Channel: Symantec Connect - Endpoint Protection - Discussions

Security Notifications Delayed Due To Replication Interval

I need a solution

Hi All,

You know how SEP client communication settings can be set to immediately upload security events to the SEPMs? We use this feature to enable "near real-time" notifications of security events for all of our customers via a SIEM.

This capability is controlled via a checkbox located under the client Communication settings:

Accelerated Heartbeat Setting

I need to know whether or not a similar capability is built into the replication settings for additional sites, so that security events from the second (and third and fourth...) site(s) can be "accelerated" back to the main site and thereby reported out in near real-time.

I can learn to live with logs that are several hours old, but I need (close to) immediate notifications for security incident response purposes. Without such an explicit mechanism, I have to assume that security events will simply sit in the remote site's database until replication occurs, which, of course, would be a total deal-breaker since notification is one of our key features.  :(

In the absence of this "accelerated heartbeat" option, if we could keep SYSLOGGING in place for our SIEM and add SYSLOGGING for our second (and third and....) site, then this could be a viable work-around, but I can't find any documentation on such a capability as this either. Might there be other viable work-arounds?

Thanks in advance for your astute insights!

Mark

Using Custom intrusion prevention for anomalous traffic.

I need a solution

Hello,

I just finished up a support case with Symantec and they told me this cannot be done. But I'm still going to ask in case anybody has any experience doing this and found a workaround.

Basically, what we want to do is use custom intrusion prevention signatures to monitor all traffic going to port 80 and 443 that is not produced by browsers. To do this, we thought that at signature creation we could filter by process, as the process name and full path are shown when the alert is created. I.e., don't alert us if the connection is generated by iexplorer.exe or chrome.exe or firefox.exe. Unfortunately, I have been told that this cannot be done.

So I'm wondering if anyone has tried something similar in the past and what the results were.

Safe to say our organization is big enough and just activating the signature to check port 80 and port 443 would probably kill SEP DB in minutes.

Thoughts?

Kind regards,

Upgrading hard to reach SEP clients

I need a solution

Hi,

We're a large site and have successfully upgraded 99.9% of our workstations to SEPv14 but still have 40 or so laptops on SEPv12. They are all remote and only come online intermittently on the VPN, when they will check into the old SEPM. We’re struggling to update these with our usual methods. We’re now wondering if there's some way we can set the old SEPM to install the new SEPM client? Or set it to move them over to the new SEPM for management when they check in?

In the meantime I've set Live Update Policy on the old SEPM so clients go direct to Symantec for defs if we can't move them over. Is there more we should be doing for any clients that get left behind?

Appreciate any help.

Thanks

How to download only new updates

I need a solution

Hello

I have Symantec Liveupdate Administrator set up and running well. There is only one thing that bothers me.

I download updates once a week and every time Liveupdater is downloading 18 GB of updates.

I have tried to change options in:

Configure > Preferences > Purge updates in Manage Updates folder > Rule: Older than 1 revisions back

or

Configure > Preferences > Purge updates in Manage Updates folder > Retrieved more than 7 days ago

And nothing changed.

How do I set up Liveupdater so it will download only new updates (checking what I have already downloaded), not the WHOLE database?

Best regards
Sebastian

Access of VPN Client to LAN network

I need a solution

We are trying to allow access to the LAN network through VPN from a SEP client but have not been successful, even after disabling the firewall policy. Before installing the SEP client on our computers, we didn't have an issue with VPN to LAN access and we were able to access resources within the LAN network. With SEP installed, we are able to connect to the VPN but can't access the internal network. Is there a way to enable VPN access to resources within the LAN network?

settings possible to get a better network performance with installed IPS ?

I need a solution

Windows server 2012 R2 Standard

Network 10 Gbps

Sep 14.2.758.0000 installed

Installed feature :  Virus spyware and basic download protection, advanced download protection, sonar protection, intrusion – prevention

Virus and Spyware Protection Policy, scan files on remote computer are not active


Test with iperf3:
without Symantec client installed: 4.41 Gbits/sec
IPS disabled: 3.56 Gbits/sec
IPS enabled: 1.59 Gbits/sec

Any special settings to get better performance?

Does SEP detect Hermes V2 Ransomware?

I need a solution

Hello everyone. Can anyone please tell me if SEP 14 detects Hermes V2 Ransomware? Is there a signature for it?

Appreciate your response. Thanks

updateagent.dll Detection

I need a solution

Have there been any known false positives with SEP 14 detecting updateagent.dll as Trojan.Gen.NPE.2? I know there was a known false positive for sechealthui.exe recently. Basically, my question is: has anyone else experienced this recently, and does anyone know if Symantec is aware already, or should I submit a report?

