What is the meaning of each “Action taken” criteria in the Symantec Endpoint Protection Manager (SEPM) event notifications?
Last Updated March 06, 2012
This document explains the meaning of each "Action taken" criterion that can be selected for Event notifications in the Symantec Endpoint Protection Manager (SEPM). It also explains how these criteria correlate with each other and with the parameters of the AntiVirus and AntiSpyware policy.
The options are described in the table below:

Access denied: Symantec Endpoint Protection (SEP) prevented malware from accessing a file.
Action invalid: The configured action could not be taken. For example, "Quarantine" is the defined action, but the file is also blocked from being written, so it cannot be quarantined.
All actions failed: None of the actions configured in the policies were successful.
Cleaned: The infected file was successfully cleaned of the existing risk, as per the action configured in the policy.
Cleaned by deletion: The configured action was Clean, but the file contained nothing but malicious code, so it was deleted.
Cleaned or macros deleted: This applies to files containing macros. Either the malicious code was cleaned or all of the macros were deleted.
Deleted: The risk was successfully deleted, as per the action configured in the policy.
Excluded: The file was excluded from scanning by SEP as part of the "Reboot Pending" action (to prevent continuous re-detections).
Left alone: The risk was left alone, as per the action configured in the policy.
No repair available: The file could not be repaired because no remediation code was available.
Partially repaired: Only part of the repair was completed.
Pending repair: Repair is pending. For instance, the machine might need to be rebooted.
Process terminated: A process that was identified as a risk was successfully terminated.
Process terminated pending restart: Same as above, but a restart is required for the action to be completed.
Quarantined: The risk was successfully quarantined, as per the action configured in the policy.
Suspicious: Proactive Threat Protection has detected a risk, but it is set to "Log only". In this case, the notification will display the risk as suspicious.
Here are some Best Practices / Recommendations regarding setting up Notifications:
Monitoring your environment as a whole
Remember that the environment needs to be monitored as a whole. It may be necessary to monitor a recurring infection, for example to check whether there is a blended threat. Blended threats cause some computers to constantly take action on detected risks, because another, undetected risk is spreading malware throughout the network. In this scenario, it is useful to be notified about successful actions as well as actions that have failed.
Avoiding an excessive number of notifications / redundant information
Using the damper period is a way to avoid an excessive number of notifications within a short period of time. When setting up an "outbreak" type of notification, it is also possible to control how many occurrences must happen within a chosen number of minutes before a notification is sent.
For an overview of what is happening, this type of setting can be applied to a notification that includes "all" possible results for actions taken. At the same time, a separate notification can be set up using the criterion "All actions failed". This helps to keep the focus on situations that might need quicker action from the administrator.
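The following is an added example, not part of the original Symantec article and not SEPM's own code: a small Python simulation of how an "Action taken" filter, an outbreak threshold (N occurrences in M minutes) and a damper period interact when applied to a stream of risk events, alongside the blended-threat check from the "Monitoring your environment as a whole" section (hosts that keep successfully acting on the same risk). The event records, field layout, thresholds and rule names are constructed for the illustration and are not SEPM's actual log format or defaults.

```python
"""Added example (not from the Symantec article): simulation of SEPM-style
notification rules. Event format, thresholds and rule names are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, computer, risk name, action taken).
EVENTS = [
    ("2012-03-06 09:00:00", "PC-01", "W32.Example", "Quarantined"),
    ("2012-03-06 09:02:00", "PC-02", "W32.Example", "Cleaned"),
    ("2012-03-06 09:03:00", "PC-01", "W32.Example", "Quarantined"),
    ("2012-03-06 09:04:00", "PC-03", "W32.Example", "All actions failed"),
    ("2012-03-06 09:05:00", "PC-01", "W32.Example", "Quarantined"),
    ("2012-03-06 09:06:00", "PC-04", "W32.Example", "Deleted"),
    ("2012-03-06 09:30:00", "PC-01", "W32.Example", "Quarantined"),
    ("2012-03-06 09:31:00", "PC-03", "W32.Example", "All actions failed"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


class Notifier:
    """One notification rule evaluated over a stream of events.

    actions:  set of "Action taken" values the rule matches (None = all).
    outbreak: (count, minutes) - notify only once `count` matching events
              have occurred within `minutes`; None = notify on every match.
    damper:   minutes during which repeat notifications are suppressed.
    """

    def __init__(self, name, actions=None, outbreak=None, damper=0):
        self.name, self.actions = name, actions
        self.outbreak, self.damper = outbreak, timedelta(minutes=damper)
        self.window = deque()   # timestamps of recent matching events
        self.last_sent = None

    def feed(self, ts, computer, risk, action):
        if self.actions is not None and action not in self.actions:
            return None
        if self.outbreak:
            count, minutes = self.outbreak
            self.window.append(ts)
            # Drop events that fell out of the sliding outbreak window.
            while ts - self.window[0] > timedelta(minutes=minutes):
                self.window.popleft()
            if len(self.window) < count:
                return None
        if self.last_sent is not None and ts - self.last_sent < self.damper:
            return None         # inside the damper period: suppressed
        self.last_sent = ts
        return (self.name, ts, computer, risk, action)


def run_rules(events, rules):
    """Feed every event to every rule; return the notifications emitted."""
    out = []
    for ts, computer, risk, action in events:
        for rule in rules:
            n = rule.feed(parse(ts), computer, risk, action)
            if n:
                out.append(n)
    return out


def recurring_hosts(events, min_repeats=3):
    """Hosts that keep *successfully* acting on the same risk: a sign that
    something undetected elsewhere is re-delivering it (blended threat)."""
    counts = defaultdict(int)
    for _, computer, risk, action in events:
        if action != "All actions failed":
            counts[(computer, risk)] += 1
    return sorted(k for k, v in counts.items() if v >= min_repeats)


if __name__ == "__main__":
    rules = [
        # Urgent: every failure, no damper, so nothing is hidden.
        Notifier("urgent: all actions failed", actions={"All actions failed"}),
        # Overview: any action, but only 4+ events in 10 min, then quiet for 60.
        Notifier("overview: outbreak", outbreak=(4, 10), damper=60),
    ]
    for n in run_rules(EVENTS, rules):
        print(n)
    print("recurring:", recurring_hosts(EVENTS))
```

With the constructed events, the urgent rule fires on both "All actions failed" events, the overview rule fires once at 09:04 (the fourth event inside ten minutes) and stays silent through the damper, and PC-01 is flagged because it quarantined the same risk four times, which is exactly the pattern the blended-threat advice tells you to look for.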