Channel: Symantec Connect - Security
Viewing all 5755 articles

Cannot configure NIC teaming (LACP mode) on a server running SEP client 12.1.x

I need a solution

Dears,

I have a Windows Server 2008 running BACS (Broadcom NIC driver). Before I installed SEP Client 12.1.x, my computer worked normally with NIC teaming in LACP mode (2 NIC cards of the server connected to 2 ports of a Cisco switch running LACP mode). But after installing it, NIC teaming does not work: the Cisco switch shows the port is up but the port protocol is down. Does the SEP Client prevent the LACP protocol in NIC teaming mode? Do you have any solution for my problem? Thank you very much!

Application whitelisting for Unix IPS Policy

I need a solution

Hi All,

We are in the process of implementing an IPS policy on Unix servers. These servers have different applications running. We have already applied the sym_unix_protection_sbp policy in disabled mode (the policy will log any event and send it to the DCS server but won't block any violation).

I would like to know the best way to go about whitelisting the applications/processes using sym_unix_protection_sbp so that no running application gets affected.

I would appreciate it if someone could share any document or method for doing the whitelisting that can be used for this.

Thanks in advance !!!

MessageLabs certificate

I need a solution

Hi All,

One of our clients is using Symantec DLP deployed on premises, and they also use Symantec.Cloud (formerly known as MessageLabs) for email. The deployment of the email infrastructure is as below:

sender user --> Exchange --> Symantec DLP --> Symantec.Cloud --> recipient user

In order to establish TLS between Symantec DLP and .Cloud, we have to import the .Cloud cert into the DLP server keystore (a requirement for the integration as per the Symantec integration guide). We have already downloaded and imported the .Cloud cert.

The Symantec.Cloud cert which we have imported is set to expire in 2018. My question is, how shall we get to know when Symantec will be renewing the Symantec.Cloud cert, which we need to import into the DLP server keystore manually? Can we get a notification when a new cert is available, or is there any best practice?

Note: the Symantec.Cloud cert needs to be imported manually into the DLP server keystore, and if we don't import a valid Symantec.Cloud cert before the current one expires, email flow will be interrupted.

I appreciate any input.

Distinguish Between Standard and Dark Network Clients

I need a solution

I am trying to find some place that will tell me which type of SEP 14 client is installed on any given computer. Every client view displays, at most, the client version and policy serial number. Similarly, I have not found a report that lists the client type. The only place I've found the information is an individual client's properties, which is not very useful.

I have to think I'm missing something; I'd really appreciate someone telling me what it is.

Thank you!

SEPM Upgrade to 12.1 RU6 MP8

I need a solution

Hi,

I have SEPM 12.1.6 (RU6) - 12.1.6168.6000 with clients of different versions (like 12.1 RU6 MP8, MP4 etc.). I want to upgrade SEPM to 12.1.6 (RU6 MP8) 12.1.7266.6800.

My questions are what precautions (other than backing up the database) I should consider before making an in-place upgrade.

1. Do I need to withdraw policies - if not, after upgrade will the policies be intact?

2. What about the groups? 

3. Do I need to backup server private key?

4. How can I prevent restarting of SEPM PC after the upgrade?

5. If (worst case) the upgrade fails, how can I restore SEPM to the state before the upgrade?

Thanks,

Freeze after upgrading DLP Agent to 14.6 GA

I need a solution

Hi All,

I spent almost two weeks spinning around and I still can't find a solution. Let me explain what exactly is going on right now.

So I have a few thousand workstations with Windows 7; on these machines end users are using a Java-based application. Previously, when we were using DLP Agent 12.5, everything was just OK; once we switched to 14.6 GA, strange things started to happen. On the above machines, when the end user launches the application, the whole Windows system freezes totally.

The only way to restore Windows to life is to turn the machine off and on with the power button. When this issue occurs there is no warning message, no error message and no BSOD; it just freezes.

This issue is only visible for a specific group of users who use the mentioned Java-based application. Let me tell you what I have done so far:

1. I checked the agent configuration; it looks the same as on machines where this problem doesn't exist.

2. I checked the Java-based application logs and found that when this issue appears there is one error message, java.net.SocketException (no other info like connection errors etc.).

3. On the agent side there are no crash dumps etc., just nothing.

4. I ran a simple test: I took one machine which is affected by this issue and disabled all detection channels on the agent side, and the issue was gone. However, I also enabled them one by one to find out which one is causing this strange behaviour, but still no luck: no matter which one I enable first, whether Printer/Fax or CD/DVD, the issue is back again.

5. I tried to generate a Windows memory dump (I found a few technical documents in the Symantec KB on how to set it up), but because Windows is freezing, memory dumps are not being generated.

6. The DLP Agent version is the same as the Enforce and EPS server version.

I have a support case with Symantec support, but they suggested checking whether the issue is also visible with DLP Agent 14.6 MP2. I haven't checked it yet and I am going to, but what if the issue is still reproducible? That's why I am writing here: maybe someone else on this forum had the same problem and found a way to solve it? It's really very strange, because I am using the same configuration for the DLP Agent as for the 12.5 agent which was installed in the environment previously (additionally, when I roll back the DLP Agent on an end user machine to 12.5, the issue is also gone).

Really, thank you all for your help in this case. I hope that someone will be able to give me a hint or advice on how to solve it finally.

UNITEDRAKE malware?

Manage ProxySG WebUI with Radius user

I need a solution

Hi Guys,

I have been trying to let RADIUS users log in to the ProxySG management UI but am unable to.

An Admin Authentication layer and a rule to the RADIUS server have been added.

An Admin Access layer and a rule specifying Read/Write access for all RADIUS users have been added.

I tested RADIUS login via Configuration > Authentication > RADIUS > Test Configuration and it is successful.

However, I am unable to log in to the web UI at https://x.x.x.x:8082 with my RADIUS credentials, which were successfully tested under the Test Configuration setting. Is there anything else that I missed? I can't find any KB on this for ProxySG. I am using 6.5.10.4. I appreciate any help on this!

Thanks :)

Anti spoofing rule

I do not need a solution (just sharing information)

Hi,

I am having some difficulty blocking email that spoofs my domain. What is the best way to block these emails?

Thanks.

Oracle Database Multiple Vulnerabilities (July 2017 CPU) (POODLE) (SWEET32)

I need a solution

Where can I find the Oracle fix / download for this vulnerability? We have the Oracle licenses through Symantec.

Oracle Database Multiple Vulnerabilities (July 2017 CPU) (POODLE) (SWEET32)

Synopsis

The remote database server is affected by multiple vulnerabilities.

  • Description

    The remote Oracle Database Server is missing the July 2017 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities :

    - A man-in-the-middle (MitM) information disclosure vulnerability, known as POODLE, exists due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
    (CVE-2014-3566)

    - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.
    (CVE-2016-2183)

    - An unspecified vulnerability exists in the RDBMS Security component that allows a local attacker to impact integrity. Note that the attacker would need to have Create Session or Select Any Dictionary privileges.
    (CVE-2017-10120)

    - An unspecified vulnerability exists in the OJVM component that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability.
    Note that the attacker would need to have Create Session or Create Procedure privileges. (CVE-2017-10202)

  • Solution

    Apply the appropriate patch according to the July 2017 Oracle Critical Patch Update advisory.

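The two protocol findings above are generic TLS findings rather than anything Oracle-specific, so the check that travels is the one below: an added shell example (not from the post, the scanner, or Oracle) that audits an OpenSSL cipher string for the 64-bit-block suites SWEET32 applies to and computes the volume of data under one key at which the birthday bound becomes a practical concern. POODLE is a protocol-version problem (SSL 3.0 still enabled) rather than a cipher-string problem and is not covered by this script. The cipher strings are illustrative and are not sqlnet.ora syntax; for the database listener itself the fix is the July 2017 CPU, as the finding says.

```shell
#!/bin/sh
# Added example (not from the post or from Oracle). SWEET32 only applies to
# suites whose bulk cipher has a 64-bit block, so the audit is: which suites
# in a cipher string use 3DES, single DES, Blowfish or IDEA, and how much
# ciphertext under one key the birthday bound needs. Assumes the openssl CLI
# is on PATH. The cipher strings below are illustrative, not Oracle syntax.
set -eu

# One line per suite: name, protocol version the suite was defined for, and
# the bulk cipher column ("Enc=3DES(168)", "Enc=AESGCM(256)", ...).
list_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '{ print $1, $2, $5 }'
}

# Suites whose bulk cipher has a 64-bit block: 3DES, DES, Blowfish, IDEA.
sweet32_suites() {
    list_suites "$1" | awk '$3 ~ /^Enc=(3DES|DES|BF|IDEA)/ { print $1 }'
}

count_lines() { wc -l | tr -d ' '; }   # portable line count for the checks

# Bytes of ciphertext under one key at which a block collision reaches about
# 50% probability: n = sqrt(2 ln 2 * 2^b) blocks of b/8 bytes each.
birthday_bytes() {   # $1 = block size in bits
    awk -v b="$1" 'BEGIN { n = sqrt(2 * log(2) * 2^b); printf "%.0f\n", n * b / 8 }'
}
birthday_gib() {     # same threshold expressed in GiB
    awk -v B="$(birthday_bytes "$1")" 'BEGIN { printf "%.1f\n", B / 2^30 }'
}

PERMISSIVE='ALL:!aNULL:!eNULL'                               # an old-style default
HARDENED='HIGH:!aNULL:!eNULL:!3DES:!DES:!RC4:!IDEA:!MD5'     # 64-bit blocks excluded

main() {
    echo "64-bit-block suites in PERMISSIVE:"
    sweet32_suites "$PERMISSIVE" | sed 's/^/  /'
    echo "64-bit-block suites in HARDENED: $(sweet32_suites "$HARDENED" | count_lines)"
    echo "birthday bound, 64-bit block:  $(birthday_gib 64) GiB under one key"
    echo "birthday bound, 128-bit block: $(birthday_gib 128) GiB under one key"
}
main
```

A 64-bit block cipher crosses the 50% collision mark after roughly 38 GiB under a single key, which a long-lived database session can reach; a 128-bit block cipher needs on the order of 10^11 GiB, so removing the 64-bit-block suites is the fix and the larger the blocks the less renegotiation matters. Builds of OpenSSL that compile 3DES out will simply list nothing under PERMISSIVE.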
how to get logs of Laptop in SEPM without VPN

I need a solution

In our company we have laptops for the sales department, and the sales team mostly travels outside. My requirement is: can I get the logs of those laptops in SEPM (in our office) without VPN when these laptops connect through the internet outside my office? Is it possible?

How a Leading Innovator Protects Intellectual Property


As CIO for the Williams Group, I think a lot about how to secure our information and intellectual property – and we clearly generate a ton of it.

During a typical race weekend, our Formula One team generates about 60 gigabytes of telemetry and 80 gigabytes of additional data, delivering a total of 140 GB that requires analysis in order to determine each critical decision made throughout each practice session, qualifying, and the race on Sunday.

That’s just the half of it.

Throughout qualifying and races, our team also needs to relay that massive amount of data back to our UK headquarters in real time for analysis. All the while, our engineers working in the race pits are accessing streams of information on their laptops to make on-the-spot recommendations on the timing of pit-stops, making fractional front and rear-wing adjustments, and to constantly tune vehicle performance.

So when I say that our company thrives on its intellectual property, this is far beyond being a business truism: IP is our organization’s lifeblood and it’s behind our success winning 16 Formula One championships.

As we’ve digitized our operations, we now face escalating threats from cyber criminals. Each year, attackers show increased sophistication and skill in changing up their tactics. We know there’s a steep price to pay for failure. If any malicious outsiders were to get their hands on our car designs or any other of our IP, it would put Williams’ competitive advantage at dire risk.

A breach would also risk dealing a blow to our reputation for safeguarding the closely-held secrets of partners and customers who regularly share their intellectual property with us. In addition to our own Formula One race car division, Williams Advanced Engineering group also works with a range of other industries.  

For instance, we partnered with Jaguar Land Rover to produce the Jaguar C-X75. Film-goers may recognize it as the vehicle used by one of the bad guys in the film, `Spectre,’ chasing James Bond through the streets of Rome. We also do work in aerospace, medical sciences, defense and a range of other industries where partners rely on us to maintain a safe and secure supply chain and meet strict security requirements governing the handling of their most valuable information. 

Keeping Users Secure

I often get asked what keeps me up at night. There's only one thing I really worry about: Losing data. It’s what I hate the most.

That job has become increasingly fraught given the multiplicity of digital endpoints that we now need to protect, and exacerbated by the fact that our teams are frequently on the road, where they connect via mobile devices in order to access Williams’ intellectual property. Roughly 60% of our workforce regularly now works away from the home office and they need to be able to download data safely from anywhere in the world.  

Given the different types of data and intellectual property we’re regularly involved with, we put a premium on finding a way to ensure that our users remain secure, no matter where they work and no matter what networks they use.  

In the past, we only had antivirus to protect the endpoints. There was no intrusion prevention or detection system at all. So last year, we partnered with Symantec to help us deal with these myriad endpoint security needs and fill the gaps in our network defense.

Symantec’s breadth of intrusion prevention and detection technology made an immediate impact. Our first race of the 2016 season marked the first time that we had endpoints that I felt were fully protected. With Symantec Endpoint Protection and Endpoint Encryption, which were deployed at the same time, everyone on our team who went to Australia for that race had fully protected endpoints they could trust.

Endpoint protection involves a lot more than just loading antivirus onto our systems. Here’s an example:

One of our laptops was stolen during the Italian Grand Prix at Monza in September 2016. In the past, we would have had to escalate that kind of incident to the boardroom since the theft of data kept on those machines could potentially compromise our IP. Not this time. Symantec’s technology completely enveloped all the data stored on the stolen device in the protective shield. The thieves had one of our machines in their possession, but they had no way to access what was inside. Symantec’s endpoint protection technology had made it impossible for outsiders to access any of our information.  

We’ve also extended Symantec Endpoint Protection to safeguard our virtual machines and cloud, where a lot of our intellectual property gets stored. That came in handy when attackers subsequently tried to hack into our cloud. Symantec Endpoint Protection detected the attempt and sent out an alert. The upshot: We foiled their attempt to access our data, bring down our systems or use them as bots, which is probably what they were trying to do.

The partnership with Symantec has translated into a vastly improved risk management posture–which further enhances our reputation and enables us to give customers and partners even more confidence in our ability to protect their IP. Symantec has equipped Williams with the necessary tools and technology so that we can turn to our customers and assure them that, "Your data is safe with us."

Learn more about how Symantec protects Williams on our dedicated microsite.

How to allow USB devices for specific user

I need a solution

I want to allow USB devices for a specific user, and my SEPM is not integrated with AD.

Is it possible, without AD user sync, to make a user-based USB policy? On a single computer two users log in: user A is allowed USB and user B is blocked.

documentation on binding the SSL to loopback for Sym DLP

I need a solution

Nessus scans showed the following 3 vulnerabilities; they are related to the SSL certificate, and I need assistance with the SSL cert loopback configuration.

Plugin   Plugin Name
45411   SSL Certificate with Wrong Hostname
51192   SSL Certificate Cannot Be Trusted
57582   SSL Self-Signed Certificate

===============

SSL Certificate with Wrong Hostname (45411)

Synopsis: The SSL certificate for this service is for a different host.

Description: The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Solution: Purchase or generate a proper certificate for this service.

================

SSL Certificate Cannot Be Trusted (51192)

Synopsis: The SSL certificate for this service cannot be trusted.

Description:

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution: Purchase or generate a proper certificate for this service.

====================

SSL Self-Signed Certificate (57582)

Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Solution: Purchase or generate a proper certificate for this service.

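The three findings above are fixed together by one certificate that chains to a CA the scanner trusts and names the host the scanner connects to. The shell script below is an added example (not from the post or from Symantec DLP documentation): it builds a throwaway private CA, issues a server certificate whose SAN carries the scanned hostname, generates the kind of self-signed CN-only certificate that triggers plugins 45411/51192/57582, and runs the same chain-and-hostname verification a scanner performs. The hostname `dlp-enforce.example.internal` and the CA name are assumptions; importing the issued certificate and key into the DLP server's keystore is product-specific and not shown.

```shell
#!/bin/sh
# Added example (not from the post or from Symantec DLP docs): reproduce the
# three Nessus certificate checks locally with the openssl CLI.
#   45411  wrong hostname     -> SAN must carry the name the scanner connects to
#   51192  cannot be trusted  -> chain must end at a CA the scanner trusts
#   57582  self-signed        -> the leaf must be issued by a CA, not by itself
# Assumptions: openssl on PATH; HOST and the CA name are made up for the demo.
set -eu

HOST="${HOST:-dlp-enforce.example.internal}"   # assumed: the scanned hostname
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_cnf() {   # $1 = file, $2 = CN
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > "$1"
}

# Private CA: a self-signed root with CA:TRUE. This is the certificate the
# scanner must be told to trust (or use the organisation's existing CA).
make_ca() {
    write_req_cnf "$WORK/ca.cnf" "Example Internal CA"
    cat >> "$WORK/ca.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf certificate for the scanned host, issued by the CA. The SAN is what
# validators match against; a CN alone is ignored by modern checks.
make_server_cert() {
    write_req_cnf "$WORK/srv.cnf" "$HOST"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/srv.cnf" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$HOST" > "$WORK/srv.ext"
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/srv.ext" \
        -out "$WORK/srv.pem" 2>/dev/null
}

# The certificate the scanner complained about: self-signed, CN only, and
# issued for a different name than the one being scanned.
make_bad_cert() {
    write_req_cnf "$WORK/bad.cnf" "localhost"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/bad.cnf" -keyout "$WORK/bad.key" -out "$WORK/bad.pem" 2>/dev/null
}

# Chain and hostname check, as a client or scanner performs it.
# Exit 0 only when the chain ends at ca.pem and the name matches the SAN.
verify_cert() {   # $1 = certificate file, $2 = expected hostname
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

main() {
    make_ca; make_server_cert; make_bad_cert
    openssl x509 -in "$WORK/srv.pem" -noout -subject -issuer
    if verify_cert "$WORK/srv.pem" "$HOST"; then
        echo "srv.pem: trusted chain and matching hostname (clears 45411/51192/57582)"
    fi
    if ! verify_cert "$WORK/bad.pem" "$HOST"; then
        echo "bad.pem: self-signed and wrong name (what the scanner flagged)"
    fi
}
main
```

Either issue the real certificate from the organisation's existing internal CA or give the scanner `ca.pem` as a trusted custom CA; with a public CA neither step is needed. If the service is bound only to loopback, what the scanner can reach is a separate question and does not change what the certificate has to contain: the SAN must name whatever host the scanner (and every real client) uses to connect.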
How to disable pop up notification in SEP for host integrity

I need a solution

When I apply Host Integrity to any group, all computers inside the group start getting the pop-up notification "security compliance scan failed", and clients start calling the support team saying they have some problem. May I know whether it is possible to disable this notification on the client?

Restore a 2012 R2 VM using BE 16 with SEP 12.1.6

I need a solution

Hi all,

I'm currently testing a new 2012 R2 hypervisor with two 2012 R2 VMs before putting it into production,

and noticed that when running a restore job on the 2012 R2 file server VM I get error code E00084F9.

However, if I disable the SEP 12.1.6 installed on that VM, the restore job goes through.

Are there any exceptions that I need to create in the SEP firewall for the BE 16 restore jobs?

The backup jobs are running fine with SEP active on both the hypervisor and the VMs.

Thanks

"May we access your computer?"

I need a solution

Friday Sept 8, at home (I'm retired), phone call from outside US: "Hi [Pretty sure didn't greet me by name], we're from Symantec. Our monthly report to you [Antivirus? Endpoint?] has been blocked. Do you have a problem there? May we access your computer to see what's blocking us? Shouldn't take longer than 20 minutes or so."

Unfamiliar with Symantec procedures, I begged off--doctor's appt--said why not call Saturday? They said sure. The last I heard from them.

Were they for real?

Windows 7 Enterprise Editions Shows Windows Vista Enterprise in Computer Status logs

I need a solution

After migrating to SEP 14.0 MP2 from SEP 12.1 RU6 MP6, Windows 7 Enterprise editions show as Windows Vista Enterprise in the Computer Status logs,

and also in the Client Inventory report. The clients are still on SEP 12.1 RU6 MP6. When we view the clients in Groups, it shows Windows 7 Enterprise editions.

We have opened a case with Symantec Support and uploaded SymDiag logs.
