search cancel

Single Virus Event Notifications are Delayed by 20 minutes or longer


Article ID: 151530


Updated On:


Endpoint Protection


You have configured an email notification (or other notification) for "Single Virus Events". However, it appears to take at least 20 minutes for this notification to be generated by the SEPM. The on-screen notification appears immediately on the SEP client.


This is to be expected. Event Notifications and Event Log Forwarding are separate steps. Virus events will be written from the client to the server based on the log aggregation setting on the client, but alerts/notifications will be generated based on the Notification Damper setting.


Event log forwarding is dependent upon the Log Aggregation frequency policy (part of the Antivirus and Antispyware policy) that is active on the client.

To set the Log Event Aggregation value
  1. Log into the SEPM
  2. Open the "Policies" tab
  3. Select the "Antivirus and Antispyware" policy and chose the "Edit" option
  4. In the "Miscellaneous" section, open the "Log Handling" tab
  5. Set the "Log Event Aggregation" to the value you desire. (Smallest possible value is 1 minute; default value is 5 minutes).

Event Notification is dependent upon the "Notification Damper Period" that is active on the SEPM

To set the Event-specific "Notification Damper Period"
  1. Log into the SEPM
  2. Open the "Monitors" tab
  3. Select the "Notifications" tab
  4. Click on the "Notification Conditions" button
  5. Edit the "Single Risk Event"
    (If this does not exist, create the notification by clicking "Add" and selecting "Single Risk Event" for the event type).
  6. Under "What Settings would you like for this Notification", set the "Damper" value to the value you desire. (Smallest value is 20 minutes; default value is "Auto").

Note: The "Auto" value is set for 1hour for all notifications.

Technical Information
Note that setting a damper value to be significantly faster than 20 minutes would cause a major performance hit on the database as it would continuously be running queries to determine if a notification was necessary.