The first rule of Symantec is you don't talk about Symantec

On Thu, Nov 8, 2012 at 6:54 AM, Robert Cato <cato.rob...@gmail.com> wrote:

>
> It is SEP12, I'm sorry I do not know the definition file, that is handled
> by the security group...and they don't really want to talk about Symantec
> right now.
>
>
> On Thu, Nov 8, 2012 at 9:05 AM, Erik Goldoff <egold...@gmail.com> wrote:
>
>> curious, SEP 11 or 12, and what definitions when this happened?
>>
>> Thanks
>>
>> On Thu, Nov 8, 2012 at 8:57 AM, Robert Cato <cato.rob...@gmail.com> wrote:
>>
>>>
>>> Yep, all on its own. Granted this was based on settings that were made
>>> during installation, based on recommendations from the onsite Symantec
>>> vendor/engineer.
>>>
>>>
>>>
>>> On Thu, Nov 8, 2012 at 8:48 AM, Kennedy, Jim <
>>> kennedy...@elyriaschools.org> wrote:
>>>
>>>> “SEP quarantined the files and then went to all machines on the
>>>> network and quarantined them on all machines…”
>>>>
>>>> Holy smokes, it decided to do that on its own? And quarantined the
>>>> machines that had NOT been updated yet?
>>>>
>>>> So glad I don’t run AV.
>>>>
>>>> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
>>>> *Sent:* Thursday, November 08, 2012 8:45 AM
>>>>
>>>> *To:* NT System Admin Issues
>>>> *Subject:* Re: Symantec %@(*&OI:TNGF(P*
>>>>
>>>> Ken
>>>>
>>>> These two updates were only installed on a couple of Win7 machines at
>>>> most. They were approved during the day for install overnight, a couple of
>>>> users saw the pop-up and installed. SEP quarantined the files and then went
>>>> to all machines on the network and quarantined them on all machines (Win7,
>>>> Vista, and XP).
>>>>
>>>> It would be nice if we had a separate network, but I'm not sure that
>>>> will get approved.
>>>>
>>>> Robert
>>>>
>>>> On Thu, Nov 8, 2012 at 6:41 AM, Ken Schaefer <k...@adopenstatic.com>
>>>> wrote:
>>>>
>>>> Even if you don’t have a separate network, you can create a separate
>>>> group in WSUS, and put a test machine(s) with your SOE image in that group.
>>>>
>>>> That would allow you to test patches prior to mass deployment. Checking
>>>> for AV issues would be just one thing – I’d recommend that you have some
>>>> test cases for all your important apps as well.
>>>>
>>>> Cheers
>>>>
>>>> Ken
>>>>
>>>> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
>>>> *Sent:* Thursday, 8 November 2012 9:48 PM
>>>>
>>>> *To:* NT System Admin Issues
>>>> *Subject:* Re: Symantec %@(*&OI:TNGF(P*
>>>>
>>>> Ken,
>>>>
>>>> That was my first question, but it is still unanswered. I am still new
>>>> at this %dayjob%.
>>>>
>>>> In this case, the testing would have had to be done in a separate
>>>> network, which I am fairly sure we don't have. I will take that suggestion
>>>> to the table when we analyze the breakdowns of this incident.
>>>>
>>>> Robert
>>>>
>>>> On Wed, Nov 7, 2012 at 9:37 PM, Ken Schaefer <k...@adopenstatic.com>
>>>> wrote:
>>>>
>>>> No matter who you migrate to, you’ll also run into issues (false
>>>> positives seem to occur all the time, with all vendors).
>>>>
>>>> Did you test the patches before releasing to Production? Might be worth
>>>> beefing up the testing regime.
>>>>
>>>> *From:* Robert Cato [mailto:cato.rob...@gmail.com]
>>>> *Sent:* Thursday, 8 November 2012 5:22 AM
>>>>
>>>> *To:* NT System Admin Issues
>>>> *Subject:* Symantec %@(*&OI:TNGF(P*
>>>>
>>>> FYI
>>>>
>>>> We approved two MS patches yesterday (KB2574819 KB2592687) in WSUS. One
>>>> user installed the two updates in the afternoon and Symantec Endpoint
>>>> Protection 12 with several advanced features enabled (threat protection,
>>>> heuristics, SONAR, etc). SEP quarantined 15 system files, run32.dll among
>>>> them. The real problems started when SEP decided to quarantine the files
>>>> across all ~600 workstations taking us completely offline.
>>>>
>>>> The fix was to boot each workstation into safe mode and remove SEP.
>>>>
>>>> It was a long night.
>>>>
>>>> The good news:
>>>>
>>>> None of the advanced features were enabled on the servers.
>>>>
>>>> We are migrating away from SEP as of this morning.
>>>>
>>>> Robert
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>>> with the body: unsubscribe ntsysadmin
>
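
The staged rollout Ken Schaefer suggests in the thread above (a separate WSUS group holding a test machine built from the SOE image) can be scripted with the UpdateServices PowerShell module. This is an added example, not part of the original messages; the group name `Patch-Pilot` and host name `soe-test-01` are assumptions, and the KB numbers are the two named in the thread.

```powershell
# Added example: stage updates to a pilot group before wider approval.
# Run on the WSUS server (UpdateServices module, Windows Server 2012 or later).
Import-Module UpdateServices

$PilotGroup = 'Patch-Pilot'            # hypothetical pilot group name
$PilotHosts = @('soe-test-01')         # hypothetical test machine(s) built from the SOE image
$KBs        = @('2574819', '2592687')  # the two updates named in the thread

$wsus = Get-WsusServer                 # connects to the local WSUS server

# Create the pilot computer target group if it does not exist yet.
$group = $wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $PilotGroup }
if (-not $group) {
    $group = $wsus.CreateComputerTargetGroup($PilotGroup)
}

# Put the test machines into the pilot group.
# Note: this only sticks with server-side targeting; with client-side
# targeting the group is assigned through Group Policy instead.
foreach ($name in $PilotHosts) {
    Get-WsusComputer -UpdateServer $wsus -NameIncludes $name |
        Add-WsusComputer -TargetGroupName $PilotGroup
}

# Approve the listed KBs for the pilot group only.
Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any |
    Where-Object {
        $update = $_
        $KBs | Where-Object { $update.Update.KnowledgebaseArticles -contains $_ }
    } |
    Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
```

Approval for the built-in `All Computers` group is left untouched, so the remaining workstations receive the updates only after the pilot machines, with the same endpoint protection policy applied, have run them cleanly.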
