Channel: Symantec Connect - Endpoint Protection - Discussions

OSX.trojan.Gen virus

I need a solution

I am using an Apple MacBook Pro laptop computer. My anti-virus software found a virus in the following directory but cannot delete it. The directory path is /volumes/Install/Install.app/contents/MacOS/Install (OSX.Trojan.Gen). When I use the anti-virus software (Endpoint Protection) I get a message that the repair failed! It calls the virus "OSX Bundlore activity 2". I have updated the anti-virus signatures but this does NOT delete the virus. I found out about this when I tried to update Adobe Acrobat Reader software. I need a solution to this issue, please!


Blocking ports 445 and 139

I need a solution

Hello;

HELP, I am getting WannaCry attacks ("SMB Double Pulsar Ping attack"), and I need to block ports 445 and 139:

- can I block these ports without causing network problems?

- and how do I block them using the SEPM 14 console?


Monitoring access to C:\Users

I need a solution

Hi all,

How can I monitor and block attempts to access the local folder C:\Users from remote computers (\\mymachine\c$\users)?

I cannot remove the BUILTIN\Administrators group from the folder's Security tab.

Thanks

M

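
The monitoring half of the question above can be answered from the Windows Security log rather than from folder ACLs: once the "Audit Detailed File Share" subcategory is enabled (auditpol /set /subcategory:"Detailed File Share" /success:enable), every access check on a share is logged as event 5145, whose RelativeTargetName field holds the path relative to the share root. The script below is an added example, not code from the post or from Symantec; the event records in it are constructed to mirror the 5145 field names, and the IP addresses, user names and paths are made up. It flags any 5145 record where a non-loopback client touched a path under Users\ through the C$ or ADMIN$ administrative share. It only detects; blocking remote C$ access means disabling the administrative shares or restricting inbound SMB (TCP 445) to admin hosts with a firewall rule, since the share's own ACL cannot exclude Administrators.

```python
import ipaddress

# Constructed sample records modelled on the fields of Windows Security
# event 5145 ("A network share object was checked to see whether client
# can be granted desired access"). All values are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\C$",
     "ShareLocalPath": "\\??\\C:\\",
     "RelativeTargetName": "Users\\alice\\Documents\\plan.docx",
     "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "IpAddress": "10.0.0.9", "ShareName": "\\\\*\\C$",
     "ShareLocalPath": "\\??\\C:\\",
     "RelativeTargetName": "Windows\\Temp\\backup.log",
     "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "IpAddress": "::1", "ShareName": "\\\\*\\C$",          # local access via loopback
     "ShareLocalPath": "\\??\\C:\\",
     "RelativeTargetName": "Users\\alice\\notes.txt",
     "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "bob", "SubjectDomainName": "CORP",
     "IpAddress": "10.0.0.40", "ShareName": "\\\\*\\Public",  # not an admin share
     "ShareLocalPath": "\\??\\C:\\Public",
     "RelativeTargetName": "readme.txt",
     "AccessMask": "0x1"},
]

# Administrative shares whose root is the system drive; matched case-insensitively.
ADMIN_SHARES = {"\\\\*\\C$", "\\\\*\\ADMIN$"}
# Path prefix (relative to the share root C:\) that the post wants watched.
WATCHED_PREFIX = "users\\"


def is_remote(ip_text):
    """True when the client address is a real peer on the network, not loopback."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # 5145 carries '-' for local or unknown sources
    return not ip.is_loopback


def is_remote_users_access(ev):
    """Does this 5145 record show a remote client reaching C:\\Users via an admin share?"""
    if ev.get("EventID") != 5145:
        return False
    if ev.get("ShareName", "").upper() not in ADMIN_SHARES:
        return False
    target = ev.get("RelativeTargetName", "").lower()
    if not target.startswith(WATCHED_PREFIX):
        return False
    return is_remote(ev.get("IpAddress", ""))


def triage(events):
    """Return (account, client IP, relative path) for every matching record."""
    return [
        (ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
         ev["IpAddress"], ev["RelativeTargetName"])
        for ev in events if is_remote_users_access(ev)
    ]


if __name__ == "__main__":
    for account, client, path in triage(SAMPLE_EVENTS):
        print(f"remote access to C:\\{path} by {account} from {client}")
```

Feed it real events by exporting the Security log (for example with wevtutil or Get-WinEvent) and mapping the EventData fields to the same keys; the noisy part in practice is the backup and management accounts that legitimately traverse C$, which belong on an allow-list keyed by account and source address rather than being silenced globally.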

Mac client questions

I need a solution

We have a number of Macs running v14.x connected to a 14.x SEPM server. The virus definitions on these Macs are continually out of date on SEPM. For instance, even though a handful show having last communicated with SEPM today, the 11th, all of their virus definitions are listed as the 5th or 6th. Often most of them are offline. For instance, 5 of them are virtual machines running on a Mac ESXi host, which means they are always on, yet even after a reboot they often show as being offline but having talked to the server today, so I know the components are running. Furthermore, even though I have a scheduled scan set for every night at 1 am (cancelled if it's still running by 6 am), and two scans set to run during the day on Monday and Thursday until they complete, the systems will have times when the last completed scan was a week ago or more. Even some of the virtual machines report this, or no scans completed at all, when they have nothing on them except the OS and a few apps, a small disk (80 GB), and no users logged in to interrupt any scanning.

However, when I log into the console of any Mac, the menu bar application shows the state as "connected", even when the server states it is offline. The client-side application usually lists the definitions as being up to date (today or yesterday), yet the SEPM console lists them as vastly out of date. It appears that after logging in to the console of a Mac, SEPM updates with new information, sometimes.

This leads me to believe that SEPM getting properly updated information is entirely dependent on a user being logged into the client. I read this was the case in 12.1.x. Is this correct in version 14? I hope not, as that's the worst client/server AV application design I've ever seen. Both the LiveUpdate and SymDaemon processes run full time as root. They should not need a user logged in to perform any communications with the server. I have tried to ssh into clients to see if I could determine the definition date from the command line, thus not causing the GUI menu bar application to open, and have not found a way to check connection status or AV definition version information from the terminal. From the only real Mac document I've found on Symantec's site, the Mac FAQ, it doesn't appear there is a way to check definition versions or communication status except using the GUI app, which makes troubleshooting in this scenario nearly impossible. Not to mention that if I could check that information from the command line I'd script reporting back to our Mac management software for compliance and forgo the apparently faulty SEPM<->SEP relationship for reporting. But alas, it seems there are no command line options for SEPM 14 except to restart the daemon and run lutool.

Does anyone have any reliable information from Symantec on whether this behavior is expected, or any suggestions on how to get the SEPM console to reflect the client status without having users log in just to get that information updated? Is there a way to pull definition date, connection status, and last scan date from the command line?

SEPM not having accurate information makes it very difficult to report compliance to our overlords. I'm not going to chase users around every week begging them to log into their systems so IT security can get the compliance it needs, and IT security isn't going to continually accept submitting garbage reports to their higher-ups.

Thank you for any feedback,

Paul


OSX.Trojan.Gen

I need a solution

I am using Symantec Endpoint Protection anti-virus software on an Apple MacBook Pro laptop computer. The software detects a virus called OSX.Trojan.Gen on the computer. It also lists this as "OSX Bundlore Activity 2". The virus is located at /volumes/Install/install.app/MacOS/Install. The software does NOT clean the virus for some reason. I have updated my anti-virus software but this does NOT get rid of the virus! I tried to delete the virus file and that did not work. This started when I went to update Adobe Acrobat software. What can I do to get rid of this virus?


Need to push update policy outside of network

I need a solution

The problem that I would like to solve (and I'm not sure if there is a viable solution for this) is that I would like my client machines running SEP to be able to receive policy updates while working remotely. Content updates are not a problem; my clients already receive those from Symantec. However, the policy updates are specific to the SEPM server, and thus the clients need a way to somehow talk to the SEPM from the outside internet. Obviously we have a VPN which users can connect to and then receive policy updates from the SEPM server, but I would like clients to receive policy updates without connecting to the VPN. Sometimes users work remotely for several days, and they don't necessarily connect to the VPN. It would be helpful if they could still receive policy updates. I do not want the SEPM server to have a public IP either, for obvious reasons. Perhaps some sort of proxy located in the DMZ could act as a middleman to push policy updates to clients as long as they have internet access, since they can access the DMZ from anywhere.

I explored the idea of having a GUP client in the DMZ, but realized that GUP only sends out content updates, not policy. If there is any way at all to do this, I would really appreciate knowing. Every option will be considered, even paid solutions.

Thanks


Disabled Endpoints

I need a solution

We have disabled endpoints showing up in the console, can HI Policy solve this?


Application and Device Control Log Export - Inconsistent Timestamps

I need a solution

Hi everybody

I noticed that when exporting the "Application and Device Control Logs", there are two different time formats in the exported CSV file:

Format 1: 03/13/2018 10:29:40
Format 2: 04.03.2018  07:01:47

This, of course, is messing up the processing of these exports.
Is there anything that can be done to get one format only?

Cheers

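
Until the export itself is consistent, the practical fix is to normalise the column on the way in. The script below is an added example, not part of the post; it takes the two layouts quoted above and rewrites them to ISO 8601 so downstream tools see one format. It assumes the slashed form is month-first (03/13/2018 can only be that) and that the dotted form is day-first, as in German and Swiss locales; the CSV header names and the two sample rows are constructed, only the timestamp values come from the post. The separator decides which layout applies, so a dotted date such as 04.03.2018 is never parsed as 3 April by accident.

```python
import csv
import io
from datetime import datetime

# (separator found in the date part, strptime layout). Assumption: "/" dates
# are US month-first, "." dates are day-first as in de-CH style exports.
LAYOUTS = (
    ("/", "%m/%d/%Y %H:%M:%S"),
    (".", "%d.%m.%Y %H:%M:%S"),
)


def parse_sepm_timestamp(text):
    """Parse either export layout into a datetime, dispatching on the date separator."""
    cleaned = " ".join(text.split())          # collapse the double space in format 2
    date_part = cleaned.split(" ", 1)[0]
    for sep, fmt in LAYOUTS:
        if sep in date_part:
            return datetime.strptime(cleaned, fmt)
    raise ValueError(f"unrecognised timestamp layout: {text!r}")


def normalise_csv(text, column="Event Time"):
    """Rewrite one timestamp column of a CSV export to 'YYYY-MM-DD HH:MM:SS'."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        row[column] = parse_sepm_timestamp(row[column]).isoformat(sep=" ")
        writer.writerow(row)
    return out.getvalue()


# Constructed two-row export in the shape of an Application and Device Control
# log; the header and the non-timestamp cells are invented for the example.
SAMPLE_CSV = (
    "Event Time,Computer Name,Action,Rule Name\n"
    "03/13/2018 10:29:40,HOST-A,Block,Block USB storage\n"
    "04.03.2018  07:01:47,HOST-B,Block,Block USB storage\n"
)

if __name__ == "__main__":
    print(normalise_csv(SAMPLE_CSV))
```

If an export ever mixes a dotted date that is really month-first, the strptime call raises on day values above 12 but silently accepts the rest, so when the locale of the exporting console is unknown it is safer to fail the whole file on the first ValueError than to let half the rows through.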

Traffic has been blocked from this application: Device Association Framework Provider Host (dashost.exe)

I need a solution

Hi, I've just recently started having the problem of notifications coming up around every 10 minutes that say: Traffic has been blocked from this application: Device Association Framework Provider Host (dashost.exe).

A while back I had the same issue with svchost.exe and found a fix from a forum page which told me to change one of the settings in the firewall settings (I think it was unchecking "Enable network application monitoring"; not sure exactly because it was a while ago, but I'm pretty sure it was this).

Anyway, now I'm having the same message for dashost.exe and couldn't find any fixes for it. I've checked in Task Manager and dashost.exe is running from C:\Windows\System32, and a full scan shows no threats, so I don't think it is anything to do with a virus.


exclusions for userprofile or username variables

I need a solution

Testing out Symantec Endpoint Protection Cloud. How do you exclude %userprofile%\appdata\CustomApp for all users on all machines?


Memory Exploit Mitigation Heap Stacks blocking Office/Acrobat

I need a solution

Windows 7 SP1 Enterprise
Patched to May Security patches for all programs
Symantec Endpoint Protection 14.0.3897.1101
Exploit/IPS definitions June 8th, R1 and June 12th R2.

Blocked Attack: Memory Heap Spray attack against C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrobat.exe
Blocked Attack: Memory Heap Spray attack against C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE

Since late last week I have been seeing issues with memory exploit/IPS signatures shutting down legitimate programs before they can load; some common examples below:

Adobe Acrobat
Microsoft Office Word
Microsoft Office Excel
Internet Explorer

This is when opening the program, not when opening a document or when browsing to a webpage. This seems to only impact Windows 7.

So far I have experienced this on the following IPS definition versions:

June 8th R1

June 12th R2

The June 8th R61 definitions stopped the issue

Support told me to upgrade Office 2013 to 2016 throughout my entire organization and to not use IE, we do not have this option.

Any other users experiencing this? If so, have you found a safe version of IPS definitions to use until this is fixed?


SEP 12.1.7 on RHEL5 won't talk to SEPM 14.0.1

I need a solution

My RHEL6 and RHEL7 machines have no problem connecting to the management server running 14 and using the reverse proxy for LiveUpdates. My RHEL5 machines running SEP 12.1.7, on the other hand, cannot seem to communicate. I'm running the latest JRE. Installation and logs after the fact on SEP show no errors. However, the client never shows up in SEPM and the client is stuck in a "Malfunctioning" state, presumably because it cannot download definitions. How do I go about troubleshooting? The client I'm testing on is running RHEL5-11. It's a test machine so it's a fresh installation. I don't have ELS with Red Hat so other than manually installing the latest Java it's never been patched.

FYI - The LiveUpdate log indicates it's about to connect to the reverse proxy and download, but despite the lack of an error they don't install.


Strong configuration against ransomware

I need a solution

I wonder what would be the best configuration to protect against ransomware? What do you recommend enabling, etc.?


SEP blocking Web Services Discovery, should I allow?

I need a solution

Hi. I am having issues with annoying popups coming up every few minutes, saying SEP blocked application "svchost.exe". I have been using this PC with SEP for a little over a year now and I hadn't had this popup come up until yesterday. The only thing I remember changing at that time was setting up a Dropbox share folder, which I assume is unrelated from the information I show below.

I am on an unmanaged client.

I checked the Network Threat Protection logs, and have identified that the notification is coming from incoming traffic to port 3702, from an IPv6 address. The log tells me that the applied rule is Block Web Services Discovery.

Here is the exact log entry:

2018/06/14 10:10:44    遮断しました    3    着信    UDP    FE80:0:0:0:6152:E281:F972:22C8    28-16-AD-21-2F-0F    64489    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    3702    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    4    2018/06/14 10:10:20    2018/06/14 10:10:25    Block Web Services Discovery    

遮断しました = blocked, 着信 = inbound (I run on a  Japanese client. Sorry for the inconvenience)

I looked through other forum posts, and have figured out I can change this particular firewall rule to allow traffic, but I don't know if this is safe to do. So I want some expert advice on the matter.

I am currently suppressing the popups by turning off Network Intrusion Alert, but this is probably not ideal in the long term.

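
The entry quoted above has the signature of ordinary LAN discovery chatter rather than an attack: the destination FF02::C is the IPv6 link-local multicast group used by WS-Discovery (and SSDP), UDP 3702 is the WS-Discovery port, the source is a link-local fe80:: neighbour, and the receiving process is svchost.exe hosting the Windows discovery service. Blocking it costs only the ability of other hosts to find this machine's shared printers and devices; allowing it inbound is what Windows itself does on a Private network. The script below is an added example, not part of the post or of SEP, that parses the tab-separated Traffic log line into fields and classifies blocked inbound traffic as discovery noise, unknown multicast, or unicast worth a look. The column order is an assumption read off the posted entry (remote address, MAC and port before the local ones); the posted entry is reproduced with tabs restored, and the second entry is constructed to show the non-noise path.

```python
import ipaddress

# Well-known LAN discovery protocols: local UDP port -> (name, multicast groups).
# FF02::C / 239.255.255.250 are the WS-Discovery and SSDP groups.
DISCOVERY = {
    3702: ("WS-Discovery", {"ff02::c", "239.255.255.250"}),
    1900: ("SSDP/UPnP", {"ff02::c", "239.255.255.250"}),
    5355: ("LLMNR", {"ff02::1:3", "224.0.0.252"}),
    5353: ("mDNS", {"ff02::fb", "224.0.0.251"}),
}

# Assumed column order of the SEP Network Threat Protection "Traffic" log,
# inferred from the entry in the post (19 tab-separated fields).
COLUMNS = [
    "time", "action", "severity", "direction", "protocol",
    "remote_ip", "remote_mac", "remote_port", "local_ip", "local_mac", "local_port",
    "application", "user", "domain", "location",
    "occurrences", "begin", "end", "rule",
]

# The entry from the post, with the tab separators that the forum flattened.
POSTED_ENTRY = "\t".join([
    "2018/06/14 10:10:44", "遮断しました", "3", "着信", "UDP",
    "FE80:0:0:0:6152:E281:F972:22C8", "28-16-AD-21-2F-0F", "64489",
    "FF02:0:0:0:0:0:0:C", "33-33-00-00-00-0C", "3702",
    "C:\\Windows\\System32\\svchost.exe", "LOCAL SERVICE", "NT AUTHORITY",
    "Default", "4", "2018/06/14 10:10:20", "2018/06/14 10:10:25",
    "Block Web Services Discovery",
])

# Constructed entry (not from the post): a blocked inbound RDP attempt from a
# non-private address, which should never be filed as discovery noise.
CONSTRUCTED_ENTRY = "\t".join([
    "2018/06/14 11:02:10", "Blocked", "10", "Incoming", "TCP",
    "203.0.113.5", "00-00-00-00-00-00", "51234",
    "192.168.1.20", "28-16-AD-21-2F-0F", "3389",
    "C:\\Windows\\System32\\svchost.exe", "NETWORK SERVICE", "NT AUTHORITY",
    "Default", "1", "2018/06/14 11:02:10", "2018/06/14 11:02:10",
    "Block all other IP traffic",
])


def parse_traffic_line(line):
    """Split one Traffic log line into a dict keyed by COLUMNS; ports become ints."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} tab-separated fields, got {len(fields)}")
    rec = dict(zip(COLUMNS, fields))
    rec["remote_port"] = int(rec["remote_port"])
    rec["local_port"] = int(rec["local_port"])
    return rec


def classify(rec):
    """Label an inbound entry by where it came from and what it was addressed to."""
    src = ipaddress.ip_address(rec["remote_ip"])
    dst = ipaddress.ip_address(rec["local_ip"])       # str() gives the compressed form
    name, groups = DISCOVERY.get(rec["local_port"], (None, set()))
    on_link = src.is_link_local or src.is_private
    if name and str(dst) in groups and on_link:
        return f"discovery-noise:{name}"
    if dst.is_multicast:
        return "multicast:unknown-port"
    return "unicast:review"


if __name__ == "__main__":
    for line in (POSTED_ENTRY, CONSTRUCTED_ENTRY):
        rec = parse_traffic_line(line)
        print(rec["rule"], "->", classify(rec))
```

Run over a whole exported Traffic log, the classifier separates the handful of rules whose notifications are worth keeping from the discovery rules that only need the "notify" option switched off, which keeps the block in place without giving up Network Intrusion Alert entirely.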

Do replication partners require separate license files?

I need a solution

Hi,

I am configuring an environment where a SEPM will have several replication partners.

My question is, does each replication partner require a unique license, or is the license applied to the primary SEPM shared with all replication partners?

Thanks.


Add/Customize Summary in Monitors Page

I need a solution

Hello dears,

I would like to have more graphics and to customize the Summary in the Monitors page for my Symantec Endpoint Protection Manager console.

How can I do it? I could not find anything.

Please, any idea?

Thanks


Security on Windows XP computers.

I need a solution

Hello, asking for your advice.

We have a production line that uses several computers running Windows XP. Those computers don't have SEP installed and no Windows security patches installed; they are connected to each other using a switch and use a particular network segment (192.168.x.x). The production line uses an application that does not work in Windows 7 or Windows 10. These computers don't have internet access; it is only a local LAN for the production line.

We also have a Windows 7 computer that has two network cards: one is connected to the switch described above and the other is connected to the switches that have internet access. One network card uses an IP address in the 192.168.x.x segment and the other uses an IP address in the segment that has internet access (they are different). This computer has SEP installed and Windows security patches installed. The reason for having different segments was that the computers inside the production line have XP and we don't want to connect them to the "main network" that has internet access, to avoid a security risk. Is our "main network" that has internet access secure, knowing that we have an old OS and no SEP installed on the computers located in the separate network segment, and the separate segment is only reachable by the computer that has the 2 network cards?

Thanks


Full Scan Schedule at night -- what if the computer is offline?

I need a solution

What is the behavior if a full scan is missed because the system is offline? What is the behavior in Symantec for these scans? Scan upon login? etc. From the looks of it, the scan just simply gets missed.

J


Upgrading SEPM - Where to find installation package?

I need a solution

I have SEPM 14 MP1 installed and I want to upgrade to latest version 14 RU1 MP2.

I went through the guides and information on the symantec page, but I still have a question left.

Do I need to purchase a new license key for this upgrade, or can I download the installation files from my SEPM server?

If so, where can I get the installation package without purchasing a new license?


SEP 14, Exporting data to MULTIPLE Syslog servers

I need a solution

Hi,

Is it possible to configure the management console to export data via Syslog to two downstream databases (for example a SIEM and another application)?

Thanks,

Tim

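
SEPM's External Logging settings take a single syslog host and port, so the usual way to feed two consumers is to point SEPM at a relay that re-sends each datagram to every destination (rsyslog or syslog-ng with two forwarding actions does the same job). The script below is an added example, not part of the post or of SEPM: a minimal UDP syslog fan-out that accepts only datagrams with a valid RFC 3164/5424 PRI prefix, forwards each one unchanged to every configured destination, and keeps going when one destination is unreachable. The destination host names are placeholders, and the sender hook exists so the forwarding logic can be exercised without a network.

```python
import re
import socket

# A syslog datagram starts with "<PRI>" where PRI = facility*8 + severity, at most 191.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def looks_like_syslog(datagram):
    """Reject anything without a well-formed PRI prefix before it is replayed."""
    m = PRI_RE.match(datagram)
    return bool(m) and int(m.group(1)) <= 191


class SyslogFanOut:
    """Receive each datagram once and re-send it byte-for-byte to every destination."""

    def __init__(self, destinations, send=None):
        self.destinations = [(host, int(port)) for host, port in destinations]
        self._sock = None
        # `send(datagram, (host, port))` is injectable so tests can capture deliveries.
        self._send = send or self._udp_send

    def _udp_send(self, datagram, dest):
        if self._sock is None:
            self._sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._sock.sendto(datagram, dest)

    def forward(self, datagram):
        """Return how many destinations accepted the datagram (0 if it was not syslog)."""
        if not looks_like_syslog(datagram):
            return 0
        delivered = 0
        for dest in self.destinations:
            try:
                self._send(datagram, dest)
                delivered += 1
            except OSError:
                continue   # one dead consumer must not starve the others
        return delivered


def serve(listen=("0.0.0.0", 514),
          destinations=(("siem.example.net", 514), ("app.example.net", 1514))):
    """Listen for SEPM's syslog stream and fan it out; host names are placeholders."""
    relay = SyslogFanOut(destinations)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            datagram, _ = sock.recvfrom(65535)
            relay.forward(datagram)


if __name__ == "__main__":
    serve()
```

Two caveats that matter once this is in front of a SIEM: the consumers see the relay's address as the sender, not SEPM's, so any source-based parsing rule has to key on the hostname inside the message instead; and UDP gives no delivery guarantee, so if SEPM is configured for TCP syslog the relay needs a TCP listener and per-destination reconnect logic rather than this datagram loop.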