Monthly Archives: February 2014

Symantec Endpoint Protection NTP Best Practices

Here is a good document from Symantec for understanding the firewall and its policies. NTP here means Network Threat Protection, the firewall and intrusion prevention component of SEP, not the time protocol.

Understand Symantec firewall1


Importing an Existing Virtual Machine (OVA) into Oracle VirtualBox

Below is a document showing how to import an OVF package (either a folder with a .ovf descriptor or a single .ova file) into Oracle VirtualBox.

Importing an Existing Virtual Machine into VirtualBox

Server Health Report on the SEPM to identify issues

Below is the document from Symantec on using the report to identify and resolve the issues it flags.

sepm-checkfor-alert

FTP getting 500 error on RHEL5 in EC2 machine

While setting up vsftpd on an Amazon EC2 machine (RHEL 5) I received the following error and worked through it with the steps below; hopefully this helps others too.

Run getenforce to see whether SELinux is enforcing (Enforcing, Permissive or Disabled). If it is Disabled, SELinux is not the cause of the 500 OOPS and the problem lies elsewhere (directory permissions, chroot settings, PAM).

Then list the FTP-related booleans: getsebool -a | grep ftp and check for ftp_home_dir --> off

Make it ON, persistently across reboots (-P), using setsebool:

[root@COE1 ~]# setsebool -P ftp_home_dir on
coe homedir /var/www/html/ or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly
defined system account.  If it is a system account please make sure its login shell is
/sbin/nologin.

The boolean is set despite the message. The warning means that the FTP user's home directory (/var/www/html/ here) sits under a path that already has a context defined in file_contexts, so genhomedircon will not label it as a home directory; the files keep their web-server context instead of user_home_t. Turning ftp_home_dir on lets vsftpd read and write every user's home directory, not just this one, so keep it on only if FTP users really need that. If the account exists only for FTP, give it /sbin/nologin as its shell as the message suggests (RHEL lists /sbin/nologin in /etc/shells, so the pam_shells check in vsftpd's PAM stack still accepts the login), and avoid allow_ftpd_full_access, which lets vsftpd read and write any file on the system.
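The check above, as an added example (not from the original post): it parses `getsebool -a` output, decides from the `getenforce` mode whether SELinux is even involved, and builds the minimal list of root commands. It only turns on ftp_home_dir; the `semanage fcontext ... public_content_t` step for a home directory under /var/www/ is my suggestion for the genhomedircon conflict on the page (public_content_t is readable by both httpd and ftpd), not something the original post did. The sample getsebool output is constructed.

```python
"""Check the SELinux state behind a vsftpd "500 OOPS" and build the fix (added example)."""
import re
import shutil
import subprocess

# getsebool -a prints one "name --> on|off" line per boolean.
_SEBOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")

# Constructed sample of `getsebool -a | grep ftp` on a RHEL 5 host (not real output from the page).
SAMPLE_GETSEBOOL = """allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> off
httpd_enable_cgi --> on
"""


def parse_getsebool(text):
    """Turn `getsebool -a` output into {boolean_name: True/False}."""
    state = {}
    for line in text.splitlines():
        m = _SEBOOL_RE.match(line.strip())
        if m:
            state[m.group(1)] = (m.group(2) == "on")
    return state


def ftp_fix_plan(mode, booleans, ftp_home="/home"):
    """Return the root-shell commands needed so vsftpd can serve `ftp_home`.

    `mode` is the `getenforce` output; `booleans` is parse_getsebool()'s dict.
    Only ftp_home_dir is turned on: it is the narrowest boolean that lets vsftpd
    into user home directories.  allow_ftpd_full_access is deliberately never
    suggested, because it lets vsftpd read and write any file on the box.
    """
    plan = []
    if mode.strip() == "Disabled":
        return plan  # SELinux cannot be the cause of the 500 error
    if not booleans.get("ftp_home_dir", False):
        plan.append("setsebool -P ftp_home_dir on")
    # A home directory under the web root already carries httpd's file context
    # (the genhomedircon warning).  Label that tree public_content_t so both
    # httpd and vsftpd may read it, then relabel.  (Assumed fix, not from the page.)
    if ftp_home.startswith("/var/www/"):
        plan.append("semanage fcontext -a -t public_content_t '%s(/.*)?'" % ftp_home.rstrip("/"))
        plan.append("restorecon -Rv %s" % ftp_home)
    return plan


def live_check(ftp_home="/home"):
    """Run the real tools when they exist on this host; otherwise return None."""
    if shutil.which("getenforce") is None or shutil.which("getsebool") is None:
        return None
    mode = subprocess.run(["getenforce"], capture_output=True, text=True).stdout
    bools = subprocess.run(["getsebool", "-a"], capture_output=True, text=True).stdout
    return ftp_fix_plan(mode, parse_getsebool(bools), ftp_home)


if __name__ == "__main__":
    plan = live_check("/var/www/html/coe")
    if plan is None:  # no SELinux tools here: show the plan for the constructed sample
        plan = ftp_fix_plan("Enforcing", parse_getsebool(SAMPLE_GETSEBOOL), "/var/www/html/coe")
    print("\n".join(plan) or "nothing to do")
```

The script never runs setsebool itself; it prints what to run so the change is reviewed before it is made persistent.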

Removing a huge number of files from a directory in Linux

When removing a huge number of files from a directory with a shell glob (rm -rf *), the shell expands the glob into a single argument list, which exceeds the kernel's ARG_MAX limit and fails with:

“/bin/rm: Argument list too long”

Use find to stream the names to xargs instead; xargs batches them into several rm invocations that each stay under the limit. -print0 and -0 keep names containing spaces or newlines intact, -maxdepth 1 limits the deletion to this directory (find would otherwise recurse into subdirectories, unlike rm *), and -type f skips directories:

[root@ip-10-251-142-224 clientmqueue]# find . -maxdepth 1 -type f -name 'qfo*' -print0 | xargs -0 rm -f
[root@ip-10-251-142-224 clientmqueue]# find . -maxdepth 1 -type f -name 'dfo*' -print0 | xargs -0 rm -f
[root@ip-10-251-142-224 clientmqueue]# find . -maxdepth 1 -type f -print0 | xargs -0 rm -f

Double-check the working directory before the last command: it removes every regular file in it.
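The same clean-up as an added Python example (not from the original post), for the case where you would rather not trust a shell pipeline on a directory with hundreds of thousands of entries. It removes matching regular files one at a time from os.scandir(), so no argument vector is ever built and the ARG_MAX error cannot occur; directories and symlinks are left alone. The sample queue directory it builds is constructed.

```python
"""Delete many files from one directory without hitting ARG_MAX (added example)."""
import fnmatch
import os


def purge_files(directory, pattern="*", recursive=False, dry_run=False):
    """Unlink regular files in `directory` whose name matches the glob `pattern`.

    Entries are streamed from os.scandir() and unlinked individually, so the
    kernel never sees a huge argv.  Directories are only descended into when
    `recursive` is set, and symlinks are never touched (their targets must not
    be followed).  Returns the number of files removed (or, with dry_run, the
    number that would be).
    """
    removed = 0
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                if recursive:
                    removed += purge_files(entry.path, pattern, True, dry_run)
                continue
            if not entry.is_file(follow_symlinks=False):
                continue  # symlink, socket, fifo: leave it alone
            if fnmatch.fnmatch(entry.name, pattern):
                if not dry_run:
                    os.unlink(entry.path)
                removed += 1
    return removed


def build_sample_queue(base):
    """Create a constructed clientmqueue look-alike under `base` (not real data)."""
    for name in ("qfo1AbC", "qfo2 with space", "dfo1AbC", "unrelated.txt"):
        with open(os.path.join(base, name), "w") as fh:
            fh.write("x")
    os.mkdir(os.path.join(base, "sub"))
    with open(os.path.join(base, "sub", "qfo3"), "w") as fh:
        fh.write("x")
    os.symlink("/etc/hostname", os.path.join(base, "qfo_link"))  # must survive


def run_demo():
    """Run the page's three deletions against the constructed tree; return the counts."""
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        build_sample_queue(base)
        top_qfo = purge_files(base, "qfo*")                  # 2: this directory only
        deep_qfo = purge_files(base, "qfo*", recursive=True)  # 1: sub/qfo3
        rest = purge_files(base, "*")                         # 2: dfo1AbC, unrelated.txt
        left = sorted(os.listdir(base))                       # symlink and subdir remain
    return top_qfo, deep_qfo, rest, left


if __name__ == "__main__":
    print(run_demo())
```

Use dry_run=True first on a production spool to see the count before anything is unlinked.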

How to Enable swap (a swap file) in Linux

enable swap: a 4 GiB swap file
#!/bin/bash

mkdir -p /mnt/swap/

## check whether a swap device is already active; remove it first if it is being replaced
## swapon -s
## swapoff /dev/sda3

## bs=1024 x 4194304 blocks = 4 GiB
dd if=/dev/zero of=/mnt/swap/swapfile bs=1024 count=4194304

## swap holds raw memory pages (passwords, keys), so nobody but root may read the file
chown root:root /mnt/swap/swapfile
chmod 0600 /mnt/swap/swapfile

mkswap /mnt/swap/swapfile

## if needed, take a backup of fstab first
## cp -p /etc/fstab /etc/fstab.org

## add the entry to /etc/fstab (vim /etc/fstab) so the file is used at every boot:
## /mnt/swap/swapfile swap  swap    defaults 0 0
## swapon -a only activates entries already present in fstab, so the line must be added first
grep -q '^/mnt/swap/swapfile ' /etc/fstab || echo '/mnt/swap/swapfile swap  swap    defaults 0 0' >> /etc/fstab

sleep 5

swapon -a

## alternatively call swapon from /etc/rc.local (back it up first: cp -p /etc/rc.local /etc/rc.local.org)
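An added check (not part of the original post) to run before swapon: it inspects the swap file's type, mode, owner and parent directory and confirms the fstab line is present and not commented out. Swap contains whatever was in RAM, so a world-readable swap file hands every local user the contents of other processes' memory. The run_demo() file is constructed; on a real host call swapfile_problems("/mnt/swap/swapfile", 4 * 1024**3).

```python
"""Sanity-check a swap file and its fstab entry before `swapon` (added example)."""
import os
import stat


def swapfile_problems(path, expected_bytes=None):
    """Return a list of reasons why `path` should not be used as swap (empty = fine).

    The file must be a regular file owned by root with mode 0600, sitting in a
    directory that other users cannot write to (a world-writable parent such as
    /tmp lets anyone replace or race the file).
    """
    problems = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o is readable/writable by others; chmod 0600" % mode)
    if st.st_uid != 0:
        problems.append("owned by uid %d, not root" % st.st_uid)
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & stat.S_IWOTH:
        problems.append("parent directory is world-writable")
    if expected_bytes is not None and st.st_size != expected_bytes:
        problems.append("size is %d bytes, expected %d" % (st.st_size, expected_bytes))
    return problems


def has_fstab_entry(fstab_text, path):
    """True if an uncommented fstab line mounts `path` with type swap."""
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 3 and fields[0] == path and fields[2] == "swap":
            return True
    return False


def run_demo():
    """Constructed example: a 4 KiB temp file with loose and then tight permissions."""
    import tempfile
    fd, path = tempfile.mkstemp()
    os.write(fd, b"\0" * 4096)
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = swapfile_problems(path, expected_bytes=4096)
        os.chmod(path, 0o600)
        tight = swapfile_problems(path, expected_bytes=4096)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    loose, tight = run_demo()
    print("0644:", loose)
    print("0600:", tight)  # may still flag the world-writable /tmp parent, on purpose
```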

Few Registry Tweaks from Symantec for Symantec Endpoint Protection

These keys are written and read by the SMC service. On a managed client the values reflect the policy pushed from SEPM and are re-applied at the next heartbeat, so use them for diagnosis (or on unmanaged clients) rather than as a way to override policy. The paths below are for 32-bit Windows; on 64-bit systems the same keys live under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\... (see item 9 vii).

1. To check the Version of currently installed SEP client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

ProductVersion  

Value will be something like 11.0.4014.26

 
2. Client is communicating with SEPM or is OFFLINE

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode: 1 means the client is communicating with SEPM, 0 means it is offline.

3. Which Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

4. Policy Serial Number on Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

SerialNumber

Value will be something like 2DD9-09/09/2009 00:05:14 125

5. To know the Hardware ID for the Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

HardwareID

6. What version of Virus Definitions the client is currently using.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

DEFWATCH_10

The value will be something like C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090907.050

7. To know what IPS Signature SEP is using

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs

cndcIps

The value will be like: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\CNDCIP~1\20090826.002

8. To check if Network Threat Protection is installed and is Turned ON.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

smc_engine_status: 0 means turned OFF, 1 means turned ON.

9. Exclusion –Centralized Exceptions

32 bit

i. Security Risk Exceptions

User Defined Exceptions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions

Lock: 0 means the client can create Centralized Exceptions for Known Security Risks, 1 means this option is locked by the administrator in SEPM.

And Under the ClientRiskExceptions\1234567890 (normally a 10 digit numerical folder )  you will find the Known Security Risk exceptions created by the users.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions

Under the AdminRiskExceptions\1234567890 (normally a 10 digit numerical folder )  you will find the Known Security Risk exceptions created by the Admin from SEPM.

 

ii. Proactive Threat Protection Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash

\Client\0728bd2bb1774b9728f60d33bc1f95172374e950 – the subkey name is the hash of the excluded file (40 hexadecimal digits, i.e. SHA-1 length); these are the exclusions created by the user.

\Admin\0728bd2bb1774b9728f60d33bc1f95172374e950 – same layout, for exclusions made by the Admin from SEPM.

The Directory, File and Extension exclusions below use the same Admin/Client split.

iii. Directory

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory

\Admin  and \Client

iv. Files

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName

\Admin  and \Client

 
v.Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions\

\Admin  and \Client

vi. Symantec also excludes it own Embedded Database from Scanning

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Symantec Embedded Database\FileExceptions

Out.log, Sem5.log and Sem5.db are excluded.

vii. To Verify Exchange Server exclusions on 32 Bit System

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server

\FileExceptions and \NoScanDir

On 64 Bit system

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

\FileExceptions and \NoScanDir

 

10. Say you have remote laptops to which you exported a default (managed) client install package.

Now you want to change them to unmanaged.

You replaced sylink.xml with the unmanaged one from the installation media (CD1\SEP\Sylink.xml).

Still the clients are not able to run LiveUpdate, and the default admin-defined scan keeps running.

Here is the default admin-defined scan; if you created more scans for these users they will also be listed in the same location, each under a different name.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 (the name is a GUID-style hexadecimal identifier and differs per scan)

So you can delete this key and then create your own scan.

Liveupdate button is greyed out even after replacing sylink.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

AllowManualLiveUpdate: 0 means the LiveUpdate button is greyed out, 1 means it is available to click.

In the same place you can enable product updates by changing the value of

EnableProductUpdates  to 1

For Scheduling and Enabling automatic liveupdates.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule

Change the value of

Enabled to 1 – for Automatic updates.

11. Handling Quarantine

Sometimes, after an infection, the quarantine folder grows huge.

The folder is not accessible via the GUI. To find where it is and to change the quarantine settings for the client, look under

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine

Important keys

QuarantinePurgeBySizeEnabled – set it to 1 to enable purging of the quarantine folder by size; then

QuarantinePurgeBySizeDirLimit – default value is 50 (megabytes); either leave it at 50 or reduce it as much as you want.

You can also lower the age at which quarantine items are purged from the default 30 days to any number of days you want:

QuarantinePurgeAgeLimit – 30 days by default.

12. How to disable Application and Device Control via registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant

Change the value of Start to 4. Start is the standard Windows service/driver start type: 1 means the SysPlant driver loads at system start (enabled), 4 means disabled; the change takes effect after a reboot. Since this is also how malware or an intruder would switch the control off, alert on changes to this value on managed endpoints.

13. Check this discussion on Creating Scan via registry
https://www-secure.symantec.com/connect/forums/way-create-scan-registry

14. For Logging options via registry
How to debug the Symantec Endpoint Protection 11.x client
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090611252048

 15. GUP information via registry
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148

16. Enable debugging of Auto Location Switching (ALS) with this registry key

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump
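The checks in items 1 through 12 are easy to automate from an offline `reg export` of the client, for instance one collected from a remote laptop during triage. The following is an added example (not Symantec's code and not from the original post): it parses the .reg text format, then reports the client version, SEPM connectivity, Network Threat Protection state, LiveUpdate settings, the SysPlant start type and any user-created exclusions. The sample export is constructed; the value name "DirectoryName" under the directory exclusion subkey is an assumption, since the page only gives the key paths, and the code treats any value under a \Client\ exclusion subkey as an exclusion.

```python
"""Audit a `reg export` of a SEP 11 client against the keys listed above (added example)."""
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_SEP_PREFIXES = (  # 32-bit Windows, then the Wow6432Node location used on 64-bit hosts
    r"hkey_local_machine\software\symantec\symantec endpoint protection",
    r"hkey_local_machine\software\wow6432node\symantec\symantec endpoint protection",
)
_SYSPLANT = r"hkey_local_machine\system\currentcontrolset\services\sysplant"

# Constructed sample export (not from a real host); backslashes are doubled as in .reg files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"ProductVersion"="11.0.4014.26"
"smc_engine_status"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink]
"PolicyMode"=dword:00000000
"PreferredGroup"="My Company\\Laptops"
"SerialNumber"="2DD9-09/09/2009 00:05:14 125"

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
"AllowManualLiveUpdate"=dword:00000000
"EnableProductUpdates"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Client\1234567890]
"DirectoryName"="C:\\Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant]
"Start"=dword:00000004
'''


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg writes \\ for \ and \" for "


def _decode_value(v):
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.startswith("dword:"):
        return int(v[6:], 16)
    return v  # hex:, hex(2): etc. are kept as raw text


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name_lowercase: value}} from .reg text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" = (Default)
            reg[current][name.lower()] = _decode_value(m.group(2))
    return reg


def load_reg_file(path):
    """reg.exe writes UTF-16LE with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def audit_sep(reg):
    """Turn a parsed export into findings for the checklist items above."""
    def get(subkey, name):
        for prefix in _SEP_PREFIXES:
            val = reg.get(prefix + "\\" + subkey.lower(), {}).get(name.lower())
            if val is not None:
                return val
        return None

    findings = ["SEP client version: %s" % (get("SMC", "ProductVersion") or "not found")]
    if get(r"SMC\SYLINK\SyLink", "PolicyMode") == 0:
        findings.append("client is OFFLINE from SEPM (PolicyMode=0); group: %s"
                        % get(r"SMC\SYLINK\SyLink", "PreferredGroup"))
    if get("SMC", "smc_engine_status") == 0:
        findings.append("Network Threat Protection engine is OFF (smc_engine_status=0)")
    if get("LiveUpdate", "AllowManualLiveUpdate") == 0:
        findings.append("manual LiveUpdate is greyed out (AllowManualLiveUpdate=0)")
    if get(r"LiveUpdate\Schedule", "Enabled") == 0:
        findings.append("scheduled LiveUpdate is disabled (Schedule\\Enabled=0)")
    if reg.get(_SYSPLANT, {}).get("start") == 4:
        findings.append("Application and Device Control driver disabled (SysPlant Start=4)")
    for key, values in reg.items():
        in_sep = any(key.startswith(p + r"\av\exclusions") for p in _SEP_PREFIXES)
        if in_sep and values and ("\\client\\" in key or "\\clientriskexceptions\\" in key):
            findings.append("user-created exclusion under %s" % key)
    return findings


if __name__ == "__main__":
    print("\n".join(audit_sep(parse_reg_export(SAMPLE_REG))))
```

To audit a real host, run `reg export "HKLM\SOFTWARE\Symantec" sep.reg` (plus the SysPlant key) on the client and pass the file to load_reg_file(); key and value names are matched case-insensitively, as the registry itself does.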

Deleting Symantec client old definition files from Windows clients

Sometimes a system with Symantec installed shows low disk space on the C: drive and is unable to remove old virus definitions. In that case check which definition set is the latest one in use by the programs and remove the older sets manually. Below are the steps to perform on Windows PCs.

deleting semclient old def

Cloud Providers

Public Clouds

A public cloud is a multi-tenant Infrastructure-as-a-Service (IaaS) that typically includes compute, networking, and storage resources. These resources are available via API, provisioned through self-service, and metered by usage. RightScale supports a range of popular public clouds with data centers around the globe.

Private Clouds

A private cloud is a single-tenant IaaS that may be located in a private data center or hosted by a vendor. Private clouds are similarly accessible via API, provisioned through self-service, and metered by usage. RightScale supports the three most popular private cloud technologies and several hosted private cloud offerings.

http://aws.amazon.com/
http://www.rackspace.com/
http://www.rightscale.com/
https://cloud.google.com/
http://www.windowsazure.com/en-us/
http://opencloudconsortium.org/
http://www.datapipe.com/
http://www.hpcloud.com/
http://www.softlayer.com/

cloudproviders

Export an OVF Template

An OVF package captures the state of a virtual machine or vApp into a self-contained package. The disk files are stored in a compressed, sparse format.

Required privilege: vApp.Export
Procedure
1.Select the virtual machine or vApp and select File > Export > Export OVF Template.
2.In the Export OVF Template dialog, type the Name of the template.

For example, type MyVm
Note

When exporting an OVF template with a name that contains asterisk (*) characters, those characters turn into underscore characters (_).
3.Enter the Directory location where the exported virtual machine template is saved, or click “…” to browse for the location.

The C:\ drive is the default location where the template is stored.

For example, OvfLib
4.In the Format field, determine how you want to store the files.
■ Select Folder of files (OVF) to store the OVF template as a set of files (.ovf, .vmdk, and .mf) This format is optimal if you plan to publish the OVF files on a web server or image library. The package can be imported, for example, into the vSphere client by publishing the URL to the .ovf file.
■ Select Single file (OVA) to package the OVF template into a single .ova file. This might be convenient to distribute the OVF package as a single file if it needs to be explicitly downloaded from a web site or moved around using a USB key.
5.In Description, type a description for the virtual machine.

By default, the text from the Notes pane on the virtual machine’s Summary tab appears in this text box.
6.Select the checkbox if you want to include image files attached to floppy and CD/DVD devices in the OVF package.
Note

This checkbox only shows if the virtual machine is connected to an ISO file or if the floppy drive is connected to a floppy image.
7.Click OK.

The download process is shown in the Export window.
Example: Folder Locations for OVF and OVA Files

If you type OvfLib for a new OVF folder, the following files might be created:
■ C:\OvfLib\MyVm\MyVm.ovf
■ C:\OvfLib\MyVm.mf
■ C:\OvfLib\MyVm-disk1.vmdk

If you type C:\NewFolder\OvfLib for a new OVF folder, the following files might be created:
■ C:\NewFolder\OvfLib\MyVm\MyVm.ovf
■ C:\NewFolder\OvfLib\MyVm.mf
■ C:\NewFolder\OvfLib\MyVm-disk1.vmdk

If you choose to export into the OVA format, and type MyVm, the file C:\MyVm.ova is created.
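The .mf file in the folder format lists one digest per file, in lines of the form "SHA1(MyVm.ovf)= <hex>" (newer exports use SHA256). Before importing a package received from someone else, as in the VirtualBox import post above, check the manifest so a truncated or altered disk image is caught before it boots. The following is an added example (not VMware's code and not from the original post): it verifies every file listed in the manifest, flags files present but unlisted, and unpacks a single-file OVA, which is a plain tar, while refusing absolute or ".." member paths. The run_demo() export is constructed. Note that a manifest proves integrity only; authenticity needs the .cert signature some exports carry, which this example does not check.

```python
"""Verify the .mf manifest of an exported OVF folder or an unpacked OVA (added example)."""
import hashlib
import os
import re
import tarfile
import tempfile

# One manifest line per file, e.g. "SHA1(MyVm.ovf)= 3a1b..."
_MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return [(algorithm, filename, hexdigest), ...] from manifest text."""
    entries = []
    for line in text.splitlines():
        m = _MF_LINE.match(line.strip())
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return entries


def file_digest(path, algorithm):
    """Stream the file through hashlib so multi-GB disks do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_ovf_folder(folder):
    """Check every file named in the folder's .mf; return {filename: True/False}.

    A listed-but-missing file counts as a failure.  Files in the folder that the
    manifest does not cover are returned under "_unlisted" so they are not
    silently trusted.
    """
    mf = [n for n in os.listdir(folder) if n.endswith(".mf")]
    if len(mf) != 1:
        raise ValueError("expected exactly one .mf in %s" % folder)
    with open(os.path.join(folder, mf[0])) as fh:
        entries = parse_manifest(fh.read())
    results = {}
    for algorithm, name, expected in entries:
        if os.sep in name or name.startswith("."):  # refuse path tricks in the manifest
            results[name] = False
            continue
        path = os.path.join(folder, name)
        results[name] = os.path.isfile(path) and file_digest(path, algorithm) == expected
    listed = set(results) | {mf[0]}
    results["_unlisted"] = sorted(set(os.listdir(folder)) - listed)
    return results


def unpack_ova(ova_path, dest):
    """Extract a single-file OVA (a tar) into dest, rejecting members that escape it."""
    with tarfile.open(ova_path) as tar:
        for member in tar.getmembers():
            if (not member.isfile() or os.path.isabs(member.name)
                    or ".." in member.name.split("/")):
                raise ValueError("unsafe member in OVA: %s" % member.name)
        tar.extractall(dest)
    return dest


def run_demo():
    """Build a constructed MyVm export, verify it, then append one byte to the disk."""
    with tempfile.TemporaryDirectory() as folder:
        files = {"MyVm.ovf": b"<Envelope/>", "MyVm-disk1.vmdk": b"KDMV" + b"\0" * 64}
        for name, data in files.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        lines = ["SHA1(%s)= %s" % (n, hashlib.sha1(d).hexdigest()) for n, d in files.items()]
        with open(os.path.join(folder, "MyVm.mf"), "w") as fh:
            fh.write("\n".join(lines) + "\n")
        clean = verify_ovf_folder(folder)
        with open(os.path.join(folder, "MyVm-disk1.vmdk"), "ab") as fh:
            fh.write(b"!")  # tampered disk image
        tampered = verify_ovf_folder(folder)
    return clean, tampered


if __name__ == "__main__":
    print(run_demo())
```

For an .ova, call unpack_ova() into an empty directory and then verify_ovf_folder() on that directory; import only if every listed file is True and "_unlisted" is empty.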

exportOVF
