There is a need to review local activity on an Endpoint Protection Mac client.
Client activity logs can be viewed in the user interface for Content updates, Firewall, Intrusion Prevention, Detections, Scans, Quarantine actions, Unresolved Risk activity, and Device Control.
Endpoint Protection Mac client 14.3 RU1 and newer.
To view the client activity logs perform the following:
1) Open the client user interface using the 'Open Symantec Endpoint Protection' option when viewing the Endpoint Protection icon in the notification bar.
2) Click on the Advanced gear.
3) Click Activity.
4) Click on the Arrow to the right of Security History.
5) The following will open for the client:
Log type definitions:
All - This combines all activity from every section into a full list of client activity. NOTE - when viewing/exporting from "All", some category-specific columns are omitted. To see all event details, it is best to view and export from the specific category, e.g. "Connection blocking"
Updates - Content update activity.
Connection Blocking - Firewall activity for any rules matched. The rules would need to be configured to write to the traffic log.
Vulnerability Protection - Intrusion Prevention (IPS) detection activity.
Threat Detections - Risk detection activity.
Virus Scans - On-demand scan activity. This includes administrator defined or manual scans that are run.
Quarantine - Quarantine activity from any threat detections.
Unresolved Risks - Detected risks that require additional remediation activity such as a reboot, a scan or quarantine in order to take action on the risk.
Device Detections - Device Control activity.
On this screen there are a series of options at the top that provide additional activities that can be taken.
The options from left to right are:
Export - export the logs out to a local file. NOTE - when viewing/exporting from "All", some category-specific columns are omitted. To see all event details, it is best to view and export from the specific category, e.g. "Connection blocking"
Clear Security History - Clear or set a log retention interval.
Filter - Show events that are only Allowed or Blocked and filter on Date or Severity.
Print - Print to the logs.
More Info - When an activity is selected this can show additional information about the event.
Additional actions - Some events will allow additional actions to be performed when clicking on the gear icon.
Security History View Options - Provides options to customize the view of the various logs when shown in the user interface.