Posted on

ATP Endpoint Not SEP Managed

I need a solution

Hi, We are running Symantec ATP. We have integrated it with SEPM. To my surprise, there are a few machines that are running SEP clients and are reporting into the SEP Manager. ATP has listed some of these machines under "Actively Infected Endpoints", and under SEP Managed? is "No". We have verified these machines on the SEPM, and yes they do have SEP clients installed and are up-to-date. What could be happening here?

Many thanks for your responses in advance,

MabundaG

0
Posted on

clicktime.symantec.com change my url parameters

I need a solution

Hey, 

I represent a web company, we have a simple recover your password link.

The link is built as follows: 

https://example.com/ApproveResetPassword.aspx
?h=299ccda9d4be0539c0d9412ca61279f68dc78ebb
&u=9LCs%2bi7h2jf4ytFooB%2badOoz32ZgtLz1hOHInL%2bpl1Q%3d
&t=57d1899a02360d5a1010d3f2e04a6a134e6bd416.101654

the u parameter is username->encryption->base64->UrlEncoded.

After your ATP service the hyperlink inside the client sent email becomes:

https://clicktime.symantec.com/a/1/LmdzOJrlbvqcq4S...

Let’s examine the URL parameter: 

u=https://fake.com/ApproveResetPassword.aspx?

h%3D299ccda9d4be0539c0d9412ca61279f68dc78ebb

u%3D9LCs%2Bi7h2jf4ytFooB%2BadOoz32ZgtLz1hOHInL%2Bpl1Q%3D

t%3Dc901d7e0c549353574c82d739e51533c2cc75c9b.101606

Until now everything is ok but let’s look at the redirected url:

https://fake.com/ApproveResetPassword.aspx

?h=299ccda9d4be0539c0d9412ca61279f68dc78ebb

&u=9LCs+i7h2jf4ytFooB+adOoz32ZgtLz1hOHInL+pl1Q=

&t=c901d7e0c549353574c82d739e51533c2cc75c9b.101606

Fiddlers capture: https://ibb.co/fw25BS

As you can see, all the parameters in the redirected URL are not URL-encoded anymore.

I need to know if there's something to be done from the app side so that the parameters in the query string will still be URL-encoded.

0
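The double decoding the post describes, as an added example (not the poster's code or Symantec's): a simulation of the redirected link, where the `+` inside the base64 token becomes a space once a form-style query parser reads it, followed by the app-side workaround the poster asks about and a URL-safe token alphabet that cannot be damaged this way. The redirect model and helper names are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the "u" value from the post, treated here as opaque
# base64 bytes (it is not a real encrypted username).
ORIGINAL_U = "9LCs+i7h2jf4ytFooB+adOoz32ZgtLz1hOHInL+pl1Q="
ORIGINAL_LINK = (
    "https://example.com/ApproveResetPassword.aspx"
    "?h=299ccda9d4be0539c0d9412ca61279f68dc78ebb"
    "&u=9LCs%2bi7h2jf4ytFooB%2badOoz32ZgtLz1hOHInL%2bpl1Q%3d"
    "&t=57d1899a02360d5a1010d3f2e04a6a134e6bd416.101654"
)

def simulate_redirect(link):
    """Model of the observed behaviour (assumption): the click-tracking
    redirect emits the link percent-decoded, so %2b/%3d become '+'/'='."""
    return unquote(link)

def query_param(link, name):
    """What a form-style query parser hands the application: '+' is a space."""
    return parse_qs(urlsplit(link).query, keep_blank_values=True)[name][0]

def decode_token_strict(value):
    """Decode standard base64; spaces or stray characters raise binascii.Error."""
    return base64.b64decode(value, validate=True)

def token_decodes(value):
    try:
        decode_token_strict(value)
        return True
    except binascii.Error:
        return False

def decode_token_lenient(value):
    """App-side workaround: undo the '+' -> ' ' damage before decoding."""
    return base64.b64decode(value.replace(" ", "+"), validate=True)

def make_urlsafe_token(raw):
    """Robust fix: URL-safe alphabet ('-' and '_') and no '=' padding, so the
    token contains nothing that a percent-decode or form-decode can alter."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_urlsafe_token(value):
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

if __name__ == "__main__":
    damaged = query_param(simulate_redirect(ORIGINAL_LINK), "u")
    print("original  :", query_param(ORIGINAL_LINK, "u"))
    print("redirected:", damaged, "| decodes:", token_decodes(damaged))
```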
Posted on

Symantec ATP Endpoint without SEP

I do not need a solution (just sharing information)

For the ATP platform (endpoint), can a customer get this even if they do not have a SEP solution in place? How can Symantec ATP work for endpoints without any SEP agents?

Same question for ATP email if the customer does not have Email Security.Cloud. Is this possible, or is it required that they have Email Security.Cloud first?

Thanks

Regards

Erick 

0
Posted on

DWH.exe inserts viruses on my Computer?

I need a solution

Hello everyone, I am new to this forum and I decided to ask for help here.

Over the past few days I have been getting virus detections by Symantec that there are multiple files with the first three letters "DWH" and then 4 numbers and letters at the end (e.g. DWH17fd.exe).
Not only that, but there are also other file names like "APQDD86.tmp" and my computer keeps saying that there are more of them. This happens not only once, but more than 3 times per day, and it just slows down my computer whenever I'm using it or I'm playing games.

Here is a screenshot of my quarantine folder -- https://puu.sh/zgnB5/e0d3880ee4.png

Also, I tried going into Safe Mode to delete the "DWH.exe" from the Program Data folder in the Symantec folder on the C: drive. It somehow managed to be back there earlier this morning, and now I can't find the said file in Safe Mode. I'm assuming there's a virus on my computer now.

Help me please :(

0
Posted on

Update

I do not need a solution (just sharing information)

https://support.symantec.com/en_US/advanced-threat-protection-network.64123.html

Sorry, we can't seem to find that page.

The URL may have changed, expired or never existed in the first place. If you copied it or typed it in, double check that you entered what you wanted to.

Clever :-)

0
Posted on

[sid: 30253] system infected: bitcoinminer activity 6 detected

I do not need a solution (just sharing information)

Hello

We have a machine on our network that is getting the following message from Symantec EPP:

[sid: 30253] system infected: bitcoinminer activity 6 detected

A full system scan has been run using SEPP, Norton power eraser and Malwarebytes...Nothing is found / removed. System restore has been turned off.

I've looked on the Symantec website but can't seem to find much on the issue. Any advice would be appreciated.

0
Posted on

PUA.JScoinminer regedit entry

I need a solution

Hi all,

This week the Symantec client detected a possible PUA.JScoinminer attack; of course the *.htm file detected was placed in quarantine, and we thought that it did not infect the PC. But checking regedit values we saw a strange entry on this path:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\4294908528

That entry has information related to the PUA.JScoinminer virus. Our doubt is: why does the Symantec client add an entry about that virus, or is it not the client?

OS: Windows 10 64-bit.

SEP: 12.1.6

We attached a JPG file of that entry.

Thanks in advance.

0
Posted on

Bitcoin Processors

I do not need a solution (just sharing information)

Hi,

I have an environment and, unfortunately, whenever the system starts, a BITCOIN Processor also gets started with different extensions. I just need info: if I install Symantec Endpoint Protection 14, will it grab and kill that kind of malware processor, since it is a production environment and the processor names are also different every day?

Please guide.

Regards,

Saad

0
Posted on

Linux – Exclusions needed for working with another endpoint protection

I need a solution

Hi,

I wish to know which exclusions are needed in order to work properly with another parallel endpoint protection.

I know what I need to exclude in Windows systems and it's well documented,

I need it for Mac and Linux.

Do you have a kb for that so I can follow?

0
Posted on

WEBINAR: 2/21/18: Are you ready for the new MFA requirements for PCI Compliance?

Location: 
Online
Time: 
Fri, 26 January, 2018 - 13:00 PST

WEBINAR: Are you ready for the new MFA requirements for PCI Compliance?

TIME: 10:00 AM PT / 1:00 PM ET

SPEAKER: Alex Wong, Senior Product Manager, Symantec


PCI just made changes to the MFA requirements.

With rapid cloud adoption, how do companies protect data, secure access & keep employees productive all while meeting compliance requirements?

Key Takeaways:

- Learn the scope of the new and future Payment Card Industry MFA & SSL (PCI) requirements

- Understand common ways to comply & why companies fall out of compliance

- Review best practices to secure access to your data

Register Today

Posted on

Migration SEPM to New Hostname and IP Address.

I need a solution

Dear Guys,

Good day!

I have tried to install a new SEPM on the new server with a new hostname and new IP address. Below is the error message that I took from the logs.

com.sygate.scm.common.communicate.CommunicationException: Unexpected server error. ErrorCode: 0x10010000
at com.sygate.scm.common.communicate.Communicator.sendFileRequest(Communicator.java:919)
at com.sygate.scm.server.replication.RemotePartnerCommunicator.getChangedMetadata(RemotePartnerCommunicator.java:424)
at com.sygate.scm.install.util.SiteSynchronizer.getChangedMetadataFromRemoteSite(SiteSynchronizer.java:75)
at com.sygate.scm.install.util.SiteSynchronizer.synchronizeSite(SiteSynchronizer.java:33)
at com.sygate.scm.install.ui.MainFrame.replicateData(MainFrame.java:2669)
at com.sygate.scm.install.ui.MainFrame.configureDB(MainFrame.java:1308)
at com.sygate.scm.install.ui.MainFrame.nextBtnActionPerformed(MainFrame.java:3528)
at com.sygate.scm.install.ui.MainFrame.access$400(MainFrame.java:250)
at com.sygate.scm.install.ui.MainFrame$4$1.construct(MainFrame.java:3124)
at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:145)
at java.lang.Thread.run(Thread.java:662)
 
DB type: Embedded Database
SEPM Version: 12.1.1
WinServer: 2008 R2
 
I am using the replication method.

Please advise.

Thanks,

Regards,
Martin

0
Posted on

Can the user see the contents of the folder, exception handling of the file?

I do not need a solution (just sharing information)

If the policy allows exception handling,
can SEPM see your exception handling entries?

For example:
192.168.0.11 user exception handling entries: C:\, D:\file.exe, and so on.

I want to see the client exception handling entries in SEPM.

0