Channel: Symantec Connect - Endpoint Protection - Discussions

Risk logs from SEPM Database

I need a solution

Hi folks, can you please help with my query below.

I would like to gather information like risk logs and scan information with respect to a specific host if I connect directly by query to the SEPM database. Because Symantec Endpoint doesn't support many APIs to get the risk log details, I need to go by connecting to the database directly. Please help.

0

Notification System infected: Miner.Bitcoinminer Activity 7 detected

I need a solution

Hi,

I have a computer displaying the message "System infected: Miner.Bitcoinminer Activity 7 detected" since 3/08. Is the Symantec client dealing with the threat? What should I do so that the risk is removed?

Thanks for your help!

0

SEP recognizes AD cluster objects as clients

I need a solution

Hello everybody

I have a SEP manager server, where I use AD discovery to add clients.

Now we have a total of 18 servers and 20 workstations in the domain, but SEP shows that it has 40 clients.

The two clients that should not be counted by SEP are 2 cluster records (of course, they are not real servers/computers, so they don't have SEP agents installed).

That's causing a license overuse alert.

How can I remove these two records from SEP, so it doesn't see and count them as clients?

0

Distrust Symantec Certificates issue

I need a solution

Hello Everyone,

As you all might be aware, Google, Apple, Microsoft, and Firefox announced that they will distrust Symantec-issued certificates to uphold users' security and privacy when browsing the web. Currently, endpoints which are still on Symantec certificates will no longer work once browser and OS vendors roll out the update, as early as fall 2018.
How would this impact any organization, and how can we mitigate this issue?
Also, will it impact accessing the SEPM console via web browser, and will SEPM and SEP client communication be impacted? Please let us know.

Thanks,

Sundeep

0

Autofix won't acquire definitions

I need a solution

I'm having multiple errors and autofix won't acquire definitions. I've tried to upload the diagnostic tool product and create a case; however, there's an error logging in, despite the fact that I've attempted to log in multiple times.

0

Need to block SMBv1 protocol

I need a solution

Hello All,

We have a requirement to block the SMBv1 protocol at the SEP level.

Currently we are blocking SMBv1 from Windows Group Policy while allowing SMBv2 (more secure).

The issue is that we have a lot of machines that are not part of our domain, and hence do not get Group Policies.

We would like to block SMBv1 while keeping SMBv2 open from the SEP client level itself.

They both use the same port 445, so I'm not sure how to get this done.

Any Help would be appreciated.

Thanks

AJ

0

Unknown traffic

I need a solution

Hi

I am having difficulties with a Java application in the browser. When I disable Symantec, the application works. I have disabled the intrusion protection for browsers and removed the final block-all rule. I seem to get the application to work with these two components disabled. I get quite a bit of blocked traffic from localhost 0.0.0.0 to remote host 0.0.0.0 over port 0. I am not certain if this is simply broadcast traffic. Please see the example below; the Ethernet type is sometimes different. From the client, I also see some of the below associated with Cisco MAC addresses 01-00-0C-CC-CC-CC.

Client Affected
Computer Name    
Current:    AirPro
When event occurred:    AirPro
IP Address    
Current:    192.168.2.41
When event occurred:    0.0.0.0
User Name:    adear
Location Name:    Default
Domain Name:    Republic
Group Name:    My Company\Airpo
Server Name:    RB-SEPM
Site Name:    Site RB-SEPM

Risk Detected
Event Time:    08/13/2018 16:18:08
Begin Time:    08/13/2018 16:17:54
End Time:    08/13/2018 16:17:54
Number:    1
Event Type:    Ethernet packet
Severity:    Info and above
Action:    Blocked
Application Name:    
Network Protocol:    ETHERNET [type=267]
Traffic Direction:    Inbound
Remote IP:    0.0.0.0
Remote Host Name:    
Alert:    0
Local Port:    0
Remote Port:    0
Rule Name:    Block all other traffic and don't log

Any insight is greatly appreciated.

Thanks.

corey 

0

Can SEP work together with Windows Defender

I need a solution

Hi,

My client machine has Symantec Endpoint Protection Ver14 installed and running. Will there be any conflict if the "Windows Defender service" is running at the same time? If there is no conflict, why am I not able to start up the "Windows Defender Service" in the Windows services tab?

Cheers

Suan Leng

0

Create the latest install package for SEP 14.0

I need a solution

Good day,

I have Symantec Endpoint Protection 14.0.1904 version installed in my environment.

I need the latest version of install package for my clients.

In general, I try to generate the latest package from Symantec Endpoint Protection Manager, but it gives me the following version: 14.0.2349.

I know that the latest SEP client version is 14.2.770.

So, how do I generate/create this latest edition of the SEP client? Please share your experience with us about this issue.

thanks in advance,

0

Detect and Block Process that loads two particular DLLs

I need a solution

I want to create an Application and Device Control policy to detect Mimikatz in memory, as our red teamers keep bypassing SEP AV, SONAR and signatures.

Reference for mimikatz: https://securityriskadvisors.com/blog/detecting-in-memory-mimikatz/

Example scenario: mimikatz is spawned in the context of rundll32.exe, then always loads two specific DLLs (vaultcli.dll and wlanapi.dll). Is there a way to set up ADC to log and block a process if the process image loads both (vaultcli.dll and wlanapi.dll)?

I have already tested where I monitor all processes, then if a process loads the condition either (vaultcli.dll and wlanapi.dll), log the event. In reality what is being logged is if process X spawns vaultcli.dll OR process X spawns wlanapi.dll. This is not very helpful since I have thousands of events generated.

Has anyone done this in SEP 14.x? I have read numerous documents and found no clear answer on whether this is possible. I need help!

0
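The AND-across-two-loads correlation the post describes as missing, as an added example (not SEP's or the poster's code) written from a detection stance: it post-processes per-DLL load events and only alerts when one process loaded both DLLs within a short window. The CSV-like line format and the sample events are constructed assumptions, not SEP's ADC log layout.

```python
"""Correlate single-DLL load events into a 'loaded BOTH DLLs' alert.

Added example, not SEP's or the poster's code. Assumes a constructed,
simplified event format 'timestamp,host,pid,process_image,loaded_dll'
rather than SEP's own ADC log layout.
"""
from collections import defaultdict
from datetime import datetime

REQUIRED_DLLS = frozenset({"vaultcli.dll", "wlanapi.dll"})

# Constructed sample events: a real pair on HOST1, a lone wlanapi.dll load by
# explorer.exe, and a pair on HOST2 too far apart in time to correlate.
SAMPLE_LOG = """\
2018-08-13T16:17:54,HOST1,4120,C:\\Windows\\System32\\rundll32.exe,vaultcli.dll
2018-08-13T16:17:55,HOST1,4120,C:\\Windows\\System32\\rundll32.exe,wlanapi.dll
2018-08-13T16:18:10,HOST1,512,C:\\Windows\\explorer.exe,wlanapi.dll
2018-08-13T16:20:00,HOST2,777,C:\\Windows\\System32\\rundll32.exe,vaultcli.dll
2018-08-13T17:30:00,HOST2,777,C:\\Windows\\System32\\rundll32.exe,WLANAPI.DLL
"""


def parse_events(text):
    """Parse the constructed lines into (time, host, pid, image, dll) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, pid, image, dll = line.split(",", 4)
            events.append((datetime.fromisoformat(ts), host, int(pid), image, dll.lower()))
    return events


def find_dual_loads(events, required=REQUIRED_DLLS, window_seconds=300):
    """Return [(host, pid, image)] for each process that loaded every DLL in
    `required` within `window_seconds`. A process loading only one of them is
    never reported: that is the AND the per-DLL ADC rule cannot express."""
    loads = defaultdict(dict)  # (host, pid, image) -> {dll: last load time}
    hits, reported = [], set()
    for ts, host, pid, image, dll in sorted(events):
        if dll not in required:
            continue
        key = (host, pid, image)
        loads[key][dll] = ts
        times = loads[key].values()
        spread = (max(times) - min(times)).total_seconds()
        if key not in reported and required.issubset(loads[key]) and spread <= window_seconds:
            hits.append(key)
            reported.add(key)
    return hits
```

Keying on (host, pid, image) and bounding the time window keeps a long-lived process that happens to load both DLLs hours apart, or a reused pid, from producing the same flood of single-DLL events the post complains about.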

TLS enable or not

I need a solution

Guys,

Through this information, is it possible to say whether TLS is enabled or not?

If it is not possible, where in the console do I see if it is enabled or not? Or where do I check this information?

0

How to query Application Control policy information on database

I need a solution

Hi everyone, I was looking for some table or view in the SEPM database in order to query this kind of device control policy rule information, like the paths/executables added on "Apply to the following processes" and "Do not apply to the following processes".

Is this kind of information possible to query, or is it something encrypted in .dat files?

I looked at the schema, but could not find anything so far.

thanks

0

AML Report option not available

I need a solution

Hi, 

I'm looking to generate the Advanced Machine Learning report referenced here: https://support.symantec.com/en_US/article.HOWTO125816.html

I've followed the steps of Scheduled Reports > Add > Computer Status, but there is no option for Advanced Machine Learning (Static) Content Distribution.

We're currently on 14.0.1 as suggested. And I confirmed all of the required AML settings are enabled in our environment. Am I missing something or has this report option been removed? Any help would be appreciated. 

Thanks.

0

Disaster recovery Admin password - Help!

I do not need a solution (just sharing information)

Ok, so we are retiring our old v14.0 SEPM server in favour of a Windows 2012 server, and I performed the database backup and copied the recovery file to the new server and everything went well, and now I'm being prompted to log on. The Admin password doesn't work, and my own network password doesn't work.

Would someone be able to tell me how to download the resetpass.bat file for password resets in v14.0 MP2?

This is fairly urgent, I can't do any further changes until this is done.

Why did the disaster recovery not include the existing admin user ID & password?

Thanks!

0

Firewall off when on LAN?

I need a solution

Hi guys,

What is the argument for leaving the SEP firewall on when you are on your corporate LAN and behind the corporate firewall?

The argument to disable the firewall would be to reduce complexity and any potential issues with some applications, but why would this be a bad idea?

Location awareness is in use when off the LAN (i.e. can't connect to the management server) to then enable the firewall, so remote users are still protected.

Cheers,
Sam

0

Details of deployed Unmanaged detectors in SEPM

I need a solution

Hello All 

I need to know the SEPM way to get a list of all unmanaged detectors (UMD) deployed in the network.
Preferably using an API/DB query to get all details of the UMDs and match them with my network segments, in case there is any IP segment without a UMD.

0

SEPM to SEPM communication port

I need a solution

Hi,

Looking for some verification regarding the firewall ports which are used for SEPM to SEPM communication (Java application).

My understanding is port 8443 does all server to server communication.

Does port 8014 also get used for server to server communication, or is this only for server to client communication?

Thanks,

Jamie

0

Minimum number of SEP clients supported by GUP

I need a solution

Hi,

We have 1300+ offices in our organization spread across the globe and have the SEP client configured to protect workstations in these offices. Some offices have below 100 computers and some offices have 200 computers. Do we need a GUP server for offices where the SEP client count is 100?

Presently, our environment has SEP 14 configured on the GUP and SEP clients.

Any suggestions are welcome.

Thanks

KK  

0

Will any part of SEP still run after disabling

I need a solution

I have a software vendor that is claiming that SEP is causing slowness in their application. For a test we disabled SEP, made sure all the services were stopped, and tested. They said that they still saw activity in the Windows Event Viewer logs after SEP was disabled. Is this possible?

0

SEP package in mode push installation

I need a solution

Hello,

When I push a new package through our network I get this message on the client Windows 10 System event viewer:

"The VPRemote Install Bootstrap Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly."

What should I do? I still run CleanWipe but with no effect.

Thanks in advance

0