Hello,

We've been having issues where EDPA agent randomly stops on machines.   We use the clean utility then reinstall but every month we have random machines with the service stopping (same machines not necessarily repeating the stopped service)

Anyone else encounter this?  

can we able to integrate on primises dlp in WSS

Is there a management pack for SEP 14.x to report virus / exploit / client information up to SCOM or a powershell module I can use to extract data from it? I would like to have the data from the SEP home tab roll up to SCOM. 

Apologies if this is a silly question. Very grateful for any assistance.

We have several of the following devices ...

Blue Coat, MAA-S400-10
Operating system : Malware Analysis Appliance-4.2.11.20161207-RELEASE-

Blue Coat, CAS S400-A1
Operating system : CAS 1.3-7.5-201666

How can I list any SSL certificate information on these devices (or is it not possible/relevant to try?) ideally the command line syntax is required.

Thanks

I need to know who installed a particular Update if it was by Patch Management or if it was installed by the user and / or by another tool.
Is it possible to have this information?

Environment: SEP 14.0.2332-0100 on RHEL 7.6

Synopsis: RHEL 7.6 was released. When a host is updated to 7.6 (FWIW the first kernel to come with RHEL 7.6 is 3.10.0-957) and either the host is rebooted or the symcfgd service is restarted, the host completely wedges, silently, and is unusable.

Repeatable Steps:

1. Update to RHEL 7.6
2. Reboot. Your host will wedge as it comes up.
3. Reboot to single user mode to avoid /etc/rc3.d scripts related to SEP
4. Build new SEP kernel modules via build.sh
5. Run /etc/rc3.d/S21autoprotect by hand. Runs fine. Kernel modules load.
6. Run /etc/rc3.d/S22symcfgd by hand and the host immediately wedges and starts flashing keyboard LEDs.

Short-term Workaround: For us, for now, is to reboot the host and choose an older 7.5 kernel when the kernel selection menu is displayed. As new kernel package updates come around, let alone ones with required security fixes, this will not be possible.

Guys,

I like to know if one computer without SONAR installed can be a GUP or it's necessary this feature installed for a distribution to another computer?

Miguel Angel

This article is focused on demonstrated how you can manually uninstall the SEE for BitLocker client from an endpoint in the event that the client has failed in some manner. Whether this is generic client issues with normal operations, or failure of the uninstall/install process. It can also be used in smaller environments for testing, or where automation of the uninstall process is not an option. This method will also avoid the need for a 3rd part piece of software. This can be used when communication to the management server has been lost due to certificate expiration. 

It should be noted, that before using this method, you should follow the uninstall instructions from within the SEE Installation guide for the specific version of SEE you are using. However in the event that those methods do not work. It is then possible to use this approach to remove the endpoint client. 

It is also worth noting, that although this method can be used to uninstall all versions of the SEE Client, it is primarily focused at the BitLocker version of the client. 

Finally, all commands used in this guide must be ran from an elevated command prompt or PowerShell Prompt. 

Before Uninstalling.

Prior to uninstalling the client, you will need to ensure all of the drives in the endpoint machine have been fully decrypted. To check whether a drive is encrypted, you can either use the management console, Manage BitLocker settings in Windows, or by running the following command. 

manage-bde C: -status

You can replace "C:" with the relevant drive number. 

Upon running this command you will see the following: 

Running this command is recommended, since it allows you to see the additional values from BitLocker which we need to take a note of to progress the uninstall process. You can see in the image above, that the current Conversion Status is set to Fully Encrypted. This clearly shows the drive is encrypted. Additionally, below this, we can see the drive is unlocked, and the protection status is turned on. These two values are important, since both will need to be set to unlocked, and off respectively

In order to turn these off we can run additional commands. Before running these commands, you must make sure you either have access to your BitLocker recovery key, either by having the key saved, or by having the Recovery Key file. The key is required in order to unlock the drive. 

Firstly you will need to run the following command, in order to unlock the drive:

manage-bde -unlock C: -RecoveryKey “YOUR_BITLOCKER_RECOVERY_KEY"

Once again, you can replace "C:" with the relevant drive, and replace “YOUR_BITLOCKER_RECOVERY_KEY" with the correct Recovery Key for the drive. 

This will unlock the drive and allow you to take off the protection. 

