Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog
Showing posts tagged with Endpoint Protection (AntiVirus)
Showing posts in English
hemu | 25 Aug 2009 | 1 comment

Dear Friends please find attached SQL query for DB report.....

use sem5
select pat.version as vd_version,i.MAC_addr1, i.CURRENT_LOGIN_USER, i.computer_name, i.ip_addr1_text,OPERATION_SYSTEM,
dateadd(s,convert(bigint,i.TIME_STAMP)/1000,'01-01-1970 00:00:00'),
dateadd(s,convert(bigint,CREATION_TIME)/1000,'01-01-1970 00:00:00'),i.DELETED,
dateadd(s,convert(bigint,LAST_UPDATE_TIME)/1000,'01-01-1970 00:00:00') lastupdatetime,agent_version, as group_name from
sem_agent as sa with (nolock) left outer join pattern pat on sa.pattern_idx=pat.pattern_idx
inner join v_sem_computer i on i.computer_id=sa.computer_id
inner join identity_map g on
inner join identity_map p on
inner join identity_map s on
inner join identity_map q on where
(sa.agent_type='105' or sa.agent_type='151') and sa.deleted='0'
and (sa.major_version >...

thaller | 24 Aug 2009 | 0 comments
Hello Everyone,

So like I said in my last blog post, whenever something interesting or useful happens to me with regards to my dealing with SEP, I'll post about it, so here is the latest.

Last week we had an interesting "incident" with one of our clients.

The Client:

The client is a Windows XP SP2 Machine, that was on our Guest Network (Removed from the Corporate Network by Firewalling).
It was running SEP MR4 MP1 as an unmanaged client.

The client was set to auto-update from symantec every 4 hrs, and do a daily full scan.

The Problem:

We first noticed a problem when an end-user was complaining about "spyware" like symptoms, browser hijacking, popups, etc...

upon inspection SEP had not found anything, and the logs showed it was behaving as normal.

Upon furth investigation (using "other" tools) we found out that the machine was infected with Win32.XiaJian.bk Trojan.

As part of our incident response (Which I suggest every business create one...
Shaizad | 23 Aug 2009 | 1 comment

Issue                 :-  SEP Client Install roll back  on Windows Vista Enterprise Machine . (SEP 11)

Sep Install log :-  MSI (c) (8C:24) [12:02:40:166]: Invoking remote custom action. DLL: C:\Users\ADMINI~1.TEA\AppData\Local\Temp\MSI6C91.tmp, Entrypoint: CheckInstallPath
Action ended 12:02:40: CheckInstallPath. Return value 3.
Info 2896.Executing action CheckInstallPath failed.
Action ended 12:02:40: InstallWelcome. Return value 3.
MSI (c) (8C:34) [12:02:40:201]: Doing action: SetupCompleteError
Action 12:02:40: SetupCompleteError.
Action start 12:02:40: SetupCompleteError.
Action 12:02:40: SetupCompleteError. Dialog created

In Windows Vista

Open Control Panel
Open Regional and Language Options
Under 'Current Formats' select 'US English'
Click OK

Should be able to install Sep 11

Abhishek Pradhan | 23 Aug 2009 | 1 comment
When it comes to fighting malware, you may be asking as a security professional, “Why would I need to perform malware analysis? I don’t work for an anti-virus vendor.” If you are responsible for the security of a network, at some point in your career you will most likely have to perform malware analysis.
The goal of malware analysis is to gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network. There are two key questions that must be answered. The first: how did this machine become infected with this piece of malware? The second: what exactly does this malware do? After determining the specific type of malware, you will have to determine which question is more critical to your situation.
Types of Malware Analysis
There are two types of malware...
Satyam Pujari | 21 Aug 2009 | 5 comments

Symantec’s Web site ratings service Norton Safe Web presents the Dirtiest Web Sites of Summer 2009 – the top 100 infected sites based on number of threats. Norton Safe Web is a new reputation service from Symantec. 

What makes these sites so dirty?
Symantec explained it by pointing out the fact that the average number of threats per malicious site rated by Norton Safe Web is 23. With that said, the average number of threats on the Dirtiest Web Sites list is a staggering 18,000 per site. Forty of the top 100 have more than 20,000 threats per site. Moreover, 75-percent of sites on the list have distributed Malware for more than six months.

