Channel: Symantec Connect - Endpoint Protection - Discussions

Will Over-deployed clients get all modules updated?

I need a solution

We have licenses for 6000 clients but as part of migration, we have noticed that 200+ machines are showing as over-deployed.

We are enterprise clients.

What are the disadvantages of being over-deployed?

1. Will Sonar, IP, File Insight work?

How to clear obsolete clients?


Collecting File fingerprint report

I need a solution

Hi All,

May I know how to collect the data from SEP Manager once you execute the command "Collect File Fingerprint List"? See image below for reference.

fingerprint.jpg

Thank you.


sid29228 system infected downloader.dromedan

I need a solution

How to resolve this issue?

What could be the possible isolation steps to remediate this infection and locate the infected file?


Hyper-V virtual machines hanging (presumably after SEP 14 update)

I need a solution

I don't have 100% proof, but we recently started experiencing some VM servers hanging (it seems to be working, but one can't log on interactively to them and the WMI scanner reports connectivity errors). The only recent change was the installation of the SEP 14 MP1 client (Basic Protection for Servers) over the latest 12 version. Currently I had two 2012R2 servers hanging once per week (they are on the 2012R2 host which also received SEP 14), and one WS2008R2 which is hanging every few days, which is on a WS2012 Hyper-V host with SEP 12 for now (the VM is on SEP 14). I don't see anything in the Event log. These machines were running smoothly for half a year with SEP 12.


TOR traffic identified

I need a solution

Hi All,

As per one of my friends' suggestions, I have created an ADC rule as mentioned below to detect TOR browsers on endpoints.

--------------------------------------------
File and Folder Access Attempts:
*Browser\firefox.exe
c:\*Browser\firefox.exe
*\*firefox.exe

Launch Process Attempts
firefox.exe

----------------------------------------------

I have found the below files under Caller Process Name.

C:/Program Files/Symantec/Symantec Endpoint Protection/12.1.1000.157.105/Bin/ccSvcHst.exe
C:/Program Files (x86)/Symantec/Symantec Endpoint Protection/12.1.3001.165.105/Bin/ccSvcHst.exe
C:/Program Files/Symantec/Symantec Endpoint Protection/12.1.3001.165.105/Bin/ccSvcHst.exe
C:/Program Files (x86)/Symantec/Symantec Endpoint Protection/12.1.2015.2015.105/Bin/ccSvcHst.exe
C:/Program Files/Symantec/Symantec Endpoint Protection/12.1.2015.2015.105/Bin/ccSvcHst.exe
C:/Program Files/Symantec Client Security/Symantec AntiVirus/12.1.1000.157.105/Bin/ccSvcHst.exe
C:/Program Files (x86)/Symantec/Symantec Endpoint Protection/12.1.5337.5000.105/Bin/ccSvcHst.exe

My query is why Symantec is calling the below-mentioned TOR browsers:

