Symantec Endpoint Protection #SEP #Broadcom behind firewalled network + proxy server

I have been struggling with this problem for a long time. Eventually I found out the solution, so I decided to describe my experience.

At the beginning I'm going to briefly describe our configuration. There's a company LAN with a dozen VLANs and ~170 PCs (laptops, desktops and servers/VMs). Symantec (now Broadcom) Endpoint Protection (SEP) is installed on each computer. Our network is strictly firewalled, meaning all direct inbound AND outbound traffic is blocked on our firewall. For a normal PC, reaching the Internet is possible only through the internal Proxy Server (which is also pretty restricted). The proxy connection isn't forced (outbound traffic isn't redirected), so web browsers are fully aware of going through the Proxy Server (just like the SEP Client is).

PROBLEM

Even though the SEP Client was configured to use our Proxy, we constantly had problems with random (different) desktops. The only rule I noticed was

The first point is pretty explicable: laptops connected at a user's home had the possibility to download updates there. But not every desktop connected to the company's LAN experienced such problems. The majority of desktops were OK (or at least not in an at-risk state, although they didn't always have the latest virus definitions). It wasn't easy to notice the rule. During the COVID-19 pandemic many desktops were running at the office all the time and users logged in to them remotely.

SOLUTION

Honestly, I still don't know why desktops which were rebooted every day didn't have problems with downloading definitions while desktops which stayed up all the time did. My suspicion is that on systems with long uptime Windows couldn't connect to some Microsoft servers for a long time and then turned offline mode on (at least for the Local System Account).

What I did was:

To enable proxy settings you must first run Internet Explorer as the Local System Account. To do so you need to download & install the PsExec package (direct link). Once installed, type in a command line:

psexec -s -i "%programfiles%\Internet Explorer\iexplore.exe"

Then configure your proxy settings as usual. Don't forget to add your company's root CA certificate in this IE session if it's needed (only when you decrypt SSL traffic on the proxy server).

Apart from changing the IE proxy settings, I added the following registry setting (contents of a .reg file):

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"Globaluseroffline"=dword:00000000
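The same two changes (proxy settings and the offline flag for the Local System Account), as an added PowerShell example that is not part of the original post: when launched with psexec -s the script's HKCU: is the SYSTEM account's own hive (HKU\S-1-5-18), so the values land where the IE-as-SYSTEM procedure above writes them, and it finishes with a request to the LiveUpdate host through the proxy to show whether that account can actually get out. The proxy address and the script file name are placeholders.

```powershell
# Added example (not from the original post). Run elevated as SYSTEM, e.g.:
#   psexec -s -i powershell.exe -ExecutionPolicy Bypass -File .\Fix-SystemProxy.ps1
# Under SYSTEM, HKCU: resolves to that account's own hive (HKU\S-1-5-18).
param(
    [string]$ProxyServer = 'proxy.example.internal:3128',   # placeholder, not from the post
    [string]$TestUrl     = 'https://liveupdate.symantecliveupdate.com/'
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Report who we are and what WinINET currently thinks about proxy/offline state.
function Get-WinInetState {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User              = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ProxyEnable       = $p.ProxyEnable
        ProxyServer       = $p.ProxyServer
        GlobalUserOffline = $p.GlobalUserOffline
    }
}

Write-Host 'Before:'; Get-WinInetState | Format-List

# Enable the proxy and clear the "work offline" flag, as the post describes.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name ProxyEnable       -Value 1            -Type DWord
Set-ItemProperty -Path $key -Name ProxyServer       -Value $ProxyServer -Type String
Set-ItemProperty -Path $key -Name GlobalUserOffline -Value 0            -Type DWord

Write-Host 'After:'; Get-WinInetState | Format-List

# Connectivity check from this account's context through the proxy. Any HTTP
# reply (even 403/404) proves the path works; a timeout or connect error does not.
try {
    $r = Invoke-WebRequest -Uri $TestUrl -Proxy "http://$ProxyServer" -UseBasicParsing -TimeoutSec 30
    Write-Host "Reached $TestUrl via proxy, HTTP $($r.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        Write-Host "Proxy path works; server answered HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        Write-Warning "No HTTP reply through proxy: $($_.Exception.Message)"
    }
}
```

Run it once before making any change to capture the "Before:" state; a GlobalUserOffline of 1 under the SYSTEM account is the condition the post suspects.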

I'm not sure which of the above options solved the problem (or maybe both?), but thankfully our desktops can now download virus definitions without any problems.

I'm glad if this short tutorial has helped someone.

ADDED LATER

Another important issue related to downloading virus definitions I noticed later: the connection to https://liveupdate.symantecliveupdate.com hangs very often (every 3rd connection!). I immediately suspected our company's router (because it worked fine on a VPS outside our network). I changed the TCP session timeout in the NAT section from the default 1800 seconds to 120 seconds. Probably there were too many established connections from our router's public IP to the Symantec cloud/site. By shortening the TCP NAT session timeout I reduced the number of concurrent connections, and it did help.

06/2021, MS [ marek[0] helion [D0T] pl ]