Channel: Symantec Connect - Endpoint Protection - Discussions

Heur.AdvML.B - How to disable detections

I need a solution

SEPM 14.  I'm having hundreds of false-positive detections on Heur.AdvML.B across my enterprise.  Most of it is in custom code developed and used internally.

I know what Heur.AdvML.B is.  I know all about the Machine Learning and Reputation-based detection.  I know how to upload files to be whitelisted, and I've done that for several.  I know how to exclude individual files, folders, and applications/hashes in the SEPM policy.

I'm looking for the most effective ways to prevent Heur.AdvML.B detections.  I'd like instructions on two items -

1) Change the Action for "Heur.AdvML.B" detection to Alert-Only

2) Disable detection for "Heur.AdvML.B" entirely.

In the Exceptions Policy, Known Risks, this doesn't show up as a Known Risk that I can exclude. When right-clicking on one of the detected items in the Monitor-Risks view and choosing Add Exception, when I try to add an exception for the Risk there's a message that this detection cannot be excluded by Risk.

The only thing related that I've found is in the "Virus and Spyware Protection" policy, under Global Scan Options, where there is an option for "Enable Bloodhound Heuristic virus detection". Will disabling Bloodhound prevent Heur.AdvML.B detections? Is there a more granular way to handle it?

I very much appreciate any help you can give on this.


Group Update Provider on Windows 10

I need a solution

Hi, 

I have configured a Windows 10 system as a GUP, but it never worked; the client properties show GUP=False.

Thank you, 


Point Symantec Scan Engine at SEPMv14 server?

I need a solution

Hi, we're just completing an upgrade to SEPv14 from SEPv12 and also have Symantec Scan engine (used by another team) running and pointing to an install of Symantec LiveUpdate Administrator v2.3.4.16.  I don't know a great deal about these 2 products but I thought I'd been told that we didn't need LiveUpdate Administrator anymore with SEPv14. I'm hopeful we can just point the Scan engine at the SEPv14 Mgmt server and that's it!

Is this correct, and/or is there anything I need to configure?

Thanks


What is the different between SONAR & IPS

I need a solution

Hi, I'm reading about each feature of SEP to get a comprehensive understanding, but I am a little bit confused about SONAR vs IPS.

From my reading it seems they do the same things; both of them are Behavior-Based Protection.

Can you please describe the difference between them, with an example if possible?

----

I was watching the learning videos for SEPM 14; they separated SONAR and IPS into different layers.

can we say:

SONAR is application behavior protection & IPS is network behavior protection?


How to stop user disabling SEP from the Shield

I need a solution

Hi All, Having a real brain fa*t at the moment. Can someone please remind me how to grey out (disable) the "Disable Symantec Endpoint Protection" option that comes up when you right click on the shield icon.

Cheers

PaulC


SEP System Log Source view-Local view

I need a solution

Hello,

please help me understand the difference between Source view and Local view on System Log on the SEP clients.

Posted: 2018-02-28 (UTC)

32 Bit or 64 Bit Symantec after Upgrade

I need a solution

Good Afternoon,

I have a question maybe someone can help me with. We are getting ready to upgrade from Symantec 12.1 to Symantec 14. I am in the planning stages and have realized I have machines in production that have 64 bit processors that are running 32 bit Windows 7 operating systems.

My question is: After the upgrade should I deploy 64 bit Symantec package to these machines to match the processors or should I deploy 32 bit Symantec to match the operating system?

I'm thinking the 32 bit version but I would rather have other opinions or a more solid answer.

Thanks!

Mark

Posted: 2018-02-28 (UTC)

Another day wasted trying to update 14.x to 14.0.1MP1

I need a solution

Oh, possibly a bit harsh, but - like a few other people here - I've spent an entire day doing what should have been an hour-long task - and it still doesn't work.

I look after a small - 40 user - site and the clients run a mixture of W7 & W10 x64 PCs. Due to all the recent issues with the 'green dot' etc. it seemed prudent to update to the latest version, which I was told is 14.0.1 MP1, which has a version number of 14.0.3897.1101 and is dated 21st Jan 2018.

I have a VM of W2012R2 running the previous version of 14.x and using the embedded database. So I back it all up, run the setup on top of the current installation, and run into (i) the MS C++ redistributable being the wrong version & (ii) LiveUpdate refusing ever to complete.

