Symantec Endpoint Protection Client 12.1.x

Version 1

    This template allows you to monitor Symantec Endpoint Protection 12.1.x client services and major events from the application event log.

     

    Prerequisites: WinRM must be installed and properly configured on the target server.

    Credentials: Administrator on target server.


    Monitored Components

    Service: Symantec Endpoint Protection

    This monitor returns the CPU and memory usage of the Symantec Endpoint Protection service. This service provides malware and threat protection for Symantec Endpoint Protection.

     

    Service: Symantec Management Client

    This monitor returns the CPU and memory usage of the Symantec Management Client service. This service handles communication with the Symantec Endpoint Protection Manager. It also provides Network Threat Protection and Application and Device Control for the client.

     

    Service: Symantec Network Access Control

    This monitor returns the CPU and memory usage of the Symantec Network Access Control service. This service checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow your computer to access the corporate network.

    Note: By default, this monitor is disabled.
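    The three service monitors above report CPU and memory per service. The following PowerShell snippet is an added example (not part of the SAM template) that produces the same figures locally by resolving each service to its process. It assumes the SEP 12.1.x short service names SepMasterService, SmcService and SNAC; the service-not-installed case (SNAC on a client without Network Access Control) is reported separately from a stopped service.

```powershell
# Added example, not SolarWinds or Symantec code.
# ASSUMPTION: SepMasterService, SmcService and SNAC are the short names of the
# Symantec Endpoint Protection, Symantec Management Client and Symantec Network
# Access Control services on SEP 12.1.x clients.
function Get-SepServiceUsage {
    param(
        [string[]]$ServiceName = @('SepMasterService', 'SmcService', 'SNAC')
    )
    # PercentProcessorTime from PerfProc_Process is summed over all logical
    # processors, so normalise it to 0-100 like Task Manager does.
    $cores = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors

    foreach ($name in $ServiceName) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # Not installed at all (e.g. SNAC on a client without NAC)
            [pscustomobject]@{ Service = $name; State = 'NotInstalled'; CpuPercent = $null; WorkingSetMB = $null }
            continue
        }
        if ($svc.State -ne 'Running') {
            # Installed but stopped or disabled: no process to measure
            [pscustomobject]@{ Service = $name; State = $svc.State; CpuPercent = 0; WorkingSetMB = 0 }
            continue
        }
        $pid  = $svc.ProcessId
        $perf = Get-WmiObject Win32_PerfFormattedData_PerfProc_Process -Filter "IDProcess=$pid"
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$pid"
        [pscustomobject]@{
            Service      = $name
            State        = $svc.State
            CpuPercent   = [math]::Round($perf.PercentProcessorTime / $cores, 1)
            WorkingSetMB = [math]::Round($proc.WorkingSetSize / 1MB, 1)
        }
    }
}

Get-SepServiceUsage | Format-Table -AutoSize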

     

    Client Protection Status

    This monitor returns the overall Symantec Endpoint Protection client protection status. It returns the following components:

         Definitions Date – This component returns the number of days that have passed since the last definitions update. In the Message field, it returns the date of the last definitions update in the format Year/Month/Day.
         Spyware Protection – This component shows whether Spyware Protection is enabled (1) or disabled (0).
         Virus Protection – This component shows whether Virus Protection is enabled (1) or disabled (0).
         Firewall Protection – This component shows whether Firewall Protection is enabled (1) or disabled (0).
         Infection Status – This component shows whether the client computer is infected (1) with one or more risks detected by Virus and Spyware Protection. If no infections are found, it returns 0.
         SNAC Status – This component shows whether Symantec Network Access Control is enabled (1) or disabled (0).
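    The Definitions Date component is the one value above that is computed rather than read directly. The following PowerShell function is an added example (not part of the template) that reproduces it from the client registry. It assumes SEP 12.1 stores the definitions date as the REG_BINARY value PatternFileDate under HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV (under Wow6432Node on 64-bit Windows), encoded as three bytes: years since 1970, zero-based month, day of month; verify that on your build before relying on it.

```powershell
# Added example, not SolarWinds or Symantec code.
# ASSUMPTION: PatternFileDate is a 3-byte REG_BINARY value
#   [0] = years since 1970, [1] = month (0-based), [2] = day of month
# under the 32-bit or Wow6432Node SEP\AV key.
function Get-SepDefinitionsDate {
    $paths = @(
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV',
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name PatternFileDate -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        $raw = [byte[]]$item.PatternFileDate
        if ($raw.Length -lt 3) { throw "Unexpected PatternFileDate length $($raw.Length) at $p" }

        $date = New-Object DateTime (1970 + $raw[0]), (1 + $raw[1]), $raw[2]
        return [pscustomobject]@{
            # Same shape as the template: statistic = days since update,
            # message = date as Year/Month/Day
            DaysSinceUpdate = [int]((Get-Date).Date - $date).TotalDays
            DefinitionsDate = $date.ToString('yyyy/MM/dd')
            RegistryPath    = $p
        }
    }
    throw 'PatternFileDate not found under either SEP AV key; is the SEP client installed?'
}

Get-SepDefinitionsDate
```

    A client whose DaysSinceUpdate keeps growing while the SepMasterService is running is usually one that cannot reach its management server or LiveUpdate source, which is exactly the condition the Definition file events monitor below also surfaces.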

     

    Virus found events

    This monitor returns the number of Virus Found events.

    Type of event: Any event. Event ID: 5.

     

    Antivirus scan events

    This monitor returns the number of events that occur when:

    • An antivirus scan started or stopped with errors;
    • A scan fails to gain access to a file or directory;
    • A scan is stopped before it completes;
    • A scheduled scan is snoozed/paused (delayed);
    • A snoozed/paused scan is restarted.

    Type of event: Warning, Error. Event ID: 2, 3, 6, 21, 26, 27.

     

    Adware and spyware scan events

    This monitor returns the number of events that occur when the adware and spyware scan starts or stops with errors.

    Type of event: Warning, Error. Event ID: 65, 66.

     

    Definition file events

    This monitor returns the number of events that occur when:

    • The parent server sends a .vdb file to a secondary server;
    • Symantec AntiVirus loads a new .vdb file with errors;
    • New definitions are downloaded with errors by a scheduled definitions update;
    • Definitions are rolled back;
    • The computer is not protected with definitions.

    Type of event: Warning, Error. Event ID: 4, 7, 16, 39, 40.

     

    Auto-Protect events

    This monitor returns the number of events that occur when:

    • Auto-Protect is not fully operational;
    • Auto-Protect fails to load;
    • Auto-Protect is unloaded;
    • An error occurs with Auto-Protect;
    • Auto-Protect fails to perform a successful side-effects repair for adware or spyware.

    Type of event: Warning, Error. Event ID: 11, 22, 24, 41, 49.

     

    Antivirus startup and shutdown events

    This monitor returns the number of events that occur when Symantec AntiVirus starts or stops.

    Type of event: Any event. Event ID: 13, 14.

     

    Backup and restore from quarantine events

    This monitor returns the number of events that occur when Symantec AntiVirus cannot back up a file to quarantine or restore a file from quarantine.

    Type of event: Warning, Error. Event ID: 20.

     

    Configuration events

    This monitor returns the number of events that occur when a configuration file cannot be read.

    Type of event: Warning, Error. Event ID: 42.

     

    Log forwarding events

    This monitor returns the number of events that occur when there is a problem with the log forwarding process.

    Type of event: Warning, Error. Event ID: 34.

     

    Symantec tamper protection alerts

    This monitor returns the number of events that occur when SymProtect (Tamper Protection) blocks an attempt to tamper with the Symantec client.

    Type of event: Warning, Error. Event ID: 45.

    More information about this event can be found at: http://eventid.net/display.asp?eventid=45&eventno=8599&source=Symantec%20AntiVirus&phase=1.

     

    SONAR Events

    This monitor returns the number of SONAR events with the following IDs:

    • 73 - SONAR engine load error - Failed to load the SONAR engine.
    • 74 - SONAR definitions load error - Failed to load SONAR definitions.
    • 75 - Interesting Process Found Finish - SONAR detection has finished handling the process.
    • 76 - SONAR operating system not supported - SONAR is enabled, but it is not supported on this platform.
    • 77 - SONAR Detected Threat Now Known - A SONAR process detection is now a confirmed signature-based security risk.
    • 78 - SONAR engine is disabled.
    • 79 - SONAR engine is enabled.

    Type of event: Warning, Error. Event ID: 73, 74, 75, 76, 77, 78, 79.
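    All of the event monitors from Virus found events through SONAR Events are the same query with different event IDs and levels. The following PowerShell is an added example (not part of the SAM template) that encodes those filters in one table and counts matching Application-log events over a time window. It assumes the provider (event source) name is 'Symantec AntiVirus', as in the eventid.net link above, and uses the standard Windows level numbers (2 = Error, 3 = Warning); monitors listed as "Any event" get no level filter. Get-WinEvent throws when nothing matches, so that case is handled as a count of zero rather than an error.

```powershell
# Added example, not SolarWinds or Symantec code.
# ASSUMPTION: SEP 12.1.x client events are written to the Application log by
# the provider 'Symantec AntiVirus'.
$SepEventMonitors = @{
    'Virus found events'                    = @{ Id = 5;                            Level = $null }
    'Antivirus scan events'                 = @{ Id = 2, 3, 6, 21, 26, 27;          Level = 2, 3  }
    'Adware and spyware scan events'        = @{ Id = 65, 66;                       Level = 2, 3  }
    'Definition file events'                = @{ Id = 4, 7, 16, 39, 40;             Level = 2, 3  }
    'Auto-Protect events'                   = @{ Id = 11, 22, 24, 41, 49;           Level = 2, 3  }
    'Antivirus startup and shutdown events' = @{ Id = 13, 14;                       Level = $null }
    'Backup and restore from quarantine'    = @{ Id = 20;                           Level = 2, 3  }
    'Configuration events'                  = @{ Id = 42;                           Level = 2, 3  }
    'Log forwarding events'                 = @{ Id = 34;                           Level = 2, 3  }
    'Symantec tamper protection alerts'     = @{ Id = 45;                           Level = 2, 3  }
    'SONAR events'                          = @{ Id = 73, 74, 75, 76, 77, 78, 79;   Level = 2, 3  }
}

function Get-SepEventCounts {
    param(
        [int]$Hours = 24,
        [string]$ProviderName = 'Symantec AntiVirus'
    )
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($monitor in ($SepEventMonitors.Keys | Sort-Object)) {
        $spec   = $SepEventMonitors[$monitor]
        $filter = @{ LogName = 'Application'; ProviderName = $ProviderName; Id = $spec.Id; StartTime = $since }
        if ($spec.Level) { $filter.Level = $spec.Level }   # omit for "Any event" monitors

        # Get-WinEvent raises "No events were found" when the filter matches nothing;
        # treat that as zero instead of failing the whole poll.
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Monitor = $monitor
            Hours   = $Hours
            Count   = $events.Count
            Latest  = $(if ($events.Count) { $events[0].TimeCreated } else { $null })  # newest first
            Ids     = ($spec.Id -join ',')
        }
    }
}

Get-SepEventCounts -Hours 24 | Format-Table -AutoSize
```

    Pick the window to match the template's polling interval, otherwise the same event is counted on every poll. Event 45 (SymProtect) and event 5 (Virus Found) are the two worth alerting on at any count above zero; the scan and definition monitors are usually thresholded instead.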

     

    Configuring Windows Remote Management (WinRM)

    1. If not already done, install PowerShell 2.0 and WinRM on the SAM server and on the target server. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.
    2. On the SAM server, open a command prompt as an Administrator: go to the Start menu, right-click cmd.exe and select Run as Administrator.
    3. Enter the following in the command prompt:
             winrm quickconfig
             winrm set winrm/config/client @{TrustedHosts="*"}
    4. On the target server, open a command prompt as an Administrator and enter the following:
             winrm quickconfig
             winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

    where IP_ADDRESS is the IP address of your SAM server.

    Note: TrustedHosts is a client-side list of hosts to which WinRM may send credentials when Kerberos is not used (workgroup hosts, IP addresses, cross-forest). TrustedHosts="*" on the SAM server removes that check for every destination, so where practical list the monitored servers instead of "*".
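    The following PowerShell is an added example (not part of the template) of the two things a practitioner would do after the steps above: replace the wildcard TrustedHosts entry on the SAM server with the actual monitored hosts, and verify that each target answers WinRM and accepts the Administrator credential the template will use. The addresses are constructed documentation addresses; it must be run from an elevated PowerShell on the SAM server.

```powershell
# Added example, not SolarWinds or Symantec code. Run elevated on the SAM server.
# CONSTRUCTED: 192.0.2.20 and 192.0.2.21 stand in for your SEP client servers.
$targets = @('192.0.2.20', '192.0.2.21')

# Restrict the WinRM client to the hosts it actually monitors instead of "*"
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($targets -join ',') -Force
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value

# Credential used by the template: Administrator on the target servers
$cred = Get-Credential

foreach ($t in $targets) {
    try {
        # Unauthenticated identify request: proves the listener is up and reachable
        $null = Test-WSMan -ComputerName $t -ErrorAction Stop

        # Authenticated round trip: proves the account can run commands remotely
        $svc = Invoke-Command -ComputerName $t -Credential $cred -ErrorAction Stop -ScriptBlock {
            Get-Service -Name SepMasterService, SmcService, SNAC -ErrorAction SilentlyContinue |
                Select-Object Name, Status
        }
        [pscustomobject]@{
            Target   = $t
            WinRM    = 'OK'
            Services = ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
        }
    } catch {
        # Typical causes: firewall on 5985, listener not created by quickconfig,
        # wrong credential, or the host missing from TrustedHosts.
        [pscustomobject]@{ Target = $t; WinRM = 'FAILED'; Services = $_.Exception.Message }
    }
}
```

    Note that winrm quickconfig creates an HTTP listener on port 5985; with non-Kerberos authentication the credential is protected only by the NTLM exchange, so if the SAM server and targets are in different forests or workgroups, prefer an HTTPS listener with a server certificate over widening TrustedHosts.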

     

    Copyright 2014. Portions of this template are based on the following:
    http://www.symantec.com/business/support/index?page=content&id=TECH163787
    http://www.symantec.com/business/support/index?page=content&id=TECH186925
    http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=HOWTO75109

    Last updated: 9/29/2014