Old Legacy software blocked by the SEP 12.1 RU1 MP1
Created: 11 Nov 2012 | 21 comments
Hi,
Some of my users in the office complained to me again because of this SEP 12.1 deployment, the most common now when it is working is:
SID 20903: FTP generic command overflow detected
How can I make sure that this attack is put into the white list as this is happening between the internal server and the workstation in the office.
Thanks
see the above screen shot.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
John,
Have you put the target server in question into the whitelisted servers?
Go to SEPM
then go to Clients Tab, select the Group, then go to Policies, then at the default location click on the intrusion prevention (edit)
then settings, and click the Excluded host, then add the IP address in there.
hope this helps.
Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP
thanks Dushan for the reply.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Dushan,
It doesn't work as I have tried that yesterday.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
John,
How come it doesn't work?
If that is still causing an issue, I suggest logging a call with Symantec Enterprise Tech Support. But don't forget to share the solution here :-)
Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP
Hi John,
You can add it to the Excluded Hosts list in the IPS policy.
Setting up a list of excluded computers
http://www.symantec.com/business/support/index?page=content&id=HOWTO27084
Check your Thread
https://www-secure.symantec.com/connect/forums/how-unblock-or-white-list-internal-production-ftp-sep-false-positives
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Thanks Ashish for the reminder.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Ashish,
The whitelist trick doesn't work :-\ users still complain that their legacy application that uses FTP to transfer files into the UNIX server is still blocked by Symantec.
I guess the only way here is to roll back the Symantec AV deployment into 11.0.7 MP3
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Can you post the log or screenshot of what's going on?
SEP Knowledge Base
Endpoint SWAT
Lately I'm getting busy with various calls regarding application malfunction (-_-)" this is mostly due to Symantec Endpoint Protection client v 12.1 RU1 MP1 rolled out to my Windows XPSP3 users...
Just now another call about another 3rd party application using Microsoft Outlook that has crashed, before it was working fine, so I wonder where I can find the log or event in the AV client to see which component did the blocking?
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Can you try with the RU2 when it comes out today? RU2 has fixes regarding XPSP3
http://www.cstl.com
Hi Alex,
I have upgraded the SEP client but somehow it doesn't work as expected.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
If this is caused by the IPS, rolling back to RU7 won't matter. The IPS signatures are the same whether it's 11.x or 12.1. You need to either whitelist the IP or disable the signature.
If you can check the logs, this may give a better idea of what's happening.
SEP Knowledge Base
Endpoint SWAT
I'll try by adding the binary file of the application to the white list.
I'll keep you guys posted.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
So confused today (-_-)", the problem still exists, and the user still complains that the new Symantec Endpoint broke it :-/
I have already upgraded the client to RU2, but still no effect, the application is still not functioning as it should.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Hi,
Your best bet is to raise a support ticket for the same.
How to create a new case in MySupport
http://www.symantec.com/business/support/index?page=content&id=TECH58873
Phone numbers to contact Tech Support:-
Regional Support Telephone Numbers:
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Yes, that is the next step :-/
Because I don't use that legacy application, it would be trickier to install on my Windows 7 64 bit laptop, because the user is on a Windows XP SP3 32 bit desktop.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Hi John,
Always remember, if you don't receive any answer, please don't waste time and raise a support ticket.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Yes for sure, and I will also update this thread with the solution.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Did adding the IP address to the Excluded Hosts list not work??
SEP Knowledge Base
Endpoint SWAT
Yes, unfortunately it doesn't work as the application is still not functioning properly. :-/
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.