Some risk event notifications show as sent with a two minute delay, even with priority event notification enabled
Last Updated October 31, 2013
In Symantec Endpoint Protection Manager (SEPM) 12.1.4, you have enabled priority event notifications, which are sent outside the scope of the client heartbeat. You have configured multiple risk-related notifications, including Single Risk Event. However, when you review the logs, you notice that some notifications are sent about two minutes after notifications for the same detection.
This is an example of what the SEPM displays when you view the detailed event information under Monitors > Logs > Risk > View Log.
Click Monitors > Notifications > View Notifications, and then compare the trigger times between the New risk and the Single risk notifications.
New risk found notification trigger time: 09/04/2013 15:51:21
Single risk event notification trigger time: 09/04/2013 15:53:21
The default mechanism that selects risk events for notification looks back two minutes from the present time, so that notifications do not exclude risk events. Because SEP 12.1.4 can be configured to bypass the normal client-server communication and send priority events immediately, this protective default shows up as a delay in the notification trigger time.
Reconfigure the default value of the notification task mechanism.
Open conf.properties with Notepad. This file is located in the following folder:
Where SEPM Installation is the SEPM installation path.
By default, this path is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager on a 64-bit system, and C:\Program Files\Symantec\Symantec Endpoint Protection Manager on a 32-bit system.
Add the line
scm.server.task.securityalertnotifytask.delta = x
Where x is one of the following values:
To speed up notification from the default, set the value of
To disable this feature, set the value of
Note: If you set the value to , you remove the notification trigger delay, but as a consequence, some notifications may exclude some events.
Save changes and close conf.properties.
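The procedure above comes down to adding or updating one key in a Java-style .properties file. The following Python helper is an added example, not code from the article or from Symantec: it sets scm.server.task.securityalertnotifytask.delta idempotently (an existing line is replaced rather than duplicated) and preserves the file's CRLF line endings. The sample file contents and the write_delta helper with its .bak copy are assumptions; the article does not state the units or allowed range of the value, so none are enforced.

```python
import re
from pathlib import Path

# The property the article tells you to add to conf.properties.
DELTA_KEY = "scm.server.task.securityalertnotifytask.delta"
# Java .properties accepts '=' or ':' as the separator, with optional spaces.
_KEY_RE = re.compile(r"^\s*" + re.escape(DELTA_KEY) + r"\s*[=:]\s*(.*?)\s*$")


def get_delta(text: str):
    """Return the current value of the delta key as a string, or None if absent."""
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            return m.group(1)
    return None


def set_delta(text: str, value: int) -> str:
    """Return the conf.properties text with the delta key set to `value`.

    An existing (uncommented) key line is replaced in place and any further
    duplicates are dropped; if the key is absent, the line is appended.
    The file's own line ending (CRLF on a Windows SEPM host) is kept.
    """
    eol = "\r\n" if "\r\n" in text else "\n"
    new_line = f"{DELTA_KEY} = {value}"
    out, replaced = [], False
    for line in text.split(eol):
        if _KEY_RE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop duplicate occurrences of the key
        out.append(line)
    if not replaced:
        if out and out[-1] == "":      # text already ended with a newline
            out.insert(len(out) - 1, new_line)
        else:
            out.extend([new_line, ""])  # append and terminate with a newline
    return eol.join(out)


def write_delta(path: Path, value: int) -> None:
    """Assumed helper: update conf.properties on disk, keeping a .bak copy first."""
    raw = path.read_bytes().decode("latin-1")  # lossless round-trip of any bytes
    path.with_suffix(path.suffix + ".bak").write_bytes(raw.encode("latin-1"))
    path.write_bytes(set_delta(raw, value).encode("latin-1"))


# Constructed sample of a conf.properties file (placeholder keys, not real SEPM settings).
SAMPLE = "sample.setting.one=1\r\nsample.setting.two=2\r\n"
```

Run write_delta against the real conf.properties under the SEPM installation path, then confirm with get_delta that exactly one delta line is present before restarting the services.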
Symantec Endpoint Protection (SEP) 12.1.4 (enterprise version) or SEP Small Business Edition 12.1.4, with priority event notifications enabled for Single risk event notifications and/or Risk outbreak notifications.
Imported Document ID: TECH210682