C:/Documents and Settings/Mike.Oyeniran/Local Settings/Temp/7ZS2E2.TMP/CORE/FIREFOX.EXE
C:/Program Files (x86)/Mozilla Firefox/FIREFOX.EXE
c:/Program Files/Mozilla Firefox/firefox.exe
C:/Users/djamel.faid/Desktop/BROWSER/UPDATED/BROWSER/FIREFOX.EXE
C:/Users/djamel.faid/Desktop/BROWSER/FIREFOX.EXE
C:/Users/djamel.faid/Desktop/TOR BROWSER/BROWSER/FIREFOX.EXE
C:/Users/djamel.faid/Desktop/BROWSER/BROWSER/FIREFOX.EXE
c:/program files/mozilla firefox/updated/firefox.exe
C:/WINDOWS.OLD/PROGRAM FILES/MOZILLA FIREFOX/FIREFOX.EXE
C:/Program Files (x86)/Mozilla Firefox/UPDATED/FIREFOX.EXE
C:/PROGRAM FILES/MOZILLA FIREFOX/NSS11B.TMP/FIREFOX.EXE
C:/Documents and Settings/JCF/LOCALS~1/TEMP/7ZS1F3.TMP/CORE/FIREFOX.EXE
C:/Users/shazim/Desktop/TOR BROWSER/BROWSER/FIREFOX.EXE
C:/Users/mukesh.LAFARGE/Desktop/SOFTWARES/TOR BROWSER/BROWSER/FIREFOX.EXE
c:/Users/mohamed.abdelsamad/AppData/Local/Temp/7zS5263.tmp/core/firefox.exe
C:/DRP_14.9/SOFT/BROWSER/FIREFOX.EXE
C:/Data/Softwares/Tor Browser/Browser/firefox.exe
C:/Users/ext.cmostafai/Downloads/BROWSER-20160608T103400Z/BROWSER/BROWSER/FIREFOX.EXE
C:/Users/rabah.maza/Desktop/BROWSER-2015-09-25/BROWSER-2015-09-25/BROWSER/FIREFOX.EXE
C:/Users/ext.cmostafai/Downloads/BROWSER/BROWSER/FIREFOX.EXE
c:/Users/mmoubark/AppData/Local/Mozilla Firefox/updated/firefox.exe
C:/Program Files (x86)/MALWAREBYTES ANTI-MALWARE/CHAMELEON/WINDOWS/FIREFOX.EXE
C:/FirefoxPortableTest/App/Firefox/firefox.exe
C:/Users/salem.amer/AppData/Local/Mozilla Firefox/UPDATED/FIREFOX.EXE
C:/Users/raed.emailat/AppData/Local/MOZILLA FIREFOX/FIREFOX.EXE
C:/Program Files/Hewlett-Packard/Firefox - HP Virtual Browser Edition/fslrdr/1/[_B_]PROGRAMFILES[_E_]/Virtual Firefox/firefox.exe
c:/Users/faiz/AppData/Local/Mozilla Firefox/updated/firefox.exe
C:/Users/Sathis - RMQ/Desktop/Satish/Doc/FirefoxPortable/App/Firefox/FIREFOX.EXE
c:/Users/olkilani/AppData/Local/Temp/WPDNSE/{00006318-0001-0002-0000-000000000000}/firefox.exe
C:/Users/chamith/Documents/Chamith - Rashen/Chamith Nilanka/Credit Controll Department/Customers/Tekfen/Mozilla Firefox/firefox.exe
C:/Users/Mazen.Dibie/AppData/Local/MOZILLA FIREFOX/FIREFOX.EXE
C:/Users/Mazen.Dibie/AppData/Local/MOZILLA FIREFOX/UPDATED/FIREFOX.EXE
C:/Users/salem.amer/AppData/Local/Mozilla Firefox/firefox.exe
C:/Users/user/AppData/Local/Mozilla Firefox/updated/firefox.exe
C:/Users/user/AppData/Local/Mozilla Firefox/firefox.exe
C:/Users/mmoubark/AppData/Local/Mozilla Firefox/firefox.exe
C:/Users/hanine.benyounes/Desktop/BROWSER/FIREFOX.EXE
C:/Users/djamel.hadidi/Desktop/BROWSER/FIREFOX.EXE

Please help me.


14.1 MP1 error during upgrade

I need a solution

Attempting to upgrade from 12.1.6 MP5 and the process stops with the attached error.

We have a group policy that associates most scripts with Notepad, but this has been disabled for the admin account used, and .vs* extensions have been checked and are associated with cscript.

Are there any other script extensions that should be checked?

Stan


Question about Host Integrity interval

I need a solution

Hi,

I have a custom HI requirement check which I want to run every day.

I use the standard HI Settings from Symantec:

1.png

2.png

When I check the logs on the client for Compliance Events, I only see the following events:

3.png

How does this work in the background? There are two days missing, 20.05 and 21.05, doing the checks I want.

The Logs on the Manager look the same.

Any ideas how to interpret the logs in this case, did the checks not run every 10 minutes as per the settings?


SQL Error

I need a solution

Hello,

  • I have an issue with my SQL DB (sem5). The DbValidator gives me the below error:

2017-05-24 12:37:34.400 THREAD 1 AVERTISSEMENT: Finished validating LiveUpdate content.  --> SUCCESSFUL

2017-05-24 12:37:34.400 THREAD 1 AVERTISSEMENT: Database validation failed.

2017-05-24 12:37:34.451 THREAD 1 AVERTISSEMENT: [La base de données contient des anomalies.Pour plus d’informations, reportez-vous à dbvalidator-x.log dans le dossier d’installation de Symantec Endpoint Protection Manager, sous tomcatlogs.]

2017-05-24 12:37:34.575 THREAD 1 AVERTISSEMENT: Finished.

  • When I run a DBCC CHECKDB on my SQL Server I get those two errors:

Résultats DBCC pour 'ALERTS'.

Msg 2533, Niveau 16, État 1, Ligne 1

Erreur de table : la page (5:47371) assignée à l'ID d'objet 110623437, ID d'index 0, ID de partition 72057594045267968, ID d'unité d'allocation 72057594047430656 (type In-row data) n'a pas été affichée. La page n'est peut-être pas valide ou comporte un ID d'unité d'allocation dans son en-tête.

Il y a 5528 lignes dans 699 pages pour l'objet "ALERTS".

CHECKDB a trouvé 0 erreurs d'allocation et 1 erreurs de cohérence dans la table 'ALERTS' (ID d'objet 110623437).Résultats DBCC pour 'ALERTS'.

Msg 2533, Niveau 16, État 1, Ligne 1

Erreur de table : la page (5:47371) assignée à l'ID d'objet 110623437, ID d'index 0, ID de partition 72057594045267968, ID d'unité d'allocation 72057594047430656 (type In-row data) n'a pas été affichée. La page n'est peut-être pas valide ou comporte un ID d'unité d'allocation dans son en-tête.

