Using HIDS

I need a solution

Hey guys,

In the middle of managing a fairly big rollout and upgrade of DCSSA, where there are a number of administrators and people who prefer to use the commands to put DCS into a builtin mode instead of tuning or using the override.exe tool.

Is there a way to create a detection event to track who runs sisipsconfig -r? Looking to create an event which can report the user name that has run the command.

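An added example, not from the original post and not a DCS feature: where process-creation auditing is enabled on the agent hosts (Windows Security event 4688 with "Include command line in process creation events" turned on), the question reduces to filtering those events for the sisipsconfig.exe image started with -r and reporting the subject account. The records below are constructed in the shape of 4688 fields; the install path, host names and accounts are made up.

```python
import ntpath
import shlex
from typing import Dict, List

# Constructed process-creation records in the shape of Windows Security event 4688
# with command-line logging enabled. Field names follow the event's own labels;
# hosts, accounts and the install path are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "TimeCreated": "2018-06-18T09:12:03Z", "Computer": "APP01",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Program Files\Symantec\DCS\IPS\bin\sisipsconfig.exe",
     "CommandLine": "sisipsconfig.exe -r"},
    {"EventID": "4688", "TimeCreated": "2018-06-18T09:15:40Z", "Computer": "APP01",
     "SubjectDomainName": "CORP", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files\Symantec\DCS\IPS\bin\sisipsconfig.exe",
     "CommandLine": "sisipsconfig.exe -v"},
    {"EventID": "4688", "TimeCreated": "2018-06-18T11:02:17Z", "Computer": "DB02",
     "SubjectDomainName": "CORP", "SubjectUserName": "carol",
     "NewProcessName": r"C:\Program Files\Symantec\DCS\IPS\bin\sisipsconfig.exe",
     "CommandLine": r'"C:\Program Files\Symantec\DCS\IPS\bin\sisipsconfig.exe" -r'},
    # Mentions the string, but the image started is cmd.exe: must not fire.
    {"EventID": "4688", "TimeCreated": "2018-06-18T11:30:00Z", "Computer": "DB02",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo sisipsconfig -r"},
    # A logon event, not a process creation: ignored.
    {"EventID": "4624", "TimeCreated": "2018-06-18T11:31:00Z", "Computer": "DB02",
     "SubjectDomainName": "CORP", "SubjectUserName": "dave",
     "NewProcessName": "", "CommandLine": ""},
]

TARGET_IMAGE = "sisipsconfig.exe"
TARGET_FLAG = "-r"


def is_override_command(event: Dict[str, str]) -> bool:
    """True when a 4688 event is sisipsconfig.exe started with the -r switch."""
    if event.get("EventID") != "4688":
        return False
    # Match on the executable that was actually started, not on the raw command
    # text, so "echo sisipsconfig -r" inside cmd.exe does not count.
    image = ntpath.basename(event.get("NewProcessName", "")).lower()
    if image != TARGET_IMAGE:
        return False
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = shlex.split(event.get("CommandLine", ""), posix=False)
    return TARGET_FLAG in tokens[1:]


def find_override_runs(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Report who ran the command, on which host and when."""
    hits = []
    for ev in events:
        if is_override_command(ev):
            hits.append({
                "when": ev["TimeCreated"],
                "host": ev["Computer"],
                "user": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
                "command": ev["CommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_override_runs(SAMPLE_EVENTS):
        print(f"{hit['when']} {hit['host']} {hit['user']}: {hit['command']}")
```

Two caveats when turning this into a real alert: 4688 attributes the process to the account that started it, so a scheduled task or service run shows SYSTEM rather than the administrator who set it up, and the event's Subject Logon ID is what ties it back to the interactive session; and the -r switch is matched as an exact token, so a wrapper script that invokes the tool differently needs its own rule.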

Upgrade to SEP Manager 14.2 loses policies

I need a solution

Hi,

Over the weekend, I upgraded our SEPM from 14.0 RU1 MP2 to SEPM 14.2. Our server is a Hyper-V VM running Windows 2008 R2. I noticed after the successful upgrade that some policies had disappeared from our main group. This group uses customized non-shared policies. After the upgrade, the non-shared Firewall, Intrusion Prevention, Application and Device Control, Memory Exploit Mitigation, and Exceptions policies were gone from the group. Any groups with shared policies were unaffected. I also noticed some of the locked settings in the remaining policies were now unlocked. I created a checkpoint of the VM before the upgrade and was able to roll back to 14.0 RU1 MP2. I tried the upgrade multiple times with the same results each time.

It looks like I will have to create new policies to replace the ones that disappeared. I validated the built-in DB after the update and it passed validation. I have never seen this before after dozens of upgrades over the years. Can anyone offer an explanation?

Thanks,

CQ


Upgrade to 14.2

I need a solution

I am running Windows 10 Pro, 64-bit OS, Version 1803 (OS build 17134.112) with SEP client 14.0.3929.1200. 

The operating system has all current MS patches applied.

Yesterday, I downloaded Sep64_To_758_EN.zip and extracted the correct executable to upgrade my client.

The client was not upgraded.

I checked the installation files and discovered that the assumed language for the upgrade was Korean!

Perhaps the reason for the failure to upgrade was due to the presumed language (Korean) being inconsistent with my system (US English).

Someone should check to assure that the proper language version is associated with the upgrade file names.


Attack: Ransom.Gen Activity 22

I need a solution

Hi there, I'm receiving this alert at least 40 times a week (mostly on weekends). It seems to be an internal issue, as I'm behind a firewall and both the attacker and the target are part of the network. I really appreciate comments and support.

Luis

A high-risk intrusion was detected on PC within group Default Group on 6/18/2018 11:44:59 AM.
IPS Alert Name: Attack: Ransom.Gen Activity 20
Status: Blocked
Attack Signature: N/A
Targeted Application: N/A
Targeted IP: 192.168.1.2
Targeted Port Number: 445
Targeted Host Name: SERVER


Check for SEP 14, macOS Virus Def Status via CLI?

I need a solution

Hello!

We manage our Macs with the JAMF Casper Suite. Currently, we have some systems which are not updating their virus definitions. I was wondering if there is a definitive key, plist value, attribute, log string or some other data I can access via the command line which would allow me to build smart computer group criteria in the JAMF server. This would allow us to identify all systems whose virus defs are not up to date, which in turn would allow us to take remedial action either through Self Service or by launching LiveUpdate remotely.

Thank you in advance for any assistance anyone may be able to provide.

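An added example, not from the original post and not Symantec's code: the shape of a JAMF extension attribute that turns a definitions date into a Current/Stale result that a smart group can key on. Both the file path and the `CurDefs=YYYYMMDD.NNN` line format are assumptions to be verified on a managed Mac before this is deployed, and the file content below is constructed.

```python
import re
from datetime import date, datetime
from typing import Optional, Tuple

# ASSUMPTION (not confirmed on the page): the Mac client keeps a definfo.dat
# with a "CurDefs=YYYYMMDD.NNN" line under this directory. Check the real path
# on a managed Mac before using this as an extension attribute.
ASSUMED_DEFINFO_PATH = "/Library/Application Support/Symantec/AntiVirus/Engine/definfo.dat"

# Constructed file content used to demonstrate the parsing.
SAMPLE_DEFINFO = "[DefDates]\nCurDefs=20180601.021\nLastDefs=20180531.003\n"

CURDEFS_LINE = re.compile(r"^CurDefs=(\d{8})\.(\d+)\s*$", re.MULTILINE)


def parse_curdefs(text: str) -> Optional[Tuple[date, int]]:
    """Return (definition date, revision) from the CurDefs line, or None if absent."""
    m = CURDEFS_LINE.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d").date(), int(m.group(2))


def defs_age_days(text: str, today: Optional[str] = None) -> Optional[int]:
    """Age of the installed definitions in days; `today` is ISO YYYY-MM-DD, or None for now."""
    parsed = parse_curdefs(text)
    if parsed is None:
        return None
    ref = date.fromisoformat(today) if today else date.today()
    return (ref - parsed[0]).days


def jamf_result(text: str, today: Optional[str] = None, max_age_days: int = 3) -> str:
    """JAMF extension attributes store whatever the script prints between <result> tags."""
    age = defs_age_days(text, today)
    if age is None:
        return "<result>Unknown</result>"
    state = "Current" if age <= max_age_days else "Stale"
    return f"<result>{state} ({age} days old)</result>"


def read_definfo(path: str = ASSUMED_DEFINFO_PATH) -> str:
    """Read the definitions file; a missing or unreadable file is reported as Unknown."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    print(jamf_result(read_definfo()))
```

With the attribute in place, a smart group whose criterion is the extension attribute "like" Stale (or Unknown, for machines where the file was not found) gives the remediation target list; the max_age_days threshold should be set to something slightly longer than the LiveUpdate schedule so a machine that is merely a day behind does not churn in and out of the group.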

Need SQL Query

I need a solution

Hi, I'm searching for a SQL query which shows me the same result as the Computer Status Report in SEEM.

I've tried searching in the table dbo.computers, but unfortunately I don't know how to select "Display only computers with SEEM Agent".

Can anyone help me?


Unknown Cipher Number using encrypt with public key

I need a solution

Hello!

I'm trying to encrypt using "PGP Command Line 10.4.1 build 54" and it works flawlessly, but with some RSA keys I get the following output:

# pgp -e test.txt -r 0xXXXXXXXX --passphrase " " -s --verbose
pgp:encrypt (3157:current local time 2018-06-14T08:50:49+02:00)
pubring.pkr:open keyrings (1006:public keyring)
secring.skr:open keyrings (1007:private keyring)
0xXXXXXXXX:encrypt (1030:key added to recipient list)
0xYYYYYYYY:encrypt (1051:default key added as signer)
test.txt:encrypt (3090:operation failed, unknown cipher number)

It looks like the public key from the other party (the one I want to encrypt to) was created with Kleopatra, but this shouldn't be an issue, as I have other colleagues who use that software too.

How could I check what’s wrong?

Thanks.

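An added example, not from the original post and not PGP Command Line or GnuPG code: a small OpenPGP packet walker that extracts the preferred symmetric cipher list (signature subpacket type 11) from a key's self-signatures. That list is what an encryptor consults when it picks a cipher for a recipient, so when one key fails with an unknown cipher number while others work it is the first thing worth comparing between the good and bad keys. SAMPLE_SIG is a constructed signature packet, not a real key, and KNOWN_IDS is an assumption: the page does not say which cipher ids PGP Command Line 10.4 supports.

```python
from typing import Iterator, List, Tuple

# OpenPGP symmetric-cipher ids (RFC 4880 section 9.2; Camellia ids from RFC 5581).
SYM_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128",
             8: "AES192", 9: "AES256", 10: "Twofish", 11: "Camellia128",
             12: "Camellia192", 13: "Camellia256"}
# ASSUMPTION for the example: the encrypting side knows only the RFC 4880 core
# ids. Which ids PGP Command Line 10.4 accepts is not stated on the page.
KNOWN_IDS = {1, 2, 3, 4, 7, 8, 9, 10}

# Constructed v4 signature packet (not a real key; the MPI is a placeholder).
SAMPLE_SIG = bytes([
    0xC2, 0x24,                    # new-format header: tag 2 (signature), body length 36
    0x04, 0x13, 0x01, 0x08,        # v4, positive certification, RSA, SHA-256
    0x00, 0x0D,                    # hashed subpacket area: 13 bytes
    0x05, 0x02, 0x5B, 0x22, 0x00, 0x00,         # type 2: signature creation time
    0x06, 0x0B, 0x09, 0x08, 0x07, 0x0D, 0x02,   # type 11: AES256 AES192 AES128 Camellia256 3DES
    0x00, 0x0A,                    # unhashed subpacket area: 10 bytes
    0x09, 0x10, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,  # type 16: issuer key id
    0xAB, 0xCD,                    # left 16 bits of the signed hash
    0x00, 0x08, 0xFF,              # one 8-bit MPI
])


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if ctb & 0x40:                      # new format
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old format
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                  # indeterminate: runs to end of input
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        yield tag, data[pos:pos + length]
        pos += length


def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) from a signature subpacket area (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        pos += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + area[pos] + 192
            pos += 1
        else:
            length = int.from_bytes(area[pos:pos + 4], "big")
            pos += 4
        stype = area[pos] & 0x7F            # the length counts the type octet
        yield stype, area[pos + 1:pos + length]
        pos += length


def preferred_sym_algos(key: bytes) -> List[Tuple[int, List[int]]]:
    """(signature type, cipher ids) for every v4 signature carrying subpacket 11."""
    found = []
    for tag, body in iter_packets(key):
        if tag != 2 or not body or body[0] != 4:
            continue
        hashed_len = int.from_bytes(body[4:6], "big")
        for stype, sbody in iter_subpackets(body[6:6 + hashed_len]):
            if stype == 11:
                found.append((body[1], list(sbody)))
    return found


def unknown_ciphers(key: bytes) -> List[int]:
    """Cipher ids the key asks for that fall outside KNOWN_IDS."""
    ids = {i for _, algos in preferred_sym_algos(key) for i in algos}
    return sorted(ids - KNOWN_IDS)


def describe(ids: List[int]) -> List[str]:
    return [SYM_ALGOS.get(i, f"unknown({i})") for i in ids]


if __name__ == "__main__":
    import sys
    key = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SIG
    for sig_type, ids in preferred_sym_algos(key):
        print(f"signature type 0x{sig_type:02x}: {' '.join(describe(ids))}")
    print("outside KNOWN_IDS:", " ".join(describe(unknown_ciphers(key))) or "none")
```

Feed it a binary export of the problem key (`gpg --export 0xXXXXXXXX > key.gpg`, without --armor, since the walker does not dearmor) and the same numbers can be cross-checked with `gpg --list-packets key.gpg`, which prints the subpacket as `pref-sym-algos`. GnuPG's `--edit-key` has `showpref` to display these preferences and `setpref` to change them, but that has to happen on the key owner's side and produces a new self-signature you would need to re-import.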