Endpoint Protection

  • 1.  New SEP...401 has changed reports for definitions out of date

    Posted May 25, 2012 03:11 PM

    I used to get “Old Virus Definition” reports in SEPM which included the client names. Now since upgrading to 12.1.1101.401 the report says "5 computers found with virus definitions older than 30 days" which is my trigger but it also says "All online clients have been updated to the latest virus definitions" and tells me to launch the SEPM to review.  When I go to a known outdated computer it is indeed outdated.

    1. In the Monitors notification trigger I set it to Client List but it no longer lists them.
    2. If I go to SEPM where can I generate a report with the 5 machine names which are out of date?

    I tried recreating the monitor alert and no change.  How can I get a list of the computers in the email notice so the techs or help desk know which machines to fix?  Worked fine until .401.

     



  • 2.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 06:08 AM

    The purpose of Reports/Scheduled Reports is to get global information about your SEP architecture, rather than a fully detailed picture.

    If you want to identify which machines are out-of-date, the best would be to go to Monitors > Logs > Computer Status > click on Advanced Settings to configure Definition Date criteria accordingly > View logs.

    If you want to receive such data via email, you should rather use Monitors > Notifications, and the dedicated "Virus definitions out-of-date" condition.

     



  • 3.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 08:11 AM

    Using the Monitor - Logs shows the clients; however, it is a manual process.  If I add that filter to the main page I can make it one of the three defaults I can select from there after logging into the console.  Helps a little but the techs and help desk need alerts with names to review or forward as a ticket.  Not a manual process when they remember to do it.  In the past if an email came to the help desk or designated on call tech they could just action or forward it with the client name for review right from their mobile device.  Or even call the user and have them do something.

    Now they need to find a computer, log into the console, manually run a report to get the computer name, create an email to send to someone for action.  Before I just needed to grant console access to a couple of Symantec admins.  Now to get the client list with outdated definitions any of my 30 techs need console access.  The computer names in the email alert was a great solution.  Maybe it should be a checkbox to include client names as an option and have it actually list the names.  Client list right now is not a working setting.

    As for the email alert that is what I am using.  Before .401 it sent the client names.  Now it does not and that is an issue and delay for my support team.

    I have no filters.

    5 computers with definitions older than 30 days

    Include only clients checked in

    Damper is auto

    For the notification I have “Send email” and the report type is “Client List” but the clients are not in the email.

    Thanks anyway for the follow up.



  • 4.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 08:45 AM

    Ok, could you please copy/paste here the content of an email without hostnames?

    You might have a problem with your notification emails sent, as I suspect hostnames should actually be available. You might open a ticket with Technical Support for further analysis.

     

    By the way, I checked if there is a way to get a scheduled report showing out-of-date clients. You can basically achieve it following these steps:

     - Go to Reports > Quick Reports

     - Select "Computer Status" and "Client Inventory Details"

     - Click on Advanced Settings

     - Select "older than the last 30 days" in "Definition Date" drop-down list

     - Use other filtering options if needed

     - Save the filter using the button available at the right-bottom corner

     - Go to Scheduled Reports

     - Create new Scheduled Reports, with "Computer Status" and "Client Inventory Details" selected. Also choose your saved filter

     - Configure proper email addresses and scheduling

     - Save it

     



  • 5.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 09:46 AM

    Tried the report option.  It gives me every computer online with any type of definition more than 30 days old.  If the AV is up to date and the IPS or Sonar is more than 30 days it shows up.  I just need the AV status for online clients only.  If only the once working monitor still did what it used to. 

    Also the report sends an MHT attachment which is not viewable on the techs' mobile devices.  This was an original issue with SEP 11 we bugged Symantec about to fix which they did by including the client names in the message body when 12.1 came out.

    Here are the differences in the alerts with ***** replacing our specific details.   The computers when checked are indeed out of date.

    (((((((Before .401)))))))

    Message from:
        Server name: *****
        Server IP: *****

        Administrator Email: av-alerts
        Company Name: *****
        
    4 computers found with virus definitions older than 30 days. 

    Symantec Endpoint Protection

     

    Out-of-Date Clients Triggering Notification on 04/10/2012 12:16:59

    Updated since 04/09/2012 21:00:00

     

      Print      

     

     

    Computer
    Current User
    IP Address

    Virus Definition

    Last Download

    Last time status changed

    Domain Name
    Server Name
    Group Name

    Product Version

    *****05
    *****

    01/16/2012 r35

    Never

    04/10/2012 10:49:51

    *****

    *****

    *****04
    *****

    12/27/2011 r2

    Never

    04/10/2012 00:44:16

    *****

    *****

    *****03
    *****

    12/21/2011 r34

    Never

    04/10/2012 11:17:52

    *****

    *****

    *****01
    *****

    06/17/2011 r36

    Never

    04/10/2012 09:34:11

    *****

    *****

     

       

    You can launch the Symantec Endpoint Protection Manager using: Server URL *****

     

     

    (((((((After .401)))))))

    Message from:
        Server name: *****
        Server IP: *****
        Administrator Email: av-alerts
        Company Name: *****

    4 computers found with virus definitions older than 30 days. 

    Symantec Endpoint Protection

     

    Out-of-Date Clients Triggering Notification on 05/23/2012 08:27:46

    Updated since 05/22/2012 21:00:00

     

      Print      

     

    All online clients have been updated to the latest virus definitions.

       

    You can launch the Symantec Endpoint Protection Manager using: Server URL *****
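
An interim way to produce the plain-text client list asked for above, filtering on the AV definition date only and on online clients only. This is an added example, not code from the thread or from Symantec: it assumes the Computer Status data has been exported to CSV, the column names are hypothetical, and the sample rows are constructed. Only the `MM/DD/YYYY rNN` definition format is taken from the alert quoted above.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export; the column names are hypothetical, not SEPM's own.
SAMPLE_CSV = """Computer,Online,Virus Definition,IPS Definition
PC-01,yes,06/17/2011 r36,05/20/2012 r1
PC-02,yes,05/22/2012 r3,01/02/2012 r1
PC-03,no,12/21/2011 r34,12/21/2011 r1
PC-04,yes,,05/20/2012 r1
PC-05,yes,04/23/2012 r2,05/20/2012 r1
"""

def parse_definition(value):
    """Parse 'MM/DD/YYYY rNN' into a date; None if empty or malformed."""
    parts = value.split()
    if not parts:
        return None
    try:
        return datetime.strptime(parts[0], "%m/%d/%Y").date()
    except ValueError:
        return None

def outdated_online_clients(csv_text, today=None, max_age_days=30):
    """Return (computer, definition, age_days) for online clients whose AV
    definitions are older than max_age_days; IPS and other content is ignored.
    Clients with no parseable AV date are kept, with age None."""
    today = today or date.today()
    cutoff = today - timedelta(days=max_age_days)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Online"].strip().lower() != "yes":
            continue  # offline clients cannot be fixed remotely right now
        defs = parse_definition(row["Virus Definition"])
        if defs is None:
            hits.append((row["Computer"], "unknown", None))
        elif defs < cutoff:
            hits.append((row["Computer"], row["Virus Definition"], (today - defs).days))
    # Unknown dates first so they are not overlooked, then oldest first.
    hits.sort(key=lambda h: (h[2] is not None, -(h[2] or 0)))
    return hits

def email_body(hits, max_age_days=30):
    # Plain text, so it is readable in the message body on a mobile device.
    lines = [f"{len(hits)} computers found with virus definitions older than {max_age_days} days."]
    for name, defs, age in hits:
        age_txt = "age unknown" if age is None else f"{age} days old"
        lines.append(f"{name}  {defs}  ({age_txt})")
    return "\n".join(lines)
```

A client whose AV definitions are exactly 30 days old is not listed, and one with stale IPS content but current AV definitions is ignored.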

     

     



  • 6.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 09:57 AM

    Ok, I would then suggest you open a ticket with Support to perform deeper analysis of this behavior.

     



  • 7.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 10:43 AM

     

    Phone numbers to contact Tech Support:-

     

    Regional Support Telephone Numbers:
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000

    India: Toll-Free 000 800 4401 456 directly

    IDD call: +61 2 8220 7111

     

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

     

    How to create a new case in MySupport

    http://www.symantec.com/business/support/index?page=content&id=TECH58873



  • 8.  RE: New SEP...401 has changed reports for definitions out of date

    Posted May 28, 2012 11:12 AM

    Is anyone else seeing the same problem?  It would be good info for them when I call to indicate it is not isolated.



  • 9.  RE: New SEP...401 has changed reports for definitions out of date

    Posted Jul 06, 2012 04:14 AM

    Yes, a few reports so far, I managed to successfully reproduce it once. It appears to be an issue with the mismatched queries on SEPM, and looks to be fixed in the next release update.