
Retina Scans with SEPM Client Installed

Created: 29 May 2008 • Updated: 08 Jul 2010 | 7 comments
I hope someone can provide some insight to what is going on.  I've created a firewall rule to allow retina traffic and what I think is an intrusion protection exception to allow retina and assigned the policies to the respective groups where the clients reside.  When I start a scan retina says it was not granted access to the registry.  When I check the logs in SEPM they say that the traffic coming from the retina server were blocked.  Can someone provide any suggestions?  Thanks in advance...

7 Comments

Paul Murgatroyd:
What's the full message from SEP?

Sounds like IPS is blocking it... at the moment you can't create process exceptions for IPS, just based on signatures.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

gorman:

The only way I can get the Retina scans to work is to disable SEP on all my servers.  Is there a solution other than to lose protection or install a different AV product?

This is from the SEP client security log:

[SID: 20519] HTTP CF GetTempDirectory Attempt detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe

[SID: 20337] HTTP MS IIS ExAir Search DoS detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe

Traffic from IP address xxx.xxx.xxx.xxx is blocked from 11/17/2008 12:10:42 PM to 11/17/2008 12:20:42 PM.

Active Response that started at 11/17/2008 12:10:42 is disengaged. The traffic from IP address xxx.xxx.xxx.xxx was blocked for 600 second(s).
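The entries above show two separate SEP mechanisms firing: IPS signature hits (the `[SID: ...]` lines) and the Active Response that then blocks the source address for a fixed window. Since IPS exceptions are made per signature rather than per process, a practitioner wants to know exactly which SIDs the authorized scanner is tripping and how long each Active Response held the block. The parser below is an added example, not code from the original post or from Symantec; it reads a log excerpt in the same shape as the one above. The address `192.0.2.10` is a documentation-range placeholder standing in for the masked `xxx.xxx.xxx.xxx`, and the sample text is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the shape of the SEP client security log excerpt above.
# 192.0.2.10 is a documentation-range placeholder for the masked scanner address.
SAMPLE_LOG = """\
[SID: 20519] HTTP CF GetTempDirectory Attempt detected.
Traffic has been blocked from this application: C:\\WINDOWS\\system32\\ntoskrnl.exe

[SID: 20337] HTTP MS IIS ExAir Search DoS detected.
Traffic has been blocked from this application: C:\\WINDOWS\\system32\\ntoskrnl.exe

Traffic from IP address 192.0.2.10 is blocked from 11/17/2008 12:10:42 PM to 11/17/2008 12:20:42 PM.

Active Response that started at 11/17/2008 12:10:42 is disengaged. The traffic from IP address 192.0.2.10 was blocked for 600 second(s).
"""

SIG_RE = re.compile(r"^\[SID: (\d+)\] (.+?) detected\.$")
APP_RE = re.compile(r"^Traffic has been blocked from this application: (.+)$")
BLOCK_RE = re.compile(r"^Traffic from IP address (\S+) is blocked from (.+?) to (.+?)\.$")
DISENGAGE_RE = re.compile(
    r"^Active Response that started at (\S+ \S+) is disengaged\. "
    r"The traffic from IP address (\S+) was blocked for (\d+) second\(s\)\.$"
)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


@dataclass
class SignatureHit:
    sid: int
    name: str
    application: str | None = None  # filled from the following "blocked from" line


@dataclass
class ActiveResponse:
    ip: str
    start: datetime
    end: datetime
    seconds: int  # computed from the window, not from the disengage message


@dataclass
class ParsedLog:
    signature_hits: list[SignatureHit] = field(default_factory=list)
    active_responses: list[ActiveResponse] = field(default_factory=list)
    disengaged: list[tuple[str, int]] = field(default_factory=list)  # (ip, reported seconds)


def parse_sep_security_log(text: str) -> ParsedLog:
    """Parse the four message shapes seen in the excerpt into structured events."""
    parsed = ParsedLog()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SIG_RE.match(line):
            parsed.signature_hits.append(SignatureHit(int(m.group(1)), m.group(2)))
        elif m := APP_RE.match(line):
            # The application line follows its signature line; attach it to the latest hit.
            if parsed.signature_hits and parsed.signature_hits[-1].application is None:
                parsed.signature_hits[-1].application = m.group(1)
        elif m := BLOCK_RE.match(line):
            start = datetime.strptime(m.group(2), TIME_FMT)
            end = datetime.strptime(m.group(3), TIME_FMT)
            parsed.active_responses.append(
                ActiveResponse(m.group(1), start, end, int((end - start).total_seconds()))
            )
        elif m := DISENGAGE_RE.match(line):
            parsed.disengaged.append((m.group(2), int(m.group(3))))
    return parsed


def candidate_signature_ids(parsed: ParsedLog) -> list[int]:
    """SIDs that fired in this log; the excerpt does not tie a SID to a source IP,
    so this is log-wide and must be checked against the scan schedule by hand."""
    return sorted({hit.sid for hit in parsed.signature_hits})


def block_summary(parsed: ParsedLog, scanner_ips: set[str]) -> dict[str, dict]:
    """Per authorized scanner address: how many Active Response windows hit it, the
    total seconds blocked, and whether the disengage messages agree with the windows."""
    summary: dict[str, dict] = {}
    for resp in parsed.active_responses:
        if resp.ip not in scanner_ips:
            continue
        entry = summary.setdefault(resp.ip, {"windows": 0, "seconds_blocked": 0, "reports_match": True})
        entry["windows"] += 1
        entry["seconds_blocked"] += resp.seconds
    for ip, entry in summary.items():
        reported = sum(secs for rip, secs in parsed.disengaged if rip == ip)
        entry["reports_match"] = reported == entry["seconds_blocked"]
    return summary


if __name__ == "__main__":
    log = parse_sep_security_log(SAMPLE_LOG)
    print("candidate SIDs:", candidate_signature_ids(log))
    print(block_summary(log, {"192.0.2.10"}))
```

Running it on the sample prints the two SIDs (20337 and 20519) and one 600-second block window for the scanner address. A ten-minute Active Response per hit explains why a scan that trips several signatures in a row never completes even when the firewall rule itself allows the host.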

Abhishek Pradhan:

You could create a HOST GROUP first, and then a HOST RULE to allow traffic To and FROM your Retina server.

This will ensure that all the SEP clients do not block the traffic originating To-From the Retina server for, say, "xyz" number of seconds.


Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

gorman:

Thanks for the quick response.  I have made the changes and scheduled a Retina scan for tomorrow.  I will post the results.

Gorman

gorman:

I am still getting the same entries in the SEP security log and the Retina scan fails.

This is how the rule is set up:

Rule Summary:
Allow both incoming and outgoing traffic to/from: xxx.xxx.xxx.xxx. This applies to traffic from the following protocols and ports: All IP protocol types. For these network adapters: All network adapters.

PS: I am running "unmanaged" SEP clients, therefore no host groups.


Plum:

I am having the same issue with SEP and Retina and need resolution.  I have opened a support ticket with eEye and they have tossed the ball back to Symantec.  Even if I disable everything I can on the SEP side, I cannot get Retina to touch the registry.  I know there has to be a solution - the government is running SEP and is mandated to scan with Retina; someone must have this figured out.

L.D.:

We are also having trouble with SEP and Retina.  We have discovered that if you disable Intrusion Prevention, the Retina scan works.  What we need to know is how to allow Retina on unmanaged SEP machines without having to disable Intrusion Prevention.