Endpoint Protection

  • 1.  SEP IPS log has incorrect Begin Time

    Posted Dec 26, 2017 07:57 AM

    Hello,

    Can anybody give an explanation of Time Stamp, Event Type, Begin Time, End Time in the SEP Attack log?

    I have an issue on the client side where the IPS log has different timing on some SEP agents running 12.1RU6MP8. The Begin Time does not comply with the Event Time in View Logs -> Security Log (NTP Attack logs).

    For example, I filtered Begin Time by October and then see that Time Stamp or Event Time have timings from December. In my ongoing test, the timings are different on some SEP agents.

    That means SEPM notifies me with an alert that happened 2 months ago, even though the host was always online with a healthy SEP agent.

    Time Stamp        Event Type            Event Time        Begin Time        End Time
    01.12.2017 6:27   Intrusion Prevention  01.12.2017 6:26   12.10.2017 13:21  12.10.2017 13:21
    01.12.2017 16:40  Intrusion Prevention  01.12.2017 16:39  12.10.2017 23:34  12.10.2017 23:34
    02.12.2017 17:46  Intrusion Prevention  02.12.2017 17:45  14.10.2017 0:40   14.10.2017 0:40
    02.12.2017 17:46  Intrusion Prevention  02.12.2017 17:45  14.10.2017 0:40   14.10.2017 0:40
    03.12.2017 1:12   Intrusion Prevention  03.12.2017 1:11   14.10.2017 8:06   14.10.2017 8:06
    03.12.2017 8:01   Intrusion Prevention  03.12.2017 8:00   14.10.2017 14:55  14.10.2017 14:55
    03.12.2017 8:01   Intrusion Prevention  03.12.2017 8:01   14.10.2017 14:56  14.10.2017 14:56
    04.12.2017 3:46   Intrusion Prevention  04.12.2017 3:45   15.10.2017 10:40  15.10.2017 10:40
    04.12.2017 15:08  Intrusion Prevention  04.12.2017 15:07  15.10.2017 22:02  15.10.2017 22:02
    04.12.2017 19:58  Intrusion Prevention  04.12.2017 19:57  16.10.2017 2:52   16.10.2017 2:52
    05.12.2017 19:27  Intrusion Prevention  05.12.2017 18:43  17.10.2017 1:38   17.10.2017 1:38
    05.12.2017 19:27  Intrusion Prevention  05.12.2017 18:43  17.10.2017 1:38   17.10.2017 1:38
    06.12.2017 5:19   Intrusion Prevention  06.12.2017 5:18   17.10.2017 12:13  17.10.2017 12:13
    06.12.2017 12:18  Intrusion Prevention  06.12.2017 12:17  17.10.2017 19:12  17.10.2017 19:12
    06.12.2017 12:18  Intrusion Prevention  06.12.2017 12:17  17.10.2017 19:12  17.10.2017 19:12
    07.12.2017 7:18   Intrusion Prevention  07.12.2017 7:17   18.10.2017 14:12  18.10.2017 14:12
    07.12.2017 10:44  Intrusion Prevention  07.12.2017 10:44  18.10.2017 17:38  18.10.2017 17:38
    07.12.2017 10:44  Intrusion Prevention  07.12.2017 10:44  18.10.2017 17:38  18.10.2017 17:38
    08.12.2017 8:47   Intrusion Prevention  08.12.2017 8:46   19.10.2017 15:41  19.10.2017 15:41
    08.12.2017 8:47   Intrusion Prevention  08.12.2017 8:46   19.10.2017 15:41  19.10.2017 15:41
    10.12.2017 5:09   Intrusion Prevention  10.12.2017 5:08   21.10.2017 12:03  21.10.2017 12:03
    10.12.2017 8:02   Intrusion Prevention  10.12.2017 8:01   21.10.2017 14:55  21.10.2017 14:55
    10.12.2017 8:02   Intrusion Prevention  10.12.2017 8:01   21.10.2017 14:56  21.10.2017 14:56
    11.12.2017 7:46   Intrusion Prevention  11.12.2017 7:45   22.10.2017 14:39  22.10.2017 14:39
    11.12.2017 7:46   Intrusion Prevention  11.12.2017 7:45   22.10.2017 14:40  22.10.2017 14:40
    12.12.2017 21:20  Intrusion Prevention  12.12.2017 21:19  24.10.2017 4:13   24.10.2017 4:13
    13.12.2017 18:10  Intrusion Prevention  13.12.2017 18:09  25.10.2017 1:04   25.10.2017 1:04
    14.12.2017 6:13   Intrusion Prevention  14.12.2017 6:12   25.10.2017 13:06  25.10.2017 13:06
    15.12.2017 6:52   Intrusion Prevention  15.12.2017 6:51   26.10.2017 13:45  26.10.2017 13:45
    17.12.2017 8:01   Intrusion Prevention  17.12.2017 8:00   28.10.2017 14:55  28.10.2017 14:55
    17.12.2017 8:02   Intrusion Prevention  17.12.2017 8:01   28.10.2017 14:55  28.10.2017 14:55
    18.12.2017 7:49   Intrusion Prevention  18.12.2017 7:48   29.10.2017 14:43  29.10.2017 14:43
    18.12.2017 10:47  Intrusion Prevention  18.12.2017 10:46  29.10.2017 17:40  29.10.2017 17:40
    18.12.2017 10:47  Intrusion Prevention  18.12.2017 10:46  29.10.2017 17:40  29.10.2017 17:40
    18.12.2017 17:29  Intrusion Prevention  18.12.2017 17:28  30.10.2017 0:22   30.10.2017 0:22
    19.12.2017 0:34   Intrusion Prevention  19.12.2017 0:33   30.10.2017 7:28   30.10.2017 7:28
    19.12.2017 9:20   Intrusion Prevention  19.12.2017 9:18   30.10.2017 16:13  30.10.2017 16:13
    19.12.2017 13:35  Intrusion Prevention  19.12.2017 13:34  30.10.2017 20:28  30.10.2017 20:28
    19.12.2017 23:11  Intrusion Prevention  19.12.2017 23:11  31.10.2017 6:05   31.10.2017 6:05
    20.12.2017 10:48  Intrusion Prevention  20.12.2017 10:47  31.10.2017 17:41  31.10.2017 17:41
    20.12.2017 13:07  Intrusion Prevention  20.12.2017 13:06  31.10.2017 20:00  31.10.2017 20:00
    20.12.2017 15:23  Intrusion Prevention  20.12.2017 15:22  31.10.2017 22:16  31.10.2017 22:16
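
A triage check for the rows in the post above, as an added example that is not part of the original thread: it parses the flattened rows and reports whether the gap between Event Time and Begin Time is the same on every event or varies per event. The five-column layout and the `dd.mm.yyyy h:mm` format are assumed from the pasted table; `parse_row` and `lag_report` are hypothetical names.

```python
from datetime import datetime, timedelta

FMT = "%d.%m.%Y %H:%M"  # assumed export format: dd.mm.yyyy h:mm

# Five rows copied from the table in the post above.
SAMPLE = """\
01.12.2017 6:27 Intrusion Prevention 01.12.2017 6:26 12.10.2017 13:21 12.10.2017 13:21
01.12.2017 16:40 Intrusion Prevention 01.12.2017 16:39 12.10.2017 23:34 12.10.2017 23:34
02.12.2017 17:46 Intrusion Prevention 02.12.2017 17:45 14.10.2017 0:40 14.10.2017 0:40
10.12.2017 8:02 Intrusion Prevention 10.12.2017 8:01 21.10.2017 14:55 21.10.2017 14:55
20.12.2017 15:23 Intrusion Prevention 20.12.2017 15:22 31.10.2017 22:16 31.10.2017 22:16
"""

def parse_row(line):
    """Split a flattened row: 2 tokens of Time Stamp, N of Event Type, then 3 x 2 of times."""
    tok = line.split()
    n = len(tok)
    if n < 9:
        raise ValueError(f"not a log row: {line!r}")

    def ts(i):
        # A timestamp is two whitespace-separated tokens: date, then time.
        return datetime.strptime(" ".join(tok[i:i + 2]), FMT)

    return {"time_stamp": ts(0), "event_type": " ".join(tok[2:n - 6]),
            "event_time": ts(n - 6), "begin_time": ts(n - 4), "end_time": ts(n - 2)}

def lag_report(text, tolerance=timedelta(minutes=5)):
    """Classify the Event Time minus Begin Time gap across all rows."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    lags = [r["event_time"] - r["begin_time"] for r in rows]
    lo, hi = min(lags), max(lags)
    if -tolerance <= lo and hi <= tolerance:
        verdict = "consistent"        # Begin Time agrees with Event Time
    elif hi - lo <= tolerance:
        verdict = "constant-offset"   # same gap on every event
    else:
        verdict = "variable-lag"      # gap differs from event to event
    return {"rows": len(rows), "min_lag": lo, "max_lag": hi, "verdict": verdict}

if __name__ == "__main__":
    print(lag_report(SAMPLE))
```

On these five rows the gap is between 49 days 17:05 and 49 days 17:06 for every event, so the report returns `constant-offset`.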



  • 2.  RE: SEP IPS log has incorrect Begin Time

    Posted Dec 26, 2017 11:07 AM

    I just tested the issue with an IPS event on an affected host; the log is the same on the SEPM server and the SEP client. So it's a SEP client bug. I hope Symantec can fix this bug.

     



  • 3.  RE: SEP IPS log has incorrect Begin Time

    Posted Dec 26, 2017 01:56 PM

    You're on an older version. Did you go through the fix notes to see if this has been addressed?