Channel: Symantec Connect - Endpoint Protection - Discussions

Check forgot your password setting

I need a solution

Hi,

I am not able to log on to SEPM. I am clicking on "Forgot my password" but do not know the email address to which the email is being sent. Can I verify the email address even though I cannot access SEPM?

Thanks for the help

Block Logitech Presenter R400 with Device Control

I need a solution

Hello,

Since it was announced that some of the Logitech USB presenter devices (like models R400, R700 and R800) are vulnerable, I am trying to block with Device Control the model R400 but no luck.

I tested with plugging and unplugging the USB device into the machine, checking the Device IDs with DevViewer, but some of them are showing "can be disabled" - False. So I cannot block it.

Anyone having some ideas or tried to block the same presenter model?

SEPM Performance Issue

I need a solution

SEPM Slowness issue below:

System configuration:

SEPM Version - 14.2 RU1 build 3332

Operating System - Win2012 R2 on Hyper-V 2012 R2

SQL DB - SQL 2016 Build 13.0.1601.5 on Cluster. Both SEPM and Database are in the same network zone.

Actions done till now to Rectify the Issue:

1) System Drive(C:/)- Increased from 40Gb to 199Gb

2) D:/(SEPM Installed)- Increased from 50Gb to 99.8Gb

3) ersecreg-a. error logs show performance degradation was because of a VMware defect, hence check the configuration of the VM environment. Confirmed that the Server is a HYPER-V running on latest Updates. (https://support.symantec.com/us/en/article.tech236391.html)

4) Java Heap Size - Increased from 2048 to 3072 as SEPM runs on JAVA.    (https://support.symantec.com/us/en/article.TECH93500.html)

5) SEPM console was Reconfigured and connected to DB again

6) Windows SEP Clients pulling updates(Liveupdate frequency) changed from 2 hours to 4 hours and Linux SEP clients to get Updates through Reverse Proxy to 2 Hours.

7) JAVA Reinstalled and Updated to latest 8.0.1910.12

8) SEPM Update Interval - Changed from every 4 hours to 1 day to minimize the Liveupdate to fetch the updates from Symantec cloud between (Early 1:00AM to 6:00AM)

9) Windows and Linux servers Update Interval- Changed SEP Clients to take Definitions updates from the SEPM once in a day and try between (Early 2:00AM to 6:00AM) to minimize the Load on SEPM.

11) SQL profiler to run on the SQL DB server to check for the DB performance. (https://support.symantec.com/us/en/article.tech92852.html)

Alert [SID:31043] Audit:PUA.BaisvikPCOpt Activity detected

I need a solution

Hi

I have a Windows 7 laptop with Symantec Endpoint.

When I open chrome I receive an alert message

[SID:31043] Audit:PUA.BaisvikPCOpt Activity detected

What is the cause and how do I fix it?

Thanks in advance for your help.

Live update - content is 12GB

I need a solution

Hi,

Not sure if this is the right place to post this, but since I didn't find a forum related to "live update administrator" I am posting here.

To the point...

First thing to know, I am new to everything Symantec, so I am doing a lot of guessing and probably using the wrong terminology, so apologies in advance.

I installed a fresh new "live update administrator" server and configured it. I chose to download only "SEP manager"\managed clients updates, since all our clients are managed and there is no need to download updates for unmanaged clients.

I decided to split the updates into two separate distribution centers, one strictly for content updates, the second strictly for client updates. After running a download schedule and distribute schedule for the first time (total of 4 schedules: download and distribute for content, the same for client), I immediately checked the distribution centers I configured, and here is where I am puzzled:

content distribution is 12 GB.

client distribution is 85m MB.

I am assuming content is virus definitions etc. Why is it so big?

How to remove symantec popups

I need a solution

Hello,

Please tell me how I can STOP the Symantec popups. I get those popups a hundred times a day and they need to stop popping up. Please see attached screenshot. Bottom right corner. Nothing I can even do with the popups anyway, I cannot click nor right-click them, nothing. They are just annoying and make me look every time, when I can't even take any action.
 
ALL I need to know are the steps to make them stop. PLEASE.
 
Thank you.

Network Intrusion Report More Information

I need a solution

So we have set up the "Network and Host Exploit Mitigation" report to run daily and give us information, and so far it has been useful. However, there are some features that seem to be lacking. We can see that there are network intrusion events being detected on machines, and we can see their level of severity and all that, but we cannot see what kind of actual events are occurring without going into the user's machine and viewing the logs. Is there a way to include this information in the report?

Also when we look at the logs we can see information like "Malicious domain blocked 22" and we can see the offending process is "CHROME.exe" which makes sense and we can get the IP address of the host but it is still not enough information. The alert happens ~40 times a day and after running full scans, power eraser, process explorer, autoruns, procmon, and hijackthis nothing ever comes up as malicious. We have a hard time replicating the issue and we want to understand more information about what is happening and why Symantec is flagging that domain yet there is nothing malicious on the machine. 

The main thing I am looking for is how to add as much information into the network intrusion report as possible and how to generate as much log data as possible through Symantec. If anyone has insights into this or has experienced similar issues, some insight into troubleshooting this would be much appreciated.

**Note: the domain referenced above is a Cloudflare IP address**

keep getting web injection notifications.

