Endpoint Protection

  • 1.  SEP 12 breaks Oracle jinitiator forms server access

    Posted May 18, 2012 11:36 AM

    We recently upgraded clients from SEP 11 to 12.1 and the 12.1.1101.401 latest.  With full SEP 12 features including IPS on XP with IE 7, when the user launches Oracle Developer Forms the browser locks and event 1000 is logged.  We tried disabling the IPS add-on in IE and added compatibility mode on other test machines in IE 8; the web site is in the trusted intranet zone and all users have the issue.  If we install just the SEP 12 AV only or go back to SEP 11 full client it works.

    No blocked event is logged in Symantec.  Need to kill the iexplore.exe task to gain access to PC again.  Tried replacing the JVM.DLL from the newer Java 1.7 and still errors out.

    In the SEP IPS exclusion list on the SEPM server I do not see a matching browser exclusion for this or maybe I cannot find it in the 3000 + items I can pick from.

    Anyone have a solution?

    Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912

    Faulting module name: jvm.dll, version: 0.0.0.0, time stamp: 0x42527311

    Exception code: 0xc0000005

    Fault offset: 0x00050b58

    Faulting process id: 0xb34

    Faulting application start time: 0x01cd34fbf3bc6d7e

    Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe

    Faulting module path: C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll

    Report Id: 31e9962b-a0ef-11e1-8604-000fb059306e
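
Added example (not part of the original post): a small Python parser that decodes the Event ID 1000 record quoted above, turning the hex exception code, PE build time stamps and FILETIME start time into readable values. The `NTSTATUS` table is a small selection chosen for this example, and the function and field names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Event ID 1000 fields as posted above (Report Id omitted).
EVENT_TEXT = r"""Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: jvm.dll, version: 0.0.0.0, time stamp: 0x42527311
Exception code: 0xc0000005
Fault offset: 0x00050b58
Faulting process id: 0xb34
Faulting application start time: 0x01cd34fbf3bc6d7e
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll
"""

# Small selection of NTSTATUS codes seen in crash events (not exhaustive).
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000374: "STATUS_HEAP_CORRUPTION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}
IMAGE = re.compile(r"(?P<name>[^,]+), version: [^,]+, time stamp: (?P<ts>0x[0-9a-f]+)", re.I)

def pe_timestamp(hexval):  # PE TimeDateStamp: seconds since 1970-01-01 UTC
    return datetime.fromtimestamp(int(hexval, 16), timezone.utc)

def filetime(hexval):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    ticks = int(hexval, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_event_1000(text):
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # blank or malformed line
        key, m = key.lower(), IMAGE.fullmatch(value)
        if m and key.endswith("name"):
            kind = "module" if "module" in key else "app"
            rec[kind], rec[kind + "_built"] = m["name"], pe_timestamp(m["ts"])
        elif key == "exception code":
            code = int(value, 16)
            rec["exception"] = NTSTATUS.get(code, f"unknown 0x{code:08x}")
        elif key in ("fault offset", "faulting process id"):
            rec["offset" if "offset" in key else "pid"] = int(value, 16)
        elif key == "faulting application start time":
            rec["started"] = filetime(value)
        elif key.endswith("path"):
            rec["module_path" if "module" in key else "app_path"] = value
    return rec

if __name__ == "__main__":
    for field, value in parse_event_1000(EVENT_TEXT).items():
        print(f"{field:13} {value}")
```

For this record it reports STATUS_ACCESS_VIOLATION in a jvm.dll whose PE time stamp decodes to 2005-04-05, in a browser process started on 2012-05-18. Windows raises the same status code for DEP violations.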



  • 2.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Broadcom Employee
    Posted May 18, 2012 11:44 AM

    Open a support ticket.

    What's the setting for Download Insight? Can you decrease it and check?



  • 3.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Trusted Advisor
    Posted May 18, 2012 11:45 AM

    Hello,

    Check this article:

    Unable to open Oracle related intranet URL on Internet Explorer browser when Advanced Download Protection feature enabled.

    http://www.symantec.com/docs/TECH166379

    Add intranet URL to the local intranet list of Internet Explorer browser 
      1.   Open IE.
      2.   Click Tools - Internet Options.
      3.   Go to the Security tab.
      4.   Select Local intranet.
      5.   Click on Sites button. 
      7.   Click Advanced.
      8.   Enter intranet URL in the section "Add the website to the zone".
      9.   Click on Add button to add it.
    10.   Click on Close 
    11.   Click on OK.

     

    Also, check this link on creating Oracle-related exceptions.

    http://www.symantec.com/business/support/index?page=content&id=TECH134383

    Exclusions could be set for the following extensions:

    .dbf - database file
    .log - Online Redo Log
    .rdo - Online Redo Log
    .arc - Archive log
    .ctl - Control files

    Customers should contact Oracle Support for a full list of files and extensions that should be excluded from scans.

    Note:  Wildcard variables such as * and ? are not supported by Symantec Antivirus or Endpoint Protection.

    IMPORTANT : Symantec does not advise excluding entire directories (such as the Oracle database directory and subdirectories) from scanning as this poses a potential high security risk. Additionally you should not exclude any temp files or folders as these can be a target for security risks.

    Also check this thread:

    https://www-secure.symantec.com/connect/forums/scan-exclusions-oracle

    Hope that helps!!



  • 4.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Posted May 18, 2012 03:24 PM

    Added our full Oracle server intranet URL, no go.  Root *.domain already in Intranet Zone.
    Added 5 extensions to global exclusions policy for all activities.
    Disabled "Download Insight" in policy.
    Disabled SONAR in policy.
    No go.
    Is there a SEP advanced logging I can enable to get some events recorded?  Only getting the event ID 1000 from above in the Windows logs.

    Thanks.

     



  • 5.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Trusted Advisor
    Posted May 18, 2012 03:44 PM

    Hello,

     

    In this case, I would suggest you create a case with Symantec Technical Support.

    You can either call Symantec to create a case or log a web case.

    QuickStart Guide - Create and Manage Support Cases in SymWISE

    http://www.symantec.com/docs/HOWTO31132

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023

    OR

    Regional Support Telephone Numbers:

    United States: https://support.broadcom.com (407-357-7600 from outside the United States)

    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

    United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

     

    Hope that helps!!



  • 6.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Posted May 22, 2012 07:34 AM

    I will look into opening a case.  If there are other ideas in the meantime please post.  If they provide a solution I will update.

     

    Thanks..



  • 7.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Posted May 23, 2012 02:36 PM

    I seem to be having some success with SEP 12 and this option.

    "Turn off DEP inside of Internet Explorer. Click on Tools, Internet Options, then the advanced tab. Scroll down to Security and uncheck "Enable memory protection to help mitigate online attacks".  Restart the browser."

    Some XP + IE 7 or XP + IE 8 machines are working now.  None of the Windows 7 IE 8 or 9 machines work when the setting is changed.  Just updating the post.

     

     

     



  • 8.  RE: SEP 12 breaks Oracle jinitiator forms server access

    Posted May 24, 2012 01:36 PM

    As a short-term fix, we have also found that for some machines, if unchecking the IE "enable memory protection..." setting alone does not allow it to launch, also disabling the Symantec Intrusion Protection browser add-on works for the PC.  Especially in Windows 7 with IE 8.  Maybe there is a Symantec exclusion somewhere, as disabling the IPS for all computers is not our first choice.  Just as good not to install it.

    Thanks.