
Users could still disable the SEPMv11 in the client's tray

Updated: 21 May 2010 | 32 comments
Nel Ramos | Votes: 0
This issue has been solved.

Hi Team,

Just curious that after making a policy for a group of computers, they could still disable SEPM.
It is very peculiar. Has anyone had this issue before, team?

Here is what I had done, please check if I had missed something. Thanks.

1. Created a Client Group and moved the managed client to the folder.
2. Go to Policy Tab of the Client Group
3. Go to General Settings under Location-independent Policies and Settings
4. Check the boxes needed on the Client password protection under security settings tab.
5. The boxes to check are: require a password to stop client service & require a password to uninstall the client.
6. Set the password and apply settings.
7. Update the content on the client group or individually request for updates from the client side.
8. Reboot clients if needed.

After doing this, the users could still disable SEPM...
Any advanced technical thoughts on this?

Many thanks Team...

Comments

pete_4u2002 | 11 May 2009 | Votes: 0

Hi,
I believe you are talking about the SEP service. Did you verify if the policy has been applied on the client by comparing the policy number in the SEPM console with the one in the SEP client GUI?

This setting only prevents stopping the smc service, not the SEP service (real scan). To stop end users from disabling the SEP service, enable tamper protection.

Pete!

Paul Mapacpac | 11 May 2009 | Votes: +4

Re

Hi Nel can you check this document?

http://service1.symantec.com/SUPPORT/ent-security....

Sapta | 11 May 2009 | Votes: +1

You can lock the respective features from the antivirus and antispyware policies, like File System Auto-Protect, Internet Email Auto-Protect, Lotus Notes Auto-Protect, and Microsoft Outlook Auto-Protect. In your case, if you lock File System Auto-Protect then users will not be able to disable SEP, as disabling SEP means disabling the Auto-Protect feature.

Nel Ramos | 11 May 2009 | Votes: +1

That is right, Sapta...
all policies could be bypassed if they would disable it in the tray...
Here is a screenshot below.

[image]

@paul: I will be reading the link you sent thoroughly.
Give you feedback later after I implement it.
thanks.

Nel Ramos

Ajit Jha | 11 May 2009 | Votes: 0

Hi

Log in to the management console > Clients > Select a Group > Policies > Location specific settings > Click Server-Control > Select Server control and click Customize > Uncheck Allow the user to Enable or Disable Network Threat protection > Click OK > Assign.

Regards,
Ajit Jha
Technical Consultant
STS

Nel Ramos | 11 May 2009 | Votes: +1

@Paul Mapacpac: I had already implemented it.
A few changes were made to cater to our org.
It has been several minutes now and they could still disable it.
By the way, how many minutes would the update contents command take to have effect on the clients?
I might wait for another 10 minutes for resolution.
I might also reboot the clients.
Will give progress afterwards.
Thanks.

Nel Ramos

Viachaslau Kabak | 11 May 2009 | Votes: 0

It seems that there is no way to block disabling of the antivirus protection.

Stopping the client service only stops the connection of SEP with SEPM.

I set 3 minutes (minimal time) to enable protection after disabling.

Sapta | 11 May 2009 | Votes: +1

If a client is logged in as a domain user then the disable SEP option is automatically disabled, but in an administrator login it is not disabled. Have you tried to lock the features?

Paul Mapacpac | 11 May 2009 | Votes: 0

Re

Hi Sapta, what if he is logged in as a domain user, but added to the local administrators group?

Sapta | 11 May 2009 | Votes: +2

Hi Paul,
normally clients are not added to the local administrators group; this was a wild guess I mentioned, considering that the user is logged in with a normal domain user a/c. But if it is already added to the local administrators group then the user can disable it, as you say.

pete_4u2002 | 12 May 2009 | Votes: 0

Hi,

For an administrator (domain/local), the feature is not disabled.

Pete!

sandip_sali | 12 May 2009 | Votes: +2

Disable the option of "Disable Symantec Endpoint Protection"

Hi,

Please try the following steps. Also please do remember to check the policy serial number on the SEPM as well as on the clients so that we are sure that the policy has been updated on the clients.

