Symantec企业产品知识库文章--EndpointProtection

《Symantec企业产品知识库文章--EndpointProtection》由会员分享，可在线阅读，更多相关《Symantec企业产品知识库文章--EndpointProtection（21页珍藏版）》请在装配图网上搜索。

1、Symantec企业产品知识库Endpoint ProtectionS Business Support 搜索结果 KB 文章不受控管的SEP客户端定制升级定义失败，但是手动升级没有问题文章: TECH157766 | 创建日期: 2011-04-11 | 更新日期: 2011-04-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 语言 中文 (简体) (Simp. Chinese) Problem检查所有的权限问题，都不能解决此问题。它只发生在win2000服务器上。手动点击升级或者运行luall，都能够正常升级定义。但是定制的

2、定义升级，没有运行。Environmentwin2000.Version under SEP ru6 Mp2Solution这个问题已经提交给研发，请查看Etrack2329484获得最新的更新和方案。文章 URL 赛门铁克端点保护(SEP 11)客户端安装失败，提示消息“Symantec Endpoint Protection 检测到需要重新启动的挂起系统更改，请重新启动系统并重新运行安装”文章: TECH146653 | 创建日期: 2010-12-21 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 1

3、1.0 - 11.0 RU5 - 11.0 RU5 (Hosted Endpoint) 语言 中文 (简体) (Simp. Chinese) Problem在安装赛门铁克端点保护(SEP 11)客户端时系统提示：“Symantec Endpoint Protection 检测到需要重新启动的挂起系统更改，请重新启动系统并重新运行安装”。安装中止，重新启动计算机并重新安装SEP客户端，仍然提示该错误信息。ErrorSolution打开Windows注册表编辑器（Regedit.exe），浏览到以下注册表项：HKEY_LOCAL_MACHINE sytem CurrentControlSet Co

4、ntrolSession Manger。在右侧的面板寻找是否存在该字符串值：PendingFileRenameOperations 。如果您没有找到该字符串值， 继续在以下位置寻找：HKEY_LOCAL_MACHINE System ControlSetXXX Control SessionManager PendingFileRenameOperations。右键单击包含该值的注册表项SessionManager，然后选择导出并保存。从注册表中删除PendingFileRenameOperations值。重新启动计算机并重新安装SEP。文章 URL 如何防护W32.Stuxnet?文章: T

5、ECH142348 | 创建日期: 2010-10-21 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 AntiVirus Corporate Edition - 10.0 - 10.0 MR2 MP2 (10.0.2.2) AntiVirus Corporate Edition - 10.0 - 10.0 MR2 MP1 (10.0.2.1) AntiVirus Corporate Edition - 10.0 - 10.2 显示全部 AntiVirus Corporate Edition - 10.0 - 10.1 AntiVirus Corpo

6、rate Edition - 10.0 - 10.0 MR2 (10.0.2) AntiVirus Corporate Edition - 10.0 - 10.0 MR1 (10.0.1) Endpoint Protection - 11.0 AntiVirus Corporate Edition - 10.0 - 10.0 MR1 MP1 (10.0.1.1) AntiVirus Corporate Edition - 10.0 - 10.2 MR2 (10.2.2) 显示部分 主题 Security/Threat 语言 中文 (简体) (Simp. Chinese) Problem如何防护

7、W32.Stuxnet?Solution1. Symantec什么时候开始检测到此病毒？W32.Stuxnet was first categorized in July of 2010. Originally Symantec named the detection W32.Temphid based upon the information originally received but later renamed it Stuxnet to bring our naming convention in line with other vendors, and therefore viru

8、s definitions dated July 19, 2010 or earlier may detect this threat as W32.Temphid.2. W32.Stuxnet如何传播？1) 利用微软漏洞：- Microsoft Windows Shortcut LNK/PIF Files Automatic File Execution Vulnerability- Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability- Microsoft Windows Prin

9、t Spooler Service Remote Code Execution Vulnerability2) 网络共享；3) U盘。3. W32.Stuxnet有什么危害？Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA systems, and if it finds these systems on the compromised computer, it attempts to steal code and design projects

10、.It may also take advantage of the programming software interface to also upload its own code to the Programmable Logic Controllers (PLC), which are mini-computers, in an industrial control system that is typically monitored by SCADA systems.4. 有哪些操作系统受到W32.Stuxnet的影响？Our in-field data shows that mu

11、ltiple versions of Windows are seeing these malicious files. However, not all versions may be vulnerable to the exploit being used. 5. 如何防护W32.Stuxnet？1) 更新微软相关补丁：- Microsoft Windows Shortcut LNK/PIF Files Automatic File Execution Vulnerability- Microsoft Windows Server Service RPC Handling Remote C

