Educause Security Discussion mailing list archives
Re: Symantec SEP, SEM and IP address
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 18 Nov 2010 08:32:41 -0500
Yes, that might work, but we have neither the ability nor the funds to have thousands of end-user systems directly feed their logs to the SEM. I would be surprised if anyone is sending desktop-level logs from their entire enterprise into a SEM product.

Brad Judy
Emory University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens
Sent: Wednesday, November 17, 2010 5:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Symantec SEP, SEM and IP address

Since SEP can and does log virus events to the event viewer on the local system, you can forward the virus events from there to the SEM instead. Granted, you may be wanting to track virus outbreaks without using a SEM for every single desktop in your environment.

-Eric

-------- Original Message --------
Subject: [SECURITY] Symantec SEP, SEM and IP address
From: Brad Judy <win-hied () BRADJUDY COM>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 11/17/2010 3:24 PM

We have recently started using a SEM for collecting and correlating a variety of event logs. We've run into a problem with the fact that Symantec Endpoint Protection's management server does not log the client IP address in virus detection events, preventing us from properly correlating them to the source and to other events. So far, I haven't received much traction with Symantec on getting this fixed, so I have created an "idea" for this feature on their support site here:

http://www.symantec.com/connect/idea/include-client-ip-address-virus-detection-event-logs

As far as I can tell, the SEP management server tracks system information and virus alerts in different tables that are linked by the computer's NetBIOS name (or perhaps an assigned database key that isn't visible in the GUI). It tracks the last known IP address in the system table, but does not track the IP address held by the client at the time each virus was detected. This information is particularly important for SEM correlation or building out incident timelines.

If you share this frustration with SEP logs, please log in and bump the idea to get some attention.

Thanks,
Brad Judy
Emory University

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
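The data-model problem Brad describes above (detections keyed by host name, with only a "last known IP" in a separate system table) is a general one for SEM correlation. The following is an added example, not code from this thread, from Symantec or from any SEM product: it joins host-keyed detection events against DHCP lease history to recover the address the client actually held at detection time, and flags cases where the manager's last-known IP would have pointed at the wrong machine. All records, field names and host names are constructed sample data and are assumptions about the shape of such tables, not SEP's real schema.

```python
"""Recover the client IP at detection time when the AV manager records only
a per-host "last known IP".  Added example with constructed data; the record
layouts are assumptions, not Symantec Endpoint Protection's database schema."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DetectionEvent:
    host: str               # NetBIOS name as logged by the management server
    detected_at: datetime
    threat: str


@dataclass(frozen=True)
class SystemRecord:
    host: str
    last_ip: str            # only the most recent address is retained
    last_seen: datetime


@dataclass(frozen=True)
class DhcpLease:            # one assignment from the DHCP server's lease log
    ip: str
    host: str
    start: datetime
    end: datetime


def norm_host(name: str) -> str:
    """NetBIOS names are case-insensitive; drop any DNS suffix so that
    'lab-pc-07.example.edu' and 'LAB-PC-07' join as the same machine."""
    return name.split(".", 1)[0].upper()


def ip_from_system_table(ev: DetectionEvent,
                         table: Dict[str, SystemRecord]) -> Optional[str]:
    """What the manager can tell you: the last address it saw, whenever that was."""
    rec = table.get(norm_host(ev.host))
    return rec.last_ip if rec else None


def ip_from_dhcp(ev: DetectionEvent, leases: List[DhcpLease]) -> Optional[str]:
    """The address leased to the host at the moment of detection, if any lease
    covers that instant.  Returns None rather than guessing when there is a gap."""
    for lease in leases:
        if (norm_host(lease.host) == norm_host(ev.host)
                and lease.start <= ev.detected_at < lease.end):
            return lease.ip
    return None


def correlate(events: List[DetectionEvent], table: Dict[str, SystemRecord],
              leases: List[DhcpLease]) -> List[dict]:
    """Build timeline rows; 'stale' marks events where trusting the manager's
    last-known IP would attribute the detection to the wrong address."""
    rows = []
    for ev in events:
        last = ip_from_system_table(ev, table)
        at_detection = ip_from_dhcp(ev, leases)
        rows.append({
            "host": norm_host(ev.host),
            "detected_at": ev.detected_at,
            "threat": ev.threat,
            "ip_last_known": last,
            "ip_at_detection": at_detection,
            "stale": last is not None and at_detection is not None and last != at_detection,
        })
    return rows


def T(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data (hypothetical hosts, addresses and threat labels).
EVENTS = [
    DetectionEvent("LAB-PC-07", T("2010-11-15 10:12"), "Threat-A"),
    DetectionEvent("lab-pc-07.example.edu", T("2010-11-16 10:00"), "Threat-A"),
    DetectionEvent("HR-LAPTOP-3", T("2010-11-14 13:45"), "Threat-B"),
]
SYSTEM_TABLE = {norm_host(r.host): r for r in [
    SystemRecord("LAB-PC-07", "10.20.5.88", T("2010-11-17 08:30")),
    SystemRecord("HR-LAPTOP-3", "10.20.9.15", T("2010-11-17 07:05")),
]}
LEASES = [
    DhcpLease("10.20.5.41", "LAB-PC-07", T("2010-11-15 08:00"), T("2010-11-15 16:00")),
    DhcpLease("10.20.5.88", "lab-pc-07", T("2010-11-16 09:00"), T("2010-11-17 09:00")),
    DhcpLease("10.20.9.15", "HR-LAPTOP-3", T("2010-11-16 07:00"), T("2010-11-17 07:00")),
]

if __name__ == "__main__":
    for row in correlate(EVENTS, SYSTEM_TABLE, LEASES):
        print(row)
```

In the sample, the first detection on LAB-PC-07 happened while it held 10.20.5.41, but by the time the manager's system table was read the host had re-leased 10.20.5.88, so the last-known IP would have sent the incident timeline to the wrong address. The third event falls outside any lease the DHCP log covers, and the code deliberately reports no address rather than falling back to the last-known one; a static-IP or VPN assignment source would need to be joined the same way to close that gap.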
Current thread:
- Symantec SEP, SEM and IP address Brad Judy (Nov 17)
- Re: Symantec SEP, SEM and IP address Eric C. Lukens (Nov 17)
- Re: Symantec SEP, SEM and IP address Brad Judy (Nov 18)
- Re: Symantec SEP, SEM and IP address Eric C. Lukens (Nov 17)