Next you can turn off BitLocker, this will also decrypt your drive. Run the following command: 

manage-bde C: -off

You will now see a message saying decryption is now in progress. 

At this stage, you can re-run the -status command from earlier to see the status of the drive encryption. It is worth leaving this to decrypt. This can take some time, depending on the type of drive you are decrypting. Once this is complete, the status command will show something like the following:

Once your drive is decrypted, you will now be ready to run the uninstall process. 

Uninstalling the Client. 

At this point, you should be able to simply uninstall the client from Apps and Features, within Windows. However, this may give you an error if you have Removable Drive Encryption Enabled. When RME is enabled, you must first install a client that has RME turned on over the top, but has the ability to have RME turned off via the SEE management console. This usually takes the form of an "Uninstall Policy" within the SEE management console. 

Once you have generated a new client working client, with RME. Youc an then copy the msi file to the affected endpoint to run the uninstall command. 

Run the following uninstall command to remove the existing client, and install the working client. 

MSIEXEC /i [UninstallClientPath.msi] REINSTALLMODE=vemus ADDLOCAL=all /l*v “Uninstall_Log01.log”

Where [UninstallClientPath.msi] is the path of the new client. This also created an output log file in case of issues.  

Once this is ran, the uninstall process will continue as normal. You can verify the product has been uninstall by accessing the Apps and Features settings in Windows, checking the client has been removed. 

If any issues during this process are encountered, you can consult the uninstall log file created during the uninstall to review the errors. 

I hope this guide assists you in removing a SEE client from an endpoint which has experienced some form of app or OS failure preventing you from exercising the normal uninstall methods. 

When using the builtin "Power Control - Restart" task, the task instance reports as Failed in the client job's run history. This is a false negative - in reality, the computer does reboot and the client job does continue executing.

This seems to be affected by the Fast Startup feature in Windows 10, whereby the computer basically hibernates instead of shutting down.

Just curious to hear — does this affect anyone else?

Has anyone been successful in obtaining these files? 

• File Traversal Deceptor
• Network Discovery Deceptor
• DNS Lookup Deceptor
• File Share Deceptor
• Credential Theft Deceptor

• Process Termination Deceptor (This one is included in the package installer)

The KB article states to simply call support to obtain the others but i've not only created a support ticket but also spoke with several support engineers and eveyrone over in Symantec seems to be plain lost on this topic.

Can someone please advise how I obtain these files?

I want to deploy these deception techniquies in my environment and it appears to be part of the SEP 14 RU1 version (or higher).

Thank you

For one of the client i am using Napatech cards for network monitor.
After upgrading from 14.6 to 15.1, I am getting following exception "Caught exception: ntpl.exe does not exist in E:\Napatech\Tools\nt_tools_windows_1.8.A\tools\binary\Tools\amd64 [main.cpp(113)" and the packetcapture service is not staring.
Can someone assist me on this ?

Kindly include search option under policy which makes easier to get specified MD5,SH256, domain to be deleted or edited. Currently option is not available in ATP. 

Hi,

Need assitance to create API for intgration of clear pass to SEPM. Clear pass is NAC solution which will integrate with SEPM to information. 

Any information or guide will be helpfull. 

Kindly include delete user option ATP user option. Hopefully to see in the upcoming version

I've been having periodic issues deploying sysprepped images with GSS 3 (we're currently on 3.2 RU6) but managed to get it working on Windows 10 1709 and 1803 - until today. The problem has surfaced again and I think I can trace it to GSS writing files to the wrong partition. I have a deployment task for a sysprepped image with a custom unattend file that fails randomly; sometimes on certain models, and other times on models that work 99% of the time. The result is after laying down the image, it reboots to a blue screen claiming that the registry is corrupt. When I boot the machine with a recovery USB, I open the command line and run notepad. I can see that the System Reserved drive is labelled C, and in that drive is a "windows" directory, with a "panther" subdirectory (note that they aren't capitalized) that contains our unattend file named unattend.xml. I assume this is GSS copying our custom unnattend file to C:\windows\panther - except it appears that GSS (or WinPE) thinks the reserved partition is the system drive and writes the unattend file to it, causing corruption and ultimately the blue screen on boot. Another example of this is that I have a script that will write to the Windows\Setup\Scripts\setupcomplete.cmd file in order to install the DAgent on first boot (for portability, since we have multiple GSS servers in our environment), except I have to specify that drive as D: for WinPE to write to the correct partition.