I spend some time here researching these, install the MS component and use the LiveUpdate from the previous 14.x, and yes, it installs the first part. It then removes the embedded database service and the database. Thanks.

I restore the VM and try again, and this time the same thing happens - and yes, I rebooted after each attempt.

So I now use CleanWipe to trash everything and reboot, expecting to do a clean install. So off I go, run the installer, and the embedded database & service is marked for deletion on reboot - so I get a 'can't connect to database' error.

I reboot and repeat this a few times with the same result.

I really think this should be much easier than it is. The logs are fulsome but dense if you are not a Symantec tech.

So where do I go from here, please?


How do I get the additional logs to appear in SEPM?

I need a solution

Within the SEPM console I can only see the first three reports in the list below copied from https://support.symantec.com/en_US/article.TECH95539.html

HOW do I make the SEPM console show me the 4th log (the Application Control log, shown in italics in the original article) in the list below? All the other logs are useless; they don't tell me anything useful.

Thank you, Tom

  • The table below describes some typical uses for the kind of information that you can get from Application Control and Device Control reports and logs.

    Report or log | Typical uses
    Top Groups with most Alerted Application Control Logs | Use this report to check which groups are most at risk in your network.
    Top Targets Blocked | Use this report to check which files, processes, and other entities are used most frequently in attacks against your network.
    Top Devices Blocked | Use this report to find out which devices are the most problematic from the standpoint of compromising your network's security.
    Application Control log | Use this log to see information about the following entities:
      • The actions that were taken in response to events
      • The processes that were involved in the events
      • The rule names that were applied from the policy when an application's access is blocked
    Device Control log | Use this log when you need to see Device Control details, such as the exact time that Device Control enabled or disabled devices. This log also displays information such as the name of the computer, its location, the user who was logged on, and the operating system involved.

SEPM consolidations

I need a solution

SEPM 14.x consolidations

I have a couple of sepm server domains I would like to consolidate to one VM.

Questions

  1. Has anyone tried this before, where you have multiple SEPM servers within your infrastructure?
  2. Can you just export the domains, spin up a new VM and import them?
  3. How does the Sylink react to this if you have a non-routable network you are importing into?
  4. How many domains can one VM handle?
  5. How heavy is the definition traffic going to be if you used GUPs at these sites?

Intrusion prevention submissions failing and SEPv14 MP2

I need a solution

Hi,

We have the following warning in the System Log on our SEPv14 MP2 clients:

[Intrusion prevention submission] Submitting information to Symantec about file failed. File : '\??\C:\windows\System32\jscript9.dll'. Network error : 'Failed to connect to proxy server. Please verify configured proxy server is online and accessible.'.

I thought we had the Proxy side set up as the following also shows in the System Log for our SEP clients ....

[File reputation submission] Information submitted to Symantec.  Size (bytes): 1317.

... though obviously not. Does anyone know how to resolve Intrusion Prevention submissions failing?

Thanks


SEP 14 RU1 MP1 incompatible with Windows 10 Professional upgrade from 1703 to 1709

I need a solution

I am trying to upgrade our Windows 10 1703 Professional computers with SEP 14 RU1 MP1 (14.0.3892.1101) to 1709 and getting a report that Symantec Endpoint Protection isn’t compatible and must be uninstalled before upgrading (see attached screenshot). Uninstalling SEP on hundreds of computers isn’t acceptable and I need a resolution from Symantec so we can upgrade our Windows 10 computer to 1709 while leaving SEP installed.


Remotely retrieving quarantined files from client

I need a solution

Just curious how other folks out there are managing retrieval of items from quarantine on client machines.   I've read about Qextract and SEP Quarantine Tool,  but I've never been able to effectively use those to pull a sample from a remote machine.  Any suggestions on how to more effectively use those tools is appreciated.

Currently,  we still utilize Central Quarantine 3.6.   It works most of the time,  but I'm well aware that Symantec has stated for years that this product is no longer supported and will not be actively developed.  This seems like a huge misstep in my opinion.  For an enterprise security team,  being able to retrieve samples to perform additional analysis is of utmost importance.  Other solutions like Cylance facilitate analysis by making samples retrievable from the console,  running strings against them, etc.  From what I can see Symantec is failing in this regard.


