Channel: Symantec Connect - Endpoint Protection - Discussions
Viewing all 10484 articles

External logging delay

I need a solution

Why, when SEP detects a test virus and sends the log to SEPM, does it take around 10 minutes before I get my dump risk file? The same happens when I try a syslog server.

How to change the partner name

I need a solution

How to change the partner name from hyderabad (srv-kdms-hydav) to global (srv-kdms-av)? I have manually changed the replication site properties and changed the replication server to global (srv-kdms-av), but I don't have any option to change the partner name.

SEP makes Windows hang

I need a solution

Hi,

We encounter this problem on Windows 2012. We are using SEP 12. When I disable SEP 12, Windows does not hang and operates as normal. If we enable SEP 12, after a few days the server hangs and we need to force a reboot. After googling around, we did not find any related solution. Please advise.

Thanks.

SEP System Lockdown (Whitelisting-mode) and C:\Windows\assembly

I need a solution

Hello,

We have SEP System Lockdown enabled in whitelisting mode but are having some trouble with the contents of the C:\Windows\assembly folder in Windows 10.

From what we can tell, the contents of this folder are dynamic, so a hash fingerprint of the contents on one device is not guaranteed to match that of another, despite all devices in our fleet being built from the same image.

To work around this we have tried setting a definition rule for C:\Windows\assembly\* in the System Lockdown policy; however, we still see various DLL files in the directory being blocked.

Has anyone else come across this or something similar?

I am also interested to know how others have implemented whitelisting with SEP Lockdown on Windows 10.

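One way to find out exactly which files under a whitelisted tree are machine-specific, as an added example (this is not Symantec's fingerprint tooling and not code from the poster): build a per-file hash fingerprint of the directory on two machines and diff them. Files that hash differently, or exist on only one machine, are the ones a hash-based System Lockdown fingerprint list can never cover and need a path or name rule instead. The ngen native-image caches under C:\Windows\assembly are regenerated on each machine, which is why an image-identical fleet still diverges there. The two fixture trees in demo() are constructed, and SHA-256 is an assumption; use whatever digest your fingerprint tool emits when comparing against a real list.

```python
"""Hash-fingerprint a directory tree and diff two fingerprints (added example)."""
import hashlib
import os
import tempfile


def fingerprint(root, algorithm="sha256"):
    """Map each file (path relative to root, backslash form) to its hex digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.new(algorithm)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            result[rel] = digest.hexdigest()
    return result


def diff_fingerprints(reference, other):
    """Paths present on one side only, or present on both with different hashes."""
    only_reference = sorted(set(reference) - set(other))
    only_other = sorted(set(other) - set(reference))
    changed = sorted(p for p in set(reference) & set(other)
                     if reference[p] != other[p])
    return {"only_reference": only_reference,
            "only_other": only_other,
            "changed": changed}


def _write(root, rel, data):
    """Create a file at root\\rel (constructed fixture helper)."""
    path = os.path.join(root, *rel.split("\\"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Two constructed 'machines' built from one image; only the ngen cache differs."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "machine_a", "assembly")
        oth = os.path.join(tmp, "machine_b", "assembly")
        for root in (ref, oth):
            _write(root, "GAC_MSIL\\Shared.dll", b"identical on every machine")
        # Native images are generated per machine, so the same path hashes differently.
        _write(ref, "NativeImages_v4\\App.ni.dll", b"ngen output on machine A")
        _write(oth, "NativeImages_v4\\App.ni.dll", b"ngen output on machine B")
        _write(oth, "NativeImages_v4\\Extra.ni.dll", b"only generated on machine B")
        return diff_fingerprints(fingerprint(ref), fingerprint(oth))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run fingerprint() on the reference image and on a machine where System Lockdown is blocking files, then diff_fingerprints() over the two results; every path in "changed" or "only_other" is a candidate for a name or path rule rather than a hash entry.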

LiveUpdate failed due to a Java problem

I need a solution

Hello all,

I have a problem with my SEP 12.1 for Linux: after installation, LiveUpdate didn't get updates from the LiveUpdate server. The issue I found is that Java probably failed to encrypt liveupdate.conf. Below is the debug output when I run debugging by using this command: java -classpath jlu.jar com.symantec.liveupdate.LiveUpdate -d

============================================================================================================

Using character set UTF-8
Command-line Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
Debug - output[nIdx] = uid=0(root) gid=0(root) groups=0(root)
Adding JLU to the current command line
  JLU Linux, 3.10.2, English, LiveUpdateSeq, 13
Trying to load jar file from null/LiveUpdate/bcprov-jdk15on-148.jar
Trying to load jar file from current directory or mentioned in classpath
JLUException [
Nested Exception is:
 [ java.lang.ClassNotFoundException ] org.bouncycastle.jce.provider.BouncyCastleProvider

java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
]
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    ... 7 more

java.io.IOException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)

An error was encountered when reading in the liveupdate.conf file /etc/liveupdate.conf
Checking to see if JLU can connect to its own listener thread.
Checking to see if a session of JLU is running at port 56598.
An active JLU session has been detected.
JLU was able to successfully connect to its own listener thread.
createConfiguration failed.

The Java LiveUpdate session did not complete successfully.
Return code = -1

ProductInventory: parsed default inventory file: /etc/Product.Catalog.JavaLiveUpdate
Inventory File Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
ProductInventory.save: Saving updates to product inventory file
Trying to load jar file from null/LiveUpdate/bcprov-jdk15on-148.jar
Trying to load jar file from current directory or mentioned in classpath
JLUException [
Nested Exception is:
 [ java.lang.ClassNotFoundException ] org.bouncycastle.jce.provider.BouncyCastleProvider

java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.d(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.c(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.<init>(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.a(Unknown Source)
    at jlufo.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
]
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.d(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.c(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.<init>(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.a(Unknown Source)
    at jlufo.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    ... 11 more

java.io.IOException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.d(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.c(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.<init>(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.a(Unknown Source)
    at jlufo.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)

An error was encountered when reading in the liveupdate.conf file /etc/liveupdate.conf

====================================================================================================

Below is some of the output from running it:

=====================================================================================================

Using character set UTF-8
Command-line Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
Debug - output[nIdx] = uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Adding JLU to the current command line
  JLU Linux, 3.10.2, English, LiveUpdateSeq, 13
Trying to load jar file from /opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar
Initializing the log file: /opt/Symantec/LiveUpdate/liveupdt.log
trying to write into log file
Java Version 1.8.0_101.
Linux 2.6.32-642.6.1.el6.x86_64
Java LiveUpdate version 3.10.2 Build 13.
Checking location of jlu.jar ...
Java LiveUpdate directory is /opt/Symantec/LiveUpdate
Found /opt/Symantec/LiveUpdate/jlu-3.10.2.13.jar
ProductInventory: parsed default inventory file: /etc/Product.Catalog.JavaLiveUpdate
Inventory File Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
  Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, HubDefs, 0
  Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 161128001
The property maxZipFileSize in config file is 614,400
The property maxTriFileSize in config file is 10,485,760
The property maxPackageSize in config file is 1,073,741,824
The property maxPackageContentSize in config file is 1,342,177,280
The property enableIPv4Preference is not set in config file
Checking to see if JLU can connect to its own listener thread.
Checking to see if a session of JLU is running at port 33925.
An active JLU session has been detected.
JLU was able to successfully connect to its own listener thread.
Downloading minitri.flg to /opt/Symantec/LiveUpdate/tmp/1483414578885/minitri.flg ...
Connecting to [IP Address]:7070 via HTTP ...
Connected to [IP Address] sending request ...
pleaseResume is false
resumeSupported is null
Waiting for response ...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: public
Cache-Control: max-age=0
Content-Disposition: attachment;filename="minitri.flg"
Content-Type: application/octet-stream
Content-Length: 1

===========================================================================================

I found this on some of the computers. All Java JRE components, including JCE, were installed and read successfully in the pre-check step of the agent installation.

Kindly help by sharing the solution to fix this.

Thanks

Giovanni
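The two traces above differ in one line: the failing run reports "Trying to load jar file from null/LiveUpdate/bcprov-jdk15on-148.jar", so JLU could not resolve its own install directory, fell back to the classpath given on the command line (jlu.jar only) and the JVM then threw ClassNotFoundException for org.bouncycastle.jce.provider.BouncyCastleProvider while reading /etc/liveupdate.conf; the working run resolves the same jar under /opt/Symantec/LiveUpdate. The following added diagnostic (not Symantec's code and not the poster's) checks an install directory for jlu.jar and a bcprov jar, confirms the provider class is actually inside that jar, and prints a command line that names both jars explicitly, which removes the directory lookup as a variable. The layouts built in demo() are constructed.

```python
"""Check that Java LiveUpdate (JLU) can load the Bouncy Castle provider it needs."""
import os
import sys
import tempfile
import zipfile

# The class the trace above failed to load; it must be inside a bcprov jar.
BC_CLASS = "org/bouncycastle/jce/provider/BouncyCastleProvider.class"


def find_jar(jlu_dir, prefix):
    """Return jlu_dir/prefix.jar if present, else the first prefix*.jar, else None."""
    if not os.path.isdir(jlu_dir):
        return None
    exact = os.path.join(jlu_dir, prefix + ".jar")
    if os.path.isfile(exact):
        return exact
    for name in sorted(os.listdir(jlu_dir)):
        if name.startswith(prefix) and name.endswith(".jar"):
            return os.path.join(jlu_dir, name)
    return None


def jar_has_class(jar_path, class_entry):
    """True if jar_path is a readable zip archive that contains class_entry."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return class_entry in zf.namelist()
    except (OSError, zipfile.BadZipFile):
        return False


def diagnose(jlu_dir):
    """Return (ok, findings, classpath) for a JLU install directory."""
    findings = []
    jlu_jar = find_jar(jlu_dir, "jlu")
    bc_jar = find_jar(jlu_dir, "bcprov-")
    if jlu_jar is None:
        findings.append("no jlu*.jar in %s" % jlu_dir)
    if bc_jar is None:
        findings.append("no bcprov-*.jar in %s; the JVM cannot load %s"
                        % (jlu_dir, BC_CLASS))
    elif not jar_has_class(bc_jar, BC_CLASS):
        findings.append("%s does not contain %s" % (bc_jar, BC_CLASS))
    # Name both jars so the run does not depend on JLU locating its own directory.
    classpath = os.pathsep.join(p for p in (jlu_jar, bc_jar) if p)
    return (not findings, findings, classpath)


def build_fixture(root, include_bc):
    """Constructed JLU-like directory: jlu.jar plus, optionally, a bcprov jar with the class."""
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "jlu.jar"), "w") as zf:
        zf.writestr("com/symantec/liveupdate/LiveUpdate.class", b"")
    if include_bc:
        with zipfile.ZipFile(os.path.join(root, "bcprov-jdk15on-148.jar"), "w") as zf:
            zf.writestr(BC_CLASS, b"")


def demo():
    """Run diagnose() on a complete and on an incomplete constructed layout."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good", "LiveUpdate")
        broken = os.path.join(tmp, "broken", "LiveUpdate")
        build_fixture(good, include_bc=True)
        build_fixture(broken, include_bc=False)
        return {"good": diagnose(good), "broken": diagnose(broken)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/Symantec/LiveUpdate"
    ok, findings, classpath = diagnose(target)
    for finding in findings:
        print("PROBLEM:", finding)
    if ok:
        print("java -classpath", classpath, "com.symantec.liveupdate.LiveUpdate -d")
```

Run it as root on an affected host with the directory the working trace reports (/opt/Symantec/LiveUpdate); a missing or truncated bcprov jar shows up as a finding, and an all-clear means the jars are fine and the remaining difference is which directory JLU resolves at start-up.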

Is client version 12.x.xx compatible with SEP 14?

I need a solution

I'm looking to upgrade my SEP from version 12 to version 14, but before I do I want to make sure that all clients with version 12.X.XXX installed will still receive definitions and updates from the new management console. Or do I have to install the version 14 client straight away?

Ideally i want to test the version 14 client on a number of servers before rolling out the latest version to the rest of my infrastructure.


Upgrade assessment for offline 12.1.6 MP6 SEP/SEPM to offline version 14 SEP/SEPM

I need a solution

I'm a System Admin/ISSO for a federal defense contractor and we have multiple systems running 12.1.6 MP6 SEP/SEPM. All of our systems are completely offline and cannot be allowed to connect to the internet. We are utilizing the manual methods of updating the virus definitions on the standalone and managed clients/servers. I'm evaluating potential issues with upgrading to the newest SEP/SEPM version 14. Additionally, we have a particular set of Windows security settings, account, local system and user rights policies that must be configured on the Windows 7 SP1 and Server 2008 R2 SP2 OS we must utilize. I have run the Symantec System Diag Tool on all the systems and it doesn't seem to report many specific configuration issues. I can provide the particular Windows security settings, etc., as well. I need a more in-depth assessment of everything before we can begin to upgrade our SEP/SEPMs.

Risk names

I need a solution

Hello,

I have a risk detected with Trend and I want to know the name that Symantec uses for the same risk.

Is there any way to know that?

Example of Trend detections:

VAN_RANSOMWARE.UMXX
JS_NEMUCOD.SMK13
JS_NEMUCOD.SMF1
JS_NEMUCOD.SMKYO
W2KM_CERBER.BYX
VAN_DROPPER.UMXX
VAN_MALWARE.UMXX
VAN_BOT.UMXX

Thank you for your answers.

Kind regards


suspicious activity

I need a solution

Hello,

Today I received 2 notifications from my SEPMs that I never saw before.
I checked the log files and didn't find anything "suspicious".

The first e-mail: Security alert: suspicious activity from x.x.x.x was detected on Symantec Endpoint Protection Manager 1. Check the log files for details.

Right after that, from my Symantec Endpoint Protection Manager 2:

All accounts for system administrators are currently locked. Go to the Forgot your password link on the logon page and change your password to unlock an account.

I'm not sure, but I think the following could have caused this issue:

The first email about suspicious activity from x.x.x.x and SEPM1 are one and the same server, so SEPM1 detects activity on itself.
After that SEPM2 kicks in and locks all system admin accounts, because SEPM1 might be compromised.
After some research I found the SEP that protects the SEPM1 server had problems updating itself for the past couple of days; I think somehow SEPM1 marked the update process for the SEP as suspicious activity.
Uninstalled and reinstalled SEP, ran LiveUpdate, no more e-mails.

Could this be the case?

LEVD

SEPM not opening... DB stuck at starting

I need a solution

I am not able to log in to the SEPM. I have checked the forum and tried to run the DB service, but it gets stuck at starting. Please help me, as all client systems are showing an out-of-date error.

Install SEP on non-persistent VDI clients

I need a solution

Please help me answer my following queries:

1. Do I need to install SEP on non-persistent VDI clients?

2. If my non-persistent VDI clients are idle for 4 hours I get a new VDI session, so will SEP get new client info?

3. Will a license be added for every new session of non-persistent VDI clients?

4. If SEP is installed on non-persistent VDI clients, how will it get definitions (if the session is closed after 4 hours idle)?

5. I need a document on installing SEP on non-persistent VDI clients.

Shortcut Virus

I need a solution

Hi, I have detected that some files have become hidden and that the virus has created shortcuts for these folders.

Symantec Endpoint Protection 12.1 RU6 MP4

Windows Server 2012 R2, updated

Thank you

Symantec Management Server

I need a solution

I have one Symantec Management Server at the primary location (Hyderabad) and I have installed site servers in Delhi, Bangalore and Pune. We have installed 50 machines in each location. All 150 machines are reporting to the primary location (Hyderabad). However, when we look at the Delhi location, it shows the Delhi machines as well as the machines from the other 2 locations (Pune and Bangalore), and the same is reflected when we check the other locations (in the Pune location it shows the Bangalore and Delhi machines, and in Bangalore it shows the Pune and Delhi machines).

But we want each location to show only its own machines (50 each), and the machines of all 3 locations should be reflected in the primary server. Please assist.

SEP exclusions for Cisco ISE

I need a solution

Hi all and a Happy New Year everyone.

I have a question. Do any of you know of any exclusions that I may need to add to our SEP 12.1 solution to allow Cisco ISE to work without being impeded by SEP? Any info would be greatly appreciated.

Cheers

PaulC 


Microsoft Outlook Auto-Protect: Is it worthwhile?

I need a solution

I'm trying to figure out if the Outlook protection function under Virus Protection Policy -> Email Scans is worth using. Here's all I see in the manual regarding the Outlook add-in: "Downloads incoming Microsoft Outlook email attachments and scans for viruses and security risks when the user reads the message and opens the attachment." Based on this definition, this seems to duplicate the file system AV functionality, but it will catch a malicious file before the user opens it. So is it worth it?

We tested it and had some compatibility issues with users who like to modify message subject lines in shared/group mailboxes and have disabled this feature.

Comments?  Thanks.  Paul


SEP found a trojan in its own folder

I need a solution

Hi Guys,

Just purchased SEP and configured the policy. While testing on my PC, I got a very weird notification from SEP. It found a trojan in its own folder.

Below is a copy-paste of the pop-up that I'm getting.

----

Scan type: Auto-Protect Scan

Event: Risk Found!

Security risk detected: Trojan Horse

File: C:\ProgramData\Symantec\DefWatch.DWH\dwh3545.exe

Location: C:\ProgramData\Symantec\DefWatch.DWH

----

I hope someone can help me to confirm that it's not actually a trojan and find a way to resolve it. I do not want to exclude any folder as a solution.

Thank you

Z

User Policy based on Active Directory

I need a solution

Hi there,

I have a unique (maybe not) requirement for my users.
I'm blocking most USB drives on the client PCs; however, some PCs will be shared with some people who are allowed to use USB drives.

I'm thinking of creating a group of users who are allowed to use USB drives and linking it with SEP. Can it be done? Or can anyone suggest another solution?

Thank you

Z

Email Notifications

I need a solution

So I had an issue the other day.

Some bright spark thought it would be fun to install McAfee VirusScan (with Agent) on my SEPM server.

I've managed to get McAfee removed and the Symantec client reinstalled, but I think since then it has stopped emailing alert notifications.

The test email works fine, but I've not had any alerts; I've been using an EICAR file on the SEPM server and it displays the pop-up alert and is logged in the SEPM, but I don't get an alert email.

I assumed that the SEPM would see EICAR as a Risk Event and trigger the Single Risk Event condition.

Is that wrong?

Device IDs query

I need a solution

HI

We enable only the device IDs which we use, and everything else is disabled. But at times the devices never work!

Does the device ID for a device remain the same, or can it change? I see it changing at times!

Does the device ID change from PC to PC?

At times, for USB internet dongles, there are up to 4 device IDs from different areas like CDROM, STORAGE, MODEM. Do I have to enable all of them?

We use DevViewer to note the device ID before enabling it in the policy.

Our hardware list of device IDs is now huge, and there is no way to export it; it is a nightmare!

How do you deal with device IDs in your environment?

Thanks
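The questions above about IDs that change come down to how Windows builds a device instance ID, and the following added example (not Symantec code and not DevViewer output) shows the mechanics. An instance ID has three backslash-separated parts: enumerator, hardware ID and instance, for example USBSTOR\DISK&VEN_X&PROD_Y&REV_Z\<serial>&0. When the device reports a USB serial number the instance part is that serial and the ID is the same on every PC and port; when it does not, Windows generates the instance part from the hub and port the device is plugged into (it starts with a digit and an ampersand, such as 7&2A4B1C3D&0&1), so the same device gets a different ID on another port or PC. A composite dongle also enumerates each function (modem, CD-ROM, storage) as its own child device with its own ID. The script splits an ID, reports whether it is stable, and builds the vendor/product-level `*` wildcard you would put in the policy instead of one full ID per stick. The sample IDs are constructed, and the case-insensitive whole-string wildcard matching is an assumption about the policy's semantics.

```python
"""Parse Windows device instance IDs and derive vendor/product wildcards (added example)."""
import fnmatch
import re

# Windows-generated instance IDs (device has no serial) start with "<digit>&".
GENERATED_INSTANCE = re.compile(r"^\d+&")


def parse_device_id(device_id):
    """Split ENUMERATOR\\HARDWARE\\INSTANCE and flag whether the ID is stable."""
    parts = device_id.upper().split("\\")
    if len(parts) != 3:
        raise ValueError("expected ENUMERATOR\\HARDWARE\\INSTANCE, got %r" % device_id)
    enumerator, hardware, instance = parts
    fields = {}
    for token in hardware.split("&"):
        key, _, value = token.partition("_")   # VEN_SANDISK -> ("VEN", "SANDISK")
        if value:
            fields[key] = value
    return {
        "enumerator": enumerator,
        "hardware": hardware,
        "instance": instance,
        "fields": fields,
        "stable": not GENERATED_INSTANCE.match(instance),
    }


def wildcard_for(device_id, keep=("VEN", "PROD", "VID", "PID")):
    """Pattern at vendor/product granularity, e.g. USBSTOR\\DISK&VEN_X&PROD_Y*."""
    parsed = parse_device_id(device_id)
    kept = [t for t in parsed["hardware"].split("&")
            if "_" not in t or t.partition("_")[0] in keep]
    return parsed["enumerator"] + "\\" + "&".join(kept) + "*"


def matches(pattern, device_id):
    """Case-insensitive '*' match over the whole ID (assumed policy semantics)."""
    return fnmatch.fnmatchcase(device_id.upper(), pattern.upper())


def demo():
    """Constructed IDs: a stick that reports a serial, and three children of a 3G dongle."""
    samples = [
        "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\\4C530001230210116112&0",
        "USB\\VID_12D1&PID_1446\\7&2A4B1C3D&0&1",
        "USB\\VID_12D1&PID_1446&MI_00\\7&1F0E2D3C&0&0000",
        "USBSTOR\\CDROM&VEN_HUAWEI&PROD_MASS_STORAGE&REV_2.31\\7&1F0E2D3C&0&000000000000&0",
    ]
    rows = []
    for sample in samples:
        parsed = parse_device_id(sample)
        rows.append({"id": sample,
                     "stable": parsed["stable"],
                     "wildcard": wildcard_for(sample)})
    return rows


if __name__ == "__main__":
    for row in demo():
        print("stable" if row["stable"] else "port-dependent", row["id"])
        print("    allow with:", row["wildcard"])
```

In the constructed sample the stick with a serial yields a stable ID, while all three dongle children are port-dependent and would need re-capturing after every move; one USB\VID_12D1&PID_1446* pattern covers the children enumerated under USB, but the CD-ROM child sits under USBSTOR and needs its own pattern, which is why a dongle can need more than one entry.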