Endpoint SWAT: Protect the Endpoint Community

  • 1.  IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:23 AM

    Does anyone know of a way to uniquely identify SEP clients using only the communication information when a client pulls updates and not through the SEPM?

    We need to verify from which client it pulls updates from the communication information (e.g. Wireshark?) to set network reporting.




  • 2.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:26 AM

    Yep, you can use Wireshark. An example is here:

    https://www-secure.symantec.com/connect/articles/using-wireshark-detect-fullzip-downloads-sep-client-machines

    Just install it on the SEPM and look for traffic over 8014.



  • 3.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:28 AM

    OK, but is there a unique identifier that points to the client to get its update from a specific location?



  • 4.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:34 AM


  • 5.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:34 AM

    Perhaps, but I never went through the packet detail in depth. You can start there.



  • 6.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates
    Best Answer

    Posted Oct 06, 2014 06:40 AM

    It does



  • 7.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:44 AM

    If you're playing with Wireshark, then you should be able to use the MAC address filter:

    https://www.wireshark.org/docs/dfref/e/eth.html

    What are you trying to find exactly? This is not going to show you everything through a routed network.

    Not to mention, all clients are going to be communicating with the SEPM over 8014 (default) anyway, so there's no way from networking information alone that you're going to be able to tell whether it's doing a normal heartbeat or grabbing defs.

    I'd suggest you look in the SEPM logs instead for this sort of information. I've found the below logs handy:

    Log Type: System

    Log Content : Client Activity

    Event Source: SYLINK

    These logs will tell you which client is downloading defs, and where from, as per the below example:

    06-10-2014 10:36:57 Content Update Server SYLINK Default Downloaded new content update from the management server successfully. Remote file path: http://TEST_SEPM:8014/content/TempCache/{07B590B3-9282-482f-BBAA-6D515D385869}/141001023/xdelta141001023_To_141005001.dax Site TEST TEST_CLIENT Informational 

    In the place of TEST_SEPM, I've also got entries that state a GUP instead...
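    To turn SYLINK "Client Activity" entries of the form quoted above into a per-source report (which clients pulled content from the SEPM versus a GUP, and whether each pull was an xdelta or a full.zip), here is an added Python example; it is not code from the original thread or from Symantec. The sample log lines, the GUP hostname and port, and the set of hostnames treated as known SEPMs are constructed assumptions, and the parser assumes site and client names contain no spaces.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample lines in the layout of the SYLINK "Client Activity"
# entry quoted in the post above. The GUP hostname/port and the BRANCH_PC*
# client names are made up; the content GUID and sequence numbers are
# reused from the post's own example line.
SAMPLE_LOG = """\
06-10-2014 10:36:57 Content Update Server SYLINK Default Downloaded new content update from the management server successfully. Remote file path: http://TEST_SEPM:8014/content/TempCache/{07B590B3-9282-482f-BBAA-6D515D385869}/141001023/xdelta141001023_To_141005001.dax Site TEST TEST_CLIENT Informational
06-10-2014 10:37:12 Content Update Server SYLINK Default Downloaded new content update from the management server successfully. Remote file path: http://TEST_GUP01:2967/content/TempCache/{07B590B3-9282-482f-BBAA-6D515D385869}/141005001/full.zip Site TEST BRANCH_PC01 Informational
06-10-2014 10:37:40 Content Update Server SYLINK Default Downloaded new content update from the management server successfully. Remote file path: http://TEST_GUP01:2967/content/TempCache/{07B590B3-9282-482f-BBAA-6D515D385869}/141001023/xdelta141001023_To_141005001.dax Site TEST BRANCH_PC02 Informational
"""

# Assumption: the trailing fields are "Site <site> <client> <severity>" and
# neither the site nor the client name contains whitespace.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) .*?"
    r"Remote file path: (?P<url>\S+) "
    r"Site (?P<site>\S+) (?P<client>\S+) (?P<severity>\S+)\s*$"
)
DELTA_RE = re.compile(r"xdelta(\d+)_To_(\d+)\.dax$")


def parse_line(line):
    """Return a dict describing one content download, or None if the line
    is not a SYLINK download entry in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    # Keep the hostname's original case (url.hostname would lowercase it).
    source_host = url.netloc.split(":")[0]
    filename = url.path.rsplit("/", 1)[-1]
    delta = DELTA_RE.match(filename)
    if delta:
        kind = "delta"
    elif filename == "full.zip":
        kind = "full"
    else:
        kind = "other"
    return {
        "timestamp": m["ts"],
        "site": m["site"],
        "client": m["client"],
        "source_host": source_host,
        "source_port": url.port,
        "kind": kind,
        "from_seq": delta.group(1) if delta else None,
        "to_seq": delta.group(2) if delta else None,
    }


def summarize(log_text, sepm_hosts):
    """Parse every line and group the downloads by the host that served
    them. A source host that is not in sepm_hosts is reported as a GUP."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_source = defaultdict(list)
    for rec in records:
        by_source[rec["source_host"]].append(rec)
    report = {}
    for host, recs in by_source.items():
        report[host] = {
            "role": "SEPM" if host in sepm_hosts else "GUP (not a known SEPM)",
            "clients": sorted({r["client"] for r in recs}),
            "downloads": Counter(r["kind"] for r in recs),
        }
    return records, report


if __name__ == "__main__":
    # TEST_SEPM is the only host we treat as a management server here.
    _, report = summarize(SAMPLE_LOG, {"TEST_SEPM"})
    for host, info in report.items():
        print(f"{host} [{info['role']}]: clients={info['clients']} "
              f"downloads={dict(info['downloads'])}")
```

    Run against an export of the System / Client Activity log, this gives the same "who pulled what from where" view the post describes, without any packet capture; a client that keeps pulling full.zip from the SEPM rather than a delta from its GUP shows up immediately in the per-host counters.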



  • 8.  RE: IS there a way to uniquely identify SEP clients using only the communication information when a client pulls updates

    Posted Oct 06, 2014 06:13 PM

    Agree 100% with SMLatCST and the SEPM logs. Why reinvent the wheel with something that the SEPM provides natively, without any extras (Wireshark)? As again expressed by SMLatCST, his response is the answer and solution here. Export your query, sort it via Excel and present it to management, with such data again natively collected by the SEPM from the SEP endpoints.