Symantec Connect - Articles

Please find the Screenshot attached.

Replication Report or Summary

Based on my experience I have inputted the 3 options to generate total Data Replication report

Option: 1

-->login to Datadomain web GUI http://<storagename> press enter

-->Click on Storage Server

--> Click on Replication

-->if DDboost, Click on DDboost

-->Click on File Replication

-->select the Duration

--> there you can find the total Replication size in 24 hrs

Option: 2

-->login to Datadomain web GUI http://<storagename> press enter

-->On left bottom, click on report,

--> Select replicationSummary --> select duration --> click on create

Option: 3 opscenter

-->Click on Report

-->Click on New Custom Report

Select Ranking

àSelect Duration

àSelect Master server if any in particular

àUnder Disk please select Storage server name or Disk Volume name if you looking for any specific

Select Report on: “Disk Volume Name” or Storage Server Name

y-axis Display name

Select Report Data: “Disk Volume Replication “

Select Count

Select time basis as “Job End Time”

Click on Next

After clicking next you will get the report based on Disk volume name and Disk Replication Count in form on Ranking

Click next to save

After Save, open report and click on “show chart as Table”

A table will pop up with all values

Replication Report.docx

Introduction

This is the third of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).

The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways how to prevent and recover from one of today's most-destructive threats, should it infect your network and hold your data hostage.

This third article illustrates how Symantec Endpoint Protection's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.

IP What?

Unlike AntiVirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them. It’s very cool.

SEP’s IPS component greatly increases the number of threats that can be blocked, so the use of IPS is strongly recommended on almost all endpoints. More details are contained in:

Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347

Not Just for Windows Any More!

IPS has been an optional component of SEP for Windows since the beginning. In order to enable IPS in Symantec Endpoint Protection 11.x, the client firewall portion (Network Threat Protection) must be installed and running. In SEP 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.

SEP 12.1 RU4 brought many new features to the SEP client that runs on Macintosh (“SEP for Mac”). An overview of these enhancements can be found in:

Overview for Symantec Endpoint Protection 12.1.4 for Mac
http://www.symantec.com/docs/HOWTO92146

One of the best of these enhancements is that IPS can now defend Mac machines as well as the Windows boxes on the network. So, definitely upgrade the protection on your Macs!

How IPS Defends Clients

For an excellent illustration of how IPS can protect against a very dangerous threat, see Recovering Ransomlocked Files Using Built-In Windows Tools. Even if the initial Trojan.Cryptolocker .exe is not detected by SEP’s AntiVirus components, IPS attack signatures can still block the network traffic that this threat relies upon in order to generate the keys necessary to sabotage a computer’s files. If you see a pop-up “System Infected: Trojan.Cryptolocker” then IPS has just blocked the Trojan’s network activity (and saved you a load of grief). Get that computer isolated and perform a load point diagnostic to identify any unidentified malware files!

Generating SEPM Reports of Network Attacks

As detailed in my first article, your Symantec Endpoint Protection Manager contains advanced capabilities for reporting and alerting. It can often tell you exactly what is going on with the security of your network, if you know how to look.

One report that it can generate on demand is Network Threat Protection: Attacks. (Remember: in SEP 12.1, it is not necessary to have the NTP component of SEP installed in order to take advantage of IPS. IPS can be installed without NTP. The report of all IPS attacks is still listed under Network Threat Protection as a legacy inherited from SEP 11 days.)

Just click on Monitors, Logs tab, and pick the "Network Threat Protection" option for Log type. Choose “Attacks” to see all the IPS events that have occurred on managed SEP clients and been forwarded to the SEPM.

The logs for all the attack events will be displayed on screen, and can be exported for more advanced parsing and analysis with your favorite spreadsheet program.

Identifying Unprotected Computers

One example of how these can be useful: in a recent real-world case, an administrator had been fighting a never-ending battle to eradicate W32.Downadup from the corporate network. There were constant detections of this threat being stopped, but somewhere out there were infected computers which constantly tried to re-infect others. Examining the Risk Reports failed to show any instances where the threat was being detected by AV but “left alone,” so where were they?

Examining the exported Network Attack logs, it was pretty clear that IPS was also blocking infection attempts (traffic that attempted exploit of the vulnerability that W32.Downadup uses to spread). These logs, though, showed what IP addresses involved with each “[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM”

Examining the Remote Hosts that were responsible for all that traffic was the solution to this case. There were a handful of infected computers that had no AV product on them at all. Installing SEP ended the persistent W32.Downadup troubles for good.

