Hello Everyone,
Hope you all are doing well. I have a concern with SEPM. What is the default configuration of SEPM?
And how does the SEPM server check for updates on SEPM clients, and what are the configurations for it?
Thanks in advance.
Thanks,
Devang Raval
We have multiple Application & Device Control (ADC) policies. Against any threat advisory we generally get multiple file fingerprints (MD5/SHA256). Thus, it is cumbersome to block all file fingerprints one by one in all ADC policies.
I have decided to work on an application using the SEPM web API to block file fingerprints easily; it may take some time to develop. If any solution already exists, please share.
Hi all,
I have been having issues involving a coinminer, and when I look at the risk log it shows:
| Risk Name | Occurrences | Actual Action | Requested Action | Secondary Action |
| --- | --- | --- | --- | --- |
| PUA.WASMcoinminer | 1 | Left alone | Quarantine | Delete or remove |
Is there way to fix that?
Follow attached print of my Auto Protection and Download Protection configurations.
Under 'Clients' and 'My Company' we have the 'Install Packages' tab. I click on 'Add a Client Install Package' and it gives me the option to add a package. This is how my organization wishes to upgrade our clients. Currently we use SCCM. I would like to understand the process of this feature. More so what happens with the 'Upgrade Schedule' and the 'Distribute upgrades over:' features.
If I choose to only upgrade between 2000 and 0000 over a 10 day period and I have 10000 clients, is the SEPM pushing 1000 packages a day, 250 packages an hour? Please help me understand. Thank you.
If you have anything to comment on this, be my guest.
I recommend applying all rules in Production mode but with CONTINUE and LOG. Each rule that has no false positives you can change to BLOCK.
In some rules you will need to make many exclusions for your organization until you reach the point where you can BLOCK.
Prevent APPS Processes from Launching scripts
Processes:
Acrobat???.exe
adobe???.exe
AcroRd??.exe
acrobat.exe
Launch processes:
powershell.exe
cmd.exe
wscript.exe
Prevent cmd and vb from launching scripts
Processes:
cmd.exe
*.vb?
Launch Processes:
powershell.exe
wscript.exe
Prevent SCRIPTS from accessing Docs
Processes:
*.vb?
*.dat
powershell.exe
wscript.exe
File and Folder Access Attempts:
%USERPROFILE%\pictures\*.doc?
%USERPROFILE%\documents\*.doc?
%USERPROFILE%\desktop\*.doc?
%USERPROFILE%\pictures\*.xlx?
%USERPROFILE%\desktop\*.xlx?
%USERPROFILE%\documents\*.xlx?
*.doc? (network drives)
*.xlx? (network drives)
Script launching script
Processes:
cscript.exe
wscript.exe
Launch CMD-Powershell attempts:
powershell.exe
cmd.exe
Prevent OFFICE from running scripts
Processes:
%programfiles%\Microsoft Office\Office??\*.exe
Launch processes:
powershell.exe
cmd.exe
wscript.exe
Prevent Browsers from running scripts
Processes:
iexplore.exe
chrome.exe
firefox.exe
Launch processes:
powershell.exe
cmd.exe
wscript.exe
Prevent WINRM
Processes:
winrm.exe
File folder access:
*
Launch process:
*
Prevent WINRM execution
Processes:
*
Launch process:
winrm.exe
Script Launch RegSvr
Processes:
powershell.exe
Launch process:
regsvr32.exe
Does anyone have any detailed listing of exceptions for Symantec Netbackup v7.7 for SEP 14?
What features should/should not be included? Any recommendations?
Hi Team
Do we have a security measure in place for the communication between SEP and SEPM that prevents a hacker (who has compromised the machine where SEP resides) from leveraging the established SEP/SEPM communication channel?
Do we have any incidents reported from Symantec?
Thanks
Mirana
I have a problem: Symantec clients are getting policies very late. Even if I go to the client and update the policy, it still sometimes takes 5 to 10 minutes or more.
In the SEPM console I set the communication settings to Pull mode and changed the heartbeat interval to 5 minutes and the download randomization to 5 minutes as well, but I am still facing the issue that clients are sending logs after 1 hour and getting policies after 1 hour too.
