Channel: Symantec Connect - Endpoint Protection - Discussions

SEPM reporting latest content not available when up to date


I have an issue on the SEPM: on the Home tab the security status says "Attention needed". The problem is in the content category "Download Problems", which states "Latest Content Not Available".

The latest definitions available from Symantec are currently installed on the SEPMs, so I don't see why this is appearing as a problem. We update from an internal LiveUpdate server; we don't connect directly to Symantec to retrieve LiveUpdate content.

Is there a configuration change I can make to fix this issue, or a threshold value I can edit to prevent this appearing as an issue?

Thanks.


What do you do against these kinds of attacks?


Branching off from this thread.

https://www.symantec.com/connect/forums/where-can-...

I'm not directly involved in this anymore. We're seeing more of these kinds of attacks, and it doesn't appear to be a friendly surprise security scan, at least not for all the remote IP addresses.

Here's a sample of the descriptions. I see a lot of these in the logs.

Attack: SMB Double Pulsar Ping

Audit: Unimplemented Trans2 Subcommand

OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

Web Attack: IIS Server CVE-2017-7269

What's a good response to an ongoing attack like this? Just about every hour, for 10-15 minutes, an IP address will go after anything on the subnets I work within.

It's been sent to higher security levels in my organization. Isn't the best thing to find the remote host IP machines and take those out? From what I've seen, I think 95% of the remote host IP addresses are within my overall organization. Remove the source of the problems (infected machines, I would think), rather than making adjustments on my end? But on my side, is there anything I should be doing? Machines are updated. Symantec is installed and updated. All the attacks are from outside my subnets, but as far as I can tell still within the range of the overall organization. I'm thinking the best option is for people above me to remove those infected, attacking machines, and we've given them plenty of information from logs to find them. Do you agree? Beyond that, is there anything reasonable I should do for things I might control on my end? On one extreme, someone could say if you're not using a machine, shut it off, problem solved. But is that "problem solved" really, if the attacker is still there? I've removed the target, but that's it. And I'm wondering why I should change anything on my side if the main attack threat is still present. Is "hide more targets" really a great strategy?


SEP14 installation on server


Hi All,

Just to give a little background, my company is acquiring another company.

Suppose X is purchasing Y.

We need to install SEP 14 on the servers which belong to Y, and the requirement is that they should report to the SEPM which is already in X.

After installing SEP on the servers, what network changes do I need to make so that it reports to the SEPM in X? Please help.

Thanks in advance!


Allocating groups of clients to different SEPM servers


Good day,

I manage a large site with approx. 1000 clients; it is fairly geographically dispersed.

In an effort to reduce traffic on our network links, I have installed replication servers of our SEPM on two remote servers at two distant sites that are more central to a group of clients.

Our SEPM is AD-linked and I would really just like to tell one of my AD groups to prioritise one SEPM server (I do this on WSUS, for example, with a GPO applied to that group) and then use the primary as failover.

How do I set groups of clients to use certain servers?


SEP 12.0.6 BHEngine.dll Problem

CcSvcHst.exe always hits over 20% CPU, so I tested with the Symantec Diag tool.
The following is showing on the result report.
Please help.
 
Process: BHEngine.dll
Recommendation:This item should be submitted to Symantec Security Response for analysis.
 
File Details:
Path:C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\BASHDefs\20180409.001\BHEngine.dll
Version:11.4.0.29
Company:Symantec Corporation
Product:BHEngine
SHA256:
MD5:
 
File Reputation:There is not enough information about this file to rate it.
 
File Score:-193
 
Test                                         | Result   | Score | Details
Was the file recently created or modified?   | Yes      | -143  | Created date: 4/12/2018; Modified date: 3/6/2018. The created date was used for scoring.
Is the file's signature valid?               | No       | -50   | Signature not present
Is the file version present?                 | Yes      | 0     | 11.4.0.29
Does the file have multiple extensions?      | No       | 0     | 1 extension
Is the file protected by the OS?             | No       | 0     |
What is the file's reputation?               | Unproven | 0     | There is not enough information about this file to rate it.
Is the file size between 10KB and 500 KB?    | No       | 0     | 2.05 MB

How do I get a weekly attack log automatically sent?


I want a weekly "Network and Host Exploit Mitigation - Attacks" .csv file emailed to me. I can check manually under the Monitors box in the left column, but I want SEPM to email me that report as a .csv automatically. I've got a couple of reports set up under the Reports box in the left column, but I'm not seeing quite the options I want for attacks, a one-week time period, and a .csv file. Is there a way to do that?


Active Directory attributes


I have a use case wherein I need to apply a policy to a specific user in Active Directory who will be part of a specific AD group. I synced AD with SEPM and can see the UPN of the user as the logon name in SEP. I use my samAccountName to log in to my desktop, and it appears as a separate entry in SEPM. In my case the UPN is my email address, i.e. abc@xyz.com, and the samAccountName is different, i.e. ID123456. Is there a way I can have SEPM use samAccountName instead of UPN?

Thanks.

Qamar Vakil


Can't install SEP 14.0.1904 on clients running Windows 10 1709


I have a client that is getting some new computers and wants SEP installed on them. I managed to get the Endpoint Protection Manager installed on their server running Windows 10 1709.

But I can't get the client software (14.0.1904) installed on the workstations. They are running the same version of Windows as the Protection Manager. I keep getting an error that the "App isn't compatible with this version of Windows."

How do I fix this? From what I've found online, 14.0.1 should work on Windows 10 1709.