Identifying Infected Machines

In another recent real-world example: hundreds of Auto-Protect virus events (Event ID 51) were seen on the shared directory of a file server. Several days were spent examining the load points of the server itself, with nothing malicious found. The reason: the infection was on one of the 400 clients which connect daily to that mapped drive. Some client in the network had attempted to do the damage- but which one? It would not be possible to examine load point diagnostics from all those hundreds of clients.

Luckily, that file server had IPS installed. The IPS logs were examined and a large number of ”Incoming Auto-Block Event” entries were spotted, coming from one particular IP Address. This activity might have been a coincidence, but in this case it was a very big clue as to which mapped client was infected. That computer was isolated, cleaned, patched and returned to the network. Problem solved.

Conclusion

IPS can protect your computers- and everything on them- in ways that AV alone cannot. And, its logs can provide valuable intelligence about which computers in the network are infected.

Moral of this story: it’s much easier to deploy the SEP IPS client and read its logs than to examine 400 load point diagnostics. &: )

One final recommendation: it is always a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques. Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Many thanks for reading! Please do leave comments and feedback below.

In questo articolo sono elencati una serie di comandi e funzioni di sistema che consentono di personalizzare diversi aspetti del sistema operativo e del suo comportamento nelle singole sessioni utente.

La grande maggioranza di queste funzioni è richiamabile da menu di sistema operativo, da menu di sistema contestuali oppure dal pannello di controllo, ma utilizzando il nome del comando è possibile agire direttamente sulla funzione desiderata risparmiarmiando tempo per la sua ricerca.

Inoltre, una buona parte di queste funzioni sono utilizzabili all'interno di programmi batch, ad esempio inserendo alcuni di questi comandi con dei parametri specifici è possibile personalizzare vari aspetti del sistema operativo.

Nota : i comandi elencati sono per la maggior parte compatibili anche con i sistemi operativi Windows 7, Vista e Windows XP.

Per eseguire uno di questi comandi, da Esegui ( Tasto Windows + R ) digitare uno dei comandi elencati nella colonna Comandi :

