SEP 12.1.7 on RHEL5 won't talk to SEPM 14.0.1

June 13, 2018, 10:18 am

≫ Next: Release to File after releasing an email

≪ Previous: Urgently need disk recovery assistance

$

0

0

I need a solution

My RHEL6 and RHEL7 machines have no problem connecting to the management server running 14 and using the reverse proxy for LiveUpdates.  My RHEL5 machines running SEP 12.1.7, on the other hand, cannot seam to communicate.  I'm running the latest JRE.  Installation and logs after the fact on SEP show no errors.  However, the client never shows up in SEPM and the client is stuck in a "Malfunctioning" state - presumably because it cannot download definitions.  How do I go about troubleshooting?  The client I'm testing on is running RHEL5-11.  It's a test machines so it's a fresh installation.  I don't have ELS with RedHat so other than manually installing the latest Java it's never been patched.

FYI - The LiveUpdate log indicates it's about to connect to the reverse proxy and download but despite the lack of an error they don't install.

0

---

Release to File after releasing an email

June 13, 2018, 11:31 am

≫ Next: Antivirus policy not working

≪ Previous: SEP 12.1.7 on RHEL5 won't talk to SEPM 14.0.1

$

0

0

I need a solution

I tried releasing an email with a quarentined attachment. However, only the email was released, the attachment stayed encrypted and quarentined. I want to now "Release to File" but I don't see a way to access the email because it no longer shows up in the Quarentine list. Is there a way to do this? 

0

Antivirus policy not working

June 13, 2018, 2:25 pm

≫ Next: windows defender block endpoint service installation

≪ Previous: Release to File after releasing an email

$

0

0

I need a solution

Hello,

I have created a new policy which i have disabled Antivirus and firewall from online portal. this is applied to few machines under a group. I can see some of them got the policy updated. but few of the machines disabled firewall, but not the antivirus. I surprise to see the policy is not working on few machines. I might suspect its happening for win 10 pro 1803.

Any suggestion???????

0

windows defender block endpoint service installation

June 13, 2018, 2:32 pm

≫ Next: DLP Custom File Type Scripting - Begin counting from double digit column

≪ Previous: Antivirus policy not working

$

0

0

I need a solution

Hello,

I am trying to install SBE cloud on windows 10 after the upgrade from 8.1. Now when i try to install it install the agent but windows defender blocks the endpoint service to be installed. i try to add services from hostedendpoint portal, it failed and was blocked by defender. I disabled windows defender and reinstall, still blocked. The funny thing is when i try to uninstall with CEDAR, defender even blocks the uninstall action. CEDAR stays upto 30% and does nothing for more than 45 minutes

any suggestions?

0

DLP Custom File Type Scripting - Begin counting from double digit column

June 13, 2018, 4:12 pm

≫ Next: Strong configuration against ransomware

≪ Previous: windows defender block endpoint service installation

$

0

0

I need a solution

Hi All,

I’m trying to identify custom file types with DLP Scripting Language.

I am able to do the following examples:
$int2=getBinaryValueAt($data, 0x0, 1)
$int2=getBinaryValueAt($data, 0x1, 1)
$int2=getBinaryValueAt($data, 0x2, 1)
$int2=getBinaryValueAt($data, 0x3, 1)
$int2=getBinaryValueAt($data, 0x4, 1)
$int2=getBinaryValueAt($data, 0x5, 1)
$int2=getBinaryValueAt($data, 0x6, 1)
$int2=getBinaryValueAt($data, 0x7, 1)
$int2=getBinaryValueAt($data, 0x8, 1)
$int2=getBinaryValueAt($data, 0x9, 1)

I am unable to do this:
$int2=getBinaryValueAt($data, 0x10, 1)

It seems like the syntax will not allow me to begin counting from a double digit numbered column (I.e. 10).

What am I missing?

0

Strong configuration against ransomware

June 13, 2018, 5:09 pm

≫ Next: SEP blocking Web Services Discovery, should I allow?

≪ Previous: DLP Custom File Type Scripting - Begin counting from double digit column

$

0

0

I need a solution

Strong configuration against ransomware

I wonder what would be the best configuration to protect against ransomware? What you recommend enable, etc.

0

SEP blocking Web Services Discovery, should I allow?

June 13, 2018, 6:27 pm

≫ Next: Restarting DHCP Service Attempt X, Can I Skip This?

≪ Previous: Strong configuration against ransomware

$

0

0

I need a solution

Hi. I am having issues with annoying poupus coming up every few minuits, saying SEP blocked application "svchost.exe". I have been using this PC with SEP for little over an year now and I haven't had this popup come up until yesterday. The only thing I remember changing on that time was setting up a Dropbox share folder, which I assume is unrelated from the information I show below.

I am on an unmanaged client.

I checked the network threat protection logs, and has identified the notification is coming from an incoming traffic to port 3702, from an IPv6 address. The log tells me that the applied rule is Block Web Services discovery.

