How does the History window work in the Symantec Endpoint Protection Cloud (SEPC) agent?
Where can I find my security logs in SEPC?
Where can I find my Firewall reports locally?
Where can I find my Quarantine folder?
How can I check if my Security Policy was pushed out to my device?
How can I check if my Security Policy was applied to my device properly?
How can I check if my policies were updated correctly?
How can I check if my device completed the enrollment process to the cloud?
How can I check if my management commands were received on the local device?
How can I check if my management commands were pushed out properly by the SEPC management portal?
How can I export logs from my local agent to a file?
What is Tamper Protection?
What is Product Troubleshooting Data?
What is Symantec Community Watch?
What is Symantec Error Reporting?
From the main SEPC window, select the History icon to open a second window that shows the detailed logs kept on the local device.
Using the drop-down menu, you can select from a variety of log types.
1) Recent/Full History are used as a general summary of the activities logged on the device.
2) Scan Results reports what occurred during a scheduled or manual scan.
Note: If the device is offline or in sleep mode when a scan is scheduled, the agent will keep trying for 36 hours to start the scan once the device is back online and idle. If the device does not come back online within that 36-hour window, the scheduled scan is missed.
3) Resolved Security Risks are items that were handled automatically by the SEPC agent, while Unresolved Security Risks are items that require additional administrative action or user interaction.
If there is more than one entry, you can switch between the different panels. If you select "More Options" or simply double-click an entry, a third window opens with a more detailed report of the detected item. In this third window you can switch between Details, Origin, and Activity. It is from this view that you perform the extra administrative step to restore, dismiss, or remove the item when required.
Should you choose to "Restore" the detected item, you will be prompted for confirmation and then presented with the "Restore Status".
Once you have performed the administrative step, the entry is removed from "Resolved/Unresolved Security Risk".
4) The "Quarantine" section reports which files, executables, or other items were quarantined and contained. Here you can manage the detected threats and handle potential false positives.
5) "Sonar Activity" reports all detections and actions taken by the SONAR protection feature, also known as Application Behavior Monitoring. SONAR looks for suspicious behavior by applications to decide whether an application has been compromised. It protects devices from zero-day threats before traditional virus and spyware definitions have been created to address them, detecting emerging threats by combining Symantec Insight with proactive local monitoring on the device. See: How Protection Features work in SEP Cloud.
6) "Firewall - Network and Connections" reports all network connections from and through the device.
7) "Firewall - Activities" reports all firewall-related events that occurred on the device.
8) "Wi-Fi Security" reports all events that occurred over Wi-Fi. Configuration details can be found under: Configuring wireless access policy setting.
Note: If Symantec MDM is disabled, wireless access policies are not supported.
9) "Intrusion Prevention" reports events that relate to network or browser intrusion attacks. Intrusion prevention technology performs signature scans of packets or streams of packets, looking for patterns that correspond to known network attacks or browser attacks.
For example, an event is raised when a network intrusion attempt is prevented or a browser intrusion attempt is blocked.
10) "Social Protection" reports events that are associated with a specific user and indicate a pattern of high-risk behavior, whether intentional or unintentional.
For example, opening untrusted links in emails or social media, unintentional downloads of malware (drive-by downloads), or an attack originating inside your network (insider threats).
11) "Download Insight" is also known as File Reputation Assessment. It detects potential risks in downloaded files based on file reputation, leveraging the Symantec Insight reputation database, which collects information from a global community of millions of users and from the Global Intelligence Network.
12) "Symantec Product Tamper Protection" detects and blocks other applications or processes that attempt to modify SEPC's own files or registry keys. Every such attempt is logged here and blocked from taking effect.
13) "Performance Alert" reports how SEPC performs on the local device, for example memory usage, disk read/write activity, process ID, CPU usage, and handle count.
14) "Device Control" reports all activity concerning USB devices and mass storage. See: Create event rule for plugged in USB devices and mass storage.
15) "Symantec Error Reporting" is also known as SymQual. It sends system and application crash information to Symantec to help improve the product.
16) "Symantec Community Watch" lists files submitted to the cloud to have their reputation evaluated.
17) "Product Troubleshooting Data" lists the logs collected by the client when debugging.
18) "Silent Mode" reports when Silent Mode was successfully turned on and off. Turning on this option prevents interruptions from alerts, notifications, or background activities for a specified duration. The security application icon in the notification area changes from a yellow outer circle to gray to show that Silent Mode is on.
Note: The Silent Mode option is available only on Windows devices.
19) "LiveUpdate" reports the update sessions that deliver virus definitions and product updates to enrolled devices. Devices receive these updates automatically, but you can force an update if required, for example when a device has been offline for a considerable period of time. LiveUpdate requires adequate disk space to run successfully; ensure that your devices have at least 1 GB of available disk space to avoid LiveUpdate failures. See: Running LiveUpdate.
20) "Management Commands" are commands issued from the SEPC management console to the device.
Once a command is received by the device, it appears in this section. Please note that a command being started does not mean it completed successfully: wait for the command to report "Completed" to confirm that it was executed properly.
21) "Operational State" reports the status of the SEPC agent and tells you when it is experiencing problems. Please note that the agent will always attempt to correct itself and return to a working state.
22) "Enrollment" reports the current status of the device with respect to the Cloud Portal. A completed Enrollment Status confirms that the installation succeeded and that the device is properly enrolled in the SEPC portal.
23) The "Policy" section reports whether the currently applied Security Policy was updated properly or failed to be applied. To resolve a "Partially Applied" status, refer to: Error: 0x80040500 management policy partially applied.