Channel: Symantec Connect - Security

Powershell Script that helps get subnets from Active Directory Sites and Services

I do not need a solution (just sharing information)

Hello,

I wanted to share this in case it can be of help to other SEPM admins.

Problem: The default group (the default installation group) in SEPM keeps getting populated by machines every time there is a new install or a client reconnects to the management servers after the default timeout period. We then had to manually figure out where the client should go based on their IP addresses and subnet information. Of course we can use the move client .vbs group to automate this, but keeping the ipgroups.txt required by the vbs script updated was still a manual process. Our group hierarchy is based on locations in our Active Directory Sites and Services (ADSS). We were looking to completely automate this issue of manually moving clients and keeping SEPM in sync with the subnets that are listed in ADSS.

Solution: The PowerShell script listed below. The main goal of the script is to get a dump of all subnets and their sites from ADSS and convert this information into the format that the move-client.vbs tool requires, i.e. IPGroups.txt. The secondary goal of this script is to run all the move client scripts after creating the IPGroups.txt. A couple of things about the PowerShell script and our background setup:

  1. This script was created mainly for workstations. We do not move servers based on scripts.
  2. In our environment, all workstations start with W. So the staging.vbs (move-client) that is called in the PowerShell script is set up so that it looks for any machines that start with W and moves them to a group in SEPM called "Staging".
  3. Once machines are in the staging group, another (Move-Client.vbs) script runs that moves the machines based on their Active Directory subnet information.
  4. PowerShell by default outputs all text and csv files in Unicode format; therefore, you will notice that a convert.bat is called from within the PowerShell script. convert.bat converts from Unicode to ANSI format, as this is the only format that the move-client.vbs tool is compatible with.
    • The content of the convert.bat file is the following command, without the quotes:
      • TYPE D:\Scripts\Move-Clients\Main\Staging\temp.txt > D:\Scripts\Move-Clients\Main\Staging\IPGroups.txt
  5. You will notice that there are a lot of imports and exports happening in the PowerShell script. The reason is so that we can get the right data from ADSS into the right format that the move-client.vbs tool requires (removing quotes etc.).
  6. The main folder where all the scripts are running from in this PowerShell script is D:\Scripts\Move-Clients; feel free to change the path in the script to match your folder structure.
    [image: 2_1.png]
      • Move-Clients folder has the main PowerShell script
      • Main has the move-client.vbs that moves clients from the default group (installation group) to staging based on the naming standard
      • Staging has the move-client.vbs that moves clients from the staging group in SEPM based on their ADSS subnets.
  7. Once the script is tested and adjusted to your environment, schedule it using Windows Task Scheduler. I have it scheduled daily so that I can keep SEPM in sync with ADSS subnet information at least once a day.

Script:

[cmdletbinding()]
param()

# Collect every subnet of every site in the current forest from AD Sites and Services
$Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
$obj = @()
foreach ($Site in $Sites) {
    foreach ($sub in $Site.Subnets) {
        $obj += New-Object -Type PSObject -Property (
            @{
                "SiteName" = "Put your SEPM group path here\" + $Site.Name
                "SubNet"   = $sub.Name
            }
        )
    }
}

# Export to CSV, then strip the header row and the quotes
$obj | Export-Csv D:\Scripts\Move-Clients\1st.csv -NoTypeInformation
$csv = Get-Content D:\Scripts\Move-Clients\1st.csv
$csv = $csv[1..($csv.Count - 1)]
$csv > D:\Scripts\Move-Clients\2nd.csv
(Get-Content D:\Scripts\Move-Clients\2nd.csv) | % { $_ -replace '"', "" } | Out-File -FilePath D:\Scripts\Move-Clients\3rd.csv -Force
Rename-Item D:\Scripts\Move-Clients\3rd.csv D:\Scripts\Move-Clients\temp.txt
Remove-Item D:\Scripts\Move-Clients\1st.csv
Remove-Item D:\Scripts\Move-Clients\2nd.csv

# Hand temp.txt to convert.bat, which rewrites it as ANSI IPGroups.txt
Copy-Item D:\Scripts\Move-Clients\temp.txt D:\Scripts\Move-Clients\Main\Staging\temp.txt -Force
Remove-Item D:\Scripts\Move-Clients\temp.txt
# -Wait so temp.txt is not deleted while convert.bat is still reading it
Start-Process D:\Scripts\Move-Clients\Main\Staging\convert.bat -Wait
Start-Sleep -Seconds 5
Remove-Item D:\Scripts\Move-Clients\Main\Staging\temp.txt

# Move clients from the default group to Staging (by naming standard)
Set-Location "D:\Scripts\Move-Clients\Main"
cscript main.vbs
Start-Sleep -Seconds 5

# Move clients out of Staging based on their ADSS subnet
Set-Location "D:\Scripts\Move-Clients\Main\Staging"
cscript staging.vbs
Set-Location "D:\Scripts\Move-Clients"

FYI: I am not a PowerShell guru, hence I may have done this the long way. If anyone has an easier way of doing this, please feel free to share.
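A shorter route to the same file, as an added example that is not the original poster's script: it builds the lines as plain strings (so there is no CSV header or quoting to strip) and writes them in ANSI directly, which removes the intermediate files and convert.bat. The function name, the sample sites, the group prefix, the output path and the "group,subnet" column order are assumptions; match them to the IPGroups.txt your move-client.vbs already reads.

```powershell
# Added example, not the original poster's script.
# Assumption: one "group path,subnet" pair per line; adjust the format string
# below if your existing IPGroups.txt uses the opposite column order.

function ConvertTo-IPGroupLine {
    [CmdletBinding()]
    param(
        # Any object exposing .Name and .Subnets (each subnet exposing .Name)
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        [Parameter(Mandatory)] [string] $GroupPrefix
    )
    process {
        foreach ($sub in $Site.Subnets) {
            # Plain string output: no header row and no quotes to remove later
            '{0}\{1},{2}' -f $GroupPrefix.TrimEnd('\'), $Site.Name, $sub.Name
        }
    }
}

# Constructed sample input so the function can be tried off-domain
$sampleSites = @(
    [pscustomobject]@{ Name = 'London'; Subnets = @(
        [pscustomobject]@{ Name = '10.10.0.0/16' },
        [pscustomobject]@{ Name = '10.20.4.0/24' }) },
    [pscustomobject]@{ Name = 'EmptySite'; Subnets = @() }   # yields no lines
)
$lines = $sampleSites | ConvertTo-IPGroupLine -GroupPrefix 'My Company\Workstations'
$lines

# On a domain-joined host, feed the real sites instead:
# $lines = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites |
#          ConvertTo-IPGroupLine -GroupPrefix 'Put your SEPM group path here'

# Refuse to write an empty file, which would leave move-client.vbs with no mappings
if (-not $lines) { throw 'No subnets returned; IPGroups.txt left untouched.' }

# In Windows PowerShell 5.1, -Encoding Default is the system ANSI code page
$out = Join-Path $env:TEMP 'IPGroups.txt'   # placeholder output path
$lines | Set-Content -Path $out -Encoding Default
```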


Cannot Register a User on the Client

I need a solution

Hi

I have set up the policies for my laptops and tested it out on a couple. Everything seems to work apart from the fact I cannot get additional users to register. I managed to log in with one account and everything appeared to work properly, disks would encrypt automatically, notification to set recovery question appeared, all seemed good. After logging out and then trying to log another user onto the laptop I would get an "incorrect Authorisation" message on the login screen and could get no further. Not much use in this environment if only one user can ever log into a laptop.

I have been in contact with Symantec Engineers for weeks now and am no further forward. I have approx 200 laptops (some are multi user) I need to get encrypted but am getting nowhere fast.

Can anyone help?

Beanie


Java question

I need a solution

Here are some questions that I am being asked internally in regards to SEP(M) and Java.

1.  Does application use Java?

2.  If 'Yes', what version?

3.  Is Java used on Client or Server Side?


Determine latest virus definitions on server from database

I need a solution

I am writing some automation scripts to create some reports for management and one part I cannot seem to find is the "Latest on Manager" field that is on the SEPM home screen. Does anyone know if that is in the database and if so, where it might be?

Thanks

Martin


SEPM Embedded DB size limitation for restore

I need a solution

Hi all, I have two questions and would really appreciate your helpful and kind replies.

  1. Is there any limit on the size of the sem5 database (embedded database) that we can back up or not? For example, if sem5 exceeds 15 GB we cannot back it up via the SEPM Backup utility.
  2. Is there any limitation on the size of DB that we can restore via the SEPM restore utility? For example, if the size of the DB exceeds 20 GB we cannot restore it via the Restore utility of SEPM.

I remember I read somewhere that there is a limit on the size of the DB, and if it exceeds that then we cannot restore it. Please correct me if I am wrong. Thanks


Virus definition "Not Available" after upgrading SEP to 12.1RU6

I need a solution

Hello,

After upgrading my SEPM server from 12.1.5 to the new version 12.1RU6, most of the clients in the console show virus definitions "Not Available".


Symantec Tamper Protection Alert on the Exchange server

I need a solution

Hello,

On my Exchange server, Symantec displays several alert messages:

SYMANTEC TAMPER PROTECTION ALERT

Target :C:\Program Files\Common Files\Symantec Shared\ccApp.exe

Event Info : Allocation Memory

Action Taken : Logged

Actor Process : C\Document and Setting \session user\local Séttings \Temp\2\f70564d5.exe(PID 11104) 

and the Symantec services on this server even stop automatically, and I am unable to restart them.


SEP 12.1.4112.4156 NOT INSTALLED.

I need a solution

SEP are not set in the manual mode or via the GPO. In the manual mode, the installation creates a log file, and through group policies do not.


SEP 12 Log uploadtime question?

I need a solution

Hey guys,

We're trying to figure out when the SEP agents send logs to SEPM. We tried editing the communications settings -> heartbeat interval to 30 mins on the Clients tab, but we're not sure if this is the right one to check. Is this the right place to edit the time for the SEP agent to upload logs to SEPM?

Thank you,


NTP Attack logs forwarded to external syslog server


Network Threat Protection Attack logs, which are available under Monitor > Logs > Network Threat Protection > Attack, cannot be forwarded to an external syslog server: under Admin -> Servers -> Local site -> External logging for local site -> Log filter, the attack log is not listed.
The suggestion for Symantec is simply to add these logs to the selection panel of External logging for local site -> Log filter. If they can be accessed on Monitors, it should be easy to make them available for exporting to a syslog server. Thanks.

Related to Case Number 09853963

LUA hompage blank and can't access config

I need a solution

Recently two of my LUAs seem to have stopped downloading, which is strange. When I go onto the homepage it doesn't populate any information apart from available disk space, of which there is over 100GB on both. When I click on config the LUA just seems to time out, but when I click on all the other tabs in the LUA everything else comes up fine. I've tried restarting the services with no effect and I can't even seem to run the troubleshooting tool in the LUA to generate a log for Symantec. Anyone else had this issue or know how to resolve it?

I've spoken to the other teams and they say that nothing has been adjusted on them in the past week. LUA version 2.3.2.99 we can't upgrade to the latest version atm. But seems odd that both have gone down at the same time and have the same issue. 


How my TV got infected with ransomware and what you can learn from it

A look at some of the possible ways your new smart TV could be the subject of cyberattacks.


Logging of files from USB pendrive in SEP 12.1.x

I need a solution

Hi All, I am using the A&DC setting of "Log files written to USB drives" in a select group of machines. Does anyone know where these logs are actually written to? Are they on the client, or is it possible to report on them through the SEPM via Quick Reports? I am aware of DLP but this is for something else.

PaulC


Need Urgent Replies on the following SEP features

I need a solution

Hello all, I need some urgent replies on the following features, whether they are available within the product or not. Please kindly reply with a yes or no instead of referring to the articles.

  1. Must support malformed attachment detection.
  2. Support for memory and boot sector scanning to eliminate memory-resident viruses.
  3. Should support basic functions of Network Access Control (NAC).
  4. Should have an option for infected clients to be immediately disconnected from the network.
  5. Ability to auto-deploy the product to discovered PCs and servers that are not compliant.
  6. Support for tablets/smart phones/PDAs will be an added advantage.
  7. Must have the ability to scan and control web traffic.
  8. Should have inventory features.
  9. Should have file integrity monitoring, especially for servers.
  10. MUST have a different version for each system (SharePoint, Servers, Desktop & laptop)
  11. Must support Arabic language for console interfaces and Arabic OS.


Endpoint Protection for VDI – Agentless:
Architecture:

1. Must Integrate with vshield endpoint API / use native VMware vshield

Is SEP for VDI agentless, meaning we don't need to install the SEP client on the GVM, or do we have to install the SEP client on the GVM?
2. Must NOT be dependent on NSX.
3. Must support caching features
4. Must support centralized antimalware architecture to prevent scanning and update storms
5. Virtual appliance must be based on a secure OS
6. Must support Fail-over between virtual appliances.
7. Must support different hypervisors versions.
8. Must support performance monitoring.
9. Optional to have Network level protection.


Consolidation + Licensing Concerns

I need a solution

Currently have two completely separate instances of SEPM going, with clients reporting respectively.

Environment 1 is 12.1.6

Environment 2 is 12.1.2

Need to consolidate these instances, looking to bring all the clients on Env 2 onto Env 1.

Currently, Env 1 has licensing for 180 seats, and Env 2 about 500 seats.

Need to have both environments online for a period of time, as the migration will span over a week or two; but also need to bring the licensing from Env 2 to Env 1 to begin migrating clients.

Can I have two managers using the same licensing, online at the same time?

Any other recommendations?

Thanks!

Kris


Need Some clarification on this SEP for VDI

I need a solution

Hello guys, sorry in advance if my question is really naive, because I have some confusion on this. I would really appreciate it if you can tell me if it is somewhat misleading or not. I am attaching a datasheet for SEP for VDI.

Now as per this datasheet it says that SEP for VDI is agentless, meaning we do not need to install any SEP agent on the Guest VMs (GVMs). In the datasheet, the system requirements mention DCS as well. As per my understanding, the true agentless antivirus solution from Symantec is DCS.

This datasheet is confusing me. Could you please tell me if this SEP for VDI is a separate product or the same traditional SEP that we have been using?

As per my understanding we still require the SEP agent on each GVM in a VDI environment. However, the benefit we get is that there are some features that are optimized for virtual environments, like SVA, Shared Insight Cache for sharing scan results, etc.

Your help and guidance would be appreciated.

Thanks


SEPM support for Windows 10 64 Bit

I need a solution

Hi, 

Can anyone provide me the correct link for SEPM 12.1.6 which should support Windows 10, 7 with 64 bit OS

and also a link to remove the existing Sophos 10.3 antivirus from a PC with the SEPM console.

Thanks 


Underground black market: Thriving trade in stolen data, malware, and attack services

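In the wake of large-scale data breaches, the underground market is still thriving. Although the trading price of stolen email accounts has dropped significantly, prices for other illegal goods and services remain stable.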


SEPM AppRemover for 3rd party AV clients - NEED YOUR SUPPORT!

SEP client 8014 SSL - HTTPS

I need a solution

Hello Team,

Can I configure HTTPS communication between the SEP client and SEP server using port 8014?

Thanks


