Advanced Threat Protection

Hi, 

We are running SEPM on a 2k12 VM, User that has a problem is on Win10pro system running SEP

I have a user that has Cygwin tools that specifically has netcat and SEP is flagging & quarantining netcat (nc.exe)  I realize the security risks but this user cannot do his work.  

I went under policies> exceptions> exceptions policy -workstation > right clicked edit> then hit exceptions> add exception.  

Anyways, that exception was created about a week ago.  The user has been in the office has synced up to the server and pulled down the new policies but still says that SEP is blocking it.  I have confirmed his statement by creating a VM and replicating his environment and SEP also blocks nc.exe for me as well.

Thanks in advance for all of the help and I apologize if I do not post in the correct section, first time poster.  

I can't see the screenshot but can you verify which component is blocking it? If a component other than AV is blocking it, such as SONAR, and you added the exception for AV than this could be the reason. Also, did you verify the client has the same policy as what the SEPM shows?

Yes, all of the policies and such match.  This is from my test VM.  

Did you add the exact path to the file or did you just add the file name?

Just added the file name.  

Needs to be the full path to the file.

I edited the current exception with the full path to the file.  I'm on the test VM and have done live update and update the policy but I'm still receiving the same error.  Is there a period of time I should be waiting for the new policies to sync up? 

There is no reason to run liveupdate as that just grabs the latest content and has nothing to do with exceptions.

The client should pick up the policy change next time it heart beats in.

It may be easier to add this to the policy via the risk log. I can barely read the screenshot. You can follow the steps outlined here:

http://www.symantec.com/docs/HOWTO80928

Just go into your SEPM and go to the Monitors page >> Logs tab

Set the Log type to Risk put a check in the box next to the detection and select the + and allow application, select the pol.icy you want to add it to and click Save Changes

I took your last post and made it happen. However I'm still getting the same results.  I'll check back in the morning.  I'm still not sure when the new policy is pulled from the server.  Thanks for your help so far.  

Ok so the actions taken yesterday don't work.  SEP on my VM still blocks nc.exe.  Anything else I can try? 

May just need to open a support case so someone can get on your machine. This typically isn't this problematic assuming the client can connect to the SEPM and grab policy updates and you added exceptions per the link.

Sorry for the late reply but I got it to work finally.  Created a exception from log.  Last question is there a way to not have the alert pop up on the user's screen? 

In the AV policy on the Auto-Protect >> Notification tab just uncheck the option:

Creating an exception though the log file worked.  Thank you.  Last question is there a way to stop the notifications that pop up everytime my user tries to use the system for nc.exe? 

Sorry did not see that.  Thanks again.  

Happy to help out, you're welcome.