Channel: Symantec Connect - Endpoint Protection - Discussions

Difference 14.x versions

I need a solution

Hello everyone,

Can someone please give me some advice concerning the different SEP 14.x versions?

Currently we are on version 14.0.1 (14.0 RU1) build 3752 (14.0.3752.1000); SymDiag tells me there is a newer version, 14 RU1 MP1 (14.0.3897.1101).

However, when I try to download this version through FileConnect I can only download Symantec_Endpoint_Protection_14.0.1_MP2_Full_Installation_EN.exe.

Is this the correct version to upgrade my product?

Thanks in advance


Can't access SEPM

I need a solution

Hello All,

We are facing an issue with our 2 SEPMs. We can't access our SEPM, with no error message and no service stop. To solve this we either restart the SEPM service or reboot our SQL Server (the second solution gives more time before the next crash).

The investigation showed a high total connection count on db_connection-0.

Log before SQL reboot


IPS signatures

I need a solution

Good day All,

Recently we enabled the IPS signature policy in SEPM in our environment. After the configuration we are receiving many signature-related alerts.

Most of the signatures were blocked by Symantec. If one is not blocked, I have two scenarios:

Scenario 1:

If the remote host IP address is public and SEP doesn't block it, we can block the external IP at the perimeter level (firewall).

Scenario 2:

If the remote IP address is private and the alert is an SMB-related signature or Ransom.WannaCry, we can apply the patch MS17-010. Apart from the SMB-related signatures, I saw many signatures configured on the SEPM console.

Can someone help me find out the patches available for the list of signatures given below?

https://www.symantec.com/security_response/attacks...

Thanks in advance


Error importing: Process Termination Deceptor

I need a solution

Hi all, has anyone started applying the Endpoint Protection Deception that shipped with SEPM 14? I was able to extract the 3 policies and import two into SEPM Policies --> Host Integrity --> Import a Host Integrity Policy, but when I try to import "Deception ADC Monitoring - Process Termination.dat" SEPM tells me: Failed to import the policy. Error: Invalid import file. I can't find any advice on this error. Has anybody dealt with this before?


SEP 14 RU1 MP2 Released

Content From GUP and SEPM

I need a solution

I need to know if it is possible to use multiple GUPs (defined by IP and assigned by subnet) and the SEPM for definition downloads in one LiveUpdate policy.

I want all the clients in HQ to download definitions from SEPM and all the branches to download definitions from a GUP, in one LU policy.
So far, I have a test policy assigned to a test group that my workstation (in HQ) is part of. Unfortunately, I have not received definitions since I moved the client to this group.

I checked "Use management server" in the LU policy and subsequently defined the GUPs and assigned them via subnet. Of course, the HQ subnets are not defined, as I want them to use SEPM.
Obviously, this is not how it works.

What am I missing?


SEPM and SEP migration from location A to location B

I need a solution

The customer is considering relocating all clients from location A to location B. The SEPM server at location B should have a new hostname and IP, I believe.

Any hint or idea how this should be done?

I'm thinking of setting up a new SEPM at location B, and using a client communication update for all clients coming from location A.

This should work fine right?


Install SEP on RHEL problems

I need a solution

Hi Team,

I have some problems installing SEP on a RHEL server. Just some background: SEP 14.0.2415.0200 (installation using the RPM package), RHEL Linux 3.10.0-693.17.1.el7.x86_64 (the kernel is supported: https://support.symantec.com/en_US/article.INFO398...)

The initial LiveUpdate I think runs from the public internet, so it will not work (I have an isolated infrastructure), but traffic to our SEP server on port 8014 is up. After the installation the agent registers in SEPM in the correct container.

The biggest problem, I think, is with autoprotect.service, which failed during installation:

[root@X Symantec]# ls -la
total 22712
drwxr-xr-x  5 root root     4096 Apr  4 15:50 .
dr-xr-x---. 5 root root     4096 Apr  4 15:47 ..
drwxr-xr-x  2 root root     4096 May 24  2017 Configuration
-rwxr--r--  1 root root    53326 May 24  2017 install.sh
-rw-r--r--  1 root root      218 May 24  2017 pkg.sig
drwxr-xr-x  2 root root     4096 May 24  2017 Repository
drwxr-xr-x  2 root root     4096 May 24  2017 src
-rw-------  1 root root 23174913 Apr  4 15:50 SymantecEndpointProtection.zip

[root@X Symantec]# ./install.sh -i
Starting to install Symantec Endpoint Protection for Linux
Performing pre-check...
Pre-check succeeded
Begin installing virus protection component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:sav-14.0.2415-0200               ################################# [100%]
Virus protection component installed successfully
Begin installing Auto-Protect component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:savap-x64-14.0.2415-0200         ################################# [100%]
Auto-Protect component installed successfully
Begin installing GUI component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:savui-14.0.2415-0200             ################################# [100%]
GUI component installed successfully
Pre-compiled Auto-Protect kernel modules are not loaded yet, need compile them from source code
Build Auto-Protect kernel modules from source code failed with error: 1
Running LiveUpdate to get the latest defintions...
sep::lux::Cseplux: Failed to run session, error code: 0x80010830
Live update session failed. Please enable debug logging for more information
Unable to perform update
Installation completed
=============================================================
Daemon status:
symcfgd                         [running]
rtvscand                        [running]
smcd                            [running]
=============================================================
Error: No drivers are loaded into kernel.
=============================================================
Auto-Protect starting
Protection status:
Definition:     Waiting for update.
AP:             Malfunctioning
=============================================================
The log files for installation of Symantec Endpoint Protection for Linux are under ~/:
sepfl-install.log
sep-install.log
sepap-install.log
sepui-install.log
sepfl-kbuild.log

I am also attaching the logs:

cat sepfl-install.log
Wed Apr  4 15:53:32 CEST 2018: Starting to install Symantec Endpoint Protection for Linux
FromProduct=
ToProduct=14.0.2415.0200
Wed Apr  4 15:53:33 CEST 2018: Performing pre-check...
Wed Apr  4 15:53:34 CEST 2018: Pre-check succeeded
14.0.2415.0200 is newer than , need to copy setup.ini & setAid.ini
Succeed to copy /root/Symantec/./Configuration/setup.ini to /etc/symantec/sep/setup.ini
Succeed to copy /root/Symantec/./Configuration/setAid.ini to /etc/symantec/sep/setAid.ini
Sylink.xml doesn't exist, need copy it
Succeed to copy '/root/Symantec/./Configuration/sylink.xml' to '/etc/symantec/sep/sylink.xml'.
Succeed to copy /root/Symantec/./Configuration/sepfl.pem to /etc/symantec/sep/sepfl.pem
Succeed to copy /root/Symantec/./Configuration/serdef.dat to /var/symantec/sep/serdef.dat
Sep License doesn't exist, need copy it
Succeed to copy /root/Symantec/./Configuration/sep.slf to /etc/symantec/sep/sep.slf
Wed Apr  4 15:53:35 CEST 2018: Begin installing virus protection component
Wed Apr  4 15:53:35 CEST 2018: Performing pre-check...
Found /root/SepPrecheck.cfg, no need to perform pre-check
Wed Apr  4 15:53:35 CEST 2018: Pre-check is successful
Wed Apr  4 15:53:37 CEST 2018: Virus protection component installed successfully
Wed Apr  4 15:53:37 CEST 2018: Begin installing Auto-Protect component
Wed Apr  4 15:53:37 CEST 2018: Performing pre-check...
Found /root/SepPrecheck.cfg, no need to perform pre-check
Wed Apr  4 15:53:37 CEST 2018: Pre-check is successful
Wed Apr  4 15:53:38 CEST 2018: Auto-Protect component installed successfully
Wed Apr  4 15:53:38 CEST 2018: Begin installing GUI component
Wed Apr  4 15:53:38 CEST 2018: Performing pre-check...
Found /root/SepPrecheck.cfg, no need to perform pre-check
Wed Apr  4 15:53:38 CEST 2018: Pre-check is successful
Wed Apr  4 15:53:38 CEST 2018: GUI component installed successfully
chcon: can't apply partial context to unlabeled file ‘upgrade.sh’
chcon: can't apply partial context to unlabeled file ‘libstdc++.so.6’
chcon: can't apply partial context to unlabeled file ‘libgcc_s.so.1’
chcon: can't apply partial context to unlabeled file ‘liblog4cpp.so.4’
chcon: can't apply partial context to unlabeled file ‘tools’
chcon: can't apply partial context to unlabeled file ‘sav’
chcon: can't apply partial context to unlabeled file ‘AVMan.plg’
chcon: can't apply partial context to unlabeled file ‘LuMan.plg’
chcon: can't apply partial context to unlabeled file ‘plugins’
chcon: can't apply partial context to unlabeled file ‘libsep-cve.so’
chcon: can't apply partial context to unlabeled file ‘sadiag.sh’
chcon: can't apply partial context to unlabeled file ‘libluxSEPCallback.so’
chcon: can't apply partial context to unlabeled file ‘libSlicMan.so’
chcon: can't apply partial context to unlabeled file ‘xsymcfg’
chcon: can't apply partial context to unlabeled file ‘unsupported’
chcon: can't apply partial context to unlabeled file ‘libcx_lib.so’
chcon: can't apply partial context to unlabeled file ‘savluwrap’
chcon: can't apply partial context to unlabeled file ‘libsepcommon.so’
chcon: can't apply partial context to unlabeled file ‘libsep-util.so.1’
chcon: can't apply partial context to unlabeled file ‘liblux.so’
chcon: can't apply partial context to unlabeled file ‘rtvscand’
chcon: can't apply partial context to unlabeled file ‘libSyLog.so.1’
chcon: can't apply partial context to unlabeled file ‘libpatchapp.so’
chcon: can't apply partial context to unlabeled file ‘libduluxcallback.so’
chcon: can't apply partial context to unlabeled file ‘uninstall.sh’
chcon: can't apply partial context to unlabeled file ‘libLuxCustomerLogger.so’
chcon: can't apply partial context to unlabeled file ‘libecomlodrlin.so’
chcon: can't apply partial context to unlabeled file ‘savtray’
chcon: can't apply partial context to unlabeled file ‘libSlicMan.so.1’
chcon: can't apply partial context to unlabeled file ‘symcfgpop’
chcon: can't apply partial context to unlabeled file ‘libsep-util.so’
chcon: can't apply partial context to unlabeled file ‘libSyLog.so’
chcon: can't apply partial context to unlabeled file ‘symcfgdata.inf’
chcon: can't apply partial context to unlabeled file ‘smcd’
chcon: can't apply partial context to unlabeled file ‘libsepcommon.so.1’
chcon: can't apply partial context to unlabeled file ‘symcfgd’
chcon: can't apply partial context to unlabeled file ‘Symantec_2005_Root_CA2.cer’
chcon: can't apply partial context to unlabeled file ‘libSymDltCl.so’
chcon: can't apply partial context to unlabeled file ‘libluxSEPCallback.so.1’
chcon: can't apply partial context to unlabeled file ‘libsep-cve.so.1’
chcon: can't apply partial context to unlabeled file ‘symcfg’
chcon: can't apply partial context to unlabeled file ‘/opt/Symantec/symantec_antivirus’
Starting autoprotect (via systemctl):  Job for autoprotect.service failed because the control process exited with error code. See "systemctl status autoprotect.service" and "journalctl -xe" for details.
[FAILED]
Wed Apr  4 15:53:39 CEST 2018: Pre-compiled Auto-Protect kernel modules are not loaded yet, need compile them from source code
ap-kernelmodule-14.0.2415-0200/
ap-kernelmodule-14.0.2415-0200/kernelsource/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/vfs.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/cache.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/xdr3.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/_export.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/_nfsfh.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/nfsd.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/_stats.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/xdr.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/xdr4.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/state.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux3.10.0/fs/nfsd/nfsfh.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/vfs.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/cache.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/xdr3.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/nfsd.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/xdr.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/stats.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/xdr4.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/state.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/nfsfh.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux4.7.0/fs/nfsd/export.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/cache.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/xdr3.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/nfsd.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/xdr.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/xdr4.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/state.h
ap-kernelmodule-14.0.2415-0200/kernelsource/linux2.6.33/fs/nfsd/nfsfh.h
ap-kernelmodule-14.0.2415-0200/include/
ap-kernelmodule-14.0.2415-0200/include/symprocfs.h
ap-kernelmodule-14.0.2415-0200/include/symevl.h
ap-kernelmodule-14.0.2415-0200/include/symap_cfg.h
ap-kernelmodule-14.0.2415-0200/include/symkutil.h
ap-kernelmodule-14.0.2415-0200/include/symap-core.h
ap-kernelmodule-14.0.2415-0200/include/symtypes.h
ap-kernelmodule-14.0.2415-0200/include/vpregistry.h
ap-kernelmodule-14.0.2415-0200/include/commonids.h
ap-kernelmodule-14.0.2415-0200/include/distribution.h
ap-kernelmodule-14.0.2415-0200/symap/
ap-kernelmodule-14.0.2415-0200/symap/linuxmod.c
ap-kernelmodule-14.0.2415-0200/symap/Makefile
ap-kernelmodule-14.0.2415-0200/COPYING
ap-kernelmodule-14.0.2415-0200/bin.ida/
ap-kernelmodule-14.0.2415-0200/README
ap-kernelmodule-14.0.2415-0200/lib.ida/
ap-kernelmodule-14.0.2415-0200/symev/
ap-kernelmodule-14.0.2415-0200/symev/utils.c
ap-kernelmodule-14.0.2415-0200/symev/fileops.c
ap-kernelmodule-14.0.2415-0200/symev/hnfs.c
ap-kernelmodule-14.0.2415-0200/symev/Makefile
ap-kernelmodule-14.0.2415-0200/symev/syscalls.c
ap-kernelmodule-14.0.2415-0200/symev/fileops.h
ap-kernelmodule-14.0.2415-0200/symev/sym_stub_execve.S
ap-kernelmodule-14.0.2415-0200/symev/symev.h
ap-kernelmodule-14.0.2415-0200/symev/symevrm.c
ap-kernelmodule-14.0.2415-0200/symev/symev.c
ap-kernelmodule-14.0.2415-0200/symev/hnfs.h
ap-kernelmodule-14.0.2415-0200/symev/sym_procfs.c
ap-kernelmodule-14.0.2415-0200/bin.ira/
ap-kernelmodule-14.0.2415-0200/VERSION
ap-kernelmodule-14.0.2415-0200/sym.ira/
ap-kernelmodule-14.0.2415-0200/build.sh
ap-kernelmodule-14.0.2415-0200/lib.ira/
ap-kernelmodule-14.0.2415-0200/lib.ira/symap-core-x86_64.o
ap-kernelmodule-14.0.2415-0200/lib.ira/symap-core.o
Wed Apr  4 15:53:39 CEST 2018: Build Auto-Protect kernel modules from source code failed with error: 1
Starting symcfgd (via systemctl):  [  OK  ]
symcfgd is started successfully.
Starting rtvscand (via systemctl):  [  OK  ]
rtvscand is started successfully.
Succeed to enable ap
AP status: Malfunctioning
Starting smcd (via systemctl):  [  OK  ]
smcd is started successfully.
kernel drivers are not loaded.
Wed Apr  4 15:57:59 CEST 2018: Installation completed
Wed Apr  4 15:57:59 CEST 2018: =============================================================
Wed Apr  4 15:57:59 CEST 2018: Daemon status:
Wed Apr  4 15:57:59 CEST 2018: symcfgd                          [running]
Wed Apr  4 15:57:59 CEST 2018: rtvscand                 [running]
Wed Apr  4 15:57:59 CEST 2018: smcd                             [running]
Wed Apr  4 15:57:59 CEST 2018: =============================================================
Wed Apr  4 15:57:59 CEST 2018: Error: No drivers are loaded into kernel.
Wed Apr  4 15:57:59 CEST 2018: =============================================================
Wed Apr  4 15:57:59 CEST 2018: Auto-Protect starting
AP status: Malfunctioning in 1 time.
Wed Apr  4 15:58:00 CEST 2018: Protection status:
Wed Apr  4 15:58:00 CEST 2018: Definition:      Waiting for update.
Wed Apr  4 15:58:00 CEST 2018: AP:              Malfunctioning
Wed Apr  4 15:58:00 CEST 2018: =============================================================
Wed Apr  4 15:58:00 CEST 2018: The log files for installation of Symantec Endpoint Protection for Linux are under ~/:
Wed Apr  4 15:58:00 CEST 2018: sepfl-install.log
Wed Apr  4 15:58:00 CEST 2018: sep-install.log
Wed Apr  4 15:58:00 CEST 2018: sepap-install.log
Wed Apr  4 15:58:00 CEST 2018: sepui-install.log
Wed Apr  4 15:58:00 CEST 2018: sepfl-kbuild.log
cat sep-install.log
======================================================
Pre-install begin: Wed Apr  4 15:53:35 CEST 2018
Creating /etc/Symantec.conf file
Performing first install pre-install actions

Pre-install end: Wed Apr  4 15:53:35 CEST 2018
Post-install begin: Wed Apr  4 15:53:36 CEST 2018
Install and register the defs
cannot find /root/Symantec/./Repository/linuxdefs.zip
Performing new install post-install actions
Adding OS CA Certificate store to reg
symcfgd should not start at this time.
rtvscand should not start at this time.
smcd should not start at this time.
Post-install end: Wed Apr  4 15:53:37 CEST 2018

cat sepap-install.log
======================================================
Pre-install begin: Wed Apr  4 15:53:37 CEST 2018
Performing first install pre-install actions
groupadd: group 'avdefs' already exists
Pre-install end: Wed Apr  4 15:53:37 CEST 2018
Post-install begin: Wed Apr  4 15:53:37 CEST 2018
BaseDir=/opt/Symantec
Performing new install post-install actions
Starting autoprotect (via systemctl): Job for autoprotect.service failed because the control process exited with error code. See "systemctl status autoprotect.service" and "journalctl -xe" for details. [FAILED]
symcfgd should not start at this time.
rtvscand should not start at this time.
smcd should not start at this time.
Post-install end: Wed Apr  4 15:53:38 CEST 2018

sepui-install.log
======================================================
Pre-install begin: Wed Apr  4 15:53:38 CEST 2018
Pre-install end: Wed Apr  4 15:53:38 CEST 2018
Post-install begin: Wed Apr  4 15:53:38 CEST 2018
BaseDir=/opt/Symantec
savuiDir=/opt/Symantec
Performing new install post-install actions
savtray: cannot connect to X server
Post-install end: Wed Apr  4 15:53:38 CEST 2018


sepfl-kbuild.log
Wed Apr  4 15:53:39 CEST 2018: starting to build kernel modules of SEP for Linux
Kernel release not specified. Build kernel modules for current kernel version 3.10.0-693.17.1.el7.x86_64
 does not exist
Wed Apr  4 15:53:39 CEST 2018: Build failed

[root@X ~]# systemctl status symcfgd
● symcfgd.service - LSB: Symantec AntiVirus Configuration Server
   Loaded: loaded (/etc/rc.d/init.d/symcfgd; bad; vendor preset: disabled)
   Active: active (running) since Wed 2018-04-04 15:53:42 CEST; 51min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4147 ExecStart=/etc/rc.d/init.d/symcfgd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/symcfgd.service
           └─4180 /opt/Symantec/symantec_antivirus/symcfgd -l info

Apr 04 15:53:39 X symcfgd[4180]: --- symcfgd started (pid 4180) ---
Apr 04 15:53:39 X symcfgd[4180]: symcfgd running as daemon
Apr 04 15:53:39 X symcfgd[4180]: listening on local socket (abstract): sym_config_ipc
Apr 04 15:53:42 X symcfgd[4147]: [31B blob data]
Apr 04 15:53:42 X systemd[1]: Started LSB: Symantec AntiVirus Configuration Server.
Apr 04 15:53:42 X symcfgd[4180]: subscriber 2 has left -- closed 0 remaining handles
Apr 04 15:53:43 X symcfgd[4180]: subscriber 3 has left -- closed 0 remaining handles
Apr 04 15:57:59 X symcfgd[4180]: subscriber 4 has left -- closed 0 remaining handles
Apr 04 15:57:59 X symcfgd[4180]: subscriber 8 has left -- closed 0 remaining handles
Apr 04 15:58:00 X symcfgd[4180]: subscriber 9 has left -- closed 0 remaining handles
[root@X ~]# systemctl status rtvscand
● rtvscand.service - LSB: Symantec AntiVirus Scanner
   Loaded: loaded (/etc/rc.d/init.d/rtvscand; bad; vendor preset: disabled)
   Active: active (running) since Wed 2018-04-04 15:53:42 CEST; 51min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4193 ExecStart=/etc/rc.d/init.d/rtvscand start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/rtvscand.service
           └─4216 /opt/Symantec/symantec_antivirus/rtvscand -l info

Apr 04 15:53:42 X systemd[1]: Starting LSB: Symantec AntiVirus Scanner...
Apr 04 15:53:42 X rtvscand[4216]: --- rtvscand started (pid 4216) ---
Apr 04 15:53:42 X rtvscand[4216]: rtvscand running as daemon
Apr 04 15:53:42 X systemd[1]: Started LSB: Symantec AntiVirus Scanner.
Apr 04 15:53:42 X rtvscand[4193]: [32B blob data]
Apr 04 15:53:43 X rtvscand[4216]: Symantec AntiVirus services startup was successful.
Apr 04 15:53:44 X rtvscand[4216]: Symantec AntiVirus has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses unti...this computer.
Apr 04 15:53:44 X rtvscand[4216]: Download of virus definition file from LiveUpdate server succeeded.
Apr 04 15:53:47 X rtvscand[4216]: Symantec AntiVirus has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses unti...this computer.
Apr 04 15:53:47 X rtvscand[4216]: Download of virus definition file from LiveUpdate server succeeded.
Hint: Some lines were ellipsized, use -l to show in full.
[root@X ~]# systemctl status smcd
● smcd.service - LSB: Symantec AntiVirus Scanner
   Loaded: loaded (/etc/rc.d/init.d/smcd; bad; vendor preset: disabled)
   Active: active (running) since Wed 2018-04-04 15:53:44 CEST; 51min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4247 ExecStart=/etc/rc.d/init.d/smcd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/smcd.service
           └─4280 /opt/Symantec/symantec_antivirus/smcd -l info

Apr 04 15:53:43 X systemd[1]: Starting LSB: Symantec AntiVirus Scanner...
Apr 04 15:53:44 X smcd[4280]: --- smcd started (pid 4280) ---
Apr 04 15:53:44 X smcd[4280]: smcd running as daemon
Apr 04 15:53:44 X smcd[4247]: [28B blob data]
Apr 04 15:53:44 X systemd[1]: Started LSB: Symantec AntiVirus Scanner.


[root@x ~]# systemctl status autoprotect.service
● autoprotect.service - LSB: Symantec AutoProtect Modules
   Loaded: loaded (/etc/rc.d/init.d/autoprotect; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-04-04 15:53:39 CEST; 53min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3828 ExecStart=/etc/rc.d/init.d/autoprotect start (code=exited, status=1/FAILURE)

Apr 04 15:53:39 X autoprotect[3828]: insmod: ERROR: could not insert module /opt/Symantec/autoprotect/symev-rh-ES-7-3.10.0-229.el7-x86_64.ko: Invalid parameters
Apr 04 15:53:39 X autoprotect[3828]: insmod: ERROR: could not insert module /opt/Symantec/autoprotect/symev-rh-ES-7-3.10.0-123.el7-x86_64.ko: Invalid parameters
Apr 04 15:53:39 X autoprotect[3828]: insmod: ERROR: could not insert module /opt/Symantec/autoprotect/symev-rh-ES-7-3.10.0-514.el7-x86_64.ko: Invalid parameters
Apr 04 15:53:39 X autoprotect[3828]: insmod: ERROR: could not insert module /opt/Symantec/autoprotect/symev-rh-ES-7-3.10.0-229.el7-x86_64.ko: Invalid parameters
Apr 04 15:53:39 X autoprotect[3828]: insmod: ERROR: could not insert module /opt/Symantec/autoprotect/symev-rh-ES-7-3.10.0-123.el7-x86_64.ko: Invalid parameters
Apr 04 15:53:39 X autoprotect[3828]: symev: unable to load kernel support module (UNSUPPORTED-OS-rh-ES-7-3.10.0-693.17.1.el7-x86_64)
Apr 04 15:53:39 X systemd[1]: autoprotect.service: control process exited, code=exited status=1
Apr 04 15:53:39 X systemd[1]: Failed to start LSB: Symantec AutoProtect Modules.
Apr 04 15:53:39 X systemd[1]: Unit autoprotect.service entered failed state.
Apr 04 15:53:39 X systemd[1]: autoprotect.service failed.
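Reading the output above: the journal shows autoprotect.service trying the shipped modules for kernels 3.10.0-123, -229 and -514.el7 and giving up with UNSUPPORTED-OS-rh-ES-7-3.10.0-693.17.1.el7-x86_64, and sepfl-kbuild.log shows the source fallback failing with an empty path in front of "does not exist", which is what I would expect when the running kernel's headers (kernel-devel on RHEL 7) are not installed; that reading is my inference, the log does not say so. The result is the security-relevant part: symcfgd, rtvscand and smcd start and the client registers in SEPM, yet "No drivers are loaded into kernel" and "AP: Malfunctioning" mean there is no real-time protection on the host. The pre-flight script below is an added example of mine, not Symantec code; the module-name pattern, the /opt/Symantec/autoprotect and /lib/modules/<release>/build locations and the kernel-devel remedy are assumptions taken from the posted output, not from Symantec documentation.

```shell
#!/bin/sh
# Added pre-flight check for SEP for Linux Auto-Protect (symev) kernel support.
# Not Symantec code. Assumptions, taken from the journal posted above rather
# than from any Symantec document:
#   * prebuilt modules live in /opt/Symantec/autoprotect and are named
#     symev-<dist>-<kernel-release>-<arch>.ko,
#     e.g. symev-rh-ES-7-3.10.0-229.el7-x86_64.ko
#   * the source fallback needs the running kernel's headers, which on RHEL 7
#     are under /lib/modules/$(uname -r)/build (kernel-devel package)

# "3.10.0-693.17.1.el7.x86_64" -> "3.10.0-693.17.1.el7" (release without arch)
kernel_base() { printf '%s\n' "${1%.*}"; }

# "3.10.0-693.17.1.el7.x86_64" -> "x86_64"
kernel_arch() { printf '%s\n' "${1##*.}"; }

# Print the shipped symev module that matches <release> exactly, if any.
# Returns 0 on a match, 1 when every module in <dir> targets another kernel.
symev_prebuilt_for() {
    release="$1"; dir="$2"
    base="$(kernel_base "$release")"; arch="$(kernel_arch "$release")"
    for f in "$dir"/symev-*-"$base"-"$arch".ko; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Can the installer's fallback (compile symev from source) work? It needs the
# headers of the running kernel under <modroot>/<release>/build.
kernel_headers_present() {
    release="$1"; modroot="${2:-/lib/modules}"
    [ -d "$modroot/$release/build" ]
}

# Combined verdict, printed and returned: 0 = Auto-Protect can load or build a
# driver, 1 = install.sh would end with "AP: Malfunctioning" as in the post.
ap_precheck() {
    release="$1"; moddir="${2:-/opt/Symantec/autoprotect}"; modroot="${3:-/lib/modules}"
    if mod="$(symev_prebuilt_for "$release" "$moddir")"; then
        echo "OK: shipped module $mod matches kernel $release"
        return 0
    fi
    echo "no shipped symev module for $release in $moddir"
    if kernel_headers_present "$release" "$modroot"; then
        echo "OK: headers in $modroot/$release/build, installer can build symev from source"
        return 0
    fi
    echo "FAIL: no headers under $modroot/$release/build; install kernel-devel-$release" \
         "(or boot a kernel the package ships a module for) before running install.sh"
    return 1
}

# Check this host. A non-zero status is what a kickstart %post or deployment
# job should gate the SEP install on.
ap_precheck "$(uname -r)" || echo "install.sh would register this host in SEPM with Auto-Protect malfunctioning"
```

The functions take the module directory and modules root as parameters so the same checks can be run against a staged copy of the package before it is rolled out; on the host itself the defaults apply. A FAIL here is cheaper than an install that leaves a managed-looking but unprotected server behind.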

SEPM Upgrade Questions

I need a solution

Hello All,

We are in the process of planning to upgrade our SEPM from 12.x to 14.x. I have consolidated most of the steps into a checklist, with links to the pages describing how to do the steps outlined, to help keep things organized.

I did have a couple of questions that I am still a bit confused on.

1.) Space requirements - Is there a certain rule when it comes to disk space? Should it be roughly double what the current usage is? Or does it not matter, as long as you ensure you have enough space for the install and files?

2.) Compatibility - All of our clients are currently using 12.x and I want to ensure that there will be backwards compatibility when we upgrade the server. So will the clients still be able to communicate with SEPM? We will upgrade the clients soon after, but not all will get done immediately, obviously.

3.) Installation - To install, do you just take the install file from FileConnect and then run it on the server itself? Do I need to uninstall the old SEPM first?

4.) Policies - Should I export the policies so they can be imported into the new build? Or will they be pulled in when I build the new server?

I have been doing a lot of reading on the KB and still haven't found a solid answer to all of my questions. Hopefully some of you can help me out.


SEP There are multiple problems(2)

I need a solution

Hi,

I recently installed SEP 14 on Windows 10; however, after rebooting there is a warning that says "product requires attention", and in the system tray SEP shows a yellow exclamation mark (which should be green) with the warning "There are multiple problems". When I open SEP, it is green and says "Your computer is protected. No problems detected". I am just wondering why this warning constantly appears. I already tried re-installing the product but the same problem occurs. Please help.


Scheduled Reports Bug

I need a solution

Hi All, we have two scheduled reports created by one of our admins. The two reports use a filter, basically filtering workstations and servers into two reports. The filter is based on the clients' group location in SEPM.

What we have noticed is that when the reports are sent to the distribution list of admins (admin email addresses listed in the send-to field), the filter is not applied, in that all clients (workstations and servers) appear in the reports, so there is no separation of workstations and servers. We basically get two identical reports.

Also we have noticed that for anyone other than the admin who created the report, the two reports' filters show as default, not the name the creator of the report gave the filter.

Has anyone else experienced this issue, and have you found a solution, or is it a known bug that Symantec needs to resolve?

SEPM Version 14.0 RU1 MP1

TIA


Enabling Linux clients to download LiveUpdate content using the Apache web server as a reverse proxy

I need a solution

Hi

I am trying to set up the reverse proxy on our SEPM server. I am using the procedure described here: https://support.symantec.com/en_US/article.HOWTO85034.html

/luproxy responds when I open http://localhost:8014/luproxy/masttri.zip in a browser, but I am getting response

The access log from E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs shows 503, which is not really good ;>

127.0.0.1 - - [05/Apr/2018:12:52:40 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:01:07 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:02:36 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:03:52 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:04:05 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:06:39 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:10:13 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:39:55 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299

httpd.conf

[..]

Listen 8014

[..]

#AsyncSendFile anydirectory

AsyncSendFile givendirectory
ForceAsyncSendFile "E:/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/Inetpub/content"

[..]

# SEPM_APACHE_AS_PROXY_START Preserve this line to maintain configuration across SEPM upgrades
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule setenvif_module modules/mod_setenvif.so
     
<IfModule mod_proxy.c>
  <IfModule mod_cache.c>
    <IfModule mod_cache_disk.c>
      <IfModule mod_setenvif.c>
        SetEnvIf Request_URI "/luproxy/" dolog
        SetEnvIf Request_URI "/luproxy/.*_livetri.zip" no-cache
        CustomLog "|| bin/rotatelogs.exe logs/access-%Z.log 25M" common env=dolog
      </IfModule>
      ProxyPass /luproxy/ http://liveupdate.symantecliveupdate.com/ retry=0 smax=0 ttl=60
      CacheRoot "cache-root"
      # CacheRoot is a path defined relative to "E:/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/apache"

      CacheEnable disk /luproxy/
      CacheDirLevels 1
      CacheDirLength 5

      # directives to override any caching prohibitions in LiveUpdate content headers
      # see TECH230862
      CacheStoreNoStore On
      CacheIgnoreCacheControl On
      CacheStoreExpired On
      CacheIgnoreHeaders Cache-Control Pragma

      #allow downloads up to 1 GB
      CacheMaxFileSize 1000000000
    </IfModule>
  </IfModule> 
</IfModule>
# SEPM_APACHE_AS_PROXY_END Preserve this line to maintain configuration across SEPM upgrades

Our SEPM server has access to the public internet only through a proxy. SEPM is configured to use the proxy, but I am wondering if maybe a separate configuration is required for Apache?! E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\cache-root is still empty; the service running "Symantec Endpoint Protection Manager Webserver" has full control of the folder.

Thanks

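On the question of whether Apache needs its own configuration: mod_proxy does not read the proxy settings made in the SEPM console. It only chains outbound requests through an upstream proxy when httpd.conf carries a ProxyRemote directive, and the posted SEPM_APACHE_AS_PROXY block has a ProxyPass but no ProxyRemote, so Apache attempts a direct connection to liveupdate.symantecliveupdate.com; when that connection cannot be made, mod_proxy answers 503 and nothing is ever written to cache-root, which matches both the access log and the empty cache directory above. The script below is an added example of mine, not from the post or from Symantec's HOWTO85034: it counts the 503s for /luproxy/ in an access log in the format posted, checks httpd.conf for the missing directive, and writes a corrected copy. The upstream proxy proxy.example.com:3128 is a placeholder to be replaced with the site's own.

```shell
#!/bin/sh
# Added check for the SEPM Apache /luproxy reverse proxy. Not Symantec code and
# not part of HOWTO85034. Assumptions: the access log is in the "common" format
# shown in the post (status is the second-to-last field), and
# proxy.example.com:3128 is a placeholder for the site's outbound proxy.

# Count responses with status <code> for requests whose path starts with
# <prefix>, e.g. count_status access.log /luproxy/ 503
count_status() {
    log="$1"; prefix="$2"; code="$3"
    awk -v p="$prefix" -v c="$code" '
        $0 ~ ("\"[A-Z]+ " p) { if ($(NF-1) == c) n++ }
        END { print n + 0 }' "$log"
}

# mod_proxy does not inherit the proxy settings made in the SEPM console; it
# only chains through an upstream proxy when httpd.conf has a ProxyRemote
# directive. Without one Apache connects to liveupdate.symantecliveupdate.com
# directly, which an egress-filtered server cannot do, and the client gets
# 503 Service Unavailable while cache-root stays empty.
# Returns 0 = ProxyPass and ProxyRemote both present, 1 = ProxyPass without
# ProxyRemote, 2 = no /luproxy/ ProxyPass at all.
check_luproxy_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/luproxy/' "$conf" || return 2
    grep -Eq '^[[:space:]]*ProxyRemote[[:space:]]+' "$conf" || return 1
    return 0
}

# Write a copy of <conf> to <out> with "ProxyRemote * http://<upstream>" inserted
# right after the /luproxy/ ProxyPass line, keeping its indentation, so the
# directive stays inside the SEPM_APACHE_AS_PROXY block that upgrades preserve.
add_proxy_remote() {
    conf="$1"; upstream="$2"; out="$3"
    awk -v u="$upstream" '
        { print }
        /^[ \t]*ProxyPass[ \t]+\/luproxy\// && !done {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "ProxyRemote * http://" u
            done = 1
        }' "$conf" > "$out"
}

# Demo on constructed input copied from the post (two access-log lines and the
# ProxyPass line), so the script runs without a SEPM installation.
demo() {
    tmp="$(mktemp -d)"
    cat > "$tmp/access.log" <<'EOF'
127.0.0.1 - - [05/Apr/2018:12:52:40 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:01:07 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
EOF
    cat > "$tmp/httpd.conf" <<'EOF'
      ProxyPass /luproxy/ http://liveupdate.symantecliveupdate.com/ retry=0 smax=0 ttl=60
EOF
    echo "503 responses on /luproxy/: $(count_status "$tmp/access.log" /luproxy/ 503)"
    st=0; check_luproxy_conf "$tmp/httpd.conf" || st=$?
    if [ "$st" = 1 ]; then
        echo "ProxyPass found but no ProxyRemote: Apache is trying to reach LiveUpdate directly"
        add_proxy_remote "$tmp/httpd.conf" proxy.example.com:3128 "$tmp/httpd.conf.fixed"
        echo "corrected block:"; cat "$tmp/httpd.conf.fixed"
    fi
    rm -rf "$tmp"
}

demo
```

After adding the directive and restarting the SEPM webserver service, a second run of count_status against the live access log should show the 503s stop and cache-root begin to fill; the check_luproxy_conf exit codes are meant for a post-upgrade sanity job, since the block is only preserved across SEPM upgrades when the SEPM_APACHE_AS_PROXY marker lines are kept intact.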

CVE-2018-0986 Coverage

I need a solution

On April 3, 2018 MS released an emergency update to address a critical security vulnerability in their "Microsoft Malware Protection Engine" that allows an attacker to execute remote code on a Windows device (see the CVE-2018-0986 link below). My question is: does SEP provide coverage for attacks utilizing this attack vector?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...


LUA: Change the storage location of default production storage center

I do not need a solution (just sharing information)

Hello all,

I've been having ongoing issues with LiveUpdate Administrator on our server. Downloads and distributions continually fail. It also appears that the Production Default Distribution Center is using space on the C drive that I would like to move. Is there any way that I can change where the clu-prod directory is located without having to change the 5 servers that are communicating with LUA? We have specific firewall rules that allow them to come in on port 7070, so I would like to continue using that.

Thanks!


Virtual Server Snap-shot backups Failing (NetBackup) with many SEP errors in logs

I need a solution

My company has been experiencing randomized backup "snap-shot" failures, and the System Logs have many errors like the one below:

We had the same issue a while back and it required a reboot to correct the snapshots (quiesce) issue.

Errors:

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SepMasterService service.

Is this an issue related to Symantec Endpoint Protection, or possibly the backup solution? I am trying to rule out the anti-virus as a cause.

 - If I need to open a Support Case, I will.


Expiring PGP keys

I need a solution

We have PGP endpoint encryption, and our client has asked us to use an expiring key. I was able to do this, but now they want to know if the key will simply stop working when the year is up on their end, or if they will be able to continue to use it while it expires on our end, so that we will not be able to open the files.


SEP Traffic has been blocked from this application: MS Link-Layer Discovery Protocol Driver (mslldp.sys)

I need a solution

I keep getting a windows notification that "Traffic has been blocked from this application: MS Link-Layer Discovery Protocol Driver (mslldp.sys)."

I have a user-defined exception for C:\Windows\System32\drivers\mslldp.sys, but that hasn't done anything, presumably because it's a scan exception and this is triggering on an execution. The weird thing is I can't find the activity in the Network and Host log or the Proactive Threat log, or anywhere. It keeps sending notifications every few minutes, but clicking the notification does nothing, and I can't find the activity in the log to figure out which part of the engine is causing the alert.

How do I make it stop? And why does Microsuck need LLDP anyway? It's not like they have to make a PoE or Voice VLAN decision. Intrusive proprietary garbage.

14.0MP2 build 2415 on Windows 10 1709


How to read other language?

I need a solution

I am facing an issue where my SEP client cannot read logs in other languages.

I have folders on my computer whose names are in other languages, not in English. On the computer everything displays fine and works perfectly, but when I check the logs they show "?".

How do I add other languages to SEP so that it can read the logs?


McAfee Agent handler equivalent

I need a solution

Hi,

Previously a McAfee admin, and now moving toward Symantec.

Question:

What is the equivalent of the McAfee Agent Handler in a SEPM environment?

At my previous job, our McAfee Agent Handler (in the DMZ) managed our roaming users for policies and content updates, while the McAfee ePO was the sole central management console and served the internal users (LAN).

With my current company, I am not sure how to take the same approach with SEPM.


artifact of a threat

I need a solution

Hello,

I have a warning from a higher organization about the distribution of emails with a threat in the attachment.

Malicious e-mails are being distributed with a disguised link to download a JAR file from the cloud service Dropbox. The malware is identified as the Adwind RAT.

Download: hxxps: // www [.] dropbox.com/s/z6offdjjzr5mn4y/FULL%20ORIGINAL%20DOCUMENTS%202FC1.jar?dl=1
File: FULL ORIGINAL DOCUMENTS 2FC1.jar
Email subject: Re: import wholsale

Details of the attachment on https://www.hybrid-analysis.com/sample/ae745fea5d6f51bd4ab5a913fe4fa08933bd78e9d04b5f2ce1e65cfe1b7f9c5c/5ac71a7f7ca3e1020e7b58b8

FULL ORIGINAL DOCUMENTS 2FC1.jar

Labeled as: Trojan.Java

Report generated by Falcon Sandbox v8.00 © Hybrid Analysis

I sent the file with the threat to Symantec (Tracking #42360883). But I was told that this is an artifact: "FULL ORIGINAL DOCUMENTS 2FC1.jar is not malicious itself, but may be an artifact of a threat."
How can I be sure that Symantec detects a threat when employees will receive such a letter?
