News

Infocus: Enterprise Intrusion Analysis, Part One

Security Focus - Tue, 02/07/2012 - 17:00
Enterprise Intrusion Analysis, Part One

Infocus: Responding to a Brute Force SSH Attack

Security Focus - Tue, 02/07/2012 - 17:00
Responding to a Brute Force SSH Attack

Infocus: Data Recovery on Linux and ext3

Security Focus - Tue, 02/07/2012 - 17:00
Data Recovery on Linux and ext3

Infocus: WiMax: Just Another Security Challenge?

Security Focus - Tue, 02/07/2012 - 17:00
WiMax: Just Another Security Challenge?

Gunter Ollmann: Time to Squish SQL Injection

Security Focus - Tue, 02/07/2012 - 17:00
Time to Squish SQL Injection

Mark Rasch: Lazy Workers May Be Deemed Hackers

Security Focus - Tue, 02/07/2012 - 17:00
Lazy Workers May Be Deemed Hackers

Adam O'Donnell: The Scale of Security

Security Focus - Tue, 02/07/2012 - 17:00
The Scale of Security

Mark Rasch: Hacker-Tool Law Still Does Little

Security Focus - Tue, 02/07/2012 - 17:00
Hacker-Tool Law Still Does Little

More rss feeds from SecurityFocus

Security Focus - Tue, 02/07/2012 - 17:00
News, Infocus, Columns, Vulnerabilities, Bugtraq ...

Intrusion Prevention For Google Chrome Application

Symantec Security Response - Tue, 02/07/2012 - 00:30
I need a solution

We found that Google Chrome was logged by the SEPM Network Threat Protection and Compliance Event. I would like to know whether Google Chrome does contain some malicious traffic, or whether it was just SEPM misidentifying the traffic and triggering the alarm.

Configure DLP Email Prevent

Symantec Security Response - Mon, 02/06/2012 - 14:30
I need a solution

I am configuring email prevent with google mail for my company. Exchange was easy and we configured a load balancer correctly and got it to work right off the bat.

Our DCS group is now having issues configuring an F5 to forward the mail through our Email Prevent server. They say that our F5 cannot see the server, and they believe that it is because the port is not configured correctly on Email Prevent. The only port that I can think of is under Configure, and it says port 8100. I tried to set it to port 25, but it will not go that low. Also, I have turned the Windows firewall off until we can figure this out.

Has anyone had any issues setting up an F5 as a load balancer to forward mail to the Email Prevent server? Did I miss any configuration?

LiveUpdate returned a non-critical error

Symantec Security Response - Mon, 02/06/2012 - 10:40
I need a solution

Time            Severity  Event Type                                Description
2/5/2012 16:14  Warning   LiveUpdate manual task failed             LiveUpdate failed.
2/5/2012 16:14  Warning   LiveUpdate All process failed to launch   LiveUpdate encountered one or more errors. Return code = 4.

Yesterday I faced the above LiveUpdate issue, and at that time I got a resolution, but today I still have not received the update, and the event below has been generated on the server. Please help.

LiveUpdate returned a non-critical error. Available content updates may have failed to install.

SEP client version newer than SEPM version

Symantec Security Response - Mon, 02/06/2012 - 09:02
I need a solution

Hi,

I would like to know if there will be any problems with using version 11.0.6300.803 on the SEPM and a newer/the newest version 11.0.7000.975 on the client side. The background for this configuration is that I will stay at 11 RU6 MP3 because of the direct upgrade path to version 12.1. The newest client version showed up some time ago on the console, and with that I will push that version to all my clients.

Regards

Stefan

Symantec Endpoint Protection Suite Enterprise Edition 12.1

Symantec Security Response - Mon, 02/06/2012 - 08:45
I do not need a solution (just sharing information)

Our clients use the Kofax Capture 9.0 software for scanning all types of paper. Our main Kofax server onsite handles the administration functionality and routes the batches (documents) to the clients' database so they can be used for retrieval. Recently our IT department informed me they will be installing Symantec Endpoint Protection Suite Enterprise Edition 12.1 on our web server and main Kofax server. This makes me worried.

This Kofax software is very sensitive. I was wondering if Symantec had any documentation/configuration guides that would have any important info regarding this (i.e. getting started guide, developer's guide, etc.)?