REM Point DAgent to correct ghost server
md D:\WINDOWS\SETUP\SCRIPTS\
ECHO msiexec /i C:\DAgent\dagent_x64.msi /qn server_tcp_addr=%DSSERVER% server_tcp_port=402 >> D:\WINDOWS\SETUP\SCRIPTS\setupcomplete.cmd

Is there an easy way to mitigate this? I don't know of a way to either force WinPE to see the correct drive letters, or to specify where to copy the unattend file since WinPE sees the System Reserve partition as the C drive.

HI All,

I want to know if we change the CA certicate(we have installed a CA certificate in our SEP manager) on the manager, how it wil impact the sylink.xml.

Will the sylink.xml automatically get updated once the certificate import is done or it has to be pushed across via package or patch.

Please help.

Hello.

My customer receives a 421 status in return to RCPT TO command when trying to send a mail to a messagelabs customer. Please see a log example below.

Sending mail from mx00.mpac.com, 185.37.248.215, Exchange 2010

IP Investigation at http://ipremoval.sms.symantec.com/lookup/ did return that it's not blocked.

Thank you and kind regards,

Hannes

2018-11-02T10:31:33.385Z,Internet,08D640ADAEC9E854,2,192.168.2.14:52004,52.29.12.9:25,<,"220 mail555.messagelabs.com ESMTP Fri, 02 Nov 2018 10:31:33 +0000",
2018-11-02T10:31:33.385Z,Internet,08D640ADAEC9E854,3,192.168.2.14:52004,52.29.12.9:25,>,EHLO mx00.mpac.com,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,4,192.168.2.14:52004,52.29.12.9:25,<,250-mail555.messagelabs.com Hello ip-100-113-13-169.eu-central-1.aws.symcld.net [100.113.13.169],
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,5,192.168.2.14:52004,52.29.12.9:25,<,250-SIZE 52428800,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,6,192.168.2.14:52004,52.29.12.9:25,<,250-8BITMIME,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,7,192.168.2.14:52004,52.29.12.9:25,<,250-PIPELINING,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,8,192.168.2.14:52004,52.29.12.9:25,<,250-CHUNKING,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,9,192.168.2.14:52004,52.29.12.9:25,<,250-STARTTLS,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,10,192.168.2.14:52004,52.29.12.9:25,<,250-PRDR,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,11,192.168.2.14:52004,52.29.12.9:25,<,250 HELP,
2018-11-02T10:31:33.401Z,Internet,08D640ADAEC9E854,12,192.168.2.14:52004,52.29.12.9:25,>,STARTTLS,
2018-11-02T10:31:33.432Z,Internet,08D640ADAEC9E854,13,192.168.2.14:52004,52.29.12.9:25,<,220 TLS go ahead,
2018-11-02T10:31:33.432Z,Internet,08D640ADAEC9E854,14,192.168.2.14:52004,52.29.12.9:25,*,,Sending certificate
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,20,192.168.2.14:52004,52.29.12.9:25,*,,Remote certificate
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,21,192.168.2.14:52004,52.29.12.9:25,*,"CN=mail555.messagelabs.com, O=Exim Developers, C=UK",Certificate subject
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,22,192.168.2.14:52004,52.29.12.9:25,*,"CN=mail555.messagelabs.com, O=Exim Developers, C=UK",Certificate issuer name
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,23,192.168.2.14:52004,52.29.12.9:25,*,00,Certificate serial number
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,24,192.168.2.14:52004,52.29.12.9:25,*,9387CEF45FD5C3EA68ADA0DDEAF6B6B7F831DA2D,Certificate thumbprint
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,25,192.168.2.14:52004,52.29.12.9:25,*,mail555.messagelabs.com,Certificate alternate names
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,26,192.168.2.14:52004,52.29.12.9:25,*,,"TLS protocol SP_PROT_TLS1_0_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_ECDHE with strength 256 bits"
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,27,192.168.2.14:52004,52.29.12.9:25,*,,Received certificate
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,28,192.168.2.14:52004,52.29.12.9:25,*,9387CEF45FD5C3EA68ADA0DDEAF6B6B7F831DA2D,Certificate thumbprint
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,29,192.168.2.14:52004,52.29.12.9:25,>,EHLO mx00.mpac.com,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,30,192.168.2.14:52004,52.29.12.9:25,<,250-mail555.messagelabs.com Hello ip-100-113-13-169.eu-central-1.aws.symcld.net [100.113.13.169],
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,31,192.168.2.14:52004,52.29.12.9:25,<,250-SIZE 52428800,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,32,192.168.2.14:52004,52.29.12.9:25,<,250-8BITMIME,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,33,192.168.2.14:52004,52.29.12.9:25,<,250-PIPELINING,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,34,192.168.2.14:52004,52.29.12.9:25,<,250-CHUNKING,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,35,192.168.2.14:52004,52.29.12.9:25,<,250-PRDR,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,36,192.168.2.14:52004,52.29.12.9:25,<,250 HELP,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,37,192.168.2.14:52004,52.29.12.9:25,*,71,sending message
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,38,192.168.2.14:52004,52.29.12.9:25,>,MAIL FROM:<xxxxxx@mpac.com> SIZE=240433,
2018-11-02T10:31:33.479Z,Internet,08D640ADAEC9E854,39,192.168.2.14:52004,52.29.12.9:25,>,RCPT TO:<xxxxxxxx@xxxxxxxxx.de>,
2018-11-02T10:31:33.494Z,Internet,08D640ADAEC9E854,40,192.168.2.14:52004,52.29.12.9:25,<,250 OK,
2018-11-02T10:31:33.494Z,Internet,08D640ADAEC9E854,41,192.168.2.14:52004,52.29.12.9:25,<,421 Service Temporarily Unavailable,
2018-11-02T10:31:33.494Z,Internet,08D640ADAEC9E854,42,192.168.2.14:52004,52.29.12.9:25,>,QUIT,
2018-11-02T10:31:33.494Z,Internet,08D640ADAEC9E854,43,192.168.2.14:52004,52.29.12.9:25,-,,Local

