Endpoint Protection


SEP 11.0.7200.1147 NTP blocks outgoing http traffic

  • 1.  SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 05, 2012 01:51 PM

    Hi there,

     

    A few weeks ago we installed the SEPM version 11.0 RU7 MP2 and updated roughly 100 Vista and Windows 7 (64-bit) clients. After a successful testing phase (no incidents recognized) we updated nearly 1000 clients (mostly Windows 7 64-bit) on a different management server, which was also updated to 11.0 RU7 MP2.

    Now, after a few weeks in production, we have only a few clients that have problems with the Symantec firewall (NTP). After a while the firewall module starts blocking http traffic; https is still working. Furthermore, the firewall blocks only public IP addresses via http; I can still reach private addresses (i.e. my router at home).

     

    Any ideas where I can start my investigation into this bug (?), or has anyone experienced the same issues?

    My second question: How can I downgrade these clients within the SEPM console?

     

    Kind regards

     

    mmrayy



  • 2.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Trusted Advisor
    Posted Jul 05, 2012 03:30 PM

    Hello,

    In your case, I would suggest you check the Traffic Logs on the SEP client machines first and identify whether this traffic is legitimate.

    Are these clients updated with the latest MS security patches, service packs, and the latest vendor patches (like Adobe, etc.)?

    IPS signatures do block such traffic when they are exploiting vulnerabilities.

    Hope that helps!!



  • 3.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 06, 2012 08:44 PM


  • 4.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 09, 2012 08:45 AM

    So, I'm not alone with this (https://www-secure.symantec.com/connect/forums/issues-portscan-detections). Do you know when exactly it started happening for you? Because we also had a testing group and it was fine for 2 weeks. So I upgraded all our PCs to 11.0.7200.1147 on 07.04 and internet connection loss issues started right after this. But maybe it was only a coincidence and it is actually some definition change since 07.04.



  • 5.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 10, 2012 03:48 AM

    .. of our SEPM to Version 11.0 RU7 MP2 and update of our clients. Before that everything was good. In our environment we have location-based policy profiles; when we leave one location where NTP is inactive and go to a location where the policy demands the NTP module, it prevents access to HTTP.

    I will upload some traffic logs by the end of this week, because I have no actual logs.

    @Mohan Babu: I have generated some debug.logs

    Attachment: debug.log__3.txt (255 KB)


  • 6.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 10, 2012 04:07 AM

    Can you give the date when you updated your SEPM and clients? I want to rule out the definitions bug probability (if it started to behave like this before July 4).



  • 7.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 10, 2012 08:58 AM

    Sorry, I have no clue when it started exactly, but it definitely started before the 4th of July.

     

    regards



  • 8.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 24, 2012 03:29 AM

    We tested the behavior with a completely empty firewall ruleset and without Intrusion Prevention, and the error still appears.

     

     



  • 9.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 24, 2012 04:01 AM

    I created a new group and disabled the firewall policy for it, then I moved all clients to this group and this fixed the issue for the time being. I'm now downgrading to an older version (yeah, 200+ manually downgrading..). Version 12 has issues with some software on our servers, so I can't do an upgrade on top either.



  • 10.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 24, 2012 04:25 AM

    Disabled the firewall or removed the complete ruleset?

    Same for IPS? Removed or disabled?

    Do you need to uninstall the "old" version before you can downgrade?

    Cheers

     

     



  • 11.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Jul 24, 2012 04:34 AM

    Disabled the firewall policy (you can enter the policy and uncheck it inside, then it becomes pale in the list). Can't say for sure for IPS, and I have already rebuilt the server. Probably you can do the same just to be sure. Personally I don't see much use of it :)

    Yes, you will have to uninstall the 11.0.7200 version, as 11.0.7101 won't install on top and will say that you already have a newer version. You will have to restart after the uninstall and then restart after the 11.0.7101 install (to enable the NTP module).



  • 12.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Oct 11, 2012 06:40 PM

    We're experiencing the same problem here with NTP and SEP 11.0.7200.1147: Internet traffic will stop, however internal traffic will work. I've seen users go for a few days, sometimes only a few hours, before the problem comes back.

    • All Windows 7 SP1 32 and 64 bit
    • Disabling NTP temporarily solves the problem
    • Rebooting Windows temporarily solves the problem
    • Restarting the SEP service does not help
    • The NTP Traffic logs have stopped logging traffic before the problem occurs, sometimes hours before it occurs.
    • Uninstalling, Cleanwiping, and re-installing the same SEP 11.0.7200.1147 does not help. 

    The only solution has been to uninstall, reboot, and downgrade to 11.0.7 MP1.  11.0.7 MP1 had been rock solid, so was 11.0.6 MP3 (which solved that nasty 64bit SMB 2.0 problem). 

    Luckily we're testing this and it's only deployed to 5 or so computers.

    Looks like a 12.x migration is my future sooner than later.  Once 12.1.2 is Windows 2012/Windows 8 ready, time to leave this and move up. 



  • 13.  RE: SEP 11.0.7200.1147 NTP blocks outgoing http traffic

    Posted Oct 12, 2012 03:31 AM

    We are in a testing phase of 12.1.x Beta2 and will prepare an update of our Symantec structure as soon as the RU2 is available.

    As I've heard from Symantec, they will release the final version by the end of October 2012.

    The Beta2 runs smoothly on our 2012 Servers and 8 Clients.

    So raise your glasses ... cheers