Educause Security Discussion mailing list archives

Re: Symantec SEP, SEM and IP address


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 18 Nov 2010 08:32:41 -0500

Yes that might work, but we have neither the ability nor the funds to have
thousands of end user systems directly feed their logs to the SEM.  I would
be surprised if anyone is sending desktop level logs from their entire
enterprise into a SEM product.  

Brad Judy

Emory University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens
Sent: Wednesday, November 17, 2010 5:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Symantec SEP, SEM and IP address


Since SEP can and does log virus events to the event viewer on the local
system, you can forward the virus events from there to the SEM instead.
 Granted, you may be wanting to track virus outbreaks without using a SEM
for every single desktop in your environment.

-Eric

-------- Original Message --------
Subject: [SECURITY] Symantec SEP, SEM and IP address
From: Brad Judy <win-hied () BRADJUDY COM>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 11/17/2010 3:24 PM

We have recently started using a SEM for collecting and correlating a
variety of event logs.  We've run into a problem with the fact that
Symantec Endpoint Protection's management server does not log the
client IP address in virus detection events, preventing us from
properly correlating them to the source and to other events.  So far,
I haven't received much traction with Symantec on getting this fixed,
so I have created an "idea" for this feature on their support site here:

http://www.symantec.com/connect/idea/include-client-ip-address-virus-detection-event-logs

As far as I can tell, the SEP management server tracks system
information and virus alerts in different tables that are linked by
the computer's NetBIOS name (or perhaps an assigned database key that
isn't visible in the GUI).  It tracks the last known IP address in the
system table, but does not track the IP address held by the client at
the time each virus was detected.  This information is particularly
important for SEM correlation or building out incident timelines.

If you share this frustration with SEP logs, please log in and bump
the idea to get some attention.

Thanks,

Brad Judy

Emory University


--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/

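The correlation gap Brad describes (a detection event carries only the NetBIOS name, and the system table only keeps the last known IP) is easiest to see with a small worked example. The following script is an added illustration for this archive page, not code from the thread, from Symantec, or from any SIEM product. It assumes that DHCP lease history for the same hosts is available to the SEM, and all sample data (host names, IPs, lease windows, detection times) is constructed. It contrasts the naive join against a last-known-IP table with a time-bounded join against lease records, flags the rows where the two disagree, and leaves a row unresolved rather than guessing when no lease covers the detection time.

```python
from datetime import datetime

# --- Constructed sample data (not taken from SEP or from the page) ---

# Stand-in for the SEP "system" table: NetBIOS name -> last known IP only.
SYSTEM_TABLE = {"LAB-PC-07": "10.20.5.44"}

# Stand-in for SEP virus detection events: NetBIOS name and time, no IP.
DETECTIONS = [
    {"computer": "LAB-PC-07", "time": "2010-11-16T09:15:00", "threat": "EICAR-Test-File"},
    {"computer": "LAB-PC-07", "time": "2010-11-17T14:02:00", "threat": "EICAR-Test-File"},
    {"computer": "KIOSK-02",  "time": "2010-11-17T16:40:00", "threat": "EICAR-Test-File"},
]

# Stand-in for DHCP lease history: (hostname, ip, lease start, lease end).
# Hostnames are lowercase on purpose: DHCP and NetBIOS casing often differ.
DHCP_LEASES = [
    ("lab-pc-07", "10.20.3.17", "2010-11-16T08:00:00", "2010-11-16T18:00:00"),
    ("lab-pc-07", "10.20.5.44", "2010-11-17T07:30:00", "2010-11-17T19:30:00"),
]


def parse_ts(text):
    """Parse the ISO-style timestamps used in the constructed data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def ip_from_system_table(computer, system_table=SYSTEM_TABLE):
    """The naive join: whatever IP the system table holds now."""
    return system_table.get(computer.upper())


def ip_at_time(computer, when, leases=DHCP_LEASES):
    """Time-bounded join: the IP leased to `computer` at `when`, or None."""
    for host, ip, start, end in leases:
        if host.upper() != computer.upper():
            continue
        if parse_ts(start) <= when < parse_ts(end):
            return ip
    return None  # no lease covers the detection time: do not guess


def correlate(detections=DETECTIONS, leases=DHCP_LEASES, system_table=SYSTEM_TABLE):
    """Enrich each detection with both candidate IPs and flag disagreements."""
    rows = []
    for event in detections:
        when = parse_ts(event["time"])
        last_known = ip_from_system_table(event["computer"], system_table)
        at_detection = ip_at_time(event["computer"], when, leases)
        rows.append({
            "computer": event["computer"],
            "time": event["time"],
            "threat": event["threat"],
            "last_known_ip": last_known,
            "ip_at_detection": at_detection,
            # stale: the last-known IP would have pointed at the wrong host
            "stale": at_detection is not None and last_known != at_detection,
            # unresolved: nothing in the lease history covers this time
            "unresolved": at_detection is None,
        })
    return rows


if __name__ == "__main__":
    for row in correlate():
        status = "STALE" if row["stale"] else ("UNRESOLVED" if row["unresolved"] else "ok")
        print(f'{row["time"]} {row["computer"]:10} last_known={row["last_known_ip"]} '
              f'at_detection={row["ip_at_detection"]} {status}')
```

The first detection is the case that breaks a SEM timeline: by the time an analyst looks, the system table says 10.20.5.44, but at detection time the host held 10.20.3.17, so any firewall or proxy events keyed on the last-known address belong to a different machine. Carrying both values and a `stale` flag into the SEM lets the correlation rule prefer the lease-derived address and surface rows that could not be resolved, which is the same information SEP would provide directly if it logged the client IP in the event.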

