Hi Symantec,

We operate a cloud-based SaaS service which allows our users to manage marketing emails to their customers.

This is in follow-up to a previous issue, which I believe is now resolved as you have removed us from your throttling.

However, we are now receiving connection timeouts and a 421 response when we can connect. Again, this isn't necessarily a problem, but it would appear that the email is still being delivered to the recipient. Log extract is below.

Can you advise on what this 421 refers to and how we should handle this?

Thanks in advance
David

Log Extract:

I found a copy of the SERT tool but it appears to be quite old. I'm going through our documentation but can't find much about it. Can anyone assist?

Kind regards,

Cara

Hi,
When we are formatting computer, installing Symantec Endpoint Encryption, adding 6 domain users and 1 local (pgpadmin), and encrypt HDD/SSD, all users can use the computer normally without any problem for next 2-4 month. After they begin have problem with sign-on. In shift time, when one user change another they restart computer, and second user wanna to sign-on in his account - he cannot sign-on by his account, system opens with previous account, not new. What can do we with this problem? Can you give to us any suggestion?
Best Regards,
Kamran Musavi.

Hi,

Kindly suggest a best action to take when any kind of "Downloader.Dromedan Activity" is detected on endpoint.

I need the solution to protect endpoints from these activites and what to do when you detect it.

Thanks in Advance.

Hello,

By mistake I tried to upgrade SEP12 to SEP14 on win2k3 servers. Now on Clients Tab I see red dot on some clients. On Client Properties- Deployment Status: Install failed, incompatible operating system.

How I can remove Red Dot to this hosts?

Hi all,

I have User Groups configured in VIP Manager and are syncing users from the VIP Enterprise Gateway just fine. However, in addition to these synced users, I have a few local users in VIP manager that I need to also be in this group. By local users, I mean that I manually added them into VIP Manager because they do not exist in our AD. (this is because of an API we are using that has a few local accounts in it).

Is there a way to manually apply a group label to a User in VIP Manager? I have multiple applications with multiple groups of administrators (for each application) in my VIP manager. I need a way for these "local user accounts" to be put under a specific group which is just seen by a particular administrator group.

Thanks

-Alex

Good morning!  We recently upgraded from a Windows Server 2008 R2 server to a newer Windows Server 2012 R2 server.  I installed the management server and restored the database.  Everything seemed successful at first but certain groups never started communicating with the server.  These computers have connections to the server and all other software seems to be working.   When I tried to use the Client Deployment wizard the server sees the clients and allows me to start the deployment process but it always stays at 0% for all clients. I tried sending just the communication file and I tried sending a complete install.  I tried processing the deployment as a group and one at a time to different clients.  I've called tech support but I have had no luck.  I was hoping someone on here might have had a similar situation and may have some suggestions on how to start the troubleshooting process.

Hello,

Sorry if this question has been asked before. How can i generate or get a list of the manual scan results from our linux clients ?  Doesn't the sav process save the scan results somewhere in a local filesystem Or Is installing SAVLReporter as recommended by Brian , the only option ? I am using Symantec EP version 14 Mp2. 

I am using the following command to run a full system scan:

sav manualscan --scan / 

I have a bit of an odd one.  I am a contractor with Naval Sea Systems Command (NAVSEA) in Washington DC.  The Vice Admiral (NAVSEA Commander) had to have his hard drive replaced, and we sent his old drive to our local field service technicians to decrypt the drive with their tool.  They came back and said that the drive failed to decrypt due to "too many bad sectors".  Given that this is a 3-star flag officer, we could not just say "oh well" and we requested assistance from NETWARCOM, who have data recovery tools over and above that of what our local guys have.  They sent the drive back to us saying that it was "partially" decrypted.  The data portion remained encrypted.  We have engaged the services of the Department of Defense Cyber Crimes Center (DC3) because they supposedly had even better tools.  

The following is a quote from the email I received from them :

"Can you please reach out to Symantec and ask how can portion of the drive be decrypted when the drive was previously decrypted.  I would also include that the original drive was non responsive with several sector read errors which is why portion of the drive was not decrypted.  Advanced imaging tools successfully imaged the area of the drive with read errors but have the drive was decrypted.  Also, when the drive is encrypted, is there a unique identifier in the sector?  What is that identifier?"

I know this is a pretty deep dive into the software for this forum, but I had to start somewhere.  Is anyone able to provide answers to the above questions?

Thank you very much.

