Endpoint Protection

  • 1.  SQL alert queries

    Posted May 17, 2010 09:28 PM
    Hi all,

    We have SEP configured across Asia Pacific. I'm on a global mail list to which "New Risk Found" and "Single Risk Event" emails are sent when viruses are discovered. I am just wondering which table in the database stores this information, so that I could write a basic application which would query for stuff like the top 10 infected PCs or users, or which site has the most infections, etc.

    Has anyone done anything like this before? Can anyone help with this?

    Thanks.


  • 2.  RE: SQL alert queries

    Posted May 17, 2010 10:11 PM


  • 3.  RE: SQL alert queries

    Posted May 18, 2010 09:09 AM
    Here is a link that explains the Database Schema in Symantec Endpoint Protection RU5; please download the PDF file from the link below:

    Web Link: https://www-secure.symantec.com/connect/downloads/sep-ru5-schema


  • 4.  RE: SQL alert queries

    Posted May 19, 2010 06:03 AM
    Hi helpdeskaus,

    The SEPM has some in-built capabilities for generating such reports and notifications. Rather than creating a custom script which draws directly from the database, I recommend checking out what the SEPM can do itself, first. The following article may help get you started:

    About Risk reports and logs
    (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009081410532848)

    Also, a word of caution: directly manipulating the SEPM database is not supported. Symantec Tech Support won't be able to offer any assistance creating or maintaining such custom scripts, and if any changes are made to the data and the DB becomes corrupted, they won't be able to help you get it back into a supported state. I recommend performing regular DB backups, ensuring you have a DB maintenance schedule in place, and only attempting custom queries if you are very familiar with MS SQL. Another helpful article:

    Create database maintenance plans in MS SQL Server 2005 using SQL Server Integration Services (SSIS)
    (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009050514205448)

    Final plug: do be sure that your SEPM and its DB have the very latest install (SEP 11 RU6a; this includes some database performance enhancements).

    Please let the forum know of any additional queries!

    Thanks and best regards,

    Mick


  • 5.  RE: SQL alert queries

    Posted May 23, 2010 07:28 PM

    Thanks for the help; however, I found that document before I posted here. Anyway, I have figured out the database schema and how it works, and I've got a page with some nice custom reports and stats.

    The next question I have is that under the Agent System Logs database there is a field called EVENT_ID, and I am looking to find outdated antiviruses. According to the document it's listed as 0x12071027 = "Symantec AntiVirus is using old virus definitions", but when I search for the number I'm not getting any results.

    Should I convert somehow? What am I doing wrong?
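
As an added example (not from any of the posts above, and not Symantec's own query), here is how the lookup can be done in T-SQL: the schema PDF gives the code in hex, but if EVENT_ID is an integer column it holds the decimal value, so a search for the hex text will not match and the literal has to be converted first. AGENT_SYSTEM_LOG_1 and COMPUTER_NAME are assumed names; verify them against the schema document before running.

```sql
-- Added example, not taken from the original thread or from the SEPM schema PDF.
-- 0x12071027 is the code the schema document lists for
-- "Symantec AntiVirus is using old virus definitions".
-- In T-SQL a 0x... literal is a binary value; converting it to INT gives the
-- decimal number an integer EVENT_ID column would store.
SELECT CONVERT(INT, 0x12071027) AS event_id_decimal;   -- 302452775

-- Sanity check: show the most frequent stored EVENT_ID values next to their
-- hex form, so the mapping to the codes in the PDF can be confirmed locally.
-- AGENT_SYSTEM_LOG_1 is an assumed table name: check it against the schema.
SELECT TOP (10)
       EVENT_ID,
       CONVERT(VARBINARY(4), EVENT_ID) AS event_id_hex,
       COUNT(*)                        AS occurrences
FROM   AGENT_SYSTEM_LOG_1
GROUP BY EVENT_ID
ORDER BY occurrences DESC;

-- Machines that have logged the "old virus definitions" event most often.
-- COMPUTER_NAME is an assumed column name: the real schema may instead
-- carry a computer id that must be joined to the computer table.
SELECT TOP (10)
       COMPUTER_NAME,
       COUNT(*) AS old_definition_events
FROM   AGENT_SYSTEM_LOG_1
WHERE  EVENT_ID = CONVERT(INT, 0x12071027)
GROUP BY COMPUTER_NAME
ORDER BY old_definition_events DESC;
```

Run the first statement on its own first: if the decimal it returns appears in the EVENT_ID column of your database, the remaining two queries can be used as written with the table and column names corrected.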