Channel: Symantec Connect - Endpoint Protection - Discussions

Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

I need a solution

Hi Team,

We have SEPM version 14. We have found that Symantec is detecting the files "io.sys" and "msdos.sys" as WS.Reputation.1, and they have been quarantined and deleted by SEPM, but we still see those files on the system with a size of 0 KB.

Also, we have observed that those files (io.sys and msdos.sys) are created by the process "ntvdm.exe", and this file belongs to Microsoft and is a genuine process.

| Date | Size | File |
| --- | --- | --- |
| 03/14/2018 07:34 AM GMT | 0 | IO.SYS |
| 03/14/2018 07:34 AM GMT | 0 | MSDOS.SYS |

Symantec Logs:

| Filename | Risk | Original Location | Computer | Current Location | Primary Action | Secondary Action | Action Description | Date and Time |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| msdos.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Restart Required - Quarantine | Restart Required - Delete | Restart Required - The file was quarantined successfully. | 12/4/2018 10:19 |
| io.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Restart Required - Quarantine | Restart Required - Delete | Restart Required - The file was quarantined successfully. | 12/4/2018 10:18 |
| msdos.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Quarantine | Delete | Performed Post-Reboot Risk Processing. | 12/4/2018 9:54 |
| msdos.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Quarantine | Delete | Performed Post-Reboot Risk Processing. | 12/4/2018 9:54 |

Hash value of files io.sys and msdos.sys : E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 

Files path: C:/ io.sys and C:/ msdos.sys

Please confirm on what basis Symantec is detecting the files io.sys and msdos.sys as WS.Reputation.1, and let us know the reason.

How migrate SEPM client 12.x to other new server SEPM 14.0.1

I need a solution

Hi, I need to find a solution for how to move all active clients from one old server (SEPM 12.1.6) to another SEPM server (14.0.1). I have tried all available solutions for my issue: the SEPM server has the same IP and a different hostname. 1) Tried to use Sylinkreplacer - doesn't work :( 2) Tried the scenario of adding a new management server to the list in policy components - old clients are still connected to the old server. 3) I tried to use a command file when I try to upload a new sylink.xml - doesn't work. Can somebody help me? Thanks.

External Logging for Local Site -> Log Filter

I need a solution

I'm looking for any log filter reference guide for External Logging for Local Site. Looking at configuring this but first I need to fully understand what information/log is provided under each Log type.

Attached is a screenshot from the configuration window.

Any advice or guidance would be greatly appreciated!

Thanks,

Janis

Exploit mitigation (GEM) details and attribution

I need a solution

Check with you guys, any idea how to drill down further on above subject?

In Risk/NTP we would be able to see the remote or attacker IP.

I know memory attack is much more different than others...just wondering if I can get more information on this topic

Is SEP compatible with Chrome Cleanup tool?

I need a solution

Hi,

Can anyone help me out to see if SEP conflicts with Chrome Cleanup engine which detects and removes unwanted software from hosts. This tool is not a general-purpose AV which only detects the software. However, there is a “Clean up Computer” setting which user can click to scan the computer for  harmful software. Please advise. 

unable to deploy SEP client on Windows 10 pro build 16299.371

I need a solution

Hi There,

I'm unable to deploy SEP client on a new Windows 10 Surface Pro using remote push from the SEP Manager.

SEPM version : - version 14 (14 MP2) build 2415 (14.0.2415.0200)

SEP client version : - version 14.0.2415.0200

Windows version : - Windows 10 Pro Version 1709 (OS build 16299.371)

I installed Windows 10 on the Surface Pro using an image (which contains the SEP client) that I created using Sysprep.

Later, I ran Windows updates and it updated itself to the Windows Fall Creators Update (1709). To do this update, Windows uninstalled the SEP client, and now when I am trying to install it back it is not doing anything.

On the SEPM deployment screen it is saying that the client has been successfully installed, but on the actual machine I can't see any SEP client running.

I have tried restarting the Surface Pro multiple times. I've also run Clean wipe to make sure that the SEP client has been properly removed and then tried to re-deploy again - but it's still not getting installed.

And when I'm trying to deploy using "Save Package" instead of Remote Push - it's saying "Symantec Enpoint Protection doesn't work on this version of windows. An updated app may be available"

Can someone please let me know what I am missing or how I can deploy the SEP client from the SEP Manager?

Cheers,

Inder

Trojan.Gen.2 and Trojan.Gen.NPE Warning coming repeatedly...

I need a solution

Hello,

We have Windows 7 OS in our environment. For the last two days we have been getting the virus alerts Trojan.Gen.2 and Trojan.Gen.NPE with the file names "tpmagentservice.dll" and "MsraReportDataCache32.tlb". This alert is coming repeatedly. SEP detects and cleans the virus and asks to reboot the system. But this virus alert keeps coming even after reboot.

Please do the needful to fix this issue.

Please see the attachment.

Deception Feature with SEP 14 RU1 who is using

I need a solution

Who is using deception, and how are you testing the setup?

I have it installed in development and would like to test.

Thanks

SEP GUP sizing and deployment

I need a solution

Hi Folks,

I need some help with GUP sizing and deployment considerations. There are around 10K endpoints spread across 380 sites in various locations of Australia (QLD, NSW, WA, ACT).

