Channel: Symantec Connect - Endpoint Protection - Discussions

Symantec Endpoint Protection keeps stopping

I need a solution

Definitions are out of date & I cannot update them as the service stops after four seconds. Cannot uninstall as it keeps asking to restart PC, cannot repair in config settings for the same reason.

When I try to open the GUI I get the message "symantec endpoint protection cannot open because some symantec services are stopped. restart the symantec services and then open the symantec endpoint protection". 

I ran the Symantec repair tool & got lots of errors, attached the diagnostic file.

license query

I need a solution

Hi,

I am intending to upgrade SEPM 12.1.6 to 14.0.1 by performing a fresh installation on a new Windows 2016 server.

The clients are then slowly upgraded to 14.0.1 by small groups and then point to the new server.

There will be a period of time where there are two SEPMs in the same domain. Thus, is there any licensing concern?

Meltdown / Spectre Signatures?

I need a solution

Hi,

Are there any signatures or method of identifying vulnerability exploits for the spectre/CPU issue? Need to know particularly for our content inspection facility.

Cheers,

Sam

SAP upgrade requires Symantec uninstall

I need a solution

Hello experts,

While upgrading the SAP Solution Manager 71 to the latest version 7.2, the upgrade process was stopped. After contacting SAP support, it was requested to completely uninstall the Symantec Endpoint (Version: 14.0.2349.100) from the Server. Disabling the services and process was not sufficient. A full uninstall was necessary.

Indeed, after the uninstall, the upgrade process was able to finish.

Questions:

Why is a full uninstall of Symantec needed?
Which process is conflicting with the upgrade?
Is there no better option but to uninstall Symantec?

Thanks for your support.

Youssef

Unable to activate the IPS policy

I need a solution

Hello, I can no longer activate the IPS policy on my SEPM 14 MP1 console. When I open the policy, I get a message telling me that the data could not be loaded correctly, and the window stays frozen with no way to confirm the changes.

Thanks in advance for your help.

Some basic cloud portal questions

I need a solution

Hello, we've been using Symantec EndPoint Protection Suite for over a decade. Every few months I download the latest bits, update our server/server console and then our clients. The latest version I downloaded has the "Introducing Symantec EndPoint Protection 14.1" link where we can create a cloud portal account. I found this article https://support.symantec.com/en_US/article.HOWTO127721.html but I still have some questions.

1 - Is there an additional charge to migrate from on-premise management to cloud based management?

2 - Would all my PCs, laptops and servers now report / be managed by the cloud? i.e. I wouldn't need to maintain a local database or a local EndPoint Protection Management Console?

3 - Does cloud offer all the features of on premise ? We use some basic policies and have USB thumb drive restrictions

4 - Would we need a BAA since we are a health organization? I'm not sure exactly all that is transferred and hosted on Symantec's servers.

Any help/feedback would be much appreciated!

thanks

-Kevin

Symantec updates on Meltdown & Spectre

I do not need a solution (just sharing information)

Recent vulnerabilities have been reported, under both Meltdown & Spectre familiar names. Associated MS out-of-band patches are being published.

Symantec Security Response has published a dedicated blog post covering this topic:

https://www.symantec.com/blogs/threat-intelligence/meltdown-spectre-cpu-bugs

Which Symantec software products are affected ?

http://www.symantec.com/docs/INFO4793

Symantec is aware of issues that can be experienced with both SEP 12.1 and 14.0 after applying the Microsoft patches, and is treating these with the highest possible priority.

  1. ccSvcHst.exe crash after applying the January 3rd, 2018 Windows Security Update to a system running SEP 12.1.x

http://www.symantec.com/docs/TECH248558

All SEP 12.1 versions prior to SEP 12.1 RU6 MP6, which are not running on Windows 7 or Windows Server 2008 R2, are affected by this problem if the Microsoft patch has been applied to the system after ERASER engine update.

If you are running a SEP 12.1 RU6 MP5 and earlier client on Windows 8, 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, the error will occur and the system could be damaged irreparably.

  2. Endpoint Protection system tray icon reports there are multiple errors after updating ERASER to 117.3.0 and Microsoft Update KB4056892

http://www.symantec.com/docs/TECH248552

All Versions of SEP 12.1 or SEP 14, which are not running on Windows 7 or Windows Server 2008 R2, are affected by this problem.

