The behavior for each Notification Condition is unclear.
Pages 215-217 of the Administrators guide go into more detail about the specifics of each of these settings. That information has also been placed below:
- Authentication failure
Logon failures trigger this type of notification. You set the number of logon
failures and the time period that you want to trigger a notification. Symantec
Endpoint Protection notifies you if the number of logon failures that occur
during the time period exceeds your setting. It reports the number of logon
failures that occurred.
- Client list change
Changes to the clients trigger this type of notification. The types of changes
that can trigger this notification include the addition, movement, name change,
or deletion of a client. Additional possibilities are that a client's Unmanaged
Detector status, client mode, or hardware changed.
- Client security alert
You can choose from compliance, Network Threat Protection, traffic, packet,
device control, and application control security events. You can also choose
the type and extent of the outbreak that should trigger this notification and
the time period. Types include occurrences on any computer, occurrences on
a single computer, or occurrences on distinct computers. Some of these types
require that you also enable logging in the associated policy.
- Enforcer down
An offline Enforcer appliance triggers this type of notification. The notification
tells you the name of each Enforcer, its group, and the time of its last status.
- Forced or Commercial application detected
The detection of an application on the Commercial Application List or on the
administrator's list of applications to watch for triggers this notification.
- New learned application
New learned applications trigger this type of notification.
- New risk detected
New risks trigger this type of notification.
- New software package
New software package downloads trigger this type of notification.
- Risk outbreak
You set the number and type of occurrences of new risks and the time period
that should trigger this type of notification. Types include occurrences on any
computer, occurrences on a single computer, or occurrences on distinct
- Server health
Server health statuses of offline, poor, or critical trigger this notification. The
notification lists the server name, health status, reason, and last status.
- Single risk event
The detection of a single risk event triggers this notification. The notification
lists a number of details about the risk, which includes the user and computer
involved, and the action that Symantec Endpoint Protection took.
- System event
System events such as server and Enforcer activities, replication failure, backup
and restore problems, and system errors trigger this notification. The
notification lists the number of such events that were detected.
- Unmanaged computer
Unmanaged computers trigger this notification. The notification lists details
such as the IP address, MAC address, and operating system for each computer.
- Virus definitions out-of-date
You define out-of-date when setting up the notification. You set the number
of computers and the number of days that the computer's definitions must be
older than to trigger this notification.
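
The Client security alert and Risk outbreak conditions above both name three occurrence types. The following is an added example, not taken from the guide and not Symantec's implementation, that counts constructed events in a time window under one assumed reading of each type: "any" is the total across all computers, "single" is the count on the busiest one computer, and "distinct" is the number of different computers affected. The function names, the sample events, and the use of "greater than or equal to" for the threshold are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, computer name, risk name).
EVENTS = [
    (datetime(2024, 1, 1, 9, 0), "PC-01", "Risk.A"),
    (datetime(2024, 1, 1, 9, 5), "PC-01", "Risk.A"),
    (datetime(2024, 1, 1, 9, 10), "PC-02", "Risk.A"),
    (datetime(2024, 1, 1, 9, 20), "PC-01", "Risk.A"),
    (datetime(2024, 1, 1, 11, 0), "PC-03", "Risk.A"),
]


def window_metrics(events, end, period):
    """Count the events in (end - period, end] under each occurrence type."""
    per_host = Counter(host for ts, host, _ in events if end - period < ts <= end)
    return {
        "any": sum(per_host.values()),                # total on all computers
        "single": max(per_host.values(), default=0),  # busiest single computer
        "distinct": len(per_host),                    # number of computers hit
    }


def triggered(events, occurrence_type, threshold, period):
    """Return the event timestamps at which the assumed condition is met."""
    hits = []
    for ts, _, _ in sorted(events):
        # Assumption: the condition is met when the count reaches the threshold.
        if window_metrics(events, ts, period)[occurrence_type] >= threshold:
            hits.append(ts)
    return hits


if __name__ == "__main__":
    period = timedelta(minutes=30)
    for kind in ("any", "single", "distinct"):
        times = [t.strftime("%H:%M") for t in triggered(EVENTS, kind, 3, period)]
        print(f"{kind:8} threshold=3 window=30min -> {times}")
```

With the same threshold and time period, the three types fire at different moments on identical data, which is why the type has to be chosen to match what is being watched for: volume, one noisy host, or spread across hosts.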