Risk name:Trojan.Gen.NPE.2
Risk severity:1
Discovered:12/20/2016 00:00:00
Download site:N/A
Downloaded or created by:N/A
File or path:C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.16299.245_none_bacd821279b53501\updateagent.dll  
Application:updateagent.dll
Version: 
File size:199729
Category set:Malware
Category type:Virus
SHA-256 Hash:C940426955135B9690FD7AD0ABBE62E75D2DDC26A2A232BC60FE0DEF81AE2F7D
SHA-1 Hash:C724F3E7A509D8FFA114448F2913C857292B0B1D
MD5 Hash:74016824F3F7C55082DFB52C7556DF32
Company:N/A
Certificate issuer:N/A
Certificate signer:N/A
Certificate SHA-1 thumbprint:N/A
Certificate serial number:N/A
Signature timestamp:N/A

  Risk Detection

Date found:07/27/2018 09:14:00
Description: 
Actual action:Cleaned by deletion
Specified primary action:Clean
Specified secondary action:Quarantine
Detection source:Auto-Protect
Risk detection method:Signature-based Detection
URL tracking:Off
Source computer: 
Event type:Virus found
Database insert date:07/27/2018 09:14:35
Event end date:07/27/2018 09:14:00
Event client date:07/27/2018 09:14:00
Permitted application reason:Not on the permitted application list
Intensive Protection Level:Level 1

  Risk Reputation

First seen:Symantec has known about this file approximately 2 weeks.
Reputation:There is strong evidence that this file is untrustworthy.
Prevalence:This file has been seen by fewer than 5 Symantec users.
Performance impact:High
Overall rating:High
Detection reason:Antivirus engine
Minimum sensitivity level:N/A

Deploy SEP 14.2 via GPO

I need a solution

Hello guys. Have any of you installed SEP 14 via GPO? How smooth was the process? Did you face any issues?

If anyone can share the steps or screenshots for the whole process, that would be great.

Also, is deploying SEP via GPO supported by Symantec?

Your support is appreciated. Thanks

Unable to Remote Push 14.2

I need a solution

Hello guys. I have SEP 14.2, which I am trying to remote push from the SEPM. All the prerequisites have been met on the client for remote push. I even ran SymDiag on the client to make sure I am not missing anything, and it returned no error for remote push installation.

Now when I try to push from SEPM, I put the credentials in the deployment wizard and it successfully authenticates. After that I click Send to push the package and I get the message "failed".

I checked the scm-server logs on SEPM and am seeing the error message below in the log file, under the login successful line:

"Failed to connect to the Service Control Manager on \\ Client IP because the RPC server is unavailable"

Can anyone tell me how I can fix the above?

Your support is appreciated. Thanks

Endpoint Protection Error intermittently causing application to crash

I need a solution

The application often crashes with the following error. I would appreciate it if you could help with the attached error. Thanks.

mscorwks.dll False Positive ?

I need a solution

Hello, during the last few days I'm facing multiple risk detections that look like FPs:

c:\windows\winsxs\x86_netfx-mscorwks_dll_b03f5f7f11d50a3a_10.0.16299.125_none_8288815e706706fc\mscorwks.dll
SHA-256: D2727AF33E15BB84 7EEFAD349A1D2317 D767B030A86443E0 1A2A5DD71AA448C2

C:\Windows\WinSxS\x86_netfx-mscorwks_dll_b03f5f7f11d50a3a_10.0.16299.15_none_4d70fb8a8c22159c\mscorwks.dll
Not Available

Is anyone facing that issue too?

Could anyone confirm that it is a false positive?

Regards!

Cannot install Symantec client even after deleting PendingFileRenameOperations

I need a solution

Hi,

I need to install the Symantec client, but I get the error "...pending system changes that require a reboot" when installing. I followed https://support.symantec.com/en_US/article.TECH98292.html; i.e., search for the entry "PendingFileRenameOperations" in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
If you find the entry, first back up each key, and then delete the entry in each key.

The problem I am having is that the entry "PendingFileRenameOperations" keeps appearing again. I delete the entry from the registry, but once installation of SEP is launched, the entry appears again.

Thus I cannot install the client. Please help.

Thanks

Device are pingable but in SEPM console its visible like "The device is in offline "

I need a solution

Hello All,

1. Devices are online but they are shown in the SEPM console with offline status.

2. Servers are not connected to the SEPM management server, so they are not taking the content policy from the SEPM.

How can I rectify the above issues?

SEP clients wont change to a specific group policy

I need a solution

Hi guys, I'm facing an issue; hope you can help me with this.

Right now in SEPM I have the following group policy distribution:

1 My Company

 1.1 Dept 1
 1.2 Dept 2
 1.3 Dept 3
 1.4 Dept 4

Those policy groups have different kinds of access and restrictions.

Two days ago, moving a client from Dept 4 to Dept 1 was okay, but when I tried to return the client to its original group, I can see in SEPM that the client PC has already changed, but in the SEP client it is still in the previous policy group.

No matter how many times I update the policy on the client PC, the policy won't change. The weird thing is that this only happens in some groups, not all.

Right now I can't add any client PC to the Dept 4 group.

Do you have any idea how to troubleshoot this?

Regards

Sonar and Tamper Not Reporting Issue

I need a solution

Hi Everyone,

In my infra we have multiple machines with Sonar and Tamper not reporting.

We are using the 14 RU1 MP1 version.

Does anyone know why this issue is happening and how to fix it?

Where I can submit hash values of suspicious files on Symantec portal

I need a solution

Hi Guys,

I have some suspicious hash values and I want to check them on the Symantec portal to know if they are really malicious or not. I tried Virustotal but no luck at all. Submitting samples on the Symantec portal will not help as I have many hash values. Can someone please share a direct link on the Symantec portal where we can check the reputation of hash values?

AWS and Symantec

I need a solution

Hi,

Is it possible to install SEP on an AWS base image?

SEPM dont get updates

I need a solution

Hello,

Need your assistance regarding an issue with our SEPM, which is not able to get the latest defs automatically.

We performed several operations to solve this but with no results.

Thanks...
