Channel: Symantec Connect - Products - Downloads
Viewing all 82 articles

Symantec SEP Reporting Template V1.0


Hi All,

As I am working on Symantec SEPM and client issues and reporting, I prepared a task summary sheet which specifies, for a Symantec admin/engineer, which tasks need to be done on a daily, weekly, monthly and quarterly basis.

Attaching for your reference; positive input appreciated.


Symantec DLP Installation DOC

Symantec Data Loss Prevention- Triggering Endpoint Response Rules

To uninstall Symantec Endpoint Encryption Device Control clients deployed via GPO, a startup batch file can be utilized


At times, a customer may require the details for creating a batch file (startup script) to assist in the uninstallation of a Symantec Endpoint Encryption Device Control client that was installed via GPO. You cannot use the automatic uninstall feature in the GPO software installation package because the Device Control uninstall procedure is password protected. To uninstall Device Control you must use a startup script, please refer to the attached guide "steps.pdf" for utilization.

Symantec Endpoint Encryption Full Disk 8.2.0 with Encase 7 requires the appropriate DLLs for use between the two products


When a customer is using the forensics software "Encase 7" with our Symantec Endpoint Encryption Full Disk 8.2.0 software, the customer will need the appropriate DLLs so that the Encase product can successfully work with our Full Disk product.

The DLLs required are attached here and can also be located within the original product download under the subfolder "utilities". The DLLs required in this scenario are named:

msvcr80.dll
msvcp80.dll

Symantec DCS Policy Utility v1.0


Symantec DCS Policy Utility v1.0.0.11 For Windows OS (Note .NET Framework 4.5 is required)

Designed to help you tune your policy by processing the log files from an Agent.

There's a getting started tab that explains the best steps to get the logs and events you need to troubleshoot your policy.

The program does not make any changes to the machine or policy. It parses the sisidsevents and sisrtevents log files.

How does the utility work for the real time events?

The utility will parse the log file, create an id based on policy id, process path, target, sandbox, network src/dst (ip and port), and module. It uses that to remove duplicated events.

After the utility finishes loading and parsing, it will display a Grid View of the events, filtered down to only unique events, and multi-column sorted on policy id, then sandbox, then type, then process, then target, then module.

What to search for
If prevention is disabled, search for [EVENT_TYPE]=Warning,[DISPOSITION]=Allowed
if prevention is enabled, search for [DISPOSITION]=Denied

This utility includes cmdmatch.exe to help test out argument matching in policies

v1.0.0.10 - Adds the test option to the Argument Match Utility, and adds support for the "?" character in IDS Windows Event Argument Testing
v1.0.0.11 - Clarifies the use of wildcards and ? in Windows Event Argument Testing
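The de-duplication, multi-column sort and "what to search for" filter described in this post, as an added example in Python. This is not the DCS Policy Utility's own code, and the real sisrtevents.log layout is not shown on the page: the `[FIELD]=value` line form and the sample events below are constructed assumptions used only so the example runs offline; the field names that make up the id are the ones the post lists.

```python
"""Added example (not the DCS Policy Utility's code): de-duplicate real-time
events on the id fields the post names, sort them in the post's column order,
and apply its "what to search for" hint."""
import re

# Fields that make up the de-duplication id (taken from the post above).
KEY_FIELDS = ("POLICY_ID", "PROCESS", "TARGET", "SANDBOX", "SRC", "DST", "MODULE")
# Multi-column sort order: policy id, sandbox, type, process, target, module.
SORT_FIELDS = ("POLICY_ID", "SANDBOX", "EVENT_TYPE", "PROCESS", "TARGET", "MODULE")

# Assumed line form: "[NAME]=value" pairs separated by spaces (not the real format).
FIELD_RE = re.compile(r"\[(\w+)\]=(\S+)")

# Constructed sample log; the first two lines are the same event logged twice.
SAMPLE_LOG = r"""
[POLICY_ID]=1001 [PROCESS]=C:\Windows\explorer.exe [TARGET]=C:\Temp\a.txt [SANDBOX]=ps_default [SRC]=- [DST]=- [MODULE]=file [EVENT_TYPE]=Warning [DISPOSITION]=Allowed
[POLICY_ID]=1001 [PROCESS]=C:\Windows\explorer.exe [TARGET]=C:\Temp\a.txt [SANDBOX]=ps_default [SRC]=- [DST]=- [MODULE]=file [EVENT_TYPE]=Warning [DISPOSITION]=Allowed
[POLICY_ID]=1001 [PROCESS]=C:\Windows\System32\cmd.exe [TARGET]=10.0.0.9:445 [SANDBOX]=net_default [SRC]=10.0.0.5:49152 [DST]=10.0.0.9:445 [MODULE]=network [EVENT_TYPE]=Warning [DISPOSITION]=Allowed
[POLICY_ID]=1000 [PROCESS]=C:\App\svc.exe [TARGET]=HKLM\Software\X [SANDBOX]=reg_default [SRC]=- [DST]=- [MODULE]=registry [EVENT_TYPE]=Notice [DISPOSITION]=Denied
"""


def parse_line(line):
    """Turn one log line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def dedup_key(event):
    """The id the post describes: policy id, process, target, sandbox, src/dst, module."""
    return tuple(event.get(field, "") for field in KEY_FIELDS)


def unique_events(text):
    """Keep the first occurrence of each id and count how many copies were collapsed."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        key = dedup_key(event)
        if key in seen:
            seen[key]["DUPLICATES"] += 1
        else:
            event["DUPLICATES"] = 0
            seen[key] = event
    return list(seen.values())


def sort_events(events):
    """Multi-column sort in the order the post gives."""
    return sorted(events, key=lambda e: tuple(e.get(field, "") for field in SORT_FIELDS))


def what_to_search(events, prevention_enabled):
    """Prevention off: Warning + Allowed events. Prevention on: Denied events."""
    if prevention_enabled:
        return [e for e in events if e.get("DISPOSITION") == "Denied"]
    return [e for e in events
            if e.get("EVENT_TYPE") == "Warning" and e.get("DISPOSITION") == "Allowed"]


if __name__ == "__main__":
    for e in sort_events(unique_events(SAMPLE_LOG)):
        print(e["POLICY_ID"], e["SANDBOX"], e["EVENT_TYPE"], e["PROCESS"],
              e["TARGET"], e["MODULE"], "duplicates=%d" % e["DUPLICATES"])
```

The `DUPLICATES` counter is the one addition over the post's description: when tuning a policy it is useful to know not just that an event is unique but how often it fired, since a rule that is Allowed thousands of times is the one most likely to need an exception before prevention is turned on.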

Script to download Intelligent Updater from ftp.symantec.com


Hello all,

I want to share this script to download .exe from Symantec ftp:

When we install a new machine, it is installed with the last setup.exe I have. That setup.exe is usually older than the current date, and I need to download the full definitions from SEP Manager or GUP. In my case it is a problem for me because I'm using a remote link, like an MPLS network, and that download congests my network in business hours, which is a big problem.

To resolve it, I got the script below from this website: http://www.computing.net/answers/programming/auto-update-virus-definitions-using-ftp-to-get-latest-file/27772.html and I made some changes for my environment, like delete files with -3 days. You need to have "forfiles" in your C:\Windows\System32, ok?

So, don't forget to change the path according to your wishes.

For the 64-bit download, you just need to change the line with *-v5i32.exe to *-v5i64.exe; therefore, create 2 .bat files, one for each platform, it is better :)

Create a task schedule in your server, for both scripts and be happy :)

Change the script extension to .bat and enjoy!!!

Get Group Name and Group ID


I wrote a PowerShell script that queries the database that Symantec Endpoint Protection Manager is installed on, retrieves the Group Name and Group ID, and stores them in a .csv.

Documentation has screenshots on how to run script.


Revised Datscount script


We encountered a problem at one point where a problem in our configuration caused a number of updates to sit on the manager unable to be posted using the BCP utility to the SQL database. The result of this was that the details the console was showing us didn't represent what the reality was, with clients lagging behind vastly on their updates when we knew that they were updating properly.

I put together the enclosed script to spot check the status of the files on the managers. The script requires a small amount of configuring with Notepad before you run it; you need to edit the following lines:

Rem Replace the server(s) with the names of your SEPMs
Set Servers=Server1,Server2,Server3,Server4
Set Interval=30
Set FullDiff=0
Setlocal Enabledelayedexpansion

Rem Replace this with your install directory for the SEPM
Set RootInstalDir=C$\Symantec\Symantec Endpoint Protection Manager

So the Servers value needs to have the names of your SEPM servers

Second, you need to change the RootInstallDir to match how you have installed your SEPM.

The result looks something like this

[ 9:21:47.84] System: SEPM1     -     RUNNING
inbox\agentinfo: 0  (0)  .Err: 0
inbox\log\client: 40  (2)  .Err: 0
inbox\log\behavior: 5  (1)  .Err: 0
inbox\log\system: 38  (2)  .Err: 0
inbox\log\security: 0  (0)  .Err: 0
inbox\log\packets: 31  (1)  .Err: 1
inbox\log\traffic: 2  (-1)  .Err: 0
inbox\log\tex\avman: 1  (1)  .Err: 0
inbox\learnedapp\computerapp: 42  (-1)  .Err: 0
**Total .Dat files: 159   (5)   Total .Err files: 1

So you see the total count in the directory, the difference in the last cycle (for example inbox\log\traffic reduced by 1), and finally the count of .err files. Error files would indicate a problem requiring further attention. Also we can see that the SEMSRV service is running on the SEPM1 server.
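The spot check this post describes, as an added Python example rather than the Datscount batch script itself: count the .dat and .err files in each SEPM inbox folder and report the change since the previous cycle. The folder list is taken from the sample output above; the demo tree is constructed in a temporary directory, the assumed install root is whatever path you pass in, and the SEMSRV service check is left out so the example runs on any OS.

```python
"""Added example (not the Datscount script): count .dat/.err files per SEPM
inbox folder and diff the counts against the previous cycle."""
import os
import tempfile

# Inbox sub-folders exactly as labelled in the post's sample output.
INBOX_LABELS = (
    r"inbox\agentinfo",
    r"inbox\log\client",
    r"inbox\log\behavior",
    r"inbox\log\system",
    r"inbox\log\security",
    r"inbox\log\packets",
    r"inbox\log\traffic",
    r"inbox\log\tex\avman",
    r"inbox\learnedapp\computerapp",
)


def _folder(root, label):
    """Map the Windows-style label onto a real path under the install root."""
    return os.path.join(root, *label.split("\\"))


def count_inbox(root):
    """Return {label: (dat_files, err_files)} for every inbox folder under root."""
    counts = {}
    for label in INBOX_LABELS:
        folder = _folder(root, label)
        dat = err = 0
        if os.path.isdir(folder):
            for name in os.listdir(folder):
                lower = name.lower()
                if lower.endswith(".dat"):
                    dat += 1
                elif lower.endswith(".err"):
                    err += 1
        counts[label] = (dat, err)
    return counts


def diff_cycle(previous, current):
    """Return {label: (dat, change in dat since previous cycle, err)}."""
    result = {}
    for label, (dat, err) in current.items():
        prev_dat = previous.get(label, (0, 0))[0]
        result[label] = (dat, dat - prev_dat, err)
    return result


def totals(counts):
    """(total .dat files, total .err files) across all folders."""
    return (sum(d for d, _ in counts.values()), sum(e for _, e in counts.values()))


def format_report(server, cycle):
    """Render one cycle in the same layout as the post's sample output."""
    lines = [f"System: {server}"]
    for label, (dat, change, err) in cycle.items():
        lines.append(f"{label}: {dat}  ({change})  .Err: {err}")
    dat_total = sum(d for d, _, _ in cycle.values())
    err_total = sum(e for _, _, e in cycle.values())
    lines.append(f"**Total .Dat files: {dat_total}   Total .Err files: {err_total}")
    return "\n".join(lines)


def make_demo_inbox(counts):
    """Create a constructed inbox tree in a temp dir; counts maps label -> (n_dat, n_err)."""
    root = tempfile.mkdtemp(prefix="sepm_inbox_demo_")
    for label, (n_dat, n_err) in counts.items():
        folder = _folder(root, label)
        os.makedirs(folder, exist_ok=True)
        for i in range(n_dat):
            open(os.path.join(folder, f"{i}.dat"), "w").close()
        for i in range(n_err):
            open(os.path.join(folder, f"{i}.err"), "w").close()
    return root


if __name__ == "__main__":
    root = make_demo_inbox({r"inbox\log\client": (40, 0), r"inbox\log\packets": (31, 1)})
    previous = count_inbox(root)
    # Simulate one more client log arriving before the next cycle.
    open(os.path.join(_folder(root, r"inbox\log\client"), "new.dat"), "w").close()
    print(format_report("SEPM1", diff_cycle(previous, count_inbox(root))))
```

Against a real manager you would point `count_inbox` at the SEPM install directory (locally, or via the admin share as the batch script does) and keep the previous cycle's dictionary between runs; a folder whose .dat count only ever grows, or any non-zero .err count, is the condition the post says needs further attention.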

Clear temp directories script


I created this script to address systems that have run out of disk space for various reasons and are no longer updating AV definitions. The only external utility you need is Psexec to remotely execute one of the scripts.

To clean a single system you would use: CleanMark2.cmd Systemname

To clean multiple systems, place all the systemnames in the BatchClrMk2.lst file and run the BatchClrMk2.cmd file.

As you would expect you need to run these logged in as an ID that can remotely access the admin shares and delete on these remote systems.

I had originally written this to do all the deletes via the master script file, but cleaning systems that were connected via slow connections was a problem; remotely executing the commands to parse and clear the temp directories ended up speeding up the process by a serious measure.

MoveClient Script


I created a MoveClient Script using powershell.

There are actually two scripts

1 - get_group_IDs.ps1 generates a list of groups, along with their group ID to help you create an input file (based on your environment)

2 - Moveclient.ps1 is the actual script that takes the input file you created, and prompts you for information about your database

The script does the following:

1. gets a list of all SEP clients in your SEPM. Depending on the number of clients in your SEPM, and the amount of operations taking place in your SEPM at a particular time, this reading of IP address can take a minute, or even an hour, so be patient!

2. for each SEP client, goes through the input file to see if the SEP client's IP address fits in a particular IP range. If it fits, the group ID is updated, otherwise, it is not moved. And when I tested this, I noticed that going through 3,000 clients takes about an hour. Your timing may be different.

3. generates an output file, clients_that_have_been_moved.txt that indicates which clients were moved, which were not

And because this script prompts for database information, such as database schema, you may need help from your Database Administrator.

This script is different from the last script, because there you had to move ALL SEP clients to the Default Group before the script would move them. If you work with 100,000 SEP clients, spread throughout 200 groups, and are not sure whether they belong in the right group or not, well, it can drive anyone batty.

Please read the instructions - it is mostly screenshots, and I believe it is quite straightforward

This was tested numerous times on SEP 11 and SEP 12 Management Console. However, it is always safe to back up your database.

This community has been a great help to me in managing SEP, and I really hope this Moveclient script helps you all.
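The range-matching step the post describes (step 2), as an added Python example with no database access; it is not the Moveclient.ps1 script. The page does not show the input file format, so the CSV layout (`start,end,group_id`), the client list and the group IDs below are constructed assumptions; the actual group update in SEPM's database is left out and replaced by a planned-move report in the spirit of clients_that_have_been_moved.txt.

```python
"""Added example (not Moveclient.ps1): decide which group each SEP client
belongs in by matching its IP address against ranges from an input file."""
import csv
import io
import ipaddress

# Constructed input file: one IP range per line with the group ID it maps to.
RANGES_CSV = """start,end,group_id
10.10.0.0,10.10.255.255,GRP-SITE-A
192.168.5.0,192.168.5.255,GRP-SITE-B
"""

# Constructed client list: (computer name, IP address, current group ID).
CLIENTS = [
    ("host1", "10.10.4.7", "GRP-DEFAULT"),
    ("host2", "192.168.5.20", "GRP-SITE-B"),
    ("host3", "172.16.0.3", "GRP-DEFAULT"),
    ("host4", "not-an-ip", "GRP-DEFAULT"),
]


def load_ranges(text):
    """Parse the input file into (start, end, group_id) with addresses as integers."""
    ranges = []
    for row in csv.DictReader(io.StringIO(text)):
        start = int(ipaddress.ip_address(row["start"].strip()))
        end = int(ipaddress.ip_address(row["end"].strip()))
        if start > end:
            raise ValueError(f"range {row['start']}-{row['end']} is reversed")
        ranges.append((start, end, row["group_id"].strip()))
    return ranges


def target_group(ip_text, ranges):
    """Return the group ID whose range contains ip_text, or None if no range matches."""
    addr = int(ipaddress.ip_address(ip_text))  # raises ValueError on garbage input
    for start, end, group_id in ranges:
        if start <= addr <= end:
            return group_id
    return None


def plan_moves(clients, ranges):
    """Per client: (name, ip, current group, new group or None, status)."""
    plan = []
    for name, ip_text, current_group in clients:
        try:
            new_group = target_group(ip_text, ranges)
        except ValueError:
            # A client whose recorded IP is unusable is reported, not moved.
            plan.append((name, ip_text, current_group, None, "invalid ip"))
            continue
        if new_group is None:
            status = "no matching range"
        elif new_group == current_group:
            status = "already in group"
        else:
            status = "moved"
        plan.append((name, ip_text, current_group, new_group, status))
    return plan


def report_lines(plan):
    """Tab-separated lines for the moved / not-moved output file."""
    return [f"{name}\t{ip}\t{old}\t{new or '-'}\t{status}"
            for name, ip, old, new, status in plan]


if __name__ == "__main__":
    for line in report_lines(plan_moves(CLIENTS, load_ranges(RANGES_CSV))):
        print(line)
```

Reviewing the planned moves before anything is written to the database is the cheap safeguard that pairs with the post's advice to back up the database first: a reversed or overlapping range in the input file shows up here as a surprising "moved" line rather than as 3,000 clients in the wrong group.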

DeepSight Vulnerability Datafeed Perl Script


Attached is a Perl script written by Oliver Karow from Symantec. This script is designed to allow you to automate the download of the DeepSight Vulnerability Datafeed.

Symantec Data Loss Prevention 11.5: Administration

How to adjust proxy settings for System Account


Hello guys,

I want to share with you a problem I was having.

I have Explicit proxy in my network. I have a GPO that update it for my clients.

Here, in my subnet, I have a WPAD script, to set it by DHCP and Auto-Detect by Internet Explorer. In case of my partners to use.

It is a point.

Well, we have clone images to improve delivery of new machines. These images do not have SEP installed; it is installed afterwards, which causes that problem with the ID as well.

Now, is the point!!!

I noticed some clients were using the proxy to communicate with GUPs. Those GUPs were in the same subnet, so my client used my MPLS link to go to my Data Center, where the proxy is, and the proxy connects to the GUPs to update the client.

I did not have the exceptions for local address and my subnets and names in the WPAD file. I fixed it anyway.

Well.. when I ran internet explorer with System Account, I saw that Auto-Detect was enabled. I just have DHCP deliver for WPAD in my subnet.

Anyway, I needed to fix the IE proxy settings for System Account. I need to set a proxy and correct exceptions.

Below, we have the most important. How to adjust it!!!

If you have an equal or similar problem, you can follow :)

1 - Create a .bat script with these lines below:

@echo off

REM Created by Diego Maciel Gomes, at 12-14-2013
REM Script created to adjust IE proxy settings for system account

REM bitsadmin is a windows utility
REM here, we clear whole proxy config
bitsadmin /util /setieproxy localsystem NO_PROXY

REM here, we set the proxy and exceptions
REM change proxy.company.com according to yours. Adjust the port and exceptions as well.
bitsadmin /util /setieproxy localsystem MANUAL_PROXY proxy.company.com:3128 "<local>*.company.com; 172.19.*; 172.20.*;"

exit

2 - Create a computer GPO and associate this script to run when Startup (at this moment, I assume you know how to do it)

3 - You can check the update by regedit:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

The key above has the stored config for system account.

Here, I show a line of my squid proxy that shows the wrong connection:

1387277796.586   9188 172.20.163.158 TCP_MISS/200 1454326 GET http://172.20.163.21:2967/content/{55DE35DC-862A-44c9-8A2B-3EF451665D0A}/131216011/xdelta131213011.dax - DIRECT/172.20.163.21 text/plain

After running this script above, the machine does not use the proxy anymore. The traffic is direct and saves my bandwidth.

I hope it helps you like helped me!

Feel free to ask me something :)

Regards,

Diego
 

Chicago User Group - Rich Bagurdes - Application and Device control and Storage Devices


How to identify a duplicate DHCP server on a LAN


DHCPFind is a portable program for identifying whether there are multiple active DHCP servers on the network. With a simple scan using this tool, within a few seconds it shows a range of useful information such as the IP address offered by the DHCP server, the network mask, gateway, server network address and the DHCP lease.
It is a very useful tool for checking whether there are rogue DHCP servers, such as a wireless router introduced into the network with DHCP enabled.

But it can also simply serve as a quick check of the network, to verify that the network and the DHCP server are working properly.

Operating systems: Windows 9x/Me, Windows NT 4, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8

Let me know if you have questions.

English version : Detect rogue DHCP servers on a network

Credits : DHCP Find

Download Here!

Russian stop-words list


To make use of stop-words for the Russian language, download the attached file, unzip it and place it in the "Protect\config\stopwords" subfolder in the Symantec DLP installation directory. Then go to the "Advanced settings" page of the selected detection server and set the variable "Lexer.StopwordLanguages" to "en,ru".

Do it for every detection server you have.

Updating CCS Agent Name or IP


Ever had the CCS Agent registered with the wrong name, or the agent IP changed? In some situations it can be a pain to fix this, as it requires going to the agent and running the registration again (imagine you do not have access to the agent server and you have to raise a ticket with a 3rd party supplier, and he asks you to raise a change request).

Well, with these two simple scripts you can change both the agent name and IP directly in CCS. All you need is a little Windows batch skill, SQL skill and an account that has permissions to modify a few records in CCS_DB.

DISCLAIMER: the script performs modification of records directly in CCS_DB. Scripts are provided as is, use them at your own risk; the author is not bearing any responsibility for any damage done.
