Critical System Protection
timl1228
|
November 17th, 2009
When adding an agent to a folder with policies applied, I get the following error (the actual error includes misspellings). Can anyone tell me what it means and how to fix it?
** Policy Error has occurred at 17-Nov.....EST
An error occured trying to build the policy for Detection Policies (6).
Not a zip file
1 comment
zenworksb
|
November 4th, 2009
Hello, I am in need of some help. I have the info below. I need an explanation of where this is set up and where it can be manipulated. We are discovering events and getting much chatter. We changed it to just Critical, but we want to know what is Critical; I see the numbers but need something more specific than that, etc. I hope this makes sense; I could really use the help.
Rule severity: Select the severity number from the following range of rule severity numbers:
■ Info: Events with a severity of 0-19 contain information about normal system operation.
■ Notice: Events with a severity of 20-39 contain information about normal system operation.
■ Warning: Events with a severity of 40-59 indicate unexpected activity or problems that have already been handled by Symantec Critical System Protection.
■ Major: Events with a severity of 60-79 imply more impact than Warning and less impact than Critical.
■ Critical: Events with a severity of 80-99 indicate activity or problems that might require...
0 comments
zenworksb
|
November 2nd, 2009
I have a need to create a report so that when there are changes to the inetpub directory on the web server I can run a report to show this: who did it, what server, etc.
I also want to send an email to a predefined address when this occurs. What are the steps to do this?
1 comment
zenworksb
|
November 2nd, 2009
Hello,
I have a need to create a prevention policy to prevent changes to the inetpub directory on the web servers. They have the agents on the servers. Can I get help on creating this policy? I will create a folder in Prevention called "webservers inetpub" and apply the policy to this folder. Thanks for any help.
0 comments
cbillson
|
November 2nd, 2009
Hi, as in my previous post, I'm trialing Critical System Protection to secure some application servers. From my understanding, with the strict Windows policy enabled in logging mode I should be able to see network activity to my server.
I'd suspect that if I installed something such as an FTP client I'd see logging based on the port and software activity?
On one of the servers is an application that takes telnet-style connections on about 20 different ports. There are thousands of connections a day to this software, yet I never see anything in the logs. Should I be worried about this?
Also, as a test I added some of the files of this software to the policy to deny modifications; as a test I added a file called test.txt. Again, when I go and edit this file I see no warnings in the log.
I've checked that the clients have the correct revision.
Thanks
Chris
0 comments
cbillson
|
October 30th, 2009
Hi, I'm in the process of trialing CSP and I'm not sure how I can do this.
I've got a server that sits on two networks. It's got various security around it, such as access lists on the router/gateway on each side, and the server is configured to allow remote access only to certain users, etc. But I need to make it more secure on one network than the other, if that makes sense.
On the one side I need RDP, the ability to map drives, NTP, etc., but on the other network I only want a series of ports to be able to communicate with a single piece of software. Is this level of locking down possible with CSP? All the policies I've created so far appear to cover all subnets / interfaces.
Thanks in advance
Chris
0 comments
arikar
|
October 26th, 2009
Hi,
A missing feature in SCSP is that when you apply an IPS policy in log mode and events start to roll in, there is no way to know if the event will be blocked or allowed when going into prevention.
It would be a helpful feature to get a sign or a status line that says what the action for that event will be when prevention is enabled.
Thank you.
0 comments
wollenslegelt
|
October 20th, 2009
We are going from a "testing" phase to production and want to clear the system & logs so that the auditors don't have to go through our existing logs. Is this possible with SCSP?
I want to keep all the clients & all the policies though.
Thanks
1 comment
AJINMD
|
October 9th, 2009
The CSP central server has stopped seeing activity from all systems for 3 days now. The only log that is being generated is a 5795787 error that says it successfully purged events. This log event occurs a few times a day.
No changes occurred on the system prior to this occurring, except the addition of 5 new Solaris clients reporting to the server five days earlier.
The server also had started noting several systems as offline before this occurred, but it still received and alerted on logs from these systems.
The only log message that I am getting now is:
SOURCE
Agent Name SCSP Manager (REDACTED)
Host Name REDACTED
Host IP Address ...
