What are the types of notifications and when are they sent?

Symantec Endpoint Protection Manager provides notifications for administrators. You can customize most of these notifications to meet your particular needs. For example, you can add filters to limit a trigger condition only to specific computers. Or you can set notifications to take specific actions when they are triggered.
By default, some of these notifications are enabled when you install Symantec Endpoint Protection Manager. Notifications that are enabled by default are configured to log to the server and send email to system administrators.
For more information, see:
Preconfigured notifications
Notification
Description
Authentication failure
A configurable number of logon failures in a defined period of time triggers the Authentication failure notification. You can set the number of logon failures and the time period within which they must occur to trigger the notification.
Client list changed
This notification triggers when there is a change to the existing client list. This notification condition is enabled by default.
Client list changes can include:
  • The addition of a client
  • A change in the name of a client
  • The deletion of a client
  • A change in the hardware of a client
  • A change in the Unmanaged Detector status of a client
  • A client mode change
Client security alert
This notification triggers upon any of the following security events:
  • Compliance events
  • Network and Host Exploit Mitigation events
  • Traffic events
  • Packet events
  • Device control events
  • Application control events
You can modify this notification to specify the type, severity, and frequency of events that determine when these notifications are triggered.
Some of these occurrence types require that you also enable logging in the associated policy.
If you set the notification damper period to None, you should make sure that clients can upload critical events immediately. The Let clients upload critical events immediately option is enabled by default and configured in the Communications Settings dialog box.
Deception Detection
When an attacker attempts to touch or modify a deceptor, the Deception tools log an event. A notification is triggered when:
  • An attacker gets past the client’s defenses.
  • An attacker retrieves information about the client computer.
  • An attacker attempts to use the client computer in additional attacks within the enterprise network.
Download Protection content out-of-date
Alerts the administrators about out-of-date Download Protection content. You can specify the age at which the definitions trigger the notification.
File reputation lookup alert
Alerts the administrators when a file is submitted to Symantec for a reputation check. SONAR and Download Insight use file reputation lookups and submit files to Symantec automatically.
The File Reputation Detection notification is enabled by default.
Forced application detected
This notification triggers when an application on the commercial application list is detected or when an application on the list of applications that the administrator monitors is detected.
IPS signature out-of-date
Alerts the administrators about out-of-date IPS signatures. You can specify the age at which the definitions trigger the notification.
Licensing issue
Paid license expiration
This notification alerts administrators and, optionally, partners, about the paid licenses that have expired or that are about to expire.
This notification is enabled by default.
Over-deployment
This notification alerts administrators and, optionally, partners, about over-deployed paid licenses.
This notification is enabled by default.
Trial license expiration
This notification alerts administrators about expired trial licenses and the trial licenses that are due to expire in 60, 30, and 7 days.
This notification is enabled by default if there is a trial license. It is not enabled by default if your license is due for an upgrade or has been paid.
Memory Exploit Mitigation Detection
This notification triggers when an exploit attempt against a known or unknown vulnerability is detected.
Network load alert: requests for virus and spyware full definitions
Alerts the administrators when too many clients request a full definition set, and warns of potential network bandwidth issues.
This notification is enabled by default.
New learned application
This notification triggers when application learning detects a new application.
New risk detected
This notification triggers whenever virus and spyware scans detect a new risk.
If you set the notification damper period to None, you should make sure that clients can upload critical events immediately. The Let clients upload critical events immediately option is enabled by default and configured in the Communications Settings dialog box.
New software package
This notification triggers when a new software package downloads or the following occurs:
  • LiveUpdate downloads a client package.
  • The management server is upgraded.
  • The console manually imports client packages.
  • LiveUpdate has new security definitions or engine content.
You can specify whether the notification is triggered only by new security definitions, only by new client packages, or by both.
This notification is enabled by default.
New user-allowed download
This notification triggers when a client computer allows an application that Download Insight detected. An administrator can use this information to help evaluate whether to block or allow the application.
Power Eraser recommended
Alerts the administrators when a regular scan cannot repair an infection, so the administrators can use Power Eraser.
This notification is enabled by default.
Risk outbreak
This notification alerts administrators about security risk outbreaks. You set the number and type of occurrences of new risks and the time period within which they must occur to trigger the notification. Types of occurrences include occurrences on any computer, occurrences on a single computer, or occurrences on distinct computers.
This notification condition is enabled by default.
If you set the notification damper period to None, you should make sure that clients can upload critical events immediately. The Let clients upload critical events immediately option is enabled by default and configured in the Communications Settings dialog box.
Server health
Server health issues trigger the notification. The notification lists the server name, the health status, the reason, and the last online or offline status.
This notification is enabled by default.
Single risk event
This notification triggers upon the detection of a single risk event and provides details about the risk. The details include the user and the computer involved, and the actions that the management server took.
If you set the notification damper period to None, you should make sure that clients can upload critical events immediately. The Let clients upload critical events immediately option is enabled by default and configured in the Communications Settings dialog box.
SONAR definitions out-of-date
Alerts the administrators about out-of-date SONAR definitions. You can specify the age at which the definitions trigger the notification.
System event
This notification triggers upon certain system events and provides the number of such events that were detected. System events include management server activities, replication failures, backups, and system errors.
Unmanaged computers
This notification triggers when the management server detects unmanaged computers on the network. The notification provides details including the IP address, the MAC address, and the operating system of each unmanaged computer.
Upgrade license expiration
Upgrades from previous versions of Symantec Endpoint Protection Manager to the current version are granted an upgrade license. This notification triggers when the upgrade license is due to expire.
This notification appears only after an upgrade.
Virus definitions out-of-date
Alerts the administrators about out-of-date virus definitions. You can specify the age at which the definitions trigger the notification.
This notification is enabled by default.
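
The Authentication failure and Risk outbreak entries above both describe a count of occurrences within a time period, and Risk outbreak adds three occurrence types. The following Python sketch is an added example, not Symantec code: it models such a condition so you can see how threshold, window, occurrence type, and damper period interact before you tune them. The class and function names, the counting rules for each occurrence type, and the reading of the damper period as a quiet interval after a notification are assumptions of this example.

```python
from collections import deque
from datetime import datetime, timedelta

# Occurrence types named in the Risk outbreak entry; the counting rules
# below are this example's interpretation, not documented product behavior.
ANY, SINGLE, DISTINCT = "any computer", "single computer", "distinct computers"

class OutbreakCondition:
    def __init__(self, threshold, window, mode=ANY, damper=None):
        self.threshold, self.window = threshold, window
        self.mode, self.damper = mode, damper
        self.events = deque()      # (timestamp, computer) still inside the window
        self.last_fired = None

    def _count(self):
        per_host = {}
        for _, host in self.events:
            per_host[host] = per_host.get(host, 0) + 1
        if self.mode == SINGLE:    # most events seen on any one computer
            return max(per_host.values(), default=0)
        if self.mode == DISTINCT:  # number of different computers affected
            return len(per_host)
        return len(self.events)    # ANY: every event counts

    def observe(self, ts, computer):
        """Record one event; return True if a notification would be sent."""
        self.events.append((ts, computer))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()  # drop events older than the window
        if self._count() < self.threshold:
            return False
        if (self.damper and self.last_fired is not None
                and ts - self.last_fired < self.damper):
            return False           # condition met, but still damped
        self.last_fired = ts
        return True

def replay(condition, events):
    """Return the timestamps at which the condition would notify."""
    return [ts for ts, host in events if condition.observe(ts, host)]

# Constructed sample data: (minute offset, computer name)
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [(T0 + timedelta(minutes=m), h) for m, h in
          [(0, "pc-01"), (1, "pc-01"), (2, "pc-01"), (3, "pc-02"),
           (4, "pc-03"), (30, "pc-01")]]
```

With a threshold of 3 in 10 minutes and no damper, the "any computer" type notifies on every event while the condition holds; a damper reduces that to one notification, and "distinct computers" waits until a third computer is affected.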