Endpoint Protection


What has happened to Symantec products?

  • 1.  What has happened to Symantec products?

    Posted Oct 02, 2010 03:28 PM

    Hi All.

    I have been a Symantec partner since what seems like the beginning of time :-)

    For many years I have been pleased with the company and its products.  Recent events, however, have led me to seriously consider leaving the company and finding another alternative -- something I really don't want to do.  In the last few years I have experienced the following issues with various products released by the company.

    What I'm looking for is simply an honest response from someone who really knows what is happening in the trenches -- development please, not support staff.  Should an honest answer be provided that points to some light at the end of the tunnel, that would be nice to hear and could persuade me to stay put.  Nothing short of that, however, is going to stop me from abandoning ship.

    I would hope Symantec understands how serious this is.  For an IT firm to get to the frustration point where they would forsake all product knowledge gained over the years (it took A LONG TIME to learn Endpoint) and relearn a new product that may also (and likely does) have issues of its own -- that is a serious reflection on the state of their product line.

    At this point, in so many instances, the Symantec software has actually been the cause of more problems than the actual Malware itself.  And I'm very serious.

    Issues:

    - In these very newsgroups, EP11 MP1 still does not detect (or even flinch at) newly developed malware strains.  I am now looking at a customer box that has a very nice installation of a fake Microsoft Security Essentials.  Symantec never (and still, right now, has not) flinched.

    This I've seen for YEARS here.

    I understand how hard it is to determine what is good and what is bad software.  But, if other vendors can do it, Symantec has to be able to as well.

    - SMSMSE simply is a major problem.  Mostly this centers on the app's inability (inconsistency) to update definitions.  In past releases I have seen, and Symantec has documented, where this failure in certain situations will kill SMTP and mail flow.  On version 5, the only fix was to remove and reinstall the entire app.  I've seen in version 6 where certain file types -- just the file -- have killed the service and SMTP.  The only fix is to reboot the server.

    This occurs on version after version of the software.  Even on the current version I will get email notices that SMSMSE has experienced a critical failure.  I don't know what that failure is (there is never any detail about the error) and often this is after a reboot.

    I see the software hold on to and gum up mail queues and only on reboot are these messages released.  I can't say for certain this is Symantec, but I really am suspicious.

    - Live Update.  I have now had, and seen where Symantec has documented, issues with the Live Update software on even stand-alone unmanaged clients.  There are numerous Symantec internal documents that detail registry hacks, combined with removal and reinstallation procedures -- JUST TO GET THE PRODUCT DEFS UPDATED -- and that is just so sad.

    I could go on, but these are the biggest issues I'm facing.

    Response appreciated.




  • 2.  RE: What has happened to Symantec products?

    Posted Oct 03, 2010 01:19 AM

    I'm sure you've read the article on hardening policies...but just to point something out. You're still using MP1 when there is already a version RU6 MP1 that is more than a year ahead of what you're using. Or did I just misunderstand what was written? If so, skip the next paragraph.

    Just an opinion here, but I think that with software, in terms of development, anything older than a year looks obsolete. There are a lot of enhancements already made; some have probably solved some of the issues you're facing.

    Even RU5 was able to block most of the fake AVs from being installed, although I've still seen some false alerts in the form of an animated webpage that looks like the PC's Explorer.

    Also try the Symantec Brightmail Gateway. :D I too was faced with Mail Security gremlins on a client's clustered environment.

    I'm also looking forward to someone from Symantec giving their take on this. Don't lose hope.



  • 3.  RE: What has happened to Symantec products?

    Posted Oct 03, 2010 04:38 PM

    Not sure if you will get a response from someone in development, but I can give you my opinion regarding SEP as a customer.

    Out of the box settings will leave you very vulnerable. Make sure you are using all 3 components, AV/AS/PTP/NTP, as well as a strong application and device control policy. In my opinion the ADC policy is the bread and butter of SEP. I've tested it against all of the FakeAV variants that I could find and with an ADC policy, it simply does not/cannot install.

    There are various KB articles on hardening SEP as well as what Symantec Security Response recommends. Some time and dedication are needed to get SEP working as it should, though. Luckily, I have that time, but I understand some just don't and this is where SEP fails them, because they feel it should work well straight out of the box and that is just not the case.

    Using all 3 components plus the ADC makes SEP very strong in my opinion.

    Just my two cents.....



  • 4.  RE: What has happened to Symantec products?

    Posted Oct 03, 2010 08:57 PM

    Some more thoughts ....

    mon_rarlio, the MP1 I reference is the latest release of EP.  So that would be EP11 6 MP1, I guess :-)  Whatever it's called, the last release is what I'm running on clients.

    Brian, you make a good point.  EP does have nice features.  App and control makes sense and I do like the location awareness side of things.  This has been valuable for road users and firewalling and so forth.

    My main issues are things like what just happened to me this evening.

    I update a server for the recent .NET OOB update.  Prior to updating, everything with SEP is fine.  I disable SEP on the server (just the client antivirus implementation, not the manager), run the update, reboot, and after logging in after the reboot I see a message on this server that auto protect is malfunctioning -- the "yellowed out" section of antivirus says that either the problem is with definitions or that the installation is corrupt.

