Endpoint Protection


Integration with CAS 2.2

  • 1.  Integration with CAS 2.2

    Posted Oct 23, 2017 03:12 AM

    Dears,

    I've configured integration between CAS and Symantec Endpoint Protection. In the recent threats on CAS I checked "list in the blacklist" and "run remediation policy on the client", but even though I downloaded the infected sample to my PC, SEP didn't detect the file. Is there any configuration on SEPM required to make this action effective?


    please advise,

    Thanks,

    Maher



  • 2.  RE: Integration with CAS 2.2

    Trusted Advisor
    Posted Oct 23, 2017 03:55 AM

    If it was a test EICAR you downloaded then you need to enable logging. Admin > click on database server > edit database properties > log settings > near the bottom of the log settings you will see "Delete EICAR events"; untick that and click OK. Then try your test again.



  • 3.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 04:39 AM

    Hello GeoGeo,

    The problem isn't related to the event if a file is detected. The problem is that SEP doesn't detect that the file is infected at all.

    I tried to disable that option, with nothing new to mention.

    Any advice?



  • 4.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 06:06 AM

    Hi Maher,

    Thanks for the post. Have you submitted the file to Security Response for examination? They will be able to confirm whether or not it is something that SEP and its AV technologies should detect.

    Please do feel free to share the Tracking Number here in this thread!

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions




  • 5.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 06:53 AM

    I'm not aware of an integration between SEPM and CAS, only ATP. Where in CAS?



  • 6.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 07:04 AM

    Hi Mick,

    I can't upload the sample here as that might be prohibited, but anyway the behaviour should be as below.

    The user first downloads the sample from the internet >> the sample is caught by CAS via the sandboxing engine >> based on the integration between CAS and SEPM, on the recent threats in the CAS statistics I edit the action on CAS to submit the file to the SEP blacklist (which informs SEPM about the file) and run the remediation policy on the client.

    Once the file is present on any endpoint in the network, it should be caught by the SEP agent.

    Thanks in advance.




  • 7.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 07:14 AM

    Definitely don't attach here!  Get the file to the submissions portal.  If all you have is the hash, use Public Hash submissions.

    Does Symantec Detect This: An Illustrated Guide to Public Hash Submission

    https://www-secure.symantec.com/connect/articles/does-symantec-detect-illustrated-guide-public-hash-submission



  • 8.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 07:27 AM

    Hi Mick,

    No need to upload the file to the submission portal, as for me it is preferred that it not be listed in SEP reputation databases.

    This file can't be detected by normal antivirus; it can only be detected via sandboxing, and it's definitely not listed in the Symantec database. But the way SEP can detect this file is that it's been sent to the manager blacklist via CAS, just like blacklisting a hash manually on SEPM.

    I hope you got what I mean.



  • 9.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 08:18 AM

    I found out that SEP takes action on the file after half an hour.

    Thanks Gents.

    It seems to be working, but not in real time.

    Cheers,



  • 10.  RE: Integration with CAS 2.2

    Posted Oct 23, 2017 11:45 AM

    Are you running SEP 14 RU1? At least for ATP:Endpoint you have to be on 14 RU1 to get instant blacklisting. If not, it depends on the heartbeat interval. I suppose the CAS integration uses the same API and works the same way.


  • 11.  RE: Integration with CAS 2.2

    Posted Oct 24, 2017 04:32 AM

    Hi Torb,

    I'm using SEP 14 MP2. How do I know the interval at which the SEPM pushes the blacklist to the client, and is it configurable or not?

    Thanks,



  • 12.  RE: Integration with CAS 2.2

    Posted Oct 24, 2017 04:47 AM

    You can see it under a group's communication settings and pull interval. https://support.symantec.com/en_US/article.HOWTO80912.html


  • 13.  RE: Integration with CAS 2.2

    Posted Oct 26, 2017 04:49 AM


    We have the pull interval set to 30 min; even if I grabbed the policy from the client manually, the client doesn't take action on the file.

    Actually, it seems there is something that needs to be amended in the configured policy.