Channel: Symantec Connect - Products - Discussions

problem in updating sep via Sylink.xml

I need a solution

Hi All,

 

Recently I installed an unmanaged SEP package on one of the machines. After that, I tried to update it by replacing the Sylink.xml file, which I extracted from the SEPM server. But after importing the sylink file, the client machine status still shows offline. Please suggest any solution.

Thanks in advance.

 

 

 


Domains: Client not talking to server after migrating domains

I need a solution

Hello all,

Here's the run down, I'm curious if anyone else has seen this behavior.

Up until recently, we have had only a single (default) SEP domain as we were only running SEP on workstations and about four servers (out of 300).

About 3 weeks ago, our server admin team decided to finally move to SEP.  At that time, I created a new SEP domain called "Servers", set them up as domain admins, and they've been happily installing SEP in their own domain without a problem.  All servers they have installed it on so far are communicating with the SEPM and are pulling policies from the Servers domain.

Now, when I try to migrate one of the four servers that originally connected to the Workstations domain over to the Servers domain, the client loses connection to the SEPM and shows an "Internal Error" on the Help>Troubleshooting>Connection screen. (see attached screenshot)

I've attempted the change over a couple of ways.

1) Exporting a sylink.xml file from the group in the Servers domain I want them to move to, and manually importing it into the client.

2) Uninstalling the client entirely, running the Cleanwipe utility, and then installing the package exported from the Servers domain.

In both cases I get the same results.  From everything I've read this should be very easy to do, am I overlooking a step?

Any advice or suggestions are greatly appreciated.

This is SEP 12.1.4 MP1a

All affected servers are Windows 2008R2

 


PGP key modes

I need a solution

Hello,

I am looking for help on the topic of key modes and user passwords.
I use Universal Server and NetShare. I set my key mode to GKM and I have
a group key which I use to encrypt file shares. The PGP server is synchronized
with AD, and users are matched into a group by a specific attribute.

Now, the whole encryption / decryption process is transparent for users - they don't need
to enter a password - the AD password is the same as the password to the key.

How can I set it so that the user must enter a different password for the key and will always
be asked for it when he wants to use encrypted files?

What type of key management must I use?

Thank you for help.

Regards,
Greg

How to: Searching specific data through incidents

I need a solution

I have a DLP 12 platform with Enforcer + Endpoint agents.

We configured some rules to detect incidents, related to financial data.

We'd like to search across incidents to find any entry that matches specific data, e.g. "we need to find any incident related to a specific credit card number".

Is it possible to get those results with only Enforcer + Endpoint Server + Endpoint Agents?

If yes, can you explain to me how to do that?

 

Thanks a lot in advance.

 

Goltrek

Simplest Policies for Software Developers on Intranet

I need a solution

I am running Symantec Endpoint Protection Manager on a small intranetwork used by software developers. We have no Internet access; in fact, we are completely self-contained.  I update the antivirus definitions weekly by downloading the .jdb file to external media and loading it onto the server.  I am not really worried about anything other than the ability for the clients to initiate/cancel virus scans.  The big problem is that the default policies are so intrusive that every time a developer changes a file in his application, it takes forever to launch it, presumably because the endpoint protection client is rescanning everything anytime a change is made.  I guess to put it simply, I have a Cadillac and I need a Yugo.  Can I limit the invasiveness enough via policy to make the SEPM activities more "transparent" to the user?  If so, how?  All I really want to do is be able to run a scheduled scan once a day at midnight and allow the users to scan at will.  I really don't care about all of the other functionality.  What can I turn off and how do I do it?

Symantec Endpoint protection intrusion report

I need a solution

Make sure I understand this report before I report back to our client.

They run a daily report that shows 1 critical top target attacked by client.

It appears to show an external public IP as the system?

If so, since the rest of the report says they are OK, and if I am right, what is the best way to explain this to them?

Or is there something they should do about that system that appears to be trying to get in?

Thanks

Mike

See picture.

 

 


Understanding how Symantec's Vulnerability Assessment Scan service works

I do not need a solution (just sharing information)

The Vulnerability Assessment (VA) scan is a service that performs a weekly scan, searching for common entry points on the domain you enrolled with the purchase of certain SSL certificates.

If the scan finds any potential weakness within that domain that, if breached, could threaten your online security, an e-mail will be sent informing the technical contact to pick up the results of the scan in a downloadable PDF report highlighting the most critical vulnerabilities, if any are found.

The Vulnerability Assessment scan is a service that is available for the following account types and products:

 

VA scan products.JPG

 

You may have lots of questions or may want to know more about the technicalities of the Vulnerability Assessment scan, such as:

  • What IP address does it scan from?
  • What types of vulnerabilities does the scan detect?
  • What are its limits? Etc.

