Channel: Symantec Connect - Products - Discussions

Out of the Frying Pan and Into the Fire -- Accumulation of .tmp Files in the DefWatch.DWH Directory

I need a solution

On Friday, I posted a query relating to the accumulation of .tmp files within the xfer directory and the identification of these files as being infected by the JS.Alescurf malicious code:

http://www.symantec.com/connect/forums/endpoint-protection-detection-tmp-files-within-symantec-endpoint-protection-xfer-directory-in

Several responded to my post identifying articles about similar problems with the suggestion that I should upgrade my version of EP to ver 12.1, etc.

I read the references and followed the suggestions, subsequently posting some updates about my progress.  I upgraded to ver. 12.1.  I downloaded all updates to definitions and ran a complete scan of the C: drive, which identified a single file in the DefWatch.DWH directory as being infected.  This much, I related in a follow up post.

*

Sunday morning, things went from bad to worse.  When I restarted my Dell laptop from hibernation, I began to get new reports of infection by the JS.Alescurf malicious code within this directory:

c:\programdata\symantec\DefWatch.DWH

I have some meticulous notes about my experiences over the past 30 hours which are only abstracted in this post.  I will post some additional details in a follow up.

The most important thing to relate is that there seems to persist some problem with accumulation of .tmp files which are detected as being infected, albeit in a new directory.

Overall, I have come to the tentative conclusion that the files are NOT, in fact, infected but rather are being falsely REPORTED as being infected due to some unresolved BUG in the Symantec software.

Amongst the bizarre behavior I experienced was EP continuing to report that it was finding and Quarantining files purported to be from this directory even AFTER all of the files were completely DELETED from this directory and there were NO FILES remaining in this directory at all.

In fact, I believe that the bug involves some sort of circular problem with EP identifying a file as infected, reporting such file as "Pending Analysis" or Quarantined and then rediscovering the very same file within its Quarantine and reporting it again.  Alternatively, or possibly in combination with this, EP seems to be detecting its own downloaded Virus definition files as being infected.

One reason to suspect the latter is that I began receiving a new set of messages regarding possible infections Sunday night at about 10:45 right after LiveUpdate downloaded and installed new virus definitions.

I am NOT talking about just a few files.  My system, which was reported to be free of malicious code on Saturday after installation of the newer version of EP, had identified for remediation almost 3,100 files ALL in the DefWatch.DWH directory by 3:49 AM this morning, but it wasn't through yet.

To assure that I wasn't receiving any newly infected files (or EP Virus Definition files) while I continued to troubleshoot and remediate this problem, I disconnected from the Internet by physically disabling the WIFI on my system.  Even so, NEW files continued to appear within the DefWatch.DWH directory faster than the computer was able to Quarantine these files.

For this reason, finally at about 3:50 AM, I went into the Command window, maneuvered to the DefWatch.DWH directory and manually DELETED ALL the .tmp and .js files (one) in that directory.  Even so, EP continued to both identify and assert that it was Quarantining .tmp files from this directory even though both a Dir command from the Command window or viewing this directory using Explorer showed that there were no remaining files there.

By about 10:15 this morning, I had received a total of 3,532 file notifications from EP ALL asserting that it was Quarantining files (or marking them "Pending Analysis") since Sunday morning.  EP continued to report and Quarantine about 1 new infection per minute for more than six hours after ALL of the files in this directory had been deleted.

Finally, I simply re-started the machine.  When it came back up, I was presented with an EP alert window, but NO FILES were identified as infected.

I ran an Active Scan of the computer.  NO FILES were identified in this abbreviated scan.

Then I logged off completely and logged back on under an Administrator account and ran another Active Scan under that administrator account with similar results.  Next, I ran a scan of the ProgramData directory, which also detected no infections.

Thereafter, I reconnected to the Internet and ran LiveUpdate to obtain the latest AntiVirus definitions.  Now that the definitions have been updated, I am AGAIN running a scan of the ProgramData directory.

Thus far, this scan has detected ONLY two tracking cookies.

Interestingly, while this scan continues to run, the DefWatch.DWH directory, which was EMPTY initially, is showing the successive appearance of a single .tmp file, apparently as each new file is scanned.  But when running properly, it appears that these files make a momentary appearance and then are deleted with only a single file in the directory at a time.  It would appear that as EP was running, it was detecting these very temporary files and reporting them to be infected.

