Endpoint Protection

  • 1.  ccSvcHst.exe connecting to public ip-addresses

    Posted Dec 08, 2017 01:21 PM

    Hello, we are on SEPM 14 MP2. We have 1 SEP Manager and about a dozen endpoints/client machines running Windows OS. We are noticing that the ccSvcHst.exe process on all the endpoints tries communicating with some public IP addresses very often. These public IPs belong to Microsoft and the traffic is over port 443. Please see below screenshot. We understand this is safe/legit communication, but how can we prevent the clients from making these connection attempts at all?

    The issue is our network firewall is getting overwhelmed because all the clients (that have Symantec Endpoint) keep trying to connect to those public IPs every now and then. I am fine if the SEPM manager server communicates out to the internet for updates and other normal stuff, but we don't want clients to keep going out as well. I have checked with Symantec support and they are saying this is the default behaviour of the SONAR and Auto Protect features, as they do IP reputation lookups.

    In the SEPM Manager, under "Policies >> LiveUpdate Settings Policies", we have made sure that the Windows client settings are set to use the "Default Management Server" only for updates. This has been verified with tech support, so there should be no reason for clients to check further online for anything. The other option somewhere to send anonymous data has also been disabled.

    Surely in an environment which has 1000s of endpoints, this can cause a lot of unnecessary traffic on the firewall, leading to frustration. Any words of advice?

     

     

     

     



  • 2.  RE: ccSvcHst.exe connecting to public ip-addresses

    Posted Dec 08, 2017 07:36 PM

    All I know is that would be from Insight lookups, as indicated. Maybe hitting Microsoft for certificate checks. Other than that, support should continue to investigate their product.



  • 3.  RE: ccSvcHst.exe connecting to public ip-addresses
    Best Answer

    Posted Dec 11, 2017 05:03 PM

    Yeah, it's SEP Reputation, but for some of our systems we had to disable it due to excess network traffic to ent-shasta-rrs.symantec.com. We went to that SEP Group > Policies > "External Communications" and unchecked both boxes to disable both Client Submission and Client Queries, but of course no more Symantec Reputation checks for those SEP clients.



  • 4.  RE: ccSvcHst.exe connecting to public ip-addresses

    Posted Dec 12, 2017 10:15 AM

    Hello Denliu, thanks for the reply. I went in to the "External Communications" option; however, both the options for Client Submission and Queries are grayed out, so I can't check/uncheck from here. Please see below screenshot. Where did you then uncheck both boxes from?



  • 5.  RE: ccSvcHst.exe connecting to public ip-addresses

    Posted Dec 12, 2017 10:22 AM

    Then it may be due to the fact that this group has policy inheritance enabled, so you need to uncheck this from the parent group.



  • 6.  RE: ccSvcHst.exe connecting to public ip-addresses

    Posted Dec 12, 2017 11:53 AM

    Thanks Brian.