I did find this on Kofax's website. QAID 11948 lists some directories that should be excluded.

http://knowledgebase.kofax.com/faqsearch/results.aspx?QAID=11948

I'm a little worried that when a batch passes through our KFXAC server, the antivirus software might think the batch is a virus and will block it. I know when you install antivirus you can enable a feature called network intrusion prevention. This basically acts like a firewall, but it could potentially stop our Kofax client/server communication.

If there is anyone out there that knows about this please let me know as we are installing this software soon.

SEP smb 12.1 SONAR issues

Symantec Security Response - Mon, 02/06/2012 - 08:23
I need a solution

We are experiencing some problems with SEP small business edition 12.1 (clients are running SEPM version 12.1.671.4971).

We receive a lot of emails regarding "Access denied SONAR" c:\windows\system32\svchost.exe" 

I have no idea which program may be the cause of this warning. We have no VPN client software running. Maybe it is the network driver, or another third-party program...

The problem is that you can only enable or disable the SONAR feature in the SMB edition. In the Enterprise edition you can change the behavior when a risk such as the one listed above is detected (see image below). We have to find the program that causes this, or disable SONAR completely, to get rid of the warnings.

I've created a case with Symantec to ask if there is a way to list the process ID from the svchost.exe. After weeks of troubleshooting, they suggested upgrading to the Enterprise edition. There is no way to log more information in the SMB edition.

First, Symantec told me that my policies were corrupt; they found some settings which it should not be possible to set in the SMB edition. This was a clean installation, not an upgrade, so I don't understand this. The next step (I had to do this a few times) was to collect logs on both the server and the affected clients. Nothing was found. I also had to collect some Process Monitor logs. But a few days later, they told me I had to look in the logs myself. Symantec doesn't support procmon, but they asked me to send it to them in the first place...

Clients ver. 12 not take updated definitions from SEPM 11

Symantec Security Response - Mon, 02/06/2012 - 08:03
I need a solution

Hi,

I have SEPM ver. 11.0.6005, and after updating some clients to 12.1.1000 they do not take the latest definitions, while all the 11.0.6005 clients take the definitions without any problems. How can I force the update to the 12.1 clients?

Thank you

Virus Files that SEP doesn't catch

Symantec Security Response - Mon, 02/06/2012 - 07:49
I need a solution

Hello,

I'm using Symantec Endpoint Protection 11.0.6 version in my enterprise, with 3000 active users on it.

So, I have a question about SEP's antivirus solution: there exist some kinds of viruses in our LAN which Symantec doesn't see and doesn't recognize these files as viruses. We've found these files not on two or four users' machines; they exist on almost half of the Endpoint members.

In general, the case deals with two virus files: ACC1.exe and Worm.Win32.Generic.

As for ACC1.exe, I submitted this file to the Symantec Security Response team a long time ago, in December 2011, but with no results.

I've also used the site virustotal.com to scan these two files and to ensure they are known as viruses. Symantec's fields in both cases are blank. The outcome is the following:

empty list for old product version

Symantec Security Response - Mon, 02/06/2012 - 07:11
I need a solution

Hi

I want a list of old product versions that exist in the network.

I am getting this report in the Monitor tab in the following way,

but the report is empty.

After getting many different reports I added "\*" in the group section, and it gave me about 6 clients that have older versions.

I mean like the following: "My Company\Clients\*".

But when I check in Clients tab --> Double Click on client --> Client tab -->

I found about 100 clients that have older version products like MR6MP3, MR5, MR4MP2 and so on.

Can you please help me solve this problem?

Is my reporting wrong, or is there a problem?

Thanks

DLP Sizing Guidelines

Symantec Security Response - Mon, 02/06/2012 - 07:04
I need a solution

Hello,

We have DLP with the Network Discover and Endpoint Prevent modules for 500 nodes. I need the sizing and long-term retention (archiving) guidelines, as well as database maintenance guidelines, to use in our environment, especially since we've recently purchased an additional 3500 licenses and are very concerned about storage and data retention needs. For our 500 users, the DB size is approaching 150 GB for a period of only about 6 months!

Any KB article or user manual will be absolutely appreciated.

Thanks.

- Moh

SSIM Base servers

Symantec Security Response - Mon, 02/06/2012 - 06:20
I need a solution

I have a configuration whereby 90% of it will be in Site A, with 10% of devices in Site B, and a further 2 network devices in Site C.

Site A and B are in the same country. C is in a different one.

How does this impact the number of Base SSIM Servers required? Will I need a base SSIM server per location, or per region?
