You have configured an email notification (or other notification) for "Single Virus Events". However, it appears to take at least 20 minutes for this notification to be generated by the SEPM. The on-screen notification appears immediately on the SEP client.
This is to be expected. Event Notifications and Event Log Forwarding are separate steps. Virus events will be written from the client to the server based on the log aggregation setting on the client, but alerts/notifications will be generated based on the Notification Damper setting.
Event log forwarding is dependent upon the Log Aggregation frequency policy (part of the Antivirus and Antispyware policy) that is active on the client.
To set the Log Event Aggregation value
Log into the SEPM
Open the "Policies" tab
Select the "Antivirus and Antispyware" policy and chose the "Edit" option
In the "Miscellaneous" section, open the "Log Handling" tab
Set the "Log Event Aggregation" to the value you desire. (Smallest possible value is 1 minute; default value is 5 minutes).
Event Notification is dependent upon the "Notification Damper Period" that is active on the SEPM
To set the Event-specific "Notification Damper Period"
Log into the SEPM
Open the "Monitors" tab
Select the "Notifications" tab
Click on the "Notification Conditions" button
Edit the "Single Risk Event" (If this does not exist, create the notification by clicking "Add" and selecting "Single Risk Event" for the event type).
Under "What Settings would you like for this Notification", set the "Damper" value to the value you desire. (Smallest value is 20 minutes; default value is "Auto").
Note: The "Auto" value is set for 1hour for all notifications.
Technical Information Note that setting a damper value to be significantly faster than 20 minutes would cause a major performance hit on the database as it would continuously be running queries to determine if a notification was necessary.
Imported Document ID: TECH104921
Subscribing will provide email updates when this Article is updated. Login is required.