Channel: Symantec Connect - Products - Discussions

How to create a custom program in Data Center Security

I need a solution

Hi,

I am having trouble getting an application to run with Data Center Security 6.0.  My policy is using the Hardened mode and prevention is enabled.  Unlike most apps which are blocked, the logs are not showing me why this app is being blocked.  I suspect it has something to do with registry access but I am not 100% sure.  What I would like to do is set up a custom application for this one application, and allow everything at first but log everything: file, registry, process access.  Then I could narrow this down.  I am reading the documentation which came with the installer to see how to create the custom app, but the steps don't match what I see in my console.  Would anyone kindly point me in the right direction for setting up a custom application that starts with no restrictions?  One thing I can add is that this app is assigned to the Trusted_Updater sandbox, and if I disable that sandbox, my app will run.

Thanks in advance,

BB


Upgrading CSP 5.2.8 to DCS advanced 6.0

I need a solution

We are aiming to upgrade CSP 5.2.8 to DCS Advanced; nearly 100+ CSP agents are installed on Linux 6.0 VM hosts. Before proceeding further we need to know whether "DCS Advanced 6.0" still requires CSP agents on the Linux hosts or not.

Also looking for an installation guide for upgrading CSP 5.2.8 to DCS Advanced.



Need to know more about DCS

I need a solution

Hi All,

I'm very new to DCS and have never installed it; however, I would like to know more about it.

1) Is ESXi 4.1 supported? (I know the installation guide says DCS supports VMware ESXi v5.1 and v5.5, but it doesn't specify "only" :-) )

2) Is it possible to manage VMs as individual servers?

Thanks,

-Syed Hussain


DCSS 6.0 Internal Rules and troubleshooting events in Monitor

I need a solution

Hi,

I am using DCSS 6.0 prevention policies.  My question involves events I see in Monitor.  Some events show a line called "Internal Rule."  For example, one of my events has the following:  Internal Rule                   .OD

In most cases, this Internal Rule references a section of the sandbox such as "Sandbox Outbound Access", so it is easy to figure out why the event was triggered and how to make an exception in the sandbox.  But when I see something like internal rule .OD, I think it is referencing one of the settings under General Settings and not Registry, File, Network etc.

My question is, does Symantec have a list or table of what these Internal Rules are?  For example, what does .OD refer to?

Thanks in advance


Cannot apply policy when Prevention is enabled

I need a solution

Hello,

I am running SDCSS 6.0.  I have created a hardened policy for an XP machine with Prevention disabled.  After watching events for a couple of weeks, I used the wizard to make the necessary changes.  Now I am trying to change the policy so that Prevention is enabled.  However, whenever I apply a Prevention policy to this one machine, I get the following error:

Policy Translation Failed: Failed to set Driver Configuration Registry Value Filter File:\??\C:\Program Files\Symantec\Data Center Security Server\Agent\IPS\driver\policy5716102.conf

The error appears on the client and in the management console.  As a result of the error, the new policy will not get applied to the client.  If I disable Prevention and reapply the policy, the client is fine again.  I also notice a particular prevention event when prevention is disabled and I am not sure if it is related:  

Description                     Process Modification Allowed for (CCMEXEC.EXE) on (C:\Program Files\Symantec\Data Center Security Server\Agent\IPS\bin\translate.exe).
Policy Name                     Hollister - Logging - Hardened - XP - India
Internal Rule                   .DN
Process                         C:\WINDOWS\SYSTEM32\CCM\CCMEXEC.EXE
Module Path                     \WINDOWS\SYSTEM32\CCM\MTRMGR.DLL
Target Process - Sandox         hardened_ps
Target Process Name             C:\Program Files\Symantec\Data Center Security Server\Agent\IPS\bin\translate.exe
Agent State                     Prevention Globally Disabled
Disposition                     Allow
Sandbox                         def_winsvcs_ps
Operation                       OpenProcess
OS Result                       00000000 (SUCCESS)
SDCSS Result                    00000000 (SUCCESS)
Process ID                      2692
Target Process ID               3488
Actual Permissions              00100411 (synch, terminate, vm_read, query_information)
Caller Thread ID                3416
Permissions Requested           00100411 (synch, terminate, vm_read, query_information)
Process Signature               Unsigned (00000000)
Module Signature                Unsigned (00000000)

I found this interesting because the target process is "translate.exe." The first error I provided above says Policy Translation Failed, so I wonder if translate.exe must run to be able to do the policy translation.  

I have tried changing the policy so that all sandboxes are turned off with Prevention enabled.  I still get the Policy Translation Failed error.  

I have not run into this on my other hosts so far.

Thanks in advance for your assistance,

Bob


Dongle stops working after DCSS agent installed

I need a solution

Hi Everyone,

A colleague installed the DCSS agent (6.0) on a machine with IPS enabled.  After reboot, the machine had a null policy.  With the null policy enabled, my colleague reported that a dongle plugged into a parallel port on the machine stopped working.  Should the agent be conflicting with a device under a null policy or with prevention disabled?  I checked Monitor and found nothing of interest.  I am looking for suggestions for troubleshooting.

Thanks Bob

Microsoft SQL sandbox

I need a solution

Hi,

I am running SDCSS 6.0.  The client in question is running a Hardened policy with Prevention disabled.  I got the following event from a workstation and I am trying to figure out where I need to make a policy change.  SQLSERVR.EXE is trying to access a bunch of files such as templog.ldf and templog.mdf.  I also have similar events for registry access.  SQLSERVR.EXE is assigned the hardened_ps, but according to info from Symantec, Rule Name :i.AN;mssqlsrv is triggered by the target.  Do I have to turn off the SQL protection in the mssqlsrv sandbox to allow this connection?  If I do, then I lose the protection.

SOURCE

Agent Name                      [replaced]
Host Name                       [replaced]
Host IP Address                 [replaced]
User Name                       NT AUTHORITY\SYSTEM
Agent Version                   6.0.0.380
OS Type                         Windows
OS Version                      XP Service Pack 2
Agent Type                      CSP Native Agent

EVENT

Event Type                      File Access
Event Category                  Real Time - Prevention
Operation                       NtCreateFile
Event Severity                  Warning
Event Priority                  45
Acknowledgement Status          false
Event Date                      24-Jul-2014 01:51:47 CDT
Post Date                       24-Jul-2014 01:54:55 CDT
Post Delay                           00:03:08
Event Duration                       00:00:00
Event Count                     1
Event ID                        1375966

DETAILS

Description                     File Write Allowed for SQLSERVR.EXE on C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
Policy Name                     Hollister - Logging - Hardened - XP - Melbourne
Rule Name                       :i.AN;mssqlsrv
Internal Rule                   mssqlsrv Data Protection No Access
Process                         C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
Module Path                     C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
File Name                       C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
Agent State                     Prevention Globally Disabled
Disposition                     Allow
Sandbox                         hardened_ps
Operation                       NtCreateFile
OS Result                       00000000 (SUCCESS)
SDCSS Result                    00000000 (SUCCESS)
Permissions Requested           0012019F (read_control, synch, read_data, write_data, append_data, read_ea, write_ea, read_attr, write_attr)
NT Create Disposition           1 (open)
Process ID                      180
Thread ID                       620
Process Signature               Unsigned (00000000)
Module Signature                Unsigned (00000000)

Bob

SDCSS Vs Change in how signatures are verified for binaries signed with the Windows Authenticode signature format

I need a solution

Hi, I hope Symantec is aware of the Microsoft update below.

Change in how signatures are verified for binaries signed with the Windows Authenticode signature format. Effective from: August 12, 2014.

After 12th Aug the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure. Note that after August 12, 2014, Windows will no longer recognize non-compliant binaries as signed.

The security bulletin for this patch is: https://support.microsoft.com/kb/2893294

Related Microsoft Security Advisory: https://technet.microsoft.com/library/security/2915720

Known issues as of now:

  1. Windows Server 2003: The Remote Desktop Services service may not start. Workaround/solution as in the Word doc.
  2. For Windows Vista or Windows Server 2008: After you install this security update on a computer that is running Windows Vista or Windows Server 2008, the computer name might change to "MINWINPC." When this problem occurs, you cannot log on to the computer even if you restart it. When you try to log on, you may receive an error message that resembles the following: "The username or password is incorrect."

Workaround/solution as in the Word doc.

  3. For non-MS products: Currently a very non-descriptive response has been shared by MS: "In a nutshell, if you are using a component which is not following the standards, it will be considered unsigned."
  4. Information requested from MS about known instances of issues with other products.

Does this affect SDCSS functionality? Or is there any action required from SEP?

Regards,

Sankara Subramanian


Symantec Data Center Security - Very Urgent Question

I need a solution

Good Day all,

We're working on a project that requires moving from Windows Server 2003 to Windows Server 2013.

The customer will first move from 2003 to 2010 for some time to migrate all the accounts, to be ready to move to 2013.

So he needs to internally secure the e-mail traffic, and he works with 8 servers: 4 active and 4 backup.

So I need to know how many licences of SDCS:SA are needed to secure the 8 servers (using Windows Server 2010), and whether they will be supported till 2013 using the same licenses?

I DO REALLY APPRECIATE YOUR PROMPT RESPONSE as we're running out of time :)

[SDCS] How can I do system lockdown?

I need a solution

I need trusted processes to be able to run and call sub-processes.

All other processes can be denied.

I set the policy content below...

[attached screenshots: 180px_SDCS-01.png, 180px_SDCS-02.png]

I can deny non-trusted processes, but I can't allow a trusted process to call a sub-process.

For example:

cmd.exe is a Trusted Updaters process.

When cmd.exe calls putty.exe, putty.exe can't be run.

The log shows deny_ps.

How can I do this?

Thanks

Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

I need a solution

Hi all,

I was hoping to get some help with the following event. This is an IIS-based web server and I keep getting the event below. As far as I can tell, there is no way to whitelist this behaviour. Any tips?

SOURCE

Agent Name                      xxxx
Host Name                      xxxx
Host IP Address                 x.x.x.x
User Name                       NT AUTHORITY\SYSTEM
Agent Version                   6.0.0.380
OS Type                         Windows
OS Version                      Server 2008 R2 Service Pack 1
Agent Type                      CSP Native Agent

EVENT

Event Type                      Process Access
Event Category                  Real Time - Prevention
Operation                       OpenProcess
Event Severity                  Warning
Event Priority                  45
Acknowledgement Status          false
Event Date                      12-Aug-2014 20:00:49 BST
Post Date                       12-Aug-2014 20:00:51 BST
Post Delay                           00:00:02
Event Count                     1
Event ID                        1648487

DETAILS

Description                     Process Modification Allowed for (W3WP.EXE) on (SYSTEM).
Policy Name                     Web server hardened policy BETA
Process                         C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE
Module Path                     C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
Target Process - Sandox         kernel_ps
Target Process Name             SYSTEM
Agent State                     Prevention Globally Disabled
Disposition                     Allow
Sandbox                         iis_ps
Operation                       OpenProcess
OS Result                       00000000 (SUCCESS)
SDCSS Result                    00000000 (SUCCESS)
Process ID                      9440
Target Process ID               4
Actual Permissions              001fffff (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, v
Caller Thread ID                10236
Permissions Requested           001FFFFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume, query_limited_information)
Process Signature               Microsoft OS Component (00039437)
Module Signature                Unsigned (00000000)
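Both process-access events quoted on this page (the CCMEXEC.EXE one in the "Cannot apply policy" post and the W3WP.EXE one above) carry a hex access mask next to the right names SDCSS decodes from it. The Python below is an added example, not code from the original posts or from Symantec: it parses that "Key  Value" record layout, expands the mask from the Windows process access-right constants (the bit/name table is assumed from winnt.h), and flags the two things a reviewer would want to see first, a full-access handle and a target in the kernel_ps sandbox. The sample record is constructed from the event above.

```python
import re

# Windows process access-right bits (assumed from winnt.h), listed in the
# order SDCSS prints them: standard rights first, then process-specific.
ACCESS_BITS = [
    (0x00010000, "delete"), (0x00020000, "read_control"),
    (0x00040000, "write_dac"), (0x00080000, "write_owner"),
    (0x00100000, "synch"), (0x0001, "terminate"),
    (0x0002, "create_thread"), (0x0004, "set_sessionid"),
    (0x0008, "vm_operation"), (0x0010, "vm_read"),
    (0x0020, "vm_write"), (0x0040, "dup_handle"),
    (0x0080, "create_process"), (0x0100, "set_quota"),
    (0x0200, "set_information"), (0x0400, "query_information"),
    (0x0800, "suspend_resume"), (0x1000, "query_limited_information"),
]
PROCESS_ALL_ACCESS = 0x001FFFFF

# Constructed sample: the W3WP.EXE event quoted above, trimmed to the
# fields the triage below needs (permission list abbreviated).
SAMPLE_EVENT = """\
Description                     Process Modification Allowed for (W3WP.EXE) on (SYSTEM).
Process                         C:\\WINDOWS\\SYSWOW64\\INETSRV\\W3WP.EXE
Target Process - Sandox         kernel_ps
Agent State                     Prevention Globally Disabled
Sandbox                         iis_ps
Operation                       OpenProcess
Target Process ID               4
Permissions Requested           001FFFFF (delete, read_control, write_dac, ...)
"""

def parse_event(text):
    """Split 'Key<2+ spaces>Value' lines into a dict; other lines are skipped."""
    event = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(.+)$", line)
        if m:
            event[m.group(1)] = m.group(2).strip()
    return event

def decode_access_mask(hex_mask):
    """Expand a hex access mask into right names; unknown bits stay visible."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in ACCESS_BITS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in ACCESS_BITS)
    if leftover:
        names.append("unknown_0x%08X" % leftover)
    return names

def triage(event):
    """Flag handles that carry full access or target the kernel sandbox."""
    hex_mask = event["Permissions Requested"].split()[0]
    mask = int(hex_mask, 16)
    return {
        "rights": decode_access_mask(hex_mask),
        "full_access": (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS,
        "kernel_target": event.get("Target Process - Sandox") == "kernel_ps",
    }
```

Running `triage(parse_event(SAMPLE_EVENT))` on the W3WP event reports full access against kernel_ps, while the CCMEXEC mask 00100411 decodes to only synch, terminate, vm_read and query_information; the decoder also surfaces the three bits in 001FFFFF that SDCSS's own list leaves unnamed.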

Symantec Data Center Security: How do you confirm an intrusion

I need a solution

Hello everyone,

I have been using SEP for years. It is obvious when a risk or threat is detected. It is identified in the logs and you may get a pop-up.

I have recently started using Symantec Data Center Security. From what it looks like, there are MANY events generated. Out of all of these events, how do you identify that you actually have an intrusion incident as opposed to one of 10,000 other benign logged events?

Kind regards

Cameron

Re-enable Prevention from Manager after user over-rides prevention

I need a solution

Hi,

I am using SDCSS 6.0 on Windows 7/XP.  Is there a way to re-enable prevention from the management console on a particular agent when an authorized user has disabled prevention using the Prevention Override Tool?  I tried modifying the SDCSS_Agent_Diagnostics policy to "Enable Prevention" under Diagnostic Functions > General Settings and then assigned it to an agent on which I had used the policy override tool.  However, prevention still remains disabled.  I can easily re-enable prevention on the computer itself, but I am interested in doing this for agents to which I do not have access.

Thanks,

Bob

Data Center Security 6.0 client not getting ip via DHCP

I need a solution
We have Data Center Security 6.0 and are using the Windows core policy, applied to the clients, and the clients are not getting an IP from the DHCP server. If I disable CSP prevention, it works fine. Please help.


Agent State Flags (peR ,PRE ,pER )

I need a solution

Hi All,

Need help with Agent State Flags (peR ,PRE ,pER )

Regards,
Sankara


Legacy 2003 server CPU spikes when trying to apply DCSS policy

I need a solution

I have a Windows 2003 SP2 server that runs some older software that we need to keep for a while longer.

I have a DCSS 6.0 server and installed the agent on the target machine.  With the null policy in place the performance is within acceptable limits, in terms of the web applications running on it, although the SISIDService is consistently using 50% of the CPU.  (So not really acceptable, but from the end-user POV it's not that big of a hit.)  If I try to apply a policy with any restrictions, the SISIPService kicks in and uses up the other 50% of CPU.  According to the Console the policy never actually loads.  I've given it over an hour and it never completes.  I can re-apply the null policy and that will take effect after a few minutes.

I have tried the least restrictive out-of-the-box policy that comes with it and get the same result.

Any known fixes or ideas for this?

Thanks!

Jack

Cannot print when Prevention is enabled on Windows XP

I need a solution

Hello Everyone,

Every time I enable Prevention on an XP computer, the computer can no longer print.  Seems to impact different types of printers.  Yesterday I tried enabling prevention on a computer, the user reported he couldn't print, so he overrode prevention to enable printing.  I do not see anything in Monitors to reveal the source of the problem.  Anyone else having this problem?

Bob

DCSS 6.0 upgrade

I need a solution

Does anyone know when there will be an update to DCSS 6.0?

SCSP vs Symantec DCS

I need a solution

Hello,

I have a mission to migrate an existing SCSP to DCS. Has anyone tested the result? I couldn't find any article regarding migrating the SCSP product to DCS.

I just have something in mind: build a brand new DCS 6 and then import the policies or recreate the policies in the new DCS.

Meanwhile, the existing agents will be reinstalled using the DCS agent.

Please advise if this is possible?

Besides, what about the existing SQL server? How does the new DCS talk to the existing SQL, or do I build a new SQL as well?

If anyone knows the best practice, please share.

Thank you very much.

Cheers,

Jedi Q

6.0 MP1 release

I do not need a solution (just sharing information)

Everyone,

I was told by Symantec support that 6.0 MP1 is supposed to be released this week.  

Bob