Symantec will release a new client version build for:

  • 12.1 RU6 MP9
  • 14 MP2
  • 14 RU1
  • 14 RU1 MP1

These new packages will be available on the 17th January 2018 (subject to change) over Symantec Fileconnect, as a new build-version and fix both issues on Windows OS which are not Windows 7 or Windows Server 2008 R2.

  • These builds will follow all the normal supported upgrade paths and migration steps associated with moving to a new version of the product
  • The 12.1 hotfix will be based off of 12.1 RU6 MP9
  • Client patches will be available for the hotfix releases (similar to: http://www.symantec.com/docs/INFO4642)
  • LiveUpdate will NOT be used to distribute the hotfix

Technical information and research

Vulnerability Coverage: CVE-2017-5753

https://www.symantec.com/security_response/writeup.jsp?docid=2018-010508-3826-99

Antivirus Protection Dates

  • Initial Rapid Release version January 4, 2018 revision 022
  • Latest Rapid Release version January 7, 2018 revision 022
  • Initial Daily Certified version January 5, 2018 revision 002
  • Latest Daily Certified version January 8, 2018 revision 003
  • Initial Weekly Certified release date January 10, 2018

You can test the ERASER Engine and definitions sets on selected SEP client machines using the LiveUpdate EAS (Early Adopter System) servers.

Preview new Endpoint Protection engines with Early Adopter System

http://www.symantec.com/docs/TECH246341

More information

Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB. To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors at this time.

Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state or for more information see KB4073707. For AMD specific information please contact AMD.

https://support.microsoft.com/en-us/help/4056897/windows-7-update-kb4056897

https://support.microsoft.com/en-us/help/4056895/windows-81-update-kb4056895

 
Windows 10 upgrade 1607 fails because of SEP

I need a solution

Well this is a pain, Microsoft says Symantec Endpoint Protection isn't supported in this upgrade and it needs to be uninstalled. I did, plus I went into the registry and deleted any reference to it and to Symantec itself. Ran the Cleanwipe and followed everything in article.TECH231349.html. I also deleted all content in temp and install folders related to Symantec as well as Symantec Ghost Solution Suite dagent.

I've been battling for 3 days and it just keeps throwing the---need to uninstall SEP in my face. Does anyone know if there is a way to force install it and to keep all files, folders and programs intact. Yes I know I can do a clean install...oyi...I'm not going down that path

Thanks, John V.

Kick off LiveUpdate by a non-administrative user?

I need a solution

So we've run into a situation where our users on travel (they are not administrators on their own laptops) cannot connect to our VPN until SEP has a recent set of definitions. While I do have an off site location awareness policy that directs them to the Symantec LiveUpdate servers, it seems as though that LiveUpdate process does not happen very quickly, and I'd like a method to jump start the LiveUpdate process on demand. I believe that SepLiveUpdate.exe will not launch as a non-administrative user, so that's out.

Options I have thought of are to set a scheduled task that runs SepLiveUpdate.exe (as the Local System account) upon logon (maybe with a 5 minute delay). Or maybe to utilize SCCM to kick off SepLiveUpdate.exe.

Does anyone have an idea as to how a non-administrative user could manually kick off the LiveUpdate process?

Thanks for your time,
-Mike

Recreating Audit:SMB Brute Force Attack

I do not need a solution (just sharing information)

We are having an issue on most of our computers where they report an SMB: Audit Brute force attack and we can't exclude notifications.  Symantec is looking into the issue and says this is possible to exclude, but needs us to recreate the issue.  I don't know how I can recreate it though because it happens randomly and we don't exactly know what causes it.

We know it's a software of ours that people log into, then at some point it just does incorrect logins to a fileshare every single second for 10 minutes which causes the alert.

My question is how can I recreate this with a script to maybe try to connect to a fileshare using SMB and an incorrect login that will give me denied access over and over so I can generate this alert.

Does SQL Management Studio 2017 work with SEPM 14

I need a solution

I'm setting up a SEPM in a DMZ to manage clients outside of our environment.

I've connected a primary and secondary SEPMs to the SQL Database but those are the SQL Management Studio 2012 Versions.

When I try to set up the SEPM in the DMZ and connect to the SQL Server I get this error.

Is this an issue other people have had recently using SQL Management Studio 2017?

Trying to execute local Sep Console Java jnlp on MacOS and getting Java NullPointerException

I need a solution

Moving from Windows to Mac as a desktop and trying to install local Java applet interface to the SEPM (versus RDPing into the console, or using the HTTPS console, which doesn't keymap correctly to Safari or Chrome or FF on Mac OS 10.13.x).

