Channel: Symantec Connect - Articles

Determine if Workflow is running in Debug


When a workflow uses Windows Authentication, the Get Current User component cannot retrieve the current user while the workflow is being debugged.
Each time the workflow needs to be debugged, the Get Current User component has to be disabled and a fixed result put in its place.
I have created an additional component so that the Get Current User component no longer has to be enabled and disabled when debugging and publishing the application.

This is an overview of a simple workflow. It uses Get Port Number (a Code (Script) Component) to retrieve the port number on which the workflow is being accessed. Outside the debugger this is most likely port 80 (HTTP) or 443 (HTTPS); debug sessions always run on a random port number above 1024.
If the port number is 80, the workflow proceeds to the Get Current User component. If it is a different port number, a static value is set instead (Add Data Element component).


Here are the steps to recreate this workflow.

Step 1: Locate the Code (Script) Component. This component is included in the library LogicBase.Components.Scripting.dll.

Step 2: Drag it into your workflow and edit it.

Step 3: Leave the Input Parameters empty and click Next.

Step 4: Configure the Result variable with type "Number (integer)" and a variable name (e.g. iPort).

Step 5: Configure the namespaces:

System
System.Web

As source code enter:

return HttpContext.Current.Request.Url.Port;

Step 6: Just click Finish.
REMARK: Run Test will generate an error, because HttpContext.Current is null when the component is executed outside a web request.

Step 7: Add a Compare Number component and compare the result with port 80 (HTTP). If the published workflow is served over HTTPS it arrives on port 443, so 443 has to take the same path as 80; otherwise a production HTTPS deployment would silently run with the static user instead of the authenticated one.

Step 8: Add the Get Current User component after the "equal to" path.

Step 9: Add a new Add Data Element component after the "less than" and "greater than" paths.

Step 10: When the workflow runs in the debugger, the current user resolves to the static value DEBUG. When it runs in production, it resolves to the actual user name.

Keep in mind that the static DEBUG user should not be granted anything in the workflow's data or in downstream systems, because any deployment that answers on a non-standard port will take that path.


Best Practices for a Successful DLP Implementation


Hi All,

As I have been working on DLP for more than 4 years, in different roles from planning, implementation and administration to incident management and consulting, the best practices below are consolidated from various sources such as Symantec.

A successful DLP program requires the following 5 attributes:

[Figure: the five attributes of a successful DLP program]

DLP Data Governance Framework

[Figure: DLP data governance framework]

  • Below are some of the best practices that should be adopted in order to have a successful pre- and post-DLP deployment.
  • While choosing a DLP product, organizations should check whether the DLP product supports the data formats in which data is stored in their environment.
  • After choosing a DLP product, the implementation should start with a minimal policy base to keep false positives manageable, and the base should grow as more critical or sensitive data is identified.
  • DLP operations should be effective in triaging to eliminate false positives and in fine-tuning DLP policies.
  • Risk profiles should be updated regularly and DLP incidents thoroughly documented.
  • A proper DLP Discovery tool will accurately locate unencrypted PCI data wherever it resides; DLP processes guide users to encrypt the information, remove it, or apply other remediation according to the organization's defined policies.
  • Continuous DLP Discovery scanning may be applied at the desired frequency or on demand to audit security status and maintain awareness of PCI data locations. DLP Endpoint will control the copying of unencrypted PCI data to connected devices.
  • Identify potential places where PCI information might leak. For most organizations it is recommended to inspect the following channels:
      • Email - Consider all outbound email traffic including attachments.
      • Web traffic - Gmail and other web mail providers, Facebook and other social media sites should be monitored.
      • Other protocols - In particular, unencrypted communications should not cross the organizational firewall without the information first being identified.
      • Data storage - Identify and categorize the information on all storage under the organization's control, including file servers, file shares, SAN, SharePoint servers, user home directories, workstations and laptops, in order to determine the assets requiring review and inspection.
      • USB, DVD - Consider workstations that allow USB mass storage or DVD burning, and any devices that can be physically disconnected and carried away.
  • Scan data stores for PCI information. Once assets have been determined, identify any potential regulated or sensitive information on that asset.
  • Apply controls. Repeat these steps until a satisfactory level of understanding is developed in the form of a map of the protected information, and appropriate controls are in place and understood by the stakeholders and system users.

  • Best practices which can be implemented according to organization culture and policy:
      • Identify and classify the data
      • Provide view-only access
      • Implement a data management life cycle
      • Do not allow unauthorized devices on your network
      • Do not permit copying of sensitive data onto removable media
      • Improve authorization and access control measures
      • Understand the flow of data in your network
      • Understand your policies and create awareness
      • Audit your own compliance
      • Block wireless communication
      • Make all USB removable storage read-only except authorized devices
      • Block files containing personal identity information
      • Disable all CD/DVD burners from writing
      • Once policies have matured, start blocking one policy at a time

How to install SEP 12.1.6 MP3 on Linux RHEL 7.2


I had to check several different documents for information on preparing and installing SEP 12.1.6 on RHEL 7.2, so I decided to create the following concise guide.

Pre-installation Requirements

  1. Download and install Oracle Java from: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

     I prefer the RPM version of the JDK because it will run immediately and automatically after the download completes. Alternatively, the command line to manually install the RPM version is: rpm -i <filename.rpm>

  2. Install the JCE components
    1. Download the files from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html (This link will change slightly as new versions are released; it was the latest version available as of February 2016.)
    2. Unzip the file. It contains two .jar files, which may be in a subdirectory similar to "UnlimitedJCEPolicyJDK8".
    3. Copy the two *.jar files to the following directory, overwriting the original files with the same name. (Make a backup of the two original files beforehand if desired.) Note that this replaces the cryptographic policy for every application that uses this JRE, not only for SEP.

            /usr/java/<java build #>/jre/lib/security/

  3. Run the following command to install other required and recommended components:
    1. yum install glibc.i686 libgcc.i686 libX11.i686
    2. See http://www.symantec.com/docs/TECH228118 for related information.

SEP Installation:

  1. The SEPM provides a Linux package file named SymantecEndpointProtection.zip. Copy the zip file to the Linux machine using scp, pscp or a similar tool; both run over SSH, which also protects the client-to-SEPM communication settings that the exported package carries.
  2. Put the zip file in a new subdirectory and unzip SymantecEndpointProtection.zip.
  3. Run: chmod 755 install.sh
  4. Run: ./install.sh -i

The installation should complete, barring any other issues. The installer writes its logs to /root (see the log file list in the next article) if something does go wrong.

Log Files for SEP 12.1.6 for Linux


Installation logs:

  • /root/sepap-install.log
  • /root/sepap-legacy-install.log
  • /root/sepfl-install.log
  • /root/sepfl-kbuild.log
  • /root/sep-install.log
  • /root/sepjlu-install.log
  • /root/sepui-install.log

Note: Not all of the above install log files may be present, depending on version, components, etc.

Main Client Log Directory

Listing of /var/symantec/Logs/ (ls -l, via the ll alias):

============================

-rw-------. 1 root root    1489 Feb  9 16:29 02092016.log
-rw-------. 1 root root 5989001 Feb 10 12:14 02102016.log
-rw-------. 1 root root 5988807 Feb 11 01:02 02112016.log
-rw-------. 1 root root    1227 Feb 11 01:06 AVMan.log
-rw-------. 1 root root     238 Feb  9 15:48 debug.log ***
-rw-------. 1 root root       0 Feb  9 15:48 LUMan.log
-rw-------. 1 root root      72 Feb  9 15:48 seclog.log
-rw-------. 1 root root     151 Feb 11 01:02 serialize.dat
-rw-------. 1 root root    3640 Feb 11 08:42 syslog.log

============================

Note that every file is mode 0600 and owned by root: the client logs are readable only by root, so collect them as root (or with sadiag.sh) rather than loosening the permissions.

Other Log files:

  • /opt/Symantec/LiveUpdate/liveupdt.log
  • /opt/Symantec/symantec_antivirus/vpdebug.log ***
  • /opt/Symantec/virusdefs/defutil.log ***
  • /var/log/messages (system daemon logging for smcd, rtvscand, and symcfgd)

*** These logs do not exist until they are specifically configured. See the links to the articles below for more details.

For information on running sadiag.sh for Linux, see: http://www.symantec.com/docs/HOWTO111042.

For additional configuration and logging info, see http://www.symantec.com/docs/TECH229238.

SEP 12.1.6 for Linux Footprint


Installation Logs

/root/sep-install.log
/root/sepap-install.log
/root/sepap-legacy-install.log
/root/sepfl-install.log
/root/sepfl-kbuild.log
/root/sepjlu-install.log
/root/sepui-install.log

*** Not all of these logs may be present, depending on version, components installed, etc.

System startup files

/etc/init.d/autoprotect
/etc/init.d/rtvscand
/etc/init.d/smcd
/etc/init.d/symcfgd
/etc/rc*.d/ with the four files listed in init.d

Main SEP directory

/opt/Symantec/
/opt/Symantec/autoprotect/
/opt/Symantec/autoprotect/symap*.ko
/opt/Symantec/autoprotect/symev*.ko
/opt/Symantec/bin/
/opt/Symantec/bin/navdefutil
/opt/Symantec/LiveUpdate/
/opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar
/opt/Symantec/LiveUpdate/jlu-3.10.0.26.jar
/opt/Symantec/LiveUpdate/jlu.jar
/opt/Symantec/LiveUpdate/jluold.jar
/opt/Symantec/LiveUpdate/liveupdt.log
/opt/Symantec/LiveUpdate/tmp
/opt/Symantec/LiveUpdate/uninstall-3.10.0.26.sh
/opt/Symantec/LiveUpdate/uninstall.sh
/opt/Symantec/symantec_antivirus/
/opt/Symantec/symantec_antivirus/libecomlodrlin.so
/opt/Symantec/symantec_antivirus/libpatchapp.so
/opt/Symantec/symantec_antivirus/libsep-cve.so
/opt/Symantec/symantec_antivirus/libsep-cve.so.1 -> libsep-cve.so
/opt/Symantec/symantec_antivirus/libsep-util.so
/opt/Symantec/symantec_antivirus/libsep-util.so.1 -> libsep-util.so
/opt/Symantec/symantec_antivirus/libsepcommon.so
/opt/Symantec/symantec_antivirus/libsepcommon.so.1 -> libsepcommon.so
/opt/Symantec/symantec_antivirus/libSlicMan.so
/opt/Symantec/symantec_antivirus/libSlicMan.so.1 -> libSlicMan.so
/opt/Symantec/symantec_antivirus/libSyLog.so
/opt/Symantec/symantec_antivirus/libSyLog.so.1 -> libSyLog.so
/opt/Symantec/symantec_antivirus/plugins/
/opt/Symantec/symantec_antivirus/plugins/AVMan.plg
/opt/Symantec/symantec_antivirus/plugins/LuMan.plg
/opt/Symantec/symantec_antivirus/rtvscand
/opt/Symantec/symantec_antivirus/sadiag.sh
/opt/Symantec/symantec_antivirus/sav
/opt/Symantec/symantec_antivirus/savluwrap
/opt/Symantec/symantec_antivirus/savtray
/opt/Symantec/symantec_antivirus/smcd
/opt/Symantec/symantec_antivirus/symcfg
/opt/Symantec/symantec_antivirus/symcfgd
/opt/Symantec/symantec_antivirus/symcfgdata.inf
/opt/Symantec/symantec_antivirus/symcfgpop
/opt/Symantec/symantec_antivirus/tools/
/opt/Symantec/symantec_antivirus/tools/libgcc_s.so.1
/opt/Symantec/symantec_antivirus/tools/liblog4cpp.so.4
/opt/Symantec/symantec_antivirus/tools/libstdc++.so.6
/opt/Symantec/symantec_antivirus/uninstall.sh
/opt/Symantec/symantec_antivirus/unsupported/
/opt/Symantec/symantec_antivirus/unsupported/xsymcfg
/opt/Symantec/symantec_antivirus/update_java_home.sh
/opt/Symantec/symantec_antivirus/upgrade.sh
/opt/Symantec/symantec_antivirus/vpdebug.log
/opt/Symantec/virusdefs/
/opt/Symantec/virusdefs/20160210.052/
/opt/Symantec/virusdefs/20160210.052/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)
/opt/Symantec/virusdefs/20160211.002/
/opt/Symantec/virusdefs/20160211.002/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)
/opt/Symantec/virusdefs/binhub/
/opt/Symantec/virusdefs/binhub/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)
/opt/Symantec/virusdefs/definfo.dat
/opt/Symantec/virusdefs/defutil.log
/opt/Symantec/virusdefs/incoming
/opt/Symantec/virusdefs/temp
/opt/Symantec/virusdefs/texthub
/opt/Symantec/virusdefs/usage.dat

Main SEP Configuration & Log directory

/var/symantec/
/var/symantec/auto/
/var/symantec/commandStatus.xml
/var/symantec/communicationData.xml
/var/symantec/heartbeatStatus.txt
/var/symantec/index2.xml
/var/symantec/licenseInfo.xml
/var/symantec/Logs/
/var/symantec/Logs/02092016.log
/var/symantec/Logs/02102016.log
/var/symantec/Logs/02112016.log
/var/symantec/Logs/AVMan.log
/var/symantec/Logs/debug.log
/var/symantec/Logs/LUMan.log
/var/symantec/Logs/seclog.log
/var/symantec/Logs/serialize.dat
/var/symantec/Logs/syslog.log
/var/symantec/pending/
/var/symantec/pending/AVManOpstateInfo.xml
/var/symantec/pending/LUManOpstateInfo.xml
/var/symantec/pending/sepOpstateInfo.xml
/var/symantec/Quarantine
/var/symantec/registration.xml
/var/symantec/registrationInfo.xml
/var/symantec/sent/
/var/symantec/sent/AVManOpstateInfo.xml
/var/symantec/sent/LUManOpstateInfo.xml
/var/symantec/sent/sepOpstateInfo.xml
/var/symantec/serdef.dat

Other Configuration Files

/etc/liveupdate.conf
/etc/Symantec.conf
/etc/symc-defutils.conf
/etc/symantec/
/etc/symantec/dec3.cfg
/etc/symantec/log4j.properties
/etc/symantec/NLS
/etc/symantec/NLS/15/rtvscan.msg
/etc/symantec/sep.slf
/etc/symantec/setAid.ini
/etc/symantec/setup.ini
/etc/symantec/sylink.xml
/etc/symantec/VPREGDB.BAK
/etc/symantec/VPREGDB.DAT
/etc/symantec/VPREGDB.SAV

Process Related Files

/etc/sysconfig/smcd
/etc/sysconfig/rtvscand
/etc/sysconfig/symcfgd

Hint: run this command to see the smcd, rtvscand and symcfgd processes:

      systemctl -a | grep -i symantec

Note that the 'autoprotect' service may also be running, depending on configuration settings.
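The log locations in the previous article and the footprint above are what a post-install check should look at. The following script is an added example, not a Symantec tool: it walks a subset of those paths and reports which required files are missing, which of the *** logs were never enabled, and whether any file in /var/symantec/Logs has drifted from the root-only 0600 mode shown in the log listing. SEP_ROOT is an assumption introduced here so the check can also be pointed at a staged copy of the tree; on a real client leave it unset and run the script as root.

```shell
#!/bin/sh
# Post-install sanity check for SEP 12.1.6 for Linux. Added example, not a Symantec tool.
# Reports (a) required files missing, (b) optional logs absent because never enabled,
# (c) files under /var/symantec/Logs readable by anyone other than root.
# SEP_ROOT (assumption for this example): prefix so the check can run against a staged
# copy of the tree; leave it empty on a real client.

# Paths every install should have (daemons, their init scripts, core config, log dir)
REQUIRED_PATHS="
/etc/init.d/smcd
/etc/init.d/rtvscand
/etc/init.d/symcfgd
/etc/Symantec.conf
/etc/symantec/sylink.xml
/opt/Symantec/symantec_antivirus/smcd
/opt/Symantec/symantec_antivirus/rtvscand
/opt/Symantec/symantec_antivirus/symcfgd
/opt/Symantec/symantec_antivirus/sadiag.sh
/var/symantec/Logs
"

# Logs marked *** above: absent until logging is explicitly configured
OPTIONAL_LOGS="
/var/symantec/Logs/debug.log
/opt/Symantec/symantec_antivirus/vpdebug.log
/opt/Symantec/virusdefs/defutil.log
"

# count_missing ROOT "PATH-LIST": lists each missing path on stderr, prints the count
count_missing() {
  root="$1"; n=0
  for p in $2; do
    if [ ! -e "${root}${p}" ]; then
      echo "missing: ${p}" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# count_exposed_logs LOGDIR: prints how many regular files in LOGDIR carry any
# group/other permission bit (the listing above shows every log as 0600 root)
count_exposed_logs() {
  if [ ! -d "$1" ]; then echo 0; return; fi
  find "$1" -type f -perm /077 2>/dev/null | wc -l | tr -d ' '
}

# sep_check: summarises the three counts; returns 1 if the install looks incomplete
# or a log is readable by non-root users
sep_check() {
  root="${SEP_ROOT:-}"
  req=$(count_missing "$root" "$REQUIRED_PATHS")
  opt=$(count_missing "$root" "$OPTIONAL_LOGS" 2>/dev/null)
  exp=$(count_exposed_logs "${root}/var/symantec/Logs")
  echo "required paths missing: $req  (install incomplete if > 0)"
  echo "optional logs absent:   $opt  (expected unless debug logging was enabled)"
  echo "exposed log files:      $exp  (should be 0)"
  # Daemons listed above: smcd, rtvscand, symcfgd, plus autoprotect when configured
  if command -v systemctl >/dev/null 2>&1; then
    systemctl -a 2>/dev/null | grep -iE 'smcd|rtvscand|symcfgd|autoprotect' \
      || echo "no SEP services listed by systemctl" >&2
  fi
  [ "$req" -eq 0 ] && [ "$exp" -eq 0 ]
}

# Invoke with the argument "run"; without it the file only defines functions so it
# can be sourced from another script
case "${1:-}" in
  run) sep_check ;;
esac
```

Saved as, say, sep-check.sh (a name chosen for this example), it is run with sh sep-check.sh run; the exit status is 0 only when nothing required is missing and no log is exposed, so it can sit at the end of a provisioning job.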

Detecting Cryptolocker activity with Symantec Endpoint Protection


1. Create an "Application and Device Control" rule.

"Apply this rule to the following processes:" *

Add "File and Folder Access Attempts".

1.1. "Properties" of File and Folder Access Attempts

Apply to the following files and folders:

decrypt all*.txt
decrypt_instruction*.txt
*.doc.???????
*.docx.???????
*.xls.???????
*.xlsx.???????
*.pdf.???????
*.rtf.???????
*.txt.???????
*.zip.???????
*.pst.???????
*.locky
*.crypted
*.encryptedRSA

Do not apply to the following files and folders:

*.???.???
*.partial

The include list catches the ransom notes, documents that have had a 7-character extension appended, and the suffixes of known variants. The exclude list keeps the rule away from ordinary double extensions such as .tar.gz and from partially written downloads (a file named report.docx.partial would otherwise match *.docx.???????).

1.2. "Actions": configure the actions for the file and folder rule (shown in a screenshot in the original article, not reproduced here).

Under "Launch Process Attempts":

Properties, "Apply to the following processes": the MD5 hashes of the new "cryptolocker" and "download.ponic" variants.

Actions: Terminate process, Enable logging, severity 0, Send e-mail alert.

2. Create a "Notification condition" under Monitors/Notifications.

Done.

When the malware takes an action (encrypts any files), SEPM generates a mail to the system administrators. Note that the process-hash rule only stops samples whose MD5 is already on the list, so the file-pattern rule is what catches a new variant; expect the hash list to need constant updating.
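The two pattern lists above are where this rule succeeds or fails, and it is worth checking them against real file names before the rule reaches production endpoints. The following shell script is an added example, not SEP code: it reproduces the rule's include and exclude logic with shell case-globbing (which uses the same * and ? wildcards as the rule), lower-cases names because Windows matching is case-insensitive, and runs a constructed set of sample file names through it. That the exclude list is evaluated before the include list is an assumption about the rule's semantics, and the sample names are made up for the example.

```shell
#!/bin/sh
# Simulation of the "File and Folder Access Attempts" pattern lists above. Added example,
# not SEP code. Exclusions are assumed to win over inclusions; names are lower-cased
# because Windows file matching is case-insensitive.

# adc_match NAME: returns 0 when NAME would trigger the rule, 1 otherwise
adc_match() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  # "Do not apply" list: three-letter double extensions (archive.tar.gz) and partial downloads
  case "$name" in
    *.???.???|*.partial) return 1 ;;
  esac
  # "Apply" list: ransom notes, documents with a 7-character extension appended,
  # and suffixes of known variants
  case "$name" in
    "decrypt all"*.txt|decrypt_instruction*.txt) return 0 ;;
    *.doc.???????|*.docx.???????|*.xls.???????|*.xlsx.???????|*.pdf.???????) return 0 ;;
    *.rtf.???????|*.txt.???????|*.zip.???????|*.pst.???????) return 0 ;;
    *.locky|*.crypted|*.encryptedrsa) return 0 ;;
  esac
  return 1
}

# adc_report: runs a constructed sample set (not real detections) through adc_match
adc_report() {
  for f in "Q1 Budget.xlsx.a7f3c9e" "contract.pdf.b2d4e6f" "notes.txt.locky" \
           "DECRYPT_INSTRUCTION.TXT" "decrypt all files.txt" "mail.pst.1234567" \
           "photos.zip" "backup.tar.gz" "report.docx.partial"; do
    if adc_match "$f"; then echo "TRIGGER  $f"; else echo "ignore   $f"; fi
  done
}

adc_report
```

With this include set only *.partial ever overrides an include (report.docx.partial); if you later add an include whose final extension is three characters long, check that *.???.??? does not silently cancel it, because a name like invoice.doc.xyz would be excluded before the include is ever consulted.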

SEPM 12.1.6 MP4 Has Been Released - Includes Win10 Fixes!


This is the moment you've been waiting for: Symantec has released Symantec Endpoint Protection (SEP) 12.1 Release Update 6 Maintenance Pack 4 (12.1.6 MP4). The exact version is 12.1.6860.6400. Hooray!!!

You can grab a copy from FileConnect using your serial number.

This release includes the fix for the SEP client rolling back if you have "Cumulative Update for Windows 10" (KB3140743) installed on your Windows 10 build 1511 platform. So if you have been experiencing this issue, this newly released update is for you.

And there are other fixes as well; have a read at http://www.symantec.com/docs/INFO3517

The Release Notes can be found at http://www.symantec.com/docs/DOC9223 where you can download the PDF.

The System Requirements have been updated as well to include the latest version, but I can't see much change compared with the previous revision: http://www.symantec.com/docs/TECH231877

And finally, the bonus with this new release is that it fixes a few security vulnerabilities, which you can read more about at https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160317_00 . The advisory covers both SEPM and the SEP client, so it's worthwhile upgrading the SEPM console too.

As always, TEST, TEST, TEST. And TEST this on the development network before releasing it to your live production network. Unless you're feeling brave. ;)

Has anyone come across any issues/bugs with this new release? If so, share your findings by replying here.

Accessing encrypted computer (Symantec Encryption Desktop) if normal login failed


At some point it might happen that a computer encrypted with Symantec Encryption Desktop (SED) cannot be accessed. There are many reasons why this happens; here are some tips that can be used to find a way to authenticate or decrypt the drive:

1. First of all, if the disk is not locked, ensure the correct passphrase is entered. In the BootGuard window, the Tab key can be pressed to show the passphrase characters. By default a sample passphrase such as "MyP@ssphras3" is displayed with hidden characters; after Tab is pressed it is revealed.

2. If the passphrase is still rejected, authentication can be attempted with another user's passphrase (if another user was added to the disk) or with the Admin passphrase.

3. Usually after a few unsuccessful attempts the disk is locked. If this is the case, the next attempt would be to use Local Self Recovery (LSR), if it was configured beforehand. This is a set of 5 questions to be answered; at least 3 of the answers need to be correct to authenticate. To use it, select "Forgot Passphrase" in the bottom-right corner and answer the questions (answers are visible by default). A failed attempt takes you back to the first question with the message "Incorrect authentication, please try again".

4. If LSR was not configured, or the answers were incorrect, the Whole Disk Recovery Token (WDRT) can be used. This is a 28-character token (it looks like "ECYH0-BY95Y-YCDPH-UKB29-3A2F5-6MJ", without the quotes). In managed environments it is single-use: a new one is generated after each use, so ask the helpdesk or administrator for the current WDRT. If SED is standalone, the WDRT is generated on first encryption and shown in a pop-up; it can be used multiple times until it is manually regenerated, or until the disk is decrypted and then encrypted again. Since it is displayed only once, it must be kept in a secure place, as the pop-up on first encryption warns. Treat it like a master password for that disk: anyone holding it can unlock the drive.
The WDRT is entered in the same place as the passphrase. Press Tab so all characters can be seen. The token is not case sensitive, so it can be typed in lower or upper case and with or without the dashes between the groups.

5. In some rare cases the WDRT is not accepted. One reason is that an old WDRT was used. In managed environments the list of all generated tokens can be taken directly from the database; in this situation a formal case with Technical Support should be opened.

6. If there is still no solution, the disk should be attached as a secondary (slaved) disk to another machine with PGP installed, and the pgpwde commands below run from the command line. Be aware that every option after pgpwde is preceded by a double hyphen (--):
- Navigate to the "PGP Desktop" directory with:
cd "C:\Program Files (x86)\PGP Corporation\PGP Desktop"

- To find the disk number of the encrypted boot drive, run:
pgpwde --enum

- Assuming the affected drive is "1", run this to see the status of the disk (whether it is encrypted, or only instrumented):
pgpwde --disk-status --disk 1

- Check which users are assigned to this disk; the passphrase of any assigned user can be used for the decryption:
pgpwde --list-users --disk 1

- Next, run the decryption command:
pgpwde --decrypt --disk 1 --passphrase <user-passphrase>

where <user-passphrase> is the passphrase of any user found in the previous step.

- If, for some reason, this is not working, the following command checks whether a known passphrase is correct:
pgpwde --auth --disk 1 --passphrase <user-passphrase>

If the passphrase is accepted, it can be used for the decryption described in the previous step.

- Decryption can also be done with the Admin passphrase (if the Drive Encryption policy has the Admin added for disk decryption). The syntax for decrypting is the same.

A passphrase given on the command line is visible to other users of that machine in the process list and may remain in the shell's command history, so run these commands on a trusted recovery machine and clear the history afterwards.

7. If still unsuccessful, there is also a chance to decrypt the disk if an Additional Decryption Key (ADK) was created before the disk was encrypted. The key ID of the ADK and its passphrase are needed, as both are used in the command. Once these are known, the following command decrypts the drive:
pgpwde --decrypt --keyid <ADK-keyID> --disk <disk-number> --passphrase <ADK-passphrase>


How-To: Automatically download and install Rapid Updates for SEP Manager


In the SEP Manager UI there is no setting to make the system download Rapid Release virus definitions automatically. These definitions can be downloaded manually and installed by copying them into a certain folder. Sometimes it is crucial to install the latest Rapid Release definitions automatically, e.g. when a fast-mutating virus emerges or a previously unknown outbreak reaches your systems.

To solve this problem, here is a PowerShell script. On the server, schedule it in Task Scheduler to run at a given interval, e.g. every 3 hours. The script checks the Symantec FTP site for Rapid Release definitions and downloads them if they are newer than the last one downloaded. It copies the downloaded definitions into the SEPM incoming folder (e.g. "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming"), where SEP Manager automatically detects and installs them. It then records the name of the last definitions file in a simple text file, which later runs use to tell whether there is an update.

Two caveats. The directory listing is parsed as HTML links (href="...jdb"), which is what the request returns when the ftp:// URL goes through the system HTTP proxy; without such a proxy the raw FTP listing will not match that pattern. And anonymous FTP gives no transport integrity, so run the task under a dedicated account that has write access only to the staging folder and the SEPM incoming folder.

If the situation normalizes and the virus attacks fall back to the usual numbers, simply disable the script in Task Scheduler, so the system only installs the certified definitions again.

The script's contents; copy it to a directory of your choosing (e.g. "D:\_scripts"):

$proto = 'ftp://'
$fqdn = 'ftp.symantec.com'
$docLibURN = '/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/'
$usr = 'anonymous'
$pass = 'pass'    # renamed from $pwd: $pwd is a PowerShell automatic variable (current directory)
$dstFolder = 'D:\_RapidRelease'
$RelVersion = $dstFolder + '\ReleaseVersion.txt'
$TargetFolder = 'D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming'

# Create the staging folder and the version file on first run so Get-Content does not fail
if (-not (Test-Path $dstFolder)) { New-Item -ItemType Directory -Path $dstFolder | Out-Null }
if (-not (Test-Path $RelVersion)) { New-Item -ItemType File -Path $RelVersion | Out-Null }

$verinfo = Get-Content $RelVersion
$verinfolast = $verinfo | Sort-Object | Select-Object -Last 1

$docList = @{}

# Use the system proxy; the listing below is parsed as HTML (href="...jdb"),
# which is what an HTTP proxy returns for an ftp:// directory request
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

$req = [System.Net.WebRequest]::Create($proto + $fqdn + $docLibURN)
$req.Credentials = New-Object System.Net.NetworkCredential($usr, $pass)
$req.Proxy = $proxy
$req.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails

try {
  $res = $req.GetResponse()
  $sr = [IO.StreamReader]($res.GetResponseStream())
  $webpage = $sr.ReadToEnd()
  $sr.Close()
  $res.Close()

  $weblines = $webpage -split "`r`n|`r|`n"
  # Collect every .jdb link: key = file name, value = relative path on the server
  switch -regex ($weblines) {
    '.*href="(?<docRelPath>.*\.jdb)".*\>(?<docFolderName>.*)\<.*' {
      $docList[$matches.docFolderName] = $matches.docRelPath
    }
  }

  $webclient = New-Object System.Net.WebClient
  $webclient.Credentials = New-Object System.Net.NetworkCredential($usr, $pass)
  $webclient.Proxy = $proxy

  # Only the newest .jdb (by name) is considered; skip it if it was already recorded
  $docList.Keys | Sort-Object | Select-Object -Last 1 | ForEach-Object {
    if ($verinfolast -eq $_) {
      Write-Host ($dstFolder + '\' + $_ + ' Exists')
    } else {
      $webclient.DownloadFile(($proto + $fqdn + $docList.Item($_)), ($dstFolder + '\' + $_))
      Add-Content -Path $RelVersion -Value $_
      # SEPM picks the file up from its incoming folder and installs it
      Move-Item "$dstFolder\*.jdb" $TargetFolder
    }
  }
} catch [System.Net.WebException] {
  # Report the failure instead of discarding it; a silent failure leaves SEPM on stale definitions
  Write-Error ('Rapid Release check failed: ' + $_.Exception.Message)
}

Backup DCS:SA Database In The Case Of SQL Server Express


If you need to deploy Symantec Data Center Security: Server Advanced in an evaluation installation, or you just need to install several DCS agents on critical business servers, you can use SQL Server Express edition.

The DCS:SA installer installs the server and SQL Server Express automatically.

After the installation, you can use the following steps to back up the database:

1. Create a SQL file named backup.sql which contains these statements:

GO
DECLARE @backupTime VARCHAR(20)
DECLARE @fileName VARCHAR(1000)
-- yyyymmddHHMM timestamp so each run produces a new file
SELECT @backupTime = (CONVERT(VARCHAR(8), GETDATE(), 112) + REPLACE(CONVERT(VARCHAR(5), GETDATE(), 114), ':', ''))
SELECT @fileName = 'E:\DCSDB_backup\DCSDB_' + @backupTime + '.bak'
-- CHECKSUM stores page checksums in the backup so corruption is detected when it is restored
BACKUP DATABASE SCSPDB TO DISK = @fileName WITH CHECKSUM

2. Create a batch file named backup.bat which contains the following command (-b makes sqlcmd exit with an error code when the batch fails, so a failed backup shows up as a failed task):

sqlcmd -S localhost\SCSP -b -i E:\DCSDB_backup\backup.sql

3. Copy these two files to the backup folder, for example E:\DCSDB_backup\.

4. Launch Task Scheduler from the Windows Start menu.

5. Right-click 'Task Scheduler Library' and select 'Create Basic Task'.

6. Enter the task name and description.

7. Select the trigger 'Daily'.

8. Set the task start time.

9. Select 'Start a program'.

10. Select backup.bat as the program/script.

11. Select 'Open the Properties dialog for this task when I click Finish'.

12. Select 'Run whether user is logged on or not'. The credentials you enter here are stored by the scheduler, so use a dedicated account that holds only the backup permission on SCSPDB (the db_backupoperator role) and write access to the backup folder, not a SQL sysadmin.

13. You can test the configuration of the task by starting it manually.

14. After the task finishes, a database backup file is created in E:\DCSDB_backup\. The file contains the complete DCS database, so restrict the folder's ACL to that account and administrators, and include it in your off-host backup rotation.

Creating a dynamic drop down report of the membership of any filter


It can be helpful to run reports of the membership of any filter as reports offer you the ability to add in additional data as well as export them to CSV for further processing. 

Here is one way to do that:

  1. Make a report that lists all of the filters in your Altiris environment
    1. In reports right click and choose NEW > REPORT >SQL report
    2. Delete the contents of SQL query
    3. Change the name at the top to All filters
    4. Input the following SQL
    5. SELECT
       DISTINCT [vCollection].[Name] AS [Filter Name]
      FROM
         [vRM_Computer_Item] AS [vri3_Computer] INNER JOIN
       
      CollectionMembership ON CollectionMembership.ResourceGuid = vri3_Computer.Guid INNER JOIN
       
      vCollection INNER JOIN
       
      Collection ON vCollection.Guid = Collection.Guid ON CollectionMembership.CollectionGuid = Collection.Guid
      
      ORDER BY [vCollection].[Name]
    6. When you run this report you will see a list of all the filters in Altiris that have computers in them.

  2. Make a drop down report that references this report

    1. In reports right click and choose NEW > Report > SQL report
    2. Change the name at the top to members of any filter
    3. In report parameters choose Add > New parameter
    4. Change the name of the parameter to filterName
    5. Change the description of the parameter to filterName
    6. Change the label text to "Choose the filter to view"
    7. Change the Value provider to Dropdown list Value Edit control
    8. Choose Add Dropdown Values from A Report
    9. In the select Report field choose "all filters"
    10. The report field to display should be automatically populated
    11. In the main report creation window choose the Data source tab
    12. In the lower tab row select "Query parameters"
    13. Go to the "fields" tab and add the fields you want to see about each computer in this report.
    14. As an example I will choose IP and computer model but you can add any number of fields that you want (we use a ton of them in our production version of this report
    15. Save the report
    16. Re open the report and choose "Convert this query to SQL"
    17. You need to add some SQL to get the filter memberships of each computer and to match that against the drop down filter
      1. At the bottom of the select statement add a comma on the last item
      2. Then add  "[vCollection].[Name] AS [Filter Name]"
      3. Add the following join below the line "[vRM_Computer_Item] AS [vri3_Computer]"
      4.  
        INNER JOIN
         
        CollectionMembership ON CollectionMembership.ResourceGuid = vri3_Computer.Guid INNER JOIN
         
        vCollection INNER JOIN
         
        Collection ON vCollection.Guid = Collection.Guid ON CollectionMembership.CollectionGuid = Collection.Guid
      5. Finally right below the WHERE section add the following line "  ( [vCollection].[Name]  LIKE @v1_filterName)  AND "
      6. Here is the full example query:
      7.  
        DECLARE @v1_filterName nvarchar(max)
           SET @v1_filterName = N'%filterName%'
        DECLARE @v2_TrusteeScope nvarchar(max)
           SET @v2_TrusteeScope = N'%TrusteeScope%'
        SELECT
           [vri3_Computer].[Guid] AS [_ItemGuid],
           [vri3_Computer].[Name],
           [dca4_AeX AC TCPIP].[IP Address],
           [dca5_Manufacturer].[Model],
        [vCollection].[Name] AS [Filter Name]
        FROM
           [vRM_Computer_Item] AS [vri3_Computer]
        INNER JOIN
         
        CollectionMembership ON CollectionMembership.ResourceGuid = vri3_Computer.Guid INNER JOIN
         
        vCollection INNER JOIN
         
        Collection ON vCollection.Guid = Collection.Guid ON CollectionMembership.CollectionGuid = Collection.Guid
              LEFT OUTER JOIN [Inv_AeX_AC_TCPIP] AS [dca4_AeX AC TCPIP]
                 ON ([vri3_Computer].[Guid] = [dca4_AeX AC TCPIP].[_ResourceGuid])
              LEFT OUTER JOIN [Inv_Manufacturer] AS [dca5_Manufacturer]
                 ON ([vri3_Computer].[Guid] = [dca5_Manufacturer].[_ResourceGuid])
        WHERE
        
          ( [vCollection].[Name]  LIKE @v1_filterName)
        AND
           (
              ([vri3_Computer].[Guid] IN (SELECT [ResourceGuid] FROM [ScopeMembership] WHERE [ScopeCollectionGuid] IN (SELECT [ScopeCollectionGuid] FROM dbo.fnGetTrusteeScopeCollections(@v2_TrusteeScope))))
           )
        
  3. Now you will be able to select any filter and get details about the computers in it.
  4. Using the dropdown:
     Filters5.png
  5. You can view whatever details you added (I obfuscated the computer names and IPs in mine):
     Filters6.png

NOTE: Running a report against a filter does not refresh it. If you need up-to-the-minute accuracy, refresh the filter first.

Let me know if this helps anyone

Remotely Interacting with SWV Layers

Recently I was working on a project where I needed to check the current state of virtual layers on various client machines. In order to speed up the testing process I decided to create some PowerShell scripts which would allow me to remotely activate and deactivate layers. Furthermore, I was able to extend this to return layer information including the layer name, state, last activated date/time, created date/time, etc.

In order to use these scripts you will need to configure the following information:

  • $Computer - Replace this with the computer you intend to connect to.
  • $LayerId - Replace this with the layer GUID.
  • $User - The user you wish to impersonate in order to secure the connection. (You will be prompted at runtime for a password)

Layer Info

Returns information about the specified layer.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$User = "DOMAIN\chris.mcewen"

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer | select Id, Name, Active, ActivatedTime, AutoActivate, CreatedTime, Type

$layer | Format-Table

Activate Layer

Activates the specified layer.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$User = "DOMAIN\chris.mcewen"

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer

$response = $layer.Activate();

write-host "Response Code -" $response.ReturnValue

Deactivate Layer

Deactivates the specified layer.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$User = "DOMAIN\chris.mcewen"
$Force = $true

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer

$response = $layer.Deactivate($Force);

write-host "Response Code -" $response.ReturnValue

Delete Layer

Deletes the specified layer.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$User = "DOMAIN\chris.mcewen"

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer

$response = $layer.Delete();

write-host "Response Code -" $response.ReturnValue

Rename Layer

Renames the specified layer.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$User = "DOMAIN\chris.mcewen"
$Name = "New Name"

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer

$response = $layer.Rename($Name);

write-host "Response Code -" $response.ReturnValue

Reset Layer

Resets the specified layer.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$Force = $true
$User = "DOMAIN\chris.mcewen"

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer

$response = $layer.Reset($Force);

write-host "Response Code -" $response.ReturnValue

Auto Activate Layer

Determine whether or not to auto activate the layer on start up.

$Computer = "ComputerName"
$LayerId = "9c56406e-fbdd-4711-a5b6-05a9bc34e87d"
$User = "DOMAIN\chris.mcewen"
$AutoActivate = $true

$layer = Get-WmiObject -Namespace "root\default" -Class VirtualSoftwarePackage -Filter "Id='$LayerId'" -Impersonation 3 -Credential `
$User -ComputerName $Computer

$response = $layer.SetAutoActivate($AutoActivate);

write-host "Response Code -" $response.ReturnValue
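The scripts above differ only in the method they call, so as an added example (my code, not the original article's) here is one function that wraps all six actions, prompts for the credential once with Get-Credential instead of embedding the account name in each script, and surfaces a non-zero return code as an error. It assumes the same WMI class and methods the article uses (root\default VirtualSoftwarePackage with Activate, Deactivate, Delete, Rename, Reset and SetAutoActivate) and that the remote host accepts DCOM/WMI from the caller; the function name is this example's own.

```powershell
# Added example, not part of the original article: one function wrapping the six per-action
# scripts. Assumes the WMI class/methods the article uses and remote WMI access to the client.
function Invoke-SwvLayer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        # Typed as [guid] so only a well-formed GUID can reach the WQL filter string.
        [Parameter(Mandatory = $true)] [guid] $LayerId,
        # Collected once via Get-Credential rather than hard-coding DOMAIN\user in every script.
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential,
        [ValidateSet('Info', 'Activate', 'Deactivate', 'Delete', 'Rename', 'Reset', 'SetAutoActivate')]
        [string] $Action = 'Info',
        [string] $NewName,                 # Rename only
        [switch] $Force,                   # Deactivate and Reset only
        [bool]   $AutoActivate = $true     # SetAutoActivate only
    )

    # Same lookup as the article's scripts; -Impersonation 3 is ImpersonationLevel.Impersonate.
    $layer = Get-WmiObject -Namespace 'root\default' -Class VirtualSoftwarePackage `
        -Filter "Id='$LayerId'" -Impersonation Impersonate `
        -Credential $Credential -ComputerName $ComputerName
    if (-not $layer) {
        throw "Layer $LayerId was not found on $ComputerName"
    }

    if ($Action -eq 'Info') {
        return $layer | Select-Object Id, Name, Active, ActivatedTime, AutoActivate, CreatedTime, Type
    }
    if ($Action -eq 'Rename' -and -not $NewName) {
        throw 'Rename requires -NewName'
    }

    # Everything below changes state on the client, so honour -WhatIf / -Confirm.
    if (-not $PSCmdlet.ShouldProcess("$ComputerName layer '$($layer.Name)'", $Action)) { return }

    $response = switch ($Action) {
        'Activate'        { $layer.Activate() }
        'Deactivate'      { $layer.Deactivate([bool]$Force) }
        'Delete'          { $layer.Delete() }
        'Rename'          { $layer.Rename($NewName) }
        'Reset'           { $layer.Reset([bool]$Force) }
        'SetAutoActivate' { $layer.SetAutoActivate($AutoActivate) }
    }

    # The article prints ReturnValue; here anything other than 0 is raised as an error.
    if ($response.ReturnValue -ne 0) {
        throw "$Action on layer '$($layer.Name)' failed with return code $($response.ReturnValue)"
    }
    [pscustomobject]@{
        Computer    = $ComputerName
        Layer       = $layer.Name
        Action      = $Action
        ReturnValue = $response.ReturnValue
    }
}

# Usage: prompt once, then query or change the layer (-WhatIf previews a state change).
# $cred = Get-Credential 'DOMAIN\chris.mcewen'
# Invoke-SwvLayer -ComputerName 'ComputerName' -LayerId '9c56406e-fbdd-4711-a5b6-05a9bc34e87d' -Credential $cred
# Invoke-SwvLayer -ComputerName 'ComputerName' -LayerId '9c56406e-fbdd-4711-a5b6-05a9bc34e87d' -Credential $cred -Action Deactivate -Force -WhatIf
```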

Hope these help!

SMP - Altiris Agent - Send Notification Task

In this article I'm going to explain how to send a message to the Altiris Agent via a Task. This is possible because of a method within the Agent called DisplayBalloon.

Remote onto your SMP/Altiris Server

Go to the ASDK Help file

"[Install Drive]:\Program Files\Altiris\Altiris ASDK\Help\ASDK7.6.chm"

Open and search for "DisplayBalloon"

Cause the agent to display a message to the user.
Namespace: Altiris.ASDK.Agent
Assembly: Altiris.ASDK.Agent (in Altiris.ASDK.Agent.dll)

public Object DisplayBalloon(
	string title,
	string message,
	int iconType,
	int timeout
)

Parameters
title
  Type: System.String
  Text to display in the balloon title.
message
  Type: System.String
  Text to display as the balloon message.
iconType
  Type: System.Int32
  Id number of the icon to display.
timeout
  Type: System.Int32
  Number of seconds to display the balloon.

Return Value
A handle to the balloon.

DisplayBalloon.png

So create a vbs file (SendNotificationTask.vbs):

We need a few objects to work with so we will set them first.

'Altiris Agent - Send Notification Task
Set objAltirisAgent = Nothing
Set objWshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

Next we want to check that the Altiris Agent exists:

Dim strAltirisDir, strAltirisReg
strAltirisDir = "c:"
strAltirisReg = "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\InstallDir"
' Read the agent install directory from the registry if the value exists
if RegVerify(strAltirisReg) then
    strAltirisDir = objWshShell.RegRead(strAltirisReg)
end if
' Only create the agent COM object when the agent binary is actually present
If objFSO.FileExists(strAltirisDir & "\AeXAgentActivate.exe") Then
    set objAltirisAgent = CreateObject("Altiris.AeXClient")
else
    set objAltirisAgent = Nothing
End if

RegVerify is a helper function that checks whether the registry key exists; its value gives us the folder to check.

Public Function RegVerify(ByVal sRegEntry)
    On Error Resume next
    Dim WSH, sKeyTmp
    Set WSH = CreateObject("WScript.Shell")
    sKeyTmp = WSH.RegRead (sRegEntry)
    if err.number=0 then
        RegVerify = True
    else
        RegVerify = False               
    end if
    err.clear
    On Error goto 0
End Function

Registry Editor - Altiris Agent.png

Next we want to create a function to display a message

sub AltirisBubble(strTitle, strMsg, intIcon, intTime)
    ' Only show a balloon when at least one user is logged on and the agent object was created
    if numLoggedinUsers() > 0 then
        if not objAltirisAgent Is Nothing then
            dim sessmgr, sessions, session, cookie
            set sessmgr = objAltirisAgent.SessionManager
            set sessions = sessmgr.Sessions
            set session = sessions.Item(0)

            ' An empty balloon with timeout 0 clears any balloon still on screen before the real one is shown
            cookie = session.DisplayBalloon("", "", intIcon, 0, Nothing)
            WScript.Sleep 10
            cookie = session.DisplayBalloon(strTitle, strMsg, intIcon, intTime, Nothing)
            set sessmgr = Nothing
            set sessions = Nothing
            set session = Nothing
        end if
    else
        'Log
    end if
end sub

To change the icon on the message, pass in one of the following numbers:

  • 0 | 1 | 2 | 3 | 4 | 5 | 6

'intIcon info
' 0 = No Icon
' 1 = Information Icon
' 2 = Warning Icon
' 3 = Error Icon
' 4 = Altiris
' 5 = Warning Icon (big)
' 6 = Error Icon (big)

AltirisBubble "No Icon", "There is No Icon", 0, 10

Agent Message - No Icon.png

AltirisBubble "Information Icon", "Information Icon", 1, 10

 Agent Message - Info.png

AltirisBubble "Warning Icon", "Warning Icon", 2, 10

Agent Message - Warning.png

AltirisBubble "Error Icon", "Error Icon", 3, 10

 Agent Message - Error.png

AltirisBubble "Altiris", "Altiris", 4, 10

Agent Message - Altiris.png 

AltirisBubble "Test", "Warning Big", 5, 10

Agent Message - Warning (Big).png

AltirisBubble "Test", "Error Big", 6, 10

Agent Message - Error (Big).png

Another helper function we can use returns the number of logged-in users:

Function numLoggedinUsers()
    Dim objWMIService, colComputer, objComputer, strComputer
    Dim intUserLoggin

    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colComputer = objWMIService.ExecQuery _
        ("Select * from Win32_ComputerSystem")

    ' Win32_ComputerSystem.UserName holds the interactively logged-on user (empty when nobody is logged on)
    intUserLoggin = 0
    For Each objComputer in colComputer
        if objComputer.UserName <> "" then
            intUserLoggin = intUserLoggin + 1
        end if
    Next
    numLoggedinUsers = intUserLoggin
End Function

You can now create this as a Task in the SMP and add it at the beginning or end of a Job to display a message to the user.

At the moment the message is hardcoded, which doesn't make it very flexible. Why not use a Task Parameter?

A variable is added to the script by enclosing the parameter name in "%!" and "!%":

"%!Message!%"

We can now replace the script to have

AltirisBubble "%!Title!%", "%!Message!%", 1, 10

And now you can choose which Title and Message you want in each task you create.

Other Articles

If you've got a Win10 machine to which you wish to send the new toast notifications, check out this excellent article from a fellow developer, Chris:

Protirus.png

Policy Tuning for the SMTP Gateway (Email Prevent a.k.a. Network Prevent for Email) via excluding System & Group IDs

Most consultants are hired in the DLP space these days for several reasons. Improving the detection rate and reducing false positives is one of the most sought-after in today's market. An improved detection rate brings several benefits:

(1) Effort saving in terms of the incident management teams

(2) Database Space savings (lesser incidents written to the Database)

(3) Smaller Database means better TTB (Time to backup) & TTR (Time to restore)

(4) Improved performance on Enforce Reporting

Overall, in my experience and that of a few long-time consultants in the DLP space, the valid data breach/violation detection rate is between 3-7% in most environments for the SMTP Gateway. Additionally, most of the remaining 93-97% of unwanted incidents are found to be from system and group IDs. In other words, how many times have you sorted your incidents by top senders, or run the "top 10 or 20 violators" report, and found that group or system IDs top the list? Example: retirals_documents@anycompany.com, systemadmin_alert@anycompany.com or even something like vendorname_helpdesk@anycompany.com. Most of the time these constitute more than the 5-% of the false detections which are then dismissed after first review by the incident response teams.

Group ID (my definition): an email address with sending rights which is shared and used by two or more members of a team for sending emails.

System ID (my definition): an email address configured directly into tools and systems which send preconfigured alerts, traps or texts on a schedule or trigger.

Knowing the above gives us several options. Depending upon the sensitivity of the data involved there would be variations in the approach below; what follows assumes an average-case scenario:

(1) List all SMTP events in the database sorted by sender (column sort by total) & export to Excel

(2) Remove all senders wherein total is less than 100

(3) Keep only System & Group IDs like Administrator@abc.com, helpdesk_1@abc.com, etc. & remove all individual users like scott.tiger@abc.com, tom.best@abc.com

Now, the above is our list of System & Group IDs. This needs further filtering and finalization as below:

(1) There are no violations/valid detections previously sent via this Sender

(2) Exception would be added only if the Supervisor/Lead/Team Manager is also part of the Group ID

(3) The system ID is limited to email sending via the tool/system itself and its password is not shared with any users except the custodian/owner

Once the final list is available, we could then create Sender/Recipient Patterns (from v12 onwards) and add them as exceptions to Policies. The choice of policy to apply this exception would also vary depending on the trustworthiness of the custodian, owner, the result of the above filtering parameters we used & overall severity of the data detected & controlled by the policy. An example would be: Do not include any exceptions in a policy which deals with IP or PCI data.

Let me know what you think about this, whether you like it or you don’t. Thank you for reading. Happy Data Protection!!!

Recover a failing BitLocker encrypted HDD using Ghost

Background:  We recently had a hard drive that was showing signs of failing.  The user data partition wasn’t unlocking automatically (the data could therefore not be copied off) and the recovery keys weren’t working when using an e-SATA hard drive dock, but they did work during boot.

Requirements:

  • Failing drive must still be mountable.  If ghost can’t detect the drive, this won’t work
  • A network or external drive that has more free space than the size of the source disk
  • BitLocker recovery passwords for your drive (do not delete the object from Active Directory if this is where it is stored)

Capturing the image:

  1. With the failed hard drive installed, boot to automation or PXE (your preference).  You may have to enter your BitLocker recovery password.
  2. Cancel any automated deployment prompts.
  3. Map a network drive using the net use {drive-letter}: command, or connect an external hard drive.
  4. Browse to x:\Program Files\Symantec\Deployment\Ghost and run ghostXX.exe.
  5. Open the options menu.  On the Span/CRC tab select CRC Ignore.
     span_tab.PNG
  6. On the Misc tab select Force Cloning.
     misc_tab.PNG
  7. On the Save Settings tab Review, Save, and Accept.
     save_tab.PNG
  8. From the menu select Local > Disk > To Image.
  9. Select the drive you want to capture an image of.
  10. From the drop down, select the drive that you want to save the .gho to.  Make sure there is enough space for a full image of the entire BitLocker-encrypted drive.  Select Save.
  11. At this point you will receive a warning that the drive you are trying to create an image from is encrypted and that it will be unable to compress the contents.  Click Continue or OK and the image will start to capture.  Depending on drive size this will take some time.

Deploying the image:

Requirements:

  • Access to the captured .gho image file from the previous steps.  I copied this to a drive local to my computer so that I wasn’t held up by the network.
  • A known good replacement for the failed drive.  It must be the same size or larger than the source drive.
  • A copy of the ghost image files from your NS.  Mine were at \Program Files\Deployment\Imaging\ghost\.  You only need the x64 or x86 directory depending on your preference and architecture.  I used x64 because that’s what I captured it with.

  1. Mount the drive that you have the .gho stored on and the drive that you want to deploy the image back to.
  2. From your system launch ghostXX.exe as an administrator.
  3. From the menu select Local > Disk > From Image.
  4. Select the .gho that you captured.
  5. Select the drive that you will be deploying the image to.
  6. Accept any prompts and wait.
  7. Once completed, unmount the drive, install it back into a system and boot to it.  You will be prompted to enter your BitLocker recovery password.  It will be the same as the source drive.  From here you can recover any data without worrying about the drive failing any more.

Symantec Data Loss Prevention v14.0.1 Server Backup Step by Step

Find the attachment for more details (with screenshots).

Table of Contents

  1. About backup and recovery on Windows
  2. Recommendations
  3. Calculating the total size of the backup on Windows
  4. Calculating the size of database
  5. Calculating the size of File System
  6. Calculating the size of Server Configuration
  7. Creating backup directories on Windows
  8. Performing a cold backup of the Oracle database on Windows
  9. To generate a trace file of the control file
  10. Collecting a list of files to be backed up
  11. Creating a copy of the spfile on Windows
  12. Shutting down the Symantec DLP system on Windows
  13. Copying the database files to the backup location on Windows
  14. Restarting the system on Windows
  15. Backing up the server configuration files on Windows
  16. Backing up files stored on the file system on Windows
  17. The Windows recovery information worksheet

About backup and recovery on Windows

Symantec recommends that administrators perform backups of their entire system.

Perform system backups in case the Symantec Data Loss Prevention system crashes and needs to be restored.

Administrators should follow all of the backup instructions that are in this section in the order in which they are presented.

Symantec recommends that your data storage administrator perform all backups of your incident attachment external storage directories.

Administrators who would prefer to back up only part of their system must determine which subsets of the system backup instructions to follow.

Recommendations:

1. Symantec recommends that administrators perform backups of their entire system.

2. Perform system backups regularly.

3. Complete system backups should be performed at the following times:

    ■ After installation

    ■ Before any system upgrades

    ■ Any time the system changes, such as when a Symantec Data Loss Prevention Server is added to or removed from the system configuration

Calculating the total size of the backup on Windows:

To calculate the total size of the backup

1. Enter the size of the database here: ____133.31 GB

2. Enter the size of the file system files here: _____426 MB + 22.3 MB (\SymantecDLP\Protect\plugins, \SymantecDLP\Protect\logs)

3. Enter the size of the server configuration files here: ____483 KB (\SymantecDLP\Protect\config)

4. Add the size of the database to the size of the configuration files and file system files for a total size here: ____134 GB approx.

Calculating the size of the database:

1. Run SQL*Plus as Administrator.

2. Connect to the database as SYSDBA and run the following query:

SELECT ROUND(SUM(bytes)/1024/1024/1024, 4) GB
FROM (
    SELECT SUM(bytes) bytes FROM dba_data_files
    UNION ALL
    SELECT SUM(bytes) bytes FROM dba_temp_files
    UNION ALL
    SELECT SUM(bytes) bytes FROM v$log
);

Calculating the size of File System:

Calculating the size of Server Configuration:

Creating backup directories on Windows:

Create the following directories, preferably on an external storage device.

To create the backup directory structure

  1.  Create a directory in which to store the backup files:

\SymantecDLP_Backup_Files

Remember that this directory should be created on a computer other than the one that hosts the database, the Enforce Server, or the detection servers.

  2.  Create the following subdirectories in which to store the backup files:

\SymantecDLP_Backup_Files\File_System
\SymantecDLP_Backup_Files\Server_Configuration_Files
\SymantecDLP_Backup_Files\Database
\SymantecDLP_Backup_Files\Recovery_Aid

Performing a cold backup of the Oracle database on Windows

Cold backups are recommended primarily for non-database administrator users.

You perform a cold backup by

■ Stopping the Symantec Data Loss Prevention system

■ Shutting down the Oracle database

■ Copying important files to a safe backup location

Steps to perform a cold backup of the Oracle database

Step 1: Create recovery aid files.

Step 2: Collect a list of directories that should be backed up.

Step 3: Shut down all of the Symantec Data Loss Prevention and Oracle services.

Step 4: Copy the database files to the backup location.

Step 5: Restart the Oracle and Symantec Data Loss Prevention services.

You should create recovery aid files for use in recovery procedures. A trace file of the control file and a copy of the init.ora file are very helpful for database recoveries. The trace file of the control file contains the names and locations of all of the data files. The init.ora file contains the initialization parameters for Oracle, including the names and locations of the database control files.

To generate a trace file of the control file

  1.  At the command prompt, enter sqlplus /nolog.

  2.  At the SQL> command prompt, to connect as the sysdba user, enter connect sys/password@protect as sysdba, where password is the SYS password.

  3.  After receiving the Connected message, at the SQL> command prompt, enter:

alter database backup controlfile to trace as 'C:\SymantecDLP_Backup_Files\Recovery_Aid\controlfile.trc';

Success is indicated by the message "Database altered."

With this command you are generating a copy of the backup control file and outputting this file to the \SymantecDLP_Backup_Files\Recovery_Aid directory that you created previously.

  4.  Issue the following commands to back up the init.ora file:

create pfile='C:\SymantecDLP_Backup_Files\Recovery_Aid\init.ora' from spfile;
exit;

  5.  Navigate to the C:\SymantecDLP_Backup_Files\Recovery_Aid directory. You should see the controlfile.trc and init.ora files in this directory.

  6.  Rename the file controlfile.trc so that it can be easily identified, for example:

controlfilebackupMMDDYY.trc

Connect To Database as sysdba

Collecting a list of files to be backed up

You can create a list of files that need to be backed up. These lists are used in a later step.

To create a list of files for backup

1. Open SQL*Plus using the following command:

sqlplus sys/<password> as sysdba

2. Enter the following SQL commands to create lists of files that must be backed up:

SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v$controlfile
UNION
SELECT member FROM v$logfile;

3. Save the list of files returned by the query to use in the following procedures:

C:\SymantecDLP_Backup_Files\Recovery_Aid\oracle_datafile_directories.txt

4. Exit SQL*Plus:

exit;

Creating a copy of the spfile on Windows

After you generate a trace file of the control file, you must create a copy of the spfile.

To create a copy of the spfile

1. In Oracle SQL*Plus, at the SQL> command prompt, enter:

create pfile='C:\SymantecDLP_Backup_Files\Recovery_Aid\inittemp.ora' from spfile;

2. To exit Oracle SQL*Plus, enter: exit

Shutting down the Symantec Data Loss Prevention system on Windows

To shut down the system

1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2. Open the Services menu and stop all running Symantec Data Loss Prevention services, which might include the following:

Vontu Update
Vontu Incident Persister (on the computers that also host the Enforce Server)
Vontu Manager (on the computers that also host the Enforce Server)
Vontu Monitor (on the computers that also host a detection server)
Vontu Monitor Controller (on the computers that also host the Enforce Server)
Vontu Notifier (on the computers that also host the Enforce Server)

3. On the computer that hosts the database, stop the OracleServicedatabasename service, where databasename is the Global Database Name and SID selected during installation.

Stop All Vontu Services

Stop All Oracle Services

Copying the database files to the backup location on Windows

The database files that should be backed up include the files in the \protect directory and the database password file.

To copy the database files to the backup location

1. Make sure that the Oracle services are stopped. If the Oracle services are not stopped, the backup files may be corrupt and unusable.

2. On the computer that hosts the database, copy the files from the list that you collected in the procedure "Collecting a list of files to be backed up" to the computer that hosts the backup files. Copy the protect directory into the c:\Symantec_DLP_Backup_Files\Database directory of the computer that hosts the backup files.

3. On the computer that hosts the database, select the %ORACLE_HOME%\database\PWDprotect.ora file and copy it into the c:\Backup_Files\Database directory of the computer that hosts the backup files.

OR

Run the Database_Files_Backup.bat from the attachment to back up all the files. Modify the .bat file if required.

Restarting the system on Windows

To restart the system

=> Start all of the Oracle services:

     OracleServiceDATABASENAME

=> On the computer that hosts the Enforce Server, start the Vontu Notifier service before starting other Symantec Data Loss Prevention services.

=> Start the remaining Symantec Data Loss Prevention services, which might include the following:

Vontu Manager
Vontu Monitor
Vontu Incident Persister
Vontu Update
Vontu Monitor Controller

Backing up the server configuration files on Windows

To back up the server configuration files

1. Select the \SymantecDLP\Protect\config directory. Copy it to the \SymantecDLP_Backup_Files\Server_Configuration_Files directory on the computer that hosts the backup files.

OR

Run the Config_Files_Backup.bat as Administrator to back up all files in one shot. You can modify this file according to your environment.

Backing up files stored on the file system on Windows

Some files that are stored on the file system for the Enforce Server and detection servers should be backed up whenever they are changed. These files include:

=> Custom configuration changes

=> System logs

=> Keystore file

Copy all files and folders from the following locations and store them in \SymantecDLP_Backup_Files\File_System:

\SymantecDLP\Protect\plugins\
\SymantecDLP\Protect\logs\
\SymantecDLP\Protect\tomcat\conf\.keystore

OR

Run the File_System_Backup.bat as Administrator to back up all files in one shot. You can modify this file according to your environment.
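The three .bat attachments are not reproduced on this page, so here is an added PowerShell equivalent (my code, not the article's or Symantec's) covering the database-file, server-configuration and file-system copy steps above. It refuses to copy the database files while any Vontu or OracleService* service is still running, which is the corruption case the text warns about, and writes a SHA-256 manifest beside each copy so the restore side can check integrity. It assumes the backup tree from "Creating backup directories on Windows" under C:\SymantecDLP_Backup_Files, the Oracle file list saved as Recovery_Aid\oracle_datafile_directories.txt, and an Enforce Server installed under C:\SymantecDLP; the function names are this example's own.

```powershell
# Added example, not from the article or its .bat attachments. Assumes the backup tree under
# $BackupRoot, the saved Oracle file list in Recovery_Aid, and an install under C:\SymantecDLP.
$ErrorActionPreference = 'Stop'

function Copy-ToBackup {
    # Copies one file or directory beneath $Destination and records a SHA-256 line per file in
    # $Manifest, so the restore side can confirm nothing was truncated or altered in transit.
    param([string] $Path, [string] $Destination, [string] $Manifest)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing path: $Path"
        return
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -LiteralPath $Path -Destination $Destination -Recurse -Force
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.FullName
    } | Add-Content -LiteralPath $Manifest
}

function Assert-ServicesStopped {
    # The article warns that copying database files while Oracle runs yields corrupt, unusable
    # backups, so refuse to continue while any matching service is not stopped.
    param([string[]] $NamePatterns)
    $running = foreach ($pattern in $NamePatterns) {
        Get-Service -Name $pattern -ErrorAction SilentlyContinue | Where-Object { $_.Status -ne 'Stopped' }
    }
    if ($running) {
        throw "Stop these services before backing up: $(@($running.Name) -join ', ')"
    }
}

function Backup-DlpDatabaseFiles {
    # "Copying the database files to the backup location": data, temp, control and redo log
    # files from the saved list, plus the database password file.
    param(
        [string] $BackupRoot = 'C:\SymantecDLP_Backup_Files',
        [string] $OracleHome = $env:ORACLE_HOME
    )
    Assert-ServicesStopped -NamePatterns 'Vontu*', 'OracleService*'
    $dbDest   = Join-Path $BackupRoot 'Database'
    $manifest = Join-Path $dbDest 'manifest.sha256'
    $listFile = Join-Path $BackupRoot 'Recovery_Aid\oracle_datafile_directories.txt'

    # Keep only lines that are absolute Windows paths; SQL*Plus headers and row counts are ignored.
    Get-Content -LiteralPath $listFile | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]:\\' } | ForEach-Object {
            # Preserve each file's original directory layout beneath Database\ (e.g. \oracle\oradata\protect).
            $relativeDir = Split-Path -Parent (Split-Path -NoQualifier $_)
            Copy-ToBackup -Path $_ -Destination (Join-Path $dbDest $relativeDir) -Manifest $manifest
        }
    Copy-ToBackup -Path (Join-Path $OracleHome 'database\PWDprotect.ora') -Destination $dbDest -Manifest $manifest
}

function Backup-DlpServerFiles {
    # "Backing up the server configuration files" and "Backing up files stored on the file system".
    param(
        [string] $BackupRoot = 'C:\SymantecDLP_Backup_Files',
        [string] $ProtectDir = 'C:\SymantecDLP\Protect'
    )
    $cfgDest = Join-Path $BackupRoot 'Server_Configuration_Files'
    Copy-ToBackup -Path (Join-Path $ProtectDir 'config') -Destination $cfgDest `
        -Manifest (Join-Path $cfgDest 'manifest.sha256')

    $fsDest = Join-Path $BackupRoot 'File_System'
    foreach ($item in 'plugins', 'logs', 'tomcat\conf\.keystore') {
        Copy-ToBackup -Path (Join-Path $ProtectDir $item) -Destination $fsDest `
            -Manifest (Join-Path $fsDest 'manifest.sha256')
    }
}

# Usage, run as Administrator after the Vontu and Oracle services have been stopped:
# Backup-DlpDatabaseFiles
# Backup-DlpServerFiles
```

The manifest files contain only hashes and paths; the keystore copy itself lands in File_System, so treat that directory with the same care as the worksheet asks for the rest of the backup.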

The Windows recovery information worksheet

Modify the Recovery Information Worksheet according to your setup.

Recovery Information Worksheet (backup file information and example locations)

  Name of the computer that hosts backup files: Backup_Server1_Gurgaon
  Directory containing backup files: C:\SymantecDLP_Backup_Files
  Subdirectory containing file system backup files: C:\SymantecDLP_Backup_Files\File_System
  Subdirectory containing Enforce and detection server configuration backup files: C:\SymantecDLP_Backup_Files\Server_Configuration_Files
  Subdirectory containing database backup files: C:\SymantecDLP_Backup_Files\Database
  Subdirectory containing Database Recovery Aid files: C:\SymantecDLP_Backup_Files\Recovery_Aid

=> Print this page containing the Recovery Information Worksheet.

=> Store this worksheet in a secure location because it contains sensitive data.

Petya Ransomware's Encryption Defeated and Password Generator Released

At last! Someone has managed to crack the Petya Ransomware's encryption and is offering a tool for you to generate a key for FREE! Knowing that many of you were hit with this and had to resort to your last good backup (which could be a day or a week out of date), this is your chance to get your whole data back!

Basically, in a nutshell...

* Remove affected HDD to another PC (or HDD docking)

* Run the Petya Sector Extractor tool to get the 512 byte data - http://download.bleepingcomputer.com/fabian-wosar/PetyaExtractor.zip

* Go to https://petya-pay-no-ransom.herokuapp.com and enter the details that you got from the tool above.

* It will generate the key for you to enter on your infected PC

* Put the HDD back in your computer and boot it up and wait for it to reach the Petya Ransomware lock screen - enter the key.

* Once entered, it will begin decrypting the HDD

* Your data is back! \o/

If you prefer to follow the guides with further details, you can do so at http://www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released/

How did it go for you? Did it work for you? Share your experience.

Symantec Endpoint Encryption 11.1.0 Management Server Backup

In this article we will create a backup of Symantec Endpoint Encryption Management Server Database.

1258536951_proc.jpg 

Table of Contents

  1. SEE Server Backup Steps
  2. Disaster Recovery Information Table
  3. Database Backup Info Table
  4. Active Directory & Installation Files Table
  5. Backup a Database using Management Studio

SEE Server Backup Steps

Step 1: Back up the database
  Back up your database immediately following the successful installation and configuration of the Symantec Endpoint Encryption Management Server, and thereafter at scheduled, frequent intervals.

Step 2: Back up important files or save information that you will require when you start the disaster recovery process
  Password: Save the Symantec Endpoint Encryption Management password.
  Certificate: Save the Web Server SSL certificate and the Removable Media Encryption Recovery Certificate, if any.
  Database: Back up and save the database backup file (.bak).
  Active Directory settings: Forest name, server name, domain name, and the Active Directory Administrator account name and password.
  Management Server information: Save the MSI files of SEE.

Step 3: Copy the files you backed up off-site
  Store the backed-up data off-site at a secure location.

Step 4: Test your backup strategy
  Simulate a mock-disaster situation and try to restore all backed-up files and the database, and re-establish communication between server and clients.

Disaster Recovery Information Table

  Management Password: Symantec
  Database files: Path to your .bak file
  Server certificate: If any
  Server installation files: C:\Users\hardeepsinh.gohil\Desktop\SEE_11.1.0
  Port numbers: 8080, 999, 443 (any defined)
  Domain name: Sequretek.com
  IP address of Management server: 192.168.0.209
  Host name of Server: Server2008

Database Backup Info Table

  Management password: Symantec
  Web Server SSL certificate: Path, if any
  Removable Media Encryption Recovery Certificate: Path, if any
  Database backup file (.bak): C:\Users\hardeepsinh.gohil\Desktop\SEE_dbBackup
  Database certificate: If any
  Database server name: Server2008\SQLEXPRESS (Computer Name\Instance Name)
  Database port number: Specify port number
  Database account: SEQURETEK.COM\hardeepsinh.gohil

Active Directory & Installation Files Table

  The forest name: Sequretek.com
  Server name: Server2008
  Domain name: Sequretek.com
  Administrator account name: SEQURETEK.COM\Hardeepsinh.gohil
  Administrator account password: Passw0rd
  Management Server MSI (installation files): C:\Users\hardeepsinh.gohil\Desktop\SEE_11.1.0

For more information on Active Directory:

https://technet.microsoft.com/en-us/sysinternals/adexplorer.aspx

Backup a Database using Management Studio

1. Connect to your database using SQL Server Management Studio

Selection_009.png

2. Find Your Database. (For Example: SEEMSDb)

Selection_010.png

3. Right click on your Database > Tasks > Back Up

Screenshot from 2016-04-12 14-29-00.png

4. Verify Destination Directory.

Selection_015.png

5. Success

Selection_016.png
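The same backup the Management Studio steps above perform can be scripted, which makes the "test your backup strategy" step repeatable. This is an added example (my code, not the article's): it runs BACKUP DATABASE with CHECKSUM and immediately checks the file with RESTORE VERIFYONLY, so a backup that cannot be read back fails the run instead of being discovered during a disaster. It assumes it is run on the SEE Management Server host with Windows authentication to the instance; the defaults mirror the worksheet values above and the function name is this example's own.

```powershell
# Added example, not from the article: scripted SEE database backup plus a verify pass.
# Assumes Windows authentication and that the SQL Server service account can write $BackupDir.
function Backup-SeeDatabase {
    param(
        [string] $ServerInstance = 'Server2008\SQLEXPRESS',
        [string] $Database       = 'SEEMSDb',
        [string] $BackupDir      = 'C:\Users\hardeepsinh.gohil\Desktop\SEE_dbBackup'
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
    $bakFile = Join-Path $BackupDir ('{0}_{1}.bak' -f $Database, $stamp)

    # Escape the identifier and the literal so an odd character in a parameter cannot
    # break out of the statement (]] inside [..], '' inside N'..').
    $dbName = $Database -replace '\]', ']]'
    $path   = $bakFile  -replace "'", "''"
    $sql = @"
BACKUP DATABASE [$dbName] TO DISK = N'$path' WITH INIT, CHECKSUM, STATS = 10;
RESTORE VERIFYONLY FROM DISK = N'$path' WITH CHECKSUM;
"@

    $connString = "Server=$ServerInstance;Database=master;Integrated Security=True"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $sql
        $cmd.CommandTimeout = 0          # a full backup can exceed the 30-second default
        [void] $cmd.ExecuteNonQuery()    # RESTORE VERIFYONLY raises a SqlException if the .bak is unreadable
    }
    finally {
        $conn.Dispose()
    }
    # Return the file so the caller can log its size and copy it off-site (Step 3 above).
    Get-Item -LiteralPath $bakFile
}

# Usage:
# Backup-SeeDatabase | Select-Object FullName, Length, LastWriteTime
```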

Put all of your backup files in a safe and secure place.

iOS Signature Validation Failures

Apple released a change two weeks ago to the way the codesign tool works for applications signed on a Mac running OS X El Capitan. A SHA-1 hash is no longer accepted for signature validation; the signature must be created with SHA-256 to validate successfully. Since Mobility Suite's backend codesign tool runs on Linux, we have upgraded the signature to use SHA-256 instead of SHA-1. SaaS customers have had this patch applied on the 'appcenterhq.com' domain. The patch will be included in the upcoming Mobility Suite 5.5 .iso release for On-Prem customers.

The OSX Release that brought these changes is as follows:

OS X El Capitan v10.11.4

INFO:

https://developer.apple.com/osx/download/

DOWNLOAD:

https://itunes.apple.com/us/app/os-x-el-capitan/id1018109117?mt=12

Error message seen in device logs:

"Domain=MIInstallerErrorDomain Code=13 "Failed to verify code signature" (The application does not have a valid signature.)"
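A pre-flight check for the situation described above, added here as an example and not part of the original article: it inspects the text that Apple's `codesign -d --verbose=4` prints (to stderr) for a wrapped app and reports whether the signature carries a SHA-256 hash or is SHA-1 only, the case that fails to install with the error shown. The sample codesign outputs embedded below are constructed, and the bundle identifiers and authority names in them are placeholders.

```shell
#!/usr/bin/env bash
# Added example: classify an iOS app signature by hash algorithm from the
# output of `codesign -d --verbose=4 <app> 2>&1`. Sample outputs are constructed.

# check_signature_hash <codesign output>
# prints sha256 | sha1-only | unsigned; exit status 0 only for sha256
check_signature_hash() {
  local out="$1" choices
  if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
    echo unsigned; return 2
  fi
  # Newer codesign builds list every algorithm on a "Hash choices=" line;
  # older builds only print "Hash type=<alg> size=<n>".
  choices=$(printf '%s\n' "$out" | sed -n 's/^Hash choices=//p' | head -n 1)
  if [ -z "$choices" ]; then
    choices=$(printf '%s\n' "$out" | sed -n 's/^Hash type=\([a-z0-9]*\).*/\1/p' | head -n 1)
  fi
  case ",$choices," in
    *,sha256,*) echo sha256;    return 0 ;;
    *sha1*)     echo sha1-only; return 1 ;;
    *)          echo unsigned;  return 2 ;;
  esac
}

# Constructed sample: app signed with both algorithms (accepted on 10.11.4+).
SAMPLE_OK='Identifier=com.example.wrapped
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Hash type=sha256 size=32
Hash choices=sha1,sha256
Authority=iPhone Distribution: Example Corp'

# Constructed sample: SHA-1-only signature (rejected since 10.11.4).
SAMPLE_SHA1='Identifier=com.example.legacy
CodeDirectory v=20100 size=1000 flags=0x0(none) hashes=30+5 location=embedded
Hash type=sha1 size=20
Hash choices=sha1
Authority=iPhone Distribution: Example Corp'

# Demo run over the constructed samples; on a Mac use instead:
#   check_signature_hash "$(codesign -d --verbose=4 Payload/Example.app 2>&1)"
for s in "$SAMPLE_OK" "$SAMPLE_SHA1"; do
  check_signature_hash "$s" || true
done
```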

How to uninstall Mobility Suite 5.4.2 and refresh dependencies.


If Mobility Suite 5.4.2 fails to install due to dependency errors, then the script attached to this article can be run to remove the packages that Mobility Suite installed, clean the yum repository, and install the dependencies necessary for a successful reinstallation.

The contents of the "Uninstall_5.4.2.sh" script are as follows:

#!/usr/bin/env bash
# Remove every package that the Mobility Suite 5.4.2 installer added

sudo yum -y erase zip libaio perl-CGI policycoreutils-python policycoreutils-sandbox appcenter-confwiz appcenter-setup-python httpd mod_ssl postfix jdk libXt monit appcenter-python mod_wsgi appcenter-mysql-connector-java appcenter-celery-deps-1.1.3 appcenter-celery-3.1.17 appcenter-django-celery appcenter-pyasn1 appcenter-decorator appcenter-lockfile appcenter-python-daemon appcenter-setuptools appcenter-Imaging appcenter-MySQL-python appcenter-python-ldap appcenter-M2Crypto appcenter-boto appcenter-xlrd appcenter-APNSWrapper appcenter-pysaml2 appcenter-ConcurrentLogHandler appcenter-Django appcenter-django-tables appcenter-django-auth-ldap appcenter-Django-south appcenter-django-ses appcenter-django-compressor appcenter-django-appconf appcenter-versiontools appcenter-djangorestframework appcenter-cx_Oracle-5.1.3 appcenter-recaptcha-client appcenter-django-simple-math-captcha appcenter-python-cjson appcenter-BeautifulSoup4 appcenter-httplib2 appcenter-aapt appcenter-apktool appcenter-ipaddr appcenter-protobuf appcenter-gevent appcenter-pyOpenSSL xmlsec1 SecureProxy-5.4-1 appcenter-server-common appcenter-liveupdate appstore_cu appstore_cu-bin GPLv2-openscep Quaqua iphone-fixpng libpng-nukona iOS-wrap iOS-wrap-server android-wrap AppCenterBuilder iOS-ThreatProtection AppCenterSample android-AppCenterAgent libgdiplus0-2.10 mono-core-3.8.0 libmono-2_0-1-3.8.0 libmono-2_0-devel-3.8.0 libmonosgen-2_0-0-3.8.0 libmonosgen-2_0-devel-3.8.0 mono-locale-extras-3.8.0 mono-data-3.8.0 mono-winforms-3.8.0 ibm-data-db2-3.8.0 mono-extras-3.8.0 mono-data-sqlite-3.8.0 mono-wcf-3.8.0 mono-winfxcore-3.8.0 mono-web-3.8.0 mono-mvc-3.8.0 mono-data-oracle-3.8.0 mono-data-postgresql-3.8.0 mono-nunit-3.8.0 mono-devel-3.8.0 monodoc-core-3.8.0 mono-complete-3.8.0 mm-python-pika openscep-certs appcenter-load-settings xorg-x11-server-Xvfb bb_icon_extractor SymantecLicensing appcenter-siteminder appcenter-modsecurity appcenter-lua appcenter-libxml2 appcenter-libxslt mod_xsendfile 
SYMC-MDMCore-7.2-250 SYMC-ADCS-Installer-7.2-250 symc-mdmcore_migration mod_mono-2.10 xsp-3.0.11 erlang-17.4 rabbitmq-server ntp-4.2.6p5 ntpdate-4.2.6p5 at appcenter-greenlet oracle-instantclient11.2-basic oracle-instantclient11.2-sqlplus mm-nginx appcenter-uwsgi libevent libcouchbase-devel libcouchbase2-core libcouchbase2-libevent mm-python-requests mm-service-common-core mm-service-common-django mm-service-common-sqlalchemy mm-sclients sensu mm-sensu-gems puppet appcenter-pycountry appcenter-operations_portal appcenter-suds

# Discard cached yum metadata so the reinstall resolves fresh packages
sudo yum clean all

# Reinstall the base dependencies the Mobility Suite installer expects
sudo yum -y install libtool-ltdl mysql perl-CGI zip libaio

echo "+-------------------------------------------------------------------+"
echo "|Mobility Suite 5.4.2 is uninstalled and is ready for reinstallation|"
echo "+-------------------------------------------------------------------+"
# Leave the user in a fresh shell
$SHELL

After the archive has been extracted, the script's permissions may need to be modified before it can be run. To extract the archive, make the script executable, and run it from the Linux terminal, run the following commands in the directory where the archive is located:

yum -y install unzip
unzip Uninstall_5.4.2.zip -d ~
cd ~
chmod +x Uninstall_5.4.2.sh
./Uninstall_5.4.2.sh