Endpoint Protection
  • 1.  Attacks per hour and Risk Distribution Attacker is empty

    Posted Nov 17, 2011 12:54 AM

    Hi

    We are running SEP 11 MR6 MP3 with more than 2000 clients.

    Attacks per hour in the Home tab and Risk Distribution by Attacker in the Monitors tab are empty, as you can see in the attached screenshots.

    When I create a report in the console by attacks, it is empty too.

    All clients have Network Threat Protection.

    All clients are using the Intrusion Prevention policy.

    All clients are using an Antivirus and Antispyware policy in which Risk Tracer is enabled (File System Auto-Protect --> Risk Tracer --> Enable Risk Tracer).

    Can you please help me to solve this problem?

    Thanks



  • 2.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Posted Nov 17, 2011 01:37 AM

    By the way, what is the platform used for SEPM and DB? Have you checked the database Log Settings page?



  • 3.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Posted Nov 17, 2011 10:11 AM

    Hi, I checked them all and these are the results:

    SEPM is running on Windows Server 2003 R2.

    The database is on SQL on another server in cluster mode.

    I checked in Admin --> Servers --> Site Properties --> Log Settings and the Database tab; all the check marks are marked and all the fields have numbers.

    Thanks. Anything else to check?



  • 4.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Trusted Advisor
    Posted Nov 18, 2011 06:42 AM

    Hello,

    I highly appreciate you uploading the screenshots.

    Upon checking the screenshots, I found a few things quickly.

    Plan of Action:

    Concentrating on the above screenshot,

    Antivirus Engine off - 3 machines, Auto-Protect off - 7, Tamper Protection off - 1. For these machines, please uninstall the SEP client and reinstall it again.

    Restart required - 21; for these clients please restart the machine and run a full scan again.

    Concentrating on the above screenshot,

    The majority of the threats found on the network are Trojan.Gen.2, which is a generic threat.

    I would highly appreciate it if you could message me the Risk Logs from the Symantec Endpoint Protection Manager.

    I would also recommend following these steps:

    1) Edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General; under "When New Virus Definitions Arrive" choose "Do nothing".

    2) Make sure you have the latest Microsoft Security Patches installed on ALL the machines.

    I look forward to the same.



  • 5.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Posted Nov 18, 2011 09:40 AM

    Hi,

    Thanks for your really good tips.

    The latest Microsoft patches will be installed by WSUS.

    These clients with the Antivirus engine and Auto-Protect off will be investigated,

    but my problem:

    as you can see in my screenshots, Monitors tab --> Summary tab --> Risk Distribution by attacker is empty?

    and as you can see in my screenshots too, Home tab --> Attacks per hour is empty too?

    It means that I do not have any attacks...

    but I think that it is a problem with the logging of SEPM.

    Can you please help us with these two logging problems?

    Thanks



  • 6.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Trusted Advisor
    Posted Nov 18, 2011 10:20 AM

    Hello,

    You are partially correct. However, I do not think it is an issue with logging reports with SEPM.

    However, could you please provide me the required Risk Logs asked for above.

    Again, I would also recommend following these articles:

    How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

    How to delete Quarantined items from the Symantec Endpoint Protection Manager.

    I will be awaiting the logs.


  • 7.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Posted Nov 27, 2011 03:10 PM

    Hi, I posted the data for you.

    Thanks

    Attachment(s): risks_report.txt (519 KB)


  • 8.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Trusted Advisor
    Posted Nov 28, 2011 05:05 AM

    Hello,

    After looking at the Risk Logs, here are the key observations:

    1) W32.Virut.CF and W32.SillyFDC threats have tried to access via removable media (G: and F: drives).

    2) Trojan.Gen.2 is found to be infecting System Restore Points.

    Suggestions:

    1) Please turn off System Restore.

    2) Disable Autorun.inf from the domain.

    3) Systems are not fully patched with Microsoft Security Patches. Please apply all the Microsoft Security Patches on all machines as soon as possible.

    4) Once the Microsoft Security Patches are up to date, you can turn System Restore back on.

    Any particular reason for excluding the above hosts from IPS?
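    The advisor's point 2 above (disabling Autorun across the domain) is normally pushed with the Group Policy setting "Turn off Autoplay", which writes the NoDriveTypeAutoRun value under the Policies\Explorer key; a value of 0xFF turns Autorun off for every drive type. The PowerShell below is an added audit example written for this thread, not something posted by the advisor or shipped with SEPM; the registry paths and bit values are standard Windows ones, and the assumption that the domain policy lands in those keys is mine. It reports whether removable media (the G: and F: drives in the poster's logs) and all drive types have Autorun disabled on the host it runs on.

```powershell
# Added audit example (not from the thread). Checks the effective Autorun policy
# values on the local machine and reports whether removable media is covered.
# Assumption: the domain GPO "Turn off Autoplay" writes NoDriveTypeAutoRun here.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# NoDriveTypeAutoRun is a bitmask: bit n disables Autorun for drive type n
# (DRIVE_REMOVABLE = 2 -> 0x04, DRIVE_FIXED = 3 -> 0x08, DRIVE_REMOTE = 4 -> 0x10,
#  DRIVE_CDROM = 5 -> 0x20). 0xFF disables every drive type, which is what the
# GPO option "All drives" sets.
$RemovableBit = 0x04
$AllDrives    = 0xFF

function Get-AutorunPolicyStatus {
    [CmdletBinding()]
    param([string[]]$Paths = $PolicyPaths)

    foreach ($path in $Paths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }

        [pscustomobject]@{
            Path              = $path
            NoDriveTypeAutoRun = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '<not set>' }
            RemovableDisabled = ($null -ne $value) -and (($value -band $RemovableBit) -ne 0)
            AllDrivesDisabled = ($null -ne $value) -and ($value -eq $AllDrives)
        }
    }
}

# Usage: run on a client (or via Invoke-Command against a list of hosts) and
# flag any host where neither hive disables Autorun for removable media.
$status = Get-AutorunPolicyStatus
$status | Format-Table -AutoSize

if (-not ($status | Where-Object RemovableDisabled)) {
    Write-Warning "Autorun is still enabled for removable media on $env:COMPUTERNAME"
}
```

    Running this through Invoke-Command against the clients that showed the W32.SillyFDC and W32.Virut.CF detections gives a quick way to confirm that the domain policy actually reached them before relying on it.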



  • 9.  RE: Attacks per hour and Risk Distribution Attacker is empty

    Posted Nov 28, 2011 11:44 AM

    Hi, can you please help with this issue: why is it empty here?

    Attacks per hour and Risk Distribution by attacker?



  • 10.  RE: Attacks per hour and Risk Distribution Attacker is empty
    Best Answer

    Trusted Advisor
    Posted Nov 29, 2011 04:01 AM

    Hello,

    Could you please try the following steps:


    1. Go to the Home tab on the SEPM console
    2. Click on Preferences under Security Status
    3. Under the Preferences window, go to Home and Monitors and change the Time range to past 48 hours
    4. Then, go to Logs and Reports
    5. Change the Date Format to DDMMYY

    and check if that works.