Endpoint Protection


No notifications, no email notifications


  • 1.  No notifications, no email notifications

    Posted Dec 23, 2009 02:26 PM
    Hello,
    Today I noticed I had a client with a few files showing up as viruses during my weekly scan. However, I was never notified of this. I logged into Endpoint Protection Manager (v11) and noticed on the home screen under Action Summary by Detection Count that there were files infected. I then went into my notifications and set everything to all for the last month and I get NO notifications. Then I have 4 notification conditions that are set to email me; none of those worked either. They are new risk, risk event, client security alert, and definitions out of date. Obviously my email settings are set and correct. I don't even see any logs that it tries to send an email. I purposely have a client with out of date definitions and I get no email. BUT again I don't even see ANYTHING under notifications. So I'm assuming if no notifications are showing up, it's not going to email any notification either. I appreciate any help. Thanks.


  • 2.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:29 PM
    Before we could analyze the cause, can you please check if things are in place?

    How to Configure Symantec Endpoint Protection Manager to Send Email Alerts
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008031219333348

    Is your Exchange server rejecting mails? When was the last time you received emails? Never?


  • 3.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:37 PM
    Are you using Secure Password Authentication on your SMTP server?

    The Symantec Endpoint Protection Manager cannot send email notifications to a SMTP
    server configured to require Secure Password Authentication. You will need to configure SEPM
    to use another mail server that does not require SPA or disable the requirement of SPA from
    your current email server.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d28e5621b64d9ddb88257543007672ff?OpenDocument

    Thomas
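
Added example (not part of the thread or of Symantec's documentation): a check of which SMTP AUTH mechanisms a mail server advertises, to see whether a client that cannot do SPA has any other way to authenticate. It assumes SPA appears on the wire as `AUTH NTLM` (GSSAPI is grouped with it), and the sample EHLO replies and `.test` host names are constructed.

```python
import smtplib

# Assumption: SPA is treated as SMTP "AUTH NTLM"; GSSAPI is grouped with it as
# an integrated mechanism that a client limited to PLAIN/LOGIN cannot use.
INTEGRATED = {"NTLM", "GSSAPI"}

# Constructed EHLO replies (not captured from any real server).
SAMPLE_SPA_ONLY = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250-AUTH GSSAPI NTLM\r\n250 OK"
SAMPLE_MIXED = "250-mx.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME"
SAMPLE_NO_AUTH = "250-relay.example.test\r\n250 SIZE 10240000"


def auth_mechanisms(ehlo_reply):
    """Return the set of AUTH mechanisms advertised in a raw EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Each reply line is "250-<keyword> [params]" or "250 <keyword> [params]".
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        # Normalise the legacy "AUTH=LOGIN" form to "AUTH LOGIN" before splitting.
        keyword, _, params = line[4:].strip().replace("=", " ", 1).partition(" ")
        if keyword.upper() == "AUTH":
            mechs.update(m.upper() for m in params.split())
    return mechs


def classify(ehlo_reply):
    """Say whether a client without NTLM/GSSAPI support could authenticate."""
    mechs = auth_mechanisms(ehlo_reply)
    if not mechs:
        # No AUTH keyword: the server accepts or rejects mail on other grounds.
        return "no-auth-advertised"
    if mechs <= INTEGRATED:
        return "spa-only"
    return "non-spa-available"


def probe(host, port=25, timeout=10):
    """Live check: send EHLO to host and classify what it advertises."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        lines = reply.decode(errors="replace").splitlines()
        return classify("\n".join("250-" + line for line in lines))


if __name__ == "__main__":
    for name, sample in [("spa-only", SAMPLE_SPA_ONLY), ("mixed", SAMPLE_MIXED),
                         ("no-auth", SAMPLE_NO_AUTH)]:
        print(name, sorted(auth_mechanisms(sample)), classify(sample))
```

`probe("mail.example.test")` runs the same classification against a live server. The EHLO reply only shows what is offered; whether authentication is actually required shows up when a message is submitted.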


  • 4.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:40 PM
    Hello,
    Yes, I have configured all of those options and I have never gotten an email. Again, I don't see any log that says it's even tried to send an email. We are using an IMAP email server and no, SPA is NOT required.


  • 5.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:45 PM

    Go to Admin
    Servers
    your server name Properties
    Check your Exchange server name.
    Have you entered the admin name as
    admin @domain.com or just admin?
    Is your password correct?
    The email will be sent from System, so check your email server; hope it's not getting filtered.

    Drop a test virus (EICAR) and check if you are getting notifications.

    https://www-secure.symantec.com/connect/forums/endpoint-email-notification



  • 6.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:45 PM
    The thing I don't understand is even just under the notifications I don't see ANYTHING even though I've had an infected machine TODAY. Yet I see this infection on the home screen and under the Summary Tab under Monitors.


  • 7.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:47 PM

    How to test the e-mail notification feature in the Symantec Endpoint Protection Manager Console.


    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/ea9afe1b3e0127976525762300763136?OpenDocument



  • 8.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:50 PM
    I have the FQDN name of my server and it's not an Exchange server; it's a Dovecot/Postfix IMAP server.

    I have the username as endpoint@domain.com and yes, the password is correct.

    Still... why are no notifications showing up when I view notifications? Shouldn't files being found on a weekly scan produce some notification?

    Also, I've looked under the system logs and there are NO error logs, so again I can't even tell if it's trying to send an email.



  • 9.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:51 PM


  • 10.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:53 PM
    In this discussion it was the account being disabled.

    https://www-secure.symantec.com/connect/forums/notifications-not-being-sent


    Seems like you had this issue before; again the same issue? This discussion was posted by you:

    https://www-secure.symantec.com/connect/forums/risk-monitoring-and-alerts


  • 11.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:55 PM
    Ok thanks!  That test was exactly what I need and sure enough the email is working fine!  
    So... now I need to know why files being found on a client computer through a weekly scan DID NOT email notify me.  


  • 12.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 02:59 PM
    That's something we need to check in the configuration. Can you tell me what your scan email alert settings are?


  • 13.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:01 PM
    The notification conditions I have configured are:

    definitions out of date
    single risk event
    authentication failure
    client security alert
    new risk

    There is no filtering within them; I have them set to ALL or * for the fields. I have "write notification to database" and "send email" checked and configured.




  • 14.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:06 PM
    I would like you to set a notification for virus defs out of date. You said you have one machine in your group;
    specify the group and the client name.
    These conditions are AND type; both the conditions should be true to trigger the alert.
    All the conditions are AND, which should be correct to finish the loop to send you an alert.


  • 15.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:13 PM
    I will try that. I also just dropped the test EICAR on a machine and Endpoint on the client cleaned and removed it. Waiting for something about it to show up on the server.


  • 16.  RE: No notifications, no email notifications
    Best Answer

    Posted Dec 23, 2009 03:17 PM
    You need to change this setting:

    Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040309460648

    What's the version of your SEPM?


  • 17.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:18 PM
    For the definitions out of date I specified my group and my endpoint server, but not that actual machine name; shouldn't have to do that.

    I also unchecked "only machines that are online", because this machine is not powered on and that's why the definitions are out of date.

    On the home screen under security status I can clearly see this machine having out of date definitions.


  • 18.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:20 PM

    Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040309460648

    What's the version of your SEPM?



  • 19.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:21 PM
    OK, I will have to continue on this. We are shut down until the new year. I'm glad the email is working, but I need to make sure actual virus notifications are being sent.
    Thanks for your help so far!  


  • 20.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:25 PM
    Actually, right as I was leaving I got a single risk and a new risk email regarding the EICAR! So it's working! Thanks!


  • 21.  RE: No notifications, no email notifications

    Posted Dec 23, 2009 03:27 PM
    Happy that it worked for you. Can you please mark this post as resolved?

    Merry X-Mas :) and a wonderful new year :)


  • 22.  RE: No notifications, no email notifications

    Posted Jan 04, 2010 10:28 AM
    Yes, this is definitely working now.


  • 23.  RE: No notifications, no email notifications

    Posted Apr 08, 2010 06:30 PM

    I don't think it's a safe idea to disable Exchange SPA just to get Symantec mail notifications running, yet Exchange is exactly what we are running on our network. Can someone tell me if there's a service (preferably free) that will allow sending via SMTP without authentication? I found some Google IPs here: http://coding.derkeiler.com/Archive/PHP/comp.lang.php/2006-03/msg01293.html that supposedly allow SMTP transfer without authentication for Google's Gmail to Gmail accounts only (that would work for me). However, none of those IPs even respond to the ping command, so the servers could be dead for all I know.


  • 24.  RE: No notifications, no email notifications

    Posted Apr 08, 2010 06:38 PM

    How safe is it having an Exchange server without SPA enabled?