Funzioni	Comandi
Apre la cartella Documenti	documents
Apre la cartella video	videos
Apre la cartella Download	downloads
Apre la cartella Preferiti	favorites
Apre la cartella File recenti	recent
Disconnessione da Windows	logoff
Apre la cartella Immagini	pictures
Windows Sideshow	control.exe /name Microsoft.WindowsSideshow
Windows CardSpace	control.exe /name Microsoft.cardspace
Windows Anytime Upgrade	WindowsAnytimeUpgradeui
Taskbar e Start	control.exe /name Microsoft.TaskbarandStartMenu
Troubleshooting	control.exe /name Microsoft.Troubleshooting
Account utente	control.exe /name Microsoft.UserAccounts
Aggiunge un nuovo dispositivo	devicepairingwizard
Wizard per l’aggiunta di nuovo hardware	hdwwiz
Gestione avanzata account	netplwiz
Gestione autorizzazioni	azman.msc
Backup e ripristino	sdclt
Trasferimento file Bluetooth	fsquirt
Calcolatrice	calc
Certificati	certmgr.msc
Cambia le impostazioni sulle performance del PC	systempropertiesperformance
Cambia impostazioni DEP	systempropertiesdataexecutionprevention
Cambia impostazioni stampa	printui
Mappa caratteri	charmap
ClearType Tuner	cttune
Gestione colori	colorcpl
Prompt dei comandi	cmd
Componenti di servizio aperto	comexp.msc
Componenti di servizio aperto	dcomcnfg
Gestione computer	compmgmt.msc
Gestione computer	compmgmtlauncher
Connessione proiettore di rete	netproj
Connessione proiettore	displayswitch
Pannello di controllo	control
Wizard per creazione cartella condivisa	shrpubw
Crea disco di ripristino	recdisc
Wizard per backup/ripristino credenziali	credwiz
Data Execution Prevention	systempropertiesdataexecutionprevention
Data e ora	timedate.cpl
Percorso predefinito	locationnotifications
Gestione dispositivi	devmgmt.msc
Gestione dispositivi	hdwwiz.cpl
Aggiunge un nuovo dispositivo	devicepairingwizard
Wizard risoluzione problemi	msdt
Calibrazione	tabcal
Diagnostica DirectX	dxdiag
Pulizia disco	cleanmgr
Utility deframmentazione disco	dfrgui
Gestione dischi	diskmgmt.msc
Schermo	dpiscaling
Calibrazione colori	dccw
Cambio schermo	displayswitch
Wizard migrazione chiavi DPAPI	dpapimig
Gestione verifica driver	verifier
Accesso facilitato	utilman
Wizard EFS	rekeywiz
Visualizzatore eventi	eventvwr.msc
Fax editor	fxscover
Verifica firma file	sigverif
Visualizzatore font	fontview
Controller giochi	joy.cpl
Schermata presentazione Windows	gettingstarted
IExpress Wizard	iexpress
Infrarosso	irprops.cpl
Installa/Disinstalla lingue	lusrmgr
Internet Explorer	iexplore
Opzioni Internet	inetcpl.cpl
Configurazione iSCSI Initiator	iscsicpl
Installazione language pack	lpksetup
Gestione criteri di gruppo	gpedit.msc
Criteri di protezione locali	secpol.msc
Gestione utenti e gruppi	lusrmgr.msc
Imposta posizione geografica	locationnotifications
Lente d’ingrandimento	magnify
Malicious Software Removal Tool	mrt
Gestisce certificati di protezione	rekeywiz
Pannello espressioni matematiche	mip
Microsoft Management Console	mmc
Microsoft Support Diagnostic Tool	msdt
Mouse	main.cpl
Configurazione client NAP	napclcfg.msc
Narrator	narrator
Connessioni di rete	ncpa.cpl
Wizard acquisizione immagine	wiaacmgr
Blocco note	notepad
ODBC Data Source Administrator	odbcad32
ODBC Driver Configuration	odbcconf
Tastiera su schermo	osk
Paint	mspaint
Penna e Touch	tabletpc.cpl
Persone nelle vicinanze	collab.cpl
Monitoraggio performance	perfmon.msc
Impostazioni performance	systempropertiesperformance
Telefono e modem	telephon.cpl
Composizione telefonica	dialer
Impostazioni risparmio energia	powercfg.cpl
Impostazioni presentazione	presentationsettings
Gestione stampa	printmanagement.msc
Migrazionestampa	printbrmui
Interfaccia di stampa	printui
Editor caratteri	eudcedit
Registratore problemi	psr
Programmi e funzioni	appwiz.cpl
Migrazione contenuto protetto	dpapimig
Paese e Lingua	intl.cpl
Editor registro	regedit
Editor registro 32	regedt32
Rubrica accesso remoto	rasphone
Connessione remota desktop	mstsc
Monitoraggio risorse	resmon
Gruppo criteri risultante	rsop.msc
SAM Lock Tool	syskey
Risoluzione schermo	desk.cpl
Messa in sicurezza database account Windows	syskey
Servizi	services.msc
Impostazioni accesso ai programmi	computerdefaults
Creazione condivisione	shrpubw
Cartelle condivise	fsmgmt.msc
Strumento di cattura	snippingtool
Suono	mmsys.cpl
Registratore suoni	soundrecorder
SQL Server Client Network Utility	cliconfg
Sticky Notes	stikynot
Username e Password conservati	credwiz
Sync Center	mobsync
Utility configurazione sistema	msconfig
Editor configurazione sistema	sysedit
System Information	msinfo32
Proprietà sistema	sysdm.cpl
Proprietà sistema – avanzate	systempropertiesadvanced
Proprietà sistema – nome computer	systempropertiescomputername
Proprietà sistema – hardware	systempropertieshardware
Proprietà sistema – remoto	systempropertiesremote
Proprietà sistema – protezione	systempropertiesprotection
Ripristino sistema	rstrui
Task Manager	taskmgr
Pianificazione operazioni	taskschd.msc
Gestione Trusted Platform Module (TPM)	tpm.msc
Impostazioni Controllo account utente	useraccountcontrolsettings
Utility Manager	utilman
Version Reporter Applet	winver
Mixer volume	sndvol
Windows Action Center	wscui.cpl
Client attivazione Windows	slui
Windows Anytime Upgrade Results	windowsanytimeupgraderesults
Windows CardSpace	infocardcpl.cpl
Masterizzazione file immagine	isoburn
Windows DVD Maker	dvdmaker
Windows Easy Transfer	migwiz
Windows Explorer	explorer
Fax e scanner	wfs
Funzioni di Windows	optionalfeatures
Windows Firewall	firewall.cpl
Windows firewall con impostazioni sicurezza avanzate	wf.msc
Windows Journal	journal
Windows Media Player	wmplayer
Windows Memory Diagnostic Scheduler	mdsched
Windows Mobility Center	mblctr
Wizard Acquisizione Immagini	wiaacmgr
Windows PowerShell	powershell
Windows PowerShell ISE	powershell_ise
Assistenza remota	msra
Disco ripristino di Windows	recdisc
Windows Script Host	wscript
Windows Update	wuapp
Windows Update Standalone Installer	wusa
Versione Windows	winver
WMI Management	wmimgmt.msc
WordPad	write
XPS Viewer	xpsrchvw

