Symantec Endpoint 12.1 Stopping inhouse program from running


  • 1.  Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 27, 2011 02:57 AM

    Hi all,

    So I have just upgraded IT to SEP version 12.1 with no issues......until the developers rocked up to work :(

    It looks like the issue is that when they run one of the in-house programs that they are creating, and when it talks to 2 databases, it errors (see screenshot).

    Now when they try another one of their programs that talks to one database it loads up perfectly fine.

     

    Any help would be muchly appreciated :)



  • 2.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 27, 2011 03:45 AM

    Did you check the Symantec client logs? Do they give you any info?

    Do you have the Network Threat Protection component installed? Check the logs for any blocked messages in the rule.



  • 3.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Broadcom Employee
    Posted Sep 27, 2011 03:59 AM

    Does disabling SEP allow it to communicate with both DBs without error?

    Is there any evidence in the application event viewer?



  • 4.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 27, 2011 04:39 AM

    I did check the Symantec client logs but with no success :(

    We do have the NTP component installed but there were no logs that were created. I was also watching the Network Activity graph when running the program and the 'blocked' line didn't move one bit.

    Yes, disabling SEP does allow the program to communicate between both DBs without error. Also just checked the application event viewer but nothing there either.

     

    Any more ideas?



  • 5.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Broadcom Employee
    Posted Sep 27, 2011 05:54 AM

    It may be a good thing to open a ticket with Symantec while also seeking a response on the forum.



  • 6.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 27, 2011 01:08 PM

    It is possible it may be an application and device control issue. In your exception policy on the SEPM check the following.

    1. Click exceptions

    2. Click add->windows exceptions->application

    3. If you see the in house program here highlight it then change action to ignore and click ok. Then click ok again to save policy.

    4. If you don't see this program in the list in step 3 click add an application to monitor and add this program to the list. After the client gets the policy try running the program again a few times then go back to step 3 and see if the program shows in the application list.



  • 7.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 27, 2011 01:29 PM
    Try Disabling Tamper Protection.


  • 8.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 27, 2011 11:00 PM

    Yeah, I think I'm going to have to open up a job for it.

    I looked in the exceptions but the program isn't in the list. I also tried to add the application for monitoring but nothing has come up since adding it.

    I just finished running through these processes in order:

    Uninstalling Application and Device Control then restarting - no luck

    Uninstalling SONAR then restarting  - no luck

    Uninstalling Proactive Threat Protection then restarting - no luck

    Uninstalling Intrusion prevention then restarting - no luck

    Uninstalling Firewall then restarting - no luck

    Uninstalling Network Threat Protection then restarting - no luck

    Uninstalling Virus, Spyware, and Basic download protection then restarting - LUCK

     

    After the program was then able to run I started to slowly re-install the parts to SEP that I had uninstalled and restarting after each install. Now the program worked all the way up to the Firewall feature. As soon as that was installed it stopped working. So then what I did was uninstall the Firewall again just by itself and restarting but still no luck. So it has been kind of messing with my head a little.

    Thoughts?



  • 9.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 28, 2011 11:54 AM

    Have you tried Disabling Tamper Protection ?

     

    To test it:

    Go to devmgmt.msc

    View -> Show Hidden Devices -> Non-Plug and Play devices

    Select SPBBCDrv, right-click and uninstall, then reboot the machine and check if everything is working fine.



  • 10.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 28, 2011 01:18 PM

    I too Mark am having problems with SEP 12.1 on a server and software running against a DB. Only way I too can resolve it is to disable SEP totally so it can be used....so I am eager to see the results please keep posting. 

    BTW, I don't have SPBBCDrv listed at all under devmgmt after showing hidden devices and looking at Non-Plug and Play, not sure about you Mark....



  • 11.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 28, 2011 01:41 PM

    Have you tried disabling Tamper Protection from SEPM or from Client?



  • 12.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 28, 2011 01:54 PM

    Not to take away from Mark and his thread here, but I am pretty sure I have with no effect...the only thing that really seems to work is disabling the AV totally. Worked fine in 11.x which makes it odd. They only run it every week so I will continue to test with the above suggestions and report back.

     

    Sorry to derail the thread a bit Mark, all yours and I'll be reporting back. Hope we can find a solution!



  • 13.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 28, 2011 06:00 PM

    If using Network Threat Protection on servers, you must enable a firewall rule to "allow all applications" as the topmost rule in your server group firewall policy.



  • 14.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 28, 2011 10:59 PM

    I'm with KarbonKopy here: the only way I could get it to work was disabling the AV totally, and also it worked fine with 11.x.

    @Geodyte, I'm not using any firewall policies on any of our servers.

    @Vikram Kumar, didn't try disabling Tamper Protection as I got around to another solution.

     

    I have got to a solution; hopefully Karbon can use it as well.

    The other day I added the .exe that was giving me grief to be monitored in the 'Application to Monitor' list within the exception policies. Coming in the next day I tried running the .exe again and SEP came up with a notification telling me that it had detected a virus and logged it. Because it was logged I was then able to go in and create an Exception policy and add this program to that policy with an action of 'Ignore'.

    After applying this policy to my test container I was then able to run the .exe with no issues.

     

    To wrap up, the solution is to create an exception policy and to make sure that you select your application that has been defined a 'File Fingerprint' and set the action to 'Ignore'.

     

    Any questions, please don't hesitate to ask.



  • 15.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 29, 2011 01:32 PM

    Interesting Mark. My issue is that I don't get any warnings or popups or logs saying what file is the issue....it just won't work unless the AV is disabled. I've dug everywhere I can think of to try and track it down without success yet. I am going to try your post a few up talking about uninstalling the parts of SEP then reinstalling just the basic ones and see what happens...



  • 16.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running
    Best Answer

    Posted Sep 29, 2011 08:37 PM

    Karbon, what you need to do is find the .exe name that is trying to be run and then put it into the 'Application Monitor' under an exception policy. Like it says, you will need to give it a few hours to make it work, but also make sure the exception policy is applied to the group that has the computers in it that are trying to run the program, and it should be set to logging.

    After not sure how long, when you try to run the program you will then get an Antivirus message saying that the program has been detected and under action it has been 'logged'. Once you have seen that it has been logged, go into that same exception policy and try to add an 'application'; there should be a list of applications that have been logged over however long you have had SEP installed. Find your .exe that is causing you issues (there might be a few instances of that one .exe) and then add it (all of them) into the policy with the action set to ignore.

    Hopefully that should sort out your issue.



  • 17.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Sep 29, 2011 09:58 PM

    I recommend adding an exception for this application into both AV and Application Control.  To do this you will need to create a "file" exception and an "Application Control" exception:

    1. Edit the Exceptions policy

    2. Click Exceptions

    3. Click Add->Windows Exceptions->Folder

    4. Type in the full path and name of the application that is having this issue and click OK.

    5. Click Add->Windows Exceptions->Application Control

    6. Type in the full path and name of the application that is having this issue and click OK.

    Note: you may also want to try a folder exception to exclude the whole folder where this application is in.  In some cases you will also need to exclude the folder where the data files are stored, which is under the %ProgramData% folder.  However, this may open a security concern.
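
The security concern with a folder exception is that any file written into the excluded folder goes unscanned, so the folder should not be writable by ordinary users. The following is an added example, not part of the original post or of Symantec's tooling: a PowerShell check of the folder's ACL before it is added to the Exceptions policy. The path `C:\InHouseApp` and the list of groups checked are assumptions.

```powershell
# Added example: check whether a folder proposed for an AV exclusion is
# writable by broad, non-administrative groups.
param(
    # Hypothetical path; replace with the folder you plan to exclude.
    [string]$ExcludedFolder = 'C:\InHouseApp'
)

# Well-known SIDs of broad groups (locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow dropping or replacing files, plus the raw GENERIC_WRITE
# and GENERIC_ALL bits that can appear on inherit-only ACEs.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

# Read the ACL with identities returned as SIDs (explicit and inherited rules).
$acl   = Get-Acl -LiteralPath $ExcludedFolder
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    if ($rule.AccessControlType -eq 'Allow' -and
        $broadSids.ContainsKey($sid) -and
        ([int]$rule.FileSystemRights -band $writeBits)) {
        [pscustomobject]@{
            Principal = $broadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "$ExcludedFolder is writable by non-admin groups; files placed there would go unscanned."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "$ExcludedFolder has no write access for the broad groups checked."
}
```

If the check reports findings, prefer the single-file or file-fingerprint exception described earlier in the thread, or tighten the folder's permissions before excluding it.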



  • 18.  RE: Symantec Endpoint 12.1 Stopping inhouse program from running

    Posted Oct 05, 2011 11:34 AM

    Well, it seems to run this time. What I did was follow Mark's info above talking about removing all but the core files...then adding them back in one by one. As my main interest is AV protection..I don't really need the other modules much on these machines. I re-added the basic AV protection to the server and rebooted...and the other day the program ran without incident. I will continue to play with it, but wanted to post back and update you all. Thanks!

     

    I will be trying your above suggestions as well with more modules added back in :)