ELAM scan history
We have several Windows 10 machines with Microsoft ELAM enabled (confirmed in both local policy and in the registry). Symantec ELAM is enabled. However, for every Windows 10 machine, we can't find the ELAM scan log anywhere to verify that this feature actually scans the machines at startup. All clients are managed by a SEP Manager, and there is no issue in the communication. Is there a way to verify if a Windows 10 machine is scanned at startup using the Symantec ELAM driver? Thanks!
SEP 14x & Veritas Backup conflicts
I have installed SEP 14.x on a Server 2008R2 standard server which is running Veritas Backup exec 16.
Since installing SEP 14.x my backups will not run; they just stay in a queued state. This may be coincidence, but I'm pretty sure SEP is the cause as I haven't had any issues with the backups before the install.
Are there any settings/exclusions that need to be applied for Backup Exec?
Any advice on this is appreciated.
Session Hijacking and Cryptomining
Hello,
I would like to implement SEP(M) controls on Session Hijacking and Cryptomining. Before I get started on my research, I was wondering if others have any guidance or suggestions on how to implement these controls for protection.
Thanks
SEP v14 API: Adding computers/endpoints
Hi All,
I've been looking at the docs for the SEP v14 REST API, but can't seem to find any way to add computers to the client list/inventory. I can see a delete (api/v1/computers/delete) for deleting computers, but there doesn't seem to be an add or create operation. Does anyone know if this is currently supported by the REST API? I'm looking to be able to add machines into the inventory, and to deploy SEP agents to these machines remotely.
Thanks!
Matt
Unable to create communication via sylink.xml v14
Hi
I have recently installed a new SEPM v14 server in my environment, on a different server with a different IP. My clients still have v12 running on them; I am upgrading clients via the client deployment wizard. As the next step I have exported a sylink.xml file so I can replace it on the client machine. The problem I am facing is that after importing sylink.xml the client machine doesn't show the new server details. I can see the client machine in the specific group, but it shows offline, and the client doesn't even have the green dot.
Am I missing a trick here? Please can someone help.
Requesting information on log and dump files external logging
We are moving off of Splunk and over to Elastic, using Filebeat to transfer; we have it set up and working. I see the tmp files being updated every five minutes in the data\dump directory, which I think corresponds to the heartbeat setting, but the log files are not being updated that frequently. How often should data be moved from tmp to log? Is there any documentation on this? I have looked at the admin guide and have not found any specifics on it.
Our version on both SEPM and the clients is 14 MP2 14.0.2415.0200.
Thanks
Stan
All devices status unknown in cloud
I have upgraded SEPM to 14.01, and have rolled out the updated client (14.0.3897.1101); I am about 50% complete on the rollout. I have enrolled my SEPM into the cloud portal. I got enrolled and my clients (devices) are showing up, but they all have a status of "Unknown" and have no data for "Last Connected". How can I fix this?
Compatibility Assistant
Recently we updated some devices to Windows version 1709.
It required uninstalling the endpoint software.
While trying to reinstall it, we keep getting the Compatibility Assistant warning that this app is not compatible.
Even after disabling the services and turning it off in the local policy, I continue to get this warning.
Any advice to get the endpoint software reinstalled?
How to update 12.1.4 to 12.1.6
I tried to install the client on Windows 2016, but it is not supported.
I need to go to version 12.1.6 to be used with Win2016, correct? And where do I download it?
Client version 8.1.0.825 not updating. Windows 2000
Hi,
I have an old server whose virus definitions are out of date. Windows 2000 Service Pack 4. I tried to run LiveUpdate, but it is failing with the message 'LU1814: LiveUpdate could not retrieve the update list'. On the server, I can browse the internet without any issue. Where can I get Norton Power Eraser 32-bit? What other tool can I run to scan the server?
How can I update the client? Will it update, or is it too old?
Thanks for the help.
Renewing Licenses
Having issues trying to activate a new license key. As far as I can tell we don't have any firewall rules that would interfere with this, as the SEPM is successfully updating signatures every day. Is there a specific port/site that needs to be open to contact the license portal to register this key?