“This list underscores what our research shows. There has been exponential growth in the number of online threats that are constantly evolving as cybercriminals look for new ways to target your money, identity, or assets. In 2008, most new infections occurred while people were...

Warrior6945 | 21 Aug 2009 | 0 comments

Clients move to the Default Group Automatically

Even after replacing the sylink.xml the clients move to the Default group automatically.
This happens as a lot of tmp and dat files are generated in the AgentInfo Folder


1. Stop the Symantec Endpoint Protection Manager service
2. Browse to the following location
    C:\Prog Files\Symantec\ Symantec Endpoint Protection Manager\data\inbox\AgentInfo
3. Delete all the files in the above folder.
4. Start the Symantec Endpoint Protection Manager service
5. Update the policy on the client.

Paul Mapacpac | 20 Aug 2009 | 4 comments

1. Your role in the organization/company (CTO, CIO, CEO, SysAdmin, etc)?

To give you a background, the company that I have been working for deals with Resarch, Media/Public Relations, Crisis Issue Management and everything with regards to relations communications. I worked here before as a technical support/network engineer and we have been using Symantec Antivirus 10.x.x for 5 years. We also act as an IT consultant for this company serving all kinds of their IT needs in all categories (cellphones, desktops, servers, etc)

Due to an unpleasant events, we were replaced by a group of IT which replaced the anti-virus system. I am not sure why they replaced the virus system since the SAV Antivirus System was very reliable for the company. My guess is that this group wanted to get cut from the antivirus seller.

Now, I was re-hired and working as the MIS Manager/Officer for the company. Based from my techsupport group, they encounter numerous issues...

Doug Kerr | 20 Aug 2009 | 4 comments

For several months I have been using a music notaton program. I actually had the current commercial release of the "lite" version, the current commercial release of the "professional" version, and two beta versions installed (I have been working with the publisher on features).

Last night was added to the Norton visus defintions the signature for a newly-dsicovered virus, w32.Induc.A. Evidently, the exe files for all those installed versions of the program carried common code that NAV 2009 recognized as the signature of that virus. So it removed all of tthem and quarantined them.

I had NAV send one of the files to Norton for anlysis (the filename is Magicscore6.exe.).

If this is a false detect, I would hope that anlyss of teh file would show that it does not carry a virus, and the virus defintion would be updated to recognize the legitimacy of these files.

In the meantime, my music editing work is off-the-air.

Doug Kerr

binayak | 19 Aug 2009 | 0 comments

If you need to install Active Directory or any Windows Components using Add/Remove Windows Components feature such as IIS in Windows Server 2003, there are certain files that need to be copied from the Windows Server Setup Disk and these files are stored inside the i386 folder. So everytime you install Windows Components you have to carry the Windows Installation Disk with you and define the path of that folder.

Here is the solution:

1.  Copy the i386 folder in the System Driver (generally C: drive).

2.  Open Registy Editor.

3.  After you open the Registry Editor, navigate to :

HKEY_Local_Machine\SYSTEM\ CurrentControlSet\Services\HealthService\Parameters\ConnectorManager 4. Doubleclick the EnableADIntegration key. Change the Value to 1 and click OK.

Now you don't have to define the path everytime, required...

jeffwichman | 17 Aug 2009 | 0 comments
Good day everyone,
My name is Jeff Wichman, from the "Symantec Twin Cities Security & Compliance User Group." If you are responsible for your organization’s Information Assurance, use Symantec for some part of your security program, and in the Minneapolis/St Paul area I highly suggest you join us at one of our quarterly meetings. No I do not work for Symantec, I am just happy with what I have experienced with the SEP product. I am going to leave the name of my employer out of this article simply because these are my opinions and not necessarily those of my employer. We are a currently running close to 10,000 clients with SEP (11.0.4202.75). Approximately half of our clients are remote users connecting to various WiFi hotspots, untrusted third party networks, and occasionally in one of our main remote offices. The other half consists mainly of windows based servers and 4,000 internal...