Timothy David

Hello:

I've raised the security policies in the Endpoint protection Manager, after that many .exe file started to be blocked (I think it's fine and normal) but, here, the developers create a lot of programs that connects and execute .exe files that the AV block and erase

For example the folder where those files tries to execute is:

c:\users\username_1\appdata\local\apps\2.0\program1.exe

c:\users\username_2\appdata\local\apps\2.0\program2.exe

c:\users\username_3\appdata\local\apps\2.0\program3.exe

And many users run those programs so I can no create an exception for each one. So to prevent this I created the following exception:

%[COMMON_APPPDATA]%\local\apps\2.0\

For 3 days I thought this has solved the problem but today another program in that folder was blocket, could anyone please help me on how to correct develop an exclution?

Thank you.

I changed the "maximum number of rows in a report table" to 500 but when the report comes out its still the default 200. Can this be fixed?

Hi Team,

We use SEP client Version 14.

Client has detected some files as malicious. But i wanted to understand what type detection it has done?

How can i say the detection is  Singnature based by looking at logs?

Please help me to understand this.

Thanks & Regards

Secroa

As an alternative to a "coaching" option, I would like to see an option to give certain users the ability to override a blocked website, but with additional requirements.

In particular, since the WSS doesn't authenticate the user explicitly, I would like to suggest something like what you'd find with a multi-factor authentication prompt.

This is different from coaching in that I could require strong authentication to affirm a user gets to a website (above and beyond clicking a link to continue [coaching]), and I could separate certain types of websites (such as suspicious, peer-to-peer, software downloads, etc. - things which may pose a different type of risk but have a legitimate use case) to require this additional step.

Basically, this would be the process:

• The website is blocked
• The user, as long as they have a username that has been sync'd to the cloud (e.g., via Bluecoat auth connector) has a known email address.
• The user has an option to "confirm override"
• Upon clicking, the user is sent an email with a link.
• The user clicks that link, which enables the override.
• This provides:
  • Intent. The user saw the warning yet continued.
  • Non-repudiation: the user clicked the link in their own email
  • Ultimately, a higher degree of confirmation that this was the intention

I'm pulling my hair out being unable to authenticate with the SEPM 14 API. The following is what I think the problem is: "password: The encrypted password to use with the username."

Here's the catch: Encrypted HOW?!

This is the command I'm using to make the test query:

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Andale Mono'; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

curl -v -H "Accept: application/json" -H "Content-Type: application/json" -d @testcreds.json $sepmapi/v1/identity/authenticate

$sepmapi is a variable with the base URL of my SEPM server (https://SEPM_IP:8446/sepm/api)

testcreds.json is a json-formated body that contains the credentials:

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Andale Mono'; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

{"username":"testadmin","password":"PASSWORD","domain":"Default"}

testadmin's password is very simple (to rule out any special character issues).

When I send the request replacing PASSWORD with his plaintext password, this is the response I get from the server:

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Andale Mono'; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

{"errorCode":"401","errorMessage":"Invalid user name or password. Please try again."}

When I send the request using a BASE64 encoded version of the password, this is the response I get back:

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Andale Mono'; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

{"errorCode":"400","errorMessage":"Invalid Username or Password or the account is locked!"}

I have verified multiple times that I am using the correct password and that the account is NOT locked. I've verified the SEPM Domain name (one site, one domain) and the account is a System Administrator.

Two people at support so far are worthless and can't answer my question. Does the password need encrypted? How? Is there something else I'm doing wrong?

Thanks for any insights!

Hi,

1. Still i could see duplicate VDI machines in SEP 14 MP2 version which is resulting in n number of offline machines. Symantec said this issue will  be fixed in SEP 14 MP2 but still i see the same as SEP 12. deleting the whole Offline machines is being a very big task and waste of time. is there any way that we could get rid of it apart from Tamper Protection disabling. 

2. while we upgraded to SEP 14 MP2, we realized AD was not synchronized which was not included in part of SEP upgrade. how do we go back to AD authentication. 

3. we deployed SEP 14 client on few machines and could see "Disable Symantec Endpoint Protection" wasn't greyed out. how could we stop this from all machines in our environment. is it not part of our policy? is there any way to grey it out for whole environment? why wasn't it greyed out?

