Channel: Symantec Connect - Endpoint Protection - Discussions

Tamper Protection Scan blocking legitimate application.

I need a solution

Hi, 

I have agent behaviour logs as follows:

2018-07-03 09:19:58,Minor,SCTX0100,,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3752.1000.105\Bin\ccSvcHst.exe,,Begin: 2018-07-03 09:19:58,End: 2018-07-03 09:19:58,Rule: ,2748,C:\PROGRAM FILES\LUMENSION\LEMSSAGENT\00\LMHOST.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3752.1000.105\Bin\ccSvcHst.exe,User: SYSTEM,Domain: ,Action Type: 55,File size (bytes): ,Device ID: 

I have already added a tamper exception; however, I am still receiving a huge number of events. Servers are having 13000+ events for this block. Refer to the event logs from the server as well.

  • Scan type: Tamper Protection Scan
  • Event: Tamper Protection Detection
  • Security risk detected: C:\PROGRAM FILES\LUMENSION\LEMSSAGENT\00\LMHOST.EXE
  • File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.2415.0200.105\Bin\ccSvcHst.exe
  • Location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.2415.0200.105\Bin
  • Computer: SAPP0630
  • User: SYSTEM
  • Action taken: Access denied

Please suggest solution.


Insight Cache - Can it run on SEPM server?

I need a solution

Is it not advised to run an insight cache server on the SEPM server or is it ok to do this?

Watson


XP Machines not communicating to SEPM 14 via HTTPS

I need a solution

Hello.
I did as specified in TECH236004:
Installed 12.1 legacy client on a computer with Windows XP, and TLS 1.0 is enabled in Internet Options (TECH231025)

But the SEP agent does not connect to SEPM. Error "<ParseErrorCode:>12029=>The attempt to connect to the server failed.".
If I use HTTP communication settings (port 8014), the connection is established successfully.
Telnet to SEPM on port 443 passes successfully.


Check Your Router for VPNFilter

I do not need a solution (just sharing information)

Just raising awareness:

Symantec Launches Quick Online Tool to Help Consumers and Enterprises Detect Recent VPNFilter Malware on Routers
http://investor.symantec.com/About/Investors/press-releases/press-releas...

That free online tool:

Check Your Router for VPNFilter
http://www.symantec.com/filtercheck/

Security Response blog - much good detail:

VPNFilter: New Router Malware with Destructive Capabilities
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

AV and IPS signatures designed to block VPNFilter:

Linux.VPNFilter
https://www.symantec.com/security-center/writeup/2018-053113-3755-99

System Infected: VPNfilter Activity 2
https://www.symantec.com/security_response/attacksignatures/detail.jsp?a...


SEP 14.2 Firewall Rules Crash after system rebooting

I need a solution

At the moment, I am testing the SEP unmanaged client DarkNet (14.2.758 RU) and have a problem with Firewall Rules (the same problem occurred when I tried to use the English version of the unmanaged client 14.2, both clean and roll-over installation, on Win7x64 Rus and Win10x64 Rus, with Application Hardening disabled or enabled - all results negative).

About the problem: I made a new test Firewall Rule named Block All Tested, which should block all activities, moved it up in the rules box and approved it. I checked it on various browsers (IE11, Chrome and Slimjet), an e-mail client (Windows Live) and AdGuard software - all of them were blocked by the above rule. But after rebooting my system, I checked these applications again and found that they were going out to the net without any blocks, and these activities were not written into the logs. I enclosed two screenshots from the system logs (Russian and English).

As far as I know, the same problem occurred with many users of the standalone SEP client; the previous version SEP 14.01 MP2 did not have such a problem. Unfortunately, I do not have license information for my test unmanaged client, so I could not receive Symantec Support assistance. I kindly ask the community for assistance in my matter, or probably Symantec Support will also take this case for correction, because it looks like in 14.2 the firewall is a sieve. Also, to all who use the unmanaged client: please repeat my experience, and probably you will be lucky. For a little more information I enclosed a few screenshots. Waiting for your comments.


Reputation Detection

I need a solution

Hi

We have a group of developers whose code is being caught by the Reputation mechanism.

On the one hand, I don't want to disable the reputation detection, but on the other hand, I'd like them to be able to do their job.