The majority of your questions can be answered by visiting the Authentication Services knowledge base article Vulnerability FAQ. Other related articles regarding its technicalities can also be found by visiting the knowledge base article Vulnerability Basics.

protection for GameOver Zeus and CryptoLocker malware families.

I need a solution

Is there any protection for GameOver Zeus and CryptoLocker malware from Symantec Endpoint?


Full disk encryption - Macbook Pro with dual boot

I need a solution

Hi folks,

 

Here is my main topic: I would like to try Symantec Full disk encryption on MacBook Pro laptops with a dual boot (Windows/Mac OS X) installed.

In the Symantec brochure, I have read that one of the key features is "True full disk encryption for multiple fixed disks and multiple partitions on Microsoft Windows® and Mac® computers".

On the other hand, in the installation guide (SSS-DF 8.2.1 Installation Guide.pdf), I've read that:

"Mac Client Computers

Basics
Disks formatted using Apple Partition Map (APM) or the Unix File System (UFS) are not supported. Mac OS Extended (not journaled) file systems are not supported. RAID configurations are not supported. Dual-boot and multi-boot systems are not supported. BootCamp is not supported. Fast user switching is not supported. Safe Mode boots are not supported. Opal-compliant drives are not supported.
You must decrypt the disk before repartitioning, reformatting, or resizing any partitions.
Decrypt the disk before running any disk recovery applications, such as DiskWarrior from Alsoft.
Full Disk must be uninstalled before an upgrade to the operating system occurs."

 

Therefore, is it possible to install Symantec Endpoint Encryption Full Disk on a MacBook Pro or not?

Maybe another version than 8.2.1 would make it?

Thanks a lot,

 

Guillaume

Symantec DLP Integration with the following

I need a solution

Hello all, how are you? I am faced with the following requirements for one of my clients.  Please kindly tell me the following things and help me to set it up.

1. Can I integrate DLP with Universal Access Gateway (UAG) Web proxy? What steps am I required to do for this integration?

2. How can I integrate DLP with a file server? SharePoint? Kindly tell me the steps to follow.

3. How can I integrate Symantec DLP Network Prevent for Email with Barracuda email security? What steps am I required to do? Place it between the Exchange 2013 and Barracuda?

 

I am waiting for your kind and helpful replies. Thanks and Regards

Simple customer inquiry regarding IaaS Project Initiative

I need a solution

My customer is looking for clarification on the question below.  Can anyone assist?

 

"Does Symantec have customers today that are successfully running their Endpoint and Enforce (v 12.0) servers in the AWS cloud?" 

 

 

Endpoints Stop Updating Virus Definitions

I need a solution

I've a strange problem and it seems to affect a fairly large number of endpoints. I've a client with about 150,000 endpoints and a pretty good percentage (3-5%) of them have stopped updating. Taking a small subset of them, I've been investigating the endpoints manually to see what is going on. What I've found is that, sure, some of them have corrupt definitions or can't communicate with the SEPM, and with these I remediate and they work from then on out just fine. But by far the largest number of them do not fall into this category. They are connected to a SEPM and logs show that they are at least connecting to the SEPM daily if not more often (they're on a 2hr heartbeat). When I manually check and run SymHelp, it doesn't show any corrupted definitions. Essentially, for some reason the endpoints just stop updating. If I restart the SMC service (SMC -stop/start) or run Intelligent Updater, it fixes most of them. But why is this happening? Other than not updating, everything is running fine on the endpoints. They check in, update policy, and they will even run a command to update definitions, but nothing happens.

 

Any ideas?

CVE-2014-1770 Use After Free for IE 8

I need a solution

Zero Day Initiative published this advisory on May 22, 2014. http://zerodayinitiative.com/advisories/ZDI-14-140/

 

I do not see any Symantec response to this. What antivirus definitions cover this being exploited? What IPS definitions deter this exploit? Any other information on it?

Symantec Protection Engine 7.5.0.34

I need a solution

I'm experiencing an issue with intermittent LiveUpdate failures on a clean install of SPE 7.5.0.34

 

This is a clean install on a 2008 R2 server.  No proxy servers, firewall is letting the traffic through clear.  Sometimes it does update successfully, but we usually see 2-3 failures a day with LiveUpdate checking every 2 hours.

If I manually go in and run the LiveUpdate, it is always successful or comes back "Up To Date".

