A Risk or Threat is detected and logged on the SEP client, but the specific event does not show in the Risk Logs or Risk Reports on SEPM.
When looking at Risk Logs or Risk Reports in SEPM, there may be differences between the "Database insert date" and the "Event client Date".
The SEP client uploads its logged events only at the configured Heartbeat interval, in both Push and Pull mode Communication Settings.
In larger environments where the Communication Settings are configured in Pull mode and the default Heartbeat interval was increased to several hours to support the larger environment, the clients' Risk events will not be available to SEPM until at least one Heartbeat has occurred. If the SEPM is busy with other tasks (e.g. content distribution or replication), there may be additional delays inserting the received client data into the database.
There is no mechanism in place for SEP clients to communicate with SEPM via an out-of-band or unscheduled Heartbeat.
In the examples below, the client was configured in Pull mode with a 1-hour Heartbeat interval. The local client log records that the event occurred on 10/06/2011 at 12:14:45. This corresponds to the "Event Client date" below.
The Database insert date is one hour later because of the following settings. Please note that the Heartbeat interval also applies to Push mode and that, as stated below, it is used as the "Frequency in which clients will upload data".
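To separate the normal heartbeat wait from the additional delays described above, the two dates can be compared per event. The following is an added example, not Symantec code: it assumes a CSV export with a hypothetical "Computer" column plus the two date fields named in this article, a month/day/year timestamp layout, and a 10-minute grace period; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. "Computer" is an assumed column name; the two date
# columns use the field names quoted in the article.
SAMPLE_EXPORT = """Computer,Event client Date,Database insert date
WS-001,10/06/2011 12:14:45,10/06/2011 13:14:50
WS-002,10/06/2011 12:20:00,10/06/2011 12:25:10
WS-003,10/06/2011 09:00:00,10/06/2011 12:30:00
WS-004,10/06/2011 13:00:00,10/06/2011 12:45:00
"""

TS_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed timestamp layout of the export


def reporting_lag(rows, heartbeat, grace=timedelta(minutes=10)):
    """Classify each event by how long it took to reach the SEPM database.

    expected   : lag <= heartbeat + grace (event waited for the next heartbeat)
    delayed    : lag beyond that window (e.g. busy SEPM or missed heartbeats)
    clock_skew : insert date precedes client date (client and server clocks differ)
    """
    results = []
    for row in rows:
        event = datetime.strptime(row["Event client Date"].strip(), TS_FORMAT)
        inserted = datetime.strptime(row["Database insert date"].strip(), TS_FORMAT)
        lag = inserted - event
        if lag < timedelta(0):
            verdict = "clock_skew"
        elif lag <= heartbeat + grace:
            verdict = "expected"
        else:
            verdict = "delayed"
        results.append({"computer": row["Computer"], "lag": lag, "verdict": verdict})
    return results


def analyze_export(text, heartbeat):
    """Parse CSV text and classify every row against the heartbeat interval."""
    return reporting_lag(csv.DictReader(io.StringIO(text)), heartbeat)


if __name__ == "__main__":
    for r in analyze_export(SAMPLE_EXPORT, heartbeat=timedelta(hours=1)):
        print(f"{r['computer']}: lag {r['lag']} -> {r['verdict']}")
```

The "Event client Date" comes from the client's clock and the "Database insert date" from the server side, so a negative lag indicates a time synchronization problem rather than a reporting delay.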
This article is no longer applicable to Symantec Endpoint Protection 12.1 RU4 and higher versions. Event 'Fast pathing' was introduced in this version, which essentially bypasses the heartbeat settings described in this article. Refer to the KB article below to learn more about this feature -
Imported Document ID: TECH175364