Channel: Symantec Connect - Endpoint Protection - Discussions
Viewing all 10484 articles

virus definitions will not update

I need a solution

We have a test computer that has Windows XP and I updated SEP to version 12. The test machine was put behind the firewall that the lab computers are behind. I ran the SEPXMLUpdate and SEP is showing connected to the correct server but the virus definitions will not update. I have included the contents of SEPXMLUpdate log file with this email. Thank you for any assistance you can provide.

__________________________________________________________________________

***  Installation Started 11/29/2017 15:05  ***
Title: SEPXMLUpdate-V1.0-EN-R1-PKG
Source: F:\SEPXMLUpdate\V1.0\EN\R1-PKG\SEPXMLUpdate-V1.0-EN-R1-PKG.EXE
* 11/29/17 15:05:11 Computer role: WKS
* 11/29/17 15:05:11 Command line: 
* 11/29/17 15:05:11 Command line is null: Defaulting to /EMBEDDED: /EMBEDDED
* Script is running as: s20bswadm  
*:  Admin Rights Detected.
COMPNAM : CN=SWTD211158,OU=SAW COMPUTERS,OU=US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM
: PARSE0:  SAW COMPUTERS,OU=US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM
: PARSE1:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM
: PARSE2:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM.
: PARSE3:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM..
: PARSE4:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM...
: PARSE5:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM....
: PARSE6:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM.....
: PARSE7:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM......
: PARSE8:  SAW COMPUTERS.US SWIFTWATER,DC=PASTEUR,DC=AVENTIS,DC=COM.......
: PARSEFINAL:  SAW COMPUTERS.US SWIFTWATER
: PARSEMACHINEDOMAIN:  PASTEUR,DC=AVENTIS,DC=COM.......
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS,DC=COM.......
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS.COM.......
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS.COM........
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS.COM.........
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS.COM..........
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS.COM...........
: PARSEMACHINEDOMAIN:  PASTEUR.AVENTIS.COM............
: Machine Domain:  PASTEUR.AVENTIS.COM
: Domain Specific Directory found at  F:\SEPXMLUpdate\V1.0\EN\R1-PKG\Content\PASTEUR.AVENTIS.COM-  Using those files...
* 11/29/17 15:05:11  Matched: Computers.US*=AMER\United States\Workstations
* 11/29/17 15:05:11 Set OURESULT:  AMER\United States\Workstations
* 11/29/17 15:05:11  Override: NONE  Domain: AMER  XMLFILE: AMER_sylink.xml
* 11/29/17 15:05:11 ************* Starting Installation ***********
* 11/29/17 15:05:11 Replacing End Point Server for Symantec Antivirus software
* 11/29/17 15:05:11 NO HWID CLEANUP Requested.   Specify "DOHWIDCLEANUP" on the command line to generate a fresh HWID.
* 11/29/17 15:05:11  TEMP: C:\DOCUME~1\S20BSW~1\LOCALS~1\Temp  Copied Source XML file to TEMP.
* 11/29/17 15:05:11 F:\SEPXMLUpdate\V1.0\EN\R1-PKG\Content\PASTEUR.AVENTIS.COM\AMER_sylink.xml located in the content directory.
File Overwrite: C:\SMSLogs\SyLink.xml
* 11/29/17 15:05:12 Symantec Product Version is:  12.1.7266.6800
* 11/29/17 15:05:12 Using Client SylinkDrop.exe at:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.7266.6800.105\Bin\\SylinkDrop.exe
* 11/29/17 15:05:12   Starting F:\SEPXMLUpdate\V1.0\EN\R1-PKG\MEDIA\PSEXEC.exe -s -i /accepteula "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.7266.6800.105\Bin\\SylinkDrop.exe" -silent "C:\SMSLOGS\SyLink.XML"
* 11/29/17 15:05:14   C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.7266.6800.105\Bin\\SylinkDrop.exe Ended with  RC 0
* Sylink.XML found here: C:\Documents and Settings\All Users\Application data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\SYLINK.XML
*  Sylink.XML date: 11/29/17 14:59:12
* CurrentGroup: My Company\United States\Workstations
* CurrentMode: 1
*  COMSTAT: 1511985560:XSPW10B468K.pharma.aventis.com:8014:1511985560:XSPW10B468K.pharma.aventis.com:8014:0:0:
* 11/29/17 15:05:15   ********** Install successfully completed at 11/29/17 15:05:15
User Rights: Admin

