Channel: Symantec Connect - Products - Discussions

Batching DLP API Requests

I need a solution

We have recently created a Python script utilizing the API that retrieves incident details, copies these details to a SQL server, and then tags a custom attribute that we can later filter on for a deletion job.

The script is working correctly; however, it is a bit slower than we need to keep up with volume. We're getting about 5000 incidents an hour, but unfortunately we on occasion have more incidents than that (using DLP to monitor USB activity).

The documentation for the API mentions a way to batch calls....

The client can request these incidents individually, or the client can make a Web Service call that uses a "batched" approach where the client requests incident data for multiple incidents in a single call. When you request incident IDs in batches, you can improve performance of the client. Symantec recommends that you use batches of 50 to 100 incidents for best performance.

....however, they don't mention how to do this. I have played around with the script and SOAP UI to try to pass more than one incident ID through at a time; however, I haven't had any luck getting results that way.

I believe our issue is mainly network latency so bulk requesting these should make a huge difference in performance.  Any thoughts?


Got Error On Updating SEPM to 14.2 RU2

I do not need a solution (just sharing information)

Ran the new SEPM installation file on the server.

An error occurred at 64%.

I have attached the log file as well.


Is it possible for SEPM to notify me when a new version is available?

I need a solution

Hi,

I just discovered that my client versions for SEP were way out of date (pre-14.2). As a consequence, users' Chrome crashed due to an incompatibility with SEP versions earlier than 14.2.

Is it possible for SEPM to notify me when new versions are available?

Many Thanks!


How to control Application and URL Categories concurrently

I need a solution

Hi, 

Is it possible to control application and URL categories at the same time? For example, I want to block YouTube for application and brokerage/trading URL categories.

I tried but it seems unsuccessful, only one method at one time.

Thanks


System Infected: Trojan.Nancrat Activity 4

I need a solution

Running 14.2 RU1MP1 build 4815

SEP popped up the message:

System Infected: Trojan.Nancrat Activity 4

The entry is logged in: Client Management / Security Log

A full scan of the server does not find anything.

How do I find the source of this Trojan?

Steve


EX64.sys 20151.1.5.120 bluescreen with 13112019 r20

I do not need a solution (just sharing information)

Random BSODs across our x64 estate, does not affect all endpoints.  Issue appears to be with ex64.sys, however the version has not changed with r22 (supposedly fixes?) of the definition (still 20151.1.5.120)?


PGP: The message is blocked. Error connecting to the tray

I need a solution

Hello everybody! I have this problem: I use PGP to encrypt my e-mails. If I remove the Outlook add-in called the PGP plugin and reset my Outlook, this message disappears, but if I turn off the computer the same message appears and I have to remove the plugin again. What do I have to do to solve the issue? Could you help me please? Regards.


Where can I download the old version of Reporter

I do not need a solution (just sharing information)

I can download the latest version of Reporter at MySymantec > Download page. However, I want to download the old version for testing. I already created a case with support, but they are able to download the latest version only. So, how can I download the old version?


Unable to change keyboard at preboot screen

I need a solution

Hi everybody

I have new Lenovo T490s computers. At the SEE preboot screen I cannot change the keyboard. It defaults to US International. You can change it to e.g. German and it accepts, but it keeps typing in US International. No matter which keyboard layout you choose, it always types US International.

I tried by command line, and although it reported the operation successful, it does not help.

Does anyone have a solution?

I only have this on the new T490s machines; the former T480s posed no problem.

Fredd Meiresonne

ESS Schneider Electric

Belgium


Today's definition 11/13/2019 rev. 20 causes BSOD???

I do not need a solution (just sharing information)

Can this be confirmed?


Windows 10 1909 support?

I do not need a solution (just sharing information)

A question before we can roll out Windows 10 1909: is this version fully supported by the current release, or will there be an update for this?


ProxySG | WCCP configuration

I need a solution

I have an issue: my customer would like to configure WCCP on the proxy.

We configured it following the recommendations from the guide, but it is still not working on SGOS 6.7.4.9. I saw that the proxy already sends the "Here I Am" state to the home router,

but it cannot receive, and when we checked the log on the switch we found a log message about a bad receive from the proxy IP.

But when we tried this WCCP config on the switch with a proxy on the older SGOS version 6.2.x.x, it worked normally.