We're please to announce support for OS X 10.9 Mavericks. More details can be found here:

https://www-secure.symantec.com/connect/articles/it-management-suite-os-platform-support

V-79-57344-33967 - Snapshot Technology: Initialization failure on: "Search instance\Search-DB 1 (Sharepoint\WSS_Search_Sharepoint)". Snapshot technology used: Microsoft Volume Shadow Copy Service (VSS). Snapshot technology error (0xE00084AF): The directory or file was not found, or could not be accessed. Check the Windows Event Viewer for details.

Job log.JPG

Windows Event Viewer information

Event ID : 8193
Source : VSS
Error : ConvertStringSidToSid(S-1-5-80-1202657632-534270475-2053275915-3193571600-3895445954.bak), 0x80070539, The security ID structure is invalid.

Event ID.JPG

Cause
Invalid security ID structure

Solution

1)Open regedit on remote server

2)Navigate to HKLM\Software\Microsoft\Windows NT\Current Version\Profile List

3)Right click on Profile list and click Export to take a backup of the registry and save it

4)Look for the invalid SID that is listed in the event viewer (S-1-5-80-1202657632-534270475-2053275915-3193571600-3895445954.bak) and delete it.

5)Restart the remote server and run the backup again.

Often times when software is purchased for an organization, the vendor provides a license key or user ID and password combination to activate their software.

Customers often store this information in spreadsheets on their local computer or on a file share within their organization. This can lead to lost information when it is not linked to the consumption of licenses within the organization.

By using the Symantec Management Platform with Asset Management Suite, a customer can simply extend the out-of-the-box solution and create a central repository for such information that also links to purchase information; individual licenses; and actual consumption of such licenses.

The attached document outlines the necessary steps to add data classes; modify a Resource Type; and create a data entry screen for storing license keys, usernames, and passwords (in clear text).

Extending Asset Management Solution.pdf

Trying to wade through Client Activity logs can become a tedious task, especially when you have thousands of clients. I would like to show you some advanced filtering that you can do to get the Client info you need much more quickly.

For this article, I will focus solely on the Client Activity logs in the SEPM:

The box we want to use for filtering is the Event source box. There are specific keywords you can use to get more granular. They are as follows:

GUP
IPS
LiveUpdate Manager
Network Intrusion Protection Sys
REP
Smc
SONAR
SYLINK
Symantec AntiVirus
Symantec Endpoint Protection

To look at events generated by SMC, we enter SMC into the Event source box:

Click View Log to see those events

As you can see, a wealth of info is generated. This also holds true for the other nine keywords above as well. I highly recommend you try these out to see what info comes back. It is very detailed and you may find somethings that you previously did not know about! Better yet, you can export to CSV and drop into Excel and filter as needed.

I hope these help you in your daily monitoring tasks. Feel free to post and comments/questions/criticisms

Thanks!
Brian

Issue

This document explains the process of configuring the Symantec Alerting Services for BCS customers, which includes editing and confirming your recipient information, alerts and notifications and resetting your password.

Solution

Logging in
( https://symantec.mir3.com )
On entering, you see the following login screen:

Your Username is the same numeric login you use to log into the BCS Support site.

The initial password is the first two characters of your last name (in lower case) followed by: 4Zp%9sj2
For example, the initial login password for John Smith would be: sm4Zp%9sj2
The password is 10 characters long, has no spaces and it is case sensitive.

When you successfully login, you see the following screen. Click the Profile button at the top.

The recipient setup screen appears.