____________________________________________________________________________


Uninstall SEP with a password on many PCs

I need a solution

Hello guys. I have SEP clients with passwords, I have a license and SEPM, but I have a question about how I can delete SEP clients on many PCs. At first I wanted to remove SEP via the command line with PsTools, but the command line does not support an uninstall password, and SEPM cannot delete many stations via a condition or via a list. And now I have a question: how can I do a fully clean uninstall of SEP clients on many PCs with a client password?

Please, I need a solution.


64 bit md5 hash

I need a solution

How do I include a 64-bit MD5 hash in an Application and Device Control policy in Symantec Endpoint Protection 12.1 RU6 MP5?


Heur.AdvML.B

I need a solution

 

We look after multiple sites for various clients and over the last couple of weeks we have started getting reports of the virus name in the subject (Heur.AdvML.B) being detected on multiple PCs. Some of these PCs have no relation with another site as they are from different clients in different geographical locations. The reports are coming from both Windows 7 and Windows 10 (both 64-bit & Pro) operating systems.

While the reports we receive state that the issue is resolved and that no action needs to be taken we then find that the following day we will receive another report for the same virus but a different TMP file name, some examples below:

c:\windows\temp\wax7ae1.tmp

c:\windows\temp\wax8938.tmp

c:\windows\temp\wax6fee.tmp

c:\windows\temp\wax845e.tmp

c:\windows\temp\wax7862.tmp

c:\windows\temp\wax87b3.tmp

c:\windows\temp\wax9d9f.tmp

c:\windows\temp\waxc902.tmp

Is this a true detection or a false positive?

And if it is a false positive what can we do to stop the detections?

The clients also receive the reports and are questioning why they are seeing so many alerts.


Security certificate error (12045) after upgrading to SEP14

I need a solution

Hi,

Recently we have upgraded our SEPM to version 14.0.1 (Windows Server 2008R2 x64). For test purposes we started by upgrading 2 endpoint clients to version 14.0 RU1 (Windows 7 x64). Since the upgrade, clients are unable to connect to SEPM via the HTTPS protocol. The client is constantly getting the error: Security certificate error (12045). HTTP connection works fine.

At the moment we have the following settings in the Management Server Lists:

All endpoint clients which stayed on version 12.x connect via HTTPS to SEPM without any issues.

I tried to update sylink files but it did not solve the problem.

A new case with Symantec Support was created one week ago and it is still not solved by the technician. I am on the phone almost every day and they cannot figure it out.

Any ideas would be much appreciated.

Regards,

Marcin


Do reports log "once" or per occurrence?

I need a solution

Hi,

I apologize in advance if this has been asked or answered before, I did try to search for it (both here and using Google) but I couldn't find the information I was looking for here or in the manual.

Scenario: You create a Report, type "Network and host exploit mitigation", Full report, Time range 3 months and the rest is default. In the exported CSV file I see a lot of blocked Nessus scans on ONE day, like "[SID: 30226] Attack: Nessus Vulnerability Scanner Activity attack blocked. Traffic has been blocked for this application: SYSTEM".

For some reason I cannot reproduce a Nessus scan right now and I cannot really trust the SEP Manager 100%, and I'm looking for external verification on the following question:

If a Nessus agent scans an endpoint 1000 times, will it be shown 1 time in the report or 1000 times? If it will only show once, how much time must pass before the Nessus scan shows again in the same report?
Is there a way for me to configure it so that it logs each detected/blocked scan and get that in some report?

