Endpoint Protection


Quarantine server errors - it won't get defs or submit....

  • 1.  Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 12:08 PM
    I've tried this years ago and it never worked then, either - and am trying again.
    A couple of months ago, I setup a quarantine server here. Clients forward quarantined items to this server. THAT part works - it receives the files ok.
    What it doesn't do is to get defs (there was an instant error, minutes after setup, that it could not get definitions)
    And it won't submit anything. Doesn't seem to matter what it is, it won't submit it. I'm not sure what the rules are, but it seems to be that if SEP quarantines it, it won't bother to submit the sample, even if it's new or bloodhound. Like "we quarantined it, so we know it's bad, quit bothering us" is what it wants to say to me.

    So, What is the criteria? When WILL or DOES it submit samples?
    Also - why can't it connect? I can't get it to get quarantine server defs, and can't even force a submission.
    The error is that it can't make contact.

    The server is VRDSMSAV5, the IP is 111.222.990.52
    What it’s attempting to get to is: gateways.dis.symantec.com
    Appears to default to port 80

    Error is: “Qserver cannot connect to the gateway to download definitions. Ensure Qserver has access to adequate Internet connection”

    There IS a place to plug in a firewall name, user name and password, firewall port, etc. on a page called “HTTP Proxy Firewall” but I know we don’t have anything here to block it…………..
    We do NOT have a proxy and no firewall here. There's nothing blocking it, and our ITE folks who run firewalls state they don't block any web traffic. This is their response from Steve Harris, a firewall expert (literally!) with ITE:
    -------------------------------------------
    Browser or no, it still is just trying to get to the Internet. The best way to check is to confirm the TCP port and IP address needed to support this connection type. I would expect that Symantec can tell you that. When you have this information, go to the server in question (111.222.990.52), open a command window, and perform the “telnet” test:

    C:\telnet gateways.dis.symantec.com 80 <ENTER>

    If you connect, the screen will clear and throw the cursor to the top left of the screen. If it fails, telnet will show a timeout error on the screen.

    I do not believe we are blocking anything related to this. I checked our firewall to see if there are any blocking rules related to 165.206.190.52, and there are none.

    When I try the telnet test shown above, it fails for me, which suggests I am either going to the wrong device (gateways.dis.symantec.com) or the wrong TCP port (80). It also could be that the service is not working. I would contact Symantec and confirm the IP address(es) and port(s) to test. Then we can see if something is getting blocked. Also, please send me the IP stack for 190.52. I want to see the IP address, mask, gateway, DNS, etc.

    Thanks.
    -Steve

    ---------------------------------------------
    What gives?
    Why won't it get defs?
    Why won't it submit?
    Under what conditions does a quarantine server submit samples?
    Why can't I even force it?
    And is this thing even USED any more? Does Symantec even support quarantine servers??




  • 2.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 01:52 PM
    Try to update the defs manually, then it should auto update every 15 minutes. I know the below doc refers to the previous versions, but it should still be true for the newest version.

    Central Quarantine Console displays "Virus Definitions: N/A" -

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004062313041348


    Regards,
    Thomas




  • 3.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 02:03 PM
    What gives?

    The telnet test, while valid, is directed incorrectly. Our DIS servers don’t use the standard port 80 for http traffic. Try telnet like this instead:

    telnet gateways.dis.symantec.com 2847
    telnet gateways.dis.symantec.com 2848


    Do either of these connect?

    Unsecure traffic is sent over port 2847, secure is sent over 2848.

    Try seeing if both of these come up:

    http://gateways.dis.symantec.com:2847
    https://gateways.dis.symantec.com:2848



    Both should redirect to the Symantec Security Response page. The HTTPS link should prompt about a security certificate first, but once that’s added (or an exception entered), it will redirect also. If neither of these come up, you may want to work with your network team to figure out what the issue is.


    Why won't it get defs?

    There’s a defect currently open with IE 7 and how it interacts with Quarantine server because of a change in IE 7 done by Microsoft. In one case, when the customer unchecked the boxes in the Web Communication tab for secure communications, definitions updated.

    Why won't it submit?

    Without knowing more about your environment, there’s no way to tell. Assuming, however, that we’re able to connect to the gateway servers both with telnet and HTTP, I’d recommend contacting support so we can gather a debug log for more information.



    Under what conditions does a quarantine server submit samples?

    Samples should be sent whenever something is sent to the Quarantine server that doesn’t already have a detection. If the Quarantine server already has defs that detect the threat, it doesn’t submit it. If it doesn’t, it submits it.



    Why can't I even force it?

    That’s not functionality built into the Quarantine server as, again, if it doesn’t have defs, by default, it’s supposed to submit the file.



    And is this thing even USED any more? Does Symantec even support quarantine servers??

    We do support it, however the use has been on the decline for the last 2.5 years. Quarantine server is meant for LARGE (10,000+ seats), but even then, the odds of it actually catching, submitting and getting definitions back, honestly, is slim even in HUGE environments.



    If you are still having issues, I’d recommend that you call in for troubleshooting.

    Thomas
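
    The two tests in the reply above (telnet to 2847/2848, then opening the URLs in a browser) check different layers, and the thread later shows exactly the case where the first passes and the second fails. The script below, an added example and not Symantec's own tooling, separates those layers: a bare TCP connect per port, then a GET that must come back as a redirect, so a failure can be attributed to a blocked port or to the TLS/HTTP exchange. The host and ports are the ones named in the reply; the function names and the verdict strings are mine.

```python
"""Two-layer gateway check: bare TCP connect (what telnet proves) plus a GET that
must answer with a redirect (what the browser proves). Added example, not Symantec's."""
import http.client
import socket
import ssl

GATEWAY = "gateways.dis.symantec.com"
PORTS = {2847: False, 2848: True}  # port -> True when the port speaks TLS

def tcp_connect(host, port, timeout=5.0):
    """Layer 1: can a TCP socket be opened at all (same as telnet)?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_redirect(host, port, secure, timeout=5.0, verify=True):
    """Layer 2: GET / -> (status, Location); (None, error text) if TLS/HTTP fails."""
    if secure:
        ctx = ssl.create_default_context()
        if not verify:  # the browser's "add a certificate exception" step
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)
    finally:
        conn.close()

def diagnose(host=GATEWAY, ports=PORTS):
    """Run both layers per port and return a verdict string for each port."""
    report = {}
    for port, secure in ports.items():
        if not tcp_connect(host, port):
            report[port] = "blocked: TCP connect failed (telnet would time out)"
            continue
        status, detail = http_redirect(host, port, secure)
        if status is None:
            report[port] = f"TCP ok but {'TLS/' if secure else ''}HTTP failed: {detail}"
        elif 300 <= status < 400:
            report[port] = f"ok: redirect {status} -> {detail}"
        else:
            report[port] = f"TCP ok but unexpected HTTP {status}"
    return report

if __name__ == "__main__":
    for port, verdict in diagnose().items():
        print(f"{GATEWAY}:{port}  {verdict}")
```

    A "TCP ok but TLS/HTTP failed" verdict on 2848 alongside an "ok" on 2847 is the pattern to hand to the network team, since it rules out a port block and points at certificate handling or an inspecting device.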




  • 4.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 02:40 PM

    AHA - someone who knows quarantine server! Such a person does exist! LOL.
    What a comprehensive reply - and I've gained some info............
    I can open a command prompt and the telnet test seems to "connect:" with both ports.
    HOWEVER, when I open IE7, only the unsecure address (2847) works - and I get a page from SSR about the latest viruses, etc..
    The other, the 2848 never goes anywhere and eventually errs out with IE stating "........cannot display the web page".

    Now - last week on a whim I unchecked both the send and receive secure boxes. No change. No defs.

    I've already had two cases where the bug was unknown, I manually submitted after another AV app told me the file names, and within a couple hours, new defs DID detect the bug properly. This is a case where had I been able to quarantine the files manually using SEP, and they had gone to the quarantine server, and had it submitted the files I quarantined, we'd have had defs back that could have been pushed out to the enterprise.
    Only 350 computers, and twice this year I could have used the quarantine server to do such a deed.  It happens..............
    I'd like to have it working for several reasons...........

     



  • 5.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 03:00 PM
    SP,

    The last time I went looking for this issue (connect to 'dis.~'), I ended up with setting my server to contact a specific host-name at Symantec, because the re-direct from the loadbalancer(s) didn't work, at least if you use secure submission and secure download on the 'Web Communications' tab. However, this target - gateways.dis.symantec.com - **will** work if you DE-select the secure submission and secure download boxes.

    Symantec have deprecated the product to the point where it can't push unique defs to SEP11 clients. They appear to be killing it via the 'death of a thousand cuts'.

    Loel


  • 6.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 03:16 PM
    Too bad IF that's the case because we NEED all the automation we can get.
    Ideally, SEP's bloodhound would find something, or some other heuristics would find something OR I could manually quarantine a bug, it would go to Symantec, and we'd get defs to deal with it. That's the ideal, and how it used to be.
    I've had cases where SEP and SAV didn't find something, Trojan Remover did, and it told me the path and file name, and I manually quarantined the file, and manually submitted it, and we got defs back later that day that allowed SAV/SEP to deal with it.
    Otherwise, what's the point of automation?
    We must move to applications that protect us automatically and learn on their own. What better way to do so?
    I can't always be here to babysit, and no one should be expected to. And since things come at us so fast even Symantec can't keep up without CUSTOMER SUBMISSIONS, why would they allow such technology to die?
    It makes no sense to me at all. It's like saying "cruise control is great, but it's of no benefit to GM, so GM has decided to remove it from all future cars".  ??
    But in this case, it COULD benefit Symantec because they could get samples that they would otherwise not get, putting them ahead of the competition............. correct?
    I hope this is all speculation and 100% wrong, as it makes no sense to kill something that could not only automate applications for us, the end user, but allow them to receive samples - samples on which they depend so much.
    In these very forums, they STRESS the need for us, the customer to send them samples, otherwise they have no way of knowing what is out there, but then that is contradicted here?
    Defies logic.
    Besides, we have orders to move to technology that automates our chores.............. and if automation disappears, we need to keep moving ourselves closer to automation where it exists.


  • 7.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 04:01 PM
    Hi,

    take in consideration that Symantec releases definitions for the Quarantine Server once per week, on Wednesday, of course not in advance of the definitions for SEP...

    After that I think you will reconsider how this tool is useful.

    Regards,


  • 8.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 04, 2009 04:48 PM
    So, bluntly, Symantec is abandoning automation in favor of we security administrators having to babysit hundreds of computers and manually, through a web page process, manually submit samples, and wait for an email telling us that new defs are ready, when several years ago, this was all automatic? (and the competition IS automatic now)
    Is that what's being said? Automatic processes giving way to Manual processes?
    Management from hundreds of stations compared to centralized management from a single server?
    Manually submitting samples compared to the computers doing it for me?
    WOW. Might as well go back to 8088's! LOL
    Sorry, sort of unreal how we take HUGE steps back in logging and alerting - dropping AMS2 in favor of a cryptic "hey, you have an infection somewhere" email from SEP, and now find that we are taking huge steps backwards, dropping a nice automatic system requiring hardly any human intervention that submitted samples FOR us and received new defs FOR us,  to a manual system requiring every step be done manually by a human and where we have to watch our inbox for results.
    Don't tell me it's "rare" for someone with less than 10,000 computers to see a need - I've seen it twice in as many months. We constantly see new stuff SEP won't find, and I MANUALLY use other software to find and quarantine the files, and manually submit them so we can get protection. Quarantine server USED to do that for me with SAV 7-SAV 10 - Quarantine server used to handle this all while I slept - and slept soundly knowing that the system submitted for me, and got new defs for me, and applied them accordingly.
    I can't keep doing this - I'm too busy - I guess I won't be submitting any more samples since there doesn't seem to be the desire to receive them so new defs can be developed.
    If Symantec wants new samples that badly, they can resurrect q-server!

    Sorry, just seems that every step I try to take forward, I'm finding that I'm being dragged backwards.
    We need MORE automation, not less. Again, don't even SUGGEST that we don't see constant new threats that SEP won't recognize. I've proven that theory very wrong -
    yes, I'm having a bad week because I'm fighting to make things work, and finding that I need to spend MORE time, not less.
    This (q-server) doesn't work, reporting is lame as all get out and gives me pie charts instead of names and addresses (read that as scheduled reporting is worthless, seriously! you may as well totally remove it.), the console is slow and you have to keep clicking to get to policies (slow on 3 computers, so it's not my computer), emails don't contain pertinent information, I have to go to another computer and dig through logs instead of getting it in email messages like I did years ago with AMS2.
    PLEASE - Let's put features IN, please, NOT take them out! Let's add functionality, not remove it. Let's add automation, not make it manual again.


  • 9.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 05, 2009 03:00 AM
    There is something automatic in SEP.
    We have two scenarios: detected malware and suspicious/undetected files (a file that needs more analysis).
    If the file is detected, SEP sends to Symantec a detection rate of the malwares, useful to put more effort in the most common malwares.
    If the file is not detected, a human has to "detect" it in the suspected machine. The IT admin can put this file in the local quarantine and from the quarantine run the wizard for the submission to the Security Response; it is simpler than the web form and it is totally automatic, it means no tracking code and no emails. An improvement could be to submit the manually quarantined file to the SR without running the wizard.
    Who needs more manual control of the submissions (i.e. tracking code, etc...) has to use the manual submission via web.
    The only advantage of the Quarantine Server and Console is the better reporting.
    I think a better reporting regarding infections and quarantined files will be implemented in the future in SEPM.



  • 10.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 05, 2009 08:22 AM
    As I've had happen here MORE than ONE time - I need a way for the files to be submitted QUICKLY and AUTOMATICALLY, then DEFINITIONS come back. Without my babysitting and spending time with email and web sites. Submitting takes time and effort - must get the files onto a machine, get to the web site, plug in all the info, get out account number in correctly, and by then, the code we must type in has probably changed and the submission errs out, try again, wrong code. So type it all in again, find the file again, browse to it, reload it on the page, type in the code, submit. Watch your email, and interpret the email when a result comes in either that day or the next - and then make sure you get the defs that will catch the bug.
    Q-server took care of all that, automatically, including ROLLING out the better/new defs to the enterprise automatically.
    The problem with SEP is that I don't have ACCESS to the machines - I can't walk up to them and quarantine a file in some cases. They are in other cities. There may or may not be someone there. I do a lot of things using C$\filepath and then grab the files and put them on another server to manually submit them.
    If SEP find the file, q-server gets it and then I have it locally. If sep doesn't find the file, and I have to use another product to find it, then I get it back to Des Moines and do the manual submission process. I typically don't have access to the "console" or desktop - or SEP, on the infected computer. I suppose I could drag the suspect file to my own computer or a SEP server and then manually quarantine it......... still a lot of manual work.
    Many of us manage computers in other cities or states, so depending on us being able to open SEP on that computer isn't too good. In fact most of our computers exist where there is NO IT staff. So we need a solution that we can use here -

    I have our machines set up so 100% of them can submit the infection rate info. If there's a problem, might as well let them ALL tell Symantec about it. Might be useful for regionalizing infections or putting the most effort on things that are most likely to hit you.

    Let's get this automated again - I can't see what was so wrong with quarantine server. It worked, it was a brilliant concept!
    I'd rather not see it killed off.


  • 11.  RE: Quarantine server errors - it won't get defs or submit....

    Posted May 05, 2009 01:21 PM
    Question:

    Under what conditions does a quarantine server submit samples?

    Samples should be sent whenever something is sent to the Quarantine server that doesn’t already have a detection. If the Quarantine server already has defs that detect the threat, it doesn’t submit it. If it doesn’t, it submits it.

    ---

    Regarding the answer above, if a sample is detected as something like "Downloader," does that disqualify the sample from being sent to Symantec since it is technically "detected"?

    ---

    Question:

    If I enable the submission feature for a large number of clients, won't the network get clogged if we have an outbreak with all of the individual submissions?   Doesn't seem like a good corporate solution.

    Comment:

    Make Quarantine Server part of SEP so that we can receive feedback about submitted samples from a central location.   CIO's ask about this type of stuff.   This should all be transparent to the administrator outside of the initial setup at the beginning.   McAfee advertises 15 minutes a day or 1 hour a week of admin time through ePolicy Orchestrator.