Channel: Symantec Connect - Products

SEP 12.1 RU6 MP2 (12.1.6465.6200) Enterprise Edition has been released & available to download on Flexnet.


Hello Everyone,

SEP 12.1 RU6 MP2 (12.1.6465.6200) is now available on Flexnet to download.


This version of Symantec Endpoint Protection includes new features in the following.

System Requirements:

  • The Symantec Endpoint Protection client adds support for Mac OS X 10.11
  • Symantec Endpoint Protection Manager adds browser support for Google Chrome through 45.0.2454.99, and for Firefox through 40.0.3

Release Notes: http://www.symantec.com/docs/DOC9101

Fix notes: http://www.symantec.com/docs/INFO2883

System requirements: http://www.symantec.com/docs/TECH231877


Show attempt to stop the SEP service with the SMC command in antivirus security logs


Hello everyone,

After opening a case with Symantec I could tell that the antivirus does not log the user's attempts to stop the antivirus service if someone shares this password with them.

Some companies have problems with the sharing of administrator passwords, and some security auditors have asked whether we can get this in the antivirus logs, because that way we can open an incident ticket and the user will be warned not to run this process again.

As my suggestion, I believe the following information would already be helpful:

  1. If the user has the password and runs the command SMC -STOP: "The User stopped antivirus service manually with the administrator password"
  2. When the user starts the service manually with SMC -START: "The User started the antivirus service manually"
  3. If the user tries to stop the service but enters the wrong password: "The User tried to stop the antivirus service manually"

I sincerely hope that this suggestion is accepted and made available in future releases.

Thank you

LucianoSantos

Switching to Symantec Endpoint Protection

I need a solution

We have about 6000 machines with Panda Endpoint Protection (v7.2) and we are planning to switch to SEP. Will the SEP installer uninstall Panda automatically, or does someone know a good solution for this (a script or some already tested method)?

Error: "This package is not signed with a valid Symantec Signature..." when you run the Intelligent Updater or Rapid Release

I need a solution

Hi team,

Getting the below error when we try to update Intelligent Updater on SMSMSE:

Error: "This package is not signed with a valid Symantec Signature..." when you run the Intelligent Updater or Rapid Release

Washington D.C. User Group Meeting - Nov 3, 2015

Location: Symantec Washington D.C. Office
Time: Tue, 03 November, 2015 - 10:00 - 14:00 EST

Please join us for the next Washington D.C. User Group Meeting on Tuesday, November 3, 2015, from 10am to 2pm at our Symantec Washington D.C. office!



You will have an opportunity to network with your peers, participate in a Data Center Security demonstration, and learn more about Unified Authentication. 

Lunch will be served!


Please be advised that agenda details will be updated with more detail as we get closer to the event.... Thank you!



Agenda 

  • Welcome/Introductions
  • Customer Presentation
  • Data Center Security Demonstration
  • Lunch/Networking
  • Unified Authentication Presentation
  • Conclusion & Feedback

DATE:  Tuesday, 03-Nov-2015
TIME:  10am to 2pm

LOCATION:
Symantec
700 13th Street NW
Washington, DC 20005
Foggy Bottom Conf Room

Could not establish a connection with the server

I need a solution

Good afternoon,

I am new to this blog and have the following problem:

When I try to log in to the Symantec Endpoint Protection Manager 12 console, it lets me enter the username and password, but then I get this message:

" No se pudo establecer uan conexion con el servidor.

Asegurese de que el servidor se este ejecutando y de que no haya terminado el tiempo de espera de su sesion.

Si puede establecer conexion con el servidor pero no puede iniciar sesion, verifique que los parametros proporcionados sean correctos.

All the connections are working correctly, and the username and password are correct.

Could you help me with this issue?

Thanks

Ensuring compatibility without compromising security: the case of ECC/RSA hybrid certificates


We have talked a lot about ECC (Elliptic Curve Cryptography) over the past year. Although elliptic curves are not exactly new, their use in our industry is fairly recent: ECC is a new cryptographic algorithm used for key exchange and authentication purposes in the SSL/TLS protocols (see this previous blog article for more details).

It is expected that RSA, the current standard, will be replaced by ECC, as its scalability is becoming an issue with the arrival of IoT (Internet of Things): an explosion in the number of devices, machine-to-machine (M2M) communications, an ever-growing amount of data transfers, etc.

We expected this change to happen. This is why Symantec’s ECC roots were added to all major root stores back in 2007. Most CAs followed years later.

ECC, RSA and compatibility

The reliability and performance of ECC no longer need to be demonstrated. However, a significant obstacle to the adoption of ECC lies in the lack of support for this relatively new algorithm in legacy products. While all modern servers and browsers fully support ECC, some legacy systems will not trust ECC roots, or will not be able to support ECC at all.

Browser compatibility (root ubiquity) as of today

| Client type | Client | ECC Support: Pure ECC | ECC Support: ECC & RSA Hybrid |
|---|---|---|---|
| PC | Windows XP or older | Not supported | Not supported |
| PC | Windows Vista or newer | Supported | Supported |
| PC | Mac OS X | V10.9 or newer | V10.6 or newer |
| Mobile | Android | Android 3.x or newer | Android 4.0 or newer |
| Mobile | iOS | iOS 7.x or newer | iOS 3.x or newer |
| Ecosystem | Server to Server | Depends on the customer environment | Depends on the customer environment |

Current Server compatibility as of today

| Vendor | Product | ECC CSR | ECC cert install |
|---|---|---|---|
| Microsoft | Win Server 2008 (IIS 7.0) or newer | Supported | Supported |
| Apache, nginx | OpenSSL 1.0.1e | Supported | Supported |
| Oracle | Sun Java System Web Server 7.0 | Supported | Supported |
| F5 | 11.5 or newer | Supported | Supported |
| IBM | HTTP Server 8.0 + PM80235 | Supported | Supported |
| Citrix | Netscaler | Not Supported | Not Supported |

Some devices and systems cannot use ECC because the trusted ECC root certificate is missing from their trust store, and it is not always possible to upgrade, change servers or switch to another application easily. To overcome this issue, Symantec has created a solution for devices and systems that can support ECC but don’t have ECC roots in their trust stores: hybrid ECC/RSA SSL certificates.

Hybrid certificates use ECC for encryption and authentication but are chained to a well-trusted RSA root. Hybrid ECC/RSA certificates enable you to benefit from the best protection for your current infrastructure and mitigate potential compatibility issues at the same time.

How does it work?

It’s fairly simple: when you enroll, we give you the choice between a full ECC certification chain (fig. 1) and a hybrid ECC/RSA certification chain (fig. 2). The full ECC chain comprises your ECC SSL certificate, signed by an ECC intermediate, signed by an ECC root.

Fig. 1: full ECC chain

In order to offer hybrid RSA/ECC certificates, we have created a new ECC intermediate signed by an RSA root. This intermediate can be installed as direct intermediate, or as a cross certificate to a full ECC chain.

The direct intermediate is the solution we recommend. You benefit from ECC encryption for your infrastructure, while using a globally trusted RSA root.

Fig. 2: hybrid ECC/RSA chain
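
The two chain layouts described above can be reproduced with throwaway keys. This is an added example, not Symantec's tooling or real hierarchy: every name, file and the `pki.cnf` config is constructed, and it assumes the OpenSSL 1.1.1 or newer command line. It certifies one ECC intermediate key under both an ECC root and an RSA root, then checks which chain a client that has the RSA root but not the ECC root accepts.

```shell
# Added example: throwaway keys and constructed names, not Symantec's real hierarchy.
set -e
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

new_ec_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# self_sign KEY SUBJECT OUT: self-signed root certificate
self_sign() {
  openssl req -x509 -new -sha256 -key "$1" -subj "$2" -days 30 \
    -config pki.cnf -extensions v3_ca -out "$3"
}

# issue KEY SUBJECT CA_CERT CA_KEY EXT_SECTION SERIAL OUT: certificate for KEY signed by the CA
issue() {
  openssl req -new -sha256 -key "$1" -subj "$2" -config pki.cnf -out req.csr
  openssl x509 -req -sha256 -in req.csr -CA "$3" -CAkey "$4" -set_serial "$6" \
    -days 30 -extfile pki.cnf -extensions "$5" -out "$7" 2>/dev/null
}

build_pki() {
  openssl genrsa -out rsa_root.key 2048 2>/dev/null
  new_ec_key ecc_root.key; new_ec_key ecc_int.key; new_ec_key leaf.key
  self_sign rsa_root.key "/CN=Example RSA Root" rsa_root.pem
  self_sign ecc_root.key "/CN=Example ECC Root" ecc_root.pem
  # One ECC intermediate key, certified twice: by the ECC root and by the RSA root.
  issue ecc_int.key "/CN=Example ECC Intermediate" ecc_root.pem ecc_root.key v3_ca 2 int_pure.pem
  issue ecc_int.key "/CN=Example ECC Intermediate" rsa_root.pem rsa_root.key v3_ca 3 int_hybrid.pem
  issue leaf.key "/CN=www.example.test" int_hybrid.pem ecc_int.key v3_leaf 4 leaf.pem
}

sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
key_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'; }

# chain_ok ROOT INTERMEDIATE: does leaf.pem validate to ROOT when the server sends INTERMEDIATE?
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; }

build_pki
for c in leaf.pem int_hybrid.pem rsa_root.pem; do
  echo "$c: key=$(key_alg "$c") signed-with=$(sig_alg "$c")"
done
chain_ok rsa_root.pem int_hybrid.pem && echo "RSA root trusted + hybrid intermediate: OK"
chain_ok rsa_root.pem int_pure.pem   || echo "RSA root trusted + pure ECC intermediate: FAIL"
```

The same leaf certificate validates through either intermediate; only the intermediate the server sends decides whether the chain ends at the RSA root or the ECC root.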

If you are unsure which certification path is right for you, or if you have questions or concerns, please contact us! We are happy to help and to advise.

Basic Q&A about Symantec Endpoint Protection

I need a solution

Questions we need to be aware of about Symantec Endpoint Protection for an interview.


SEP SBE Upgrade

I need a solution

I have just renewed SEP SBE 12.1 (at a noticeably higher price BTW) and since I wish to continue to maintain the clients via SEPM and not in the cloud, I entered the new serial number in the current SEPM. But when I tried to download an updated version of SEP & SEPM, FileConnect claims that same serial number does not exist. So how do I obtain these updates? Thanks.

Hyperv machine exclusion

I need a solution

Team,

I have installed a guest VM on Hyper-V. Please help me to know all the files and folders that need to be excluded while installing the Symantec client.

Cannot decrypt laptop with admin credentials

I need a solution

I'm trying to decrypt my laptop's hard drive. In the Windows command prompt I cd to the directory in which Symantec Endpoint Encryption is installed and type the following command:

eedAdminCli --decrypt --disk 0 --au admin --ap password

To which I receive the following error:

Admin could not be authenticated

Please provide the correct managed Admin credentials using --au and --ap

Operation start decrypt failed:

Error code -11500: PGPClientError #-11500

Admin is the only account on the laptop. There are no other users on this laptop. I am running command prompt as the administrator. My password is correct. 

I have tried different iterations of "admin" to no success. I am using Windows 8.0. 

Any assistance would be great. 

Scanning Oracle DB BLOB DataType

I need a solution

Hello,

We have set up our scanner to scan an Oracle DB and the objective is to scan a table which has information with the BLOB data type. Files/attachments are stored in this and we need the capability to extract the content and look for sensitive data. Unfortunately our tests show that even though the file names can be read, the actual content in the file itself is not being scanned. Any thoughts from anyone who had success on this?

Thanks in advance

Sachin

Need a Query to Find and Delete duplicate entries in SEPM database

I need a solution

I've been looking through the forums, and have come up with a few SQL queries to identify duplicates and to delete them; however, it doesn't appear to have any effect on the license counts in use as per the GUI on the home screen of the SEPM.

We are running 12.1 RU6MP1a.

Also, in querying the SEM_COMPUTER, SEM_CLIENT and SEM_AGENT tables, as well as doing inner joins of each table on the Computer_ID field, the SQL query results all vary with different amounts, and the SEPM Licensing window (showing the number of licenses in use) shows a different number as well; none of the numbers match up.

Here are my sample queries, I also have them for the SEM_Client table as well.

Please advise how I can write the correct query to find and delete all duplicates so that my in-use license count decreases, as currently the only way to do this is to delete them manually from the SEPM, and with over 600 machines a day to remove it is not feasible to do manually. The SEPM system setting to auto-purge machines older than X days can't be adjusted below the set 30 day limit for auditing purposes.

Find all machines in the table:

DECLARE @TimeZoneDiff int    
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())

SELECT computer_ID
 , computer_name
 , TIME_STAMP
 , dateadd(minute, @TimeZoneDiff, dateadd(second, TIME_STAMP/1000, '01-01-1970 00:00:00')) as [TimeStamp]
 , dateadd(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00') LastUpdateTime
 , DATEDIFF(dd,(dateadd(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TCddDate Diff]
 , DATEDIFF(hh,(dateadd(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TChhDate Diff]
 , DATEDIFF(mm,(dateadd(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TCmmDate Diff]
FROM SEM_COMPUTER
 GROUP BY computer_name, TIME_STAMP, computer_ID
 Order by computer_name, TIME_STAMP

Find Duplicates in the table:

DECLARE @TimeZoneDiff int    
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())

  SELECT Table1.computer_ID
  , Table1.COMPUTER_NAME
  , Table2.computer_name
  , COUNT(Table2.COMPUTER_NAME) AS NumOccurrences
  , Table1.TIME_STAMP
  , dateadd(minute, @TimeZoneDiff, dateadd(second, Table1.TIME_STAMP/1000, '01-01-1970 00:00:00')) as [TimeStamp]
  , dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00') LastUpdateTime
  , DATEDIFF(dd,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TCddDate Diff]
  , DATEDIFF(hh,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TChhDate Diff]
  , DATEDIFF(mm,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TCmmDate Diff]
  , COUNT(Table1.COMPUTER_NAME) AS [NumOccurrences]
  , row_number() OVER(PARTITION BY Table1.COMPUTER_NAME ORDER BY Table1.TIME_STAMP) AS [rn]
  FROM SEM_COMPUTER As Table1
    inner join SEM_COMPUTER as Table2 on Table1.COMPUTER_NAME = Table2.COMPUTER_NAME
  Where DATEDIFF(dd,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) > 2
        and table2.COMPUTER_NAME != 'CTXTEMPLATE'
        and table2.COMPUTER_NAME != 'DALW2K8R2UPDT'
        and table2.COMPUTER_NAME != 'W2K8R2CTXUPDT'
        GROUP BY table2.computer_name, Table1.computer_name, Table1.COMPUTER_ID, table1.TIME_STAMP
        HAVING (count(table2.computer_name)>1)
 Order by Table1.COMPUTER_NAME, Table1.TIME_STAMP
 

Delete duplicates from the table:

DECLARE @TimeZoneDiff int    
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())

  SELECT Table1.computer_ID
  , Table1.COMPUTER_NAME
--  , Table2.computer_name
  , COUNT(Table2.COMPUTER_NAME) AS NumOccurrences
  , Table1.TIME_STAMP
  , dateadd(minute, @TimeZoneDiff, dateadd(second, Table1.TIME_STAMP/1000, '01-01-1970 00:00:00')) as [TimeStamp]
  , dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00') LastUpdateTime
  , DATEDIFF(dd,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TCddDate Diff]
  , DATEDIFF(hh,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TChhDate Diff]
  , DATEDIFF(mm,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) as [TCmmDate Diff]
--  , COUNT(Table1.COMPUTER_NAME) AS [NumOccurrences]
  , row_number() OVER(PARTITION BY Table1.COMPUTER_NAME ORDER BY Table1.TIME_STAMP) AS [rn]
into #temp FROM SEM_COMPUTER As Table1
inner join SEM_COMPUTER as Table2 on Table1.COMPUTER_NAME = Table2.COMPUTER_NAME
  Where DATEDIFF(dd,(dateadd(s,convert(bigint,Table1.TIME_STAMP)/1000,'01-01-1970 00:00:00')),GETDATE()) > 2
and table2.COMPUTER_NAME != 'CTXTEMPLATE'
and table2.COMPUTER_NAME != 'DALW2K8R2UPDT'
and table2.COMPUTER_NAME != 'W2K8R2CTXUPDT'
GROUP BY table2.computer_name, Table1.computer_name, Table1.COMPUTER_ID, table1.TIME_STAMP
HAVING (count(table2.computer_name)>1)
--Order by Table1.COMPUTER_NAME, Table1.TIME_STAMP

delete from SEM_COMPUTER where COMPUTER_ID in(select COMPUTER_ID from #temp)

drop table #temp

Installing the Security Virtual Appliance

I need a solution

Hello everyone,

I would like to know whether I can run a test installation and configuration of "Symantec_Endpoint_Protection_12.1.5_Security_Virtual_Appliance_ML" on the "VMware Workstation" platform.

Also, based on your experience with this product, is it strongly recommended to use this product, or should we just use the old platform, that is, the Windows Server platform?

Thanks in advance for your answers and help.

Regards.

SDCS - Server Advance

I need a solution

Hi guys,

I am looking for comprehensive information on the Data Center Security product.

How can it help to prevent zero-day attacks, and what needs to be configured?

What are the core features of this product?

How does it work?

How can we utilize the IPS feature?

How much effort is required to implement the IPS in a mixed environment of desktops + servers (Windows + non-Windows) > 50000 (SEP full protection is already installed, including IPS)? Is it really necessary to install SDCS - IPS even though SEP IPS is installed?

I want to know what value this product can add to our environment.

Is there any good presentation on this product?

A good competitive battle card on zero day as well, if someone can share it with me, for the latest version 6.5.


SymHelp Log reader tool

I need a solution

I am looking for a tool which can read the SymHelp logs in depth, other than the SymHelp tool, which gives very basic information. Can anyone tell me if there is any tool which will extract detailed information?

Download Clean Wipe

I need a solution

Hey guys,

I don't have a serial number, but I want to download CleanWipe. Can support help me?

All the best

Luke

 

Malware spam attacks targeting Japanese companies on the rise

Fake emails disguised as order confirmations sent from sellers of printers and other equipment in Japan are spreading Infostealer.Shiz. Be very wary of emails you do not recognize.

Android ransomware uses Material Design to coerce payment

Android.Lockdroid.E uses Google's design language and an open-source project to trick users into paying the ransom.

DLP Network Discover scan error: Local Drive for mount is in use

I need a solution

I have seen this error recently on some of my discover scans. This is against shares on a Windows 2012 (std) server or CIFS shares on NAS.

The drive letters vary.

"Failed to complete Share: //<server.domain>/<share>; error: The Local Drive for mount is in use -- m:."

"Failed to complete Share: //<server.domain>/<share>; error: The Local Drive for mount is in use -- z:."

The scan may include another share on the same server that functions just fine.

Any ideas?