Here is the exact log entry:

2018/06/14 10:10:44    遮断しました    3    着信    UDP    FE80:0:0:0:6152:E281:F972:22C8    28-16-AD-21-2F-0F    64489    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    3702    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    4    2018/06/14 10:10:20    2018/06/14 10:10:25    Block Web Services Discovery    

遮断しました = blocked, 着信 = inbound (I run on a  Japanese client. Sorry for the inconvenience)

I looked through other forum posts, and have figured out I can change this particular firewall rule to allow traffic, but I don't know if this is safe to do. So I want some expert advice on the matter.

I am currently supressing the popups by turning off Network Intrusion Alert but this is probably not ideal in the long term.

0

Restarting DHCP Service Attempt X, Can I Skip This?

June 13, 2018, 6:45 pm

≫ Next: Security/Roles

≪ Previous: SEP blocking Web Services Discovery, should I allow?

$

0

0

I need a solution

Hello, I just started using 3.2 (I am used to 2.5 and back) and I am having some issues trying to get a multicast session going. I want to image multiple machines through a switch using the multicast server, something I have had no problem doing in the past on 2.5 (note: this means there is no DHCP server on this little network). I am so close to getting things going with one issue, when I try and boot from my bootable I get hit with the "restarting DHCP Service Attempt X." I have looked around and found that a lot of people say its a driver issue, so I added in all the NICs for my clients with no luck (Because there is no DHCP Server, I figured this would happen but tried it anyway). It works perfectly after ~20 attempts to restart DHCP when it just says failed. Is there a way I can skip that and jump straight to the multicast setup?

0

---

Security/Roles

June 13, 2018, 6:50 pm

≫ Next: Can Content Extraction Plugin process message body on Email Prevent?

≪ Previous: Restarting DHCP Service Attempt X, Can I Skip This?

$

0

0

I need a solution

Management of Altiris has been handed over several times to different admins.  Currently there is no one  actively working with  the Dekstop group that utilizes the product.  I have been trying to disable the 'right click menu' option to delete ( specfically a computer).  When I look at the Symantec Level 2 Workers  Role which contains  the Desktop Support users' domain ids, the box is greyed out and  it states to find the parent.  The Role is only in Everyone which has no check boxes enabled, and in Reporting.  Trying to track down where this is coming from has been impossible for me. Could use some help in figuring this out, if this IS possible at all.

0

• RCM Delete.JPG

Can Content Extraction Plugin process message body on Email Prevent?

June 13, 2018, 10:20 pm

≫ Next: Proxy UA Certificate issue

≪ Previous: Security/Roles

$

0

0

I need a solution

I am trying to write a custom content extraction plugin to read a specific hyperlink for external attachments in email body.

On developers guide document, it says that if the message contains am attachment, the Content Extraction component is invoked.

I had a little experiment about this and it seems like DLP invokes Contents Extraction component also for email body, not only attachments.

So, here is my question: Can I write a content extraction plugin for email body?

0

Proxy UA Certificate issue

June 13, 2018, 11:35 pm

≫ Next: Configuration steps for F5 BIG-IP with DLP 15.0

≪ Previous: Can Content Extraction Plugin process message body on Email Prevent?

$

0

0

I need a solution

Hi,

I am using proxy UA and it is continuously throwing certificate expire error.

Need to know whether we need to push new certificate in users laptop ? Or any other option is available.

0

Configuration steps for F5 BIG-IP with DLP 15.0

June 14, 2018, 1:01 am

≫ Next: Do replication partners require separate license files?

≪ Previous: Proxy UA Certificate issue

$

0

0

I need a solution

Hi,

Please help me the configuration steps for F5 BIG-IP and DLP Network Prevent for Web.

Thanks,
Awanish

0

Do replication partners require separate license files?

June 14, 2018, 3:12 am

≫ Next: Security and Roles

≪ Previous: Configuration steps for F5 BIG-IP with DLP 15.0

$

0

0

I need a solution

Hi,

I am configuring an environment where a SEPM will have several replication partners.

My question is, does each replication partner require a unique license or is the livense applied to the Primary SEPM shared with all replication partners?

Thanks.

0

1528973536

Security and Roles

June 14, 2018, 4:23 am

≫ Next: Full Scan Schedule at night--what is computer is offline?

≪ Previous: Do replication partners require separate license files?

$

0

0

I need a solution

Management of Altiris has been handed over several times to different admins.  Currently there is no one  actively working with  the Dekstop group that utilizes the product.  I have been trying to disable the 'right click menu' option to delete ( specfically a computer).  When I look at the Symantec Level 2 Workers  Role which contains  the Desktop Support users' domain ids, the box is greyed out and  it states to find the parent.  The Role is only in Everyone which has no check boxes enabled, and in Reporting.  Trying to track down where this is coming from has been impossible for me. Could use some help in figuring this out, if this IS possible at all.

0

• RCM Delete.JPG

Full Scan Schedule at night--what is computer is offline?

June 14, 2018, 6:58 am

≫ Next: Incident reporting of attachment names

≪ Previous: Security and Roles

$

0

0

I need a solution

What is the behavior if a full scan is missed because the system is offline? What is the behavior in Symantec for these scans? Scan upon login? etc. From the looks of it, the scan just simply gets missed.