I've determined that only local files get cached by Symantec. This means that if you are accessing a file on a shared drive on a server, it will not be cached, and Symantec will have to scan it every single time it is accessed. What I am trying to determine is whether putting AV on the servers would improve speed. Right now, no data comes in through the servers, so AV was only installed on the clients. The catch is that the servers handle many files. For caching to be advantageous, the cache would need to be very large. If it's going to be large, we need to know where it gets stored. So...
Where does Linux put the file cache?
Hi,
Does anyone know how to add a host to be excluded for the following event:
Event Description: Denial of Service "Smurf" attack detected. Description: A Smurf attack occurs when a hacker spoofs your system's IP address and then broadcasts a ping request to several subnets. The resulting deluge of ping responses ties up your system as well as the various network subnets pinged.
Event Type: Denial of Service
Hack Type: 4097
Severity: Major and above
Application Name: N\A
Network Protocol: ICMP
Traffic Direction: Outbound
Hi all!
I have SEPM 12.1.6 (12.1 RU6 MP) with embedded database on Windows 2008 Enterprise 32-bit installed.
Because the new SEPM 14 doesn't support 32-bit systems, an in-place upgrade is impossible, so I have installed a new temporary server with Windows 2012 R2 64-bit
and am trying to install an additional SEPM management server into my site.
The problem is that the installation wizard asks me for the location of the MS SQL client tools and the SQL server location and port (I tried both SEPM 12 and SEPM 14), and doesn't allow me to
choose the embedded database.
Why do I need to install SQL Server for a 100-client installation? How can I install a secondary management server with the embedded database?
Regards, Alex
More malware is coming in via links to web sites that want to download and run a VB script.
Is there a way to disable the saving (or execution) of VB script files?
I see in Policies / Application and Device Control / Application Control that there is an option to enable various scripts and files (e.g. autorun.inf).
Is there any downside to enabling AC7 (Block access to scripts)?
Thanks,
Steve
Firewall again goes in Malfunctioning State even after Upgrading from 14 RU1 to 14 RU1 MP1 (14.0.3876.1100) on Windows 10 PC.
Then Windows firewall gets turned on automatically.
Hello everybody,
I want to monitor SEP 12.1 and SEP 14.1 agents from a single SEPM. SEP 12.1 is in use on Windows XP.
How can this be done properly, so that both SEP 14.1 and SEP 12.1 agent computers can be monitored and administered from one SEPM?
Looking for a solution please.
Thanks in Advance
@Riyad
Hello guys,
I am trying to install SEP client on iOS. I have exported the setup Client for this OS.
But after successful installation on the MacBook I cannot see this computer in the specific group.
Could anybody help me please?
Thank you
Hello guys,
I am trying to solve this issue. I have exported SEP client setup files for each group.
After installing SEP on a new computer, the computer appears in the right group. That is good.
But if I uninstall the SEP client (this client is for group A) and install a new SEP client (for example for group B),
the computer shows up again in group A. Each group has its own policies. I have tried deleting the computer in SEP Manager
and installing it again, but the result is the same. The computer shows up in group A again.
Could anyone please help me with this issue?
Thank you.
Hello,
According to https://support.symantec.com/en_US/article.TECH239... I added the IP of the Nessus scanner to the IPS Excluded Hosts list. But I can still see records on the Nessus host itself. How do I get rid of these records?
Signature Name: | Web Attack: Nessus Vulnerability Scanner Activity 3 |
Signature ID: | 30369 |
Signature Sub ID: | 71921 |
Intrusion URL: | d456187.usb.root.lc:49152/ |
Intrusion Payload URL: | N/A |
Event Description: | [SID: 30369] Web Attack: Nessus Vulnerability Scanner Activity 3 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\TENABLE\NESSUS\NESSUSD.EXE |
Event Type: | Intrusion Prevention |
Hack Type: | 0 |
Severity: | Critical |
Application Name: | C:\PROGRAM FILES\TENABLE\NESSUS\NESSUSD.EXE |
Network Protocol: | TCP |
Traffic Direction: | Outbound |
Two of our servers need a restart based on the following error "the centralized reputation component has a component configuration error to fix."
Obviously they need a restart, but what exactly is the centralized reputation component? Knowing that will help us decide if this needs to be done today or can wait until the weekend.
Hello
I have an issue about Windows 10, when windows is looking for updates, it shows a message:
If I need to exclude an .exe process, should I exclude it as an application or as a file?