Step 1: Remove the right to disable Network Threat Protection:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-specific settings.
Click Tasks to the right of "Client User Interface Control Settings", then click Edit.
Select Server control or Mixed control if it is not already set to one of these.
Click Customize.
If Server control is enabled this will open the Client User Interface Settings dialog.
If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.

Uncheck Allow users to enable or disable Network Threat protection.
Click OK > OK.

Step 2: Remove the right to disable Threat detection:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-Specific Policies
Click Antivirus and Antispyware Policy.
Click File System Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable File System Auto-Protect.
Click Internet Email Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Internet Email Auto-Protect.
Click Microsoft Outlook Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
Click Lotus Notes Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
Click Proactive Threat Scan, then "lock this feature" by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
Click OK.

Step 3: Force clients to update policy:
This step is not necessary as clients will receive the policy during their normal check-in

From the manager:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Run Command on Group.
Click Update Content.
The client will receive a prompt to heartbeat and update its policy. Once the policy has been updated the option to Disable Symantec Endpoint Protection will be grayed-out when users right-click the Symantec Endpoint Protection system tray icon.

On the client:
Right-click the Symantec Endpoint Protection system tray icon.
Click Update Policy
The client will request the new policy from the manager. Once the policy has been updated the option to Disable Symantec Endpoint Protection will be grayed-out.

Thanks & Regards Sandip C Sali

Jason1222 | 12 May 2009 | Votes: 0

I have this problem

Hi Pete,

I read your thread, and I have the exact same issue - domain user, not domain user, admin, not admin, only on 30 machines.

You did not mention the OS that the users were using. In my experience, and it is well known at Symantec, this feature does not work on 64 bit machines. All 30 of my machines that are experiencing this are 64 bit...

Are your clients in 64 bit?

If you open up the SEPM console, on the main page, in the bottom left hand side, below status summary, there is an indicator that states: "Tamper protection off" with a number.  Clicking on the number should give you a list of all the machines that this feature is not working for.

Is it all the machines?  A specific group?  Or possibly a specific OS?

Kedar Mohile | 12 May 2009 | Votes: +1

Let me know if this helps:

  1. Logon to the Symantec Endpoint Protection Manager Console
  2. Browse to Clients
  3. Select the Group
  4. Click Policies
  5. Expand Location-specific Settings
  6. Click on Tasks to the right of Client User Interface Control Settings
  7. Click on Edit Settings
  8. Click on Customize to the right of Server Control
  9. To restrict access to the Symantec Endpoint protection tray icon, un-check the Display the notification area option.
  10. To restrict access to the Symantec Endpoint protection tray icon and the user interface, un-check the Display the client option.
  11. Click OK
  12. Click OK to save changes to the location specific settings policy

Beppe | 12 May 2009 | Votes: +2

What "Disable SEP" means

Hi,

Just to clarify: "Disable SEP" does not mean "disable anything" but just what it is possible to disable. If some features are not disabled and locked as described above (Paul and Sandip's posts) you will still see "Disable SEP" enabled to disable them.
Just for example: if you lock the auto-protect for file system but not the Outlook protection, you have "Disable SEP" in your clients to disable the Outlook protection but not the auto-protect.
If you test the "Disable SEP" function under different conditions you will see that the interface of SEP will tell you exactly which components are disabled.
It is already well tested.

Regards,

Giuseppe

Abhishek Pradhan | 12 May 2009 | Votes: -1

I second Kedar's help

What Kedar has said is actually the right way to go ahead and disable the users' ability to disable SEP.

Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

mon_raralio | 12 May 2009 | Votes: 0

How-to

Here's a link to help you out:
http://service1.symantec.com/support/ent-security....

“Your most unhappy customers are your greatest source of learning.”

mon_raralio | 12 May 2009 | Votes: +1

btw.

It seems that a few users have been having this problem since:
https://www-secure.symantec.com/connect/forums/disabling-user-access-disable-symantec-endpoint-protection?sym=TRUE

I think users should not have access to the option to disable SEP by default imho.

