
Endpoint Protection TruScan Issue

Created: 17 Sep 2012 | 5 comments
Mandilaras

We have recently enabled the TruScan feature from Endpoint Protection 11.

Immediately after that, we got informed that all the workstations with the feature enabled were attempting to connect to various IP addresses.

All of them resolved to crl.verisign.net (e.g. 199.7.51.190).

The problem is that this traffic is blocked from our firewalls, but the clients keep hammering them without being able to connect. This occurs about every 1 hour.

 

Does anyone know why Symantec Endpoint Protection is trying to connect to Verisign's servers?

Is there a way to configure this behavior?

5 Comments

Mithun Sanghavi

Hello,

What version of SEP 11.x are you running?

When you say you have "all the workstations with the feature enabled", do you mean you have installed the PTP feature on all client machines?

Are you carrying any Authentication services OR SSL OR proxy?

PTP definitions are downloaded via LiveUpdate (Internet) or directly from SEPM / LUA.

 

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3

Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mandilaras

I'm using Symantec Endpoint Protection 11.0.6 MP3.

PTP is enabled on all client machines.

We're not using any authentication services as far as I know.

PTP definitions are downloaded via SEPM.

pete_4u2002

Is LiveUpdate enabled on the client?

Can you tell what's the traffic for ssl.verisign?

Mandilaras

The LiveUpdate button is disabled. All the clients download all the definition updates from SEPM.

I can't tell what's the outgoing traffic trying to do.

All I know is that it's using HTTP (port 80).

Brian81

Perhaps the SEP client is cross-checking the Verisign site to see if the application uses a valid cert. If so, this would practically mean that the app is legit and it would be marked as valid and allowed.

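Added example, not part of any post in this thread: one way to confirm from firewall deny logs that the blocked traffic is HTTP to the crl.verisign.net address and recurs about hourly per client. The log format, client addresses and function names are assumptions made up for illustration; only 199.7.51.190 and port 80 come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Address the thread reports for crl.verisign.net; add your own DNS results.
CRL_ADDRESSES = {"199.7.51.190"}

# Constructed firewall deny lines in a hypothetical format.
SAMPLE_LOG = """\
2012-09-17T08:00:03 DENY src=10.1.4.21 dst=199.7.51.190 dport=80 proto=tcp
2012-09-17T08:00:06 DENY src=10.1.4.21 dst=199.7.51.190 dport=80 proto=tcp
2012-09-17T08:14:40 DENY src=10.1.4.35 dst=203.0.113.9 dport=445 proto=tcp
2012-09-17T09:00:05 DENY src=10.1.4.21 dst=199.7.51.190 dport=80 proto=tcp
2012-09-17T09:02:11 DENY src=10.1.4.22 dst=199.7.51.190 dport=80 proto=tcp
2012-09-17T10:00:04 DENY src=10.1.4.21 dst=199.7.51.190 dport=80 proto=tcp
2012-09-17T10:02:13 DENY src=10.1.4.22 dst=199.7.51.190 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def crl_attempts(log_text, crl_addresses=CRL_ADDRESSES):
    """Return {client_ip: [datetime, ...]} for denied HTTP to CRL hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "80" or m["dst"] not in crl_addresses:
            continue
        hits[m["src"]].append(datetime.fromisoformat(m["ts"]))
    return dict(hits)

def retry_interval_minutes(timestamps, burst_seconds=60):
    """Median gap between attempts, collapsing TCP retries into one burst."""
    starts = []
    for ts in sorted(timestamps):
        if not starts or (ts - starts[-1]).total_seconds() > burst_seconds:
            starts.append(ts)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    return round(median(gaps)) if gaps else None

def summarize(log_text):
    """Per-client (attempt count, typical interval in minutes)."""
    return {src: (len(ts), retry_interval_minutes(ts))
            for src, ts in crl_attempts(log_text).items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A steady interval across many clients points to a scheduled check by the client software rather than to per-user activity.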