Il y a 5528 lignes dans 699 pages pour l'objet "ALERTS".

CHECKDB a trouvé 0 erreurs d'allocation et 1 erreurs de cohérence dans la table 'ALERTS' (ID d'objet 110623437).

Résultats DBCC pour 'SCANS'.

Msg 2533, Niveau 16, État 1, Ligne 1

Erreur de table : la page (5:64586) assignée à l'ID d'objet 548197003, ID d'index 0, ID de partition 72057594048217088, ID d'unité d'allocation 72057595497086976 (type In-row data) n'a pas été affichée. La page n'est peut-être pas valide ou comporte un ID d'unité d'allocation dans son en-tête.

Il y a 295930 lignes dans 30791 pages pour l'objet "SCANS".

CHECKDB a trouvé 0 erreurs d'allocation et 1 erreurs de cohérence dans la table 'SCANS' (ID d'objet 548197003).

  • Is there a way to move all my existing clients to a new SQL server?

Kind regards

N.Achraf


liveupdate uncheck.

I need a solution

Under Live Update Settings > Windows Setting > Schedule - The Enable LiveUpdate scheduling is unchecked.

What is the implication?


Excluding a drive

I need a solution

For servers which have multiple local drives...is it possible to create an exception to tell SEP to only protect the C: drive and leave alone other local drives such as an F: and R: drive? 

I assume this would be done directly from the SEP client rather than the SEPM console?


SID:29634 Web Attack: Zynos information disclosed detection

I need a solution

My MDaemon server is running on Windows Server 2008R2 installed with Symantec Endpoint Protection version 14 (14.0 MP1) BUILD 2349 (14.0.2349.0100).

I notice my server always prompts a message SID:29634 Web Attack: ZyNOS information disclosed detected.

What is this actually? Will it be serious or affect my office network? How to resolve this issue?


SEPM 14 MP1 server update problem

I need a solution

Hello,

A month ago I upgraded the SEPM servers (3 servers: 1 management server and two replication partners).

After the upgrade, updating on the 2 replication partner servers is stuck. I tried several times to reconfigure replication, download the update manually, and empty the Symantec Download file, but the update is still stuck.

My servers are virtual machines with Windows 8, 8 GB RAM.

Please help me solve the problem.

Regards,


Virus detected but not cleaned

I need a solution

The W64.Viknok.B!.inf virus was detected by the Endpoint but cannot be cleaned. I used the SymDiag and Norton Power Eraser tools with no success. Is there a manual method to follow to delete the virus or some other tool I can use?

Thanks....Bob


Symantec disaster recovery

I need a solution

Here's the question -
We have our SEPM which is using an SQL database. We wanted to migrate to embedded. I saw a forum thread where disaster recovery is suggested and, instead of SQL, an embedded database needed to be created and then the older database is restored. So the question is, which password will it use to log in to SEPM?

Another question -

If I have an SEPM with an embedded database and we have changed the admin password several times, then if I restore the database to a fresh SEPM, will it allow me to log in to SEPM with the current password or the first password that I used while installing SEPM (as far as I know, the embedded database password is the password when we first install SEPM)?

And what if I don't recall the first embedded password?


GUP SEP14 - GUP to GUP

I need a solution

In version 14 can a GUP be placed "under" another GUP?  I have a remote site running on a 20mb line with a GUP.  It has another building on a 10mb line.  I currently have a GUP there as well. Both report to the main SEPM in another city.  Can I point the one on 10mb to the one on the 20mb with 14.x?


Blocked incoming UDP traffic from an outside IP

I need a solution

Greetings,

We have a Windows Server 2012 R2 server with SEP 12.1.6. Looking at the Network Threat Protection Traffic logs I see that it is blocking incoming UDP traffic from an external IP. External traffic should not be getting through the firewall. Does anyone have any ideas how to figure out how this traffic is getting to this server? According to the network engineers who maintain the firewall there are no rules that allow this traffic to this server.

Any and all ideas are appreciated.

Joe


Installation with basic protection for server feature setting

I need a solution

Hi,

I have installed SEP with the basic protection for server feature setting, which means that the installer will come along with Virus, Spyware, and Basic Download Protection only. May I know why the BASHdef folder will exist after installing SEP?

Thanks.


What does the action list mean by "Log Only"?

I need a solution

I see a couple of machines on which the file is quarantined and after 2-3 minutes showing as "Log only".

Does "Log only" mean... no action is taken? What to do for such cases?

How can we clear the quarantine, to prove that the files are cleared from the PC?



HP Keylogger issue

I need a solution

Hi,

Asking for input on whether SEP 12 includes the definition to quarantine the HP keylogger related file/malware.

http://thehackernews.com/2017/05/hp-audio-driver-l...

Was trying to contact Symantec local support, which was finger-pointing and asked me to ensure Windows Update is up to date. I'm not convinced, where I don't agree Symantec is relying on Microsoft to quarantine malware.
