Why SPE Doesn’t detect virus in Office files

I need a solution

Hi,

We as a user have a licensed version of SPE which we have installed in Windows Server 2012 Server.

We are using .Net Library of Symantec to send File for scanning. When we were testing out the solution we came to know that the Syamntec is not detecteing virus MS office files. We are using stand EICAR test files for the testing. Normal EICAR .txt files are dtected as a threat by syamntec and the ScanResult object gives out proper message.

But incase of EICAR MS Office files send to Symantec, server the responds as file not infected. The ScanResult object from Symantec says a proper connection to server is establised (ERR_CONN_SUCCESS) but just that file is not infected. The same file is flagged by my local laptop McAfee as infected.

Server Installed : Windows Server 2012

SPE Version : 8.0

In Symantec Console settings, set to scan all files & Bloodhound level is Medium

Could you please let us know what could be the possible issue over here and Could you also send out some Sample test file of all file types which can be tested.

It would be really great if you could respond ASAP, because our production deployment is waiting on this.

Thanks & Regads

Rahul S

0

Related:

EDR and blocking rules

I do not need a solution (just sharing information)

Good Morning,

Gartner in last report about EPP solution wrote about SEP:

Symantec EDR is missing advanced functions for large enterprise customers, such as case management workflow, remote shell response function (due 1Q20) and rapid pivot capabilities from one query to another. EDR does not provide blocking rules although automated actions can be scripted for specific detections. The user interface lacks guided investigation tips or contextual information, which makes it difficult to use for mainstream buyers. EDR and SEP are different management consoles.

What are these blocking rules?

Thanks.

0

Related:

  • No Related Posts

Symantec IP Reputation

I do not need a solution (just sharing information)

Dear All,

Our server (5.39.76.224) has suddenly been tagged with bad reputation preventing us from connecting with several customers and therefore directly impacting our business.

After trying several times to use the Symantec IP Reputation Investigation page (https://ipremoval.sms.symantec.com/ipr/remove) without any outcome, feedback or results (is such page really doing something?) I finally decided to register and create this post and see if it is more successful.

As  already reported by many other one´s in this forum, Symantec is the only entity assigning a bad reputation to our server by indicating that this host as been observed sending spam but without providing any evidences of such statement. We don´t even use mailing lists.

It is also rather confusing that we cannot even reply back to customers willing to send us their messages; in most systems this would automatically lead into a “white listing” situation.

A simple search on this subject in the Symantec forum return over 800 entries, is this not an indication that perhaps the methodology should be revisited?

I´m looking forward for your feedback and solutions.

Regards:

Eric

0

Related:

Removal issues with SEP 14

I do not need a solution (just sharing information)

I have recently begun a process to remove all old Symantec Endpoint Protection 14 installations from many machines.

The issue is about 95% of Windows 7 machines fail to uninstall and return an error of 1603. (Through command line or Powershell). Trying to remove from the control panel will have the progress proceed for a little, then the installer will revert itself. Once this process is completed Internet Explorer is no longer functional on any user logins. It modifies Internet Explorer registry keys during uninstall and doesn’t fix them during rollback. The only way to fix it, and restore functionality is to CleanWipe the machine. I have about 600 of these that need to be removed and realistically I cannot be manually running CleanWipe on each one.

What are my options here? I’ve looked many remote uninstall methods seem to be deprecated or not for use in 14. From what I can tell this is only affecting Windows 7 machines and 10 uninstalled without issues. Any input is appreciated.

0

Related:

Spotted “Chrome Elevation Service” Virus or Malware Please Help

I do not need a solution (just sharing information)

Hi Guys,

We have Symantec Endpoint Protection on our systems, however, looking through task manager I have found Elevation_Service.exe It is causing our laptops cpu usage to go up for no reason even though nothing is running in the task bar? We have run full system scans which took a couple hours and came out clean however I am still very concerned about it and wanted to ask other peoples opinions, Does it mean the chrome browsers have been hijacked? I have done some research and found out it is Google Chrome trying to do some sort of updates in the background causing load on the CPU. According to this site https://securedyou.com/what-is-google-chrome-elevation-service-exe/ I have followed what they suggested and got rid of it manually but it keeps coming back once you reboot the system? Any ideas or recommendations would be appreciated, can someone please confirm that this is not a virus and is harmless. Thank you

0

Related:

Question about Symantec Splunk Logs

I do not need a solution (just sharing information)

Hi all, 

So we get Symantec Endpoint logs from a customer pushed to Splunk, i’m looking to learn what both of the below files are actually used for

symantec:ep:risk:file
symantec:ep:security:file

The reason i’m asking is because we’re looking at what intervals these would expect to send logs to Splunk, any help is much appreciated.

Thanks

Jonathan 

0

Related:

add on license

I need a solution

Hi,
we try to buy add on license for about 4 moths now and their partner say Symantec worldwide has problem taking orders or selling license and we are not the only customer with is problem.
this is hard to believe, it you talk about hours, yes maybe, but months?
they are destroying Symantec name if this is not true.
We are in Singapore, can any one confirm this matter?>

0

1581523843

Related:

Peer-to-peer authentication

I need a solution

Hi all!

We have Symantec Endpoint Protection v 14.2.4815 on our endpoints. I’m trying to configure peer-to-peer authentication on some servers, to prevent network connection from hosts without Symantec.

When I activate firewall policy with “peer-to-peer authentication” enabled on that server, it begins to block all traffic from hosts that are not excluded,  even if SEP is installed on them and host integrity check is passed. 

Am I doing something wrong, or peer-to-peer authentication works in different manner?

Thanks in advance.

Elvin

0

Related:

  • No Related Posts

ICT – DLP have problems with ICT tags

I need a solution

Hi all,

We have Symantec ICT and DLP working together.

We just have a rule in DLP to work with ICT. The rule was created to block all documents classified as “Internal” to send to a external domain.

Is a simple rule.

Problem:
When we have just one external domain in the “recipient”, the e-mail or document is blocked to moving by e-mail, web or removible storage. But when we have a external domain and internal domain together in the “recipient”, the e-mail or documents not is blocked by prevents. Emails with “Internal” tagging is passing by Prevents.

Samebody have this problem?

Tks!

0

Related: