Symantec Reporting and Notifications

January 16, 2013, 12:20 pm

≪ Previous: Encrypting email attachments with mail policy rules

I need a solution

Good Afternoon Everyone,

I am new to this software and needing some insite on how everything will work. The software seems to be good at what it is supposed to be. I am a new hire at a fairly large company and hired as a Technical Security Analyst. I have a few questions if someone is able to help out on that would be great.

1- For out-of-date virus definitions, is there a way to only see those connected directly to our domain?

The reason for this question is most of the end users are in sales. They will hop on the VPN to get files, etc and hop off. I am not needing to capure this information right now. Also, we have a corporate office, plant, and warehouse. Could these also be split in the reporting?

2-What are some of the best reports and notifications to setup with this software?

I have set up a daily risk report to show me risk that have been detected, quaranteened, active, and deleted. I have also set up a notification for the same critiria for cat3 or above for risk. I have a weekly network compliance report and a weekly out-of-date definition report(which i hope to be able to cut out sales that vpn in)

I want to thank for anyones reply in advance. Hopefully be seeing you around here more offten responding once I get a hang of everything!

↧

DLP v12 release date?

January 16, 2013, 12:30 pm

≫ Next: Detected Virus Changes Locations in Action Summary Pane

≪ Previous: Symantec Reporting and Notifications

I need a solution

There was a Forum Discussion in January 2012 called DLP v12 (https://www-secure.symantec.com/connect/forums/dlp-v12) which mentioned the new version could possibly come out early 2013. Do we know if this is still the case?

I'm anxiously waiting to scan Exchange 2010 for PCI data to meet our compliance requirement and we were told by Symantec Support (ticket # 03415995) that we'd need to wait for v12. I know the DLP Admin guide provides instructions to scan Exchange 2010 but unfortunately there's some LDAP issues. We get "Failed to read ldaps://[DC_name.domain.com]:636; error: Unknown error. See the log files for details." errors and also a "User [domain\username] does not have appropriate privileges to access mailbox [mailboxname]" error for each mailbox despite having the appropriately assigned permissions on the account used to scan. Any info would be appreciated.

↧

Detected Virus Changes Locations in Action Summary Pane

January 17, 2013, 9:05 am

≫ Next: LiveUpdate thinks is is 6 months in the future and won't update definitions

≪ Previous: DLP v12 release date?

I need a solution

I have been experiencing a problem where a detected BLOCKED and/or QUARANTINED Virus will keep changing computer/user/ip address

locations as I cycle between the panes in the Management Console. For instance, when I click on the number of Blocked Virus, a screen will open

saying the virus was detected at 150L/System/10.16.0.5. If I close out and reopen a number of times, the location will change the computer

location to a different location, let us say Music room/System/10.16.1.119. I can keep up this action, and the location continues changing, giving

a false location. Is there a fix action for this issue? I have three other separate locations with SEP installed and they are not acting in this manner.

Using SEP 11.0.6200.754. Please do not tell me to update unless you can positively concur this problem has been corrected in an update.

Thank you.

↧

LiveUpdate thinks is is 6 months in the future and won't update definitions

January 17, 2013, 9:14 am

≫ Next: HOWTO - Custom Report for "Failed to download from Group Update Provider"

≪ Previous: Detected Virus Changes Locations in Action Summary Pane

I need a solution

We have about 300 computers that are managed by SEPM, and the server will not get the latest updates from LiveUpdate. When I manually force a LiveUpdate, I noticed the date and time are over 6 months in the future. See the results below. Does anyone know what the issues is, and where SEPM is getting this Date and Time from?!

July 26, 2013 5:18:18 AM PDT: LiveUpdate will start next on Friday, July 26, 2013 9:18:18 AM PDT on <Server Name>. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:18 AM PDT: LUALL.EXE finished running. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:18 AM PDT: LiveUpdate succeeded. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:18 AM PDT: LUALL.EXE successfully updated the content. Return code = 0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:13 AM PDT: No updates found for Symantec Endpoint Protection Win64 12.1 (English). [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:13 AM PDT: No updates found for Symantec Endpoint Protection Win32 12.1 (English). [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:13 AM PDT: No updates found for Centralized Reputation Settings 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:13 AM PDT: No updates found for SONAR scan engine Win32 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:13 AM PDT: No updates found for AP Portal List 12.1 RU2. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: No updates found for TruScan proactive threat scan commercial application list Win32 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: No updates found for SONAR scan whitelist Win64 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: No updates found for Virus and Spyware definitions Win32 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: No updates found for Intrusion Prevention signatures Win64 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: No updates found for Client Intrusion Detection System signatures 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: Successfully downloaded the Revocation Data security definitions from LiveUpdate. The security definitions are now available for deployment. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:12 AM PDT: Cleaned up 1 LiveUpdate downloaded content [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for SONAR scan engine Win64 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for Submission Control signatures 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for Submission Control signatures 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for SONAR scan data 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for Symantec Whitelist 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for SONAR Heuristics engine 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for SONAR scan whitelist Win32 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for TruScan proactive threat scan commercial application list Win64 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for SONAR scan commercial application engine 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:11 AM PDT: No updates found for SEPM LiveUpdate Database 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:10 AM PDT: No updates found for Extended File Attributes and Signatures 12.1 RU2. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:10 AM PDT: No updates found for Virus and Spyware definitions Win64 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:10 AM PDT: No updates found for Symantec Endpoint Protection Manager Content Catalog 12.1. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:18:10 AM PDT: No updates found for Intrusion Prevention signatures Win32 11.0. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:17:46 AM PDT: LUALL.EXE has been launched. [Site: <Site Name>] [Server: <Server Name>]

