Channel: Symantec Connect - Critical System Protection - Discussions

Symantec CSP FIM Component & Splunk

I need a solution

Hello,

I am trying to find out if Symantec CSP's FIM component can feed into Splunk. Does anyone have any experience with this or know if this would be possible?

According to Splunk, it can ingest any log file as long as it is in text format. Are the log files from the FIM in text format? Your response will be greatly appreciated.

Thanks,

Authoring Tool

I need a solution

From what I have found on Connect here, it looks like the Policy Authoring tool is no longer included. Is there a way to get this?


Reference: CSP and Active Directory Integration

I need a solution

Team,

I am having difficulty in configuring integration between Active Directory server and CSP v5.2.9 server in my test environment.

Following are the steps I have done so far:

1. Set up an AD server on Win 2003 R2 x64 with all "Default" configuration (I created a few logins and I am able to log in by specifying the <domain name>\<user name> and password on the AD server)

2. Set up CSP v5.2.9 on Win 2003 R2 x64

3. Log in to the web console of the SCSP server and navigate to Admin > Settings > Directory Server.

    a. In the Host field, I entered the IP address and entered the AD user credentials

However, with "Use encrypted communications" both enabled and disabled, I keep getting an "Active Directory authentication failed" error.

I feel that I am missing some configuration step; however, I am unable to identify the exact steps. On searching Google, I found only a few threads related to AD - CSP integration; for example: http://www.symantec.com/connect/forums/active-directory-authentication

Also, the support database lacks a step-by-step guide.

Any help in this regard would be helpful.

Thanks,

Sagar Karawa

Symantec Critical System Protection and Generic Network Attacks

I need a solution

Hi,

I am implementing SCSP at a client site and the client is asking for a demo of SCSP protection, i.e. the client wants me to use a third-party tool like Zenmap, run an attack against a machine which has SCSP installed and show how it protects. I tried running some attacks like a SYN attack and brute force against SMB, etc. I could only configure two actions in the SCSP Prevention Policy, i.e. either block a network range or allow a network range (I was using the Windows Core Prevention Policy). This action causes SCSP either to block or allow any IP, or even an attack. For e.g. it let the test machine run a SYN attack against my test machine and did not block it. I was hoping that after 10 or 20 consecutive SYN requests it would block the IP or at least raise a warning in IDS mentioning a SYN attack, but nothing!

Can anyone please help me understand the best situation under which SCSP can be used? Do I need to put in another firewall with these features? I have to install SCSP on DMZ servers and hence it is quite critical.

How to monitor HTTP POST and Get traffic on SCSP clients

I need a solution

Can anyone explicate the rule/template existing in SCSP to enable a rule for network-based indications for the traffic below.

HTTP POST traffic containing:

  • Name=GeorgeBush&userid<4 digit number>&other=

HTTP GET traffic to pages with paths:

  • Aspnet_client/report.asp
  • Resource/device_Tr.asp
  • Images/device_index.asp
  • News/media/info.html
  • Backsangho.jpg
  • addCats.asp
  • SmarNav.jpg
  • Nblogo2.jpg

Symantec Critical System Protection Articles

I do not need a solution (just sharing information)

Symantec Critical System Protection

1. Website Defacement Prevention (Part-I)

    http://invisibletechy.blogspot.in/2013/04/website-defacement-prevention-part-i.html

2. Website Defacement Prevention (Part-II)

    http://invisibletechy.blogspot.in/2013/04/website-defacement-prevention-part-ii.html

3. Microsoft Server Service Relative Path Stack Corruption Exploitation and Prevention part-i

    http://invisibletechy.blogspot.in/2013/04/microsoft-server-service-relative-path.html

4. Microsoft Server Service Relative Path Stack Corruption Exploitation and Prevention part-ii

    http://invisibletechy.blogspot.in/2013/04/microsoft-server-service-relative-path_11.html

5. Desktop Phishing Attack and Its Prevention Part 1

    http://invisibletechy.blogspot.in/2013/04/desktop-phishing-attack-and-its_11.html

6. Desktop Phishing Attack and Its Prevention Part 2

    http://invisibletechy.blogspot.in/2013/04/desktop-phishing-attack-and-its.html

7. Trojan Attack Prevention With SCSP Part 1

    http://invisibletechy.blogspot.in/2013/04/trojan-attack-prevention-with-scsp-part.html

8. Trojan Attack Prevention With SCSP Part 2

    http://invisibletechy.blogspot.in/2013/04/trojan-attack-prevention-with-scsp-part_11.html

9. WebDAV Application DLL Hijacking Exploitation and Prevention Part 1

    http://invisibletechy.blogspot.in/2013/04/webdav-application-dll-hijacking.html

10. WebDAV Application DLL Hijacking Exploitation and Prevention Part 2

    http://invisibletechy.blogspot.in/2013/04/webdav-application-dll-hijacking_11.html

11. Microsoft Print Spooler Service Impersonation Vulnerability Exploitation and Prevention Part 1

    http://invisibletechy.blogspot.in/2013/04/microsoft-print-spooler-service.html

12. Microsoft Print Spooler Service Impersonation Vulnerability Exploitation and Prevention Part 2

    http://invisibletechy.blogspot.in/2013/04/microsoft-print-spooler-service_11.html

