Channel: Symantec Connect - Endpoint Protection - Discussions

SEPM Reporting Customization

I need a solution

Hi all,

We currently have SEPM installed and occasionally need to run specific reports, and the information from the Monitors page/Reporting tab returns too much information. Is there a tool or way we can further customize the reports and the date we retrieve?

Thanks,


New SEP version 14.2.4815.1101 released on Sept 24th

I need a solution

Hello,

I see that a new SEP version was released yesterday; it is build 14.2.4815.1101.

But I cannot find any release notes, what's new, or what was fixed in this version.

Anyone managed to find it?

Regards


Offline Non-Persistent VDIs are not showing in Computer status report

I do not need a solution (just sharing information)

Offline Non-Persistent VDIs are not showing in the Computer Status report. We are able to see the offline NPVDIs on the Dashboard, but it's not reflecting in the Computer Status report. Please suggest.

Thanks


Repeated Virus Alerts but files don't exist

I need a solution

We are getting repeated SEP alerts from a client based on a temp file from Outlook and a file from a flash drive, both of which were deleted last week (flash drive isn't even in machine), but is triggering alerts every day.  We have confirmed that the files are not on the host. A sample of the alert follows.  Note the event date/time vs last updated time.  We get multiple alerts per week from other machines with same config but have never seen this behavior before.  We've run multiple full scans and reboots.  Ideas?

2019-09-25 08:22:28,Virus found,IP Address: xxxxx,Computer name: xxxx,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number: ,Source: Auto-Protect scan,Risk name: ISB.Downloader!gen279,Occurrences: 1,C:\Users\xxxx\AppData\Local\Packages\oice_16_974fa576_32c1d314_1ab\AC\Temp\FB8C2FE1.doc,AP realtime deferred scanning,Actual action: Cleaned,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2019-09-19 10:23:17,Inserted: 2019-09-19 10:27:41,End: 2019-09-19 10:23:18,Last update time: 2019-09-25 08:22:28,Domain: Default,Group: My Company\Client PCs\Windows Laptops,Server: symantec,User: xxx,Source computer: ,Source IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: outlook.exe,Prevalence: Unknown,Confidence: This file is untrustworthy.,URL Tracking Status: On,,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Not on the permitted application list,Application hash: 44193897B15E5B25ABD4FDAEC44923B9B44EEF2D49B330934BC47F91D6A82107,Hash type: SHA2,Company name: ,Application name: FB8C2FE1.doc,Application version: ,Application type: 127,File size (bytes): 327040,Category set: Malware,Category type: Heuristic Virus,Location: On Network
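
The following Python example is added here and is not part of the original post or of Symantec's tooling. It parses an alert line in the format quoted above and measures how long after the original detection (Event time) the alert was sent, so a re-sent notification of an already-cleaned detection can be told apart from a new one; the function names and the one-day threshold are assumptions.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: the alert quoted in the post, shortened to a few fields.
SAMPLE = (
    "2019-09-25 08:22:28,Virus found,Computer name: xxxx,Certificate issuer: ,"
    "Source: Auto-Protect scan,Risk name: ISB.Downloader!gen279,Occurrences: 1,"
    r"C:\Users\xxxx\AppData\Local\Packages\oice_16_974fa576_32c1d314_1ab\AC\Temp\FB8C2FE1.doc,"
    "Actual action: Cleaned,Event time: 2019-09-19 10:23:17,"
    "Inserted: 2019-09-19 10:27:41,Last update time: 2019-09-25 08:22:28"
)
# Constructed sample: a detection reported minutes after it happened.
FRESH = ("2019-09-25 08:22:28,Virus found,Risk name: Example.Risk,"
         "Event time: 2019-09-25 08:20:01,Last update time: 2019-09-25 08:22:28")


def parse_alert(line):
    """Return (report_time, event, labeled fields, unlabeled values)."""
    parts = [p.strip() for p in line.strip().split(",")]
    report_time = datetime.strptime(parts[0], TIME_FMT)
    fields, unlabeled = {}, []
    for part in parts[2:]:
        # Split on the first ": " only; times and paths contain ':' themselves.
        key, sep, value = (part + " ").partition(": ")
        if sep:
            fields[key] = value.strip()
        elif part:
            unlabeled.append(part)  # e.g. the file path, which has no label
    return report_time, parts[1], fields, unlabeled


def stale_alert(line, max_age=timedelta(days=1)):
    """Describe an alert whose detection is older than max_age (assumed
    threshold) at the time the alert was sent; return None otherwise."""
    report_time, event, fields, unlabeled = parse_alert(line)
    if "Event time" not in fields:
        return None
    age = report_time - datetime.strptime(fields["Event time"], TIME_FMT)
    if age <= max_age:
        return None
    return {
        "event": event,
        "risk": fields.get("Risk name", ""),
        "action": fields.get("Actual action", ""),
        "age": age,
        "unlabeled": unlabeled,
    }
```
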


Embedded database Replication

I need a solution

Hi All,

Is it possible to replicate 2 embedded databases?

I am planning to have 2 SEPMs with two embedded databases. Is it good practice to replicate the embedded DB? I heard that the embedded DB will not work properly. Is it true?

Kindly suggest on this.


Datalocker requires 2 free drive letters

I need a solution

Hi,

Hope someone can help.

SEPM 14.2.1

Have rolled out Kingston Datalocker USB sticks across the estate.

Using Device control to lock down all USB sticks except these by device ID.

All is fine except for 3x machines.

Error - "DTLocker+ requires two free drive letters. One free drive letter is available at [sic] but an additional drive is not available"

On all 3 machines, there are at least 5 free letters available after the last physical drive.

Originally there wasn't (F and G were used) but I changed the mappings to ensure F to K are free.

If I remove SEP from the machines then the Datalocker works fine and launches the passphrase capture and assigns a free drive letter.

As soon as I put SEP back on, the error returns.  - Again only on 3 machines though.

Have looked for cached drives, old MRU entries etc, but can't find anything that's stopping them working except for SEP.

Any ideas?

Thanks in advance.


Current Report of agent communicating with Symantec

I need a solution

Hello,

Please guide me on how to download Current Report of an agent communicating with Symantec.


Incorrect count of Physical and registered users

I need a solution

Hello,

When I select the Clients tab, then My Company, then right-click on the computers, it shows an incorrect count. Please help me find out how to check the total number of systems connected to Symantec.

Looking forward to your response.


How does a Group Update Provider work?

I need a solution

To my understanding, the GUP communicates with the client in the following way.

1) The clients will connect to SEPM until the GUP is enabled on one of the clients.

2) Once a GUP is enabled, the policy is pushed to the client from SEPM / pulled by the client from SEPM according to the heartbeat.

3) When the policy is pulled from the SEPM by the client, the Manager provides the GUP contact to the client.

4) Then, as per the policy, the client communicates with the GUP for definitions and with SEPM for policies.

(OR)

A Group Update Provider (GUP) is a client computer that distributes content updates directly to other clients, according to the article HOWTO80959. Does that mean that the GUP broadcasts definitions to the client?

Request you to clarify this confusion.  If anybody has an article regarding this please share.

Thanks in Advance.


Update from 14.2.4814.1101 to 14.2.4815.1101 or not?

I need a solution

Hi,

I have a SEPM and 120 clients with SEP 14.2.4814.1101.

I have no problems with this.

Do I update to 14.2.4815.1101 or not? What is the best choice?


Online and offline report

I need a solution

Hello Team,

How do I download the current online and offline report of which users are connected to Symantec? Please guide me.


Batch Script to clear out corrupt definitions v.14

I need a solution

Hi Guys, 

I need some help creating a batch script to clear out corrupt definitions. I'm not good at any scripting, but have come up with this. Can you guys take a look and make some adjustments? I can't get it to work as desired.

@ECHO OFF
rem BATCH FILE TO REMOVE VIRUS DEFINITIONS FOR SEP CLIENTS

rem Locate smc.exe under the versioned 14* install folder.
rem (cd only changes directory; it cannot be used to run smc.exe.)
set "SEPROOT=%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection"
set "SMC="
for /d %%D in ("%SEPROOT%\14*") do if exist "%%D\Bin\smc.exe" set "SMC=%%D\Bin\smc.exe"
if not defined SMC goto :nosmc

rem Stop the Symantec Management Client before touching the definitions
"%SMC%" -stop

rem NOTE: If you are unable to stop the Symantec Management Client
rem you will need to temporarily disable Tamper Protection.
rem Please see the Technical Information at the bottom of this document for instructions

ECHO.
ECHO =======================
ECHO Delete definition files
ECHO =======================
ECHO.

rem The path contains spaces, so every argument must be quoted.
rem del removes files only; subfolders are left in place.
set "DEFS=C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions"
del /F /Q "%DEFS%\BashDefs\*.*"
del /F /Q "%DEFS%\ccSubSDK_SCD_Defs\*.*"
del /F /Q "%DEFS%\EfaVTDefs\*.*"
del /F /Q "%DEFS%\HIDefs\*.*"
del /F /Q "%DEFS%\IPSDefs\*.*"
del /F /Q "%DEFS%\IronRevocationDefs\*.*"
del /F /Q "%DEFS%\IronSettingsDefs\*.*"
del /F /Q "%DEFS%\IronWhitelistDefs\*.*"
del /F /Q "%DEFS%\SRTSPSettingsDefs\*.*"
del /F /Q "%DEFS%\VirusDefs\*.*"

ECHO.
ECHO ===========================
ECHO Remove values from Registry
ECHO ===========================
ECHO.

rem The key name contains spaces, so it must be quoted as well.
set "SDSKEY=HKLM\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs"
REG delete "%SDSKEY%" /v DEFWATCH_10 /f
REG delete "%SDSKEY%" /v NAVCORP_70 /f
REG delete "%SDSKEY%" /v SRTSP /f

rem Start Symantec Services
ECHO.
ECHO ==========================
ECHO Starting Symantec services
ECHO ==========================
ECHO.

rem Use the full path found above; smc.exe is not on PATH.
"%SMC%" -start

rem Future addition of auto execute latest patch
rem cd %homepath%\Desktop

ECHO Definitions removed. Upload new definition files.
pause
goto :eof

:nosmc
ECHO smc.exe not found under "%SEPROOT%\14*\Bin"
pause
exit /b 1


Unable To Login To SEPM With Active Directory User After 14.2 MP1 Upgrade

I do not need a solution (just sharing information)

After upgrade to SEPM 14.2.1, we lost the ability to log in to the Management Console with AD authentication.  This is a known issue:

https://support.symantec.com/us/en/article.tech251819.html

If you use AD authentication to log in to SEPM, MAKE SURE you have a working local administrator account before you perform the 14.2.1 upgrade.  You will not be able to use your AD account on SEPM login page.  You will have to be able to log in using a local admin account in order to fix the AD authentication problem:

Admin/Servers/Select management server below Local Site (My Site)/Edit the server properties/Directory Servers tab/Select a Directory Server and click Edit/Enter a FQDN in the "Server IP Address or Name" field - not just the hostname

I found that the IP address of a DC did not work for me, but a FQDN did.

Also, if you are running SEPM in a virtualized environment, create a snapshot of the server before attempting the 14.2.1 upgrade.


worm Win32/Mofksys.NA!MTB

I do not need a solution (just sharing information)

Dear admin,

Can you help check whether Symantec Endpoint Protection has an update for the worm Win32/Mofksys.NA!MTB? This worm exists in my company and Symantec Endpoint Protection cannot find it, but Windows Defender is OK. Please help add it to Symantec Endpoint Protection. Thank you.


Web Attack: Malicious Scan Request 2 attack blocked. Traffic has been blocked for this application: SYSTEM

I need a solution

For a week now I have been seeing these events 400 in the application log:

Web Attack: Malicious Scan Request 2 attack blocked. Traffic has been blocked for this application: SYSTEM

Since SYSTEM is the Windows kernel, I worry about what this could mean.

The Symantec signature description doesn't bring any clarity; it only makes me worry more:

https://www.symantec.com/security_response/attacks...

Does somebody know what is happening here and if action is needed and what?

gr,

Ronald


How to create a USB bootable tool to scan a server

I do not need a solution (just sharing information)

Hi team!

I'm looking for info on creating a bootable USB or disk, in order to run a full scan on a server which we suspect is currently infected.

I was searching but I only find this info for older versions of SEP.

Thank you for all your help on this!


Unable To Add Client Install Package 14.2 RU1 MP1

I need a solution

Windows Server 2008 R2

SEPM 14.2 RU1 MP1 - build 4814 (14.2.4814.1101)

Just began upgrading clients to same.

I am in the process of setting up a new server to replace the 2008 R2 server in my production environment.  After a series of events, I had to contact support because I needed to restore my database on the 2008 R2 server.  After the restore, I found I am missing the client install package for 14.2.4814.1101 and when I attempt to add the missing client install package, "Failed to retrieve the build number of the package for the package list generation"  I realize this means I have chosen the wrong package but I have downloaded the package(s) from the portal. 

I also think I need the 4814.1101 build - I think there was an update to this but I'm not sure if the build number changed ... I need the package from mid September'ish.

Any assistance is greatly appreciated.

Thanks!


Using Endpoint Prevent to block uploading classified document to public web services like gmail attachment or social media...etc

I do not need a solution (just sharing information)

Hi,

I have a customer where Endpoint Prevent detection is used only for confidential files. The question is how to configure the policy to prevent the user from uploading these confidential documents as Gmail attachments, to Facebook, or to any other public file hosting on the internet?

Thanks 


Download protection question

I need a solution

Hello,

There are some things that I don't understand regarding the download protection feature.

In my environment the Basic Download Protection feature is enabled, but without Download Insight.
From what I saw on the internet, this feature allows "Endpoint Protection the ability to track URLs", but I don't understand what the capacity of Download Protection is without Download Insight.

I saw that almost every client has a "Download Protection Content" that is out of date. What is this content used for?

Best Regards,

Joris KIEFFEr


SEP clients report offline in SEPM but are actually connected to SEPM

I do not need a solution (just sharing information)

We are facing an issue where client entries are showing as offline in SEPM and, under "Properties", most of the fields are blank.

But when checked locally on those machines, the SEP clients show as up-to-date and connected under "Server connection status" with a very recent time stamp. Out of the 650-odd Windows VMs we have, we are facing this issue on around 15 VMs.

The client & SEPM version = 14.2.1031.0100

We logged a support case and they as well suggested it's due to cloning. But these were not built via a clone process.
Hence, as suggested by the support team, we had deleted the offline entries and ran rebuild DB indexing.
This showed up no progress.

Hence, if someone has an idea about this issue, please help. Thanks