Changing/Setting passwords

To change your password, please go to the left hand navigational bar under Security and click Change Password. (shown below)

In this section, the initial password is the first two characters of your family name (again in lower case) followed by: 4Zp%9sj2
For example, the login for John Smith would be: sm4Zp%9sj2
The password is 10 characters long, has no spaces and it is case sensitive.

Once you have logged in, you will be asked to reset your password to one of your choosing. That password must meet the following criteria:

- It must be at least 10 characters long
- It must contain at least one upper case letter
- It must contain one lower case letter
- It must contain one number
- It must contain one special character (for example: !@#$)

In the future, you will have to reset this password every 90 days per security best practices.

Recipient Information Setup

Click the back arrow on the browser to return to the Recipient Setup page. The screen should be at the General tab

At the Recipient Setup page:
- Confirm your time zone in the drop down menu.
- Enter your company name. (Employee ID is not necessary)
Confirm the communication modalities you require. The devices circled in red below are the ones available:

Note: After some study, Symantec BCS has decided to join the global trend and discontinue slower or problematic legacy telephone and fax communication modes. We will retain only email and SMS modes by which you can receive alerts. Selecting other than the two specified modalities will not enable them, and you will not receive information on them.

Setting up Alerts and Subscriptions

Click the Topic Subscriptions tab and then click the User Subscriptions tab. (as shown below)

Select the Categories you wish to activate for alerts/notifications. You may already see pre-populated information.
Confirm all needed alerts/notifications are here. If not, please add the category by using the drop down menu.
Selection of the top category header will select all sub-categories. If you do not want to receive all sub-categories, iteratively select specific categories from the drop down menu.
All other settings: Priority, Severity, Location are already set to their defaults and need no further attention.
Select the Activate check boxes.

The following shows the relevant selections:

This will give you informations about the Daily Definition Updates.

This will give you informations about known vulnerabilitys of your Symantec product and recommendations for this.

This will give you informations about Endpoint Protection Engine Updates like new BASH driver or new Eraser engine etc.

MIR3_Profile_03_Subscriptions_SEP Engine Update.PNG

Ensuring you receive your alerts or notifications

Depending on your company's Security protocols, you may need to reset your SPAM filters to allow these alerts to enter. If this is the situation, use the following sending address string information for your filters: @notify2.mir3.com

Additional questions

If you have any problems with your set up, please contact your BCAM.

Additional Alternative Notification Methods

You may also want to subscribe to anti-virus RSS feeds by visiting the following link and signing up for the virus definitions and security updates: http://www.symantec.com/xml/rss/definitions.jsp

Symantec Workspace Streaming SDK includes several web services. You can access them by using the Simple Object Access Protocol (SOAP). A Web Services Description Language (WSLD) document exposes the interface. The WSLD document provides details on the published methods and objects. The Workspace Streaming web services are separated into multiple areas of management. Each area has its own WSDL file.

This Quick Start Guide explains you through developing clients in the Visual Basic and Java languages. However, most programming languages, such as C#, Visual Basic, C++, Java, and Python, provide support for SOAP web services. Most languages also let you use the WSLD document to automatically generate proxy classes.

You must meet the following requirements to use the Symantec Workspace Streaming SDK:

The Workspace Streaming web services require Workspace Streaming 6.1 or later.
Applications accessing the web services must be able to contact the server that hosts the Streaming Console.
You must have an account on your Workspace Streaming system.

Thanks,

Ankit Shrivastava

SWS-SDK-7_5-QuickStartGuide.zip

Are you using Yahoo Mail as your primary contact email or email client for receiving Connect notifications and find that a lot of your messages are being delivered to the Spam folder?

Yahoo is inconsistent - messages from Connect will be delivered to your Inbox AND to your Spam folder. Just to be on the safe side, check that Spam folder to see what's piling up in there. It can't all be cheap pharmaceuticals!

yahoo spam 1.png

Creating a filter that will deliver your Connect messages to the Inbox is a simple task - then you won't need to check your Spam folder for our messages ever again!

First you need to start with a message from us that has landed in your Spam folder that you know is a legitimate Connect message. Go right ahead and open it. It never hurts to add us to your Contacts list but don't get distracted - we're creating a Filter.

