User Information Collection box keeps popping up

October 26, 2017, 8:40 am

≫ Next: Block the application in 50 machines

≪ Previous: Endpoint v14 build 2415 not updating IPS signatures

I need a solution

Hi,

for some reason we have a lot of trouble with the User Information Collection box popping up on some machines after every reboot. This seems to get worse now with version 14. The only solution on impacted clients is to totally uninstall SEP and then re-install. It does not happen on all machines but seems to be related to SEP upgrades. Anyone else have this issue? Is there a fix besides un-install/re-install? Anything that can be done on the server side?

We do like the option and it has helped us identify infected machines much faster so I would hate to turn it off.

Thanks

↧

Block the application in 50 machines

October 26, 2017, 9:45 pm

≫ Next: SEP blocks safe removal of external disks (AHCI or USB)

≪ Previous: User Information Collection box keeps popping up

I need a solution

How to block these application from application & Device policy in 50 machines.

Notepad
cmd
wordpad
sticknote
paint
inet.cpl
rightclick
control panel etc

Regards,

Harsha

↧

SEP blocks safe removal of external disks (AHCI or USB)

October 27, 2017, 12:23 am

≫ Next: SEP 14 Add Process Exclusions

≪ Previous: Block the application in 50 machines

I need a solution

Hi,
I have a problem: whenever I issue a safe remove command, System starts to access SYMEFA*.DB and SYMEFA*.DB-journal from <disk>:\System Volume Information\EfaSIDat\, that blocks the save remove process.
I used resource monitor to identify the files causing the problem. I noticed that they are not accessed unless a safe remove is issued!
There is another forum discussion that states that upgrading from 12.4 fixes the problem. I upgraded to 12.6 then to 14.0 RU1 and the problem is still there.
OS: Windows Server 2012 R2 Datacenter

↧

SEP 14 Add Process Exclusions

October 26, 2017, 3:20 am

≫ Next: Is Doscan support ERRORLEVEL for virus scan using command prompt?

≪ Previous: SEP blocks safe removal of external disks (AHCI or USB)

I need a solution

Im asking foa assistance.. i need to exclude those processes in SEP

How can i do that ?

Cdb.exe	Microsoft.Exchange.Search.Exsearch.exe
Cidaemon.exe	Microsoft.Exchange.Servicehost.exe
Clussvc.exe	MSExchangeADTopologyService.exe
Dsamain.exe	MSExchangeFDS.exe
Microsoft.Exchange.EdgeCredentialSvc.exe	MSExchangeMailboxAssistants.exe
EdgeTransport.exe	MSExchangeMailboxReplication.exe
ExFBA.exe	MSExchangeMailSubmission.exe
GalGrammarGenerator.exe	MSExchangeRepl.exe
Inetinfo.exe	MSExchangeTransport.exe
Mad.exe	MSExchangeTransportLogSearch.exe
Microsoft.Exchange.AddressBook.Service.exe	MSExchangeThrottling.exe
Microsoft.Exchange.AntispamUpdateSvc.exe	Msftefd.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe	Msftesql.exe
Microsoft.Exchange.EdgeSyncSvc.exe	OleConverter.exe
Microsoft.Exchange.Imap4.exe	Powershell.exe
Microsoft.Exchange.Imap4service.exe	SESWorker.exe
MSExchangeMailboxAssistants.exe	SpeechService.exe
Microsoft.Exchange.Monitoring.exe	Store.exe
Microsoft.Exchange.Pop3.exe	TranscodingService.exe
Microsoft.Exchange.Pop3service.exe	UmService.exe
Microsoft.Exchange.ProtectedServiceHost.exe	UmWorkerProcess.exe
Microsoft.Exchange.RPCClientAccess.Service.exe	W3wp.exe

↧

Is Doscan support ERRORLEVEL for virus scan using command prompt?

October 27, 2017, 5:57 am

≫ Next: How Does Symatec Endpoint Protection Handles Trusted Folders and Files

≪ Previous: SEP 14 Add Process Exclusions

I need a solution

I am trying to scan a file using command prompt and want to get the scan result using error level. But each time getting ERRORLEVEL 0, even in case of file with virus after scan.

Version: Symantec Endpoint Protection Manager (14.1)

OS: Windows 10 operating system

I am using the below command in cmd:

>DoScan.exe /ScanFile "D:\Personal\fifa.txt"

>echo "%ERRORLEVEL%"

"0"

For each case its returning 0 as errorLevel. i.e a virus file scaned with Doscan.exe returning ERRORLEVEL 0

Is there any process to get proper ERRORLEVEL ? If not, is Symantec endpoint Protection Manager 14.1 support ERRORLEVEL for scan using command prompt.