Mac is at 10.13.2. SEPM is at 14.0RU1. I've installed Java runtime 1.8.151 (greater than 141) on my Mac, and have the SEPM cert installed in the Keychain. When executing JnlpServlet.jnlp I'm getting:

"Unable to launch the application"

with the following error message:

java.lang.NullPointerException
    at com.sygate.scm.util.Utility.getAPPDATADir(Utility.java:4458)
    at com.sygate.scm.console.ui.ConsoleOptions.getCommonJavaConsoleOptionFilePath(ConsoleOptions.java:532)
    at com.sygate.scm.console.ui.ConsoleOptions.getCommonConsoleOptionFilePath(ConsoleOptions.java:580)
    at com.sygate.scm.console.ui.ConsoleOptions.getInstance(ConsoleOptions.java:99)
    at com.sygate.scm.console.ui.LoginPanel.<init>(LoginPanel.java:156)
    at com.sygate.scm.console.ui.MainFrame.showFirstLoginPanel(MainFrame.java:244)
    at com.sygate.scm.console.ConsoleMain.<init>(ConsoleMain.java:629)
    at com.sygate.scm.console.ConsoleMain.main(ConsoleMain.java:934)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.javaws.Launcher.executeApplication(Unknown Source)
    at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
    at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
    at com.sun.javaws.Launcher.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:748)

Can someone decipher this error for me, and how to correct it?

Getting Error Message when trying to reinstall

I need a solution

I am getting this error message "failed to set symantec endpoint protection manager service account acls" when I am trying to reinstall SEPM on my server. It comes up when I am trying to create the database. Why is it that way?

SEPM not processing Updates

I need a solution

Hi,

what can I do if the SEPM (14 MP2) downloads the newest definitions but does not process them? There's new content in the inetpub\content folder but the definitions are not updating unless you restart the server...

Any idea?

Thanks!

Any issues with 14.0.1.1 (14 RU1 MP1)?

I need a solution

We currently have 14.0 MP2 and while we wait for the hotfix, I am wondering if it is worth it to upgrade to the latest SepM?  I don't plan on using the cloud features but would like to see what the general consensus is on the latest version.

Thanks

Upgrade from 14 MP1 to newest version

I need a solution

I will be upgrading our v14 MP1 to the newest version which, at the time of this writing, is 14.0.1.1 (14 RU1 MP1). From what I have been able to gather, a hotfix for my current version will not be released. I'm also wondering if I should wait until after the 17th to upgrade as there may be a newer "Refresh" version for RU1 MP1 that I can go right to. It has been a year so I think we are due for an upgrade!

Do I need to do anything other than upgrade the software by running the upgrade? No SQL upgrades or anything? Afterwards, I will supply the client install package to SCCM to install on all PCs.

Is there a whitepaper on best practices for upgrading other than:

https://support.symantec.com/en_US/article.HOWTO81...

or

https://support.symantec.com/en_US/article.HOWTO12...

Thanks so much!!

Endpoint SEP 14

I need a solution

Dear All,

This is an RFP for Endpoint wherein, out of many points, the following points have to be addressed. However, I need your expertise to address this.

1: Solution must protect against ransomware running locally or remotely

2: Threat reduction technology – the detection of likely threats by a variety of criteria, such as double extensions or the extension not matching the true file type.

3: VM protection suite should have Host Intrusion Prevention System (HIPS) technology which works in 4 Layers to provide zero day protection without the need for updates (Unknown Virus Detection & Repair).

4: Solution should have caching technology for scanning modes.

5: Algorithmic pattern-matching – input data is checked against a set of known sequences of code already identified as a virus.

6: Solution anti-ransomware must have the capability to detect and intercept unsolicited encryption of files, resulting from ransomware running on a remote endpoint that is connected to the server.

7: File server based on Windows 2008 R2 (64-bit) or latest with mounted volume from storages (EMC Isilon and NetApp-E series)

8: Solution should have decision caching technology for scanning modes.

9: Solution should have PUA scanning that will inform administrator which applications have been found. Administrator can then configure antivirus policies to allow or remove applications on this list.

Thanks in advance.

Upgraded to Build 14.0.1 3876, clients lost network connectivity

I need a solution

Total disaster here.

Upgraded SEP to 3876, pushed out the new client to two machines to test, upgraded just fine, pushed it out to company.

Everyone who has restarted after the notification has completely lost network connectivity.

I am on hold with Symantec but it is really bad here right now and figured I can multi-task with a forum post.

Has anyone experienced this before?

My goodness.