What would be the best way to achieve that?

Thanks


SEP has covered OSX.dummy malware?

I need a solution

We use SEP for MacOS.

Some articles mentioned there was malware called "OSX.dummy" for macOS.

How can I know whether my SEP has covered this malware or not?

Thanks in advance.


terminal scan results

I need a solution

It will be great if a manual scan from sav (linux) can return scan results in the terminal. You can implement it as a configuration switch.

If I run "sav manualscan -c /tmp" I don't see the scan results in the terminal (I can see them in the syslog file).

The results should be something like this (the same info I can see in the log file):

Scan Complete:  Threats: 1   Scanned: 1   Files/Folders/Drives Omitted: 0

Threat Found!Threat: EICAR Test String in File: /tmp/eicar/eicar.com by: Manual scan.  Action: Quarantine succeeded.  Action Description: The file was quarantined successfully.

More info on the post below:

https://www.symantec.com/connect/forums/sav-linux-dont-return-scan-result


How to whitelist a whole installer like .NET ?

I need a solution

Hi, 

I'd like to know if there is a way to whitelist an entire installer.

I'm trying to install .NET framework on some machines, but SEP is blocking my install. 

The problem for me is that the installer generates many temp files and other executables that are excluded after the install. So it's kind of hard to get the MD5 of these ones.

Are there any tools with which I can whitelist the installer? Or any tool that can capture all these files and generate MD5s for them?

Thanks in advance.

Mari


How to update virus definition in SEP

I need a solution

I have a client that has a problem downloading virus definitions from the console. How do I manually update the virus definitions for this client?

The best way for me would be to copy the current package and paste it into the client folder; how do I do that?


SEPM add local Hash exception capability

I need a solution

Our company writes a lot of in-house software that's only used in-house. I need a way to add exceptions based on the hash values the programmers send me instead of leaving entire directories unprotected. Each programmer has their own style of organizing their code, and getting them all to use the same directories is an impossibility.

Submitting every recompilation to Symantec's false positive site and waiting for it to be exempted is not functional.

I need a quick way to add an exemption based solely on the file's hash/name.

Thank you,


Can not find option to change mail server

I need a solution

Hi, I go to Console - Admin but there is no Server tab there to change the mail server. Thanks


Stop downloading virus definitions

I need a solution

The policy setting is that if the GUP is not found, updates are fetched from the console (SEPM). The process of downloading the virus definitions was started, which we could identify in the Windows Resource Monitor, but we need to stop this process; is that possible?

Is it possible to stop downloading virus definitions after they have started?


Any idea what faults.qalabs.symantec.com is? SEP 14.0 MP2

I need a solution

Hi everyone,

Whilst looking at client access to the Internet, we found a lot of clients attempting to go through the proxy to this URL: faults.qalabs.symantec.com

When you ping the DNS name it does not exist, but all of our clients try to access it regularly.

Does anyone know what this is for, why the SEP client is trying to access it, and most importantly, why Symantec don't have it pointing to anything valid anymore?

This site, https://support.symantec.com/en_US/article.HOWTO98461.html, refers to the list of sites the SEP client requires access to, and it is included here.

Cheers,

Steve.


difference between various products

I need a solution

What is the difference between Symantec Endpoint Protection Cloud 14 and Symantec Endpoint Protection Client 14?


Advantage Database Application failing after 14.2 Update

I need a solution

I'm having a strange problem after updating our server and clients from 14.1 to 14.2.

Our 2 Windows 10 Pro workstations can no longer access our backoffice software, which uses Advantage Database Server 10.10.  They both worked the day before the Endpoint update.  They both failed since the update.  Now I get Error 7077: The Advantage Data Dictionary cannot be opened.

The Windows 7 Pro and 8 Pro workstations are still functioning normally.  Any ideas?

Stuart


SEP14 client syslinked to SEPM12 not updating

I need a solution

Hi, we will upgrade our SEPM (currently 12) and SEP clients to version 14.x.

We started by upgrading all clients using the Install Package, and everything went mostly fine until we realized that all SEP 14 clients were not receiving virus definitions... So it may have something to do with a sylink communication issue.