↧

How Does Symatec Endpoint Protection Handles Trusted Folders and Files

October 27, 2017, 7:44 am

≫ Next: Upgrade from 12 - 14 clients not getting virus defs

≪ Previous: Is Doscan support ERRORLEVEL for virus scan using command prompt?

I need a solution

Hello,

I am curious as to how does Symantec handles the folders and files that you mark as trusted say (C:\Windows\System32) and what if you a program is added to that folder will Symnatec perform scan if there is any changes in that folder or will it treat it as a trusted folder and will not perform scans and allow vulnerable applications.

Let me know if you know something about this.

Thanks.

↧

Upgrade from 12 - 14 clients not getting virus defs

October 27, 2017, 12:25 pm

≫ Next: 14 RU1 Cloud portal

≪ Previous: How Does Symatec Endpoint Protection Handles Trusted Folders and Files

I need a solution

Hello community - first time posting, and I need some help.

I have a standalone network and was tasked to upgrade from 12x to 14x both sepm and clients. After doing so, the clients are not getting their updates. There is a bit of info out there but nothing has helped so far.

Clients can talk to server
Server reporting that it has the LU correct LU updates
Reinstall / clean of test client has happened
0 clients are getting their updates. I have a management server only, no internal live update server (disabled in policy)
Tried other vius defs which were sucked up fine, no go.
Database cleaned and re-init with a fresh install (database troubleshooting happend first).

I cant enable logging via registry.
No errors I can find in event log.
No errors on SEPM that I can see from the admin panel.
I don't have sep 12 to try.

Any ideas.

Thanks folks in advance.

↧

14 RU1 Cloud portal

October 29, 2017, 4:08 am

≫ Next: Question About Legacy Versions and Virus Definitions

≪ Previous: Upgrade from 12 - 14 clients not getting virus defs

I need a solution

Are anyone else experiencing problems with the 14 RU1 cloud portal?

When you enroll into the RU1 cloud you are no longer able to create an "allow application" exclusions from the on-premise SEPM risk Monitor logs. You have to wait for the incident to appear in the Cloud portal and then create an exclusion by hash from the cloud event using the new whitelist policies.

My problem is that incidents never seem to reach the cloud portal. If i manually create an exclusion in the cloud whitelist policy it will eventually reach the SEPM (5-10 minutes later) so I know that the SEPM is enrolled and communicating.

↧

Question About Legacy Versions and Virus Definitions

October 28, 2017, 10:08 am

≫ Next: unable Proactive Threat Protection to update

≪ Previous: 14 RU1 Cloud portal

I need a solution

Hello,

In my environment we are prepping for an update to take us from Symantec Endpoint Protection 12.1.3 to 14. We have some legacy clients that cannot be updated past their current point, and some devices where we have concerns about updating right away. Will Symantec Endpoint Protection Manager 14 still provide virus definition updates to devices running 12.1.1 and 12.1.3, or will the update leave these devices behind completely?

Thanks

Phil

↧

unable Proactive Threat Protection to update

October 30, 2017, 3:48 am

≫ Next: SEPM service not able to strat

≪ Previous: Question About Legacy Versions and Virus Definitions

I need a solution

bonjour,

au niveau des postes travailles, la mise à jour proactive est bloquée à la date 3 juillet 2017

Veuillez trouver ci-joint l'imprime Ecran de message d'erreur

↧

SEPM service not able to strat

October 28, 2017, 7:50 am

≫ Next: Pending Restart will do restart if upgrade to the new version

≪ Previous: unable Proactive Threat Protection to update

I need a solution

not able to start SEPM service and not able to login to SEPM as it says failed to conect to the server

↧

Pending Restart will do restart if upgrade to the new version

October 30, 2017, 10:36 am

≫ Next: Symantec LiveUpdate Administrator fail to download new updates

≪ Previous: SEPM service not able to strat

I need a solution

I have some clients (Servers) which required restart but i can not restart because of application running

i want to upgrade SEPM 12.1 to 14, if i do upgrade SEPM 14 the clients which are pending restart will restart automatically or not? SEPM i can restart but i can not restart. after SEPM 14 upgrade client pending will stay in same state or restart ??

↧

Symantec LiveUpdate Administrator fail to download new updates

October 31, 2017, 7:21 am

≫ Next: Port Scan

≪ Previous: Pending Restart will do restart if upgrade to the new version

I need a solution

Hi,

We are using Symantec LiveUpdate Administrator version 2.3.5.99 . Since a few days ago we have problems with downloading new definitions on the server.

Server is connected to "liveupdate.symantecliveupdate.com" through proxy server. When we manually start download, we can see that there is a traffic through the proxy and some files are downloaded in the "temporary directory". But after few seconds transfer stops and we are getting "Download request XXXX started by USER has failed".

We've tried many times to delete the content of the "Temporary" and "Download" directories, tried to change some server connection settings recommended here (https://www.symantec.com/connect/articles/liveupda...), but without success. There is enough space on the HDD where the new definitions are stored.