12、ode Execution Vulnerability- Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability2) 使用Symantec专门提供的的应用程序和设备控制策略：下载并导入以下ADC策略：具体使用方法如下：To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend

13、using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to

14、 enable active protection.For more information on ADC and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).3) 关闭系统还原、及时更新病毒定义并进行全面扫描；The latest Intelligent Updater virus definitions can be obtained here: Intellig

15、ent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.4) 更新IPS：为了防护此病毒的传播，Symantec已经发布以下IPS进行防护：- HTTP W32 Stuxnet CC Activity （SID: 23791）- HTTP W32 Stuxnet CC Activity 1 （SID: 23792）5) 删除相关的注册表：Important: Syma

16、ntec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.1. C

17、lick Start Run.2. Type regedit 3. Click OK.Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.4.

18、Navigate to and delete the following registry entries:o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMRxClsImagePath = %System%driversmrxcls.syso HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMRxNetImagePath = %System%driversmrxnet.sys5. Exit the Registry Editor.Note: If the risk creates or m

19、odifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.6

20、) 禁止不必要的网络共享；7) 增强用户的密码强度。/apps/media/inquira/resources /resources 文章 URL 点击管理员-服务器后SEPM会变得非常慢文章: TECH142730 | 创建日期: 2010-10-27 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 - 11.0 RU6 MP1 环境 Microsoft - Windows Server 2003 - Standard Server 语言 中文 (简体) (Simp. Chinese) Probl

21、em从RU5升级至RU6MP1，点击管理员-服务器后SEPM会变得非常慢，点击其他选项也会相应的变慢很多。关闭SEPM重新登录后会正常，但在此点击服务器后仍会变慢。Cause点击管理员-服务器前日志窗口并未激活，第一次点击后会激活，即使点击其他按钮，如客户端、策略也仍然继续加载所有日志，使得响应变慢。Solution此问题在RU6MP2中修复。有个workaround的方法：点击管理员-服务器变慢后，尝试点击管理员-域或安装包或Adminstrator可终止日志加载使SEPM正常。Related Articles文章 URL 非受管SEP客户端无法更新定义文章: TECH143240 | 创建

22、日期: 2010-11-02 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 - 11.0 RU6 环境 Microsoft - Windows Server 2003 - Standard Server 语言 中文 (简体) (Simp. Chinese) Problem非受管客户端点击执行liveupdate时，立刻完成并报错LU1803。Solution添加删除程序中卸载Liveupdate 3.3，然后使用LUSetup.exe安装liveupdate后，再次运行liveupdate即正常。

23、文章 URL SEP客户端无法下载病毒定义文章: TECH140151 | 创建日期: 2010-09-17 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 语言 中文 (简体) (Simp. Chinese) ProblemSEP客户端可以下载策略，客户端图标绿点存在，但是无法更新病毒定义Error察看Sylinkdump存在以下报错09/08 15:04:43 2052 Request is: action=52&hostid=BCDD3AB00A8CF0D3017577F9403CA8E9&g

24、roupid=C4520DD10A8CF2290062A8D2C50E07C5&fn=hex7B43363044433233342D363546392D343637342D393441452D3632313538454643413433337D&cdn=hex54573030364350574B30303034&lun=hex74775F6B6174655F7775&udn=hex5457444F4D2E434F5250&lu=6&luseq=90415033,&lulasttriedseq=&lutargetseq=100907002&lucontentstate=009/08 15:04:

25、43 2052 URL: /secars/secars.dll?h=9B9A04EC3C9684BAE76EF452E65E8B5B228E1FE332FA4473B553F23254C1B2378EA2043886B3B87D5019CE205AEB02DCE8650EAA71F5232C6769A149B958985AFF487F6D85B4124208CB6B58E4D4421CD462625DBCD100D96A568FCA26ACFCA990ED04CD0F0F8293724EA506E96E9F8D49304AC83CA1F7B53D1BA51BA805BEF60925B5E1DB

26、9B49D7B4C0C9C76D96B31339E9F8A7ADC5F4D13C1CDA5D6F8D20B6BAE494D5D37C6EA2F967CB311E69A59957224D7AC2FB4668F5E7762F0CBB92897E4FB8550E549F54E9D5CCB51E8BD4A6D668A624779294E7771B47686E7DF8EEB46998606FC051211514BA525BEDCFF19E5849E9FD33FD87D7A98EACDB19D3E44C05FB521C76C7B71A2FE8EA10DB6727F328A0DCDEE97B88714D8C

