Symantec Endpoint Protection Manager (SEPM) has been configured to send email notifications for risk events, e.g. Single Risk Event or Risk Outbreak by Number of Attacked Computers, with a damper period. The damper period is designed to prevent a flood of notifications or emails for several similar events within the same time period.
For example, a Single Risk Event notification with a damper period of 20 minutes should be limited to one email for any number of similar events during a 20-minute period.
When the notification condition is triggered, a single email notification is received as expected during the damper period, however, many more notifications for the same event(s) are received later, well after the damper period is expired.
For SEP 12.1, a fix to improve the behavior was released in SEP 12.1.1 (RU1). Additional improvements were added in SEP 12.1 RU1 MP1.
For SEP 11, one possible cause of this behavior was corrected in SEP 11 RU7 MP1.