I have already spent far more time than I could afford troubleshooting what appears to be an obscure bug in the Endpoint Protection program.  I have several theories about the circumstances that might cause this problem to present.  I will post some additional comments later after I catch up on my work.

I would encourage those familiar with the inner workings of EP to carefully read and assess what I have posted above.  I would actually be interested to see whether someone else perceives the likely circumstances that would present this bizarre problem.

Even though the problem does NOT appear to occur often, I believe that there IS A BUG in EP that requires remediation.  I am reasonably confident that the problem is replicable and thus it CAN and WILL occur to other customers.


Filtering non-English languages SMSMSE 6.5

I need a solution

How do I filter out non-English languages as a policy rule?

How can I examine the header for specific information?

How do I block emails that are RDNS?

Thanks

Warning: PGPsdk running in local mode, Linux RedHat, CommandLine

I need a solution

Regardless of the command being issued, I get "PGPsdk running in local mode" and the command takes FOREVER to execute.

$ date; pgp --version; date
Mon Jun 17 15:50:22 PDT 2013
PGP Command Line 10.1 build 52
Copyright (C) 2010 PGP Corporation
All rights reserved.
Mon Jun 17 15:51:21 PDT 2013

$ pgp --list-keys
Mon Jun 17 15:58:52 PDT 2013
Warning: PGPsdk running in local mode.
 Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
 RSA4 pair 1024/1024 [VI---] 0x79E83081 *************
*RSA4 pair 2048/2048 [VI---] 0xC78538B8 *************
 DSS  pub  2048/1024 [-----] 0xBE754D1C ***********
3 keys found
Mon Jun 17 15:59:51 PDT 2013

$ rpm -qa | egrep -i pgp
pgpcmdln-10.1.0.52-52

$ which pgp
/opt/pgp/bin/pgp

$ file $(which pgp)
/opt/pgp/bin/pgp: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.4.0, dynamically linked (uses shared libs), not stripped

$ uname -a
Linux myhostname 2.6.18-308.11.1.el5 #1 SMP Fri Jun 15 15:41:53 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

What can I do to correct this situation?

How to include the Linux client into the SEPM 12.1.3 reporting?

SSIM 4.8 AIX syslog collector

I need a solution

I have installed the AIX 4.4 collector on an SSIM 4.8 server. I can't seem to get the collector to show up in the signatures section when I go to the syslog configuration tab of the Agent Configuration. I have already run LiveUpdate on the AIX collector after installing it via the jar file on the SSIM server.

Thanks in advance for the help!

Incorrect operating system information is showing in Reports in SEPM 12.1

I need a solution

Hi,


I have recently updated the SEPM console and clients to SEP 12.1.2015.2015 from SEP 11.0.

While exporting the reports from the "Reports" tab, some of the servers are showing incorrect operating system information. These are Windows Server 2003 but are showing as Windows XP workstations x64 bit.

While checking the operating system information from the "Client" tab, it is showing the correct information about the operating system.

Can anyone suggest what's going on?


Thanks & Regards

KK

Symantec Vulnerability Protection Add on

I need a solution

I do not have an Intrusion Prevention policy in my SEPM installation, yet when I push out 12.1.3 clients I am noticing the Symantec Vulnerability Protection add-on is being installed in Internet Explorer as well.  I am under the understanding that this add-on is part of IPS.

I have verified my Install Feature set does not enable IPS.

How can I stop this add-on from being installed?
SEP Firewall Policy Issue - False Positive

I need a solution

I'm getting a false positive when I'm setting up a Firewall policy to monitor users accessing specific websites. For example, if I monitor users accessing Twitter or Facebook, I'll see users access the website, but then I'll see my computer accessing it as well, when I have no other browsers or web pages open to any website.

Any ideas?


Malformed MIME Unscannable Messages

Hello, I am having problems with email Unscannable Malformed MIME Messages.

My rule sends Unscannable Messages to quarantine.
To be able to deliver the feedback, I have to disable the rule.
Is it possible to create a non-malware policy to check for domains that are in the good list?

Thank you very much!

