Thursday, June 4, 2009

Symantec Endpoint Protection and network scanning

Two of my co-workers returned from a small engagement this week. We had just upgraded our test laptops with Symantec Endpoint Protection. (Minor back-story: We had been using Symantec Anti-Virus. When we updated the Retina definitions, a vulnerability was found in the Symantec reporting agent. We couldn't upgrade the AV because we didn't have licenses. Grrrr. Corporate had to grab SEP licenses.)

Ok, so my co-workers were at a client site, having to scan a small number of workstations. They couldn't get Retina to reach ANY client machine. It seems SEP was monitoring the NIC and assumed that the test laptops were under attack due to the high volume of packets leaving the machine and the type of traffic that was coming in and out of the laptop. It appears that the IDS shut down the NIC. Nmap was having trouble. Simple pings had problems after the IDS shut the NIC down. The ultimate solution was to uninstall SEP after getting network accreditation to test.

Is this a known issue? Has anyone else experienced this? Fortunately, they did not have to use the web application vulnerability scanner, as I'm sure it would not have worked either.
