Channel: Symantec Connect - Endpoint Protection - Discussions

EtherCAT Support

I need a solution

We have several hardware tools that we use that use the EtherCAT network protocol.  We have found that they only work with Endpoint Protection disabled.  This protocol is used across many industries for different pieces of network hardware.  What settings do I need to update to enable support for this protocol?

https://en.wikipedia.org/wiki/EtherCAT

Thank you for your help!

EndPoint Status shows Disabled in SEPM but Client and Status is Online

I need a solution

We have one 2008 server that shows in our SEPM Console in the EndPoint Status as Disabled, but when you view the client it is online and green, as well as it shows the same on the server. The reason for the disabled endpoint is caused by the tamper protection status, as it shows "component is malfunctioning". We have had this issue ongoing for over a year. We have uninstalled, used the Repair Tools and CleanWipe, and it still does not change. This appeared when we were on the 12.1 version and now we are running 14.0.1. Can this be related to something stuck in the database? Looking for other options.

SEP1401MP1, same name, 2 different versions?

I need a solution

Just saw in FileConnect, SEP version name is still 14.0.1MP1, but the downloaded file is different than the one that I downloaded in January. What is the difference between them? Which one should be used?

If it is a "re-released" version, at least the file name should be different to avoid confusion. 

Logs Repair duplicate IDs

AT&T Global Network Client Firewall Status is offline

I need a solution

Does somebody know why the Symantec Endpoint Protection Firewall has the Status "off" (see pic.) in the AT&T Global Network Client (VPN) even if the Network Threat Protection is enabled?

Virus definitions are not updating

I need a solution

Hi!

I have Symantec Endpoint Protection Manager and Symantec Live Update Administrator installed on the same machine. SEPM is configured so that managed clients get updates from LUA.

I have 10 clients with Windows XP and Symantec Endpoint Protection 12.1 RU6 installed.

I also have 30 clients with Windows 7+ installed (Windows 8, Windows 10), with Symantec Endpoint Protection 14.

I don't have any problems with Symantec 14.

But I have strange problems with Symantec 12:

It connects to SEPM fine, and is visible in SEPM.

It also works with policies: if I press LiveUpdate, I see that it goes to my internal update server (192.168.*.*) and downloads updates.

But the main problem is that it downloads updates from SEPM only for "Proactive threat protection" and "Network threat protection" but not for "Virus and spyware protection".

The log shows:

Initializing...
Connecting to 192.168.121.19...
Connected to LiveUpdate server successfully.

There are 11 update(s) to be downloaded.
Downloading catalog file (1 of 11) finished.
Downloading catalog file (2 of 11) finished.
Downloading catalog file (3 of 11) finished.
Downloading catalog file (4 of 11) finished.
Downloading catalog file (5 of 11) finished.
Downloading catalog file (6 of 11) finished.
Downloading catalog file (7 of 11) finished.
Downloading catalog file (8 of 11) finished.
Downloading catalog file (9 of 11) finished.
Downloading catalog file (10 of 11) finished.
Downloading catalog file (11 of 11) finished.

Session summary: 0 update(s) available, 0 update(s) installed.
LiveUpdate session is complete.

If I change the update source in the LiveUpdate policy from internal (192.168.121.19) to the external Symantec server, the updates go fine, and clients start to download new updates from the internet.

Please advise what I should fix to be able to download updates to the 12.1 version from the internal source.

What is VDI

I need a solution

I need a little clarification about what constitutes a "VDI".  I have a Virtual Citrix environment that contains 40 XenApp VDA-Agents.  Would I create a VDI install package for those servers, and then treat my other Citrix servers (XenApp Controllers, XenApp Storefront Servers, License/SQL/File Servers, etc) as just a standard VM client?

Thank you.

Firewall Port blocking not working

I need a solution

Running SEP v14. I have a W7 client.

