Channel: Symantec Connect - Products - Discussions
Viewing all 18527 articles

Reporting incorrect

I need a solution

Hi all, Just joined a new company and have been tasked with getting things running a bit smoother.

I have noticed that there are a few servers that are not reporting correctly to the Endpoint Protection Manager.

I am getting daily emails advising the virus definitions are older than 7 days; however, when I log onto the machines the endpoint is showing as up to date. I have noticed in the reporting logs they seem to be having an issue getting the definitions downloaded.

Can anyone point me in the right direction to get these up to date and reporting correctly?


Web content filtering in organisation - legal point of view

I need a solution

Hello,

In our company, we are trying to implement a web content filtering solution like Symantec Proxy SG or ASG in order to filter some web sites and we had some responses from other branches in Europe (we have branches in UK, France, Belgium, Italy, Germany, Poland, Hungary,…) that the web content filtering is actually against the local law in some of those countries. I know that in the Czech Republic, the web content filtering is not a problem from a legal point of view. I would like to ask you if you have any experience with using Proxy SG for web content filtering across Europe and if the filtering of web content for employees is allowed without any problems? Or if you have any more detailed legal insight into this matter in order for us to explain to the management and the branches, that there is no problem in implementing such a technology.

I believe that they did not understand our request. Because they think that by EU regulation all people should have access to the internet, but they are mistaken in the area where this EU regulation does not apply to corporate infrastructure, only to ISP for private internet use and I believe that we can apply web filtering in our organization without any legal problems.

Do you have any relevant information in this area?

I would be glad for any information...

Thank you


Exception while warming up client agent for applicaton sepm (Exception java.lang.NullPointerException)

I need a solution

Hi everyone,

I've observed a strange phenomenon; the manifestation of which has been discussed here but the symptom is different. I'm running SEPM on Windows 2016 server and I'm starting to suspect that it's the OS which somehow wasn't tested on 12.x since even at this forum the OS drop down list does not include 2016 as an option; latest one listed is 2012.

A second very weird thing is this: look at the actual text which is a copy/paste from the log file - the word "applicaton"? Is this just a programmer's error when Symantec was compiling the product or is it significant in some other way?

Yes I do get the internal error screen when attempting to login to the SEP GUI but my log errors are different from what has been published under TECH248133.

I get the following error in ajaxswing.log (location on Windows server for this log file is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs):

2017/12/21 06:57:07:755 : Thread-3 : [com.creamtec.ajaxswing.core.ClientAgentFactory$1] Exception while warming up client agent for applicaton sepm (Exception java.lang.NullPointerException)
java.lang.NullPointerException

What makes this issue interesting is that if I reboot the SEPM then GUI works fine for a day or two and then it's back to the java.lang.NullPointerException. I also don't see any of the accompanying errors in catalina.err described under TECH248133.

Does anyone have suggestions on where to go? My problem is that the symptom has been published with solutions and none work for me.

Thanks


Web isolation in transparent environment with ProxySG (WCCP)

I need a solution

Hello,

Have you managed to make Fireglass work in transparent deployment where all traffic is redirected to ProxySG through WCCP on ports 80 and 443, including traffic destined to FIREGLASS host?
So basically, on ProxySG I have forwarding host to FIREGLASS as PROXY type on HTTP service for two ports 80 and 443 (both HTTP type as per instructions).

All SSL is intercepted as I don't want to import FIREGLASS cert to endpoints.
Fireglass CA is imported in CA store on ProxySG and browser trusted store on ProxySG.

In policy I have two rules:

1. traffic destined to FIREGLASS forwarded to forwarding host TIE on port 443 (fireglass)
2. traffic destined to youtube.com forwarded to forwarding host 8080 on port 8080 (fireglass)

So basically, all the traffic gets picked up by WCCP and ProxySG, converted to PROXY type and forwarded to FIREGLASS.
I have tested numerous iterations of policy, but have not managed to make it work in transparent deployment.

NOTE: In explicit deployment everything works great.

Did I miss anything for transparent deployment with ProxySG?

Thanks.

Vedran Vujasinovic


Symantec Endpoint Protection is not installing, Error: 2381 Directory does not exist: C:\Windows\system32\Drivers\SEP

I need a solution

Can't install client, Need a solution ASAP please...


Attempting to enroll a 14 RU1 Symantec Endpoint Protection Manager after December 17th, 2017

Could not connect to cluster5.eu.messagelabs.com on port 25

I need a solution

Hello,

We have a customer that could not send emails to a customer that has an account on a Symantec Server.

