Some risk event notifications show as sent with a two minute delay, even with priority event notification enabled

Article ID: 158417

Products

Endpoint Protection

Issue/Introduction

In Symantec Endpoint Protection Manager (SEPM) 12.1.4, you have enabled priority event notifications, which are sent outside the scope of the client heartbeat. You have configured multiple risk-related notifications, including Single Risk Event. However, when you review the logs, you notice that some notifications are sent about two minutes after other notifications for the same detection.

This is an example of what the SEPM displays when you view the detailed event information under Monitors > Logs > Risk > View Log.

Database insert date: 09/04/2013 15:51:13
Event client date: 09/04/2013 15:50:14

Click Monitors > Notifications > View Notifications, and then compare the trigger times between the New risk and the Single risk notifications.

New risk found notification trigger time: 09/04/2013 15:51:21
Single risk event notification trigger time: 09/04/2013 15:53:21

Cause

The default mechanism for selecting risk events subtracts two minutes from the present time, so that events inserted into the database late are not excluded from notifications. Since you can configure SEP 12.1.4 to bypass the normal client-server communication and send priority events immediately, this protective default becomes the cause of the delay in the notification trigger.

Resolution

Reconfigure the default value of the notification task mechanism.

  1. Open conf.properties with Notepad. This file is located in the following folder:

    SEPM Installation\tomcat\etc

    Where SEPM Installation is the SEPM installation path.

    By default, this path is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager on a 64-bit system, and C:\Program Files\Symantec\Symantec Endpoint Protection Manager on a 32-bit system.

  2. Add the following line:

    scm.server.task.securityalertnotifytask.delta = x

    Where x is one of the following values:

    • To speed up notification from the default, set the value of x to 1.

    • To disable this feature, set the value of x to 0.

      Note: If you set the value to 0, you remove the notification trigger delay, but as a consequence, some notifications may exclude some events.

  3. Save changes and close conf.properties.
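As an added example (not part of the article or of the product), a Python helper that applies step 2 idempotently: it replaces an existing definition of the property instead of appending a duplicate, accepts only the two values the article documents, and keeps a backup of the original file. The sample conf.properties content is constructed.

```python
import re
from pathlib import Path
from typing import Optional

# Property named in the article; SEPM reads it from tomcat\etc\conf.properties.
DELTA_KEY = "scm.server.task.securityalertnotifytask.delta"
# Values the article documents: 0 disables the look-back, 1 shortens it to one minute.
DOCUMENTED_VALUES = {0, 1}
# Key followed by a Java properties separator ('=', ':' or whitespace). Commented-out
# lines and longer keys that merely share the prefix do not match.
_KEY_RE = re.compile(rf"^\s*{re.escape(DELTA_KEY)}(?:\s*[=:]\s*|\s+)(\S+)")

def get_delta(text: str) -> Optional[int]:
    """Return the configured delta, or None when the key is absent (built-in default applies)."""
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            return int(m.group(1))
    return None

def set_delta(text: str, minutes: int) -> str:
    """Return conf.properties content with DELTA_KEY set to `minutes`.

    The first existing definition is replaced in place and any duplicates are
    dropped; if the key is absent the line is appended. All other lines,
    comments included, are left exactly as they were.
    """
    if minutes not in DOCUMENTED_VALUES:
        raise ValueError(f"{DELTA_KEY} must be 0 or 1, got {minutes}")
    new_line = f"{DELTA_KEY} = {minutes}"
    out, done = [], False
    for line in text.splitlines():
        if _KEY_RE.match(line):
            if not done:
                out.append(new_line)
                done = True
            continue  # drop duplicate definitions of the same property
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"

def update_conf(path: Path, minutes: int) -> str:
    """Rewrite conf.properties on disk, keeping a .bak copy, and return the new content."""
    original = path.read_text(encoding="latin-1")  # .properties files are ISO-8859-1
    path.with_name(path.name + ".bak").write_text(original, encoding="latin-1")
    updated = set_delta(original, minutes)
    path.write_text(updated, encoding="latin-1")
    return updated

# Constructed sample of a conf.properties fragment (not a real SEPM file).
SAMPLE_CONF = "# SEPM server settings (constructed example)\nscm.server.name = sepm01\n"
```

Run `update_conf(Path(r"...\tomcat\etc\conf.properties"), 1)` with the SEPM service stopped, then start it again so the new value is read.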


Applies To

Symantec Endpoint Protection (SEP) 12.1.4 (enterprise version) or SEP Small Business Edition 12.1.4, with priority event notifications enabled for Single risk event notifications and/or Risk outbreak notifications.