Channel: Symantec Connect

Beep sound

I need a solution

Hi,

I have 2 Bluecoat proxies, and I am hearing a beep noise from both of the devices.

I have verified sysinfo and eventlogs, and did not find any hardware-related errors.

Health is critical on both due to BCWF subscription expired.

I want to know what would be the actual reason for the beep sound from these devices ?

Kindly assist.

Box is 900-10B

regards

Rajesh


How does the static bypass work?

I need a solution

Hi Team,

I have a requirement where I need to allow some external website access to users. I know in static bypass we can define IPs only. So I resolved IPs, for example for the NDTV.COM site as below, and added them to the static bypass list in the destination IP tab, but it didn't work for me (Note: I have an explicit rule to block the NDTV website in VPM policy). I know I can add a specific rule in CPL or VPM and give access to users for external sites. But is it possible to provide access to all users by adding the external website's public IP to the static bypass list?

> www.ndtv.com
  23.57.229.12

>

Thanks,

Mayur
 


Oracle DB Naming

I need a solution

Hi, I think I know the answer to this question but wanted to see if someone could verify for our DB Admins.

Background:
We currently have DLP version 15 and are moving to version 15.5. Since version 15 is on old hardware and an EOL O/S, we are going to do a fresh install of 15.5 in parallel with 15.

Question:
Is it required for “protect” to be the database name (we only have one database server)? 
Is it OK to create a new DB called “protect2” or something like that for the new install without creating any issues? 

I couldn't find anything related to this... Any help is greatly appreciated. Thanks. 


privileged users AD group not working

I need a solution

Created a new install of SEE 11.3. In my setup of the MSI I followed the admin guide. I have an AD group created called g-dep-see-admin access, with all of the members that I want to have access to the admin console.

My settings in the msi are put in like this:

Key: "de.clientAdmin.adGroupName", Value: "ourdomain\G-APP-SEE-Admin Access"
Key: "de.autoLogon.allowSystemUserManagement", Value: "True"

Installed SEE to a test device, but when I try to log in with an account that should be in the AD group, it just tells me sorry, wrong username or password.

Any idea what I am doing wrong?


I need a way to block fake URLs by comparing the Host header and the URL

I need a solution

Hello Everyone.

I see the KB at this link showing that if running SGOS 6.7.4.x, we can use the feature "Domain Fronting Attack Detection".

https://support.symantec.com/us/en/article.tech252...

This CPL describes how to block a client attack by comparing the domain URL in the message header with the request header "Host".

Example using Content Policy Language (CPL) to stop a domain fronting request

The http.connect.host can be used with $(url.host) substitution variable to compare the value of the url.host against the value of http.connect.host.

For example:

<proxy>
 http.connect.host =! "$(url.host)" Deny

This policy would block any request if the HTTP CONNECT host differs from the host in the URL.

But in my case, my customer cannot upgrade the firmware to version 6.7.4.x but needs to use this feature.

I tried in my lab comparing the objects url.host and request.header.Host/request.x_header.Host, but it's not working.

Pls. send your idea or the solution to me if you have it.

BR

Sakkarin Pichetskul


How to disable Policy Memory Exploit ?

I need a solution

I need to disable Policy Memory Exploit. I can't uncheck Policy Memory Exploit. 

I don't need the SEP agent to show the error in the image below. Do you have a solution?


Scanning Unix File System via NFS and Service Account Privileges

I need a solution

Hello all,

I am trying to scan a Solaris File System (64-bit) by enabling and exposing the file system via NFS. On a Unix platform, in order to parse a file system you need root or root-like privileges. Does anyone out there have an understanding of what level of access a service account requires in order to scan a Unix file system like Solaris? Any guidance is greatly appreciated. Thank you.


ORA error in 15.5 install - oracle db panel

I need a solution

Hello,

We are running into an error when we are on step 14 - the Oracle Database Panel in the 15.5 Symantec upgrade.

We are upgrading from 15.0 and have run through all the readiness tools and upgraded our DB to 12c.

We confirmed that the password is correct and verified the username. The service name is protect as usual and we have that fully qualified as we see in the tnsname.ora file. We have tried the user name as fully qualified, not, capital, not, any combo you can think of - we still get the below error.

Error Calling OCISessionBegin: ORA 01017: invalid username/password; login denied

thank you!


could you please provide the signed version of WFWI dll?

I need a solution

Hello.
We have a product with setup developed with Wise for Windows Installer 6.20.
One of the dlls from there (WiseApi.dll) is used as a custom action.
For security reasons, we would like to have it be signed.
Could you please help with that?