27、CE574D2A8347CFC5680B17D3835D06A9E043DFA76768B69FE285455D6D7BFB85D9447BD62BA3318A433D5EC6015390E30A115E6B71D37BA4D0A357D4159F2B966F4B59EFDC94B2606E003D0896D52B3A2F9CF2E01109/08 15:04:43 2052 http:/10.140.240.211:80/secars/secars.dll?h=9B9A04EC3C9684BAE76EF452E65E8B5B228E1FE332FA4473B553F23254C1B2378E

28、A2043886B3B87D5019CE205AEB02DCE8650EAA71F5232C6769A149B958985AFF487F6D85B4124208CB6B58E4D4421CD462625DBCD100D96A568FCA26ACFCA990ED04CD0F0F8293724EA506E96E9F8D49304AC83CA1F7B53D1BA51BA805BEF60925B5E1DB9B49D7B4C0C9C76D96B31339E9F8A7ADC5F4D13C1CDA5D6F8D20B6BAE494D5D37C6EA2F967CB311E69A59957224D7AC2FB46

29、68F5E7762F0CBB92897E4FB8550E549F54E9D5CCB51E8BD4A6D668A624779294E7771B47686E7DF8EEB46998606FC051211514BA525BEDCFF19E5849E9FD33FD87D7A98EACDB19D3E44C05FB521C76C7B71A2FE8EA10DB6727F328A0DCDEE97B88714D8CCE574D2A8347CFC5680B17D3835D06A9E043DFA76768B69FE285455D6D7BFB85D9447BD62BA3318A433D5EC6015390E30A11

30、5E6B71D37BA4D0A357D4159F2B966F4B59EFDC94B2606E003D0896D52B3A2F9CF2E01109/08 15:04:43 2052 15:4:43=Send HTTP REQUEST09/08 15:04:43 2052 15:4:43=HTTP REQUEST sent09/08 15:04:43 2052 SMS return=20009/08 15:04:43 2052 200=200 OK09/08 15:05:13 2052 AH: (InetWaiting) time out. Timeout period: 3000009/08 1

31、5:05:13 2052 Throw Internet Exception, Error Code=4294967287;Internet Session Timeout09/08 15:05:13 2052 CInternetException: : 09/08 15:05:13 2052 Request Timed out with Wait time (in ms): 30000 Setting the session timeout to 2 min.Environmentwindows xp sp3, IE7CauseIE6升级IE7,导致http设置在升级时出现损坏Solution

32、1。确认IE设置 菜单栏-工具-internet option-高级中需要选择http1.1设置2。删除相关注册表键值，重起操作系统HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections/apps/media/inquira/resources /resources 文章 URL SEPM升级后更新不成功文章: TECH143414 | 创建日期: 2010-11-04 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Pr

33、otection - 11.0 - 11.0 RU6 MP1 Endpoint Protection - 11.0 环境 Microsoft - Windows Server 2003 - Standard Server 语言 中文 (简体) (Simp. Chinese) Problem从MR4升级到RU6MP1后，SEPM更新不成功提示返回值4。Solution添加删除程序中删除liveupdate 3.3。删除文件夹c:documents and settingsall userapplication datasymantecliveupdate。使用lusetup.exe重新安装liv

34、eupdate后执行liveupdate仍然返回代码4，但在c:documents and settingsall userapplication datasymantecliveupdatedownload可看到已经有下载的内容了。修改settings.liveupdate中PREFERENCESINTERNET_CONNECT_TIMEOUT 和 PREFERENCESINTERNET_READ_DATA_TIMEOUT的值，从45改为300，再次执行liveupdate即可成功。文章 URL 利用MR4的备份数据库恢复的SEPM（Symantec Endpoint Protection

35、Manager）病毒定义过期但是无法升级，运行LUALL.EXE时显示病毒定义已经是最新的。文章: TECH143630 | 创建日期: 2010-11-08 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 - 11.0 MR4 (11.0.4) 语言 中文 (简体) (Simp. Chinese) ProblemSEPM的病毒定义已经过期，但运行LUALL时提示病毒定义已经是最新的，无需升级。Error1， SEPM病毒定义无法升级（互联网访问正常，SEPM服务器可以访问Symantec病毒定义下