    So, now I need to troubleshoot this server, reinstall, download the manual defs and try to resolve.  Whatever.  This takes SOOOOO MUCH TIME!!

    After installing SEP on two client systems last week, two of the clients just never updated definitions.  I had to reinstall and then they started updating.

    I have problems like this weekly with Symantec stuff from multiple clients.



  • 5.  RE: What has happened to Symantec products?

    Posted Oct 03, 2010 09:28 PM

    Just curious, but why did you disable SEP before updating the server? Not to say that's what caused it but just wondering...

    Was this server previously on SAV or was it a fresh install of SEP?

    Same with the clients, were they upgraded from SAV or fresh SEP installs?



  • 6.  RE: What has happened to Symantec products?

    Posted Oct 04, 2010 01:58 PM

    Except the hardening policies don't work on 64-bit computers.



  • 7.  RE: What has happened to Symantec products?

    Posted Oct 04, 2010 03:05 PM

    Hey Brian.

    Many vendors recommend disabling antivirus before installing, and so I do this as a matter of practice.

    This server was previously on SAV.  On the server, I removed SAV and installed a clean SEP.  On non server machines I roll over SAV.

    Thanks.



  • 8.  RE: What has happened to Symantec products?

    Posted Oct 04, 2010 03:39 PM

    In my experience, upgrading from SAV to SEP has been a HUGE problem for me, even though it is supported. We have 10k+ machines and the majority were a SAV to SEP upgrade. I had to deal with numerous issues; mainly the install would roll back with the below error or something similar:


    Seriously, it cannot be removed??!! Lmao....and actually this machine is still on SAV, not SEP as the error states, but whatever....of course CleanWipe takes care of the issue and I've found it to be a very useful tool. Although in some cases, CleanWipe blew away the NIC. That's fine if you're working locally, but remotely it's just too hard to fix because you have to walk a non-techie user through re-installing the NIC.

    Also, when upgrading, some of the SAV install is left behind in C:/ as well as the registry.

    I've not yet had a problem with a fresh SEP install.

    I have no data to back me up, just my experience, but I would lean more towards a SAV to SEP upgrade as the issue.

    I've never disabled the AV for an upgrade and have been fine, but if that works for you then I wouldn't change it.



  • 9.  RE: What has happened to Symantec products?

    Posted Oct 04, 2010 04:01 PM

    Yes Brain.  While I have not had any issues (so far) pushing out SEP over SAV, the error message that you reference is what I'm talking about and what makes me want to walk away.  BTW, with SAV I had so many issues rolling over 10.x I just gave it up.

    Here's another gem.  If you upgrade a server from 10.x to EP, you have to remove System Center.  When you do that, all the old Intel services (alert management, if this was installed at some point on the box) are left behind.  This causes major problems, I think, on system load because other related services are waiting on these services to start (which they won't, because they're halfway removed) and that causes issues.  There is a Symantec article that resolves this, but it takes about 30 minutes to walk through.

    When you walk through this article, you get a real good feeling for how poorly Symantec cleans up apps.  There are TONS of remains of 10.x in the registry and folder structure AFTER using Add/Remove Programs to remove SSC and AV.

    If anyone from Symantec is listening, do you get the picture?

    I'm just going to continue posting items here as they come back from the subconscious

    :-) 



  • 10.  RE: What has happened to Symantec products?

    Posted Oct 04, 2010 04:02 PM

    Oops.  Brian not Brain.  I do that all the time.  Not sure why :-)



  • 11.  RE: What has happened to Symantec products?

    Posted Oct 04, 2010 04:07 PM

    No worries, everyone does :-)

    You may want to look into SEPPrep. I've had really nice success, as it seems to remove SAV completely (as well as competing products) and gets SEP on there. Of course, I wouldn't use this as a full-blown deployment method, but it is good for those stragglers.

    You should be able to find it on the DVD under \Tools\NoSupport\CompetitiveUninstall



  • 12.  RE: What has happened to Symantec products?

    Posted Oct 05, 2010 05:02 AM

    Any idea if this can be used in a batch script? Uninstall then reinstall. Thanks.



  • 13.  RE: What has happened to Symantec products?

    Posted Oct 05, 2010 08:34 AM

    I believe it can, but it requires two reboots and I don't think it can really be done completely silently.

    https://www-secure.symantec.com/connect/forums/run-cleanwipe-silently-and-no-reboots



  • 14.  RE: What has happened to Symantec products?

    Posted Oct 05, 2010 01:44 PM

    Another frustrating example -- ccApp hangs.

    Oftentimes on logout after upgrading to SEP, I had noted on XP boxes that this program would hang on logout.  I would get the "this program could not be closed," or "is not responding," or whatever the message is that is thrown when a TSR app doesn't close up on logout.  Often, if you click Cancel, the app will close.

    Searched the hard drive for ccApp and it is a Symantec software program.



  • 15.  RE: What has happened to Symantec products?

    Posted Oct 05, 2010 02:48 PM

    That happens to my machine, probably thrice a week. I always just click End Now to stop it, but never know why it happens.



