Creating notifications in the Symantec Endpoint Protection Manager

Article ID: 177468

Products

Endpoint Protection

Issue/Introduction

How to set up notifications in the Symantec Endpoint Protection Manager.
 

Resolution

Notifications are messages about security events that have taken place in an Endpoint Protection environment. 

Notifications can be configured to alert both clients and network administrators using the following methods: 

  • Send an email.
  • Run a batch file or another executable file.
  • Log an entry in the notifications log in the Endpoint Protection Manager database.


See “Setting up administrator notifications” in the Administration_Guide.PDF


Viewing and filtering administrator notification information


You can view the information from the notifications log in the same way that you view the
information that is contained in other logs. You can filter the notifications log to view
information about a single type of notification event at a time. You can filter your view
of notifications and save the filters for future use.


Using notifications

You can filter notifications in the log based on the following criteria:

  • Time range
  • Acknowledgment status
  • Type
  • Creator
  • Name



To view all notifications

  1. In the management console, click Monitors.
  2. On the Notifications tab, click View Notifications. The list of all types of notifications appears.



To filter your view of notifications

  1. In the management console, click Monitors.
  2. On the Notifications tab, under What filter settings would you like to use, click Advanced Settings.
  3. Set any option you want to filter on. You can filter on any combination of the time range, the acknowledgment status, the notification type, the creator, or a specific notification name.
  4. Click View Notifications.


A list of the type of notifications that you selected appears. Some notification types
contain default values when you configure them.


Threshold guidelines for administrator notifications

NOTE: These guidelines provide reasonable starting points depending on the size of your
environment, but they may need to be adjusted. Trial and error may be required to find
the right balance between too many and too few notifications for your environment. Set the
threshold to an initial limit, then wait for a few days. See if you receive notifications too
infrequently or if notifications inundate you or your network.

For virus, security risk, and firewall event detection, suppose that you have fewer than 100 computers
in a network. A reasonable starting point in this network is to configure a notification when two risk events
are detected within one minute. If you have 100 to 1000 computers, detecting five risk events within one
minute may be a more useful starting point.


Creating administrator notifications

You can create and configure notifications to be triggered when certain security-related
events occur. You can configure the software to take the following notification actions:

  • Log the notification to the database.
  • Send an email to individuals.
    Note: To send notifications by email, you must also configure a mail server. To configure
    a mail server, click the Admin > Servers page, select a server, click Edit Server Properties,
    and then click the Mail Server tab.
  • Run a batch file or other kind of executable file.


The default damper period for notifications is Auto (automatic). If a notification is triggered
and the trigger condition continues to exist, the notification action that you configured is not
performed again for 60 minutes. For example, suppose you set a notification so that you are
emailed when a virus infects five computers within one hour. If a virus continues to infect your
computers at or above this rate, Symantec Endpoint Protection emails you every hour. The
emails continue until the rate slows to fewer than five computers per hour.

You can configure the software to notify you when a number of different types of
events occur.

Using the Notification Conditions settings, you can configure a client security alert by
occurrences on any computer, a single computer, or on distinct computers. You can also
configure these options for a risk outbreak.
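The threshold guidelines, the Auto damper period and the three occurrence types described above all come down to counting risk events in a sliding time window. The following Python model is an added illustration written for this article, not SEPM code (the product's internal evaluation logic is not described here); the class and function names are assumptions, and the event streams it is exercised with are constructed.

```python
from collections import defaultdict, deque

class NotificationCondition:
    """Added model of a notification condition (not SEPM's own code).

    occurrence_type: 'any'      - N events on any computers within the window
                     'single'   - N events on the same computer within the window
                     'distinct' - events on N distinct computers within the window
    damper_minutes:  after an action fires, it is not repeated for this long
                     while the condition persists (the Auto damper is 60 minutes)
    """

    def __init__(self, occurrences, window_minutes, occurrence_type="any",
                 damper_minutes=60):
        self.occurrences = occurrences
        self.window = window_minutes
        self.kind = occurrence_type
        self.damper = damper_minutes
        self.events = deque()      # (minute, computer) pairs inside the window
        self.last_action = None    # minute at which the action last fired

    def _condition_met(self):
        hosts = [h for _, h in self.events]
        if self.kind == "any":
            return len(hosts) >= self.occurrences
        if self.kind == "distinct":
            return len(set(hosts)) >= self.occurrences
        per_host = defaultdict(int)
        for h in hosts:
            per_host[h] += 1
        return max(per_host.values(), default=0) >= self.occurrences

    def observe(self, minute, computer):
        """Feed one risk event; return True if the configured action should run."""
        self.events.append((minute, computer))
        # drop events that have aged out of the window
        while self.events and minute - self.events[0][0] >= self.window:
            self.events.popleft()
        if not self._condition_met():
            return False
        if self.last_action is not None and minute - self.last_action < self.damper:
            return False       # condition still true, but the damper suppresses it
        self.last_action = minute
        return True

def fire_times(events, **settings):
    """Return the minutes at which the action fires for a constructed event list."""
    cond = NotificationCondition(**settings)
    return [m for m, c in events if cond.observe(m, c)]
```

With five distinct computers infected within 60 minutes and one new infection every ten minutes, the action fires at minutes 40, 100 and 160, which is the hourly e-mail cadence the damper paragraph describes.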

To create an administrative notification:

  1. In the management console, click Monitors.
  2. On the Notifications tab, click Notification Conditions.
  3. Click Add, and then select the type of notification that you want to add from the list that appears.
  4. In the new window that appears, in the Notification name text box, type a descriptive name.
  5. Specify the filter options that you want. For example, for some types of notifications, you can limit the notification to specific domains, groups, servers, computers, risks, or applications.
  6. Specify the notification settings and the actions that you want to occur when this notification is triggered. You can click Help to see descriptions of the possible options for all types of notifications.
  7. Click OK.



Sending mail as a result of a notification.

If you select Send email to as the action to take, the email notification depends on the mail
server's user name option. The user name that is configured for the mail server from the Server
Properties dialog must be a fully qualified domain name (FQDN) in the form user@domain.
If this field is left blank, the notifications are sent from SYSTEM@computername. If the
reporting server has a name that uses Double Byte Character Set (DBCS) characters, you
must specify the user name field with an email account name of the form user@domain.
To check this setting, follow the instructions below.

  1. Log in to the SEPM.
  2. From the Admin tab, click Servers > Server name > Edit Server Properties > Mail Server tab.
  3. Enter the name as "[email protected]" (as an example). The name used must be a valid user name that belongs to the domain.



NOTE: The Symantec Endpoint Protection Manager cannot send email notifications to an SMTP
server that is configured to require Secure Password Authentication (SPA). You will need to
configure SEPM to use another mail server that does not require SPA, or disable the SPA
requirement on your current email server.

To test whether the server requires Secure Password Authentication:

Configure another email client program, such as Outlook or Outlook Express, to send POP3/SMTP
email using the same SMTP server. If you are only able to send email through that SMTP server
when the option "Log on using Secure Password Authentication" (or similar) is checked, SPA is
required.


Running a batch or executable file as the result of a notification.

If you select Run the batch or executable file as the action to take, type in
the name of the file. Path names are not allowed. The batch file or executable
file to run must be located in the following directory:

drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin

For this process to function properly, the "Symantec Endpoint Protection Manager" (SEPM)
service must be allowed to interact with the desktop.

To allow the SEPM service to interact with the desktop:

  1. Use an administrative login to access the machine on which SEPM is installed.
  2. Click Start > Run, type services.msc, and then click OK.
  3. Find the "Symantec Endpoint Protection Manager" service, right-click it and select "Properties".
  4. Select the "Log On" tab.
  5. Under "Local System Account", check the box "Allow service to interact with desktop".
  6. Click OK.
  7. Restart the machine.

Note: For SEPM 12.1 RU5 or later, you have to enable "Allow service to interact with desktop" for the "Symantec Endpoint Protection Launcher" service instead of the "Symantec Endpoint Protection Manager" service.


Network Threat Protection Email Notifications

You may want to create a Network Threat Protection notification that is triggered when a traffic
event matches the criteria that are set for a firewall rule.

To create this type of notification, you must perform the following tasks:

  • In the Firewall Policy Rules list, check the Send Email Alert option in the Logging column of the rules you want to be notified about.
  • On the Notifications tab, configure a Client security alert for Network Threat Protection, Packet, or Traffic events.
  • Run a batch file or other kind of executable file.


Note: To send notifications by email, you must also configure a mail server. To configure a mail
server, click the Admin > Servers page, select a server, click Edit Server Properties, and then
click the Mail Server tab.

See “Configuring notifications for Network Threat Protection” below, or on page 483 of the
Administration_Guide.PDF

For a description of each configurable option, you can click Tell me more on the
Symantec Endpoint Protection Manager Console. Tell me more displays context-sensitive Help.

Note: You can filter your view of the Notification Conditions you have created by using the Show
notification types list box. To be sure that the new notifications that you create are displayed, make
sure that All is selected in this list box.


To create a Network Threat Protection administrative notification:

  1. In the management console, click Monitors.
  2. On the Notifications tab, click Notification Conditions.
  3. Click Add and select Client security alert.
  4. Type in a name for this notification.
  5. If you want to limit this notification to specific domains, groups, servers, or computers, specify the filter options that you want.
  6. To further filter when the notification is sent, select one of the following outbreak types:
    • Occurrences on distinct computers
    • Occurrences on any computer
    • Occurrences on single computer
  7. To specify the type of Network Threat Protection activity, check one of the following check boxes:
    • For the attacks and events that the firewall detects or the Intrusion Prevention signatures detect, check Network Threat Protection events
    • For the firewall rules that are triggered and recorded in the Packet Log, check Packet events
    • For the firewall rules that are triggered and recorded in the Traffic Log, check Traffic events
  8. If desired, change the default notification conditions to set the number of occurrences within the number of minutes that you want to trigger this notification.
  9. Check Send email to, and then type in the email addresses of the people that you want to notify when these criteria are met.
  10. Click OK.


The Send Email Alert option in the Logging column of the Firewall Policy Rules list is now operational.
When this notification is triggered, email is sent.

See “Configuring email messages for traffic events” on page 485 of the Administration_Guide.PDF.

For a description of each configurable option, you can click Tell me more on the
Symantec Endpoint Protection Manager Console. Tell me more displays the context-sensitive Help.

Note: You can filter your view of the Notification Conditions you have created by using the
Show notification types list box. To be sure that the new notifications that you create are
displayed, make sure that All is selected in this list box.


Network Threat Protection notifications:

By default, notifications appear on client computers when the client detects various Network
Threat Protection events. You can configure some of these notifications. Enabled notifications
display a standard message to which you can add customized text.

To configure firewall notifications:

  1. In the console, open a Firewall Policy. See “Editing a policy” in the Administration_Guide.PDF on page 336.
  2. On the Firewall Policy page, click Rules.
  3. On the Notifications tab, check Display notification on the computer when the client blocks an application.
  4. To add customized text to the standard message that appears when a rule's action is set to Ask, check Additional text to display if the action for a firewall rule is 'Ask'.
  5. For either notification, click Set Additional Text.
  6. In the Enter Additional Text dialog box, type the additional text you want the notification to display, and then click OK.
  7. When you are done with the configuration of this policy, click OK.



To configure intrusion prevention notifications:

  1. In the console, click Clients and under View Clients, select a group.
  2. On the Policies tab, under Location-specific Policies and Settings, under a location, expand Location-specific Settings.
  3. To the right of Client User Interface Control Settings, click Tasks, and then click Edit Settings.
  4. In the Client User Interface Control Settings for group name dialog box, click either Mixed control or Server control.
  5. Beside Mixed control or Server control, click Customize. If you click Mixed control, on the Client/Server Control Settings tab, beside Show/Hide Intrusion Prevention notifications, click Server. Then click the Client User Interface Settings tab.
  6. In the Client User Interface Settings dialog box or tab, click Display Intrusion Prevention notifications.
  7. To enable a beep when the notification appears, click Use sound when notifying users.
  8. In the Number of seconds to display notifications text field, type the number of seconds that you want the notification to appear.
  9. To add text to the standard notification that appears, click Additional Text.
  10. In the Additional Text dialog box, type the additional text you want the notification to display, and then click OK.
  11. Click OK, then click OK again to complete configuration.



Configuring email messages for traffic events:

You can configure the Symantec Endpoint Protection Manager to send an email message to
you each time the firewall detects a rule violation, attack, or event. For example, you may want
to know when a client blocks the traffic that comes from a particular IP address.

To configure email messages for traffic events:

  1. In the console, open a Firewall Policy. See “Editing a policy” in the Administration_Guide.PDF on page 336.
  2. On the Firewall Policy page, click Rules.
  3. On the Rules tab, select a rule, right-click the Logging field, and do the following actions:
    • To send an email message when a firewall rule is triggered, check Send Email Alert
    • To generate a log event when a firewall rule is triggered, check both Write to Traffic Log and Write to Packet Log
  4. When you are done with the configuration of this policy, click OK.


To configure a security alert, see “Creating administrator notifications” in the Administration_Guide.PDF on page 211.
To configure a mail server, see “Establishing communication between Symantec Endpoint Protection Manager and email servers” in the Administration_Guide.PDF on page 259.


About editing existing notifications

If you edit the settings of an existing notification, the previous entries that it generated
display messages in the notifications log based on your new settings. If you want to
retain your past notification messages in the notifications log view, do not edit the
settings of an existing notification. Instead, create a new notification with a new name.
Then, disable the existing notification by unchecking the actions that were configured
under What should happen when this notification is triggered.

 


References
See “Managing notifications” in the Administration_Guide.PDF, p. 647-650.
Symantec™ Endpoint Protection 14.3 RU9 Installation and Administration Guide