Channel: Symantec Connect - Products - Discussions

SEPM Network Attack Notification

I need a solution

Is it not possible to create a Notification Rule to email on a SEPM network attack detection of Critical or higher? For example, we received a detection on an endpoint that I was only able to see in the log monitoring within SEPM, and did not receive an email notification for. How would I go about creating an email notification for such detections in the future? They're too severe to just not get notified about.

Client Affected

Computer Name (current): My-Computer1
Computer Name (when event occurred): My-Computer1
IP Address (current): fe80::11a2:11a3:3d87:ab97
IP Address (when event occurred): 192.168.0.105
Local MAC: N/A
User Name: none
Operating system: Windows 10 Professional Edition
Location Name: Default
Domain Name: Default
Group Name: My Company\Test
Server Name: SYM-Server
Site Name: Site SYM-Server

Risk Detected

Event Time: 11/14/2019 08:54:44
Begin Time: 11/14/2019 08:54:59
End Time: 11/14/2019 08:54:59
Number: 1
Signature Name: Attack: NTLM Hash Theft Attempt
Signature ID: 31835
Signature Sub ID: 80115
Intrusion URL: N/A
Intrusion Payload URL: N/A
Event Description: [SID: 31835] Attack: NTLM Hash Theft Attempt attack blocked. Traffic has been blocked for this application: SYSTEM
Event Type: Intrusion Prevention
Hack Type: 0
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Outbound
Remote IP: 192.168.0.133
Remote MAC: N/A
Remote Host Name: N/A
Alert: 1
Local Port: 51939
Remote Port: 139

SONAR Grayed Out

I need a solution

So we have a couple of client PCs that we need to add some folder exceptions for in SONAR. Naturally, since we have server-side checked to minimize user intervention, I imagine this is why it's grayed out. So I made a separate policy with mixed control. In that, I checked SONAR on the client side, but it's still grayed out.

Any way we can make them be able to add SONAR exceptions while still following least privilege? I also tried updating the policy through the icon in my system tray, no luck.


PGP Encryption Issue

I need a solution

Hello all,

Our organization is currently using Symantec PGP Encryption software and a File Transfer Protocol application called Axway to receive and send files through encrypted SFTP connections. We found there are several vendors/clients who cannot use our keys for reasons such as ciphers or algorithms that may be different, or other issues. Has anyone encountered an issue with certain PGP compatibilities, and in what ways, or how did you resolve that issue? We have some who use PGP Command Line and they need to change their script/code to make it work. What other scenarios have you seen?

We have an issue where the vendor needs an email address in order to import the key. Many other vendors do not have that issue. Once we add the email address, the PGP Key Block has changed. Would this affect the encryption and decryption process when delivering files?

Another issue is that a vendor such as Workday is using their integrated tool to encrypt the key, but when sending the files it fails to encrypt and sign once it hits our Axway File Transfer Protocol application.

Any suggestions and help in guidance would be appreciated!

Let me know if I need to add any attachment.

Thanks,

Q G


After re-create preboot environment Error on Pxe boot - megasas2.sys

I need a solution

Today I uploaded some preboot drivers, after which I re-created the preboot environment. Now when I PXE boot my clients I get an error message:

Windows Failed to Start a recent hardware or software change might be the cause.

Running on WINPE10.
 

\Windows\System32\Drivers\megasas2.sys

Status: 0xc0000359

Already tried the following:

  • Delete the preboot drivers but there is no option to delete them.
  • Create new preboot environment.

What else could I try?


Uninstall SEE after windows 10 upgrade

I need a solution

Hello,

I brought on a client, and we were unaware of their use of SEE on a few of their devices. We ran the Windows 10 upgrade on a Windows 7 laptop that had the disk encrypted using SEE. I was able to create a PE disk and decrypt the disk to allow Windows 10 to complete. At this point, I want to uninstall the Symantec software, but when I do so through Programs and Features, it states that the disk is encrypted and terminates the uninstall. I checked the drives in the Client Administrator app and it shows them as unencrypted. I would like to remove the BootGuard that is still there as well as the applications.

Windows 7 to Windows 10 1903 upgrade using the media creation tool

SEE 11.0.1 build 7342

Management client, disk encryption, and autologin clients installed

Dell Latitude E5570 with Samsung SSD


SEP 14.2 RU2 On-Prem vs. Cloud version.

I do not need a solution (just sharing information)

I've been able to download and install the SEP 14.2 RU2 in our test environment to support macOS Catalina (10.15). We're planning on upgrading our production environment in about a week. My question is, why are we not seeing the update for the SEP 15 cloud console? Note that we do not have a hybrid environment. They're separate systems.

Our SEP 15 system still shows the MAC devices with the "14.2 RU1C 183" agent. Building a new installation package still provides the same "14.2 RU1C 183" version.


Granicus Livemanager files are flagged as infected by a virus

I need a solution

We are using a product called Granicus Livemanager. This product allows us to schedule meetings and change between different speakers. Lately, when using the product, SEP 14 is flagging all the Livemanager files as infected by viruses. These files reside in the users\appdata\local area. I

Is anyone else having problems with this product?


Symantec.Cloud - Weird connection issue due to a port reconfiguration

I need a solution

Since the 25th of October 2019, we have had a weird connection issue on one of our servers to the Symantec Cloud Server. Once you open the SEP GUI on the server (2012), all is fine and green. Everything works fine and it says it is connected to the SEP server. On the Symantec Cloud Server, the machine is shown as offline since the 25th of October 2019. The definitions are shown as up to date, though. I contacted the colleague that worked on the machine about what he did. He told me that he changed some ports for a merge, but that's all the intel I got out of him.

The system is secured and running fine, but I want to fix that.

Any ideas which port/ports might be the culprit here? Which ports are needed for the Symantec Cloud Server to see the machines online status?


Failed to migrate

I need a solution

Dear all,

Thanks for your help in advance.

We are trying to upgrade from Symantec DLP 15.1 MP1 to DLP 15.5 MP2.

First we tried to upgrade to 15.5, and we had problems.

Environment Description:
• Redhat Linux 7.6 (all servers)
• Enforce, Oracle, Network Monitor, and Endpoint are separate machines.

We followed the Install Guide 15.1 chapter on securing communication between Enforce and the database:

"About securing communications between the Enforce Server and the database", pg. 63, Symantec_DLP_15.1_Install_Guide_Lin

We ran URT and all evaluated items passed the verification successfully, however, with a total of 6 Warnings.

We tried to run the Migration Utility, but it failed, making the upgrade impossible.

URT

    ------------------------------ ------------------------------ ------------------------------ ---------------- ----------------
End  : Sequence Validation - elapsed 2.19s - PASSED

Start: Oracle System Parameter Validation - 2019-11-08 19:25:41
    Parameter Name                 Current Value        Recommended Value
    ------------------------------ -------------------- --------------------
    memory_target                  0                    3072
    pga_aggregate_target           1073741824           0
    sessions                       1524                 1500
    sga_max_size                   3221225472           0
    sga_target                     3221225472           0
    sort_area_size                 65536                0
End  : Oracle System Parameter Validation - elapsed .02s - WARNING (6 warnings)

Start: Data Validation - 2019-11-08 19:25:42
End  : Data Validation - elapsed 0s - PASSED

Data Objects Check Summary: There are total of 6 warnings and 0 errors.

MigrationUtility

SEVERE: Failed to create migration action context
com.symantec.dlp.migrationcommon.MigrationException: Failed to create database connection
        at com.symantec.dlp.enforceservermigrationutility.EnforceMigrationContextCreator.createMigrationActionContext(EnforceMigrationContextCreator.java:60)
        at com.symantec.dlp.migrationcommon.MigrationUtility.runMigrationUtility(MigrationUtility.java:108)
        at com.symantec.dlp.migrationcommon.MigrationUtility.runMigrationUtility(MigrationUtility.java:70)
        at com.symantec.dlp.enforceservermigrationutility.EnforceServerMigrationUtility.runMigration(EnforceServerMigrationUtility.java:17)
Caused by: java.sql.SQLRecoverableException: IO Error: General SSLEngine problem, connect lapse 90 ms., Authentication lapse 0 ms.
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:794)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:688)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:691)
        at com.symantec.databasemigration.OracleConnectionProvider.getConnection(OracleConnectionProvider.java:22)
        at com.symantec.dlp.enforceservermigrationutility.EnforceMigrationContextCreator.createMigrationActionContext(EnforceMigrationContextCreator.java:56)

Thanks.


Identification of Malware detected and blocked on Macs

I need a solution

Hi,

I need a report that shows the number of malware detections blocked on Macs in the SEP database. Can anyone help me get the query, please?

Thanks in Advance,

Arun


Central eMail Quarantine

I need a solution

Dear All,

I have Symantec Mail Security for Microsoft Exchange 7.9 running on multiple Exchange 2013 servers in a DAG configuration.

Is there a way to centralize quarantined email, not just virus threats by email as well? That is to say, if an email was quarantined because it violated some file-based rule, can I set up a central quarantine for all my SMSME servers, and take actions for releasing from that central place?

Thank you

b.l


Unable to extract CSV file from a PGP encrypted mail attachment

I need a solution

Hi Forum members.

I am using Symantec Encryption Desktop 10.4.2 MPIHFI [Build 393] (PGP SDK 4.4.2)

Currently I am able to decrypt and extract PGP attachments containing *.XLS files and save them to my desktop, but not *.CSV files; the PGP attachment containing the CSV file only decrypts and opens up the secure viewer.

Can someone explain what I need to do to allow this, please?

Thank you.


How to get a copy of Symantec Endpoint Recovery Tool (SERT)

I need a solution

I have some machines which are infected and I want to scan them through a bootable CD.
May I know how to get a copy of Symantec Endpoint Recovery Tool (SERT)? It comes as an ISO (disk image); does it come with the latest definitions, or if I want to update the definitions, can I update to the latest definitions?
It will be helpful to remove malware / ransomware.


Embedded Database default password

I do not need a solution (just sharing information)

We are integrating SEPM with EDR. While configuring the Synapse log collector it asks for the database password, but we don't have the password. How do we retrieve it?


we cannot send emails to any server under clusterXX.eu.messagelabs.com

I do not need a solution (just sharing information)

Hi,

we cannot send emails to any server under clusterXX.eu.messagelabs.com

Log:

[15/Nov/2019 11:31:49][20124] {smtpc} Sending email to SMTP server cluster8.eu.messagelabs.com, delivering mail from <a.volkov@ar-co.ru>
[15/Nov/2019 11:31:49][20124] {smtpc} Connecting to server cluster8.eu.messagelabs.com (46.226.52.98:25) using local interface 0.0.0.0 ...
[15/Nov/2019 11:31:49][20124] {smtpc} Connected to SMTP server cluster8.eu.messagelabs.com
[15/Nov/2019 11:31:49][20124] {smtpc} Received greeting: 220 server-9.tower-262.messagelabs.com ESMTP
[15/Nov/2019 11:31:49][20124] {smtpc} Sending EHLO
[15/Nov/2019 11:31:49][20124] {smtpc} Switching connection to TLS
[15/Nov/2019 11:31:49][20124] {smtpc} Sending EHLO
[15/Nov/2019 11:31:49][20124] {smtpc} Sent MAIL command
[15/Nov/2019 11:31:49][20124] {smtpc} Got reply: 250 OK
[15/Nov/2019 11:31:49][20124] {smtpc} Sent RCPT TO: <aleksmorozov@azbukavkusa.ru>
[15/Nov/2019 11:31:50][20124] {smtpc} Got reply: 250 OK
[15/Nov/2019 11:31:50][20124] {smtpc} Sent DATA command
[15/Nov/2019 11:31:50][20124] {smtpc} Got reply: 354 go ahead
[15/Nov/2019 11:31:50][20124] {smtpc} Sending message body...
[15/Nov/2019 11:31:50][20124] {smtpc} DKIM: Inserting signature(id=5dce6273-0004fdea)

[15/Nov/2019 11:33:07][20124] {smtpc} Connection closed by remote host prematurely.
[15/Nov/2019 11:33:07][20124] {smtpc} Connection lost with server cluster8.eu.messagelabs.com: Connection lost
[15/Nov/2019 11:33:07][20124] {smtpc} Delivery to other mx servers was skipped

Kerio Connect tech support:

Please contact messagelabs.com and ask if they can whitelist your server or increase the timeout for smtp.

Thanks

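The log above shows the server accepting DATA, the client inserting its DKIM signature, and then a premature close some time later. Whether that gap is long enough to match a remote timeout is the question support raised, so it is worth measuring rather than eyeballing. The following is an added example, not part of the original post or of Kerio Connect: it parses {smtpc} lines in the shape quoted above (the sample is constructed, with the sender address replaced by an example.com one), tracks each session after the 354 reply, and reports the idle gap before a "Connection closed by remote host prematurely" event. The 60-second threshold is an assumed value, not a Kerio or MessageLabs setting.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the Kerio Connect {smtpc} log lines quoted in
# the post above (sender address replaced with example.com; timestamps and session id kept).
SAMPLE_LOG = """\
[15/Nov/2019 11:31:49][20124] {smtpc} Sending email to SMTP server cluster8.eu.messagelabs.com, delivering mail from <sender@example.com>
[15/Nov/2019 11:31:49][20124] {smtpc} Connected to SMTP server cluster8.eu.messagelabs.com
[15/Nov/2019 11:31:49][20124] {smtpc} Switching connection to TLS
[15/Nov/2019 11:31:49][20124] {smtpc} Sent MAIL command
[15/Nov/2019 11:31:49][20124] {smtpc} Got reply: 250 OK
[15/Nov/2019 11:31:50][20124] {smtpc} Sent DATA command
[15/Nov/2019 11:31:50][20124] {smtpc} Got reply: 354 go ahead
[15/Nov/2019 11:31:50][20124] {smtpc} Sending message body...
[15/Nov/2019 11:31:50][20124] {smtpc} DKIM: Inserting signature(id=5dce6273-0004fdea)

[15/Nov/2019 11:33:07][20124] {smtpc} Connection closed by remote host prematurely.
[15/Nov/2019 11:33:07][20124] {smtpc} Connection lost with server cluster8.eu.messagelabs.com: Connection lost
"""

# [dd/Mon/yyyy HH:MM:SS][session] {smtpc} message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<sid>\d+)\] \{smtpc\} (?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, session id, message), or None for blank / non-smtpc lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    return ts, m.group("sid"), m.group("msg")


def find_stalled_data_phases(log_text, idle_threshold_seconds=60):
    """For each smtpc session, detect a premature remote close that happens after the
    server answered DATA with 354, and measure the idle gap between our last logged
    activity and the close. A long gap is consistent with a remote-side timeout (the
    hypothesis support raised) but does not by itself prove the cause.
    idle_threshold_seconds is an assumed value, not a product setting."""
    in_data = {}   # sid -> (timestamp, message) of the last activity after the 354 reply
    server = {}    # sid -> remote server name taken from the "Sending email to" line
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, sid, msg = parsed
        m = re.match(r"Sending email to SMTP server (\S+),", msg)
        if m:
            server[sid] = m.group(1)
        if msg.startswith("Got reply: 354"):
            in_data[sid] = (ts, msg)
        elif sid in in_data and msg.startswith("Connection closed by remote host prematurely"):
            last_ts, last_msg = in_data.pop(sid)
            gap = (ts - last_ts).total_seconds()
            findings.append({
                "session": sid,
                "server": server.get(sid, "unknown"),
                "last_activity": last_msg,
                "gap_seconds": gap,
                "likely_timeout": gap >= idle_threshold_seconds,
            })
        elif sid in in_data:
            in_data[sid] = (ts, msg)
    return findings


if __name__ == "__main__":
    for finding in find_stalled_data_phases(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports a single session with a 77-second gap whose last logged activity was the DKIM signature insertion, which is the kind of figure to bring to the receiving side when asking about their SMTP timeout.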

BSOD when I deploy a Sysprepped Image

I need a solution

Hi all, I am having issues deploying a sysprepped image in GSS 3.3 RU3. This is my setup.

Laptop Models: Dell Latitude 5400 Set to UEFI boot.

GSS 3.3 RU3

Case 1. I followed the instructions in TECH249488 with the laptop connected to the internet and performed a clean OS install, also installed all the apps we use (Office, Adobe, Chrome, etc.), then ran Windows updates. I then sysprepped the laptop (I did NOT use Ghost to sysprep; I used the stock sysprep tool in c:\windows\system32\sysprep), and captured the image successfully.

Case 2. On a second similar laptop I isolated the laptop from the internet (basically unplugged the ethernet cable), proceeded to install a clean OS and apps, and went ahead and sysprepped (I did NOT run Windows updates on this machine) and captured the image successfully.

Results.

1. In both cases, I am getting the dreaded BSOD seen in the image attached below.

2. On the laptop connected to the internet on which I ran Windows updates, Sysprep failed with an error about "SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'Sysprep_Clean_Validate_Opk' from C:\Windows\System32\spopk.dll; dwRet = 0x975". I searched the internet and found that it appears Windows Update replaces or modifies the spopk.dll file, so I replaced it with one from a working computer and sysprep runs without error.

3. I noticed that after deploying the captured image, the BIOS boot order was modified by Ghost to boot from the NIC. (This never used to happen on GSS 3.2.)

PS: I tried it with a Dell Latitude 5490 and 7450 with the same result. I have recently built a new server with GSS 3.3 RU3. This never happened with GSS 3.2. Were there changes in GSS 3.3 RU3 that are causing this? Is anyone out there experiencing something similar?

Thanks

J


Symantec is blocking our website

I need a solution

Our customers are calling us about Symantec blocking our Shopify store. Please let me know what is going on.

I have attached the message that is popping up.


"configuration failed while attempting configure pluggable protocols"

I need a solution

I'm trying to install DS 8.5 RU3 on Windows Server 2012 R2, and about 70% of the way through the installation, it fails with the following:

"configuration failed while attempting configure pluggable protocols".

Any thoughts?

Thanks!


Site loading partially

I need a solution

While accessing the website aumaps.net through our proxy, only partial web pages load, and I am getting the attached error from the developer tools.


Implementing Failover between (SG 600-35) and (S200-30)

I need a solution

As per the KB below, it's not recommended to implement failover between two different models:

https://support.symantec.com/us/en/article.tech240...

However, we are planning a HW refresh of the proxy cluster (600-35 ver. 6.7.2.2) with a new cluster (S200-30 ver. 6.7.4.3).

To achieve no downtime, we will remove the cables from the old standby proxy and connect them to the new standby that has the same configuration, and do the same with the active one, but not on the same night.

Regardless of the load point that is mentioned in the link above, is there any "compatibility issue", "concern" or "recommendation" regarding implementing HA between both of those proxies (with different model/version)?
