Channel: Symantec Connect - Endpoint Protection - Discussions
Viewing all 10484 articles

Intrusion prevention - System is clear

I need a solution

Hello,

For a few days now, one of our servers has been under attack on port 443, or at least that is what SEP says:

Name of IPS: Attack: an intrusion attempt was blocked.
Status: Blocked
Signature: System Infected: Trojan.Naid Activity 2
Attacked: System
Attacked Port: 443

We already checked the registry for the files and the services as written here, but we can't find anything on the system. The services AppMgmt and BITS do exist, but they are disabled/set to manual. A full scan doesn't find anything suspicious on the machine either.

Any suggestions or ideas on how to fix this?

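The following is an added example and not part of the original post. It collects what a responder would want from the attacked server before going further: which processes own connections on TCP 443, and what the AppMgmt and BITS services the poster checked actually are according to the service control manager. Symantec prefixes a signature name with "System Infected:" when the matched traffic originates from the protected host, so the interesting rows are the outbound ones and their owning image, not an inbound attacker. Nothing below is specific to Trojan.Naid and no hostnames or paths are assumed; run it in an elevated PowerShell session on the server that raised the alert.

```powershell
# Added example (not from the original thread). Triage for a "System Infected" IPS hit
# on TCP 443: which process owns the 443 connections, and what the two services the
# poster checked really are. Run in an elevated PowerShell on the affected server.
# Nothing here is specific to Trojan.Naid; no paths or hosts are assumed.

# 1. Every TCP connection touching port 443, joined to the owning process, its image
#    path and the image's Authenticode status. The signature is matched on traffic the
#    host sends, so the rows to chase are RemotePort 443 with an unexpected image.
function Get-Port443Connections {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 443 -or $_.RemotePort -eq 443 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local  = "$($_.LocalAddress):$($_.LocalPort)"
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                State  = $_.State
                Pid    = $_.OwningProcess
                Image  = $proc.Path
                Signed = if ($proc.Path) { (Get-AuthenticodeSignature -FilePath $proc.Path).Status } else { 'n/a' }
            }
        }
}

# 2. AppMgmt and BITS as the service control manager sees them: state, start mode, the
#    command line actually registered for the service, and the account it runs as.
#    "Disabled/manual" in services.msc says nothing about PathName; that is what to read.
function Get-CheckedServices {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='AppMgmt' OR Name='BITS'" |
        Select-Object Name, State, StartMode, PathName, StartName
}

# 3. Processes holding a 443 connection whose image lives outside the Windows and
#    Program Files trees are the first candidates for the "system" that is infected.
function Get-SuspectImages {
    Get-Port443Connections |
        Where-Object { $_.Image -and $_.Image -notmatch '^C:\\(Windows|Program Files( \(x86\))?)\\' } |
        Sort-Object Image -Unique
}

Get-Port443Connections | Sort-Object Remote | Format-Table -AutoSize
Get-CheckedServices   | Format-List
Get-SuspectImages     | Format-Table Pid, Image, Remote -AutoSize
```

On a server that legitimately serves HTTPS, the LocalPort 443 rows belong to the web server image and can be ignored; what matters is a RemotePort 443 row owned by an image that is unsigned or sits somewhere odd. Compare the remote address with the one in the SEP IPS log entry, and preserve the image file before removing anything.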

Logs: Administrative

I need a solution

Hello,

A SEP administrator created a deployment package for a group. I have the logs (Monitors > Logs > System > Administrative), but I don't have the name of the group that received this package; I only have the record stating that the package was created.

Do you know if there is another way to show which group received the package?

Thank you.

Adriano Abreu.

Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index

I need a solution

Hello all,

I have a problem about database.

I've followed the steps below to repair sem5.db, but the problem keeps coming back.

  1. Stop the Symantec Endpoint Protection Manager and Symantec Embedded Database services.
  2. Rename or delete the current sem5.log
  3. Click Start Run and type CMD then click OK
  4. In the command prompt type CD C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\ 
    • For 64-bit: dbsrv16 -f "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\sem5.db" 
       
  5. Press Enter
  6. Click Start > Run.
  7. Type services.msc
  8. Click OK.
  9. Start the following services:
    • Symantec Endpoint Protection Manager
    • Symantec Embedded Database

Do you have any other suggestions for solving the problem?

10/26 08:55:19. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/26 08:55:22. Fatal error:  Internal error.
10/26 10:19:45. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/26 10:19:46. Fatal error:  Internal error.
10/26 10:46:36. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/26 10:46:36. Fatal error:  Internal error.
10/26 12:21:47. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/26 12:21:47. Fatal error:  Internal error.
10/30 00:02:07. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/30 00:02:08. Fatal error:  Internal error.
10/30 08:50:04. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/30 08:50:04. Fatal error:  Internal error.
10/30 09:52:04. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/30 09:52:04. Fatal error:  Internal error.
10/30 10:14:34. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/30 10:14:35. Fatal error:  Internal error.
10/30 19:34:07. *** ERROR *** Assertion failed: 200130 (16.0.0.1324)[sem5] Invalid page found in index
10/30 19:34:07. Fatal error:  Internal error.

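The nine manual steps in the post, scripted, as an added example that is not part of the original thread. The script stops on the first failure, waits for the services to actually stop before touching the files, and keeps a copy of sem5.db because dbsrv16 -f rewrites the database in place. It assumes the default install path under Program Files (x86) and the two service display names exactly as the post lists them; adjust both if your installation differs. Run it in an elevated PowerShell session on the SEPM server.

```powershell
# Added example (not from the original thread): the manual repair steps from the post,
# scripted so they run in order and stop at the first failure. Assumed: default install
# path, and the two service display names exactly as they appear in services.msc.
# Run in an elevated PowerShell on the SEPM server.
$ErrorActionPreference = 'Stop'

$sepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$dbsrv    = Join-Path $sepmRoot 'ASA\win32\dbsrv16.exe'
$dbFile   = Join-Path $sepmRoot 'db\sem5.db'
$dbLog    = Join-Path $sepmRoot 'db\sem5.log'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# Manager first, database second when stopping; the reverse when starting.
$services = @(foreach ($name in 'Symantec Endpoint Protection Manager', 'Symantec Embedded Database') {
    Get-Service -DisplayName $name
})

# 1. Stop the services (step 1 of the post) and wait until they report Stopped.
foreach ($svc in $services) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
}

# 2. Keep a copy of the database file: dbsrv16 -f rewrites it in place, and if the
#    corrupt index page is inside sem5.db you will want the original for a restore.
Copy-Item -Path $dbFile -Destination "$dbFile.$stamp.bak"

# 3. Rename, rather than delete, the transaction log (step 2 of the post).
if (Test-Path $dbLog) { Rename-Item -Path $dbLog -NewName "sem5.log.$stamp" }

# 4. Force recovery without the log (steps 3 to 5 of the post). dbsrv16 -f recovers the
#    database and then shuts down, so -Wait returns when it is done.
$proc = Start-Process -FilePath $dbsrv -ArgumentList @('-f', "`"$dbFile`"") -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "dbsrv16 -f exited with code $($proc.ExitCode); do not start the services, restore from backup instead."
}

# 5. Start the database, then the manager (steps 6 to 9 of the post).
[array]::Reverse($services)
foreach ($svc in $services) {
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}
```

The caveat the post's log already shows: dbsrv16 -f only discards the transaction log. If the assertion "Invalid page found in index" comes back after the services are up, the damaged page is in sem5.db itself, and repeating the procedure will not change that. At that point the options are restoring the database from a SEPM backup taken before the first assertion, or an unload/reload of the database with the SQL Anywhere tools shipped under ASA\win32, which is worth doing with Symantec support on the line since the manager's data lives in that file.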

ATP server unavailable

I need a solution

Hi

In our environment we have implemented SEPM 14.2 and ATP.

The ATP-SEP integration is also done, but when we check the computer status report there is a column, ATP server, which shows "unavailable".

Can anyone please suggest how to fix it?

Thanks

SEP Client Repair in VDI systems

I need a solution

Hi

We are not able to repair the SEP client (14.0) in a Citrix environment.

Please share the solution or article.

Thanks

Find Mac OS Computer

I need a solution

Guys,

The SEPM only shows me computers running Windows, and I would like to know if I have any Mac OS computers.

Is it possible to find them another way?

SEP EMBEDDED DB down

I need a solution

hi everyone

I get a lot of mails from SEP like "Database of down". When I restart SEP, the SEP manager runs, but one hour later our problem continues.

There is enough disk space and we updated the sem5 log, but our problem continues.

Our SEP version is 14.2.770.

Error: unexpected server error.

thanks

Semra 

SEP 14.2 "Product Error Requires Attention"

I need a solution

Recently we upgraded our Windows 10 PCs to SEP 14.2. Some users receive the following message in the bottom right corner upon login:

My own PC does the same. When I open the client, I see on the Status page that it detects an issue with Memory Mitigation. This is disabled, and is in fact disabled by default when upgrading. When I select "Fix" and restart, the error message no longer pops up in the bottom right and I don't see it on the Status page anymore.

Any idea why this is happening? Does anyone know of a way to disable this, or at least to run the "Fix" task remotely? A couple of other users have complained about this, and being able to do this remotely would help.

Windows 10 Enterprise

SEP 14.2.770.0000

Thanks in advance.

Do we need a license from Oracle for Java use with the SEPM Java Remote Console?

I need a solution

I can't get a straight answer from Symantec's horrible tier 1 support, so I'm hoping a Symantec employee can provide an answer here instead.

Starting January 2019, Oracle is changing Java 8 (and later) licensing, requiring non-personal/home users to purchase a Java license to run or use Java 8 or later. Since the SEPM's Java Remote Console requires and uses Java 8, do we (my organization) need to purchase a license? When I contacted Symantec support, they referred me to INFO5218 (https://support.symantec.com/content/unifiedweb/en...). I replied nicely that yes, I understand the Symantec Endpoint Protection ("SEP") client doesn't use Java, but I was inquiring about the Java Remote Console. Their response was that the Java Remote Console didn't use Java and therefore it doesn't apply. I replied with a screenshot showing that the Java Remote Console requires Java (it's launched via C:\ProgramData\Oracle\Java\javapath\javaws.exe -localfile -J-Djnlp.application.href=https://sepm.compnay_name.com:8443/servlet/JnlpServlet?osSF=true "C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\123a456-78b9b12c) and https://support.symantec.com/en_US/article.TECH236.... Support's last response was "So we [Symantec] do not require to purchase additional license", but they refuse to answer whether we (my organization) need an Oracle Java license to continue using SEPM's Java Remote Console. The way I read Oracle's licensing, we need to purchase an Oracle Java license for every user of the Java Remote Console. Can a Symantec employee clear this up?

Thanks in advance.

Monitoring Pack

I need a solution

Is there a management pack for SEP 14.x to report virus / exploit / client information up to SCOM or a powershell module I can use to extract data from it? I would like to have the data from the SEP home tab roll up to SCOM. 

14.0 symcfgd completely wedges RHEL 7.6 hosts

I need a solution

Environment: SEP 14.0.2332-0100 on RHEL 7.6

Synopsis: RHEL 7.6 was released. When a host is updated to 7.6 (FWIW the first kernel to come with RHEL 7.6 is 3.10.0-957) and either the host is rebooted or the symcfgd service is restarted, the host completely wedges, silently, and is unusable.

Repeatable Steps:

  1. Update to RHEL 7.6
  2. Reboot. Your host will wedge as it comes up.
  3. Reboot to single user mode to avoid /etc/rc3.d scripts related to SEP
  4. Build new SEP kernel modules via build.sh
  5. Run /etc/rc3.d/S21autoprotect by hand. Runs fine. Kernel modules load.
  6. Run /etc/rc3.d/S22symcfgd by hand and the host immediately wedges and starts flashing keyboard LEDs.

Short-term workaround: for us, for now, reboot the host and choose an older 7.5 kernel when the kernel selection menu is displayed. As new kernel package updates come around, let alone ones with required security fixes, this will not be possible.

GUP and SONAR feature installed

I need a solution

Guys,

I would like to know if a computer without SONAR installed can be a GUP, or whether this feature needs to be installed for it to distribute content to other computers?

Miguel Angel

SEP Deception | Deceptors

I need a solution

Has anyone been successful in obtaining these files? 

• File Traversal Deceptor
• Network Discovery Deceptor
• DNS Lookup Deceptor
• File Share Deceptor
• Credential Theft Deceptor

• Process Termination Deceptor (This one is included in the package installer)

The KB article states to simply call support to obtain the others, but I have not only created a support ticket but also spoken with several support engineers, and everyone over at Symantec seems to be plain lost on this topic.

Can someone please advise how I obtain these files?

I want to deploy these deception techniques in my environment, and it appears to be part of SEP 14 RU1 (or higher).

Thank you

Clear pass integration for SEPM

I need a solution

Hi,

Need assistance to create an API integration of ClearPass with SEPM. ClearPass is a NAC solution which will integrate with SEPM to exchange information.

Any information or guide will be helpful.

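The three questions above ("Find Mac OS Computer", "Monitoring Pack" and this ClearPass one) all come down to getting data out of SEPM programmatically, and SEPM 14.x exposes a REST API for exactly that. The script below is an added example, not code from any of the posts or from Symantec: it authenticates against the API, pages through the computer inventory, and filters it by OS string so non-Windows clients show up even though the console view only listed Windows machines. Assumptions, each also marked in the code: the API listens on its default port 8446, the hostname `sepm.example.internal` is a placeholder, the account is permitted to use the API, and the response field names (`content`, `lastPage`, `operatingSystem`, `osName`, `computerName`) match your build.

```powershell
# Added example (not from the original threads): pull the computer inventory from the
# SEPM REST API and filter it by operating system. Assumed: SEPM 14.x with the API on its
# default port 8446, an admin account permitted to use the API, the hostname below, and
# the response field names marked as assumptions in the comments.
param(
    [string]$Sepm   = 'sepm.example.internal',   # assumed hostname
    [string]$User   = 'admin',
    [string]$Domain = ''                          # SEPM administrative domain; empty = default
)
$ErrorActionPreference = 'Stop'
$cred = Get-Credential -UserName $User -Message "Password for $User on $Sepm"
$base = "https://${Sepm}:8446/sepm/api/v1"

# 1. Authenticate. The token returned is sent as a Bearer token on every later call.
#    SEPM ships with a self-signed certificate; import it into the machine's trusted
#    root store instead of turning certificate validation off for the whole process.
$body = @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
    domain   = $Domain
} | ConvertTo-Json
$auth    = Invoke-RestMethod -Method Post -Uri "$base/identity/authenticate" -ContentType 'application/json' -Body $body
$headers = @{ Authorization = "Bearer $($auth.token)" }

# 2. Walk the paged /computers collection. 'content', 'lastPage' and a 1-based pageIndex
#    are the paging assumptions; the cap of 1000 pages only guards against a bad response.
function Get-SepmComputers {
    $page = 1
    do {
        $r = Invoke-RestMethod -Method Get -Uri "$base/computers?pageIndex=$page&pageSize=500" -Headers $headers
        $r.content
        $page++
    } while (-not $r.lastPage -and $page -le 1000)
}

# 3. Match on the OS description. 'operatingSystem' and 'osName' are assumed field names;
#    the match is deliberately loose so any Mac build string ("Mac OS X", "macOS") hits.
$all  = @(Get-SepmComputers)
$macs = @($all | Where-Object { "$($_.operatingSystem) $($_.osName)" -match 'mac' })

$macs | Select-Object computerName, operatingSystem | Format-Table -AutoSize
"Total computers: $($all.Count); Mac OS: $($macs.Count)"
```

The authenticate-then-call pattern is the whole of what a SCOM collector or a NAC integration needs; swap `/computers` for the endpoint that carries the data you want, taking the exact paths and field names from the API reference the manager serves itself at `https://<sepm>:8446/sepm/restapidocs.html`. Treat the API account like any other SEPM administrator: give it a dedicated, least-privilege role, and do not leave its password in the script.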

SSL Cert renewal on SEP manager and its impact on sylink

I need a solution

HI All,

I want to know, if we change the CA certificate (we have installed a CA certificate on our SEP manager) on the manager, how it will impact sylink.xml.

Will sylink.xml automatically get updated once the certificate import is done, or does it have to be pushed out via a package or patch?

Please help.

Scans and Client

I do not need a solution (just sharing information)

So we've been using Endpoint for over ten years now. For the past ten years the settings have been set not to allow the user to open the client, and for scans run from the management console to run silently on the client PC. For some reason a standard user can now go into the start menu and open the client, and when I push out a scan to the PC it pops up on their computer. I can't find where these settings are in the manager and I don't remember where they were when we originally set this up. We are on the newest version of the manager and client. Basically what I want is that when the user clicks on the Endpoint shortcut it gives them a message saying only an admin can open it (not the exact wording), and that when I push a scan out it doesn't pop up on their computer. Any help would be appreciated.

Exceptions for Veeam

I need a solution

Hello,

I need to create exceptions for Veeam with SEP 14 and I have a doubt about how to exclude these:

Folder on Guest OS for VSS:

  • C:\Windows\VeeamVssSupport
  • C:\Windows\VeeamLogShipper
  • \Device\HarddiskVolume*

Is it possible to exclude \Device\HarddiskVolume*?

[Virus Help] Kept Having conhost.exe Detection From Different Locations

I need a solution

Recently I've been getting repeated SONAR risk detections from SEP about conhost.exe, risk type Trojan.Gen.2/SONAR.MalTraffic!gen1. The location changes with every detection as well: at first it came from c:\program files\system updates\windows driver system update\conhost.exe, then it started popping up from c:\programdata\performance tool\, which is really weird. Every time I restart, the trojan comes back, but full scans don't reveal any problem.

For some reason, I couldn't run SEP in Safe Mode with Networking: the services are stopped and cannot be started manually. I've also been having problems with Symantec Network Access Control not running at start-up despite tamper control being turned on and the service's startup type set to automatic.

I restarted my computer just now and I'm staring at a fresh conhost.exe sitting in the performance tool folder, which I know isn't where conhost.exe is supposed to be, but for some reason running a scan on the folder returns nothing.

I am running SEP 14.0 MP1 build 2332 on my personal computer; hopefully this is the right place to ask this kind of question.

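A detection that comes back after every reboot from a different folder is a persistence problem, not a scan problem, and a scan that returns nothing on the folder does not tell you what the file is. The script below is an added example and not part of the original post: it finds every conhost.exe outside System32, records its hash and Authenticode signature (the genuine binary is signed by Microsoft Windows; a copy under "performance tool" will not be), lists running instances with their parent process, and then searches the usual autostart locations for whatever re-creates it. The search roots and the folder names in the pattern are taken from the post; the HKCU/HKLM Run keys, scheduled tasks and services are the standard places, not anything specific to this infection. Run it elevated.

```powershell
# Added example (not from the original thread): find every conhost.exe that is not the
# Windows one, record hash and signature, and look for what re-creates it at boot.
# Run elevated. Search roots are the post's locations plus the usual drop folders.
$legit = Join-Path $env:SystemRoot 'System32\conhost.exe'
$roots = "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData",
         "$env:APPDATA", "$env:LOCALAPPDATA", "$env:TEMP"
# Folder names from the post plus the file name itself; extend as new locations appear.
$pattern = 'performance tool|system updates|conhost'

# 1. Every conhost.exe outside System32, with SHA-256 and Authenticode status. The real
#    one is signed by Microsoft Windows; keep a copy of any other before removing it.
function Get-StrayConhost {
    foreach ($r in ($roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $r -Filter conhost.exe -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -ne $legit } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path    = $_.FullName
                    Size    = $_.Length
                    Created = $_.CreationTime
                    SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer  = $sig.SignerCertificate.Subject
                    Status  = $sig.Status
                }
            }
    }
}

# 2. Running conhost.exe instances whose image is not the System32 binary, with the
#    parent process, which is usually the thing that actually needs to go.
function Get-StrayConhostProcess {
    Get-CimInstance -ClassName Win32_Process -Filter "Name='conhost.exe'" |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ne $legit } |
        ForEach-Object {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
            [pscustomobject]@{
                Pid       = $_.ProcessId
                Image     = $_.ExecutablePath
                CmdLine   = $_.CommandLine
                ParentPid = $_.ParentProcessId
                Parent    = $parent.ExecutablePath
            }
        }
}

# 3. Autostart entries that reference the suspicious folders or file name: Run/RunOnce
#    keys for the machine and the current user, scheduled task actions, and services.
function Get-SuspectAutostarts {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pattern } |
                ForEach-Object { "RunKey  $k\$($_.Name) = $($_.Value)" }
        }
    }
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $pattern } |
            ForEach-Object { "Task    $($t.TaskPath)$($t.TaskName): $($_.Execute) $($_.Arguments)" }
    }
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match $pattern } |
        ForEach-Object { "Service $($_.Name) [$($_.StartMode)/$($_.State)]: $($_.PathName)" }
}

Get-StrayConhost        | Format-List
Get-StrayConhostProcess | Format-List
Get-SuspectAutostarts
```

The parent process from step 2 and any autostart from step 3 are what to remove and submit; deleting the conhost.exe copy alone is what the poster has effectively been doing at every reboot. If step 3 finds nothing, the persistence is somewhere this script does not look (WMI event subscriptions, a browser extension, another user's Run keys), and a full autoruns-style listing is the next step.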

Monitoring File Changes

I need a solution

I have a requirement to try and monitor changes to a file. The file in this instance is the HOSTS file on any machine on the network (this is c:\windows\system32\drivers\etc\hosts). This is to simulate a bad actor modifying a HOSTS file to redirect traffic elsewhere. Symantec A&DC has a pre-built rule that works fine if the change is made from the local machine. As I discovered today, if a bad actor modifies the file from a remote location (for example by accessing the UNC path of a device on the network) this doesn't work. Is there a way to detect this? It seems a little short-sighted to monitor a file but not be able to monitor it if the change was made remotely. To illustrate this point a bit more clearly:

Workstation 1 has a monitored file (HOSTS) ==> Local admin logged into (or running administratively on) Workstation 1 modifies the HOSTS file ==> SEP A&DC detects and logs this event.

Workstation 1 has a monitored file (HOSTS) ==> Administrator on Workstation X or Server X (using administrator privileges) accesses the UNC path of Workstation 1 and modifies the HOSTS file ==> SEP A&DC does not detect or log this event.

Is this something that is able to be worked around or should this be configured through something like File Integrity?

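The gap the post describes is the one a file-system SACL does not have: Windows evaluates the audit ACE on every open of the file regardless of which process performs it, so a write that arrives through the admin share and is carried out by the SMB server on behalf of a remote administrator is logged just like a local one, with the remote account as the subject. The snippet below is an added example and not part of the original post. It enables the File System audit subcategory, adds a success audit entry for write-type access on the HOSTS file, and then reads back the resulting Security log events (4663 for the object access; 5145, which also names the source IP, only if Detailed File Share auditing is enabled separately). The only assumption is the HOSTS path under %SystemRoot%; run it elevated on the workstation being monitored.

```powershell
# Added example (not from the original thread): audit writes to the HOSTS file with a
# file system SACL. The kernel evaluates the SACL for every write, whether the caller
# is a local process or the SMB server acting for a remote administrator.
# Run elevated on the monitored workstation. Event IDs are the standard Security log ones.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Object Access > File System auditing must be on, or SACLs are never evaluated.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a success audit entry for every write-like right, for everyone. Inheritance
#    flags are None because this is a file, not a directory.
$acl  = Get-Acl -Path $hosts -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ChangePermissions,TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $hosts -AclObject $acl

# 3. Read the resulting events. 4663 carries the account and the process: for a remote
#    edit the process is System (the SMB server) and the account is the remote admin's,
#    paired with a 4624 logon of type 3. 5145 adds the client IP and share path when
#    Object Access > Detailed File Share auditing is also enabled.
function Get-HostsFileWrites {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 5145; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'drivers\\etc\\hosts' } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName      # System for writes arriving over SMB
                Source  = $d.IpAddress        # populated only on 5145
                Access  = $d.AccessMask
            }
        }
}
Get-HostsFileWrites | Format-Table -AutoSize
```

Forward these events to whatever collects Security logs and alert on 4663 for this object from any account, since nothing legitimate edits HOSTS on a workstation outside a change window. The SACL covers the remote case that the A&DC rule missed; keep the A&DC rule for the local case if you want the block rather than just the record, because auditing only observes.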

SEPM 14 RU2 MP1 reports wrong data from Reports -> Computer Status report

I need a solution

Hi All,

Just FYI

There is again an issue with the Computer Status report in SEPM 14 RU2 MP1, as we had in the previous SEP 14 release:

https://www.symantec.com/connect/forums/scheduled-...

It is the same story: the machines which show 0 under Sequence number in the Computer Status log do not appear in the Computer Status report.

@ Symantec - any news? Are you aware of this? Should we use the same workaround as before with the replacement of the php file?
