Channel: Symantec Connect - Endpoint Protection - Discussions

Data to collect for Support when opening a case

I do not need a solution (just sharing information)

Based on Support's review of the data collected below, there may be situations where we will need to collect specialized data to continue our investigation into your issue.

  1. Please include the following and any other supporting information you believe is relevant to your case.
  • Errors – Document any error messages and the steps to reproduce the error.
  • Occurrences – Document the exact times of first and subsequent occurrences.
  • Environment – List any unique conditions or recent changes in your environment.

  2. The SymDiag tool should be run for every situation and provided to Support.

       Steps:

  • Download SymDiag from here: http://entced.symantec.com/symhelp/2/dl
  • Accept the EULA
  • Click Collect Data for Support
  • Select the Symantec products you are running on the system
  • Select All data
  • Once collection is complete, save the file for Support. Have this ready when opening your case.

  3. For database related issues Support may request a backup of your database. You can provide a backup from the SQL server, or use the Backup and Restore Wizard on the SEPM.

  4. For policy issues Support will need an export of the policy in question for review purposes.

For certain issues debug logging will need to be enabled and the issue reproduced.

  • If troubleshooting Symantec Endpoint Protection Manager (SEPM), please enable Finest debugging and reproduce the issue. This document explains how to enable debugging for SEPM: https://support.symantec.com/en_US/article.TECH230072.html. Once the issue is reproduced, gather a SymDiag for Support.
  • For SEP client communication issues, please enable Sylink debugging. Sylink logging records the communication between the SEP client and the SEPM. Generally, Support will need a minimum of 2 full heartbeats' worth of logging. This document explains how to enable Sylink debugging via the SymDiag tool: https://support.symantec.com/en_US/article.TECH207795.html. A SymDiag of the SEP client and of the SEPM will need to be collected as well.
  • For Group Update Provider (GUP) issues, please enable SMC debug logging on the GUP, Sylink logging on the client updating from the GUP, and Finest logging on the SEPM. Let the logging run at the same time for a minimum of 2 heartbeats. Collect a SymDiag from each system. To enable debug logging for the GUP please see: https://support.symantec.com/en_US/article.TECH207795.html
  • For driver level conflicts or problems with the SEP client, Support will need WPP debug logging. Make sure to always set the Max file size to 500 and the Trace Level to Verbose. Please follow the steps in this document to enable the logging: https://support.symantec.com/en_US/article.TECH207795.html

Additional Logging:

  • For application crashes Support will need full process dumps as well as a SymDiag.
  • For BSOD issues Support will need a full memory dump as well as a SymDiag.
  • For system hangs Support will need a full memory dump forced at the time of the hang as well as a SymDiag.
  • For slow logon or boot issues Support will need WPP boot logging and a Low-Alt Process Monitor capture as well as a SymDiag.
  • At times Support may ask for a Low-Alt Process Monitor capture to be run for permission related issues.
  • For networking issues Support will need packet captures (Wireshark) and WPP logging of the issue being reproduced.
  • SQL trace logs may be needed for SQL and SEPM database related issues.
  • System images may (rarely) be needed for issues we are not able to reproduce locally.

Conflicting Status

I need a solution

14.0 MP2 (14.0.2415.0200) on Windows 10 1709 (16299.192)

So...which status do I believe? 


TCP/IP Driver is attempting to access the network - no chance for BFUs...

I do not need a solution (just sharing information)

Hello,

My company just pushed a new install / upgrade or something of SEP to my Windows 10 laptop. After the reboot I got this question:

I wonder why Symantec is asking me this. Why can't it check that this is part of the OS and that this file has a digital signature from Microsoft, so there is no need to ask the user whether it can communicate over the network?

How can normal people have any idea how to respond to this? With questions like these you are just teaching everybody to click Yes on everything and not care at all. I don't remember ever seeing this kind of question before. What can trigger it, and why don't I see some other process/app name besides tcpip.sys?


Symantec server slow with CPU at 99%

I need a solution

Hello,

I have a SEPM 14 MP1 server with a SQL Server 2012 database.

The problem is that the server's CPU reaches 99%. I have restarted the server and the services, but the problem still persists.


Hidden pieces of a very old version of Endpoint needs to be removed

I need a solution

I have a computer that must have a very old version of Endpoint Protection, probably one that came with the original hardware (it ended up being transferred with the data from the original hard drive), because the Windows 10 update won't work until Symantec Endpoint Protection is removed. Can you provide a CleanWipe tool for very old versions of Endpoint Protection? I have tried the CleanWipe for 11.x and newer but it did not remove the problem. Thank you for the help.


Block incoming connections with SEP Firewall

I need a solution

I've been tasked with evaluating the SEP firewall to replace the Windows Firewall configuration in our environment. I'm attempting to create a firewall rule that will be used when computers are off site. The rule simply needs to block all inbound traffic from other hosts, while allowing any outbound traffic from the computer (essentially mirroring the default Windows Firewall behavior).

I don't see any indication that SEP has configuration options based on inbound/outbound traffic direction, so what would be the best way to achieve this?

Below are the Windows Firewall settings that I need to replicate:


Blocking local exception creation won't take

I need a solution

I'm trying to block local exception creation through SEPM with no luck. I've forced updates on the clients but am still able to add exceptions on the clients.

Restarted the client with no luck.


Does SEP support or provide an alternative to 'Controlled Folder Access' feature?

I need a solution

Hi all,

Does Symantec offer an alternative to the Controlled Folder Access feature in Windows Defender Exploit Guard deployed with Windows 10 Fall Creators Update?

https://cloudblogs.microsoft.com/microsoftsecure/2...

Our security audit is recommending we turn it on, but as we're using SEP, it's disabled. Is there a way to use features within SEP to replicate this functionality?

Cheers,

Steve


Memory Exploit Mitigation Events

I need a solution

Hi all

We have been experiencing many events related to Memory Exploit Mitigation (Monitors - System Logs - Client Activity).

Does anyone know if it is possible to not upload this kind of event to the management server?

thanks


Computer Status - Infected value

I need a solution

Hi!

I spent some time on the Internet searching for a clear description of the Infected field in the Computer Status extract from SEPM (Monitors tab), without any success.

I need to understand on which criteria SEPM will set the infected status of an asset to "Yes".

Any idea from the experts?

Thanks!


Symantec Install Component using 75% of the CPU

I need a solution

Hello,

The CPU on the Symantec Endpoint Protection Manager 14 MP1 server is at 99%; the Symantec Install Component process is using 75% of the CPU.


How to disable the 'Disable Symantec Endpoint Protection' option from the right-click menu for local admins on SEP 14.0.1

I need a solution

Hi,

Is there a solution for how to disable the 'Disable Symantec Endpoint Protection' option from the right-click menu for local admins on SEP 14.0.1?

I know that the heartbeat can change the settings back again, but we want to avoid clients that have local admin rights being able to disable this even for a short time.

We have looked at the https://support.symantec.com/en_US/article.HOWTO81... article, but this does not provide the solution.

We want to make sure that the local admin cannot disable SEP.

Thanks for getting back to us.

Regards,

Rik


Weird "Web Attack: VMWare Directory Traversal CVE-2009-3733 detected"

I need a solution

Hello All,

My client recently reported several "Web Attack: VMWare ..." warnings when he powered on his PC. Enterprise Endpoint Protection is on his PC. I have checked all the programs installed on his PC and didn't find anything related to VMWare. I also tried to find some detail in the Endpoint Protection logs, but found nothing about this warning. I wonder whether this is an erroneous detection or not. I searched for this warning; its severity is high. I have to figure out what is behind this warning.

Thanks in advance for all help.


Replication is failing from site with embedded db

I need a solution

Hello,

I have a UAT SEPM 14 RU1 MP1 environment with three SEPM servers, all replicating. One uses an embedded DB; the other two have external SQL databases. Replication is failing between one of the SEPMs that uses a SQL DB and the one that uses an embedded DB. I have checked some other posts, such as increasing the limit of FG_Loginfo, but I was not near the limit. Below is the message I see in replicationlocal-0. The main items I saw were "PVL invalid" and the failure reported on copy dir.

2018-01-31 10:08:17.427 THREAD 296721 SEVERE: ERROR: ContentReplicationHelper >> generateDetailsForFullRevision > PVL invalid!

ContentReplicationDetail:
FullPath= C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\temp\replication87A5CC07AC1CB550018199B7F0A2ECED1517411055932\content\{9706309A-0A4B-0378-40BB-F90BA19BB8F8}\234884900\Full
fullFolderExists=true fileCount=17
clientMoniker= {9706309A-0A4B-0378-40BB-F90BA19BB8F8} serverMoniker= {F3FC8E37-0A4B-0378-40BB-F90B133EDC57}
sequenceNum= 234884900 sequenceTag= PATCH product=
version= language= luType=4
PhysicalFile= C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\temp\replication87A5CC07AC1CB550018199B7F0A2ECED1517411055932\metadata\BASIC_METADATA\21D26A6817DED626809D43A8968499DE
BinaryFile= C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\temp\replication87A5CC07AC1CB550018199B7F0A2ECED1517411055932\metadata\BINARY_FILE\A79D98E113BBDF9659071CC31CF245B7
2018-01-31 10:08:17.428 THREAD 296721 WARNING: ContentReplicationHelper >> Processing Remote Identity Moniker: {07B590B3-9282-482f-BBAA-6D515D385869} , Remote Revisions: [180110002, 180110008, 180110020, 180111001, 180111007, 180111020, 180112002, 180112008, 180113001, 180114006, 180114021, 180115002, 180115008, 180115024, 180116002, 180116008, 180116021, 180117002, 180117008, 180117020, 180118002, 180118007, 180118018, 180119002, 180119007, 180120002, 180121008, 180121021, 180122002, 180122006, 180122017, 180123002, 180123007, 180123020, 180124002, 180124007, 180124018, 180125002, 180125007, 180125020, 180126002, 180126009, 180127001, 180128007, 180128020, 180129001, 180130002]
2018-01-31 10:08:17.428 THREAD 296721 WARNING: ContentReplicationHelper >> Processing Remote Revision : 180130002
2018-01-31 10:08:17.431 THREAD 296721 WARNING: ContentReplicationHelper >> generateDetailsForFullRevision > sMoniker: {307D2C61-0AB4-F6D4-00BE-15391E224ABA} luType: 0
2018-01-31 10:08:18.182 THREAD 296721 WARNING: ReplicationTask>> initialize: Error-> Rolling back db changes...
2018-01-31 10:08:18.182 THREAD 296721 WARNING: ReplicationTask>> initialize: Closing db connection...
2018-01-31 10:08:18.182 THREAD 296721 WARNING: ReplicationTask>> replicate: Exception...
2018-01-31 10:08:18.183 THREAD 296721 WARNING: java.lang.IllegalStateException: failure reported on copy dir
    at com.sygate.scm.server.liveupdate.ContentReplicationHelper.getLocalFullRevision(ContentReplicationHelper.java:1553)
    at com.sygate.scm.server.liveupdate.ContentReplicationHelper.generateDetailsForFullRevision(ContentReplicationHelper.java:1690)
    at com.sygate.scm.server.liveupdate.ContentReplicationHelper.initRevision(ContentReplicationHelper.java:1380)
    at com.sygate.scm.server.liveupdate.ContentReplicationHelper.initIdentityMoniker(ContentReplicationHelper.java:1354)
    at com.sygate.scm.server.liveupdate.ContentReplicationHelper.initialize(ContentReplicationHelper.java:1100)
    at com.sygate.scm.server.replication.ReplicationTask.executeContentReplication(ReplicationTask.java:1979)
    at com.sygate.scm.server.replication.ReplicationTask.initialize(ReplicationTask.java:1931)
    at com.sygate.scm.server.replication.ReplicationTask.replicate(ReplicationTask.java:1241)
    at com.sygate.scm.server.replication.ReplicationTask.execute(ReplicationTask.java:504)
    at com.sygate.scm.server.task.MonitoredTimerTask.run(MonitoredTimerTask.java:41)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

2018-01-31 10:08:18.183 THREAD 296721 WARNING: ReplicationTask>> replicate: Unable to fetch changed data from remote site [pisepdev03]: failure reported on copy dir
2018-01-31 10:08:19.414 THREAD 296721 WARNING: ReplicationTask>> replicate: Refreshing replication task schedule...

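Every entry in the replicationlocal log above has the same shape: a timestamp, "THREAD n", a level (SEVERE, WARNING), a message, and then any number of continuation lines (the ContentReplicationDetail block, the Java stack frames) that belong to the entry before them. The following triage parser is an added example, not code from the post or from Symantec: it groups a log into entries and pulls out the fields Support asks for first (the first SEVERE message, the exception class and its top frame, which remote site and revision were being pulled, and whether the task rolled back). The sample log is constructed for the example, in the post's format but with made-up monikers, a made-up temp folder name and a made-up site name.

```python
"""Triage helper for SEPM replicationlocal-*.log entries (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "<yyyy-mm-dd hh:mm:ss.mmm> THREAD <n> <LEVEL>: <message>"; anything else is a continuation line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) THREAD (?P<thread>\d+) "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
SITE_RE = re.compile(r"remote site \[(?P<site>[^\]]+)\]: (?P<reason>.*)$")
REVISIONS_RE = re.compile(r"Remote Revisions: \[(?P<revs>[^\]]*)\]")
PROCESSING_RE = re.compile(r"Processing Remote Revision\s*:\s*(?P<rev>\d+)")
# A Java exception message: dotted class name ending in Exception/Error, then ": text".
EXCEPTION_RE = re.compile(r"^(?P<cls>(?:[\w$]+\.)+[\w$]*(?:Exception|Error)): (?P<text>.*)$")


@dataclass
class Entry:
    ts: str
    thread: str
    level: str
    msg: str
    detail: List[str] = field(default_factory=list)  # continuation / stack-trace lines


def parse_log(text: str) -> List[Entry]:
    """Group raw log text into entries; non-matching, non-blank lines attach to the previous entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], m["thread"], m["level"], m["msg"]))
        elif entries and raw.strip():
            entries[-1].detail.append(raw.strip())
    return entries


def summarize(entries: List[Entry]) -> Dict[str, Optional[object]]:
    """Extract the facts a replication case opens with."""
    out: Dict[str, Optional[object]] = {
        "first_severe": None, "exception_class": None, "exception_text": None,
        "top_frame": None, "remote_site": None, "reason": None,
        "remote_revisions": 0, "last_revision": None, "rolled_back": False,
    }
    for e in entries:
        if e.level == "SEVERE" and out["first_severe"] is None:
            out["first_severe"] = e.msg
        m = REVISIONS_RE.search(e.msg)
        if m:  # how many revisions the remote site offered for this moniker
            out["remote_revisions"] = len([r for r in m["revs"].split(",") if r.strip()])
        m = PROCESSING_RE.search(e.msg)
        if m:  # the revision being handled when things went wrong
            out["last_revision"] = m["rev"]
        m = EXCEPTION_RE.match(e.msg)
        if m and out["exception_class"] is None:
            out["exception_class"], out["exception_text"] = m["cls"], m["text"]
            frames = [d for d in e.detail if d.startswith("at ")]
            out["top_frame"] = frames[0][3:] if frames else None
        m = SITE_RE.search(e.msg)
        if m:
            out["remote_site"], out["reason"] = m["site"], m["reason"]
        if "Rolling back db changes" in e.msg:
            out["rolled_back"] = True
    return out


# Constructed sample in the post's format; monikers, temp folder and site name are made up.
SAMPLE_LOG = r"""2018-01-31 10:08:17.427 THREAD 1234 SEVERE: ERROR: ContentReplicationHelper >> generateDetailsForFullRevision > PVL invalid!

ContentReplicationDetail:
FullPath= C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\temp\replicationEXAMPLE\content\{00000000-0000-0000-0000-000000000001}\100\Full
fullFolderExists=true fileCount=17
2018-01-31 10:08:17.428 THREAD 1234 WARNING: ContentReplicationHelper >> Processing Remote Identity Moniker: {00000000-0000-0000-0000-000000000002} , Remote Revisions: [180128020, 180129001, 180130002]
2018-01-31 10:08:17.428 THREAD 1234 WARNING: ContentReplicationHelper >> Processing Remote Revision : 180130002
2018-01-31 10:08:18.182 THREAD 1234 WARNING: ReplicationTask>> initialize: Error-> Rolling back db changes...
2018-01-31 10:08:18.183 THREAD 1234 WARNING: java.lang.IllegalStateException: failure reported on copy dir
    at com.sygate.scm.server.liveupdate.ContentReplicationHelper.getLocalFullRevision(ContentReplicationHelper.java:1553)
    at com.sygate.scm.server.replication.ReplicationTask.replicate(ReplicationTask.java:1241)

2018-01-31 10:08:18.183 THREAD 1234 WARNING: ReplicationTask>> replicate: Unable to fetch changed data from remote site [sepm-remote-01]: failure reported on copy dir
"""


def triage(text: str) -> Dict[str, Optional[object]]:
    """Parse and summarize in one call; pass the contents of a real replicationlocal-*.log."""
    return summarize(parse_log(text))


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it against a real file with `triage(open(path, encoding="utf-8", errors="replace").read())`; the SEVERE line and the top stack frame are what to quote when opening the case, and `remote_site` tells you which partner's temp content folder to look at.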

SEPM 14.0.3876.1100 no update over one week

I need a solution

My SEPM has not been able to download any new updates since 23 Jan 2018.

The LiveUpdate status shows "up to date".

Download log: the download log shows "no updates found".

The last definitions were downloaded on 22 Jan 2018, which is over one week ago.


Download Protection Failures in security status of SEPM

I need a solution

Hi

I have an issue with SEPM: there is an alert for "Download Protection Failures" in Security Status. Does anyone have any idea how I can troubleshoot/address this?

regards

Phansa


Host Integrity Signature File Download

I need a solution

Hi

When configuring my Host Integrity policy, I add a requirement specifying that the oldest allowed age of the signature file is 3 days. I then want it to download a new signature file should this requirement not be met. There is an option to configure this, and I have tried it with the following URL:

http://liveupdate.symantec.com:80

I have then used %F% in the "execute the command" field.

I have been told that you cannot use an internet URL for this and that it would have to be an internal server, but I'm not convinced by this, as the whole point is to stop our clients getting onto the internal network before their signature file is up to date. To do this, the clients would need to connect to the internet first to update the signature file; the laptop would then be compliant and they could continue to connect to the internal network.

Does anybody have any experience with this?

Thanks


SEP 14 Policy Framework crashing in

I need a solution

We have installed a new version of SEP in our Citrix XenDesktop environment, version 14.0.3892.1101.105, and lots of people get an error saying the Symantec Policy Framework has crashed.

Faulting application name: ccSvcHst.exe, version: 13.3.1.5, time stamp: 0x5a53f171
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00001ab0
Faulting process id: 0xc430
Faulting application start time: 0x01d39b3bbb3eb9b8
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3892.1101.105\Bin\ccSvcHst.exe
Faulting module path: unknown
Report Id: 2be3ffc6-075e-11e8-8252-36c626fad04c
Faulting package full name: 
Faulting package-relative application ID: 

Windows creates no DMP or crash dump to investigate. Why would it be crashing in <unknown>?

Is this an isolated fault, or is anyone else having this issue?


SEP Firewall ignoring inbound/outbound property for UDP traffic

I need a solution

In the process of updating from SEP 12.1 to 14 this week, on Tuesday I updated the SEPM server and deployed the new client to the first client. All seemed good. On Wednesday I pushed the new client out to about a dozen computers and got reports of people unable to print. After some testing, disabling Network Threat Protection allowed them to print, which pointed me to a firewall issue. Looking through the firewall, I couldn't see anything wrong, so I fired up Wireshark and began looking at the differences with NTP on and off. I noticed that with NTP on, the client machine wasn't able to send/receive SNMP traffic, which was why it couldn't print. I double-checked the firewall rules: there was nothing in there specifically about SNMP (the default rule which is available to prevent SNMP was turned off, and no other rules specifically dealt with it or its ports). I added a rule to specifically allow SNMP traffic and it fixed the issue. I deployed this change out to the updated clients to fix the issue and began further investigation, since as far as I could tell that rule shouldn't have been necessary. Ultimately, what I learned was that the default medium security rules (block all incoming TCP and statefully block incoming UDP, and allow everything else) were also blocking all UDP traffic. After some experimenting, it appears that UDP rules that state incoming and outgoing traffic ignore the incoming and outgoing part, blocking all traffic in both directions.

This can be easily recreated on my systems by implementing the two rules in the screenshot below, "UDP Rules". The first says allow all outgoing UDP traffic. The second says deny all incoming UDP traffic. With this setup, all UDP traffic is allowed, as can be seen in the traffic log screenshot. Of particular note is the .105 address, which was specifically sent as an unsolicited UDP packet from another computer for testing purposes. (I couldn't be completely certain that the UDP outgoing log wasn't showing incoming packets from a previously established outgoing connection.) I can fix the printer issue specifically by just allowing the SNMP ports above the deny incoming UDP rule, but this is likely to ultimately cause further issues down the line with outbound UDP packets being blocked that shouldn't be.


Microsoft OneDrive sync is being blocked by SEP

I need a solution

Hello everyone,

I am having a problem with SEP 12.1.6. After updating Skype and Internet Explorer and installing OneDrive for Office 365, these applications no longer work over the internet. SEP blocks OneDrive synchronization.

Could someone please propose a solution to me?

Thank you
