Hi
I have set up a single risk event.
This is one of the alerts I have received recently:
Risk name: W97M.Downloader
File path: xxxxx.doc
Event time: 05/11/2015 11:34:02 PM
Database insert time: 06/11/2015 2:00:00 AM
Source: Real Time Scan
Description: ""
User: SYSTEM
Computer: PCxxxxx
IP Address: x.x.x.x
Domain: Default
Server: xxxxxxx
Client Group: xxxxxxx
Action taken on risk: Quarantined
This alarm was generated at 06/11/2015 2:11:47 AM (Reporter host Time).
I am trying to understand the timing of it all.
I can confirm that a new definition was downloaded and installed at 11:30pm (so assume the heartbeat happened around this time). This in turn triggers that mini scan that happens after a new def is loaded. This scan has picked up a virus at 11:34pm. So far so good.
Can someone tell me what "Database insert time" is about? Why would this have happened at 2am the next morning?
I suspect this has something to do with the heartbeat, as our heartbeat is set for 2 hours with 1 hour randomization. Would it be safe to assume that the heartbeat triggered at around 2AM, and the logs from the PC have been uploaded to the SEPM database at 2AM?
Also, the alarm generation time of 2:11AM: any idea why the 11-minute delay for the email to be sent?
Our Damper is set to Auto.
Apart from lowering the heartbeat interval, any other suggestions for speeding up the email alerting for new viruses?
Thanks,
DM.
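To put numbers on the timing question raised in the post, the following added example (not part of the original post, and not Symantec code) parses the "Key: value" body of a SEPM risk alert and splits the detection-to-email delay into two legs: client-to-database (the leg governed by the heartbeat) and database-to-notification. The sample alert is constructed to mirror the one quoted above, with host, IP and server values kept as placeholders; it assumes the timestamps are day-first (05/11 = 5 November), which is what makes the insert time land on "the next morning". The `parse_alert`, `alert_latency` and `SAMPLE_ALERT` names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alert, modelled on the one quoted in the post; host, IP,
# server and group values are placeholders, not real identifiers.
SAMPLE_ALERT = """Risk name: W97M.Downloader
File path: xxxxx.doc
Event time: 05/11/2015 11:34:02 PM
Database insert time: 06/11/2015 2:00:00 AM
Source: Real Time Scan
Description: ""
User: SYSTEM
Computer: PCxxxxx
IP Address: x.x.x.x
Domain: Default
Server: xxxxxxx
Client Group: xxxxxxx
Action taken on risk: Quarantined
This alarm was generated at 06/11/2015 2:11:47 AM (Reporter host Time).
"""

# Assumption: timestamps are day-first (05/11 = 5 November), which is what makes
# the insert time land on "the next morning" as the post describes.
TIME_FMT = "%d/%m/%Y %I:%M:%S %p"
ALARM_RE = re.compile(
    r"alarm was generated at (\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
)


def parse_alert(text: str) -> dict:
    """Turn the 'Key: value' body of a SEPM risk alert into a dict.

    The free-text 'This alarm was generated at ...' line is captured separately
    under the key 'alarm_time'. Timestamp fields are converted to datetime.
    """
    fields = {}
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            fields["alarm_time"] = datetime.strptime(m.group(1), TIME_FMT)
            continue
        if ":" not in line:
            continue
        # Split on the first colon only: the values themselves contain times.
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    for key in ("Event time", "Database insert time"):
        fields[key] = datetime.strptime(fields[key], TIME_FMT)
    return fields


def alert_latency(fields: dict, heartbeat_minutes: int, randomization_minutes: int) -> dict:
    """Break the detection-to-email delay into its two legs and compare the
    upload leg against the worst-case heartbeat window (interval + randomization)."""
    event = fields["Event time"]
    insert = fields["Database insert time"]
    alarm = fields["alarm_time"]
    upload_lag = insert - event   # client held the log until its next heartbeat
    notify_lag = alarm - insert   # SEPM processed the row and sent the notification
    worst_case = timedelta(minutes=heartbeat_minutes + randomization_minutes)
    return {
        "upload_lag_s": int(upload_lag.total_seconds()),
        "notify_lag_s": int(notify_lag.total_seconds()),
        "total_lag_s": int((alarm - event).total_seconds()),
        # True when the upload leg fits inside the heartbeat schedule alone
        "explained_by_heartbeat": timedelta(0) <= upload_lag <= worst_case,
    }


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    # 2-hour heartbeat with 1-hour randomization, as stated in the post
    report = alert_latency(parsed, heartbeat_minutes=120, randomization_minutes=60)
    for name, value in report.items():
        print(f"{name}: {value}")
```

Run against the sample, the upload leg comes out at 2h 25m 58s, inside the 3-hour worst case for a 2-hour heartbeat with 1-hour randomization, and the notification leg at 11m 47s; pointing this at a batch of real alerts is a quick way to see whether the heartbeat or the server-side notification processing is the larger contributor before changing either setting.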