Kavinda Munasinghe's Blog



 Monday, June 09, 2008
Posted by Kavinda Munasinghe on Monday, June 09, 2008 1:32:05 PM (Sri Lanka Standard Time, UTC+05:30)

For various reasons you may need to move Symantec Endpoint Protection Manager from one server to another. By another server I mean one with a different IP address and host name.

I needed to do this some time back, one of the reasons being a conflict for port 80 on IIS. The Windows Server Update Services (WSUS) Self Update service accesses the WSUS server on port 80, and Symantec Endpoint Protection Manager also installs its website on port 80. The event log showed an error "Self-update is not working" with Event ID 13042.

Your reasons for moving Symantec Endpoint Protection Manager to another server may be different, but either way, here is how I did it.

Looking around the web you'd find that there are 2 ways of getting around this:

1. Replication Method
2. Backup-Restore Method

Out of the two the replication method seemed to make more sense, and looked the easiest to get done.

In summary what we need to do is:

  1. Install SEPM on a new server
  2. Configure it for replication with the first site
  3. Change the priorities of the management servers to reflect that this new server is of higher priority, or simply assign all groups to this new server.
  4. Uninstall the old SEPM


Here is how you do that, step-by-step:

  1. First install Symantec Endpoint Protection Manager on a new server
  2. When you get to the Management Server Configuration Wizard panel, go through with the Advanced Configuration type; Select how many computers will be managed by this server
  3. Choose to Install an additional site. This is the only option that will install a Management Server and a database for replication.
  4. In the Server Information panel, accept or change the default values and then click Next
  5. In the Site Information panel, accept or change the name in the Site Name box and then click Next. The Site Name cannot be the same as what you have on your other SEPM.
  6. In the Replication Information panel, type values in the following boxes:
       Replication Server Name (The Name or IP address of the old Symantec Endpoint Protection Manager)
       Replication Server Port (The default is 8443)
       Administrator Name (The Username used to log on to the old console)
       Password (The password used to log on to the old console.)
  7. Click Next
  8. In the Certificate Warning dialog box, click Yes
  9. In the Database Server Choice panel select either the Embedded database or the Microsoft SQL Server irrespective of what you have on your old server and click Next to complete the installation.
  10. Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the clients and policies have been migrated successfully
  11. Click Policies
  12. Click Policy Components
  13. Click Management Server Lists.
  14. Select the Default Management Server List for 'NEW SEPM'
  15. Click Assign the List
  16. Select all the locations and groups, and click Assign to replace the existing Management Server List (the one with the old server) with the new one.
  17. Wait for all the clients to reflect this change and connect to the new server. You can go through the log entries, or look at the Clients tab of the new SEPM, where you'd see a computer icon with a green dot for the clients connected to it, and a computer icon with a red arrow for the clients still connected to the other server.

    After the successful migration, I let this configuration run for a few days before doing the following:

  18. Uninstall the old Symantec Endpoint Protection Manager (SEPM)
  19. Log in to the new SEPM and delete the old SEPM server from the Replication partners list and the Remote Sites
  20. Under the Management Server Lists Policy Component, Delete the Default Management Server List for 'OLD SEPM'


The original of the above steps can be found at: https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=5911. I've edited the above based on my experience to hopefully bring in a little bit of clarity.

This worked for me perfectly and I hope this works for you too. However, it's advisable to first read Best Practices for Disaster Recovery with Symantec Endpoint Protection and be prepared for the worst.




Categories: How To | Symantec



 Friday, May 30, 2008
Posted by Kavinda Munasinghe on Friday, May 30, 2008 9:48:53 AM (Sri Lanka Standard Time, UTC+05:30)

The Firefox team is trying to set the record for most software downloads in 24 hours with the upcoming Firefox 3 release. If you want to help out with this effort visit the Firefox Download Day 2008 Website and make a pledge.

Download Day 2008

I switched to Firefox 3 from Firefox 2 since the initial beta releases and now run the release candidate. I’m definitely loving it.




Categories: Internet



 Tuesday, May 27, 2008
Posted by Kavinda Munasinghe on Tuesday, May 27, 2008 1:15:56 PM (Sri Lanka Standard Time, UTC+05:30)

What’s wrong in the email that I got below? Well for one thing, I didn’t try to reset my password, and the email doesn’t tell me what to do if I was not the one who initiated this password reset process.

[Image: Google Password Reset Attempt]


Someone had recently attempted to reset my Google Account password. I'm not sure if this happened by accident or if it was an intentional attempt to gain access to my account. Either way, it got me thinking "What if someone stole my Google account? What can I do?" If you had your account stolen, what sort of impact is it going to have on your life?

If you've just been using it to access various Google services, you no longer will be able to access any of them. If you've been using Gmail with that account, then other online services that you've associated with it get compromised as well. For example, at http://digg.com you can retrieve a lost user name or password by simply entering your email address. What this means is, if someone stole your email account (that’s used with digg); they've basically taken over your digg account as well.

Life is going to be very frustrating and you'd need to recover from this situation as quickly as possible. Leaving aside all the freaking-out, head-banging and sobbing there is hope.

Google Accounts Help provides support when you face "issues that prevent you from accessing your account". However, if you want to have your problem solved quickly and efficiently you need to do your part and help out with some information regarding your account. The more you know the faster your turnaround time is going to be.

Some of the questions that you'd be asked to prove your ownership of the account include:

- Last successful login date
- Account creation date

- If you use Gmail:
    Most recent secondary email address
    Up to five frequently emailed contacts
    Names of up to four labels

- If you signed up via an invitation:
    Invitation URL (listed in your Gmail invitation)    
    The Gmail username of the person who invited you to create an account
    The email address to which your invitation was sent

- Google products you used with this account and the date you started using each one

While you are not required to answer all these, being able to answer at least some additional questions will definitely help your case. Knowing this, I took a few minutes to find the answers to some of these questions.  Just in case.




Categories: Google | Internet



 Thursday, May 22, 2008
Posted by Kavinda Munasinghe on Thursday, May 22, 2008 10:15:17 PM (Sri Lanka Standard Time, UTC+05:30)

The month of May seems to be a time for many SQL injection attacks around the world. Unfortunately one of the sites affected by these attacks happens to be one that is administrated by a friend of mine. As it so happens the site was also developed by a friend, and I'm sure we can have a good time reminding him to give SQL injections the respect they deserve for a long time to come.

Anyway, getting back to the attack, I was able to get a few logs to see what was happening first hand. Here is a (modified) extract of the IIS logs that show what had happened:

This particular attack, carried out from within China (WHOIS - 58.215.76.181), is pretty interesting: most of the SQL is obfuscated behind a very long hex string (CAST(0x HEX string)). I've removed the original string and replaced it with something harmless and much shorter in the above log entries.

The attacker has tried 2 slight variations of a SQL injection attack in the form of

1) /page.asp?pageID=2;SQLStatement;--

2) /page.asp?pageID=2';SQLStatement;--

The attacker keeps trying the above 2 combinations on different pages of the website till he gets a status 200 result, then leaves.

So what has the attacker done in his SQL statement?  To figure this out we can fire up SQL Server Management Studio and pretty much use the same code that the attacker used except that we substitute the EXEC with a PRINT to view the query.

-- Same statement the attacker sent, with EXEC replaced by PRINT so nothing is executed
DECLARE @S NVARCHAR(4000);
SET @S = CAST(0xuseTheActualHexString AS NVARCHAR(4000));
PRINT(@S);
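
The same decoding can be done offline against the web server log, without touching a database. The following is an added example, not part of the original post: it scans log lines for the CAST(0x...) pattern, notes which of the two variants was used and the status returned, and decodes the hex string to text. The log layout, the field order and the sample lines (with a harmless payload and documentation IP addresses) are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample data: simplified IIS W3C fields, assumed order
# date time method uri-stem uri-query client-ip status.
# The hex is the harmless text "PRINT 'test'" as UTF-16LE, not the real payload.
HARMLESS_HEX = "PRINT 'test'".encode("utf-16-le").hex().upper()
INJECT = (";DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + HARMLESS_HEX
          + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-05-20 03:11:07 GET /page.asp pageID=2 192.0.2.10 200",
    "2008-05-20 03:12:41 GET /page.asp pageID=2" + INJECT + " 192.0.2.77 500",
    "2008-05-20 03:12:43 GET /news.asp newsID=7%27" + INJECT + " 192.0.2.77 200",
])

# CAST(0x<hex> AS VARCHAR/NVARCHAR ...) inside a decoded query string.
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-F]+)\s+AS\s+(N?)VARCHAR", re.I)


def find_injections(log_text):
    """Return one dict per log line whose query carries a hex-encoded CAST."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # skip W3C header lines and lines in another layout
        query = unquote_plus(fields[4])
        match = CAST_RE.search(query)
        if not match:
            continue
        hex_str, wide = match.groups()
        if len(hex_str) % 2:
            hex_str = "0" + hex_str  # odd-length literal: pad to whole bytes
        # NVARCHAR data is UTF-16LE; plain VARCHAR is treated as Latin-1 here.
        text = bytes.fromhex(hex_str).decode(
            "utf-16-le" if wide else "latin-1", errors="replace")
        hits.append({
            "time": fields[0] + " " + fields[1],
            "page": fields[3],
            "client": fields[5],
            "status": int(fields[6]),
            # Variant 2 closes a string with ' before the first semicolon.
            "variant": 2 if query.split(";", 1)[0].endswith("'") else 1,
            "decoded": text,
        })
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(hit)
```

Hits that came back with status 200 are the requests worth following up first, since that is the result the attacker was probing for.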

The attacker had queried all the user tables and found the column names in each of these tables that are used to store string values, such as text, nvarchar or varchar. The query then adds a <script> tag with a URL pointing to a malicious .js file to each of the column values. The SQL had also been "nice" enough not to replace the original values and only append to them, and it even properly closes and deallocates the cursors used in the attack query!

The result of all that is that all the websites configured to use that database will start to display their pages as shown in the following Google search result. Innocent visitors of the site would in some cases be executing that .js file in their browser, which could cause all kinds of havoc depending on what is in the specified .js file.

[Image: SQL Injection Attack Victims]

Recovering from the attack is straightforward: use a clean backup of the database, or if you really wanted to, you could just remove the appended <script .. > portion from all the column data using the same script that was used to insert it.

But how do we prevent this from happening again? Well, that's another post. Just remember to give SQL injections the respect they deserve.




Categories: Internet | Miscellaneous | Scripting



 Wednesday, May 07, 2008
Posted by Kavinda Munasinghe on Wednesday, May 07, 2008 4:23:37 PM (Sri Lanka Standard Time, UTC+05:30)

Is your free disk space gradually vanishing after installing Symantec Endpoint Protection (SEP)?

If you have noticed this, check out the following locations on your hard drive

on Windows Vista:
[installed drive]:\ProgramData\Symantec\Definitions\VirusDefs  

or on older Microsoft OS versions such as Windows XP and Windows 2000:
[installed drive]:\Program Files\Common Files\Symantec Shared\VirusDefs

If it looks like this:

[Image: Symantec Endpoint Protection]

you may need to update your Symantec Endpoint Protection installation to Maintenance Release 2 (MR2).

I came across this problem while rolling out Symantec Endpoint Protection 11.0 on a portion of our network. Oddly enough the client PC's SEP installation (after updating to the latest virus definitions) had taken up to 2~3 GB of hard disk space! Something was wrong, or at least I thought so. After a quick check with SpaceMonger my suspicions were justified. It showed the culprit being the virus definitions folder, which contained hundreds of tmp*.tmp folders taking up more than a GB of disk space!

A quick look in the Symantec knowledge base told me that this was a common problem and that Symantec Endpoint Protection had just released its MR2, which has fixed this and many other issues according to the release notes.

You can check your installed version by clicking on "About" in the "Help and Support" icon on the SEP client interface. If the version number is lower than 11.0.2000.1567 you don't have SEP MR2 so you'll need to upgrade.

Upgrading is pretty straightforward. There is even an easy to follow step-by-step migration guide available. So start your upgrade now.

However, upgrading will not get rid of all the tmp*.tmp folders that already exist, you'll need to delete them on your own.




Categories: Software | Symantec



 Sunday, April 13, 2008
Posted by Kavinda Munasinghe on Sunday, April 13, 2008 10:23:19 AM (Sri Lanka Standard Time, UTC+05:30)

It's that time of the year again. Good times..

Suba Aluth Avruddak Vewa - 2008

 




Categories: Sri Lanka



 Wednesday, March 19, 2008
Posted by Kavinda Munasinghe on Wednesday, March 19, 2008 8:58:09 AM (Sri Lanka Standard Time, UTC+05:30)
[Image: Sci-fi guru Arthur C. Clarke]

It's a sad day today as I got to know that Sci-fi guru Sir Arthur C. Clarke had passed away.

"The only way to discover the limits of the possible is to go beyond them into the impossible."  -Arthur C. Clarke




Categories: News | Sri Lanka



 Monday, February 04, 2008
Posted by Kavinda Munasinghe on Monday, February 04, 2008 10:03:32 AM (Sri Lanka Standard Time, UTC+05:30)

Sri Lanka Flag - 60th Independence Day

The Democratic Socialist Republic of Sri Lanka celebrated its 60th anniversary since regaining its independence. During the period of 1505 to 1948 Sri Lanka was invaded and was under the rule of the Portuguese, Dutch and then British.

The President's Independence Day Message
"Sixty years is a small interlude to a country with a history and civilization dating back more than 2500 years. Yet, this 60th anniversary of Independence has its own significance as it marks the period since we achieved freedom after nearly half a millennium of colonial rule, and made our mark as a free people in the community of nations." ...

 




Categories: Sri Lanka



 Friday, January 18, 2008
Posted by Kavinda Munasinghe on Friday, January 18, 2008 11:07:46 AM (Sri Lanka Standard Time, UTC+05:30)

Since Merill has migrated to Australia, it looks like he won't be posting his usual "Add 200x Sri Lanka Holidays to Outlook" post this year. So this year I've compiled the list of holidays, and copied the instructions on how to add them into Outlook. Hope this helps.

Holidays

– – – – – – – – –  Start Copy – – – – – – – – –

[Sri Lanka] 25
Tamil Thai Pongal Day (BPM),2008/1/15
Duruthu Full Moon Poya Day (BPM),2008/1/22
National Day (BPM),2008/2/4
Navam Full Moon Poya Day (BPM),2008/2/20
Mahasivarathri Day (BP),2008/3/6
Milad-Un-Nabi (Holy Prophet’s Birthday) (BPM),2008/3/20
Medin Full Moon Poya Day (BPM),2008/3/21
Good Friday (BP),2008/3/21
Day Prior to Sinhala & Tamil New Year Day (BPM),2008/4/12
Sinhala & Tamil New Year Day (BPM),2008/4/13
Bak Full Moon Poya Day (BPM),2008/4/19
May Day (BPM),2008/5/1
Vesak Full Moon Poya Day (BPM),2008/5/19
Day following Vesak Full Moon Poya Day (BPM),2008/5/20
Poson Full Moon Poya Day (BPM),2008/6/18
Esala Full Moon Poya Day (BPM),2008/7/17
Nikini Full Moon Poya Day (BPM),2008/8/16
Binara Full Moon Poya Day (BPM),2008/9/14
Id-Ul-Fitr (Ramazan Festival Day) (BP),2008/10/01
Vap Full Moon Poya Day (BPM),2008/10/14
Deepavali Festival Day (BP),2008/11/27
Il Full Moon Poya Day (BPM),2008/11/12
Id-Ul-Alha (Hadji Festival Day) (BP),2008/12/9
Unduvap Full Moon Poya Day (BPM),2008/12/12
Christmas Day (BPM),2008/12/25

– – – – – – End Copy – – – – – – –

Instructions

A) Backup the existing Holiday file
   1. Exit Outlook if it is running.
   2. Locate Outlook.hol file and create a backup of it.
 Outlook 2007: drive:\Program Files\Microsoft Office\Office12\1033\Outlook.hol
 Outlook 2003: drive:\Program Files\Microsoft Office\Office11\1033\Outlook.hol

B) Update the Outlook Holiday file
   1. Exit Outlook if it is running.
   2. Open the Outlook.hol file in a text editor, such as Notepad.
   3. If you're doing this for the first time, copy and paste the above section between "Start Copy" and "End Copy" to the end of the Outlook.hol file. If you already have a section for the Sri Lanka Holidays, update your existing list with the above.
   4. Save and close Outlook.hol.

C) To update the Outlook calendar
   1. Start Outlook.
   2. On the Tools menu, click Options.
   3. On the Preferences tab, under Calendar, click Calendar Options.
   4. In the Calendar Options dialog box, under Calendar options, click Add Holidays.
   5. Select the check box "Sri Lanka" and click OK.

Note: If a set of holidays or events observed has already been selected in the Add Holidays to Calendar dialog box and you try to add the same again, you see the message, "Holidays for country are already installed. Do you want to install them again?" Click No. If you click Yes, the holidays and events are installed a second time, and you will see duplicate holiday and event entries in your calendar.
  
  
Links:
 Customize the Outlook calendar
 2006 Sri Lanka Holidays
 2007 Sri Lanka Holidays




Categories: Microsoft | Sri Lanka



 Tuesday, January 01, 2008
Posted by Kavinda Munasinghe on Tuesday, January 01, 2008 9:32:38 AM (Sri Lanka Standard Time, UTC+05:30)

[Image: Happy New Year]

A Relaxed Mind,
A Peaceful Soul,
A Joyful Spirit,
A Healthy Body &
Heart full of Love..
All these are my wishes for you.

Wish you all a very Happy New Year.




Categories: Personal






Copyright © 2008 Kavinda Munasinghe. All rights reserved.