Problem:

DLP incidents showing the date format as MM/DD/YY and you wish to change it to DD/MM/YY

Solution:

By default DLP incidents date format shows as MM/DD/YY (08/29/17) and if you wish to change it to DD/MM/YY (29/08/17), follow the steps given below:

1) Login to the Enforce Server and navigate to \SymantecDLP\Protect\bin

2) Execute the LanguagePackUtility.exe with the argument as shown below:

    LanguagePackUtility.exe  -c  "en_GB"

3) After the enforce service is restarted, go to “system” -> “Settings” -> “General” and click “configure” Then change the System Default Language to “English (United Kingdom) - English (United        

    Kingdom)”     

4) Log off and log back in. Then incidents date format should be chnage to DD/MM/YY format

Cheers !!!  :)

Hello,

Here is system requirements for Symantec Endpoint Protection 12.1.2 and 12.1.3, for enterprise version and Small Business Edition, and Network Access Control.

These sytem requirements for equally to the "enterprise version" and "Small Business" Edition of Symantec Endpoint Protection 12.1 RU2 and 12.1.3, ( Network Access Control is a component of the enterprise version only.)

Specified, all updates, editions, and Service Packs (SPs) for a listed Windows version are supported, e.g. Windows 7 = Windows 7 Home Premium, Professional, and Ultimate editions, all SPs. As Microsoft releases new Service Packs for Windows, these requirements may need to be re-evaluated--the newest Service Pack may require an updated version of the Symantec product.

Here, we include following list of system requirement:

• Symantec Endpoint Protection Manager
• Symantec Endpoint Protection client (Windows and Macintosh)
• Virtual Image Exception Tool (enterprise version only)
• Symantec Network Access Control client
• Symantec Network Access Control On-Demand client

Additional requirements:

• Internationalization requirements

Virtual Image Exception Tool (enterprise version only)

The Virtual Image Exception tool must run in one of the following supported virtual environments:

• VMware ESX 4.0 Update 1 or later
• Microsoft Hyper-V 2008 or later
• Citrix XenServer 5.6 or later

The Symantec Endpoint Protection client must meet all of the following requirements:

• The client must be installed in one of the supported virtual environments.
• The client must run Symantec Endpoint Protection client software version 12.1 or later.

Some Language Requirements and limitations:-

Restrictions apply when you install Symantec Endpoint Protection Manager in a non-English or mixed-language environment.

Computer names, server names, and workgroup names

Non-English characters are supported with the following limitations:

• Network audit may not work for a host or user that uses a double-byte character set or a high-ASCII character set.
• Double-byte character set names or high-ASCII character set names may not appear correctly on the Symantec Endpoint Protection Manager console or on the client user interface.
• A long double-byte or high-ASCII character set host name cannot be longer than what NetBIOS allows. If the host name is longer than what NetBIOS allows, the Home, Monitors, and Reports pages do not appear on the Symantec Endpoint Protection Manager console.

English characters:

• Deploying a client package to a remote computer.
• Defining the server data folder in the Management Server Configuration Wizard.
• Defining the installation path for Symantec Endpoint Protection Manager.
• Defining the credentials when you deploy the client to a remote computer.
• Defining a group name.
  You can create a client package for a group name that contains non-English characters. You might not be able to deploy the client package using the Push Deployment Wizard when the group name contains non-English characters.
• Pushing non-English characters to the client computers.
  Some non-English characters that are generated on the server side may not appear properly on the client user interface. For example, a double-byte character set location name does not appear properly on non-double-byte character set named client computers.

License Activation Wizard:

Do not use double-byte characters in the following fields:

• First name
• Last name
• Company name
• City
• State / Province

Introduction

This is the nineteenth in my Security Series of Connect articles but the first to reference a sequel starring Billy Crystal, Jack Palance and Jon Lovitz.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

Symantec Security Response and Technical Support are always advising end users, "Be suspicious and think before you click: Never view, open, or execute any email attachment unless you expect it and trust the sender."  In What NOT to Click we saw how malicious Office attachments (Word, Excel and so on) would attempt to "social engineer" end users into enabling content and unleashing Macro mayhem on their organization.  Office spam is not your attackers' only trick, though.  This article illustrates what recent phishing PDFs look like so that you are not bamboozled into giving away your valuables to identity thieves.

Let me show you.... Part 2

All of the screenshots below are from .pdf documents sent out in recent phishing spam campaigns. Stampedes of these mails are whipped up every day by no-good varmints, in hopes that at least a few unsuspecting newcomers will be trampled.  The mails have .pdf attachments which open in Acrobat Reader and present some sort of message, often imitating a trusted brand (Including "Norton Secured" logos), designed to hoodwink recipients into clicking on a link.  Those links will (usually) open a phishing webpage or (sometimes) download a malicious file.  

