Channel: Symantec Connect

Power Eraser analysis - Bloodhound.SMR.1 detection

I need a solution

Hello,

Need some help with this. One of the users thinks that the PC is infected but I have no remote access to it. So I ran Power Eraser remotely and here is what is detected (attached screenshot, User and Computer name are removed).

Navigating to this Registry on my machine it is showing - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Any ideas, if this Power Eraser detection helps in any way? Something additional to be checked for example?


Add Windows Build to Device List Page and EndPoint Summary

I need a solution

On my list of Managed Devices there is a Version column that displays what version of Windows the device is. However, the information is too generic; it either says "Windows 7" or "Windows 10". Is there a way to add the Windows version such as 1809 or 1903 and the OS build to the Version column? So instead of seeing just "Windows 10" I'd like to see something like "Windows 10-1803" or "Windows 10 1803-17134.885". Currently if I want to check the version/build of Windows for each device I have to go into the detail of each device. I'd like the information on the device list page. Is there a way for me to see that information on the Endpoint Summary Report?


SEP-Client: Installation from shared folder - Problem solving


Hi all,

It is about client installation of Symantec Endpoint Protection version 14.2.3335.1000

We have a big network with hundreds of client PCs.

We have a file server that holds the installation files for the unattended and unmanned installation. The files were created from SEPM. We are using this network folder for installation and it works great.

Support has told me that this scenario is not officially supported and that they only support copying all files locally. With hundreds of clients this leads to problems and a lot of traffic, and afterwards we need to delete the files, and I do not know how to automate that. Anyway, it is working from the network and shared folders.

I have detected only one problem, but I have a workaround for it:
If my Symantec folder is on A:\aaa\bbb\ccc\SEP\1.2.3.4\ and my computer has access only to A:\aaa\ and to A:\aaa\bbb\ccc\ but not to A:\aaa\bbb\, I receive an error about the validity of the files:

2019-07-19T17:01:36.869Z INFO  Validating package contents...
MSI (s) (58!E4) [19:01:36:877]: Incrementing counter to disable shutdown. Counter after increment: 0
2019-07-19T17:01:36.875Z INFO  Failed to get long path name for \\?\A:\aaa\bbb\ccc\SEP\1.2.3.4\. Last error: 5
2019-07-19T17:01:36.955Z INFO  Failed to get long path name for \Program Files\Symantec\Name\Version\Bin\SmcGui.exe. Last error: 3
2019-07-19T17:01:36.956Z INFO  Could not open file \Program Files\Symantec\Name\Version\Bin\SmcGui.exe. Last error: 87
MSI (s) (58!E4) [19:01:36:959]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (58!E4) [19:01:36:959]: PROPERTY CHANGE: Adding PackageIntegrityError property. Its value is '80070057'.
2019-07-19T17:01:36.956Z INFO  Package contents validation failed with HRESULT: 0x80070057
2019-07-19T17:01:36.959Z INFO  Package validation failed with HRESULT 0x80070057
2019-07-19T17:01:36.960Z DEBUG CheckPackageIntegrity end, return value: 0.
MSI (s) (58:9C) [19:01:36:962]: Doing action: CheckEmbeddedSystem

Error codes for accessing files are described here: https://docs.microsoft.com/en-us/windows/win32/deb...

Workaround: When I am copying it to A:\aaa\SEP\1.2.3.4\ it works.

Could you please

1) Inform your support about this workaround

2) Allow official support of SEP for installation from network folders

3) Repair this bug

I would be very happy. Thank you!

Shared Schedule Enhancement - Days after Nth Day of Week


I would like an enhancement to the shared schedule. I would like the option to specify "x" days after the "Nth" weekday of the month.

For example, I would like a schedule that occurs four weeks after the second Tuesday. I would like to build an automated patch schedule that applies patches to test & dev as soon as they are released, then build a second schedule that applies patches to production with ample time in between for testing.    

If we wanted to patch our servers on Saturday, the best we could do today would be to specify the first Saturday of the month. This would deliver an inconsistent period (two or three weeks) depending on when the second Tuesday fell. If I could specify 25 days after the second Tuesday, we would be guaranteed the fourth Saturday after patch Tuesday - giving us a more consistent experience and longer testing period in some cases.

DeployAnywhere confused by a driver whose "Provider" contains a forward-slash

I need a solution

We were automatically provisioning a system using Symantec ITMS Deployment Solution. The DriverManager64.exe (part of DeployAnywhere) task failed on the client system with the following error:

SMPPackage.cpp@772: Error in downloading file from HTTP.source :http://itms/Altiris/PackageShare/pkggroup_guid/DriversDB/BayHubTech/o2flash.exe and dest :C:\DS_SOI\Symantec\Deployment\DriversDB\BayHubTech\o2flash.exe. The COM error = HTTP error occurred
[... many similar lines ...]

On the ITMS server, I explored C:\Program Files\Altiris\Deployment\DriversDB and found that the BayHubTech subdirectory was a unique case:

DriversDB\Adaptec.cda1000.4.20.38
DriversDB\Adaptec.cda1000.4.20.38\drivers.manifest.txt
DriversDB\Adaptec.cda1000.4.20.38\CDA1000.inf
[... other files ...]

*versus*

DriversDB\BayHubTech
DriversDB\BayHubTech\O2Micro.O2FJ2RDR.2.2.2.1076
DriversDB\BayHubTech\O2Micro.O2FJ2RDR.2.2.2.1076\drivers.manifest.txt
DriversDB\BayHubTech\O2Micro.O2FJ2RDR.2.2.2.1076\o2fj2x64.inf
[... other files ...]

Notice how the BayHubTech subdirectory contains a further directory structure ("O2Micro"). None of the other drivers in this folder contained additional "layers" of directories — only BayHubTech. I determined that this driver is Dell's O2 Micro OZ777xxx/OZ621XX memory card reader Driver, and upon further inspection I saw that the INF file contains (after variable substitution) the following line:

Provider = "BayHubTech/O2Micro"

I suspect that the forward-slash in this directive is being incorrectly interpreted in two different ways: it causes the ITMS DeployAnywhere DriversDB to create an extra layer of subdirectories, and it causes the DeployAnywhere client to stop parsing the name after "BayHubTech." Furthermore, it is impossible to delete the impacted driver from the ITMS Driver Management interface; instead, the following lines appear on the server-side logs:

Altiris.Deployment.Web.DeployAnyWhereDriverDB: ArgumentsList:/del="BayHubTech/O2Micro.O2FJ2RDR.2.2.2.1060" /ddb="D:\Altiris\Deployment\DriversDB"
Altiris.Deployment.Web.DeployAnyWhereDriverDB: Delete Drivername passed:BayHubTech/O2Micro.O2FJ2RDR.2.2.2.1060
Altiris.Deployment.Web.DeployAnyWhereDriverDB: Delete Driver Database return code is :11
Altiris.Deployment.Web.DeployAnyWhereDriverDB: Incorrect parameter(s) provided.

Can this behavior be fixed? I have needed to resort to recreating drivers.manifest.txt (as suggested in this forum discussion) in order to clear the bad driver.
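
A pre-import check for the condition described in this post, as an added example that is not part of the original post and is not Symantec's code: it resolves the INF Provider directive through the [Strings] section and flags values that contain a path separator. The function names and the sample INF text are constructed, and the parser covers only the small subset of INF syntax needed here.

```python
import re

# Characters that turn into path separators when a Provider string is
# reused as part of a directory or driver name.
SEPARATORS = ("/", "\\")


def parse_inf(text):
    """Parse a minimal INF subset into {section: {key: value}} (lowercased names).

    Simplification: a ';' always starts a comment, even inside quotes.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections


def resolve(value, strings):
    """Expand %token% references using the [Strings] section."""
    return re.sub(r"%([^%]+)%",
                  lambda m: strings.get(m.group(1).lower(), m.group(0)),
                  value)


def provider_issues(inf_text):
    """Return (provider_after_substitution, separators_found)."""
    sections = parse_inf(inf_text)
    raw = sections.get("version", {}).get("provider")
    if raw is None:
        return None, []
    provider = resolve(raw, sections.get("strings", {}))
    return provider, [c for c in SEPARATORS if c in provider]


# Constructed sample: Provider resolves to the value quoted in the post.
SAMPLE_BAD = r'''
[Version]
Signature = "$WINDOWS NT$"
Provider  = %ProviderName%   ; resolved from [Strings]

[Strings]
ProviderName = "BayHubTech/O2Micro"
'''

# Constructed sample: a Provider with no separator characters.
SAMPLE_OK = r'''
[Version]
Provider = "ExampleVendor"
'''

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        provider, found = provider_issues(text)
        status = "FLAG" if found else "ok"
        print(f"{name}: Provider={provider!r} separators={found} -> {status}")
```

Real INF files are often UTF-16 encoded, so decode them accordingly before passing the text to provider_issues.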


2 Hours to complete an installation of a SEPM on a new site (replication)

I need a solution

Hi Team

My environment is:

Windows 2016 Server

SEP v 14.2 RU1

0 Clients

0 Security Content or Installation packages replicated on the initial stage.

The primary site took less than 20 minutes to complete; the secondary site, between the installation of the SEPM and the enablement of the replication partner, took 2 hours.

I don't remember anything like this from a long time ago, so I decided to open a case and do some troubleshooting. My question for you is: what was wrong?

The logs showed inactivity for more than 1:50 hours before finally showing this error (install_log.err):

Jul 19, 2019 4:54:48 PM  STDERR: com.microsoft.sqlserver.jdbc.SQLServerException: The connection is closed.
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerConnection.checkClosed(SQLServerConnection.java:395)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:2292)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:1931)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.common.license.LicenseUtils.querySemConfigRoot(LicenseUtils.java:1406)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.common.license.LicenseUtils.cleanPulblishedLocalLicenseFile(LicenseUtils.java:1256)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame.configureDB(MainFrame.java:2198)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame.nextBtnActionPerformed(MainFrame.java:4852)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame.access$500(MainFrame.java:312)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.install.ui.MainFrame$5$1.construct(MainFrame.java:4382)
Jul 19, 2019 4:54:48 PM  STDERR:     at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:153)
Jul 19, 2019 4:54:48 PM  STDERR:     at java.lang.Thread.run(Thread.java:748)

Best Regards


Google Drive File Stream Detected as Removable Drive

I need a solution

Google Drive File Stream is being detected as a removable drive on endpoints. We have a policy to block transfer to USB and, since File Stream is loaded as a removable drive, any writes to it are now being blocked. We use Google Drive for business so this is impacting users.

IDE/SCSI devices have been whitelisted, but unfortunately File Stream is detected as an unknown device in many cases and treated as a removable drive.

Local disk, network share or AFAC exclusions are not applicable here since this is purely detected as a removable drive. So destination or location based whitelisting is not working.

Symantec knows about this issue, but doesn't have a solution.


Cannot find a trace entry for SSL-Intercept Layer for all HTTPS transactions in a trace file

I need a solution

Hi guys,

I have a problem tracing SSL-Interception rules in the ProxySG trace file.

I can see the match/miss statements for all the other layer rules, but I cannot see the SSL Interception Layer at all.

My question is: am I supposed to see them, or is it normal not to see them in the trace file?

I am attaching a sample of the trace data in a .txt file, noting that the <SSL-Intercept> layer is placed after the <ssl> layer in VPM.

Thanks.


Enforce Server Scaling

I need a solution

Attempting to scale up the current DLP environment. One factor in consideration is the Enforce server and its ability to conduct multiple scans at once. Is there a way to define and configure this on the Enforce server via a configuration file? What is the number of scans you can run simultaneously with one Enforce server? My observation is that it is no more than 2-3 at a time and that is probably because of the size of the data repository being scanned. The goal is to have at least 40+ endpoint and network prevent/discovery servers report into one Enforce console. Any hardware scaling guidance would be appreciated. Thank you.


SEP15 USB device control enhancement request - similar to SEP SBE


Hi,

It would be really good if you could consider the following functionality from the SEP SBE product for SEP15.

With SEP SBE there is an option to allow a password to disable USB device control. This isn't available under SEP15 at all; there is only the option to have the policy set for a group of devices to disable the USB device control.

Under SBE, if the user has the password to disable device control, the functionality is enabled at next reboot, so if a user forgets, it's automatically re-enabled at the next reboot.

The enhancement request is to create the ability to set a password for temporarily disabling the SEP 15 device control based on policy group, with similar functionality to that of SBE.

Under the current SEP15 functionality the device would need to move group, then the endpoint would need a policy refresh, the user could then use USB, and then the admin would need to move that device back to the correct group to restrict it again.

Monitoring options console option greyed out

I need a solution

Hi, everyone. 

I would like to know why the "Information Tracking" and "Blacklist" options are greyed out. I'm currently logged in with a user with all permissions except ICT_Auditing.


Out of the Network not able to login

I need a solution

Hi all,

I have a computer with Endpoint Encryption installed recently. When he has the wire connected to the company network the laptop works perfectly. If the user doesn't have the wire connected (whether he is at home or at the company using Wi-Fi, as he is not physically connected), after logging into Symantec the screen becomes black and the OS never starts as usual.

Is there any option to let the user log in without being on the business network? Sometimes he is at home and needs to start properly.

I've discovered that the AD service has not been running since January. Could this be the cause of all my problems?

Regards


Exclusions of SEP files

I need a solution

Please confirm whether the SEP file exclusions below are needed for SEP 12.x & 14.x versions. Any documents related to this would be helpful.

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\SymCorpUI.exe


Suppress or Delay Auto Logout Time in Symantec.Cloud


We would like to be able to put the Symantec dashboard on a wall screen in the office. However, the time-out means we keep having to log back in when it logs out. 

Please can you provide a way to suppress the time-out so we can view email stats on the wall screen. If we could create a read-only account it would eliminate a lot of the security and privacy concerns.

Thanks. 

Collect Risk logs from SEPM server database

I do not need a solution (just sharing information)

Hi, can you please help with my query below.

I would like to gather information such as risk logs from the SEPM server in CSV format, and scan information for a specific host. Can I query the SEPM database directly? Because Symantec Endpoint doesn't support many APIs for getting the risk log details, I need to go by connecting to the database directly.

Can you please help me find the location of the risk logs database table, or the locations of the file,

or any website where the detailed information is available.

Thanks in advance


DCS Virtual Machine Policy - Scan on Access or Scan on Apply AND Detect or Delete

I need a solution

Hi,

I am new to Symantec DCS Agentless AV Protection for our VMware vSphere 6.5 NSX. We were using a different agentless AV protection.

What are your recommendations on the DCS - Policies - Virtual Machine (All Agentless Protection) Policy settings below? These are default installation settings.

1. Choose "AV Policy Windows - Scan on Access with Deny Access"  OR  "AV Policy Windows - Scan on Apply with Delete threat"?
     What is your reason?

2. Under each policy, it looks like that I can choose "Deny access", "Delete threat", and "Quarantine file." What are your thoughts?

I am a little concerned about choosing "Delete threat." What if it is a false positive and it deletes the "good" files?

Thank you for helping,

Dean


Not able to add Web reference in Asp.Net Web application

I need a solution

I am trying to add the Symantec VIP SOAP services (https://services-auth.vip.symantec.com/mgmt/soap) as a "Web Reference" in my ASP.NET Web application in order to consume them.

I have downloaded the trial Symantec certificate and installed it on my system. While adding the "Web Reference", I am getting the error below. I have also downloaded the WSDL files from Symantec VIP Manager and don't know where to add those files.

The document at the url https://services-auth.vip.symantec.com/ was not recognized as a known document type.
The error message from each known type may help you fix the problem:
- Report from 'XML Schema' is 'Data at the root level is invalid. Line 1, position 1.'.
- Report from 'DISCO Document' is 'Data at the root level is invalid. Line 1, position 1.'.
- Report from 'WSDL Document' is 'There is an error in XML document (1, 1).'.
  - Data at the root level is invalid. Line 1, position 1.

Please help me to add the web reference and move further.


Stupid Question About Configuring Device Control

I need a solution

I learned long ago to never assume...so...

If I want to block USB devices I can add the USB class in Blocked Devices, right?  Then, if I want to allow certain USB devices (such as human interface devices and individual USB devices) I can add those in Devices Excluded From Blocking. Right?  Devices Excluded From Blocking will override the Blocked Devices class. Right?  

Thanks.


trial to licenced SEP mobile

I need a solution

Hello,

Our client purchased SEP mobile but today they received an error that the platform has expired.

We have serial number, how can SEP mobile be activated?


Secure Access Cloud Connector Proxy Configuration


Many corporate environments have a security setup on the local network. One frequently used deployment scenario places a Proxy Server on the path to the internet to control, or monitor, outbound traffic.

Traffic secured by Secure Access Cloud has no essential reason to pass through SWGs or Proxy Servers, since the auditing is done by Secure Access Cloud itself. Consequently, passing this data through the organizational proxy will not gain additional security value but will increase the resource requirements on the proxy server itself.

An additional reason to avoid passing Secure Access Cloud traffic through a Proxy is certificate-based trust. In order to keep the communication secured, the SWGs or Proxy Servers will have to be authenticated with their own certificate. This will prevent Secure Access Cloud from authenticating connectors placed behind the Proxy with their unique certificates, which guarantee connector identification.

Looking at the topology in more detail, it is recommended to allow connectors a direct outbound connection to the Secure Access Cloud Front End URLs specified below by defining relevant Firewall rules:

Note: In some cases, the IP addresses of Secure Access Cloud may change, hence it is recommended to use URLs for the firewall rules.

However, due to the different constraints & considerations (such as the inability to configure Firewall exclusions), some organizations prefer to keep the Proxy Server for the whole organization’s traffic.

The example in the picture below describes the scenario where one application (app1.tenant.com) is secured by Secure Access Cloud and the Firewall is assumed to provide connectivity from the Proxy Server only:

Symantec Secure Access Cloud fully supports this topology, by setting Proxy parameters as part of the Site Provisioning process.

Configuration steps for Proxy Use Case

Proxy Server configurations are set at the Site level and are applied to all Site connectors once saved.

  1. Switch the “Use a Proxy Server for outbound connection” toggle button to the “On” state
  2. Set the Proxy Server URI
  3. Set the Proxy username and password (if needed)

Note 1:

Proxy configuration support requires connector version 2.6.3 and up. Please upgrade your connector accordingly to enable the functionality.

Note 2:

Proxy configuration takes effect only as part of the connector provisioning process. So if any Proxy configuration (including on/off) needs to be changed, you will be asked to re-deploy connectors, while you can keep the other Site configurations.

When you have connectors that weren’t deployed with the new configuration, you will see the following warning:
