Endpoint Protection


Event Viewers getting blocked by SEP client

  • 1.  Event Viewers getting blocked by SEP client

    Posted Apr 29, 2011 12:16 PM

    Dear All,

    Please provide me a solution for the problem stated below:

    I'm using the SEP-M MR4 application and all member Windows 2K3 servers are clients of the SEP server.

    Now my Business Security Team has implemented the RSA enVision application on other machines and they are asking us to enable the event viewer logs such as Application/System & Security on the rest of the member servers running the SEP client. My problem is that once I enable the Security logs (Success/Failure), the event viewer logs are not reported to the RSA enVision server.

    Once I disable the SEP client services on the other servers, all the required event viewer logs arrive on the RSA enVision server, and the Telnet port is open for both environments on the hardware firewall.

    If I disable the SEP client services on the other servers, then the most challenging task is a virus attack from within the Intranet/Internet network. Please suggest how to get these event logs while the SEP client is running.

    I am assuming that maybe somewhere I have to make changes on the SEP-M MR4 server, but how, that I don't know.

    I would appreciate it if you could help me with this.

    My Best,

    Simon SD



  • 2.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 29, 2011 12:45 PM

    For troubleshooting purposes, try adding an "Allow All" rule to the top of your firewall policy. Test and see if the logs are getting to the RSA server. Keep moving the rule down the list until the issue comes back, then troubleshoot the FW rule just above the last one tested.
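    The rule-walking procedure above, as an added example that is not from the original thread or from Symantec: a small Python model of a first-match firewall policy in which an "Allow All" probe is moved down one position at a time until the log traffic is blocked, which identifies the rule just above the probe as the culprit. The policy, the rule names and the collector port are constructed assumptions, not SEP defaults.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    proto: str = "any"               # "tcp", "udp" or "any"
    dst_port: Optional[int] = None   # None matches any port
    dst_host: str = "any"            # exact host or "any"

@dataclass
class Packet:
    proto: str
    dst_port: int
    dst_host: str

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.dst_host == "any" or rule.dst_host == pkt.dst_host))

def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins, as in an ordered firewall policy; no match means block."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default"

def find_blocking_rule(policy: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Walk an 'Allow All' probe rule down the list one position at a time.
    The first position at which the traffic is blocked means the rule just
    above the probe is the culprit. None means nothing in this list blocks it."""
    probe = Rule("Allow All (probe)", "allow")
    for pos in range(len(policy) + 1):
        trial = policy[:pos] + [probe] + policy[pos:]
        if evaluate(trial, pkt)[0] == "block":
            return policy[pos - 1]
    return None

# Constructed sample policy: names and ports are illustrative, not SEP defaults.
POLICY = [
    Rule("Allow DNS", "allow", "udp", 53),
    Rule("Allow HTTPS", "allow", "tcp", 443),
    Rule("Block log export to non-corporate hosts", "block", "tcp", 514),
    Rule("Allow file sharing", "allow", "tcp", 445),
    Rule("Block everything else", "block"),
]
# Constructed: event-log traffic to the enVision host (collector port assumed).
LOG_TRAFFIC = Packet("tcp", 514, "envision-collector")
```

    Calling `find_blocking_rule(POLICY, LOG_TRAFFIC)` returns the "Block log export to non-corporate hosts" rule; traffic that nothing in the list blocks returns None, which points you at the default rule or a device outside this policy.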



  • 3.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 29, 2011 12:46 PM

    If you have the network threat component of SEP installed, go to Add/Remove Programs, select SEP, click Modify, and remove it.



  • 4.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 29, 2011 01:38 PM


    Configuring Symantec Endpoint Protection Manager to use RSA SecurID Authentication

    If your corporate network includes an RSA server, you need to install the software for an RSA ACE Agent on the computer on which you installed Symantec Endpoint Protection Manager and configure it as a SecurID Authentication client.

    To configure Symantec Endpoint Protection Manager to use RSA SecurID authentication

    1. Install the software for the RSA ACE Agent on the same computer on which you installed the management server. You can install the software by running the Windows .msi file from the RSA Authentication Agent CD.
    2. Copy the nodesecret.rec, sdconf.rec, and agent_nsload.exe files from the RSA ACE server to the computer on which you installed the management server.
    3. At the command prompt, type the following command:

      agent_nsload -f nodesecret.rec -p <password for the nodesecret file>

    4. In the console, click Admin, and then click Servers.
    5. Under View Servers, select the management server to which you want to connect an RSA server.
    6. Under Tasks, click Configure SecurID authentication.
    7. In the Welcome to the Configure SecurID Authentication Wizard panel, click Next.
    8. In the Qualification panel of the Configure SecurID Authentication Wizard panel, read the prerequisites so that you can meet all the requirements.
    9. Click Next.
    10. In the Upload RSA File panel of the Configure SecurID Authentication Wizard panel, browse for the folder in which the sdconf.rec file resides. You can also type the path name.
    11. Click Next.
    12. Click Test to test your configuration.
    13. In the Test Configuration dialog box, type the user name and password for your SecurID, and then click Test.

      It now authenticates successfully.



  • 5.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 29, 2011 01:40 PM


    About prerequisites for using RSA SecurID with the Symantec Endpoint Protection Manager

    If you want to authenticate administrators that use the Symantec Endpoint Protection Manager with RSA SecurID, you need to enable encrypted authentication by running the RSA installation wizard.


    Before you run the wizard, make sure that:

    • You have an RSA ACE server installed

    • The computer on which you installed the management server is registered as a valid host on the RSA ACE server

    • The Node Secret file has been created for the same host

    • The sdconf.rec file on the RSA ACE server is accessible on the network

    • A synchronized SecurID card or key fob has been assigned to a management server account. The logon name must be activated on the RSA ACE server

    • The administrator has the RSA PIN or password available


    Symantec supports the following types of RSA logons:

    • RSA SecurID token (not software RSA tokens)

    • RSA SecurID card

    • RSA keypad card (not RSA smart cards)

    To log on to the management server with the RSA SecurID, the administrator needs a logon name, the token (hardware), and a PIN.



  • 6.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 29, 2011 03:09 PM

    Not promising this will fix it, but if you really are using MR4 (11.0.4000) then you're over two years behind on improvements to the product and bug fixes (and patching identified security vulnerabilities). You may wish to consider migrating up to the newest:

    Release notes for Endpoint Protection and Network Access Control 11
    http://www.symantec.com/docs/TECH103087

    Migrating to Symantec Endpoint Protection 11.0 RU6/6a
    http://www.symantec.com/docs/TECH131653

    Migrating to Symantec Endpoint Protection 11.0.6300 (RU6 MP3)
    http://www.symantec.com/docs/TECH155655

    sandra



  • 7.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 30, 2011 05:24 AM

    Thanks for your comment. But I suggest that even if I am behind in technology years, that should not block such a small objective as my mail request.

    I will move forward with your comment later on. But would you suggest how to get rid of the current situation?

    It's simple: if I disable the SEP services, then my request works as I need, but if I have the SEP client, I can't stop the SEP client in the production environment. Please suggest if there is any good way to keep my environment safe with the SEP client and the logs.

    Thanks,

    Simant D.



  • 8.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 30, 2011 05:54 AM

    Dear Cycletech,

    Please see the attached file. I'm not very familiar with firewall settings. Kindly let me know the changes with steps. It may help me to go to production and do it.

    My Best,

    Simon

    Attachment(s): sep.doc (311 KB, 1 version)


  • 9.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 30, 2011 05:57 AM

    Dear Rafeeq,

    In my environment NTP is not enabled on all the SEP client machines. Please let me know any other way.

    Please also see the attached SEP client report, which will help you understand my prod environment.

    my best,

    Simon

    Attachment(s): sep_0.doc (311 KB, 1 version)


  • 10.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 30, 2011 06:01 AM

    Dear ABN,

    Thanks for your comment. My request is only for the security logs, and I'm not using any RSA client on this machine. I simply installed the SEP client and am facing the issue in the current situation.

    Please suggest any alternate option.

    My Best,

    Simon SD



  • 11.  RE: Event Viewers getting blocked by SEP client

    Posted Apr 30, 2011 06:06 AM

    Dear All,

    Thanks for your comment. My request is only for the security logs, and I'm not using any RSA client on this machine. I simply installed the SEP client and am facing the issue in the current situation.

    My Business Security team needs the security logs (Application/System/Security) of the SEP client machines.

    Kindly see the attached sheet for more details. Please suggest any alternate option.

    My Best,

    Simon SD

    Attachment(s): sep_1.doc (311 KB, 1 version)