 

[Session Parameters - BEGIN]
03:43:23.932734  Working Path: C:\Program Files (x86)\Symantec\Scan Engine\definitions\AntiVirus
03:43:23.932734  Product ID: {x}
03:43:23.932734  Monikers:
03:43:23.932734   {x}
03:43:23.932734  HST Path: Not Set
03:43:23.932734  Ignore HST Errors: Not Set
03:43:23.932734  Custom Download Path: Not Set
03:43:23.932734  Check For Updates Only: Not Set
03:43:23.932734  Servers:
03:43:23.932734   Server 0:
03:43:23.932734    Protocol: HTTP
03:43:23.932734    Hostname: liveupdate.symantec.com
03:43:23.932734    Port: 80
03:43:23.932734    Path:
03:43:23.932734  Proxies:
03:43:23.932734   Empty
03:43:23.932734  Progress Callback:
03:43:23.932734   Yes
03:43:23.932734 [Session Parameters - END]
03:43:23.932734 [Component List - START]
03:43:23.932734  {x} : SPE 7.5 AV Definitions for x86-windows : SPE 7.5 AV Definitions for x86-windows_MicroDefsB.CurDefs_SymAllLanguages
03:43:23.932734 [Component List - END]
03:43:23.932734 [Session Initialization - START]
03:43:23.932734  Result code: 0x00010000
03:43:23.932734  Component Status Changes:
03:43:23.932734   None
03:43:23.932734 [Session Initialization - END]
03:43:23.932734 [Inventory Synchronization - BEGIN]
03:43:26.026497  Result Code: 0x00010000
03:43:26.026497  Result Message: OK
03:43:26.026497  Component Status Changes:
03:43:26.026497   None
03:43:26.026497 [Inventory Synchronization - END]
03:43:26.026497 [Server Selection - START]
03:43:26.182748  Result Code: 0x00010000
03:43:26.182748  Result Message: OK
03:43:26.182748  [Server - START]
03:43:26.182748   Host ID: {x}
03:43:26.182748   Status Code: 2
03:43:26.182748   Status Message: Server was selected
03:43:26.182748   Protocol: HTTP
03:43:26.182748   Hostname: liveupdate.symantec.com
03:43:26.182748   Port: 80
03:43:26.182748   Path:
03:43:26.182748   Proxy ID: {00000000-0000-0000-0000-000000000000}
03:43:26.182748   Proxy Bypass: true
03:43:26.182748  [Server - END]
03:43:26.182748  Used proxy list was empty
03:43:26.182748 [Server Selection - END]
03:43:26.198374 [Check for Updates - START]
03:43:26.464000  Result Code: 0x00010000
03:43:26.464000  Result Message: OK
03:43:26.464000  Component Status Changes:
03:43:26.464000   None
03:43:26.464000  [Component - START]
03:43:26.464000   Component ID: {x}
03:43:26.464000   Available Updates: 1
03:43:26.464000   [Package - START]
03:43:26.464000    Item: Virus Definitions
03:43:26.464000    Description: Norton AntiVirus Definitions
03:43:26.464000    File: 1397107610jtun_csapix86en140409023.m35
03:43:26.464000    Sequence Name: CurDefs
03:43:26.464000    Sequence Number: 140409035
03:43:26.464000   [Package - END]
03:43:26.464000  [Component - END]
03:43:26.464000 [Check for Updates - END]
03:43:26.464000 [Package Download - START]
03:43:26.464000  Component: {x}
03:43:26.464000  File: 1397107610jtun_csapix86en140409023.m35
03:43:26.964003  Result Code: 0x00010000
03:43:26.964003  Result Message: OK
03:43:26.964003 [Package Download - END]
03:43:26.964003 [Package Decompression - START]
03:43:26.964003  Component: {x}
03:43:26.964003  File: 1397107610jtun_csapix86en140409023.m35
03:43:26.995254  Result Code: 0x00010000
03:43:27.010879  Result Message: OK
03:43:27.010879 [Package Decompression - END]
03:43:27.010879 [Initialize Package Installs - START]
03:43:27.010879  Result Code: 0x00010000
03:43:27.010879  Result Message: OK
03:43:27.010879  Component Status Changes:
03:43:27.010879   None
03:43:27.010879 [Initialize Package Installs - END]
03:43:27.010879 [Package Install - START]
03:43:27.010879  Component: {x}
03:43:27.010879  File: 1397107610jtun_csapix86en140409023.m35
03:43:27.010879  Action Item: CSWin.dis
03:43:27.010879  Result Code: 0x00010000
03:43:27.010879  Result Message: OK
03:43:27.010879 [Package Install - END]
03:43:27.010879 [Finalize Pacakge Installs - START]
03:43:29.104642  Result Code: 0x00010000
03:43:29.104642  Result Message: OK
03:43:29.104642  Component Status Changes:
03:43:29.104642   None
03:43:29.104642 [Finalize Pacakge Installs - END]
03:43:29.104642 [Finalize Session - START]
03:43:29.104642  Result Code: 0x00010000
03:43:29.104642  Result Message: OK
03:43:29.104642  Component Status Changes:
03:43:29.104642   None
03:43:29.104642 [Finalize Session - END]
03:43:29.104642 [Session Results - START]
03:43:29.104642  Session Result Code: 0x00010000
03:43:29.104642  Session Result Message: OK
03:43:29.104642  [Component Result - START]
03:43:29.104642   Component ID: {x}
03:43:29.104642   Display Name: SPE 7.5 AV Definitions for x86-windows
03:43:29.104642   PVL: SPE 7.5 AV Definitions for x86-windows_MicroDefsB.CurDefs_SymAllLanguages
03:43:29.104642   Result Code: 0x00010000
03:43:29.104642   Result Message: OK
03:43:29.104642   [Package Result - START]
03:43:29.104642    File: 1397107610jtun_csapix86en140409023.m35
03:43:29.104642    Result Code: 0x80012000
03:43:29.104642    Result Message: UNKNOWN
03:43:29.104642   [Package Result - END]
03:43:29.104642  [Component Result - END]
03:43:29.104642 [Session Results - END]
03:43:29.104642 [Session Summary - START]
03:43:29.104642  Components: 1
03:43:29.120267  Packages:   1
03:43:29.120267  Success:    0
03:43:29.120267  Fail:       1
03:43:29.120267 [Session Summary - END]