“Your most unhappy customers are your greatest source of learning.”

Nel Ramos | 14 May 2009 | Votes: +1

@sandip_sali: Already did that but still having issues.

@Kedar Mohile: I had already implemented it. "To restrict access to the Symantec Endpoint protection tray icon, un-check the Display the notification area option."
I had already updated content from the server console and clicked update policy in the client,
but it is still not working. Maybe I shall need some time for it to take effect... normally, how long would it take? Thanks.

Nel Ramos

Paul Mapacpac | 14 May 2009 | Votes: +1

Re

Please make sure that the upper level policies are not inherited to that group.

Nel Ramos | 14 May 2009 | Votes: 0

@Paul Mapacpac: not inherited. thanks.

Nel Ramos

Nel Ramos | 15 May 2009 | Votes: 0

@all: Thanks! It worked on all user accounts like what Sapta told on the thread...
@Sapta: I voted you a point for that comment.. it helped... thanks..
@paul: thanks for the constant advice... you rock...

@all: Just one more follow up... could we make several admin accounts not disable SEP in the tray?
thanks...

Nel Ramos

mon_raralio | 15 May 2009 | Votes: 0

@Dperfectgent: Which in particular made it work? Maybe it's time to update the KB for that. As for the admin account, this could be a new thread.

“Your most unhappy customers are your greatest source of learning.”

Nel Ramos | 15 May 2009 | Votes: 0

It worked on the user accounts.. it is totally grayed out..
but using an admin account, it could still disable Symantec.. even though I had already done all possible procedures in this thread...
We just need to know if an admin account could be blocked from disabling Symantec.

Thanks..

Nel Ramos

Paul Murgatroyd | 15 May 2009 | Votes: 0

If your client admins share the same policy as your users then they shouldn't have any more rights to the client.

If you open the GUI itself and click the options buttons, which ones have "Disable..." not greyed out?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Nel Ramos | 16 May 2009 | Votes: 0

@Paul Murgatroyd: the user accounts are already disabled but the admin could still right-click the Symantec icon on the system tray and disable it. What I did was to hide the tray totally but it is just a remedy.. hope we find a solution since other admins would just disable Symantec and have no AV at all.

thanks.

Nel Ramos

Paul Murgatroyd | 16 May 2009 | Votes: 0

That's why I want to know WHICH components can be disabled in the GUI. As previous people have said, the "Disable SEP" link in the system tray only relates to those components which for some reason haven't been locked down. If your users are unable to disable the product then the same should be true for your administrators. It could be a bug in the system tray code, but check the client GUI and tell us which components do not have "Disable..." greyed out.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

mon_raralio | 18 May 2009 | Votes: 0

@Paul,

What you're saying is that the Disable option would only allow clients to disable the items not greyed out in the GUI?

I currently have "Network Threat Protection" locked on the GUI in the "Change Settings". On the "Options" on the "Status Page", I can see that the "Change Settings..." is greyed out. I can still disable the SEP in the System tray and the Network Threat Protection was also disabled when I do so.

“Your most unhappy customers are your greatest source of learning.”

Beppe | 19 May 2009 | Votes: 0

Clarification

The disable option allows clients to disable the items not locked down via the policy.
For example the user can disable this feature:
[image]

but he can't disable this feature:
[image]

Cheers,

Regards,

Giuseppe

Paul Mapacpac | 18 May 2009 | Votes: 0

Re

I have tried to re-create the scenario and it seems if you are a member of the admin group the policy to disable SEP is available. But for a normal user (no admin rights) the policy is applied.

sprewell | 26 Jan 2010 | Votes: 0

I also have the same problem. Is there any other option so that a user who has admin rights cannot disable SEP?

Grant_Hall | 26 Jan 2010 | Votes: 0

I just wanted to ask you to open a new thread for your subject. This thread is already solved and is very old (35+ weeks) and will most likely be ignored by most users in the forums. You would get more answers if you posted a new thread and then provided a link to this one if you feel it is relevant.

Thanks
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )