Channel: Symantec Connect - Products - Discussions
Viewing all 6827 articles
Browse latest View live

Application and Device Control Log Export - Inconsistent Timestamps

I need a solution

Hi everybody

I noticed that when exporting the "Application and Device Control Logs", there are two different time formats in the exported CSV file:

Format 1: 03/13/2018 10:29:40
Format 2: 04.03.2018  07:01:47

This, of course, is messing up the processing of these exports.
Is there anything that can be done to get one format only?

Cheers


Traffic has been blocked from this application: Device Association Framework Provider Host (dashost.exe)

I need a solution

Hi, I've just recently started having the problem of notifications coming up around every 10 minutes that say: Traffic has been blocked from this application: Device Association Framework Provider Host (dashost.exe).

A while back I had the same issue with svchost.exe and found a fix on a forum page which told me to change one of the settings in the firewall settings (I think it was unchecking "Enable network application monitoring"; not sure exactly because it was a while ago, but I'm pretty sure it was this).

Anyway, now I'm having the same message for dashost.exe and couldn't find any fixes for it. I've checked in Task Manager and dashost.exe is running from C:/Windows/System32, and a full scan shows no threats, so I don't think it is anything to do with a virus.


exclusions for userprofile or username variables

I need a solution

Testing out Symantec Endpoint Protection Cloud. How do you exclude %userprofile%\appdata\CustomApp for all users on all machines?


Memory Exploit Mitigation Heap Stacks blocking Office/Acrobat

I need a solution

Windows 7 SP1 Enterprise
Patched to May Security patches for all programs
Symantec Endpoint Protection 14.0.3897.1101
Exploit/IPS definitions June 8th, R1 and June 12th R2.

Blocked Attack: Memory Heap Spray attack against C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrobat.exe
Blocked Attack: Memory Heap Spray attack against C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE

Since late last week I have been seeing issues with memory exploit/IPS signatures shutting down legitimate programs before they can load, some common examples below:

Adobe Acrobat
Microsoft Office Word
Microsoft Office Excel
Internet Explorer

This is when opening the program, not when opening a document or when browsing to a webpage. This seems to only impact Windows 7.

So far I have experienced this on the following IPS definition versions:

June 8th R1

June 12th R2

The June 8th R61 definitions stopped the issue

Support told me to upgrade Office 2013 to 2016 throughout my entire organization and to not use IE, we do not have this option.

Any other users experiencing this? If so, have you found a safe version of IPS definitions to use until this is fixed?


SEP 12.1.7 on RHEL5 won't talk to SEPM 14.0.1

I need a solution

My RHEL6 and RHEL7 machines have no problem connecting to the management server running 14 and using the reverse proxy for LiveUpdates. My RHEL5 machines running SEP 12.1.7, on the other hand, cannot seem to communicate. I'm running the latest JRE. Installation and logs after the fact on SEP show no errors. However, the client never shows up in SEPM and the client is stuck in a "Malfunctioning" state - presumably because it cannot download definitions. How do I go about troubleshooting? The client I'm testing on is running RHEL5-11. It's a test machine, so it's a fresh installation. I don't have ELS with RedHat, so other than manually installing the latest Java it's never been patched.

FYI - The LiveUpdate log indicates it's about to connect to the reverse proxy and download but despite the lack of an error they don't install.


Strong configuration against ransomware

I need a solution

I wonder what would be the best configuration to protect against ransomware? What do you recommend enabling, etc.?


SEP blocking Web Services Discovery, should I allow?

I need a solution

Hi. I am having issues with annoying popups coming up every few minutes, saying SEP blocked application "svchost.exe". I have been using this PC with SEP for a little over a year now and I hadn't had this popup come up until yesterday. The only thing I remember changing at that time was setting up a Dropbox share folder, which I assume is unrelated from the information I show below.

I am on an unmanaged client.

I checked the network threat protection logs, and have identified that the notification is coming from incoming traffic to port 3702, from an IPv6 address. The log tells me that the applied rule is Block Web Services Discovery.

Here is the exact log entry:

2018/06/14 10:10:44    遮断しました    3    着信    UDP    FE80:0:0:0:6152:E281:F972:22C8    28-16-AD-21-2F-0F    64489    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    3702    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    4    2018/06/14 10:10:20    2018/06/14 10:10:25    Block Web Services Discovery    

遮断しました = blocked, 着信 = inbound (I run on a Japanese client. Sorry for the inconvenience.)

I looked through other forum posts, and have figured out I can change this particular firewall rule to allow traffic, but I don't know if this is safe to do. So I want some expert advice on the matter.

I am currently suppressing the popups by turning off Network Intrusion Alert, but this is probably not ideal in the long term.


Do replication partners require separate license files?

I need a solution

Hi,

I am configuring an environment where a SEPM will have several replication partners.

My question is, does each replication partner require a unique license or is the license applied to the Primary SEPM shared with all replication partners?

Thanks.


Full Scan Schedule at night--what if computer is offline?

I need a solution

What is the behavior if a full scan is missed because the system is offline? What is the behavior in Symantec for these scans? Scan upon login? etc. From the looks of it, the scan just simply gets missed.

J


Add/Customize Summary in Monitors Page

I need a solution

Hello dears,

I would like to have more graphics and to customize the Summary in the Monitors page for my Symantec Endpoint Protection Manager console.

How can I do it? I could not find anything.

Any ideas, please?

Thanks


Upgrading SEPM - Where to find installation package?

I need a solution

I have SEPM 14 MP1 installed and I want to upgrade to latest version 14 RU1 MP2.

