Documentation forServer & Application Monitor
Monitoring your applications and environment is a key capability of SolarWinds Observability Self-Hosted (formerly Hybrid Cloud Observability) and is available in the Essentials edition. Server & Application Monitor (SAM) is also available in a standalone module.

Symantec Endpoint Protection Client

This template allows you to monitor Symantec Endpoint Protection client services and major events from the application event log.

Prerequisites:

WinRM must be installed and properly configured on the target server.

Credentials:

Administrator on target server.

Component monitors

Click here for an overview about SAM application monitor templates and component monitors. SAM API Poller templates are also available.

All monitors should return values of zero. Returned values other than zero indicate an abnormality. Examining the Windows system and application log files should provide information pertaining to the issue.

Service: Symantec Endpoint Protection

This monitor returns the CPU and memory usage of the Symantec Endpoint Protection service. This service provides malware and threat protection for Symantec Endpoint Protection.

Service: Symantec Management Client

This monitor returns the CPU and memory usage of the Symantec Management Client service. This service provides communication with the Symantec Endpoint Protection Manager. It also provides network threat protection and application and device control for the client.

Days passed from last SEP client update

This monitor returns the number of days passed since the last SEP update. In the Message field, this component returns the date of last SEP update in the following format: Month/Day/Year.

Virus found events

This monitor returns the number of the Virus Found events.

Type of event: Any event. Event ID: 5.

Antivirus scan events

This monitor returns the number of events that occur when:

  • Antivirus scan started/stopped with errors;
  • Scanning fails to gain access to a file or directory;
  • Scan is stopped before it completes;
  • Scheduled scan is snoozed/paused (delayed);
  • Snoozed/paused scan is restarted.

Type of event: Warning, Error. Event ID: 2, 3, 6, 21, 26, 27.

Adware and spyware scan events

This monitor returns the number of events that occur when the adware and spyware scan started or stopped with errors.

Type of event: Warning, Error. Event ID: 65, 66.

Definition file events

This monitor returns the number of events that occur when:

  • The parent server sends a .vdb file to a secondary server;
  • Symantec AntiVirus loads a new .vdb file with errors;
  • New definitions are downloaded with errors by a scheduled definitions update;
  • Definitions are rolled back;
  • The computer is not protected with definitions.

Type of event: Warning, Error. Event ID: 4, 7, 16, 39, 40.

Auto-Protect events

This monitor returns the number of events that occur when:

  • Auto-Protect is not fully operational;
  • Auto-Protect fails to load;
  • Auto-Protect is unloaded;
  • An error occurs with Auto-Protect;
  • Auto-Protect fails to perform a successful side-effects repair for adware or spyware.

Type of event: Warning, Error. Event ID: 11, 22, 24, 41, 49.

Antivirus startup and shutdown events

This monitor returns the number of events that occur when the AntiVirus starts and stops.

Type of event: Any event. Event ID: 13, 14.

Backup and restore from quarantine events

This monitor returns the number of events when the Symantec AntiVirus cannot back up a file or restore a file from quarantine.

Type of event: Warning, Error. Event ID: 20.

Configuration events

This monitor returns the number of events when a configuration file cannot be read.

Type of event: Warning, Error. Event ID: 42.

Log forwarding events

This monitor returns the number of events when there is a problem with the log forwarding process.

Type of event: Warning, Error. Event ID: 34.

TruScan events

This monitor returns the number of events that occur when:

  • The TruScan component could not be started;
  • The TruScan engine could not be started;
  • The TruScan is enabled, but it is not supported on the platform.

Type of event: Warning, Error. Event ID: 74, 73, 76.

Symantec tamper protection alerts

This monitor returns the number of events when SymProtect blocks a tamper attempt.

Type of event: Warning, Error. Event ID: 45.