That's way beyond an AV remit. If that happened on my watch I'd have a legal 
person on to Symantec. No way should AV decide to arbitrarily remove files on 
other systems.

---Blackberried

-----Original Message-----
From: "Kennedy, Jim" <kennedy...@elyriaschools.org>
Date: Thu, 8 Nov 2012 13:48:52 
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Symantec %@(*&OI:TNGF(P*

“SEP quarantined the files and then went to all machines on the network and 
quarantined them on all machines…”

Holy smokes, it decided to do that on its own? And quarantined the machines 
that had NOT been updated yet?

So glad I don’t run AV.


From: Robert Cato [mailto:cato.rob...@gmail.com]
Sent: Thursday, November 08, 2012 8:45 AM
To: NT System Admin Issues
Subject: Re: Symantec %@(*&OI:TNGF(P*

Ken

These two updates were only installed on a couple of Win7 machines at most. 
They were approved during the day for install overnight, a couple of users saw 
the pop-up and installed. SEP quarantined the files and then went to all 
machines on the network and quarantined them on all machines (Win7, Vista, and 
XP).

It would be nice if we had a separate network, but I'm not sure that will get 
approved.

Robert

On Thu, Nov 8, 2012 at 6:41 AM, Ken Schaefer <k...@adopenstatic.com> wrote:
Even if you don’t have a separate network, you can create a separate group in 
WSUS, and put a test machine(s) with your SOE image in that group.

That would allow you to test patches prior to mass deployment. Checking for AV 
issues would be just one thing – I’d recommend that you have some test cases 
for all your important apps as well.

Cheers
Ken

From: Robert Cato [mailto:cato.rob...@gmail.com]
Sent: Thursday, 8 November 2012 9:48 PM
To: NT System Admin Issues
Subject: Re: Symantec %@(*&OI:TNGF(P*

Ken,

That was my first question, but it is still unanswered. I am still new at this 
%dayjob%.

In this case, the testing would have had to be done in a separate network, 
which I am fairly sure we don't have. I will take that suggestion to the table 
when we analyze the breakdowns of this incident.

Robert

On Wed, Nov 7, 2012 at 9:37 PM, Ken Schaefer <k...@adopenstatic.com> wrote:
No matter who you migrate to, you’ll also run into issues (false positives seem 
to occur all the time, with all vendors).

Did you test the patches before releasing to Production? Might be worth beefing 
up the testing regime.

From: Robert Cato [mailto:cato.rob...@gmail.com]
Sent: Thursday, 8 November 2012 5:22 AM
To: NT System Admin Issues
Subject: Symantec %@(*&OI:TNGF(P*


FYI

We approved two MS patches yesterday (KB2574819 KB2592687) in WSUS. One user 
installed the two updates in the afternoon and Symantec Endpoint Protection 12 
with several advanced features enabled (threat protection, heuristics, SONAR, 
etc). SEP quarantined 15 system files, run32.dll among them. The real problems 
started when SEP decided to quarantine the files across all ~600 workstations 
taking us completely offline.

The fix was to boot each workstation into safe mode and remove SEP.

It was a long night.

The good news:
None of the advanced features were enabled on the servers.
We are migrating away from SEP as of this morning.

Robert
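
The staged approval suggested earlier in the thread (a separate WSUS group holding a test machine with the SOE image) can be scripted as follows. This is an added example, not code from any poster; it assumes the UpdateServices PowerShell module on the WSUS server and server-side targeting, and the group and host names are hypothetical.

```powershell
# Added example: approve patches for a pilot group first, promote only after checks.
Import-Module UpdateServices

$PilotGroup = 'Pilot-SOE'               # hypothetical group for the SOE test machine(s)
$BroadGroup = 'All Computers'           # built-in WSUS group
$PilotHosts = @('soe-test-01')          # hypothetical test machine name(s)
$KbNumbers  = @('2574819', '2592687')   # the two KBs named in the thread
$ManualChecksPassed = $false            # set to $true only after AV console and app tests are clean

$wsus = Get-WsusServer                  # WSUS server on the local machine

# 1. Create the pilot group if it does not exist yet.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $PilotGroup }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($PilotGroup) }

# 2. Put the test machine(s) in the pilot group.
foreach ($name in $PilotHosts) {
    Get-WsusComputer -UpdateServer $wsus -NameIncludes $name |
        Add-WsusComputer -TargetGroupName $PilotGroup
}

# 3. Select the updates by KB number and approve them for the pilot group only.
$updates = Get-WsusUpdate -UpdateServer $wsus -Classification All `
               -Approval AnyExceptDeclined -Status Any |
    Where-Object {
        $kbs = $_.Update.KnowledgebaseArticles
        $KbNumbers | Where-Object { $kbs -contains $_ }
    }
$updates | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup

# 4. Gate: every pilot machine reports installed (or not applicable), none failed or pending.
function Test-PilotClean($Update, $Group) {
    $s = $Update.Update.GetSummaryForComputerTargetGroup($Group)
    $pending = $s.UnknownCount + $s.NotInstalledCount + $s.DownloadedCount +
               $s.InstalledPendingRebootCount
    ($s.FailedCount -eq 0) -and ($pending -eq 0)
}

# 5. Promote to the broad group only when WSUS status AND the manual checks agree.
#    Run this part later, after the pilot machines have installed and reported back.
foreach ($u in $updates) {
    if ((Test-PilotClean $u $group) -and $ManualChecksPassed) {
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $BroadGroup
    } else {
        Write-Warning "Holding $($u.Update.Title): pilot not clean or manual checks not signed off"
    }
}
```

WSUS install status says nothing about what an endpoint product did to the patched files afterwards, which is why promotion also waits on `$ManualChecksPassed`: the AV quarantine log on the pilot machine and the application test cases are checked by a person.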



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

