What is the difference between Critical System Protection and Endpoint Protection (Antivirus + Proactive Threat Protection + Network Threat Protection)?
If a server has SEP installed, can the CSP Agent also be installed on it?
Thanks so much!
Does anyone know where I can find the SNMP MIB file to look up all the OIDs for Symantec Critical System Protection?
Hello, I would like to know 2 things about Symantec Critical System Protection:
1. How can I use LiveUpdate to download policies for my clients?
2. In Policies I see Windows and Unix policies, but I cannot see Linux policies. How can I get Linux policies?
If you deploy agents on servers and exceed your license agreement, does an error show up on the console once that threshold is exceeded? We have purchased 100 licenses, but I wasn't sure what would happen if we installed the 101st agent. Thanks.
Hello All!
I'm having trouble getting SCSP to accept authentication from Active Directory. I have successfully added a Directory Server. The ONLY configuration that would work was to enter an IP address for the Host field and uncheck the "Use encrypted communications" box. All other combinations failed.
Next an Active Directory User was created...
The user exists in the AD and has a sufficiently complex password (in this case Symc4now!) to satisfy the requirements of CSP.
Login like so....
... and get this.
The server.xml file has been edited to allow unencrypted communications, and the service has been stopped and restarted.
Any ideas?
Has anyone been able to use the LiveUpdate feature in the Policies > Prevention/Detection View > LiveUpdate icon? I get the error "Directory liveupate\Downloads unable to be deleted". I do see a directory \Symantec\Critical System Protection\Console\liveupdate\Downloads, and it is empty.
Struggling to find any information about SCSP management server topologies to maintain segregation (as distinct from high availability).
I am working with a client that has both public-facing and highly restrictive systems, and currently has a high degree of segregation between them (e.g. no direct connections from a low security zone to a high security zone; management must reside in a zone which is at least as secure as the zones it is managing).
If the standard SCSP topology was used, agents in both low and high security zones could initiate connections to the same management server. This introduces the possibility that Tomcat and/or network stack vulnerabilities could be exploited and used to cross between zones. While this risk is probably low, it would be preferable to avoid it by using separate management servers for low and high zones. It would be preferable to maintain a single pane of administration (i.e. a shared database) to avoid additional operational management complexity, i.e. agents in each security zone connect to management servers in that security zone, and all management servers connect to a single database in a database zone as per http://www.symantec.com/docs/TECH112965
Are there any existing patterns for this kind of topology, or an alternative solution that would address this risk?
The documentation mentions that NAT is supported between agent and management server, but does not mention if a reverse proxy is supported.
Obviously the proxy would need to be capable of SSL offload, and have the certificate of the management server installed.
I have Norton through Comcast. I have on NUMEROUS occasions received an 8504,104 error message. Power Eraser has been run with minimal success. I have had 2 runs from my Windows registry internal system telling me that I have corruption within my system and to get it checked. I also had feedback from Mozilla telling me I had issues with my system. Each time I called Norton and I was reassured that "they were just trying to sell me their product", my system was secure and there were no infections within my system. This is my 4th computer in 1 year, so you can understand my anxiety.... I don't want to buy another one. So my concern is HOW did I get this:
Ransomware.UkashVirus/FBI Moneypak is a ransomware alert claiming that your PC is blocked. Once installed, Ukash Virus/FBI Moneypak will display a scary fake alert stating that you are visiting illegal websites. UkashVirus/FBI Moneypak completely locks your system so you will not be able to perform any tasks. SetStretch.exe along with 7 other cookies with double click and goes on.
When I do scans constantly on my system. Check this address for virus and malware info: http://www.ic3.gov/media/2012/121130.aspx
Hello - I am new to this forum as well as SCSP. Can anyone tell me if applying the 'out-of-box' Detection policies such as sym_win_protection_core_sbp, sym_win_protection_strict_sbp, sym_win_protection_ltd_exec_sbp, etc., without any editing of those policies, does much good in terms of protection? I really need to get a base layer of protection in place very quickly and have not had enough time to create any type of customized policies. Any basic advice on getting started with SCSP would be really helpful as a new user to this product. Thanks in advance!
