Endpoint Protection

I have a global exception for SpectorSoft, known risk "Spyware.Spector", and set to Ignore. Instead of ignoring this valid software that we use, SEP 11 MR 5 quarantines this as a Risk and we get 2 alerts: 1. Action taken on risk: Excluded        2. Action taken on risk: Details pending
You then go to the All User's Profile\application data\symantec\symantec endpoint protection\quarantine and find that SEP has quarantined the "risk"
This is all happening while I have performed the steps to create a Global exception set to "Ignore".
I have numerous tickets opened with Symantec Tech Support, but after 10 days the case is automatically closed and I have to open another ticket.
This seems like a convenient way of dodging the issue.
One 1 ticket I was told to follow steps to upgrade our Spector server as well as create some additional file/folder exceptions. I have followed all of the steps exactly.
Important to note: the Registry shows the Known Risk exception, set to "Ignore".
Someone please help. I have zipped up the quarantined files to Submit.Symantec and have heard mixed reviews as to weather a hash rule will be created to properly exclude this valid software. In addition to Exclude, it must also "Ignore". Make sense?
I have a feeling I will be spending a lot of time in these forums to express my confusion and dissatisfaction with having to create 4 tech support cases for 1 issue.
older versions of SEP would not behave this way and would properly Ignore the "risk" (11 MR2 and older)

Reeling,

Symantec Customer Since 2002

It sounds like the Anti-spyware feature is working as it should. If you are going to run a spyware product and
an Anti-spyware product together in the same environment, then i would expect issues.

Can you provide a ticket number and we can look into your case?

Thomas

Here is our current ticket number: 411-687-378

and here is one other ticket number where we spent a lot of troubleshooting, only to get nowhere: 411-306-216

(we have like 4 tickets historically regarding this case. The problem with this is your tech support will close the case after 10 days of no action on our part. Other fires come up that take precedence have left the 10 day window a little tight)

Our tech support engineer, "Sean P" is alluding to MR 4 MP2 as not being affected by this issue. Do we have to downgrade from MR 5 to MR 4 MP2?

I just read your case notes. I would hold off until the support person instructs you to do so.
RU 6 is coming out soon, hopefully this will not be an issue in the new version.

Best,
Thomas

ok - I will await my technician's response as he said he linked it to a defect case.

Sorry I have no clue over the support ticket numbers...Also this suggestion might have already come through from Support...But can u try excluding the risk from Monitors > Logs > Risk logs.

Thanks sri2384 - I did try that a number of times.

We are testing Spector and I don't believe we have had any of those same issues... (I haven't seen any detections and hadn't heard any complaints, anyway...)

I found 3 different "Known Risks" in the Excpetions policy that were associated with Spector and excluded all of them. (didn't exclude anything based on filename or path, just using Known Risks)

Not sure if this is helpful, but figured I would throw it out there...

Hello djfurther
Yeah - we did have the same exceptions you speak of
the problem with file/folder exceptions is that the software morph's the file name for the EXE's and DLL's. So it will change daily... They have a generator that gives it a random name such as miwrzxb.exe. But that changes in 24 hours...

Are you on 11.0.5002.333?
We jumped from 11 MR 2 to that version and then noticed the issue. We had no problems on previous versions of SEP. Something to do with 11.0.5002.333.

I am just trying to hit the forums hard as I have heard a loose timeline of 11 MR 6 being released within 30 days...

Does anyone know when 11. MR 6 SP1 comes out?
I am told that version will fix the Spector issue with SEP?
HELP!

The RU6 MP1 release date is unknown at this time.

Just though I'd update the forum:
Our Engineer on the case informed me that our Defect Case for this did not make it on the RU6 MP1 release, but definetely is on the RU6 MP2 release, which is in its very early stages.

Anyone else out there in the Symantec community waiting on this to be fixed?

Thanks everyone

Also, our defect case ID is 1978553

Thanks for the case update.

Thomas

Hoping MP2 comes sooner rather than later to get you all taken care of SEPhatesSPECTOR. Thanks again for your patience through all this. :)

Hi All,

Pls let me know the upgrade paths of Symantec Endpoint Protection 11.0 Release version wise. Because Now i need to upgrade SEP 11.0.2000 MR2 to latest release MR6 MP1. Hope i can't directly upgrade to MR6 MP1. Pls suggest me how to proceed.

Thanks in advance.

Prasad. Sripuram.

Tech Support Engg.

Mobile # +91 800 899 6665