Open your Spam Folder and look for a message from Connect - it could be a notification or a newsletter.

yahoo spam 2.png

Open any one of these messages and then choose the "More..." icon

yahoo spam 3.png

A drop down menu will open with a list of options. Choose "Filter Email Like This..."

yahoo spam 4.png

A box will open allowing you to customize your filter

yahoo spam 5.png

All you need to do is choose "Inbox" in the drop down menu under "Then move the message to" and click "Save"

Unlike Gmail, messages currently in your Spam folder that would be affected by this filter won't be delivered to your inbox. It only applies to messages delivered after the filter has been created. You're still going to have to crawl through your spam folder looking for important messages.

For IT Analytics reports hosted by SQL Server Reporting Services (which include out-of-the-box reports and dashbaords) some users may experience extended wait times before the report is able to render, and in some cases the report may even fail or timeout. This typically occurs in environments where there are extremely large data volumes and where reports are pre-configured to display all data by default (without filtering).

To minimize the time it takes for some IT Analytics reports to load, steps can be taken to configure settings so that data will be filtered by default, hence greatly improving performance. This article will describe such process, utilizing Microsoft Report Builder a client side aplpication which comes with SQL Server Reporting Services.

Selecting the Report

To load Report Builder, open Symantec Management Platform Console and navigate to: Settings > Notification Server > IT Analytics Settings > Reports > Report Builder. Then click on the Launch Report Builder button.

If prompted, click Run to start downloading the application.
Be patient, launching application may take a minute or two, depending on connectivity. While the application is loading, you should see this message:

Click Open to select the report you want to optimize. Under the default configuration, all IT Analytics reports are stored within the ITAnalytics folder off the ReportServer root.

NOTE: For the purposes of this example, we will select the IT Analytics Configuration Events report. As such, the parameters you select in the next section of this article may be different.

Modifying the Report

When report opens, expand Parameters in the Report Data pane on the left, then right-click the From parameter and select Parameter Properties.

Navigte to Default Values > Get values from a query. For both fields select MaxDate from drop-down list, then click OK.

NOTE: Write down original values prior to making any modifications.

Modify the properties for the Types parameter and navigate again to Default Values. Select Specify Values and Add new value. In the field type in 'Cube Processing' (without quotes) as shown below, then click OK. If you are modifying a different report, select an appropriate paramater and input a default value that matches a value for that parameter.

Modify the properties for the Targets parameter and navigate again to Default Values. Select Specify Values and Add new value. In the field type in 'Processing Trace' (without quotes) as shown below, then click OK. If you are modifying a different report, select an appropriate paramater and input a default value that matches a value for that parameter.

Click Save to apply all changes (saving may take couple seconds).

Reloading the Report

In the Symantec Management Console, navigate to Reports > IT Analytics > Reports > IT Analytics Events > ITA Configuration Events (or a the appropriate report you modified). Refresh the browser if necessary. You should notice the report load much faster than previously.
Verify that the current day (in the From parameter) and the specific Type and Target are pre-selected with the values we input previously (or the appropriate values you entered if modifying a different report).

To adjust the parameter values, you can select different values as you normally would.

By default, reports and dashboards in IT Analytics (hosted by SQL Server Reporting Services) will run automatically when selected. This behavior can sometimes be problematic for environments with excessive amounts of data, resulting in increased load times or timeouts for certain reports. One option to prevent this is to modify the value of a parameter within a report so that it does not execute automatically when clicked, a process which is documented in the article below.

To modify report parameters in more detail in order to load reports more efficiently, please see the article: Modifying IT Analytics Reports to Decrease Load Times.

For the purposes of this example we will use the DLP Endpoint Incident Search report. Note that by default, the report runs with the Policy Name parameter value of 'All' pre-selected.

To change this report, open a browser on the server hosing SQL Reporting Services and goto: http://localhost/Reports.
From within the IT Analytics folder, locate and hover over the DLP Endpoint Incident Search report (or the report you want to modify) and to the right you will see a menu of options. Select Manage.

Once in the report manage screen, select the Parameters section.

Once there, uncheck the 'Has Default' column from the parameter you want to force users to select or enter information on. This will ensure a user must select a value for that parameter before the report can be executed. In this example we will use the Policy Name parameter, then click Apply.

Return to the Symantec Management console to load the report and you should notice that it does not automatically execute the report, but instead prompts for a parameter value. Once a value is selected click View Report. Refresh the browser if necessary.

Symantec Data Loss Prevention provides many operational log files that can be used to interpret how the system is running.

The default locations put the log files during installation for the Enforce Server and Detection Servers on the computers that host the servers. The files are in the \SymantecDLP\Protect\logs directory on Windows installations and in the /var/log/SymantecDLP directory on Linux installations. The number at the end of the log file name indicates the count.