Get messages and incidents statistics programmatically

I need a solution

The question is for the Mail Monitor instance.

I am trying to programmatically extract the Messages and Incidents count from the database. I was able to get the incidents count by using a combination of the incident and message tables.

The question is how we'd get the count of all email messages scanned by a particular monitor, as shown on the System -> Overview screen as Messages (Today)?

Is this statistic stored someplace in Oracle?

Thank you!

Alex

 

 


epda file using excessive memory

I need a solution

Is there a solution for this issue? The epda.exe is using a large amount of memory and I am unable to open other applications/large files on my laptop.

Notification Condition or Report for no GUP communication for "Explicit GUP for roaming clients"

I need a solution

I've configured my LiveUpdate Content Policy to use "Explicit GUP for roaming clients" while on my internal network.

Curious to see if anyone found a way to alert on cases where:

The client can't communicate to a GUP for updates = GUP is down or non-responsive

The client has moved to a different network, which has no GUP defined.  = Policy needs to be updated to define the unknown network.

 

I fear clients either not getting updates and/or trying to overload a WAN link by getting updates from the Managers in other geographic sites.

 

Thanks in advance,

 

Rich


Auto email generate

I need a solution

Can anyone give me an idea of how to configure an automatic email process for when any system keeps old definitions?

This mail should be sent directly to the user of that system.

Update Windows Clients from LiveUpdate Server

I need a solution

I am running SEPM 12.1.4013.4013 on Windows Server 2008 R2 Enterprise on a 50/10mb connection.  I have 75 clients that are dispersed throughout 13 different locations which are all on a 1.5mb or 3mb connection (T1 or Dual T1).

The issue I am having is with what I can only assume are the LiveUpdates.  All of my clients seem to be constantly pulling data from the SEPM Server, which is killing the bandwidth on both the server end and all of my remote connections.  Looking at the Resource Monitor on the server, shown below, it shows that the httpd.exe process (located at: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin) has dozens of connections open (one for pretty much each of my Clients) where it is sending data to each one at the rate of 30K/s.  Now I know 30K/s is not a lot; however, when you multiply that by 75 it adds up quickly.

ResourceMonitor-httpd-Usage.png

Looking around at the Policies that I have in place, I am unable to see any option where I can force the Client to update using Symantec's LiveUpdate Servers.  And quite honestly, I have no idea if that is even possible.  If it is possible, how would one go about it? 

I have the LiveUpdate Policy configured to update Daily, starting at 9:55PM.  However, it is now 9:00AM (11 hours later) and it is STILL going, and causing my network latency to skyrocket.

LiveUpdatePolicy.png

Is there anything that I can do to help prevent this from happening?  Updating from a LiveUpdate Server that is not in-house would be best, as it would be faster overall, and would cause less network usage on the SEPM server itself.

Any thoughts?

---------
Jason M. Hecker
Director of Information Technology
Great Lakes Dermatology
jhecker@glderm.com

Symantec Encryption Desktop- Unable to update policy

I need a solution

When I try to update policy on Symantec Encryption Desktop, it fails to update policy.

Tried all these:

Re-enrolled

Updated to the latest version 10.3.2 MP1

Deleted the machines from the Un server

Uninstalled & reinstalled the client, still same problem..

This happens to one user on some machines.

Any suggestions?

 
