Endpoint Protection

  • 1.  Sample Submissions

    Posted Aug 26, 2009 07:53 AM
    Hello chaps

    Another query (I have this as an open case at the moment with support)

    There appears to be a lot of discussion with regards to the Quarantine server, its role and/or usefulness in the SEP11 environment, and the client submission functionality and how it operates.
    I have an issue with the quarantine server wherein it doesn't actually appear to do anything - it accepts the files for analysis and then does nothing with them. I've enabled logging using the registry tweaks, the avis .txt files are created with a whole bunch of things happening, and then near the end it appears to conk out. I won't post the last section here as the support guys already have it (don't want to pre-empt what they have to say). The Symantec line is that it shouldn't be used in an environment of less than 10,000 machines, will be phased out, etc., etc. - distinct impression that they are giving it a wide berth.

    Anyhoo, the other option is to submit the samples direct from the client, but that (from what I've read) appears to be a painstaking manual process - am I right? If not, and it can be automated, can someone provide a little advice on the process? I know that it involves the policies.

    Cheers

    Mr Miyagi


    ...Wax On, Wax Off...


  • 2.  RE: Sample Submissions

    Posted Aug 26, 2009 08:00 AM
    In the antivirus and antispyware policy there is an option to submit quarantine items to Symantec, right?

    policies-antivirus and antispyware - click submissions.


    If that option is checked it sends the info online to Symantec.

    When you say samples (are these quarantined ones, or ones you find using esugdrop.exe?) - if you want to upload suspected files using esugdrop you need to do it manually.





  • 3.  RE: Sample Submissions

    Posted Aug 26, 2009 08:42 AM
    Hi Rafeeq
    These are just simply ones found and put into quarantine - not using the tool you mention.

    I'll take a look at the area you state above and see what we have.

    Cheers

    Mr Miyagi

    ...Wax On, Wax Off...


  • 4.  RE: Sample Submissions

    Posted Aug 26, 2009 08:54 AM
    Quarantine server running with the later versions of IE needs this change:
    Under the properties of your quarantine server (highlight it and right-click) you need to go to the web communication tab and UNcheck secure submission and secure download.
    Then it will function.

    Yes, in the configuration - go to the antivirus policy, edit it, choose Submissions from the menu on the left, then you can configure from there to let it submit quarantined samples. If it doesn't quarantine something, you can manually quarantine it and manually submit it - but it must be done from the workstation. (Tell a social worker who already hates computers that's what they must do...)

    SEP submitting from the client appears to do nothing at all. At least I never get any email or feedback; the client never knows if it went or worked. Never get any info back, no feedback, nothing as to what it was, defs needed, etc. - it's pretty worthless to the customer - PLUS, our users are not computer people, so don't even think you are going to have THEM submit a sample. They think pushing the button on the monitor shuts off their computer for the night... and changing from plain paper to letterhead requires a page of explanation. So it's really pretty lame to figure the users or clients are going to submit.

    Even for ME, using that process is a hassle.
    What I have to end up doing is to have the client SEP submit to the quarantine server, then I use the q-server, restore the sample to the local server drive and manually submit it via web. Otherwise, you are simply sending them a file and get no feedback at all - and why bother if you aren't going to get info about what you submitted, what it is, how it works, and what defs will catch it or clean it?

    ----------editorial content below--------------------------------
    This:
    >>The Symantec line is that it shouldn't be used in an environment of less than 10,000 machines,<<

    Is the biggest line of BS I've seen come out of support. Sorry and no offense, but whoever says that is clueless and has obviously never WORKED in the real world, where we have to support many computers - just ONE person has to support hundreds of computers and deal with viruses on a DAILY basis. Their numbers are way off. It's useful and needed for only 300 computers.
    Guys we are in the trenches and need automation and most of all, INFORMATION. Information is how we learn what's there and how we prepare our defenses - plus, it's what the boss wants to know!

    -----------------------------------------------------------------
    (and yes those watching over my shoulders now - I'm not going to drop this - not until someone in the company gets a clue as to what we have to do in the real world, not just in a lab)

    We are short-staffed and in the U.S. economy, it's not getting better. IT is seen as a necessary evil, so management wants as few of us around as possible anyway. We have to support hundreds of computers at times with just 1 or 2 IT staff. We must automate and centralize management where we can, however we can, using whatever is available. We need an updated quarantine server, not to see it killed off.


  • 5.  RE: Sample Submissions

    Posted Aug 26, 2009 09:15 AM

    wow....thanks for the input.

    I take it you are using the quarantine server yourself? If so (and it works for you), is the only issue you have regarding support on it?
    I think I have the secure submissions check boxes unticked, but I'll double check.

    Cheers

    Mr Miyagi

    ...Wax On, Wax Off...



  • 6.  RE: Sample Submissions
    Best Answer

    Posted Aug 26, 2009 09:27 AM
    Yes, I use quarantine server. I started using it at my last job where I was AV administrator over 1,200 servers and 16,000 client computers around the world.
    It was nice to see at a glance what was being quarantined, how many, where they came from, and be able to collect, test, submit, etc. and have automation for rolling out new defs! If the q-server submitted something and it was analyzed and new defs built, it would get those defs and would propagate those new defs for that sample to all computers in the company.

    I guess I just don't get why they think it's not needed or not useful - why not fully support it? It still works once in a while.
    With a few updates, it would be one of the most useful av tools we own! Create defs for it - in fact, have it automatically use BETA defs! What better place to have them, or to try new defs out?


  • 7.  RE: Sample Submissions

    Posted Aug 26, 2009 10:26 AM
    It's very handy to have - I've not used it in a production environment before, but I'm in an environment now with a large number of machines (over 800) across a number of sites - I just wasn't sure that it was a) working and b) what to expect.
    At the moment (from what I can see in the avistrace.txt logs) it checks every hour for definitions, doesn't find any (or at least any to compare, as the definitions and submissions folders are empty) and then closes off. The quarantine area is empty also, but that's just because no viruses exist on the network at the moment. There were a number, as a couple of suspect machines were introduced; the client was rolled out and updated and immediately detected that they were riddled - there were over 300 samples in the Q. The support guy cleared it down as he thought that the submissions were choked and that was why nothing was being submitted. I'm just not sure, now that it's all cleared up and appears to be communicating, what I should be expecting?

    I think I need to introduce a virus or two and see what happens ... :-)) OK.. maybe not....

    Cheers

    Mr Miyagi

    ...Wax On, Wax Off...


  • 8.  RE: Sample Submissions

    Posted Oct 19, 2009 10:12 AM
    Unfortunately a lot of unwanted stuff has been quarantined on my PC. A reminder of these appears every time the PC is switched on, in which a list of quarantined files is displayed.

    I cannot delete from that reminder but have traced them to: C:\Documents and Settings\All Users\Application data\Symantec\Symantec Antivirus Corporate Edition\7.5\Quarantine

    Here there resides a list of various toxic items. Is it safe to simply delete these?

    Apologies if this has already been dealt with elsewhere.
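Before purging or submitting anything from a client quarantine folder like the one named in post 8, or matching what was restored from the q-server and submitted by hand as described in posts 4 and 6, it helps to have an inventory of what is actually sitting there. The script below is an added example for this thread, not Symantec tooling and not from any of the posters. It assumes the folder path from post 8 (override it with -QuarantinePath on other versions or 64-bit layouts) and that the machine has any version of Windows PowerShell; it reads only and changes nothing on disk, leaving any purge to the product's own quarantine view.

```powershell
# Added example (not Symantec tooling): inventory a client quarantine folder
# before deciding what to submit or purge. Reads only; deletes nothing.
param(
    # Default is the folder named in the thread; that it is also the folder
    # on the machine being checked is an assumption.
    [string]$QuarantinePath = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Antivirus Corporate Edition\7.5\Quarantine',
    [string]$ReportPath     = (Join-Path $env:TEMP 'quarantine-inventory.csv')
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET SHA256 works on every PowerShell version; Get-FileHash needs 4.0+.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function Get-QuarantineInventory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Quarantine folder not found: $Path"
    }
    # PSIsContainer filter instead of -File so this also runs on PowerShell 2.0
    # (the XP-era hosts that still have the Documents and Settings layout).
    Get-ChildItem -LiteralPath $Path -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        # The product wraps quarantined items in its own container (.vbn), so
        # this is the hash of the wrapper on disk, not of the original sample.
        # It is still enough to tell whether the set changed between two runs
        # and to spot identical items quarantined from several places.
        New-Object PSObject -Property @{
            Name      = $_.Name
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTime.ToString('s')
            AgeDays   = [int]((Get-Date) - $_.LastWriteTime).TotalDays
            Sha256    = Get-Sha256Hex -Path $_.FullName
        }
    }
}

$inventory = @(Get-QuarantineInventory -Path $QuarantinePath)
$inventory | Select-Object Name, SizeBytes, LastWrite, AgeDays, Sha256 |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# The summary an admin wants before acting: how many items, how big, and how
# many groups of identical wrappers (same hash) are present.
$total = ($inventory | Measure-Object -Property SizeBytes -Sum).Sum
$dupes = @($inventory | Group-Object -Property Sha256 | Where-Object { $_.Count -gt 1 })
'{0} quarantined item(s), {1:N0} bytes, {2} duplicate hash group(s); report: {3}' -f `
    $inventory.Count, [int64]$total, $dupes.Count, $ReportPath
```

Run it once before clearing the folder and keep the CSV with the case notes; a second run after the product's quarantine view has been emptied should report zero items, and the hash column lets you tell which files were new on a later visit rather than leftovers from the same outbreak.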