Channel: Symantec Connect - Endpoint Protection - Discussions

SEP 15 SAML 2.0 Setup

I need a solution

Has anybody successfully set up SAML in the SEP cloud console? I just set up our cloud tenant and I am trying to configure access through Okta. I have gone through the documentation and set up based on that, but did notice the documentation is not entirely accurate. I called support and now they are saying that it is not supported. I find that hard to believe.

I am looking for guidance from anyone who has set this up recently.

Thanks!


SEP clients are showing connected but not entries found on the SEPM

I need a solution

Hi,

At multiple client sites we face this issue where the SEP clients:

  1. Show offline on SEPM and the offline entries are flushed out
  2. Show connected on the client - Server Connection Status = Connected
  3. Are up to date

But searching for them on the SEPM results in no entries, i.e., we are unable to find them in the Client groups.

Below are the SEPM / SEP versions from both the sites:

  • 14.2.1031
  • 14.2.3335

Did anyone else face this issue? If so any solution found?


Incomplete Disaster Recovery information

I need a solution

Hello,

I am trying to move SEPM to a new server, following the instructions here: https://support.symantec.com/us/en/article.tech160...

I have recovery files and database backup (embedded type).

On the new machine - run the SEPM installer, select "Use recovery file" - the config still asks me for information, duly filled out same as previous installation.

I sign into a blank SEPM, no clients etc.

I stop the 2 services, then run the database restore, which completes successfully.

Then the config assistant starts up again, goes through all steps again ("Use recovery file") including a 2nd run of LiveUpdate.

And I'm back at a Blank SEPM.

I've gone through https://support.symantec.com/us/en/article.tech160... with a fine-toothed comb and it's clearly missing steps.

Does anyone have full instructions for an exact like for like (same hostname and IP address) reinstall of SEPM on a new server?

Thanks.


Offline SEP clients are not Purging Automatically from SEPm console

I need a solution

Hello All,

We have set up the purging option from the SEPM console. Unfortunately the clients are still reporting to the SEPM console.

We have set it to every 5 days: if the client is not reporting to the SEPM console it should be deleted from the SEPM console.

Can anyone help me with this case?


MEM policy to prevent stopping sep service

I need a solution

Hi,

We are trying to prevent users from stopping SEP services and to start them if stopped.

I see an option in the HI policy to restart the service if it is stopped. However, when smc is stopped, HI is not going to work and this functionality is pretty much pointless. Correct me if I am wrong and if it works.

I also see Mick's comment in the article below to use MEM SEHOP to prevent service stopping. Can someone help with how this can be done?

https://www.symantec.com/connect/forums/script-start-sep-service?1565754867759

Thanks in advance for suggestions.


Issue about the SHA2 Windows Update Situation

I need a solution

https://support.symantec.com/us/en/article.tech255...

Do I understand this right? We cannot patch Windows 7 and Windows 2008 R2 machines until Symantec releases a new version of Endpoint Protection?

Most news sites are currently making fun of Symantec because it seems that 6 months was not enough for them to test and fix this situation.

Well, it's not so funny, and I wonder why this issue happens and why they really didn't test and fix this before, when they had multiple months' time.

This is a security disaster.


Access API as Domain Admin

I need a solution

Hi All,

We have a SEP 14.2 deployed infrastructure with 2 domains. I am an admin for one of the domains and have no access to the other.

I am trying to use the API to automate some tasks. All I can do is authenticate, get back a token, and list admin information for my domain.

Any other request finishes with error 401.

Example: Invoke-RestMethod -Uri $URL -Headers $header -ContentType "application/json" with $URL pointing to groups or computers.

But the SEPM Admin who has access to everything can run the command successfully, so it is related to my privilege as domain admin.

Can domain admins use the SEPM API, or is it restricted only to SEP Admins?

I guess that I have to specify the domain in the header? At this moment the header contains only the token (@{Authorization='Bearer '+$token}). I tried to add Domain or DomainId (from the authentication response) but without success.

Any help is welcome.

Best regards


Upcoming Webinar: How to Detect Targeted Ransomware with MITRE ATT&CK

I do not need a solution (just sharing information)

Just raising awareness of an upcoming webinar on Aug 22, 2019:

How to Detect Targeted Ransomware with MITRE ATT&CK™
https://www.symantec.com/about/webcasts

...

Cyber criminals are turning to targeted ransomware at an accelerated pace, motivated no doubt by the success of recent attacks. Join experts from Symantec and MITRE as we explore the latest research and best practices for detecting targeted ransomware in your environment.

We will cover:
• The latest trends in attacks
• An in depth look at GoGalocker
• How to use the ATT&CK™ knowledge base to describe these threats
• Mitigations and defenses for dealing with Gogalocker

Ransomware, especially targeted variants like Ransom.Crysis and Ransom.Ryuk, remains a very real danger - do take measures to protect your organization!

Targeted Ransomware: Proliferating Menace Threatens Organizations
https://www.symantec.com/blogs/threat-intelligence/targeted-ransomware-threat 


Blocked MD5 files from system lockdown on SEP which is logged in the control log on the SEP client don't get forwarded to SEDR.

I do not need a solution (just sharing information)

If a file is blocked by MD5 in SEDR, SEPM would forward the blocked events to SEDR. As of now SEPM only forwards risk events via the ALERTS table to SEDR.


Does Windows Update SHA2 problem affect SEP 12.1.x?