1. Is there any guide that covers the criteria to deploy a GUP? (For example, if the client count increases by 50, add a GUP server, etc.)

2. Bandwidth requirement and throttling for GUP servers in remote sites connecting via MPLS.

3. Can multiple GUP server clients entertain clients from different subnets, or do I have to specifically map the subnets to talk to a GUP in different subnets?

4. Can I use a combination of a single GUP for sites with good bandwidth and multiple GUPs for sites with low bandwidth?

The bandwidth in some sites is between 1 Mbps and 512 kbps.

How many GUPs would be sufficient for 10k clients?

Is there any formula or calculation available?

I've checked that GUP servers can handle up to 10k clients. I need to know the approach: whether I should use two local GUPs in each datacentre, or whether remote sites with low bandwidth should have multiple GUPs.

I need some stats around that. I would really appreciate the approach for GUP deployment considerations, as I've checked the documentation and I'm unable to find any concrete info.

I've checked the below links already

https://support.symantec.com/en_US/article.TECH938...

https://www.symantec.com/connect/blogs/best-practi...

Any quick response will be much appreciated!

Push Deployment Wizard (ClientRemote.exe)

I need a solution

Hi Guys,

I came across the following article at https://support.symantec.com/en_US/article.TECH195705.html which talks about using the Push Deployment Wizard to remotely push SEP agents to machines. I noticed that ClientRemote.exe takes some command line arguments and I was wondering if it's possible to deploy SEP agents via the CLI using this tool. Does anyone know if this is possible? I haven't yet been able to find any relevant documentation.

Thanks!
Matt

SEP dark network clients

I need a solution

Hi all, do the dark network clients use live update to update defs when off the domain? Basically, our clients update through the SEP Manager when on the network and use live update when offsite. Not sure which client type to use. Thanks. 

Having an issue upgrading client from 12 to 14

I need a solution

Hello.  I've set up a fresh install of SEPM 14 RU1 MP1 on a new server, and I'd like to upgrade my clients on the old 12 server to 14 with only 1 reboot if possible.

I've tried on multiple occasions to do a remote push of v14 to a server with v12, but after reboot the client is still v12.

Any ideas?

Thanks!

What is ASRunningStatus =2

I need a solution

We are seeing a new ASRunningStatus value 2 and what does this mean?

Change of domain in SQL Configuration

I need a solution

Does anything with SEPM need to be changed when changing the domain on the embedded SQL Server? If yes, where do we need to check and correct it in the SEPM configuration?

Block Safe Remove USB Device

I do not need a solution (just sharing information)

Hi,

The file "System Volume Information\EfaSIDat\SYMEFA.DB" blocks the removal of external USB devices.

The Symantec version is 14.0.3897.1101

I saw this "solution": https://support.symantec.com/en_US/article.TECH240567.html

Maybe it is acceptable for home users with admin rights and their only USB device, but I can't believe there is no real solution for enterprise users.

I read another article here for a 12.1 version and there was a hotfix. https://www.symantec.com/connect/forums/system-volume-informationefadatasymefadb-seems-block-safely-remove

I think this problem is back again, what can I do?

Thanks!

Super admin user account to view all user account risk or scan log

I need a solution

Hi 

I would like to check if there's any super admin account which I could use to log in at individual workstations to check and view all users' SEP risk logs.

I understand that any risk captured by SEP will be logged under that particular user's account and might not show up if I were to log in with a domain administrator account or a local administrator account.

Will running Symantec services (at services.msc) using a dedicated domain account solve this issue?

Thank you.

SEPm - Recommendation

I need a solution

Hi All,

I have a few questions about SEPM.

1. I will deploy SEPM to the customer with 300-400 endpoints. I checked a lot of articles. I want to create two servers, one for SEPM and one for a database with SQL Server.

2. I want to configure database maintenance. Can you give me a few recommendations for SQL database maintenance?

3. What happens when the SEPM license is over/expired?

Thanks,

Amit

14.0 RU1 MP1 Hyperv Firewall for DNS on Windows 2012 Server

I do not need a solution (just sharing information)

Hey!

I have a Windows 2012 Server with DNS installed in a virtualized domain controller.

I have installed Symantec Endpoint Protection 14.0.3897.1101 on the Hyperv Host. (I use this machine as a workstation and flip to various VMs.)

The default configuration blocks DNS queries. When Network Threat Protection is disabled, all devices and VMs can get through to the Internet.

In order to get the VMs to work with Chrome, I added a firewall exception as follows:

    "* Allow DNS", Allow, All network adapters, All hosts, UDP, Remote ports: 53.

This works for VMs and when the laptop is connected with a wired Ethernet connection, but not the laptop, tablet, and cell phones on the wireless network.

For wireless, I added:

     "* Allow DNS Wireless", Allow, All network adapters, All hosts, UDP, Local ports: 53.

It allows the wireless devices to get to the Internet.

These rules should be added to the default rules that ship with the product.

Hope this helps someone.

Bob.

Software exclusion by Digital certificate (SEPM/SEP)

I need a solution

We have many programmers writing code. Creating execution folders on systems gives a safe haven for infected files. Currently that's what I'm doing.

We want to offer a file exclusion by digital signature (certificate).
We already have a certificate. Does Symantec have any procedure for how to sign the files with the certificate?

After that, we will create a certificate exclusion in order not to quarantine/delete files.

Thanks
