
Monitor antivirus software for viruses that are not cleaned

You can monitor your antivirus software performance by configuring the software to log to your SolarWinds LEM appliance. When completed, set up the appropriate connector on your SolarWinds LEM Manager to view the events in the default Virus Attack filter in your SolarWinds LEM Console.

Configure antivirus software to log to a LEM appliance

Set your antivirus software to log to your SolarWinds LEM appliance. This process centralizes the antivirus log data with your existing SolarWinds LEM events.

You can integrate antivirus software with your SolarWinds LEM appliance from manufacturers such as Symantec and McAfee. See the SolarWinds Knowledge Base or contact SolarWinds Support for more information.

Configure the antivirus connector on LEM Manager

The following procedure describes how to configure the Symantec Endpoint Protection 11 connector on your SolarWinds LEM Manager.

For Symantec Endpoint Protection (SEP), the Log Facility is equal to the local facility on your SolarWinds LEM appliance plus 16. For example, the default Log File for /var/log/local6.log on your SolarWinds LEM appliance corresponds to Log Facility 22 in your Symantec Endpoint Protection 11 settings.
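The facility arithmetic above is easy to get wrong when filling in the SEP setting, and the symptom (an empty Virus Attack filter) says nothing about why. The following Python helper is an added example, not code from the guide or from SolarWinds; it assumes only the standard syslog PRI encoding (PRI = facility * 8 + severity, local0..local7 = 16..23) and constructed sample messages, and checks that a message's facility matches the LEM local log file the connector reads.

```python
import re

# Standard syslog facility numbering: local0 = 16 ... local7 = 23,
# so a LEM file /var/log/localN.log corresponds to SEP Log Facility N + 16.
LOCAL_FACILITY_BASE = 16


def sep_log_facility(local_log_path: str) -> int:
    """Return the SEP Log Facility number for a LEM local log file,
    e.g. /var/log/local6.log -> 22."""
    m = re.fullmatch(r"/var/log/local([0-7])\.log", local_log_path)
    if not m:
        raise ValueError(f"not a LEM local facility log file: {local_log_path}")
    return LOCAL_FACILITY_BASE + int(m.group(1))


def decode_pri(syslog_line: str):
    """Split the <PRI> prefix of a syslog line into (facility, severity)."""
    m = re.match(r"<(\d{1,3})>", syslog_line)
    if not m:
        raise ValueError("syslog line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid PRI value
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def lands_in(syslog_line: str, local_log_path: str) -> bool:
    """True when the message's facility matches the local log file the
    LEM connector reads, i.e. the SEP Log Facility setting is consistent."""
    facility, _ = decode_pri(syslog_line)
    return facility == sep_log_facility(local_log_path)


# Constructed samples (not real SEP output): facility 22 (local6) at
# severity 6 gives PRI 182; facility 16 (local0) at severity 6 gives PRI 134.
SAMPLE_OK = "<182>Jan 26 23:08:00 sepm01 SymantecServer: constructed sample event"
SAMPLE_WRONG = "<134>Jan 26 23:08:00 sepm01 SymantecServer: constructed sample event"

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_WRONG):
        print(decode_pri(line), lands_in(line, "/var/log/local6.log"))
```

A message whose facility does not match will be written to a different local file on the appliance and never reach the connector instance configured for local6.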

  1. Replace the Alias value with a custom alias or accept the default.
  2. Ensure that the Log File value matches the Log Facility defined in your antivirus settings.
  3. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  4. Click the Manage tab and select Appliances.
  5. Click the gear icon next to your SolarWinds LEM Manager and select Connectors.
  6. In the Connector Configuration window, enter the following in the search box:

    Symantec Endpoint Protection

  7. Click the gear icon next to the Symantec Endpoint Protection 11 connector and select New.
  8. Click Save.
  9. Click the gear icon next to the new connector instance and select Start.
  10. Click Close to close the Connector Configuration window.

Create a LEM rule to track when viruses are not cleaned

Clone and enable the Virus Attack Bad State rule to track virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that is not fully cleaned by your antivirus software. This includes any virus that is not addressed, quarantined, or renamed.

The default action for this rule is to generate a HostIncident event, which you can use together with the Incidents report to show auditors that you are auditing the critical events on your network.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Click the Build tab and select Rules.
  3. In the search box, enter:

    Virus Attack - Bad State

  4. Click the gear icon next to the rule and select Clone.
  5. Select the folder in which to store the cloned rule and click OK.
  6. Select the Enable check box.
  7. Click Save.
  8. In the main Rules screen, click Activate Rules.

Last modified
23:08, 26 Jan 2017