I have added Firewall rule with the following rule

Rule Name : qshellblock

Action: Block this traffic

Firewall setting: All Network adapters

Remote Host > Apply this rule to: All hosts

Apply this rule to > Protocol > TCP > Local ports > 2850-2852

Traffic direction: Both

After launching the appl I am finding the appl is not blocking the ports.

C:\Users\IBM_ADMIN>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    9.10.77.153:2850       9.5.65.136:9311        ESTABLISHED
  TCP    9.10.77.153:2851       9.5.65.136:8527        ESTABLISHED
  TCP    9.10.77.153:2852       9.5.65.136:38855       ESTABLISHED

Why are the ports not blocked?

Download Insight Issue

I need a solution

I have a VBScript that stops a service, replaces the executable file, and starts the service.

When the script starts the service, it activates "download insight" to allow the file, if the file has never been used as the service.

If I don't start the service I do not get prompted by insight to allow.

How do I get around this? Is this a bug? I thought insight was based on browser downloads.

Best practice for groups/policies

I need a solution

With so many different servers playing so many different roles (SQL, Exchange, DC, Web, File, Print, etc), how do you recommend breaking out groups?

For example - on one end of the spectrum, I could have one group called "Physical Servers" and drop all of my physical servers in that group (SQL, Exchange, DC, Web, etc, etc).  From a policy standpoint (I'm mostly concerned about EXCEPTIONS for this example) I'd have ALL of my necessary exceptions for ALL of these server roles in ONE policy called "Physical Server Exceptions Policy".  This is obviously the EASIER route, but not very secure.

On the other end of the spectrum, I could break out my "Physical Servers" group into MANY different subgroups and have a different set of policies per every server role.  This route seems unnecessarily granular and complex.

Is there a happy medium?

Any thoughts on this matter?

Thank you!

Download Insight Bug?

I need a solution

I have a VBScript that stops a service, replaces the executable file, and starts the service.

When the script starts the service, it activates "download insight" to allow the file, if the file has never been used as the service.

If I don't start the service I do not get prompted by insight to allow.

How do I get around this? Is this a bug? I thought insight was based on browser downloads.

Example:

  ' Replace MyService.exe in the current folder: stop the service, copy the new file, restart it
  Set oFSO = CreateObject("Scripting.FileSystemObject")
  sCurPath = oFSO.GetAbsolutePathName(".")

  ' Remembers whether the service was running before the update
  ServiceWasStarted = 0

  ' Look up the service through WMI on the local computer
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colServiceList = objWMIService.ExecQuery _
      ("Select * from Win32_Service where Name='MyService'")
  nItems = colServiceList.Count

  if nItems <= 0 then
    ' MsgBox("Service is not Installed")

  elseif oFSO.FileExists(sCurPath & "\MyService.exe") then

    ' Stop the service if it is currently running
    For each objService in colServiceList
      if objService.State = "Running" then
        ServiceWasStarted = 1
        errReturn = objService.StopService()
      end if
    Next

    ' Give the service time to stop before touching the file
    Wscript.Sleep 3000

    ' Overwrite the service executable with the new build
    oFSO.GetFile("MyNewService.exe").Copy sCurPath & "\MyService.exe", True

    Wscript.Sleep 3000

    ' Restart the service only if it was running before
    if ServiceWasStarted = 1 then
      For each objService in colServiceList
        errReturn = objService.StartService()
      Next
    end if

    MsgBox("Complete")
  end if

SEPM slow issue

I need a solution

Hi dears,

We have two SEPM servers which are running on Windows Server 2008 R2 and one DB server on another server, which have been running for several years and working properly. The current SEPM version is 12 RU6 MP9.

Recently we have added a new SEPM server on Windows Server 2016, but whenever we log in to the new server the Dashboard and Monitor sections have very slow performance.

Do you have any idea to resolve this issue?

Thanks.

Queries regarding adding exception

I need a solution

Good Day,

I have come across one false positive alarm.  I had a discussion with the concerned person to check the legitimacy of the application and found it was a trusted one. Then I tried to give an exception in our Symantec Endpoint Protection Manager. There I found three options under exception.

