Info on Symantec Endpoint Protection
« on: October 05, 2010, 04:36:08 pm »
The title of this post was almost, "Well bugger me sideways" but I decided that might be inviting the wrong sort of attention.

Just sorted out an issue with SEP, sharing it here in case anyone else has similar fun.

Recovering from a major virus incident (Win32.Ramnit.C, > 3,000 files infected), now clear (multiple scans, online and local tools), I decided that part of the issue was the Virgin anti-virus suite I was using, so I changed to SEP (I have a licence to use it from work, although SEP is unmanaged).

Symptom was internet connectivity dropping. As this, too, was a known issue and Virgin are installing a new road section of cable tomorrow, I didn't think too much of it, just set up a ping -t to show when I had an active connection. Connection would come on for about 6-10 seconds, drop for about 20, a bit regular, but not a lot. Carried on a while, as the Virgin error often clears after about 30 minutes (go figger), so I had a look on another machine, and the Internet link was rock solid. A ping from that machine to the same Internet host would be OK at the same time as it would time out on the other.

Firewall was obviously the main suspect, but there was no reason I could see from the (default) config why it was behaving that way. Only oddity was that packets from the local LAN (10.0.0.x) were shown in the log being blocked. Again, shouldn't be an issue, but suspect behaviour on a trusted network. So I added an allow 10.0.0.x rule and it turns out Robert is my mother's brother.

Why? Stan only knows.

(edit)

Well, it turns out not to be straightforward. Now it would appear more likely that IPv6 is enabled on the card by default (Win7 64-bit). Broadcasts appear to be coming out as IPv6 (wtf?), so they hit a default rule in SEP banning IPv6 on a particular port (these packets aren't on that port, but it still seems to match). Disabled IPv6 on the adapter....

Let's see how this works now.

(edit)

Still goes upf*ck.
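As an added example (not part of the original post), here is a small script that turns the "ping -t" output the author used as a connectivity probe into up/down intervals, so the "about 6-10 seconds up, about 20 down" pattern described above can be measured rather than eyeballed. It assumes the default Windows ping output format and ping's default one-probe-per-second interval; the sample lines and the TEST-NET address 203.0.113.5 are constructed.

```python
"""Summarise Windows `ping -t` output as runs of up/down seconds."""
import re

# Default Windows ping output: "Reply from <host>: bytes=32 time=14ms TTL=56"
REPLY = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+")
# Lines that indicate a lost probe (timeout or local routing failure).
DOWN_PREFIXES = ("Request timed out.", "Destination host unreachable",
                 "General failure")


def classify(line):
    """Return 'up' for a reply, 'down' for a lost probe, None for other lines."""
    line = line.strip()
    if REPLY.match(line):
        return "up"
    if line.startswith(DOWN_PREFIXES):
        return "down"
    return None  # header lines, blank lines, statistics block


def intervals(lines):
    """Collapse consecutive probes into (state, seconds) runs, one probe = 1 s."""
    runs = []
    for line in lines:
        state = classify(line)
        if state is None:
            continue
        if runs and runs[-1][0] == state:
            runs[-1] = (state, runs[-1][1] + 1)
        else:
            runs.append((state, 1))
    return runs


def summarize(runs):
    """Average length of the up and down runs, and how often the link flapped."""
    ups = [n for s, n in runs if s == "up"]
    downs = [n for s, n in runs if s == "down"]
    return {"up_avg": sum(ups) / len(ups) if ups else 0.0,
            "down_avg": sum(downs) / len(downs) if downs else 0.0,
            "drops": len(downs)}


# Constructed sample: 8 s up, 20 s down, 6 s up, 20 s down, 3 s up.
SAMPLE = (["Pinging 203.0.113.5 with 32 bytes of data:"]
          + ["Reply from 203.0.113.5: bytes=32 time=14ms TTL=56"] * 8
          + ["Request timed out."] * 20
          + ["Reply from 203.0.113.5: bytes=32 time=15ms TTL=56"] * 6
          + ["Request timed out."] * 20
          + ["Reply from 203.0.113.5: bytes=32 time=14ms TTL=56"] * 3)

if __name__ == "__main__":
    runs = intervals(SAMPLE)
    print(runs)
    print(summarize(runs))
```

Feed it the saved ping log from both machines: the one behind SEP should show the periodic drops, the other a single long "up" run, which is the comparison the author made by hand.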