Channel: Symantec Connect
Viewing all 28681 articles

553 Message Filtered error

I need a solution

Hi,

Since yesterday our emails are bouncing back with the error code 553.

Our domain and IP addresses are not blacklisted, and emails are not being delivered to individuals we had regular conversations with last week.

I have submitted false positive emails to your 'CLOUDfeedback@feedback-87.brightmail.com' address and was wondering if anyone could advise on what we could do to resolve this issue.

Thanks,

Damian Danik

ddanik@iaccm.com


Does Your Endpoint Security Solution Have These 5 Essential Features?

A layered approach to endpoint security

By Naveen Palavalli, Director of Product & GTM Strategy

In just the last year, we saw more than 1 million new malware variants introduced per day and the number of ransomware families tripled (ISTR22). The average ransom amount paid spiked 266 percent to $1,077. Those kinds of stark numbers provide a glimpse of the herculean task that security professionals face on a daily basis. As organizations struggle to deal with the rising security demands associated with complex networks and myriad, ever-mutating external threats, it's imperative to ensure that the right endpoint security solution is in place.

In a recent blog, Gartner’s Avivah Litan advises customers to “Use a layered endpoint security approach that includes application whitelisting and blacklisting, and other controls that come bundled with most EPP platforms”.

I couldn’t agree more. Enterprises need complete endpoint security that provides full cycle protection that includes protection, detection and response specifically designed to handle a rapidly shifting security environment. The consequences for operating with more limited protection have never been clearer.

To help ensure your organization is fully protected from today's most serious threats, here is a list of the most essential technologies for complete endpoint security.

1. Total security spanning the entire attack chain

Infections are simply one link in a larger chain leading to a network breach. The best endpoint security systems fuse next generation technologies with proven ones to offer protection from threats regardless of how or where they appear. Only by taking a more holistic approach can businesses ensure they receive the best possible protection. The most powerful endpoint security offerings possess deep capabilities at all the relevant stages: incursion, infection, exfiltration, remediation, etc. Let's take a closer look at some of the core features to look for at each of these stages:

The Incursion.

  1. Protection from email borne threats: Recent research shows that 1 in 131 emails contain malware including ransomware (ISTR22). You need endpoint protection that scans every email attachment to protect you from stealthy attacks.
  2. Protection from malicious web downloads: 76% of the websites scanned have vulnerabilities (ISTR22) that can be exploited by attackers to serve malware. Intrusion Prevention technology that analyzes all incoming and outgoing traffic and offers browser protection can block such threats before they can be executed on the endpoint. 
  3. Application and Device Control: Powerful endpoint protection should also allow easy Application and Device Control, so that you can enforce which devices can upload or download information, access hardware or have registry access.

The Infection.

Along with providing these essential protections at the incursion level, the best endpoint solutions offer advanced functionality and protection from every type of attack technique. Some of these recommended features include:

  1. Advanced Machine Learning. Trained on trillions of examples of good and bad files contained in a global intelligence network, advanced machine learning is a signature-less technology that can block new malware variants before they execute.
  2. Exploit Prevention. Almost every week you hear about a new 0-day vulnerability discovered in popular software such as browsers and productivity suites. IT organizations cannot test and apply patches fast enough, which leaves a vulnerable attack surface that attackers exploit, often with memory-based attacks. Exploit prevention technology protects against such 0-day vulnerabilities and memory-based attacks.
  3. File reputation analysis based on artificial intelligence with a global reach. The most advanced analysis examines billions of correlated linkages from users, websites, and files to identify and defend against rapidly-mutating malware. By analyzing key attributes (such as the origin point of a file download and the number of times it has been downloaded), the most advanced reputation analysis can assess risks and assign a reputation score before a file arrives at the endpoint.
  4. High-speed emulation at the endpoint acts like a light and fast ephemeral sandbox, allowing for the detection of polymorphic or mutating malware.
  5. Behavioral monitoring. Should a threat make it this far along the chain, behavioral monitoring can tap into the power of machine learning to monitor a wide variety of file behaviors to determine any risk and block it. Again, a great defense against ransomware and stealthy attacks such as malicious PowerShell scripts. Research shows that 95% of the PowerShell scripts analyzed last year were malicious (ISTR22).

Smart organizations will also pay attention to the lateral movement of malware within an organization and anti-exfiltration capabilities of their endpoint solution. Intrusion prevention, firewall policies and behavioral monitoring also come into play here, and these features should be present in any advanced endpoint platform. These technologies were particularly effective in preventing propagation of the recent WannaCry ransomware.

2. Powerful Incident Investigation and Response

Most organizations understand that a determined attacker will get through. What they want is powerful detection capabilities to identify the breach as soon as possible and an easy-to-use workflow for incident investigation and response. Industry analysts have begun to call this Endpoint Detection and Response (EDR). Advanced EDR solutions help isolate the endpoint while you investigate the breach, contain the spread of the malware through blacklisting and allow easy remediation by deleting the malware and restoring the endpoint to a pre-infection state.

Overall, the most effective endpoint security offers deep protection across each level of the attack chain, detection and response. As the old saying goes, security is only as strong as its weakest link, making a comprehensive approach essential.

3. Performance and scale backed by advanced functionality

As detailed above, a fully-protected attack chain is of critical importance. Yet the value of high performance shouldn't be understated. The best endpoint security should be optimized to prevent user and network slowdowns. It should also scale as your enterprise grows.

4. Low Total Cost of Ownership

Finally, a single agent that combines the technologies normally available only through the use of multiple agents (machine learning, exploit prevention, EDR, etc.) is highly desirable. Organizations using a single agent can reduce the burden on IT by consolidating their management and maintenance of multiple agents -- while receiving the added benefit of lowering the total cost of ownership.

5. Seamless integration for orchestrated remediation

The most advanced endpoint solutions make easy integration a priority via an open API system, so organizations can leverage their existing security infrastructure like network security, IT ticketing systems and SIEMs.

The takeaway

Not all endpoint security solutions are created equal. The best, most advanced offerings have three core elements: total protection, detection and response across the attack chain; high performance and scale without sacrificing efficacy; and seamless integration with existing infrastructure.

Ideally, these three components should arrive in a single, comprehensive yet lightweight package, as the effort of managing multiple agents lowers efficiency and increases costs. Organizations that seek these features when considering a new endpoint security solution will, without question, receive the highest level of protection for their investment.

[Image: Gartner 2017 Magic Quadrant]

Snow Shoe Spamming Issue

I need a solution

Hi,

we have a new spam filter we are trying to put into production, but for some reason the IP address it is on has a reputation with Symantec Cloud Security for "snow shoe spamming" which isn't something I'd heard of until this issue came up.

It seems that Symantec is the ONLY spam filter that lists our IP address with this negative reputation, I've checked literally hundreds of other spam filters and they all show us as having a clean reputation, or listing us as whitelisted!  I've put in many requests to have our IP reputation investigated and cleared but nothing ever seems to come of it.  When I try to call Symantec they say they can't help since I'm not a customer, and getting our customers to get their clients to talk to Symantec to fix the issue has not gotten us anywhere.

The IP address in question is 173.239.120.245, if you can please have this IP reputation investigated and cleared.  There shouldn't be anything that still causes this reputation to occur, though if you see something we need to clear up I'm certainly happy to do that; I just need to know what that is.

If you could help me resolve this soon it would be very much appreciated!


Old SEPM Server Name still appears after Disaster Recovery Move

I need a solution

I have read through a ton of best practices documentation to move SEPM 12.1.7 from one Server 2008 32-bit to Server 2012 64-bit. The new server has a different name and IP, and uses a SQL DB on another server. Nothing is changing for the SQL DB. Followed the Best Practices documents for moving SEPM.

Worked perfectly up until I noticed that the old server name is still showing under the Local Site with the new SEPM. Both servers show the new server SEPM IP address and Online. The old server is still in production but the old SEPM was decommissioned on it per the procedure for moving the SEPM. Clients are communicating and appear to be fine, but what's weird is if I right-click server1 (old SEPM) and select edit, delete, manage server it gives me server2 (new server). It acts like it's the same. Found someone else had an issue like this and indicated that it's a stale record that can be deleted from the database but a support case has to be opened.

Any insight about what level of support I need to talk to so they understand, or maybe someone has better insight.

Here is the same issue. https://www.symantec.com/connect/forums/finalizing-moving-new-server-removing-old-sepm-server-list


Symantec Update Failed

I need a solution

Dear,

We have been having some problems recently with some Symantec SEP clients: some clients are not receiving updates correctly. I found that the files in \ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs are different between a computer that has updated correctly and one that has not. For example, on a correctly updated computer usage.dat is:

[20170609.016]
SRTSP=1
NAVCORP_70=1
DEFWATCH_10=1

But a client that is not correctly updated says:

[20170530.001]
SRTSP=1
[20170530.019]
NAVCORP_70=1
[20170609.016]
DEFWATCH_10=1

definfo.dat is the same in all clients:

[DefDates]
CurDefs=20170609.016

Another thing that I see is that in the VirusDefs folder there are about 5 folders with VirusDefs, for example: 20160922.001 - 20160922.025 - 20170330.008 - 20170609.016 - 20170530.019

We are having a huge problem because a lot of clients are reported as outdated in SEPM. If I manually modify usage.dat on the client with update problems and restart the machine, then later the computer is reported correctly and that allows me to delete the other folders with old virus defs.

Any ideas how to correct this? Thanks!

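
The post above shows two usage.dat layouts side by side (one pinned entirely to 20170609.016, one split across three definition sets) and a definfo.dat whose CurDefs names the expected set. The script below is an added example, not code from the post or from Symantec: it parses both files with the INI-like layout quoted in the post (a [yyyymmdd.rev] header followed by component=1 lines), reports which components lag behind CurDefs, and lists VirusDefs subfolders that no component references. The file names, section names and folder names come from the post; the sample contents, the folder list and the check_client path argument are constructed for the example, and the component-to-section semantics are an assumption drawn from the two samples.

```python
from pathlib import Path

# Sample file contents, constructed from the layouts quoted in the post.
GOOD_USAGE = """[20170609.016]
SRTSP=1
NAVCORP_70=1
DEFWATCH_10=1
"""

STALE_USAGE = """[20170530.001]
SRTSP=1
[20170530.019]
NAVCORP_70=1
[20170609.016]
DEFWATCH_10=1
"""

DEFINFO = """[DefDates]
CurDefs=20170609.016
"""

# Folder names listed in the post for the VirusDefs directory (constructed list).
VIRUSDEFS_FOLDERS = ["20160922.001", "20160922.025", "20170330.008",
                     "20170609.016", "20170530.019"]


def parse_usage(text):
    """Map each component (SRTSP, NAVCORP_70, ...) to the definition set it uses.

    Assumption taken from the two samples: a [yyyymmdd.rev] header opens a
    section, and every key=1 line under it is a component pinned to that set.
    """
    component_to_defs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            if value.strip() == "1":
                component_to_defs[key.strip()] = current
    return component_to_defs


def parse_definfo(text):
    """Return CurDefs from the [DefDates] section of definfo.dat."""
    in_defdates = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_defdates = line[1:-1].lower() == "defdates"
            continue
        if in_defdates and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "curdefs":
                return value.strip()
    raise ValueError("CurDefs not found in definfo.dat")


def stale_components(usage_text, definfo_text):
    """Components whose pinned definition set differs from CurDefs -> their set."""
    current = parse_definfo(definfo_text)
    usage = parse_usage(usage_text)
    return {comp: defs for comp, defs in sorted(usage.items()) if defs != current}


def unreferenced_folders(folder_names, usage_text, definfo_text):
    """VirusDefs subfolders that neither CurDefs nor any component points at.

    This only reports candidates; it never deletes anything.
    """
    referenced = set(parse_usage(usage_text).values())
    referenced.add(parse_definfo(definfo_text))
    return sorted(name for name in folder_names if name not in referenced)


def check_client(defs_dir):
    """Run both checks against a real VirusDefs directory (hypothetical path)."""
    defs_dir = Path(defs_dir)
    usage = (defs_dir / "usage.dat").read_text()
    definfo = (defs_dir / "definfo.dat").read_text()
    folders = [p.name for p in defs_dir.iterdir() if p.is_dir()]
    return stale_components(usage, definfo), unreferenced_folders(folders, usage, definfo)


if __name__ == "__main__":
    for label, text in (("updated client", GOOD_USAGE), ("stale client", STALE_USAGE)):
        stale = stale_components(text, DEFINFO)
        print(f"{label}: {'all components on CurDefs' if not stale else stale}")
        print(f"  unreferenced folders: {unreferenced_folders(VIRUSDEFS_FOLDERS, text, DEFINFO)}")
```

Run against the sample data, the stale client reports SRTSP on 20170530.001 and NAVCORP_70 on 20170530.019, while DEFWATCH_10 already matches CurDefs; the three 2016 and March 2017 folders are the ones no component references. Pointing check_client at a client's VirusDefs folder gives the same two answers for that machine, so the comparison the post did by eye can be run across many clients before any folder is removed.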

Mail server blocked by Messagelabs

I need a solution

Hello

I just set up a new mail server. The IP address that the ISP assigned to me was already blocked by Messagelabs only (not by any other blacklist). I requested IP removal from the Symantec blacklist and the IP now shows NEUTRAL, but my server still can't send to Messagelabs-protected domains.

I read in another post that the IP was being throttled by Symantec because it was blocked in the past, so I need you to please completely free this IP address.

How can I provide my mail server's IP address securely?

Regards


Technical Training: Data Loss Prevention 14.X: Administration - June 12 - Spanish

Location: Virtual
Time: Mon, 12 June, 2017 - 9:00 CDT - Fri, 16 June, 2017 - 17:00 CDT

June 12 - June 16, 2017

5 Days Virtual Class - Spanish

Starting at 9:00am Time Zone CST/CDT (Mexico City)

Please contact Americas_Education@Symantec.com for further details and pricing.

Technical Training: Data Loss Prevention 14.X: Administration - June 19 - English

Location: Virtual
Time: Mon, 19 June, 2017 - 9:00 GST - Fri, 23 June, 2017 - 17:00 GST

June 19 - June 23, 2017

Starting at 9:00am in the Asia/Dubai Timezone

5 Days Virtual Classroom

Please contact APJ_Education@Symantec.com for further details and pricing.

Technical Training: Data Center Security: Server Advanced 6.7 Administration - June 19 - Spanish

Location: Virtual
Time: Mon, 19 June, 2017 - 9:00 CDT - Wed, 21 June, 2017 - 17:00 CDT

June 19 - June 21, 2017

3 Days Virtual Classroom - Spanish

Starting at 9:00am Time Zone CST/CDT (Mexico City)

Please contact Americas_Education@Symantec.com for further details and pricing.

Recovery MFT on Virtual Disk

I need a solution

I have PGP Desktop 10.1.1 and encountered the following problem. I moved the Vdisk file (.pgd) to another drive and deleted the original source. Now I can open the disk but the system reports that the disk's structure is defective and unreadable. Recuva reports “Unable to read MFT”. In PGP disk properties the format of the disk is “Not available”. Is there any way to recover my data?


Symantec Encryption Desktop 10.4.1, Windows 8.1 x64 on BIOS: Cannot decrypt system from Recovery CD on USB flash

I need a solution

Hi!

I have installed Symantec Encryption Desktop 10.4.1 on Windows 8.1. x64 with BIOS (not UEFI).

The Recovery CD successfully boots from the USB flash boot drive (which I created with YUMI),

BUT it cannot find the PGPWDE installation.

What's the problem about?

Please help!!


Full Scan

I need a solution

Since the installation of Symantec, I've struggled with the same question I cannot seem to answer. Every time I run the full scan Symantec successfully runs hundreds of thousands of files but finds only a mere fraction of those files secure. Even though Symantec finds no issues within the files I am under the impression they are not all trusted. How do I fix this issue so Symantec is thoroughly testing and identifying my files?


Is there a solution to secure VMware virtual environments?

I need a solution

Hello,

I have SEPM 14 for Windows servers and clients, and need to know if there is any solution to protect virtual environments (VMware), like Sophos virtualization security?

Thank you


Incorrect Client status

I need a solution

Hi Guys,

I just upgraded my SEPM from 12.1 (RU6 MP5) to 14 MP2, after which lots of clients went offline (expected), but when they did come online it was an incorrect report, as those systems which were reported online by the manager were actually shut down (as in the physical system shut down). Please advise on the same.


Global exception list

I need a solution

Hello

We have SEP 12.1.4 and we have created a global exception list for our servers and assigned it to the SEP group of which these servers are members.

But on these servers' SEP client I cannot see the exception list entries appearing which we created on the SEPM server as a global exception list.

How can we confirm that the global exception list is applied on all servers of the SEP group?

Thanks


DLP

I need a solution

Hi All,

Could anyone help me address the queries below.

- Ability to classify information as confidential based on PII/PHI information such as bank A/C info, PAN card info, contact info etc.
- Ability to scan servers/storage etc. to locate files containing such confidential information and then tag or move files to a secure location
- Ability to block images, Excel files, PDFs etc. containing confidential data
- Protect against data going out via On Prem Exchange (current) and O365 (next year). Not clear if the Web channel also needs to be protected
- Ability to protect from data going out on Gmail etc. when the user is outside the network
- Whether we can protect confidential data in SQL?

Appreciate your help

Thanks,


DLP Incident Workflow - Deny status change from Resolved to New

I need a solution

Hello all,

I am trying to create a basic workflow for Incident Management in DLP. I want the incident statuses to follow a specific process flow, e.g. New -> In Progress -> Escalated -> Resolved/False Positive/Configuration Error. I don't want the incident manager to have the ability to change the status of an incident back from In Progress to New, or from Resolved to In Progress. I understand that the product has limited incident management functionality; however, is there a way I can achieve that?

Thanks!

Rohit


421 Service Temporarily Unavailable from MessageLabs SMTP servers

I need a solution

Hi.

Over the weekend, our ISP had issues with reverse DNS lookups and we suffered several instances of IP blacklisting of our SMTP servers as a result. Our IP addresses are below, and they now reverse DNS correctly; please can you check the MessageLabs configuration to remove the IPs from any blacklists:

213.212.116.132
213.212.116.133
213.212.114.132

Jun 12 10:45:45 <**supressed**> sendmail[8315]: v5C9jaBJ008315: to=<**supressed**>, delay=00:00:09, xdelay=00:00:09, mailer=esmtp, pri=40557, relay=cluster3a.eu.messagelabs.com. [216.82.251.230], dsn=4.0.0, stat=Deferred: 421 Service Temporarily Unavailable

Thanks


Download SPE

I need a solution

The SPE documentation is very very bad so I need help with a few basic questions:

I have a license file, now I am looking for most recent install files for something that could be called Symantec Protection Engine for Cloud Services Application Server.

My assumption is that this software is the most recent version of software that I know as Symantec_Protection_Engine_CS_7.0.2.4_Windows_IN.zip

This version uses Java 1.5 and a Java applet which I don't like.

I'd like to use a more recent version of this software that does not use a Java applet. I read somewhere that this is possible.

Where can I find this software?

Cheers,

Onno


Lots of false negatives...

I need a solution

Hello Symantec

We have received LOTS of false negatives in the last months.
It's always just a plain image with no text but an explicit subject. Not that hard to filter by a spam appliance, I guess.....

Definitions are up to date, release is on 10.6.2.
I already let someone from Symantec check the configuration - everything OK. Spam Score is now on 55!!! and we still get 5+ false negatives per day and user in our inbox.

Yes, we forward the mails as attachments to the eurosubmit address.

Does anyone have the same problem?
