Endpoint Protection

  • 1.  Logs don't show Client User Name Since Upgrade to SEP 12.1

    Posted Mar 06, 2012 02:56 PM

    Been using SEP since way back, years. When I check the NTP logs/attacks, I see the time, event type, domain/group, computer, client name, Severity, etc. etc.

    Uh, well, I did! I did in SEP 11.xxxx

    Now, however, I see the Client User Name only in a few entries.

    Otherwise, it's blank, and if I click on "Details" I get this - can anyone tell me "what's up"??? Why are at least half of them empty now? There are users logged in and using the computer, obviously.

    They are in the same group and, when I show the details, under the same management server. I can't see any differences as to why some show the logged-in user and others do not.

    (They all show under SEP2 - SEP1 has been moved to a lower priority level so I can have all clients on SEP2, then blow away SEP1 and make a brand new one, since the upgrade was less than, well, smooth.)

    In the Clients tab, client status, the computers all show the logged-in user (or last logged-in user).

    Computer Name
    Current:
    When event occurred:
    IP Address
    Current:
    When event occurred:
    Local MAC:
    User Name:
    Operating system:
    Location Name:
    Domain Name:
    Group Name:

  • 2.  RE: Logs don't show Client User Name Since Upgrade to SEP 12.1

    Posted Mar 12, 2012 02:23 PM

    WOW - I've stumped 'em again! Seems like I'm coming up with a lot of things about 12.1 that no one seems to know anything about.

    I guess now when I'm wondering WHO did what, I'll just have to do things the old-fashioned SAV way, or was it NAV - I'll have to manually look at the computer to see who was logged in at the time.

    I guess since no one knows anything about this, I'll add this to the growing list of reasons I wish I'd left us at 11 and not messed with 12 until it was mature and more reliable than 11.



  • 3.  RE: Logs don't show Client User Name Since Upgrade to SEP 12.1

    Posted Apr 11, 2012 04:42 PM

    Based on the lack of any good ideas here in Connect lately, looks like I'll be opening a few support tickets soon. I've got a whole slew of issues since the upgrade to 12.1 and they all need to be resolved, but I'm not even getting close :-(

    It would appear I've been playing stump the volunteer - as well as stumping a few who seem like maybe they are Symantec support employees.

    I've got a whole list of them, and I guess the best bet is to start a "ticket" on each one of them individually so they don't get tangled up.

    It appears we are the only ones having any real issues with an upgrade from 11.07 to 12.1 since no one is admitting to seeing these issues! LOL.

    Here goes.............

    Look for support calls on:
    * Logs don't show the user or logged-in user name in alerts or logs roughly 40% of the time. Instead, since the upgrade to 12.1, I now must use the IP address or the computer name, and go into the computer and figure out WHO is logged in. Further, since the upgrade, SEP now retains the name of a user who was logged in 2 days ago, but not the CURRENTLY logged-in user! So some people are getting blamed for things someone did on their computer a day or two ago. It's not updating the logged-in user as a new person logs in, even if that new person has been logged in for multiple days.
    * Since 12.1, the logs are showing several processes touching SEP files and alerting in the logs; common, well-known processes are now logged as "touching" SEP files or registry keys - not changing them, etc. The logs don't give any details - no rule name, no violation type, a lot of missing information! (The logs are really bad since the upgrade to 12.1 - no real useful info that might aid in letting me know what's up, and WHY NOW and not before 12.1.)
    * The alerts and logs for device control now tell me when devices are ALLOWED! OUCH, I get hundreds of alerts that devices we WANT to use are being allowed - but alas, this is killing us, and we never saw the alerts when devices were BLOCKED. Before 12.1, the alerts were only when something was blocked, not when it was allowed. Now it's the reverse - SEP sent me an email each time our allowed dictation devices were connected. I had to shut off all of the alerting and logging on this; it was flooding us.
    * There are a whole lot of things showing up that appear to be new SEP 12.1 things - like some sort of Symantec service host that replaces the Windows service host SVCHST? In any case, that, too, is now flooding our logs and alerts. There is no documentation on this change. Is Symantec launching services with its OWN SVCHST EXE now, replacing the Windows SVCHST? It sure appears so..... ccSvcHst.exe now appears to be attempting to launch bridge.sys. WHY?? We block access to bridge.sys so no one can connect a wired and wireless network here. It seemed the most simple solution, since Microsoft in their infinite (or is that finite?) security wisdom likes to let folks connect anything that will fit together, even if it requires duct tape to do so. So we had someone connect to a wireless AP with a cool name while on our network, and we got all sorts of weird alerts over the net. So I solved that - block bridge.sys from being launched by Windows' own svchst.exe. NOW, however, I see Symantec is attempting to launch bridge.sys using their ccSvcHst.exe file! What's up with that? And why no explanation?

    I could go on, but won't - I'll save it for support regulars and start a case on each of the above, and about 2 or 3 more for now, and see if anyone there has any clues since I've struck out so far.

    Well, we tried.... right?  ;-)

    IF I get any answers (and for 2 or 3 of these, I hold little hope of a solution), I'll post what I find so that hopefully I can help prevent others from having to spend months sorting out an upgrade that went less than perfectly, and has left them totally confused with logs and alerts that are so bad, so broken, almost all had to be totally turned off or removed.  Apparently it works quite well if you totally delete and blow away your policies and alerts and configurations prior to the upgrade, but it took us years to develop what we had, I wasn't about to go there and have to start from scratch.

    Lest you see despair in this, have heart - we are the most secure agency in this whole state thanks to SEP (AND ME, of course!!), so we can't let these issues discourage us. I am going to guess that no one else in this organization can make the claim "totally infection free for 13 months" - that's correct, SEP (with my custom configurations) has prevented anything from actually getting in and/or infecting for over a full year, on over 350 computers that are constantly on the web hitting who-knows-what on a daily basis.
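As an added example (not code from this thread or from Symantec) of the reconciliation the first post and the first bullet of post 3 describe doing by hand: cross-check each event's User Name against an independent record of who was logged on to that computer at event time, so blank entries can be filled in and stale attributions (a user from days earlier still named on the event) can be flagged before anyone is blamed. The CSV column names follow the Details view above; the log rows, the logon-session export and every host and user name are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample export using the field names from the SEP "Details" view;
# blank User Name values reproduce the symptom described in the thread.
SEP_LOG = """\
Event Time,Event Type,Computer Name,IP Address,User Name
2012-03-06 10:15,Attack,WS-101,10.1.1.5,jdoe
2012-03-06 10:20,Attack,WS-102,10.1.1.6,
2012-03-06 10:25,Attack,WS-103,10.1.1.7,asmith
2012-03-06 10:30,Attack,WS-104,10.1.1.8,
"""
# Constructed logon sessions from an independent source (e.g. an export of
# the endpoints' Windows logon/logoff events); also hypothetical data.
LOGON_SESSIONS = """\
Computer Name,User,Logon,Logoff
WS-101,jdoe,2012-03-06 08:00,2012-03-06 17:00
WS-102,bwong,2012-03-06 09:30,2012-03-06 16:45
WS-103,asmith,2012-03-04 09:00,2012-03-04 17:30
WS-103,clee,2012-03-06 08:10,2012-03-06 17:05
"""

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def user_at(sessions_text, computer, when):
    """User with an active logon session on `computer` at `when`, else None."""
    for r in csv.DictReader(io.StringIO(sessions_text)):
        if r["Computer Name"] == computer and ts(r["Logon"]) <= when <= ts(r["Logoff"]):
            return r["User"]
    return None

def classify(sep_user, actual):
    """'ok', 'missing' (blank in SEP), 'stale' (SEP names a user who was not
    logged on at event time) or 'unknown' (no independent session data)."""
    if actual is None:
        return "unknown"
    if sep_user is None:
        return "missing"
    return "ok" if sep_user == actual else "stale"

def reconcile(sep_log_text, sessions_text):
    """Return (computer, sep_user, actual_user, status) for every SEP event."""
    results = []
    for r in csv.DictReader(io.StringIO(sep_log_text)):
        sep_user = r["User Name"].strip() or None
        actual = user_at(sessions_text, r["Computer Name"], ts(r["Event Time"]))
        results.append((r["Computer Name"], sep_user, actual, classify(sep_user, actual)))
    return results
```

Events classified "unknown" are the ones that still need the manual check the thread describes; "stale" rows are the ones where trusting the SEP log would blame the wrong person.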