36、载网站）；2， 运行Lucatalog修复后，重新启动服务器故障依旧；3， 尝试运行补丁修复程序：SEPServerPatch-v6.01.exe， SEPServerPatch-v5.01.exe提示“无法在该服务器上运行”。Environment1， SEPM版本 MR4；2， SEPM 服务器重新安装，SEPM通过备份数据库恢复得到（备份的SEPM版本为MR4，恢复后的SEPM版本不变）。Solution1，将SEPM从MR4版本升级为RU6；2，重新配置SEPM服务器。/apps/media/inquira/resources /resources 文章 URL SEPM上找不到新安装

37、的客户端文章: TECH144033 | 创建日期: 2010-11-12 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 - 11.0 RU5 环境 Microsoft - Windows Server 2003 - Standard Server 语言 中文 (简体) (Simp. Chinese) Problem通过部署向导安装客户端后，客户端上有绿点，显示的组不是安装包导出的组。在SEPM上相应的组中找不到这个客户端，也搜寻不到。Solution在数据库的sem_client中按照计算机名称

38、可查到这个客户端的记录，但对应的policymode=0，而且还有一些客户端的policymode也为0。安装包确认导出时使用的是计算机模式，但手动对客户端操作时将其转为了用户模式，使得新安装的客户端出现异常。使用工具将用户模式的客户端都先转为计算机模式，然后使客户端重新注册，则其出现在正确的组当中。文章 URL 使用.jdb文件更新SEPM病毒定义失败文章: TECH141965 | 创建日期: 2010-10-15 | 更新日期: 2011-03-11 文章类型Technical Solution 产品 Endpoint Protection - 11.0 - 11.0 RU5 - 11.

39、0 RU5 (Hosted Endpoint) 语言 中文 (简体) (Simp. Chinese) Problem由于用户的SEPM无法访问Internet，所以使用.jdb文件来更新SEPM的病毒定义。用户把.jdb文件下载后存储在C:Program FilesSymantecSymantec Endpoint Protection Managerdatainboxcontentincoming，能看到.jdb文件已经被解压缩并处理，但在SEPM上显示防病毒和防间谍软件的定义并没有被更新，SEP客户端也无法得到最新的病毒定义。EnvironmentPlatform: Windows 7 P

40、rofessionalSEP version: 11.0.RU5Cause很可能是由于Symcdata或 VirusDefs中的文件损坏。Solution 打开控制面板管理工具服务找到Symantec Endpoint Protection Manager 停止此服务 同时停止Symantec Endpoint Protection服务. 打开目录 Program FilesSymantecSymantec Endpoint Protection Managerdatainboxcontentincoming 删除所有的.jdb文件以及其他释放出的文件 打开目录 Program FilesCo

41、mmon FilesSymantec SharedSymcdata- 删除 sesmvirdefs32 和 sesmvirdefs64中的所有文件- 删除 VirusDefs 中的所有文件 打开控制面板管理工具服务找到Symantec Endpoint Protection Manager 启动此服务 启动Symantec Endpoint Protection服务 再次把.jdb文件存放到Program FilesSymantecSymantec Endpoint Protection Managerdatainboxcontentincoming 查看是否SEPM能够成功升级病毒定义/ap

42、ps/media/inquira/resources /resources Related Articles文章 URL Symantec Endpoint Protection (SEP) 11.0 中的 Live Update 故障补救文章: TECH102787 | 创建日期: 2008-01-05 | 更新日期: 2008-01-07 文章类型Technical Solution 产品 Endpoint Protection Small Business Edition - 11.0 Endpoint Protection - 11.0 环境 Microsoft - Windows X

43、P - Home 5.1 Microsoft - Windows 2000 - Professional 语言 Deutsch (German) English Espaol 显示全部 Franais Italiano Portugus Brasiliero 中文 (简体) (Simp. Chinese) 中文 (繁體) (Trad. Chinese) 显示部分 ProblemLive Update 可以运行，但不能更新定义。Cause.Documents and SettingsAll UsersApplication DataSymantecLiveUpdate 文件夹损坏Solution

44、要解决此问题，请遵循以下各步骤：1. 启动“Windows 资源管理器”（或“我的电脑”），并导航到以下位置： Documents and SettingsAll UsersApplication DataSymantecLiveUpdate2. 在 LiveUpdate 文件夹中，将所有Settings.LiveUpdate 文件剪切并复制到另一个文件夹作为备份。 3. 在同一个文件夹中，删除Log.LiveUpdate 文件。 4. 删除 Downloads 文件夹中的内容。（不要删除 Downloads 文件夹本身） 5. 重新运行 LiveUpdate。 如果问题仍然没有解决，则您需要

