Endpoint Protection

  • 1.  Need SEP to eliminate threats at the USER level.

    Posted Mar 07, 2012 10:53 AM

    I have several users who have Windows 7 64-bit workstation PCs. They are using SEP version 11.0.7 and on....The problem is, if a user downloads Spyware SEP will NOT delete the file with their access level; if I sign in as an admin or Domain admin, the file is immediately deleted. How can I have this done so the files are deleted as the user and will not present with further threat or damage?

    I had a user who had to send in their laptop because Symantec took no action on the infected file; this was a remote user so we could not provide this person with an administrator account. Once I received the laptop, and as SOON as I signed in with administrative rights, SEP INSTANTLY took the threat and eliminated it...I would like Symantec Endpoint Protection to be able to do this at the user level. Is there ANY way to enable SEP to work at administrative level WITHOUT giving the user(s) administrative rights? This will greatly reduce the number of threats on our network and possibly eliminate the need to install and run Malwarebytes or any other program.

    I have tried to contact Symantec support online by submitting a case, but I continually run into an error I cannot get past...


    The error is as follows: "Summary and Error Code fields exceed maximum"

    I have filled out all fields accordingly and continue to encounter this.

    I really would like to know if there is a way that this can be done. All services under SEP are running under the "Local service" account with the exception of SNAC, which is disabled.



  • 2.  RE: Need SEP to eliminate threats at the USER level.

    Posted Mar 07, 2012 11:29 AM

    I don't know about Symantec, but I do have some applications running here for which the "local system" account just doesn't cut it.  When trying to run certain commands, it simply fails. 

    In the services console, I change the service logon account from Local System (which is supposed to be the highest authority) to an "Administrative" account.  This could be Domain, Enterprise or even local (depending on what it is used for). 

    I don't have an infection to test with, but I would think this should work and do as you wish in order to eliminate at the user level.



  • 3.  RE: Need SEP to eliminate threats at the USER level.

    Posted Mar 07, 2012 11:36 AM

    ...I will give the local admin account the right over all Symantec services and test it with an infected PC.

    Many thanks...



  • 4.  RE: Need SEP to eliminate threats at the USER level.

    Posted Mar 07, 2012 11:54 AM

    I tried changing the services to a domain admin account; then they would not start.



  • 5.  RE: Need SEP to eliminate threats at the USER level.

    Posted Mar 07, 2012 12:01 PM

    Scan with NSS tool.....

    • please check the system is updated with Microsoft patches and SEP definitions are up to date 
    • check startup programs to confirm any unwanted applications starting with system
    • Remove temp files


  • 6.  RE: Need SEP to eliminate threats at the USER level.

    Posted Mar 07, 2012 01:59 PM

    The only other thing I could think of, without giving the user complete Admin rights to the system, would then be folder/file rights.

    I would assume that most users download to their desktop, which in turn is in their personal profile folder.

    C:\users\[username] for Windows 7/Vista

    &

    C:\documents and settings\[username] for almost every other version

    * * * * * * * * *

    And the quarantine area is:

    C:\ProgramData\Symantec\Symantec Endpoint Protection (on Windows 7 with 12.1 installed)

    or

    c:\documents and settings\all users\Application Data\Symantec\Symantec Endpoint Protection\... 

    The question then becomes: is it the "quarantine" folder that the system is incapable of deleting from?

    Of course, no one wants to purposely infect a machine in order to find this out.  You can try with "full rights" on one or both of those locations, user profile and quarantine area.

    * * * * * * *

    I often see in my quarantine/deleted files on the SEPM server a file with the name Keygen. Symantec REALLY doesn't like those.  It should catch anything you "purposely" try to infect a machine with and quarantine/delete it.  Of course, removing the machine from the network would be best practice for testing purposes.  And as a "normal user"...
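    An added diagnostic script, not posted by anyone in this thread, that reports the two things the replies above turn on: which account the Symantec services log on as (posts 2 and 4) and whether a standard user holds write/delete rights on the quarantine folder (post 6). The "*Symantec*" display-name filter and the quarantine path are assumptions taken from this thread; run it as the affected user or pass that user's name.

```powershell
# Added example (not from the thread): show SEP service logon accounts and the
# ACL on the quarantine folder, then flag whether a non-admin principal can write there.
# Assumptions: SEP services have "Symantec" in their display name; quarantine path as in post 6.
param(
    [string]$User = "$env:USERDOMAIN\$env:USERNAME",
    [string]$QuarantinePath = "C:\ProgramData\Symantec\Symantec Endpoint Protection"
)

# 1. Service state and logon account (StartName is what the services console calls "Log On As").
$services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like "*Symantec*" }
foreach ($s in $services) {
    "{0,-45} State={1,-8} LogOnAs={2}" -f $s.DisplayName, $s.State, $s.StartName
}

# 2. Quarantine folder ACL: list every ACE, then test the well-known user groups and the given user.
#    Note: this checks only direct ACEs for those principals, not full group-membership resolution.
if (Test-Path -Path $QuarantinePath) {
    $acl = Get-Acl -Path $QuarantinePath
    foreach ($ace in $acl.Access) {
        "{0,-35} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights
    }
    $principals = @("BUILTIN\Users", "NT AUTHORITY\Authenticated Users", "Everyone", $User)
    $writeBits  = [System.Security.AccessControl.FileSystemRights]::Write
    $deleteBits = [System.Security.AccessControl.FileSystemRights]::Delete
    $canWrite = $acl.Access | Where-Object {
        $principals -contains $_.IdentityReference.Value -and
        $_.AccessControlType -eq "Allow" -and
        ((($_.FileSystemRights -band $writeBits) -ne 0) -or (($_.FileSystemRights -band $deleteBits) -ne 0))
    }
    if ($canWrite) {
        "Standard-user write/delete on quarantine: PRESENT for " + (($canWrite.IdentityReference.Value | Select-Object -Unique) -join ", ")
    } else {
        "Standard-user write/delete on quarantine: none (remediation there depends on the service account)"
    }
} else {
    "Quarantine path not found: $QuarantinePath"
}
```

Compare the LogOnAs column against the poster's note that SEP runs under "Local service": a remediation that only succeeds for an interactive admin points at the caller's rights, not the service's, which is what the ACL section helps confirm.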