Symantec IP Reputation

I do not need a solution (just sharing information)

Dear All,

Our server (5.39.76.224) has suddenly been tagged with bad reputation preventing us from connecting with several customers and therefore directly impacting our business.

After trying several times to use the Symantec IP Reputation Investigation page (https://ipremoval.sms.symantec.com/ipr/remove) without any outcome, feedback or results (is such page really doing something?) I finally decided to register and create this post and see if it is more successful.

As  already reported by many other one´s in this forum, Symantec is the only entity assigning a bad reputation to our server by indicating that this host as been observed sending spam but without providing any evidences of such statement. We don´t even use mailing lists.

It is also rather confusing that we cannot even reply back to customers willing to send us their messages; in most systems this would automatically lead into a “white listing” situation.

A simple search on this subject in the Symantec forum return over 800 entries, is this not an indication that perhaps the methodology should be revisited?

I´m looking forward for your feedback and solutions.

Regards:

Eric

0

Related:

Registry values to check status of Norton/Symantec AntiVirus

I do not need a solution (just sharing information)

This is a general question. I am trying to find information to determine TimeOfLastScanPatternFileRevision and PatternFileDate etc settings directly in the registry for Norton AntiVirus on Windows 10.

I believe most Norton AntiVirus values should be located under HKEY_LOCAL_MACHINESOFTWAREIntelLANDeskVirusProtect6CurrentVersion…, but the latest Norton AntiVirus 22.19.8.65 trial version does not appear to have the same location in the Registry?

I can only see HKEY_LOCAL_MACHINESOFTWARENorton… and HKEY_LOCAL_MACHINESOFTWARESymantec…. But I cannot find these values I want to check programmatically (Time of last scan and pattern file date etc).

Have Symantec changed the design and Registry location for Norton AntiVirus at some point in the past? Or is the usual location missing because I am using the trial version?

Can someone please clarify why HKEY_LOCAL_MACHINESOFTWAREIntelLANDeskVirusProtect6CurrentVersion… is no longer visible in the latest version of Norton (Symantec) AntiVirus?

Thank you.

Trevor

0

Related:

SECURITY at RISK in combination with SEP and App volumes VmWare + Slow login/app performance. 

I need a solution

We`ve been troubleshooting slow login and poor application performance on our Non Persistent VDI for a while now. App Volumes and Symantec Endpoint Protection 14.x doesn`t seem to like each other.

Without a SEP client installed everything is performing well and user experience feels like a persistent VDI. When SEP is installed including all obvious exceptions and even using the virtual image exception tool no significant change in performance is noticed. We`ve been testing all scenario`s disabling components of SEP. Only disabling “Application & Device Control” seems to improve login and application performance.

By accident we found out that SEP didn’t work at all !! Everything looked fine from SEPM and SEP side.The SEP GUI indicated that there were no problems detected “Your computer is protected”, but stopping and then starting the smc.exe resulted in a crash. It may seem that the service is running, but in reality the Symantec client has crashed see image below. The only way to start the SEP client was rebooting. We also saw that a simple EICAR test virus was not detected even when the SEP client was running and the GUI indicating that the computer was protected. Then we discovered that this behavior only occurs when an app stack is attached. 

With the knowledge we had that this behavior only occurs when an app stack is attached, we added exceptions for Symantec in the snapvol.cfg of the App Stack. These exceptions have solved the problem that the client could be restarted/stopped and also a EICAR test virus was detected again. 

Since Symantec is working now we see better startup times of thinapps in an app stack . Login times unfortunately not. We declared all the collected log files to be unreliable before the exceptions in snapvol.cfg, because the SEPclient did not work at all. And so we believe that specific non-persistent SEP policies and exceptions may not have worked at all.  We collected a large set of logs and offered it to Symantec for a second review. 

Another Interesting fact that is noticed by ‘Scarlito’ on the VMware forum (see link at the end of this post) is that this problem only appears after I applying Microsoft Security KB4056897 or later (and of course, with SEP agent installed and AppStacks mounted)

This means the problem is not only with SEP + AppVolumes, but SEP + AppVolumes + MS Updates (starting january 2018 and all the Intel security breaches fixes).

If I remove ANY ONE of these 3 elements, everything works well.

Until now, no Monthly security updates from Microsoft has solved anything.

These are the standard exceptions in the snapvol.cfg:

>

exclude_path=ProgramDataSymantec
exclude_path=Program FilesSymantec
exclude_path=Program FilesCommon FilesSymantec
exclude_path=Program Files (x86)Symantec
exclude_path=Program Files (x86)Common FilesSymantec

These are the custom exceptions we added to the snapvol.cfg:

Disclaimer: I would like to warn you and everyone else that this is at your own risk. On the other hand, without these exclusions the virus scanner probably didn’t work at all !

For validation of these exceptions we opened a PR at VMware. Please report to VMware if you’re facing the same problem. 

