Kaseya Community

Home » Discussion Forums » Monitoring - VSA » Symantec Endpoint Protection Notifications

Learn more about how AuthAnvil can protect and enhance your Kaseya experience

Similar Posts

Remove Symantec Endpoint Protection

by
on Dec 1, 2009

Symantec Endpoint Protection

by
on Sep 7, 2015

Symantec Endpoint Protection and Discovery

by
on Feb 12, 2016

Kaseya and Symantec Endpoint Protection 12.1

by
on Mar 20, 2012

Symantec Endpoint Protection 11 Removal

by
on Jan 12, 2009
Details
  • 5 Replies
  • 0 Subscribers
  • Postedover 11 years ago

Symantec Endpoint Protection Notifications

  • LegacyPoster
    Posted by
    on Jun 26, 2008 1:28 AM
    We have a couple of clients that are using Symantec Endpoint Protection, but since they do not have an exchange server we cannot use the notifications that come with the enpoint application. Does anyone have a symantec endpoint monitor set to send notification if a threat is detected?

    Legacy Forum Name: Symantec Endpoint Protection Notifications,
    Legacy Posted By Username: mstewart
  • LegacyPoster
    Posted by
    on Jun 26, 2008 2:53 AM 
    <?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
  <set_elements setName="Symantec Antivirus Event IDs" eventSetId="44388897">
    <element_data ignore="0" source="*" category="*" eventId="5" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="51" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="46" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="11" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="13" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="24" username="*" description="*"/>
    <element_data ignore="0" source="Symantec Mail Security for Microsoft Exchange" category="*" eventId="293" username="*" description="*"/>
  </set_elements>
</event_sets>


Here is an event set...not a monitor set
I have a monitor set as well, but it only alerts when a service is stopped/ doesn't start; Nothing real fancy.

    Legacy Forum Name: Monitor Sets, 
    Legacy Posted By Username: pbrophy


    [edited by: Brendan Cosgrove at 5:15 PM (GMT -8) on 12-20-2010] .
  • LegacyPoster
    Posted by
    on Jul 2, 2008 5:22 AM
    Maybe I am just missing it, but where the heck is the event set at?

    Duh, Found it ignore this post...

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: cking@faylib.org
  • LegacyPoster
    Posted by
    on Jul 9, 2008 12:54 AM
    Note that SAV & SEP reports event ID 5, 46 and 51 for pretty much every threat found, so if you look for all of those, you're likely to get 3 alerts for every threat found...

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: Lmhansen
  • LegacyPoster
    Posted by
    on Jul 9, 2008 6:23 AM
    Is there a list of event IDs somewhere so we can decide what to monitor for?

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: Grant
  • LegacyPoster
    Posted by
    on Jul 9, 2008 11:55 PM 
    The ones posted by pBrophy are the ones most commonly seen with regards to catching found threats.

My event set is pretty much the complete opposite of his, though. Mine reports on everything except a list of events. This way, if something different pops up, I get a warning, which I can then choose to continue looking for or not.

<?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
  <set_elements setName="Symantec AV Events" eventSetId="86081622">
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="46" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="5" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="45" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="31" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="6" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="45" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="73" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="40" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="51" username="*" description="*Cookie*"/>
    <element_data ignore="0" source="Symantec AntiVirus" category="*" eventId="-1" username="*" description="*"/>
  </set_elements>
</event_sets>

This should report on all found threats (event id 51), unless the "threat" is a cookie. It will also report on all other events not explicitly ignored.

    Legacy Forum Name: Monitor Sets, 
    Legacy Posted By Username: Lmhansen


    [edited by: Brendan Cosgrove at 5:14 PM (GMT -8) on 12-20-2010] .