Channel: Symantec Connect - Products - Discussions

SEPM Upgrade with new hardware


I have inherited a minimally documented SEPM environment and have been tasked with upgrading it.  It is a SEPM 12.1.4 environment consisting of 5 SEPM servers with about 5,000 clients.  For now, this upgrade is to SEPM 12.1.6.  Also, there is new server hardware for this upgrade. All of the 5 current SEPMs are each in their own site, I think.  3 of the SEPMs, I believe, can be removed from the environment, as 1 only has 1 client (itself) and the 2 other SEPMs aren’t accessible as the SEPM service fails to stay started, with 1 SEPM also having had its SQL DB instance server deleted and no backups. The other 2 SEPMs appear to be the primary & secondary (or failover) with site replication. The primary shows about 5,000 clients Online and the secondary shows about 5,000 clients Online on remote site.

What would be the best way to clean up this SEPM environment?  Should I first cancel replication, delete replication partners, and delete remote sites (for the deleted rep partners) on the primary & secondary SEPMs, then cancel replication, delete replication partners and delete all remote sites on the SEPM with just 1 client (itself), and finally uninstall SEPM from all 3 SEPMs to be removed?

Next I would install SEPM 12.1.4 on 2 new servers.  For this, I would have 2 SQL Server DB instances set up on the SQL server cluster, 1 for the new primary SEPM and the other for the new secondary SEPM.  Install SEPM 12.1.4 with a custom configuration of "Install an additional site", so each of the new SEPMs is in its own site. Once the installs are complete, replication between the 4 SEPM servers will be configured and executed.  Up to this point the clients should not have been impacted.  Does this seem correct?

Once the replication has executed for several cycles, and EVERYTHING appears to be working fine (daily reports are running, client definition files are current,…), the Management server lists priorities would be changed so that the 2 new SEPM servers have a 1 and 2 setting, with the old SEPMs getting moved down or even deleted from the server list.  Once all of the clients are Online or Online on remote site for the new primary and secondary SEPM servers we can remove the old SEPM servers from the environment (On the old servers; cancel replication, delete replication partners, delete remote sites, and then finally un-install SEPM).

At this point, the 2 new 12.1.4 SEPM servers (Primary and Secondary) are set up in a failover configuration, with 2 new DB servers configured, all on new hardware. The next step is to upgrade to 12.1.6…

Is my process correct?  Did I leave anything out?


How to change the local site name


How to change the local site name from srv-kdms-hydav to srv-kdms-av.

Please find the SS for your reference


WHICH PORT SHOULD BE OPENED IN FIREWALL FOR SEP CLOUD


Hi to all!!!

We have a D-Link DFL-210 and a lot of computers with SEP Cloud installed. These computers can't have an internet connection, but they need to communicate with the cloud console.

For installing, we have to open firewall restrictions because the installer can't communicate with the console, but after installation we have closed their communications. After that, the console doesn't detect the computers as connected and we can't send commands from the console to these computers.

We have seen in the firewall that during installation, computers connect to two IPs. We have opened traffic for these IPs on port 443 and the antivirus has installed well. But after this, the console can't communicate with these computers (traffic to these IPs is always open on port 443, but only for these two IPs; we think they are Symantec servers). We have read the Symantec documentation but it lists a lot of ports and a range of ports; are all of them necessary?

The question is: what ports should be opened in the firewall to establish a connection with the console?

It's a very important question for us.

Thank you very much!!!!

PS: sorry for my English, I hope you can understand me.

 

How to replace a sylink file


How to replace the sylink file on n number of machines at a time (services also need to restart)?


Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?


Can SEP 12.1 detect attacks from the Grizzly Steppe campaign?


What is the process to renew/restore key to the users if the Key expires due to user inactivity or admin key revocation?


Hi,

We are planning to deploy Symantec Encryption Management Server (SEMS) for managing File Share Encryption and Drive Encryption. The Key Mode that we are planning to use is either SKM or GKM. It's to be decided. Management would like an answer to the query below to make a planning decision.

Query: What is the process to renew/restore key to the users if the Key expires due to user inactivity or admin key revocation?

Can anyone help me out with this?


High CPU Utilization on Windows 2000 Server with SEP 11.0.6300.803


Hi All,

We have a Windows 2000 Server with SEP 11.0.6300.803.
As per business requirements, we cannot upgrade the OS, and upgrading SEP will take three months due to internal process.
Today, we have an issue that SEP is causing more CPU utilization. Please find the attached file for the same.
All computers in that group have the components below.
AV
IPS
SONAR

Please let us know how to solve this problem.
 