I need a solution

I'm looking for clarification on exactly WHICH versions of SEP are causing issues with the August 2019 Windows updates which are only SHA2 signed.

The article at https://support.symantec.com/us/en/article.tech255857.html only mentions Symantec Endpoint Protection 14.2 RU1 MP1 as an affected product. Are other SEP versions also affected, or is it JUST this SPECIFIC version? Is this version mentioned only because it is the latest version?

We have several clients still running v12.1.6 RU9 and RU10 on Server 2008 R2 platforms and Windows 7 workstations - are these computers also affected? If so, will any patches be offered for those versions?

Thanks in advance for any insight!
Warren


CVE-2019-1182 - SEPM definitions

I need a solution

Did Symantec release definitions to protect from the vulnerabilities listed in CVE-2019-1182?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1182


symantec solution of file analysis

SQL database backups fail after upgrade to 14.2.4811.1100

I do not need a solution (just sharing information)

Hello everyone.

This is an informative post about something that happened to me. After updating to the latest version of Symantec Endpoint Protection 14.2 RU1 MP1 (14.2.4811.1100), there is an error when working with an SQL server: everything works correctly in the console; however, when making backups from the SEP Manager, they fail.

The case is open with Symantec, this article related to the case was created:

https://support.symantec.com/us/en/article.tech255903.html

To take the forecasts of the case: before updating to the version, the recommendation is to make the backups manually on the Microsoft SQL server.

Regards,


Bandwidth requirement for SEPM downloads from Symantec LU

I need a solution

Hello,

1) With the default setup where SEPM checks with Symantec LiveUpdate servers for new content every 3-4 hours, what is the required bandwidth (between the SEPM and Symantec LU servers)?

2) What should be the average size of the content (which includes all types of content configured in the site LU policy) downloaded per day?

Thanks


[SEP 15] Agent gets info on license expiration -1 day before fact

SWAPGS Attack coverage when?

I need a solution

When will coverage for the SWAPGS attack be available?

Details

Sharing with you new Security Vulnerability Found announced by Microsoft.

The best way to prevent this is to install the latest security patch recommended by Microsoft.

A new Security Vulnerability was recently announced by Microsoft which can be considered a variant of the old Spectre vulnerability. This new vulnerability is called the SWAPGS attack. Its name comes from the fact that the vulnerability leverages the "SWAPGS instruction", one of the predictive executions within the affected processors which helps improve the speed of our computers. The researchers discovered a way to manipulate this instruction to leak out information that should be available to the operating system only.

So which systems are affected?

The SWAPGS Attack affects newer Intel CPUs that use speculative execution.

“A successful attack requires a vulnerable Intel CPU, an unpatched operating system and several hours of continuous probing,” Bogdan Botezatu, Director of Threat Research at Bitdefender, told Help Net Security.

The researchers from BitDefender, the ones responsible for the discovery, have stated that the vulnerability affects all Intel CPUs manufactured from 2012 to the present. However, Red Hat has also come out with its own security advisory stating that the vulnerability affects x86-64 systems using both Intel and AMD processors, which AMD itself disputes, as its own statement on this matter says they are not affected by the vulnerability. The advisory also stated that from the industry feedback, they are not aware of a way to exploit this vulnerability on Linux kernel-based systems.

Please read the full article at this link: https://www.bitdefender.com/business/swapgs-attack.html

What can I do to prevent this?

Firstly, this vulnerability was already included in the July 9 security update from Microsoft, so if you're already up to date with the security patches you don't have to do anything.

As for existing Trend Micro users, given that this is a local type of vulnerability, a Trend Micro IPS rule cannot be created for this. A vulnerability exploitable with only local access requires the attacker to either have physical access or be logged on to the vulnerable system. DPI can only detect attacks over the network.

As stated above, it would be best to immediately update your OS Security Patches, you may find a list below:

SUSE: https://www.suse.com/security/cve/CVE-2019-1125/

RHEL/CentOS: https://access.redhat.com/articles/4329821

Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1125.html

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125

Debian: https://security-tracker.debian.org/tracker/CVE-2019-1125


Windows Definitions Updates

I need a solution

Hi, is it just me or are you also seeing the discrepancy in Symantec Windows Definitions Updates? Today's date is 2019/08/19.

Latest from Symantec: 2019/08/17 r3

Latest on Manager: 2019/08/18 r8

Where is the Manager getting the updates from?

Note: The manager is configured to download the updates from Symantec LiveUpdate.

Many thanks,

MabundaG


Client installation fails

I need a solution

I am running SEPM 14.2.1 RU1 MP1 Build 4811, which I upgraded to recently. Even prior to the upgrade, I still had challenges installing SEP clients via the SEPM client deployment wizard. The deployment report comes back with an error "The client decided to reject the upgrade package". Again, for some clients that do not show up on the SEPM, when I run the deployment wizard, they show that they have a client and may have lost connectivity. Even then, the Sylink drop also fails. My environment comprises 3400 client computers. Out of this, I only have about 2700 clients and as such my compliance is compromised. Apart from the SEPM Client Deployment wizard, I have also used a GPO, which I deployed using a guide from Symantec. I also have SCCM that I have also configured to install any clients discovered.

Despite these many tools, I am still far from reaching at least 3000 clients. Installation via PowerShell comes with WMI related errors. I thought of all the tools in place at least one of them should help me move numbers.

I have an open call with Symantec support but the suggested solution entails physically going to one or some of the clients.

Where am I missing it all? Maybe start on a clean slate?