SSIM: Is there any way I can specify the default archive location during installation?

I need a solution

I want to have the installation of SSIM 4.8 and the default archive on separate disks, but during installation I haven't seen any option to assign partitions or drives. The installation just takes all disks (I think) and then installs.

Is there any way I can specify the default archive location during installation, or after?

SAV for Linux

I need a solution

Hi,

Need some guidance.
Where can I get some recent information on SAV for Linux?
Is this still available?

ELAM

I need a solution

Hi,

Four editions of Windows 8:

a) Windows 8
b) Windows 8 Pro
c) Windows 8 Enterprise
d) Windows 8 RT

The Windows Group Policy Editor is not supported in Windows 8 of type a).

When reviewing our ELAM feature, we found HOWTO81107, and it suggests enabling the Windows ELAM driver via the Windows Group Policy Editor.

Would you please help give the answer to the following questions:

1. Does ELAM in SEP 12.1 RU2 (or above) fully support type a) of Windows 8 or not?

2. Is there any registry setting that could be modified instead of the Windows Group Policy Editor?
 
Thank you

Moving embedded database to Microsoft SQL Server 2008 - Benefits?

I need a solution

Hi people

I'm thinking of moving the SEP Manager embedded database to MS SQL 2008. We have almost 5000 machines and I would like to know the real benefits of doing this migration.

May you help me?

Thank you

Martins

Protect PGP Desktop?

I need a solution

We have PGP Desktop installed and are using WDE (whole disk encryption).

The problem: any Windows user is able to open PGP Desktop and delete/add/change PGP users.

Is there any way to prevent this?  We are currently using version 10.2.0.

Thank you

Grouping users to create a report within Data Loss Prevention

I need a solution

I would like to create a report to monitor a specific 300 users within my organization. My thought is to create a User Group from the Directory server. Does anyone know another way that would work best for this task?

Thanks in advance.


Custom IPS Signature for allowing traffic on UDP port 161

I need a solution

Hi, recently I have some equipment which utilises port 161 to transfer data into my server. Somehow SEPM is blocking the traffic on port 161. Should I create a custom IPS signature to allow traffic on this port?

If yes, should I leave the content syntax blank so that it will allow all traffic on this port?

I searched through the forum and usually the discussion is on blocking of ports, websites and services. Please help. Thank you.

Welcome to DeepSight Product Forum - Join the conversation!

I do not need a solution (just sharing information)

Welcome to the DeepSight Product Forum!

Symantec is committed to providing the best support possible for our products and we want to enable the community to help each other, as well as provide another avenue for you to receive product announcements and receive answers to your various questions, support related or otherwise.

Below you will find some basic information and webcast/overview videos for your reading pleasure.

DeepSight Product page - here you can find datasheets and white papers:

http://www.symantec.com/deepsight-products

Webcast - Next Generation GIN and DeepSight portal:

https://www-secure.symantec.com/connect/videos/new-deepsight-portal-webcast

DeepSight Early Warning Services Overview:

https://www-secure.symantec.com/connect/videos/deepsight-early-warning-services-overview

 

Thank you for your interest in the DeepSight product and we look forward to your questions and views.

See you in the next post!

 

-Shishir

Clear SEP 12.1.2 client virus definitions on computer running windows 8

I need a solution

Hello,

I have a computer that is running Windows 8. I am installing SEP as a managed client (using the package exported from the console).

But SEP did not start; I decided to launch SymHelp, which told me that the virus definitions are damaged.

This technote is applicable, but not for Windows 8? http://www.symantec.com/docs/HOWTO59193

The technote says to disable the BASH driver, but it seems that in Windows 8 it's not possible to make hidden drivers visible.

Has somebody already encountered this issue?

My workaround was to uninstall and reinstall SEP, but I'd prefer something from the technote if possible.

Thanks

Another quick question, hoping it's not too tough.

I need a solution

I have re-established all of my exceptions: files, folders, drives and extensions. What I would like to do now is export this information to a text file. I do not want to use the database backup; I just want to have all of these in a text file for reference.

Thank you.

Can not see the client version RU3

I need a solution

I just upgraded my SEPM to RU3 and now I can not see what versions the clients have installed. No matter which selection I make, that information is not there. How can I get it back?