"Network Configuration Interface is currently in use" error with SEPM install


Trying to install Symantec Endpoint in a 64 bit Windows7 system.  I get the error: 

"The network configuration interface is currently in use by another process. please ensure it is available before installing symantec endpoint protection. A reboot may be neccessory to free this interface."

Reboots, network connected, not connected, ip fixed or DHCP doesn't solve the problem.

SEPM client version is 12.1.6318.6100

Exact error described in 

https://www.symantec.com/connect/forums/symentec-e...

But I didn't find a solution there.


External logging delay


Why, when SEP detects a test virus and sends the log to SEPM, does it take like 10 minutes before I get my dump risk file? Same when I try a syslog server.
 


Unable to Detect Content under .7z files dlp 14.5


Dears 

I am trying to detect any PST files copied outside the user's machine, so I created a simple policy to detect the extension .pst and it worked, but when I tried to put the PST file in .7z format, I wasn't able to detect anything.

Hint: it works with .zip

Please advise.


Removable Media Access Utility doesn't work on my MAC


I have problems using the tools; when I load the file "removableaccessutility.dmg" from the device, the message is that I have to launch the program from the device (which I am doing). Could you please help me? Thank you.


Application profiling in DCS:SA 6.7


I want to know the application profiling procedure for DCS:SA 6.7.


How to change the partner name


How to change the partner name from hyderabad (srv-kdms-hydav) to global (srv-kdms-av)? I have manually changed the replication site properties and changed the replication server to global (srv-kdms-av), but I don't have any option to change the partner name.

Connection rejected by policy [7.7] 3908


Hello,

One of our clients is getting the following bounceback errors:

TPreiswerk@ctc.ch
   host cluster8.eu.messagelabs.com [85.158.137.19]
   SMTP error from remote mail server after initial connection:
   501 Connection rejected by policy [7.7] 3908, please visit
www.messagelabs.com/support for more details about this error message.
 MHeierli@ctc.ch
   host cluster8.eu.messagelabs.com [85.158.137.19]
   SMTP error from remote mail server after initial connection:
   501 Connection rejected by policy [7.7] 3908, please visit
www.messagelabs.com/support for more details about this error message.
Reporting-MTA: dns; srv.redokslab.com

We have tried the blacklist removal tool available here:

http://ipremoval.sms.symantec.com/lookup/

But does not seem to have helped. The IP address is 78.47.168.232

Let me know if there is anything we can do from our end to help get this removed.

Thanks


SEP makes Windows hang


Hi,

We encounter this problem on Windows 2012. We are using SEP12. When I disable SEP12, Windows does not hang and operates as normal. If we enable SEP12, after a few days the server will hang and we need to force a reboot. After googling around, we did not find any related solution. Please advise.

Thanks.


SEP System Lockdown (Whitelisting-mode) and C:\Windows\assembly


Hello,

We have SEP System Lockdown enabled in whitelisting mode but are having some trouble with the contents of the C:\Windows\assembly folder in Windows 10.

From what we can tell, the contents of this folder are dynamic, so a hash fingerprint of the contents on one device is not guaranteed to match that of another, despite all devices in our fleet being built from the same image.

To work around this we have tried setting a definition rule for C:\Windows\assembly\* in the System Lockdown policy; however, we still see various dll files in the directory being blocked.

Has anyone else come across this or something similar?

I am also interested to know how others have implemented whitelisting with SEP Lockdown on Windows 10.


LiveUpdate failed due to JAVA problem


Hello all,

I have a problem with my SEP 12.1 for Linux: after installation, LiveUpdate didn't get updates from the LiveUpdate server. The issue that I found is probably that Java failed to encrypt the liveupdate.conf. Below is the debug output when I run debugging using this command: java -classpath jlu.jar com.symantec.liveupdate.LiveUpdate -d

============================================================================================================

Using character set UTF-8
Command-line Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
Debug - output[nIdx] = uid=0(root) gid=0(root) groups=0(root)
Adding JLU to the current command line
  JLU Linux, 3.10.2, English, LiveUpdateSeq, 13
Trying to load jar file from null/LiveUpdate/bcprov-jdk15on-148.jar
Trying to load jar file from current directory or mentioned in classpath
JLUException [
Nested Exception is:
 [ java.lang.ClassNotFoundException ] org.bouncycastle.jce.provider.BouncyCastleProvider

java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
]
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    ... 7 more

java.io.IOException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)

An error was encountered when reading in the liveupdate.conf file /etc/liveupdate.conf
Checking to see if JLU can connect to its own listener thread.
Checking to see if a session of JLU is running at port 56598.
An active JLU session has been detected.
JLU was able to successfully connect to its own listener thread.
createConfiguration failed.