Now, dear reader, I humbly ask your kind pardon in advance for all the Wild West terminology....     

It's For Your Own Protection Part 2

Just like with malicious macro spam, phishing spam will often pretend that the end user's necessary actions are done in the cause of Security. "Secured PDF Online Document"!

"View On Adobe" - as if that makes any sense.  If it sounds like a stranger is trying to hornswoggle you, they probably are. 

Here's another very secret and secure example: "This Document is Password Protected" 

Yessir, I always trust anything that switches font in mid-sentence. 

This next phishing lure seems to tell that network security measures are working!  "Your system firewall rules have stored files online.  Show received doc here." 

Now, I am no firewall expert, but... trust me: storing files online ain't what Symantec's firewalls do.  If in doubt about how your company's firewalls work, ask the IT security team.  Guaranteed, that posse will be glad you did rather than blindly clicking.

Wait Mr. Victim, You're Missing Something Part 2

Oh no! "This pdf version is outdated. Click here to preview online"

No thanks!  I'd rather not get bilked out of my riches by some villain.

Packed Full of Goodness! 2

Oh! Excitement!  Someone is sending me a package!  That's always mighty pleasant.

Too bad there is no www.dhl.cn site.  And that page presented when clicking "View File" has a different country's TLD, and looks nothing like a legit DHL site....

Please don't send the scammers a present! Don't give 'em nothing.

Here's a similar phishing lure, but for a document....

Looks official! Why getting a document is dear like a letter from my auntie back East!  Better click....

Wait a tick.... how come this URL is some site in India, by hooky, rather than the legitimate https://www.dropbox.com/ ?  And how come it looks kinda flim-flam? 

This here's from some bunko artist.

Wait, Is That A Real Stagecoach-?

Now a national chain in the US, Wells Fargo is a bank that dates back to the Gold Rush days of the Wild West.  Here's a screenshot of some modern-day rustler trying to hijack a greenhorn's claim:

"Dear Valued Customer"? The capitalization, punctuation and spelling mistakes are big smoke signals that something's not right.  Stranger yet is that I don't even have one of them WellsaFargo online profiles.  Let's click anyway and see where this trail leads us....

What in tarnation-? This website with the long random domain name is about as legitimate as snake oil.

Sometimes The Creative Juices Just Won't Flow 2: The Legend of Curly's Gold

Here are a couple "Coffee Boiler" phishing lures, plumb-lazy offerings by some skunk who would rather sit around the fire all day than do any work.

This one does not bother with any fancy graphics.  "Click HERE to login and unlock file."

For who?  Why-?  I ain't some dumb dude, no sir.

This next example can't decide it if it is imitating Dropbox or Docusign. 

So font and punctuation are not their strong suit.  And getting the logo turned the right way around.  Maybe the sender of this important document will earn extra credibility bonus points on spelling-?

Nope.

So What Should We Do?

Remember: Curly looked a lot like his twin brother Duke.  Phishing mails and webpages might seem at first glance to be the real McCoy, but ease on back in the saddle, pardner, and take a good, slow gander...

1. Keep your eyes peeled for pigs in a poke.  That is, low quality text, graphics, phrasing... these are sure give-aways.
2. Pay close attention to the URLs.  Go to the legit sight rather than being led up whatever blind trail them outlaws planned.
3. Submit the suspicious mail and its phishing attachment to your AntiSpam vendor.  They will be able to determine if the attachment is safe or something that will dry gultch ya.
4. Unless you are certain it is safe, leave it be!  Ride off into the sunset, amigo!

Conclusion

Thanking you kindly for reading!  And for cogitating before opening documents or clicking links. 

Final word:  "When in Doubt, don't click it!"

Please leave your weapons at the saloon door and your comments below. 

Will I need to still block the Autorun.inf files from running from the Symantec Device Control even though Windows 10 dropped the Autorun feature? Autorun was a security concern in Windows XP.

Hi Guys,

I need some clarification on DNS queries by the client PC enabled with web proxy on its browser. 

Whether the PC defined DNS servers will do DNS resolution or the proxy server does it while browsing websites?

If proxy server does the DNS resolution, what is the solution to get the DNS queries directly from the PC defined DNS servers?