Our version for WFWI was purchased a time ago, and has s/n [removed]

BR, Eugene


EDR included in EndPoint Security Suite?

Endpoint Protection 14 Default Network

I need a solution

Symantec 14.2_RU1(3335) - I have a question about the Default Network for Symantec.

I have a lot of NICs and some of them are disabled. When I'm trying to do a remote push, Symantec is trying to use the wrong network by default.

Is it possible to statically configure the network interfaces for SEPM / SEP to use?

Please see screenshots


Web Isolation and ProxySG

I need a solution

Hi,

I'm trying to configure Web Isolation to forward the traffic to "Next Hop" - ProxySG.

I did it, and when I tried to browse from the client, I can see a page from ProxySG that asked for Username and Password.

It looks like the ProxySG does not get the X-authentication from the Web Isolation.

I did not configure anything on the ProxySG side. What do I need to configure in ProxySG for accepting the X-authentication from the Web Isolation?


Client Connected But Doesn't Show in SEPM

I need a solution

Greetings,

I have 4 Windows 7 Standard Embedded machines on my network. I have the Symantec 14.2.0.1030.0010 Client installed on them with just the A/V function. According to the Troubleshooting window for the server connected, it shows "Connected" on port 443.

In the SEPM Console I added the A/D container under clients which shows all 4 computers. Funny part is all 4 show offline. 

So what do I believe? The client or the SEPM?

And how do I fix it?


Trying to buy SEP 15

I do not need a solution (just sharing information)

Is it just me or is Symantec TRYING to be the most frustrating company to deal with?

I wanted to buy SEP15 for my premises, the web site says it's only cloud, so I click on BUY - and it takes me to buy SEP14.

I find another path, click on SEP 15, click on Upgrade and it takes me to a link that explains I have to select TRIAL and then after the Trial is initiated I can UPGRADE.

So then I select Trial, I have to become a "tenant" whatever that means ... and then when I fill out this preposterous form that asks information that really is well and truly NONE of their business .... I get a page telling me that my request is being processed and I will receive an email when I am approved.

?? This is more steps than it takes to buy a gun in 27 states ??

Is there any reason it needs to be THIS difficult?


PacketShaper: Time-based policy action

I need a solution

Hello Folks,

Just want to know if we can have time-based partitions and limits in a stand-alone PacketShaper.
Cannot find any feature in the WebUI

Regards

FM


Import assets and agents executing indefinitely

I need a solution

Hello,

we have a job of type "Import assets and agents" that is not working correctly for more than 6 months now. The job is scheduled to run every day, normally it finishes in 1-2 minutes. However sometimes it gets stuck with no message, no job run summary and no obvious reason. It keeps executing until aborted (tens or hundreds of hours). When manually restarted, it does the same. The only solution so far is to restart all the CCS services on the application server and then the job starts working and finishes again in 1-2 minutes. Restarting the services however kills all the other jobs that are executing. We had 3-4 support cases open with Symantec, it always ends with restarting the services (or the server) and then it is "solved". However the issue re-appears within 1-2 weeks again. We also tried moving the agent XML files away from <CCS install dir>/Reporting and Analytics/ESM/assets and <CCS install dir>/Reporting and Analytics/ESM/assets/processedassets, but even with no XML to process (= no agent to import), the job won't finish.

Has anyone else come across this? Did you find a permanent solution? Thanks


SEP/SEP 15 - Memory Exploit Mitigation Tuning.


I'd like to suggest some additional management or policy options to allow extra control over Memory Exploit Mitigation policies, and their deployment. 

Currently, the below article is all the options we have to effectively tune MEM policies. 

https://support.symantec.com/us/en/article.howto127949.html

What I would like to suggest is some form of additional controls, either by adjusting the aggressiveness for example, or by some form of scheduling, for when MEM policies are initiated. 

For context. When a MEM policy is initiated on an endpoint, especially for the first time, they will inject a dll file into memory during the operation of one of the applications listed within the policy or will force the app to load into memory. There is currently no control, apart from effectively switching these off and on at this moment in time. 

What I've noticed (and maybe others have also), is that this process - at the very least initially - can negatively impact the performance on endpoints. In some instances this is an accepted risk/drawback. However, in many situations, this has seen noticeable user feedback, and performance-related concerns around its deployment to more critical infrastructure or endpoints. 

