Endpoint Protection


SEPM - Multiple Issues

  • 1.  SEPM - Multiple Issues

    Posted Jun 04, 2010 12:57 PM

    Hello... First-time poster, long-time troller.

    I have done a fresh install of 11.0.6005.562. I have installed the Management on a server. I have created custom client installs which have been successfully deployed to clients. I have set the client policies for communications settings to pull @ heart beat 5 minutes.

    Here is where the questions come into play:

    I have configured the server to monitor and send out E-mail notifications. Currently, E-mails take 7+ minutes to be sent from the server to administration E-mail accounts. I have seen them take up to 30 minutes sometimes. What is the deal with this? Is it because of the heart beat? That still does not explain the extra 2+ minutes. Can someone please break this down so I can resolve this issue ASAP? (Symantec 8.X never had this delay issue.) I also just noticed that one computer had about 7 different infected files... and all I got were 2 E-mails. All the files were quarantined... so why were only 2 E-mails sent, and how do I allow it to send one E-mail per infected file?

    The delayed E-mails I see in my inbox are something like this:

    ------------------------------
    Message from:

    Server name: servernamehere

    Server IP: serveriphere

    At least one security risk found:

    Risk name: riskname

    File path: c:\WINDOWS...

    Event time: ... GMT

    Database insert time: .... GMT

    User: usernamehere

    Computer: computernamehere

    IP Address: ipaddresshere

    Domain: Default

    Server: servernamehere

    Client Group: Groupnamehere

    Action taken on risk: whateverwasset

    -----------------------------------

    I want to customize the E-mails, but the Symantec reps keep telling me it is not possible. For example... I only want something basic that does not show database insertion time, server name, or server IP address. It says that this notification would be triggered by any kind of scan... but it does not show the scan type in the E-mail notification, which is something I would like to be able to turn on or off. If there is some way to modify what is sent out in the E-mail notification, please tell me how to do it.

    Is it only Quarantined Items that trigger notification? For example, I have "new risk detected" and "single risk event" event triggers set up. Previously I had a policy where items would be attempted to be cleaned or otherwise deleted. Those items only showed up on the server. Only items that were quarantined would trigger a notification to be sent out. So what officially triggers E-mail alerts?



  • 2.  RE: SEPM - Multiple Issues

    Posted Jun 04, 2010 02:55 PM
    Email alerts have a damper on them. Once an email is triggered, a second one won't show up until the damper time has expired. There is no way to remove the damper period... sorry.

    There is no way to modify what is included in the email notifications... sorry.

    Email notifications are meant to be a notification, not a full risk report. The email tells you something is happening... then you're expected to go to the SEPM to get all the details.


    "New Risk Detected" will only send one email per threat, regardless of how many instances of that threat were found. The second time it's detected, it's no longer a new threat, since we've seen it before.

    "Single Risk Event" will only apply when a threat is detected once or twice. After it gets detected a 3rd time, it becomes an "Outbreak".
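    As an added illustration (not SEPM's code and not from this thread's authors), the following Python models the rules stated in the reply above: one "New Risk Detected" e-mail per risk name, "Single Risk Event" only for the first two detections, "Outbreak" from the third, and a damper that suppresses a repeat e-mail for the same condition until the period expires. The damper length, the assumption that the damper is tracked per notification condition, and the sample detections are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Simplified model of the notification rules described in the reply.
# It is NOT SEPM's code: the damper length, the per-condition damper and the
# exact counting are assumptions made for illustration only.

@dataclass
class Detection:
    time: datetime
    computer: str
    risk: str
    path: str

@dataclass
class NotificationModel:
    configured: set              # notification conditions the admin enabled
    damper: timedelta            # assumed damper period, tracked per condition
    last_sent: dict = field(default_factory=dict)
    seen_risks: set = field(default_factory=set)
    risk_counts: dict = field(default_factory=dict)

    def _send(self, condition, det, emails):
        """Queue an e-mail unless the condition is unconfigured or dampered."""
        if condition not in self.configured:
            return
        last = self.last_sent.get(condition)
        if last is not None and det.time - last < self.damper:
            return                  # dampered: suppressed until the period expires
        self.last_sent[condition] = det.time
        emails.append((condition, det.risk, det.computer, det.path))

    def process(self, det, emails):
        # "New Risk Detected": fires on the first sighting of a risk name only.
        if det.risk not in self.seen_risks:
            self.seen_risks.add(det.risk)
            self._send("New Risk Detected", det, emails)
        # "Single Risk Event": 1st and 2nd detection; from the 3rd it is an "Outbreak".
        n = self.risk_counts.get(det.risk, 0) + 1
        self.risk_counts[det.risk] = n
        self._send("Single Risk Event" if n <= 2 else "Outbreak", det, emails)

def simulate(detections, configured, damper_minutes):
    """Return the e-mails the model would send for a time-ordered detection list."""
    model = NotificationModel(set(configured), timedelta(minutes=damper_minutes))
    emails = []
    for det in sorted(detections, key=lambda d: d.time):
        model.process(det, emails)
    return emails

# Constructed sample: seven infected files of one risk on one machine within six minutes.
T0 = datetime(2010, 6, 4, 12, 0)
SAMPLE = [Detection(T0 + timedelta(minutes=i), "PC-01", "Trojan.Gen",
                    rf"c:\WINDOWS\temp\file{i}.exe") for i in range(7)]

if __name__ == "__main__":
    for e in simulate(SAMPLE, ["New Risk Detected", "Single Risk Event"], 60):
        print(e)   # two e-mails, matching the "7 files, 2 E-mails" observation
```

    With only the two conditions the original poster enabled, the seven detections yield exactly two e-mails; enabling an "Outbreak" condition in the model adds a third.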


  • 3.  RE: SEPM - Multiple Issues

    Posted Jun 07, 2010 10:39 AM

    Issue 1:
    Can you please address the extremely delayed E-mail notifications from the server issue. 8.x did not have this issue. All the descriptive info regarding server config is in my first post above.

    Can you please define the damper used by Symantec in greater detail. E-mails will be dampered if they are concerning the same virus... emails will be dampered if the same file is found repeatedly... or emails will be dampered if the same computername comes up with one or more viruses during a scan... the IF statements are what I am looking to understand specifically.

    Issue 2:
    Is it only Quarantined Items that trigger notification? For example, I have "new risk detected" and "single risk event" event triggers set up. Previously I had a policy where items would be attempted to be cleaned or otherwise deleted. Those items only showed up on the server. Only items that were quarantined would trigger a notification to be sent out. So what officially triggers E-mail alerts?

    Issue 3:
    The deployment program that comes with this 11.0.6005.562 has a function called something to the tune of 'Find unmanaged computers.' You can search for unmanaged clients a variety of different ways using this tool, but managed computers still show up in the query. I.e., you can see which version of Symantec is installed on each machine in the queried list. If the program is designed to 'find unmanaged computers', why do managed ones show up in this query?




    -------------------------------

    I had the damper question answered in another thread created by another moderator after I mistakenly created an article/moderated removal/moderated thread created with my username. It can be found here: https://www-secure.symantec.com/connect/forums/sepm-questions-1106-and-delayed-emails Not wanting to create a double thread, I included the damper settings description here.

    Nirav Mistry

     
    1 day 11 hours ago

    Damper Settings.

    Hello,

    The damper setting is configured while you set up email notification; it is responsible for setting up the time to send the email notification to the specified email address.

    If you set the email notification to Auto, in that case there are chances that the email notification will be sent out in some time frame which is hard coded in the program.

    The reason why it is set up in that way is because, during risk outbreak the endpoint manager should not send out multiple queries at the same time to the database to pull the information of the new risk found on the network.

    Regarding the other two questions which you have posted:
    1. The customization of the email is not possible. It is system generated and it depends on the type of the email notification you select.

    2. The email notification will be triggered from the endpoint protection manager, hence even if the risk is quarantined or cleaned or no action is taken, the client will send that information to the manager, which will generate the email notification.

    Thank you.

    Nirav Mistry



  • 4.  RE: SEPM - Multiple Issues

    Posted Jun 07, 2010 11:07 AM
    BUMP! Still need solid advice on Issues 1, 2 & 3.

    In regards to issue 1... I am still experiencing a huge delay from server detection of the client with the virus being quarantined to having a notification E-mail sent out. What can I tweak to remove this delayed E-mail notification? The server settings are described in my first post.


    Issue 4:

    Centralized Exceptions. I have a file that could be located anywhere on a user's hard drive, meaning it is not in a static location. How do I set up a centralized exception to ignore a filename regardless of where it is located? Where it says file... it expects me to 'include full path'. How do I make it so this filename is removed from the scan regardless of where it is located?

    As well, when a client receives a policy update about centralized exceptions, from my understanding they do not force a reboot? Can someone list the policy updates that would force a reboot. I have seen a policy update force a reboot, but I did not log which changes I made to incur it. You can understand that having production computers randomly reboot would be a major issue, so I would like some clarification.

    Issue 5:

    Symantec 8.1 server allowed the administrator to view client virus detection history from the administration console, but only when the client was online and talking to the server. How can I view a client's history from the server console on 11.0.6x? For example, I would like to be able to view the Scan logs, Risk logs, and System logs all from the server.  I can view all sorts of client computer specs but I do not see where to view client histories etc.. I'm going to look through the administration manual, but if anyone already knows a page number or can offer some kind of advice, excellent.


  • 5.  RE: SEPM - Multiple Issues

    Posted Jun 07, 2010 11:12 AM


    Title: 'About the different types of Symantec Endpoint Protection Manager Reports'
    Document ID: 2009081409151448
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009081409151448?Open&seg=ent

    Title: 'How to create a Scheduled Report in Symantec Endpoint Protection Manager ?'
    Document ID: 2009101503441148
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009101503441148?Open&seg=ent




  • 6.  RE: SEPM - Multiple Issues

    Posted Jun 07, 2010 05:29 PM
    Please, if you are going to respond, state the Issue # you are responding about. I do not see how 'reports' tie into any of the 5 issues I have posted.

    For example:

    #2 - solution with detailed explanation and possibly a link after a detailed explanation.

    #4 - solution with detailed explanation and possibly a link after a detailed explanation.


    Thanks! Your help is much appreciated.


  • 7.  RE: SEPM - Multiple Issues

    Posted Jun 07, 2010 05:38 PM

    Issue 4:
    Centralized exception works only for File/Folder if the complete path is given, or for extensions. Just a file name will not work.
    For that you can create Local Exclusions ( User-Defined Exclusions ) from the Clients. Each client will have to create exclusions for such files locally.

    Only Application and Device Control policy when it is applied for the first time requires a reboot to get activated.

    Issue 5:
    You can view the log of an individual client from SEPM - Monitor - Logs - Advanced - Enter the Client Name.



  • 8.  RE: SEPM - Multiple Issues

    Posted Jun 08, 2010 03:26 PM
    Thanks for the response Vikram. Sounds like I will need to turn on a centralized exception on a particular security threat type and have it log only. My only concern is when a true threat comes through and I created an exception for it :|

    Can someone please assist me with issues 1-3.
     
    Thanks!


  • 9.  RE: SEPM - Multiple Issues

    Posted Jun 08, 2010 05:45 PM
    Okay. Still looking for issue resolves for issues 1-3.

    I have a new issue and I'll call it issue # 6

    Issue #6:

    I have cookies set to be automatically deleted (which is a default setting). Commercial Apps (TruScan), I have set to LOG ONLY (not a default setting).

    So the user has no valid choices on how to handle the detections between these two filetypes that show up. Yet the client sees a popup window saying "Auto-Protect has acted on the risks." in a window called "Symantec Antivirus Detection Results"  The user has no choice on these two detections, yet they are confronted with a window where they have to click close? Where is the logic in presenting the user with this window? How do I disable this window from showing up every time a cookie is deleted or a Commercial App is detected while set to Log Only?


  • 10.  RE: SEPM - Multiple Issues

    Posted Jun 08, 2010 09:27 PM

    You can disable notification dialogs on clients by changing notification settings on SEPM.

    Policies->Antivirus & Antispyware -> Appropriate AV & AS policy -> Select appropriate option from left side such as "File-System Auto-protect", etc. -> Select Notification tab from right side

    and you can disable whichever kind of notifications you would like to disable on clients.
    Make sure to lock the feature if you would like that clients can not change these settings.


  • 11.  RE: SEPM - Multiple Issues

    Posted Jun 09, 2010 12:46 PM
    Thank-you. Makes sense that it would be part of a policy setting.

    Help with Issues 1, 2, and 3 would be splendid!

    Issue #7

    I have users utilizing a program called TFTPD32.exe which is a tftp program. What happens is users are now having this program detected as Trojan.Gen because it has the following characteristic: Opens different port and connects to remote location. (http://www.spywareguide.com/product_show.php?id=3504)

    Now I know that this program is trusted. I do not want Symantec to pick it up. The program, when you download it from the internet, does not require an installation, so users can place it anywhere on their computer and still run it regardless of the location of the executable file. I have examined the centralized exceptions, and from my understanding, it does not allow me to ignore a file just by its name... it requires knowledge of the exact static location of the file... for example C:\tftpd32.exe. But if I create that exception and the user puts the executable in C:\downloads\tftpd32.exe, it will still be picked up by the scanner.

    If I were to create a centralized exception for a specific threat called Trojan.gen, I could potentially be allowing any program that exhibits the functioning characteristics of: Opens different port and connects to remote location..... to potentially run on any client.

    So how do I allow people to run tftpd32.exe regardless of the location of the executable while still letting any other file picked up as Trojan.gen be quarantined? What is my solution?


  • 12.  RE: SEPM - Multiple Issues

    Posted Jun 09, 2010 02:17 PM
    Hi Puzzled,

    For issue 7, a couple of options considering users are allowed to install it to the location of their choice:

    - Have the end users create a local centralized exception in the SEP client after installing the program (allowing portable programs to run from a usb would need to be a security policy discussion as this is a pretty big security risk)
    - Only authorize installation of the program to one location (e.g. %Program Files%) to be able to create a Centralized Exception in SEPM.  If the end user installs the program to any other location, they're out of luck.

    It comes down to a "limitation" of how Centralized Exceptions work, the whole idea is to allow a known file in a known location.  Application and Device control is better suited to allowing a program installed to random locations access.  This article explains how A&D works.  It may be more of what you're looking for.  Note: A&D require the Network Threat Protection component of SEP to be available.


  • 13.  RE: SEPM - Multiple Issues

    Posted Jun 10, 2010 03:52 PM
    Thank-you for your response to Issue #7. I was just "hoping" there would be a way to do what is not possible. I assume it has to do with extra processing power avoiding a filename during a scan. A design engineer's explanation of why it is not possible would be excellent.
     
    Issues 1-3, still need assistance.


  • 14.  RE: SEPM - Multiple Issues

    Posted Jun 10, 2010 03:57 PM
    Issue #3
    Managed clients (those actively communicating with a SEPM) shouldn't be appearing in the Find Unmanaged Computers results.  If there are machines running SEP that are 'orphaned' they will show in this list.  


  • 15.  RE: SEPM - Multiple Issues

    Posted Jun 15, 2010 12:29 PM

    Server Config Details:
    I have done a fresh install of 11.0.6005.562. I have installed the Management on a server. I have created custom client installs which have been successfully deployed to clients. I have set the client policies for communications settings to pull @ heart beat 5 minutes.
     
    Issue 1:
    My server takes about 10+ minutes to send out E-mail notifications from the time the client receives an infection/quarantine. Sometimes, notification takes 30 minutes, even though the server can see it on the 'home' screen much sooner. What can I modify to stop this massive delay?

    Issue 2:
    Is it only Quarantined Items that trigger notification? For example, I have "new risk detected" and "single risk event" event triggers set up. Previously I had a policy where items would be attempted to be cleaned or otherwise deleted. Those items only showed up on the server. Only items that were quarantined would trigger a notification to be sent out. So what officially triggers E-mail alerts?

    Issue 8:
    Computers that I exported the installer for with the custom group policies preset... These computers show up in the unmanaged clients when using the Symantec-provided tool Search for unmanaged clients. However, the computers that had the package deployed with the Search for unmanaged clients deployment tool do not show up in this search list. Why does one method of deployment (running a .exe file on the client) versus the other (using the Search for unmanaged clients utility and deploying with this utility) treat clients differently when searching for unmanaged clients after the package has been successfully deployed?



  • 16.  RE: SEPM - Multiple Issues

    Posted Jun 15, 2010 07:10 PM
    Please rephrase the issue and be more clear about what tools you're comparing...
    "Find Unmanaged Computers" is the tool that's built into the SEPM. It scans all the computers (in the range you specify) and filters out the ones that it already has as managed computers. So once a computer has the client and is registered with the SEPM, it should no longer be found* by Find Unmanaged Computers.

    The other common push tool is the "Migration and Deployment Wizard". You also seem to be referring to a "Local Install", which is simply running the setup.exe file directly from the machine where you want to install the client.

    *Note: Technically, it is still found; it just doesn't get listed as a possible candidate for deployment, because it sees that it already has SEP installed and it's already being managed by the SEPM.