So I’ve spent ages troubleshooting and debugging Symantec’s Endpoint Protection (SEP) version 11, MR4 – the first version that actually has a hope of working on a 64bit platform. After spending far too long configuring the various policies and tweaking various settings I was finally able to get the software installed via group policy on a testlab machine but the client would not checkin with the management server. The virus definitions were 4 months old BUT the client console was saying everything was ok. Lots of troubleshooting later and I stumbled across the definitions for the Management server – a setting that I had originally wanted to change anyway. In there I saw that the management server was listening on port 8014 and a quick telnet check from the client showed I was unable to connect. Disabling windows firewall (temporarily – this is on a testlab so the infection risk is minimal) allowed the client to check in with the server, change some settings in the console and update the virus definition dates. Finally I re-enabled the firewall, added an exception for TCP port 8014 and it all looks good, but I’ll wait to see what happens overnight for definition updates on the client. For future reference the list of communications ports for version 11 can be found at Symantecs website here or posted below in the extended entry.
I upgraded my wrt54g to the latest dd-wrt firmware over the weekend from v23 to v24sp1. The annoying thing is that they highly recommend the unit is set to factory defaults which means re-entering the config in by hand after the upgrade. This is not a quick and easy task, especially whn you have to get the config off the there doesn’t seem to be a “print config” page. However, by using the screengrab firefox extension it didn’t take long to open up each dialog page, right click and choose screengrab, save, complete page. Saving all the screenshots into a unique folder means I have a nice copy of the config that I was then able to refer to when rebuilding the unit.
The new firmware also supports wpa2 so I enabled that on the router and then found that my xpsp2 box couldn’t see the router. I was pretty sure I had all the updates for xp on the laptop but I guess not. A quick download of the hotfix 893357, one reboot later and I was connected with wpa2. I’m sure we’re going to see more of this sort of thing on client laptops so this will also be a good placeholder for work.
I haven’t got the openvpn configuration sorted out, I think I have to set this up from scratch as I forgot to save one of the keys – but openvpn seems to be more integrated in this version – at least there are dialog boxes for openvpn – there didn’t use to be.
One of my customers has a cyberguard firewall that was working perfectly when I configured it in the office. However on shipping it to the customer, it was placed behind a horrible Verizon modem that broke most of the configuration parameters I had put in place. Most of them were fixable straight away, but I’ve never been able to get it to vpn back to the head office. I was getting the error message “Peer is not authorized to use remote address” in the log files.
Various responses in google mentioned I had to add noauth to the /etc/ppp file but this file doesn’t exist on the cyberguard unit. However, using the Advanced section and editing the “pptp.connect to office” file, adding “noauth” (without quotes) to the end of the file, the vpn connection worked.
This isn’t documented anywhere in google that I’ve seen so hopefully this will help someone else.
TR/dldr.delf.CB.1*2
BDS/Haxdoor.BH*3
TR/dldr.small.ait
TR/Drop.Funweb.A
Drop.Small.NK
BDS/Haxdoor.BH.1*2
PMS.WildTangent.B.1
Interestingly Norton had already detected and deleted a couple of these files but didn’t detect any of the others. I had to boot from a Windows UltimateBootCD, download new dats for avpersonal and then run a scan. The Avpersonal only took 30 minutes to run, the Trendmicro one has been going for about an hour and is still going. Its a good job I don’t charge by the hour.
Now that we had proved (or thought we had) that the DR recovery onto new hardware for our Symantec Enterprise Firewall worked it was time to upgrade to version 8 of the software.
Finally completed the DR of our firewall – 8 days after starting it….
Oh great – I was just extolling the virtue (or lack) of our firewall(s) in the office/remote pc’s and then there’s a Symantec Client Firewall Remote Access and Denial of Service Issues posted in Lockergnome’s Tech News Watch. Going to have fun looking at that one tomorrow!.
Update After waiting 15 minutes on hold, apparently the problem does not affect the corporate Enterprise VPN client – only the firewalls sold with antivirus type products – phew! As it turns out there is a culmalative patch available for the firewall anyway so I downloaded this instead.
Yesterday was apparently Personal Firewall Day which is weird that I only heard of it today (as I didn’t read my rss feeds yesterday). I would have thought this would have kicked off before the actual day….Anyway – yesterday I was asked to go to a friends who told me they had welchia or blaster on their pc. When I got there I did a quick check of the startup folders and registry and saw nothing suspicious. That and the fact they were running 98 did make me wonder HOW they got infected (as these are nt platform virus’s) Needless to say they had no real a/v software on the machine. PC-Cillin98 which had never been updated – so probably 6 years old. NAV was “installed” on the machine – the cd was copied onto the hard disk – so that wasn’t helping much 🙂
I ran through my various fix_virus.exe files downloaded from symantec, found nothing and then installed the free Computer Associates firewall/AV combo on their machine. All went well until it told me I HAD to update the definitions, reasonably enough, except for some reason it was coming up with 550 errors on the ftp. But a manual download of the file, from the same url worked fine! A standard home user would have had NO idea what to do and would have been left with an annoying popup every time they booted and no a/v protection.
After scanning there were no virus’s found but 50+mb of windows updates (not including WMP9 etc) and I wasn’t going to download them via dialup!
I installed the CA Antivirus firewall on the parents-in-law computer. The firewall is almost identical to zonealarm. I’ve not used zonealarm for several months/years now so I can’t tell if it is the same as the newer versions, but all the popup dialog boxes and the traffic meters in the taskbar are practically identical. The Antivirus is different and also includes spyware and popup blockers so it will be interesting to see how good they are – i’m sure I’ll have plenty of practise as I’ve already removed lop from the computer twice, amongst many other spyware infections on it. I’ve also installed SpywareGuard which aims to stop the driveby installations (and i’ve also installed firebird for my own surfing)
I wouldn’t have thought that organising an adsl modem to work in conjunction with a hardware firewall would be that difficult. But I’ve been receiving conflicting advise over what routers/functionality needs to be installed. All I need is an router/modem that is effectively invisible to the firewall so it thinks it is connected to the internet and can get on with its filtering,vpn’s and protection. However I am being ignored by BT, the company we are probably going to buy Broadband from (yet another reason to not use them – if they are this bad when we *want* to spend some money with them I hate to think what they will be like when we have a problem), our existing firewall support won’t help unless we buy one particular make of router and get broadband from one particular supplier, and the firewall company won’t help as they say its the resellers problem – so back to square one…..Almost makes me want to go to dialup modem! The fact that we can’t order broadband until the physical line is installed and live also makes a mockery of the whole broadband ordering process.