Hello,
Today I received 2 notifications from my SEPMs that I had never seen before.
I checked the log files and didn't find anything "suspicious".
The first e-mail: Security alert: suspicious activity from x.x.x.x was detected on Symantec Endpoint Protection Manager 1. Check the log files for details.
Right after that, from my Symantec Endpoint Protection Manager 2:
All accounts for system administrators are currently locked. Go to the Forgot your password link on the logon page and change your password to unlock an account.
I'm not sure, but I think the following could have caused this issue:
In the first e-mail, the suspicious activity from x.x.x.x and SEPM1 are one and the same server, so SEPM1 detected activity on itself.
After that, SEPM2 kicked in and locked all system admin accounts, because SEPM1 might be compromised.
After some research I found that the SEP that protects the SEPM1 server had had problems updating itself for the past couple of days; I think somehow SEPM1 marked the SEP update process as suspicious activity.
Uninstalled and reinstalled SEP, ran LiveUpdate, no more e-mails.
Could this be the case?
LEVD