Educause Security Discussion mailing list archives
Re: Symantec SEP, SEM and IP address
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Wed, 17 Nov 2010 16:29:20 -0600
Since SEP can and does log virus events to the event viewer on the local system, you can forward the virus events from there to the SEM instead. Granted, you may be wanting to track virus outbreaks without using a SEM for every single desktop in your environment.

-Eric

-------- Original Message --------
Subject: [SECURITY] Symantec SEP, SEM and IP address
From: Brad Judy <win-hied () BRADJUDY COM>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 11/17/2010 3:24 PM
We have recently started using a SEM for collecting and correlating a variety of event logs. We've run into a problem with the fact that Symantec Endpoint Protection's management server does not log the client IP address in virus detection events, preventing us from properly correlating them to the source and to other events. So far, I haven't received much traction with Symantec on getting this fixed, so I have created an "idea" for this feature on their support site here:

http://www.symantec.com/connect/idea/include-client-ip-address-virus-detection-event-logs

As far as I can tell, the SEP management server tracks system information and virus alerts in different tables that are linked by the computer's NetBIOS name (or perhaps an assigned database key that isn't visible in the GUI). It tracks the last known IP address in the system table, but does not track the IP address held by the client at the time each virus was detected. This information is particularly important for SEM correlation or building out incident timelines.

If you share this frustration with SEP logs, please log in and bump the idea to get some attention.

Thanks,

Brad Judy
Emory University
--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
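An added example, not from either poster and not SEP's actual schema: the correlation gap Brad describes, reproduced on constructed sample data. The system table holds only the last-known IP per NetBIOS name and the virus-event table holds no IP at all, so a join by computer name is the best a SEM can do; the code grades each joined IP by how far the client's last check-in is from the detection time, since a stale check-in on a DHCP network may mean a different address. Column names and timings are assumptions.

```python
"""Join SEP virus-detection events to the last-known client IP by computer name.

Constructed sample rows in the shape described on the list: a system table
keyed by NetBIOS name with a last-known IP, and an event table with no IP.
Field names (computer, last_ip, last_checkin, detected) are assumed, not SEP's.
"""
from datetime import datetime, timedelta

SYSTEM_TABLE = [  # constructed data
    {"computer": "LAB-PC01", "last_ip": "10.20.5.17",
     "last_checkin": datetime(2010, 11, 17, 15, 10)},
    {"computer": "LAB-PC02", "last_ip": "10.20.5.44",
     "last_checkin": datetime(2010, 11, 17, 9, 0)},
]
VIRUS_EVENTS = [  # constructed data; EICAR is the harmless AV test string
    {"computer": "LAB-PC01", "detected": datetime(2010, 11, 17, 9, 30), "threat": "EICAR Test String"},
    {"computer": "lab-pc02", "detected": datetime(2010, 11, 17, 8, 55), "threat": "EICAR Test String"},
    {"computer": "LAB-PC03", "detected": datetime(2010, 11, 17, 12, 0), "threat": "EICAR Test String"},
]


def enrich(events, systems, max_age=timedelta(hours=1)):
    """Attach last_ip to each event and grade how much to trust it.

    confidence is one of:
      'ok'      - client checked in within max_age of the detection, so the
                  last-known IP very likely matches the IP at detection time
      'stale'   - check-in is far from the detection time; on a DHCP network the
                  address may have changed, so use the IP as a hint only
      'unknown' - no system-table row for that NetBIOS name
    """
    # NetBIOS names are case-insensitive, so normalise before joining.
    by_name = {row["computer"].upper(): row for row in systems}
    out = []
    for ev in events:
        rec = dict(ev)
        sysrow = by_name.get(ev["computer"].upper())
        if sysrow is None:
            rec.update(last_ip=None, confidence="unknown")
        else:
            gap = abs(sysrow["last_checkin"] - ev["detected"])
            rec.update(last_ip=sysrow["last_ip"],
                       confidence="ok" if gap <= max_age else "stale")
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in enrich(VIRUS_EVENTS, SYSTEM_TABLE):
        print(rec["computer"], rec["detected"], rec["last_ip"], rec["confidence"])
```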