Channel: Symantec Connect - Endpoint Protection - Discussions

SEP v14 causing network adapter issues

I need a solution

We had a user this morning that could not connect to our network with wi-fi or ethernet. The network adapters were present in Device Manager but did not show up in ipconfig. I didn't get the chance to troubleshoot as one of my coworkers found an article elsewhere saying to uninstall SEP, which worked. After looking around in the forums I noticed that there was an issue with SEP v12 and network connections. Has anyone else had the same issue with SEP v14? The user's computer is a Dell Latitude E7470 with Intel I219-LM ethernet and Intel Dual Band Wireless-AC 8260 adapters. To prevent this from happening elsewhere I disabled Network Intrusion Prevention.


Database is down

I need a solution

Starting at 8:45 this morning, I've been getting these emails:

Message from: 

    Server name: XXXXXX 

    Server IP: XXX.XXX.X.XXX 

     

The Symantec Endpoint Protection Manager database has gone down and needs immediate attention.

If I go onto the server and try to log into the SEP manager, I get another error just saying database is down and cannot log in.


How does client locate nearest GUP in multiple GUP config

I need a solution

Hi -

I am trying to create a common LU policy that spans across multiple different linked sites in different geographic regions. I was planning on using a policy with Multiple GUP configuration with a GUP defined for each location that needs one. From the docco I get that with this config, the list of available GUPs becomes available to all clients.

The question is, how do the clients detect the nearest GUP if the GUP itself is not in the same subnet as the clients? For example, in most of our locations the servers and workstations will be in different subnets, even though they are in the same physical location. So how do the clients detect the nearest GUP (or in this case would they detect a GUP at all and instead go to the default management server, which may be in a different geographic region)?

I have a design that has sites spread over several physical geographic locations. The intention is that the clients in the hub site will download from the site SEPM, and clients in other locations would download from a local GUP.

thanks


Command status - wrong info of status and remote scan command was canceled by itself

I need a solution

Dear Experts, 

For some reason the client doesn't have the latest virus definitions. So, I'm trying to run a remote command to update content directly from the LiveUpdate server.

The status says 100% completed, but when I check the details, a few of them actually have LiveUpdate download failed.

And I also found that the active scan or full scan remote command was canceled by itself on a few clients.

Any idea? I appreciate your advice.

regards,

Loh


Unable to Block few websites using SEP firewall rule

I need a solution

Hello All,

I followed the article given below and I was able to block a few websites using a firewall rule.

https://support.symantec.com/en_US/article.TECH920...

However, I was unable to block a few though.

Could anyone comment on this issue?

And how to block all the desired websites.


Deleted Thunderbird inbox after SEP full scan

I need a solution

Hi all,

We have installed Symantec Endpoint Protection Manager 14 MP2 in our corporate network. During last night's scheduled full scan, the SEP client found suspicious mails on one of the computers. This morning after we closed SEP's information popup windows, Thunderbird suddenly crashed. After the next start of the program, we saw that not all mails are present and after we checked the file location, found that the inbox file is too small. We realize that this "new" inbox contains only mails from this morning, but not the older ones. There were no records that the old inbox file was deleted in "Risk logs" on the local SEP client. Only in the Windows application log did we find information that the inbox file was successfully deleted (Security Risk Found! JS.Downloader.D in File: PATH\inbox  by: Scheduled scan. Action: Cleaned by Deletion.  Action Description: The file was deleted successfully.).

Is there any method so we can restore the old inbox?

Thanks in advance!


Sep 14 MP2 Locations

I need a solution

Hello all, 

I am thinking about using quite a lot of different locations on a client due to specific needs of their infrastructure. I have read a TN (https://support.symantec.com/en_US/article.TECH973...), which says that SYM does not recommend creating more than seven locations per group.

Note: Symantec does not recommend more than seven (7) locations per group when using Location Awareness. Exceeding this number can negatively affect the execution time on how long it takes the Endpoint Protection client to process and ultimately connect to a valid location when it meets all conditions.

In my experience, I have used a maximum of four locations for a group. Does anyone have experience using more than seven locations? Do you really notice the execution time badly affected?

In my environment I do not mind checking the location once per hour or even longer.

Kind regards,

 Juan


Filtering out Syslog forward messages

I need a solution

Hey,

We're forwarding SEP logs to the external Syslog server for further analysis.

The SEP sends a lot of OK messages that we don't want to see.

There were a massive amount of "The management server received the client log successfully" messages - I've filtered them out by disabling "System Client-Server Activity Log".

Now I'm trying to filter out positive messages similar to those:

Aug 23 12:01:18 SEPS1 Local: 2,Local: 484D7EBF6F59,Remote: 224.0.0.22,Remote: ,Remote: 0,Remote: 01005E000016,8,Outbound,Begin: 2017-08-23 12:00:02,End: 2017-08-23 12:00:02,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,User: monik,Action: Allowed

Aug 23 12:21:24 SEPS1 ,Local: 1900,Local: 01005E7FFFFA,Remote: 10.150.100.173,Remote: ,Remote: 63854,Remote: 00118575A6A3,UDP,Inbound,Begin: 2017-08-23 12:15:53,End: 2017-08-23 12:15:57,Occurrences: 8,Application: ,Rule: Allow UPnP Discovery from private IP addresses,User: johnt,Action: Allowed

Aug 23 12:03:05 SEPS1 Local: 61645,Local: 00155D02463E,Remote: 192.116.194.3,Remote: ,Remote: 20,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 11:58:41,End: 2017-08-23 11:58:41,Occurrences: 1,Application: C:/SmartFTP/SmartFTP.exe,Rule: Allow 172.16.2.46 FTP,User: app_ftp,Action: Allowed

Any other ideas on how to correctly set Log Filters to get only risk/block messages will be highly appreciated.

Attached is the screenshot of current Log filter config.

Many thanks,

Gennady
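
An added example, not part of the original post and not Symantec code: one way to drop the "Action: Allowed" traffic records at the syslog receiver while counting which firewall rule produced them. It assumes each traffic record ends with Rule, User and Action fields as in the three samples quoted above; the fourth sample line, its rule name and the "Blocked" action value are constructed for illustration.

```python
import re
from collections import Counter

# "Mon DD HH:MM:SS host " header, then the comma-separated SEP payload.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<body>.*)$")
# Assumption: traffic records end with Rule, User, Action, as in the post's samples.
TAIL = re.compile(r"Rule: (?P<rule>.*),User: (?P<user>[^,]*),Action: (?P<action>[^,]+)$")

SAMPLE = [
    # The first three lines are the records quoted in the post.
    "Aug 23 12:01:18 SEPS1 Local: 2,Local: 484D7EBF6F59,Remote: 224.0.0.22,Remote: ,Remote: 0,Remote: 01005E000016,8,Outbound,Begin: 2017-08-23 12:00:02,End: 2017-08-23 12:00:02,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,User: monik,Action: Allowed",
    "Aug 23 12:21:24 SEPS1 ,Local: 1900,Local: 01005E7FFFFA,Remote: 10.150.100.173,Remote: ,Remote: 63854,Remote: 00118575A6A3,UDP,Inbound,Begin: 2017-08-23 12:15:53,End: 2017-08-23 12:15:57,Occurrences: 8,Application: ,Rule: Allow UPnP Discovery from private IP addresses,User: johnt,Action: Allowed",
    "Aug 23 12:03:05 SEPS1 Local: 61645,Local: 00155D02463E,Remote: 192.116.194.3,Remote: ,Remote: 20,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 11:58:41,End: 2017-08-23 11:58:41,Occurrences: 1,Application: C:/SmartFTP/SmartFTP.exe,Rule: Allow 172.16.2.46 FTP,User: app_ftp,Action: Allowed",
    # Constructed line: the rule name and the "Blocked" value are assumptions.
    "Aug 23 12:05:40 SEPS1 Local: 49822,Local: 00155D02463E,Remote: 203.0.113.9,Remote: ,Remote: 445,Remote: 001C7F3DDD29,TCP,Outbound,Begin: 2017-08-23 12:05:31,End: 2017-08-23 12:05:31,Occurrences: 1,Application: ,Rule: Example block rule,User: monik,Action: Blocked",
]

def parse(line):
    """Return ts/host/rule/user/action for a traffic record, else None."""
    head = HEADER.match(line.strip())
    tail = TAIL.search(head["body"]) if head else None
    if not tail:
        return None
    return {"ts": head["ts"], "host": head["host"], **tail.groupdict()}

def split_noise(lines, drop_actions=("allowed",)):
    """Return (forward, suppressed): lines to keep and a per-rule count of dropped ones.

    Lines that do not parse are forwarded, so an unknown format is never lost.
    """
    forward, suppressed = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["action"].strip().lower() in drop_actions:
            suppressed[rec["rule"]] += 1
        else:
            forward.append(line)
    return forward, suppressed

if __name__ == "__main__":
    forward, suppressed = split_noise(SAMPLE)
    print("forwarded:", *forward, sep="\n  ")
    print("suppressed by rule:", dict(suppressed))
```

The per-rule count of suppressed records shows which firewall rules generate the allowed-traffic noise.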


SEP 14 Linux Client Red Hat 7.4 Support ETA?

I need a solution

Just wondering if you have any info when you will have support for Red Hat 7.4.  Looks like that support was not added to 14 MP2 client. 


[SID: 30239] Audit: Unimplemented Trans2 Subcommand attack detected but not blocked

I need a solution

Hi,

We have these IPS messages pop up on some customers' systems lately:

[SID: 30239] Audit: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

The connection goes to port 445 outbound to different systems, mostly fileservers.

The systems initiating the connection appear clean with a full scan, Power Eraser scan and SymDiag threat analysis. (Did not check with other tools yet.)

Anyone else got these lately? Could maybe be a false positive.


Link listing everything that installs with SEPM 14.X

I need a solution

Is anyone aware of a link that details everything installed by default (external SQL database) when installing SEPM 14.X Enterprise? I am building a DEV environment and am really curious what all installs by default. For example, does JAVA install and is it required if I do NOT use the web interface? Sorry for the random question but I could only find the requirements ... Thanks everyone!


"Failed to contact Symantec Endpoint Protection."

I need a solution

Hello All,

I stopped and restarted the symcfgd service using the command "/etc/init.d/symcfgd stop" and "/etc/init.d/symcfgd start".

All the services came back up again (symcfgd, smcd, and rtvscand), but I began to get this error message when running "./sav manage -s" and "./sav manage -h":

"Failed to contact Symantec Endpoint Protection."

This is from a server that appeared to be working correctly before.

I verified that the server could ping the SEPM manager and did a telnet to port 8014 on SEPM and port 7070 on the LiveUpdate server, and it connected no problem.

This is baffling me what could have gone wrong.

The server is running Red Hat 7.4, the SEP client is 12.1.7061.6600.

Any ideas?

PG


Log folders persist after logout

I need a solution

Hi,

Our Windows 10 computers (Windows 10 Enterprise LTSB 2016 x64) have an issue when someone logs off, then back in again another time, they get a new profile. In the form of:

C:\Users\<user>.DOMAIN.000, 001, 002, etc...

SEP (12.1.7266.6800 x64) leaves a folder where a log file was located in:

C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\MMDDYYYY.log

After logoff, the log file goes, but the path remains negating the possibility of the user using the same profile again. Since Windows 10 takes forever to log in from the beginning, I'd like to have profiles reused.

Is there anything I can do? I've read previous posts where disabling autoprotect fixes it, but the admins won't go for that. Isn't that tantamount to disabling AV protection altogether?

Thanks

jason


SEP 14 MP2 and ClientSideClonePrep.exe?

I need a solution

I'm building a custom image in Win7x64 SP1 that includes SEP 14 MP2. When I try to run ClientSideClonePrepTool.exe it throws the error: "Failed: Unable to Get Install Path. Please check if SEP was installed successfully." Just to verify that it's not just my image, I ran the clone tool on a couple of Win7X64 boxes with the SEP14 client installed and saw exactly the same error.

I have the version of the clone prep tool linked to in http://www.symantec.com/docs/HOWTO54706 and have seen several references to that page being applicable to SEP14, but as far as I can see it's not. Is there a new version, a fix or a workaround?

I've tried the manual steps outlined in http://www.symantec.com/docs/HOWTO54706  running as the local administrator, and access was denied to all of the file deletions and registry value changes. I'm sure if I wanted to take the time I could work around that, but time is one thing I don't have much of right now.

Is there a working fix for the clone prep tool?

Thanks!

D.


Server 2016 issues with SEP

I need a solution

My company has a DMZ which I've stood up a new 2016 domain controller for.  

As soon as I install Symantec Endpoint Protection 14MR2 latest version, then reboot, all network communications seem to cease. It's like networking is totally broken because you can't even browse the web or do DNS lookups.

Looking into it deeply, it seems that the Symantec Firewall Driver isn't getting applied properly. I found a forum thread with manual steps to apply the driver with the "install" button in the IPv4 network adapter properties, but am met with an ACCESS DENIED message from Windows when trying to do this.

I called support and had a ticket open (might still be open) and when seeing how things were working they tried these same manual steps to bind the Firewall driver to the NIC but it didn't work due to the same error.

I tried all kinds of things and found that the Windows Firewall service is not running and neither is the Base Filtering Engine, and these things need to be running for normal TCP/IP operations.

Well, Symantec changes something because once it is installed these things happen.  Even after removing Symantec using the cleanwipe utility I had networking issues persist until I ran a tool that repairs Windows Firewall/base filtering engine.  

Strangely, after that the networking issues would always return after a reboot etc.  

So, I totally started over with a new VM, fresh install of Windows Server 2016 and promote to a DC.  

Install SEP, reboot, can't ping the server, can't get to the net, can't do anything, networking is hosed.  

Support was not much help and didn't have much idea other than trying to uninstall and reinstall it.  

Is anyone using SEP on Server 2016 in the wild with any issues?? This is extremely frustrating as I'm not able to finish my project because of this.


Can't get legacy clients reporting to 14.x SEPM

I need a solution

I am testing a new SEPM 14.x deployment. We have a number of legacy clients to manage but I am unable to get 2003 Server or XP reporting to SEPM.

I have push-installed a version 12.1.5 RU5 client to a 2003 SP2 server, and while the client seems to be functional and, according to the client log, seems to be receiving policy from the SEPM, the client does not show up in the SEPM console at all.

How can I troubleshoot this?

thanks


SEPM DB Migration from SQL Server 2008R2 to 2012

I need a solution

Hey guys,

I've been following this KB for the migration process:

https://support.symantec.com/en_US/article.TECH132...

But I have 2 questions here:

1. Does this apply also if I'm moving from 2008R2 to 2012?

2. Would it also work if the SQL Server 2008R2 and the 2012 have different IP addresses?

Thank you,


SEP 14 MP2

I need a solution

I'm setting up SEP 14 from new on WINDOWS SERVER 2016, with a SERVER 2016 - SQL 2016 running the database, all within a virtual environment. I seem to be having a problem when running the install when it comes to creating the database. I get the error Error - Preparing Datase, failed to connect to the database.

I've gone through the errors in the install_log.err file and find the error 'The CREATE DATABASE statement failed. The primary file must be at least 3072 MB to accommodate a copy of the model database'. I did originally get this error but instead of 3075 MB it wanted 1025 MB, so I had this increased. But I now get the error above.

In the previous steps before it tries to prepare the DB I can connect to the DB, so I'm struggling to find out where it's going wrong.

Can anyone help?

Thanks


SEP v14 (Linux) defs freezing at "Removing Temporary Files"

I need a solution

Has anyone seen this or been able to solve?  We seem to see it very infrequently. Not sure if a newer virus defs file would fix the situation or not. 

Running on a RHEL 7.x machine, offline updates with the shell script.  The install process will freeze during the "Remove Temporary Files" stage, but then on another attempt, it will complete successfully.

Like I said, very infrequent, and we're not exactly sure what causes it or how to consistently reproduce it.  Our first guess might be to grab a newer virus defs file, but beyond that, we're not sure.

Thanks in advance.


Cloud definitions and LiveUpdate policy

I need a solution

Hello:

We are upgrading from Endpoint Protection 12.1.6 to 14.0.  We will be doing a migration to retain our database and settings.  However, now with version 14, I am confused as to how the client downloads the definitions, as there is now the cloud definitions option available when installing.  Yet there is also the LiveUpdate settings policy as well which we use currently with version 12.  I am not sure how they both work together in 14, and have tried to read but have been unable to confirm exactly how they work.

In our case, we will have the Endpoint Protection 14 Manager, and in the past we have had all of our clients contact the management server for the definitions. Now, we want to have two sets of clients. One set to continue to contact the management server for its definitions, and the other set to get its definitions from Symantec direct over the Internet. My question is, what do we set the installation settings to (Cloud definitions, or Dark Network definitions), and also what do we set our LiveUpdate policy to (Symantec server, or our Management Server), for each of these two sets of clients?

Thanks for the advice on this question.
