Sync Now grayed out
My SEPM is not reflecting the changes that I made in AD. I checked the server properties to make sure they are set correctly, and all my directory servers are listed, but if I try to sync manually, Sync Now is grayed out. I am running SEPM 14.0.1 (14.0 RU1), build 3752 (14.0.3752.1000).
Block download & upload of attachments in Outlook 2016
Dear All,
We recently installed Symantec Endpoint Protection 14.1.
I would like to have a rule to block the upload/download of unwanted attachments in the Outlook 2016 client, which is installed on all PCs on our network.
I need to allow certain attachments (pdf, dwg, jpeg, etc.) while we definitely want to block others.
Can you please help and let me know how this can be configured?
Delete and recreate default admin account?
Hi,
I'm wondering if it is OK to delete and recreate the "admin" account which comes by default upon SEPM installation.
The password has been lost and we don't have a way of recovering it.
I'm aware that the admin account is required to confirm replication configuration and other settings.
If I delete the admin account and create a new one with the same name, can I use this when prompted for default admin credentials?
Thanks,
Jamie.
After upgrading to v14 can't update Sonar or Network protection on v12.1 clients
Updated to v14 RU1 MP2 (from 12.1 MP9) and found that while I can still update the virus definitions for 12.1 clients, I can't update Sonar or Intrusion Protection. The only options offered are for v14. Is there a fix for this, or is it just a major limitation of v14?
Cleaning up the content revision selection list
With each new version of SEP, this list seems to get larger and larger. Once all clients are on v14, ideally I'd just want to see the option for v14 x64 machines, since we have no 32-bit. See screenshot.
Oracle Linux, unable to install defs
Hi all,
I have an issue where an Oracle Linux install doesn't install its definitions; it's a new build.
The server goes out to the LUA server (12.1 MP9 client install) via port 7070, with nothing blocking on the firewall; this has been confirmed as turned off.
Please see the liveupdt.log output when sav liveupdate -u is executed manually; output below.
Any help appreciated.
============================================================
May 10, 2018 8:24:07 AM Java LiveUpdate launched with the command line = [ -p Avenge MicroDefs25 SavCorp10 Linux -v MicroDefsB.Error -l SymAllLanguages -t HubDefs -z 0 ] [ -p Avenge MicroDefs25 SavCorp10 Linux -v MicroDefsB.Error -l SymAllLanguages -t CurDefs -z 0 ] [ -p Avenge MicroDefs25 SavCorp10 Linux -v MicroDefsB.CurDefs -l SymAllLanguages -t CurDefs -z 0 ]
May 10, 2018 8:24:07 AM Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.Error, SymAllLanguages, HubDefs, 0
May 10, 2018 8:24:07 AM Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.Error, SymAllLanguages, CurDefs, 0
May 10, 2018 8:24:07 AM Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 0
May 10, 2018 8:24:07 AM Using character set UTF-8
May 10, 2018 8:24:07 AM Command-line Product Selections to update:
May 10, 2018 8:24:07 AM (ProdName, Version, Lang, ItemSeqName, SeqNum)
May 10, 2018 8:24:07 AM Adding JLU to the current command line
May 10, 2018 8:24:07 AM JLU Linux, 3.10.2, English, LiveUpdateSeq, 13
May 10, 2018 8:24:08 AM Java Version 1.8.0_172.
May 10, 2018 8:24:08 AM Linux 4.1.12-112.14.13.el6uek.x86_64
May 10, 2018 8:24:08 AM Java LiveUpdate version 3.10.2 Build 13.
May 10, 2018 8:24:08 AM ProductInventory: parsed default inventory file: /etc/Product.Catalog.JavaLiveUpdate
May 10, 2018 8:24:08 AM Inventory File Product Selections to update:
May 10, 2018 8:24:08 AM (ProdName, Version, Lang, ItemSeqName, SeqNum)
May 10, 2018 8:24:08 AM NBClient_Linux-X64, 7.7.3, English, Update, 20160401
May 10, 2018 8:24:08 AM Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, HubDefs, 0
May 10, 2018 8:24:08 AM Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 0
May 10, 2018 8:24:08 AM The property maxZipFileSize in config file is 614,400
May 10, 2018 8:24:08 AM The property maxTriFileSize in config file is 10,485,760
May 10, 2018 8:24:08 AM The property maxPackageSize in config file is 1,073,741,824
May 10, 2018 8:24:08 AM The property maxPackageContentSize in config file is 1,342,177,280
May 10, 2018 8:24:08 AM The property enableIPv4Preference is not set in config file
May 10, 2018 8:24:08 AM Checking to see if JLU can connect to its own listener thread.
May 10, 2018 8:24:08 AM Checking to see if a session of JLU is running at port 63351.
May 10, 2018 8:24:08 AM An active JLU session has been detected.
May 10, 2018 8:24:08 AM JLU was able to successfully connect to its own listener thread.
May 10, 2018 8:24:08 AM Checking to see if a session of JLU is running at port 47355.
May 10, 2018 8:24:08 AM JLU session not detected at that port.
May 10, 2018 8:24:08 AM Checking to see if a session of JLU is running at port 64384.
May 10, 2018 8:24:08 AM An active JLU session has been detected.
May 10, 2018 8:24:08 AM
May 10, 2018 8:24:08 AM The Java LiveUpdate session did not complete successfully.
May 10, 2018 8:24:08 AM Return code = -1
May 10, 2018 8:24:08 AM
============================================================
<IdsJluCommandLine><[ -p Avenge MicroDefs25 SavCorp10 Linux -v MicroDefsB.Error -l SymAllLanguages -t HubDefs -z 0 ] [ -p Avenge MicroDefs25 SavCorp10 Linux -v MicroDefsB.Error -l SymAllLanguages -t CurDefs -z 0 ] [ -p Avenge MicroDefs25 SavCorp10 Linux -v MicroDefsB.CurDefs -l SymAllLanguages -t CurDefs -z 0 ] >
<IdsJluCommandLineCharacterSet><UTF-8>
<IdsPVLListing1>
<IdsPVLListing2>
<IdsJluCommandLineAddedJluToSession>
<IdsJavaVersion><1.8.0_172>
<IdsJavaLiveUpdateVersion><3.10.2><13>
<IdsProductInventoryParsedDefault></2Fetc/2FProduct.Catalog.JavaLiveUpdate>
<IdsPVLListing3>
<IdsPVLListing2>
<IdsMaxSize><maxZipFileSize><614400>
<IdsMaxSize><maxTriFileSize><10485760>
<IdsMaxSize><maxPackageSize><1073741824>
<IdsMaxSize><maxPackageContentSize><1342177280>
<IdsEnableIPv4PreferenceNull><enableIPv4Preference>
<IdsJluSyncCheckCurrentSession>
<IdsJluSyncCheckPort><63351>
<IdsJluSyncCheckActive>
<IdsJluSyncCurrentSessionActive>
<IdsJluSyncCheckPort><47355>
<IdsJluSyncCheckInactive>
<IdsJluSyncCheckPort><64384>
<IdsJluSyncCheckActive>
<IdsJavaSessionFailure>
<IdsJavaSessionReturnCode><-1>
14.1 Cloud
Good Morning All,
I am having a little trouble understanding the difference between Symantec 14.0.1 MP2 and Symantec 14.1.
Is the difference just the cloud connectivity, and does the cloud connectivity add additional detection capabilities?
My other question is to people who upgraded to 14.1 Cloud: how did the upgrade go? Any issues with policies or environment stability during or after the upgrade?
Thanks!
Problem with Internet explorer after updating to SEP 14.0.1
Hello all,
I have a problem.
In SEP 14.0.1, after updating, some workstations have problems loading Internet Explorer or Acrobat. This occurs more frequently on computers running Windows 7.
disable SEP for Windows 10 inplace upgrade
As I seek ways to speed up the upgrade to Windows 10 1803, the biggest bottleneck I see is SEP's IOPS. We have Tamper Protection on and do not want to change that configuration, but I need a method to disable it within an SCCM task sequence for the length of the upgrade. Does SEP have a supported method for doing that?
Can SEPM also provide Live Updates for SEP Clients?
Hello,
I am new to the SEP product and have been tasked with deploying it in a new environment.
It has no access to the internet. I connect to an upstream server for updates.
I have managed to install and deploy the SEP client to a few servers, but notice that they are not getting any definition updates. They are also looking to the default sources on the internet for LiveUpdate.
My question:
How can I configure my SEPM to provide live updates to the clients?
Can it provide Live Updates or do I need a separate installation of the Live Update Administrator (LUA)?
Does the LUA need a separate license? I already have one for SEP and SEP clients.
The environment has no Internet access and needs to have limited connectivity to the outside world.
The network is small. Less than 200 clients.
What are my options?
Please help!
Cannot create client install package 14.0.1 MP2 in SEP Manager 12.1
We use Symantec Endpoint Protection Manager 12.1.5337.5000
There is an error when we create client install package "Endpoint Protection 14.0.1 MP2" in SEP Manager 12.1.
How can we create the client install package properly without updating the SEP Manager version?
Removing AD Sync While Adding Replication Partner
Hi,
We are running a SEPM (14.1) with a SQL database in our environment and presently want to add a replication partner for failover functionality. The primary SEPM is AD-synced as of now, and we want to break that, as it's causing lots of administrative trouble for us. Is there a way to add a secondary SEPM server (replication partner) and NOT have the AD tree structure imported to it?
I know that if I break the AD sync in the primary SEPM, all the clients will start reporting to the "Default" group and will then need to be manually moved to their designated groups. But we want to avoid this trouble, as we have almost 200 different groups to which these clients are reporting.
What if we build a separate SEPM (the secondary SEPM, without AD sync), export all the policies (Virus & Spyware, Exceptions, Intrusion Prevention, etc.) from the primary SEPM (which is AD-synced) and import them into this secondary SEPM, create different groups as we like, apply these policies to these groups, and then slowly start moving the clients from the primary SEPM into the secondary one by replacing the Sylink on the clients?
Any suggestions? I might be wrong, but I just wanted to check the alternatives available. Thanks!
Testing_SEP14_NewFeatures The hard ones
Hello SEP experts,
Question
========
What is the testing procedure for the "hard to test" features from SEP 14?
1. Product: SEP 14
2. New features hard to test: Signatureless technologies (AML, MEM, Custom Applications MEM), Advanced capabilities (Emulator)
"https://support.symantec.com/en_US/article.DOC10971.html"
Does Symantec have any recommended testing procedures for AML,MEM, Emulator?
Searched "support.symantec.com"
+++++++++++++++++++++++++++
1. https://support.symantec.com/en_US/article.HOWTO100329.html
2. https://support.symantec.com/en_US/article.TECH236704.html
Thank you.
SEP blocks bridged VM network access - Symantec solution incomprehensible
Hi,
My problem is exactly described already in https://support.symantec.com/en_US/article.TECH239...
Unfortunately, I do not know how to add a firewall rule for "Any Application" for a specific local IP:
1) I can only select specific applications, but I do not see a field for "any" or "*".
2) I can only specify remote IP or MAC addresses, but not local ones.
For these reasons, I cannot implement the solutions suggested in the above-mentioned link. Consequently, my OS and any applications running in my VirtualBox are unable to access the internet in bridged mode. Are there alternative solutions, or can anybody help me by giving "click-by-click" instructions on where to find the "missing" options?
Thank you very much!
Cheers,
Fabian
Windows 10 1803 Update Symantec must be manually uninstalled.
This is going to be a long post. It is to fix issues with the Windows 10 1803 update giving the notification that Symantec must be manually uninstalled.
First, you have to be on SEP client 14.0.3 for the Windows 10 1803 update for this to work. My version is 14.0.3929.1200.105 on the server and most of my clients.
The script is saved as .txt and attached (I think) to this post.
The bottom of the post has the text of the PowerShell script.
Some suggested fixes that did not work:
CleanWipe will not resolve this issue; I tried that.
Re-installing Windows also will not work unless you delete everything on the drive or format the drive during install.
Causes:
Essentially, what happened is that the Symantec install is delivered as a zipped package that has the executables in it.
Once you unzip the package, the executables that Windows Update looks for are found in the install folder.
The Windows 1803 update does not look everywhere, but it will look anywhere that the system can access.
So if you are deploying with SCCM, there is an install package in ccmcache from the last install.
If you contacted support on a previous version and they sent you a 7-Zip exe to extract, then the exes are somewhere else.
If you deployed using SCCM, then the exes will be in a subdirectory under the C:\Windows\ccmcache directory.
If you deployed using a single exe, then it extracted somewhere and you may have the exes there.
I called support for a script to fix this. Got nowhere. That is another story, best left out.
My Solution
I made a PowerShell script to find and rename the 2 executables if they are outside of Program Files or Program Files (x86).
For SCCM to be able to use this, the .ps1 probably needs to be signed.
Attached is a sample of the script.
<#
This Script is to look for any Symantec Endpoint Protection files that prevent Windows 10 Update to 1803
If a computer has any install folder for an older version these files will exist in the install folder. Windows update checks the version.
ccsvchst.exe Version 13.3.1.14
smc.exe Version 14.0.3929.1200
Windows Update to 1803 gives error that 2 Symantecs must be uninstalled, 1 for each file.
To find the offending file names look in this folder (after the update has failed or they will not be listed.)
C:\$WINDOWS.~BT\Sources\Panther\setupact.log
Search for 'Manual uninstall required' (no tick marks.)
References:
https://www.symantec.com/connect/forums/solved-windows-10-1709-cant-update-and-clean-wipe-cant-full-remove-endpoint-protection
Point of contact, Brian VanTassel
Agency for Persons with Disabilities, Florida.
Notes: This has to be signed to run through SCCM
Built for deployment through SCCM Task Sequence.
#>
The script renames either ccsvchst.exe or smc.exe if its version is less than the version shown (13.3.1.14 and 14.0.3929.1200 respectively).
In this script, change 'SomeServerName' in the line below to your share path, and create the folders for the path. The script writes its results to that file. The results record what was attempted; depending on system rights, the rename may not have actually happened. The log indicates the steps ran, but you should test it.
$outfile="\\SomeServerName\DeployLogs\Symantec\Win10-1803RenameFix\Win10-FilesRenam_Status-Apps.txt"
This is where the accumulated log is written to. Domain Users and Domain Computers will need read and write access to this share.
You will also need a share for the deploy files. This will need to be readable by Domain Users and Domain Computers.
Sign the script using a code-signing certificate (another story there).
Example of results, showing computer name, path to file, version information and what was attempted:
ComputerName-10;;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
To deploy the script in SCCM, I used a Task Sequence with 2 Run Command Line steps.
It will probably work with one step, but I copy the script to a folder I use on the computers for local install logs.
Most of my Task Sequences create this folder if it does not exist: "C:\ProgramData\CM_Install_logs"
Copy command line:
cmd.exe /c copy /y "\\ServerName\Deploy File Share\Scripts\Win101803SymFileRenamFix.ps1" "C:\ProgramData\CM_Install_logs"
Run PowerShell command:
cmd.exe /c PowerShell.exe -executionpolicy unrestricted -file "C:\ProgramData\CM_Install_logs\Win101803SymFileRenamFix.ps1"
PowerShell script (was named Win101803SymFileRenamFix.ps1) starts below this line
<#
This Script is to look for any Symantec Endpoint Protection files that prevent Windows 10 Update to 1803
If a computer has any install folder for an older version these files will exist in the install folder. Windows update checks the version.
ccsvchst.exe Version 13.3.1.14
smc.exe Version 14.0.3929.1200
Windows Update to 1803 gives error that 2 Symantecs must be uninstalled, 1 for each file.
To find the offending file names look in this folder (after the update has failed or they will not be listed.)
C:\$WINDOWS.~BT\Sources\Panther\setupact.log
Search for 'Manual uninstall required' (no tick marks.)
References:
https://www.symantec.com/connect/forums/solved-windows-10-1709-cant-update-and-clean-wipe-cant-full-remove-endpoint-protection
Point of contact, Brian VanTassel
Agency for Persons with Disabilities, Florida.
Notes: This has to be signed to run through SCCM
Built for deployment through SCCM Task Sequence.
#>
# Versions below these thresholds are what the 1803 upgrade flags as "manual uninstall required"
$ccSvcHstMin = [version]"13.3.1.14"
$smcMin      = [version]"14.0.3929.1200"

$outfile = "\\SomeServerName\DeployLogs\Symantec\Win10-1803RenameFix\Win10-FilesRenam_Status-Apps.txt"
# $date was never assigned in the original, so the log's second column was always empty
$date = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

# Find every copy of the two executables on the system drive (ccmcache, cached installs, extracted packages)
$Paths2Files = Get-ChildItem -Path "C:\" -Include ccsvchst.exe,smc.exe -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object Name,FullName

foreach ($file in $Paths2Files) {
    $VersionInfo = (Get-Item $file.FullName).VersionInfo
    # Cast to [version] so the comparison is numeric; as strings, "13.3.1.9" would sort above "13.3.1.14"
    $FileVersion = [version]("{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart,
        $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart)

    # Never touch the live install under Program Files / Program Files (x86)
    if ($file.FullName -like "*Program Files*\Symantec\Symantec Endpoint Protection*") {
        $action = "ProgramFiles Not Modified"
    }
    else {
        switch ($file.Name.ToLower()) {
            "ccsvchst.exe" { $min = $ccSvcHstMin; $newName = "ccsvchst.ex_" }
            "smc.exe"      { $min = $smcMin;      $newName = "smc.ex_" }
        }
        if ($FileVersion -lt $min) {
            try {
                Rename-Item -Path $file.FullName -NewName $newName -ErrorAction Stop
                $action = "renamed"
            }
            catch {
                # Tamper Protection or ACLs can block the rename; log the failure instead of reporting success
                $action = "rename failed: " + $_.Exception.Message
            }
        }
        else {
            # Equal or newer: leave it (the original left $action stale here when the version was newer)
            $action = "Not Modified"
        }
    }

    Write-Host $file.FullName $FileVersion $action
    $out2file = $env:COMPUTERNAME + ";" + $date + ";" + $file.FullName + ";" + $FileVersion + ";" + $action
    $out2file | Out-File -FilePath $outfile -Append
}
# SIGNATURE BLOCK WAS HERE
# End signature block WAS HERE
End of script above this line
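The post says the .ps1 has to be signed for SCCM but leaves the signing step as "another story". The following is an added example, not code from the post or from Symantec, of how an engineer would sign that script and verify the signature before the task sequence runs it. The script path, the certificate thumbprint and the timestamp-server URL are assumptions: the thumbprint is a placeholder to replace with that of your own code-signing certificate in the current user's personal store.

```powershell
# Added example (not part of the original post): sign Win101803SymFileRenamFix.ps1 with a
# code-signing certificate and verify the result before handing it to the SCCM task sequence.
# Assumptions (not from the post): the script is at $ScriptPath, the signing certificate is in
# Cert:\CurrentUser\My, and $ExpectedThumbprint is that certificate's thumbprint (placeholder value).

$ScriptPath         = "C:\ProgramData\CM_Install_logs\Win101803SymFileRenamFix.ps1"
$ExpectedThumbprint = "0000000000000000000000000000000000000000"   # placeholder; replace with your cert's thumbprint
$TimestampServer    = "http://timestamp.digicert.com"             # any RFC 3161 timestamp service you trust

# Select the signing certificate explicitly by thumbprint instead of taking the first code-signing cert found
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint } |
    Select-Object -First 1
if (-not $cert) { throw "Code-signing certificate $ExpectedThumbprint not found in Cert:\CurrentUser\My" }

# Sign with SHA-256 and a timestamp so the signature stays valid after the certificate itself expires
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# Verify what the clients will actually execute: the signature must be Valid AND from the expected signer.
# Any later edit to the .ps1 (even whitespace) changes Status to HashMismatch, which is the point of signing it.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Refusing to deploy: status=$($check.Status), signer=$($check.SignerCertificate.Thumbprint)"
}
"Signed and verified: $ScriptPath (signer $($check.SignerCertificate.Subject))"
```

Once the file carries a valid signature, the Run Command Line step can use -ExecutionPolicy AllSigned instead of Unrestricted, so an unsigned or modified copy of the script is refused rather than executed. For that to work non-interactively, the signing certificate (or its issuing CA) must already be in the clients' Trusted Publishers store, typically pushed by Group Policy; otherwise PowerShell will prompt, which fails inside a task sequence.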
Symantec Endpoint Protection Manager 12.1 cert number
Hi All,
I have encountered this issue: my current Symantec Endpoint Protection Manager 12.1 version is expiring soon.
From my understanding, I just need to open the console, log in and, if I have a new license key, just
input it and click Activate.
I was informed by my reseller that they require the cert number to do a renewal.
Does anyone have experience or know how I can retrieve the cert number by command line,
or any sample of what it looks like?
Appreciate it if anyone can advise.
Thanks
Regards
Jing
Traffic Blocked Notification: MSLLDP.Sys
I keep getting a windows notification that "Traffic has been blocked from this application: MS Link-Layer Discovery Protocol Driver (mslldp.sys)."
I have a user-defined exception for C:\Windows\System32\drivers\mslldp.sys, but that hasn't done anything.
I followed http://www.symantec.com/docs/TECH203497, and even with the "Allow All" rule at the top, I get the notification.
What's the next step to isolate?
14.0MP2 build 2415 on Windows 10 1709
Trigger the "Suspicious Behavior Detection"
Hello support,
Question
++++++++
1. "Test 1"
We can test SONAR using socar.exe (https://support.symantec.com/en_US/article.TECH216...) and it works fine,
but
2. "Test 2"
We want to test only the "SuspiciousBehaviorDetection" feature (https://support.symantec.com/en_US/article.HOWTO12...), with SONAR off/not enabled.
How do we do it?
We know the inner workings of the "SuspiciousBehaviorDetection" feature are proprietary, but how can we check that the feature is working?
We searched the Symantec KBs etc. (https://www.symantec.com/connect/forums/how-calcul...), but there is no detailed info about it.
Thank you.
Client loopback address 127.0.0.1 - Allowed?
Hi,
Is the loopback address 127.0.0.1 always allowed?
If not, what rule would I use?
If the client address is x.y.z.a, then a connection to itself via x.y.z.a, I would assume, needs to be explicitly allowed.
Is this correct?
Thanks for any help
How To "Internal Error" in Help > Troubleshooting > Connection Status