Endpoint Protection


Notifications - Damper Setting

  • 1.  Notifications - Damper Setting

    Posted Oct 22, 2014 10:16 AM

    What is the purpose of the damper setting in the notifications?



  • 2.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 10:18 AM


  • 3.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 10:22 AM

    I would like to get an alert each time someone gets a virus but I don't want to keep getting the same alert.

    Right now I have "Single Risk Event" to alert on all computers.  Will setting the damper to never cause me to get multiple notifications of the same event, or will it alert on each infection once?



  • 4.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 10:25 AM

    If you set the notification damper period to None, you should make sure that clients can upload critical events immediately. The Let clients upload critical events immediately option is enabled by default and configured in the Communications Settings dialog box.



  • 5.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 10:28 AM

    I understand that but I don't think my question has been answered yet.

    Right now I have "Single Risk Event" to alert on all computers.  Will setting the damper to never cause me to get multiple notifications of the same event, or will it alert on each infection once?

    Or is there a better way to do what I'm trying to achieve?



  • 6.  RE: Notifications - Damper Setting

    Trusted Advisor
    Posted Oct 22, 2014 10:31 AM

    If you set it to never you will receive every individual alert every time it goes off.

    Auto tries to damper it to individual alerts, but so you don't get bombarded if there are hundreds of them, it will try to roll it into a single event you can investigate instead of trawling through the spam.



  • 7.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 10:34 AM

    Setting to none will be the opposite of what you want.

    When you set a damper period, the notification is only issued on the first occurrence of the trigger condition within the time frame you choose.

     



  • 8.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 10:35 AM

    The auto setting for the damper is set for 60 minutes.
     

    http://www.symantec.com/business/support/index?page=content&id=TECH96877



  • 9.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 12:11 PM

    So what would be the best configuration in this situation?

    We want to get notified of each virus/risk but not multiple times for the same infection on the same computer.



  • 10.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 12:16 PM

    I've always left it auto (60 minutes). Every now and then you might get a multiple but I've not felt a need to change it. Start it auto and see what happens. You may need to adjust/tweak as you see fit.



  • 11.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 12:45 PM

    @Brian, I just reread your post: 

    Setting to none will be the opposite of what you want.

    When you set a damper period, the notification is only issued on the first occurrence of the trigger condition within the time frame you choose.

    ---

    Isn't none what I would want?  I want to be notified each time there's a virus on someone's machine. I just don't want multiple alerts for the same event on the same computer.  Example: computer A gets a virus (1), I want a notification.  Computer B gets a virus (1), I want a notification.  Computer A gets another virus (2), I want a notification.  However, I don't want to keep getting an alert for computer A virus 1 because I didn't acknowledge a notification or something.



  • 12.  RE: Notifications - Damper Setting

    Posted Oct 22, 2014 12:49 PM

    Setting it to none you would get an alert every time, including multiples.



  • 13.  RE: Notifications - Damper Setting

    Broadcom Employee
    Posted Oct 23, 2014 03:26 AM

    Hi,

    A notification for "new risk detected" will trigger only once when a risk is first logged in the SEPM. Any subsequent detection will not trigger notification irrespective of damper settings.

    This is by design. Reference: http://www.symantec.com/docs/TECH209148 

    The damper period specifies the time that must pass before the notification condition is checked for new data. Minimum setting is 20 minutes and maximum is 10 hours or None. I would not suggest to set it to None. Notifications are critical to maintaining a secure environment and can also save you time. It means you can keep maximum difference between two emails is 10 hours.

    So I believe it's not possible to configure settings to trigger only single risk notification per computer. I feel it's important as a security best practice. Sometimes an admin may forget to take action on an infected machine, but a subsequent email might help to remind him.

    When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack. I would suggest to maximize the time if it's practical.

    Symantec recommendations:

    Create a notification for a Single risk event and modify the notification for Risk Outbreak.

    For these notifications, Symantec recommends that you do the following actions:

    1. Change the Risk severity to Category 1 (Very Low and above) to avoid receiving emails about tracking cookies.

    2. Keep the Damper setting at Auto.

     



  • 14.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 07:50 AM

    "I would not suggest to set it to None. Notifications are critical to maintaining a secure environment and can also save you time."

    If there's no damper (none) won't that mean we keep getting email alerts each time there is a new risk?

    -----

    "When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period."

    So if a computer is infected and we have a "single risk event" notification with the damper set to never, we should receive one alert on this machine per risk, correct or would we have to set it to Auto or something else to achieve this?

    -----

    "For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack. I would suggest to maximize the time if it's practical."

    I understand, we are talking about single events though.  We have pretty aggressive controls in place to limit widespread viruses.  We're more concerned about getting alerts on single events right now.  If we receive a lot of emails in a short period of time because of an outbreak we will disable the single alerts for that time.



  • 15.  RE: Notifications - Damper Setting

    Broadcom Employee
    Posted Oct 23, 2014 07:59 AM

    I will have to reconfirm about None settings. But if you set it to 'Auto' you will receive single email per hour.



  • 16.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:06 AM

    Setting it to none will get you alerts constantly.



  • 17.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:16 AM

    Is this per issue or a single alert per risk until the risk is fixed?



  • 18.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:16 AM

    About the same issue or different issues?



  • 19.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:18 AM

    Both. You will get alerts every time something comes up.



  • 20.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:19 AM

    What would cause it to keep alerting on the same issue though?  What does it take to stop getting that alert?



  • 21.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:23 AM

    Setting a damper time. Events will be aggregated.



  • 22.  RE: Notifications - Damper Setting

    Posted Oct 23, 2014 08:30 AM

    From the help menu:

    You can set a damper period for notifications. The damper period specifies the time that must pass before the notification condition is checked for new data. When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack.

     



  • 23.  RE: Notifications - Damper Setting

    Broadcom Employee
    Posted Oct 24, 2014 06:27 AM

    None settings will keep sending notifications constantly.

    Is this per issue or a single alert per risk until the risk is fixed?

    --> Single alert per risk until the risk is fixed. In simple words, alerts are generated as per damper settings. You can set it between 20 minutes to 10 hours gap.

     



  • 24.  RE: Notifications - Damper Setting

    Broadcom Employee
    Posted Oct 24, 2014 06:29 AM

    For each risk event it will generate an email then it can be for same or different issues. That's the reason it's recommended to set it either auto or increase damper settings.



  • 25.  RE: Notifications - Damper Setting

    Posted Oct 24, 2014 10:07 AM

    I set the damper to never and it's working like I want it.  I tested downloading viruses to two test machines and I'm getting alerts perfectly.

    Each time there is a NEW risk I get an alert but I don't keep getting multiple alerts for the same issue even if I don't clean the risk.  Either my install is broken or the info everyone has been providing me is incorrect.



  • 26.  RE: Notifications - Damper Setting
    Best Answer

    Broadcom Employee
    Posted Oct 24, 2014 11:03 AM

    Hi,

    Your feedback forced me to do more research.

    Here it is:

    The “None” Damper: Any SEPM notification with a damper of “None” is set to be checked for each minute.
    The “None” damper setting allows notifications about priority events to happen quickly.

    Reference: Information about the "Fast Pathing" feature in SEP 12.1 RU4

    http://www.symantec.com/docs/TECH212153

    It seems it's an enhancement after SEP 12.1 RU4 release
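
Added example, not part of the thread and not Symantec's code: a small Python model of the damper as the quoted help text and the last post describe it, run over the scenario from post 11 to compare email count and alert delay for "None" and "Auto". It assumes that each check reports only events not yet reported and that events arriving during the damper period are rolled into the next email; the event list and all names are constructed for illustration.

```python
from dataclasses import dataclass

AUTO_DAMPER_MIN = 60   # "Auto" is 60 minutes, per the thread
NONE_DAMPER_MIN = 1    # "None" is checked each minute, per the last post

@dataclass(frozen=True)
class RiskEvent:
    minute: int     # minutes since the start of the constructed timeline
    computer: str
    risk: str

# Constructed sample data following the scenario in post 11.
EVENTS = [
    RiskEvent(0, "A", "virus-1"),
    RiskEvent(5, "B", "virus-1"),
    RiskEvent(30, "A", "virus-2"),
    RiskEvent(130, "C", "virus-1"),
]

def simulate(events, damper_min):
    """Model (assumption): after a notification, the condition is not checked
    again until damper_min minutes pass; each check reports only events that
    have not been reported yet, rolled into one email."""
    queue = sorted(events, key=lambda e: e.minute)
    sent, next_check, i = [], 0, 0
    while i < len(queue):
        # Next evaluation: when the damper expires or new data arrives, whichever is later.
        check_at = max(next_check, queue[i].minute)
        batch = []
        while i < len(queue) and queue[i].minute <= check_at:
            batch.append(queue[i])
            i += 1
        sent.append((check_at, batch))
        next_check = check_at + damper_min
    return sent

def worst_delay(sent):
    """Longest wait, in minutes, between a detection and the email reporting it."""
    return max(at - e.minute for at, batch in sent for e in batch)

if __name__ == "__main__":
    for label, damper in (("None", NONE_DAMPER_MIN), ("Auto", AUTO_DAMPER_MIN)):
        sent = simulate(EVENTS, damper)
        print(f"{label}: {len(sent)} emails, worst delay {worst_delay(sent)} min")
        for at, batch in sent:
            print(f"  t={at:>3}  " + ", ".join(f"{e.computer}/{e.risk}" for e in batch))
```

Under this model a longer damper reduces the number of emails at the cost of how long a new detection can wait before anyone is told about it.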