Channel: Symantec Connect - Endpoint Protection - Discussions
Viewing all 10484 articles

MAC OSX Location Awareness switching

I need a solution

Hi All, we are trying to set up policies for some of our MAC OSX clients using location awareness to switch between two policies. We are currently performing the same for our Windows clients without issue.

The condition we are using to switch between locations is 'Can the Client Connect to the Management Server' = 'Cannot Connect'. The problem we are having is that where the Windows clients take less than 30s to switch locations, the MAC OSX clients can take several minutes, if not need a reboot, to change location. For us this is unacceptable client behaviour; we need it to switch faster.

Is this a known bug in the SEP client and MAC OSX? Or any ideas on what the problem could be? 

Our SEP version is 14.MP1 Build 1015(14.2.1015.0100)

MAC OSX version is Mojave. 


Unable to login to SEPM 14.2 MP1 with domain users

I need a solution

Hi all,

After the upgrade of SEPM to the newest version 14.2 MP1, I'm unable to log in with the domain user. I can log in only with the local SEPM user. In the server logs I get the message "Symantec endpoint protection manager could not connect to the target directory server. Check the directory server configuration and try again". I have edited the server properties and checked the directory server settings. Everything is set correctly. As a test I made a successful telnet connection to the directory server on port 389.

  Please help me to resolve this issue.    

  Thanks in advance.

  Dejan


Can SEP-Manager be integrated with both SEP-cloud and SEP-Mobile, or only one of these? [EoM]

email address for sales support

I need a solution

Can someone please give me an address for technical sales for endpoint protection.  I placed this project in our budget for this year and I need to use the trial to set up an environmental POC.  


Web Attack: Remote OS Command Injection - More help

I need a solution

Hello,

On one of my servers, I keep getting a Web Attack: Remote OS Command Injection.

There is not much information I can find online, and my alert doesn't give much information.

How can I solve this issue?

Thanks


ccSvcHst.exe map2.hwcdn.net:80

I need a solution

I have found that the Symantec Endpoint Protection executable ccSvcHst.exe tries to connect to map2.hwcdn.net:80. All other HTTP requests go through the web proxy; it takes the OS proxy settings. Why does ccSvcHst.exe try to access map2.hwcdn.net over TCP 80?

Procmon capture log below.

Time of Day | Process Name | PID | Operation | Path | Result | Detail
11:11:18 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61193 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:11:24 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61193 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:11:32 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61201 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:11:38 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61201 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:11:39 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61203 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:11:45 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61203 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:11:54 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61224 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0
11:12:00 | ccSvcHst.exe | 2100 | TCP Reconnect | host_abcd:61224 -> map2.hwcdn.net:http | SUCCESS | Length: 0, seqnum: 0, connid: 0

Both SONAR and IPS definition are not updated to the clients

I need a solution

Hi, 

One day when I checked the definition update status for the clients, I found only the Virus Definitions are up to date. Both SONAR and IPS definitions are not updated. It froze in one day. I checked the LU server; the download and distribution are no problem. Trying to perform a manual update from the LU server can't fix the problem. But downloading the JDB and then feeding it to SEPM is working; that is the workaround I can do.

Appreciate if anyone can give me some hint to address the root cause or guidance. Thanks!


SEP version 14.2.1023.0100

I need a solution

Hello,

Around 10 days ago I downloaded from FileConnect SEP 14 RU2 MP1 (14.2.1015.0100).

Today I logged on FileConnect and downloaded it again but this time it shows version 14.2.1023.0100.

Can someone from Symantec give some information: is this again some Refresh Build, or what exactly?

Another thing that I noticed is that usually with the previous versions when I download the EXE and run it, it was asking me where to extract. However with this one 14.2.1015.0100 it doesn't ask and starts with progress bar showing "Extracting..."


Number of machines that one SEPM 14 with SQL database can support

I need a solution

Is it true that one SEPM 14 with SQL database now can support up to 18 000 machines? This is what I can see in this article:

https://support.symantec.com/en_US/article.HOWTO81036.html

But so far with SEPM 12 it was written that it can support up to 45 000 - 50 000 machines:

https://support.symantec.com/en_US/article.HOWTO81147.html - this article says "Connect up to 45,000 to 50,000 clients to a management server" 

And this old forum thread even says "In SEPM 12.1 with SQL database supports upto 80,000 clients per SEPM" - https://www.symantec.com/connect/forums/how-many-clients-1-sepm


Information is currently unavailable

I need a solution

Anyone else see "Latest from Symantec: Information is currently unavailable" in your SEPM console today?  SEPM is still downloading current virus definitions like usual and I did those URL checks and nslookup I saw in a Symantec KB article without any problems.  To my knowledge, nothing changed on our end and Latest from Symantec had current info just yesterday.