Are there any helpful suggestions or steps to take if some agents are showing offline in the Management Console? I have had the Agent Collect Info detection policy applied to a few machines in the hope they would come online in the last week, but they have not come back online. The machines are up, and the OS varies from AIX to Solaris to Windows.
Any suggestions on an "Offline Agent Troubleshooting" procedure would be helpful.
Thanks & Best Regards,
-Dan
How do I manage/purge the logs from the management server? The reporting is taking longer and longer as more events are recorded. I am in the midst of modifying the "strict" policy and want to purge events after I install a new/modified policy.
Hi There,
I have a customer running SCSP 5.2.4 with SQL Server 2000 SP4, and now they want to migrate to SCSP 5.2.9 with SQL Server 2008 R2 SP1,
using the same IP address and host name on the new hardware.
The same condition has been posted previously on:
https://www-secure.symantec.com/connect/forums/dat...
But the information about the step-by-step procedure is still not quite clear. I have searched for articles and found this:
http://www.symantec.com/docs/TECH114430
And I have a challenge in prioritizing which step I should start with first, especially for the DB migration.
Could any of you shed some light on this case? I appreciate your response.
I have been doing the RT*M and see that it is "suggested" that we start with the CORE policy and tailor from there. I cannot find any white papers on CSP/Exchange best practice. Core is applied and prevention is "disabled" on the 9 nodes in the cluster for the time being while I gather logs. With the generic config described, if I enable it as is, will it break Exchange? Does anyone have documentation that describes a CSP/Exchange deployment?
Suggestions on appropriate tailoring would be appreciated.
Warnings on what to avoid would be VERY welcome.
Thank you.
Background for my question:
Currently I do not use Symantec Critical System Protection. I notice that the published system requirements for Symantec Critical System Protection specify SQL Server Enterprise. Currently, I use a hardware Symantec Endpoint Protection Manager (SEPM). In the near future I plan to replace it with a virtual SEPM. After I have the virtual SEPM in place, I plan to expand that SEPM's management ability to manage Symantec endpoints that are not in my WAN. That means setting up a public IP address for that SEPM so that the 'out of WAN' clients can be managed by the SEPM. My total SEP client count is about 550. I want to install SCSP on that virtual SEPM to harden it, considering it will be a public-facing server. That will be the only use of SCSP in my environment. Now, the question...
Question:
When installing SCSP in the scenario above, is SQL Server Enterprise still a requirement? I ask because I will have no SCSP endpoints to manage, nor will I have any other servers managed by SCSP. So, I do not see that I will have a need for the robustness of the Enterprise version of SQL. SQL Server Enterprise is rather expensive. Is there another alternative besides SQL Server Enterprise?
I have four Red Hat Linux 5.0 32-bit VMware virtual machines with SCSP Agent 5.2.9 MP1 installed.
The virtual machines show some error messages and hang during boot.
I have some pictures and some messages.
Error picture:
Error messages:
The log shows sisips as a 3rd-party module:
var/log/messages:Jan 21 13:15:19 ndoc1 kernel: sisips: module license 'Proprietary' taints kernel
sisips can also be found in the system call trace, so it is reasonable to infer that it is related to the system panic:
I'm in the process of creating compliance checks that will run in Tenable Nessus. These checks will audit and report the status of system services on Microsoft servers. To do this I need the short names for the services, e.g. the display name is Symantec Critical System Protection IDS Agent, and the short name is SISIDSService. I cannot find the "short names" for the system service "display names" listed below, so I thought this would be a good place to look or ask for assistance.
Thanks in advance for any assistance.
Symantec Endpoint Protection Manager
Symantec Critical System Protection Server
I need some assistance in fine-tuning the detection policies, as the SCSP events are filling up the database and its size is increasing drastically. I have identified that some of the policies, like File Tampering and Windows successful logon, are set to default, so I need to know if we can fine-tune them to reduce the events.
Thanks,
Jayakumar