I went through the guides and information on the Symantec page, but I still have a question left.

Do I need to purchase a new license key for this upgrade or can I download the installation files from my SEPM-Server?

If yes, where can I get the installation package without purchasing a new license?


SEP 14, Exporting data to MULTIPLE Syslog servers

I need a solution

Hi,

Is it possible to configure the management console to export data via Syslog to two downstream databases (for example a SIEM and another application)?

Thanks,

Tim


SEP 14.2 is now available

SEP Checking period

I need a solution

Hi team,

I installed SEP to my computer for a time.

But I lost my SYMC Lic and don't know how to check from my computer the expiration date of SEP.

Please help me!

Thank you!


Desktops losing network after SEP 14 Installation - Win 7

I need a solution

Hi All,

In my project we are currently using SEP 14.0.2415.0200. For the past 2-3 months we are encountering an issue that was never there before.

A few of the desktops are losing network connectivity after we install SEP on them. The network works fine up until SEP asks for a restart (let's call it Re1) after the installation. After the installation the desktop stays on the network for a few seconds and then the connectivity drops. We have to physically go to the affected desktop and give it a restart (let's call it Re2). After just 1 restart the desktop comes back on the network. One common thing I have observed in the affected desktops is this: after SEP takes Re1, I will log in to the desktop and try to open SEP from the Start menu, and it always gives the error saying Symantec services cannot be started (attached the screenshot for that). After Re2 the same installation works like normal.

The issue is happening to a few desktops (say 2-3 out of 10). There is no recurring pattern here either. It seems like a completely random thing that can happen to any desktop. We have tried installing Symantec by manually logging into the desktop as well as installing it using PushDeploymentWizard. We tried taking new packages for the SEP client; still the same issue comes up.

We have not made any changes to the SEP server, so I have no clue how this problem popped up. I have looked up this issue but the solutions are for Windows 10. This issue is becoming a nuisance for us now because we used to push Symantec and leave it to update overnight, but now we do not have that peace of mind. I am worried this issue might spread to a point where we have to manually intervene in every SEP installation.

Kindly provide any solutions/inputs on this.


the problem message appears on the client

I need a solution

I installed the "Email Scans" features and disabled them (we intend to use them in the future).
When disabling, the problem message appears on the client. I do not want to show these messages to the client, how do I remove this type of notification?


Upgrade to 14.2

I need a solution

I am running Windows 10 Pro, 64-bit OS, Version 1803 (OS build 17134.112) with SEP client 14.0.3929.1200. 

The operating system has all current MS patches applied.

Yesterday, I downloaded Sep64_To_758_EN.zip and extracted the correct executable to upgrade my client.

The client was not upgraded.

I checked the installation files and discovered that the assumed language for the upgrade was Korean!

Perhaps the reason for the failure to upgrade was due to the presumed language (Korean) being inconsistent with my system (US English).

Someone should check to assure that the proper language version is associated with the upgrade file names.


Upgrade to SEP Manager 14.2 loses policies

I need a solution

Hi,

Over the weekend, I upgraded our SEPM from 14.0 RU1 MP2 to SEPM 14.2. Our server is a Hyper-V VM running W 2008R2. I noticed after the successful upgrade that some policies disappeared from our main group. This group uses customized non-shared policies. After the upgrade the non-shared policies Firewall, Intrusion Prevention, Application and Device Control, Memory Exploit Mitigation, and Exceptions were gone from the group. Any groups with shared policies were unaffected. I also noticed some of the locked settings in the remaining policies were now unlocked. I created a checkpoint of the VM before the upgrade and was able to roll back to 14.0 RU1 MP2. I tried the upgrade multiple times with the same results each time.

It looks like I will have to create new policies to replace the ones that disappeared. I validated the built-in db after the update and it passed validation. I have never seen this before after dozens of upgrades over the years. Can anyone offer an explanation?

Thanks,

CQ


Check for SEP 14, macOS Virus Def Status via CLI?

I need a solution

Hello!

We manage our Macs with the JAMF Casper Suite. Currently, we have some systems which are not updating their virus definitions. I was wondering if there is a definitive key, plist value, attribute, log string or some other data I can access, via command line, which would allow me to build smart computer group criteria in the JAMF server. This would allow us to identify all systems whose virus defs are not up to date, which in turn would allow us to take remedial action through either self service or by launching Live Update remotely.

Thank you in advance for any assistance anyone may be able to provide.


Whitelisting Preventing OS Boot

I do not need a solution (just sharing information)

Hi There,

Please excuse me if this is posted in the wrong area, I found it difficult navigating these forums.

I am looking to get some assistance with SEP whitelisting. Our SEP administrator is on leave for 2 weeks unexpectedly and issues are now coming to me. I have basic knowledge of SEP, so please excuse me if the terms I am using are not technically correct.

We have whitelisting enforced across our organisation on Windows 10. We have a user who has come back from 2 months' annual leave, with her machine being offline during that period. She logged in this morning and SEP was blocking application execution on many Office products. She restarted her machine and now Windows will not boot. I have seen this before; SEP appears to block Windows from loading, as the logs are full of entries relating to the OS.

I have placed the machine in "Audit Mode" and connected the machine to the LAN. However, the machine will still not boot and it's still blocking Windows from booting (checked SEP application logs). It appears that the client policy is not updating. Usually we would right-click on the system tray icon and "Update Policy"; however, I obviously cannot get into Windows.

Is there any way to force the client to update its policy remotely? The machine is showing online in SEP and has been in Audit mode for more than 1 hour.

Thanks for your help,