Please help us to resolve this issue.

Thank in advance!

↧

Port Scan

October 31, 2017, 7:47 am

≫ Next: Difference between Reports and Monitor tab in SEPM

≪ Previous: Symantec LiveUpdate Administrator fail to download new updates

I need a solution

Your computer's UDP ports: 60228, 61511, 58849, 61606 and 53615 have been scanned from 192.168.x.x

192.168.x.x is IP of domain controler.

Any Ideas?

↧

Difference between Reports and Monitor tab in SEPM

October 31, 2017, 8:42 am

≫ Next: SEPM menu not allowing me to move, delete, edit info

≪ Previous: Port Scan

I need a solution

Hi,

I would like to know whats the difference between Reports and Monitor tab in SEPM? Both seems to be similar.

Thanks.

↧

SEPM menu not allowing me to move, delete, edit info

October 31, 2017, 11:56 am

≫ Next: Proactive Threat Protection is not function correctly due to an internal configuration error

≪ Previous: Difference between Reports and Monitor tab in SEPM

I need a solution

One of our IT guys upgraded SEPM to the latest version a couple of days ago, without informing me (the person actually responsible for SEPM). We'd been at 14, now we're at 14.0.1.

Before this, if I wanted to move a computer or group of computers into a new group, I could select them, right click, and choose "Move" from the menu. Now, I can't click on "Move". Can't "Delete" either. Can't "Switch to User Mode". They don't get highlighted in the menu, it's as if in a normal Windows menu they were grayed out. I can "Enable as Unmanaged Detector", "Run Command" (and do anything in that sub-menu, and "Edit Properties", but when the properties window comes up, I can't actually edit anything in it except the description (I don't know if that's normal, I never used that before).

Thinking it was my browser, I tried IE 11 (I had first tried Chrome). No difference. I am an administrator, but I tried creating a new admin account, since I couldn't edit my permissions. I gave the new account unlimited permissions; no difference.

Is this happening to anyone else with the latest version of SEPM and if so, what do I do?

Thanks.

↧

Proactive Threat Protection is not function correctly due to an internal configuration error

October 31, 2017, 9:09 pm

≫ Next: Application exceptions

≪ Previous: SEPM menu not allowing me to move, delete, edit info

I need a solution

Proactive Threat Protection is not function correctly due to an internal configuration error

I fix SONAR has generated an error: code 0: description: Definition Failure

by delete 2 file restart and run live update

Now I got error

SONAR has generated an error: code 1: description: Heuristic Scan or Load Failure

I have 14 computers and 2 computers have error 'Proactive Threat Protection is not function correctly due to an internal configuration error'

I run SymDiag.exe and it wait for long time ( it not work)

Waiting for 1 definitions to be aquired

↧

Application exceptions

November 1, 2017, 7:21 am

≫ Next: Logging The Visited Website Where Malware Was Downloaded?

≪ Previous: Proactive Threat Protection is not function correctly due to an internal configuration error

I need a solution

Hey,

I've never really got my head around this in SEPM. In other products, you do an exception and just free type the process name. Job done.

What is 'Application to Montitor' all about. I want to have a proper exception for the mobsync.exe process for example. I originally added it as an application to monitor with Log only, which I don't think actually excludes it. So just gone back to try again and over time it has detected various versions of it, each with a different File Fingerprint.

So from the detected applications, which one do I actually choose? Is the File Fingerprint actually relevant or is that just for info. So if I add any one of them, mobsync.exe is mobsync.exe, so each version will be exceptioned.

Am I going to have to do the same for server processes, like EdgeTransport.exe in Exchange for example?

Thanks!

sepm-exceptions-applications.png

↧

Logging The Visited Website Where Malware Was Downloaded?

November 1, 2017, 10:25 am

≫ Next: SEP 12 Firewall still blocking LLMNR even after creating an ignore rule

≪ Previous: Application exceptions

I need a solution

Is there somewhere in the logs that will show what website was visited when a user downloaded malware? I'm not having any luck finding this information.

Thanks.

↧

SEP 12 Firewall still blocking LLMNR even after creating an ignore rule

November 1, 2017, 10:28 am

≫ Next: SEPM Reporting help

≪ Previous: Logging The Visited Website Where Malware Was Downloaded?

I need a solution

I've created an ignore rule for my my servers public IP range to allow all traffic on all prots / all protcols yet I am still seeing in my threat protection log that the range is being blocked by certain block rules - Block ipv4 LLMNR/ Block UPnP.

The block rules are closer to the top of the list while the ignore rule is at the bottom(see screenshot). I am trying to track down why these rules are still blocking the communcation even though I've created the ignore rule. I see the rule is working as the threat log does contain a few references to the ignore rule.

Any ideas?

FW.PNG

1509557958

↧