Posts tagged ‘SEP’

SEPM Y2k.1

As anyone using Symantec Endpoint Manager (SEPM) to manage SEP11 clients should already know, SEPM has an issue where it thinks virus definition updates from 2010 are older than updates from 2009.

If you aren’t on top of this, you should be subscribed to Symantec emails here. I’d also apparently subscribed to something at the Symantec Forums at www.symantec.com/connect.

Symantec is just now starting to push out patches. Currently patches are available for 11.0.3. Keep an eye on this knowledge base article for updates.

So far this has caused three problems that I care about.
1. We use Forescout Counteract to monitor for virus definitions more than a week out of date. I came in one day and found all my computers in the “old definition” group. The defined action was run live update once. That wasn’t too big a problem.
2. Like most SEP admins, I have SEP configured to use SEPM for updates when on my corporate LAN or VPNed in, but to use Symantec’s LiveUpdate servers when on the Internet. It’s important for people to get updates even when away from the office, and that is a simpler solution than putting a LiveUpdate server in the DMZ. The problem is that the Y2K.1 issue was specific to SEPM. As a result Symantec foolishly used different virus definition numbers for their LiveUpdate servers and for updates through SEPM. So my internal clients are getting 12/31/2009 rev xyz definitions (where xyz is an incrementing number) and people who update directly from Symantec get normal updates dated today. If you are external to the company and you update from Symantec, your defs are dated 1/10/2010. If you go back to work, the defs offered from the server are 12/31/2009. You’ll never get updated while on the corporate network until Symantec fixes the original problem. To my understanding, you are now out of date. Kind of a big problem.
3. Symantec by default notifies users of managed clients when the virus definitions are more than 30 days old. I take this to mean that unmanaged systems get no notification by default. In my environment managed systems are set to notify users if the virus definitions are more than 14 days out of date. Since we’re coming up fast on January 14th, I’ve disabled the notification. Of course any computer that isn’t on our network in the next couple of days won’t get the new configuration.

Hopefully Symantec will get this issue resolved soon. Not sure why they couldn’t be ready to patch all SEPM builds at once. Why is MR3 so favored?

SEP11 and MS09-035

The vulnerability scanner is finding a bunch of systems with %windir%\system32\atl71.dll version 7.10.5057.0 and the registry key HKLM\Software\Microsoft\VisualStudio\7.1. This indicates that the system may be MS09-035 vulnerable. The patched version of atl71.dll is 7.10.6101.0.
I also have some systems that don’t have that registry key but do have atl71.dll.
I decided to do some testing to determine how the file is getting on the computer. We haven’t rolled out Visual Studio .Net 2003, but clearly some application is putting it there.
On a clean load of XP SP3, no atl71.dll is present on the system. However, after installing Symantec Endpoint Protection 11, I find that I have atl71.dll. This test system does not have the registry key.
So it appears that Symantec is using Microsoft’s ATL library and distributing a vulnerable version of the DLL.
I couldn’t find anything about this at the Symantec forums or in the knowledgebase. I may have to open a support ticket. I’m not sure I’m prepared for that kind of crap shoot today.

Symantec now has a knowledgebase article available. See comments on this post.
Symantec reports they are not actually vulnerable. A future version of SEP will have an updated file to avoid detection by the vulnerability scanner.
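The scanner logic described in this post, written up as an added Python example (not the author’s or Symantec’s code): a host is flagged when atl71.dll is below the patched build, and the VisualStudio\7.1 registry key is what separates a Visual Studio .NET 2003 install from another application such as SEP11 dropping the DLL. The inventory and host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Versions quoted in the post: the ATL 7.1 build the scanner flags, and the
# build that carries the MS09-035 fix.
VULNERABLE_ATL71 = "7.10.5057.0"
PATCHED_ATL71 = "7.10.6101.0"
VS71_KEY = r"HKLM\Software\Microsoft\VisualStudio\7.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a file version like '7.10.6101.0' into ints so it compares numerically
    (a string compare would rank '7.10.10000.0' below '7.10.6101.0')."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected file version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Host:
    name: str
    atl71_version: Optional[str]  # None when %windir%\system32\atl71.dll is absent
    has_vs71_key: bool            # whether VS71_KEY exists in the registry


def triage(host: Host) -> Tuple[str, str]:
    """Classify one host: ('absent' | 'patched' | 'flagged', explanation)."""
    if host.atl71_version is None:
        return "absent", "atl71.dll not present"
    if parse_version(host.atl71_version) >= parse_version(PATCHED_ATL71):
        return "patched", f"atl71.dll {host.atl71_version} is at or above {PATCHED_ATL71}"
    # Below the patched build: the registry key tells a VS .NET 2003 install apart
    # from another application (SEP11, in the post's test) that shipped the DLL.
    origin = ("Visual Studio .NET 2003 (registry key present)" if host.has_vs71_key
              else f"another application such as SEP11 (no {VS71_KEY})")
    return "flagged", f"atl71.dll {host.atl71_version} is below {PATCHED_ATL71}; installed by {origin}"


# Constructed inventory mirroring the post's observations (not real hosts).
INVENTORY = [
    Host("xp-sp3-clean", None, False),
    Host("xp-sp3-sep11", VULNERABLE_ATL71, False),
    Host("dev-vs2003", VULNERABLE_ATL71, True),
    Host("dev-vs2003-patched", PATCHED_ATL71, True),
]


def summarize(hosts) -> dict:
    """Map each host name to its triage status."""
    return {h.name: triage(h)[0] for h in hosts}
```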

BridgeChecker

I’ve blogged several times about the desire to disable the wireless card when the wired card is connected.
A comment on one of my older entries points out that there is free software to do this now.

http://www.wlanbook.com/disable-wireless-connected-lan-xp-vista/

http://www.wlanbook.com/bridgechecker/

I’m now using SEP11 for this but passing it on in case others are still looking for a solution.
My older articles:
New version of Autoswitch out
Disable Wireless when Wired Connected
SEP11 and Wireless Management
Disable Wireless on LAN Access

Virus Alerts and SEP 11 MR4

Since upgrading from SEP11 MR2 to MR4, my virus alert email to admins no longer works.
As a side note, SEP11 has never allowed me to include the path and file name in the virus notifications. They did allow that in SAV10 and earlier. This is a big step back.
Before the upgrade, the email was sent as system@servername. I believe my mailserver was helpfully making the servername fully qualified. The mail had no issues.
Since upgrading, the notifications are no longer getting through. According to the Symantec Knowledgebase, they did this on purpose.

As of SEP 11.0 Maintenance Release 3 (MR 3), a “.com” suffix has been addred (sic) to the “From:” address used by SEPM (SYSTEM@computer_name.com) which should help reduce rejections by the mail server.

Help reduce rejections? Help reduce rejections! How does sending mail as system@servername.com help? That is guaranteed to be rejected by anyone who verifies the sender is a valid domain name.
I’ve opened a case with support asking for them to fix this.
Symantec does not allow you to configure your own sender address in SEP11. They suggest you lower the security posture of your mail server by accepting email regardless of how invalid the From address is. Validating the envelope-from domain is a common, easy antispam technique. I don’t want to change it.
Looks like I need to add %Server_Name%.com to my internal DNS as a temporary workaround.
Another “improvement” in MR4.
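To show why the MR3 change breaks delivery and why the DNS workaround above restores it, here is an added Python model of the envelope-from domain check (example code, not the author’s mail server configuration or anything from Symantec). The internal zone, the local domain example.local and the server name sepm01 are constructed; real lookups are replaced by an offline resolver.

```python
import re
from typing import Callable, Dict, Set, Tuple

Resolver = Callable[[str], Set[str]]  # domain name -> record types it has


def sender_domain(from_addr: str) -> str:
    """Extract the domain of an envelope sender such as SYSTEM@sepm01.com."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", from_addr.strip())
    if not m:
        raise ValueError(f"malformed sender address: {from_addr!r}")
    return m.group(1).lower()


def accept_sender(from_addr: str, resolve: Resolver, local_domain: str) -> Tuple[bool, str]:
    """Envelope-from domain check as the post describes it: an unqualified name is
    completed with the local domain (what the author believes the mail server did
    before MR3); a qualified domain must resolve to an MX or A record."""
    domain = sender_domain(from_addr)
    if "." not in domain:
        domain = f"{domain}.{local_domain}"
    records = resolve(domain)
    if not records & {"MX", "A"}:
        return False, f"rejected: sender domain {domain!r} does not resolve"
    return True, f"accepted: sender domain {domain!r} has {sorted(records)}"


def make_resolver(zone: Dict[str, Set[str]]) -> Resolver:
    """Offline stand-in for DNS lookups, backed by a dict of names to record types."""
    return lambda name: set(zone.get(name.lower(), ()))


# Constructed internal zone; 'sepm01' stands in for the SEPM server name.
INTERNAL_ZONE = {
    "example.local": {"MX", "A"},
    "sepm01.example.local": {"A"},
}
PRE_MR3_FROM = "system@sepm01"       # old form: system@servername
POST_MR3_FROM = "SYSTEM@sepm01.com"  # MR3+ form from the KB quote


def demo() -> Tuple[bool, bool, bool]:
    """(pre-MR3 accepted, post-MR3 accepted, post-MR3 accepted after DNS workaround)."""
    before = accept_sender(PRE_MR3_FROM, make_resolver(INTERNAL_ZONE), "example.local")[0]
    broken = accept_sender(POST_MR3_FROM, make_resolver(INTERNAL_ZONE), "example.local")[0]
    # Workaround from the post: publish %Server_Name%.com in internal DNS.
    patched_zone = {**INTERNAL_ZONE, "sepm01.com": {"A"}}
    fixed = accept_sender(POST_MR3_FROM, make_resolver(patched_zone), "example.local")[0]
    return before, broken, fixed
```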
UPDATE 2/17/09
See the comments, there is a way to do this after all. I’ve asked Symantec to update the KB I referenced.

Symantec Endpoint Protection 11 MR4

SEP11 MR4 release notes have been posted here.
I suspect this is now available on the platinum site. I’ve been told by our sales guy that we should have access to that, but all I can ever get to is fileconnect. Rumor is January 6th for Fileconnect. I’m more interested in the msp update files than the full CD for a full SEPM install. I don’t see those on the KB or via FTP right now.
Here’s one fix that I’m waiting for.

Wireless connections at 104Mb/second do not register with Location Awareness as Wireless connections.
Fix ID: 1441489
Symptom: Auto Location Awareness does not work when using 104Mbps wireless network.
Solution: Added 130Mbps/117Mbps to the list that detects when the wireless speed is not stable.

That information would have been helpful to me last week. I wasted quite a bit of time troubleshooting a user’s problems with 802.11N.
I think I have more issues with smc.exe than rtvscan.exe. However, every reduction in CPU usage helps.
Constant 5% Rtvscan CPU usage.
Fix ID: 1389006
Symptom: Constant 5% Rtvscan CPU usage seen from Process Explorer or Task Manager.
Solution: Changed to cache the state of Auto-Protect, thus reducing excessive calls which gather state information. The state is now updated once on startup, on change notification from Auto-Protect, and occasionally on the main timer, eliminating this issue.

SEP11 MR3 Performance Improvements

Symantec posted some performance numbers touting the improvement of SEP11 MR3 over MR2 and even SAV 10.
The slides are posted here.

EFS and SEP11

Occasionally when I try to open EFS encrypted text files on my Windows XP PC, the files are not decrypted and appear to be corrupt. If I reboot, I’m able to access the files again. These occurrences began when I installed Symantec Endpoint Protection 11 MR2.
A review of the Symantec Forums and Knowledgebase isn’t particularly helpful. MR4 is rumored to be coming out in December, maybe that will help. Fortunately the problem is rare. I haven’t had a user report it yet, though I’ve seen this a couple of times myself.

SEP11 and CPU usage on Virtual Machines

Since deploying Symantec Endpoint Protection (SEP) 11 MR2 MP1, I’ve been fielding complaints from the System Administrator that the virtual machines are running 20-30% higher in total CPU usage than before the upgrade. He says that SMC.exe, a SEP11 process, is the culprit. SMC.exe is the process for administrative communication. So it seems odd that it would be constantly using so much CPU.
I first checked the Symantec Forums (forums.symantec.com) and found some people with the same problem but no solutions.
First I found an old problem. It seems that in the initial release, when no user is logged in, SMC.exe would average 50% of the CPU. It’s my guess that this is only partially fixed. It looks to me like with MR2, when a user is logged in CPU usage for SMC.exe is 0-10% and with no user logged in it is 10-20%. The SA doesn’t agree with my assessment due to some spikes in SMC, but I think those spikes are explainable by definition downloads or spikes right after logging in.
People in the forums also suggested turning things off. The problem is most of those things are already off in my environment. I don’t believe in tamper protection. Proactive Threat Protection shouldn’t be installed on servers either. I did turn off location awareness which I wasn’t using anyway, and the application monitoring. I also changed the communications from push to pull and from every 5 minutes to every 60 minutes.
Nothing I changed helped. I even tried upgrading a server to MR3 to see if that would help.
Having done all I could I opened a case with Symantec. At this point, the case has been open over a week. I’ve gathered logs for them, but there hasn’t been a resolution yet.

SyKnApps update for SEP11

Symantec released a SyKnApps update last week for Symantec Endpoint Protection 11. The update notice I received didn’t say much, just that “The new revision of
SyKnApps improves the performance and overall functionality of TruScan.” The email also said the update was available through liveupdate.
I had been wondering if the update would reach SEP clients who get their updates from a corporate SEPM server. By comparing file versions, I found that it appeared my internal clients did get c:\documents and settings\all users\application data\symantec\syknapps\syknapps.dll updated.
A Symantec KnowledgeBase article confirms this belief. It specifically says running liveupdate on SEPM will update the clients. It also confirms that this update fixes the cosmetic bug where the SEP client GUI displays the Proactive Threat definitions as July 30th.

Guardian Edge Hard Disk Encryption 8.7 , SEP 11 and IP6 over IP4

I am planning to upgrade to Guardian Edge Hard Disk Encryption 8.7. It’s been over a year since we deployed 8.2.4 and I wanted to get some of the assorted fixes out to our computers.
While reading the release notes, I noticed a known issue with Symantec Endpoint Protection 11.

“Following the installation of GuardianEdge Hard Disk on the Client Computer, a Network Threat Protection message may be displayed, alerting the end user to a change in the EAFRCliADSI application.”

The solution is to allow IPv6 over IPv4.
Personally I am not a big fan of this solution. Until I have a personal firewall that works with IPv6, I think we should default deny it. Until there is a need for IPv6, we should default deny it.
The solution doesn’t adequately explain the problem to me. I don’t use SEP11 to monitor what applications can go out (management overruled me). I’m thinking users would never be alerted if an application changed. Thus their workaround should be unnecessary.
I called support but that only resulted in a guy reading the release note back to me. I guess I’m going to upgrade the server and install 8.7 on my computer and see what happens.