We have noticed this impact has increased since the move to SEP 15. So as an example, some customers who previously had their SEPM enrolled into SEP Cloud, were switched to SEP 15. SEP 15 has then replaced many MEM policies (whether intended or not) with its own default policy. This has led to several instances where estates have been impacted significantly while this new policy starts the vulnerability scan process. 

Ideally, some form of scheduling, or even a "randomize start" type feature - as with administrator defined scans - to help mitigate the risk of this impacting large numbers of endpoints at once. 

Regards,

Andrew. 

Unsolicited incoming ARP reply detected

I need a solution

So here goes.....

SEP 14.2, Windows installation, Within the firewall policy the checkbox for Enable anti-MAC spoofing is turned on. All is good to here.

We have 3 sites, A, B and C. All clients have the same clients on them, they have not been updated since Feb and the SEPM hasn't been touched either.

In the last month we have seen several machines get the usual popup in the bottom right of the desktop with - "Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window."

Now, we can see in the logs some activity, like one here and there across the 2 other sites `A` and `B`, but for the site `C` we are seeing a lot more, like 60 a day.

We know the ARP requests are coming from two (2) wireless controllers but not every client is alerting; of the 200 clients, only 3 have alerted so far.

First Question:

Is there a limit which is hit for a client which triggers the popup message on the client?

So in trying to get to the bottom of the issue and reading every community MAC/ ARP spoofing thread I have not been able to get any closer. 

If I look at the logs in SEP under Monitor > Logs > Network and Host Exploit Mitigation > Attacks and choose a device, I have a question on the way it presents the log of a device when viewed in DETAIL view.

Log from the SEPM on the client

-----------------------------------------------

Client Affected

Computer Name    
Current:    LaptopHostname
When event occurred:    LaptopHostname

IP Address    
Current:    10.2.xx4.136 **(this is the actual Laptop's IP)
When event occurred:    10.2.xx4.254 **(This is the wireless controller/AP)
Local MAC:    1C4D7072Dxxx **(this is the Laptops MAC address)
User Name:    Username
Operating system:    Windows 10 Enterprise Edition
Location Name:    Default
Domain Name:    exampledomain.com
Group Name:    My Company\exampledomain\Client Devices\C **(site `C`)
Server Name:    xxx-SEPM-01
Site Name:    Site:xxx_SEPM

Risk Detected
Event Time:    18/07/2019 18:04:29
Begin Time:    18/07/2019 18:03:25
End Time:    18/07/2019 18:03:25
Number:    6
Event Description:    Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Event Type:    MAC Spoofing
Hack Type:    0
Severity:    Minor and above
Application Name:    N\A
Network Protocol:    Other
Traffic Direction:    Inbound
Remote IP:    10.2.xx4.136**(this is the Laptops IP address)
Remote MAC:    B40C25E08010**(this is the wireless controller/AP MAC address)
Remote Host Name:    N/A
Alert:    1
Local Port:    0
Remote Port:    0

So I am confused as to why the SEPM log has picked up the wireless IP address as its IP address (also the actual client IP address and MAC) under "When event occurred" (under the IP Address section)? This in turn looks like it is then analysing the remote IP (which is the laptop's actual IP address) and the remote MAC of the wireless device, so it is all confused and now alerting.

Question 2

Am I reading the above log correctly?

Any help would be appreciated.

Thanks


Kerberos Authentication - Initial configuration problem

I need a solution

Hello community,

We are trying to set up the AD authentication method in order to enable users to log into the DLP console with their AD accounts. We followed all the steps (Spring) in order to set up the config on the Enforce server installed on a RedHat OS, but with no success. This is what has been done up to now (I followed the steps mentioned in this article: https://www.symantec.com/connect/forums/how-do-integrate-ad-console-dlp-15?1563449739592):

  • Connection to the AD server has been established through the GUI ( System/settings/…)
  • Copied the .xml template file to the correct location (SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF\)  renamed it and modified the content according to what's recommended.
  • Modification done on the krb5.ini file so it points to the AD
  • Restarting all the services
  • Users are created inside DLP with the same username on the AD.
  • Testing with kinit command works well.

After those modifications, the logon screen on the GUI changed and it shows the domain name, but when authenticating we are facing an authentication error, in the ltomcat logs it shows it as a normal authentication failure.

We think that we're missing something but we need your help to identify what it is.

Kind regards.


SEPM Usability


Hi Idea-Team,

the usability of the SEPM Console doesn't exist at all. It is slow and you can't even maximize a window or automatically expand the columns to see content. I spend minutes, hours and days with needless "mouse"-work

Pls. improve this disaster.

Stefan Blohm-Sievers
