Kaseya Community

Symantec Endpoint Protection Notifications

  • We have a couple of clients that are using Symantec Endpoint Protection, but since they do not have an Exchange server we cannot use the notifications that come with the endpoint application. Does anyone have a Symantec Endpoint monitor set to send a notification if a threat is detected?

    Legacy Forum Name: Symantec Endpoint Protection Notifications,
    Legacy Posted By Username: mstewart
  • <?xml version="1.0" encoding="ISO-8859-1" ?>
    <event_sets>
      <set_elements setName="Symantec Antivirus Event IDs" eventSetId="44388897">
        <element_data ignore="0" source="*" category="*" eventId="5" username="*" description="*"/>
        <element_data ignore="0" source="*" category="*" eventId="51" username="*" description="*"/>
        <element_data ignore="0" source="*" category="*" eventId="46" username="*" description="*"/>
        <element_data ignore="0" source="*" category="*" eventId="11" username="*" description="*"/>
        <element_data ignore="0" source="*" category="*" eventId="13" username="*" description="*"/>
        <element_data ignore="0" source="*" category="*" eventId="24" username="*" description="*"/>
        <element_data ignore="0" source="Symantec Mail Security for Microsoft Exchange" category="*" eventId="293" username="*" description="*"/>
      </set_elements>
    </event_sets>
    
    
    Here is an event set...not a monitor set
    I have a monitor set as well, but it only alerts when a service is stopped/doesn't start; nothing real fancy.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: pbrophy


    [edited by: Brendan Cosgrove at 5:15 PM (GMT -8) on 12-20-2010]
  • Maybe I am just missing it, but where the heck is the event set at?

    Duh, Found it ignore this post...

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: cking@faylib.org
  • Note that SAV & SEP report event IDs 5, 46 and 51 for pretty much every threat found, so if you look for all of those, you're likely to get 3 alerts for every threat found...

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: Lmhansen
  • Is there a list of event IDs somewhere so we can decide what to monitor for?

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: Grant
  • The ones posted by pBrophy are the ones most commonly seen with regards to catching found threats.
    
    My event set is pretty much the complete opposite of his, though. Mine reports on everything except a list of events. This way, if something different pops up, I get a warning, which I can then choose to continue looking for or not.
    
    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <event_sets>
      <set_elements setName="Symantec AV Events" eventSetId="86081622">
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="46" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="5" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="45" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="31" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="6" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="45" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="73" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="40" username="*" description="*"/>
        <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="51" username="*" description="*Cookie*"/>
        <element_data ignore="0" source="Symantec AntiVirus" category="*" eventId="-1" username="*" description="*"/>
      </set_elements>
    </event_sets>
    
    This should report on all found threats (event id 51), unless the "threat" is a cookie. It will also report on all other events not explicitly ignored.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: Lmhansen


    [edited by: Brendan Cosgrove at 5:14 PM (GMT -8) on 12-20-2010]
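As an added example (not from the thread or from Kaseya), here is a small evaluator that replays constructed Symantec event log records through trimmed copies of the two event sets above, to show why pbrophy's include list fires three alerts per detection while Lmhansen's ignore list with an eventId="-1" catch-all fires one and still surfaces an unknown event ID. The matching semantics (ignore rules win over include rules, "*" fields are globs, eventId -1 means any ID) are assumptions about how Kaseya evaluates an event set.

```python
import fnmatch
import xml.etree.ElementTree as ET

# pbrophy's approach, trimmed to the three IDs Lmhansen says fire for every threat.
EXPLICIT_SET = """<event_sets>
<set_elements setName="Symantec Antivirus Event IDs" eventSetId="44388897">
<element_data ignore="0" source="*" category="*" eventId="5" username="*" description="*"/>
<element_data ignore="0" source="*" category="*" eventId="51" username="*" description="*"/>
<element_data ignore="0" source="*" category="*" eventId="46" username="*" description="*"/>
</set_elements></event_sets>"""

# Lmhansen's approach, trimmed: suppress the noisy IDs and cookie hits, alert on everything else.
IGNORE_LIST_SET = """<event_sets>
<set_elements setName="Symantec AV Events" eventSetId="86081622">
<element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="46" username="*" description="*"/>
<element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="5" username="*" description="*"/>
<element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="51" username="*" description="*Cookie*"/>
<element_data ignore="0" source="Symantec AntiVirus" category="*" eventId="-1" username="*" description="*"/>
</set_elements></event_sets>"""

# Constructed sample log: one detection logged as IDs 51/5/46, one cookie hit, one unrelated ID.
SAMPLE_EVENTS = [
    {"source": "Symantec AntiVirus", "category": "", "eventId": 51, "username": "SYSTEM", "description": "Security risk found (constructed)"},
    {"source": "Symantec AntiVirus", "category": "", "eventId": 5, "username": "SYSTEM", "description": "Scan result (constructed)"},
    {"source": "Symantec AntiVirus", "category": "", "eventId": 46, "username": "SYSTEM", "description": "Action taken (constructed)"},
    {"source": "Symantec AntiVirus", "category": "", "eventId": 51, "username": "SYSTEM", "description": "Tracking Cookie found (constructed)"},
    {"source": "Symantec AntiVirus", "category": "", "eventId": 12, "username": "SYSTEM", "description": "Some other event (constructed)"},
]


def rule_matches(rule, event):
    """Assumed Kaseya semantics: eventId -1 matches any ID; the other fields are '*' globs."""
    if rule.get("eventId") != "-1" and int(rule.get("eventId")) != event["eventId"]:
        return False
    return all(fnmatch.fnmatchcase(event[f], rule.get(f)) for f in ("source", "category", "username", "description"))


def alerts_for(event_set_xml, events):
    """Return the event IDs that would alert; an ignore="1" match is assumed to suppress the event."""
    rules = ET.fromstring(event_set_xml).findall("./set_elements/element_data")
    ignores = [r for r in rules if r.get("ignore") == "1"]
    includes = [r for r in rules if r.get("ignore") == "0"]
    fired = []
    for ev in events:
        if any(rule_matches(r, ev) for r in ignores):
            continue  # explicitly suppressed, e.g. the duplicate 5/46 records or a cookie hit
        if any(rule_matches(r, ev) for r in includes):
            fired.append(ev["eventId"])
    return fired


if __name__ == "__main__":
    print("include list:", alerts_for(EXPLICIT_SET, SAMPLE_EVENTS))      # [51, 5, 46, 51]
    print("ignore list: ", alerts_for(IGNORE_LIST_SET, SAMPLE_EVENTS))   # [51, 12]
```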