Channel: Symantec Connect - Products - Discussions

SEP 14 upgrade gone awry


Hi all,

I saw the upgrade was available a while back so last Thursday I updated our server infrastructure to SEP 14.

Our installation is a bit different than others I have been reading - we don't use SEP on our workstations, only on our servers. Some of the symptoms I've been reading about sound very familiar but it sounds like a local client/workstation issue.

Some background:

  • Windows 2012 AD environment, with only one 2008 server, and one 2003 server for legacy software.
  • We have redundant DCs on two sites connected by WAN/VPN, two DCs at each site
  • We also use DFS, two servers at each site, using WAN/VPN site links
  • We also have on-site Exchange
  • We exclusively have Windows 7 workstations, with the exception of one Surface Pro
  • We also have HA DHCP servers

Ever since the upgrade I've noticed some really bizarre problems, and my networking hardware checks out, which leaves SEP14 as the most recent change.

Here are some issues:

  • Windows 7 logons the next day (or last Friday) were not working. Users would get the spinning-wheel "Welcome" screen and it could take up to 15 minutes to log on (it was getting stuck at GPO processing). Restarting the DCs mostly fixed this; it is still happening, but intermittently.
  • The DHCP servers completely stopped responding, workstations started dropping off the network. Restarting the server with the DHCP fixed this issue
  • We use network shared/folder redirection extensively and this is the major problem for us. It is randomly dropping network connections to the DFS servers. This results in timeouts bringing up file dialogs and the like. Restarting the workstations does not appear to fix this issue. Sometimes a reboot will bring the network back online.

This is happening all over the place and the frustrating thing is that there's no log on the servers (event log or SEP itself) that indicates any sort of communication problem.

Note: When installing, I exported packages with server settings from SEPM and upgraded our servers.

As this doesn't seem to be a client issue as we don't use SEP on clients, has anyone else experienced this? It's so intermittent that it's hard to pinpoint any issues. The only thing I know for sure is our workstations point to connectivity issues to the servers via vague GPO processing delays.

Dan


LiveUpdate Administrator server drive space issue


I have recently been having issues with my LiveUpdate Administrator servers that I would like some help with. This is a general overview of what my environment is like:

I have a single LUA server downloading updates for SEP 12.1 RU6 and SEP 14.0 products. I have multiple Symantec Endpoint Protection Manager servers which all of the clients connect to, and each of those SEPM servers look to the LUA server to get their updates from. Since none of my clients connect directly to this LUA server, I have it configured to only download the 'Manager' definitions.

Shortly after adding the SEP 14 products, the drive began to rapidly fill. I currently have the LUA server configured to Purge updates in the Manage Updates folder daily, with the rule set to purge anything older than 2 revisions back. I also have the Purge updates in Distribution Centers set to run Daily.

Even with these settings I am seeing my \ProgramData\Symantec\LiveUpdate Administrator\Downloads folder clocking in at over 38GB (with some files from back in 2015) and my \Program Files (x86)\Symantec\LiveUpdate Administrator\clu-prod folder clocking in at over 20GB (though those files only go back a couple of days).

I find it difficult to believe that Symantec Endpoints require that much data and it's very possible I have the system configured incorrectly for what I actually need to download. At one point I was forced to delete files in the \ProgramData\Symantec\LiveUpdate Administrator\Downloads folder, which results in errors in the Purge schedule now.

If any of you out there are LiveUpdate Gurus I would really love to get some help with this. Thanks!


I need to block specific IP addresses in SEPM


Hello everyone! I need to block about 200+ IP addresses in Symantec Endpoint Protection Manager. The rules have already been added to our unmanaged clients manually. We have about 40 PCs on our network. We just purchased SEPM and wanted to export the firewall rules from one client to the SEPM. Unfortunately, it will only export the policy as .XML or .SAR. SEPM only accepts .DAT. So I figured I can just create the 5 firewall rules from the client in the manager, but when I go to Policy, Firewall Rules, Add a blank rule, and go to add... I can only choose 1 single IP address or a range of IP addresses. The problem is these 200+ IP addresses are from different subnets, etc. I cannot do this by blocking a range! In Symantec Endpoint Protection clients, you can just copy and paste the addresses divided by commas and add multiple different IPs in the firewall rule. But you cannot in the manager.


Download protection definitions does not updated on clients (LUA)


Dears,

hi,

After upgrading the LUA console to the latest version (2.3.5.99) and configuring the console from the beginning, everything is fine and clients which point directly to the internal LiveUpdate server are getting all definitions except the Download Protection definitions; as a result, after a couple of days they are considered out-of-date systems in SEPM.

Please note that in the LUA console events everything is working without any failed log, and both download and distribution schedules complete successfully.

Would you please assist?

Please see the content list in our configuration.

Updates1.jpg

Updates2.jpg

clientUpdate.jpg

Thanks.


Symantec Endpoint Protection Does not detect threat


I don't know if this is the right forum category to post, so i apologize if i post this in the wrong forum.

One of my users recently opened an email attachment, a .zip file; after around 6+ hours we detected that the .zip contained ransomware which encrypted all the documents with the .osiris extension.

Endpoint Protection did not give any warning about this ransomware, so we did not know about it until the ransomware had encrypted almost all the user's data.

The problem is that the encryption has reached our main server and we do not know how far and to where it has spread.

We have disconnected the source computer and, after checking around the internet on how to detect the ransomware, we did not find any trace of the ransomware in the registry, the application list or the startup list. The only things remaining are the .zip file that the user downloaded and a suspicious FILE and a .ZK extension file inside the TEMP folder. At this point, we do not know if the ransomware is still active or not, or how it works.

My question: could we upload the ransomware source to Symantec, and could Symantec check the ransomware source (.zip) and check its variant, how it works and how to check if the ransomware is still active, and whether it brings any other threat like a trojan with it? And if so, where do we submit the file to?

Thanks.

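Scoping the spread described in the post above, as an added example that is not part of the post and not Symantec tooling: the script walks a share tree, counts files carrying the .osiris extension the poster saw per directory, and uses the newest modification time among them to judge whether encryption is still in progress (a recent write means files are still being touched; a stable timestamp means it has stopped or was cut off). The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Scope an encryption event by the extension the ransomware appends.

Added example, not from the post or from Symantec. It assumes only that
encrypted files carry the '.osiris' extension the poster saw; the sample
tree is constructed in a temporary directory so the script runs offline.
"""
import os
import tempfile
import time
from collections import Counter

RANSOM_EXT = ".osiris"


def scan_for_encrypted(root, ext=RANSOM_EXT):
    """Walk root and count files with the ransom extension per directory.

    Also records the newest modification time among them, which is the
    best file-system evidence of when encryption was last active.
    """
    per_dir = Counter()
    newest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            per_dir[dirpath] += 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            if newest is None or mtime > newest:
                newest = mtime
    return {"total": sum(per_dir.values()),
            "by_dir": dict(per_dir),
            "newest_mtime": newest}


def still_active(result, now=None, window_seconds=600):
    """True when an encrypted file was written within the window.

    Repeated scans that keep returning True mean files are still being
    encrypted; a stable newest_mtime means the process has stopped or was
    cut off, e.g. by disconnecting the source host.
    """
    if result["newest_mtime"] is None:
        return False
    now = time.time() if now is None else now
    return now - result["newest_mtime"] <= window_seconds


def build_sample_tree():
    """Constructed share layout: two directories with hits, one clean one."""
    root = tempfile.mkdtemp(prefix="osiris_demo_")
    layout = {
        "finance": ["budget.xlsx.osiris", "q3.docx.osiris", "readme.txt"],
        "hr": ["policy.pdf"],
        os.path.join("shares", "projects"): ["plan.docx.osiris"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_for_encrypted(root)
    print(result["total"], "encrypted files")
    for d, n in sorted(result["by_dir"].items()):
        print(f"  {n:4d}  {d}")
    print("still active:", still_active(result))
```

Run it against the root of each mapped share (read-only) and compare the per-directory counts across runs; the directories that keep gaining .osiris files point at the host that still holds a live session to them.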

Traffic Log - Network & Host Exploit Mitigation Logs Question


Hi

Looking at the SEP Network and Host Exploit Mitigation traffic log on my workstation, I see a lot of traffic not destined for my PC. This traffic shows up as blocked. For example, the majority of it is UDP SNMP traffic on port 161 between printers and various other IP addresses.

Why does this traffic show up in my workstation's SEP traffic log when it's not destined for my PC?


Will SEP Client version 11 still report in SEP 14?


Our current SEPM version is 12.1.4 and SEP is still reporting in our console, and we are planning to upgrade the SEPM to version 14 or the latest version of 12.1.6. Does SEP 11 still report in both SEPM 14 and the latest version of 12.1.6?


SEP Actual Action left alone


Hello all, I would like to know why these files are left alone and not identified and removed by SEP?

Also, it says Actual Action "Left alone" and Secondary Action "Quarantine", so did SEP quarantine these files? How do I confirm?

Log export (the column headers and the six rows were run together on the page; columns whose value is identical in every row are listed below the table):

| Event | IP Address | Computer Name | Risk Name | File Path | Description | Actual Action | Requested Action | Secondary Action | Event Date | Event Insert Time | Application Name | Application Hash | Hash Algorithm | Company | Version | File Size | Category type | URL Tracking Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Virus found | 10.10.10.243 | XYZ | Trojan.Gen.NPE | e:\program files (x86)\sbqh\data.txt | | Left alone | Clean | Quarantine | 06-12-16 11:34 | 06-12-16 11:34 | data.txt | 68D1046D087FAAEC4DC0DD2900356D900F7E2C05C22A647C7998434F464D76C1 | SHA-256 | | | 76054 | Virus | On |
| Compressed File | 10.10.10.243 | XYZ | Trojan.Gen.2 | E:\Program Files (x86)\sbqh\data.txt | Still contains 1 infected items | Left alone | Quarantine | Leave alone (log only) | 06-12-16 11:34 | 06-12-16 11:34 | | | Not Available | | | 0 | Virus | Off |
| Virus found | 10.10.225.212 | ABC | SMG.Heur!gen | f:\new\aa_v3.5.exe | | Left alone | Clean | Quarantine | 05-12-16 15:56 | 05-12-16 16:21 | Ammyy Admin | 7A836E718B70F586695D1BCED9EACFB1AA1B67387B051D0536669754B391FE81 | SHA-256 | Ammyy LLC | 3.5 | 769528 | Heuristic Virus | On |
| Virus found | 10.10.225.212 | ABC | SMG.Heur!gen | f:\old pc all files\aa_v3.3.exe | | Left alone | Clean | Quarantine | 05-12-16 15:52 | 05-12-16 16:21 | aa_v3.3.exe | B5F65158F6713AA2FB7DD0B09D5F6DD39AE3CD1212AD330DA207244D522AEE20 | SHA-256 | | | 743704 | Heuristic Virus | On |
| Virus found | 10.10.225.212 | ABC | SMG.Heur!gen | f:\data\old pc all files\aa_v3.3.exe | | Left alone | Clean | Quarantine | 05-12-16 15:50 | 05-12-16 16:21 | aa_v3.3.exe | B5F65158F6713AA2FB7DD0B09D5F6DD39AE3CD1212AD330DA207244D522AEE20 | SHA-256 | | | 743704 | Heuristic Virus | On |
| Virus found | 10.10.225.212 | ABC | SMG.Heur!gen | f:\all files\aa_v3.3.exe | | Left alone | Clean | Quarantine | 05-12-16 15:48 | 05-12-16 16:21 | aa_v3.3.exe | B5F65158F6713AA2FB7DD0B09D5F6DD39AE3CD1212AD330DA207244D522AEE20 | SHA-256 | | | 743704 | Heuristic Virus | On |

Identical in every row: Source = Scheduled scan; Occurrences = 1; Domain = Default; User Name = SYSTEM; Source Computer IP = 0.0.0.0; Category set = Malware; Detection Reason = Antivirus engine; Minimum Sensitivity Level = N/A; Prevalence, Reputation and First Seen = "Reputation was not used in this detection."; Event End Date = Event Date; Timestamp = Event Insert Time; Operating System = Windows 7; Deleted = 0. Source Computer Name, Permitted Application Reason, Web Domain, Download site and Downloaded by are empty in every row.
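A way to answer the "did SEP actually quarantine these?" question from the export itself, as an added example (not Symantec's tooling and not code from the post): the script parses a tab-separated risk-log export with the column names shown above, reads Actual Action as what the client did and Requested/Secondary Action as the configured first and fallback actions (an assumption about the export's column meanings), and groups the untouched files by SHA-256 so the same sample sitting in several paths is counted once. The rows it carries are constructed from the six entries in the post.

```python
"""Triage an exported SEP risk log like the one in the post above.

Added example, not Symantec's own tooling. It assumes the export is a
tab-separated file whose header row carries the column names shown on the
page; the rows below are constructed from the post's six entries.
"""
import csv
import io
from collections import defaultdict

COLUMNS = ["Event", "IP Address", "Computer Name", "Source", "Risk Name",
           "File Path", "Actual Action", "Requested Action",
           "Secondary Action", "Event Date", "Application Hash",
           "Hash Algorithm", "Deleted"]

# SHA-256 values exactly as they appear in the post's export.
HASH_DATA_TXT = "68D1046D087FAAEC4DC0DD2900356D900F7E2C05C22A647C7998434F464D76C1"
HASH_AA35 = "7A836E718B70F586695D1BCED9EACFB1AA1B67387B051D0536669754B391FE81"
HASH_AA33 = "B5F65158F6713AA2FB7DD0B09D5F6DD39AE3CD1212AD330DA207244D522AEE20"

_ROWS = [
    ["Virus found", "10.10.10.243", "XYZ", "Scheduled scan", "Trojan.Gen.NPE",
     r"e:\program files (x86)\sbqh\data.txt", "Left alone", "Clean",
     "Quarantine", "06-12-16 11:34", HASH_DATA_TXT, "SHA-256", "0"],
    ["Compressed File", "10.10.10.243", "XYZ", "Scheduled scan", "Trojan.Gen.2",
     r"E:\Program Files (x86)\sbqh\data.txt", "Left alone", "Quarantine",
     "Leave alone (log only)", "06-12-16 11:34", "", "Not Available", "0"],
    ["Virus found", "10.10.225.212", "ABC", "Scheduled scan", "SMG.Heur!gen",
     r"f:\new\aa_v3.5.exe", "Left alone", "Clean", "Quarantine",
     "05-12-16 15:56", HASH_AA35, "SHA-256", "0"],
    ["Virus found", "10.10.225.212", "ABC", "Scheduled scan", "SMG.Heur!gen",
     r"f:\old pc all files\aa_v3.3.exe", "Left alone", "Clean", "Quarantine",
     "05-12-16 15:52", HASH_AA33, "SHA-256", "0"],
    ["Virus found", "10.10.225.212", "ABC", "Scheduled scan", "SMG.Heur!gen",
     r"f:\data\old pc all files\aa_v3.3.exe", "Left alone", "Clean",
     "Quarantine", "05-12-16 15:50", HASH_AA33, "SHA-256", "0"],
    ["Virus found", "10.10.225.212", "ABC", "Scheduled scan", "SMG.Heur!gen",
     r"f:\all files\aa_v3.3.exe", "Left alone", "Clean", "Quarantine",
     "05-12-16 15:48", HASH_AA33, "SHA-256", "0"],
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in [COLUMNS] + _ROWS) + "\n"


def parse_risk_log(text):
    """Parse a tab-separated risk-log export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def unresolved_detections(rows):
    """Detections the client logged but did not act on.

    'Actual Action' is what the client did; 'Requested Action' and
    'Secondary Action' are only the configured first and fallback
    actions (assumed column meanings). A row reading 'Left alone' with
    Deleted = 0 therefore means the file is still on disk, whatever the
    other two columns say.
    """
    return [r for r in rows
            if r["Actual Action"] == "Left alone" and r["Deleted"] == "0"]


def group_by_hash(rows):
    """Map each SHA-256 to the (computer, path) pairs it was found at.

    Rows without a usable hash (the 'Compressed File' container entry,
    whose hash algorithm is 'Not Available') are skipped.
    """
    seen = defaultdict(set)
    for r in rows:
        if r["Hash Algorithm"] == "SHA-256" and r["Application Hash"]:
            seen[r["Application Hash"]].add((r["Computer Name"], r["File Path"]))
    return dict(seen)


def summarize(text):
    """The counts a responder wants first: rows, untouched files, distinct samples."""
    rows = parse_risk_log(text)
    left = unresolved_detections(rows)
    return {"rows": len(rows),
            "left_alone": len(left),
            "distinct_samples": len(group_by_hash(left))}


if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
    for digest, places in group_by_hash(unresolved_detections(parse_risk_log(SAMPLE_EXPORT))).items():
        print(digest[:16] + "...")
        for computer, path in sorted(places):
            print("   ", computer, path)
```

For the post's export every row is "Left alone" with Deleted = 0, so nothing was quarantined; the two hashes still on disk on ABC and XYZ are the files to pull by hand or re-scan with a corrected action policy.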

SEP for linux report in SEPM


When we install SEP 12.1.6 or SEP 14 on a Linux or Unix machine, will it be able to report to the SEPM console, or is it standalone?


SEP 14 Upgrade and Replication


Hello everyone. We have two sites in different geographical locations, configured as replication partners. Below are the details:

Site 1:- SEPM 12.1.4 with SQL backend

Site 2:- SEPM 12.1.4 with embedded database 

Now we intend to do the upgrade to version 14. Prior to performing the upgrade, do we have to break the replication and then perform the upgrade? Or, when performing the upgrade on site 1, do we simply need to stop the SEPM service on site 2, and vice versa when doing the upgrade on site 2?

Thanks 


Blue screen after upgrade


Hello,

We have recently updated Symantec on the client machines to the latest version (14.1904). After the upgrade we have noticed many users are getting the blue screen and Windows keeps restarting:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: 27
BCP1: BAAD0073
BCP2: 9FB499F4
BCP3: 9FB495D0
BCP4: 8D3DF0CF
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\120716-22183-01.dmp
C:\Users\manar.alseddiqi\AppData\Local\Temp\WER-121446-0.sysdata.xml

Attached screenshot is what we get from the dump file.

Could you please help.

Thanks in advance.


JS.Downloader!gen25


I am seeing this detection a lot more frequently over the last few days; is anyone else seeing this?


Multiple Warnings on Endpoint Client


I have a Symantec Endpoint client v12.1.671.4971 running on a Windows 2003 server. The computer gave me a message that it required a reboot and reported that it was not running SONAR or Intrusion Protection. After rebooting the computer I receive a message that there are "Multiple Warnings (3)". After selecting details I see the following:

1. Download Insight is not functioning correctly due to an intrusion prevention component

2. Network Intrusion Protection is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt

3. Browser Intrusion Prevention is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt

I tried running a repair from Add/Remove Programs and rebooting, but that didn't resolve the issue. What are the next steps, and are there any logs that I can provide you to help in the troubleshooting?


Best Practices for Deploying AntiVirus Definitions


Hello Community,

I'm looking for a way to deploy AntiVirus definitions through a testing process. Traditionally we let SEPM deploy to all clients but I have a requirement to test first then release to production. There don't appear to be any options within SEPM to support this... I'm okay with using a third-party tool for this.

Any input is appreciated.

Thanks!


HA Design Question - Do you use the MS in 2nd site on the 1st site MSL?


Hi,

We're just looking at re-doing our SEP design. We currently have one SEP site, containing 2 MSs and 1 DB server (SQL); all clients have the MSL configured to point to the second MS in the event of a failure. Everything is hosted in one Data Centre. We want to achieve both MS and DB redundancy by utilising our second DC, which contains all DR-related infrastructure.

The plan is to install a second SEP site with 1 MS and 1 DB server. All clients in the second DC will then point to this SEP site, replication with the 1st SEP site will be enabled, and we will decomm the second MS in the first site, amending the 1st SEP site's clients' MSL to point to the MS of the second SEP site, located in the second DC.

Does the above sound viable? 


SEP Causes video stuttering in certain scenarios


Hello,

One of my users is having an issue with a three monitor setup. When he has SEP on his computer, streamed videos stutter. When he takes SEP off, it works fine. This is the same across multiple browsers and multiple streaming sites.

He says that the issue is probably unique to his three-monitor setup. I tested turning off the SEP firewall and the issue remained with the firewall off.

Any ideas as to what is causing the issue? I couldn't find anything else like this in the forums.

Thanks,

- Alex


SEP 14 Scheduled Tasks??


Sometimes I'm a bit slow, and don't notice all the intricacies of new SEP builds. Take for example SEP 14: I just happened to notice the new Task Scheduler group "Symantec Endpoint Protection", and the three new tasks (Norton Autofix, Norton Error Analyzer and Norton Error Processor). Sadly I cannot reach the SEP 14 release notes website, where I'm sure these tasks are covered. While I can probably guess what each of them does, what I'd really like to know is how to remove them from my install package before I deploy to my enterprise.

Thanks for your time,

-Mike


Where Can I Get Latest Symantec Endpoint Protection Admin Guide


Good Day,

Can anyone help me get the Symantec Endpoint Protection Admin Guide?

I am new to this forum. Please help me!

Tx and Regds,

Sathiskumar Raman


Manual scans get stuck on Notepad.exe


When our nightly scan runs I don't see this issue, but when I manually run the Active Scan it gets stuck on notepad.exe. It runs fine up until that point but will never complete the scan. This happens on all systems. It never used to do this; it has been doing this for at least a few weeks. I can't imagine why this one point causes such an issue for the scanner.

Has anyone else ever seen this?


Port scan activity from domain controller IP


Hi,

We have detected port scan activity on different UDP ports from a domain controller IP. Can you please provide the reason for this activity and a solution?

Logs:

Somebody is scanning your computer.  Your computer's UDP ports:   52223, 64280, 64692, 55009 and 50074 have been scanned from  X.X.X.X

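A small triage step for alerts of the kind quoted above, as an added example that is not part of the post and not Symantec code. The script parses the "Somebody is scanning your computer" line, checks whether every port named lies in the Windows dynamic (ephemeral) client range 49152 to 65535, and whether the source is one of the organisation's own DNS-serving DCs. That combination matches a common benign pattern: UDP replies (for instance DNS answers or retransmissions from a DC) arriving after the workstation's client socket has closed look to a host firewall like one source hitting several unrelated high ports. The script only labels such alerts for review against that pattern rather than proving it; the ephemeral range, the trusted-source list and both sample lines are assumptions or constructed values, the first line being the post's alert with the redacted address replaced by a made-up DC address.

```python
"""Triage SEP 'Somebody is scanning your computer' alerts.

Added example, not Symantec's code. Sample lines are constructed: the first
reproduces the post's alert with the redacted source replaced by a made-up
DC address, the second is a made-up probe of well-known TCP ports.
"""
import re

# Dynamic (ephemeral) client port range on Windows Vista and later;
# used here as a triage heuristic, not as something SEP itself reports.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535

ALERT_RE = re.compile(
    r"(?P<proto>TCP|UDP) ports?:\s*(?P<ports>.*?)\s+have been scanned from\s+(?P<src>\S+)",
    re.IGNORECASE,
)

SAMPLE_ALERTS = [
    "Somebody is scanning your computer.  Your computer's UDP ports:   "
    "52223, 64280, 64692, 55009 and 50074 have been scanned from  10.0.0.10",
    "Somebody is scanning your computer.  Your computer's TCP ports:   "
    "22, 23, 135, 139 and 445 have been scanned from  10.0.0.77",
]
# Constructed: the DCs that serve DNS for the workstations.
TRUSTED_DNS_SOURCES = {"10.0.0.10"}


def parse_alert(line):
    """Extract protocol, port list and source address; None if not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"proto": m.group("proto").upper(),
            "ports": [int(p) for p in re.findall(r"\d+", m.group("ports"))],
            "src": m.group("src")}


def triage(line, trusted_sources):
    """Label an alert as likely reply traffic, a service probe, or needing review."""
    alert = parse_alert(line)
    if alert is None:
        return None
    ports = alert["ports"]
    all_ephemeral = all(EPHEMERAL_LOW <= p <= EPHEMERAL_HIGH for p in ports)
    if alert["proto"] == "UDP" and all_ephemeral and alert["src"] in trusted_sources:
        # Late UDP replies to the host's own queries land on ephemeral ports.
        verdict = "likely reply traffic"
    elif any(p < 1024 for p in ports):
        # Well-known service ports touched from one source: treat as a probe.
        verdict = "service probe"
    else:
        verdict = "needs review"
    return {**alert, "all_ephemeral": all_ephemeral, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        result = triage(line, TRUSTED_DNS_SOURCES)
        print(result["src"], result["proto"], result["ports"], "->", result["verdict"])
```

An alert that comes out as "likely reply traffic" is worth confirming with a packet capture on the workstation (the "scan" packets should be DNS responses or similar replies from the DC) before any firewall exception is considered; the same source hitting low, well-known ports stays a probe and is escalated as such.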