I searched around and started the Sylink log using the Symdiag application and got a log from a SEP14 (that won't update) and a SEP12 (that is updating).

I'm attaching both logs, but basically what I have realized is that on SEP14 one of the requests is not working... It says 500 Internal Server Error, and it actually does show that error if opened in a browser...

This is from the SEP14 that is NOT updating..

07/09 17:41:35.325 [776] <mfn_MakeGetAtpInfoFileUrl:>Request is: action=66&hostid=FDF1C91B0A010FA401C34A452A2C89B2&chk=80A45937DBAFE0E01959B31DB20BE4E0&ck=BCDF81853552D4135C4DDF3BD25F7887&uchk=C6D51752C51A8CCC58128A17FB158614&uck=916E2D26EA9437C464813018FBF78CA0&groupid=63C8BCAC0A0166DD0085D9A47C304551&ClientProductVersion=14.0.3929.1200&as=12970&cn=[hex]3130304A504F4E4345&lun=[hex]4A504F4E4345&udn=[hex]47504F4445414345524F2E434F5250
07/09 17:41:35.325 [776] </CSyLink::mfn_MakeGetAtpInfoFileUrl()>
07/09 17:41:35.325 [776] <mfn_SendRequestToServer:>http://antsymda.GPODEACERO.CORP:8014/secars/secars.dll?h...
07/09 17:41:35.325 [776] <InternetCallback> HttpOpenRequest; Internet status: 60; CtrlBlk: 07B99968
07/09 17:41:35.325 [776] 17:41:35=>Send HTTP REQUEST
07/09 17:41:35.331 [1360] <InternetCallback> HttpSendRequest; Internet status: 100; CtrlBlk: 07B99968
07/09 17:41:35.345 [776] AH: (InetWaiting) bFinished is TRUE on CtrlBlk: 07B99968
07/09 17:41:35.345 [776] 17:41:35=>HTTP REQUEST sent
07/09 17:41:35.345 [776] <mfn_SendRequestToServer:>SMS return=500
07/09 17:41:35.345 [776] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
07/09 17:41:35.345 [776] HTTP returns status code=500
07/09 17:41:35.345 [776] <GetAtpInfoFileRequest:>RECEIVE STAGE COMPLETED
07/09 17:41:35.345 [776] <GetAtpInfoFileRequest:>COMPLETED
07/09 17:41:35.345 [776] </CSyLink::GetAtpInfoFileRequest()>
07/09 17:41:35.345 [776] Failed to download the ATP information file from SEPM. Error: 4
07/09 17:41:35.345 [776] <GetIndexFileRequest:>COMPLETED
07/09 17:41:35.345 [776] <IndexHeartbeatProc>GetIndexFile handling status: 0
07/09 17:41:35.345 [776] <IndexHeartbeatProc>Switch Server flag=0
07/09 17:41:35.347 [776] HEARTBEAT: Check Point 5.1

This URL (from the log) is showing a 500 INTERNAL ERROR:

http://antsymda.gpodeacero.corp:8014/secars/secars...

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Any suggestions?

I'm also attaching a SEP12 (working) log just for reference... both in one zip.


Windows 2016 R2 compatibility with SEP 14

I need a solution

Hi,

I can see that Windows 2016 is a supported OS in SEP 14 MP1, however I can find no reference to Windows 2016 R2.  Does anyone know if SEP 14 supports Windows 2016 R2 as a server OS and also the Hyper-V version?

Thanks

Chris


diff bw Trojan.Gen.6 & Trojan.Gen.9

I need a solution

Hi, what is the difference between Trojan.Gen.6 and Trojan.Gen.9?


File reputation lookup alert

I need a solution

Recently, for no apparent reason, I started getting email alerts for File Reputation Lookup Alert. The exact error in the email says "Reputation check for unproven files failed because of network errors for the last 3 days." Over the last 2 weeks I've now gotten an email alert for about 50% of the computers on my network. Every one of the computers has network access. If I look in the logs on those clients I see nothing out of the ordinary and everything is up to date. I found an older post that led me to a Symantec connections page to test connectivity, and they all work as expected. Does anyone know the solution to this besides disabling Insight altogether?

All clients are Windows 7 Professional x64

All clients are version 14 MP1 build 2349

Thanks