Data from sender:

MX: gatekeeper.schirmers-kommunikation.de
IP: 46.245.223.251

Error log:

------ First attempt from cschirmers@schirmers-agentur.de to L.Grefer@textilhemmers.de ------
RESOLVE MX textilhemmers.de
(1) Connecting to server 85.158.136.83 on port 25
(00000948) Connect to 85.158.136.83 Timed Out
(1) Could not connect to cluster5.eu.messagelabs.com on port 25
(1) Connecting to server 85.158.139.103 on port 25
(00000948) Connect to 85.158.139.103 Timed Out
(1) Could not connect to cluster5a.eu.messagelabs.com on port 25
(1) Connecting to server 85.158.138.179 on port 25
(00000948) Connect to 85.158.138.179 Timed Out
(1) Could not connect to cluster5.eu.messagelabs.com on port 25
(1) Connecting to server 193.109.254.3 on port 25
(00000948) Connect to 193.109.254.3 Timed Out
(1) Could not connect to cluster5.eu.messagelabs.com on port 25
(1) Connecting to server 195.245.230.51 on port 25
(00000948) Connect to 195.245.230.51 Timed Out
(1) Could not connect to cluster5.eu.messagelabs.com on port 25
(1) Connecting to server 85.158.139.163 on port 25
(00000948) Connect to 85.158.139.163 Timed Out
(1) Could not connect to cluster5.eu.messagelabs.com on port 25
(1) Connecting to server 193.109.255.99 on port 25
(00000948) Connect to 193.109.255.99 Timed Out
(1) Could not connect to cluster5.eu.messagelabs.com on port 25

Best regards

Christian Wolf


Upgrade SEP 12 to SEP 14 and use new Sylink.xml

I need a solution

Hi,

We are upgrading the SEP 12 client on 7,000 Windows 7 desktops to SEP 14. We have SEPM 12 servers and new SEPM 14 servers. The SEP 12 clients are currently being managed by the SEPM 12 servers; they have to be switched to the SEPM 14 servers when upgraded.

The SEP 14 client install has the SEPM 14 SyLink.xml, but it seems to be ignored when updating the client as once the update is complete the client is still communicating with the "old" SEPM 12 servers.

I tried using KeepPreviousSetting=0 in SetAid.ini, but that results in the upgraded client being self-managed.

Is there a way to tell the SEP 14 client upgrade to use the new SyLink.xml when upgrading without having to manually run something like SylinkDrop before launching the upgrade?

Thanks


Bitcoin Miner malware on Linux running Red Hat 6.0

I need a solution

Guys

One of our Linux servers running Oracle applications is being hit by miner malware.

CPU utilization was going pretty high (400 to 500%) due to two of the processes: smartd and watch-d

Below are the details associated:


domains:"pool.minexmr.com"

hosts:"37.59.51.212:80

_http://72.11.140.178/files/l/default

__http://72.11.140.181/files/l/default 

176.31.117.82 

Can anyone suggest any steps for RCA?


Email category Allow and Block

I need a solution

Hi,

Can we block an email category and allow a few email URLs in the same VPM rule?

Thanks

Anil


Encryption Solutions for Email, Powered by PGP

I do not need a solution (just sharing information)

Must this product work in a Centralized Management mode, or can it be installed on a standalone machine (Mac OS, MS Outlook)?

Also, can I somewhere see a video explaining how a recipient with no PGP solution can open an encrypted email he gets? If there is no demo, can you please try to explain?

Thanks


Retain Original Message in local files is possible?

I need a solution

Dear,

I would like to know if it's possible to retain the files if they are on the local drive; the rule created only works with removable storage devices.

The rule uses an EDM profile to match, and this is the configuration of the endpoint:

The version of DLP is 14.6 MP1 - three-tier installation.

Endpoint Destination: Detect when users move data on the endpoint to these places:
  • Local Drive
  • CD/DVD
  • Removable Storage
  • Copy to Network Share
  • Printer/Fax
  • Clipboard
  • Cloud Storage
Endpoint Applications: Detect when applications access files:
  • Application File Access
Match On:
  • Envelope
  • Subject
  • Body
  • Attachments

Using an Excel file to test the policy, and in the application monitoring Excel is set to read.

      Application Monitoring Configuration

Select the channels to monitor:

For 14.5.x and earlier agents, selecting any of Removable Storage, Local Drive, Copy to Network Share, or Application File Access enables monitoring for all of the following channels: Removable Storage, Local Drive, and Copy to Network Share.

Likewise, for 14.5.x and earlier agents, selecting either HTTP or FTP enables monitoring for both HTTP and FTP channels.

  • Destinations

    • Removable Storage
    • Printer/Fax
    • Local Drive

    Clipboard

    • Clipboard
      • Copy
      • Paste

    Web

    FTP
    • HTTP
    •  
  • Application File Access

    • Application File Access
      • Open
      • Read

    Network Shares

    • Copy to Network Share

CCS Questions

I need a solution

What are the Roles of CCS?

What type of data does it collect?