Most log files are located on the sub-directory: \SymantecDLP\Protect\logs\debug on Windows and /var/log/SymantecDLP/debug on Linux.

Log File Name	Description	Server
Aggregator0.log	This file describes communications between the detection server and the agents. Look at this log to troubleshoot the following problems: ■ Connection to the agents ■ To find out why incidents do not appear when they should ■ If unexpected agent events occur	Endpoint detection servers
BoxMonitor0.log	This file is typically very small, and it shows how the application processes are running. The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example, the processes that run on Network Monitor are file reader and packet capture.	All detection servers
ContentExtractor0.log	This log file may be helpful for troubleshooting ContextExtractor issues.	All detection servers, Enforce Server
DiscoverNative.log.0	Contains the log statements that the Network Discover native code emits. Currently contains the information that is related to ,pst scanning. This log file applies only to the Network Discover Servers that run on Windows platforms.	Discover detection servers
FileReader0.log	This log file pertains to the file reader process and contains application-specific logging, which may be helpful in resolving issues in detection and incident creation. Look at this log file to find out why an incident was not detected. One symptom that shows up is content extractor timeouts	All detection servers
IncidentPersister0.log	This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on the Enforce Server, and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager) grows too large. This situation can be observed also by checking the incidents folder on the Enforce Server to see if incidents have backed up.	Enforce Server
Indexer0.log	This log file contains information when an EDM profile is indexed. It also includes the information that is collected when the external indexer is used. If indexing fails then this log should be consulted.	Enforce Server (or computer where the external indexer is running)
jdbc.log	This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off.	Enforce Server
MonitorController0.log	This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives details around the information that is exchanged between these servers including whether policies have been pushed to the detection servers or not.	Enforce Server
PacketCapture.log	This log file pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system processes.	All detection servers
PacketCapture0.log	This log file describes issues with PacketCapture communications.	All detection servers
RequestProcessor0.log	This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where SmtpPrevent0.log is not sufficient.	SMTP Prevent detection servers
ScanDetail-target-0.log	Where target is the name of the scan target. All white spaces in the target's name are replaced with hyphens. This log file pertains to Discover server scanning. It is a file by file record of what happened in the scan. If the scan of the file is successful, it reads success, and then the path, size, time, owner, and ACL information of the file scanned. If it failed, a warning appears followed by the file name.	Discover detection servers
SmtpPrevent0.log	This operational log file pertains to SMTP Prevent only. It is the primary log for tracking health and activity of a Mail Prevent system. Look at this file for information on the communications between the MTA and detection server.	SMTP Prevent detection servers
Tomcat\Localhost.<date>.log	This log file contains information for any action that involves the user interface. The log includes the User Interface red error message box, password fails when logging on ) and Oracle errors (ORA –#).	Enforce Server
Tomcat\ Localhost_access_log.<date>.txt	This log contains the record of all URLs requested.	Enforce Server
VontuIncidentPersister.log	This log file contains minimal information –stdout and stderr only (fatal events).	Enforce Server
VontuManager.log	This log file contains minimal information –stdout and stderr only (fatal events).	Enforce Server
VontuMonitor.log	This log file contains minimal information –stdout and stderr only (fatal events).	All detection servers
VontuMonitorController.log	This log file contains minimal information –stdout and stderr only (fatal events).	Enforce Server
VontuNotifier.log	This log file pertains to the Notifier service and its communications with the Enforce Server and the MonitorController service. Look at this file to see if the MonitorController service registered a policy change	Enforce Server
VontuUpdate.log	This log file is populated when Symantec Data Loss Prevention is updated.	Enforce Server
WebPrevent_Access0.log	This access log file pertains to Web Prevent only. It records all the requests that Web Prevent processes. It is similar to Web access logs for a proxy server.	Web Prevent detection servers
WebPrevent_Operational0.log	This operational log file pertains to Web Prevent only. It reports the operating condition of Web Prevent such as whether the system is up or down, connection management, and so on. This log is the primary log file for tracking Web Prevent operations.	Web Prevent detection servers

To minimize the time it takes for some IT Analytics reports to load, steps can be taken to configure settings so that data will be filtered by default, hence greatly improving performance. This article will describe such process, utilizing Microsoft Report Builder a client side application which comes with SQL Server Reporting Services.