Channel: Symantec Connect - Products - Discussions

SEP 14.1

I need a solution

We were promised SEP 14.1 was coming out in May and no word of it. It has several fixes we need.

Is there an approximate date?

Thanks


DoScan.exe not writing to log file

I need a solution

I am trying to implement a file scanner using doscan.exe in C#. Below is my sample code:

using System.Diagnostics;
using System.IO;

// Path to the SEP command-line scanner and the file to scan.
string symantecFilePath = "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.7061.6600.105\\Bin\\Doscan.exe";
string targetPath = "C:\\Temp\\UploadDocs\\test.docx";

using (Process process = new Process())
{
    // Launch DoScan.exe from its own directory and wait for it to exit.
    process.StartInfo = new ProcessStartInfo(symantecFilePath, "/ScanFile " + targetPath);
    process.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
    process.StartInfo.WorkingDirectory = Path.GetDirectoryName(symantecFilePath);

    var result = process.Start();
    process.WaitForExit();
}

Code executes with no errors. But I don't see anything in error logs.

Does anybody know what is happening here?


SEPM ADC doesn't show parameter value

I need a solution

Good day dears,

I've setup sepm v14 according to this article Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats - https://support.symantec.com/en_US/article.TECH967... and receive logs regarding the policy.

But there is no parameter in the logs. According to the mentioned article:

"Parameter: What was the process trying to touch? "

How can I get this "parameter" shown in logs?

Thank you in advance.


Issue creating Client update package after upgrading SEP 14

I need a solution

Hello everyone,

     First, I want to say that I have a case open with Symantec already for this but they can't find a resolution. I can't believe we are the only organization having this issue.

On May 1st 2018 I upgraded my SEP 14 from 14.0 to 14.0.1.2 with the assistance of Symantec. Before upgrading to the newest version, I had no issues. We made sure we did a backup of everything before starting. Now that we are on 14.0.1.2 everything is fine, except that I cannot create client upgrade packages. Which may not sound like a big deal but it is since the only way I can do any client upgrades, as new packages come out, is to uninstall SEP from the clients and install the newest version.....not feasible at all. It has been over a month since opening a case with Symantec but they cannot find a resolution. Has anyone else seen this issue recently?

When I try to create an upgrade package I get the attached error.


error in heartbeat response (4)

I need a solution

Hello everybody,

I have a SEPM console with 800+ endpoints.

Something happened on Monday (4th of June) and all the endpoints are now offline with this message (error in heartbeat response (4) ).

I have verified some endpoints and they have definitions from yesterday (5th of June) so it's a little bit confusing because on the Endpoint (Help/Troubleshooting/Connection Status) appears Status: Not Connected (to SEPM Console).

In Symantec Endpoint Protection/View Logs/Client Management/System Log there are some logs like:

-Failed to contact server for more than 10 times.

-Connected to Symantec Endpoint Protection Manager. (repeating)

-Disconnected from Symantec Endpoint Protection Manager. (repeating)

I have imported the Sylink.xml file but the problem persists. I also used SymDiag (attached). I have modified DNS addresses, still nothing changed.

I have added the hostname's server in "hosts" but nothing changed. For the moment I can't uninstall any endpoints because I need a maintenance window for restarting the server.

Thank you!


TLS1.2 SEP Manager error 11501

I do not need a solution (just sharing information)

When Integrating Symantec Endpoint Protection Manager 14.x with MS SQL server 2016 database on Windows server 2016 datacenter edition OS, the integration fails with Error 11501.

Windows Event viewer system logs error reads "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed." - Source- Schannel

Few facts:

1. TLS 1.2 is enabled through registry settings on Windows server 2016. TLS 1.0 and TLS 1.1 are not enabled for client/server options, both were disabled in the registry.

2. SQL server 2016 supports TLS1.2 by default. Microsoft lacks proper documentation on SQL Server 2016 TLS 1.2 specific settings. The Microsoft documentation is more specific and relevant for SQL 2014 and below.

3. Since the MS SQL 2016 and SEPM were on the same server (though not the Symantec best practice), the error on event viewer was TLS 1.2 cipher suites incompatibility issue.

4. On the Windows server 2016 datacenter edition only AES 256 bit cipher was allowed. Refer attached snapshot

5. Tried enabling "Force encryption" on SQL server configuration manager, with new certificate but did not work.

Error log in SEP manager tomcat/logs/ suggest the SSL handshake could not be established.

Upon further troubleshooting through IIS Crypto tool (Nartac Software), it appeared that customer had disabled PKCS key exchange, and only ECDH was allowed. Upon enabling PKCS the integration between SQL server 2016 and SEP Manager worked successfully.
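
A read-only check of the settings this post names, added here as an example and not part of the original post or of any Symantec or Nartac tooling. It reads the standard Schannel registry keys for key exchange algorithms and TLS protocol versions; the helper names Get-SchannelDword and ConvertTo-State are defined only for this example.

```powershell
# Added example: read-only report of the Schannel settings named in the post.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $path = Join-Path $schannel $SubKey
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertTo-State {
    param($Value)
    if ($null -eq $Value) { return 'not configured (OS default)' }
    if ($Value -eq 0) { return 'disabled' }
    return 'enabled'
}

# Key exchange algorithms: the post found PKCS (RSA) disabled and only ECDH allowed.
$keyExchange = foreach ($alg in 'PKCS', 'ECDH', 'Diffie-Hellman') {
    [pscustomobject]@{
        Algorithm = $alg
        State     = ConvertTo-State (Get-SchannelDword "KeyExchangeAlgorithms\$alg" 'Enabled')
    }
}

# Protocol versions, client and server side (the post disabled TLS 1.0 and 1.1).
$protocols = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        [pscustomobject]@{
            Protocol = $proto
            Role     = $role
            Enabled  = ConvertTo-State (Get-SchannelDword "Protocols\$proto\$role" 'Enabled')
        }
    }
}

$keyExchange | Format-Table -AutoSize
$protocols   | Format-Table -AutoSize

# Count the configured cipher suites by key exchange family (TLS module, Server 2016+).
$suites = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$rsaKx  = @($suites | Where-Object { $_ -like 'TLS_RSA_WITH_*' })
$ecdhe  = @($suites | Where-Object { $_ -like 'TLS_ECDHE_*' })
"RSA key exchange suites: $($rsaKx.Count); ECDHE suites: $($ecdhe.Count)"

$pkcs = $keyExchange | Where-Object Algorithm -eq 'PKCS'
if ($pkcs.State -eq 'disabled') {
    Write-Warning 'PKCS key exchange is disabled: a peer that offers only TLS_RSA_WITH_* suites has no suite in common with this server.'
}
```

Run it in an elevated PowerShell session on the server that hosts SQL Server; it changes nothing and only reports the current state.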


SRTSP64.SYS causing system non-responsive

I need a solution

Hi,

Looks like SEP 14 RU1 has some issues with SRTSP64.SYS causing a critical lock on the system and the server becomes non-responsive. Unable to RDP, remote PS etc. Only a hard reset comes to the rescue. Does anyone face similar issues?

Critical Section: services!ScServiceStartCriticalSection Owning Thread ID: 0x15b4


Block Access To File For Computer NOT INSTALL SEP Client

I need a solution

Hi everyone,

I have computer A and file text.txt. I created a policy to allow viewing file text.txt but terminate the process if a user tries to write to this file. I share the folder containing this file. It works fine with all computers that have the SEP client installed. But computers without the SEP client have full permission on this file. They can read, write, move, delete ... How can I block all permissions except read on file text.txt for those computers that don't have the SEP client installed, using SEP, not the file permissions of Windows?


File getting blocked due to WS reputation 1

I need a solution

Hi All,

We have a file which is getting blocked when downloaded from our portal in zip format and then run; it gets blocked due to WS reputation 1.

Anyone any idea on this?

We are on 14.0.1 RU1 MP1

Regards

Vivek P


Can I disable Computer Browser service

I need a solution

Hi,

I have a Symantec Endpoint server installed with Symantec Endpoint Manager Version 14. There is a hardening requirement to configure my Computer Browser service to "Disable" for the server itself as well as all the member servers and client machines connected to it. Will there be any issues? Am I still able to push down my anti-virus definition files, updates as well as the installation package if there is a need to re-install Symantec Endpoint protection?

Cheers

Suan Leng


Browser IPS causes documents to open really slow

I need a solution

Hi,

One of our customers complained about the Browser Intrusion Prevention. As soon as it's activated, it takes 1-3 minutes to open a PDF file (33mb) from the internal sharepoint server. Once they disable IPS, the file opens within a couple of seconds. We already tried to exclude the host but according to the customer it didn't help...

Clients are running on 14 RU1 MP1b with Windows 10 and IE 11.

Any advice? Thanks in advance!


Deception

I need a solution

I was able to import the 3 deception policies. I could not find any documentation on what to do next. LOL


Which are the SEP agent versions manageable by SEPM v12 console?

I need a solution

We have several old versions of Symantec AV deployed with two different operative SEP Managers: versions 12.1 and 14. We know that the SEPM v14 supports 14 and 12.1 agents. Which are the agent versions manageable officially by the SEPM v12.1? I cannot find any explicit documentation on it. I would like to know if SEP agent 11.x (or older 10.x) can be managed and kept updated using the 12.1 console.


SEPM 14, network drives disappearing.

I need a solution

I have installed the manager for endpoint, seems to have no issues. But when I push the client out to the other systems on the network, network drives and other computers that can be seen on the network disappear. Also, I have SEPM 14 on one LAN, and it will not show the win 7 enterprise and pro systems, but will show win 10 systems without any issues. The only way to update definitions is to go through the process of adding a client again for the win 7 OS systems. Are there any fixes or workarounds found that may resolve these issues?


OSX.trojan.Gen virus

I need a solution

I am using an Apple MacBook Pro laptop computer.  My anti-virus software found a virus in the following directory but can not delete it.  The directory path is /volumes/Install/Install.app/contents/MacOS/Install  OSX.Trojan.Gen.  When I use the anti-virus software (Endpoint Protection) I get a message that the repair failed!!!!  It calls the virus "OSX Bundlore activity 2".  I have updated the anti-virus signatures but this does NOT delete the virus.  I found out about this when I tried to update Adobe Acrobat reader software.  I need a solution to this issue please!


Monitoring access to C:\Users

I need a solution

Hi all,

How can I monitor and block access attempts to local folder C:\Users from remote computers (\\mymachine\c$\users)?

I cannot remove BUILTIN\Administrators' group from Security Folder of the folder.

Thanks

M


Mac client questions

I need a solution

We have a number of Macs running v14.x connected to a 14.x SEPM server. The virus definitions on these macs are continually out of date on SEPM. For instance, even though a handful show having last communicated with SEPM today the 11th, all of their virus definitions are listed as the 5th or 6th. Oftentimes most of them are offline. For instance 5 of them are virtual machines running on a Mac ESXi host, which means they are always on, yet even after reboot they often show as being offline, but having had talked to the server today, so I know the components are running. Furthermore even though I have a scheduled scan set for every night at 1 am and to cancel if it’s still running by 6 am, and two scans to run, Monday and Thursday, during the day until they complete, yet the systems will have times that the last time they completed a scan was a week ago or more. Even some of the virtual machines report this, or no scans completed at all, when they have nothing on them except the os and a few apps, a small disk size (80gb), and no users logged in to interrupt any scanning.

However, when I log into the console of any mac the menu bar application shows the state as "connected", even when the server states it is offline. The client side application usually lists the definitions as being up to date (today or yesterday), yet the SEPM console lists them being vastly out of date. It appears that after logging in to the console of a mac, the SEPM updates with new information, sometimes.

This leads me to believe that SEPM getting properly updated information is entirely dependent on a user being logged into the client. I read this was the case in 12.1.x. Is this correct in version 14? I hope not as that's the worst client/server AV application design I've ever seen. Both the LiveUpdate and SymDaemon processes run full time as root. They should not need a user logged in to perform any communications with the server. I have tried to ssh into clients to see if I could determine the definition date from the command line, thus not causing the gui menu bar application to open, and have not found a way to check connection status or AV def version information from the terminal. From the only real mac document I've found on Symantec's site, the Mac FAQ, it doesn't appear there is a way to check definition versions or communication status except using the gui app, which makes troubleshooting in the scenario nearly impossible. Not to mention if I could check that information from the command line I'd script reporting back to our mac management software for compliance and forego the apparently faulty SEPM<->SEP relationship for reporting. But alas it seems there are no command line options for sepm 14 except to restart the daemon and run lutool.

Does anyone have any reliable information from Symantec on if this behavior is expected, or any suggestions on how to get the SEPM console to reflect the client status without having users logging in just to get that information updated? Is there a way to pull definition date, connection status, last scan date from the command line?

SEPM not having accurate information makes it very difficult to report compliance to our overlords. I'm not going to chase users around every week begging them to log into their systems so IT security can get the compliance it needs, and IT security isn't going to continually accept submitting garbage reports to their higher-ups.

Thank you for any feedback,

Paul


osx trojan gen

I need a solution

I am using Symantec Endpoint Protection anti-virus software on an Apple MacBook Pro laptop computer. The software detects a virus called OSX.trojan.Gen on the computer. It also lists this as "OSX Bundlore Activity 2". The virus is located at /volumes/Install/install.app/MacOS/Install. The software does NOT clean the virus for some reason?????  I have updated my anti-virus software but this does NOT get rid of the virus! I tried to delete the virus file and that did not work. This started when I went to update Adobe Acrobat software. What can I do to get rid of this virus?


Need to push update policy outside of network

I need a solution

The problem that I would like to solve (and I'm not sure if there is a viable solution for this), is that I would like my client machines running SEP to be able to receive policy updates while working remote. Content updates are not a problem, my clients already receive those from Symantec. However, the policy updates are specific to the SEPM server, and thus the clients need a way to somehow talk to the SEPM from the outside internet. Obviously we have a VPN which users can connect to and then receive policy updates from the SEPM server, but I would like clients to receive policy updates without connecting to the VPN. Sometimes users work remote for several days, and they don't necessarily connect to the VPN. It would be helpful if they could still receive policy updates. I do not want the SEPM server to have a public IP for obvious reasons, either. Perhaps some sort of proxy located in the DMZ could act as a middleman to push policy updates to clients as long as they have internet access, since they can access the DMZ from anywhere.

I exercised the idea of having a GUP client in the DMZ, but realized that GUP only sends out content updates, not policy. If there is any way at all to do this, I would really appreciate knowing. Every option will be considered, even paid solutions.

Thanks


Disabled Endpoints

I need a solution

We have disabled endpoints showing up in the console, can HI Policy solve this?
