How to use custom scan option variables from Symantec Endpoint Protection event notifications.
Notifications can be configured using variables along with custom text in the notification fields for Auto-Protect, email protection and user-defined scans, either from the Symantec Endpoint Protection client UI or from the Symantec Endpoint Protection Manager. For centrally managed clients, the administrator may lock some of these settings from the Symantec Endpoint Protection Manager.
Notification and remediation options
Option | Description |
Detection options | Display a notification message when a risk is detected: Enables or disables notifications on infected computers when Auto-Protect or a user-defined scan finds a virus or a security risk. You can modify the type of information that you want to appear in the message. You can use the default text, or you can delete the text and type in your own. If you right-click inside the text box, you can insert variable fields into the notification text. In the message itself, the relevant text automatically replaces the variable fields. The Message variables table lists the default message variables and the variables that you can add. |
Remediation Options | The client might need to terminate a process or stop a service to remove or repair a risk. The following options are available: |
Note that message variables must be entered exactly as they appear in the table below and must be enclosed in brackets.
For example, with a notification from Auto-Protect, the default alert notification variable "LoggedBy" would display Auto-Protect. The entry in the notification reads "Scan type: [LoggedBy] Scan" and will display "Scan type: Auto-Protect Scan" if a detection is made by Auto-Protect, or "Scan type: Scheduled Scan" if a threat is found during a scheduled scan. The wording before and after the variable can be whatever the user or administrator chooses.
Message variables
Field | Description |
LoggedBy | The type of scan that detected the virus or security risk. |
Event | The type of event, such as "Risk Found." |
SecurityRiskName | The name of the virus or security risk that was found. |
PathAndFilename | The complete path and name of the file that the virus or the security risk has infected. |
Location | The drive on the computer on which the virus or security risk was located. |
Computer | The name of the computer on which the virus or security risk was found. |
User | The name of the user who was logged on when the virus or security risk occurred. |
ActionTaken | The action that was taken in response to detecting the virus or security risk. This action can be either the first action or second action that was configured. |
DateFound | The date on which the virus or security risk was found. |
Status | The state of the file: Infected, Not Infected, or Deleted. |
Filename | The name of the file that the virus or the security risk has infected. |
StorageName | The affected area of the application, such as File System Auto-Protect or Lotus Notes Auto-Protect. |
ActionDescription | A full description of the actions that were taken in response to detecting the virus or security risk. |
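Because a variable only works when it is typed exactly as listed and enclosed in brackets, a custom notification text can be checked before it is deployed. The following Python sketch is an added example, not Symantec code: it flags bracketed tokens that do not exactly match a name from the table above and previews the message using a constructed sample event. The function names, the sample values, and the assumption that an unrecognized token is left as typed are all illustrative.

```python
import difflib
import re

# Variable names copied from the "Message variables" table on this page.
MESSAGE_VARIABLES = (
    "LoggedBy", "Event", "SecurityRiskName", "PathAndFilename", "Location",
    "Computer", "User", "ActionTaken", "DateFound", "Status", "Filename",
    "StorageName", "ActionDescription",
)
TOKEN = re.compile(r"\[([^\[\]\r\n]*)\]")
_LOWERED = {name.lower(): name for name in MESSAGE_VARIABLES}


def lint_template(template):
    """Return (token, suggestion) for each bracketed token that is not an exact table name."""
    problems = []
    for token in TOKEN.findall(template):
        if token in MESSAGE_VARIABLES:
            continue
        # Compare case-insensitively so "[loggedby]" or "[Logged By]" gets a hint.
        close = difflib.get_close_matches(token.strip().lower(), _LOWERED, n=1, cutoff=0.8)
        problems.append((token, _LOWERED[close[0]] if close else None))
    return problems


def preview(template, event):
    """Preview the rendered text; unknown tokens stay as typed (assumed behaviour)."""
    def substitute(match):
        name = match.group(1)
        if name in MESSAGE_VARIABLES and name in event:
            return str(event[name])
        return match.group(0)
    return TOKEN.sub(substitute, template)


# Constructed sample event for previewing, not real client output.
SAMPLE_EVENT = {
    "LoggedBy": "Auto-Protect", "Event": "Risk Found",
    "SecurityRiskName": "Example.Risk", "Computer": "WS-0142",
    "PathAndFilename": r"C:\Users\jdoe\Downloads\sample.exe",
    "User": "jdoe", "ActionTaken": "Quarantined", "Status": "Infected",
}

if __name__ == "__main__":
    text = "Scan type: [LoggedBy] Scan\nRisk: [SecurityRiskname]\nFile: [Path And Filename]"
    for token, hint in lint_template(text):
        print(f"unknown variable [{token}]" + (f", did you mean [{hint}]?" if hint else ""))
    print(preview(text, SAMPLE_EVENT))
```
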