Again, I feel that a question like this should be answered in the manual for starters or that other people have asked the same, so I'm almost a bit embarrassed to create this thread.. :/

Thanks in advance!


multiple packages to use for upgrading clients in a group (AutoUpgrade)

I need a solution

Hi.

I wonder if it works and whether it is good practice to add Legacy v12.1.7266 & SEP v14.03752 packages in the "Install Packages" tab for the same group?

The scenario is the client migration from SEPM v12 to SEPM v14, but some clients still have the Legacy v12.1.5337 endpoint installed.

Thank you


Virus keeps popping up and getting quarantined every night

I need a solution

For the last 2 weeks and roughly the same time every night, our Symantec Endpoint Protection on a server keeps quarantining a file.  The name changes slightly but always starts with a dwhxxxx.exe.  It is always found in the C:/Windows/Temp folder.

In checking my web logs, I cannot see where this file is coming in. Some nights we only get it a few times, other times we may have up to 20 or 30 files getting quarantined. Each day I run a full virus scan and we always come back clean. Any information in the Risk Details area does not indicate anything. Is there any information in this area that may help us in tracking down how this keeps getting into the system?

Any suggestions?


Server SMB hang 14 RU1

I do not need a solution (just sharing information)

Just wanted to share some things we have been experiencing to see if anyone else is seeing this.  First on SEP 14 MP2, we had a lot of our SQL servers get to a point where they would respond to pings, but we would be unable to RDP.  I found some articles that mention this is resolved in RU1 so we have upgraded these SQL servers and so far none has experienced this issue again, however we have another issue that may be separate where a file server's SMB shares will randomly stop working.  You can still RDP to the server, and even hit shares going out from the server.  In an attempt to gather logs, I ran SymDiag and enabled debug logging and this runs the smc -stop/start command.  Once this was done and logs were being gathered, we noticed/tested and SMB shares were working again.  This is the 2nd time this specific server has done this since upgrading to 14 RU1.  We have a 2nd suspect server that may be experiencing the issue but we are in the middle of verifying if disabling SEP has any effect.  Not all servers are up to RU1, but this is making me a little scared to fully move to RU1.

I do have an open case and will try and remember to report back if any progress is made.

Nathan


endpoint protection for Isolated PC

I need a solution

Hi,

We have a PC which is in an isolated network (it's not connected to the internet either). Our endpoint protection server and clients are in a different network. How can I install, activate, and update on the isolated PC? If possible I want to keep it standalone. Is it possible?

Thanks

Barshani


SEPM 14 RU1 Replication

I need a solution

Hello Everyone,

I have a small query with regards to SEP. We currently have three different geographical sites in the same country for SEP. Site-A has 2 SEPMs (managing approx. 5000 clients), Site-B has 2 SEPMs (managing approx. 4500 clients) and Site-C has 1 SEPM (managing approx. 1500 clients). Currently each site is being managed separately as there is no replication enabled between these sites. The version of SEP is 14 RU1. Can we enable replication among these three sites without any data loss or issues to have the capabilities of centralized management and policy enforcement?

Your comments and suggestions are appreciated. Thanks


How can I prevent the ability to restore files from Quarantine for end users on SEP 14.MP2?

I need a solution

How can I prevent the ability to restore files from Quarantine for end users on SEP 14.MP2?


I can't open a menu

I need a solution

Hi, I upgraded from version 12.6.1 to 14.0.1 (RU1) and now the Home, Reports and Monitors menus don't show anything; they all look blank.

The ODBC was reconfigured and works fine, the same goes for the permissions in SQL, the authentication with SQL is fine, and the communication with clients is good, but at login it always shows me the error 0x10010000 and I can't make reports; the programmed reports are not sent by e-mail.

Thanks for your help.


Client has in connection status Win Inet error 997

I need a solution

Hi all, we are experiencing an issue with clients with version 12.1.7004.6500 running on Windows 7 SP1 32-bit that report Win Inet error 997. In addition, the clients are connecting and disconnecting from the server.

We have exported the sylink to one of the clients in order to see if it resolves the issue.

On other terminals we have uninstalled and reinstalled the client. It works for several days and afterwards the issue comes back.

