Symantec on a Domain Controller – Safe Mode

I need a solution

Hello.

We have a (physical) Windows 2016 Domain Controller with Symantec Endpoint Protection on it, version 14.0.3929.1200.

We can install SEP and it works, but twice in a few months now we have experienced that after a reboot the DC enters Safe Mode and refuses to work anymore. We need to uninstall SEP and use bcdedit to restore normal boot mode before it functions again.

We have configured all exceptions for Domain Controllers, and 5 other DCs are working without any problems with the same Server OS and SEP version.

Does anybody have any idea how to troubleshoot this?

0

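
The post's recovery step is bcdedit, so the first thing to check before uninstalling anything is whether the boot entry actually carries a safeboot value. The script below is an added example, not Symantec or Microsoft code: it parses `bcdedit /enum` output (a constructed sample is embedded so it runs offline; on Windows it runs the real command, which needs an elevated prompt) and prints the exact `bcdedit /deletevalue` commands that put the entry back to a normal boot. The entry names and values in the sample are assumptions, not taken from the poster's DC.

```python
"""Detect a boot entry that will come up in Safe Mode and emit the bcdedit
commands that clear it. Added example; it is not Symantec or Microsoft code."""
import re
import subprocess
import sys

# Constructed sample of `bcdedit /enum {current}` output from a host whose
# boot entry carries the safeboot flag. Not captured from the poster's DC.
SAMPLE_BCDEDIT_OUTPUT = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows Server
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\Windows
nx                      OptOut
safeboot                Minimal
"""

# Values bcdedit stores for Safe Mode; either one makes the next boot a safe boot.
SAFEBOOT_KEYS = ("safeboot", "safebootalternateshell")


def parse_bcdedit(text):
    """Turn bcdedit /enum output into {identifier: {key: value}}.

    bcdedit prints one section per entry: a title line, a dashed rule, then
    'key<two or more spaces>value' lines. Keys are lower-cased."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"}:
            continue
        m = re.match(r"^(\S+)\s{2,}(.+)$", line)
        if not m:
            # A title such as "Windows Boot Loader" starts a new entry.
            current = {}
            continue
        if current is None:
            current = {}
        key, value = m.group(1).lower(), m.group(2).strip()
        current[key] = value
        if key == "identifier":
            entries[value] = current
    return entries


def safe_boot_entries(entries):
    """[(identifier, key, value)] for every Safe Mode value found."""
    found = []
    for ident, entry in entries.items():
        for key in SAFEBOOT_KEYS:
            if key in entry:
                found.append((ident, key, entry[key]))
    return found


def remediation_commands(entries):
    """bcdedit commands that restore a normal boot; run them from an elevated prompt."""
    return [f"bcdedit /deletevalue {ident} {key}" for ident, key, _ in safe_boot_entries(entries)]


def main():
    if sys.platform == "win32":
        # bcdedit refuses to run without elevation.
        text = subprocess.run(["bcdedit", "/enum", "{current}"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_BCDEDIT_OUTPUT
    entries = parse_bcdedit(text)
    hits = safe_boot_entries(entries)
    if not hits:
        print("no safeboot value set; next boot is normal")
        return
    for ident, key, value in hits:
        print(f"{ident}: {key} = {value}")
    print("to restore normal boot run:")
    for cmd in remediation_commands(entries):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

Running it on each DC right after a reboot (before anything is uninstalled) shows whether the safeboot value is present on the entry; the script only reports and prints commands, it does not change the boot configuration itself.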

URGENT, Our business cannot email our bank, who are using messagelabs

I need a solution

I see from the forums that a few people are having similar issues, so I’ll cut to the chase:

Our details (sender):

198.54.121.121 > server1.ssab.ws
198.54.121.122 > mail.ssab.ws

Our bank's details (receiver):

anz.com MX preference = 10, mail exchanger = cluster3vk.eu.messagelabs.com
anz.com MX preference = 20, mail exchanger = cluster3vka.eu.messagelabs.com

The issue:

When we send emails from ____@ssab.ws they are not being received by ____@anz.com; there is no bounce-back error.

Our hosting service has confirmed that the emails sent have been received by the bank’s email server.

We can receive the bank's emails fine.

Please whitelist us or do whatever needs to be done so we can resolve this issue; it is critical that we have email comms with the bank!

I hope that is enough info; please email rick@ssab.ws if you need more details.

Thanks in advance; I hope to have this resolved within 8 hours 🙂

0

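
Before asking a receiving filter to whitelist sending IPs, a sender normally confirms that those IPs are authorized by its own domain's SPF record. The code below is an added example, not part of the post and not a MessageLabs tool: it evaluates an IP against an SPF record using only the mechanisms that need no DNS (ip4, ip6, all), and stops with "unresolved" on any term that would need a lookup (a, mx, include, ptr, exists, redirect) instead of guessing. The SPF record in it is constructed for illustration; it is not the real ssab.ws record, and nothing here says SPF is the cause of the problem in the post.

```python
"""Evaluate a sending IP against an SPF record without DNS. Added example;
the record below is constructed and is not the real ssab.ws record."""
import ipaddress
import re

# Constructed SPF record listing the two sender IPs from the post (assumption).
EXAMPLE_SPF = "v=spf1 ip4:198.54.121.121 ip4:198.54.121.122 -all"
SENDER_IPS = ("198.54.121.121", "198.54.121.122")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and the modifier that need DNS lookups (RFC 7208 sections 5.3-5.7 and 6.1).
NEEDS_DNS = ("a", "mx", "include", "ptr", "exists", "redirect")


def evaluate_spf(sender_ip, spf_record):
    """Return (result, matched_term).

    Only ip4, ip6 and all are evaluated locally. The first term that needs a
    DNS lookup stops evaluation with 'unresolved' rather than guessing, so the
    answer is never wrong, only sometimes incomplete."""
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    for original in terms[1:]:
        term = original
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name = re.match(r"[a-zA-Z0-9]+", term)
        if not name:
            return "permerror", original
        mech = name.group(0).lower()
        rest = term[name.end():]
        if mech == "all" and not rest:
            return QUALIFIERS[qual], original
        if mech in ("ip4", "ip6") and rest.startswith(":"):
            try:
                net = ipaddress.ip_network(rest[1:], strict=False)
            except ValueError:
                return "permerror", original
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual], original
            continue
        if mech in NEEDS_DNS:
            return "unresolved", original
        if rest.startswith("="):
            continue  # unknown modifier such as exp=; ignored per RFC 7208
        return "permerror", original
    # No mechanism matched and no "all" term: RFC 7208 default result.
    return "neutral", None


def check_senders(ips, spf_record):
    """Map each sender IP to its SPF result; every outbound IP should come back 'pass'."""
    return {ip: evaluate_spf(ip, spf_record)[0] for ip in ips}


if __name__ == "__main__":
    for ip, result in check_senders(SENDER_IPS, EXAMPLE_SPF).items():
        print(f"{ip}: {result}")
```

Feed it the domain's real TXT record and the IPs the MTA actually uses for outbound mail; an "unresolved" result means the record relies on includes or a/mx lookups and needs a full DNS-aware checker to finish the evaluation.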

Alert for: Malicious traffic blocked: Web Attack: Fake TechSupport Domains 2

I need a solution

Hi Team,

We are using version 14.0.3929 in our environment along with ATP version 3.1.0-678. For the last couple of days we have been getting this alert in ATP:

2018-07-18 14:21:59 UTC
4124: Endpoint (IP/URL/Domain) Detection

Malicious traffic blocked: Web Attack: Fake TechSupport Domains 2

    app_name                C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE
    categories              Attack
    data_source_url_domain  172.*.*.*
    deepsight_domain        notavailable
    description             Malicious traffic blocked: Web Attack: Fake TechSupport Domains 2
    device_ip               172.*.*.*
    device_name             hostname
    device_time             2018-07-18 14:21:59 UTC
    device_uid              39c4147
    domain_name             abc
    event_desc              [SID: 30529] Web Attack: Fake TechSupport Domains 2 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    event_id                206: Intrusion detected
    external_ip             172.*.*.*
    host_name               hostname
    infected                false
    intrusion_url           www.bing.comwww.bing.com:443
    local_host_mac          000000000000
    log_time                2018-07-18 14:25:06 UTC
    network_protocol        2: TCP
    remote_host_mac         000000000000
    severity                3: Critical
    sid                     30529
    signature_id            30529
    signature_name          Web Attack: Fake TechSupport Domains 2
    symc_device_action      1: Blocked
    time                    2018-07-18 14:21:59 UTC
    timezone                UTC
    traffic_direction       1: Inbound
    type_id                 4124: Endpoint (IP/URL/Domain) Detection
    user_name               60891

Could you please explain what this attack actually means? Bing.com is already blocked in this environment.

Regards,
Jagadeesh

0

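
The dump itself already carries the fields an analyst reads first: which signature fired (sid / signature_name), in which process (app_name), what the agent did (symc_device_action) and whether the endpoint is flagged (infected). The script below is an added example, not Symantec code and not an ATP API client: it parses a console dump pasted in either the one-field-per-two-lines form the console emits or the joined key/value form, and reduces it to those triage fields. The embedded dump is the one from the post above, with the poster's own IP redactions; the backslashes in event_desc are restored on the assumption that they were stripped in copying.

```python
"""Parse an ATP console event dump into fields and summarise the triage-relevant
ones. Added example; it is not Symantec code and uses no Symantec API."""
import re

# Field dump copied from the post above (IPs redacted as the poster redacted them).
ALERT_DUMP = r"""
app_name                C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE
categories              Attack
data_source_url_domain  172.*.*.*
deepsight_domain        notavailable
description             Malicious traffic blocked: Web Attack: Fake TechSupport Domains 2
device_ip               172.*.*.*
device_name             hostname
device_time             2018-07-18 14:21:59 UTC
device_uid              39c4147
domain_name             abc
event_desc              [SID: 30529] Web Attack: Fake TechSupport Domains 2 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
event_id                206: Intrusion detected
external_ip             172.*.*.*
host_name               hostname
infected                false
intrusion_url           www.bing.comwww.bing.com:443
log_time                2018-07-18 14:25:06 UTC
network_protocol        2: TCP
severity                3: Critical
sid                     30529
signature_id            30529
signature_name          Web Attack: Fake TechSupport Domains 2
symc_device_action      1: Blocked
time                    2018-07-18 14:21:59 UTC
timezone                UTC
traffic_direction       1: Inbound
type_id                 4124: Endpoint (IP/URL/Domain) Detection
user_name               60891
"""


def parse_alert_fields(text):
    """Parse the console's flattened dump into {key: value}.

    The console emits 'key' and 'value' on alternate lines; copying from the
    page sometimes joins them as 'key<spaces>value'. Both forms are accepted:
    a line holding a single token is a key whose value is the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {}
    i = 0
    while i < len(lines):
        parts = re.split(r"\s+", lines[i], maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
            i += 1
        else:
            fields[parts[0]] = lines[i + 1] if i + 1 < len(lines) else ""
            i += 2
    return fields


def split_code(value):
    """'1: Blocked' -> (1, 'Blocked'); a value without a numeric code -> (None, value)."""
    m = re.match(r"^(\d+):\s*(.*)$", value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)


def triage(fields):
    """Pull out what an analyst checks first: what fired, on which process, what
    the agent did about it, and whether the endpoint is flagged as infected."""
    action = split_code(fields.get("symc_device_action", ""))[1]
    return {
        "sid": fields.get("sid"),
        "signature": fields.get("signature_name"),
        "process": fields.get("app_name"),
        "url": fields.get("intrusion_url"),
        "direction": split_code(fields.get("traffic_direction", ""))[1],
        "severity": split_code(fields.get("severity", ""))[1],
        "blocked": action == "Blocked",
        "infected": fields.get("infected", "").lower() == "true",
    }


if __name__ == "__main__":
    for key, value in triage(parse_alert_fields(ALERT_DUMP)).items():
        print(f"{key:10} {value}")
```

For the dump in the post the summary comes out as blocked = True and infected = False, which is what the console's own fields state; what the signature itself matches on is not something the dump (or this script) tells you, and that part of the question has to go to the signature's documentation.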

Symantec Endpoint Protection Cloud component versions

I need a solution

Hi,

When a machine is scanned there are 4 components detected:

Symantec Endpoint Protection.cloud

22.9.3.13

Symantec.cloud – Cloud Agent 3.00.10.2737
Symantec.cloud – Endpoint Protection 6.60.10.800

And the Add/Remove Programs entry shows

Symantec.cloud 3.00.10.2737

I want to understand what each component indicates and why 3 different versions are detected in the same product.

Are they the same product? Then why do they have different versions for the same product?

And what product does the version 6.60.10.800 belong to?

Can anyone help me understand the correlation?

0


DLP Integration

I need a solution

Hi,

We have configured 2 interfaces on the proxy: one for the Management Console and a second for the proxy's internet access.

We observed that the Management Console IP is making the connection to the DLP server IP instead of the second interface.

Can we define from which interface connections to DLP are sent?

0


ProxySG-Policy evaluation

I need a solution

Hi Team,

We have a transparent mode setup. The client has enabled TCP tunnel services in the protocol.

We have configured a block rule to block the social media and porn categories.

But users can still access URLs in those blocked categories. When we check the policy trace, it shows the IP address instead of the URL:

tunnel: get :/63.53.67.12

Those rules are not even matching in the policy execution.

Please advise on this.

Thanks,

Ram.

0


proactive threat protection and network threat protection not updating from manager

I need a solution

Hi,

I am using Endpoint Protection Manager 12.1.67.

My clients are not updating PTP and NTP automatically from the server, but Virus and Spyware Protection updates without any problem. This is a closed network and not connected to the internet. I download all three .jdb files and update the manager regularly. For now, for PTP and NTP I download the .exe file and manually update all clients.

Please suggest a solution.

Sajith

0
