Channel: Symantec Connect - Endpoint Protection - Discussions

Symantec Firewall Occasionally Blocking Google IPs/Services

I need a solution

Hi,

I have Symantec 14.0.3929.1200 running on a Windows 2012 server with mainly Windows 10 clients running the same version of Symantec.

Many times a day during normal usage, the client machines get a pop up saying that a specific IP was blocked. These IPs are all owned by Google and are for their services that a computer's Chrome browser is using (such as Hangouts, Drive, Gmail, etc.). When this happens, the user cannot access the specific Google service for 600 seconds.  This only seems to happen a few times a day. For most of the day, the computers have no problem accessing & using Google services.

I know that I can change the time that Symantec blocks IPs, but I don't want to make it shorter than 600 seconds in case there is another intrusion that is actually a threat.

Under Policies - Intrusion Prevention - Excluded Hosts, I've added several Google IPs (173.194.205.189, 173.134.204.189, 172.217.10.227, 172.217.11.14, 209.85.232.189, etc.), but I feel that no matter how many IPs I exclude, a new Google IP will be blocked. Is there a fix for this, or did I miss something during setup for Symantec to allow Google services/IPs?

Any help/ideas would be appreciated.

Thank you!


SEP 14 RU2 - Memory Exploit Mitigation policy

I need a solution

Just upgraded the SEPM to 14 RU2 Refresh Build and noticed that I cannot withdraw the Memory Exploit Mitigation policy, but in 14 RU1 it was possible. This environment has only servers, no workstations, so I don't want the MEM policy in the groups. Of course I disabled it, but I don't want it assigned.

Getting the attached error. 

@Symantec support - is this something new, by design or again some bug?


Action field values for Endpoint Protection 14

I need a solution

Hi all

Reviewing our logs, we have found a virus alert that SEP14 has the Actual Action listed as "Place". We are not able to determine what this means in simple terms.

Any help?

Thanks.


Should we block Suspicious hash Values from Threats using ADC?

I need a solution

We have multiple Application & Device Control (ADC) Policies. Against any threat advisory we generally get multiple file fingerprints (MD5/SHA256). Thus, it's cumbersome to block all file fingerprints one by one in all ADC Policies.

1. Is this the best practice to block hash values one by one?

2. Do we need to block these hashes?

Eg: Threat Advisory: 180709.1 - Hide 'N Seek (HNS) Botnet

Recommendations

  • Please block the below Hashes in your IPS, and use your Endpoint monitor tool to monitor the below IOCs:
    • d69ff15cff8bd25698d8bb33de044c34353d74ef801338ee3e67e7d7524f8078
    • 24b89e36e12166f613edb61909d1192dbd918c2eac45d3a75a588ec24a4e2a36

Also, kindly find the hard-coded P2P peer address list (attached).

What action should be done in such cases?


Networking Still Broken

I need a solution

I can't seem to get a user's VM networking to be restored after removing Symantec (he did not have a virus or anything; we were having issues with SEP blocking something, so I ran the cleanwipe with no luck)...

* I have tried netsh int ip reset

* I have tried the cleanwipe exe

* I have done everything I can in the https://support.symantec.com/en_US/article.TECH161956.html 

* I have removed all networking devices and still get nothing

* the following processes are still running:

System (4), DLL, C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Definitions\IPSDefs\20180711.061\IDSvia64.sys, 0xfffff801f3d20000
svchost.exe (1032), File, C:\Windows\System32\winevt\Logs\Symantec Endpoint Protection Client.evtx, 0x2c4
explorer.exe (3600), DLL, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin64\vpshell2.dll, 0x66b70000
explorer.exe (3600), DLL, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin64\msvcp110.dll, 0x7ff8d5df0000
explorer.exe (3600), DLL, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin64\msvcr110.dll, 0x7ff8d1b40000
explorer.exe (3600), DLL, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin64\ccLib.dll, 0x66a40000
explorer.exe (3600), DLL, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin64\srtsp64.dll, 0x7ff8d1a90000

* I managed to prevent any of the following services from running:

