Endpoint Protection

  • 1.  message alert descriptions

    Posted Nov 19, 2010 03:24 PM

    Hello-

     

    We recently switched from Trend Micro because we were unhappy with their product. However, right now we are having a lot of issues with SEP 11. The biggest one is we simply don't know what to tell our users when they get certain alerts. I found the two links below, but neither one really seems to give us an idea as to what any alert means or what we have to do, or more importantly, what we tell our users. Do we tell them to ignore it, or do we tell them that the machine needs to be rebuilt? I was hoping to find something somewhere that would list all alert messages generated by SEP and what we need to do about them.

     

    http://www.symantec.com/business/support/index?page=content&id=TECH102052&locale=en_US

    http://www.symantec.com/business/support/index?page=content&id=TECH105571&locale=en_US

     

    Any help is appreciated.


    Thanks



  • 2.  RE: message alert descriptions

    Posted Nov 19, 2010 03:48 PM

    The first link is probably the best one.

    Basically, if a file has been cleaned, deleted, or quarantined, the user can ignore.

    For any others, they should contact your helpdesk.

    As always, I would recommend a re-image if a machine is infected but that's not always practical.



  • 3.  RE: message alert descriptions

    Posted Nov 19, 2010 04:02 PM

    OK, but today we got this message:

    Scan type: Auto-Protect Scan

    Event: Risk Found!

    Security risk detected: Trojan Horse

    File: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ45.tmp

    Location: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine

    Computer:

    Action taken: Pending Side Effects Analysis : Access denied

    Date found: Friday, November 19, 2010  10:32:53 AM

     

    Based on a separate page I read here earlier

    https://www-secure.symantec.com/connect/forums/action-takenpending-side-effects-analysis-access-denied

     

    the user gets two messages.

    What do I tell them to do if one message says access denied and one says quarantined?



  • 4.  RE: message alert descriptions

    Posted Nov 19, 2010 04:08 PM

    The file was quarantined and the user can ignore. Second message is the final result.

    Also, SEP is scanning its quarantine, which is a glitch in earlier versions. I would recommend upgrading to the latest version of SEP, RU6 MP1.



  • 5.  RE: message alert descriptions

    Posted Nov 19, 2010 04:16 PM

    First of all, I won't allow the alerts to appear on the user's screen.

    Hide all alert notifications from the user.

    The SEP admin should look into these infections based on the logs from SEPM.

    Create new risk, Single Risk email notification.

    You get alerts only when SEP detects a threat, so it's not that you will always have to take an action.

    However, if there is an action where the threat is in Pending Analysis, Partially Cleaned, in those cases you need to take action on that client machine.



  • 6.  RE: message alert descriptions

    Posted Nov 19, 2010 04:34 PM

    We allow the Autoprotect notifications for user awareness mostly but not any other notifications. But it can be painful in a large enterprise when dealing with users.



  • 7.  RE: message alert descriptions

    Posted Nov 20, 2010 04:49 AM

    If your users are not sure what they need to do when they see alerts, why have the alerts displayed to them? You can disable all alerts and notifications about risks found for the clients. And then, as Vikram said, manage all risk notifications from SEPM.

    You can also create email notifications, so that you would be emailed whenever there is a risk detected.
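The triage rule the replies converge on (cleaned, deleted or quarantined can be ignored; pending or partially cleaned needs an admin; when a file produces two messages, the later one is the final result) can be applied mechanically to the notification text. The sketch below is an added example, not code from the thread or from Symantec: the function names are hypothetical, and the second alert, including its "Quarantined" action text and timestamp, is constructed from the thread's description.

```python
import re
from datetime import datetime

RESOLVED = ("cleaned", "deleted", "quarantined")   # replies: user can ignore
NEEDS_ADMIN = ("pending", "partially cleaned")     # replies: act on the client
QDIR = "\\symantec\\srtsp\\quarantine\\"           # SEP's own quarantine folder
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):[ \t]*(.*)$")
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"

def parse_alert(text):
    """Parse 'Field: value' lines into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def classify_action(action):
    a = action.lower()
    if any(k in a for k in NEEDS_ADMIN):   # first: "partially cleaned" contains "cleaned"
        return "helpdesk"
    if any(k in a for k in RESOLVED):
        return "ignore"
    return "helpdesk"                      # any other outcome goes to the helpdesk

def triage(alert_texts):
    """Return {file: result}, judging each file by its latest alert only."""
    latest = {}
    for text in alert_texts:
        f = parse_alert(text)
        when = datetime.strptime(" ".join(f["date found"].split()), DATE_FMT)
        key = f["file"].lower()
        if key not in latest or when >= latest[key][0]:
            latest[key] = (when, f)
    return {f["file"]: {"verdict": classify_action(f["action taken"]),
                        "final_action": f["action taken"],
                        "own_quarantine": QDIR in f["file"].lower()}
            for _, f in latest.values()}

# FIRST is the alert quoted in the thread (Location/Computer lines omitted).
FIRST = r"""Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ45.tmp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Friday, November 19, 2010  10:32:53 AM"""
# SECOND is constructed: the follow-up message the thread says reports quarantine.
SECOND = FIRST.replace("Pending Side Effects Analysis : Access denied",
                       "Quarantined").replace("10:32:53", "10:32:54")
```

The `own_quarantine` flag marks detections whose path lies inside SEP's quarantine folder, the self-scan behaviour one reply attributes to earlier versions.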