
SCSP and DCS:SA DISPOSITION & DISPOSITION_D event fields - what do they mean?


Article ID: 150299


Products

Embedded Security Critical System Protection Critical System Protection

Issue/Introduction

Symantec Critical System Protection (SCSP) and Symantec Data Center Security Server Advanced (DCS:SA) generate events with a DISPOSITION field. You want to know what the possible values are and what they mean.

Resolution

DISPOSITION  DISPOSITION_D  Effective Description
A            Allow          The operation was allowed to proceed by the prevention engine.
D            Denied         The operation was blocked by the prevention engine.
F            Failure        Failed completion status of the detected event, for example a login attempt that failed.
S            Success        Normal completion status of the detected event, for example a login attempt that succeeded.
E            Error          Error condition detected (usually associated with a Management event).
P            P              FileWatch polling mode.
R            R              FileWatch real-time mode.

The P and R DISPOSITION values were added when the Real-Time File Integrity Monitoring feature was introduced in SCSP. These dispositions (P or R) are only expected for two particular EVENT_TYPEs: DFWW (FileWatch Windows) and DFWU (FileWatch UNIX).

Which of the two you see depends on the "Enable Realtime File Monitoring" checkbox under the "{DEFAULT.EN_US} Detection Parameters" configuration (Configuration -> Parameters): when it is checked, FileWatch events carry an R disposition; when it is unchecked, they carry a P disposition.

The P and R values were undocumented until now; this information will be added to future documentation that ships with this product line.
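The following is an added example, not part of this article or the product, showing how an analyst working from an exported event list can decode the DISPOSITION codes above and flag records that contradict the expectations the article states (P or R appearing outside DFWW/DFWU, a FileWatch event without P or R, or a DISPOSITION_D label that does not match its DISPOSITION). Only the codes, the DISPOSITION_D labels and the DFWW/DFWU event types come from the article; the CSV layout, the TYPE_X placeholder event type and the anomaly rules are assumptions made for the example.

```python
"""Decode SCSP / DCS:SA DISPOSITION codes and sanity-check them against EVENT_TYPE.

Added example, not part of the KB article or the product. Only the codes, the
DISPOSITION_D labels and the DFWW/DFWU event types come from the article; the
CSV layout, the TYPE_X placeholder and the anomaly rules are assumptions.
"""
import csv
import io
from collections import Counter

# DISPOSITION -> DISPOSITION_D, as tabulated in the article.
DISPOSITION_D = {
    "A": "Allow",    # prevention engine allowed the operation
    "D": "Denied",   # prevention engine blocked the operation
    "F": "Failure",  # detected event completed with failure (e.g. failed login)
    "S": "Success",  # detected event completed normally
    "E": "Error",    # error condition, usually a Management event
    "P": "P",        # FileWatch polling mode
    "R": "R",        # FileWatch real-time mode
}

# P and R are only expected on the two FileWatch event types.
FILEWATCH_EVENT_TYPES = {"DFWW", "DFWU"}
FILEWATCH_DISPOSITIONS = {"P", "R"}

# Constructed sample export. TYPE_X is a placeholder for any non-FileWatch
# EVENT_TYPE, not a real product code.
SAMPLE_CSV = """EVENT_TYPE,DISPOSITION,DISPOSITION_D
DFWW,R,R
DFWU,R,R
DFWU,P,P
TYPE_X,D,Denied
TYPE_X,F,Failure
TYPE_X,P,P
TYPE_X,Q,
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts (one per event)."""
    return list(csv.DictReader(io.StringIO(text)))


def describe(disposition):
    """Return the DISPOSITION_D label, or None if the code is not one the article lists."""
    return DISPOSITION_D.get(disposition)


def check_event(event):
    """Return anomaly strings for one event; an empty list means it is consistent."""
    disp = event.get("DISPOSITION", "")
    etype = event.get("EVENT_TYPE", "")
    problems = []
    if disp not in DISPOSITION_D:
        problems.append(f"unknown DISPOSITION {disp!r}")
    # P/R outside DFWW/DFWU contradicts the article's expectation.
    if disp in FILEWATCH_DISPOSITIONS and etype not in FILEWATCH_EVENT_TYPES:
        problems.append(f"FileWatch disposition {disp} on EVENT_TYPE {etype}")
    # FileWatch events carry P or R depending on the realtime setting,
    # so any other code on DFWW/DFWU is unexpected.
    if etype in FILEWATCH_EVENT_TYPES and disp not in FILEWATCH_DISPOSITIONS:
        problems.append(f"FileWatch EVENT_TYPE {etype} with DISPOSITION {disp}")
    # DISPOSITION_D, when populated, should agree with DISPOSITION.
    label = event.get("DISPOSITION_D", "")
    if label and label != describe(disp):
        problems.append(f"DISPOSITION_D {label!r} does not match DISPOSITION {disp!r}")
    return problems


def summarize(events):
    """Count events per DISPOSITION_D label and infer the FileWatch mode(s) in use.

    Returns (counts, modes): counts is a Counter of labels ('?' for unknown codes);
    modes is the set of FileWatch modes seen on DFWW/DFWU events ('polling',
    'realtime'). Seeing both at once suggests the "Enable Realtime File
    Monitoring" setting differs between agents or changed during the period.
    """
    counts = Counter(describe(e.get("DISPOSITION", "")) or "?" for e in events)
    modes = set()
    for e in events:
        if e.get("EVENT_TYPE") in FILEWATCH_EVENT_TYPES:
            if e.get("DISPOSITION") == "R":
                modes.add("realtime")
            elif e.get("DISPOSITION") == "P":
                modes.add("polling")
    return counts, modes


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    counts, modes = summarize(events)
    print("dispositions:", dict(counts))
    print("FileWatch modes seen:", sorted(modes))
    for e in events:
        for problem in check_event(e):
            print("anomaly:", e, "->", problem)
```

Run against a real export, the mode summary is a quick way to confirm that the "Enable Realtime File Monitoring" setting is applied consistently across agents, and the anomaly list surfaces records whose DISPOSITION does not fit the article's table.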