SEP Client on SEPM 14 Server & Windows 2016


Whether right or wrong, I have an unmanaged SEP 12 client running on my SEPM 12 server, where things have been running just fine. I found this useful in troubleshooting whenever my SEPM server fails to download virus definitions. Moving forward, I'll need to set up a new server/VM with SEPM 14 and migrate the existing SEP clients over. Does anyone know whether it's recommended to install a managed or unmanaged SEP client on the SEPM server, and why? Also, are there suggestions on what SEP options should or shouldn't be installed for the SEP client that's protecting the SEPM server?

As for the OS on my new SEPM 14 server, I secured a Windows 2016 license, although my VM sometimes hangs after rebooting from patch installs. Is anyone else seeing this same behavior? Like Windows 10, 2016 seems to have issues as well, so I'm thinking maybe it's better to go with 2012 R2 instead. I'd appreciate your thoughts on this. Thanks in advance!


IPS detection from 192.X.X.X


Good Day All,

I am facing a challenging task in my environment. I am continuously being notified with the IPS detection alert; please find the alert details below.

computer: XXXX(workstation)

protocol direction: TCP inbound

remote host IP address: 192.X.X.X

Traffic initiated from the remote IP 192.X.X.X is in a class C subnet range and it is a private IP; it communicates towards our known workstation.

The signature triggered is OS Attack: Microsoft SMB MS17-010.

The SEP client installed on that workstation blocked this traffic, so there is no impact, but we are unable to find where the traffic initiated from the remote IP comes from. Since we do not have any information about this IP, and it is not a standard IP segment used in our environment, we are not able to trace this IP.

Any suggestion from your end would be highly helpful.

Thanks in advance.


Can't uninstall Symantec Endpoint V.14.0 RU1 MP1 build 3876


After I installed the patch update version 14.0 RU1 MP1 build 3876, one client PC that I tried shows the messages "Download Insight is not functioning correctly ..." and "Memory Exploit Mitigation ....", so I decided to uninstall it, but I cannot uninstall it. When I go to uninstall, it asks for a password that I really don't know; even when I use all the passwords that we know, it still says the password is not correct. I have no idea about this password.

Please help.


SQL Query to show all definitions installed on client


Hello,

I find a lot of forum threads on SQL queries to show virus definitions, but I cannot find any showing all definitions on the client: Virus, SONAR, IPS, DP, EDR, etc.

Does anyone have a SQL query to share showing all definitions on the host? Thank you.


Replication SEPMs


Hello everyone,

I have two remote sites, site-A and site-B, with a 1MB link. I would like to set up a replication partner in site-A which will replicate the data from SEPM 14 in site-B. The sem5.db in site-B is around 20GB.

I would like to know approximately how much time the replication would take to complete once I install SEPM in site-A as a replication partner.

And what do I need to do to make sure that the initial replication cycle completes successfully once the SEPM is installed in site-A?

Thanks


IPS alerts


I would like to know if we can stop IPS notifications on the client end. In particular, I want to know if we have the possibility of blocking just the desired notification, rather than blocking all of them.

This article doesn't say whether we can block one particular alert: https://support.symantec.com/en_US/article.TECH105013.html


IPS Signatures not updating - GUPs


We recently spun up a third SEPM site, which will be used to migrate 2 separate sites we are currently managing. When replication was set up between the 3 sites, IPS signatures failed to update on our GUPs.

We have been updating IPS signatures manually with success. Adding the JDB file is allowing the GUPs to grab it, and clients update successfully. We have a case open to work out whether replication may have broken the GUPs' ability to pull the IPS signatures from the SEPMs.

We have successfully used the JDB file for RU1 to update the GUPs, which are running MP2.

We are mid-upgrade from MP2 (14.0.2415.0200) to RU1 MP1 (14.0.3897.1101), and the GUPs failed to be upgraded before our workstation clients. Yesterday most of the GUPs were upgraded to RU1 MP1.

Today, we went to manually update the IPS signatures with the latest available, as is routine at this point, and only the non-upgraded GUPs pulled the latest IPS signature. The upgraded GUPs are still failing to update. I understand that this is a mess on the upgrade front, but it doesn't make sense that the RU1 MP1 GUPs aren't updating signatures while the non-updated GUP clients are. Clearly a compounded issue, but I'm reaching out to see if there's something I might be missing.

**The GUP install package for the upgrade kept all GUPs in their respective groups, with the same policies applied. No changes at all, except the client upgrade.

**All of our SEPMs were upgraded to RU1 MP1 prior to any client upgrades.


Daily scan scans no files on some computers


On some computers, the daily scan will scan everything, including mounted network drives. On other computers, absolutely nothing gets scanned by the daily scan. This is according to the logs on the SEPM. I have tried reinstalling SEP on these computers, but it doesn't help. What could cause such an issue?


Cannot enable firewall policy?


When I try to enable a firewall policy on a container, I get "The location is under Client Control. You cannot add a new firewall policy".

Does anybody know how to get this to allow me to add a firewall policy?

Jason


Firewall Status showing "Disabled by policy" but it's enabled?


The container this client is under has a firewall policy in place. Also, the client itself has the SEP firewall turned on. Why would it continue to say "Disabled by policy?"


Migrate McAfee to Symantec


Hi Community,

Requesting assistance.

We acquired a company and their AV is McAfee. What will be the approach for migration and deployment?

Thank you.


SEP 14 via GPO


Is there a way to push SEP via a GPO and ensure it installs, putting the computer in the proper container? I noticed you can create a .msi installer, but how do you control the Sylink communication setting that determines which container it gets put into?

Or is there any other way to force SEP installations?
