My files in USB are changed to shortcuts. Virus?
Hello everybody. All my files on my USB drive have been changed to shortcuts. Even pictures are shown as shortcuts. According to http://malwareprotectioncenter.com/2015/07/08/shor... it is a virus, but I cannot remove it by following their steps. Are there any good removal tools to do that? Thank you.
PGP Desktop File Encrypting Cipher and Hash Values
I have a customer who sent me their new key. I was able to import it into PGP Desktop, sign it and validate it, but when I went to use the key to encrypt a file it was not showing as an available key to use. I noticed that their new key had cipher and hash values set to none. Does PGP Desktop not support or recognize keys with this value?
Client Side Clone Prep Tool Failed: Incorrect Version, or version could not be read.
Running as admin on a non-domain box. The Client Side Prep Tool errors with:
Failed: Incorrect version, or version could not be read. SEP 12.1 or higher is required.
I just downloaded the tool from here: https://support.symantec.com/en_US/article.HOWTO54...
Client is version NIS-22.5.2.15.
Are you sure you want to stop the scan
When Endpoint happens to be scanning when a user logs off or shuts down a computer, it presents this pop-up window, preventing the logout or shutdown.
Many users walk away after clicking logout, and this popup poses a security risk, as someone else can cancel the shutdown/logout and access the first user's files. We would like it to automatically stop the scan without prompting.
SEP 12.1.6 Firewall rules not working
Hi, I'm struggling to block certain ports with the SEP firewall. Nmap scan output shows that port 1443 is open.
I created a firewall policy > Action Block, Application Any, Host Any, Service (local/remote - TCP - Local port 1443 - Direction Both) and placed it right at the top of the rule list. Nmap is still showing port 1443 open, and I can see in the network activity monitor that SQL is listening on port 1443. I have tried various combinations of the above rule with no luck. The Windows Firewall has been disabled by the SEP installation. I'm running SEP Manager 12.1.5 and SEP Client 12.1.6. This is a test machine; I'm not sure if this occurs on any other machines in our environment.
What can I do to see whether 1) the SEP firewall driver is loaded and 2) the SEP firewall rules are applied?
Thanks,
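One way to answer the second question from the outside, as an added example that is not part of the original post and not Symantec's code: a small Python audit that attempts a TCP connection to each port and reports any port that should be blocked but still answers. Run it from a second machine against the test host, so the result reflects what the network sees rather than loopback. The temporary listener is a constructed fixture standing in for the SQL listener from the post, so the check can be exercised offline; the target address and port list are command-line arguments, and 1443 is the port from the post.

```python
import contextlib
import socket
import sys


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A port blocked by a firewall either times out (packets dropped) or is
    refused (RST); both are reported as closed, which is what a scanner sees.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host: str, expect_closed=(), expect_open=(), timeout: float = 2.0) -> dict:
    """Check each port against its expected state and collect the violations.

    Returns {"state": {port: "open"|"closed"},
             "violations": [(port, expected, actual), ...]}.
    """
    plan = [(p, "closed") for p in expect_closed] + [(p, "open") for p in expect_open]
    state, violations = {}, []
    for port, expected in plan:
        actual = "open" if port_is_open(host, port, timeout) else "closed"
        state[port] = actual
        if actual != expected:
            violations.append((port, expected, actual))
    return {"state": state, "violations": violations}


@contextlib.contextmanager
def temporary_listener(host: str = "127.0.0.1"):
    """Constructed test fixture: a throwaway listening socket on an OS-chosen port.

    It stands in for the SQL listener from the post; it never accept()s, because
    the kernel completing the handshake is enough for port_is_open().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        yield port
    finally:
        srv.close()


if __name__ == "__main__":
    # Usage (from a second host): python port_audit.py <test-machine-ip> 1443
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [1443]
    result = audit_ports(target, expect_closed=ports)
    for port, expected, actual in result["violations"]:
        print(f"port {port}: expected {expected}, found {actual}")
    sys.exit(1 if result["violations"] else 0)
```

A port that still answers with a Block rule at the top of the list means the rule is not taking effect for that traffic (driver not loaded, policy not delivered, or the rule not matching); this script only observes the outcome, it does not tell you which of those it is.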
Linux client not updating from SEPM Webserver
Hi all,
I have a new Linux machine with the Symantec Endpoint client RU5, which does not have access to the Internet. So, this machine does not get updates from the Internet.
I have followed the HOWTO article https://support.symantec.com/en_US/article.HOWTO85034.html, but it does not work for me.
The machine reports to SEP Manager, but it says "Malfunctionning" (I guess because LiveUpdate is not running correctly).
The Linux LiveUpdate log file says:
30 sept. 2015 19:33:34 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
30 sept. 2015 19:33:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:34:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:36:14 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:37:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:38:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:39:54 Downloading livetri.zip to /data/symantec/LiveUpdate/tmp/1443634414287/livetri.zip ...
30 sept. 2015 19:39:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:41:14 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:42:35 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:43:55 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:45:15 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:46:15 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
30 sept. 2015 19:46:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:47:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:48:15 Downloading livetri.zip to /data/symantec/LiveUpdate/tmp/1443634414287/livetri.zip ...
30 sept. 2015 19:48:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:49:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:50:15 A LiveUpdate server could not be selected.
30 sept. 2015 19:50:15
30 sept. 2015 19:50:15 The Java LiveUpdate session did not complete successfully.
30 sept. 2015 19:50:15 Return code = -2 001
30 sept. 2015 19:50:15
I have set up the LiveUpdate policy to use an internal LiveUpdate server whose address is "http://192.168.xx.xx" (x = numbers), but I don't know how to check on the Linux client whether that policy is applied or not.
Also, my SEPM apache-root folder is empty. Does that mean it does not download content for Linux/Mac machines?
Last but not least, I found this post https://www-secure.symantec.com/connect/forums/liveupdate-server-url-linux-servers, which talks about the access log file. My file never populates, and I don't know if I need to change the CustomLog format to make it work with my OS language (which is French).
So, I have several questions that I am not able to answer myself.
Any help is appreciated.
Thank you.
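Reading the log above line by line hides its main signal: every connection attempt goes to Symantec's public servers and none to the internal LiveUpdate server configured in the policy, which already says something about whether the policy reached the client. The following is an added example, not from the post and not Symantec's code, that summarizes such a log: it counts attempts per server and protocol, records the outcome and return code, and notes whether the internal server was ever tried. The log excerpt is the one quoted above; the hint "192.168." is a constructed prefix, because the post masks the internal server's address.

```python
import re
from collections import Counter

# Excerpt of the Linux LiveUpdate log quoted in the post above (French-locale
# timestamps, abbreviated month "sept."), used here as sample input.
LOG_EXCERPT = """\
30 sept. 2015 19:33:34 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
30 sept. 2015 19:33:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:34:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:36:14 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:37:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:38:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:39:54 Downloading livetri.zip to /data/symantec/LiveUpdate/tmp/1443634414287/livetri.zip ...
30 sept. 2015 19:39:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:41:14 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:42:35 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:43:55 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:45:15 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:46:15 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
30 sept. 2015 19:46:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:47:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:48:15 Downloading livetri.zip to /data/symantec/LiveUpdate/tmp/1443634414287/livetri.zip ...
30 sept. 2015 19:48:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:49:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:50:15 A LiveUpdate server could not be selected.
30 sept. 2015 19:50:15
30 sept. 2015 19:50:15 The Java LiveUpdate session did not complete successfully.
30 sept. 2015 19:50:15 Return code = -2 001
30 sept. 2015 19:50:15
"""

# "<day> <month-abbrev> <year> <hh:mm:ss> <message>"; the message may be empty.
LINE_RE = re.compile(r"^(?P<ts>\d{1,2} \S+ \d{4} \d{2}:\d{2}:\d{2})\s*(?P<msg>.*)$")
CONNECT_RE = re.compile(r"^Connecting to (?P<server>\S+) via (?P<proto>\w+)")
RETURN_RE = re.compile(r"^Return code = (?P<code>-?[\d\s]+)$")


def summarize_liveupdate_log(text: str, internal_server_hint: str = None) -> dict:
    """Condense a LiveUpdate log into attempt counts and outcome flags.

    internal_server_hint: substring expected in the internal server's address
    (a constructed prefix such as "192.168." since the post masks the real one).
    """
    attempts = Counter()
    summary = {
        "attempts": attempts,        # (server, protocol) -> number of attempts
        "downloads": [],             # files LiveUpdate tried to fetch, in order
        "server_selected": True,
        "session_ok": True,
        "return_code": None,
        "internal_server_tried": False,
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if not msg:
            continue  # the log prints bare timestamps as separators
        c = CONNECT_RE.match(msg)
        if c:
            attempts[(c.group("server"), c.group("proto").upper())] += 1
            if internal_server_hint and internal_server_hint in c.group("server"):
                summary["internal_server_tried"] = True
        elif msg.startswith("Downloading "):
            summary["downloads"].append(msg.split()[1])
        elif msg.startswith("A LiveUpdate server could not be selected"):
            summary["server_selected"] = False
        elif "did not complete successfully" in msg:
            summary["session_ok"] = False
        else:
            r = RETURN_RE.match(msg)
            if r:  # strip locale digit grouping ("-2 001") before converting
                summary["return_code"] = int(re.sub(r"\s", "", r.group("code")))
    return summary


def diagnose(summary: dict) -> list:
    """Turn the summary into plain-language findings for the administrator."""
    findings = []
    if not summary["internal_server_tried"]:
        findings.append("no connection attempt to the internal LiveUpdate server: "
                        "the client is not using the internal-server policy")
    public = sum(n for (s, _), n in summary["attempts"].items() if "symantec.com" in s)
    if public and not summary["session_ok"]:
        findings.append(f"{public} attempts against public Symantec servers, all failed: "
                        "consistent with a host without Internet access")
    if summary["return_code"] is not None:
        findings.append(f"LiveUpdate return code {summary['return_code']}")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize_liveupdate_log(LOG_EXCERPT, "192.168.")):
        print("-", line)
```

Point the script at the client's real log file and at the address you set in the policy; if the internal server never appears in the attempts, the question is why the policy did not reach the client, not why the public servers are unreachable.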
Is there an Internet-of-Things vigilante out there?
Re Symantec shared folder encryption
Can any one answer 2 questions:
Can a Symantec encrypted data folder be permanently decrypted (if we decide to stop using the Symantec encryption service)?
Will the folder encryption work with all cloud data storage services, e.g. Dropbox, Cubby, Google Drive, etc.? If not, which ones?
many thanks
Failed Network Discover Scans/SharePoint - Need Logging Help
Hello,
I have a DLP user who is facing an issue with failed Network Discover scans amongst their SharePoint sites. Some work, while others fail, resulting in an "invalid credentials" message. The credentials have been verified, and the user has also verified that the correct permissions have been established for the account used for the scans: "browse directories," "use remote interfaces," "enumerate permissions."
To troubleshoot further, what logging should be referred to, and at what levels? So far, FINEST has been enabled for Discover Trace logs, but nothing insightful has been generated. Is there more logging that can be obtained in this situation, other than just invalid credentials? I need something more to go on in order to pinpoint where the issue(s) may lie.
Any help appreciated!
USB drive access alert
Endpoint protection SBE. We would like to have an email alert that lets us know when someone inserts a USB drive to a workstation or server. Ideally the alert would include the workstation/server and time of attempt. Though it would also be nice to know the currently logged in user as well. Thanks for considering.
SEP for Mac OS X 10.11 El Capitan
We are an educational institution, and a long-time Symantec customer of well over a decade. We license a host of Symantec products, but I'd like to focus on Symantec Endpoint Protection (SEP). We install SEP on all university-owned computers, as well as provide it to all students (in fact we require it to connect to our network and enforce this with a NAC solution). Of course we can control OS upgrades on university-owned assets to accommodate Symantec's (sometimes painfully) delayed product updates that enable support for new operating systems, but we cannot do so on student-owned computers. With a BYOD environment, we need to have product updates on day 1 of a new operating system release. Today, students are upgrading to Mac OS X 10.11 El Capitan, and we do not have an officially supported version of SEP to provide them that is compatible with El Capitan. We need Symantec to provide us with a timeline of when an updated version of SEP will be compatible so that we can plan accordingly. It seems like we need to do this "song and dance" for SEP compatibility releases for each new OS that is released. Even if a product update cannot be provided right on time, it is imperative that Symantec be more transparent in its plans and at least provide the date it will be available, as institutions need to be able to plan. Vague answers, such as "in the near future" or "in a few weeks", are not practical for planning in the enterprise environment. It should also not require opening an enterprise support case just to get this information. It is very frustrating that Symantec cannot have product releases, especially of critical apps such as antivirus protection, available the same day as a public release of a new operating system.
There are developer and beta releases of new operating systems available months in advance for Symantec to do product development and testing on; it would be appreciated to have Symantec product releases on time with new OS releases, especially when BYOD is involved and institutions cannot control OS updates on the BYOD systems.
Regards,
Brady Gallese
Susquehanna University
DNS IP reputation, Network Bandwidth heavily consumed???
Hello,
I just upgraded to SMSME 7.5.2 at the request of Symantec support. He recommended I enable DNS IP Reputation, which I was about to do until I read the warning.
"Warning: Network bandwidth will be heavily consumed if you enable DNS IP Reputation as well as Sender Reputation Service."
We have about 65 users and they are all using a network shared drive. I'm concerned that they will have issues connecting to this drive.
If you have enabled DNS IP Reputation have you noticed any network issues?
SEP 12.1.6 SQL req.
Guys, I am installing SEP 12.1.6 on Windows 2012 64-bit and SQL 2014. Is SP1 for SQL 2014 supported? The document below doesn't say. Thanks
How to uninstall SEPM 12.1.5 on a Linux System.
When I attempt to run the uninstall.sh script as root I get the following error:
/tmp/uninstall.sh : /opt/Symantec/symantec_antivirus : bad interpreter permission denied
Does anyone have any ideas on how to fix this issue or why it is happening?
Information security: questions and answers about targeted attacks
by Vladimir Amarante
Targeted attacks based on social engineering, a technique that seeks to learn the habits of a company's employees in order to make it easier to plant malware, are a growing strategy worldwide. They are designed with specific companies in mind, concentrating effort on particular groups of users, and they rely on those users' web browsing and communication behaviour to ease the intrusion. Two very common forms are spear-phishing and the watering hole.
Preventing this kind of action is complex work, because the attacker invests time and focus in crafting a precise and discreet strategy built on a great deal of research. But that does not mean it is an impossible task. It is important, then, to know the enemy well in order to fight it.
What is spear-phishing?
Spear-phishing works like spam: the user receives an e-mail inviting them to click a malicious link. The difference from mass campaigns is that in spear-phishing both the message and the offer are tailored to the target's role in the company. A Human Resources department, for example, will rarely refuse to open a CV attached to an e-mail, just as a salesperson will not find it strange to download a corporate presentation from a prospective customer. In 2014 the world dealt with a daily average of 73 spear-phishing attacks, according to the Internet Security Threat Report produced by Symantec with data for 2014.
What is a watering hole?
In watering hole attacks, cybercriminals know the web browsing behaviour of a group of users and infect the sites they visit most with malicious links. The chance of success rises, since the malware stays "hidden" in an apparently safe environment.
What motivates the intrusions?
There are two major motivations behind a targeted attack: either it is about financial gain, obtained by stealing banking information, marketing campaigns, customer databases or intellectual property in general, or the focus is cyber-activism, whether because the attacker wants to harm the company or to gain visibility.
Who are the targets?
Symantec's study shows that individual contributors (27%), interns (26%), directors (19%) and managers (6%) were the target of at least one spear-phishing attack last year. By line of business, manufacturing (20%); non-traditional services (20%); finance, insurance and real estate (18%); professional services (11%); and wholesale (10%) are the industries most targeted by attackers.
What are the most common points of entry?
Attackers can enter the corporate infrastructure through conventional security flaws left uncorrected because tools such as antivirus were not updated, for example, but they tend to be built to slip in through zero-day holes: vulnerabilities entirely unknown to the market and not yet catalogued by the software's creators or by security companies. Symantec identified 24 vulnerabilities of this type in 2014, and the five main ones took, on average, 59 days to be resolved.
How to prevent them?
Obviously there is security software developed to protect companies and raise alerts in cases of suspicious behaviour, but the question remains: is the information security team trained, and staffed with enough people, to handle all these demands? Given that the target of the attack is the employees, are they aware of the risks and prepared to avoid the risks of these two kinds of targeted attack?
Information security: questions and answers about targeted attacks
by Vladimir Amarante
Targeted attacks based on social engineering, a technique that seeks to learn the habits of employees in order to make it easier to plant malware or gain privileged access, are a growing practice worldwide. They are designed with specific companies in mind, concentrating effort on particular groups of users, and they rely on those users' web browsing and communication behaviour to ease the intrusion. Two very common forms are spear-phishing and the watering hole.
Preventing this kind of action is complex work, because the attacker invests time and focus in crafting a precise and discreet strategy built on a great deal of research and persistence. However, that does not mean it is an impossible task. It is important, then, to know the enemy well in order to fight it.
What is spear-phishing?
In spear-phishing, the user receives an e-mail inviting them to click a malicious link. The difference from mass campaigns is that in spear-phishing both the message and the offer are tailored to the target's role in the company. A Human Resources department, for example, will rarely refuse to open a CV attached to an e-mail, just as a salesperson will not find it strange to download a corporate presentation from a prospective customer. In 2014 the world dealt with a daily average of 73 spear-phishing attacks, according to the Internet Security Threat Report produced by Symantec with data for 2014.
What is a watering hole?
In watering hole attacks, cybercriminals know the web browsing behaviour of a group of users and infect the websites they visit most with malicious links or content. The chance of success rises, since the threats stay "hidden" in an apparently safe environment.
What motivates the intrusions?
There are two major motivations behind a targeted attack: either it is about financial gain, obtained by stealing accounting information, marketing campaigns, customer databases or intellectual property in general, or the focus is cyber-activism, whether because the attacker wants to harm the company or to gain visibility.
Who are the targets?
Symantec's study shows that individual contributors (27%), interns (26%), directors (19%) and managers (6%) were the target of at least one spear-phishing attack last year. By sector of activity, manufacturing (20%); non-traditional services (20%); finance, insurance and real estate (18%); professional services (11%); and wholesale (10%) are the industries most targeted by attackers.
What are the most common points of entry?
The corporate infrastructure can be entered through conventional security flaws left uncorrected for lack of updates or proper configuration, for example, but we see growing use of zero-day vulnerabilities: those entirely unknown to the market and not yet catalogued by the software's creators or by security companies. Symantec identified 24 vulnerabilities of this type in 2014, and the five main ones took, on average, 59 days to be resolved by the vendors, and perhaps even longer by the vulnerable companies.
How to prevent them?
Obviously there is security software developed to protect companies and raise alerts in cases of suspicious behaviour or vulnerabilities, but the question remains: is the information security team trained, and staffed with enough people, to handle all these demands? Given that the target of the attack is the employees, are they aware of the risks and prepared to avoid the risks of these two kinds of targeted attack?
SYSFER.DLL crashing Windows Logon and GPO Services
Hi Guys,
I am experiencing a strange error since today. It seems like Sysfer.dll is crashing the Windows Logon and Group Policy management of our clients.
Here is the Windows Application Log excerpt (sorry, it's German ;) ):
Name der fehlerhaften Anwendung: svchost.exe_gpsvc, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc3c1
Name des fehlerhaften Moduls: SYSFER.DLL, Version: 12.1.4013.4013, Zeitstempel: 0x526480b2
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000038243
ID des fehlerhaften Prozesses: 0x418
Startzeit der fehlerhaften Anwendung: 0x01d0fce651a269c7
Pfad der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe
Pfad des fehlerhaften Moduls: C:\Windows\System32\SYSFER.DLL
Berichtskennung: b52a8c85-68d9-11e5-8039-4437e6d0c392
Anyone experiencing similar issues today?
Brgds
Stephan
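When the same faulting-module record has to be compared across many clients, possibly in more than one locale, it helps to normalize it first. The following is an added example, not from the post and not Symantec's code: it parses the localized Application-log excerpt above into canonical fields and flags a crash whose faulting module is SYSFER.DLL with exception code 0xc0000005 (STATUS_ACCESS_VIOLATION). The German labels are the ones on the page; the English labels are Windows' equivalents for the same record, added from memory and to be treated as an assumption.

```python
# Constructed sample: the Application-log excerpt quoted in the post above.
EVENT_TEXT = r"""
Name der fehlerhaften Anwendung: svchost.exe_gpsvc, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc3c1
Name des fehlerhaften Moduls: SYSFER.DLL, Version: 12.1.4013.4013, Zeitstempel: 0x526480b2
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000038243
ID des fehlerhaften Prozesses: 0x418
Startzeit der fehlerhaften Anwendung: 0x01d0fce651a269c7
Pfad der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe
Pfad des fehlerhaften Moduls: C:\Windows\System32\SYSFER.DLL
Berichtskennung: b52a8c85-68d9-11e5-8039-4437e6d0c392
"""

# Localized field labels -> canonical keys. German entries are from the page;
# English entries are assumed to be Windows' labels for the same record.
LABELS = {
    "Name der fehlerhaften Anwendung": "app_name",
    "Faulting application name": "app_name",
    "Name des fehlerhaften Moduls": "module_name",
    "Faulting module name": "module_name",
    "Ausnahmecode": "exception_code",
    "Exception code": "exception_code",
    "Fehleroffset": "fault_offset",
    "Fault offset": "fault_offset",
    "ID des fehlerhaften Prozesses": "process_id",
    "Faulting process id": "process_id",
    "Pfad der fehlerhaften Anwendung": "app_path",
    "Faulting application path": "app_path",
    "Pfad des fehlerhaften Moduls": "module_path",
    "Faulting module path": "module_path",
    "Berichtskennung": "report_id",
    "Report Id": "report_id",
}
# Inline sub-fields on the name lines ("..., Version: x, Zeitstempel: y").
SUBLABELS = {"version": "version", "zeitstempel": "timestamp", "time stamp": "timestamp"}

STATUS_ACCESS_VIOLATION = 0xC0000005


def parse_crash_event(text: str) -> dict:
    """Parse a 'label: value' crash record into canonical keys.

    Unknown labels are kept under their raw text so nothing is silently dropped.
    """
    record = {}
    for line in text.strip().splitlines():
        if ": " not in line:
            continue
        label, rest = line.split(": ", 1)
        key = LABELS.get(label.strip(), label.strip())
        parts = [p.strip() for p in rest.split(", ")]
        record[key] = parts[0]
        for extra in parts[1:]:  # e.g. "Version: 12.1.4013.4013"
            if ": " not in extra:
                continue
            sub, val = extra.split(": ", 1)
            sub = SUBLABELS.get(sub.strip().lower(), sub.strip().lower())
            record[f"{key}_{sub}"] = val.strip()
    return record


def is_module_access_violation(record: dict, module: str = "sysfer.dll") -> bool:
    """True when the faulting module is `module` and the exception is an access violation."""
    try:
        code = int(record.get("exception_code", "0"), 16)
    except ValueError:
        return False
    return record.get("module_name", "").lower() == module.lower() and code == STATUS_ACCESS_VIOLATION


def describe(record: dict) -> str:
    """One-line summary suitable for grouping reports from many clients."""
    return (f"{record.get('app_name', '?')} faulted in {record.get('module_name', '?')} "
            f"{record.get('module_name_version', '?')} (exception {record.get('exception_code', '?')})")


if __name__ == "__main__":
    rec = parse_crash_event(EVENT_TEXT)
    print(describe(rec), "->", "SYSFER access violation" if is_module_access_violation(rec) else "other")
```

Feeding each affected client's record through `parse_crash_event` and grouping by `module_name_version` shows quickly whether every crashing host carries the same SYSFER.DLL build, which is the first thing to compare before opening a case.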
SEP 11.x Client Update to 12.1.6 client
Hi All,
Quick question as usual. I am making sure that all our servers are now on the same version of the SEP client, so it will be the very latest 12.1.6 MP1a version. I have some older servers that are still on the SEP 11.0.6200.754 client. The OSes are:
Windows Server 2003 family Standard Edition
Windows Server 2003 Family Enterprise Edition
Will my current 12.1.6 client install upgrade these in the usual way? Does anyone know of any problems?
Thanks
PaulC
Downloading definitions in SEPM
Hello,
We are using SEPM 12.1.6, and we have configured the SEPM to get updates through a proxy server. Which account will the SEPM server use to download the definitions? Is it the service account?
SEPM to RU6 MP2, some clients "Fail to execute Host Integrity check"
Hi everyone
Just upgraded SEPM from RU6 MP1a to RU6 MP2, and a couple of clients reported Host Integrity Failed, with the error below in the logs.
HI policy applied is pretty much default
Tried CleanWipe/reinstall on one of the clients, error still active.
Affected clients are Windows, different OSs, latest SP/fully updated, RU6 MP1a, have in common that all are 32 bit. That being said, most of the 32-bit clients are not affected.
Anyone else seeing this?