Endpoint Protection


Servers stopped communicating

  • 1.  Servers stopped communicating

    Posted Jun 15, 2010 01:17 PM
    Hey all.

    Had a weird and very disturbing issue Friday.
    9 of my servers stopped communicating with the network and would not start again till SEP was either uninstalled or disabled.

    I have over 5000 systems right now heading towards 15k, 200 being servers, have 5000 groups, and a headache.

    I have 5 Citrix servers that stopped communicating with the network at 7 pm on Friday, they are in a separate container
    I have 2 BES servers that also stopped communicating at the same time, different container.

    I thought it was because of Policy inheritance, but that is unchecked, and the policies are specifically assigned to a container.

    What logs would I be able to look at that tells me what happened?

    Thanks
    Dan


  • 2.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:21 PM

    Check if you have Network Threat Protection enabled on these clients.
    If so, please uninstall it; usually this component is not installed on servers.
    What's the version of SEP you are running?



  • 3.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:30 PM
    Hi there.

    It is enabled and has been for a while now (at least 3 months), I have specific exclusions for these systems in place, and this has not been an issue
    The management servers are 11.6a and the clients are 11.5

    Thanks
    Dan


  • 4.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:33 PM
    On your clients, open SEP.
    On the NTP, click on Logs. Do you see any logs with rules saying blocked? At the end you will find the rule name; if you find one, make the necessary exclusion in the firewall policy.


  • 5.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:34 PM
    BTW: I really wish Symantec had a default policy for the tech support.

    You are now the third person to tell me different on NTP on Servers.  I have had Symantec tell me to not put it on, put it on, now not put it on.  The one person so far to tell me to put it on was the Western Canadian support rep here in Calgary.

    I was under the impression that it should be on.

    thanks
    Dan


  • 6.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:43 PM
    Can see nothing in logs about anything being blocked.
    This has me really concerned as I have found nothing to indicate why this happened.


  • 7.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:46 PM
    Support has been back and forth regarding if network threat should be installed. Most of the reasons you have been told that it should not is because of people implementing the firewall without testing and expecting to not have down time in their production environment.

    Recommendations from Security Response state that your machine is more protected when running Network Threat Protection because of the use of IPS; even if you don't use the firewall to filter, it should still be there.

    I would call support and create a case to determine what can be done to troubleshoot the issue as I suspect it may take a custom version to troubleshoot.


  • 8.  RE: Servers stopped communicating

    Posted Jun 15, 2010 01:49 PM
    Can you open SEPM,
    Monitors > Logs > NTP; have any?


  • 9.  RE: Servers stopped communicating

    Posted Jun 15, 2010 02:10 PM

    Network Threat Protection contains a firewall which does have the potential to block needed communication. Removing NTP may be a good test as the cause of the issue; however, normally all features should be installed on all SEP clients, including servers, for the reasons specified in the following document.

    Title: 'Best practices regarding Intrusion Prevention System technology'
    Document ID: 2009080314433948
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009080314433948?Open&seg=ent

    If there is concern for the firewall portion of NTP blocking needed communication, a workaround is to withdraw the firewall policy as specified in the documentation.

    My question would be what changed in the environment relating to those servers.

    In the SEPM, monitors > logs, log type = system, log content = client activity, may show if any policy changes were applied.
    log type = Network Threat Protection, log content = traffic or packet may indicate what was being blocked.








  • 10.  RE: Servers stopped communicating

    Posted Jun 15, 2010 02:33 PM

    I recommend it to be on, but tested before deployed to the production environment since it could block critical server communications (though the default rules are better than they were with the RTM release).

    sandra


  • 11.  RE: Servers stopped communicating

    Posted Jun 15, 2010 03:03 PM
    Okay, so this doc is about IPS, not NTP.

    I already know how to disable NTP and in fact remove it.  But I just got off the phone with Tech and they told me explicitly that NTP is NOT to be used on servers.  Just AV.

    Case# 412-368-888

    Thank you
    Dan


  • 12.  RE: Servers stopped communicating

    Posted Jun 15, 2010 04:09 PM
    I will try to address this so we (Symantec) are all on one page. I have confirmed this with our team to be the case that we recommend all technologies be installed on every machine.




  • 13.  RE: Servers stopped communicating

    Posted Jun 15, 2010 04:30 PM
     
    Title: 'Best practices regarding Intrusion Prevention System technology'
    Document ID: 2009080314433948


  • 14.  RE: Servers stopped communicating

    Posted Jun 16, 2010 02:08 AM
    Have you made any policy changes recently, like adding a firewall policy or a group policy which is related to Windows Firewall? Or did you observe this problem after installing some OS patches?