3 comments
miatwork
|
October 5th, 2009
Dear all,
Our server is running SCSP Management Server V5.2.0.519 with Windows agents V5.2.0.510.
I would like to ask if this version supports Windows 2008. We have some Windows 2008 servers and would like to know if the agent version is supported on Windows 2008.
If not, does anything need to change on the server / agent side if we need to support agents on Windows 2008?
Thanks in advance.
1 comment
neil_rogers
|
September 17th, 2009
Everyone knows USB drives are a huge chance for losing data. I found a way to make that worse.
I bought a USB drive for my wife to use on her personal laptop. We all carry at least one of these. Her drive stopped being recognized, let alone working on the system.
Since it had only been used 3 times, I wanted the manufacturer to replace it under warranty. They offered to exchange it only if I sent it back with the drive intact. I was shocked that they required me to send it back. They had a fax number that, if I was with the government and could send letterhead of such an organization asking not to send the drive, they would exempt it.
So a new drive costs $60-$150 depending on size. Having personal, let alone any corporate, data on the drive and it falls into the wrong hands, which, if it is being sent in a box that says what company makes the drive or is addressed to the company, it would be easy for someone to take a look inside to...
1 comment
Jeff Vandervoort
|
September 13th, 2009
Prelude
Initially, I wrote this about Backup Exec, because that's where I ran into this problem. I'm also a SAV & SEP veteran but don't recall seeing this heinous language in their KB articles. So maybe it's a Veritas thing. But, whatever...
...then it occurred to me that while BE may (or may not) be the only Symantec enterprise product to which the symptom applies, the cure is universal. Because it bridges a huge gap between the goals of Symantec Sales, Support, Connect, Knowledge Base, and Product Managers. So I've taken the unusual-and-hopefully-not-presumptuous step of tagging it to all available products. It is global.
That kinda makes it Ideas spam, I know. Never done it before; probably never will again. Hope you can forgive me!
Don Quixote Battles Symantec
Two KB articles I've browsed recently contain variations on this boilerplate (emphasis mine):
"There are currently no plans to address this issue by way of a patch or hotfix in the...
15 comments
HelenBellew
|
August 28th, 2009
How do I remove Adware.gen? I ran a virus scan and it directed me to your website. Why doesn't my scan automatically remove this virus?
12 comments
cashqoo
|
August 26th, 2009
What is the exact supported MS SQL database for CSP 5.2?
As indicated in the installation manual, it was MS SQL 2005 SP1/SP2.
However, it did not indicate which edition. So which exact editions (Express, Standard, Enterprise) are supported? Does it mean all editions?
5 comments
Vikram Kumar-SA...
|
August 11th, 2009
Symantec Critical System Protection 5.0 Overview and Feature Comparison with Symantec Host IDS 4.1.1 and Symantec Intruder Alert 3.6.1
This document assists in explaining the differences between Symantec Host IDS, Symantec Intruder Alert and their update called Symantec Critical System Protection 5.0.
The document contains three sections.
The first section outlines the differences between the host intrusion prevention of the solutions.
Section two provides an overview of the out of the box intrusion prevention policies for SCSP 5.0.
Section three provides an overview of the out of the box detection policies included in SCSP 5.0.
3 comments
JoeGons
|
August 7th, 2009
I think it would be of great benefit if there were a default scan of the root and Windows OS files.
This would be a much faster scan and would address the most vulnerable part of the system.
Joe
2 comments
queryitaly
|
August 7th, 2009
Hello,
I'm using SCSP 5.2. I want to monitor my AS400 with a virtual agent, but I don't understand how to do it.
Have any of you tried this configuration?
Please help me!
Thank you
Angelo
1 comment
Zvi
|
August 6th, 2009
Hello,
The basic scenario for CSP clients is to connect to the management server via port 443, so if you are using an internal firewall, or have strict ACLs configured, you need to allow all the clients to pass through them in your corporate rules.
I was wondering if anyone has had experience configuring some kind of secondary firewall/proxy/SOCKS server that all of the client traffic would go through, with the proxy opening a single session to the management server through the internal firewall/ACL rules.