Please help check and recommend how to resolve this issue. The customer redirects traffic from a Cisco Catalyst 6513 switch.

Best Regards,

CR


Formerly on Message labs and having issues receiving emails from Message labs

I need a solution

I am an IT support technician and we have a client whose emails are hosted on Office 365, formerly hosted on Outsourcery/GCI, during which time we believe message labs was being used also.

The client is having issues receiving emails from their affiliates who use message labs; they are able to send emails to them but are not able to receive emails from them. We were under the assumption that the issue was on the sender's side; however, in contacting their IT support guys they have provided us with the following.

As Promised here is the problem in 2 versions.

 

Easy Answer.

 

There is a problem at messagelabs with the old setting from when they were on that system.

 

Tech Answer.

 

The Messagelabs internal system, which aitkenalexander.co.uk is still on, is not pointing to the correct place. It is a relay error and it is coming from Messagelabs; the domain needs to be properly removed from the client portal.

This information has been provided by Vipre Email Security, who cannot use their portal to affect other domains on the Messagelabs portal.

This makes perfect sense to us; however, we cannot seem to see if there is any access to a client portal for message labs and are unsure if there ever was any to begin with.

Our client's emails were migrated to Office 365 earlier this year and we can confirm that all DNS records are up to date and in line with Office 365 recommendations following these changes.

A sample of the error: 

#< #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

I can also confirm that there are at least 2 domains using message labs which the client is not able to receive emails from. We have tried everything we can on the client's side so far, i.e. IP whitelisting, domain whitelisting etc.

Please advise us on the best way to proceed with this.


Multiple required ?random? restarts

I need a solution

While looking at some monitoring I noticed some interruptions in the data.

It seems the server has been restarted because of Symantec.

Log Name:      System
Source:        User32
Date:          5-11-2019 19:54:03
Event ID:      1074
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      gup02.network.lan
Description:
The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.4814.1101.105\Bin\ccSvcHst.exe (GUP02) has initiated the restart of computer GUP02 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart
 Comment: 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" EventSourceName="User32" />
    <EventID Qualifiers="32768">1074</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2019-11-05T18:54:03.190864200Z" />
    <EventRecordID>699759</EventRecordID>
    <Correlation />
    <Execution ProcessID="388" ThreadID="440" />
    <Channel>System</Channel>
    <Computer>gup02.network.lan</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param1">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.4814.1101.105\Bin\ccSvcHst.exe (GUP02)</Data>
    <Data Name="param2">GUP02</Data>
    <Data Name="param3">Legacy API shutdown</Data>
    <Data Name="param4">0x80070000</Data>
    <Data Name="param5">restart</Data>
    <Data Name="param6">
    </Data>
    <Data Name="param7">NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>

For the reason I looked in the system log:

5-11-2019 19:55:18    Information    Connected to Symantec Endpoint Protection Manager (server01)    
5-11-2019 19:55:13    Information    Symantec Management Client has been started.    
5-11-2019 19:55:13    Information    Symantec Endpoint Protection -- Engine version: 14.2.4814    
5-11-2019 19:55:13    Information    Number of ‘Mapped Group Update Providers usable by the client’ in the policy: 1    
5-11-2019 19:55:13    Information    Number of ‘Group Update Provider Mapping entries usable by the client’ in the policy: 1    
5-11-2019 19:55:13    Information    Start serving as the Group Update Provider (proxy server).    
5-11-2019 19:54:53    Information    Number of ‘Group Update Provider Mapping entries’ in the policy: 57    
5-11-2019 19:54:05    Information    Symantec Management Client is stopped.    
5-11-2019 19:54:05    Information    Disconnected from Symantec Endpoint Protection Manager (server02.network.lan)    
5-11-2019 19:54:04    Information    User is attempting to terminate Symantec Management Client....    
5-11-2019 19:54:03    Information    Symantec Endpoint Protection requires a restart, requested by: the client management component    

Is there maybe more info within SEPM on why the client needs a restart?

Thanks in advance for any that can help with more info!


New SEP Blocking Office 365 Login

I need a solution

Very strange issue here: we are using SEP with Seamless integration on WSS. I have upgraded my own machine from 14.2.4815.1101 to 14.2.5280.2000 and now when on WSS I can't log in to my Office Online Apps like Word etc.