 SMP

Patch Management

Disable Bulletins

Patch Management has it's own Web Service.

Looks like 8.5 got a new method.

• Disable Bulletins

This takes two parameters

• bulletinGuids (string)
• deletePolicies (boolean)

bulletinGuids - This is usually a comma separated list of Guids, when the input is a string but plural.

---

FORUM

Automatically "Delete unused Software Update Packages" problem disabling staged bulletins
https://www.symantec.com/connect/forums/automatically-delete-unused-soft...

From @Sergei Kljujev

In order to disable Bulletin you can use attached script, as following:

1. Unzip DisableBulletin.zip and copy contents to C:\Program Files\Altiris\Notification Server\Bin.

NB! Make Sure to merge NSCRIPT.NRF and NSCRIPT.EXE.CONFIG to the existing ones, if you already have them modified.

2. Run C:\Program Files\Altiris\Notification Server\Bin\NSCRIPT.EXE DisableBulletin.cs <bulletin_guid>

Note that the script is working on Patch Management Solution Versions up to 8.1.*

• DisableBulletin.cs
• NScript.exe.config
• Nscript.nrf

DisableBulletin.cs

using System;
using System.IO;
using Altiris.NS.ItemManagement;
using Altiris.NS.Security;
using Altiris.PatchManagementCore.Policies;
using Altiris.PatchManagementCore.Resources;

class DisableBulletin
{
    static int Main(string[] args)
    {
        Guid bulletinGuid;
        if (args.Length != 1)
        {
            Console.WriteLine("Programmatically Disable Bulletin");
            Console.WriteLine("Usage: nscript.exe DisableBulletin.cs <BulletinGuid>");
            return 1;
        }
		
        if (!Guid.TryParse(args[0], out bulletinGuid))
        {
            Console.WriteLine("Error: Cannot create guid from '{0}'", args[0]);
            return 1;
        }