45、卸载并重新安装 LiveUpdate。有关详细信息，请参考以下文档：如何在安装了 Symantec Endpoint Protection Manager 或 Symantec Endpoint Protection 客户端时卸载并重新安装 LiveUpdateReferencesSymantec AntiVirus Case # 290-882-156 Technical Information如果补救过程失败，则请客户转发新的 Log.LiveUpdate 文件，以便查看 /apps/media/inquira/resources /resources 文章 URL How to Unin

46、stall and Reinstall LiveUpdate When a Symantec Endpoint Protection Manager or Symantec Endpoint Protection Client is InstalledArticle: TECH102609 | Created: 2007-01-09 | Updated: 2010-08-13 Article TypeTechnical Solution Product(s) Endpoint Protection Small Business Edition - 11.0 Endpoint Protectio

47、n - 11.0 Environment Microsoft - Windows XP - Home 5.1 Microsoft - Windows Vista - Enterprise 6.0.6000 Microsoft - Windows Server 2003 - Standard Server Show all Microsoft - Windows 2000 - Professional Show less Languages English Espaol 日本語 (Japanese) Show all 中文 (简体) (Simp. Chinese) 中文 (繁體) (Trad.

48、Chinese) Show less ProblemYou need to uninstall and reinstall Symantec LiveUpdate on a computer where Symantec Endpoint Protection Manager (SEPM) or a Symantec Endpoint Protection (SEP) client is installed.SolutionUse Add or Remove Programs in the Control Panel to uninstall LiveUpdate. Run the LiveU

49、pdate installer to install LiveUpdate again.To uninstall and reinstall LiveUpdate:1. In Windows Explorer make a back-up copy of the following files:On Windows 2000, XP and 2003: C:Documents and SettingsAll UsersApplication DataSymantecLiveUpdateProduct.Inventory.LiveUpdate C:Documents and SettingsAl

50、l UsersApplication DataSymantecLiveUpdateSettings.LiveUpdateOn Windows Vista, 7 and 2008: C:ProgramDataSymantecLiveUpdateProduct.Inventory.LiveUpdate C:UsersAll UsersApplication DataSymantecLiveUpdateSettings.LiveUpdateWARNING: It is important to follow this step in order to avoid having to register

51、 SEPM or SEP with LiveUpdate or having to reconfigure LiveUpdate proxy settings.2. Click Start Settings Control Panel. 3. Click Add or Remove Programs. 4. Click LiveUpdate. 5. Click Change/Remove. 6. Follow the on-screen instructions to uninstall LiveUpdate. 7. In Windows Explorer, delete the follow

52、ing folders if they are present: On Windows 2000, XP and 2003: C:Documents and SettingsAll UsersApplication DataSymantecLiveUpdate C:Program FilesSymantecLiveUpdateOn Windows Vista, 7 and 2008: C:ProgramDataSymantecLiveUpdate C:UsersAll UsersApplication DataSymantecLiveUpdate8. Install LiveUpdate us

53、ing LUSETUP.EXE located in the SEP installation files, in one of the following folders:.CD1SEPM or .CD1SEP-Or- Download the LUSETUP.EXE file from the following Symantec LiveUpdate Web Page. Be sure to download the version of LUSETUP.EXE that is appropriate for your version of Symantec Endpoint Prote

54、ction.9. Browse to:C:Documents and SettingsAll UsersApplication DataSymantecLiveUpdateProduct.Inventory.LiveUpdateand replace the newly created Product.Inventory.LiveUpdate and Settings.LiveUpdate files with the files you backed-up in step 1. Note: If you did not back-up the Product.Inventory.LiveUp

55、date file before deleting the LiveUpdate folder you must register SEPM or SEP with LiveUpdate for it to update correctly.Note: If you did not back-up the Settings.LiveUpdate file before deleting the LiveUpdate folder you must reconfigure the LiveUpdate proxy settings in the SEPM to make the changes

56、propagate back down to LiveUpdate.To register SEPM with LiveUpdate:1. Click Start, then Run. 2. Type cmd, then click OK. This will bring up a command prompt. 3. At the command prompt type cd and the path to lucatalog.exe. By default the command would be: cd C:Program FilesSymantecSymantec Endpoint P

57、rotection Managerbin4. Type lucatalog.exe -update To register the SEP Client with LiveUpdate:1. Click Start Settings Control Panel. 2. Click Add or Remove Programs. 3. Click Symantec Endpoint Protection. 4. Click Change. 5. Click Next, select Repair, and click Next again. 6. Click Install. 7. Click Finish. /apps/media/inquira/resources /resources Article URL