What are Agent-Based and Agentless Targets?

What are Raw-Based DC and Message-Based DC?

What user roles are available in CCS?

When a CER Job is run on a set of assets, in some assets I get something called UNKNOWN or NA. What is meant by that and what are the possibilities?


DLP 15 Prevent for Web v. Google Drive

I need a solution

Hi,

I have DLP 15.0 (not yet the MP1) and I have realized the browser-based Google Drive upload is not blocked on proxy - Prevent for Web level. I have the https decryption policy in place on Cisco IronPort. I see the ICAP requests that go into the Prevent (small file, large file):

10.254.62.10 "CENSOREDtTUC9iZWhhbHA=" 22/Dec/2017:10:11:11:069+0100 "POST https:CENSORED//clients6.google.com:443/upload/drive/v2internal/files HTTP/1.1" 204 59487 "https:CENSORED//drive.google.com/drive/folders/1yxAnaSEkRlRD1Y1rkgXuyCENSORED""Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" 203 10544 10.254.87.245 18038 5 1 1 50CB1729-5917-4A0C-BD72-4F080DB14FEB

10.254.62.10 "CENSOREDMLUtTUC9iZWhhbHA=" 22/Dec/2017:14:05:07:228+0100 "PUT https:CENSORED//clients6.google.com:443/upload/drive/v2internal/files HTTP/1.1" 204 48388169 "https:CENSORED//drive.google.com/drive/folders/1dcQWH3gsy-0aRn1Fn_CENSORED""Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" 4313 20614 10.254.87.245 25058 5 1 1 89751D1D-DE53-4500-A801-A09E430F7A32

But I always see action code 5 = ALLOW_WITHOUT_INSPECTION.

I think I have filter sizes correct, I do not filter the Google domain, but no inspection happens.

Is it an error or a misconfiguration? Does it improve after 15.0 MP1? Any temporary solution idea?

Thank you,

Pavel


SEPFL: How do I make sure many clients don't render network drives unusable?

I need a solution

We are running SEPFL on CentOS, and we're concerned that a large number of managed clients running their scheduled scans at the same time will basically DDoS the file server. Users' home directories are stored on a networked drive. If every single client runs its scheduled scan at 00:30, we're worried that people using applications that require data on the network will be unable to get their work done.

The first question is simply: Is this something that we need to be worried about? Or is SEP really smart about these things so that it doesn't create issues with this?

The second question is, supposing that this is a very real issue: How do I make sure SEP doesn't render the network drives unusable during scheduled scans? One possible, though potentially messy to maintain, solution I've come up with is setting individual clients to stagger their scans. As I understand it, this would be done with the sav scheduledscan command; however, I would need to delete the default scheduled scan. The command to delete the scan requires the scan ID. I do not know how to get it. I run the list command, but it apparently doesn't give the scan ID. It has a column called S.No which says the default scan is number 1, but when I run the info command for scan ID 1, it says "Scan not found".

Any help is appreciated.
 


Endpoint Detection and Response Status "no status reported"

I need a solution

Hi- I am running SEP on both Mac and Windows, versions 12 and 14 on both OSs. When I run the scheduled report Client Status\Client Inventory Details, I have all of the clients show the Endpoint Detection and Response Status field as either "no status reported" or "disabled".

I discovered that "disabled" indicates that one or more components on the client have been disabled. What does "no status reported" mean?

This is on both OSs, both versions of SEP. Virus definitions and IPS signatures are updating as expected. SEP Manager is version 14.0.2349.0100 running on Windows Server 2008 R2.

Thanx

OregonSteve

"Never, never doubt what nobody is sure about." -Willy Wonka


sepm upgrades

I need a solution

Hi, may we have the SEPM upgrade procedure to get to the latest version of SEPM 14?

tia


ProxySG Integration with DLP

I need a solution

Hi!

We planned to integrate DLP with ProxySG using ICAP Request mode.

Is there any way to forward the traffic to DLP for a specific source? Because in the testing phase we don't want to enable it for all users.

Thanks in Advance...


Linux Machines (RedHat, Ubuntu, etc) are not directly taking updates from the SEPM

I need a solution

I have Linux machines with different Linux OSes (RedHat, Ubuntu, etc.).

The issue is that all Linux machines are not directly taking updates from the SEPM.

Currently I am updating all Linux machines with Intelligent Updater (IU) definitions. Is it possible that all machines take definitions from SEPM?


Symantec File Share (Backup) - unknown key

I need a solution

Hi,

I used robocopy with the /efsraw option to copy an encrypted file to another computer (called Computer A).

I logged in to Computer A with the same user (domain user) which I used to encrypt the file before.

But I cannot open the file: "Access Denied"

Check the file Properties - Symantec File Share says: "Unknow key, Key ID 0xEE323ECC"

Please help.