1) Application

2) Application to monitor

3) File

4) Folder

Can anyone help me to understand these options?

Thanks in advance.

Retention Period for 1 year

I need a solution

Hello everyone,

We have SEPM 14.0 deployed with a SQL database. We have a specific group of computers (including desktops and servers) running 12.1.x version which are in PCI scope.

We have a compliance requirement for this specific group of computers to have logs retained for 1 year. We have created a specific group for these PCI computers. Can we increase the log retention period to be 1 year for this specific PCI group and not the other groups in SEPM?

Can we have log retention period to be 1 year for only this specific group and no other groups?

Thanks

SEPFL: What is the maximum cache size?

I need a solution

I have been messing around with

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v FileCacheEntries -d 30000 -t REG_DWORD

I have also been testing how long it takes to read a given number of files.  Now, I would think that setting FileCacheEntries to 0 would be the same as disabling the cache.  Turns out, it's not.  Why?  Is there a minimum cache size?  Setting the FileCacheEntries to 0 from 30000 had absolutely no effect.

Now, I am under the impression that this number of FileCacheEntries is the number of files that can be in cache, but I don't know this for sure because I cannot find any documentation that actually tells what the units of this number are.  Based on this, I also tested increasing the number of files that are being read.  One would expect that as the number of files goes beyond 30000, the time should sharply increase to become more like the timings of when the cache is disabled.  This also has not been the case.  At 60000 files, any deviation in time remained negligible, in spite of the fact that 30000 of those files should not have been cached.  Then I also increased FileCacheEntries to 60000 to see if that would make things faster.  There was no effect.

Is 30000 a maximum for FileCacheEntries?  Is there any control I really have over the cache? Because it doesn't feel like there is.  Does SEP use a sophisticated caching strategy that involves evicting files that have been recently read to scan in files it anticipates will be read in the near future?  Where does the cache even get stored?

Can someone please explain this?

Symantec PKI Client Plugin is inserting HTML object element

I need a solution

Hello,

We have an internal web application which uses a browser HTML editor.

We have seen occurrences where users, which have the Symantec PKI Client Plugin installed in Firefox, have extra HTML content inserted into the content they enter.

The inserted content is of the form:  <p><object data-extension-version="0.5.0.161" data-install-updates-user-configuration="true" data-supports-flavor-configuration="true" id="__symantecPKIClientMessenger" style="display: none;"></object></p>

It is similar to this problem I have seen posted: https://www.symantec.com/connect/forums/sep-client...

This is causing integration problems with some of our other applications.

Do you know why this is happening and what could be done to prevent it?

Thanks

When will SEP 12.1 MP10 be released?

I need a solution

Hi

Does anyone know when SEP 12.1 MP10 will be released?

Thanks, DM

Why endpoint doesn't detect, but Sophos did

I need a solution

To whom it may concern, 

When I read my e-mail at home, my anti-virus software Sophos detected a virus named AL/Bursted-AJ. For details please see https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/AL~Bursted-AJ/detailed-analysis.asp

I read the same mail on my office PC, which has Symantec Endpoint Protection installed, but it cannot detect the above virus. I tried to search for such information in the Symantec database, but couldn't find it. How can I make sure whether the mail is safe or dangerous? May I upload the e-mail sample to the Symantec support center to analyze? If so, please let me know the URL for upload. Thanks.

SEP 14 RU1 MP1 unmanaged - MSLLDP.SYS blocked outbound

I need a solution

Hello,

I'm getting this pop-up message often.  It also started happening with earlier builds of version 14.  Why is this being blocked outbound?  I even get this pop-up message AFTER I disabled SEP in the system tray!

This is very annoying.

Please help

Pierre

SEP 14 Client Test Cases and Test plan

I do not need a solution (just sharing information)

Can you point me to where we can find some test cases and/or a test plan for testing the SEP 14 clients before deploying them to production? OS: Win 7, Win 10, Win 2012 and Win 2016. Any help would be appreciated.