        SecurityContextManager.SetContextData();

        var bulletin = Item.GetItem(bulletinGuid, ItemLoadFlags.Writeable) as SoftwareBulletinResource;

        if (bulletin == null)
        {
            Console.WriteLine("Error: Bulletin '{0}' not found.", bulletinGuid);
            return 1;
        }
		
        var oldValue = bulletin.RaiseMessage;
        try
        {
            bulletin.RaiseMessage = false;
            bulletin.IsDisabledByUser = true;
            bulletin.Enabled = false;
            bulletin.setAdvertStagedState(false);
            bulletin.deleteAllPendingUpdates();
            bulletin.Save();
        } 
        catch (Exception ex)
        {
            Console.WriteLine("Error: Bulletin '{0}' could not be disabled. Exception: {1}", bulletin.Name, ex);
           return 1;
        }
        finally 
        {
            bulletin.RaiseMessage = oldValue;
        }
        
        Console.WriteLine("Bulletin '{0}' Disabled.", bulletin.Name);
        return 0;
    }
}

NScript.exe.config

<?xml version="1.0" encoding="utf-8"?>
<!--
SYMANTEC:     Copyright (c) 2018 Symantec Corporation. All rights reserved.

THIS SOFTWARE CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SYMANTEC CORPORATION. USE, 
DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SYMANTEC
CORPORATION.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial
Computer Software - Restricted Rights" and DFARS 227.7202, Rights in "Commercial Computer Software
or Commercial Computer Software Documentation", as applicable, and any successor regulations,
whether delivered by Symantec as on premises or hosted services.  Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
-->
<configuration>
	<runtime>
		<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
			<qualifyAssembly partialName="Altiris.Common" fullName="Altiris.Common,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.Common.UI" fullName="Altiris.Common.UI,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.NS" fullName="Altiris.NS,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.NS.StandardItems" fullName="Altiris.NS.StandardItems,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.NS.UI" fullName="Altiris.NS.UI,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.Resource" fullName="Altiris.Resource,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/> 
			<qualifyAssembly partialName="Altiris.PatchManagementCore" fullName="Altiris.PatchManagementCore,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.InventoryRuleManagement" fullName="Altiris.InventoryRuleManagement,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
			<qualifyAssembly partialName="Altiris.Resource.UI" fullName="Altiris.Resource.UI,version=7.1.0.0,publicKeyToken=d516cb311cfb6e4f,culture=neutral"/>
		</assemblyBinding>
	</runtime>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.1"/></startup>
</configuration>

Nscript.nrf

Altiris.PatchManagementCore
Altiris.InventoryRuleManagement

---

Or from @schnyders

$ReportsMS = New-WebServiceProxy -Uri "http://altiris/Altiris/ASDK.NS/ReportManagementService.asmx" -UseDefaultCredential
$ConsoleMS = New-WebServiceProxy -Uri "http://altiris/Altiris/NS/console.asmx" -UseDefaultCredential

$Bulletins = $ReportsMS.RunReport("9e5b8923-b02b-4702-9b44-4404fa8b6e43").table | Where-Object { $_.Available_x0020_Packages -gt 0 -and $_.Policies -eq 0 -and $_.Downloaded -eq "Yes" }

ForEach($Bulletin in $Bulletins) {
    $ConsoleMS.ItemCallback($Bulletin._ResourceGuid, "ItemAction:e6e01da7-1f2e-4716-99e0-2738c214d458:")
}

---

Programatically disable the staged bulletins
https://www.symantec.com/connect/forums/programatically-disable-staged-b...

---

ALTERNATIVE TOOLS

 Workflow has it's own Project

Zero Day Patch

This is using a previous version of the WebService but could easily be updated to take advantage of this new method.

AutoPatcher
https://www.symantec.com/connect/articles/autopatcher

{CWoC} PatchAutomation and ZeroDayPatch builds for 8.0
https://www.symantec.com/connect/blogs/cwoc-patchautomation-and-zerodayp...

---

Anybody can help me to provide information (learning walkthrough) for machine learning sandboxing system ; how machine learning  content analytics ; can scan the malware to isolate the  suspicious traffic into sandboxing to identify the  next level behavior  to protect the exploitation.

What are the component for machine learning?

How machine learning would work for content analyzing and sandboxing.

Good Morning,

We have the need to encrypt emails end-to-end and I have the doubt if I can use Desktop Email Encryption having the mail service of Godaddy that is on the internet, it is POP3 type. In other words, we do not have Exchange or Lotus but checking the requirements there appear.

If the answer is affirmative, is it mandatory to install Symantec Encryption Management Server to manage it ...? They are only a few clients, maximum five.

Regards.