  • 16.  RE: What has happened to Symantec products?

    Posted Oct 20, 2010 11:12 AM

    "In my opinion the ADC policy is the bread and butter of SEP. I've tested it against all of the FakeAV variants that I could find and with an ADC policy, it simply does not/cannot install."

    Brian can you point us to information regarding the ADC policies and settings you recommend to make SEP hardened?



  • 17.  RE: What has happened to Symantec products?

    Posted Oct 20, 2010 03:14 PM

    I'm not sure the developers read the forums. That said, you most likely will not see a response from them. These are peer-to-peer forums, so the Symantec employees that are in here do it on a volunteer basis.



  • 18.  RE: What has happened to Symantec products?

    Posted Dec 04, 2010 10:40 AM

    If I was a Symantec product manager it would be the 1st thing I would require developers to do :-)



  • 19.  RE: What has happened to Symantec products?

    Posted Dec 04, 2010 12:08 PM

    I usually create my own to fit our environment but here is a good starting point:

    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security

    http://www.symantec.com/business/support/index?page=content&id=TECH132337&actp=search&viewlocale=en_US&searchid=1291482102948



  • 20.  RE: What has happened to Symantec products?

    Posted Dec 04, 2010 03:36 PM

    "CCApp is trying to close" dialog no longer appears on shutdown
    Fix ID: 2077858
    Symptom: Under a high workload while a computer is shutting down, occasionally the dialog box "CCApp is trying to close" appears.
    Solution: Code changes to ensure the shutdown signal is correctly received and processed by all application processes that are running.

    In current version RU6 MP2 :-)


  • 21.  RE: What has happened to Symantec products?

    Posted Dec 05, 2010 06:59 PM

    Except that Product Management doesn't manage the developers.  That's like saying marketing manages the product features.  Does not compute.



  • 22.  RE: What has happened to Symantec products?

    Posted Dec 05, 2010 09:19 PM

    Maybe if Symantec has a job opening for this forum, where part of the job is to answer these threads and replicate and test the problems, then maybe I'll consider it. I'm not working for points. :P

    But I guess you have technical support for that. ;)



  • 23.  RE: What has happened to Symantec products?

    Posted Dec 07, 2010 05:51 PM

    Seriously.  I spend more time fixing and putting out Symantec-software-caused fires these days than anything else I do.  And when this stuff breaks it's really a problem.

    For example, just now I checked on a client workstation to perform some basic (non Symantec related) work and noted that the Symantec client definitions were out of date. 

    That was an hour ago and I have been working on a "Live Update issue" ever since.   Live Update says it is successful.  The logs show that the definitions don't need updating.  But the defs are old on all systems and there is no new def folder in \common files on the mgmt server.

    This kind of stuff happens ALL THE TIME WITH Symantec software.  Reminds me of Microsoft around the time of Windows 98, when the technical community was up in arms about the crap coming out of Redmond.

    MS did something about it and these days I have NO ISSUES ever with MS stuff -- it just works.  Even their free stuff like WSUS.  

    Symantec should take heed and resolve these issues.




  • 24.  RE: What has happened to Symantec products?

    Posted Dec 07, 2010 05:57 PM

    How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually

    http://www.symantec.com/business/support/index?page=content&id=TECH103176&locale=en_US



  • 25.  RE: What has happened to Symantec products?

    Posted Dec 07, 2010 06:16 PM

    Here's a reply to your original post:

    "In these very newsgroups, EP11 MP1 still does not detect (or even flinch) at newly developed malware strains."

    We have technology coming in SEP 12, which has been testing in the consumer group for a while, that will better deal with this. The newer technology we have will address this long term.

    As for our competitors detecting it, there are a few key reasons:

    -The majority of the time these pieces of software are not rolled out on such a large scale as Symantec is. If they fail to fix a threat and/or break a machine by removing something, no big deal, as it's free software; Symantec, on the other hand, cannot allow that to happen, so we have to be more strict with how we handle things.

    -Symantec is the largest vendor used in most businesses. When a threat writer makes a threat that he wants to infect as many machines as possible, what does he do? Ensures the largest vendor doesn't detect it and then sends it. There are numerous sites that you can send samples to, to see who detects it. They won't be looking to get around software that a minority use; the software is coded to evade the big guys.

    Please note these are not excuses; we here at Symantec know we have a shortcoming here, though again we are putting processes in place to fix this long term.

    "SMSMSE simply is a major problem"

    Unfortunately I do not know anything about Mail Security so I will have to skip this.

    "Live update"

    We have newer versions of LiveUpdate that address a ton of these issues. The downside is that a lot of our corporate customers use a mixed bag of older Symantec software. All of our software shares the same LiveUpdate, so we can't release an AV product that uses a newer LU while they may still have Backup Exec/Mail Security/LUA/etc. running in their environment that requires an old LU. The resources required to go through and update our catalog to use the newer LiveUpdate, I imagine, would be rather large. Based on my personal view of it, it appears we are waiting for our legacy products such as SAV to disappear before we make a switch to the new LU, so we can do so safely without affecting corporate environments.

    As a disclaimer, I am not a developer. These are just my views from what I see happening internally at Symantec.