TLS 1.2 support is a requirement for 14.2 MP1 and sql server communication?

I need a solution

Hello,

Is TLS 1.2 support a requirement for 14.2 MP1 and SQL Server communication? If SQL Server or SEPM wasn't configured for TLS 1.2 support only, does SEPM 14.2 MP1 work correctly?


Source server Symantec LiveUpdate is in middle of uploading content.

I need a solution

Guys,

Maybe you can tell me at what time it is possible to force a download of definitions. I tried to download from the LUA server and this event was created:

Source server Symantec LiveUpdate is in middle of uploading content. Hence skipping download of some content viz. SEPM Virus Definitions Win32 12.1 RU6, SEPM Virus Definitions Win64 (x64) 12.1 RU6. This content can be downloaded in the next download cycle.

I like to know this information for the future.

Miguel Angel


HTTP 500 on weekly_report URL

I need a solution

Hi all,

We are running SEPM 14.2 on Windows 2012, upgraded from SEPM 12.

All upgrades worked just fine, only now we get constant server events <machine_name>:8553/Reporting/weekly_report.php?filReport_Idx=16, every minute, together with 'Unexpected server error'.

In scm-server-0.log this error shows up:

2018-10-26 10:17:38.906 THREAD 39 SEVERE:  in: com.sygate.scm.server.task.ScheduledReportingTask
java.io.IOException: Server returned HTTP response code: 500 for URL: https://Machine:8553/Reporting/Reports/weekly_repo...
                at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
                at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
                at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
                at com.sygate.scm.server.task.ScheduledReportingHelper.doRequest(ScheduledReportingHelper.java:479)
                at com.sygate.scm.server.task.ScheduledReportingHelper.doRequest(ScheduledReportingHelper.java:417)
                at com.sygate.scm.server.task.ReportWriter.generateReport(ReportWriter.java:456)
                at com.sygate.scm.server.task.ScheduledReportingTask.generateReport(ScheduledReportingTask.java:586)
                at com.sygate.scm.server.task.ScheduledReportingTask.execute(ScheduledReportingTask.java:463)
                at com.sygate.scm.server.task.MonitoredTimerTask.run(MonitoredTimerTask.java:47)
                at java.util.TimerThread.mainLoop(Timer.java:555)
                at java.util.TimerThread.run(Timer.java:505)
 

I know that there are quite some articles about the HTTP 500 errors, but none of them seem to apply to either v14 or these weekly_report errors.

It doesn't seem to affect any normal functionality, but I would like to resolve these errors.

Anyone having the same issue or has a resolution?


Silent Installation/Upgrade SEP Client V 14.2.770

I need a solution

We are using a software distribution tool to push the SEP Clients. So far we have been successful with the Windows Clients.

I got a .zip file from the SEP Admin that contains two folders, "Additional Resources" & "Symantec Endpoint Protection Installer.app".

The Folder "Additional Resources" contains the file SEP.mpkg which I tried installing with the following parameters:

installer __Download/SEP.mpkg -target /

However, it didn't work. I haven't found a document that explains how to install the client in silent mode. Whether the client is not installed or there is an older version, we want to get a script to install this version of the agent on MAC OSx.

What is the approach that we should follow? 


developer

I need a solution

Hi,

We have SEP (*14.0) installed on a Linux box. Real-time scan is enabled on it.

Our application is uploading files into a directory and we have to move the files to another directory. Our requirement is to write a script that can identify whether a file from the upload directory has been scanned or not. Does SEP maintain logs of this on which we can base the decision?

I do understand that if SEP is ON then the file is scanned before being placed in the directory. The real concern is if SEP goes down in between and the application continues to upload, so we need decision criteria to identify whether a file was scanned or not.


Virus Def from Today

I need a solution

Hello,

I'm using a LUA server to download virus defs and these are sent to the SEPM console to deploy to the computers, but this morning I ran the download and distribution tasks; these two tasks ran OK, but the SEPM console shows this:

How can I check if the download from LUA is correct and if this content is sent to the SEPM?


Upgrade LUA Server

I need a solution

Guys,

I am going to upgrade the LUA server from Version: 2.3.5.99 to Version: 2.3.7.51. The idea is to clone the computer, uninstall the actual version and do a clean install. In this case, do the contents of the Temporary Directory and the Download Directory have to be cleaned, or should the current definitions not be deleted?

