Endpoint Protection

  • 1.  How to determine when offsite machine w/SEP checks in?

    Posted Jul 23, 2014 12:19 PM

    Ok,

    We had a laptop stolen.  Laptops are under a separate policy from desktops. Laptops do a check to see if they can find our DNS servers. If not, they fall back to a "remote" LiveUpdate policy.  This allows them to contact Symantec LU servers directly.

    Is there a way from this configuration to determine when that laptop reconnects to the network?

    If not, is there a way in the future to change our configuration so that a machine would check in with us even when off network?

    We do not have a Liveupdate Server.

    We currently do have a lockdown group that I've placed this laptop into, and the only approved application is "calculator".  But then, that won't work unless he checks back in on our network.


    Ideas would be greatly appreciated.

    Thanks.



  • 2.  RE: How to determine when offsite machine w/SEP checks in?
    Best Answer

    Posted Jul 23, 2014 12:21 PM

    You would need to have a SEPM in a DMZ so it can communicate over the Internet.

    I assume you have an internal SEPM only here with no access from the outside?

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    Security recommendations regarding SEP client installed on server located in DMZ



  • 3.  RE: How to determine when offsite machine w/SEP checks in?

    Posted Jul 23, 2014 12:26 PM

    That is correct, Brian - only internal SEPM.

    Can this DMZ SEPM be placed on an existing server in the DMZ?  Does it need IIS?



  • 4.  RE: How to determine when offsite machine w/SEP checks in?

    Posted Jul 23, 2014 12:40 PM

    It can be, although I'd suggest using a separate box for it. Also, if 12.1, then no IIS is needed, as 12.1 uses Apache.

    But you still need to replace a Sylink on the stolen laptop to get it communicating. If stolen, I doubt this is possible.



  • 5.  RE: How to determine when offsite machine w/SEP checks in?

    Posted Jul 23, 2014 01:26 PM

    Yeah, we're just praying that it is some thug who stole it and will pawn it off right away.  I'm just trying to determine a path for future issues.

    Thanks for the links.



  • 6.  RE: How to determine when offsite machine w/SEP checks in?

    Posted Jul 23, 2014 02:00 PM

    You had all the components of SEP installed on that machine, including NTP / Application and Device Control.

    This would be my approach, as the laptop is stolen. These steps take place whenever he connects to the SEPM:

    1) Create a new group and move the client into it.

    2) If NTP is not already installed, follow this to install NTP:

    http://www.symantec.com/business/support/index?page=content&id=TECH90936

    3) Download this policy, check "Block executables from running", and under blocked process use *.* or *.exe. This would block all the apps, including explorer or even winlogon.exe:

    http://www.symantec.com/business/support/index?page=content&id=TECH132337

    Apply this policy to that GROUP only.

    Once he connects, he will be gone forever.