Channel: Symantec Connect - Security

Sequence Makes Sense


Introduction

This is the fourteenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

With the cross-referencing trick illustrated in this article, you will swiftly be able to determine if your Symantec products have the definitions necessary to combat a new threat.

There is also mention of funny cat photos.  The Internet was invented to facilitate the sharing of cat pictures.

What Are You Talking About, Mick2009?

Every new set of definitions released by Symantec Security Response has a unique numerical designation called a Sequence.  Every Rapid Release set has one, every Certified set of definitions has one: everything.  Each new sequence includes all detections that have gone before it.  So: the higher, the better.

Virus Definition Update FAQ
http://www.symantec.com/docs/TECH103326

Here's an illustration of where this can get confusing: let's say I have just identified a suspicious file on one of my office's computers and submitted it to Security Response for examination.  I have then isolated the computer from the network (pulled its network cord) to keep the potential threat from spreading or the hacker from exfiltrating all the .jpgs of my co-worker's cat that are on this workstation.  (Why so many personal pictures on a business machine, anyway?  Isn't their smartphone a better place for snaps of Bobbins?)

Before I can finish my lecture about the proper use of company property, Security Response have confirmed that my submission was indeed malware and sent a CLOSING mail with details, "Protection available in Rapid Release Sequence Number: 178940 or greater."

sequence_1.png

I need Sequence 178940 or higher in order for a scan to detect and remove that newly-discovered threat: good news!  Looking through the Symantec Endpoint Protection 12.1 client GUI, though, the only Sequence numbers I can find look completely different: how do I know if this computer is protected by the definitions on there?

sequence_2.png

I've Seen That Somewhere Before, Though....

The Sequence listed there under Troubleshooting is actually the definition date and revision, with the first two digits of the year dropped: 160627001 is 2016-06-27, revision 001.

This is displayed in a more user-friendly way on the main SEP 12.1 GUI: 27 June 2016 r1

sequence_5.png

Yes, this is a completely different Sequence.  The Sequence Number from the Closing mail is not displayed anywhere in the SEP client GUI.

Now It All Makes Sense

Luckily there are online resources where the Sequence number from the Closing mail is listed side-by-side with the human-readable date-and-revision information.  The first is Security Response's page about Certified Definitions - Detections Added.

sequence_3.png

Checking that, I can see that the Sequence Number of the June 27 2016 revision 1 definitions on this client are too low to detect this new threat.  That date and revision corresponds to Sequence 178934.  I need Sequence 178940 or higher, remember.  Running LiveUpdate will check for new Certified definitions, but a set which includes the necessary protection is not expected for several more hours.  (Usually, there are three Certified sets each weekday.)
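As an added example (not code from this article or from Symantec), here is the cross-reference above done in Python: the Troubleshooting stamp is decoded as YYMMDDrrr, rendered the way the GUI shows it, and looked up in a table standing in for the Detections Added pages. Only the 2016-06-27 r1 to 178934 row comes from the article; the other rows are constructed placeholders.

```python
"""Cross-reference a SEP client's definition stamp with the Security Response
Sequence number quoted in a submission Closing mail. Added example; the table
below stands in for the "Detections Added" pages, which hold the real values."""
from datetime import date

# Constructed lookup table: (definition date, revision) -> Sequence number.
# Only the 2016-06-27 r1 row is stated in the article; the rest are made up.
DETECTIONS_ADDED = {
    (date(2016, 6, 26), 3): 178931,  # constructed
    (date(2016, 6, 27), 1): 178934,  # from the article
    (date(2016, 6, 27), 2): 178938,  # constructed
    (date(2016, 6, 27), 3): 178941,  # constructed
}


def parse_client_stamp(stamp: str) -> tuple[date, int]:
    """Decode the 9-digit value shown under Troubleshooting (e.g. '160627001').

    Layout is YYMMDDrrr: two-digit year, month, day, then a 3-digit revision.
    """
    if len(stamp) != 9 or not stamp.isdigit():
        raise ValueError(f"expected 9 digits in YYMMDDrrr form, got {stamp!r}")
    yy, mm, dd, rev = int(stamp[:2]), int(stamp[2:4]), int(stamp[4:6]), int(stamp[6:])
    return date(2000 + yy, mm, dd), rev


def gui_label(stamp: str) -> str:
    """Render the stamp as the main SEP 12.1 GUI shows it: '27 June 2016 r1'."""
    d, rev = parse_client_stamp(stamp)
    return f"{d.day} {d.strftime('%B')} {d.year} r{rev}"


def client_sequence(stamp: str) -> int:
    """Map a client stamp to its Security Response Sequence via the lookup table."""
    key = parse_client_stamp(stamp)
    if key not in DETECTIONS_ADDED:
        raise KeyError(f"{gui_label(stamp)} is not in the Detections Added table")
    return DETECTIONS_ADDED[key]


def is_protected(stamp: str, required_sequence: int) -> bool:
    """True when the client's definitions are at or above the Closing-mail Sequence."""
    return client_sequence(stamp) >= required_sequence


if __name__ == "__main__":
    # The article's scenario: client shows 160627001, Closing mail says 178940 or greater.
    print(gui_label("160627001"), "->", client_sequence("160627001"))
    print("protected:", is_protected("160627001", 178940))  # False: need newer defs
```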

I could keep that infected computer isolated until Certified definitions become available, but that is not necessary.  I can check on Security Response's page of Rapid Release Definitions - Detections Added to see if the protection with Sequence 178940 or higher is available.  Hey, I am in luck!

sequence_4.png

Rapid!

Definitions which will clear the infection are available via http or FTP.  (FTP is the recommended protocol for large downloads.) 

  • Tip Number One: Download the very latest!  You don't need the exact sequence from the Closing mail; anything higher will do. 
  • Tip Number Two: There's a little newdefs.txt file which provides a human-readable description of the latest Rapid Release definition set's date and revision.

This article will help to deploy this Rapid Release protection throughout the organization:

How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article URL http://www.symantec.com/docs/TECH102607

Or the "RR defs" (as they are popularly known) can be applied to a single client:

How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article URL http://www.symantec.com/docs/TECH104979

Now is the time to check that the definitions have been applied, by confirming the new date displayed in the SEP GUI (cross-reference it against the Rapid Release Definitions - Detections Added page to confirm a high enough Sequence), and then scan away! 

The threat is soon detected and eliminated, and the computer can safely be joined to the network.  I'm back in business!  The day-to-day enterprise of emailing funny cat pics around can continue without further interruption.

bobbins.png

Conclusion

Many thanks for reading!  Bobbins and I hope this article helps. Please leave comments and feedback below. 


SEPM LU policy with GUP enabled


Hello,

I have the following question. We have 1 LiveUpdate policy with Multiple/Explicit GUP enabled and it is applied to the whole environment.

Max time after which clients will bypass the GUP (if it is not available) and go to the SEPM for updates is set to 4 hours. So if there are machines which have neither a Multiple nor an Explicit GUP from the policy, does it mean that they will try for 4 hours to connect to a GUP (starting from the top of the GUP list to the bottom, and doing so for 4 hours) and after that go to the SEPM, or, once they go through the list of GUPs and cannot find their GUP, will they go to the SEPM without waiting 4 hours? How is it by design?

Thanks


Which is the last version for SNAC Appliance 6100?


Hi guys!

I just want to know: I have the 12.1.4 ISO for this appliance, but is there a later version? And if so, where can I get it?

Hope anyone can help me.

Greetings!


Malicious app that steals Viber photos and videos found on Google Play

An app called Beaver Gang Counter is attempting to evade security measures using a time-delayed attack.


Malicious app found on Google Play can steal images and videos from Viber

The Beaver Gang Counter app uses a delayed attack in an attempt to evade security checks.


A lot of Symantec Endpoints are vulnerable - Google Project Zero


Hello,

I found this interesting link which I think should be looked at by Symantec developers.

https://googleprojectzero.blogspot.be/2016/06/how-to-compromise-enterprise-endpoint.html

Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.

These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.


As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:


Norton Security, Norton 360, and other legacy Norton products (All Platforms)
Symantec Endpoint Protection (All Versions, All Platforms)
Symantec Email Security (All Platforms)
Symantec Protection Engine (All Platforms)
Symantec Protection for SharePoint Servers
And so on.


Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.


Let’s take a look at a sample of the vulnerabilities we found.

Kind Regards,


Symantec Mail Gateway: description field for approved and unapproved senders


Hello,

We have been using Symantec Mail Gateway 10.5.4 for some time now. We use the Symantec Global sender lists, and more and more domain names or IPs are being blacklisted, so for that reason we sometimes temporarily add IPs as a "locally approved sender IP address".

However, these additions must remain temporary, for as long as it takes the customer to request removal from your blacklists. To make this easier, it would be enough to be able to put a comment next to an approved or unapproved IP address or domain, which would let us note, for example, "remove on 28/06/2016".

Regards,

Romain

Rolling back during install - Windows 10


Hi,

I am trying to install Symantec_Endpoint_Protection_12.1.6_MP3_Win32-bit_Client_EN.exe on Windows 10, but it is rolling back during install.

SEP_INST.log file attached for your kind perusal.

Thanks,

Prathap


cluster5.eu.messagelabs.com[193.109.255.99]:25: Connection timed out


Hi,

I have a Linux mail server with some domains on it, and when sending mails to different recipients I am getting this error message:

connect to cluster5.eu.messagelabs.com[193.109.255.99]:25: Connection timed out

Could you help me clean or verify this?

Server's IP: 

IPv4 148.251.90.206

IPV6 2a01:4f8:202:70cd::2

Thank you.


ADC: Define Publisher as argument for processes to allow


Hi everyone,
does someone know the syntax I can use in an ADC policy to allow all processes signed by a defined publisher?

120px_Unbenannt.png

My idea is to permit all processes signed by Citrix in this case.

Thank you,
Caroline


Intrusion Alert - Attacking IP Now Missing from Event Details!!


In the past, I used to be able to go into our endpoint portal, open the Event Details of an Intrusion Alert or warning, and see the IP address of the attacking (source) computer. Once I had that info, I would then go into our firewall and block that IP address (or sometimes a full range). For some reason or another, and I'm not sure when this happened, Symantec did an update or something to the portal/website and the attacking IP information has been removed (see attached) from the Event Detail page. Now the Event page just shows the basic information that comes in the email notice. The attacking IP address was invaluable information to us and one of the main reasons I have chosen to stick with this product through the years.

Can someone at Symantec PLEASE add this information back ASAP!!!???? Either that, or tell me where I can find it? 



Default firewall rules - is there a new Excel-list available? Suggestion for FW-rules needed.


Hello,

I am struggling a little bit with SEP and the firewall rules on a few machines.

A colleague from our subsidiary complained that he was not able to connect to a projector system by USB on a customer's site. Additionally, he has many problems connecting to WLAN hotspots.

With this info I had a look at the default rules that came with SEP and found a rule named "Allow USB over IEEE802" - USB over Ethernet. Is this maybe the missing rule the colleague needed? I have no experience with projectors which run over USB.

What is strange is that another colleague who was attending the same meeting was able to connect to the projector. Same rules on his laptop.

The second thing is the one with the hotspot. What is your experience: are there any exotic systems out there which need special handling in the firewall rules so that the client is able to log in?

The attached picture shows my current rule set for the network location "offline" - that means no connection to the company network. New since this morning are the rules for EAPOL and USB over Ethernet.

Which firewall rules do you use as default or as base rules? Is my "offline" rule set too strong?

Another question: Is a new Excel-list available like this (https://support.symantec.com/en_US/article.TECH180...) but for the newest version?

Your help is much appreciated! Thank you.


Requirement for Symantec DLP 14.5


Hello,

What is the minimum Linux version required to upgrade Symantec DLP to 14.5?


Enable Relaying With Office365 for SEPM


Our organization is in the midst of an Exchange migration from On-Premise to Office365. Relaying from the SEPM console doesn't work so I'm forced to use another cloud based relay. Symantec needs to fix this issue.


VIP Load Balancing (F5 BIG-IP)


I am at a customer that would like to make their VIP installation as redundant as possible, utilizing their F5 BIG-IP load balancers. From the documentation, what I can tell is that there are two components that can be load balanced:

1. Self Service Portal

2. Enterprise Gateway

The Self Service Portal makes enough sense, as it is exposed to the Internet: basically we will make a virtual IP for the multiple Self Service Portals and expose that virtual IP address to the Internet via NAT.

What I don't understand is how to load balance the Enterprise Gateway. This is not exposed to the Internet and seems to make outbound connections to Symantec (more like, say, LogMeIn on a PC). Putting a load balancer in front of two Enterprise Gateways seems like it would not help in any way, as there is nothing making a connection to the Enterprise Gateway. Am I correct in this, or is there something I am overlooking? The guide on page 82 describes load balancing but just talks about offsetting LDAP synchronization schedules; I understand that portion, but there is nothing about how to load balance. Any comments or suggestions would be greatly appreciated.


Upload Latest Client Install Package to SEPM

On-Premise solution for newest buffer overflow error


Today I read that all Norton and Symantec virus products are in jeopardy because of a buffer overflow attacking the check of compressed files.
There was a list attached for most products on what to do. Most are already fixed. BUT:
Endpoint Protection Small Business Edition 12.1.5 is not on that list. Since I have at least two dozen server installations all over my customers' servers, I am really worried.
Due to company restrictions, for most companies the cloud based version (which might or might not be protected against this error) is off limits.

And an easy and cheap upgrade to a bigger version seems not to be available through Symantec. Most of those contracts are still running a year or two, so just offering an xgrade gives those customers a huge disadvantage. We are already exchanging all contracts that are up for renewal, but those long term ones....!?!

Will there be a workaround for 12.1.5?
What can I do to make it work, if the cloud is off limits?

Thanks for your time
Helmut Lieb


SNAC Support and Operability with 12.1 RU6 MP5


Does anyone know if SNAC is supported with Endpoint 12.1 RU6 MP5 (12.1.7004.6500) released 6/28/16?  We are seeing issues with clients not responding to 802.1x requests from the enforcers and failing NAC checks.


Symantec vulnerability - Google project zero


Google project zero reported the following today: http://googleprojectzero.blogspot.fr/2016/06/how-to-compromise-enterprise-endpoint.html

I honestly thought this was patched, but people are being adamant about this being a different vulnerability. Does Symantec have any plans to patch this via LU? What can we do in the meantime?