Any ideas on this? I cannot roll out this version of SEP if it does this.


Ghost disk numbering

I do not need a solution (just sharing information)

Ghost and gdisk both use one-based indexing for disk numbers.

Diskpart and some other disk tools use zero-based indexing corresponding to the "physicaldisk" numbering Windows uses. For instance, Disk 0 in diskpart is "\\.\PHYSICALDISK0" (deviceID used by Windows). 

I need a way to tie the disk numbering in gdisk to diskpart programmatically. Can I simply increment the disk number used by Windows to get the Ghost/Gdisk number? Does Ghost use a different method to enumerate the HW?

Diskpart can give me the geographic location of a disk in the system (select disk #, detail disk). My system can change the number and type of disks, but they can be identical models, so the location is one of the only ways to identify a target disk. Does Ghost/gdisk provide any similar options?

Thanks!


SEPM Network Attack Notification

I need a solution

Is it not possible to create a Notification Rule to email on a SEPM network attack detection of Critical or higher? For example, we received a detection on an endpoint that I was only able to see in the log monitoring within SEPM, and did not receive an email notification for. How would I go about creating an email notification for such detections in the future? They're too severe to just not get notified about.

Client Affected

Computer Name (current): My-Computer1
Computer Name (when event occurred): My-Computer1
IP Address (current): fe80::11a2:11a3:3d87:ab97
IP Address (when event occurred): 192.168.0.105
Local MAC: N/A
User Name: none
Operating system: Windows 10 Professional Edition
Location Name: Default
Domain Name: Default
Group Name: My Company\Test
Server Name: SYM-Server
Site Name: Site SYM-Server

Risk Detected

Event Time: 11/14/2019 08:54:44
Begin Time: 11/14/2019 08:54:59
End Time: 11/14/2019 08:54:59
Number: 1
Signature Name: Attack: NTLM Hash Theft Attempt
Signature ID: 31835
Signature Sub ID: 80115
Intrusion URL: N/A
Intrusion Payload URL: N/A
Event Description: [SID: 31835] Attack: NTLM Hash Theft Attempt attack blocked. Traffic has been blocked for this application: SYSTEM
Event Type: Intrusion Prevention
Hack Type: 0
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Outbound
Remote IP: 192.168.0.133
Remote MAC: N/A
Remote Host Name: N/A
Alert: 1
Local Port: 51939
Remote Port: 139


SONAR Grayed Out

I need a solution

So we have a couple of client PCs that we need to add some folder exceptions for in SONAR. Naturally, since we have server-side checked to minimize user intervention, I imagine this is why it's grayed out. So I made a separate policy with mixed control. In that, I checked SONAR on the client side, but it's still grayed out.

Any way we can make them be able to add SONAR exceptions while still following least privilege? I also tried updating the policy through the icon in my system tray, no luck.


PGP Encryption Issue

I need a solution

Hello all,

Our organization is currently using Symantec PGP Encryption software and a File Transfer Protocol application called Axway to receive and send files through encrypted SFTP connections. We found there are several vendors/clients who cannot use our keys for some reasons, such as ciphers or algorithms that may be different, or other issues. Has anyone encountered an issue with certain PGP compatibilities, and in what ways or how did you resolve that issue? We have some who use PGP command line and they need to change their script/code to make it work. What other scenarios have you seen?

We have an issue where the vendor needs an email address in order to import the key. Many other vendors do not have that issue. Once we add the email address, the PGP Key Block has changed. Would this affect the encryption and decryption process when delivering files?

Another issue is that a vendor such as Workday is using their integrated tool to encrypt the key, but when sending the files it failed to encrypt and sign once it hits our Axway File Transfer Protocol application.

Any suggestions and help in guidance would be appreciated!

Let me know if I need to add any attachment.

Thanks,

Q G


After re-create preboot environment Error on Pxe boot - megasas2.sys

I need a solution

Today I uploaded some preboot drivers; after that I re-created the preboot environment. Now when I PXE boot my clients I get an error message:

Windows Failed to Start a recent hardware or software change might be the cause.

Running on WINPE10.
 

\Windows\System32\Drivers\megasas2.sys

Status: 0xc0000359

Already tried the following:

  • Delete the preboot drivers but there is no option to delete them.
  • Create new preboot environment.

What more could I try?
