Symantec Endpoint Protection Client
This template allows you to monitor Symantec Endpoint Protection client services and major events from the application event log.
Prerequisites:
WinRM must be installed and properly configured on the target server.
Credentials:
Administrator on target server.
Component monitors
All monitors should return values of zero. Returned values other than zero indicate an abnormality. Examine the Windows system and application event logs for information pertaining to the issue.
Service: Symantec Endpoint Protection
This monitor returns the CPU and memory usage of the Symantec Endpoint Protection service. This service provides malware and threat protection for Symantec Endpoint Protection.
Service: Symantec Management Client
This monitor returns the CPU and memory usage of the Symantec Management Client service. This service provides communication with the Symantec Endpoint Protection Manager. It also provides network threat protection and application and device control for the client.
Days passed from last SEP client update
This monitor returns the number of days passed since the last SEP update. In the Message field, this component returns the date of the last SEP update in the following format: Month/Day/Year.
Virus found events
This monitor returns the number of Virus Found events.
Type of event: Any event. Event ID: 5.
Antivirus scan events
This monitor returns the number of events that occur when:
- Antivirus scan started/stopped with errors;
- Scanning fails to gain access to a file or directory;
- Scan is stopped before it completes;
- Scheduled scan is snoozed/paused (delayed);
- Snoozed/paused scan is restarted.
Type of event: Warning, Error. Event ID: 2, 3, 6, 21, 26, 27.
Adware and spyware scan events
This monitor returns the number of events that occur when the adware and spyware scan started or stopped with errors.
Type of event: Warning, Error. Event ID: 65, 66.
Definition file events
This monitor returns the number of events that occur when:
- The parent server sends a .vdb file to a secondary server;
- Symantec AntiVirus loads a new .vdb file with errors;
- New definitions are downloaded with errors by a scheduled definitions update;
- Definitions are rolled back;
- The computer is not protected with definitions.
Type of event: Warning, Error. Event ID: 4, 7, 16, 39, 40.
Auto-Protect events
This monitor returns the number of events that occur when:
- Auto-Protect is not fully operational;
- Auto-Protect fails to load;
- Auto-Protect is unloaded;
- An error occurs with Auto-Protect;
- Auto-Protect fails to perform a successful side-effects repair for adware or spyware.
Type of event: Warning, Error. Event ID: 11, 22, 24, 41, 49.
Antivirus startup and shutdown events
This monitor returns the number of events that occur when AntiVirus starts and stops.
Type of event: Any event. Event ID: 13, 14.
Backup and restore from quarantine events
This monitor returns the number of events that occur when Symantec AntiVirus cannot back up a file or restore a file from quarantine.
Type of event: Warning, Error. Event ID: 20.
Configuration events
This monitor returns the number of events that occur when a configuration file cannot be read.
Type of event: Warning, Error. Event ID: 42.
Log forwarding events
This monitor returns the number of events that occur when there is a problem with the log forwarding process.
Type of event: Warning, Error. Event ID: 34.
TruScan events
This monitor returns the number of events that occur when:
- The TruScan component could not be started;
- The TruScan engine could not be started;
- TruScan is enabled, but it is not supported on the platform.
Type of event: Warning, Error. Event ID: 74, 73, 76.
Symantec tamper protection alerts
This monitor returns the number of events that occur when SymProtect blocks a tamper attempt.
Type of event: Warning, Error. Event ID: 45.
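To spot-check the event-count monitors by hand on a client, the following added example (not part of the SolarWinds template or any Symantec tooling) counts Application log events per monitor using the event IDs and event types listed above. The `$ProviderName` and `$LookbackMinutes` parameters and the `Abnormal` output column are assumptions of this example; the page does not name the event source, so it must be supplied.

```powershell
param(
    # Assumption: the page does not name the event source, so pass the
    # provider name shown on a real SEP event in the Application log.
    [Parameter(Mandatory)] [string] $ProviderName,
    [int] $LookbackMinutes = 60   # constructed default window
)

# Event IDs per component monitor, as listed on this page.
# AnyLevel = $true  -> "Type of event: Any event"
# AnyLevel = $false -> "Type of event: Warning, Error"
$monitors = [ordered]@{
    'Virus found'                        = @{ Ids = 5;                   AnyLevel = $true  }
    'Antivirus scan'                     = @{ Ids = 2, 3, 6, 21, 26, 27; AnyLevel = $false }
    'Adware and spyware scan'            = @{ Ids = 65, 66;              AnyLevel = $false }
    'Definition file'                    = @{ Ids = 4, 7, 16, 39, 40;    AnyLevel = $false }
    'Auto-Protect'                       = @{ Ids = 11, 22, 24, 41, 49;  AnyLevel = $false }
    'Antivirus startup and shutdown'     = @{ Ids = 13, 14;              AnyLevel = $true  }
    'Backup and restore from quarantine' = @{ Ids = 20;                  AnyLevel = $false }
    'Configuration'                      = @{ Ids = 42;                  AnyLevel = $false }
    'Log forwarding'                     = @{ Ids = 34;                  AnyLevel = $false }
    'TruScan'                            = @{ Ids = 74, 73, 76;          AnyLevel = $false }
    'Tamper protection'                  = @{ Ids = 45;                  AnyLevel = $false }
}

$start = (Get-Date).AddMinutes(-$LookbackMinutes)

foreach ($name in $monitors.Keys) {
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = $monitors[$name].Ids
        StartTime    = $start
    }
    # Restrict to Warning/Error where the monitor says so (2 = Error, 3 = Warning).
    if (-not $monitors[$name].AnyLevel) { $filter.Level = 2, 3 }

    try {
        $count = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop).Count
    }
    catch {
        # "No matching events" is the healthy case; any other failure
        # (access denied, unknown provider) must not be reported as zero.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $count = 0
    }
    [pscustomobject]@{ Monitor = $name; Count = $count; Abnormal = ($count -ne 0) }
}
```

Run it on the client itself, for example inside a WinRM remote session opened with the administrator credentials the template requires.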