Advanced Threat Protection


Standard Practice to manage Symantec Endpoint Protection Client related issues 

Feb 25, 2016 12:38 PM

 

Roles and responsibilities as Symantec Admin

  • Monitor client-to-SEPM communication.
  • Maintain a Symantec Endpoint Protection environment.
  • Upgrade the Symantec Endpoint Protection environment.
  • Monitor and troubleshoot a Symantec Endpoint Protection environment.
  • Monitor and troubleshoot SEPM and client content delivery.
  • Monitor and troubleshoot protection technologies.
  • Use best practices when troubleshooting and remediating a virus outbreak.

 

Common issues and troubleshooting tasks for the Symantec SEP client

  • Definition update issues
    • Ping and telnet to the SEPM (172.0.1.1) on port 8014 and check whether it is reachable and the required port is allowed.
    • In the client, open Help -> Troubleshooting and check whether the server details show Offline and whether the SEPM host name/IP address is reflected.
    • Check the Last connected time: whether it reflects a recent date or one that is too old.
    • Run the command smc -stop and then smc -start in the Run window.

  • Symantec malfunction
    • Run the command smc -stop and then smc -start in the Run window.
    • Repair the Symantec client from Control Panel -> Add or Remove Programs.
    • If the repair fails or no repair option is visible, copy the latest Symantec package to the machine and run the Sep.msi/Sep64.msi file to upgrade/install.
    • If this also does not work, run the CleanWipe tool (ver 11/ver 12, as per the client version).
    • If this does not resolve the issue, contact Symantec Support at https://support.broadcom.com (Support ID 6682200000).
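The reachability and restart steps from the "Definition update issues" and "Symantec malfunction" lists above, scripted so they can be run the same way on every affected client. This is an added example and not part of the original post or a Symantec-supplied tool. The SEPM address 172.0.1.1 and port 8014 are taken from the post; the service names SepMasterService and SmcService and the default smc.exe install paths are assumptions about a typical SEP 12.x client and should be verified on your build.

```powershell
<#
  Added example (not from the original post): client-side health check for
  SEP-to-SEPM connectivity, following the steps in the post.
  Assumptions not stated on the page: service names 'SepMasterService' and
  'SmcService', and the default smc.exe install paths.
  SEPM address 172.0.1.1 and port 8014 come from the post.
#>
param(
    [string]$SepmHost   = '172.0.1.1',
    [int]   $SepmPort   = 8014,
    [switch]$RestartSmc
)

function Test-SepmReachability {
    param([string]$TargetHost, [int]$Port)
    # ICMP says the host is up; the TCP test says the client port is open
    # through whatever firewall sits between the client and the SEPM.
    $icmpOk = Test-Connection -ComputerName $TargetHost -Count 2 -Quiet -ErrorAction SilentlyContinue
    $tcp    = Test-NetConnection -ComputerName $TargetHost -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $TargetHost
        IcmpPing = $icmpOk
        TcpPort  = $Port
        TcpOpen  = $tcp.TcpTestSucceeded
    }
}

function Get-SepServiceState {
    # Assumed service names; confirm with: Get-Service *sep*, *smc*
    foreach ($name in 'SepMasterService', 'SmcService') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status } else { 'NOT FOUND' }
        }
    }
}

function Restart-SepSmc {
    # Equivalent to typing "smc -stop" and then "smc -start" in the Run window.
    # Assumed default install locations; adjust for your deployment.
    $candidates = @(
        "$env:ProgramFiles\Symantec\Symantec Endpoint Protection\smc.exe",
        "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe"
    )
    $smc = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $smc) { throw 'smc.exe not found in the expected SEP install paths' }
    Start-Process -FilePath $smc -ArgumentList '-stop'  -Wait
    Start-Sleep -Seconds 5
    Start-Process -FilePath $smc -ArgumentList '-start' -Wait
}

# 1. Network path to the SEPM (the post's ping/telnet step).
$reach = Test-SepmReachability -TargetHost $SepmHost -Port $SepmPort
$reach | Format-List
if (-not $reach.TcpOpen) {
    Write-Warning "TCP $SepmPort to $SepmHost is blocked or the SEPM is down; fix reachability before touching the client."
}

# 2. Client service state (a stopped SepMasterService explains stale definitions).
Get-SepServiceState | Format-Table -AutoSize

# 3. Optional restart of the management client (the post's smc -stop / smc -start step).
if ($RestartSmc) { Restart-SepSmc }

Write-Host 'Now open the SEP client -> Help -> Troubleshooting and compare Server status and Last connected time.'
```

Run it as an administrator; add -RestartSmc only after the reachability check passes, since restarting the client does nothing for a blocked port. Two caveats: Test-NetConnection exists on Windows 8/Server 2012 and later, so on older clients fall back to the telnet check the post describes, and smc -stop prompts for the client password when password protection is enabled in the SEPM policy, so the script will pause there rather than stop the client silently.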

 

  • Virus outbreaks (SOC alert and SEPM Risk reports)
    • Identify the machine or source of the threat/attack: host name, IP address, location, etc.
    • Isolate it from all networks, except for the remote access you need for the investigation.
    • Verify that the Symantec antivirus client is properly installed and healthy on the system.
    • Verify whether the virus and other definitions are up to date on the SEPM; if not, update them as soon as possible.
    • Verify all the logs in the Symantec client -> View Logs:
      • Control
      • Packet
      • Risk
      • Security
      • System
      • Traffic

1. If a risk has been identified and logged, you can trace the threat and submit it to Symantec support; otherwise research further to get removal steps.

2. If no threat is found, run SymHelp and the Norton Power Eraser tool on the server and workstation respectively.

3. This tool needs to be run in Threat scanning or Load point analysis mode in order to identify boot-level viruses, rootkits, etc., which the antivirus is unable to scan.

4. Boot-level scanning with the above tool requires a reboot, and at the end it provides a scan result of the identified threats. You can remove the threat by selecting the threat among

5. In case of an attack, investigate whether the attack happened inbound or outbound. If inbound, block the external public IP source to inside. If outbound, block inside any to the external public (C2C) malicious server.

 

  • NTP (firewall component removal)
    • When any NTP component disable/removal request comes in, ask for a valid business justification and take the necessary approval from the business.
    • Once the justification is provided by the user, seek approval from the IT Security Manager.
    • After approval, remove/uninstall only the firewall component, only for the given period, and not the complete NTP (keep IPS).

 

  • Exclusion of business applications
    • When any exclusion request comes in, ask for a valid business justification and forward the response to the IT Security Manager.
    • Once the IT Security Manager has approved the exclusion, implement the change and apply it to the Global or a custom exception group.

 

  • Definition/Symantec issues of roaming users
    • If a roaming user is having an issue, take a WebEx session to perform the troubleshooting steps above.
    • If the Symantec client is malfunctioning, upload the latest Symantec package (32/64-bit, Basic content) to the fileshare site and share the download link.
    • Download the Symantec package from that link and try the troubleshooting described above.

Important Note:

  • Always first check the Symantec window -> Help -> Troubleshooting page.
  • If any Symantec issue is unknown, run the SymHelp tool to collect logs and find the threat.

Comments

Feb 26, 2016 06:40 AM

Hi, do you have some more detailed SOPs as well for the day-to-day operations? Thanks