I need a solution

Hi Folks,

Every now and then, I keep getting some sort of web injection notification as below:

[SID: 31105] Attack: Remote Command Injection Activity 2 attack blocked. Traffic has been blocked for this application: SYSTEM

[SID: 30764] Web Attack: Remote OS Command Injection attack blocked. Traffic has been blocked for this application: SYSTEM

[SID: 30842] Attack: D-Link DSL 2750B Arbitrary Command Execution attack blocked. Traffic has been blocked for this application: SYSTEM

Will "[SID: 31568] Web Attack: OpenDreamBox Plugin Webmin RCE attack blocked. Traffic has been blocked for this application: SYSTEM" cause the system to go down?

Is this a potential danger to my computer? What steps should I take to fix this?

My server is running on Server 2016 datacenter version with SEP client version 14.0.2349.0100.

Thanks for the help,

Domain Change

I need a solution

Dear ALL

Recently I was infected by ransomware. Anyhow, my domain controller was infected, so I changed the Windows, but I forgot to demote the Symantec server from the domain, and now I can't access the Symantec Endpoint Protection Manager, and I also can't install the endpoint which is a member of the new domain.

Using REST API to delete a client

I need a solution

Hi. I need to find the clientid to delete a known client as part of an automated decommissioning workflow.

I'm finding that returning all of the clients from the server (https://localhost:8446/sepm/api/v1/computers?pageSize=100) to then search the JSON payload and grab the clientid seems really inefficient and takes a huge amount of time (I have over 2000 SEP clients)

Can anyone suggest a better way of doing this?

Thanks, 

-Matt

Updating fingerprint file through REST API

I need a solution

Hello everyone,

I have been using the RESTful API for managing file fingerprint lists on my SEP Manager, for system lockdown blacklisting. This is done by means of a Python script that accepts MD5 hashes via CSV and updates the related fingerprint list on the manager using the 'update an existing blacklist' API function. This API function appears to overwrite the particular fingerprint file entirely with the set of file hashes provided, whereas, ideally, I would want to 'append' the new list to the existing set of hashes within the same fingerprint file. I would like to know if this feature is available via API or if it will be made available in the future. This would greatly help automation scripts to easily add and remove hashes from a fingerprint file.

Symantec EndProtection email deploy system

I need a solution

Hi guys,

I have a doubt about the Symantec EndProtection email deploy system. I am having problems editing the remote setup template; I understand that certain links are generated that do not change in order to access. My problem is that anyone who has those links can access and download the setup.exe. How could I generate a new link for each installation that is not accessible afterwards, or delete that link?

Spyware and Adware issue

I need a solution

I'm seeing spyware and adware that is not being detected or prevented with Symantec Endpoint 14.x. I wish to know what other tactics users are using to deal with spyware/adware. Are you augmenting your Symantec with another product, and if so what? Are you doing something with Symantec that is not relying on autoprotect, running scans, etc., or something else?

SEPM Unable to Update Definitions and Replicate

I need a solution

Hello everyone. I have a 14.2 RU1 SEPM which since last week has been unable to update the definitions. If I try a JDB and paste it to the incoming location, after a few minutes it is changed to .err. The same server is also not able to replicate, with an error "failed to submit" after it downloads the replication package 10%.

Can you please review the attached scm-server log file and let me know what the issue is. Appreciate it. Thanks

Contents are not getting purged on LiveUpdate distribution centers server

I need a solution

Hi,

Contents are not getting purged on one of the LiveUpdate Distribution centers servers. It was working fine one week before.

Any steps to fix this issue?

Regards

KK

The client machine installs the wrong time and the time when the Symantec scan virus is reported wrongly when the virus was detected

I do not need a solution (just sharing information)

The client machine installs the wrong time and the time when the Symantec scan virus is reported wrongly when the virus was detected. It should be Symantec end point manager to announce the presence of a virus even if there are no more viruses.
The client has set the date to 2020, so if I want to not show the virus notification I will have to wait until 2020.

SQL Query

I need a solution

Hello ALL,

I'm using Elasticsearch as a SIEM for my SEPMs. Everything is working fine, Inventory, Malware... but I'm stuck on IPS detections. I need to know what is the SQL table in which those events are stored.

I'm using an external SQL database.

Thank you all for your help/assistance

Kind regards

N.Achraf 

Autorun.inf are blocked when copying to network drives

I need a solution

I have Application & Device control policy enforced to block autorun.inf.

People in software packaging team package new software to a folder so that can be deployed via SCCM.

But the package folder created also contains an autorun.inf file created as part of packaging.

The autorun.inf file is getting blocked when a user tries to copy the package folder to a network share.

I did not make any policy changes to the 'block autorun.inf' ADC rules.

As part of their daily operation, a set of users creates packages with an autorun.inf file and has to copy/move it from their PC to a network share.

Hence, can someone pls suggest how I can allow a successful copy of the autorun.inf file without the ADC policy blocking it, only from a set of laptops? Thanks

Creating Installation Package for Linux-Clients

I need a solution

Hey Guys

I just started testing / working with Symantec Endpoint Protection Version 14.2.1. I'd like to install a Linux Client, but I can't really figure out how. According to some tutorials you should create an installation package manually, but I'm not able to find the default Package-Path to create a new Package (I already searched my drive for *.info and *.zip Files, but I can't find the default files).

Can you guys explain to me what I exactly have to do to create a linux installation package?

Thanks for your help.

Kind regards

Gabe
