Channel: Symantec Connect - Endpoint Protection - Discussions

Network Intrusion Report More Information

I need a solution

So we have set up the "Network and Host Exploit Mitigation" report to run daily and give us information, and so far it has been useful. However, there are some features that seem to be lacking. We can see that there are network intrusion events being detected on machines and we can see their level of severity and all that, but we cannot see what kind of actual events are occurring without going into the user's machine and viewing the logs. Is there a way to include this information in the report?

Also, when we look at the logs we can see information like "Malicious domain blocked 22" and we can see the offending process is "CHROME.exe", which makes sense, and we can get the IP address of the host, but it is still not enough information. The alert happens ~40 times a day and after running full scans, Power Eraser, Process Explorer, Autoruns, Procmon, and HijackThis nothing ever comes up as malicious. We have a hard time replicating the issue and we want to understand more about what is happening and why Symantec is flagging that domain when there is nothing malicious on the machine.

The main thing I am looking for is how to add as much information into the network intrusion report as possible and how to generate as much log data as possible through Symantec. If anyone has insights into this or has experienced similar issues, some insight into troubleshooting this would be much appreciated.

**Note: the domain referenced above is a Cloudflare IP address**


Unsolicited incoming ARP reply detected

I need a solution

So here goes.....

SEP 14.2, Windows installation. Within the firewall policy the checkbox for "Enable anti-MAC spoofing" is turned on. All is good up to here.

We have 3 sites, A, B and C. All clients have the same clients on them, they have not been updated since Feb and the SEPM hasn't been touched either.

In the last month we have seen several machines get the usual popup in the bottom right of the desktop with: "Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window."

Now, we can see some activity in the logs, like one here and there across the 2 other sites `A` and `B`, but for site `C` we are seeing a lot more, like 60 a day.

We know the ARP requests are coming from two (2) wireless controllers, but not every client is alerting; of the 200 clients, only 3 have alerted so far.

First Question:

Is there a limit which is hit for a client which triggers the popup message on the client?

So in trying to get to the bottom of the issue and reading every community MAC/ARP spoofing thread, I have not been able to get any closer.

If I look at the logs in SEPM under Monitor > Logs > Network and Host Exploit Mitigation > Attacks and choose a device, I have a question on the way it presents the log of a device when viewed in DETAIL view.

Log from the SEPM on the client

-----------------------------------------------

Client Affected

Computer Name    
Current:    LaptopHostname
When event occurred:    LaptopHostname

IP Address    
Current:    10.2.xx4.136 **(this is the actual Laptop's IP)
When event occurred:    10.2.xx4.254 **(This is the wireless controller/AP)
Local MAC:    1C4D7072Dxxx **(this is the Laptops MAC address)
User Name:    Username
Operating system:    Windows 10 Enterprise Edition
Location Name:    Default
Domain Name:    exampledomain.com
Group Name:    My Company\exampledomain\Client Devices\C **(site `C`)
Server Name:    xxx-SEPM-01
Site Name:    Site:xxx_SEPM

Risk Detected
Event Time:    18/07/2019 18:04:29
Begin Time:    18/07/2019 18:03:25
End Time:    18/07/2019 18:03:25
Number:    6
Event Description:    Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Event Type:    MAC Spoofing
Hack Type:    0
Severity:    Minor and above
Application Name:    N\A
Network Protocol:    Other
Traffic Direction:    Inbound
Remote IP:    10.2.xx4.136**(this is the Laptops IP address)
Remote MAC:    B40C25E08010**(this is the wireless controller/AP MAC address)
Remote Host Name:    N/A
Alert:    1
Local Port:    0
Remote Port:    0

So I am confused as to why the SEPM log has picked up the wireless IP address as its IP address (also the actual client IP address and MAC) under "When Event Occurred" (under the IP address section). This then in turn looks like it is analysing the remote IP (which is the laptop's actual IP address) and the Remote MAC of the wireless device, so it is all confused and now alerting.

Question 2

Am I reading the above log correctly?

Any help would be appreciated.

