Endpoint Protection

  • 1.  Update policy

    Posted Jun 11, 2013 10:03 AM

    Looking for a way to force a policy update without having to log into the client.

    Current config:

    • "Pull" Mode
    • Heartbeat 8 hours

    The context here is incident handling when a machine may or may not have had a virus removed and we want to launch a full scan from the to confirm. 

    My method is to create a folder in SEP called "investigate" - this switches the client from Pull mode to Push mode to get real-time scan results.

    Again, the question is: is there any way, without logging into the potentially affected system (which may introduce risk), to force the policy update (so the client gets the policies associated with my "investigate folder" without having to wait the full 8 hours (at worst, without the randomization figured in))?

     



  • 2.  RE: Update policy

    Posted Jun 11, 2013 10:07 AM

    The only way would be to send an smc -stop/start remotely. You can do it with a script or via something like PSExec.

    The client initiates communication via the heartbeat so this is a little limited.



  • 3.  RE: Update policy

    Posted Jun 11, 2013 10:09 AM

    Right-click on the client in SEPM and select update content. This should force the client to communicate.

    The heartbeat is initiated from the client end when the counter is reached.

    Or else you can use PsExec to stop and start the smc service.

    http://www.symantec.com/connect/forums/restart-smcexe-remotely#comment-3857851

    About Accelerated Heartbeat in Symantec Endpoint Protection (SEP) Clients.



  • 4.  RE: Update policy

    Posted Jun 11, 2013 10:10 AM

    As per this document, it states that whenever there is a policy change or new content defs, as I mentioned earlier, the client will take those immediately.

    About Accelerated Heartbeat in Symantec Endpoint Protection (SEP) Clients.

     

    http://www.symantec.com/business/support/index?page=content&id=TECH93724



  • 5.  RE: Update policy

    Posted Jun 11, 2013 10:42 AM

    "Thumbs Up" to the above. The heartbeat is always client-initiated, so you need something to prompt the client to check in (i.e. the SEP Client doesn't ever "listen" for commands so you can't tell it what to do; you need to wait until it "asks" via the heartbeat).

    As the chaps above have mentioned, PSExec can be used to talk to the OS of the target computer, to tell it to prompt the SEP Client software to check in to the SEPM.

    Another way to do this is with the SEP Integration Component, which is based off of Altiris.  More info on the SEPIC can be found below:

    http://www.symantec.com/docs/HOWTO73212
    http://www.symantec.com/docs/DOC3986
    http://www.symantec.com/docs/HOWTO59445
    http://www.symantec.com/docs/HOWTO59434