Channel: Symantec Connect - Products - Articles

Block specific Chrome browser extensions with a SEP Application Device Control policy


Using ADC to block Chrome extensions

There may be situations where you wish to block end-users from utilizing a specific Google Chrome browser extension. This can be accomplished, fairly easily, via Application and Device Control in Symantec Endpoint Protection. The first part of this process is identifying not just the extension to block, but more importantly the unique ID associated with the extension. Below are the steps to find this UID and put the rule in place.

Find the Chrome Extension UID:

1) Open up Chrome and type in chrome://extensions in the URL bar, or go to Settings > Extensions.

2) Enable "Developer Mode" by checking the checkbox top right.


3) Open up the Chrome Web Store via the "Get more extensions" hyperlink.


4) Search for the extension(s) you wish to block.

5) Click on the "Add to Chrome" button to install the extension.


6) Confirm you wish to install by clicking the "Add extension" button in the new prompt.

7) Return to the chrome://extensions page and locate the extension in question.

8) Note that with "Developer Mode" enabled you will now see an ID: parameter. The string value listed is what we are after.


Create your new ADC block policy:

1) Within the SEP Manager console click on Policies then highlight Application and Device Control.

2) Either edit an existing policy or create a new one.

3) Within the policy, visit the "Application Control" section and add a new rule set.


4) Give your rule a meaningful name. (e.g. Block Chrome Extensions)

5) To the right under Properties, click "Add...", enter either the * wildcard or the process name chrome.exe, and click "OK".


6) At the bottom, under "Rules" click the "Add..." button, then "Add Condition", finally selecting "File and Folder Access Attempts".


7) Again provide a meaningful name, then click "Add..." to the right under properties.

8) For the "File or Folder Name To Match" field use the following path with the Chrome extension ID appended:

  • %systemdrive%\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
  • Alternatively, you could use an asterisk (*) wildcard in place of the extension ID to block all Chrome extensions.

9) Leave the option to "Use wildcard matching" enabled and click OK.

10) At the top, switch to the "Actions" tab and set the Read Attempt as well as the Create, Delete or Write Attempt options to "Block access".


11) Additionally you can set your notification and logging options as needed.

12) Save the policy and assign to a test group to ensure that attempts to install the configured extension are blocked.

Things to consider:

  • Test, test and test again. ADC is a very powerful tool, but if configured incorrectly it can ruin your day.
  • Keep in mind that pre-existing extensions will not be blocked properly with this policy; it is meant only to prevent future extension installation.
  • Chrome users will be able to disable or delete an extension from within the browser, but the files will be left untouched on the system as ADC won't allow access.
  • The extension ID may change when it is updated on the Google Web Store, so you may have to revise or add to the block rule.
  • A similar configuration can be used with other browsers, but will require tweaking of the file/folder path and of how extensions are identified.
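As an added example (not from the article), the following Python script lists extension IDs directly from the Extensions directory that the rule targets and builds the matching rule path for each, so an ID can be collected without installing the extension first. It walks every profile, not only Default (Chrome names the others "Profile 1", "Profile 2", ...), which goes beyond the article's Default-only path; the Users tree it reads here is a constructed temporary one.

```python
import json
import os
import re
import tempfile

# Chrome extension IDs are 32 characters drawn from the letters a-p
# (the ID on the page, aohghmighlieiainnegkcijnfilokake, has that form).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# The article's rule path with the extension ID appended; ADC wildcard
# matching expands %systemdrive% and the '*' standing for the user name.
ADC_RULE_TEMPLATE = (r"%systemdrive%\Users\*\AppData\Local\Google\Chrome"
                     r"\User Data\Default\Extensions\{ext_id}")


def adc_rule(ext_id):
    """Return the 'File or Folder Name To Match' value for one extension ID."""
    if not EXT_ID_RE.match(ext_id):
        raise ValueError("not a Chrome extension ID: %r" % ext_id)
    return ADC_RULE_TEMPLATE.format(ext_id=ext_id)


def inventory_extensions(users_root):
    """List installed Chrome extensions under every profile of every user.

    users_root is the Users directory (C:/Users on a real host).  Returns a
    sorted list of (user, profile, ext_id, version, name) tuples.
    """
    found = []
    for user in sorted(os.listdir(users_root)):
        user_data = os.path.join(users_root, user, "AppData", "Local",
                                 "Google", "Chrome", "User Data")
        if not os.path.isdir(user_data):
            continue
        for profile in os.listdir(user_data):
            # Chrome names profiles "Default", "Profile 1", "Profile 2", ...
            if profile != "Default" and not profile.startswith("Profile "):
                continue
            ext_dir = os.path.join(user_data, profile, "Extensions")
            if not os.path.isdir(ext_dir):
                continue
            for ext_id in os.listdir(ext_dir):
                if not EXT_ID_RE.match(ext_id):
                    continue  # Temp and other non-extension entries
                for version in os.listdir(os.path.join(ext_dir, ext_id)):
                    manifest = os.path.join(ext_dir, ext_id, version, "manifest.json")
                    if not os.path.isfile(manifest):
                        continue
                    with open(manifest, encoding="utf-8") as fh:
                        data = json.load(fh)
                    # Web Store extensions often carry a localized placeholder
                    # such as "__MSG_appName__" as the name; it is kept as-is.
                    found.append((user, profile, ext_id, version,
                                  data.get("name", "")))
    return sorted(found)


def build_sample_tree():
    """Construct a throwaway Users tree with two fake installs (constructed
    sample data, not taken from a real host) and return its path."""
    root = tempfile.mkdtemp(prefix="users-")
    installs = [
        ("alice", "Default", "aohghmighlieiainnegkcijnfilokake", "1.0.0_0",
         "Sample extension (constructed)"),
        ("bob", "Profile 1", "abcdefghijklmnopabcdefghijklmnop", "2.3.1_0",
         "__MSG_appName__"),
    ]
    for user, profile, ext_id, version, name in installs:
        ext_path = os.path.join(root, user, "AppData", "Local", "Google",
                                "Chrome", "User Data", profile, "Extensions",
                                ext_id, version)
        os.makedirs(ext_path)
        with open(os.path.join(ext_path, "manifest.json"), "w",
                  encoding="utf-8") as fh:
            json.dump({"name": name, "version": version.split("_")[0],
                       "manifest_version": 2}, fh)
    # Chrome also keeps a Temp directory here, which the inventory must skip.
    os.makedirs(os.path.join(root, "alice", "AppData", "Local", "Google",
                             "Chrome", "User Data", "Default", "Extensions",
                             "Temp"))
    return root


if __name__ == "__main__":
    for user, profile, ext_id, version, name in inventory_extensions(build_sample_tree()):
        print("%s/%s  %s  %s  %s" % (user, profile, ext_id, version, name))
        print("  rule:", adc_rule(ext_id))
```

Entries found on a host before the policy is deployed are exactly the pre-existing installs the article says the policy will not block; an extension living under a profile other than Default would need its own rule with that profile name in place of Default.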

Why Would a Security Product Interfere with Windows Task Scheduler?


One day, you look in the Windows Task Scheduler and see the message:

The selected task “{0}” no longer exists.  To see the current tasks click Refresh


Well after you click OK and then click Refresh, you are still missing that task.  And Windows is really great about not informing you of what that task is.

Other articles on the Internet suggest going through the actual Tasks folder to determine where the disconnect is.  I think I have an easier solution for anyone using a Symantec security product, particularly the Symantec Endpoint Protection Small Business Edition (also known as Symantec.cloud).

Open an elevated command prompt and issue the following commands:

cd \
cd program files\symantec.cloud\antivirus
avagent -SHOW_UI

The GUI will be displayed. (Norton Internet Security users simply open their product.)  Depending on your version, the screen’s appearance may differ from the one shown below (which is from NIS 21.5.0.19)

Click on Settings, and select the General tab.

symNG3.jpg

When you click the question mark to the right of the Idle Time Optimizer, you see the web page that explains that this “feature” automatically defragments the hard drive when the user is inactive for a period of time.


I find this too pretentious for words.  If I have set a disk defragment schedule on my computer, or any of my clients’ computers, I fully expect that those schedules will be maintained and adhered to.  I certainly don’t expect my security software to come along and interfere with them.  Even worse, is the error message that ends up being displayed as a result of Symantec’s change.

So, turn off the Idle Time Optimizer.  Click OK to apply.  Close the GUI, and the command prompt.

After you turn off this setting, click the Windows Start button, type "defrag" (without the quotes) in the Search bar to launch the Windows Defragmenter.  Change any one of the existing settings to force the entry back into the Task Scheduler.   You can reset the minor change immediately, and then close the Defragmenter.

Now, go back to the Task Scheduler and see that there is no error message.

There you have it, an amazingly simple solution to a vexing (and stupidly annoying) error message.

Windows DCS Agent Installation steps


Windows DCS Agent Installation

Manual Install

In the Welcome panel, click Next.


In the Agent Configuration panel, accept or change the default settings and then click Next.


In the Management Server Configuration panel, in the Primary Management Server box, type the fully qualified host name or IP address of the primary server that is used to manage this agent (10.10.0.0). Accept the default settings, leave the relevant checkbox un-checked (for detection mode only), and then click Next.


Standard Practice to manage Symantec Endpoint Protection Client related issues


Roles and responsibilities as Symantec Admin

  • Monitor client-to-SEPM communication.
  • Maintain a Symantec Endpoint Protection environment.
  • Upgrade the Symantec Endpoint Protection environment.
  • Monitor and troubleshoot a Symantec Endpoint Protection environment.
  • Monitor and troubleshoot SEPM and client content delivery.
  • Monitor and troubleshoot protection technologies.
  • Use best practices when troubleshooting and remediating a virus outbreak.

Common issues and troubleshooting tasks for the Symantec SEP client

Definition update issues
  • Ping and telnet to the SEPM (172.0.1.1) on port 8014 and check whether it is reachable and the necessary port is allowed.
  • Check whether the server details show Offline, and whether the SEPM host name/IP address is reflected on the Help -> Troubleshooting page.
  • Check the last connected time: is it recent, or a date that is too old?
  • Run smc -stop and then smc -start from the Run window.

Symantec malfunction
  • Run smc -stop and then smc -start from the Run window.
  • Repair the Symantec client from Control Panel -> Add and Remove Programs.
  • If the repair fails or no repair option is visible, copy the latest Symantec package to the machine and run the Sep.msi/Sep64.msi file to upgrade/install.
  • If that does not work either, run the CleanWipe tool (version 11 or version 12, matching the client version).
  • If this does not resolve the issue, contact Symantec Support on 1 800 342 0652, Support ID 6682200000.

Virus outbreaks (SOC alert and SEPM Risk reports)
  • Identify the machine or source of the threat/attack: host name, IP address, location, etc.
  • Isolate it from all networks, except for the remote access you need for the investigation.
  • Verify whether the Symantec antivirus client is properly installed and healthy on the system.
  • Verify whether the virus and other definitions are up to date on the SEPM; if not, update them as soon as possible.
  • Verify all the logs in the Symantec client -> View Logs:
    • Control
    • Packet
    • Risk
    • Security
    • System
    • Traffic

1. If a risk has been identified and logged, you can trace the threat and submit it to Symantec Support; otherwise research further to get removal steps.

2. If no threat is found, run SymHelp and the Norton Power Eraser tool on the server and workstation respectively.

3. This tool needs to be run in threat scanning or load point analysis mode in order to identify boot-level viruses, rootkits etc. which the antivirus is unable to scan.

4. Boot-level scanning with the above tool requires a reboot, and at the end it provides a scan result of the identified threats. You can remove a threat by selecting the threat among

5. In case of an attack, investigate whether the attack happened inbound or outbound. If inbound, block the external public IP source to the inside. If outbound, block the inside (any) to the external public (C2C) malicious server.

NTP (firewall component removal)
  • Once any NTP component disable/removal request comes in, ask for a valid business justification and take the necessary approval from the business.
  • Once the justification is provided by the user, seek approval from the IT Security Manager.
  • After approval, we can remove/uninstall the firewall components only for the given period, and not the complete NTP (keep IPS).

Exclusion of business applications
  • Once any exclusion request comes in, ask for a valid business justification and forward the response to the IT Security Manager.
  • Once the IT Security Manager has approved the exclusion, implement the changes and apply them in the Global or a custom exception group.

Definition/Symantec issue of a roaming user
  • If a roaming user is having an issue, take a WebEx session to perform the above troubleshooting steps.
  • If the Symantec client is malfunctioning, upload the latest Symantec package (32/64 bit, basic content) to the file share site and share the download link.
  • Download Symantec from the above link and try the troubleshooting described above.

Important Note:

  • Always check first the Symantec window -> Help -> Troubleshooting
  • If any Symantec issue is unknown, run the SymHelp tool to collect logs and find the threat

How a Data Loss Prevention (DLP) Solution can help achieving PCI 3.0 compliance?


The PCI 3.0 standard touches the lives of hundreds of millions of people worldwide (as stated by the PCI Security Standards Council itself). A global organization, the Council maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe. There are numerous drawbacks to not being PCI compliant, including but not limited to brand degradation, a reduced customer base and loss of competitive advantage.

PCI 3.0 is a standard with no single definite path to achieving compliance. To me, this standard is an open framework, NOT one implemented with a pre-planned agenda (skillfully crafted) to benefit a few chosen vendors with its roll-out. I feel a Data Loss Prevention (DLP) tool could play a key role if architected to its potential. Though I have yet to see such efficient use of a DLP tool specifically in the PCI compliance domain, I'm sure many DLP experts are already thinking about it during this evolving PCI phase.

Below are some PCI DSS requirements which I feel DLP can meet effectively. To me these are certainly the ones where DLP could play a lead role in achieving compliance, but I'm sure that with further thoughtful use of a DLP solution we could meet more requirements than those listed below.

  • 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
    [DLP Feature]: Create Regex for PANs and Block using DLP
  • 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks,
    [DLP Feature]: Set all traffic to Block Mode except the above protocols when PCI data is identified using PCI data identifiers.
  • 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
    [DLP Feature]: DLP Discover scan, all using Network Discover (with agent & agentless) and Endpoint Discover can scan and quarantine/notify PCI Data
  • 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere).
    [DLP Feature]: There are pre-existent templates in most DLP tools to detect PCI data captured using a "magnetic-stripe" in specific which could be useful
  • 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
    [DLP Feature]: DLP Discover scan, all using Network Discover (with agent & agentless) and Endpoint Discover can scan and quarantine/notify PCI Data
  • 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
    [DLP Feature]: DLP Discover scan, all using Network Discover (with agent & agentless) and Endpoint Discover can scan and quarantine/notify PCI Data

For the requirements listed above, a DLP-based control can directly lead from the front. Below are a few more where I feel DLP could play a crucial part, or possibly act as a secondary, compensating or validating control:

  • 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
    [DLP Feature]: Use Flag for encryption response created in sync with your gateway encryption solution OR use Endpoint Flex response to trigger custom script based encryption
  • 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
    [DLP Feature]: Use Flag for encryption response created in sync with your gateway encryption solution OR use Endpoint Flex response to trigger custom script based encryption
  • 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
    [DLP Feature]: Monitor Permissions using Discover scans on all files with a cryptographic extension.
  • 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
    [DLP Feature]: Web and SMTP Prevent functionality to be implemented along with Block Policies when PCI data is detected
  • 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
    [DLP Feature]: Block Web and SMTP data when attempted to be sent or uploaded to an external domain/location/IP
  • 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, SSL, or IPsec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
    [DLP Feature]: Web and SMTP Prevent functionality to be implemented along with Block Policies when PCI data is detected
  • 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
    [DLP Feature]: Extension based DLP Policies
  • 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
    [DLP Feature]: Use Flag for encryption response created in sync with your gateway encryption solution OR use Endpoint Flex response to trigger custom script based encryption
  • 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
    [DLP Feature]: Review Permissions using Discover Scan, might as well use Data Insight Functionality
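The "Regex for PANs" control of requirement 4.2 and the first-six/last-four display rule of requirement 3.3, as an added Python example that is not Symantec DLP's own detector: a candidate regex narrowed by a Luhn check (which keeps order and phone numbers out of the incident queue), plus a masking response. The sample text and card number are constructed test data.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (a 20-digit run is skipped).
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalize(candidate):
    """Strip the separators so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return Luhn-valid PANs (digits only) found in text, in order of appearance."""
    return [_normalize(m.group(0)) for m in PAN_CANDIDATE_RE.finditer(text)
            if luhn_ok(_normalize(m.group(0)))]


def mask_pan(pan):
    """Display form allowed by requirement 3.3: first six and last four digits."""
    if not 13 <= len(pan) <= 19 or not pan.isdigit():
        raise ValueError("not a PAN: %r" % pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form, the action a
    DLP response rule would take before the message leaves the organization."""
    def _sub(match):
        digits = _normalize(match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test
    # number; the 16-digit order reference fails Luhn and is left alone.
    sample = ("Customer card 4111 1111 1111 1111, order ref 1234567812345678, "
              "phone 555-0100")
    print(find_pans(sample))
    print(redact(sample))
```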

PCI 3.0 is fairly new (if I may say that for Nov'13) and best practices around the same are not part of a standard stream yet; given the diversity and vastness it covers. It would be great to hear more from others carving their way out through this complex assignment in the comments section.

Powershell Script to Sync with Active Directory Sites and Services Subnets


Hello,

I wanted to share this in case it can be of help to other SEPM admins.

Problem: The default group, or the default installation group, in SEPM keeps getting populated by machines every time there is a new install or a client reconnecting to the management servers after the default timeout period. We then had to manually figure out where the client should go based on its IP address and subnet information. Of course we can use the move-client .vbs tool to automate this, but keeping the ipgroups.txt that the vbs script requires updated was still a manual process. Our group hierarchy is based on the locations in our Active Directory Sites and Services (ADSS). We were looking to completely automate the task of moving clients and keeping SEPM in sync with the subnets listed in ADSS.

Solution: The PowerShell script listed below. The main goal of the script is to get a dump of all subnets and their sites from ADSS and convert this information into the format that the move-client.vbs tool requires, i.e. IPGroups.txt. The secondary goal of this script is to run all the move-client scripts after creating IPGroups.txt. A couple of things about the PowerShell script and our background setup:

  1. This script was created mainly for workstations. We do not move servers based on scripts.
  2. In our environment, all workstations start with W. So the staging.vbs (move-client) that is called in the PowerShell script is set up so that it looks for any machines that start with W and moves them to a group in SEPM called "Staging".
  3. Once machines are in the Staging group, another (Move-Client.vbs) script runs that moves the machines based on their Active Directory subnet information.
  4. PowerShell by default outputs all text and CSV files in Unicode format; therefore you will notice that a convert.bat is called from within the PowerShell script. convert.bat converts from Unicode to ANSI format, as this is the only format that the move-client.vbs tool is compatible with.
    • The content of the convert.bat file is the following command (without the quotes):
      • TYPE D:\Scripts\Move-Clients\Main\Staging\temp.txt > D:\Scripts\Move-Clients\Main\Staging\IPGroups.txt
  5. You will notice that there are a lot of imports and exports happening in the PowerShell script; the reason is so that we can get the right data from ADSS into the right format that the move-client.vbs tool requires (removing quotes etc.).
  6. The main folder that all the scripts run from in this PowerShell script is D:\Scripts\Move-Clients; feel free to change the path in the script to match your folder structure.
    • The Move-Clients folder has the main PowerShell script
    • Main has the move-client.vbs that moves clients from the default group (installation group) to Staging based on the naming standard
    • Staging has the move-client.vbs that moves clients from the Staging group in SEPM based on their ADSS subnets.
  7. Once the script is tested and adjusted to your environment, schedule it using Windows Task Scheduler. I have it scheduled daily so that I can keep SEPM in sync with ADSS subnet information at least once a day.

Script:

[cmdletbinding()]
param()

# Collect every subnet and its site from Active Directory Sites and Services.
$Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
$obj = @()
foreach ($Site in $Sites) {
    foreach ($sub in $Site.Subnets) {
        $obj += New-Object -Type PSObject -Property @{
            "SiteName" = "Put your SEPM group path here\" + $Site.Name
            "SubNet"   = $sub.Name
        }
    }
}

# Export to CSV, then drop the header row and the quotes that Export-Csv adds,
# leaving the plain "group path,subnet" lines that move-client.vbs expects.
$obj | Export-Csv D:\Scripts\Move-Clients\1st.csv -NoTypeInformation
$csv = Get-Content D:\Scripts\Move-Clients\1st.csv
$csv = $csv[1..($csv.Count - 1)]
$csv > D:\Scripts\Move-Clients\2nd.csv
(Get-Content D:\Scripts\Move-Clients\2nd.csv) | % { $_ -replace '"', "" } | Out-File -FilePath D:\Scripts\Move-Clients\3rd.csv -Force
Rename-Item D:\Scripts\Move-Clients\3rd.csv temp.txt
Remove-Item D:\Scripts\Move-Clients\1st.csv
Remove-Item D:\Scripts\Move-Clients\2nd.csv
Copy-Item D:\Scripts\Move-Clients\temp.txt D:\Scripts\Move-Clients\Main\Staging\temp.txt -Force
Remove-Item D:\Scripts\Move-Clients\temp.txt

# convert.bat rewrites temp.txt as an ANSI IPGroups.txt (see item 4 above).
# Waiting for it to exit replaces a fixed 5-second sleep, so temp.txt is never
# deleted before the conversion has finished.
Start-Process -FilePath D:\Scripts\Move-Clients\Main\Staging\convert.bat -Wait
Remove-Item D:\Scripts\Move-Clients\Main\Staging\temp.txt

# Main\main.vbs moves clients from the default (installation) group to Staging
# by naming standard; Main\Staging\staging.vbs then moves them from Staging to
# the group matching their ADSS subnet.
Set-Location "D:\Scripts\Move-Clients\Main"
cscript main.vbs
Start-Sleep -Seconds 5
Set-Location "D:\Scripts\Move-Clients\Main\Staging"
cscript staging.vbs
Set-Location "D:\Scripts\Move-Clients"

FYI:  I am not a powershell guru, henceforth I may have done this the long way, if anyone has easier way of doing this, please feel free to share.

Strengthening anti-virus security to prevent Ransom-ware derivative (Trojan.Cryptolocker family, etc.) infections


Because of the increasing number of CryptoLocker-like infections and attacks, and the fast mutation of malware, the need to enforce a user application policy on our SEP-managed systems became urgent.

Presently, the only secure way to defend against these new, unknown viruses is to disallow any application from running from user profile directories, such as Local and LocalLow, with the help of the Application and Device Control feature. While constructing our rules, we should keep in mind that new generations of these ransomware applications install themselves into many directories apart from Local(Low)\Temp. This is a very strict policy, so exceptions are required to preserve the user experience.

These settings can be achieved in SEP Manager → Policies as follows:

1.jpg

2.jpg

3.jpg

In the blocklist and exception list we can use “regular expressions” to describe rules. With regular expressions we can use wildcards in any part of the paths we supply, simplifying the selection of allowed/blocked directories.

More about this at:

https://support.symantec.com/en_US/article.HOWTO82512.html

The way to add a new block/allow rule:

4.jpg

After adding our settings we can specify the actions to take on the "Actions" tab. We set up blocking, logging and notifications by mail:

5.jpg

It’s important to run our settings in Testing mode first, and only enable Production mode after tuning our exception lists to prevent undesired behavior.


The rules:

Application and Device Control Policy 

Block:

C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\Local\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\LocalLow\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Temp\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\LocalLow\\Temp\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Temp\\[^\]*\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\LocalLow\\Temp\\[^\]*\\[^\]*\.exe

Exceptions (example):

C:\\Users\\Administrator\\appdata\\Local\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\LocalLow\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\Local\\Temp\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\LocalLow\\Temp\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\Local\\Temp\\[^\]*\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\LocalLow\\Temp\\[^\]*\\[^\]*\.exe

More exceptions (example):

C:\\Users\\[^\]*\\appdata\\Local\\Mozilla Firefox\\firefox\.exe 

C:\\Users\\[^\]*\\appdata\\Local\\IE Tab\\[^\]*\\ietabhelper\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Temp\\Foxit Reader Updater\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Google\\Google Talk Plugin\\googletalkplugin\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Google\\Update\\GoogleUpdate\.exe
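An added Python example, not the article's and not SEP's own matcher, that runs the block and exception lists above against sample paths the way a Testing-mode dry run would. It assumes an exception match overrides a block match and that matching is case-insensitive over the whole path; SEP's [^\]* (anything but a backslash) is written [^\\]* in Python regex syntax.

```python
import re

# The article's patterns, transcribed to Python syntax: SEP's [^\]* (any run of
# characters other than a backslash) becomes [^\\]*.
BLOCK_PATTERNS = [
    r"C:\\Users\\[^\\]*\\appdata\\[^\\]*\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\LocalLow\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Temp\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\LocalLow\\Temp\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Temp\\[^\\]*\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\LocalLow\\Temp\\[^\\]*\\[^\\]*\.exe",
]
EXCEPTION_PATTERNS = [
    r"C:\\Users\\Administrator\\appdata\\Local\\[^\\]*\.exe",
    r"C:\\Users\\Administrator\\appdata\\LocalLow\\[^\\]*\.exe",
    r"C:\\Users\\Administrator\\appdata\\Local\\Temp\\[^\\]*\.exe",
    r"C:\\Users\\Administrator\\appdata\\LocalLow\\Temp\\[^\\]*\.exe",
    r"C:\\Users\\Administrator\\appdata\\Local\\Temp\\[^\\]*\\[^\\]*\.exe",
    r"C:\\Users\\Administrator\\appdata\\LocalLow\\Temp\\[^\\]*\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Mozilla Firefox\\firefox\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\IE Tab\\[^\\]*\\ietabhelper\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Temp\\Foxit Reader Updater\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Google\\Google Talk Plugin\\googletalkplugin\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Google\\Update\\GoogleUpdate\.exe",
]

# Assumptions (not stated by the article): matching is case-insensitive, as
# Windows paths are, and a pattern must match the whole path.
_BLOCK = [(p, re.compile(p, re.IGNORECASE)) for p in BLOCK_PATTERNS]
_EXCEPT = [(p, re.compile(p, re.IGNORECASE)) for p in EXCEPTION_PATTERNS]


def classify(path):
    """Return {"action": "allow" | "block", "rule": matching pattern or None}.

    An exception match wins over a block match (assumed ADC precedence);
    a path matching neither list is allowed by default.
    """
    for pattern, rx in _EXCEPT:
        if rx.fullmatch(path):
            return {"action": "allow", "rule": pattern}
    for pattern, rx in _BLOCK:
        if rx.fullmatch(path):
            return {"action": "block", "rule": pattern}
    return {"action": "allow", "rule": None}


def dry_run(paths):
    """Classify a list of paths, as a Testing-mode review of the rule set
    would before the policy is switched to Production."""
    return [(p, classify(p)["action"]) for p in paths]


if __name__ == "__main__":
    SAMPLE_PATHS = [  # constructed examples, not real detections
        r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
        r"C:\Users\bob\AppData\Roaming\payload.exe",
        r"C:\Users\Administrator\AppData\Local\Temp\tool.exe",
        r"C:\Users\bob\AppData\Local\Google\Update\GoogleUpdate.exe",
        r"C:\Users\bob\AppData\Local\Temp\a\b\c.exe",
        r"C:\Program Files\App\app.exe",
    ]
    for path, action in dry_run(SAMPLE_PATHS):
        print("%-5s %s" % (action, path))
```

The last two samples show a gap worth knowing when tuning: an .exe nested more than two folders below Temp matches none of the block rules, just as anything outside a user profile does.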

File Share Encryption configuration


The purpose of this article is to show how to properly configure File Share Encryption using Symantec Encryption Desktop (SED) and/or Symantec Encryption Management Server (SEMS). It is assumed that the machines which will access the File Share Encryption belong to the same domain as the file server where the share is configured.

I. On standalone SED:
1. Install SED standalone on the server and on the client machines that require access to the encrypted file share
2. On the server create a folder ("Share" in this example) and set proper NTFS/share permissions on it (test that users can access it before encrypting)
3. On the server, drag and drop the folder "Share" into File Share Encryption on the SED interface and assign Administrator, or another super user, who will have the "Admin" role in the group
4. Export the public keys of the users and import them into SED on the server (go to PGP Keys, then select menu "File > Import" and select the *.asc file to import)
5. In SED select the File Share Encryption folder and click on "Add User".
6. Add the imported keys of the users and confirm with OK
7. Then apply the settings in SED. You will notice that the users have the "User" role:

FileShare1.JPG

8. On each user's SED you will notice that it can only see its own key. Other users will be listed as "Unknown Key".

On "user1" computer:

FileShare2.JPG

On "user2" computer:

FileShare3.JPG

II. On managed SED:
You will generate and add Group Key to the File Share Encryption, so you don't need to add many users' keys to the share. There are 2 methods of creating Group Keys:
Method 1:
1. Create a Security Group in Active Directory and add users to it
2. Generate AD Group Keys from Symantec Encryption Management Server (SEMS) > Keys > Generate AD Group Keys
3. Select the AD group created in step 1
4. You will notice a new key in "Keys > Managed Keys":

GroupKey from AD.JPG

5. Check in "Consumers > Groups": you will see the new group created:

FileShare - group with a key.JPG

6. You can then modify the group settings to apply a consumer policy to this group's members:

FileShare - apply consumers policy.JPG

Method 2:
1. In "Consumers > Groups" click "Add Group" to create a new group.
2. Enable "Apply Consumer Policy to members of this group" and assign the proper Consumer Policy
3. Configure Membership if users will be synchronized from Active Directory. You can also add users to this group manually
4. Under Group Keys click on the "Generate" button to generate the group key and save:

New Group + Group Key.JPG

5. Check in "Consumers > Groups": you will see the new group created:

FileShare - new group with a key.JPG

Now you need to create a File Share, similarly to what was done for the standalone installation (follow steps 1-3). This time the installations are managed. Then follow these steps:
1. Select the File Share Encryption folder and click on "Add User".
2. On the top menu select the SEMS server, enter the group key name in the top-right corner and search. Add the key and confirm with OK:

FS1.JPG

4. Then apply the settings in SED. You will notice the Group Key was added to the File Share Encryption folder with the "User" type. You might also see the ADK if one was created in SEMS before.

You will see this on the server:

FileShare11.JPG

And on the user's computer:

FileShare12.JPG


Best Practices for a Successful DLP Implementation


Hi All,

I have been working on DLP for more than 4 years, in different roles ranging from planning, implementation and administration to incident management and consulting. The best practices below are consolidated from various sources, such as Symantec.

A successful DLP program requires the following five attributes:

dlp1.jpg

DLP Data Governance Framework

DLP fram.png

Below are some of the best practices that should be adopted in order to have a successful pre- and post-DLP deployment.

  • While choosing a DLP product, organizations should check whether the DLP product supports the data formats in which data is stored in their environment.
  • After choosing a DLP product, the DLP implementation should start with a minimal base to handle false positives, and the base should grow as more critical or sensitive data is identified.
  • DLP operations should be effective in triaging to eliminate false positives and in fine-tuning DLP policies.
  • Regularly update risk profiles and thoroughly document DLP incidents.
  • A proper DLP Discovery tool will accurately locate unencrypted PCI data wherever it resides; DLP processes guide users to automatically encrypt the information, remove it, or apply other remediation according to the organization's defined policies.
  • Continuous DLP Discovery scanning may be applied at the desired frequency or on demand to audit security status and maintain awareness of PCI data locations. DLP Endpoint will control the copying of unencrypted PCI data to connected devices.
  • Identify potential places where PCI information might leak. For most organizations it is recommended to inspect the following channels:
    • Email: consider all outbound email traffic, including attachments.
    • Web traffic: Gmail and other web mail providers, Facebook and other social media sites should be monitored.
    • Other protocols: in particular, unencrypted communications should not cross the organizational firewall without the information first being identified.
    • Data storage: identify and categorize the information on all storage under the control of the organization, including file servers, file shares, SAN, SharePoint servers, user home directories, workstations and laptops, in order to determine the assets requiring review and inspection.
    • USB, DVD: consider workstations that allow USB mass storage or DVD burning, and any devices that can be physically disconnected and carried away.
  • Scan data stores for PCI information. Once assets have been determined, identify any potential regulated or sensitive information on that information asset.
  • Apply controls. Repeat these steps until a satisfactory level of understanding is developed, in the form of a map of the protected information, and appropriate controls are in place and understood by the stakeholders and system users.
     
Best practices which can be implemented according to organization culture and policy:

  • Identify and classify the data
  • Provide view-only access
  • Implement a data management life cycle
  • Do not allow unauthorized devices in your network
  • Do not permit copying of sensitive data onto removable media
  • Improve authorization and access control measures
  • Understand the flow of data in your network
  • Understand your policies and create awareness
  • Audit your own compliance
  • Block wireless communication
  • Make all USB removable storage read-only except for authorized devices
  • Block files containing personal identity information
  • Disable all CD/DVD burners from writing
  • Once policies have matured, start blocking, one policy at a time

How to install SEP 12.1.6 MP3 on Linux RHEL 7.2


I had to check several different documents for information on preparing and installing SEP 12.1.6 on RHEL 7.2 so I decided to create the following concise guide. 

Pre-installation Requirements

  1. Download and install Oracle Java from: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html.

    I prefer the RPM version of the JDK because it will run immediately and automatically after the download completes. Alternatively, the command line to manually install the RPM version is: rpm -i <filename.rpm>

  2. Install the JCE components
    1. Download the files from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. (This link will change slightly as new versions are released. This link was the latest version available as of February 2016.)
    2. Unzip the file. It will contain two .jar files, which may be in a subdirectory similar to "UnlimitedJCEPolicyJDK8".
    3. Copy the two *.jar files to the following directory, overwriting the original files with the same name. (Make a backup of the two original files beforehand, if desired.)

            /usr/java/<java build #>/jre/lib/security/

  3. Run the following command to install other required and recommended components:
    1. yum install glibc.i686 libgcc.i686 libX11.i686
    2. See http://www.symantec.com/docs/TECH228118 for related info.

SEP Installation:

  1. The SEPM should have a linux package file named: SymantecEndpointProtection.zip.  Copy (using scp, pscp or similar tool) the zip file to the linux box.
  2. Put the zip file in a new subdirectory and unzip SymantecEndpointProtection.zip.
  3. Run: chmod 755 install.sh
  4. Run: "./install.sh -i" (without quotes).

The installation should complete, barring any other issues. 
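
The steps above as a script, added here as an example; it is not Symantec's installer and not from the original guide. It assumes the two JCE policy jars are named local_policy.jar and US_export_policy.jar (the names in Oracle's JCE zip), that the JDK RPM put Java under /usr/java, and it uses a constructed demo() fixture (fake JDK directory, fake jars, a zip containing a stub install.sh) in place of a real system. The two things it guards that the manual steps do not are a one-time backup of the stock policy jars and a refusal to guess when more than one JDK is installed.

```python
"""Scripted form of the preparation and install steps above (added example,
not Symantec's installer). Assumes the JCE policy jars are named
local_policy.jar and US_export_policy.jar and that Java lives under /usr/java."""
import glob
import os
import shutil
import stat
import subprocess
import tempfile
import zipfile

JCE_JARS = ("local_policy.jar", "US_export_policy.jar")
YUM_DEPS = ["glibc.i686", "libgcc.i686", "libX11.i686"]   # the packages listed on the page


def find_security_dirs(java_root="/usr/java"):
    """Every <java build>/jre/lib/security under java_root; more than one means several JDKs."""
    return sorted(glob.glob(os.path.join(java_root, "*", "jre", "lib", "security")))


def install_jce(security_dir, new_jar_dir):
    """Replace the stock policy jars, keeping a one-time .orig copy of each for rollback."""
    for name in JCE_JARS:
        src = os.path.join(new_jar_dir, name)
        dst = os.path.join(security_dir, name)
        if not os.path.isfile(src):
            raise FileNotFoundError(f"{name} missing from {new_jar_dir}")
        if os.path.isfile(dst) and not os.path.exists(dst + ".orig"):
            shutil.copy2(dst, dst + ".orig")    # never overwrite an existing backup
        shutil.copy2(src, dst)
    return [os.path.join(security_dir, n) for n in JCE_JARS]


def unpack_client(zip_path, work_dir):
    """Unzip SymantecEndpointProtection.zip into an empty directory; return the path of install.sh."""
    if os.path.isdir(work_dir) and os.listdir(work_dir):
        raise FileExistsError(f"{work_dir} is not empty; unpack into a new directory")
    os.makedirs(work_dir, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(work_dir)             # extractall drops Unix modes, hence the chmod 755
    installer = os.path.join(work_dir, "install.sh")
    os.chmod(installer, 0o755)
    return installer


def prepare_and_install(zip_path, work_dir, jce_dir, run=False):
    """Whole sequence; with run=False only the filesystem steps happen and the commands are returned."""
    dirs = find_security_dirs()
    if len(dirs) != 1:
        raise RuntimeError(f"expected exactly one JRE security directory, found {dirs}")
    install_jce(dirs[0], jce_dir)
    commands = [["yum", "-y", "install", *YUM_DEPS], [unpack_client(zip_path, work_dir), "-i"]]
    if run:                                  # needs root
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Exercise the helpers on a constructed fixture (no root and no yum needed)."""
    root = tempfile.mkdtemp()
    java_root = os.path.join(root, "usr", "java")
    sec = os.path.join(java_root, "jdk1.8.0_74", "jre", "lib", "security")   # constructed build name
    new = os.path.join(root, "UnlimitedJCEPolicyJDK8")
    os.makedirs(sec)
    os.makedirs(new)
    for name in JCE_JARS:
        _write(os.path.join(sec, name), b"stock policy")
        _write(os.path.join(new, name), b"unlimited policy")
    zip_path = os.path.join(root, "SymantecEndpointProtection.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("install.sh", "#!/bin/sh\necho stub installer\n")
    install_jce(sec, new)
    install_jce(sec, new)                    # a repeat run must not clobber the .orig backup
    installer = unpack_client(zip_path, os.path.join(root, "sep"))
    with open(os.path.join(sec, "local_policy.jar.orig"), "rb") as fh:
        backup = fh.read()
    with open(os.path.join(sec, "local_policy.jar"), "rb") as fh:
        installed = fh.read()
    return {
        "security_dirs": [d[len(root):] for d in find_security_dirs(java_root)],
        "backup": backup,
        "installed": installed,
        "installer_executable": bool(os.stat(installer).st_mode & stat.S_IXUSR),
    }


if __name__ == "__main__":
    print(demo())
```

On a real host, call prepare_and_install("SymantecEndpointProtection.zip", "/root/sep", "UnlimitedJCEPolicyJDK8", run=True) as root; without run=True it only stages the files and returns the yum and install.sh commands it would have executed.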

Log Files for SEP 12.1.6 for Linux

Installation logs:

  • /root/sepap-install.log
  • /root/sepap-legacy-install.log
  • /root/sepfl-install.log
  • /root/sepfl-kbuild.log
  • /root/sep-install.log
  • /root/sepjlu-install.log
  • /root/sepui-install.log

Note: Not all of the above install log files may be present, depending on version, components, etc.

Main Client Log Directory

ls -l listing (the 'll' alias) of /var/symantec/Logs/. Note that every file is mode 0600 and owned by root, so the logs are readable only by root:

============================

-rw-------. 1 root root    1489 Feb  9 16:29 02092016.log
-rw-------. 1 root root 5989001 Feb 10 12:14 02102016.log
-rw-------. 1 root root 5988807 Feb 11 01:02 02112016.log
-rw-------. 1 root root    1227 Feb 11 01:06 AVMan.log
-rw-------. 1 root root     238 Feb  9 15:48 debug.log ***
-rw-------. 1 root root       0 Feb  9 15:48 LUMan.log
-rw-------. 1 root root      72 Feb  9 15:48 seclog.log
-rw-------. 1 root root     151 Feb 11 01:02 serialize.dat
-rw-------. 1 root root    3640 Feb 11 08:42 syslog.log

============================

Other Log files:

  • /opt/Symantec/LiveUpdate/liveupdt.log
  • /opt/Symantec/symantec_antivirus/vpdebug.log ***
  • /opt/Symantec/virusdefs/defutil.log ***
  • /var/log/messages (system daemon logging for smcd, rtvscand, and symcfgd)

*** These logs do not exist until they are specifically configured. See the links to the articles below for more details.

For information on running sadiag.sh for linux, see: http://www.symantec.com/docs/HOWTO111042.
 

For additional configuration and logging info, see http://www.symantec.com/docs/TECH229238.

SEP 12.1.6 for Linux Footprint

Installation Logs

/root/sep-install.log
/root/sepap-install.log
/root/sepap-legacy-install.log
/root/sepfl-install.log
/root/sepfl-kbuild.log
/root/sepjlu-install.log
/root/sepui-install.log

*** Not all of these logs may be present, depending on version, components installed, etc.

System startup files

/etc/init.d/autoprotect
/etc/init.d/rtvscand
/etc/init.d/smcd
/etc/init.d/symcfgd
/etc/rc*.d/ (links to the four scripts listed in init.d)

Main SEP directory

/opt/Symantec/
/opt/Symantec/autoprotect/
/opt/Symantec/autoprotect/symap*.ko
/opt/Symantec/autoprotect/symev*.ko
/opt/Symantec/bin/
/opt/Symantec/bin/navdefutil
/opt/Symantec/LiveUpdate/
/opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar
/opt/Symantec/LiveUpdate/jlu-3.10.0.26.jar
/opt/Symantec/LiveUpdate/jlu.jar
/opt/Symantec/LiveUpdate/jluold.jar
/opt/Symantec/LiveUpdate/liveupdt.log
/opt/Symantec/LiveUpdate/tmp
/opt/Symantec/LiveUpdate/uninstall-3.10.0.26.sh
/opt/Symantec/LiveUpdate/uninstall.sh
/opt/Symantec/symantec_antivirus/
/opt/Symantec/symantec_antivirus/libecomlodrlin.so
/opt/Symantec/symantec_antivirus/libpatchapp.so
/opt/Symantec/symantec_antivirus/libsep-cve.so
/opt/Symantec/symantec_antivirus/libsep-cve.so.1 -> libsep-cve.so
/opt/Symantec/symantec_antivirus/libsep-util.so
/opt/Symantec/symantec_antivirus/libsep-util.so.1 -> libsep-util.so
/opt/Symantec/symantec_antivirus/libsepcommon.so
/opt/Symantec/symantec_antivirus/libsepcommon.so.1 -> libsepcommon.so
/opt/Symantec/symantec_antivirus/libSlicMan.so
/opt/Symantec/symantec_antivirus/libSlicMan.so.1 -> libSlicMan.so
/opt/Symantec/symantec_antivirus/libSyLog.so
/opt/Symantec/symantec_antivirus/libSyLog.so.1 -> libSyLog.so
/opt/Symantec/symantec_antivirus/plugins/
/opt/Symantec/symantec_antivirus/plugins/AVMan.plg
/opt/Symantec/symantec_antivirus/plugins/LuMan.plg
/opt/Symantec/symantec_antivirus/rtvscand
/opt/Symantec/symantec_antivirus/sadiag.sh
/opt/Symantec/symantec_antivirus/sav
/opt/Symantec/symantec_antivirus/savluwrap
/opt/Symantec/symantec_antivirus/savtray
/opt/Symantec/symantec_antivirus/smcd
/opt/Symantec/symantec_antivirus/symcfg
/opt/Symantec/symantec_antivirus/symcfgd
/opt/Symantec/symantec_antivirus/symcfgdata.inf
/opt/Symantec/symantec_antivirus/symcfgpop
/opt/Symantec/symantec_antivirus/tools/
/opt/Symantec/symantec_antivirus/tools/libgcc_s.so.1
/opt/Symantec/symantec_antivirus/tools/liblog4cpp.so.4
/opt/Symantec/symantec_antivirus/tools/libstdc++.so.6
/opt/Symantec/symantec_antivirus/uninstall.sh
/opt/Symantec/symantec_antivirus/unsupported/
/opt/Symantec/symantec_antivirus/unsupported/xsymcfg
/opt/Symantec/symantec_antivirus/update_java_home.sh
/opt/Symantec/symantec_antivirus/upgrade.sh
/opt/Symantec/symantec_antivirus/vpdebug.log
/opt/Symantec/virusdefs/
/opt/Symantec/virusdefs/20160210.052/
/opt/Symantec/virusdefs/20160210.052/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)
/opt/Symantec/virusdefs/20160211.002/
/opt/Symantec/virusdefs/20160211.002/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)
/opt/Symantec/virusdefs/binhub/
/opt/Symantec/virusdefs/binhub/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)
/opt/Symantec/virusdefs/definfo.dat
/opt/Symantec/virusdefs/defutil.log
/opt/Symantec/virusdefs/incoming
/opt/Symantec/virusdefs/temp
/opt/Symantec/virusdefs/texthub
/opt/Symantec/virusdefs/usage.dat

Main SEP Configuration & Log directory

/var/symantec/
/var/symantec/auto/
/var/symantec/commandStatus.xml
/var/symantec/communicationData.xml
/var/symantec/heartbeatStatus.txt
/var/symantec/index2.xml
/var/symantec/licenseInfo.xml
/var/symantec/Logs/
/var/symantec/Logs/02092016.log
/var/symantec/Logs/02102016.log
/var/symantec/Logs/02112016.log
/var/symantec/Logs/AVMan.log
/var/symantec/Logs/debug.log
/var/symantec/Logs/LUMan.log
/var/symantec/Logs/seclog.log
/var/symantec/Logs/serialize.dat
/var/symantec/Logs/syslog.log
/var/symantec/pending/
/var/symantec/pending/AVManOpstateInfo.xml
/var/symantec/pending/LUManOpstateInfo.xml
/var/symantec/pending/sepOpstateInfo.xml
/var/symantec/Quarantine
/var/symantec/registration.xml
/var/symantec/registrationInfo.xml
/var/symantec/sent/
/var/symantec/sent/AVManOpstateInfo.xml
/var/symantec/sent/LUManOpstateInfo.xml
/var/symantec/sent/sepOpstateInfo.xml
/var/symantec/serdef.dat

Other Configuration Files

/etc/liveupdate.conf
/etc/Symantec.conf
/etc/symc-defutils.conf
/etc/symantec/
/etc/symantec/dec3.cfg
/etc/symantec/log4j.properties
/etc/symantec/NLS
/etc/symantec/NLS/15/rtvscan.msg
/etc/symantec/sep.slf
/etc/symantec/setAid.ini
/etc/symantec/setup.ini
/etc/symantec/sylink.xml
/etc/symantec/VPREGDB.BAK
/etc/symantec/VPREGDB.DAT
/etc/symantec/VPREGDB.SAV

Process Related Files

/etc/sysconfig/smcd
/etc/sysconfig/rtvscand
/etc/sysconfig/symcfgd

Hint: Try running this command to see the smcd, rtvscand and symcfgd processes:

      systemctl -a | grep -i symantec

Note that the 'autoprotect' service may also be running, depending on configuration settings.
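
A small audit of the footprint above, added as an example (not Symantec code): it confirms that the files SEP depends on exist, are owned by the expected uid (root on a real client) and are not group- or world-writable (a writable sylink.xml or init script would let a local user redirect or replace the client), and it parses systemctl -a output for the four daemons. The path list is a subset of the one above; the systemctl sample and the temporary tree that demo_audit() builds are constructed.

```python
"""Least-privilege audit of the SEP for Linux footprint (added example, not
Symantec code). Checks existence, ownership and write permissions of the
paths listed on the page and parses `systemctl -a` output for the SEP units."""
import os
import stat
import tempfile

EXPECTED_PATHS = [
    "/etc/init.d/autoprotect", "/etc/init.d/rtvscand", "/etc/init.d/smcd", "/etc/init.d/symcfgd",
    "/etc/Symantec.conf", "/etc/liveupdate.conf", "/etc/symantec/sylink.xml",
    "/opt/Symantec/symantec_antivirus/rtvscand", "/opt/Symantec/symantec_antivirus/smcd",
    "/opt/Symantec/symantec_antivirus/symcfgd", "/opt/Symantec/symantec_antivirus/sav",
    "/var/symantec/Logs/debug.log",   # only present once debug logging has been configured
]
SEP_UNITS = ("autoprotect", "rtvscand", "smcd", "symcfgd")


def audit_paths(root="/", paths=EXPECTED_PATHS, expected_uid=0):
    """Return {'missing': [...], 'bad_owner': [...], 'writable': [...]} for paths under root."""
    findings = {"missing": [], "bad_owner": [], "writable": []}
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            findings["missing"].append(p)
            continue
        if st.st_uid != expected_uid:
            findings["bad_owner"].append(p)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["writable"].append(p)
    return findings


def sep_unit_states(systemctl_output):
    """Parse `systemctl -a` lines (UNIT LOAD ACTIVE SUB DESCRIPTION) into {unit: ACTIVE} for SEP daemons."""
    states = {}
    for line in systemctl_output.splitlines():
        cols = line.split()
        if cols and cols[0] in ("●", "*"):      # failed units carry a leading bullet
            cols = cols[1:]
        if len(cols) < 4 or not cols[0].endswith(".service"):
            continue
        if cols[0][: -len(".service")] in SEP_UNITS:
            states[cols[0]] = cols[2]
    return states


# Constructed sample of `systemctl -a` output (descriptions are illustrative only)
SAMPLE_SYSTEMCTL = """\
  UNIT                 LOAD   ACTIVE   SUB     DESCRIPTION
  autoprotect.service  loaded active   exited  LSB: Symantec AutoProtect
  rtvscand.service     loaded active   running LSB: Symantec rtvscand
  smcd.service         loaded active   running LSB: Symantec smcd
● symcfgd.service      loaded failed   failed  LSB: Symantec symcfgd
  sshd.service         loaded active   running OpenSSH server daemon
"""


def demo_audit():
    """Build a throw-away tree shaped like the footprint (constructed) and audit it."""
    root = tempfile.mkdtemp()
    uid = os.getuid() if hasattr(os, "getuid") else 0
    for p in EXPECTED_PATHS[:-1]:            # leave debug.log absent, as on an unconfigured client
        full = os.path.join(root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("stub\n")
        os.chmod(full, 0o600)
    os.chmod(os.path.join(root, "etc", "symantec", "sylink.xml"), 0o666)   # deliberately loose
    return audit_paths(root, expected_uid=uid)


if __name__ == "__main__":
    print(audit_paths())                     # on a real client: run as root, expected_uid=0
    print(sep_unit_states(SAMPLE_SYSTEMCTL))
```

Run as root on a client, audit_paths() with its defaults reports anything missing from the list, not owned by root, or writable by others; feed it the real output of systemctl -a to get the daemons' active state without the grep.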

Detecting Cryptolocker activity with Symantec Endpoint Protection

1. Create an "Application and Device Control" rule.

"Apply this rule to the following processes:" * (i.e. every process)

5.JPG

Add a "File and Folder Access Attempts" condition.

1.1. "Properties" of File and Folder Access Attempts

1.JPG

Apply to the following files and folders:

decrypt all*.txt
decrypt_instruction*.txt
*.doc.???????
*.docx.???????
*.xls.???????
*.xlsx.???????
*.pdf.???????
*.rtf.???????
*.txt.???????
*.zip.???????
*.pst.???????
*.locky
*.crypted
*.encryptedRSA

Do not apply to the following files and folders:

*.???.???
*.partial

1.2. "Actions":

2.JPG

Under "Launch Process Attempts":

Properties:

6.JPG

Apply to the following processes: the MD5 hashes of the new "cryptolocker" and "download.ponic" variants

Actions:

7.jpg

Terminate process, Enable logging, severity - 0, Send e-mail alert.

2. Create a "Notification condition" under Monitors > Notifications:

4.JPG

Done.

When the malware acts (encrypts any files), SEPM sends an e-mail to the system administrators. Note that the file-name patterns match the ransomware families seen at the time and the MD5 list matches only those exact samples, so both lists have to be kept current; the "*.???.???" exception keeps ordinary double-extension files such as data.tar.bz2 out of the rule.
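
An offline model of the rule above, added as an example; it is not SEP code and not from the original post. It encodes the page's two pattern lists and replays constructed file-access and process-launch events through them. Assumptions: an entry under "do not apply" overrides "apply to", matching is case-insensitive as on Windows, the file-access action is block + log + alert (the screenshot the page refers to does not say), and the MD5 values are constructed stand-ins for the variant hashes the page does not list.

```python
"""Offline replay of the ADC rule above (added example, not SEP code).
Assumed semantics: 'do not apply' beats 'apply to'; matching is
case-insensitive; '*' and '?' are glob wildcards."""
import fnmatch
import hashlib
import os

# Patterns copied from the rule on the page
APPLY_TO = [
    "decrypt all*.txt", "decrypt_instruction*.txt",
    "*.doc.???????", "*.docx.???????", "*.xls.???????", "*.xlsx.???????",
    "*.pdf.???????", "*.rtf.???????", "*.txt.???????", "*.zip.???????",
    "*.pst.???????", "*.locky", "*.crypted", "*.encryptedRSA",
]
DO_NOT_APPLY = ["*.???.???", "*.partial"]

# Constructed MD5 values standing in for the variant hashes (not listed on the page)
BLOCKED_MD5 = {
    hashlib.md5(b"constructed sample A").hexdigest(),
    hashlib.md5(b"constructed sample B").hexdigest(),
}


def _glob_match(name, patterns):
    # fnmatchcase on a lower-cased name gives case-insensitive '*'/'?' matching
    # without the platform-dependent normalisation of fnmatch.fnmatch
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)


def file_rule_fires(path):
    """True if a File and Folder Access Attempt on `path` is covered by the rule."""
    name = os.path.basename(path.replace("\\", "/"))
    if _glob_match(name, DO_NOT_APPLY):      # exceptions take precedence (assumed)
        return False
    return _glob_match(name, APPLY_TO)


def launch_rule_fires(image_bytes):
    """True if the launched image's MD5 is on the block list."""
    return hashlib.md5(image_bytes).hexdigest() in BLOCKED_MD5


def evaluate(event):
    """Map one event to the configured action, or 'allow'."""
    if event["type"] == "file_access":
        return "block+log+alert" if file_rule_fires(event["path"]) else "allow"
    if event["type"] == "launch":
        return "terminate+log+alert" if launch_rule_fires(event["image"]) else "allow"
    return "allow"


# Constructed event stream
SAMPLE_EVENTS = [
    {"type": "file_access", "path": r"C:\Users\a\Documents\Q1 report.docx.7a9f2c1"},
    {"type": "file_access", "path": r"C:\Users\a\Documents\Q1 report.docx"},
    {"type": "file_access", "path": r"C:\Users\a\Desktop\DECRYPT_INSTRUCTION.txt"},
    {"type": "file_access", "path": r"C:\Users\a\Downloads\data.tar.bz2"},       # *.???.??? exception
    {"type": "file_access", "path": r"C:\Users\a\Downloads\movie.mkv.partial"},  # *.partial exception
    {"type": "file_access", "path": r"C:\Users\a\Pictures\holiday.jpg.locky"},
    {"type": "launch", "image": b"constructed sample A"},
    {"type": "launch", "image": b"benign binary"},
]


def run(events=SAMPLE_EVENTS):
    """Return (subject, action) for every event."""
    return [(e.get("path", "<process launch>"), evaluate(e)) for e in events]


if __name__ == "__main__":
    for subject, action in run():
        print(f"{action:20} {subject}")
```

Running it shows the encrypted-looking names and the ransom note tripping the rule while the archive and the half-downloaded file are let through by the two exceptions; swap in your own events to check a pattern before it goes into the policy.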

SEPM 12.1.6 MP4 Has Been Released - Includes Win10 Fixes!

This is the moment you’ve been waiting for – Symantec has released Symantec Endpoint Protection (SEP) 12.1 Release Update 6 Maintenance Pack 4 (12.1.6 MP4). The exact version is 12.1.6860.6400. Hooray!!!

You can grab a copy from FileConnect using your serial number.

This release includes the fix for the SEP client rolling back when the "Cumulative Update for Windows 10" (KB3140743) is installed on the Windows 10 build 1511 platform. So if you have been experiencing this issue, this newly released update is for you.

And there are other fixes as well – have a read at http://www.symantec.com/docs/INFO3517

The Release Notes can be found at http://www.symantec.com/docs/DOC9223 where you can download the PDF.

The System Requirements have been updated as well to include the latest version, but I can't see much change compared with the previous revision: http://www.symantec.com/docs/TECH231877

And finally, the bonus with this new release is that it fixes a few security vulnerabilities, which you can read about at https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160317_00 (this covers both SEPM and the SEP client, so it is worthwhile upgrading the SEPM console too).

As always, TEST, TEST, TEST. And TEST this on the development network before releasing this to your live production network. Unless you’re feeling brave. ;)

Has anyone come across any issue/bugs with this new release? If so, share your findings by replying here.

Accessing encrypted computer (Symantec Encryption Desktop) if normal login failed

At some point it may happen that a computer encrypted with Symantec Encryption Desktop (SED) cannot be accessed. There are many reasons why this happens; here are some tips for finding a way to authenticate, or to decrypt the drive:

1. First of all, if the disk is not yet locked, make sure the correct passphrase is being entered. In the BootGuard window the Tab key can be pressed to reveal the passphrase characters.
Here is the sample passphrase "MyP@ssphras3" typed with hidden characters (the default):
02a - pass without tab.JPG

And here it is revealed after Tab was pressed:
02b - pass with tab.JPG

2. If that fails, authenticate with another user's passphrase (if another user was added to the disk) or with the Admin passphrase.

3. Usually the disk is locked after a few unsuccessful attempts. This is what is shown once the disk is locked:
04 - locked.JPG

If this is the case, the next thing to try is Local Self Recovery (LSR), if it was configured beforehand. This is a set of 5 questions; at least 3 of them must be answered correctly to authenticate. To use it, select "Forgot Passphrase" in the bottom-right corner:
05 - LSR1.JPG

and answer the questions (the answers are visible by default):
05d - LSR - questions.JPG

A failed attempt takes you back to the first question with the message "Incorrect authentication, please try again":
05e - LSR - incorrect answers.JPG

4. If LSR was not configured, or the answers were incorrect, the Whole Disk Recovery Token (WDRT) can be used. This is a 28-character token that looks like "ECYH0-BY95Y-YCDPH-UKB29-3A2F5-6MJ" (without the quotes). In managed environments it is single-use: a new one is generated after each use, and the Helpdesk or Administrator should be asked for the current WDRT. If SED is standalone, the WDRT is generated on first encryption and shown in the following pop-up:
06 - unmanaged WDRT.JPG

In that case it can be used repeatedly until it is manually regenerated, or until the disk is decrypted and then encrypted again. Since it is displayed only once, it has to be kept in a secure place, as the pop-up shown on first encryption advises.
The WDRT is entered in the same place as the passphrase. Press Tab so all characters can be seen. The token is not case sensitive, so it can be typed in lower or upper case, and with or without the dashes between the groups:
07a - entering WDRT.JPG

07b - entering WDRT.JPG

5. In some rare cases the WDRT is not accepted. One reason is that an old WDRT was used. In managed environments the list of all generated tokens can be taken directly from the database; in this situation a formal case should be opened with Technical Support.

6. If there is still no solution, the disk should be slaved to another machine with PGP installed and the pgpwde commands below run from the command line. Be aware that every option after pgpwde is preceded by a double hyphen (--):
- Navigate to the "PGP Desktop" directory:
cd "C:\Program Files (x86)\PGP Corporation\PGP Desktop"

- To find the disk number of the encrypted boot drive, run:
pgpwde --enum

- Assuming the affected drive is "1", run this to see the status of the disk (encrypted, or only instrumented):
pgpwde --disk-status --disk 1

- Check which users are assigned to this disk; the passphrase of any of the assigned users can be used for the decryption:
pgpwde --list-users --disk 1

- Next, run the decryption command:
pgpwde --decrypt --disk 1 --passphrase <user-passphrase>

where <user-passphrase> is the passphrase of any user found in the previous step. Note that a passphrase passed on the command line is visible to other local users in the process list while the command runs, so do this on a trusted machine.

- If for some reason this does not work, the following command checks whether a known passphrase is accepted for the disk:
pgpwde --auth --disk 1 --passphrase <user-passphrase>

Once a passphrase is found to work, it can be used for the decryption described in the previous step.

- Decryption can also be done with the Admin passphrase (if the Drive Encryption policy has the Admin added for disk decryption). The syntax is the same.

7. If still unsuccessful, there is one more chance to decrypt the disk: if an Additional Decryption Key (ADK) was created before the disk was encrypted. The key ID of the ADK and its passphrase are needed, as both are used in the command:
pgpwde --decrypt --keyid <ADK-keyID> --disk <disk-number> --passphrase <ADK-passphrase>


How-To: Automatically download and install Rapid Updates for SEP Manager

In the SEP Manager UI there is no setting to make the system download Rapid Release virus definitions automatically. These definitions can be downloaded manually and installed by copying them into a certain folder. Sometimes it is crucial to install the latest Rapid Release definitions automatically, e.g. when a fast-mutating virus emerges or when a previously unknown outbreak reaches your systems.

To solve this, here is a PowerShell script. On the server, schedule it in Task Scheduler to run at a given interval, e.g. every 3 hours. The script checks the Symantec FTP site for Rapid Release definitions and downloads them if they are newer than the last ones downloaded. It copies the downloaded definitions into the SEPM incoming folder (e.g. "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming"), where SEP Manager automatically detects and installs them. It then records the name of the latest definitions in a simple text file, which is used on later runs to decide whether there is anything new.

When the situation normalizes and virus activity falls back to the usual level, simply disable the script in Task Scheduler, so the system only installs the certified definitions again.

The script's contents; copy it to a directory of your choosing (e.g. "D:\_scripts"). Keep in mind that FTP is cleartext and unauthenticated, so only the network path (proxy, egress rules) protects the download; restrict write access to the download folder and to the SEPM incoming folder to the account the task runs as.

$proto        = 'ftp://'
$fqdn         = 'ftp.symantec.com'
$docLibURN    = '/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/'
$usr          = 'anonymous'
$ftpPass      = 'pass'           # renamed from $pwd, which shadowed the automatic $PWD variable
$dstFolder    = 'D:\_RapidRelease'
$RelVersion   = $dstFolder + '\ReleaseVersion.txt'
$TargetFolder = 'D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming'

# Name of the last definition set downloaded; the file does not exist on the first run
$verinfo     = Get-Content $RelVersion -ErrorAction SilentlyContinue
$verinfolast = $verinfo | Sort-Object | Select-Object -Last 1

$docList = @{}

# Go through the system proxy with the credentials of the account running the task
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

$req = [System.Net.WebRequest]::Create($proto + $fqdn + $docLibURN)
$req.Credentials = New-Object System.Net.NetworkCredential($usr, $ftpPass)
#$req.PreAuthenticate = $true
$req.Proxy = $proxy
$req.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails

try {
    $res = $req.GetResponse()
    $sr = [IO.StreamReader]($res.GetResponseStream())
    $webpage = $sr.ReadToEnd()
    $sr.Close()
    $res.Close()

    # The regex expects an HTML listing (href="...jdb"), which is what an HTTP proxy returns
    # for an FTP directory; a direct FTP connection returns a plain ls-style listing instead
    $weblines = $webpage -split "`r`n|`r|`n"
    switch -regex ($weblines) {
        '.*href="(?<docRelPath>.*\.jdb)".*\>(?<docFolderName>.*)\<.*' {
            $docList[$matches.docFolderName] = $matches.docRelPath
        }
    }

    $webclient = New-Object System.Net.WebClient
    $webclient.Credentials = New-Object System.Net.NetworkCredential($usr, $ftpPass)
    $webclient.Proxy = $proxy

    # Take the newest name in the listing; download only if it differs from the last one recorded
    $docList.Keys | Sort-Object | Select-Object -Last 1 | ForEach-Object {
        if ($verinfolast -eq $_) {
            Write-Host ($dstFolder + '\' + $_ + ' Exists')
        }
        else {
            $webclient.DownloadFile(($proto + $fqdn + $docList.Item($_)), ($dstFolder + '\' + $_))
            Add-Content -Path $RelVersion -Value $_
            Move-Item "$dstFolder\*.jdb" $TargetFolder   # SEPM picks the .jdb up from here
        }
    }
}
catch [System.Net.WebException] {
    $res = $_.Exception.Response
    Write-Host $_.Exception.Message
}

Backup DCS:SA Database In The Case Of SQL Server Express

If you need to deploy Symantec Data Center Security: Server Advanced in an evaluation installation, or you only need to install a few DCS agents on critical business servers, you can use SQL Server Express edition.

The DCS:SA installer installs the server and SQL Server Express automatically.

After the installation, use the following steps to back up the database:

1. Create a SQL file named backup.sql containing these statements (the timestamp makes every backup file name unique, so earlier backups are not overwritten):

DECLARE @backupTime VARCHAR(20)
DECLARE @fileName   VARCHAR(1000)
-- yyyyMMdd followed by HHmm
SELECT @backupTime = CONVERT(VARCHAR(8), GETDATE(), 112) + REPLACE(CONVERT(VARCHAR(5), GETDATE(), 114), ':', '')
SELECT @fileName = 'E:\DCSDB_backup\DCSDB_' + @backupTime + '.bak'
BACKUP DATABASE SCSPDB TO DISK = @fileName
GO

2. Create a batch file named backup.bat containing the following command. There is no -U/-P, so sqlcmd uses Windows authentication: the account the scheduled task runs as needs BACKUP DATABASE permission on SCSPDB, and the SQL Server service account (which writes the .bak file) needs write access to E:\DCSDB_backup:

sqlcmd -S localhost\SCSP -i E:\DCSDB_backup\backup.sql

3. Copy these two files to the backup folder, for example: E:\DCSDB_backup\:

backup_dcsdb_01.jpg

4. Launch Task Scheduler from Windows start:

backup_dcsdb_02.jpg

5. Right click 'Task Scheduler Library', select 'Create Basic Task':

backup_dcsdb_03.jpg

6. Input the task name and description:

backup_dcsdb_04.jpg

7. Select the trigger as 'Daily':

backup_dcsdb_05.jpg

8. Set the task start time:

backup_dcsdb_06.jpg

9. Select 'Start a program':

backup_dcsdb_07.jpg

10. Select the backup.bat as the program/script:

backup_dcsdb_08.jpg

11. Select 'Open the Properties dialog for this task when I click Finish':

backup_dcsdb_09.jpg

12. Select 'Run whether user is logged on or not':

backup_dcsdb_10.jpg

13. You can test the configuration of the task by starting it manually:

backup_dcsdb_11.jpg

14. After the task has finished, a database backup file has been created in E:\DCSDB_backup\:

backup_dcsdb_12.jpg

Policy Tuning for the SMTP Gateway (Email Prevent a.k.a. Network Prevent for Email) via excluding System & Group IDs

Consultants in the DLP space are hired for several reasons these days; improving the detection rate and reducing false positives is one of the most common. An improved detection rate means several things:

(1) Effort saving in terms of the incident management teams

(2) Database space savings (fewer incidents written to the database)

(3) A smaller database means better TTB (time to backup) and TTR (time to restore)

(4) Improved performance of Enforce reporting

Overall, in my experience and that of a few long-time consultants in the DLP space, the rate of valid data breach/violation detections on the SMTP gateway is between 3-7% in most environments. Most of the remaining 93-97% unwanted incidents turn out to come from system and group IDs. In other words, how many times have you sorted your incidents by top senders, or run the "top 10 or 20 violators" report, and found group or system IDs at the top of the list? For example: retirals_documents@anycompany.com, systemadmin_alert@anycompany.com or even something like vendorname_helpdesk@anycompany.com. Most of the time these make up the bulk of the false detections, which are dismissed after a first review by the incident response teams.

Group ID, as I use the term: an email address with sending rights that is shared and used by two or more members of a team for sending email.

System ID: an email address configured directly into tools and systems, which send preconfigured alerts, traps and texts on a schedule or trigger.

Knowing this gives us several options. Depending on the sensitivity of the data involved there would be variations in the approach below, but here it is for an average case:

(1) List all SMTP incidents in the database sorted by sender (column sort by total) and export to Excel

(2) Remove all senders whose total is less than 100

(3) Keep only system and group IDs such as Administrator@abc.com, helpdesk_1@abc.com, etc., and remove all individual users such as scott.tiger@abc.com, tom.best@abc.com

The result is our list of system and group IDs. It needs further filtering and finalization; keep a sender only if:

(1) No valid violations/detections were previously sent via this sender

(2) The supervisor/lead/team manager is also part of the group ID

(3) The system ID is limited to email sent by the tool/system itself, and its password is not shared with any user except the custodian/owner

Once the final list is available, create Sender/Recipient Patterns (available from v12 onwards) and add them as exceptions to policies. Which policy gets the exception also depends on the trustworthiness of the custodian/owner, the results of the filtering above, and the overall severity of the data the policy detects and controls. For example: do not add any exceptions to a policy that deals with IP or PCI data.
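
A builder for the candidate list described above, added as an example; it is not Symantec DLP code. Its input is a constructed export of SMTP incidents per sender (the "sort by sender, export to Excel" step). The 100-incident threshold and the "no previous valid detections" test are the page's criteria; the group/system-ID test is a heuristic (a local part that does not look like firstname.lastname) and is an assumption, as is the column layout of the export. The supervisor-in-group check cannot be read from an incident export and is left for manual review.

```python
"""Exclusion-candidate filter for the procedure above (added example, not
Symantec DLP code). The export format and the group/system-ID heuristic
are assumptions; the thresholds are the page's."""
import csv
import io
import re

MIN_INCIDENTS = 100
PERSONAL_LOCALPART = re.compile(r"^[a-z]+\.[a-z]+\d*$")    # scott.tiger, tom.best, jane.doe2

# Constructed export: sender, incidents in the period, incidents confirmed as real violations
SAMPLE_EXPORT = """sender,total,confirmed_violations
retirals_documents@anycompany.com,412,0
systemadmin_alert@anycompany.com,1875,0
vendorname_helpdesk@anycompany.com,97,0
helpdesk_1@anycompany.com,230,2
Administrator@anycompany.com,150,0
scott.tiger@anycompany.com,640,5
tom.best@anycompany.com,120,0
"""


def is_group_or_system_id(address):
    """Heuristic: anything whose local part does not look like a person's firstname.lastname."""
    local = address.split("@", 1)[0].lower()
    return PERSONAL_LOCALPART.match(local) is None


def exclusion_candidates(export_text):
    """Apply the filters in the page's order; returns (candidates, {sender: reason rejected})."""
    candidates, rejected = [], {}
    for row in csv.DictReader(io.StringIO(export_text)):
        sender = row["sender"].strip()
        total = int(row["total"])
        confirmed = int(row["confirmed_violations"])
        if total < MIN_INCIDENTS:
            rejected[sender] = f"only {total} incidents (< {MIN_INCIDENTS})"
        elif not is_group_or_system_id(sender):
            rejected[sender] = "individual user"
        elif confirmed:
            rejected[sender] = f"{confirmed} confirmed violations; never exclude"
        else:
            candidates.append(sender)
    return sorted(candidates, key=str.lower), rejected


if __name__ == "__main__":
    keep, drop = exclusion_candidates(SAMPLE_EXPORT)
    print("review for exception:", keep)
    for sender, reason in drop.items():
        print(f"rejected {sender}: {reason}")
```

The output is a list to review with the custodians, not to paste into a policy: helpdesk_1 is dropped despite being a group ID because two of its incidents were real, which is exactly the case an exception would hide.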

Let me know what you think about this, whether you like it or you don’t. Thank you for reading. Happy Data Protection!!!

Symantec Data Loss Prevention v14.0.1 Server Backup Step by Step

Find the Attachment For More Details ( With Screenshots )

Table of Contents

 1. About backup and recovery on Windows
 2. Recommendations
 3. Calculating the total size of the backup on Windows
 4. Calculating the size of database
 5. Calculating the size of File System
 6. Calculating the size of Server Configuration
 7. Creating backup directories on Windows
 8. Performing a cold backup of the Oracle database on Windows
 9. To generate a trace file of the control file
10. Collecting a list of files to be backed up
11. Creating a copy of the spfile on Windows
12. Shutting down the Symantec DLP system on Windows
13. Copying the database files to the backup location on Windows
14. Restarting the system on Windows
15. Backing up the server configuration files on Windows
16. Backing up files stored on the file system on Windows
17. The Windows recovery information worksheet

About backup and recovery on Windows

Symantec recommends that administrators perform backups of their entire system.

Perform system backups in case the Symantec Data Loss Prevention system crashes and needs to be restored.

Administrators should follow all of the backup instructions that are in this section in the order in which they are presented.

Symantec recommends that your data storage administrator perform all backups of your incident attachment external storage directories.

Administrators who would prefer to back up only part of their system must determine which subsets of the system backup instructions to follow.

Recommendations:

1. Symantec recommends that administrators perform backups of their entire system.

2. Perform system backups regularly.

3. Complete system backups should be performed at the following times:

    ■ After installation
    ■ Before any system upgrades
    ■ Any time the system changes, such as when a Symantec Data Loss Prevention Server is added to or removed from the system configuration

Calculating the total size of the backup on Windows:

To calculate the total size of the backup

  1. Size of the database: 133.31 GB
  2. Size of the file system files: 426 MB + 22.3 MB (\SymantecDLP\Protect\plugins, \SymantecDLP\Protect\logs)
  3. Size of the server configuration files: 483 KB (\SymantecDLP\Protect\config)
  4. Total (database + configuration files + file system files): approx. 134 GB

Calculating the size of the database:

1. Run SQL*Plus as Administrator.

2. Connect to the database as SYSDBA and run the following query (data files + temp files + redo logs, in GB):

SELECT ROUND(SUM(bytes)/1024/1024/1024, 4) GB
FROM (
  SELECT SUM(bytes) bytes FROM dba_data_files
  UNION ALL
  SELECT SUM(bytes) bytes FROM dba_temp_files
  UNION ALL
  SELECT SUM(bytes) bytes FROM v$log
);

Calculating the size of File System:

Calculating the size of Server Configuration:

Creating backup directories on Windows:

Create the following directories, preferably on an external storage device.

To create the backup directory structure

  1. Create a directory in which to store the backup files:

\SymantecDLP_Backup_Files

Remember that this directory should be created on a computer other than the one that hosts the database, the Enforce Server, or the detection servers.

  2. Create the following subdirectories in which to store the backup files:

\SymantecDLP_Backup_Files\File_System
\SymantecDLP_Backup_Files\Server_Configuration_Files
\SymantecDLP_Backup_Files\Database
\SymantecDLP_Backup_Files\Recovery_Aid

Performing a cold backup of the Oracle database on Windows

Cold backups are recommended primarily for non-database administrator users.

You perform a cold backup by

■ Stopping the Symantec Data Loss Prevention system
■ Shutting down the Oracle database
■ Copying important files to a safe backup location

Steps to perform a cold backup of the Oracle database

Step 1: Create recovery aid files.
Step 2: Collect a list of directories that should be backed up.
Step 3: Shut down all of the Symantec Data Loss Prevention and Oracle services.
Step 4: Copy the database files to the backup location.
Step 5: Restart the Oracle and Symantec Data Loss Prevention services.

You should create recovery aid files for use in recovery procedures. A trace file of the control file and a copy of the init.ora file are very helpful for database recoveries. The trace file of the control file contains the names and locations of all of the data files. The init.ora file contains the initialization parameters for Oracle, including the names and locations of the database control files.

To generate a trace file of the control file

  1. At the command prompt, enter sqlplus /nolog.

  2. At the SQL> prompt, connect as the sysdba user:

connect sys/password@protect as sysdba

where password is the SYS password.

  3. After receiving the Connected message, at the SQL> prompt enter:

alter database backup controlfile to trace as 'C:\SymantecDLP_Backup_Files\Recovery_Aid\controlfile.trc';

Success is indicated by the message "Database altered." This command generates a copy of the backup control file and writes it to the \SymantecDLP_Backup_Files\Recovery_Aid directory that you created previously.

  4. Issue the following command to back up the init.ora file:

create pfile='C:\SymantecDLP_Backup_Files\Recovery_Aid\init.ora' from spfile;
exit;

  5. Navigate to the C:\SymantecDLP_Backup_Files\Recovery_Aid directory. You should see the controlfile.trc and init.ora files in this directory.

  6. Rename the file controlfile.trc so that it can be easily identified, for example:

controlfilebackupMMDDYY.trc

Connect To Database as sysdba

Collecting a list of files to be backed up

You can create a list of the files that need to be backed up. This list is used in a later step.

To create a list of files for backup

1. Open SQL*Plus using the following command:

sqlplus sys/<password> as sysdba

(Passing the password on the command line exposes it in the process list and the shell history; sqlplus /nolog followed by connect, as in the previous procedure, avoids that.)

2. Enter the following SQL commands to create the list of files that must be backed up:

SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v$controlfile
UNION
SELECT member FROM v$logfile;

3. Save the list of files returned by the query to use in the following procedures:

C:\SymantecDLP_Backup_Files\Recovery_Aid\oracle_datafile_directories.txt

4. Exit SQL*Plus:

exit;

Creating a copy of the spfile on Windows

After you generate a trace file of the control file, you must create a copy of the spfile.

To create a copy of the spfile

1. In Oracle SQL*Plus, at the SQL> command prompt, enter:

create pfile='C:\SymantecDLP_Backup_Files\Recovery_Aid\inittemp.ora' from spfile;

2. To exit Oracle SQL*Plus, enter: exit

Shutting down the Symantec Data Loss Prevention system on Windows

To shut down the system

1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services console.

2. Stop all running Symantec Data Loss Prevention services, which might include the following:

Vontu Update
Vontu Incident Persister (on the computers that also host the Enforce Server)
Vontu Manager (on the computers that also host the Enforce Server)
Vontu Monitor (on the computers that also host a detection server)
Vontu Monitor Controller (on the computers that also host the Enforce Server)
Vontu Notifier (on the computers that also host the Enforce Server)

3. On the computer that hosts the database, stop the OracleServicedatabasename service, where databasename is the Global Database Name and SID selected during installation.

Stop All Vontu Services

Stop All Oracle Services

Copying the database files to the backup location on Windows

The database files that should be backed up include the files in the \protect directory and the database password file.

To copy the database files to the backup location

1. Make sure that the Oracle services are stopped.

If the Oracle services are not stopped, the backup files may be corrupt and unusable.

2. On the computer that hosts the database, copy the files from the list that you collected in the procedure "collecting a list of files to be backed up" to the computer that hosts the backup files.

Copy the protect directory into the c:\Symantec_DLP_Backup_Files\Database directory of the computer that hosts the backup files.

3. On the computer that hosts the database, select the %ORACLE_HOME%\database\PWDprotect.ora file and copy it into the c:\Backup_Files\Database directory of the computer that hosts the backup files.

OR

Run the Database_Files_Backup.bat from the attachment to back up all the files.

Modify the .bat file if required.

Restarting the system on Windows

To restart the system

=> Start all of the Oracle services:

     OracleServiceDATABASENAME

=> On the computer that hosts the Enforce Server, start the Vontu Notifier service before starting other Symantec Data Loss Prevention services.

=> Start the remaining Symantec Data Loss Prevention services, which might include the following:

Vontu Manager

Vontu Monitor

Vontu Incident Persister

Vontu Update

Vontu Monitor Controller
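The shutdown and restart procedures above depend on ordering: every Vontu service stops before the Oracle service, and on restart Oracle comes up first and Vontu Notifier before any other Symantec Data Loss Prevention service. The following PowerShell is an added example that automates both procedures with that ordering enforced; it is not the article's own .bat file and not part of the product. The Vontu display names are the ones listed in the procedures; the Oracle SID "protect" is an assumption (the service is OracleService<SID> for whatever SID was chosen at installation), and hosts that do not run a given service are skipped.

```powershell
# Added example (not the article's .bat file): stop and restart the Symantec DLP and
# Oracle services in the order the backup procedure requires. Each transition blocks
# until the service reports the target state, so a caller never copies database files
# while Oracle is still writing to them.

$OracleSid = 'protect'          # assumption: replace with the SID chosen at installation

# Order in which the shutdown procedure stops the Symantec DLP services.
$StopOrder = @(
    'Vontu Update',
    'Vontu Incident Persister',
    'Vontu Manager',
    'Vontu Monitor',
    'Vontu Monitor Controller',
    'Vontu Notifier'
)

# Restart order: Notifier must be running before any other Symantec DLP service.
$StartOrder = @(
    'Vontu Notifier',
    'Vontu Manager',
    'Vontu Monitor',
    'Vontu Incident Persister',
    'Vontu Update',
    'Vontu Monitor Controller'
)

function Get-ServiceByDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Lookup by display name, because those are the names the procedure lists.
    # Returns nothing when the service is not installed on this host (a detection
    # server, for example, only runs Vontu Monitor and Vontu Update).
    Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
}

function Set-ServiceState {
    param(
        [Parameter(Mandatory)][System.ServiceProcess.ServiceController]$Service,
        [Parameter(Mandatory)][ValidateSet('Running', 'Stopped')][string]$State,
        [int]$TimeoutSeconds = 180
    )
    # Issues the start or stop and waits for the target state; WaitForStatus throws a
    # TimeoutException if the service hangs, which aborts the calling script.
    if ($Service.Status -eq $State) { return }
    if ($State -eq 'Stopped') { Stop-Service -InputObject $Service -Force }
    else                      { Start-Service -InputObject $Service }
    $Service.WaitForStatus($State, [TimeSpan]::FromSeconds($TimeoutSeconds))
}

function Stop-DlpSystem {
    # Vontu services first, then the database (Oracle gets a longer timeout because a
    # clean shutdown has to flush its buffers).
    foreach ($name in $StopOrder) {
        $svc = Get-ServiceByDisplayName $name
        if ($null -ne $svc) { Set-ServiceState -Service $svc -State Stopped }
    }
    $ora = Get-Service -Name "OracleService$OracleSid" -ErrorAction SilentlyContinue
    if ($null -ne $ora) { Set-ServiceState -Service $ora -State Stopped -TimeoutSeconds 600 }
}

function Start-DlpSystem {
    # Oracle first, then Notifier, then the remaining Symantec DLP services.
    $ora = Get-Service -Name "OracleService$OracleSid" -ErrorAction SilentlyContinue
    if ($null -ne $ora) { Set-ServiceState -Service $ora -State Running -TimeoutSeconds 600 }
    foreach ($name in $StartOrder) {
        $svc = Get-ServiceByDisplayName $name
        if ($null -ne $svc) { Set-ServiceState -Service $svc -State Running }
    }
}

# Usage, from an elevated PowerShell session on each host in turn:
#   Stop-DlpSystem      # then copy the files
#   Start-DlpSystem     # once the copy has been verified
```

Run it once on the database host and once on the Enforce Server (and each detection server); the display-name lookup simply skips services a host does not have. If Set-ServiceState throws on timeout, leave the system down and investigate rather than proceeding to copy files, because a data file copied while Oracle is still stopping is exactly the corrupt backup the procedure warns about.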

Backing up the server configuration files on Windows

To back up the server configuration files

1. Select the \SymantecDLP\Protect\config directory.

Copy it to the \SymantecDLP_Backup_Files\Server_Configuration_Files directory on the computer that hosts the backup files.

OR

Run Config_Files_Backup.bat as Administrator to back up all the files in one shot.

You can modify this file according to your environment.

Backing up files stored on the file system on Windows

Some files that are stored on the file system for the Enforce Server and detection

servers should be backed up whenever they are changed. These files include:

=> Custom configuration changes

=> System logs

=> Keystore file

Copy all files and folders from the following locations and store them in \SymantecDLP_Backup_Files\File_System:

\SymantecDLP\Protect\plugins\
\SymantecDLP\Protect\logs\
\SymantecDLP\Protect\tomcat\conf\.keystore

OR

Run File_System_Backup.bat as Administrator to back up all the files in one shot.

You can modify this file according to your environment.
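The three copy procedures above (database files, server configuration files, and the plugins, logs and keystore on the file system) are the same operation with different sources and targets, and the article leaves them to attached .bat files that are not reproduced here. The following PowerShell is an added example, not the article's Database_Files_Backup.bat, Config_Files_Backup.bat or File_System_Backup.bat, that performs all three into the directory layout from the recovery worksheet and adds two checks a practitioner wants: it refuses to run while any Oracle service is still running (the "corrupt and unusable" case the database procedure warns about), and it hashes every file before and after the copy and writes a SHA-256 manifest so the backup can be verified later. The backup root and subdirectory names come from the article; the install drive C:, the Oracle SID "protect", ORACLE_HOME, and the filtering of the saved SQL*Plus output are assumptions.

```powershell
# Added example (not the article's .bat files): cold-copy the Symantec DLP database,
# configuration and file-system items into the worksheet layout, verifying each copy
# by SHA-256 and writing a manifest. Assumptions: install drive C:, SID "protect",
# ORACLE_HOME set in the environment.

$BackupRoot = 'C:\SymantecDLP_Backup_Files'   # may be a UNC path on the backup host
$DlpRoot    = 'C:\SymantecDLP\Protect'        # assumption: default install location
$OracleSid  = 'protect'                       # assumption: SID chosen at installation
$OracleHome = $env:ORACLE_HOME

function Test-OracleStopped {
    # Cold-backup precondition: every OracleService* instance on this host is Stopped.
    # A host with no Oracle service at all (Enforce or detection server) passes.
    $ora = Get-Service -Name 'OracleService*' -ErrorAction SilentlyContinue
    return -not ($ora | Where-Object { $_.Status -ne 'Stopped' })
}

function Get-DataFileList {
    param([string]$ListPath = "$BackupRoot\Recovery_Aid\oracle_datafile_directories.txt")
    # Assumption: the list was saved straight from SQL*Plus, so it also carries the
    # column header, separator line and "N rows selected." footer; keep only paths.
    Get-Content -LiteralPath $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]:\\' }
}

function Copy-WithHash {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    # Copies one file, then compares source and destination hashes before recording
    # the file in the manifest; a mismatch aborts the whole backup.
    New-Item -ItemType Directory -Path (Split-Path -Parent $Destination) -Force | Out-Null
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy of $Source does not match the original" }
    [pscustomobject]@{ Source = $Source; Destination = $Destination; SHA256 = $dstHash }
}

function Copy-TreeWithHash {
    param([Parameter(Mandatory)][string]$SourceDir, [Parameter(Mandatory)][string]$DestDir)
    # Recursive copy that preserves the relative layout under $DestDir.
    $base = (Get-Item -LiteralPath $SourceDir).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        Copy-WithHash -Source $_.FullName -Destination (Join-Path $DestDir $rel)
    }
}

function Invoke-DlpColdBackup {
    if (-not (Test-OracleStopped)) {
        throw 'Oracle services are still running; stop them before copying database files.'
    }
    $manifest = [System.Collections.Generic.List[object]]::new()

    # Database files from the SQL*Plus list. Only the drive letter is stripped, so files
    # with the same name in different directories (control files, redo logs) cannot collide.
    foreach ($file in Get-DataFileList) {
        $rel = $file -replace '^[A-Za-z]:\\', ''
        $manifest.Add((Copy-WithHash -Source $file -Destination "$BackupRoot\Database\$rel"))
    }
    # Database password file, %ORACLE_HOME%\database\PWD<SID>.ora.
    $manifest.Add((Copy-WithHash -Source "$OracleHome\database\PWD$OracleSid.ora" `
                                 -Destination "$BackupRoot\Database\PWD$OracleSid.ora"))

    # Enforce / detection server configuration directory.
    Copy-TreeWithHash "$DlpRoot\config" "$BackupRoot\Server_Configuration_Files\config" |
        ForEach-Object { $manifest.Add($_) }

    # File-system items: custom configuration (plugins), system logs, Tomcat keystore.
    Copy-TreeWithHash "$DlpRoot\plugins" "$BackupRoot\File_System\plugins" | ForEach-Object { $manifest.Add($_) }
    Copy-TreeWithHash "$DlpRoot\logs"    "$BackupRoot\File_System\logs"    | ForEach-Object { $manifest.Add($_) }
    $manifest.Add((Copy-WithHash -Source "$DlpRoot\tomcat\conf\.keystore" `
                                 -Destination "$BackupRoot\File_System\.keystore"))

    $manifest | Export-Csv -LiteralPath "$BackupRoot\manifest_$(Get-Date -Format yyyyMMdd_HHmm).csv" -NoTypeInformation
    return $manifest.Count
}

# Usage, from an elevated session with the services already stopped:
#   Invoke-DlpColdBackup
```

On a database host the function copies everything; on an Enforce Server or detection server, where the data-file list and PWD file do not exist, run only the Copy-TreeWithHash and keystore steps that apply. The manifest, the PWDprotect.ora copy and the .keystore file are all sensitive, so the backup directory deserves the same treatment the worksheet asks for: restrict its ACL to the backup operators and keep the manifest with the worksheet, since it is what lets you prove at restore time that the files are the ones you copied.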

The Windows recovery information worksheet

Modify the Recovery Information Worksheet according to your setup.

Recovery Information Worksheet

Backup file information: Example and locations

Name of the computer that hosts backup files: Backup_Server1_Gurgaon

Directory containing backup files: C:\SymantecDLP_Backup_Files

Subdirectory containing file system backup files: C:\SymantecDLP_Backup_Files\File_System

Subdirectory containing Enforce and detection server configuration backup files: C:\SymantecDLP_Backup_Files\Server_Configuration_Files

Subdirectory containing database backup files: C:\SymantecDLP_Backup_Files\Database

Subdirectory containing Database Recovery Aid files: C:\SymantecDLP_Backup_Files\Recovery_Aid

=> Print this page containing the Recovery Information Worksheet.

=> Store this worksheet in a secure location because it contains sensitive data.

Petya Ransomware's Encryption Defeated and Password Generator Released


At last! Someone has managed to crack the Petya Ransomware's encryption and is offering a tool for you to generate a key for FREE! And knowing that many of you were hit with this and had to resort to your last good backup (which could be a day or a week out of date), this is your chance to get your whole data back!

Basically, in a nutshell...

* Remove affected HDD to another PC (or HDD docking)

* Run the Petya Sector Extractor tool to get the 512 byte data - http://download.bleepingcomputer.com/fabian-wosar/PetyaExtractor.zip

* Go to https://petya-pay-no-ransom.herokuapp.com and enter the details that you got from the tool above.

* It will generate the key for you to enter on your infected PC

* Put the HDD back in your computer and boot it up and wait for it to reach the Petya Ransomware lock screen - enter the key.

* Once entered, it will begin decrypting the HDD

* Your data is back! \o/

If you prefer to follow the guides with further details, you can do so at http://www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released/

How did it go for you? Did it work for you? Share your experience.