Thanks


Symantec Endpoint Protection Security Virtual Appliance

I need a solution

Hi,

Where can I find the Virtual Appliance for my Symantec Endpoint Protection? When I log in to my account in MySymantec, in Downloads I can't find anything. Maybe I should log in to https://support.symantec.com/us/en/security-analyt...? My username and password from MySymantec don't work.


How to use SEPM to update definition for Linux client

I need a solution

Hi Guys,

We are testing Symantec Endpoint Protection 14.2 in our new project, which contains both Windows OS and Linux OS.

My questions are as below:

1. I am not able to find the Linux install package in the trial version of SEPM 14.2. However, I can see there is a Linux install package in our licensed SEPM 14.0. Why is there no Linux package in 14.2?

2. I managed to install the SEP 14.0 Linux package on my Linux server and imported the client-server communication file as well. Now I am able to see the Linux client in SEPM 14.2. Since our SEPM server is an offline server due to security concerns, my question is how to update this Linux client's definitions from SEPM 14.2 by offline action. Will it be updated by importing the latest .jdb file to SEPM, like Windows? We have a lot of Linux servers, so I don't think Intelligent Updater definitions are a good choice for us.

Thanks in advance if anyone can give any idea.

Regards,

Feng


SEP 14.2 RU1(3335): service "SepMasterService" crashes randomly on Windows 10

I need a solution

Hello guys,
It happens sometimes, like once every several days, on the latest Win 10 x64 1903 Enterprise.
The event log says "The Symantec Endpoint Protection service terminated unexpectedly. It has done this 3 time(s)." Error: 7034.
When I start the service manually after that failure it works properly, but it can't be recovered automatically because there is no recovery option after the third failure.
I was trying to add it but I have no access, even from the command prompt.
Please see screenshots.

I would like to fix those crashes and, if possible, add an additional recovery "restart service" option for the 3rd or later failures.

I also have SEP clients on Windows 8.1 and they have no problem; not one crash was noticed.

Any suggestion would be highly appreciated.


Just upgraded to 14.2 RU1 and clients are getting errors after upgrade

I need a solution

So far, I've installed the latest client on 3 machines: the SEPM server and 2 Windows 10 1607 LTSB VDI machines (Horizon). The server was fine but both clients reported warnings after the reboot.

"Download Insight is malfunctioning.  File System Auto-Protect is malfunctioning

Details: Download insight is not functioning correctly due to the file system autoprotect status. 

File System auto protect is not functioning correctly.  Your protection definitions may be damaged or your product installation may be corrupt.  "

For client 1, I rebooted a 2nd time and it has been green for the last 2 hours. For client 2, I didn't want to do a 2nd reboot and I was told by the Symantec tech that it is trying to download files from the internet, so just leave it and it will fix itself. It has been 2 hours and it still shows the warning.


**Ryuk Ransomware Attack** The City of Memphis is limiting access to Collierville's network

I need a solution

Good day,

Seems like Collierville, TN was hit with a ransomware attack. Collierville is a community in metro Memphis.

From what we understand, it was hit with the Ryuk ransomware. Does anyone have any Symantec configurations for this or any similar type of ransomware?

Thanks for your help in advance.

KP


MSL modification is not working for One SEPM to another SEPM Migration

I need a solution

Hi,

I have two different SEPMs, as the parent company acquired the secondary organization. Now I have to migrate all the SEP clients from the secondary SEPM to the parent company's SEPM. I have modified the MSL; however, this is giving an internal error while connecting to the new SEPM. All the firewall access is already open. Sylink.xml deployment is not possible as these systems are in a workgroup and all have different admins, and Symantec's client deployment wizard cannot be used as they are not ready to share the admin password.

Any solution or suggestion on how to migrate all these clients without re-installation or manual effort?


SEPM API Questions

I need a solution

For context, I'm using Powershell as the scripting environment.

I'm attempting to assemble my own report that I can drop directly into our ticketing system as a scheduled task.  In particular, I'm looking for the following information for each computer SEPM knows about:

  • Computer Name
  • SEP Version
  • Client Definition File Version
  • Last date client contacted SEPM
  • List of AV events in the past week

Using the /sepm/api/v1/computers URI, I've found computer name and SEP version. Can anyone confirm that the client definition file information is available on a per-computer basis? Is it at this URI or another?

