Endpoint Protection

If we are run some software and it getting block by SEP then on which Log I need to check.

I have already check NTP àTraffic and package log found nothing.

I think this file is getting block through True scan.

I have enable to SMC log but unable to see anything getting block on it.

Client version:-11.0.6200.754

Console version: RU7.

Client OS: - Window 7 professional 32 bit(services pack 1)

Component on client system: All

Antivirus & Antivirus Spyware.

NTP:-Network threat protection.

PTP:-Protective threat protection.

NAC: Network access Control.

Please suggest.

does disabling the SEP helps to run the software?

did you check application event viewer?

Thanks Pete_4u2002

Yes if we disable the SEP then it’s working .

is there anything in application event viewer related to this incident?

do you have application and device control policy in place? can you check if the application rule has been set not to execute?

Yes we have ADC but there is no such rule we have added

Actually this is a software which are directly create Some ZIP (compares file) and upload to the Share folder. We have observed it working first 2 times but when the size of the file gets increase then it not working. Even we are not getting any error massage also.

TruScan logs:

SEPM: Monitors > Logs > PTP logs

SEP client: Logs > Proactive Threat Protection > Threat Log

If it is really a TruScan false positive, you may create a centralized exception exclusion for your application.

nothing found on above log.

please sugest

Hi,

I have observed if we are uploading ZIP file which are more the 50 MB from the local system to network share drive then it is getting block but we disable the SEP then it working properly.

Both the system having SEP 11.0.6200.745 version and having all the SEP component.

HI Nagesh,

Have you create centralized exception exclusion for application ?

Can you sharing Blocked Snap Shot ?

Thank Ashish,

But we are not getting any error message only we will disable the SEP then it is started working.

And yes we have put the same application in centralize exception then also problem persist.

Hi,

Try to disable only NTP feature and check .

Hi Ashish,

Then also it's not working. We have disabled the NTP as well as PTP but result is same.

Actually the first time it’s working and if we are doing same then next time then it’s not working.

Can you please tell me how I can enable the log to check?

HI,

Do you have any policy create in NAC ?

What happed if you have disabled NAC service Or disable ?

Unable to get you. Can you please elaborate?

Are you taking about SNAC policy?

Yes, I think you have enabled SNAC ?

Hi All,

After Trouble shooting we have found if we disable the NTP + PTP on client system then software is working fine but as our requirement we need to disable the USB as well as External drives.

Please suggest.

Try only disabling ADC policy..if successded then check the ADC rules.

If ADC is blocking you can check control log on client side or application and device control log on SEPM.

HI Nagesh,

You can raised Support ticket for symantec support.

are you using the latest version? if not , can you try that?

and is it seen on Win XP ?

Hi pete_4u2002,

We have window 7 system and my Antivirus version on client system is RU6 MP2 and SEPM version is also RU6 MP2,

so please tell me is it’s bug in this version?

Hi All,

This is a bug in RU6 and after upgrade the SEP Version on client system from RU6 to RU7 it is started working.

Thanks to all.

http://www.symantec.com/docs/TECH103087
 

mostly it matches this ,