This of course cannot be done through something as simple as configuring a default gateway, since all the other traffic should remain as it was.
Thanks in advance for any ideas you might share.
0 comments
teong27
|
July 31st, 2009
Hi, just trying to understand here how the buffer overflow prevention feature works.
I have been doing some tests, using Metasploit and doing the RPC buffer overflow (MS03-026) on an unpatched Windows Server 2003 machine.
I noticed that the exploit will work (the payload is to add an admin user) every time, even though all "Buffer overflow detection" checkboxes are ticked for the policy. The only item that can stop the exploit from working is to stop cmd.exe from running as a service (General Service Options > Additional Parameter Settings > Do not allow service execution of these programs).
Has anyone else tried this before?
Another weird thing I found is that if the payload is to start a shell and connect back, then the policy will work (somehow it denies the outbound connection back to the attacker, even though I have allowed all connections).
The problem I'm having here is that I am trying to design a really light and lenient prevention policy for my company, one that I...
0 comments
Prashant Sinha
|
July 22nd, 2009
Hello Friends,
I am very new to this type of forum and this is my first article on any issue.
I am working as a software engineer with an esteemed organization. I am currently in the US on the client side and I faced Hacktool.Rootkit last week; I had to spare my weekend in the removal of this. This virus made my system so slow that I could not even open a simple Notepad in normal mode.
Since I am here, I could not ask for a Windows repair, as my laptop was configured in India and it was not possible for IT here to provide me everything. Therefore, I had to work hard by myself to remove it. But the best thing was that I was getting Internet access in the SAFE MODE WITH NETWORKING boot. This helped me a lot in trying so many things.
I am currently using SYMANTEC ENDPOINT PROTECTION (corporate virus protection).
This virus comes from an infected file or link (generally sent by one whose ID has already been attacked once). One more interesting thing...
3 comments
Peterpan
|
July 22nd, 2009
Can anyone give me documentation on what policies are necessary to apply in SCSP, in IPS and IDS?
2 comments
mon_raralio
|
July 16th, 2009
Hi,
I'm setting up SCSP for our client and I need to know what ports are being used. I've already checked the manual. Which port does it use for LiveUpdate?
There are also some ports that are found in the XML file that are not in the manual.
Thanks
8 comments
Anthony Flaviani
|
July 9th, 2009
Product Excellence through Effective Collaboration
Overview
We believe that building great software begins and ends with the customer – by understanding your business objectives for governance, risk management and compliance, and the challenges you face in getting there, we can build better software solutions to help you realize your goals. To that end, the Symantec Security & Management team has created a Customer Advisory Program (CAP) for our most valued customers and partners. This forum will provide members of the user community the opportunity to provide feedback, advice and suggestions directly to the Product Management team(s), which will influence strategic direction and next generation of products.
Objectives
The primary objectives of the Customer Advisory Program are:
• Discuss current and future customer objectives for our solutions, and identify specific investment areas in which our solutions can be used to facilitate achieving these goals
•...
0 comments
TomSchroeder
|
June 26th, 2009
Gartner Information Security Summit, Sept 21-22, London, Royal Lancaster Hotel, UK
Visit Symantec, the Premier Sponsor at the Gartner Information Security Summit, and learn how you can protect and manage today's ever-growing variety of endpoints and systems: smartphones, laptops, mail servers, gateways, and more.
The Gartner Information Security Summit will give you the information you need to create a layered approach combining risk management and compliance, secure business enablement and infrastructure protection. Hear the latest analysis revealing market trends, opportunities and threats to you and your organization.
Topics: Business Continuity Management, Customer Security and Privacy, Identity and Access Management, Infrastructure Protection, Managed Security Services, Mobile Security, Securing the Workplace, Security Management, Security Risk Management, Security Software
For further questions please contact Ilka Eimkemeier, EMEA Events (ilka_eimkemeier@symantec.com...
2 comments
david_roman
|
June 3rd, 2009
I've looked through the options and the manuals and can't find a way to schedule reports within SCSP. Seems like a simple task that is either missing or just difficult for me to find. Does anyone have any experience getting this to work? Is this another selling point for SSIM?
3 comments