Endpoint Protection

  • 1.  Clients connecting to an IP.

    Posted Nov 16, 2011 09:46 PM

    Guys,

    I have a client who recently upgraded from version 11.0.5002 to 12.1.671.4971. The upgrade has worked perfectly fine. All clients are working fine and updating definitions perfectly fine. The LiveUpdate policy for client groups is designed to get updates from the SEPM only. The clients do have access to the Internet. Only the SEPM connects to the Internet to get the updates.

    The office has proxy software configured to monitor the network traffic. Recently we have observed that all the clients were frequently trying to connect to an unknown IP address, 143.127.102.40. After doing a whois lookup I came to know that the IP address belongs to Symantec. The LiveUpdate policy is designed in a way to make the clients connect to the SEPM only. So I am not sure why the clients are connecting to this IP address. How can I stop the clients from connecting to the IP address?

    When I type this IP address in the address bar in IE, it opens up a LiveUpdate page. If the policy for clients is designed to get updates from the SEPM, then why are the clients connecting to the Internet?

    I do not have a support contract with Symantec, so calling for support is not an option for me. Please advise on this forum.

    http://www.ip-adress.com/whois/143.127.102.40

     

    Your help is appreciated !!!



  • 2.  RE: Clients connecting to an IP.

    Broadcom Employee
    Posted Nov 16, 2011 10:29 PM

    Is the LU disabled on the client side?

    Do you have any other Symantec product?

    You can configure the firewall rule to block this IP.



  • 3.  RE: Clients connecting to an IP.

    Posted Nov 17, 2011 12:30 AM

    That IP has been blocked on the hardware firewall already. But I see clients trying to connect to that IP address.

    As far as I know, Pete, there is no other Symantec product installed on the client machines. The server has backup software from Symantec. The proxy software that I have only tells me about the URLs and IPs browsed in a day; it doesn't tell me how much data was transferred from a specific IP address.

    My concern is: is there a way to stop the clients from connecting to the IP address by making changes in the Symantec policy? Apart from LiveUpdate, what else do I need to disable to stop the clients from connecting to that IP address?

    Any advice?



  • 4.  RE: Clients connecting to an IP.

    Posted Nov 17, 2011 01:06 AM

    What proxy are you using? If you are using a proxy server then you have to put your proxy address in SEPM.

    Follow this link: http://www.symantec.com/business/support/index?page=content&id=TECH167247&actp=search&viewlocale=en_US&searchid=1321509409952 or go to the server control panel, click on Symantec LiveUpdate - HTTP - select "I want to customize my HTTP settings for LiveUpdate".

    Another thing you have to do is log on to SEPM - LiveUpdate policy - "Use the default management server (recommended)". Uncheck the second option.



  • 5.  RE: Clients connecting to an IP.

    Posted Nov 17, 2011 02:46 AM

    In the LiveUpdate policy, uncheck "Use Symantec Live Update server" and uncheck "Allow users to manually Launch Live Update".



  • 6.  RE: Clients connecting to an IP.
    Best Answer

    Posted Nov 18, 2011 03:23 PM

    Nisha,

    We have our group policies within SEPM set up in a similar fashion, in that clients which are primarily internal to the firewall will only pull updates from our SEPM server.

    Just today we noticed in our firewall that several clients are accessing an IP address of 143.127.102.41, which is one bit off from the one you've noticed and which also belongs to Symantec.

    My thoughts are that this traffic is submissions to Symantec's repository for heuristic and reputation-based data protection (see attached screenshot).

    I'm now testing this theory by temporarily turning off these submissions in my client and monitoring the firewall logs from my PC. I stress temporarily because I believe this data collection to be an important tool for Symantec in determining what is and isn't a threat; however, if this turns out to be the case I am hoping we can use our SEPM server as a proxy to handle this reporting, much like it does our definition updates.

    To turn off the submissions do the following:

    Open SEP client > Change Settings > Configure Settings for Client Management > Submissions tab > Heed warning and deselect all

    I will post back after some monitoring with my results.

     

    Chris



  • 7.  RE: Clients connecting to an IP.

    Posted Nov 22, 2011 10:37 AM

    I reviewed my firewall logs today and didn't see any communications with the IP address 143.127.102.41 since I changed my client settings on 11/18.  Since these communications were happening at least once per day I'm confident the features I turned off were what was trying to communicate with Symantec.

    I'd like to turn them back on for security reasons but would prefer if our SEPM server could act as a proxy for these requests instead of every individual PC trying to hit a Symantec server, especially to reduce traffic and for our shop floor computers which don't have access to the internet.



  • 8.  RE: Clients connecting to an IP.

    Posted Nov 22, 2011 11:15 AM

    SEP 12.1 needs to connect to the Internet for SONAR scan.

     

    Symantec recommends that you create exclusions on your proxy servers to allow network traffic for Download Insight servers. Exclusions are as follows:

     

    Type of traffic       Server address
    ------------------    ----------------------------------------
    Ping submissions      https://stnd-avpg.crsi.symantec.com
                          https://avs-avpg.crsi.symantec.com
                          https://stnd-ipsg.crsi.symantec.com
                          https://bash-avpg.crsi.symantec.com
    Sample submissions    https://central.ss.crsi.symantec.com
                          https://central.nrsi.symantec.com
                          https://central.avsi.symantec.com
                          https://central.b6.crsi.symantec.com
    CAT submissions       https://tus1gwynwapex01.symantec.com
    Error submissions     https://stnd-lueg.crsi.symantec.com
    Insight reports       https://ent-shasta-mr-clean.symantec.com
    Insight               https://ent-shasta-rrs.symantec.com
    Telemetry             https://tses.symantec.com/
    SETI                  https://tses.symantec.com/
    LiveUpdate            http://liveupdate.symantecliveupdate.com
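
Added example (not part of the original thread and not Symantec code): a Python script that groups proxy-log entries by the traffic types in the list above, so an administrator can see which SEP feature each client is using to reach Symantec and whether any client other than the SEPM still contacts LiveUpdate directly. The log format, the client addresses and the SEPM address 10.0.0.5 are constructed assumptions; an IP-literal destination such as the one reported in this thread is reported as unclassified rather than guessed at.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit
# Traffic type -> hosts, copied from the exclusion list in the post above.
SEP_TRAFFIC = {
    "Ping submissions": ["stnd-avpg.crsi.symantec.com", "avs-avpg.crsi.symantec.com",
                         "stnd-ipsg.crsi.symantec.com", "bash-avpg.crsi.symantec.com"],
    "Sample submissions": ["central.ss.crsi.symantec.com", "central.nrsi.symantec.com",
                           "central.avsi.symantec.com", "central.b6.crsi.symantec.com"],
    "CAT submissions": ["tus1gwynwapex01.symantec.com"],
    "Error submissions": ["stnd-lueg.crsi.symantec.com"],
    "Insight reports": ["ent-shasta-mr-clean.symantec.com"],
    "Insight": ["ent-shasta-rrs.symantec.com"],
    "Telemetry / SETI": ["tses.symantec.com"],
    "LiveUpdate": ["liveupdate.symantecliveupdate.com"],
}
HOST_TYPE = {h: t for t, hosts in SEP_TRAFFIC.items() for h in hosts}

# Constructed sample log: "<timestamp> <client> <method> <target> <status>".
SAMPLE_LOG = """\
2011-11-18T09:12:01 10.0.0.21 CONNECT stnd-avpg.crsi.symantec.com:443 200
2011-11-18T09:12:07 10.0.0.22 CONNECT ent-shasta-rrs.symantec.com:443 200
2011-11-18T09:13:40 10.0.0.5 GET http://liveupdate.symantecliveupdate.com/ 200
2011-11-18T09:14:02 10.0.0.21 CONNECT 143.127.102.41:443 403
2011-11-18T09:15:10 10.0.0.22 GET http://example.org/ 200
2011-11-18T09:16:00 10.0.0.22 GET http://liveupdate.symantecliveupdate.com/ 200
""".splitlines()

def dest_host(target):
    # Target is an absolute URL (plain HTTP) or host:port (CONNECT tunnel).
    host = urlsplit(target).hostname if "://" in target else target.rsplit(":", 1)[0]
    return (host or "").lower().rstrip(".")

def classify(host):
    try:
        ipaddress.ip_address(host)
        return "IP literal (unclassified)"  # needs whois / reverse DNS by hand
    except ValueError:
        return HOST_TYPE.get(host)  # None when the host is not on the list

def clients_by_traffic(lines, sepm_ip):  # traffic type -> clients, SEPM excluded
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[1] != sepm_ip:
            kind = classify(dest_host(parts[3]))
            if kind:
                seen[kind].add(parts[1])
    return {k: sorted(v) for k, v in seen.items()}
```

A client appearing under "LiveUpdate" here means its LiveUpdate policy still allows direct downloads; clients under the submission and Insight types are using the features discussed in the replies above.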



  • 9.  RE: Clients connecting to an IP.

    Posted Nov 29, 2011 07:06 AM

    You made my day !!!



  • 10.  RE: Clients connecting to an IP.

    Posted Nov 30, 2011 02:40 PM

    Dear Vikram.

    Admittedly I have not read all SEP v12 documentation. Is the information you posted above available in the setup manual (What section)? Is there a specific KB article for this (Link)?