Application and Device Control not working (SEP is trial version)

I need a solution

Hi team,

May I know if there is a limitation with the SEP 14.0.1 (RU1 MP1) build 3897 trial version? We are testing Application and Device Control but it's not working. Any thoughts on this? I already followed KB https://support.symantec.com/en_US/article.HOWTO80867.html#v36657576


Firewall Malfunctions post installation of CSP

I need a solution

Just to brief on the issue, we have both SEP and CSP installed on the client machines.

If the machine is installed with only SEP, everything works fine on the machine and even the Firewall component will be active without any issues.

But when we install CSP on the same machine, after 5-10 mins the Firewall component on SEP malfunctions.

During troubleshooting of the issue we noticed that when we install only SEP on the machine, the registry key value below will be equal to 1, which means it is enabled.

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Public-Opstate  = 1

But when we install CSP on the same machines, after a few mins the reg key will change to 2, leaving the Firewall in an inactive (malfunctioning) state.

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Public-Opstate = 2

Anyone have any idea about the root cause of this issue?

Will await experts' advice on the issue. Thanks in advance


A lot of Single Risk Event

I need a solution

Risk name: Ransom.Wannacry
File path: C:\Windows\mssecsvc.exe 

Source: Real Time Scan 

Action taken on risk: Cleaned by deletion 

I keep getting these alerts. I would like to know if we can stop this. (without stopping the scheduled reports)


Uninstalling SEP client using group policy or automated way ?

I need a solution

OK, this sounds absurd, but I need some help to know what's the best way to uninstall Symantec Endpoint Protection in bulk.

The uninstallation prompted me for the password to be typed in, so I wonder if there is any script to do that?

Or do I have to visit each computer (1150 users and 350 servers) and run CleanWipe.exe manually?

One of the companies that I have been working with has decided to no longer continue with Symantec, hence I need to uninstall it from all AD computers: Windows Server (2008, 2012 and 2016) and workstations as well (7, 8.1 and 10).

Note: The company has moved on to the new next generation of antivirus called CrowdStrike Falcon (cloud-based AV), but I still love to manage and use Symantec as my software to manage.


SEP for Linux, virus definition updates via Proxy

I need a solution

Hello,

We are planning to install SEP on some Linux machines. We will configure them to update from the public Symantec LiveUpdate servers via Proxy.

What I will do is to configure the proxy from the LU policy -> Linux Settings -> Server Settings -> Configure Proxy Options.

But I saw some articles saying that the proxy settings have to be configured in "liveupdate.conf" on the Linux machines. Is this really necessary, and shouldn't Linux machines automatically get the proxy settings from the SEPM server via the policy?

https://support.symantec.com/en_US/article.TECH960...

Anyone using Linux and a proxy? Or any advice from Symantec?


Counterfeit Signed Certificates

I need a solution

Hi Team

Please help me with the below questions.

  1. Does Symantec whitelist or exclusively trust binaries signed by certain legit/high-reputation legitimate certificates? (e.g. binaries signed by Microsoft, Mozilla, Apple, etc.)
  2. If "yes" for Question 1, what if the certificate gets stolen and used to sign malware? Will Symantec pick up the detection, or will it still be whitelisted or exclusively trusted due to the signature? Kindly ignore Question 2 if the answer to Question 1 is "no".

Also, I have referred to the below link; please let me know if my query and the below link are relevant.

https://www.symantec.com/security_response/attacks...

Thank you 

Mirana


Best practices for off network clients

I need a solution

All, 

We're currently having some issues with keeping virus definitions up to date on machines that are consistently off our network. I was looking to see what your suggested practices would be for dealing with this? 

Following this article: https://support.symantec.com/en_US/article.HOWTO80888.html#v38557491

I'm assuming the most commonly used method would be going straight to the Symantec LiveUpdate server and getting definitions that way. I just want to confirm there isn't a better method than that prior to us testing and implementing it for some commonly off network machines. 

I'm also concerned with the machines not staying in the group we would be creating with the direct to Symantec LiveUpdate policy applied. Is there a way to ensure that these machines stay in this group? 
