Questions[symantec-endpoint-protection](server)

As part of my Apache logs, I can frequently observe a sequence of consecutive GET like :

• 46.235.158.196 - Requesting a file
• Some other host requesting the exact same file within the same second with the same user agent

Being said that :

• 46.235.158.196 is said belonging to Symantec
• But said by the SpamHaus infected or NATing for a computer infected with matsnu
• The other host IP varies but is systematically owned by one or another reknown institution

I am wondering wether it is a legal protection service from symantec or a sign that the other host is infected or NATing too ?

I'm having a problem where I have a local server machine that shouldn't have anything to do with our local web server, but yet the web server's Symantec Endpoint protection is showing the local server (IP) is constantly hitting the web server and being blocked. The application is showing as svchost.exe. Getting a new log entry ever few seconds.

We have SEP 12.1 RU1 Small Business Edition and we're deploying to Windows 2008 R2 machines. It seems that SEP is disabling the native firewall. Has anyone seen this?

Specifically, The SEP Firewall policy on the management server does not have the "Enable this Firewall Policy" checkbox checked -- that is, the policy is disabled. I've pushed the client out to some of our servers and the client is modifying the native Windows firewall, Windows now shows that the native firewall is "Active", but it's also "managed by Symantec" and if you look at the list of active rules there are none. I've confirmed that the firewall is indeed not active by accessing the server on ports that should be blocked. I've also confirmed that I'm setting up the native firewall correctly by doing the same config on another server that doesn't yet have SEP and traffic gets blocked.

Has anyone configured SEP 12.1 SBE and left the native Windows firewall enabled? If so, how? And before you suggest I just enable the SEP firewall, I'd need a different policy for each server as there are different needs/services on each server so that just seems like a silly thing to do.

I have done some Googling but I cannot get a definitive answer certainly not from the Symantec KB.

I have a Virtualised Win 2003R2 server 32bit. It has been provisioned to me with Symantec Endpoint Protection 11.0.62xxx CLIENT (not a definitions server)

the directory C:\Program Files\Common Files\Symantec Shared\VirusDefs is 750MB

IT doesn't contain .tmp directories so it is NOT a corrupt definitions server. IT does contain directories named with a date pattern YYYYMMDD.xxx

Some of these folders are 12 months old and I would like to recover the space. The sysmantect forums are full of this stuff but a lot of the postings contain links back to documents that are not specific to End Point Protection Client.

It appears that I should be able to delete the older folders and all will be OK. with a service restart however there is a warning about having Live Update Administrator Installed

Firstly I have no idea if I have this installed how to I check and secondly can I just ditch these old files and restart?

I have followed some instructions found on the Symantec site and assumed that the response from Nixphoe would resolve my issue. It appears that as I am on a provisioned VM from a central IT unit I cannot run the Symantec commands from the Run prompt as my admin creds to get me in. (smc -stop)
Basically I need to claw back some Diskspace from the c: drive which is being filed up with WSUS patches and Symantec files. I have managed to delete one symantec cache through the live update control panel and recovered 470Mb

I suppose my last question for those more experienced than myself is, can I simply remove say the two oldest virus definition folders without completely foobaring the End Point protection and the server?

we're upgrading to Symantec Endpoint Protection 12 using group policy in a mixed environment from SAV 10. how can we tell which machines are 32-bit v. 64-bit? we tried looking at the properties in AD Users and Computers to no avail thinking we'd create separate OUs for the machines. our dc is running windows 2003, but we have a 2008 machine we can create policies with. any ideas?

thank you!