Endpoint Protection

  • 1.  Track Firewall Disabled or SEP un-installed

    Posted Oct 10, 2014 05:12 PM

    Is there any specific way to determine the following:

    1. Alert when Firewall component is disabled by a user in SEP client?

    2. Alert when SEP client is un-installed either from control panel or through cleanwipe. Uninstallation of applications can be tracked through windows logs. However, I wanted to know if SEP client could generate a log and send to SEPM when client is to be un-installed.

    Thanks in Advance!!!

    PS: I have enabled client password protection to start/stop services, un-install clients. Also, admin users also cannot disable SEPM with my policy. Cleanwipe does not prompt for password to remove the SEP client.



  • 2.  RE: Track Firewall Disabled or SEP un-installed

    Posted Oct 10, 2014 05:15 PM
    Neither is possible :( The SEPM console will show which components are disabled, but there is no possibility to send alerts. The Windows event logs may show that software was uninstalled.


  • 3.  RE: Track Firewall Disabled or SEP un-installed

    Broadcom Employee
    Posted Oct 11, 2014 04:48 AM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    1. Alert when Firewall component is disabled by a user in SEP client?

    --> No specific alert can be triggered; however, the console will reflect the status correctly.

    2. Alert when SEP client is un-installed either from control panel or through cleanwipe. Uninstallation of applications can be tracked through windows logs. However, I wanted to know if SEP client could generate a log and send to SEPM when client is to be un-installed.

    --> At this point it's not possible. We do suggest the same thing, i.e., set the password to uninstall the SEP client.

     



  • 4.  RE: Track Firewall Disabled or SEP un-installed

    Posted Oct 14, 2014 11:42 AM

    Hi Chetan,

    Thanks for your response. 

    At this point, 

    1. I have disabled the option for even administrators to disable the NTP component. This prevents us from disabling the firewall component. However, customer has a requirement to generate an automatic alert when it is disabled. I wanted to explore other possibilities. Does SEP forward the computer status information when we configure external logging? 

    2. Yes, I have the client password protection enabled and it does not prevent me from un-installing when running a cleanwipe with admin rights. Can we do anything to prevent this?

     

    Thanks in Advance!!

     



  • 5.  RE: Track Firewall Disabled or SEP un-installed

    Posted Oct 14, 2014 11:43 AM

    Thanks for the response Brian. Yes, my last option is to trust the windows event logs.
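
The Windows event log fallback discussed in this thread, as an added example that is not part of any post and is not Symantec's code: a PowerShell script that pulls Windows Installer removal events for the SEP client from the Application log of one or more machines. Assumptions: the product name in the event text contains "Symantec Endpoint Protection", the removal is recorded by the MsiInstaller provider as event 1034 or 11724, and the parameter names are hypothetical. The thread does not say whether Cleanwipe writes these events.

```powershell
# Added example (not from the thread): find MSI removal events for the SEP client.
# Assumptions: MsiInstaller event IDs 1034 (product removed) and 11724 (removal
# completed); product name pattern below; parameter names are hypothetical.
param(
    [string[]]$ComputerName   = @($env:COMPUTERNAME),
    [string]  $ProductPattern = 'Symantec Endpoint Protection',
    [int]     $LookbackHours  = 24
)

# Server-side filter: only MsiInstaller removal events inside the time window.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1034, 11724
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

$findings = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match [regex]::Escape($ProductPattern) } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Time     = $_.TimeCreated
                    EventId  = $_.Id
                    UserSid  = $_.UserId   # account that ran the uninstall
                    Summary  = ($_.Message -split "`r?`n")[0]
                }
            }
    }
    catch {
        # An empty result is reported as an error; only warn on real failures
        # (host unreachable, access denied, log unavailable).
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# Emit objects so the caller can mail them, export to CSV, or forward to a SIEM.
$findings | Sort-Object Time
```

A host that fails the query is itself worth reviewing, since a removed client and an unreachable machine look the same from the SEPM console.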



  • 6.  RE: Track Firewall Disabled or SEP un-installed

    Broadcom Employee
    Posted Oct 14, 2014 02:25 PM

    Hi,

    1. I have disabled the option for even administrators to disable the NTP component. This prevents us from disabling the firewall component. However, customer has a requirement to generate an automatic alert when it is disabled. I wanted to explore other possibilities. Does SEP forward the computer status information when we configure external logging? 

    --> Try configuring a Security event notification alert.

    Go to SEPM --> Monitors --> Notifications --> Notification Conditions --> Click on 'Add' --> Select "Client Security Alert" --> Under "What settings would you like for this notification", select 'Network Threat Protection Events'

    2. Yes, I have the client password protection enabled and it does not prevent me from un-installing when running a cleanwipe with admin rights. Can we do anything to prevent this?

    --> Cleanwipe is a last resort to remove the SEP client. Ideally Cleanwipe tool should be available only with admin users.

     



  • 7.  RE: Track Firewall Disabled or SEP un-installed

    Posted Oct 15, 2014 12:31 PM

    Thanks for the information Chetan. I will enable the notification conditions to see if it alerts when NTP is disabled.