Endpoint Protection


Proactive Threat Protection & Network Threat Protection Logs are Blank

  • 1.  Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 02:41 PM

    I was wondering if anyone could help me.  None of my SEP clients are showing any entries within the logs for Proactive Threat Protection or Network Threat Protection.  I would assume that I am supposed to be (at least) seeing entries within the 'system' tab when definitions are updated.  The Antivirus/Antispyware logging portion is working fine, however.

    The seclog (C:\Program Files\Symantec\Symantec Endpoint Protection\) is showing very little -- 2 lines

    I am running a mixed environment of Windows XP and Windows 7 machines.  All are acting the same.  Most machines are 32 bit, ten or so are 64 bit.  All machines are reporting to the SEPM fine and receiving policy/definition updates fine.  The SEP clients are all at Version 11.0.6000.550.

    Thanks



  • 2.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 02:48 PM

    do you have network threat and proactive protection technology installed...



  • 3.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 03:14 PM

    Yes, both are installed and running correctly as far as reporting to the SEPM and receiving updates.  As far as finding threats, not sure because the logs are empty.



  • 4.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 03:16 PM

    Maybe you have no threats currently? Not sure if this is realistic for your environment but try checking logs on a few clients



  • 5.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 03:54 PM

    You should be able to view all the reports from the SEPM



  • 6.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 04:00 PM

    Maybe not, but all reports are blank at all clients and there are no entries for definition updates.



  • 7.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 04:03 PM

    Yes, but need the ability to see these [logs] at the clients for troubleshooting and testing.



  • 8.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 14, 2010 04:05 PM

    Try the EICAR test just to see if it shows up in SEPM. It sounds like you are not getting any logs at all?

    Also have a look at what logs are being sent to SEPM:

    Open SEPM

    Go to Policies

    Select your AV/AS policy

    Select Miscellaneous

    Select Log Handling tab

    In here will show you all events that will go to the SEPM



  • 9.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 09:11 AM

    Thanks, but the issue is not the AV/AS logs.   They are working well, both at the client, and the SEPM.  The EICAR test was one of the first things I did upon setup to test the clients; worked great.

    The issue is the other two portions of the SEP spectrum: Proactive Threat Protection & Network Threat Protection

    There are no log events for these two technologies; at the SEPM or at the individual clients.  Both report to the SEPM that they are updated and running normal and both report the same at the clients themselves.  However, if you are to open the logs for these there are no entries, not even logs for updates.

    I have attached screen shots for the AV/AS logs and for the PTP logs at the client level.  Updates are shown for AV/AS, but nothing for PTP.



  • 10.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 09:35 AM

    Well then I'm not sure other than you may just not have these types of threats.

    Try a ping of death from your client to another, ping -l 65000 <target PC>, it should show up in your NTP logs as well as in the SEPM. You will see it blocked at your client as well.



  • 11.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 11:08 AM

    Well, I got an entry within the Network Threat Protection log.  At least it's working in that regard.  I wonder what's wrong with PTP?

    Thanks for that suggestion, by the way.



  • 12.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 11:19 AM

    PTP scans for trojans, worms, and keyloggers and looks for certain characteristics such as a program opening a backdoor or trying to spread itself to other hosts.

    For me, I don't see much in the logs on PTP. We have some custom in-house stuff our developers build for various reasons that do show up. And I think it's the result of poor coding but it's easier for me to just add the exceptions than go thru the hassle of dealing with them.

    You likely won't find commercial products showing up.

    What I would do is this:

    Download VNC, Real VNC, something that is a remote control app.

    Set your PTP options to log when a commercial app is detected.

    Then go into your Centralized Exceptions policy and add a Windows ---> PTP ---> Process exception. Enter in the name of the executable of the remote app you downloaded, wait for the policy to pick up and then run the app for a few hours. It should then be showing up in the PTP logs.



  • 13.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 11:41 AM

    Do you get log entries in the PTP logs (at the clients) under the system tab when the PTP product receives definition updates?



  • 14.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 12:20 PM

    No

    To my knowledge when definition updates are loaded, it will only show in the System Log under the AV/AS log history. Even though the updates also include PTP and IPS, it will only show under AV/AS logs. Kind of confusing I suppose but the way it is I guess.

    Under PTP ---> System Log, this will show errors such as a whitelist failure and obviously threat log will show what threats PTP detected and the action taken.



  • 15.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 01:14 PM

    Huh...

    It only says 'virus definitions updated' under the AV/AS logs.  I suppose this would be a design change request then? Oh well.  I'll wait to see if anyone else has any suggestions before I close this.  Just seems oddly empty.

    Thanks again Brian81



  • 16.  RE: Proactive Threat Protection & Network Threat Protection Logs are Blank

    Posted Oct 15, 2010 02:18 PM

    My guess is both PTP and NTP updates also fall under "virus definitions" updated. I've never seen PTP updates in the PTP log, same for NTP updates.

    My PTP log has never had any data in it, mainly because I've never used a program that PTP flagged as being such.