Symantec Critical System Protection (SCSP) and Symantec Data Center Security Server Advanced (DCS:SA) generate events with a DISPOSITION field. You want to know what the possible values are and what their meaning is.
DISPOSITION | DISPOSITION_D | Description
---|---|---
A | Allow | The operation was allowed to proceed by the prevention engine.
D | Denied | The operation was blocked by the prevention engine.
F | Failure | Failed completion status of the detected event, for example a login attempt that failed.
S | Success | Normal completion status of the detected event, for example a login attempt that succeeded.
E | Error | Error condition detected (usually associated with a Management event).
P | P | FileWatch Polling mode
R | R | FileWatch Real-Time mode
The P and R DISPOSITION values were added when the Real-Time File Integrity Monitoring feature was introduced in SCSP. These dispositions (P or R) are only expected for two particular EVENT_TYPE values: DFWW (Filewatch Windows) and DFWU (Filewatch UNIX).
Which of the two you see depends on the "Enable Realtime File Monitoring" checkbox under "{DEFAULT.EN_US} Detection Parameters" Configuration -> Parameters: when it is checked, filewatch events carry an R disposition; when it is unchecked, they carry a P disposition.
The P and R values were undocumented until now, but this information will be added to future documents that ship with this product line.
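As an added example (not Symantec's code and not part of this article), the following Python script decodes DISPOSITION codes from an exported event list and applies the consistency rule stated above: P and R should only appear on DFWW and DFWU events, so a P or R on any other EVENT_TYPE, or a code outside the documented set, is worth a second look. The CSV layout, the column names EVENT_ID and HOST, and the non-filewatch event type names OTHER1/OTHER2 are assumptions made for the sample; the sample rows are constructed, not real product output. The per-host mode summary is an inference: a host whose filewatch events show both P and R during one window most likely had "Enable Realtime File Monitoring" toggled during that window.

```python
import csv
import io
from collections import Counter, defaultdict

# DISPOSITION codes and meanings as documented in the article above.
DISPOSITION_MEANING = {
    "A": "Allow",
    "D": "Denied",
    "F": "Failure",
    "S": "Success",
    "E": "Error",
    "P": "FileWatch Polling mode",
    "R": "FileWatch Real-Time mode",
}

# Per the article, P and R are only expected on these two EVENT_TYPE values.
FILEWATCH_EVENT_TYPES = {"DFWW", "DFWU"}
FILEWATCH_DISPOSITIONS = {"P", "R"}

# Constructed sample export (assumed CSV layout; OTHER1/OTHER2 are placeholder
# event types, and 'Q' is a deliberately invalid disposition code).
SAMPLE_EXPORT = """\
EVENT_ID,EVENT_TYPE,DISPOSITION,HOST
1,DFWW,R,win-srv01
2,DFWU,P,lnx-db02
3,DFWW,P,win-srv01
4,OTHER1,D,win-srv01
5,OTHER2,A,lnx-db02
6,OTHER1,R,win-srv01
7,OTHER2,Q,lnx-db02
"""


def decode_disposition(code):
    """Map a one-letter DISPOSITION code to its documented meaning."""
    return DISPOSITION_MEANING.get(code, f"Unknown disposition '{code}'")


def check_event(event_type, disposition):
    """Return a list of consistency problems for one event (empty if none)."""
    issues = []
    if disposition not in DISPOSITION_MEANING:
        issues.append(f"unknown disposition code '{disposition}'")
    elif disposition in FILEWATCH_DISPOSITIONS and event_type not in FILEWATCH_EVENT_TYPES:
        issues.append(
            f"disposition {disposition} ({decode_disposition(disposition)}) "
            f"on non-filewatch event type {event_type}"
        )
    return issues


def analyze_export(text):
    """Summarise an exported event list.

    Returns a dict with:
      counts          - Counter of DISPOSITION codes seen
      issues          - list of (EVENT_ID, problem) tuples
      filewatch_modes - {HOST: set of P/R codes seen on DFWW/DFWU events}
    """
    counts = Counter()
    issues = []
    modes = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        event_type, disposition = row["EVENT_TYPE"], row["DISPOSITION"]
        counts[disposition] += 1
        for problem in check_event(event_type, disposition):
            issues.append((row["EVENT_ID"], problem))
        if event_type in FILEWATCH_EVENT_TYPES and disposition in FILEWATCH_DISPOSITIONS:
            modes[row["HOST"]].add(disposition)
    return {"counts": counts, "issues": issues, "filewatch_modes": dict(modes)}


if __name__ == "__main__":
    report = analyze_export(SAMPLE_EXPORT)
    for code, n in sorted(report["counts"].items()):
        print(f"{code} ({decode_disposition(code)}): {n}")
    for event_id, problem in report["issues"]:
        print(f"event {event_id}: {problem}")
    for host, codes in sorted(report["filewatch_modes"].items()):
        mode = "mixed (setting changed?)" if len(codes) > 1 else decode_disposition(next(iter(codes)))
        print(f"{host}: filewatch mode {mode}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the column names will need to match whatever your export or SIEM connector actually emits.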