Endpoint Protection

  • 1.  External Envision Logs Issue.

    Posted Aug 04, 2014 11:39 AM

    SEPM Version: 12.1.4104.4130

    I recently was contacted by the SOC team of the following issue: 

    The Symantec log files have the word “null” instead of “,” in them now, as opposed to back on July 17 when we saw the last alert.  See, for example, what logs with “cleaned by deletion” looked like then as opposed to what they look like now.


    Then

    2014/07/17 06:01:32.353 CDT      165.136.218.94  Jul 17 06:53:28 SymantecServer USORSMS182: Virus found,IP Address: 10.145.50.147,Computer name: 63CQ6BS,Source: Real Time Scan,Risk name: Trojan.ADH.2,Occurrences: 1,C:\ProgramData\Symantec\SRTSP\Quarantine\APQ2793.tmp,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2014-07-15 11:20:59


    Now

    2014/08/04 08:56:52.129 CDT      165.136.218.94  Aug  4 09:42:22 SymantecServer USORSMS182: Virus foundnullIP Address: 192.168.20.120nullComputer name: 4G57LQ1nullSource: Real Time ScannullRisk name: Trojan.SemnagernullOccurrences: 1nullC:\Users\vosed\AppData\Roaming\Movies Toolbar\SafetyNut\components\SafetyNutHlpFF31.dllnull""nullActual action: Cleaned by deletionnullRequested action: CleanednullSecondary action: QuarantinednullEvent time: 2014-08-03 23:01:18nullInserted


    One of the rules depends on actions listed in a watchlist to alert.  The items in the watchlist obviously do not have null appended to them so I suspect that may be part of our problem.



  • 2.  RE: External Envision Logs Issue.

    Posted Aug 04, 2014 11:48 AM

    Have you contacted support on this?

    How to create a new case in MySymantec

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:

    Regional Support Telephone Numbers:

        United States: https://support.broadcom.com (407-357-7600 from outside the United States)
        Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
        United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/support/contact_techsupp_static.jsp



  • 3.  RE: External Envision Logs Issue.

    Posted Aug 04, 2014 11:58 AM

    I'd second the call for support.

    I don't suppose there've been any changes to your environment in the last month at all?  From a purely-speculative/gut-reaction standpoint (with very little to back it up wink), I'd be inclined to think DB Collation disparity myself...



  • 4.  RE: External Envision Logs Issue.
    Best Answer

    Posted Sep 02, 2014 03:13 PM

    1. Stop the SEPM services.

    2. Browse to .\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\

    3. Edit the conf.properties file in Notepad.

    4. Add the following text entry to the file: scm.extlog.deli=, (Notice the comma is the value for this entry.)

    5. Restart services.
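As an added example (not code from this thread, from Symantec, or from the SEPM product), the following Python parser illustrates the problem described in the first post and the setting named in the accepted answer: it works out whether an SEPM external log line was written with the expected comma delimiter or with the literal "null", splits the fields either way, and evaluates the kind of watchlist match on "Actual action" that stopped firing. The sample lines are constructed from the format quoted above; the host name, address, file path and risk name are placeholders.

```python
import re

# Constructed sample lines in the SEPM external-logging format quoted in the
# thread (shortened; host name, address and risk name are placeholders).
GOOD_LINE = (
    'SymantecServer SEPMHOST: Virus found,IP Address: 10.0.0.5,'
    'Computer name: WS01,Source: Real Time Scan,Risk name: EICAR Test String,'
    'Occurrences: 1,C:\\Temp\\eicar.com,"",Actual action: Cleaned by deletion,'
    'Requested action: Cleaned,Secondary action: Quarantined,'
    'Event time: 2014-07-15 11:20:59'
)
# The same event as SEPM wrote it once scm.extlog.deli was unset: every
# delimiter is rendered as the literal string "null".
BAD_LINE = GOOD_LINE.replace(",", "null")
# Labelled fields of a "Virus found" record; used to pick the delimiter.
KNOWN_LABELS = ("IP Address", "Computer name", "Source", "Risk name",
                "Occurrences", "Actual action", "Requested action",
                "Secondary action", "Event time")
BODY_RE = re.compile(r"SymantecServer \S+: (.*)$")


def detect_delimiter(body):
    """Return "," or "null", whichever precedes the known labels (None if
    neither); counting label boundaries keeps a value that merely contains
    the word "null" from skewing the choice."""
    scores = {d: sum(body.count(d + lbl + ":") for lbl in KNOWN_LABELS)
              for d in (",", "null")}
    best = max(scores, key=scores.get)
    return best if scores[best] else None


def parse_event(line):
    """Split one SEPM syslog line into a dict and flag the broken delimiter."""
    m = BODY_RE.search(line)
    delim = detect_delimiter(m.group(1)) if m else None
    if delim is None:
        raise ValueError("not a parseable SymantecServer record")
    parts = m.group(1).split(delim)
    event = {"event_type": parts[0], "delimiter": delim,
             "malformed": delim != ",", "unlabelled": []}
    for part in parts[1:]:
        label, sep, value = part.partition(": ")
        if sep and label in KNOWN_LABELS:
            event[label] = value
        else:
            event["unlabelled"].append(part)  # file path, empty quotes, etc.
    return event


def watchlist_hit(line, watchlist=("Cleaned by deletion", "Quarantined")):
    """The SOC rule from the thread: does Actual action match the watchlist?"""
    return parse_event(line).get("Actual action") in watchlist
```

A collector that ingests SEPM syslog can use the "malformed" flag to alert on the delimiter regression itself, rather than silently losing watchlist matches until someone notices the missing alerts.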