
Endpoint Protection Truscan Issue

Created: 17 Sep 2012 | 5 comments

We have recently enabled the TruScan feature from Endpoint Protection 11.

Immediately after that, we got informed that all the workstations with the feature enabled were attempting to connect to various IP addresses.

All of them resolved to crl.verisign.net (e.g. 199.7.51.190).

The problem is that this traffic is blocked by our firewalls, but the clients keep hammering them without being able to connect. This occurs about every 1 hour.

 

Does anyone know why Symantec Endpoint Protection is trying to connect to Verisign's servers?

Is there a way to configure this behavior?


Mithun Sanghavi

Hello,

What version of SEP 11.x are you running?

When you say you have "all the workstations with the feature enabled", do you mean you have installed the PTP feature on all client machines?

Are you carrying any Authentication services OR SSL OR proxy?

PTP definitions download updates via LiveUpdate (Internet) or directly from SEPM / LUA.

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mandilaras

I'm using Symantec Endpoint Protection 11.0.6 MP3.

PTP is enabled on all client machines.

We're not using any authentication services as far as I know.

PTP definitions are downloaded via SEPM.

pete_4u2002

Is LiveUpdate enabled on the client?

Can you tell what's the traffic for ssl.verisign?

Mandilaras

The LiveUpdate button is disabled. All the clients download all the definition updates from SEPM.

I can't tell what the outgoing traffic is trying to do.

All I know is that it's using HTTP (port 80).

.Brian

Perhaps the SEP client is cross-checking the Verisign site to see if the application uses a valid cert. If so, this would practically mean that the app is legit and it would be marked as valid and allowed.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.