About suppressing a Security report item

Symantec ESM security checks may report conditions on computers that are tolerated within an organization's security policy. Instead of excluding important areas of a check from the Symantec ESM policy, you can temporarily or permanently suppress these messages on a case-by-case basis. All messages are suppressible.

Suppressions do not correct security problems. They only prevent the messages that the agents report from appearing in future Security reports. You can suppress the messages by Title, Name, Information (text in the Information column of the grid), and agent. You can suppress specific messages or use wildcards to suppress all messages of a certain type.

Note:

Exercise caution while using suppressions, especially if you use wildcards to create suppressions. You may inadvertently mask security problems.

You can view, edit, and delete message suppressions in the Policy branch of the enterprise tree. By default, suppressions expire after six months.

Newly created suppressions become attributes of a policy. You can view suppressed items in the grid by expanding the policies branch and by selecting the Suppressions node. You can also include them in the Security report by choosing them as part of the filter.

See Filtering the security data.

For each suppression, the grid displays the agent, policy, module, and operating system for which the message is suppressed. The grid also displays the following:

Some suppressions do not work after you upgrade agents. This limitation applies only to the module upgrades that change the message text. Symantec ESM cannot suppress a message if the text in the message does not match the text that is used to create the suppression. In these instances, you can create a new suppression that is based on the new message.

When you create a suppression, you use fields in the Create a suppression window to customize the suppression. These fields allow you to add wildcards, expiration dates, and comments to the suppressions. Wildcard check boxes let you suppress messages for multiple agent names, user accounts, or message text values. If you uncheck the wildcard check boxes, the suppression is valid for the specific agent, the user account, and the message text that are associated with the message.

Table: Create a suppression window field descriptions lists and explains each field in the Create a suppression window.

Table: Create a suppression window field descriptions

| Field | Description |
| --- | --- |
| Enable Suppression | This check box lets you enable and disable suppressions. |
| Ignore Title | This field displays the title of the message that you selected in the ESM console grid. If you check the check box, the suppression can match any message title. If you uncheck the check box, the suppression must explicitly match the message title that is listed to the right of the check box. |
| Wildcard Name | This field lets you specify the name of the user, account, or computer that the suppression must match. A Security report may list more than one user or account on a computer with the security violation. You can use a wildcard character to suppress the message for all user, account, or computer names. Note: Computer names in this field differ from agent names. Computer names indicate the computers that are assessed with proxy agents, or other agent-less assessment methods. |
| Wildcard Information | This field lets you indicate the message text that the suppression must match. A Security report may list more than one occurrence of a security violation. You can use a wildcard character to suppress the message for all occurrences of the message text. |
| Wildcard Agent Name | This field lets you indicate the agent that has the suppression applied to it. A Security report may list more than one agent with the security violation. You can use a wildcard character to suppress the message for all agents. |
| Expiration Date | This field lets you set a date when the suppression expires. Use the drop-down arrow to see the calendar tool that lets you select the date. |
| Comment | This field lets you add information about suppression details, reasons for the suppression, or other information. |

Use the asterisk (*) wildcard operator in place of multiple missing characters in the Wildcard Name, Wildcard Information, or Wildcard Agent Name fields. For example, an asterisk in the Wildcard Agent Name field applies the suppression to each agent in the domain. You can also use the question mark (?) wildcard operator in place of a single missing character. Agent names cannot be longer than 61 characters.

If you select the Wildcard Name, Wildcard Information, or Wildcard Agent Name check box, but do not type a wildcard character in the related text box, the suppression must explicitly match the value in the related field to suppress the message.

Also, while using wildcards to create suppressions, Symantec ESM lets you create multiple suppressions of the same item using different options or wildcard characters.

For example, if you select the message titled Inactive Account to create a suppression, to suppress all of the messages titled Inactive Account, from the GS1001 agent computer, do the following:

By placing a check and an asterisk in the Wildcard Agent Name field, you activate the suppression for every agent on the manager. By typing GS*, you enable the suppression for every agent that begins with the string GS. Wildcard fields are case sensitive.
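The matching rules described above can be modelled to preview which report rows a suppression would hide before you create it. This is an added example, not Symantec ESM code: the `Message` and `Suppression` classes, the function names, and the sample rows are constructed for illustration, and it assumes a suppression is still active on its expiration date.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

def wildcard_to_regex(pattern):
    """Translate the page's wildcards: * = any run of characters, ? = exactly one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)  # no IGNORECASE: fields are case sensitive

@dataclass(frozen=True)
class Message:              # one Security report row (hypothetical model)
    title: str
    name: str
    information: str
    agent: str

@dataclass(frozen=True)
class Suppression:          # hypothetical model of the Create a suppression fields
    title: Optional[str]    # None models "Ignore Title" checked
    name: str
    information: str
    agent: str
    expires: date
    enabled: bool = True

def is_suppressed(msg, s, today):
    """True if suppression s would hide msg from the report on the given day."""
    if not s.enabled or today > s.expires:  # assumption: active through the expiry date
        return False
    if s.title is not None and s.title != msg.title:
        return False
    pairs = ((s.name, msg.name), (s.information, msg.information), (s.agent, msg.agent))
    return all(wildcard_to_regex(p).fullmatch(v) for p, v in pairs)

def masked_by(messages, s, today):
    """List every report row the suppression would hide; review it before saving."""
    return [m for m in messages if is_suppressed(m, s, today)]

# Constructed sample report rows
REPORT = [
    Message("Inactive Account", "alice", "No logon in 90 days", "GS1001"),
    Message("Inactive Account", "bob", "No logon in 120 days", "GS1002"),
    Message("Inactive Account", "carol", "No logon in 95 days", "gs2001"),
    Message("Password never expires", "alice", "Flag set", "GS1001"),
]
```

Comparing `masked_by` for the agent patterns `GS1001`, `GS*` and `*` shows how quickly a wildcard widens what is hidden, and that `GS*` does not cover the lowercase `gs2001` agent.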