For the last date of contact, I've found lastUpdateTime and wanted to see if anyone knew if this is what I think it is (last date of client-SEPM contact).

Finally, I'm not entirely sure which endpoint I should use for the list of AV events, so I'm open to suggestions here.

Thanks to everyone for their help in advance.


Power Eraser analysis - Bloodhound.SMR.1 detection

I need a solution

Hello,

Need some help with this. One of the users thinks that the PC is infected but I have no remote access to it. So I ran Power Eraser remotely and here is what is detected (attached screenshot; user and computer name are removed).

Navigating to this Registry on my machine it is showing - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Any ideas, if this Power Eraser detection helps in any way? Something additional to be checked for example?


2 Hours to complete an installation of a SEPM on a new site (replication)

I need a solution

Hi Team

My environment is:

Windows 2016 Server

SEP v 14.2 RU1

0 Clients

0 Security Content or Installation packages replicated on the initial stage.

The primary site took less than 20 minutes to complete, the secondary site between the installation of the SEPM and the enablement of the replication partner took 2 hours.

I don't remember anything like this from a long time ago, so I decided to open a case and do some troubleshooting. My question for you is: what was wrong?

The logs showed inactivity for more than 1:50 hours before finally showing this error (install_log.err):

Jul 19, 2019 4:54:48 PM  STDERR: com.microsoft.sqlserver.jdbc.SQLServerException: The connection is closed.
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerConnection.checkClosed(SQLServerConnection.java:395)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:2292)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:1931)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.common.license.LicenseUtils.querySemConfigRoot(LicenseUtils.java:1406)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.common.license.LicenseUtils.cleanPulblishedLocalLicenseFile(LicenseUtils.java:1256)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame.configureDB(MainFrame.java:2198)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame.nextBtnActionPerformed(MainFrame.java:4852)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame.access$500(MainFrame.java:312)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame$5$1.construct(MainFrame.java:4382)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:153)
Jul 19, 2019 4:54:48 PM  STDERR:     at java.lang.Thread.run(Thread.java:748)

Best Regards


Exclusions of SEP files

I need a solution

Please confirm whether the below SEP file exclusions are needed for SEP 12.x & 14.x versions? Any documents related to this would be helpful.

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\SymCorpUI.exe


Collect Risk logs from SEPM server database

I do not need a solution (just sharing information)

Hi, can you please help with my query below.

I would like to gather information like Risk logs from the SEPM server in CSV format, and scan information with respect to a specific host, by connecting and querying the SEPM database directly. Because Symantec Endpoint doesn't support many APIs to get the risk log details, I need to go by connecting to the database directly.

Can you please help me find the location of the Risk logs database table, or the location of the file, or any website where the detailed information is available.

Thanks in advance


Stupid Question About Configuring Device Control

I need a solution

I learned long ago to never assume...so...

If I want to block USB devices I can add the USB class in Blocked Devices, right? Then, if I want to allow certain USB devices (such as human interface devices and individual USB devices) I can add those in Devices Excluded From Blocking. Right? Devices Excluded From Blocking will override the Blocked Devices class. Right?

Thanks.


SEPM Unable to Update Definitions and Replicate

I need a solution

Hello everyone. I have a 14.2 RU1 SEPM which since last week is unable to update the definitions: if I try a JDB and paste it to the incoming location, after a few minutes it is changed to .err. The same server is also not able to replicate, with an error "failed to submit" after it downloads 10% of the replication package.

Can you please review the attached scm-server log file and let me know what the issue is. Appreciate it. Thanks.


Contents are not getting purged on LiveUpdate Distribution Center server

I need a solution

Hi,

Contents are not getting purged on one of the LiveUpdate Distribution Center servers. It was working fine one week ago.

Any steps to fix this issue?

Regards

KK


The client machine has the wrong time set, and the time at which the Symantec scan detected the virus is reported wrongly

I do not need a solution (just sharing information)

The client machine has the wrong time set, and the time at which the Symantec scan detected the virus is reported wrongly. Symantec Endpoint Protection Manager keeps announcing the presence of a virus even if there are no more viruses.
The client had the date set to 2020, so if I want the virus notification to stop showing I will have to wait until 2020.
