I'm not familiar with all of the features of the product; that is handled
by the security team. They were on the phone with Symantec over 15 hours
straight. The two features I kept hearing coming up were Sonar and proactive
threat protection.

I had the exact same question about why it would quarantine files on other
machines where the hash did not change. Right now, the security team is
focusing on testing replacement products, so I have not been able to get
any specifics on what went wrong.

Robert


On Thu, Nov 8, 2012 at 8:41 PM, Ken Schaefer <k...@adopenstatic.com> wrote:

> What setting is this?
>
> If it’s quarantined new files that have just been deployed, I’m surprised
> that it’s quarantining older files on other machines that would have a
> different signature.
>
> Cheers
>
> Ken
>
> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
> *Sent:* Friday, 9 November 2012 12:57 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Symantec %@(*&OI:TNGF(P*
>
> Yep, all on its own. Granted this was based on settings that were made
> during installation, based on recommendations from the onsite Symantec
> vendor/engineer.
>
> On Thu, Nov 8, 2012 at 8:48 AM, Kennedy, Jim <kennedy...@elyriaschools.org>
> wrote:
>
> “SEP quarantined the files and then went to all machines on the network
> and quarantined them on all machines…”
>
> Holy smokes, it decided to do that on its own? And quarantined the
> machines that had NOT been updated yet?
>
> So glad I don’t run AV.
>
> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
> *Sent:* Thursday, November 08, 2012 8:45 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Symantec %@(*&OI:TNGF(P*
>
> Ken
>
> These two updates were only installed on a couple of Win7 machines at
> most. They were approved during the day for install overnight, a couple of
> users saw the pop-up and installed. SEP quarantined the files and then went
> to all machines on the network and quarantined them on all machines (Win7,
> Vista, and XP).
>
> It would be nice if we had a separate network, but I'm not sure that will
> get approved.
>
> Robert
>
> On Thu, Nov 8, 2012 at 6:41 AM, Ken Schaefer <k...@adopenstatic.com> wrote:
>
> Even if you don’t have a separate network, you can create a separate group
> in WSUS, and put a test machine(s) with your SOE image in that group.
>
> That would allow you to test patches prior to mass deployment. Checking
> for AV issues would be just one thing – I’d recommend that you have some
> test cases for all your important apps as well.
>
> Cheers
>
> Ken
>
> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
> *Sent:* Thursday, 8 November 2012 9:48 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Symantec %@(*&OI:TNGF(P*
>
> Ken,
>
> That was my first question, but it is still unanswered. I am still new at
> this %dayjob%.
>
> In this case, the testing would have had to be done in a separate network,
> which I am fairly sure we don't have. I will take that suggestion to the
> table when we analyze the breakdowns of this incident.
>
> Robert
>
> On Wed, Nov 7, 2012 at 9:37 PM, Ken Schaefer <k...@adopenstatic.com> wrote:
>
> No matter who you migrate to, you’ll also run into issues (false positives
> seem to occur all the time, with all vendors).
>
> Did you test the patches before releasing to Production? Might be worth
> beefing up the testing regime.
>
> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
> *Sent:* Thursday, 8 November 2012 5:22 AM
> *To:* NT System Admin Issues
> *Subject:* Symantec %@(*&OI:TNGF(P*
>
> FYI
>
> We approved two MS patches yesterday (KB2574819 KB2592687) in WSUS. One
> user installed the two updates in the afternoon and Symantec Endpoint
> Protection 12 with several advanced features enabled (threat protection,
> heuristics, SONAR, etc). SEP quarantined 15 system files, run32.dll among
> them. The real problems started when SEP decided to quarantine the files
> across all ~600 workstations taking us completely offline.
>
> The fix was to boot each workstation into safe mode and remove SEP.
>
> It was a long night.
>
> The good news:
>
> None of the advanced features were enabled on the servers.
>
> We are migrating away from SEP as of this morning.
>
> Robert
>
>
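
The WSUS pilot-group staging suggested in the thread, sketched as an added example that is not part of any message above. It assumes the UpdateServices PowerShell module (WSUS role on Windows Server 2012 or later) and server-side targeting; the group name and test host names are hypothetical.

```powershell
# Added example: approve patches for a WSUS pilot group before broad rollout.
# Group and host names are hypothetical; the KB numbers are those in the thread.
Import-Module UpdateServices

$PilotGroup   = 'Pilot-SOE'
$PilotHosts   = @('SOE-TEST-W7', 'SOE-TEST-VISTA', 'SOE-TEST-XP')
$KbsUnderTest = @('2574819', '2592687')

$wsus = Get-WsusServer   # connects to the local WSUS server

# 1. Create the pilot target group if it does not exist yet.
$existing = $wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $PilotGroup }
if (-not $existing) {
    [void]$wsus.CreateComputerTargetGroup($PilotGroup)
}

# 2. Add the SOE test machines (same AV agent and policy as production).
#    The FullDomainName filter drops anything that is not a computer object.
foreach ($name in $PilotHosts) {
    Get-WsusComputer -UpdateServer $wsus -NameIncludes $name |
        Where-Object { $_.FullDomainName } |
        Add-WsusComputer -TargetGroupName $PilotGroup
}

# 3. Select the still-unapproved updates matching the KBs under test.
$candidates = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any |
    Where-Object {
        $kbs = $_.Update.KnowledgebaseArticles
        $KbsUnderTest | Where-Object { $kbs -contains $_ }
    }

# 4. Approve them for the pilot group only; every other group stays unapproved
#    until the test machines have installed the patches and the endpoint
#    protection console shows no quarantine events for them.
$candidates | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup

# 5. List what was staged, for the change record.
$candidates | ForEach-Object { $_.Update.Title }
```

If clients are assigned to groups through Group Policy (client-side targeting), step 2 does not apply and the test machines need the pilot group name in their policy instead.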