13. Adobe Reader Buffer Overflow Exploitation and Prevention part-i

    http://invisibletechy.blogspot.in/2013/04/adobe-reader-buffer-overflow.html

14. Adobe Reader Buffer Overflow Exploitation and Prevention part-ii

    http://invisibletechy.blogspot.in/2013/04/adobe-reader-buffer-overflow_11.html

15. Wireshark Stack Buffer Overflow (Remote) Exploitation and Prevention Part-I

    http://invisibletechy.blogspot.in/2013/04/wireshark-stack-buffer-overflow-remote.html

16. Wireshark Stack Buffer Overflow (Remote) Exploitation and Prevention Part-II

    http://invisibletechy.blogspot.in/2013/04/wireshark-stack-buffer-overflow-remote_11.html

17. VLC ModPlug ReadS3M Stack Buffer Overflow Exploitation and Prevention Part-I

    http://invisibletechy.blogspot.in/2013/04/vlc-modplug-reads3m-stack-buffer.html

18. VLC ModPlug ReadS3M Stack Buffer Overflow Exploitation and Prevention Part-II

    http://invisibletechy.blogspot.in/2013/04/vlc-modplug-reads3m-stack-buffer_11.html

19. AbsoluteFTP LIST Command Remote Buffer Overflow Exploitation and prevention part-i

    http://invisibletechy.blogspot.in/2013/04/absoluteftp-list-command-remote-buffer.html

20. AbsoluteFTP LIST Command Remote Buffer Overflow Exploitation and prevention part-ii

    http://invisibletechy.blogspot.in/2013/04/absoluteftp-list-command-remote-buffer_11.html

21. MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Exploitation and Prevention part-i

    http://invisibletechy.blogspot.in/2013/04/ms11-021-microsoft-office-2007-excel.html

22. MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Exploitation and Prevention part-ii

    http://invisibletechy.blogspot.in/2013/04/ms11-021-microsoft-office-2007-excel_11.html

23. Wireshark console.lua pre-loading vulnerability Exploitation and Prevention part-I

    http://invisibletechy.blogspot.in/2013/04/wireshark-consolelua-pre-loading.html

24. Wireshark console.lua pre-loading vulnerability Exploitation and Prevention part-II

    http://invisibletechy.blogspot.in/2013/04/wireshark-consolelua-pre-loading_11.html

25. Wireshark Stack Buffer Overflow (Local) Exploitation and Prevention Part-I

    http://invisibletechy.blogspot.in/2013/04/wireshark-stack-buffer-overflow-local.html

26. Wireshark Stack Buffer Overflow (Local) Exploitation and Prevention Part-II

    http://invisibletechy.blogspot.in/2013/04/wireshark-stack-buffer-overflow-local_11.html

27. Microsoft LSASS Service Buffer Overflow Exploitation & Prevention Part 1

    http://invisibletechy.blogspot.in/2013/04/microsoft-lsass-service-buffer-overflow.html

28. Microsoft LSASS Service Buffer Overflow Exploitation & Prevention Part 2

    http://invisibletechy.blogspot.in/2013/04/microsoft-lsass-service-buffer-overflow_11.html

For more articles visit: http://symantecfans.blogspot.in/

Blocking Blacklisted IPs using SCSP

I need a solution

Is it possible to block a list of IPs (Close to 30K) using SCSP Agent? I found the option of adding Blacklisted IPs in Detection Policy under the Windows Base Policy but could not find the same under any Prevention Policy.

My understanding is that SCSP relies on a whitelist to allow traffic from specific machines rather than a blacklist to block traffic from a handful of machines and allow the rest. Also, please do share the format in which the CSV file is configured to add the batch IP list.

Thanks in advance,

Amit Bhatnagar

SCSP policy is not applying to agent

I need a solution

The Symantec Critical System Protection agent is not getting the policy; below is the exact error:

SOURCE

Host Name:        abm-flfh7rr865e
User Name:        Administrator
Agent Version:        5.2.9.568
OS Version:        Server 2003 Service Pack 2

DETAILS

Message:        Policy Translation Failed: In int_safepriv_ps; <map pset="int_fullpriv_ps" info="SISIPS Agent Config Tool full priv for specific users">: Unable to lookup id: shoaib
Service:        UpdateThread
Disposition:        F
Operation:        Translation
Message ID:        10133


CSP Monitoring Edition Active Directory Change Monitoring

I need a solution

I need to know if CSP Monitoring Edition will provide Active Directory change monitoring like the full version of CSP does. I have a customer who does not need the full version if this is available through the Monitoring Edition. I have dug through all of the resources I can find but have not found this feature specifically listed in the Monitoring Edition of CSP. Can anyone assist? Thanks.

Protect files in Netapp CIF share

I need a solution

Hi all.

Question: is there a way to restrict access to files in a remote location (NetApp CIFS share)? Mainly what I want to do is to protect files/folders in a CIFS share on NetApp, so I can define which users can access specific files/folders.

