+1 on that...

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, November 08, 2012 11:32 AM
To: NT System Admin Issues
Subject: Re: Symantec %@(*&OI:TNGF(P*

 

No, the first rule of Symantec is you don't use any of their products
:-)

On 8 November 2012 16:23, Steven Peck <sep...@gmail.com> wrote:

The first rule of Symantec is you don't talk about symantec 

 

On Thu, Nov 8, 2012 at 6:54 AM, Robert Cato <cato.rob...@gmail.com>
wrote:

 

It is SEP12, I'm sorry I do not know the definition file, that is
handled by the security group...and they don't really want to talk about
Symantec right now.

 

On Thu, Nov 8, 2012 at 9:05 AM, Erik Goldoff <egold...@gmail.com> wrote:

        curious, SEP 11 or 12, and what definitions when this happened ?

         

        Thanks

        On Thu, Nov 8, 2012 at 8:57 AM, Robert Cato
<cato.rob...@gmail.com> wrote:

                 

                Yep, all on its own. Granted this was based on settings
that were made during installation, based on recommendations from the
onsite Symantec vendor/engineer.

                 

                 

                On Thu, Nov 8, 2012 at 8:48 AM, Kennedy, Jim
<kennedy...@elyriaschools.org> wrote:

                        "SEP quarantined the files and then went to all
machines on the network and quarantined them on all machines..."

                         

                        Holy smokes, it decided to do that on its own?
And quarantined the machines that had NOT been updated yet?

                         

                        So glad I don't run AV.

                         

                         

                        From: Robert Cato [mailto:cato.rob...@gmail.com]

                        Sent: Thursday, November 08, 2012 8:45 AM 

                        
                        To: NT System Admin Issues

                        Subject: Re: Symantec %@(*&OI:TNGF(P* 

                         

                        Ken

                         

                        These two updates were only installed on a
couple of Win7 machines at most. They were approved during the day for
install overnight, a couple of users saw the pop-up and installed. SEP
quarantined the files and then went to all machines on the network and
quarantined them on all machines (Win7, Vista, and XP).

                         

                        It would be nice if we had a separate network,
but I'm not sure that will get approved.

                         

                        Robert

                         

                        On Thu, Nov 8, 2012 at 6:41 AM, Ken Schaefer
<k...@adopenstatic.com> wrote:

                        Even if you don't have a separate network, you
can create a separate group in WSUS, and put a test machine(s) with your
SOE image in that group. 

                         

                        That would allow you to test patches prior to
mass deployment. Checking for AV issues would be just one thing - I'd
recommend that you have some test cases for all your important apps as
well.

                         

                        Cheers

                        Ken

                         

                        From: Robert Cato [mailto:cato.rob...@gmail.com]

                        Sent: Thursday, 8 November 2012 9:48 PM 

                        
                        To: NT System Admin Issues
                        Subject: Re: Symantec %@(*&OI:TNGF(P*

                         

                        Ken,

                         

                        That was my first question, but it is still
unanswered. I am still new at this %dayjob%. 

                         

                        In this case, the testing would have had to be
done in a separate network, which I am fairly sure we don't have. I will
take that suggestion to the table when we analyze the breakdowns of this
incident.

                         

                        Robert

                         

                        On Wed, Nov 7, 2012 at 9:37 PM, Ken Schaefer
<k...@adopenstatic.com> wrote:

                        No matter who you migrate to, you'll also run
into issues (false positives seem to occur all the time, with all
vendors).

                         

                        Did you test the patches before releasing to
Production? Might be worth beefing up the testing regime.

                         

                        From: Robert Cato [mailto:cato.rob...@gmail.com]

                        Sent: Thursday, 8 November 2012 5:22 AM 

                        
                        To: NT System Admin Issues

                        Subject: Symantec %@(*&OI:TNGF(P* 

                         

                         

                        FYI

                         

                        We approved two MS patches yesterday (KB2574819
KB2592687) in WSUS. One user installed the two updates in the afternoon
and Symantec Endpoint Protection 12 with several advanced features
enabled (threat protection, heuristics, SONAR, etc). SEP quarantined 15
system files, run32.dll among them. The real problems started when SEP
decided to quarantine the files across all ~600 workstations taking us
completely offline.

                         

                        The fix was to boot each workstation into safe
mode and remove SEP.

                         

                        It was a long night.

                         

                        The good news:

                        None of the advanced features were enabled on
the servers.

                        We are migrating away from SEP as of this
morning.

                         

                        Robert

                         

                        ~ Finally, powerful endpoint security that ISN'T
a resource hog! ~
                        ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
                        
                        ---
                        To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
                        or send an email to
listmana...@lyris.sunbeltsoftware.com
                        with the body: unsubscribe ntsysadmin

                         





-- 
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
<http://appsensebigot.blogspot.co.uk/> 
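
Ken Schaefer's suggestion in the thread (a separate WSUS group holding test machines, with patches tried there before mass deployment), as an added PowerShell example that is not part of any poster's message. It assumes the UpdateServices module (WSUS on Windows Server 2012 or later) and is run on the WSUS server; the group name and host-name fragment are hypothetical.

```powershell
# Added example: stage approvals to a pilot group before wider release.
Import-Module UpdateServices

$pilotGroup  = 'Pilot-SOE'             # hypothetical target group name
$pilotHosts  = 'SOE-TEST'              # hypothetical fragment of the test machines' names
$kbNumbers   = '2574819', '2592687'    # the two KBs named in the thread

$wsus = Get-WsusServer                 # local WSUS server

# Create the pilot group once; CreateComputerTargetGroup throws if it already exists.
$existing = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $pilotGroup }
if (-not $existing) {
    [void]$wsus.CreateComputerTargetGroup($pilotGroup)
}

# Put the test machines (built from the SOE image) into the pilot group.
Get-WsusComputer -UpdateServer $wsus -NameIncludes $pilotHosts |
    Add-WsusComputer -TargetGroupName $pilotGroup

# Approve the updates for the pilot group only. Nothing is approved for
# "All Computers" here, so production machines are not offered the
# updates until the pilot machines (with AV in its production
# configuration) have installed them and the app test cases have passed.
$staged = Get-WsusUpdate -UpdateServer $wsus -Classification All `
                         -Approval Unapproved -Status Any |
    Where-Object {
        # KnowledgebaseArticles holds the KB numbers without the "KB" prefix
        $_.Update.KnowledgebaseArticles | Where-Object { $kbNumbers -contains $_ }
    }

$staged | Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup

# Show what was staged, for the change record.
$staged | ForEach-Object { $_.Update.Title }
```

Widening the approval to the production groups is a separate, later step, taken after the pilot machines have been checked.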
