Endpoint Protection

  • 1.  Risk Outbreak notification

    Posted Sep 25, 2013 10:30 PM

    I am not very clear about the condition setting of Risk Outbreak Notification.

    Like the attached screen: Does it mean that in 5 mins, if SEPM received 2 or more than 2 risk alerts (they may be of different risk types or risk names, and they may happen on different or the same SEP clients), then SEPM will send out the first risk outbreak notification? And then wait for the damper time of 20 mins, and if the same situation still occurs in the next 20 mins, it will send again?

    Do you know if the notification sending interval depends on the Damper setting?



  • 2.  RE: Risk Outbreak notification

    Posted Sep 26, 2013 05:34 AM

    Hello,

    More about notifications: http://www.symantec.com/docs/HOWTO55051

    If the same situation occurs, SEPM will not send a new notification during the damper time (20 min. in your case); after that everything is the same: it will send the first notification and wait for the next damper period.



  • 3.  RE: Risk Outbreak notification

    Posted Sep 26, 2013 06:02 AM

    Hello,

    You may also click the Help button for further details; however, your understanding seems OK.



  • 4.  RE: Risk Outbreak notification

    Trusted Advisor
    Posted Sep 26, 2013 08:25 AM

    Hello,

    In your case, for Client security alert and Risk outbreak, this specifies the type and extent of the outbreak that should trigger this notification.

    The outbreak type that you select results in the following information:

    • Occurrences on any computer - The number of security events or risks that are found in the number of minutes that you set.

    Risk Severity: Specifies the severity category of risk that should trigger this notification.

    This option applies only to New risk detected, Risk outbreak, and Single risk event.
     
    You can select one of the following:
    • All
    • Category 5 (Very Severe)
    • Category 4 (Severe) and above
    • Category 3 (Moderate) and above
    • Category 2 (Low) and above
    • Category 1 (Very Low) and above
    • Unknown - Unknown risks are the risks that Symantec Security Response has not rated.
    Scan Type: Specifies the type of scan that should trigger this notification.
     
    This option applies only to New risk detected, Risk outbreak, and Single risk event.
     
    You can select one of the following:
    • All
    • Scheduled scan
    • Manual scan
    • Auto-Protect scan
    • SONAR
    • Console
    • Definition download
    • System
    • Startup scan
    • Idle scan
    • Manual quarantine
    Action taken: Specifies the configured action that you want to trigger this notification. This option applies only to New risk detected, Risk outbreak, and Single risk event.
     
    Notification Condition: For Authentication failure, Risk outbreak, and Client security alert notifications, specifies the number of events that must occur within this number of minutes to trigger a notification.
     
    For a Virus definitions out-of-date notification, specifies that the following conditions trigger a notification:
    • The number of days that definitions must be out-of-date.
    • The number of computers that must have virus definitions that are older than this value.
    Damper: Specifies the length of the damper period, in minutes or hours, that you want to use for this notification.
     
    Some logs use a damper period for event aggregation. Events are held on the clients for the damper period before they are aggregated into a single event and then uploaded to the console. The damper period helps to reduce events to a manageable number.
     
    The default damper setting is Auto (automatic). If a notification is triggered and the trigger condition continues to exist, the notification action that you configured is not performed again for 60 minutes. For example, suppose you configure a notification to alert you when a virus infects five computers within one hour. If a virus continues to infect your computers at or above this rate, you receive notifications every hour. The notifications continue until the rate slows to fewer than five computers per hour.
     
    Hope that helps!!
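The threshold-plus-damper behaviour the thread converges on (N events inside a sliding window fire the notification, then nothing is re-sent until the damper period has elapsed, with Auto meaning 60 minutes) is easy to misread from the settings dialog alone. The following added example is not Symantec's or SEPM's own code; it is a small model written for this page. The event timestamps are constructed, and the exact evaluation details (events are checked one at a time in time order, an event exactly at the edge of the window still counts, and the damper is measured from the moment the last notification was sent) are assumptions made here to keep the model simple:

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Optional


class OutbreakNotifier:
    """Simplified model of a Risk outbreak notification rule.

    Assumed semantics (a model, not SEPM's implementation): the rule fires
    when at least `threshold` risk events fall inside a sliding window of
    `window_minutes`; once it has fired, it stays silent for
    `damper_minutes` even if the condition persists. A damper of None
    stands for the Auto setting, which the thread describes as 60 minutes.
    """

    def __init__(self, threshold: int, window_minutes: int,
                 damper_minutes: Optional[int] = None) -> None:
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.damper = timedelta(minutes=60 if damper_minutes is None else damper_minutes)
        self._recent: Deque[datetime] = deque()   # event times still inside the window
        self._last_sent: Optional[datetime] = None

    def record(self, when: datetime) -> bool:
        """Record one risk event (any risk name, any client) and return
        True if this event caused a notification to be sent."""
        self._recent.append(when)
        # Forget events that have fallen out of the sliding window.
        while self._recent and when - self._recent[0] > self.window:
            self._recent.popleft()
        if len(self._recent) < self.threshold:
            return False                       # outbreak condition not met
        # Condition met: honour the damper before sending again.
        if self._last_sent is not None and when - self._last_sent < self.damper:
            return False                       # suppressed by the damper
        self._last_sent = when
        return True


def simulate(threshold: int = 2, window_minutes: int = 5,
             damper_minutes: Optional[int] = 20) -> List[int]:
    """Feed a constructed burst of risk events through the rule and return
    the minute offsets (from the first event) at which a notification was sent."""
    base = datetime(2013, 9, 25, 22, 0)        # constructed start time
    # Constructed event offsets in minutes: a burst inside the window,
    # a second burst while the damper is active, a third burst after the
    # damper has expired, and a lone event that never meets the threshold.
    offsets = [0, 3, 4, 10, 12, 22, 23, 45]
    rule = OutbreakNotifier(threshold, window_minutes, damper_minutes)
    return [m for m in offsets if rule.record(base + timedelta(minutes=m))]


if __name__ == "__main__":
    print("2 events / 5 min, damper 20 min:", simulate())
    print("2 events / 5 min, damper Auto:  ", simulate(damper_minutes=None))
    print("3 events / 5 min, damper 20 min:", simulate(threshold=3))
```

With the settings from the original question (2 events in 5 minutes, damper 20 minutes) the model sends at minute 3 and again at minute 23: the burst at minutes 10 and 12 satisfies the condition but is swallowed by the damper, and the burst at 22 and 23 is sent because 20 minutes have passed since the first notification. Leaving the damper on Auto turns that into a single notification for the whole hour, which is the difference the damper setting makes to the sending interval.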