>

# Custom Exclusion Symantec Performance Issues

exclude_registry=REGISTRYMACHINESOFTWARESymantec
exclude_registry=REGISTRYMACHINESOFTWAREWow6432NodeSymantec

exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesBHDrvx64
exclude_registry=REGISTRYMACHINESYSTEMControlSet001serviceseeCtrl
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesEraserUtilRebootDrv
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesIDSVia64
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSepMasterService
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSNAC
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSRTSP
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSRTSPX
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSyDvCrtl
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSymEFASI
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSymELAM
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSymEvent
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSymIRON
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSYMNETS
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSysMain
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesSysPlant
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesTeefer2

exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesEventlogApplicationSymantec Antivirus
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesEventlogApplicationSymantec Endpoint Protection
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesEventlogApplicationSymantec Network Protection
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesEventlogApplicationSymantec WSS Traffic Redirection
exclude_registry=REGISTRYMACHINESYSTEMControlSet001servicesEventlogSymantec Endpoint Protection Client

exclude_path=Program FilesCommon FilesSymantec Shared
exclude_path=Program Files (x86)Common FilesSymantec Shared

exclude_process_name=ccSvcHst.exe
exclude_process_name=SmcGui.exe
exclude_process_name=SISIDSService.exe
exclude_process_name=SISIPSService.exe
exclude_process_name=SISIPSUtil.exe
exclude_process_name=sepWscSvc64.exe

>

This is the link of the topic we posted on the VMware forum. 

https://communities.vmware.com/thread/617203

I’m curious if there are more people who have this problem. Hopefully this post has also made people aware of the fact that their security may not function without them noticing. 

Currently we have cases for these problems ongoing at Symantec and Vmware

0

Related:

SED: TECH253087 Decryption blocked.

I need a solution

“SED: TECH253087 Decryption blocked. The file that you are trying to decrypt is not secure because it is not encrypted using SEIP (Symmetrically Encrypted Integrity Protected) packets.”

I’m a home user who recently upgraded Symantec Encryption Desktop (SED) to version 10.4.2 MP3 and now can’t open any of my many previously created PGP Zip files.  I found the TECH253087 tech article that says there’s a solution, so contacted support but was told they can’t help me at all because I didn’t buy a license for the product.

So is Symantec is offering no solution to this problem for long time users of this product for home use, leaving us home users with encrypted data that’s no longer accessible?

There must be something Symantec can suggest, or is Symantec saying home users must now pay for a software licence to get their data back (ransomware)?

Any thoughts or suggestions are welcome.

I’m running SED on Windows 8.1 Pro x64 OS.

0

Related:

  • No Related Posts

How to Backdate Virus Definitions in Symantec Endpoint Protection Manager

I do not need a solution (just sharing information)

***Taken From Symantec Support TECH102935 ***

You suspect that the virus definitions currently in use by Symantec Endpoint Protection (SEP) clients are corrupt, and would like to roll back to a previous virus definition set. These clients are managed by a Symantec Endpoint Protection Manager (SEPM).  You wish to configure or control the content revisions that clients use.

Please note:

the example below shows reverting AntiVirus definitions to an earlier version.  The procedure works with other SEP components as well (reverting to an earlier release of IPS definitions, etc)

To rollback definitions, the [LiveUpdate Settings] policy -> Server settings -> [Use default management server] must be enabled.

The method described below can also be used to circumvent a confirmed False Positive (FP) until definitions are available that remove the detection.  In the case of False Positives, though, creating a specific exclusion or awaiting new Rapid Release definitions is the recommended approach.  As each set of new definitions includes protection against new threats, reverting to an older revision will always introduce security risk into an organization.

SOLUTION:

Follow the steps below to roll back virus definitions in Symantec Endpoint Protection Manager:

  1. Click Policies
  2. Select View Policies
  3. Click LiveUpdate.
  4. Double-click your current LiveUpdate Content Policy Under the “LiveUpdate Content” tab. The LiveUpdate Content Policy Overview dialog box appears.
  5. From the “LiveUpdate Content” section, click Security Definitions.
  6. Enable the Select a revision option located in the “AntiVirus and AntiSpyware definitions” section,
  7. Click the Edit button. The Select Revision – Antivirus and AntiSpyware definitions dialog box appears.
  8. Expand the drop-down list and browse to the appropriate (32-bit or 64-bit) definition set.
  9. Click the desired rollback definition date.
  10. Click OK.
  11. Click OK to close the “Security Definitions” dialog box and return to the “Policies” tab.

Note: Remember to later return to your LiveUpdate Content Policy and change back to the Use latest available option.  Definitions on all endpoints must be kept current in order to protect against the latest threats in circulation. 

Click HERE to go to original TECH article

0

Related:

.dat files in Library/Application Support/Symantec/Antivirus on Mac

I do not need a solution (just sharing information)

I’m a mac user and have been running low on disk space for a while. I recently found out most of the disk space was occupied by ‘system files,’ a huge part of which consisted of various .dat files under dozens of folders named after dates (e.g., “20171212,” “20171121”) in Library/Application Support/Symantec/Antivirus folder. 

My questions are, 

1) What are these files? 

Individiual .dat file names include “tcdefs,” “viruscan,” “hp,” “hf,” “tcscan,” and some others. 

2) Is it safe to remove some of the older folders/files? This AntiVirus folder (under Library/Applciation Support/Symantec) is taking up more than a 100 GB space. 

I would much appreciate any advise/help! Thank you. 

0

Related:

Symantec antivirus API for document Upload

I need a solution

Hello,      

We are looking for a feature where we can scan the document through the Symantec antivirus API before uploading it to the application.

We checked through various documents but couldn’t find any proper solution.

Please let us know if there is any API or any other way through which we can scan the document for virus while uploading the document in c#.

0

Related: