Channel: Symantec Connect - Endpoint Protection - Discussions

Syntax in Exceptions

I need a solution

Hello,

I am in the process of reviewing our exception policies and I've run across several file and/or folder exceptions that appear to be duplicates but with slight syntax differences.

For example:

T:\FolderName\

T:\FolderName

and 

\FolderName

Is there any real difference between the examples above in SEP when the exceptions are in place?

Symantec Endpoint Protection Manager user/pwd forgotten

I need a solution

Good day, we are new and the previous admin provided us an unusable user/pwd for the local Symantec Endpoint Protection Manager (SEPM) server. Is there a way/backdoor for us to get back the access? We will be looking for a new vendor to renew our SEP but we cannot install more users to our SEPM.

List Groups NOT Inheriting Policies From Parent Group?

I need a solution

SEPM is synced to our AD. We have hundreds of groups and OUs. Over the years and many SEPM admins, groups have had their "Inherit policies and settings from parent group..." messed with. Nothing's been documented.

I'd like to generate a list of groups that have policy inheritance turned off so I can review them without having to manually click on each and every one in SEPM.

Anybody know a way to do that? An SQL query on the database perhaps? (I can spell SQL and that's about it.)

Thanks.

traffic has been blocked from this application svchost.exe ...

I need a solution

This morning I started receiving these kinds of messages to include svchost.exe, ntoskrnl.exe, dashost.exe. I have Windows 10 and Version 14.2 RU1 build 3333 of Endpoint. Any help would be appreciated.

[SID: 31650] Audit: Malicious Domain Request 2 attack detected but not blocked

I need a solution

Hello,

For the past days I see some IPS detections like this one:

[SID: 31650] Audit: Malicious Domain Request 2 attack detected but not blocked. Application path: C:\TOOLS\IRONPORTABLE\IRONPORTABLE\IRON\CHROME.EXE

Note that the machines are with the latest IPS definitions. Also from the IPS policy I can see that this signature "[SID: 31650] Audit: Malicious Domain Request 2" is with default action Block.

My question is why I see for some machines this particular detection showing as blocked, then on the next day it is showing "detected but not blocked"? What could be the reason for this?

Thanks

Disagree with Symantec Security Response resolution

I need a solution

Hello!

There are a couple of SSR tickets -- #43339145, #43343152 and #43343325. They all have resolution " is not malicious itself, but may be an artifact of a threat", but all files in those tickets are malicious. How can I try to force Symantec to add detection for these files, if I'm on trial license for SEP 15 and I have no license number to put for Support Center request?

Thanks for advice!

IPS definition updates for 14.2RU1

I need a solution

I recently noticed that the last IPS update was on 8/2 for 14.2 RU1 but for 14.2 and earlier the definitions are current 8/8. Is there some reason they're not being released for 14.2 RU1?

Firewall Rule Stopped Hitting

I need a solution

I am using the SEP Cloud Console, Client version 14.2.4559.1100.

I created a rule last week to block and not log all ICMP traffic (that is not explicitly allowed by a previous rule) which has been working until Tuesday of this week.

Starting on Tuesday I saw a high number of firewall events from "Block All IP Traffic" that is all ICMP traffic.

The rule is All Applications, All Hosts, All Traffic from the following Protocol: ICMP, All Adapters, and All the time.

LUA - Internet LU Server Connectivity

I need a solution

Is there any way other than an old fashioned "ping", to know if my LUA server has network connectivity with the Live Update servers on the internet?

I need to check towards

liveupdate.symantecliveupdate.com

and

liveupdate.symantec.com

The server does have internet access.

Thanks in advance.

Install client email link incorrect

I need a solution

I have set up a new SEPM. While building policies and testing deployment scenarios I am missing where I edit the URL or at least the host prefix for the client install notification email. I created a new management server entry in "Management Server Lists" that only has a single (Priority 1) FQDN entry in it and it's selected to only use https protocol. So in the list it reads "sepm.mydomain.com:443". My "My Company" group has this new management server entry listed in its policy under location specific settings / communications settings and the default group is inheriting it.

However when I run the client deployment wizard and use Web Link and Email, the generated email still has http:// and the :8014 port specified after the FQDN server name. If I manually remove that from the URL and change it to https:// the download begins and all is well. I would just rather not have to edit the email every time I send one out.

Any help would be appreciated.

Reestablish client to server relationship

I need a solution

Hi team,

As a result of one of my networks not being able to contact the SEPM server for months, all the clients are now showing as offline in the management console. I've adjusted firewall rules and now the required ports are open, I need them to start checking in and picking up updates again, however they all remain in an offline state.

I've tried repairing the install and pushing out the client to these servers, however they still don't check in. I've even tried a full uninstall and reinstalled, the client now shows good (green circle icon on it) however on the management server it's still showing as offline!

What is the process for getting these clients checking in again?

Thanks

LUA catalog download without internet

I need a solution

Hello,

I just updated LUA to the latest version. However this LUA has no internet connection and receives virus def from external LUA that has internet access. How do I update the catalog on LUA without internet so I can download and distribute virus def?

Symantec_Endpoint_Protection_14.2.1_MP1

I need a solution

After upgrading from SEP 14.2 to Symantec_Endpoint_Protection_14.2.1_MP1, which went through successfully, I was to then do some config through the Management Server Configuration wizard.

Step 1.

Authentication type: Database Server Authentication

Database server: <Database_server_name\instance_name>

SQL server port: 1443

SQL Server client folder: e:\folder_name

Step 2

Database Name: SEPMDB

Database user name: sepmuser

Database Password: <Password>

I click next and I am presented with an error:

"Connection to the named instance of SQL Server is available on database server port 51220. This port is not matched to the port that is currently configured for database connectionss. Check the Symantec Endpoint Protection Manager database port settings and be sure that it matches the actual database server port".

I tried Google and nothing really makes sense on this error. Shouldn't an upgrade assume that this info was already there prior to the upgrade?

As a result, I am unable to use the SEPM. Any workaround?

Live Update Admin

I need a solution

I have the latest LUA ver installed and wanted to know what is the password for user:lua.

This is in the distribution center.

SEPM 14 API Authentication using SecureString

I need a solution

Hi all,

I have an SEP 14.2 Infra deployed and need to automate some tasks (move computers from one group to another, add/apply exception or other policy, etc.) with PowerShell.

To use the API, I have to authenticate, this is good, but is there a way to use a secured password and not plain text?

The only way I found and that works is by using a json file (or a hash table converted to json) with password in plain text. Get-Credential or Read-Host -AsSecureString don't work and always generate errors. Even demo scripts from Symantec are with plain text password.

Any help please?

Karim Kanoun

Getting Started with REST API for SEPM

I need a solution

Hi All,

I'm an Endpoint Admin and I'm looking to explore the API Integration feature with SEPM 14. Hoping to automate some redundant tasks for the AV-Admins.

I've been trying to test the response status of SEPM for API requests. However, I am not getting a proper JSON formatted reply; instead I'm getting a message saying there was an error with reply from the host and that the connection was closed along with some proxy information within the Error Body.

Please advise how to proceed or if there is something that can be done from SEPM to get a reply to the GET request from the API.

Query:

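# Accept any server certificate (TLS certificate validation is disabled for this session)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
# Force TLS 1.2 for the connection to SEPM
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$access_token = "0410bba5-YYYY-4104-a7f1-XXXXXXXXXXXXXX"
$header = @{ Authorization = 'Bearer ' + $access_token }
# GET the computers list, passing the bearer token in the Authorization header
Invoke-RestMethod -Uri https://SEPM_IP:8446/sepm/api/v1/computers -Headers $header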

Testing using Postman and PowerShell.

Thanks in Advance!

Regards,
EK

Offline SEP clients are not Purging Automatically from SEPM console

I need a solution

Hello All,

We have set up the purging option from SEPM console. Unfortunately the clients are still reporting in SEPM console.

We have set every 5 days: if the client is not reporting to SEPM console it should be deleted from SEPM console.

Can anyone help me with this case?