July 26, 2013 5:17:41 AM PDT: LiveUpdate started. [Site: <Site Name>] [Server: <Server Name>]

8215911

1358449799

↧

HOWTO - Custom Report for "Failed to download from Group Update Provider"

January 17, 2013, 9:50 am

≫ Next: Symantec Mail Security For Exchange

≪ Previous: LiveUpdate thinks is is 6 months in the future and won't update definitions

I need a solution

Hello,

I would like to know how to create a custom report that lists all SEP clients with the Event Type "Failed to download from Group Update Provider".

When I go to SEPM (SEP 12 RU2) > Monitors > Log type: System, Log Content: Client Activity

I don't see the option under Event type to select "Failed to download from Group Update Provider". Instead, the closest I can get to filtering for this event type is to specify Event Source as "SYLINK"

In our environment we have over 1000 GUPs (SEP 11 RU7 MP1 ) for nearly 200K clients (Varying versions of SEP 11), so I really need a streamlined way to make sure all these clients are receiving defs from the GUPs wink

↧

Symantec Mail Security For Exchange

January 17, 2013, 9:54 am

≫ Next: SEP 12.1.2 Exceptions Prefixes

≪ Previous: HOWTO - Custom Report for "Failed to download from Group Update Provider"

I need a solution

Noob question i can install a Mail Security for Exchange on a diferent server out of the my exchange server

↧

SEP 12.1.2 Exceptions Prefixes

January 17, 2013, 10:22 am

≫ Next: Where to download the latest SEP-M?

≪ Previous: Symantec Mail Security For Exchange

I need a solution

Just curious about the prefixes and how they work specifically.

Been doing some reading and know enough that it depends on the system variable...

https://www-secure.symantec.com/connect/forums/exceptions-using-prefix-sep-121

[program files] in SEP = %programfiles% in the system

My question goes more to a 64-bit system where the is Program Files and Program Files (x86). Is this accounted for in any way or will it be stuck to just Program Files, where everything in Program Files (x86) is not excluded?

I am trying to create an application exception for CA ArcServe and they seem to have files in both paths, and the exception created does not seem to work. Therefore, I want to get a better understanding of it. If it is not able to compensate for both, then I will need to use the specific paths or even go as far as excluding the entire CA directories. Any thoughts or advice would be great, since the backups went from running 9 hours before SEP 12.1.2 to 14+, so SEP is obviously stepping on something.

In the past, the system was running SEP 11, with AV only, no PTP, IPS or NTP installed.

Thanks

↧

Where to download the latest SEP-M?

January 17, 2013, 10:48 am

≫ Next: DLP work with images

≪ Previous: SEP 12.1.2 Exceptions Prefixes

I need a solution

I have updated some of our clients to sep 12.1 ru2 and now my management console (12.0) is not fully recognizing those devices properly.

Where can I get/download the most recent version of SEPM for my server?

↧

DLP work with images

January 17, 2013, 10:50 am

≫ Next: PGP and Windows Password out of sync

≪ Previous: Where to download the latest SEP-M?

I need a solution

Hi!During testing, the question arose as DLP protects against unauthorized copying of images or eliminates the possibility to make screenshot "secret" document?

↧

PGP and Windows Password out of sync

January 17, 2013, 11:30 am

≫ Next: Installing 12.1.x - which version of SQL Server client tools?

≪ Previous: DLP work with images

I need a solution

Hello. A user recently changed their password on Windows but upon logging in to their laptop through the PGP boot screen, they still need to use their old password. I tried having the user run an update policy on PGP (which usually works) but this did not help. Is there any other means of syncing the 2 passwords?

↧

Installing 12.1.x - which version of SQL Server client tools?

January 17, 2013, 1:54 pm

≫ Next: Trying to enter a licence key for PGP desktop and getting a dump.... ntdll.dll

≪ Previous: PGP and Windows Password out of sync

I need a solution

I'm looking at a popup dialog box on my server where I'm trying to install SEP 12.1. It's at the Database setup portion of the install and it's telling me that I have to have the SQL Server client tools installed. My DBA tells me that there are a lot of versions and wants to know which to install? What can I tell him?

Thanks,
Mark

↧

Trying to enter a licence key for PGP desktop and getting a dump.... ntdll.dll

January 17, 2013, 2:08 pm

≫ Next: Web gateway appliance 8450 vs 8490

≪ Previous: Installing 12.1.x - which version of SQL Server client tools?

I need a solution

I have 10.3 installed in windows 8. All was perfect with the trial key.