As you can't install the agent on the NetApp itself, prevention policies stating file rules (writable, read-only or no-access) cannot be deployed as you would on a Windows file server. There is a process set, remote_file_ps, which you can use; however, it's very limited: it allows you to give full/safe privileges, read-only access, or block all access to files if accessed with remote programs. This process set doesn't allow granular settings.

Thanks.

Some questions about SCSP prevention policy

I need a solution

Hello,

I have a few questions about SCSP 5.2.9 and would appreciate it if somebody can help.

How to block devices on Windows and Linux?

How to block access to a specific folder, for example the Windows folder or Program Files?

How to block a service from running that is not one of the built-in services in the SCSP manager?

Thanks.

How to make black list and white in endpoint protection manager 11

I need a solution

Please let me know how I can make a rule to block POP3 / SMTP protocol traffic. I mean, can I manage users to restrict sending emails only through the whitelist I have created in Symantec Endpoint Protection 11 Manager?

SCSP upgrade best practices

I need a solution

We will be upgrading from 5.2.8 to 5.2.9 and I was wondering what others' experience was with the upgrade. It seems too easy looking at the steps I was provided. Here are the steps as I understand them:

Step 1 - run server.exe, enter the scspdba credentials (is this the only account needed?), click Finish to complete the upgrade.

Step 2 - run console.exe, confirm the upgrade, click Finish to complete the upgrade.

Step 3 - upgrade the agents.

Step 4 - push out new policies.

There is no mention of backing up anything such as databases, files or folders. We will be backing up our database just in case. But, are there any other critical items that need to be backed up prior to the upgrade? My coworker who is upgrading SEP is backing up a folder that holds the ssl certs and other items.

Thanks.

Problems with antivirus

I need a solution

Hello,

I am just looking online for general help. I have AVG Free, Malwarebytes, and now Registry Super Fix It installed. I would like to get rid of Malwarebytes and the Registry SuperFixIt antivirus. I think I know how to get Malwarebytes off, but here's the thing: Registry SuperFixIt keeps stopping me; it then tells me that my actions are a virus. Now I've tried turning it off but it keeps turning itself back on, which is annoying. I've tried asking Adobe for help with this since it's their anti-virus beast, but they won't say a word and it's been months.

I got AVG Free because my bro, being a super-techie for Egghead before he ran off to China, highly recommended it. I picked up Malwarebytes because AVG couldn't find the rootkit/virus I picked up playing Facebook games; I clicked a link by mistake and suddenly had it. Now I've got Adobe's FixIt software which keeps shutting down my computer, generating hundreds of false reports, annoying the hell out of me, etc., etc. The thing is I'm stuck in the midst of trying to install an old version of Adobe Suite software that I recently purchased, but my DVD drive is just super-finicky when it comes to installing anything and I have more time than money to go get another one.

So I'm wondering, can someone please tell me what to do? My brother is in China, and I'd normally just have him work his magic on my system and have it back together in under a week. So now I have to fix it and I'm just not very good at this sort of thing.

Symantec Critical System Protection SQL Server 2008 - How to schedule for Shrinking Database

I need a solution

Hi,

I would like to check how we schedule a shrink of the scsp_logs database on SQL Server 2008.

Symantec Critical System Protection - How to schedule the deletion of realtime event timing?

I need a solution

Hi,

I would like to check how I schedule the deletion of the SCSP real_time logs.

Refer to the attached picture for the highlighted time and date.


SCSP server upgrade error (5.2.8 -> 5.2.9): Can't connect to Database

I need a solution

When running the server setup (5.2.9 MP1), I get to the point where it asks for the owner of the existing database. When I enter the username and password, I get the error: "Unable to connect to the Database with the specified username and password. Please verify the Database settings."

Our SQL database is on a different server than our management server. All servers are 2008 R2, and the SQL server is also SQL 2008 R2. I suspect that the problem is because we have moved the database to a different server than it was originally on (the move was about 6 months ago). The SCSP services are all running fine at present, but I wonder if the install is looking for the old database. Anyone have any troubleshooting steps?

So far I have tried looking through the xml files in the "C:\Program Files (x86)\Symantec\Critical System Protection\Server\tomcat\conf" folder and updated the references to the database server (the server.xml file was updated with the database move, but the others weren't touched). That didn't seem to make any difference.

I have also logged directly into the SQL server and connected to the database with the scspdba account to verify the username and password are correct and that the scspdba account is the database owner.

Server + SQL 2012?

I need a solution

What are the timelines for giving support to Server 2012 (agent and console) and for running the SCSP DB on SQL 2012?

CentOS compatibility

I need a solution

Hi,

I would like to know whether the latest SEPM version is compatible with the CentOS operating system.

If not, is SCSP (Critical System Protection) compatible with CentOS?

Waiting for your advice and related article.

Thanks in advance.

Deny application modification deletion with a whitelist?

I need a solution

Hi all,

I am looking to create a CSP prevention policy that will block modifications to a set of applications. I need certain users to be able to modify them, though. Is this possible? I can't see anything that resembles this in the targeted policy.

Any help would be appreciated. 

Cheers!