CAF, Symantec CAF Service, Own process, Stopped, Disabled, 
SISIPSService, Symantec Data Center Security Server Agent, Own process, Stopped, Disabled, 
SISIDSService, Symantec Data Center Security Server IDS Agent, Own process, Stopped, Disabled, 
SISIPSUtil, Symantec Data Center Security Server Utility, Own process, Stopped, Disabled, 
SymELAM, Symantec ELAM Driver, Driver, Stopped, Disabled, 
SepMasterService, Symantec Endpoint Protection, Own process, Stopped, Disabled, 
ccSettings_{10F84D40-0354-414C-90C4-EB8CFFAB0192}, Symantec Endpoint Protection 14.0.3929.1200.105 Settings Manager, Driver, Stopped, Disabled, 
Teefer2, Symantec Endpoint Protection Firewall, Driver, Stopped, Disabled, 
eeCtrl, Symantec Eraser Control driver, Driver, Stopped, Disabled, 
SymEFASI, Symantec Extended File Attributes (SI), FS driver, Stopped, Disabled, 
SymIRON, Symantec Iron Driver, Driver, Stopped, Disabled, 
SNAC, Symantec Network Access Control, Own process, Stopped, Disabled, 
SYMNETS, Symantec Network Security WFP Driver, Driver, Stopped, Disabled, 
SRTSPX, Symantec Real Time Storage Protection (PEL) x64, Driver, Stopped, Disabled, 
SRTSP, Symantec Real Time Storage Protection x64, FS driver, Stopped, Disabled, 
SymEvent, SymEvent, Driver, Stopped, Disabled, 


"Configure Unmanaged Detector" export

I need a solution

We have 4 machines set up as Unmanaged Detectors. Each machine has several entries.

These 4 machines are due to be rotated out of service very soon.

My question: is there a way to export the entries in the current Unmanaged Detectors and import them into the "soon-to-be" Unmanaged Detectors?

Thanks very much for any insight you can provide!


Client Deployment Wizard Logs or Debug

I need a solution

Hi, I have around 2500 14.x endpoints reporting to a SEPM12 console.. For wrong reasons we first upgraded clients using package deployment on the SEPM12..

Now we have a brand new SEPM14 where we will manage most of our Endpoints and will leave some on the old SEPM12...

The problem is when I try to use the Client Deployment Wizard on SEPM14, either for updating the sylink settings or for deploying new Endpoints to new PCs, I get a "Failed" status on every PC..

I have searched the Logs on the Endpoint on the %TEMP% folder, also looked for new logs on the server on the %ApplicationData%/Symantec/Symantec Endpoint Manager/CurrentVersion/etc/etc/etc and could not get them..

I need to know what's going on on the Server or Endpoint and the reason that the Deployment fails...

Note: If I try to deploy using the SEPM12 (to report to SEPM12) it works... If I try to deploy a Saved Install package (with SEPM14 sylink or just the Sylink) using the SEPM12, it WON'T work..

What I need is an effective way to change Sylink from SEPM12 to SEPM14 and also deploy new SEP14 from SEPM14 console.. 

Also, if I manually go there and replace the sylink.xml on the Endpoint, it will work... The problem is doing it remotely from either SEPM12 or SEPM14 console...

Any suggestions?


Moving clients to the other server

I need a solution

I need to move clients, the SEPM server has a different IP address and another host name.

Old server: srvapp150 - 14.2 (14.2.760.0000)

New Server: shv-vapp05 - 14.2 (14.2.760.0000)

I tried it using this article: https://www.symantec.com/connect/articles/how-move-sepm-one-server-another-server 

3) SEPM server has a different IP and different hostname.

2. Follow disaster recovery method & create a new MSL, as per the following:

  1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Articles below) to backup and reinstall SEPM on MACHINE_2
  2. Log in to the old SEPM on MACHINE_1
  3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
  4. Click Add > Priority and a new Priority would get added named as "Priority2"
  5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
  6. Clients will then move from old SEPM to new one gradually
  7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
  8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
  9. Uninstall SEPM from MACHINE_1

But I get an error on the client: peer certificate cannot be authenticated with given CA

 

How can I solve this problem?

 


SEP12 to SEP14

I need a solution

Hi,

I am moving from SEP12 to SEP14 and I am building a new server and database for SEP14.

What's the best way to upgrade the clients? Currently they are v12 pointing to server A. I want them to all be SEP v14 and pointing to server B.

Thanks!


Auto-Protect Malfunctioning Ubuntu

I need a solution

Hi,

We have several Ubuntu virtual machines running 16.04 and 14.04 with SEP 14.2 (managed by SEPM) installed on them; however, on each one the Auto-Protect module is reporting as malfunctioning. The version of SEP we are installing is the managed version: 14.2.758.0000.

So far we've tried the following:

1. Reinstall and reboot

2. Install / update of build essential packages (libc6:i386), recompile AP module, reboot

3. Various combinations of the above

Does anyone have any ideas please on how to get AP working?