I bought the key and got my e-mail. Now I'm going to the desktop, select license, change license and enter the key. If I get it wrong all is good and I get a error.

If I get it right.... I get a dump. I've tried uninstall, reboot, reboot, reinstall with the same results .

The event log shows:

Faulting application name: PGPdesk.exe, version: 10.3.0.8741, time stamp: 0x50c11ea9

Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505aaa82

Exception code: 0xc0000374

Fault offset: 0x000da94f

Faulting process id: 0x146c

Faulting application start time: 0x01cdf4ec3c12d4ad

Faulting application path: C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPdesk.exe

Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll

Report Id: 85994ecc-60df-11e2-be8c-f0def180fb8a

Faulting package full name:

Faulting package-relative application ID:

Thanks in advance.

Derek

↧

Web gateway appliance 8450 vs 8490

January 18, 2013, 7:03 am

≫ Next: Would like to know what this does.

≪ Previous: Trying to enter a licence key for PGP desktop and getting a dump.... ntdll.dll

I need a solution

Hi ,

Can anybody tell me how many users are required for each appliance model ?

Is there a max? or it doesnt matter?

8220871

1358526476

↧

Would like to know what this does.

January 18, 2013, 7:15 am

≫ Next: LU Policy Question

≪ Previous: Web gateway appliance 8450 vs 8490

I need a solution

Please take a look at the attached screen shot, I would like to know what the purpose of this function is? It is pretty much the only thing in SEP I have never used.

Thank you

8220971

1358535837

↧

LU Policy Question

January 18, 2013, 7:54 am

≫ Next: Same CCS Standard, same data collection, different results

≪ Previous: Would like to know what this does.

I need a solution

We have an LU policy defined which stipulates that clients will use explicit GUP's. Additionally, the option to use the Management Server is selected.

My problem is that any client that does not meet the criteria for usage of an explicit GUP, does not appear to be obtaining any updates at all.

With this configuration, I presume that the client should use the explicitly defined GUPs first (so long as they match the criteria) and then fallback to the management server.

Is my thinking correct?

8221011

1358527215

↧

Same CCS Standard, same data collection, different results

January 18, 2013, 9:24 am

≫ Next: NAVENG.SYS is causing BSOD in SEP12.1.2 installations

≪ Previous: LU Policy Question

I need a solution

Does anyone experience different results runnning the same CCS standard based from same data collection and having completely diffrent results?

Looks like some time evaluation process cannot get the data from data colection.....

↧

NAVENG.SYS is causing BSOD in SEP12.1.2 installations

January 18, 2013, 9:41 am

≫ Next: A couple of clients have a picture with a red circle with an x in it and a yellow arrow pointing down.

≪ Previous: Same CCS Standard, same data collection, different results

I need a solution

Anyone came across a situation where by SEP 12.1.2 client bluescreens during installation and the Dump file point s to NAVENG.SYS as a cause? Dump file results are below. I have cleaned wiped the system. The system had SEP 11.x before this upgrade and now I cannt even get back to 11.x. It just crushes as soon as it finishes downloading updates. I dont think is licking RAM. I have swapped with another system and that system has no issues at all and its on SEP 12.1.2

Any ideas?

Dump File:	Mini
Crash Time
Bug Check String	MEMORY_MANAGEMENT
Bug Check Code	0x0000001a
Parameter 1	0x00041785
Parameter 2	0xc0e00000
Parameter 3	0x82efd88c
Parameter 4	0x0000000
Caused By Driver	NAVENG.SYS
Caused By Address	NAVENG.SYS+0

Processor	32-bit

Crash Address	Ntoskrnl.exe+22f9f

↧

A couple of clients have a picture with a red circle with an x in it and a yellow arrow pointing down.

January 18, 2013, 10:28 am

≫ Next: DLP and Credit Card Data

≪ Previous: NAVENG.SYS is causing BSOD in SEP12.1.2 installations

I need a solution

What does this mean? The definitions are up to date, the only thing I see is that the Sonar definitions are about 11 days old.

If this is what is causing it, how do I get the Sonar to update, if not, what is causing this?

OS = Windows 7 64 Bit

8221661

1358535512

↧

DLP and Credit Card Data

January 18, 2013, 12:26 pm

≫ Next: If a client is already on a current version, will the Auto upgrade option re-install the client?

≪ Previous: A couple of clients have a picture with a red circle with an x in it and a yellow arrow pointing down.

I need a solution

I currently monitor CC information through email prevent in DLP. What do you do when you see a user emailing personal credit card information that is not related to the business. When a user emails CC info for business they are flagged as in progress and worked. What do you for these? Any and all help would be greatly appreciated.

↧

If a client is already on a current version, will the Auto upgrade option re-install the client?

January 18, 2013, 12:52 pm

≫ Next: Need some help confirming something...

≪ Previous: DLP and Credit Card Data

I need a solution

I use SCCM and during the imaging of new computers a SEP client gets installed. If an autoupgrade policy gets applied to an ou that has some computers with uptodate clients, will those clients get re-installed?

8222141

1358545982

↧