Endpoint Protection

  • 1.  Single Alert Event.

    Posted Jul 16, 2009 10:16 AM

    I am in need of some suggestions. I know there is a way for an executable or batch file to run when a single alert event happens, under the notification conditions area of SEPM.

    This is what I would like it to do (and maybe Symantec can add it in the future).

    When an alert is triggered, SEP or some other application grabs all the information that is needed to generate a report as to what the user was doing, for example key-logging and IE history. We have had issues in the past where users, let's say, weren't doing their job, and have completely denied any wrongdoing while visiting sites that perhaps they shouldn't be visiting.

    I know there are packet and traffic logs available, but most of the time they are useless, especially if 24 hours or more have passed.

    Tell me what you are doing! 



  • 2.  RE: Single Alert Event.

    Posted Jul 16, 2009 12:00 PM
    Hi,

    With SEP it is possible to register what websites and applications are run on every client. Unfortunately, they are actually just on/off features and cannot be triggered by a single risk event. You can cross-reference this data with the risk logs and find out what the user did when the risk detection occurred.

    If you want to enable these features as they are, you should also consider your local laws regarding the monitoring of employees' activities.

    You can submit your idea in the section "Ideas".

    Regards,


  • 3.  RE: Single Alert Event.

    Posted Jul 16, 2009 01:16 PM
    How would I enable these features?


  • 4.  RE: Single Alert Event.

    Posted Jul 17, 2009 09:29 AM
    Anyone have a suggestion? 


  • 5.  RE: Single Alert Event.

    Posted Jul 23, 2009 04:19 PM
    Hi,

    Sorry for the late reply.
    Regarding the websites, you can create a firewall rule where you set it to log any external HTTP communication.
    Regarding the applications, in the administration_guide.pdf, read the chapter "Setting up learned applications".

    Regards,
  • 6.  RE: Single Alert Event.

    Posted Jul 23, 2009 04:41 PM
    OK, so by default we have a rule that logs all applications, on any host, at any time, on any service, on all adapters, on any screen, to allow and write to both the packet and traffic log. But like I mentioned, if any extended period of time has passed, the logs have been rewritten.

    What happens on a Friday evening at 5:30 EST when someone in PST decides to do something they shouldn't have? Monday morning the logs are gone. If there was some way of saying, "Hey, something just happened, maybe I should grab the last 500 packets, bundle them up and send them to someone who can do something about it."

    I will look into learned applications.
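
    Added example, not from this thread or from Symantec: a PowerShell script intended to be the executable that the SEPM notification action (post 1) runs, so the recent log files described above are copied off the host, hashed and archived before rotation overwrites them. It assumes PowerShell 5.1 or later on the client; the log folder and the destination share are placeholders, since the thread does not give the real paths.

```powershell
# Added example (not from the original thread or from Symantec). Meant to be run
# by the SEPM notification "run executable/batch file" action when an alert fires,
# so the logs survive until someone can review them.
# Assumptions: PowerShell 5.1+; $LogDir and $DestRoot are placeholder paths.
param(
    [string]$LogDir   = 'C:\PLACEHOLDER\SEP\Logs',     # folder holding the traffic/packet logs (assumed)
    [string]$DestRoot = '\\PLACEHOLDER-SERVER\alerts',  # central share that outlives local rotation (assumed)
    [int]$MaxAgeHours = 4                               # only preserve files written in this window
)

$ErrorActionPreference = 'Stop'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$hostName = $env:COMPUTERNAME
$work     = Join-Path $env:TEMP "alert-$hostName-$stamp"
New-Item -ItemType Directory -Path $work | Out-Null

# Select only recently written log files: these are the entries that would be
# overwritten first if the alert is not looked at until Monday morning.
$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
$files  = Get-ChildItem -Path $LogDir -File |
          Where-Object { $_.LastWriteTime -ge $cutoff }

if (-not $files) {
    Write-Warning "No log files newer than $MaxAgeHours hours under $LogDir"
    return
}

# Copy each file and record its SHA-256, size and timestamp in a manifest, so
# the bundle can later be shown to be unaltered when a user disputes its contents.
$manifest = foreach ($f in $files) {
    $copy = Join-Path $work $f.Name
    Copy-Item -Path $f.FullName -Destination $copy
    [pscustomobject]@{
        File      = $f.FullName
        LastWrite = $f.LastWriteTime.ToString('o')
        Bytes     = $f.Length
        Sha256    = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -Path (Join-Path $work 'manifest.csv') -NoTypeInformation

# Bundle everything into one timestamped archive on the share, then clean up locally.
$zip = Join-Path $DestRoot "alert-$hostName-$stamp.zip"
Compress-Archive -Path (Join-Path $work '*') -DestinationPath $zip
Remove-Item -Path $work -Recurse -Force
Write-Output "Preserved $($files.Count) file(s) to $zip"
```

    The account SEPM runs the action under needs write access to the share; the manifest is what lets a reviewer check the archive against the hashes later.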


  • 7.  RE: Single Alert Event.

    Posted Jul 24, 2009 05:30 AM
    It is a good idea and you should submit it to the section Ideas.