Symantec Endpoint Protection Client

Version 3

    Symantec Endpoint Protection Client

    This template allows you to monitor Symantec Endpoint Protection client services and major events from the application event log.

    Prerequisites: WinRM must be installed and properly configured on the target server.

    Credentials: Administrator on the target server.

    Configuring Windows Remote Management (WinRM)

    1.     If you have not already done so, install PowerShell 2.0 and WinRM on the APM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.

    2.     On the APM server, open a command prompt as an Administrator. To do this, perform the following step:

    • Go to the Start menu, right-click cmd.exe, and then select Run as Administrator.

    3.     Enter the following in the command prompt:
                winrm quickconfig
                winrm set winrm/config/client @{TrustedHosts="*"}

    4.     On the target server, open a command prompt as an Administrator and enter the following:
                winrm quickconfig
                winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

    where IP_ADDRESS is the IP address of your APM server.
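    The following PowerShell check is an added example, not part of this template or of SolarWinds or Symantec code. Run it on the APM server after step 4 to confirm the WinRM path to one SEP client; the host name 'SEP-CLIENT-01' is a placeholder.

```powershell
# Added example, not part of the template: verify WinRM from the APM server
# to a SEP client after steps 1-4. 'SEP-CLIENT-01' is a placeholder name.
function Test-SepWinRmPath {
    param([string]$ComputerName)

    # TrustedHosts on this (client) side. Step 3 sets it to "*", which lets
    # this machine send credentials to any non-Kerberos host; a list of the
    # monitored SEP clients' IPs or names is the narrower setting.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -eq '*') {
        Write-Warning "TrustedHosts is '*'; consider listing only the SEP client hosts."
    }

    # WS-Management handshake only (no credentials are exchanged here).
    $wsman = Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue

    # Full remote session under the current (Administrator) credentials,
    # which is what the template's monitors rely on.
    $remote = Invoke-Command -ComputerName $ComputerName `
        -ScriptBlock { $env:COMPUTERNAME } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Target        = $ComputerName
        TrustedHosts  = $trusted
        WsManReply    = [bool]$wsman
        RemoteSession = [bool]$remote
        RemoteHost    = $remote
    }
}

Test-SepWinRmPath -ComputerName 'SEP-CLIENT-01'
```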

    Monitored Components

    Note: All monitors should return values of zero. Returned values other than zero indicate an abnormality. Examining the Windows system and application log files should provide information pertaining to the issue. All event monitors are based on this document: http://www.symantec.com/business/support/index?page=content&id=TECH105571.

    Service: Symantec Endpoint Protection

    This monitor returns the CPU and memory usage of the Symantec Endpoint Protection service. This service provides malware and threat protection for Symantec Endpoint Protection.

    Service: Symantec Management Client

    This monitor returns the CPU and memory usage of the Symantec Management Client service. This service provides communication with the Symantec Endpoint Protection Manager. It also provides network threat protection and application and device control for the client.

    Days passed from last SEP client update

    This monitor returns the number of days passed since the last SEP update. In the Message field, this component returns the date of the last SEP update in the following format: Month/Day/Year.

    Virus found events

    This monitor returns the number of Virus Found events.

    Type of event: Any event. Event ID: 5.

    Antivirus scan events

    This monitor returns the number of events that occur when:

    • Antivirus scan started/stopped with errors;
    • Scanning fails to gain access to a file or directory;
    • Scan is stopped before it completes;
    • Scheduled scan is snoozed/paused (delayed);
    • Snoozed/paused scan is restarted.

    Type of event: Warning, Error. Event ID: 2, 3, 6, 21, 26, 27.

    Adware and spyware scan events

    This monitor returns the number of events that occur when the adware and spyware scan starts or stops with errors.

    Type of event: Warning, Error. Event ID: 65, 66.

    Definition file events

    This monitor returns the number of events that occur when:

    • The parent server sends a .vdb file to a secondary server;
    • Symantec AntiVirus loads a new .vdb file with errors;
    • New definitions are downloaded with errors by a scheduled definitions update;
    • Definitions are rolled back;
    • The computer is not protected with definitions.

    Type of event: Warning, Error. Event ID: 4, 7, 16, 39, 40.

    Auto-Protect events

    This monitor returns the number of events that occur when:

    • Auto-Protect is not fully operational;
    • Auto-Protect fails to load;
    • Auto-Protect is unloaded;
    • An error occurs with Auto-Protect;
    • Auto-Protect fails to perform a successful side-effects repair for adware or spyware.

    Type of event: Warning, Error. Event ID: 11, 22, 24, 41, 49.

    Antivirus startup and shutdown events

    This monitor returns the number of events that occur when the AntiVirus starts and stops.

    Type of event: Any event. Event ID: 13, 14.

    Backup and restore from quarantine events

    This monitor returns the number of events when the Symantec AntiVirus cannot back up a file or restore a file from quarantine.

    Type of event: Warning, Error. Event ID: 20.

    Configuration events

    This monitor returns the number of events when a configuration file cannot be read.

    Type of event: Warning, Error. Event ID: 42.

    Log forwarding events

    This monitor returns the number of events when there is a problem with the log forwarding process.

    Type of event: Warning, Error. Event ID: 34.

    TruScan events

    This monitor returns the number of events that occur when:

    • The TruScan component could not be started;
    • The TruScan engine could not be started;
    • TruScan is enabled, but it is not supported on the platform.

    Type of event: Warning, Error. Event ID: 74, 73, 76.

    Symantec tamper protection alerts

    This monitor returns the number of events when SymProtect blocks a tamper attempt.

    Type of event: Warning, Error. Event ID: 45.

    More information about this event can be found here: http://eventid.net/display.asp?eventid=45&eventno=8599&source=Symantec%20AntiVirus&phase=1.
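    The following PowerShell script is an added example, not part of this template or of SolarWinds or Symantec code. It reproduces the event-count monitors above (Virus found through Symantec tamper protection alerts) over WinRM, using the event IDs and levels listed for each; it assumes the event source name is 'Symantec AntiVirus' (as in the eventid.net link above) and uses 'SEP-CLIENT-01' as a placeholder target.

```powershell
# Added example, not part of the template: count the Application-log events
# behind the monitors above on a remote SEP client, via WinRM.
# Assumptions: source name 'Symantec AntiVirus'; 'SEP-CLIENT-01' is a placeholder.

# Monitor name -> event IDs and levels from the page.
# Level 2 = Error, 3 = Warning; $null means "Any event" (no level filter).
$Monitors = @{
    'Virus found events'                        = @{ Id = 5;               Level = $null }
    'Antivirus scan events'                     = @{ Id = 2,3,6,21,26,27;  Level = 2,3 }
    'Adware and spyware scan events'            = @{ Id = 65,66;           Level = 2,3 }
    'Definition file events'                    = @{ Id = 4,7,16,39,40;    Level = 2,3 }
    'Auto-Protect events'                       = @{ Id = 11,22,24,41,49;  Level = 2,3 }
    'Antivirus startup and shutdown events'     = @{ Id = 13,14;           Level = $null }
    'Backup and restore from quarantine events' = @{ Id = 20;              Level = 2,3 }
    'Configuration events'                      = @{ Id = 42;              Level = 2,3 }
    'Log forwarding events'                     = @{ Id = 34;              Level = 2,3 }
    'TruScan events'                            = @{ Id = 73,74,76;        Level = 2,3 }
    'Symantec tamper protection alerts'         = @{ Id = 45;              Level = 2,3 }
}

function Get-SepEventCounts {
    param(
        [string]$ComputerName,          # SEP client reachable over WinRM
        [hashtable]$Monitors,
        [int]$LookBackHours = 24        # window to count over
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Monitors, $LookBackHours -ScriptBlock {
        param($Monitors, $LookBackHours)
        $since = (Get-Date).AddHours(-$LookBackHours)
        foreach ($name in $Monitors.Keys) {
            $m = $Monitors[$name]
            $filter = @{ LogName = 'Application'; ProviderName = 'Symantec AntiVirus'
                         Id = @($m.Id); StartTime = $since }
            if ($m.Level) { $filter.Level = @($m.Level) }
            # Get-WinEvent throws when nothing matches; treat that as zero,
            # which is the "normal" value the template expects.
            $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
            [pscustomobject]@{ Monitor = $name; Count = $events.Count; Since = $since }
        }
    }
}

Get-SepEventCounts -ComputerName 'SEP-CLIENT-01' -Monitors $Monitors |
    Sort-Object Monitor | Format-Table Monitor, Count, Since -AutoSize
```

    Any non-zero Count marks a monitor to investigate in the target's Application log, in line with the note at the top of the Monitored Components section.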


    Portions of this document were originally created by and are excerpted from the following sources:

    Symantec Corporation, “Tech102748”, Copyright © 2012, Symantec Inc. All rights reserved.
    Available at http://www.symantec.com/business/support/index?page=content&id=TECH102748