Based on the lack of any good ideas here in Connect lately, it looks like I'll be opening a few support tickets soon. I've got a whole slew of issues since the upgrade to 12.1, and they all need to be resolved, but I'm not even getting close :-(
It would appear I've been playing "stump the volunteer" - as well as stumping a few who seem like maybe they are Symantec support employees.
I've got a whole list of them, and I guess the best bet is to start a "ticket" on each one of them individually so they don't get tangled up.
It appears we are the only ones having any real issues with an upgrade from 11.07 to 12.1, since no one is admitting to seeing these issues! LOL.
Here goes...
Look for support calls on:
* Logs don't show the user or logged-in user name in alerts or logs roughly 40% of the time. Instead, since the upgrade to 12.1, I now must use the IP address or the computer name, go into the computer, and figure out WHO is logged in. Further, since the upgrade, SEP now retains the name of a user who was logged in 2 days ago, but not the CURRENTLY logged-in user! So some people are getting blamed for things someone did on their computer a day or two ago. It's not updating the logged-in user as a new person logs in, even if that new person has been logged in for multiple days.
* Since 12.1, the logs show several processes touching SEP files and alert on them; common, well-known processes are now logged as "touching" SEP files or registry keys - not changing them, etc. The logs don't give any details - no rule name, no violation type, a lot of missing information! (The logs are really bad since the upgrade to 12.1 - no real useful info that might aid in letting me know what's up, and WHY NOW and not before 12.1.)
* The alerts and logs for device control now tell me when devices are ALLOWED! OUCH. I get hundreds of alerts that devices we WANT to use are being allowed - but alas, this is killing us, and we never saw the alerts when devices were BLOCKED. Before 12.1, the alerts were only when something was blocked, not when it was allowed. Now it's the reverse - SEP sent me an email each time one of our allowed dictation devices was connected. I had to shut off all of the alerting and logging on this; it was flooding us.
* There are a whole lot of things showing up that appear to be new SEP 12.1 things - like some sort of Symantec service host that replaces the Windows service host svchost? In any case, that, too, is now flooding our logs and alerts. There is no documentation on this change. Is Symantec launching services with its OWN svchost EXE now, replacing the Windows svchost? It sure appears so... ccSvcHst.exe now appears to be attempting to launch bridge.sys. WHY?? We block access to bridge.sys so no one can connect a wired and a wireless network here. It seemed the simplest solution, since Microsoft in their infinite (or is that finite?) security wisdom likes to let folks connect anything that will fit together, even if it requires duct tape to do so. So we had someone connect to a wireless AP with a cool name while on our network, and we got all sorts of weird alerts over the net. So I solved that - block bridge.sys from being launched by Windows' own svchost.exe. NOW, however, I see Symantec is attempting to launch bridge.sys using their ccSvcHst.exe file! What's up with that? And why no explanation?
I could go on, but won't - I'll save it for the support regulars and start a case on each of the above, and about 2 or 3 more for now, and see if anyone there has any clues, since I've struck out so far.
Well, we tried.... right? ;-)
IF I get any answers (and for 2 or 3 of these, I hold little hope of a solution), I'll post what I find so that hopefully I can help prevent others from having to spend months sorting out an upgrade that went less than perfectly and has left them totally confused, with logs and alerts so bad, so broken, that almost all had to be totally turned off or removed. Apparently it works quite well if you totally delete and blow away your policies, alerts and configurations prior to the upgrade, but it took us years to develop what we had; I wasn't about to go there and have to start from scratch.
Lest you see despair in this, have heart - we are the most secure agency in this whole state thanks to SEP (AND ME, of course!!), so we can't let these issues discourage us. I am going to guess that no one else in this organization can make the claim "totally infection free for 13 months" - that's correct, SEP (with my custom configurations) has prevented anything from actually getting in and/or infecting for over a full year, on over 350 computers that are constantly on the web hitting who-knows-what on a daily basis.
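The first item above describes a manual chore: taking the IP address or computer name from an alert and working out who is actually logged on, because the user field in the log can be stale. The following PowerShell helper is an added example for that step; it is not part of the original post and not Symantec code. It assumes remote CIM over WinRM is enabled on the targets and that the caller is a local administrator on them; the host names in the usage line are hypothetical placeholders.

```powershell
# Added example, not from the original post or from Symantec.
# Given host names or IPs lifted from an alert, ask each machine who is
# actually logged on right now, instead of trusting a possibly stale user
# field in the log. Assumes remote CIM (WinRM) is enabled on the targets
# and the caller is a local administrator on them.
function Get-LoggedOnUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($c in $ComputerName) {
            try {
                # Console (interactive) user; empty when nobody is at the console.
                $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $c -ErrorAction Stop

                # Owners of explorer.exe cover RDP / fast-user-switching sessions
                # that the console field does not show.
                $sessionUsers = Get-CimInstance -ClassName Win32_Process -Filter "Name='explorer.exe'" `
                                    -ComputerName $c -ErrorAction Stop |
                    ForEach-Object {
                        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
                        if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" }
                    } | Sort-Object -Unique

                [pscustomobject]@{
                    Computer     = $c
                    ConsoleUser  = $cs.UserName
                    SessionUsers = ($sessionUsers -join ', ')
                    Error        = $null
                }
            }
            catch {
                # Keep going for the rest of the list; record why this host failed
                # (offline, WinRM disabled, access denied) instead of stopping.
                [pscustomobject]@{
                    Computer     = $c
                    ConsoleUser  = $null
                    SessionUsers = $null
                    Error        = $_.Exception.Message
                }
            }
        }
    }
}

# Usage: the host names below are hypothetical placeholders, not from the post.
'WS-0412', '10.20.30.40' | Get-LoggedOnUser | Format-Table -AutoSize
```

Feed it the computer names or IPs pulled from a batch of alerts and you get one row per host with the console user and any other interactive sessions, which is the information the alert should have carried. Hosts that cannot be reached are reported in the Error column rather than aborting the run, so a long list from a flood of alerts can be worked through in one pass.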