Regards

Miguel Angel


SEP 14 Client on SEPM Server

I need a solution

I'm setting up a new SEPM 14 server and was wondering if there are any recommendations when installing the SEP 14 client itself to protect the server?  Like my old server, leaning towards an unmanaged client although not sure whether this time around I should just take the defaults or do a Custom install to pick & choose what to load and, if so, what should I exclude.  The last thing I want is for SEP to interfere with SEPM functionality where a Default install might give me grief in the future.


SEPM communication issue

I need a solution

Hi All,

We have configured FW rules as mentioned below for SEP deployment in the DMZ, but clients are unable to communicate with SEPM.

Activity: Communication
Source: DMZ computers 
Destination: SEPM servers IP
Port: TCP 8014, 443

Activity: Definitions update
Source: DMZ computers
Destination: Respective GUP server
Port: TCP 2967

I have gone through the Symantec article for ports & protocols information but didn't find information to troubleshoot this issue.
I'm yet to receive secars test results.
Please let me know if I have to open any other port for the same.


I am seeing lot of event logs related to SEPM files, the linux server used reverse proxy using apache.

I need a solution

I am seeing a lot of Windows event logs related to SEPM files. The Linux server uses a reverse proxy with Apache to get LiveUpdates.

It would be helpful to identify why so many logs are generated.

The events are related to access to Symantec setup files, and events thereof. I have enclosed the errors related to the logs, and it creates them for every folder.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/30/2018 10:46:33 AM
Event ID:      4663
Task Category: Removable Storage
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      SECLPRVSECSEP01.cloudfabric.intraxa
Description:
An attempt was made to access an object.

Subject:
    Security ID:        NT SERVICE\semwebsrv
    Account Name:        semwebsrv
    Account Domain:        NT SERVICE
    Logon ID:        0x1F8B7

Object:
    Object Server:        Security
    Object Type:        File
    Object Name:        D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\tex\legacy
    Handle ID:        0x14d4
    Resource Attributes:    S:PAINO_ACCESS_CONTROL

Process Information:
    Process ID:        0x83c
    Process Name:        D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe

Access Request Information:
    Accesses:        ReadData (or ListDirectory)
                
    Access Mask:        0x1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12812</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-30T09:46:33.103434100Z" />
    <EventRecordID>1485466415</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="556" />
    <Channel>Security</Channel>
    <Computer>SECLPRVSECSEP01.cloudfabric.intraxa</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-80-948765316-811284391-187558744-2005173589-387111393</Data>
    <Data Name="SubjectUserName">semwebsrv</Data>
    <Data Name="SubjectDomainName">NT SERVICE</Data>
    <Data Name="SubjectLogonId">0x1f8b7</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\tex\legacy</Data>
    <Data Name="HandleId">0x14d4</Data>
    <Data Name="AccessList">%%4416
                </Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0x83c</Data>
    <Data Name="ProcessName">D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe</Data>
    <Data Name="ResourceAttributes">S:PAINO_ACCESS_CONTROL</Data>
  </EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/30/2018 10:46:33 AM
Event ID:      4663
Task Category: Removable Storage
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      SECLPRVSECSEP01.cloudfabric.intraxa
Description:
An attempt was made to access an object.

Subject:
    Security ID:        NT SERVICE\semwebsrv
    Account Name:        semwebsrv
    Account Domain:        NT SERVICE
    Logon ID:        0x1F8B7

Object:
    Object Server:        Security
    Object Type:        File
    Object Name:        D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\tex\RepMgtMan
    Handle ID:        0x14d4
    Resource Attributes:    S:PAINO_ACCESS_CONTROL

Process Information:
    Process ID:        0x83c
    Process Name:        D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe

Access Request Information:
    Accesses:        ReadData (or ListDirectory)
                
    Access Mask:        0x1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12812</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-30T09:46:33.103434100Z" />
    <EventRecordID>1485466422</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="556" />
    <Channel>Security</Channel>
    <Computer>SECLPRVSECSEP01.cloudfabric.intraxa</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-80-948765316-811284391-187558744-2005173589-387111393</Data>
    <Data Name="SubjectUserName">semwebsrv</Data>
    <Data Name="SubjectDomainName">NT SERVICE</Data>
    <Data Name="SubjectLogonId">0x1f8b7</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\tex\RepMgtMan</Data>
    <Data Name="HandleId">0x14d4</Data>
    <Data Name="AccessList">%%4416
                </Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0x83c</Data>
    <Data Name="ProcessName">D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe</Data>
    <Data Name="ResourceAttributes">S:PAINO_ACCESS_CONTROL</Data>
  </EventData>
</Event>