The Java LiveUpdate session did not complete successfully.
Return code = -1

ProductInventory: parsed default inventory file: /etc/Product.Catalog.JavaLiveUpdate
Inventory File Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
ProductInventory.save: Saving updates to product inventory file
Trying to load jar file from null/LiveUpdate/bcprov-jdk15on-148.jar
Trying to load jar file from current directory or mentioned in classpath
JLUException [
Nested Exception is:
 [ java.lang.ClassNotFoundException ] org.bouncycastle.jce.provider.BouncyCastleProvider

java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.d(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.c(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.<init>(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.a(Unknown Source)
    at jlufo.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
]
    at jlucn.a(Unknown Source)
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.d(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.c(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.<init>(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.a(Unknown Source)
    at jlufo.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    ... 11 more

java.io.IOException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at jlucn.load(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.c(Unknown Source)
    at com.symantec.liveupdate.config.JluConfiguration.d(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.c(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.<init>(Unknown Source)
    at com.symantec.liveupdate.event.EventTransporterFactory.a(Unknown Source)
    at jlufo.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.a(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.b(Unknown Source)
    at com.symantec.liveupdate.LiveUpdate.main(Unknown Source)

An error was encountered when reading in the liveupdate.conf file /etc/liveupdate.conf

====================================================================================================

Below is some of the output that is running

=====================================================================================================

Using character set UTF-8
Command-line Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
Debug - output[nIdx] = uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Adding JLU to the current command line
  JLU Linux, 3.10.2, English, LiveUpdateSeq, 13
Trying to load jar file from /opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar
Initializing the log file: /opt/Symantec/LiveUpdate/liveupdt.log
trying to write into log file
Java Version 1.8.0_101.
Linux 2.6.32-642.6.1.el6.x86_64
Java LiveUpdate version 3.10.2 Build 13.
Checking location of jlu.jar ...
Java LiveUpdate directory is /opt/Symantec/LiveUpdate
Found /opt/Symantec/LiveUpdate/jlu-3.10.2.13.jar
ProductInventory: parsed default inventory file: /etc/Product.Catalog.JavaLiveUpdate
Inventory File Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
  Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, HubDefs, 0
  Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 161128001
The property maxZipFileSize in config file is 614,400
The property maxTriFileSize in config file is 10,485,760
The property maxPackageSize in config file is 1,073,741,824
The property maxPackageContentSize in config file is 1,342,177,280
The property enableIPv4Preference is not set in config file
Checking to see if JLU can connect to its own listener thread.
Checking to see if a session of JLU is running at port 33925.
An active JLU session has been detected.
JLU was able to successfully connect to its own listener thread.
Downloading minitri.flg to /opt/Symantec/LiveUpdate/tmp/1483414578885/minitri.flg ...
Connecting to [IP Address]:7070 via HTTP ...
Connected to [IP Address] sending request ...
pleaseResume is false
resumeSupported is null
Waiting for response ...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: public
Cache-Control: max-age=0
Content-Disposition: attachment;filename="minitri.flg"
Content-Type: application/octet-stream
Content-Length: 1

===========================================================================================

I found this in some of the computers. All Java JRE including JCE have been installed and read successfully during the pre-check step in agent installation.

Kindly help by sharing the solution to fix this.

Thanks

Giovanni


Is client version 12.x.xx compatible with SEP 14


I'm looking to upgrade my SEP from version 12 to version 14, but I want to make sure before I do that all clients with version 12.X.XXX installed will still receive definitions and updates from the new management console. Or do I have to install the version 14 client straight away?

Ideally I want to test the version 14 client on a number of servers before rolling out the latest version to the rest of my infrastructure.


Upgrade assessment for offline 12.1.6 MP6 SEP/SEPM to offline version 14 SEP/SEPM


I'm a System Admin/ISSO for a federal defense contractor and we have multiple systems running 12.1.6 MP6 SEP/SEPM. All of our systems are completely offline and cannot be allowed to connect to the internet. We are utilizing the manual methods of updating the virus definitions on the standalone and managed clients/servers. I'm evaluating potential issues with upgrading to the newest SEP/SEPM version 14. Additionally, we have a particular set of Windows Security Settings, Account, Local System and User rights policies that must be configured on the Windows 7 SP1 and Server 2008 R2 SP2 OS we must utilize. I have run the Symantec System Diag Tool on all the systems and it doesn't seem to give many specific configuration issues. I can provide the particular Windows security settings, etc. as well. I need some more in-depth assessment of everything before we can begin to upgrade our SEP/SEPMs.