Cannot Install SEP 14.0.2415.0200 on Brand New Win10 1709 PCs
I have multiple brand-new PCs in my office, some still in the box, and after topping them off on Windows Update and Dell Command Update, I find that I'm unable to install SEP. These are all PCs that have shipped with 1709 already on them and no version of SEP installed; the advice/solutions that address how to fix SEP so as to upgrade from 1703 to 1709 have proved fruitless. Even the method from Experts Exchange that details cross-referencing files within C:\$WINDOWS.~BT is of no help since that folder doesn't even exist on these PCs.
I've tried rebuilding the installer package from the SEPM server with the same results, running CleanWipe, and yet the results are still the same: "Symantec Endpoint Protection doesn't work on this version of Windows. An updated app may be available."
Software Versions:
Windows 1709 Build 16299.309
SEP 14.0.2415.0200
Example Systems:
Dell Latitude 7390 (8th gen i5)
Dell Precision 5520 (E3-1505M v6 Xeon)
Added licenses not showing and other issues
Hello, I am having several problems with licensing. We have SEP 12.1 with 10 licenses. We added 5 more this year, but they show for version 14.0.5. The new ones do not show in the dashboard, only when looking in Admin > Licenses. The assistance I need is:
1) how to make available the new licenses to install the clients?
2) in MySymantec I only see the new 5 licenses. Tried adding the past 10 using the serial number and it says it is invalid. How come? It hasn't expired.
3) Can't add a support ticket. It asks for assets which do not show for my account. Tried to add it, but finds nothing. It always returns "Choose Entitlement: NONE". I had created tickets in the past, so something was changed in the website. Please fix.
Thanks,
Carlos
Which Logs?
I received the following email from one of our SEPMs today and would like to know which log files (and where) I should examine.
Subject: Security alert for sepm.<domain.name>
Message from:
Server name: sepm
Server IP: 10.x.x.x
Security alert: suspicious activity from 10.y.y.y was detected on Symantec Endpoint Protection Manager sepm.<domain.name>. Check the log files for details.
Help with finding risk score
Where can I see the risk score given to a suspicious file? Either in the DB, the SEPM console, or the dump folder ingested by syslogs.
GEM Malfunctions
Can GEM malfunctions be remediated remotely?
Unattended suppression of AV pop-up notifications
We need to suppress the AV pop-up notifications without the user's input from the client GUI to turn off scan notification messages.
An update to the Symantec Endpoint Protection registry settings or an update to an EP configuration file would be preferred.
Need To Review Packet Data
Hi All,
Might anyone know of a means for extracting/exporting the packet data that shows in the bottom half of the "Details" of individual Packet Log items?
The Packet Log information is essentially the same as the Traffic Log (i.e. redundant). However the Packet *Data*, which is not in common with the Traffic Log, is out of reach.
Ideas, anyone? :-}
SONAR.Powershell detections
Lately I have been seeing more SONAR.Powershell!gx detections being blocked by SEP.
In the SONAR logs powershell.exe is listed as malicious with an action taken of "access denied". From my understanding this means that SONAR has blocked a malicious PowerShell action.
https://support.symantec.com/en_US/article.TECH102...
It's very recent that we began to see these SONAR.Powershell detections. A few of them I actually manually identified by timestamp that matched scheduled tasks. These scripts were legit.
My main problem is that I don't know how to validate whether the detections are true positives or not. I can't see the PowerShell CLI arguments or script that SONAR has blocked, as it's not found in the SONAR logs. This is kind of strange, as the argument fields are usually found in other SEP alerts.
This also makes me wonder how I am supposed to whitelist false positives. Has anyone come across this before?
Firewall blocking YouTube and Google Maps
Hi All,
We have a requirement to block Google Drive, Cloud and Sheets, and I put them in via the SEP firewall to block only those DNS names, but it seems to be blocking YouTube and Maps as well.
Any ideas?