Thanks,

James


Port Configuration

I need a solution

Hi, I have a doubt about the configuration of the ports of the central SEPM 14.2 that I am installing. It's not clear to me if the 8447, 8765 and 1100 ports have to be configured on the perimeter firewall or if they are only to be configured on the SEPM server local firewall. In particular, it is not clear to me if port 8447 is used to perform operations with elevated privileges from console to clients or only on the SEPM server.

Thank you

Crashes Mac 10.13.6 with Adobe CC InDesign 2018

I need a solution

Open Adobe InDesign CC 2018 and Mac OS 10.13.6 crashes because of Symantec Endpoint 14.1. I uninstalled SEP 14.1 and installed SEP 12.1.7 and InDesign works. I had the same problem with El Capitan 10.11 and Symantec Endpoint 14.1. I would like Mac users on SEP 14.1.


Manager reports no longer readable - javascript toggle/collapse

I need a solution

Hi,



After installing the latest version 14.2.758.0000, all reports sent from the manager that contain collapse/toggle items are no longer able to be viewed.

Tried the browsers, IE, FireFox, Brave and Chrome.



Is this a known issue? Is there a workaround (without reading the source code)?

 


How to Install Symantec Endpoint Protection for Raspbian on Raspberry PI 3B

I need a solution

I have installed Raspbian for Raspberry PI 3B and I have tried to install Symantec Endpoint Protection for this.

When I install with ./install i, Symantec Endpoint Protection needs to check the environment and shows these messages to me:

- You need install 32bits glibc library - Where can I install it? I have tried other ways, but can't install it

- you have missing X11 library - Where can I install it?

Please help me

Thanks.


Creating a Legacy Installer in SEPM 14

I need a solution

In our environment, we have several Windows 2003 servers. We are working to update them, but it will take some time. We want to make sure that these devices are safe while we go through the upgrade process.  We have an old 12x SEPM server that will be going away soon due to the license expiring. I'm trying to figure out how to get an installer for Server 2003 machines so they are added to SEPM 14x. I'm currently installing the machines onto the SEPM 12x server and then using a communication package to have them talk with our new SEPM 14x server, but I'd like for them to directly install on the SEPM 14x server since the 12x server will be going away soon.  Any help would be appreciated.


Any issues with upgrading to ver 14.2?

I need a solution

That's been out for a while I think.  Any issues with Windows 10 versions or Macs for the client or for ver 14.2 SEPM?


Endpoint Protection Manager not working after reinstalling .NET Framework 4.7.2

I need a solution

After repairing .NET Framework 4.7.2, SEPM no longer works.

I try to log in, and it keeps giving me "Unexpected Server Error".

I made sure all of the Symantec related services are running, ran the dbvalidator and it gave no errors. I haven't run the repair for SEPM at this point.

I'm not sure what the problem is, but please let me know what log files I need to provide if anyone can help.

Thank You.


14.2 compatibility

I need a solution

Can 14.2 clients be used with a 14.0 RU1 MP1 SEPM? Are there any known compatibility issues?


Regular expression tester

I need a solution

Hello, I recently started some activities in SEP's ADC, and one of them was to try to optimize and simplify the rules using regular expressions; however, Symantec has its own regex notation.

I opened case 15148396 regarding questions about its use, since Symantec has its own notation but does not have a validator for these expressions. As a result, I can only validate whether an expression is correct by testing its effectiveness, but I cannot determine where the error is (debug), depending on its complexity.

Would it be possible for Symantec to make available its own tool for this type of validation? That way we avoid lab tests inside the engine itself.

Thank you.


SEPM now needs Windows Server??

I need a solution

Apparently I need to read documentation.  I let this one slide.  I just purchased licenses for a small biz client that has a PC acting as the server, and planned to put SEPM on there.  Nope it says, has to be Server 2008 or above.  

Ok so my fault for not keeping up with the Joneses apparently.  Now, is there any scenario where I can manage clients, using SEP 14.2, and not have a SEPM? I haven't yet looked into the cloud portal thing.  I have plenty of customers running SEP SBE and SEPC, but have not yet put any SEP customers' SEPMs into version 14.1 or the cloud portal or whatever it is.  

If no option exists, that sucks.  I'm willing to go with an older release of SEP while I advise my customer that I screwed up and they now need a server (or I eat the cost of SEP and just go with SEPC), or something.  

Please let me know my options, thanks!