J

0

---

Incident reporting of attachment names

June 14, 2018, 7:15 am

≫ Next: Add/Customize Summary in Monitors Page

≪ Previous: Full Scan Schedule at night--what is computer is offline?

$

0

0

I need a solution

Sanity check please. I'm using DLP v15 / email prevent. If I create a report using a filter based on the attachment file name (see attached image) shouldn't that criteria only apply to attachments that matched the policy rule?

I have a policy i am tuning. it is configured to delete non-violating attachments and has been working for some time.  Even though the non-violating attachments are not included in the incident they are listed in the Incident Details.  I found an incident with a false positive from a common report.  I want to review other incidents with the same root file name so i use the above mentioned filter but the results include incidents with attachments that did not meet the policy rules but were part of the email message.  Is that the way it's always worked? I thought not.

0

• filter.JPG

Add/Customize Summary in Monitors Page

June 13, 2018, 11:55 pm

≫ Next: Credentials not loading in Endpoint Machine

≪ Previous: Incident reporting of attachment names

$

0

0

I need a solution

Hello dears,

I would like to have more graphics and to Customize Summary in Monitors Page for my symantec endopoint protection manager console

How can i do it because i could not find anything.

Please any idea ?

Thnx

0

• Screenshot_1.jpg

Credentials not loading in Endpoint Machine

June 14, 2018, 4:08 am

≫ Next: Upgrading SEPM - Where to find installation package?

≪ Previous: Add/Customize Summary in Monitors Page

$

0

0

I need a solution

Hello,

I am using FlexResponse plugin for my custom solution and I pass certain parameters to the plugin through a Credential created on the Enforce server. But for some reason, the credential would not load.

I found this out when I checked the Endpoint Agent log. Is there a configuration to push the Credential to the Endpoint Agent?

Following is the log snippet. The bold line shows 0persisted credentials loaded. Sometimes I see the credentials loading fine, in which case I see the number of credentails in logs.

I have tried restarting the services and servers. Would appreciate if anyone can provide some inputs.

-----------------------------------

03/24/2018 12:49:02 | 12952 | SEVERE  | CoreServices.AgentServices | The reference count for the Thread Pool agent service is 1 instead of 0. | AgentServicesBase.cpp(126)
03/24/2018 12:49:02 | 12952 | INFO    | CoreServices.AgentServices | Agent service has been shut down: Thread Pool Factory
03/24/2018 12:49:02 | 12952 | SEVERE  | CoreServices.AgentServices | The following logger has not been released: AgentServices.ThreadPool | AgentServicesBase.cpp(198)
03/24/2018 12:49:02 | 12952 | SEVERE  | CoreServices.AgentServices | The following logger has not been released: AgentServices.ServerCommunicatorService.CServerConnectionInformationPublisher | AgentServicesBase.cpp(198)
03/24/2018 12:49:02 | 12952 | SEVERE  | CoreServices.AgentServices | The following logger has not been released: AgentServices.NetworkInformation | AgentServicesBase.cpp(198)
03/24/2018 12:49:02 | 12952 | INFO    | CoreServices.AgentServices | Agent service has been shut down: Log Manager
03/24/2018 17:40:53 |  5064 | INFO    | AgentServices.NetworkInformation | EndpointLocationResolver is Started
03/24/2018 17:40:53 |  5064 | INFO    | AgentServices.NetworkInformation | AddressChangeMonitor task is Started
03/24/2018 17:40:53 |  5064 | INFO    | AgentServices.NetworkInformation | Endoint Location Marshallable receiver is initialized
03/24/2018 17:40:53 |  5064 | INFO    | AgentServices.NetworkInformation | NetworkInformation is initialized and service is started
03/24/2018 17:40:54 |  5064 | INFO    | AgentServices.CredentialManager | Loaded 0persisted credentials.
03/24/2018 17:40:54 |  5064 | INFO    | CoreServices.AgentServices | Agent services initialized successfully

-----------------------------------

0

Upgrading SEPM - Where to find installation package?

June 14, 2018, 8:55 am

≫ Next: SEP 14, Exporting data to MULTIPLE Syslog servers

≪ Previous: Credentials not loading in Endpoint Machine

$

0

0

I need a solution

I have SEPM 14 MP1 installed and I want to upgrade to latest version 14 RU1 MP2.

I went through the guides and information on the symantec page, but I still have a question left.

Do I need to purchase a new license key for this upgrade or can I download the installation files from my SEPM-Server?

If yes, where can I get the installation package without purchasing a new license?

0

SEP 14, Exporting data to MULTIPLE Syslog servers

June 14, 2018, 9:02 am

≫ Next: DAgent displays Client Record Updated but job never starts

≪ Previous: Upgrading SEPM - Where to find installation package?

$

0

0

I need a solution

Hi,

Is it possible to configure the management console to export data via Syslog to two downstream databases (for example a SIEM and another application)?

Thanks,

Tim

0