Your comments are welcome.

Carlos


TA14-017A UDP-based Amplification Attacks

I need a solution

Does Symantec Endpoint Protection have some protection against this attack?

TA14-017A: UDP-Based Amplification Attacks
Original release date: January 17, 2014
Updated on: December 4, 2017


SEP 14 Standard client

I need a solution

Question regarding the virus definitions in the new Standard client package in SEP 14. How do you understand this?

Installs only the latest virus and spyware definitions.

The standard client is approximately 80 percent to 90 percent smaller on disk than dark network Windows clients because they download only the latest definitions.

How are "the latest virus and spyware definitions" defined? For example today is Dec 5th, so will the virus definitions on the disk contain only what was added as detections in the virus defs with date Dec 4th and everything older will be on the cloud?


Sync issues with Directory servers

I need a solution

Hello,

Some OUs in SEPM are linked to our Active Directory, and when we try to "Sync now", some OUs get this error message: The directory server from which one or more organizational units have been imported does not exist. Ensure that the directory server exists, and then import the organizational units before trying to synchronize.

What we think is that the OUs have been synced with a DC server that is offline now. Is there a way to change the configuration of this particular OU? Can we find which directory server is associated with these SEPM OUs?

Thanks


Creating Exceptions in SEPM 14.1

I need a solution

I'm currently creating exceptions in SEPM 14.1.

I've added a few exceptions so far; however, I'm confused about how to create an exception that will exclude file extensions from scans in a folder rather than the system as a whole.

For example, I want to exclude .jrs files in the folder C:\Program Files(x86)\MySuperSecrectFolder\Folder1


Having different live update schedules for different groups with a default management server

I need a solution

We're running SEP 12.1.6 MP9 and our management server is the server that gets the definition updates daily.

Is there a way to have some groups get the definitions immediately and some to wait one day before they get the updated definitions? In the interface options for scheduling are grayed out since we're using a default management server and not giving the clients access to the public Live Update servers.

I'm basically trying to update non-critical machines as soon as a new definition is released, but for more critical servers we'd like to wait a little longer in case a bad definition comes out.


14 RU1 - Apache stops responding after some time

I need a solution

Hello, 

I'm facing some issues after a SEPM upgrade from 12.1.6 to 14 RU1 (Windows Server 2008 R2 + external MS SQL 2012). There are ~2000 clients; after 30-60 minutes they go Offline and the Apache service is not responsive (unable to check secars/secars.dll?hello,secars - port 443 is listening all the time). After I restart the Web Service everything gets back online (secars shows OK) for another 30-60 minutes, sometimes more, and then Offline again, like in a loop. Right now all clients are on version 12.1.6, mixed Windows and Linux, with a reverse-proxy setup. This is my third upgrade from 12.1.6 to 14 RU1 and the previous 2 environments went OK without this kind of issue.

I've done an installation repair but without success. Before the repair httpd.exe was crashing randomly once or twice per hour with an event in the Application Log, but after the repair I'm not seeing these errors anymore.

Faulting application name: httpd.exe, version: 2.4.26.310, time stamp: 0x59aaedd4
Faulting module name: ntdll.dll, version: 6.1.7601.23915, time stamp: 0x59b94a16

In scm-server-0.log I could see these errors before installation repair. 

.
.
2017-12-05 19:13:31.171 THREAD 206 WARNING: AgentLastCheckInTask invalid IP in line: 18474BC90AC9000901309D9A9C7FA027-0
2017-12-05 19:43:31.207 THREAD 206 WARNING: AgentLastCheckInTask invalid IP in line: 185238680AC9000901309D9AE1345A7F-0
2017-12-05 20:00:31.546 THREAD 210 SEVERE: Your hard disk C:\ space is less than <6,144>MB and impacts the performance of Symantec Endpoint Protection Manager. You should delete some files to free up space. Symantec recommends that you have a minimum of 6GB of free disk space.

Wanted to ask for some ideas before installing everything from scratch and proceeding with DR. 

Best regards

PG
