Symantec Small Business Edition 12.1.2 Endpoint Protection Installation and Administration Guide
Symantec™ Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Product version: 12.1.2
Documentation version: 1
Legal Notice
Copyright © 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
  ■ Available memory, disk space, and NIC information
■ Operating system
  ■ Version and patch level
■ Network topology
  ■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan
Europe, Middle-East, and Africa
North America and Latin America [email protected]
Contents
Technical Support ... 4
Chapter 1 Introducing Symantec Endpoint Protection Small Business Edition ... 19
  About Symantec Endpoint Protection Small Business Edition ... 19
  What's new in Symantec Endpoint Protection Small Business Edition 12.1.2 ... 20
  About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides ... 23
  Protecting your network with Symantec Endpoint Protection Small Business Edition ... 25
  Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time ... 26
  Managing protection on client computers ... 30
  Maintaining the security of your environment ... 32
  Troubleshooting Symantec Endpoint Protection Small Business Edition ... 33
Section 1 Installing Symantec Endpoint Protection Small Business Edition ... 35
Chapter 2 Planning the installation ... 37
  Planning the installation ... 37
  Components of Symantec Endpoint Protection Small Business Edition ... 39
  System requirements for Symantec Endpoint Protection Small Business Edition ... 40
  Product license requirements ... 42
  About embedded database settings ... 45
Chapter 3 Installing Symantec Endpoint Protection Manager ... 47
  Installing Symantec Endpoint Protection Manager ... 47
  Configuring the management server during installation ... 49
  Uninstalling Symantec Endpoint Protection Manager ... 50
  About accepting the self-signed (SSL) server certificate for Symantec Endpoint Protection Manager ... 50
  What you can do from the console ... 53
Chapter 4 Managing product licenses ... 57
  Licensing Symantec Endpoint Protection ... 57
  About the trialware license ... 60
  About purchasing licenses ... 60
  Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license ... 62
    Required licensing contact information ... 64
    About the Symantec Licensing Portal ... 65
  About product upgrades and licenses ... 66
  About renewing your Symantec Endpoint Protection Small Business Edition license ... 66
  Checking license status ... 66
  About the licensing enforcement rules ... 67
  Backing up your license files ... 68
  Recovering a deleted license ... 68
  About multi-year licenses ... 69
  Licensing an unmanaged client ... 69
Chapter 5 Installing the Symantec Endpoint Protection Small Business Edition client ... 71
  Preparing for client installation ... 71
    About firewalls and communication ports ... 74
  About client deployment methods ... 75
    Which features should you install on the client? ... 76
    Deploying clients using a Web link and email ... 77
    Deploying clients by using Remote Push ... 79
    Deploying clients by using Save Package ... 81
  Restarting client computers ... 85
  About managed and unmanaged clients ... 85
  Installing an unmanaged client ... 86
  Uninstalling the Windows client ... 88
  Uninstalling the Mac client ... 88
Chapter 6 Upgrading Symantec Endpoint Protection Small Business Edition ... 91
  Upgrading to a new release of Symantec Endpoint Protection Small Business Edition ... 92
  Upgrade resources for Symantec Endpoint Protection Small Business Edition 12.1 ... 93
  Feature mapping between 12.0 clients and 12.1 clients ... 95
  Upgrading a management server ... 101
  Stopping and starting the management server service ... 101
  Supported upgrade paths for the Symantec Endpoint Protection Small Business Edition client ... 103
  About upgrading client software ... 103
  Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection Small Business Edition ... 104
Chapter 7 Migrating to Symantec Endpoint Protection Small Business Edition ... 105
  Migrating from Symantec AntiVirus or Symantec Client Security ... 106
  Supported and unsupported migration paths to Symantec Endpoint Protection Small Business Edition ... 108
  Supported and unsupported migration paths for the Mac client ... 110
  Disabling scheduled scans in Symantec System Center ... 110
  Disabling LiveUpdate in Symantec System Center ... 111
  Turning off the roaming service in Symantec System Center ... 111
  Unlocking server groups in Symantec System Center ... 112
  Turning off Tamper Protection in Symantec System Center ... 113
  Uninstalling and deleting reporting servers ... 113
  About computer groups imported with the Migration Wizard ... 114
  Importing group settings and policy settings with the Migration Wizard ... 114
Section 2 Managing groups, clients, and administrators ... 117
Chapter 8 Managing groups of client computers ... 119
  Managing groups of computers ... 119
  How you can structure groups ... 121
  Adding a group ... 122
  Blocking client computers from being added to groups ... 122
  Moving a client computer to another group ... 123
  Best practices for managing portable computers ... 123
Chapter 9 Managing clients ... 125
  Managing client computers ... 125
  How to determine whether the client is connected in the console ... 127
  Viewing the protection status of clients and client computers ... 128
  Searching for information about client computers ... 129
  About commands that you can run on client computers ... 132
  Running commands on the client computer from the console ... 134
  Ensuring that a client does not restart ... 134
Chapter 10 Managing administrator accounts and passwords ... 137
  Managing administrator accounts ... 137
  About administrator account roles and access rights ... 138
  Adding an administrator account ... 139
  Configuring the access rights for a limited administrator ... 140
  Changing the password for an administrator account ... 140
  Allowing administrators to reset forgotten passwords ... 141
  Sending a temporary password to an administrator ... 142
Section 3 Managing protection and customizing policies ... 145
Chapter 11 Using policies to manage security ... 147
  Performing the tasks that are common to all policies ... 147
  The types of security policies ... 149
  Adding a policy ... 151
  Editing a policy ... 151
  Copying and pasting a policy ... 152
  Locking and unlocking Virus and Spyware policy settings ... 153
  Assigning a policy to a group ... 153
  Viewing assigned policies ... 154
  Replacing a policy ... 155
  Exporting and importing individual policies ... 155
  How the client computers get policy updates ... 156
  Manually updating policies on the client ... 157
Chapter 12 Managing Virus and Spyware Protection
  Remediating risks on the computers in your network ... 162
    Identifying the infected and at-risk computers ... 164
  Managing scans on client computers ... 165
    About the types of scans and real-time protection ... 167
    About the types of Auto-Protect ... 170
    About virus and security risks ... 172
  Setting up scheduled scans that run on Windows computers ... 182
  Setting up scheduled scans that run on Mac computers ... 185
  Running on-demand scans on client computers ... 185
  Adjusting scans to improve computer performance ... 187
  Adjusting scans to increase protection on your client computers ... 189
  Managing Download Insight detections ... 191
  About submitting information about detections to Symantec Security Response ... 198
  About submissions throttling ... 199
  Enabling or disabling client submissions to Symantec Security Response ... 199
  Managing the Quarantine ... 202
  About the pop-up notifications that appear on the clients that run Windows 8 ... 205
  Managing early launch anti-malware (ELAM) detections ... 206
Chapter 13 Customizing scans ... 209
  Customizing Auto-Protect for Windows clients ... 211
  Customizing Auto-Protect for Mac clients ... 212
  Customizing administrator-defined scans for the clients that run on Windows computers ... 215
  Modifying global scan settings for Windows clients ... 218
  Customizing Download Insight settings ... 219
  Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection ... 220
  Allowing users to view scan progress and interact with scans ... 222
Chapter 14 Managing SONAR ... 225
  About SONAR ... 225
  Managing SONAR ... 227
  Monitoring SONAR detection results to check for false positives ... 229
  Enabling or disabling SONAR ... 230
Chapter 15 Managing Tamper Protection ... 231
  About Tamper Protection ... 231
  Changing Tamper Protection settings ... 232
Chapter 16 Managing firewall protection ... 233
  Managing firewall protection ... 233
    How a firewall works ... 234
    About the Symantec Endpoint Protection firewall ... 235
  Creating a firewall policy ... 237
    Enabling and disabling a firewall policy ... 238
    Adjusting the firewall security level ... 239
  Managing firewall rules ... 240
    Changing the order of firewall rules ... 242
    How the firewall uses stateful inspection ... 242
    About firewall rule application triggers ... 243
    About firewall rule host triggers ... 245
    About firewall rule network services triggers ... 247
  Setting up firewall rules ... 248
    Adding a new firewall rule ... 248
    Copying and pasting firewall rules ... 249
    Customizing firewall rules ... 250
Chapter 17 Managing intrusion prevention ... 259
  Managing intrusion prevention on your client computers ... 259
  How intrusion prevention works ... 261
  About Symantec IPS signatures ... 262
  Creating exceptions for IPS signatures ... 264
Chapter 18 Managing exceptions ... 267
  About exceptions to Symantec Endpoint Protection Small Business Edition ... 267
  Managing exceptions for Symantec Endpoint Protection Small Business Edition ... 268
  Creating exceptions for Symantec Endpoint Protection Small Business Edition ... 270
    Excluding a file or a folder from scans ... 274
    Excluding known risks from virus and spyware scans ... 275
    Excluding file extensions from virus and spyware scans ... 276
    Specifying how Symantec Endpoint Protection Small Business Edition handles monitored applications ... 277
    Excluding a trusted Web domain from scans ... 278
    Creating a Tamper Protection exception ... 279
  Creating exceptions from log events in Symantec Endpoint Protection Manager ... 280
Chapter 19 Configuring updates and updating client computer protection ... 283
  Managing content updates ... 283
    How client computers receive content updates ... 285
  Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager ... 287
  Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager ... 288
  Viewing LiveUpdate downloads ... 288
  Checking LiveUpdate server activity ... 288
    Symantec LiveUpdate ... 289
Chapter 20 Monitoring protection with reports and logs
  Monitoring endpoint protection ... 293
    Viewing a daily or weekly status report ... 296
    Viewing system protection ... 297
    Finding offline computers ... 298
    Finding unscanned computers ... 298
    Viewing risks ... 299
    Viewing the status of deployed client computers ... 300
    Viewing attack targets and sources ... 300
    Generating a list of the Symantec Endpoint Protection Small
  Configuring reporting preferences ... 302
  About the types of reports ... 303
  Running and customizing quick reports ... 304
  Saving and deleting custom reports ... 306
  Creating scheduled reports ... 307
  Editing the filter used for a scheduled report ... 308
  Printing and saving a copy of a report ... 309
  Viewing logs ... 310
    What you can do from the logs ... 311
    Saving and deleting custom logs by using filters ... 313
  Running commands from the computer status log ... 315
Chapter 21 Managing notifications ... 317
  Managing notifications ... 317
    How notifications work ... 318
    About partner notifications ... 322
  Viewing and acknowledging notifications ... 323
  Saving and deleting administrative notification filters ... 324
  Setting up administrator notifications ... 325
Section 4 Configuring and managing Symantec Endpoint Protection Manager
Chapter 22 Managing the connection between the management server and the client computers ... 331
  Managing the client-server connection ... 331
  How to determine whether the client is connected and protected ... 332
  Exporting the client-server communications file manually ... 336
  Importing client-server communication settings into the client ... 337
Chapter 23 Preparing for disaster recovery ... 339
  Preparing for disaster recovery ... 339
  Backing up the database and logs ... 340
Section 5 Troubleshooting Symantec Endpoint Protection Small Business Edition
Chapter 24 Performing disaster recovery ... 345
  Performing disaster recovery ... 345
  Reinstalling or reconfiguring Symantec Endpoint Protection Manager ... 346
  Restoring the database ... 347
Chapter 25 Troubleshooting installation and communication problems ... 349
  Identifying the point of failure of an installation ... 350
    Stopping and starting the Apache Web server ... 353
    Checking the debug log on the client computer ... 354
    Checking the inbox logs on the management server ... 354
    Restoring client-server communication settings by using the SylinkDrop tool ... 355
    Verifying the connection with the database ... 357
Chapter 26 Troubleshooting reporting issues ... 359
  Troubleshooting reporting issues ... 359
Appendix A Differences between Mac and Windows features ... 363
  Client protection features by platform ... 363
  Management features by platform ... 364
  LiveUpdate policy settings available for Windows and Mac ... 367
Index
Chapter 1 Introducing Symantec Endpoint Protection Small Business Edition
This chapter includes the following topics:
■ About Symantec Endpoint Protection Small Business Edition
■ What's new in Symantec Endpoint Protection Small Business Edition 12.1.2
■ About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides
■ Protecting your network with Symantec Endpoint Protection Small Business Edition
■ Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time
■ Managing protection on client computers
■ Maintaining the security of your environment
■ Troubleshooting Symantec Endpoint Protection Small Business Edition
About Symantec Endpoint Protection Small Business Edition
Symantec Endpoint Protection Small Business Edition is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware. Symantec Endpoint Protection Small Business Edition combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats.
Symantec Endpoint Protection Small Business Edition protects against malware such as viruses, worms, Trojan horses, spyware, and adware. It provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance and high power, Symantec Endpoint Protection Small Business Edition communicates over your network to automatically safeguard both physical systems and virtual systems against attacks.
This comprehensive solution protects confidential and valuable information by combining multiple layers of protection on a single integrated client. Symantec Endpoint Protection Small Business Edition reduces management overhead, time, and cost by offering a single management console for clients.
See “About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides” on page 23.
What's new in Symantec Endpoint Protection Small Business Edition 12.1.2
Table 1-1 describes the new features in the latest version of Symantec Endpoint Protection Small Business Edition.
Table 1-1 New features in Symantec Endpoint Protection Small Business Edition 12.1.2

Feature: System requirements
Description: Symantec Endpoint Protection Small Business Edition now supports additional new platforms and configurations.
You can now install Symantec Endpoint Protection Manager on the following operating systems:
■ Windows 8
■ Windows Server 2012
You can now install the Symantec Endpoint Protection Small Business Edition client on the following operating systems:
■ Windows 8 and Windows Server 2012
■ Mac OS X 10.8, Mountain Lion
■ Mac OS X case-sensitive formatted volumes
You can now use Symantec Endpoint Protection Manager from the following browsers:
■ Microsoft Internet Explorer 10
■ Google Chrome
For the complete list of system requirements:
See “System requirements for Symantec Endpoint Protection Small Business Edition” on page 40.
See the knowledge base article: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
Table 1-1 New features in Symantec Endpoint Protection Small Business Edition 12.1.2 (continued)

Feature: Installation
Description: The Client Deployment Wizard includes the following changes:
■ The Client Deployment Wizard includes the Communication Update Package Deployment option to push the communications file (Sylink.xml) to the client in a client installation package. You use the Sylink.xml file to convert an unmanaged client to a managed client, or to manage a previously orphaned client. In previous releases, you needed to export the Sylink.xml file from the management server, and import Sylink.xml to each client.
See “Restoring client-server communications by using a client installation package” on page 336.
See “Why do I need to replace the client-server communications file on the client computer?” on page 333.
■ The Client Deployment Wizard searches the network faster to find the computers that do not have the client software installed.
■ The Client Deployment Wizard includes the Automatically uninstall existing security software option so that a security software removal feature can uninstall third-party security products from the client computer. The feature removes security software before the client installation package installs the client software. With version 12.1.2, the feature removes more than 40 additional third-party products.
For a list of products that the third-party security software removal feature uninstalls, see the knowledge base article: About the third-party security software removal feature in Symantec Endpoint Protection 12.1
See “Deploying clients using a Web link and email” on page 77.
See “Deploying clients by using Remote Push” on page 79.
See “Deploying clients by using Save Package” on page 81.
You can download and run a new diagnostic tool on the management server and client to help you diagnose common issues before and after installation. The Symantec Help tool enables you to resolve product issues yourself instead of calling Support.
See “Troubleshooting computer issues with the Symantec Help support tool” on page 349.
See the knowledge base article at the following URL: Symantec Help (SymHelp)

Feature: Remote management
Description: Symantec Endpoint Protection provides public support to remotely manage and monitor the client and the management server. New Web services let you write your own tools to perform the following tasks remotely:
■ Run commands on the client to remediate threat situations.
■ Export policies from the server.
■ Apply policies to clients across servers.
■ Monitor license status and content status on the management server.
Documentation and other tools for remote monitoring and management support appear in the Web services SDK, located in the following folder on the installation disc: /Tools/Integration/SEPM_WebService_SDK
Table 1-1 New features in Symantec Endpoint Protection Small Business Edition 12.1.2 (continued)

Feature: Windows 8 features
Description:
■ Support for the Microsoft Windows 8 style user interface, including toast notifications for critical events.
■ Support for Windows 8 and Windows Server 2012.
■ Windows 8 Early Launch Anti-Malware (ELAM) support provides a Microsoft-supported way for anti-malware software to start before all other third-party components. In addition, vendors can now control the launching of third-party drivers, depending on trust levels. If a driver is not trusted, it can be removed from the boot sequence. ELAM support makes more efficient rootkit detection possible.
See page 207.

Feature: Protection features
Description: Virus and Spyware Protection:
■ Full support for the Microsoft Windows 8 style user interface.
Exceptions:
■ Added support for HTTPS in trusted Web domain exceptions.
■ Common variables in exceptions now apply to 64-bit applications as well as 32-bit applications.
See “Excluding a file or a folder from scans” on page 274.

Feature: LiveUpdate
Description: A link on the client Status page now lets end users quickly and easily confirm that the client has the most current content. The link displays the content version dialog box, where a new column lists the last time that the client checked each content type for updates. Users can be more confident that their client updates correctly and has the latest protection.
About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides
You need combinations of all the protection technologies to fully protect and customize the security in your environment. Symantec Endpoint Protection Small Business Edition combines traditional scanning, behavioral analysis, intrusion prevention, and community intelligence into a superior security system.
Table 1-2 describes the types of protection that the product provides and their benefits.
Table 1-2 Layers of protection

Protection type: Virus and Spyware Protection
Description: Virus and Spyware Protection protects computers from viruses and security risks, and in many cases can repair their side effects. The protection includes real-time scanning of files and email as well as scheduled scans and on-demand scans. Virus and spyware scans detect viruses and the security risks that can put a computer, as well as a network, at risk.
Security risks include spyware, adware, and other malicious files.
See “Managing scans on client computers” on page 165.
Benefit: Virus and Spyware Protection detects new threats earlier and more accurately using not just signature-based and behavioral-based solutions, but other technologies as well.
■ Symantec Insight provides faster and more accurate malware detection to find the new and the unknown threats that other approaches miss. Insight identifies new and zero-day threats by using the collective wisdom of millions of systems in hundreds of countries.
■ Bloodhound uses heuristics to detect known and unknown threats.
■ Auto-Protect scans files from a signature list as they are read from or written to the client computer.

Protection type: Network Threat Protection
Description: Network Threat Protection provides a firewall and an intrusion prevention system to prevent intrusion attacks and malicious content from reaching the computer that runs the client software.
■ The firewall allows or blocks network traffic based on the various criteria that the administrator sets. If the administrator permits it, end users can also configure firewall policies.
■ The Intrusion Prevention System (IPS) analyzes all the incoming and the outgoing information for the data patterns that are typical of an attack. It detects and blocks malicious traffic and attempts by outside users to attack the client computer. Intrusion prevention also monitors outbound traffic and prevents the spread of worms.
Benefit:
■ The rules-based firewall engine blocks malicious threats before they can harm the computer.
■ The IPS scans network traffic and files for indications of intrusions or attempted intrusions.
■ Browser Intrusion Prevention scans for the attacks that are directed at browser vulnerabilities.
■ Universal download protection monitors all downloads from browsers and validates that the downloads are not malware.
See “Managing firewall protection” on page 233.
See “Managing intrusion prevention on your client computers” on page 259.
Table 1-2 Layers of protection (continued)

Protection type: Proactive Threat Protection
Description: Proactive Threat Protection uses SONAR to protect against zero-day attack vulnerabilities in your network. Zero-day attack vulnerabilities are the new vulnerabilities that are not yet publicly known. Threats that exploit these vulnerabilities can evade signature-based detection, such as spyware definitions. Zero-day attacks may be used in targeted attacks and in the propagation of malicious code. SONAR provides real-time behavioral protection by monitoring processes and threats as they execute.
Benefit: SONAR examines programs as they run, and identifies and stops malicious behavior of new and previously unknown threats. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats.
See page 227.

The management server enforces each protection by using an associated policy that is downloaded to the client.
See “Components of Symantec Endpoint Protection Small Business Edition” on page 39.
Protecting your network with Symantec Endpoint Protection Small Business Edition
You protect the computers in your network by installing and managing the Symantec Endpoint Protection Manager and the Symantec Endpoint Protection Small Business Edition client.
Table 1-3 outlines the main high-level tasks that you need to do to use Symantec Endpoint Protection Small Business Edition.
Table 1-3 Steps to set up, configure, and manage Symantec Endpoint Protection Small Business Edition

Task: Setting up Symantec Endpoint Protection Small Business Edition
Description: You can install Symantec Endpoint Protection Manager and the Symantec Endpoint Protection Small Business Edition client and protect your network in a few easy steps.
See “Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time” on page 26.

Task: Managing Symantec Endpoint Protection Small Business Edition
Description: Symantec Endpoint Protection Manager comes with default settings and policies so that your network is protected immediately after you install. You can modify these settings to suit your network environment.
See “Managing protection on client computers” on page 30.

Task: Maintaining a secure network environment
Description: You might need to perform some ongoing maintenance to keep your network environment running smoothly at peak performance. For example, you must back up the database in case you need to perform disaster recovery.
See “Maintaining the security of your environment” on page 32.

Task: Troubleshooting Symantec Endpoint Protection Small Business Edition
Description: If you have problems installing or using the product, Symantec Endpoint Protection Manager includes resources to help fix common issues, such as client-server communication and virus outbreaks.
See “Troubleshooting Symantec Endpoint Protection Small Business Edition” on page 33.

See “Components of Symantec Endpoint Protection Small Business Edition” on page 39.
Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time
You should assess your security requirements and decide if the default settings provide the balance of performance and security that you require. Some performance enhancements can be made immediately after you install Symantec Endpoint Protection Manager.
Table 1-4 lists the tasks that you should perform to install and protect the computers in your network immediately.
Table 1-4 Tasks to install and configure Symantec Endpoint Protection Small Business Edition

Action: Install, upgrade, or migrate the management server
Description: Whether you install the product for the first time, upgrade from a previous version, or migrate from another product, you install Symantec Endpoint Protection Manager first.
See “Installing Symantec Endpoint Protection Manager” on page 47.
See “Upgrading to a new release of Symantec Endpoint Protection Small Business Edition” on page 92.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.

Action: Create groups
Description: You can add groups that contain computers based on the level of security or function the computers perform. For example, you should put computers with a higher level of security in one group, or a group of Mac computers in another group.
See “How you can structure groups” on page 121.
See page 122.
See “Best practices for managing portable computers” on page 123.
See “What you can do from the console” on page 53.

Action: Activate the product license
Description: Purchase and activate a license within 30 days of product installation.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.

Action: Prepare computers for remote client installation (optional)
Description: If you deploy client software remotely, first modify the firewall settings on your client computers to allow communication between the computers and the management server.
See “Preparing Windows operating systems for remote deployment” on page 72.
See “About firewalls and communication ports” on page 74.
See “Preparing for client installation” on page 71.

Action: Install the client software by using the Client Deployment Wizard
Description: Deploy the client software.
See “Deploying clients using a Web link and email” on page 77.
See “Deploying clients by using Remote Push” on page 79.
See “Deploying clients by using Save Package” on page 81.
Table 1-4 Tasks to install and configure Symantec Endpoint Protection Small Business Edition (continued)

Action: Check that the computers are listed in the groups that you expected and that the clients communicate with the management server
Description: In the management console, on the Computers > Computers page:
1 Change the view to Client status to make sure that the client computers in each group communicate with the management server. Look at the information in the following columns:
■ The Name column displays a green dot for the clients that are connected to the management server.
See “How to determine whether the client is connected in the console” on page 127.
■ The Last Time Status Changed column displays the time that each client last communicated with the management server.
■ The Restart Required column displays the client computers you need to restart to enable protection.
See page 85.
■ The Policy Serial Number column displays the most current policy serial number. The policy might not update for one to two heartbeats. You can manually update the policy on the client if the policy does not update immediately.
See “Using the policy serial number to check client-server communication” on page 156.
See “Manually updating policies on the client” on page 157.
2 Change to the Protection technology view and ensure that the status is set to On in the columns between and including AntiVirus Status and Tamper Protection Status.
See “Viewing the protection status of clients and client computers” on page 128.
3 On the client, check that the client is connected to a server, and check that the policy serial number is the most current one.
See “Checking the connection to the management server on the client computer” on page 352.
See “Troubleshooting communication problems between the management server and the client” on page 350.
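The same checks can be run as a script over an exported client list, which helps when a group has many computers. The following is an added example and not Symantec's code: it assumes a CSV export whose columns match the Client status view (with a Connected column standing in for the green dot), a constructed set of rows, and an assumed five-minute heartbeat, and it flags every client that fails one of the checks above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample; this is not a real Symantec Endpoint Protection Manager
# export. Column names mirror the Client status view columns discussed above,
# and the Connected column stands in for the green dot in the Name column.
SAMPLE_EXPORT = """\
Name,Group,Connected,Last Time Status Changed,Restart Required,Policy Serial Number
WS-001,Workstations,Yes,2012-11-05 09:10:00,No,SERIAL-0042
WS-002,Workstations,Yes,2012-11-05 09:12:00,Yes,SERIAL-0042
WS-003,Workstations,No,2012-11-01 17:45:00,No,SERIAL-0041
SRV-01,Servers,Yes,2012-11-05 09:11:00,No,SERIAL-0041
MAC-01,Workstations,Yes,2012-11-05 09:09:00,No,SERIAL-0042
LAP-07,Unassigned,Yes,2012-11-05 09:08:00,No,SERIAL-0042
"""

# Assumed client heartbeat interval (a deployment-specific setting).
HEARTBEAT = timedelta(minutes=5)
# The guide notes that a policy might not update for one to two heartbeats.
GRACE_HEARTBEATS = 2
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def check_clients(export_text, current_serial, now, expected_groups,
                  heartbeat=HEARTBEAT):
    """Return {client name: [issues]} for every client that fails a check.

    The checks follow the columns the procedure tells you to inspect:
    connection state, last status time, restart flag and policy serial
    number, plus membership in a group you expected.
    """
    grace = heartbeat * GRACE_HEARTBEATS
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        last_seen = datetime.strptime(row["Last Time Status Changed"], TIME_FORMAT)
        recently_seen = now - last_seen <= grace

        if row["Connected"] != "Yes":
            issues.append("not connected to the management server")
        if not recently_seen:
            issues.append("no status update within %d heartbeats" % GRACE_HEARTBEATS)
        if row["Restart Required"] == "Yes":
            issues.append("restart required to enable protection")
        if row["Policy Serial Number"] != current_serial:
            msg = "policy serial %s behind server serial %s" % (
                row["Policy Serial Number"], current_serial)
            if recently_seen:
                # A client that reported recently may simply be inside the
                # one-to-two heartbeat lag; update manually if it persists.
                msg += " (possibly heartbeat lag; update the policy manually if it persists)"
            issues.append(msg)
        if row["Group"] not in expected_groups:
            issues.append("listed in unexpected group %s" % row["Group"])

        if issues:
            findings[row["Name"]] = issues
    return findings


def summarize(findings):
    """Return a short plain-text report of the findings."""
    if not findings:
        return "all clients connected, current, and in expected groups"
    lines = []
    for name in sorted(findings):
        lines.append("%s:" % name)
        lines.extend("  - %s" % issue for issue in findings[name])
    return "\n".join(lines)


def sample_findings():
    """Run the checks over the constructed sample at a fixed point in time."""
    return check_clients(
        SAMPLE_EXPORT,
        current_serial="SERIAL-0042",
        now=datetime(2012, 11, 5, 9, 15, 0),
        expected_groups={"Workstations", "Servers"},
    )


if __name__ == "__main__":
    print(summarize(sample_findings()))
```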
Table 1-5 displays the tasks to perform after you install and configure the product to assess whether the client computers have the correct level of protection.
Table 1-5 Tasks to perform two weeks after you install

Action: Modify the Virus and Spyware Protection policy
Description: Change the following default scan settings:
■ For the default Servers group, change the scheduled scan time to a time when most users are offline.
See “Setting up scheduled scans that run on Windows computers” on page 182.

Action: Exclude applications and files from being scanned
Description: You can increase performance by configuring the client not to scan certain folders and files. For example, the client scans the mail server directory every time a scheduled scan runs. You should exclude mail server program files and directories from being scanned.
For more information, see the knowledge base article: About the automatic exclusion of files and folders for Microsoft Exchange server and Symantec products.
You can improve performance by excluding the folders and files that are known to cause problems if they are scanned. For example, Symantec Endpoint Protection Small Business Edition should not scan the proprietary Microsoft SQL Server files. You should add an exception that prevents scanning of the folders that contain the Microsoft SQL Server database files. These exceptions improve performance and avoid corruption or files being locked when the Microsoft SQL Server must use them.
For more information, see the knowledge base article: How to exclude MS SQL files and folders using Centralized Exceptions.
You can also exclude files by extension for Auto-Protect scans on Windows computers.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
See “Customizing Auto-Protect for Windows clients” on page 211.
See “Customizing Auto-Protect for Mac clients” on page 212.

Action: Run a quick report and scheduled report after the scheduled scan
Description: Run the quick reports and scheduled reports to see whether the client computers have the correct level of security.
See page 303.
See “Running and customizing quick reports” on page 304.
See page 307.

Action: Check to ensure that scheduled scans have been successful and clients operate as expected
Description: Review monitors, logs, and the status of client computers to make sure that you have the correct level of protection for each group.
See “Monitoring endpoint protection” on page 293.
Table 1-5 Tasks to perform two weeks after you install (continued)

Action: Configure notifications for a single risk outbreak and when a new risk is detected
Description: Create a notification for a Single risk event and modify the notification for Risk Outbreak.
For these notifications, Symantec recommends that you do the following actions:
1 Change the Risk severity to Category 1 (Very Low and above) to avoid receiving emails about tracking cookies.
2 Keep the Damper setting at Auto.
Notifications are critical to maintaining a secure environment and can also save you time.
See “Setting up administrator notifications” on page 325.
See page 317.

See “Protecting your network with Symantec Endpoint Protection Small Business Edition” on page 25.
Managing protection on client computers
You use a single management console to manage the protection on the client computers. Although the client computers are protected immediately, you might need to modify the protection to suit your needs.
Table 1-6 outlines the tasks that you can perform if you need to adjust the default settings.
Table 1-6 Modifying protection on the client computer

Task: Organizing and managing groups
Description: You apply protection to the client computers based on the group that you place a computer in. The computers in each group have the same level of security.
You can import your company's existing group structure. You can also create new groups.
To determine which groups to add, first consider the structure of the network. Or, if you create a new group structure, you base your group structure on function, role, geography, or a combination of criteria. For example, consider the number of computers at the site, or whether the computers are the same type, such as Windows or Mac computers.
See “Managing groups of computers” on page 119.
See page 125.
Table 1-6 Modifying protection on the client computer (continued)

Task: Modifying protection
Description: Symantec Endpoint Protection Manager includes default policies for each type of protection. The policies balance the need for protection with performance. Out of the box, the default policies provide appropriate settings for large and small organizations. You may want to adjust settings over time based on your company needs.
See “About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides” on page 23.
See “Managing scans on client computers” on page 165.
See “Managing firewall protection” on page 233.
See “Managing intrusion prevention on your client computers” on page 259.

Task: Managing policies
Description: Security policies must be applied to a group before the clients apply the policies to the client computer. You can create policies that all groups share or that apply to only one group. Symantec Endpoint Protection Manager makes it easy to add and modify policies for all the security needs of your company.
See “The types of security policies” on page 149.
See “Performing the tasks that are common to all policies” on page 147.

Task: Scheduling and managing updates
Description: Client computers need to receive periodic updates to protection content such as virus definitions, intrusion prevention signatures, and product software. You can configure the method, type of content, and schedule that Symantec Endpoint Protection Small Business Edition uses to download the content to the client computers.
See page 283.

Task: Controlling user access
Description: You can configure the client to display different client features and protection features. How you configure these features depends on how much control you want client computer users in each group to have.
See “Locking and unlocking Virus and Spyware policy settings” on page 153.

Task: Managing client deployment
Description: Symantec recommends that you analyze which computers need which type of security.
If you did not deploy the client installation package at the time that you installed Symantec Endpoint Protection Manager, you can deploy the client software later. You have the option to look for unprotected computers.
See “Preparing for client installation” on page 71.
See “Deploying clients using a Web link and email” on page 77.
Table 1-6 Modifying protection on the client computer (continued)

Task: Monitoring and responding to status changes
Description: You use reports and logs to view the security status of the client computers. The reports and logs help you to handle virus outbreaks and to increase the security and performance of your company's network.
You can also configure notifications to alert administrators and computer users about potential security problems.
See “Monitoring endpoint protection” on page 293.
See page 317.

Task: Managing administrators
Description: You can add administrator accounts so that different administrators have different levels of control over managing the groups, policies, commands, and reports in Symantec Endpoint Protection Manager.
See “Managing administrator accounts” on page 137.

See “Protecting your network with Symantec Endpoint Protection Small Business Edition” on page 25.
See “Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time” on page 26.
Maintaining the security of your environment
After you have secured your network, you might want to modify the protection and infrastructure to increase security or increase performance.

Table 1-7 Tasks you can perform to maintain the security of your network

Task: Checking the security status of your network
Description: You should periodically check the Home page to view the overall security status of your network. You can use the notifications, reports, and logs to provide the details on the security status.
See “Monitoring endpoint protection” on page 293.
See page 317.

Task: Maintaining licenses
Description: You can check whether your license is about to expire or if you have too many deployed clients for what your license covers.
See “Licensing Symantec Endpoint Protection” on page 57.
Table 1-7 Tasks you can perform to maintain the security of your network (continued)

Task: Preparing for disaster recovery
Description: To help mitigate a case of data corruption or a hardware failure, you should back up the database regularly and make a copy of specific management server files.
See “Preparing for disaster recovery” on page 339.

Task: Reconfiguring servers
Description: You can update the settings for the mail server, proxy server, and LiveUpdate servers.
See “Establishing communication between the management server and email servers” on page 323.
See page 289.

See “Protecting your network with Symantec Endpoint Protection Small Business Edition” on page 25.
Troubleshooting Symantec Endpoint Protection Small Business Edition
Table 1-8 displays the most common issues that you might encounter when you install and use Symantec Endpoint Protection Small Business Edition.
Table 1-8 Common issues you can troubleshoot

Task: Fixing installation problems
Description: You can download and run the Symantec Endpoint Protection Small Business Edition Support Tool to verify that your computers are ready for installation. The support tool is provided with the management server and the client. It is also available on the Symantec Support Web site.
See “Troubleshooting computer issues with the Symantec Help support tool” on page 349.

Task: Handling virus outbreaks
Description: You can prevent threats from attacking computers on your network.
See “Preventing and handling virus and spyware attacks on client computers” on page 160.
See “Remediating risks on the computers in your network” on page 162.
If a threat does attack a client computer, you can identify and respond to the threat.
See the following knowledge base article: Best practices for troubleshooting viruses on a network.
Table 1-8 Common issues you can troubleshoot (continued)

Task: Troubleshooting content update problems
Description: If the latest virus definitions do not update correctly on Symantec Endpoint Protection Manager or the clients, see the following knowledge base article: Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart.

Task: Fixing communication errors
Description: The communication channels between all of the Symantec Endpoint Protection Small Business Edition components must be open. These channels include server to client, server to database, and server and client to the content delivery component, such as LiveUpdate.
See “Troubleshooting communication problems between the management server and the client” on page 350.
See page 356.
See the following knowledge base article: Troubleshooting Symantec Endpoint Protection Manager communication problems.

Task: Performing disaster recovery
Description: In case of database corruption or hardware failure, you can restore the latest snapshot of the database if you have a database backup file.
See “Performing disaster recovery” on page 345.

Task: Troubleshooting reporting issues
Description: You can solve various report and log issues.
See “Troubleshooting reporting issues” on page 359.

See “Protecting your network with Symantec Endpoint Protection Small Business Edition” on page 25.
Section 1
Installing Symantec Endpoint Protection Small Business Edition
■ Chapter 2. Planning the installation
■ Chapter 3. Installing Symantec Endpoint Protection Manager
■ Chapter 4. Managing product licenses
■ Chapter 5. Installing the Symantec Endpoint Protection Small Business Edition client
■ Chapter 6. Upgrading Symantec Endpoint Protection Small Business Edition
■ Chapter 7. Migrating to Symantec Endpoint Protection Small Business Edition
Chapter 2
Planning the installation
This chapter includes the following topics:
■ Components of Symantec Endpoint Protection Small Business Edition
■ System requirements for Symantec Endpoint Protection Small Business Edition
■ About Symantec Endpoint Protection Manager compatibility with other products
■ About embedded database settings
Planning the installation
Table 2-1 summarizes the high-level steps to install Symantec Endpoint Protection Small Business Edition.
Table 2-1 Installation planning

Step 1
Action: Plan network architecture
Description: Understand the sizing requirements for your network. In addition to identifying the endpoints that require protection, evaluate update scheduling and other variables to ensure good network and database performance.

Step 2
Action: Review and purchase a license
Description: Understand the product licensing requirements. Purchase a license within 30 days of product installation.
See “Licensing Symantec Endpoint Protection” on page 57.
See “Product license requirements” on page 42.
Table 2-1 Installation planning (continued)

Step 3
Action: Review system requirements
Description: Make sure that the computers on which you install the client and the management server software comply with the minimum system requirements.
See the knowledge base article: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control

Step 4
Action: Prepare computers for installation
Description: To install both management server and clients, you must be logged in with an account that grants local administrator access. Uninstall other security software from your computers by configuring your Symantec Endpoint Protection Small Business Edition client install package to automatically uninstall it. You can also manually uninstall other security software. Some programs may have special uninstallation routines. See the documentation for the third-party software.
Make sure that administrator access to remote systems is available. Open firewalls (including ports and protocols) to allow remote deployment between the Symantec Endpoint Protection Manager and the endpoint computers.
See “Preparing for client installation” on page 71.
See “Configuring client packages to uninstall existing third-party security software” on page 83.
See “Preparing Windows operating systems for remote deployment” on page 72.
See “About firewalls and communication ports” on page 74.

Step 5
Action: Prepare to install management server
Description: Decide on the following items before installation of the management server:
■ A password for your login to the management console
■ An email address where you can receive important notifications and reports
See “Configuring the management server during installation” on page 49.
See “About embedded database settings” on page 45.

Step 6
Action: Install the management server
Description: Install Symantec Endpoint Protection Manager.
See “Installing Symantec Endpoint Protection Manager” on page 47.

Step 7
Action: Prepare and deploy client software
Description: Determine which method would work best in your environment to deploy the client software to your computers.
Install the Symantec Endpoint Protection Small Business Edition client on your endpoint computers.
Note: Symantec recommends that you also install the client on the computer that hosts Symantec Endpoint Protection Manager.
See “About client deployment methods” on page 75.
Table 2-1 Installation planning (continued)
Step 8 Post-installation tasks
Verify that your client computers are online and protected.
Become familiar with the features and functions of the Symantec Endpoint Protection Small Business Edition management console and perform configuration and optimization tasks.
See “Getting up and running on Symantec Endpoint Protection Small Business” on page 26.
Components of Symantec Endpoint Protection Small Business Edition
Table 2-2 lists the product's components and describes their functions.
Table 2-2 Product components
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager is a management server that manages the client computers that connect to your company's network.
Symantec Endpoint Protection Manager includes the following components:
■ The management server software provides secure communication to and from the client computers and the console.
■ The console is the interface to the management server. The console software coordinates and manages security policies, client computers, reports, logs, roles and access, administrative functions, and security. You can also install a remote console and use it to log on to the management server from any computer with a network connection.
■ The embedded database, which stores security policies and events.
See “What you can do from the console” on page 53.
See “Installing Symantec Endpoint Protection Manager” on page 47.
Table 2-2 Product components (continued)
Symantec Endpoint Protection Small Business Edition client
The client protects computers with virus and spyware scans, SONAR, Download Insight, a firewall, an intrusion prevention system, and other protection technologies. It runs on the servers, desktops, and portable computers that you want to protect.
The Symantec Endpoint Protection Mac client protects the computers with virus and spyware scans.
For more information about using the client, see the Symantec Endpoint Protection Small Business Edition Client Guide.
See “About Symantec Endpoint Protection Small Business Edition” on page 19.
See “About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides” on page 23.
System requirements for Symantec Endpoint Protection Small Business Edition
In general, the system requirements for Symantec Endpoint Protection Manager and the clients are the same as those of the supported operating systems.
Table 2-3 displays the minimum requirements for the Symantec Endpoint Protection Manager.
Table 2-4 displays the minimum requirements for the Symantec Endpoint Protection Small Business Edition client.
Table 2-3 Symantec Endpoint Protection Manager system requirements
Processor
■ 32-bit processor: 1-GHz Intel Pentium III or equivalent minimum (Intel Pentium 4 or equivalent recommended)
■ 64-bit processor: 2-GHz Pentium 4 with x86-64 support or equivalent minimum
Note: Intel Itanium IA-64 processors are not supported.
Physical RAM
1 GB of RAM for 32-bit operating systems, 2 GB of RAM for 64-bit operating systems, or higher if required by the operating system
Hard drive
4 GB or more free space; plus 4 GB for the locally installed database.
Display
800 x 600
Table 2-3 Symantec Endpoint Protection Manager system requirements (continued)
Operating system
■ Windows XP (32-bit, SP2 or later; 64-bit, all SPs; all editions except Home)
■ Windows 7 (32-bit, 64-bit; RTM and SP1; all editions except Home)
■ Windows 8 (32-bit, 64-bit)
■ Windows Server 2003 (32-bit, 64-bit, R2, SP1 or later)
■ Windows Server 2008 (32-bit, 64-bit, R2, RTM, SP1 and SP2)
■ Windows Server 2012
■ Windows Small Business Server 2003 (32-bit)
■ Windows Small Business Server 2008 (64-bit)
■ Windows Small Business Server 2011 (64-bit)
■ Windows Essential Business Server 2008 (64-bit)
Web browser
■ Microsoft Internet Explorer 7, 8, 9, 10
■ Mozilla Firefox
■ Google Chrome
Note: This version of the Symantec Endpoint Protection Manager can manage clients before version 12.1, regardless of the client operating system.
Table 2-4 Symantec Endpoint Protection Small Business Edition Windows and Mac client system requirements
Processor
■ 32-bit processor for Windows: 1-GHz Intel Pentium III or equivalent minimum (Intel Pentium 4 or equivalent recommended)
■ 32-bit processor for Mac: Intel Core Solo, Intel Core Duo. PowerPC processors are not supported.
■ 64-bit processor for Windows: 2-GHz Pentium 4 with x86-64 support or equivalent minimum. Itanium processors are not supported.
■ 64-bit processor for Mac: Intel Core 2 Duo, Intel Quad-Core Xeon
Physical RAM
Windows: 512 MB of RAM (1 GB recommended), or higher if required by the operating system
Mac: 1 GB of RAM for 10.6; 2 GB for 10.7 and 10.8
Table 2-4 Symantec Endpoint Protection Small Business Edition Windows and Mac client system requirements (continued)
Hard drive
Windows: 850 MB of available hard disk space for the installation; additional space is required for content and logs
Note: Space requirements are based on NTFS file systems.
Mac: 500 MB of available hard disk space for the installation
Display
800 x 600
Operating system
■ Windows XP Home or Professional (32-bit, SP2 or later; 64-bit, all SPs)
■ Windows XP Embedded (SP2 and later)
■ Windows Vista (32-bit, 64-bit)
■ Windows 7 (32-bit, 64-bit, RTM, and SP1)
■ Windows Embedded Standard 7
■ Windows 8 (32-bit, 64-bit)
■ Windows Server 2003 (32-bit, 64-bit, R2, SP1 or later)
■ Windows Server 2008 (32-bit, 64-bit, R2, SP1, and SP2)
■ Windows Server 2012
■ Windows Small Business Server 2003 (32-bit)
■ Windows Small Business Server 2008 (64-bit)
■ Windows Small Business Server 2011 (64-bit)
■ Windows Essential Business Server 2008 (64-bit)
■ Mac OS X 10.6.8, 10.7 (32-bit, 64-bit); 10.8 (64-bit)
■ Mac OS X Server 10.6.8, 10.7 (32-bit, 64-bit); 10.8 (64-bit)
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
See on page 37.
Product license requirements
If you want to use Symantec Endpoint Protection Small Business Edition after the trial period expires, you must purchase and then activate a product license.
Table 2-5 displays the requirements you need to license Symantec Endpoint Protection Small Business Edition.
Table 2-5 Product license requirements
Paid license installation of Symantec Endpoint Protection Small Business Edition
You must purchase a license that covers each deployed client. One license covers all clients regardless of platform and version.
See “About the licensing enforcement rules” on page 67.
Symantec legacy virus protection software
Symantec Endpoint Protection Small Business Edition accepts the license file from your Symantec legacy virus protection software. You must purchase a new license when the legacy license expires.
Trialware
A 30-day trial license is included with Symantec Endpoint Protection Small Business Edition. You must purchase a license when the trial license expires.
The following terminology applies to Symantec product licenses:
Serial number
A license contains a serial number that uniquely identifies your license and associates the license with your company. The serial number can be used to activate your Symantec Endpoint Protection Small Business Edition license.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
Deployed
Deployed refers to the endpoint computers that are under the protection of the Symantec Endpoint Protection Small Business Edition client software. For example, "We have 50 deployed seats." means that 50 endpoints have client software installed on them.
Activate
You activate your Symantec Endpoint Protection Small Business Edition product license to enable unrestricted access to all program functionality. You use the License Activation wizard to complete the activation process.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
Seat
A seat is a single endpoint computer that the Symantec Endpoint Protection Small Business Edition client software protects. A license is purchased and is valid for a specific number of seats.
"Valid seats" refers to the total number of seats that are specified in all of your active licenses.
Trialware
Trialware refers to a fully functioning installation of Symantec Endpoint Protection Small Business Edition operating within the free trial period. The trial period is 30 days from the initial installation of the Symantec Endpoint Protection Manager. If you want to continue using Symantec Endpoint Protection Small Business Edition beyond the trial period, you must purchase and activate a license for your installation. You do not need to uninstall the software to convert from trialware to a licensed installation.
See on page 60.
Over-deployed
A license is over-deployed when the number of deployed clients exceeds the number of licensed seats.
Understanding license requirements is part of planning your Symantec Endpoint Protection Small Business Edition installation and, after installation, of managing your product licenses.
See on page 37.
See “Licensing Symantec Endpoint Protection” on page 57.
See on page 60.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
About Symantec Endpoint Protection Manager compatibility with other products
Some products may cause conflicts with Symantec Endpoint Protection Small Business Edition when they are installed on the same server. You need to configure the Symantec Endpoint Protection Manager installation if one or more of the following products is installed on the same server:
■ Symantec Backup Exec 10, 10D, or 11D
■ Symantec Brightmail
■ Symantec Enterprise Vault
■ Symantec Ghost Solution Suite 2.0
■ Symantec Mail Security for Exchange
■ Symantec NetBackup
■ Microsoft Outlook Web Access
■ Microsoft SharePoint
■ Microsoft Windows Update Services
In most cases, port changes are required to allow these programs to run concurrently with Symantec Endpoint Protection Small Business Edition.
For information about the configuration changes, see the Symantec Support knowledge base article, Addressing Symantec Endpoint Protection compatibility issues.
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
About embedded database settings
The following values represent the default settings when you install the Symantec Endpoint Protection Manager. The ports that are listed are TCP ports.
See “Installing Symantec Endpoint Protection Manager” on page 47.
Table 2-6 Embedded database settings
Server name (default: local host name)
The name of the computer that runs the Symantec Endpoint Protection Manager.
Server port (default: 8443)
The Symantec Endpoint Protection Manager listens on this port.
Web console port (default: 9090)
Remote HTTP console connections use this port.
Server control port (default: 8765)
The Tomcat web service uses this port.
Reporting port (default: 8445)
The Apache web service uses this port for reporting.
Client communications port (default: 8014)
The clients communicate with the management server on this port.
Remote management web services port (default: 8446)
Remote Monitoring and Management (RMM) uses this port to send web services traffic over HTTPS.
Table 2-6 Embedded database settings (continued)
Encryption password (default: None)
This password encrypts communication between the Symantec Endpoint Protection Manager and clients. Document this password and put it in a secure location. You cannot change or recover the password after you create the database. You must also enter this password for disaster recovery purposes if you do not have a backed up database to restore.
See “Preparing for disaster recovery” on page 339.
User name (default: admin)
The name of the default user that is used to log on to the Symantec Endpoint Protection Manager console for the first time. This value is not configurable.
Password (default: None)
The password that is specified for the admin account during server configuration.
Email address (default: None)
System notifications are sent to the email address specified.
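Step 4 of the installation plan asks you to open firewalls so that the management server can reach the endpoints and the endpoints can reach the server, and Table 2-6 lists the TCP ports involved. The following script is an added example (it is not part of the Symantec guide) that probes each default port from Table 2-6 and reports which ones a remote machine can actually reach, so a blocked port is found before client deployment fails. The port numbers are the table's defaults; the host name sepm.example.local is a constructed placeholder, and the grouping of "required from clients" ports is an editorial assumption.

```python
"""Pre-deployment check of the Symantec Endpoint Protection Manager TCP ports.

Added example, not part of the Symantec guide. Probes the default TCP ports
from Table 2-6 and reports which ones accept a connection from the machine
it runs on. "sepm.example.local" is a constructed placeholder host name.
"""
import socket
from contextlib import closing

# Default TCP ports from Table 2-6, keyed by setting name.
SEPM_DEFAULT_PORTS = {
    "Server port": 8443,
    "Web console port": 9090,
    "Server control port": 8765,
    "Reporting port": 8445,
    "Client communications port": 8014,
    "Remote management web services port": 8446,
}

# Ports that endpoint computers and remote consoles must reach. The grouping
# is an editorial assumption so that the report says what breaks if blocked.
REQUIRED_FROM_CLIENTS = {"Client communications port", "Web console port", "Server port"}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def check_sepm_ports(host, ports=SEPM_DEFAULT_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {setting name: reachable?}."""
    return {name: tcp_port_open(host, port, timeout) for name, port in ports.items()}


def blocked_required_ports(results):
    """Names of required ports that did not accept a connection, sorted."""
    return sorted(name for name in REQUIRED_FROM_CLIENTS if not results.get(name, False))


def format_report(host, results, ports=SEPM_DEFAULT_PORTS):
    """Render the probe results as a short plain-text report."""
    lines = [f"SEPM port check against {host}"]
    for name, reachable in results.items():
        status = "open" if reachable else "BLOCKED"
        lines.append(f"  {ports[name]:>5}/tcp  {status:<7}  {name}")
    missing = blocked_required_ports(results)
    if missing:
        lines.append("Client communication or console access will fail until the firewall allows: "
                     + ", ".join(missing))
    return "\n".join(lines)


def local_self_test():
    """Bind a throwaway listener on 127.0.0.1 and confirm the probe tells open from closed.

    Returns (open_result, closed_result); expected (True, False).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        open_result = tcp_port_open("127.0.0.1", open_port, timeout=1.0)
    # Once the listener is closed the same port should refuse connections.
    closed_result = tcp_port_open("127.0.0.1", open_port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    target = "sepm.example.local"  # constructed placeholder host name
    print(format_report(target, check_sepm_ports(target)))
```

Run it from an endpoint subnet, not from the server itself: a port that is open locally but BLOCKED from the subnet is exactly the firewall gap the planning step warns about. Only the ports the clients and consoles need have to be reachable from outside; the server control and reporting ports can stay restricted to the server and its administrators.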
Chapter 3
Installing Symantec Endpoint Protection Manager
This chapter includes the following topics:
■ Installing Symantec Endpoint Protection Manager
■ Configuring the management server during installation
■ Uninstalling Symantec Endpoint Protection Manager
■ About accepting the self-signed (SSL) server certificate for Symantec Endpoint
■ Logging on to the Symantec Endpoint Protection Manager console
■ What you can do from the console
Installing Symantec Endpoint Protection Manager
You perform several tasks to install the management server and the console. In the installation wizard, a green check mark appears next to each completed task.
Note: The Symantec Endpoint Protection Manager requires access to the system registry for installation and normal operation. To prepare a server that runs Windows Server 2003 to install Symantec Endpoint Protection Manager using a remote desktop connection, you must first allow remote control on the server. You must also use a remote console session, or shadow the console session.
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
See “Preparing for client installation” on page 71.
See “Getting up and running on Symantec Endpoint Protection Small Business” on page 26.
To install Symantec Endpoint Protection Manager
1 If you have physical media, insert and display the product disc.
The installation should start automatically. If it does not start, double-click Setup.exe.
If you downloaded the product, extract the entire product disc image to a physical disc, such as a hard disk. Run Setup.exe from the physical disc.
2 Click Install Symantec Endpoint Protection Manager.
3 Review the sequence of installation events and click Next.
4 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
5 In the Destination Folder panel, accept the default destination folder or specify another destination folder, and then click Next.
6 Click Install.
The installation process begins with the installation of the Symantec Endpoint Protection Manager and console. This part of the installation completes automatically.
7 In the installation summary panel, click Next.
The Management Server Configuration Wizard starts automatically.
8 Configure the management server according to your requirements. Follow the on-screen instructions. When configuration is complete, click Next to create the database.
See “Configuring the management server during installation” on page 49.
9 In the Symantec AntiVirus Migration (optional) panel, click No, and then click Next.
10 The Installation Complete panel appears. Click Next to log on to the Symantec Endpoint Protection Manager. The Client Deployment Wizard starts automatically. You can deploy client software at any time. You can safely cancel client deployment if you do not want to deploy client software at this time.
See “About client deployment methods” on page 75.
See “Deploying clients using a Web link and email” on page 77.
Configuring the management server during installation
The Management Server Configuration Wizard automatically starts after the Symantec Endpoint Protection Manager installation.
See “Installing Symantec Endpoint Protection Manager” on page 47.
You can also start the Management Server Configuration Wizard at any time after installation from Start > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools.
To configure the server, you specify the following information:
■ Whether you want to use a recovery file.
Note: If this is your first installation of Symantec Endpoint Protection Manager, there is no recovery file.
See “Performing disaster recovery” on page 345.
■ The password for the default administrator account.
■ The email address that receives important notifications and reports.
■ The email server name and port number.
■ You can optionally add partner information if you have a Symantec Sales Partner who manages your Symantec licenses.
See on page 37.
Uninstalling Symantec Endpoint Protection Manager
Uninstalling Symantec Endpoint Protection Manager uninstalls the server, console, and database. You can optionally remove the database backup files during uninstallation.
If you plan to reinstall Symantec Endpoint Protection Manager, you should back up the database before you uninstall it.
To uninstall Symantec Endpoint Protection Manager
The text that you see depends on the operating system of the server computer.
1 On the server computer, on the Start menu, click Control Panel > Add or Remove Programs (or Control Panel > Programs > Uninstall a program).
2 In the Add or Remove Programs (or Uninstall or change a program) dialog box, click Symantec Endpoint Protection Manager, and then click Change, Remove, or Uninstall.
3 Follow the onscreen prompts to remove Symantec Endpoint Protection Manager.
In some cases, you may have to uninstall Symantec Endpoint Protection Manager manually.
For more information, see the knowledge base article: Methods for uninstalling Symantec Endpoint Protection.
See “Backing up the database and logs” on page 340.
About accepting the self-signed (SSL) server certificate for Symantec Endpoint Protection Manager
When you install Symantec Endpoint Protection Manager, a self-signed certificate for the pages that are rendered in a browser is included as part of the installation. When you first access these pages from a remote console, you must accept the self-signed certificate for the pages to display.
The certificates are stored separately for each user. Each administrator account must accept the certificate for each remote location from which they connect to the management server.
For instructions to add the security certificate to the Web browser, see the Symantec Technical Support knowledge base article, How to install the certificate for Symantec Protection Center or Endpoint Protection Manager for Web console access.
See “Logging on to the Symantec Endpoint Protection Manager console” on page 51.
Logging on to the Symantec Endpoint Protection Manager console
You can log on to the Symantec Endpoint Protection Manager console after you install Symantec Endpoint Protection Manager. You can log on to the console in either of two ways:
■ Locally, from the computer on which the management server is installed.
■ Remotely, from any computer that meets the system requirements for a remote console and has network connectivity to the management server.
You can log on to the remote Web console or the remote Java console.
To log on remotely, you need to know the IP address or the host name of the computer on which the management server is installed. You should also ensure that your Web browser Internet options let you view content from the server you log on to.
When you log on remotely, you can perform the same tasks as administrators who log on locally. What you can view and do from the console depends on the type of administrator you are. Most administrators in smaller organizations log on as a system administrator.
Note: If you installed the remote Java console with an earlier version of the product, you must reinstall it when you upgrade to a later version.
The console logs you out after one hour. You can increase this period of time.
To log on to the console locally
1 Go to Start > Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager.
2 In the Symantec Endpoint Protection Manager logon dialog box, type the user name (admin by default) and the password that you configured during the installation.
3 Click Log on.
To log on to the console remotely
1 Open a supported Web browser and type the following address in the address box:
http://host name:9090
where host name is the host name or IP address of the management server.
For a list of supported Web browsers, see the Knowledge Base document Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control.
2 On the Symantec Endpoint Protection Manager console Web Access page, click the desired console type.
If you click Symantec Endpoint Protection Manager Web Console, a secure webpage loads so that you can log on remotely without the Java Runtime Environment (JRE).
If you click Symantec Endpoint Protection Manager Console, the computer from which you log on must have the JRE installed to run the Java client. If it does not, you must download and install it. Follow the prompts to install the JRE, and follow any other instructions provided.
The two other options are not remote management solutions. The option Symantec Protection Center directs you to the logon screen for Symantec Protection Center 1.0.0, which provides limited reporting data. See the context-sensitive help for more information. The option Symantec Endpoint Protection Manager Certificate prompts you to download the management console's certificate file. You can then import this file into your Web browser if needed.
3 If a host name message appears, click Yes.
This message means that the remote console URL that you specified does not match the Symantec Endpoint Protection Manager certificate name. This problem occurs if you log on and specify an IP address rather than the computer name of the management server.
If the Web page security certificate warning appears, click Continue to this website (not recommended) and add the self-signed certificate.
4 Follow the prompts to complete the logon process.
When you log on for the first time after installation, use the account name admin.
5 Click Log On.
You may receive one or more security warning messages as the remote console starts up. If you do, click Yes, Run, Start, or their equivalent, and continue until the console appears.
You may need to accept the self-signed certificate that the Symantec Endpoint Protection Manager requires.
See “About administrator account roles and access rights” on page 138.
See “About accepting the self-signed (SSL) server certificate for Symantec Endpoint” on page 50.
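The section on accepting the self-signed certificate and step 3 of the remote logon procedure both ask the administrator to click through a certificate warning. Because a self-signed certificate gives the browser nothing to check against, the only protection against accepting an impostor's certificate is to compare what the server presents with a copy obtained out of band, for example the certificate file offered by the Symantec Endpoint Protection Manager Certificate option or a fingerprint read on the server console. The following script is an added example, not code from the Symantec guide: it fetches the certificate the server actually presents, prints its SHA-256 fingerprint for that comparison, and classifies why the system trust store rejects it, so that the two expected warnings (self-signed, and host-name mismatch when you log on by IP address) are told apart from any other failure. It assumes the TLS endpoint is the server port 8443 from Table 2-6 (the excerpt does not say which port serves the secure console page) and uses the constructed placeholder host sepm.example.local.

```python
"""Check the management server's TLS certificate before accepting it in a browser.

Added example, not part of the Symantec guide. Assumes the server port
8443 from Table 2-6 serves TLS; "sepm.example.local" is a constructed
placeholder host name.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-256 fingerprint, in the form browsers display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host, port=8443, timeout=5.0):
    """Return the DER-encoded leaf certificate presented by host:port.

    Verification is deliberately disabled here: the goal is to see what the
    server presents, not to trust it. Never reuse this context for real traffic.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify_verify_message(message):
    """Map an SSLCertVerificationError message to one of three outcomes.

    'self-signed'        : the expected warning for a fresh installation
    'hostname-mismatch'  : the expected warning when logging on by IP address
    'other'              : anything else (expired, wrong key usage, ...) and
                           worth a closer look before accepting
    """
    text = message.lower()
    if "self signed" in text or "self-signed" in text:
        return "self-signed"
    if ("hostname" in text or "ip address" in text) and ("mismatch" in text or "doesn't match" in text):
        return "hostname-mismatch"
    return "other"


def verify_against_system_trust(host, port=8443, timeout=5.0):
    """Return 'trusted', 'self-signed', 'hostname-mismatch' or 'other' for host:port."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_message(str(exc))


def fingerprint_matches(downloaded_cert_der, live_cert_der):
    """True when the certificate obtained out of band matches what the server presents."""
    return sha256_fingerprint(downloaded_cert_der) == sha256_fingerprint(live_cert_der)


if __name__ == "__main__":
    host = "sepm.example.local"  # constructed placeholder
    live = fetch_server_cert_der(host)
    print("Server presents SHA-256:", sha256_fingerprint(live))
    print("System trust verdict:", verify_against_system_trust(host))
```

If the fingerprint differs from the downloaded certificate file, or the verdict is "other", do not add the certificate to the browser; a "self-signed" or "hostname-mismatch" verdict with a matching fingerprint is the situation the procedure above describes.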
What you can do from the console
The Symantec Endpoint Protection Manager console provides a graphical user interface for administrators. You use the console to manage policies and computers, monitor endpoint protection status, and create and manage administrator accounts.
The console organizes the functions and tasks that you perform into pages.
Table 3-1 Symantec Endpoint Protection Manager console pages
Home
Display the security status of your network.
You can do the following tasks from the Home page:
■ Obtain a count of detected viruses and other security risks.
■ Obtain a count of unprotected computers in your network.
■ Obtain a count of computers that received virus definition and other content updates.
■ View license status.
■ Adjust console preferences.
■ Get information about the latest Internet and security threats.
See “Configuring reporting preferences” on page 302.
See on page 66.
Table 3-1 Symantec Endpoint Protection Manager console pages (continued)
Monitors
Monitor event logs that concern Symantec Endpoint Protection Manager and your managed computers.
You can do the following tasks from the Monitors page:
■ View risk distribution graphs.
■ View event logs.
■ View the status of recently issued commands.
■ View and create notifications.
See “Viewing and acknowledging notifications” on page 323.
Reports
Run reports to get up-to-date information about computer and network activity.
You can do the following tasks from the Reports page:
■ Run Quick Reports.
■ Run the Daily Summary Report.
■ Run the Weekly Summary Report.
See “Running and customizing quick reports” on page 304.
Policies
Display the security policies that define the protection technology settings.
You can do the following tasks from the Policies page:
■ View and adjust the protection settings.
■ Create, edit, copy, and delete security policies.
■ Assign security policies to computer groups.
■ Configure LiveUpdate schedules for client computers.
See “The types of security policies” on page 149.
See “Performing the tasks that are common to all policies” on page 147.
See on page 283.
Computers
Manage computers and groups.
You can do the following tasks from the Computers page:
■ Create and delete groups.
■ Edit group properties.
■ View the security policies that are assigned to groups.
■ Run commands on groups.
See “Managing groups of computers” on page 119.
Table 3-1 Symantec Endpoint Protection Manager console pages (continued)
Admin
Manage Symantec Endpoint Protection Manager settings, licenses, and administrator accounts.
You can do the following tasks from the Admin page:
■ Increase the time that you are logged on to Symantec Endpoint Protection Manager.
■ Create, edit, and delete administrator accounts.
■ View and edit email and proxy server settings.
■ Import and purchase licenses.
■ Adjust the LiveUpdate schedule for Symantec Endpoint Protection Manager.
■ Download content updates from LiveUpdate.
■ View LiveUpdate status and recent downloads.
See “Managing administrator accounts” on page 137.
See on page 283.
Support
Display the Symantec Support Web site where you can download a tool to help you with installation problems on the management server and the client.
See “Troubleshooting computer issues with the Symantec Help support tool” on page 349.
Chapter 4
Managing product licenses
This chapter includes the following topics:
■ Licensing Symantec Endpoint Protection
■ Activating or importing your Symantec Endpoint Protection Small Business
■ About product upgrades and licenses
■ About renewing your Symantec Endpoint Protection Small Business Edition license
■ About the licensing enforcement rules
Licensing Symantec Endpoint Protection
Symantec Endpoint Protection Small Business Edition requires a paid license after the trial period expires or when your current license expires. You can apply an existing license to a product upgrade.
You use the License Activation Wizard to activate new or renewed licenses, or when you convert a trial license to a paid license. You license Symantec Endpoint Protection Small Business Edition according to the number of Symantec Endpoint Protection Small Business Edition clients that you need to protect the endpoints at your site.
Once the Symantec Endpoint Protection Manager is installed, you have 30 days to purchase enough license seats to cover all of your deployed clients.
Note: To administer licenses, you must log on to Symantec Endpoint Protection Manager with a management server system administrator account, such as the default account admin.
See “About administrator account roles and access rights” on page 138.
Table 4-1 lists the tasks that are required to purchase, activate, and manage your Symantec product license.
Table 4-1 Licensing tasks
Check the product license requirements
Understand the importance of the license requirements for the computers that you want to protect. A license lets you install the Symantec Endpoint Protection Small Business Edition client on a specified number of computers. A license lets you download virus definitions, security content, and product updates from LiveUpdate.
See “Product license requirements” on page 42.
See “About the licensing enforcement rules” on page 67.
See on page 69.
Table 4-1 Licensing tasks (continued)
Purchase a license and save it to the management server
You need to purchase a license in the following situations:
■ You want to purchase Symantec Endpoint Protection Small Business Edition.
■ Your trialware license expired.
■ Your paid license expired.
■ Your license is over-deployed.
Starting with version 12.1, you do not need to manually download a license file. Depending on the method that you used to purchase your license, a Symantec license file (.slf) or a license serial number is sent to you in an email.
See on page 60.
See on page 66.
See on page 60.
Import the license file and activate your purchased license
You use the License Activation Wizard in the Symantec Endpoint Protection Manager to import and activate your Symantec product license.
Before you activate the license, you must have one of the following:
■ A Symantec license serial number
■ A Symantec license file (.slf)
You receive one or the other of these when you purchase a license.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
See “About the Symantec Licensing Portal” on page 65.
Back up your license files
Back up your license files to preserve the license files in case the database or the computer's hard disk becomes damaged.
See “Backing up your license files” on page 68.
See “Recovering a deleted license” on page 68.
Review the preconfigured license notifications
Preconfigured license notifications alert administrators about expired licenses and other license issues.
See “What are the types of notifications and when are they sent?” on page 319.
Table 4-1 Licensing tasks (continued)
Keep track of when your licenses expire, and renew your licenses
Check the status for each license that you imported into the console to see whether you need to renew a license, or purchase more licenses.
See on page 66.
See “About renewing your Symantec Endpoint Protection Small Business Edition license” on page 66.
About the trialware license
The trialware license lets you evaluate and test Symantec Endpoint Protection
Small Business Edition in your environment.
The trialware license applies to the following Symantec Endpoint Protection Small Business Edition components:
■ Symantec Endpoint Protection Manager
■ Symantec Endpoint Protection Small Business Edition client
■ Access to LiveUpdate content
After the trialware license expires, you must activate a paid license to retain full product functionality. You do not have to uninstall the trial-licensed version to convert your Symantec Endpoint Protection Small Business Edition installation to a fully licensed installation.
This trialware expires 30 days after you install the product.
See on page 37.
See on page 60.
About purchasing licenses
You need to purchase a license in the following situations:
■ Your trial license expired. Symantec Endpoint Protection Small Business Edition comes with a trialware license that lets you install and evaluate the product in your environment.
■ Your current license is expired.
■ Your current license is over-deployed. Over-deployed means that you have deployed more instances of the client or Symantec Endpoint Protection Manager than your current license allows for.
Depending upon how you purchase your license, you receive either a product license serial number or a Symantec License file. License files are either sent to you in email or downloaded from a secure Web site. The license file uses the file extension .slf. When you receive the license file by email, it is attached to the email as a .zip file. You must extract the .slf file from the .zip file.
Save the license file to a computer that can be accessed from the Symantec Endpoint Protection Manager console. Many users save the license on the computer that hosts the Symantec Endpoint Protection Manager. Many users also save a copy of the license to a different computer or removable storage media for safekeeping.
Warning: To prevent corruption of the license file, do not open or alter the file contents in any way. You may, however, copy and store the license as desired.
Table 4-2 displays where to learn more about purchasing licenses.
Table 4-2 Purchasing license tasks

Task: Determine your licensing requirements
Description: See “Product license requirements” on page 42.
See “About the licensing enforcement rules” on page 67.

Task: Find out where to buy product licenses
Description: You can purchase a Symantec product license from the following sources:
■ The Symantec online store: http://store.symantec.com/
■ Your preferred Symantec reseller: To find a reseller, use the Partner locator. To find out more about Symantec partners, go to http://www.symantec.com/partners/index.jsp
■ The Symantec sales team: Visit the Symantec Ordering Web site for sales contact information.

Task: Learn more about upgrading from the trialware license that comes with Symantec Endpoint Protection Small Business Edition
Description: See on page 60.

Task: Get help with purchasing licenses or learn more about licenses
Description: http://customercare.symantec.com/

See “Licensing Symantec Endpoint Protection” on page 57.
Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license
You can use the License Activation Wizard workflow to perform the following tasks:
■ Activating a new paid license.
■ Converting a trial license to a paid license.
■ Renewing a license.
■ Activating an additional paid license in response to an over-deployment status.
You can import and activate a license file that you received from the following sources:
■ Symantec Licensing Portal
■ Symantec partner or preferred reseller
■ Symantec sales team
■ Symantec Business Store
You can start the License Activation Wizard in the following ways:
■ The Symantec Endpoint Protection Welcome screen that appears after you install the product.
■ From the Common Tasks menu on the Home page.
■ The Admin page of the Symantec Endpoint Protection Manager console.
If you activate or import your license from the Welcome screen or the Common Tasks menu, you can skip the first three of the following steps.
To activate or import your Symantec Endpoint Protection Small Business Edition 12.1 product license
1 On the Symantec Endpoint Protection Manager console, click Admin.
2 On the Admin page, click Licenses.
3 Under Tasks, click Activate license.
4 In the License Activation Wizard, select Activate a new license, and then click Next. If you do not see this panel, continue to the next step.
5 On the License Activation panel, select the option that matches your situation, and then click Next.
The following table describes each option:

Option: I have a serial number
Description: You may receive a license serial number when you or your Symantec Partner purchased the license. If you have a license serial number, select this option.
If you are an eFlex (Symantec Enterprise Options) customer and have an eFlex-generated serial number, select I have a Symantec License File.

Option: I have a Symantec License File (.slf)
Description: In most cases, a Symantec license file (.slf file) is sent to you in an email from Symantec shortly after you complete the purchase process. The file arrives attached to the notification email as a .zip file. If you have received a .slf file, select this option.
Note: You must extract the .slf file from the .zip file before you can use it to activate your product license.
Warning: The .slf file contains the information that is unique to your license. To avoid corrupting the license file, do not alter its contents. You may copy the file for your records.

You can find information about eFlex at the following URL: Enterprise Options
6 Do one of the following tasks based on the selection that you made in the previous step:
■ If you selected I have a serial number, enter the serial number, and then click Submit. Review the information about the license you added, and then click Next.
■ If you selected I have a Symantec License File (.slf), click Add File. Browse to and select the .slf file you extracted from the .zip file that was attached to your Symantec notification email. Click Open, and then click Next.
7 Enter information about your technical contacts and primary contacts, and about your company. Click to acknowledge the disclosure statement, and then click Submit.
If you provided this information when you purchased your license, this panel does not display.
8 Click Finish.
You can also view a video walkthrough of Symantec Endpoint Protection Small Business Edition.
To view the video walkthrough
1 Go to http://go.symantec.com/education_septc.
2 On the linked page, click Symantec Endpoint Protection 12.1.
3 On the expanded list, click Symantec Endpoint Protection 12.1: How to Activate the License.
See on page 60.
See “About renewing your Symantec Endpoint Protection Small Business Edition license” on page 66.
See on page 60.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
See “Licensing Symantec Endpoint Protection” on page 57.
Required licensing contact information
During the activation process, you are asked to provide any missing license contact information. Privacy statements are provided in the wizard to describe how this information is used. You must indicate that the privacy conditions are acceptable before you can complete the activation process.
Table 4-3 includes the information you need.
Table 4-3 Licensing contact information

Type of information: Technical Contact
Description: Contact information for the person who is in charge of the technical activities that are concerned with installing or maintaining your endpoint security infrastructure. The contact's name, email address, and phone number are required.

Type of information: Primary Contact
Description: Contact information for the person who represents your company. The contact's name, email address, and phone number are required.
Note: Click the checkbox to indicate when the Technical Contact and Primary Contact are the same person.

Type of information: Company Information
Description: Includes the company name, location, phone number, and email address.

See “Licensing Symantec Endpoint Protection” on page 57.
About the Symantec Licensing Portal
You can use the Symantec Licensing Portal to activate product licenses. However, you can activate licenses from the Symantec Endpoint Protection Manager console, which is simpler and faster.
The Symantec Licensing Portal is at the following location: https://licensing.symantec.com
Additional information about using the Symantec Licensing Portal to manage licenses is available at the Symantec Customer Care Web site: http://customersupport.symantec.com/
Note: You must create an account before you can use the licensing portal. If you do not have a Symantec Licensing Portal account, a link is provided on the main page to create one.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
See “Licensing Symantec Endpoint Protection” on page 57.
About product upgrades and licenses
When Symantec releases a new version of Symantec Endpoint Protection Small Business Edition, you may apply your existing active license to the new version.
You receive an email notification that a new release is available that includes instructions for downloading the new version of Symantec Endpoint Protection Small Business Edition.
For more information about licensing product upgrades, see the Version Upgrade FAQ at the following URL: http://www.symantec.com/business/products/upgrades/faq/index.jsp
See “Upgrading to a new release of Symantec Endpoint Protection Small Business
on page 92.
About renewing your Symantec Endpoint Protection Small Business Edition license
When your current license is about to expire, the Symantec Endpoint Protection Manager sends license expiration notifications to the Symantec Endpoint Protection Small Business Edition administrator. Symantec highly recommends that you renew your license before it expires.
When you renew a license, the management server removes and replaces the expired license with a new license. To purchase renewal licenses, visit the Symantec Store, or contact your Symantec partner or preferred Symantec reseller.
In the event that you accidentally delete a license, you can recover it from the Symantec Endpoint Protection Manager console.
See on page 60.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
See “Recovering a deleted license” on page 68.
Checking license status
You can find out whether the management server uses a trialware license or a paid license. You can also obtain the following license information for each paid license that you imported into the console:
■ License serial number, total seat count, expiration date
■ Number of valid seats
■ Number of deployed seats
■ Number of expired seats
■ Number of over-deployed clients
The license status is not available for a trialware license.
To determine if your installation uses a paid license or a trialware license
1 In the console, click Admin.
2 On the Admin page, click Licenses.
To check license status for paid licenses
1 In the console, click Home.
2 On the Home page, click Licensing Details.
See “Licensing Symantec Endpoint Protection” on page 57.
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
About the licensing enforcement rules
Symantec Endpoint Protection Small Business Edition licenses are enforced according to the following rules:
Table 4-4 Licensing enforcement rules

Where applies: Term of license
Rule: The term of the license starts from the time and date of activation until midnight of the last day of the licensing term.

Where applies: License coverage: Symantec Endpoint Protection Small Business Edition components
Rule: A Symantec Endpoint Protection Small Business Edition license applies to the Symantec Endpoint Protection Small Business Edition clients. For instance, in a network with 50 endpoints, the license must provide for a minimum of 50 seats. Instances of the Symantec Endpoint Protection Manager do not require a license.

Where applies: License coverage: platforms
Rule: Licensing seats apply to clients running on any platform, whether the platform is Windows or Mac.

Where applies: License coverage: products and versions
Rule: License seats apply equally across product versions. For example, a license covers both version 12.1.1000 and 12.1.1101 clients within the same site.

Where applies: Small Business Edition upgrades
Rule: The clients that are licensed as Symantec Endpoint Protection Small Business Edition remain licensed as Small Business Edition clients when the Symantec Endpoint Protection Manager is upgraded to the enterprise edition.

See “Licensing Symantec Endpoint Protection” on page 57.
Backing up your license files
Symantec recommends that you back up your license files. Backing up the license files preserves the license files in case the database or the console computer's hard disk becomes damaged.
By default, when you import the license file using the Licensing Activation Wizard, Symantec Endpoint Protection Manager places a copy of the license file in the following location: \\Symantec Endpoint Protection Manager installation directory\Inetpub\license
If you misplaced the license files you originally downloaded or received by email, you can download the files again from the Symantec Licensing Portal Web site.
To back up your license files
◆ Using Windows, copy the .slf license files from the directory where you saved the files to another computer of your choice.
See your company's procedure for backing up files.
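The following PowerShell script is an added example and is not part of the guide or of the product. It copies the .slf files from the management server's Inetpub\license folder to a dated backup folder and writes a SHA-256 manifest next to them, so that a restored file can be checked for the corruption the guide warns about before it is imported again. The installation directory, the backup path, and the availability of Get-FileHash (Windows PowerShell 4.0 or later) are assumptions.

```powershell
# Added example (not from the guide): back up SEPM .slf license files and record
# a SHA-256 manifest so a restore can be checked before the file is imported.
# Assumptions: SEPM is installed under $SepmRoot (adjust to your installation
# directory) and Get-FileHash is available (Windows PowerShell 4.0 or later).
param(
    [string]$SepmRoot   = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager',  # assumed
    [string]$BackupRoot = 'D:\SEPM-license-backup'                                                # assumed
)

# The License Activation Wizard keeps a copy of imported files here (path from the guide)
$LicenseDir = Join-Path $SepmRoot 'Inetpub\license'

function Backup-SepmLicenses {
    param([string]$Source, [string]$Destination)

    if (-not (Test-Path $Source)) { throw "License directory not found: $Source" }

    # One dated subfolder per run, so earlier backups are never overwritten
    $target = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $manifest = foreach ($file in Get-ChildItem -Path $Source -Filter '*.slf' -File) {
        $sourceHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $copy = Copy-Item -Path $file.FullName -Destination $target -PassThru
        # .slf files must never be edited, so the copy has to match the original
        # byte for byte; a mismatch later means the backup was altered or corrupted.
        $copyHash = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
        if ($copyHash -ne $sourceHash) { throw "Copy of $($file.Name) does not match the original" }
        [pscustomobject]@{ Name = $file.Name; Bytes = $file.Length; Sha256 = $sourceHash }
    }
    if (-not $manifest) { throw "No .slf files found in $Source" }
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    return $target
}

function Test-SepmLicenseBackup {
    # Re-hash every file in a backup folder and compare against its manifest.
    param([string]$BackupFolder)
    $ok = $true
    foreach ($entry in Import-Csv -Path (Join-Path $BackupFolder 'manifest.csv')) {
        $path = Join-Path $BackupFolder $entry.Name
        $hash = if (Test-Path $path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { 'MISSING' }
        if ($hash -ne $entry.Sha256) {
            Write-Warning "$($entry.Name): expected $($entry.Sha256), got $hash"
            $ok = $false
        }
    }
    return $ok
}

$folder = Backup-SepmLicenses -Source $LicenseDir -Destination $BackupRoot
Write-Host "Backed up to $folder; manifest verified: $(Test-SepmLicenseBackup -BackupFolder $folder)"
```

Run Test-SepmLicenseBackup against the backup folder again before you re-import a file after a disk or database failure; a hash mismatch means the copy should not be used, and the file should be downloaded again from the Symantec Licensing Portal instead.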
See “Activating or importing your Symantec Endpoint Protection Small Business Edition 12.1 product license” on page 62.
See “About the Symantec Licensing Portal” on page 65.
See “Licensing Symantec Endpoint Protection” on page 57.
Recovering a deleted license
If you accidentally delete a license file, you can recover it from the Symantec Endpoint Protection Manager console.
To recover a deleted license
1 On the Symantec Endpoint Protection Manager console Admin page, click Licenses and then under Tasks, click Recover a deleted license.
2 On the License recovery panel, check the deleted license you want to recover, and then click Submit.
About multi-year licenses
When you purchase a multi-year license, you receive a set of license files equal to the number of years your license is valid. For instance, a three-year license consists of three separate license files. When you activate a multi-year license, you import all of the license files during the same activation session. The Symantec Endpoint Protection Manager merges the separate license files into a single activated license that is valid for the purchased duration.
While not recommended, it is possible to activate fewer than the full complement of license files. In this case, the Symantec Endpoint Protection Manager merges the files and applies the duration of the license file that expires last. For instance, a three-year license that is activated with only the first two files indicates a duration of only two years. When the third file is activated at a later date, the full duration of the license is reported accurately as three years. In all cases, the number of seats remains consistent with the number of seats that you purchased.
When the Symantec Endpoint Protection Manager merges files, the shortest duration files are deleted and the longest duration file is kept for internal license-keeping functions. If you think that a license was deleted inappropriately, recover and reactivate the deleted license.
You can see the license serial numbers of shorter duration that are associated with the active license. On the Admin page, click Licenses and then click the activated license. The associated licenses appear in the Associated Licenses column.
See “Recovering a deleted license” on page 68.
See “Licensing Symantec Endpoint Protection” on page 57.
Licensing an unmanaged client
To enable the submission of reputation data from an unmanaged client, you must install a paid license on the unmanaged client.
To license an unmanaged client
1 Locate and create a copy of your current Symantec Licensing File (.slf). Use the same file that you used to activate your license on Symantec Endpoint Protection Manager.
2 On the client computer, place the copied license file into the Symantec Endpoint Protection client inbox.
■ On the clients that run on a pre-Vista version of Windows, the inbox is located at: Drive:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\inbox
■ On the clients that use Vista or a later version of Windows, the inbox is located at: Drive:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\inbox\
If the license file is invalid or the license installation failed, a folder named Invalid is created and the invalid license is placed into the folder. If the file is valid, it is automatically removed from the inbox after it is processed.
3 To verify that you applied the license correctly, check that no files appear in the inbox folder.
4 Check that the .slf file is in either one of the following folders:
■ For the clients that run on a pre-Vista version of Windows: Drive:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo_identification\Data\Config
■ For the clients that run on Vista or a later version of Windows: Drive:\ProgramData\Symantec\Symantec Endpoint Protection\silo_identification\Data\Config
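The four steps above can be carried out and checked from PowerShell on the client itself. The script below is an added example, not code from the guide or from the product: it picks the inbox and Config paths the guide gives for the client's Windows generation, copies the .slf into the inbox, waits until the client has either consumed the file or moved it to the Invalid folder, and then confirms by hash that the same file now sits under silo_identification\Data\Config. The license file path, the polling interval and timeout, and the availability of Get-FileHash (Windows PowerShell 4.0 or later, so not on the pre-Vista clients themselves) are assumptions.

```powershell
# Added example (not from the guide): apply a paid license to an unmanaged client
# through its inbox folder and verify the outcome of each step.
# Assumption: $LicenseFile is a copy of the .slf that activated the management server.
param([string]$LicenseFile = 'D:\licenses\sep_sbe.slf')   # assumed path

# Inbox and final location differ between pre-Vista and Vista-or-later clients
# (paths from the guide; "Drive:" is resolved from the system drive).
$drive = $env:SystemDrive
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $base = Join-Path $drive 'ProgramData\Symantec\Symantec Endpoint Protection'
} else {
    $base = Join-Path $drive 'Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection'
}
$inbox  = Join-Path $base 'CurrentVersion\inbox'
$config = Join-Path $base 'silo_identification\Data\Config'

function Install-UnmanagedClientLicense {
    param([string]$Slf, [string]$Inbox, [string]$Config, [int]$TimeoutSeconds = 120)

    if (-not (Test-Path $Slf))   { throw "License file not found: $Slf" }
    if (-not (Test-Path $Inbox)) { throw "Client inbox not found: $Inbox (is the client installed?)" }

    # Hash the file before handing it over, so the final check proves that this
    # exact file, not a modified or stale one, is what the client accepted.
    $expected = (Get-FileHash -Path $Slf -Algorithm SHA256).Hash
    $name = Split-Path $Slf -Leaf
    Copy-Item -Path $Slf -Destination $Inbox

    # A valid file is removed from the inbox after processing; an invalid one is
    # moved into an 'Invalid' subfolder (step 2 of the guide). Poll for either.
    $invalidDir = Join-Path $Inbox 'Invalid'
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $stillInInbox = Test-Path (Join-Path $Inbox $name)
        $rejected     = Test-Path (Join-Path $invalidDir $name)
    } until ((-not $stillInInbox) -or $rejected -or ((Get-Date) -gt $deadline))

    if ($rejected)     { return [pscustomobject]@{ Status = 'Rejected'; Detail = "file moved to $invalidDir" } }
    if ($stillInInbox) { return [pscustomobject]@{ Status = 'Timeout';  Detail = 'file still in inbox' } }

    # Step 4 of the guide: the .slf must now be under silo_identification\Data\Config.
    # Match by hash rather than by name in case the client stores it under another name.
    $installed = Get-ChildItem -Path $Config -Filter '*.slf' -ErrorAction SilentlyContinue |
                 Where-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq $expected }
    if ($installed) { return [pscustomobject]@{ Status = 'Applied'; Detail = ($installed.FullName -join '; ') } }
    return [pscustomobject]@{ Status = 'Unknown'; Detail = "inbox is empty but no matching .slf under $Config" }
}

Install-UnmanagedClientLicense -Slf $LicenseFile -Inbox $inbox -Config $config
```

Run it elevated, since both folders are under the all-users profile. A result of Rejected means the file in the Invalid folder should be compared with the copy on the management server; a result of Unknown means the inbox emptied without the file appearing where step 4 expects it, which is worth checking by hand before assuming the license applied.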
Chapter 5
Installing the Symantec Endpoint Protection Small Business Edition client
This chapter includes the following topics:
■ Preparing for client installation
■ About client deployment methods
■ Configuring client packages to uninstall existing third-party security software
■
■ About managed and unmanaged clients
■ Installing an unmanaged client
■ Uninstalling the Windows client
■
Preparing for client installation
Table 5-1 lists the actions that you must perform before you can install the client software on the computers in your network.
Table 5-1 Client computer preparation

Action: Prepare computers for remote deployment
Description: Prepare your computers for remote client deployment.
■ Modify firewall settings to allow communication between Symantec Endpoint Protection Small Business Edition components.
See “About firewalls and communication ports” on page 74.
See “Preparing Windows operating systems for remote deployment” on page 72.
■ Uninstall any legacy Symantec virus protection software if migration is not supported.
See “Supported and unsupported migration paths to Symantec Endpoint Protection
on page 108.
See the Symantec documentation for your legacy Symantec virus protection software for information about uninstallation.
■ You can choose to automatically uninstall existing third-party security software when you deploy a client installation package. Otherwise, you must uninstall third-party security software before deployment.
Note: Some programs may have special uninstallation routines. See the documentation for the third-party software.
See “Configuring client packages to uninstall existing third-party security software” on page 83.

Action: Deploy client software
Description: You deploy the client software using any of the available methods.
See “About client deployment methods” on page 75.
Preparing Windows operating systems for remote deployment
Table 5-2 lists the associated tasks that you must do on client computer operating systems to successfully install the client remotely.
Table 5-2 Remote deployment actions

Operating system: Prepare Windows XP computers or Windows Server 2003 servers that are installed in workgroups
Tasks: Windows XP computers and Windows Server 2003 servers that are installed in workgroups do not accept remote deployment by default. To permit remote deployment, disable Simple File Sharing.
Note: This limitation does not apply to computers that are part of a Windows domain.

Operating system: Prepare Windows Vista, Windows 7, or Windows Server 2008 computers
Tasks: Perform the following tasks:
■ Disable the Sharing Wizard.
■ Enable network discovery by using the Network and Sharing Center.
■ Enable the built-in administrator account and assign a password to the account.
■ Verify that the account has administrator privileges.
You may also need to perform the following tasks:
■ Ensure that the Administrator account does not have a blank password.
■ Disable the Windows Firewall, or allow the ports that are required for communication between Symantec Endpoint Protection Small Business Edition and Symantec Endpoint Protection Manager.
See “About firewalls and communication ports” on page 74.
Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL: http://support.microsoft.com/kb/951016
To push the client software to computers, you should use a domain administrator account if the client computer is part of an Active Directory domain. Remote deployment also requires administrator privileges to install.

Operating system: Prepare Windows 8 or Windows Server 2012 computers
Tasks: Before you deploy, perform the following tasks:
■ Disable the Windows Firewall.
■ Create the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL: http://support.microsoft.com/kb/942817
■ Enable and start the Remote Registry service.
See your Windows documentation for more information.
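Several of the preparation items in Table 5-2 loosen a client's default posture (the LocalAccountTokenFilterPolicy value, the Remote Registry service, the firewall profiles), so it is worth being able to see their state on a target computer before the push and again afterwards, when they should be reverted. The script below is an added example, not part of the guide or of the product: it audits those settings and reports them without changing anything. It assumes Windows 8 / Server 2012 or later for Get-NetFirewallProfile (with a netsh fallback hint when the cmdlet is missing), and the registry locations used are the standard ones for these settings, not values given by the guide.

```powershell
# Added example (not from the guide): read-only audit of the remote-deployment
# prerequisites listed in Table 5-2. Run elevated on the prospective client.
# Assumptions: Get-NetFirewallProfile exists (Windows 8 / Server 2012 or later);
# registry paths below are the standard locations for these settings.

function Get-RemoteDeploymentReadiness {
    $checks = @()

    # LocalAccountTokenFilterPolicy = 1 stops UAC from filtering the token of local
    # administrators over the network, which is what lets a push reach C$/Admin$.
    # It also widens exposure of every local admin account, so it should be
    # reviewed (and normally removed) once the deployment is finished.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ltfp = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $checks += [pscustomobject]@{
        Check  = 'LocalAccountTokenFilterPolicy'
        Value  = if ($null -eq $ltfp) { '(not set)' } else { $ltfp }
        Ready  = ($ltfp -eq 1)
        Advice = 'Needed only when pushing with a local admin account; prefer a domain admin account and remove the value afterwards.'
    }

    # Remote Registry must be running for Windows 8 / Server 2012 targets
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'RemoteRegistry service'
        Value  = if ($svc) { [string]$svc.Status } else { '(missing)' }
        Ready  = ($null -ne $svc -and $svc.Status -eq 'Running')
        Advice = 'Stop and disable it again once deployment is finished.'
    }

    # Built-in Administrator (RID 500) must be enabled; a blank password cannot be
    # read from here, so PasswordRequired is reported only as a hint.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $checks += [pscustomobject]@{
        Check  = 'Built-in Administrator enabled'
        Value  = if ($admin) { "Disabled=$($admin.Disabled) PasswordRequired=$($admin.PasswordRequired)" } else { '(not found)' }
        Ready  = ($null -ne $admin -and -not $admin.Disabled)
        Advice = 'Assign a password; a blank password blocks remote logon and is a risk in itself.'
    }

    # Firewall profiles: either off, or rules for the push ports must exist
    try {
        foreach ($p in Get-NetFirewallProfile -ErrorAction Stop) {
            $enabled = ([string]$p.Enabled -eq 'True')
            $checks += [pscustomobject]@{
                Check  = "Firewall profile $($p.Name)"
                Value  = if ($enabled) { 'Enabled' } else { 'Disabled' }
                Ready  = (-not $enabled)
                Advice = 'If enabled, allow TCP 139/445 and UDP 137/138 from the management server rather than disabling the profile.'
            }
        }
    } catch {
        $checks += [pscustomobject]@{ Check = 'Firewall profiles'; Value = '(Get-NetFirewallProfile unavailable)'; Ready = $false
                                      Advice = 'Check with: netsh advfirewall show allprofiles state' }
    }

    # Sharing Wizard is a per-user Explorer setting (SharingWizardOn = 0 disables it)
    $swKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $sw = (Get-ItemProperty -Path $swKey -Name SharingWizardOn -ErrorAction SilentlyContinue).SharingWizardOn
    $checks += [pscustomobject]@{
        Check  = 'Sharing Wizard (current user)'
        Value  = if ($null -eq $sw) { '(default: on)' } else { $sw }
        Ready  = ($sw -eq 0)
        Advice = 'Applies to Vista / 7 / Server 2008 targets.'
    }
    return $checks
}

Get-RemoteDeploymentReadiness | Format-Table Check, Value, Ready, Advice -AutoSize -Wrap
```

Keep the output from the pre-deployment run; running the same audit after the clients report in gives a simple way to confirm that the temporary relaxations (the registry value, Remote Registry, any disabled firewall profile) have been put back.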
See “Preparing for client installation” on page 71.
About firewalls and communication ports
If your Symantec Endpoint Protection Manager and client computers run firewall software, you must open certain ports for communication between the management server and clients. See your firewall software product documentation for instructions to open ports or allow applications to use ports.
Warning: The firewall in the Symantec Endpoint Protection Small Business Edition client is disabled by default at initial installation. To ensure firewall protection, leave the Windows firewall enabled on the clients until the software is installed and the client is restarted. The Symantec Endpoint Protection Small Business Edition client firewall automatically disables the Windows firewall when the computer restarts.
Table 5-3 Ports for client and server installation and communication

Function: Push deployment
Component: Management server and client
Protocol and port: TCP 139 and 445 on management servers and clients. UDP 137 and 138 on management servers and clients. TCP ephemeral ports on management servers and clients.

Function: General communication
Component: Management server and client
Protocol and port: For management servers and clients:
■ TCP 8014 for management servers, by default.
■ TCP ephemeral port on clients.

Function: Remote Symantec Endpoint Protection Manager console installation
Component: Management server and remote management server console
Protocol and port: TCP 9090 on remote management servers. TCP ephemeral ports on remote consoles.

Function: Web services
Component: Remote Monitoring and Management (RMM)
Protocol and port: TCP 8446 for RMM Web services

Function: Migration and client deployment
Component: Symantec Endpoint Protection Manager and legacy Symantec management server
Protocol and port: TCP 139, TCP 445, TCP ephemeral ports, and UDP 137

Function: LiveUpdate
Component: LiveUpdate client and server
Protocol and port: TCP ephemeral ports on clients. TCP 80 on LiveUpdate servers.

■ Windows Vista, Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012 contain a firewall that is enabled by default. If the firewall is enabled, you might not be able to install or deploy the client software remotely. If you have problems deploying the client to computers running these operating systems, configure their firewalls to allow the required traffic.
■ If you have legacy Symantec virus protection software in your environment, open TCP and UDP port 2967, if they are not already open.
■ If you decide to use the Windows firewall after deployment, you must configure it to allow file and printer sharing (port 445).
For more information about configuring Windows firewall settings, see the Windows documentation.
See “Enabling and disabling a firewall policy” on page 238.
See “Monitoring endpoint protection” on page 293.
See “Preparing for client installation” on page 71.
About client deployment methods
You deploy the Symantec Endpoint Protection Small Business Edition client by using the Client Deployment Wizard. You deploy the client software after the Symantec Endpoint Protection Manager is installed.
Table 5-4 displays the client deployment methods that you can use.
Table 5-4 Client deployment options

Options: Web link and email
Description: Users receive an email message that contains a link to download and install the client software. The users must have local administrator rights to their computers. Web link and email notification installation is the recommended deployment method.
See “Deploying clients using a Web link and email” on page 77.

Options: Remote push
Description: Remote push installation lets you control the client installation. Remote push installation pushes the client software to the computers that you specify. The installation begins automatically.
See “Preparing Windows operating systems for remote deployment” on page 72.
See “Deploying clients by using Remote Push” on page 79.

Options: Save package
Description: Custom installation creates an executable installation package that you save to the management server and then distribute to the client computers. Users run a setup.exe file to install the client software.
See “Deploying clients by using Save Package” on page 81.

See “Which features should you install on the client?” on page 76.
See “Preparing for client installation” on page 71.
Which features should you install on the client?
When you deploy the client using the Client Deployment Wizard, you must choose the feature set. The feature set includes multiple protection components that are installed on the client. You can select a default feature set or select individual components. Decide which feature set to install based on the role of the computers, and the level of security or performance that the computers need.
Table 5-5 lists the protection technologies you should install on client computers based on their role.
Table 5-5 Client installation feature sets

Protection type: Laptop, Desktops & Workstations - Full Protection
Description: Includes all protection technologies. Appropriate for laptops, workstations, and desktops. Includes the full Download Protection and mail protocol protection.

Protection type: Servers - Full Protection
Description: Includes all protection technologies except mail protocol protection. Appropriate for any servers that require maximum network security.

Protection type: Servers - Basic Protection
Description: Includes Virus and Spyware Protection and Download Protection. Appropriate for any servers that require maximum network performance.

Protection type: Custom
Description:
■ Standard Protection: Includes Basic Virus and Spyware Protection, SONAR, full Download Protection, and the firewall.
■ Basic Virus and Spyware Protection: Includes Virus and Spyware Protection and Download Protection. Includes the Auto-Protect real-time file scanning and manual file scanning plus basic Download Insight.
■ Email Protection (optional): Includes Microsoft Outlook Auto-Protect and Internet Email Auto-Protect. For performance reasons, Microsoft Outlook Auto-Protect is not installed on supported Microsoft Server operating systems.

See “About client deployment methods” on page 75.
See “Preparing for client installation” on page 71.
Deploying clients using a Web link and email
The Web link and email method creates a URL for each client installation package.
You send the link to users in an email or make it available from a network location.
Web link and email performs the following actions:
■ Selects and configures the client installation packages.
Client installation packages are created for 32-bit and 64-bit Windows computers. The installation packages are stored on the computer that runs Symantec Endpoint Protection Manager.
■ Notifies the computer users about the client installation packages.
An email message is sent to the selected computer users. The email message contains instructions to download and install the client installation packages. Users follow the instructions to install the client software.
The Mac client install package is automatically exported as a .zip archive file. To expand the package and extract the folder containing the Apple installer file (.pkg) and the Additional Resources folder, you must use either the Mac Archive Utility or the ditto command. You cannot use the Mac unzip command, a third-party application, or any Windows application to expand this file. You must keep the .pkg file and the Additional Resources folder together to complete the installation successfully.
Before you deploy the client installation package with email, make sure that you correctly configure the connection from the management server to the mail server.
You start the client deployment from the console.
To deploy clients by using a Web link and email
1 In the console, on the Home page, in the Common Tasks menu, select Install protection client to computers.
2 In the Client Deployment Wizard, click New Package Deployment to create a new installation package, and then click Next.
Existing Package Deployment lets you deploy the packages that have been exported previously, but you can only use Remote Push with this option.
Communication Update Package Deployment lets you update client communication settings on the computers that already have the client installed. Use this option to convert an unmanaged client to a managed client. You can only use Remote Push or Save Package with this option.
See “Deploying clients by using Remote Push” on page 79.
See “Deploying clients by using Save Package” on page 81.
See “Restoring client-server communications by using a client installation package” on page 336.
3 For a new package, make selections from Install Packages, Group, Install Feature Set, and Content Options. Click Next.
Note: To uninstall third-party security software on the client, click Automatically uninstall existing security software. To see which third-party software the client package removes, see the following knowledge base article: About the third-party security software removal feature in Symantec Endpoint Protection 12.1.
See “Configuring client packages to uninstall existing third-party security software” on page 83.
4 Click Web Link and Email, and then click Next.
5 In the Email Recipients and Message panel, specify the email recipients and the subject.
To specify multiple email recipients, type a comma after each email address.
A management console System Administrator automatically receives a copy of the message.
You can accept the default email subject and body, or edit the text. You can also copy the URL and post it to a convenient online location, like an intranet page.
To create the package and deliver the link by email, click Next, and then click Finish.
6 Confirm that the computer users received the email message and installed the client software.
Client computers may not appear within the management console until after they are restarted. You or the computer users may need to restart the client computers.
See “Restarting client computers” on page 85.
See “Viewing the status of deployed client computers” on page 300.
See “Which features should you install on the client?” on page 76.
See “About client deployment methods” on page 75.
See “Preparing for client installation” on page 71.
See “Establishing communication between the management server and email servers” on page 323.
Deploying clients by using Remote Push
Remote Push lets you control the client installation. Remote Push pushes the client software to the computers that you specify. Using Remote Push requires knowledge of how to search networks to locate computers by IP address or computer names. Once the package is pushed, the installation is performed automatically and does not rely on the computer user to start it.
Remote Push performs the following actions:
■ Selects an existing client installation package or creates a new installation package.
■ For new installation packages, configures package deployment settings.
■ Locates the computers on your network.
Remote Push locates either specific computers for which you provide an IP number or range, or all computers that are visible by browsing the network.
■ Pushes the client software to the computers that you specify.
The installation automatically begins on the computers once the package is successfully pushed.
The Mac client cannot be deployed using Remote Push.
You start the client deployment from the console.
To deploy clients by using Remote Push
1 In the console, on the Home page, in the Common Tasks menu, click Install protection client to computers.
2 In the Client Deployment Wizard, do one of the following tasks:
■ Click New Package Deployment to create a new installation package, and then click Next.
■ Click Existing Package Deployment to use a package that was previously created, and then click Browse to locate the package to deploy.
The Client Deployment Wizard uploads the package and directs you to the Computer Selection panel (step 5).
■ Click Communication Update Package Deployment if you want to update client communication settings on the computers that already have the client installed. Use this option to convert an unmanaged client to a managed client.
See “Restoring client-server communications by using a client installation package” on page 336.
3 For a new package, in the Select Group and Install Feature Sets panel, make selections from Install Packages, Group, Install Feature Set, and Content Options. Click Next.
To uninstall third-party security software on the client, click Automatically uninstall existing security software. To see which third-party software the client package removes, see the following knowledge base article: About the Security Software Removal feature in Symantec Endpoint Protection 12.1.
See “Configuring client packages to uninstall existing third-party security software” on page 83.
4 Click Remote Push, and then click Next.
5 In the Computer Selection panel, locate the computers to receive the software using one of the following methods:
■ To browse the network for computers, click Browse Network.
■ To find computers by IP address or computer name, click Search Network, and then click Find Computers.
You can set a timeout value to constrain the amount of time that the server applies to a search.
6 Click >> to add the computers to the list, and authenticate with the domain or workgroup if the wizard prompts you.
The remote push installation requires elevated privileges. If the client computer is part of an Active Directory domain, you should use a domain administrator account.
7 Click Next, and then click Send to push the client software to the selected computers.
Once the Deployment Summary panel indicates a successful deployment, the installation starts automatically on the client computers. The installation takes several minutes to complete.
8 Click Next, and then click Finish.
9 Confirm the status of the deployed clients on the Computers page.
Client computers may not appear within the management console until after they are restarted. You or the computer users may need to restart the client computers.
See “Restarting client computers” on page 85.
See “Viewing the status of deployed client computers” on page 300.
See “Preparing Windows operating systems for remote deployment” on page 72.
See “Which features should you install on the client?” on page 76.
See “About client deployment methods” on page 75.
See “Preparing for client installation” on page 71.
Deploying clients by using Save Package
Save Package creates the installation packages that you can install manually or with Windows Group Policy Object.
Save Package performs the following actions:
■ Creates a 32-bit or 64-bit installation package.
The installation package can comprise one setup.exe file or a collection of files that includes a setup.exe file. Computer users often find one setup.exe file easier to use.
■ Saves the installation package to a directory on the computer that runs Symantec Endpoint Protection Manager.
You must provide the installation package to the computer users. The users run the setup.exe file to install the client software. You or the computer users must restart the computers after installation.
The Mac client install package is automatically exported as a .zip archive file. To expand the package and extract the folder containing the Apple installer file (.pkg) and the Additional Resources folder, you must use either the Mac Archive Utility or the ditto command. You cannot use the Mac unzip command, a third-party application, or any Windows application to expand this file. You must keep the .pkg file and the Additional Resources folder together to complete the installation successfully.
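As an added example that is not part of the guide, the following POSIX shell helper covers the Mac package handling described here and in the Web link and email method above: it expands the exported .zip with ditto, as the guide requires, and then checks that the .pkg installer and the Additional Resources folder ended up together before the folder is handed to a user. The archive and destination paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): expand the exported Mac client .zip
# with ditto, then confirm the installer (.pkg) and the "Additional Resources"
# folder sit side by side. Paths used below are placeholders.

# Expand the archive with ditto (macOS only). -x extracts, -k reads PKZIP
# format; ditto keeps the resource forks and metadata the Mac installer
# expects, which the plain unzip command drops.
expand_sep_mac_package() {
    archive=$1
    dest=$2
    mkdir -p "$dest" || return 1
    ditto -x -k "$archive" "$dest"
}

# Return 0 when the folder holds exactly one .pkg and an "Additional Resources"
# folder next to it; report what is missing and return 1 otherwise.
# Pass the folder that directly contains the .pkg, not its parent.
verify_sep_mac_package() {
    dir=$1
    pkg_count=0
    for f in "$dir"/*.pkg; do
        # An unmatched glob stays literal, so test that the entry exists.
        [ -e "$f" ] && pkg_count=$((pkg_count + 1))
    done
    if [ "$pkg_count" -ne 1 ]; then
        echo "expected one .pkg in $dir, found $pkg_count" >&2
        return 1
    fi
    if [ ! -d "$dir/Additional Resources" ]; then
        echo "missing 'Additional Resources' folder in $dir" >&2
        return 1
    fi
    return 0
}

# Typical use on a Mac (placeholder names): expand, then verify before
# distributing the folder to the user.
# expand_sep_mac_package "SEP_Mac_client.zip" "/tmp/sep_mac" \
#     && verify_sep_mac_package "/tmp/sep_mac"
```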
You start the client deployment from the console.
To deploy clients by using Save Package
1 In the console, on the Home page, in the Common Tasks menu, click Install protection client to computers.
2 In the Client Deployment Wizard, click New Package Deployment to configure a new installation package, and then click Next.
Existing Package Deployment lets you deploy the packages that have been exported previously, but you can only use Remote Push with this option.
Communication Update Package Deployment lets you update client communication settings on the computers that already have the client installed. Use this option to convert an unmanaged client to a managed client. Click Next to select the group of clients on which the package is installed.
See “Restoring client-server communications by using a client installation package” on page 336.
3 For a new package, make selections from Install Packages, Group, Install Feature Set, and Content Options. Click Next.
Note: To uninstall third-party security software on the client, click Automatically uninstall existing security software. To see which third-party software the client package removes, see the following knowledge base article: About the Security Software Removal feature in Symantec Endpoint Protection 12.1.
See “Configuring client packages to uninstall existing third-party security software” on page 83.
4 Click Save Package, and then click Next.
5 Click Browse and specify the folder to receive the package, if you do not want to accept the default.
Check Single .exe file (default) or Separate files (required for .MSI), and then click Next.
To create a package for computers running on legacy operating systems, click Create a package for clients with systems that are not supported by 12.x packages. Click Next.
If the default folder does not exist, click Yes in the confirmation dialog box to create it.
Note: If you deploy clients with Windows Group Policy Object, choose Separate files (required for .MSI).
6 Review the settings summary, click Next, and then click Finish.
7 Provide the custom installation package to the computer users.
For example, you can save the installation package to a shared network location, or email the installation package to the computer users. You can also use Windows Group Policy Object to deploy the package.
8 Confirm that the computer users have received and installed the client software, and confirm the status of the deployed clients.
Client computers may not appear within the management console until after they are restarted. You or the computer users may need to restart the client computers.
See “Restarting client computers” on page 85.
See “Viewing the status of deployed client computers” on page 300.
See “Which features should you install on the client?” on page 76.
See “About client deployment methods” on page 75.
See “Deploying clients by using Remote Push” on page 79.
See “Preparing for client installation” on page 71.
Configuring client packages to uninstall existing third-party security software
You can configure and deploy new installation packages to uninstall existing third-party security software before the installation of the Symantec Endpoint Protection Small Business Edition client. Uninstalling third-party security software allows the Symantec Endpoint Protection Small Business Edition client to run more efficiently.
You enable the security software removal feature when you create an installation package through the Client Deployment Wizard.
To see which third-party software the client package removes, see the following knowledge base article: About the third-party security software removal feature in Symantec Endpoint Protection 12.1. Some programs may have special uninstallation routines. See the documentation for the third-party software.
Note: You cannot remove third-party security software with Mac client packages. You also cannot configure installation packages earlier than Symantec Endpoint Protection Small Business Edition client version 12.1.1101 and legacy client version 12.0 to remove third-party security software. Only the packages you create using the following procedure can remove third-party security software.
To configure client packages to uninstall existing third-party security software
1 In the console, on the Home page, in the Common Tasks drop-down list, click Install protection client to computers.
2 In the Client Deployment Wizard, click New Package Deployment, and then click Next.
3 In Select Group and Install Feature Set, check Automatically uninstall existing security software, and then click OK.
You can make other changes to your deployment here, and then click Next.
4 Choose the type of deployment that you want to use: Web link and email, Remote Push, or Save Package.
5 Click Next to proceed with and complete your chosen deployment method.
See “Deploying clients using a Web link and email” on page 77.
See “Deploying clients by using Remote Push” on page 79.
See “Deploying clients by using Save Package” on page 81.
See “Preparing for client installation” on page 71.
Restarting client computers
You need to restart client computers after you install the client software. By default, the client computers restart automatically after installation.
You can also restart the client computers at any time by running a restart command from the management server. You have the option to schedule the client computers to restart during a time that is convenient for users. You can force an immediate restart, or give the users an option to delay.
To restart a selected client computer
1 In the console, click Computers.
2 On the Computers page, on the Computers tab, select a group.
3 On the Computers tab, select a computer, right-click Run Command on Computers, and then click Restart Client Computers.
4 Click Yes, specify the restart options that you require, and then click OK.
Some restart options apply only to Windows clients. For details, see the context-sensitive help.
To restart the client computers in a selected group
1 In the console, click Computers.
2 On the Computers page, on the Computers tab, select a group, right-click Run a command on the group, and then click Restart Client Computers.
3 Click Yes, specify the restart options that you require, and then click OK.
Some restart options apply only to Windows clients. For details, see the context-sensitive help.
See “About commands that you can run on client computers” on page 132.
See “Running commands on the client computer from the console” on page 134.
See “Preparing for client installation” on page 71.
About managed and unmanaged clients
You can install the client software as a managed client or as an unmanaged client. In most cases, you should install a managed client. You may want to install an unmanaged client if you want the user to have more control over the computer, such as a test computer. Make sure that the unmanaged client users have the appropriate level of knowledge to configure any security settings that are different from the default settings.
Table 5-6 Differences between a managed and an unmanaged client
Type: Managed client
Description: You administer the clients from the console. Managed client computers connect to your network. You use the console to update the client software, security policies, and virus definitions on the managed client computers. In most cases, you install the client software as a managed client.
You can install a managed client in either of the following ways:
■ During initial product installation
■ From the console after installation
Type: Unmanaged client
Description: The primary computer user must administer the client computer. An unmanaged client cannot be administered from the console. The primary computer user must update the client software, security policies, and virus definitions on the unmanaged client computer. You install an unmanaged client directly from the product disc.
See “Installing an unmanaged client” on page 86.
See “Why do I need to replace the client-server communications file on the client computer?” on page 333.
See “Preparing for client installation” on page 71.
Installing an unmanaged client
Unmanaged clients do not connect to Symantec Endpoint Protection Manager. In most cases, unmanaged clients connect to your network intermittently or not at all.
You or the primary computer users must maintain the computers. This maintenance includes monitoring and adjusting the protection on the computers, and updating security policies, virus definitions, and software.
See “About managed and unmanaged clients” on page 85.
To install an unmanaged Windows client
1 On the computer, insert the product disc.
The installation should start automatically. If it does not start automatically, double-click Setup.exe.
If you downloaded the product, extract the entire product disc image to a physical disc, such as a hard disk. Run Setup.exe from the physical disc.
2 Click Install an unmanaged client, and then click Next.
3 On the License Agreement Panel, click I accept the terms in the license agreement, and then click Next.
4 Confirm that the unmanaged computer is selected, and then click Next.
This panel appears when you install the client software for the first time on a computer.
5 On the Protection Options panel, select the protection types, and then click Next.
See “Which features should you install on the client?” on page 76.
6 On the Ready to Install the Program panel, click Install.
7 On the Wizard Complete panel, click Finish.
To install an unmanaged Mac client
1 On the Mac computer, insert and double-click the product disc.
If you downloaded the product, extract the entire product disc image to a physical disc, such as a hard disk, on a Windows computer. Copy the SEP_MAC folder to the desktop of the Mac computer.
2 Double-click the SEP_MAC folder.
3 Double-click Symantec Endpoint Protection.dmg to mount it as a virtual disc.
4 Double-click Symantec Endpoint Protection.pkg to launch the installation.
5 On the Introduction panel, click Continue.
6 On the Software License Agreement panel, click Continue, and then click Agree.
You can print or save the license agreement for review.
7 Click Install, and then click Continue Installation.
Enter the password for the Mac administrative account when prompted.
8 On the Summary panel, click Log Out.
When you log back on to the Mac computer, LiveUpdate launches to update the definitions.
See “Preparing for client installation” on page 71.
Uninstalling the Windows client
You uninstall the Symantec Endpoint Protection Small Business Edition client by using the appropriate Windows control panel, such as Add or Remove Programs. See your Windows documentation for more information.
See “About client deployment methods” on page 75.
To uninstall the client
The text that you see depends on the operating system of the client computer.
1 On the client computer, on the Start menu, click Control Panel > Add or Remove Programs (or Control Panel > Programs > Uninstall a program).
2 In the Add or Remove Programs (or Uninstall or change a program) dialog box, click Symantec Endpoint Protection Small Business Edition, and then click Change, Remove or Uninstall.
3 Follow the onscreen prompts to remove the client software.
If the standard Windows uninstall method fails, you may have to uninstall the client manually. For more information, see the knowledge base article: Methods for uninstalling Symantec Endpoint Protection.
Uninstalling the Mac client
You can uninstall the Symantec Endpoint Protection Small Business Edition Mac client by using the Symantec Uninstaller that is included on the product disc in the SEP_MAC folder. Two files are provided in the .tgz archive file. Symantec Uninstaller is the actual Symantec Endpoint Protection Small Business Edition Mac client uninstaller. SymantecUninstaller.pkg lets you install the Symantec Uninstaller onto the client computer. For example, you can install the Symantec Uninstaller to allow an administrative user to uninstall the Symantec Endpoint Protection Small Business Edition Mac client at a future time. Installing the Symantec Uninstaller onto the client computer does not uninstall the Symantec Endpoint Protection Small Business Edition Mac client.
Note: After you uninstall the Symantec Endpoint Protection Small Business Edition client, you are prompted to restart the client computer to complete the uninstallation. Make sure that the client computer users save their work or close all open applications first.
To uninstall the Mac client
1 Copy the Symantec Uninstaller .tgz archive file to the Mac client computer.
2 Double-click the file to extract the Symantec Uninstaller folder using Archive Utility.
3 Double-click Symantec Uninstaller.
4 In the Delete column, check the box in front of Symantec Endpoint Protection Small Business Edition, and then click Uninstall.
5 Click Uninstall again to confirm, then authenticate with your Mac's administrative user name and password when prompted.
6 Click Restart to restart the Mac computer.
If the Symantec Uninstaller fails, you may have to use an alternate method to uninstall. For more information, see the knowledge base article: Methods for uninstalling Symantec Endpoint Protection.
Chapter 6
Upgrading Symantec Endpoint Protection Small Business Edition
This chapter includes the following topics:
■ Upgrading to a new release of Symantec Endpoint Protection Small Business Edition
■ Upgrade resources for Symantec Endpoint Protection Small Business Edition
■ Feature mapping between 12.0 clients and 12.1 clients
■ Supported Symantec Endpoint Protection Manager upgrade paths
■ Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1
■ Stopping and starting the management server service
■ Supported upgrade paths for the Symantec Endpoint Protection Small Business Edition client
■ About upgrading client software
■ Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection Small Business Edition
Upgrading to a new release of Symantec Endpoint Protection Small Business Edition
You can upgrade to the newest release of the product to take advantage of new features. To install a new version of the software, you must perform certain tasks to ensure a successful upgrade or migration. You should also check the Known Issues that appear in the Release Notes for any late-breaking information relating to upgrades.
Before you upgrade, review the following information:
■ System requirements
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
■ New features in this version
See “What's new in Symantec Endpoint Protection Small Business Edition” on page 20.
■ Feature changes between the previous version and the newest version of the client
See “Feature mapping between 12.0 clients and 12.1 clients” on page 95.
■ Compatible Symantec Endpoint Protection Manager upgrade paths
See “Supported Symantec Endpoint Protection Manager upgrade paths” on page 99.
■ Compatible Windows client upgrade paths
See “Supported upgrade paths for the Symantec Endpoint Protection Small Business Edition client” on page 103.
■ Compatible Mac client migrations
See “Supported and unsupported migration paths for the Mac client” on page 110.
Table 6-1 displays the steps you need to perform to upgrade to the latest version of Symantec Endpoint Protection Small Business Edition. This section is specific to upgrading Symantec Endpoint Protection Small Business Edition in environments where a compatible version of Symantec Endpoint Protection Small Business Edition is already installed.
Table 6-1 Process for upgrading to the Small Business Edition
Step 1: Back up the database
Description: Back up the database that Symantec Endpoint Protection Manager uses to ensure the integrity of your client information.
See “Backing up the database and logs” on page 340.
Step 2: Stop the Symantec Endpoint Protection Manager service
Description: You must stop the management server service before you install a newer version.
See “Stopping and starting the management server service” on page 101.
Step 3: Upgrade the Symantec Endpoint Protection Manager software
Description: Install the new version of the Symantec Endpoint Protection Manager in your network. The existing version is detected automatically, and all settings are saved during the upgrade.
See “Installing Symantec Endpoint Protection Manager” on page 47.
Step 4: Upgrade Symantec client software
Description: Upgrade your client software to the latest version.
See “About upgrading client software” on page 103.
By default, the upgraded Symantec Endpoint Protection Manager automatically upgrades the managed clients. To disable this feature, right-click your Group, select Properties, and then check Disable Automatic Client Package Updates.
Note: This feature was added in version 12.0.1001.95, and is retained for version 12.1.x. This feature was not available in version 12.0.122.192.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Upgrade resources for Symantec Endpoint Protection Small Business Edition 12.1
Table 6-2 lists the topics that help you prepare for a successful upgrade to the newest version.
Table 6-2 Product upgrade tasks and resources
Task: Learn about the Symantec Endpoint Protection Small Business Edition 12.1 upgrade requirements
Resource: Before you upgrade, review the prerequisites, differences from previous versions, and supported upgrade paths.
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
Known issues for Symantec Endpoint Protection 12.1
See “Feature mapping between 12.0 clients and 12.1 clients” on page 95.
See “Supported upgrade paths for the Symantec Endpoint Protection Small Business Edition client” on page 103.
See “Supported Symantec Endpoint Protection Manager upgrade paths” on page 99.
See “Supported and unsupported migration paths for the Mac client” on page 110.
Task: Upgrade Symantec Endpoint Protection Manager
Resource: Perform the following tasks before you upgrade the management server:
■ Back up the database.
See “Backing up the database and logs” on page 340.
■ Disable the automatic upgrade for individual groups if you prefer to control when the clients receive their upgrade.
See “Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection Small Business Edition” on page 104.
Task: Manage product licenses
Resource: Symantec Endpoint Protection Small Business Edition 12.1 is licensed according to the number of clients that are needed to protect the computers at your site.
See “Product license requirements” on page 42.
See “About product upgrades and licenses” on page 66.
Task: Upgrade client software
Resource: The management console automatically upgrades the client computers, unless automatic upgrade was previously disabled.
See “Preparing for client installation” on page 71.
See “About client deployment methods” on page 75.
Table 6-3 provides additional information to upgrade.
Table 6-3 Additional upgrade resources
Item: Client installation package settings and features
Resource: You can configure client installation packages with a variety of settings and protection features.
See “The types of security policies” on page 149.
See “Client protection features by platform” on page 363.
See “Which features should you install on the client?” on page 76.
Item: Feature and policy descriptions
Resource: See “About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides” on page 23.
Item: Feature dependencies
Resource: See “How Symantec Endpoint Protection Small Business Edition policy features work together” on page 196.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Feature mapping between 12.0 clients and 12.1
clients
When you upgrade clients using the AutoUpgrade feature, the features that are configured in legacy clients are mapped to the new version. The AutoUpgrade feature is enabled by default for Symantec Endpoint Protection Small Business
Edition.
The tables in this section depict the feature mapping between previous versions and the new version of Symantec Endpoint Protection Small Business Edition for common update scenarios.
96 Upgrading Symantec Endpoint Protection Small Business Edition
Feature mapping between 12.0 clients and 12.1 clients
Table 6-4
12.0 Small Business Edition to 12.1 Small Business Edition all protection
Existing 12.0 Small Business Edition features installed
Virus and Spyware Protection
■
Virus and Spyware Protection
12.1 Small Business Edition features installed after AutoUpgrade
Virus and Spyware Protection
■
Basic Virus and Spyware Protection
Auto-Protect Email Protection
■
Email Scanner
Auto-Protect Email Protection
■
■
POP3/SMTP Scanner
Microsoft Outlook Scanner
Proactive Threat Protection
■
TruScan proactive threat scan
Network Threat Protection
■
Firewall and Intrusion Prevention
Proactive Threat Protection
■
SONAR
No change.
Table 6-5
12.0 Small Business Edition to 12.1 Small Business Edition without firewall
Existing 12.0 Small Business Edition features installed
Virus and Spyware Protection
■
Virus and Spyware Protection
12.1 Small Business Edition features installed after AutoUpgrade
Virus and Spyware Protection
■
■
Basic Virus and Spyware Protection
Standard protection
Auto-Protect Email Protection
■
■
POP3/SMTP Scanner
Microsoft Outlook Scanner
Proactive Threat Protection
■
TruScan proactive threat scan
Auto-Protect Email Protection
■
Email Scanner
Proactive Threat Protection
■
SONAR
Upgrading Symantec Endpoint Protection Small Business Edition
Feature mapping between 12.0 clients and 12.1 clients
97
Table 6-6
12.0 Small Business Edition to 12.1 Small Business Edition without
TruScan (unmanaged clients only)
Existing 12.0 Small Business Edition features installed
Virus and Spyware Protection
■
Virus and Spyware Protection
12.1 Small Business Edition features installed after upgrade
Virus and Spyware Protection
■
■
Basic Virus and Spyware Protection
Standard protection
Auto-Protect Email Protection
■
■
POP3/SMTP Scanner
Microsoft Outlook Scanner
Network Threat Protection
■
Firewall and Intrusion Prevention
Auto-Protect Email Protection
■
Email Scanner
No change.
The following tables show how email settings are mapped between the Small
Business Edition product versions. In the 12.1 version of the client, Email Scanner replaces the POP3/SMTP Scanner and the Microsoft Outlook Scanner.
Table 6-7  12.0 Small Business Edition to 12.1 Small Business Edition (no email scanning) installed on legacy client

Existing 12.0 Small Business Edition features installed -> 12.1 Small Business Edition features installed

■ Virus and Spyware Protection: Virus and Spyware Protection
  -> Virus and Spyware Protection: Basic Virus and Spyware Protection; Standard protection
■ Auto-Protect Email Protection: None installed
  -> Auto-Protect Email Protection: None installed
Table 6-8  12.0 Small Business Edition to 12.1 Small Business Edition (POP3/SMTP Scanner) installed on legacy client

Existing 12.0 Small Business Edition features installed -> 12.1 Small Business Edition features installed

■ Virus and Spyware Protection: Virus and Spyware Protection
  -> Virus and Spyware Protection: Basic Virus and Spyware Protection; Standard protection
■ Auto-Protect Email Protection: POP3/SMTP Scanner only
  -> Auto-Protect Email Protection: None installed
Note: Both scanners in the legacy client must be turned on for the Small Business Edition 12.1 client email scanner to be turned on automatically during AutoUpgrade.
Also, the legacy 12.0 64-bit client does not have a POP3/SMTP Scanner, so email scanning is not turned on automatically in the 12.1 64-bit client. You can turn on this feature by sending the 64-bit clients a new policy that enables email scanning.
Table 6-9  12.0 Small Business Edition to 12.1 Small Business Edition (Microsoft Outlook Scanner) installed on legacy client

Existing 12.0 Small Business Edition features installed -> 12.1 Small Business Edition features installed

■ Virus and Spyware Protection: Virus and Spyware Protection
  -> Virus and Spyware Protection: Basic Virus and Spyware Protection; Standard protection
■ Auto-Protect Email Protection: Microsoft Outlook Scanner
  -> Auto-Protect Email Protection: None installed
Note: Both email scanners in the legacy client must be turned on for the 12.1 client email scanner to be turned on automatically during AutoUpgrade.
Also, the legacy 12.0 64-bit client does not have a POP3/SMTP Scanner, so email scanning is not turned on automatically in the 12.1 64-bit client. You can turn on this feature by sending the 64-bit clients a new policy that enables email scanning.
Supported Symantec Endpoint Protection Manager upgrade paths
The following Symantec Endpoint Protection Manager upgrade paths are supported:
■ From 12.0 Small Business Edition to 12.1.2 Small Business Edition
■ From 12.1 Small Business Edition to 12.1.2 Small Business Edition
Note: Symantec AntiVirus 10.x server information can be imported during the installation of Symantec Endpoint Protection Manager version 12.1.2.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
The following downgrade paths are not supported:
■ Symantec Endpoint Protection 11.x to 12.1.2 Small Business Edition
■ 12.1.x (enterprise version) to 12.1.2 Small Business Edition
Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1
The Symantec Endpoint Protection Manager version 12.1 requires a minimum amount of available disk space for the installation. Make sure that any legacy servers or new hardware meet the minimum hardware requirements. However, additional available disk space may be needed during an upgrade to allow for the creation of temporary files.
Note: Make a backup of the database before making configuration changes.
See “Backing up the database and logs” on page 340.
Table 6-10 lists ways you can make more disk space available for the upgrade.
Table 6-10  Tasks to increase disk space on the management server

Task: Relocate or remove co-existing programs and files
Description:
■ If other programs are installed on the same computer with the Symantec Endpoint Protection Manager, consider relocating them to another server. Unused programs can be removed.
■ If the Symantec Endpoint Protection Manager shares the computer with other storage-intensive applications, consider dedicating a computer to support only the Symantec Endpoint Protection Manager.
■ Remove temporary Symantec Endpoint Protection Small Business Edition files. For a list of temporary files that you can remove, see the knowledge base article Symantec Endpoint Protection Manager directories contain many .TMP folders consuming large amounts of disk space.
Note: Defragment the hard drive after removing programs and files.

Note: Make sure that the client computers also have enough disk space before an upgrade. Check the system requirements and, as needed, remove unnecessary programs and files, and then defragment the client computer hard drive.
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
Upgrading a management server
You must upgrade all management servers before you upgrade any clients.
Warning: You must follow the scenario that applies to your type of installation, or your upgrade can fail.
The upgrade process is similar to a fresh installation.
Table 6-11 lists the tasks to upgrade Symantec Endpoint Protection Manager.
Table 6-11  Upgrade tasks

Task: Install and configure the new management server
Description: Install the management server, and then configure it with the Management Server Configuration Wizard. See “Installing Symantec Endpoint Protection Manager” on page 47.

Task: Log onto the management server
Description: When the Symantec Endpoint Protection Manager logon panel appears, log on to the console by using your legacy logon credentials. See “Logging on to the Symantec Endpoint Protection Manager console” on page 51.

Note: You are not required to restart the computer after the upgrade, but you may notice performance improvements if you restart the computer and log on.
Stopping and starting the management server service
Before you upgrade, you must manually stop the Symantec Endpoint Protection Manager service on the management server. After you upgrade, the service starts automatically.
Warning: If you do not stop the Symantec Endpoint Protection Manager service before you upgrade the server, you risk corrupting your existing Symantec Endpoint Protection Small Business Edition database.
See “Upgrading to a new release of Symantec Endpoint Protection Small Business Edition” on page 92.
To stop the Symantec Endpoint Protection Manager service
1 Click Start > Settings > Control Panel > Administrative Tools > Services.
2 In the Services window, under Name, scroll to and right-click Symantec Endpoint Protection Manager.
3 Click Stop.
4 Close the Services window.
Warning: Close the Services window or your upgrade can fail.
5 Repeat this procedure for all installations of Symantec Endpoint Protection Manager.
Note: To start the Symantec Endpoint Protection Manager service, follow the above procedure and click Start instead of Stop.
To stop the Symantec Endpoint Protection Manager service using the command line
◆ From a command prompt, type: net stop semsrv
To start the Symantec Endpoint Protection Manager service using the command line
◆ From a command prompt, type: net start semsrv
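The guide's procedure stops the service by hand on each server; as an added example that is not from the guide, the following Windows PowerShell script does the command-line equivalent on every management server at once and confirms that semsrv actually reached the Stopped state before you proceed, which is the check the warning above is about. It assumes the server names (placeholders here) are your own, that you are an administrator on each, and that PowerShell remoting is enabled so Invoke-Command can reach them.

```powershell
# Added example (not from the Symantec guide): stop the Symantec Endpoint
# Protection Manager service (semsrv) on every management server before the
# upgrade and verify that each one really reports Stopped.
$ManagementServers = @('SEPM-SERVER-1', 'SEPM-SERVER-2')   # placeholders: your servers
$ServiceName       = 'semsrv'
$TimeoutSeconds    = 120

$results = foreach ($server in $ManagementServers) {
    Invoke-Command -ComputerName $server -ArgumentList $ServiceName, $TimeoutSeconds -ScriptBlock {
        param($name, $timeout)
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # No semsrv here: this host is not a management server (or the name is wrong)
            return [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = 'NotInstalled'; Ok = $false }
        }
        if ($svc.Status -ne 'Stopped') {
            # Same effect as "net stop semsrv" in the guide
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            try {
                # Block until the service reports Stopped, or give up after the timeout
                $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($timeout))
            } catch [System.ServiceProcess.TimeoutException] { }
            $svc.Refresh()
        }
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Status = $svc.Status.ToString()
            Ok     = ($svc.Status -eq 'Stopped')
        }
    }
}

$results | Format-Table Server, Status, Ok -AutoSize

# Refuse to continue if any management server still has semsrv running:
# upgrading with the service running risks corrupting the database.
$notStopped = $results | Where-Object { -not $_.Ok }
if ($notStopped) {
    throw "semsrv is not stopped on: $($notStopped.Server -join ', '). Do not start the upgrade."
}
```

After the upgrade the service starts on its own, as the text above states; the same loop with Start-Service and a wait for Running would serve as the post-upgrade check.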
Supported upgrade paths for the Symantec Endpoint Protection Small Business Edition client
The following Symantec Endpoint Protection Small Business Edition client versions can upgrade directly to version 12.1.2:
■ 12.0.122.192 Small Business Edition
■ 12.0.1001.95 Small Business Edition - Release Update 1 (RU1)
■ 12.1.671.4971
■ 12.1.1000.157 - Release Update 1 (RU1), with or without maintenance patches
The following downgrade paths are not supported:
■ Symantec Endpoint Protection 11.x to 12.1 Small Business Edition
■ 12.1.x (enterprise version) to 12.1.2 Small Business Edition
Migrating from Symantec AntiVirus 10.x to 12.1 is supported. Migrating from Symantec AntiVirus 9.x and Symantec Sygate Enterprise Protection 5.x is not supported.
See “Supported and unsupported migration paths to Symantec Endpoint Protection Small Business Edition” on page 108.
About upgrading client software
You can use several methods to upgrade Symantec client software. Some methods can take up to 30 minutes. Therefore, you may want to upgrade client software when most users are not logged on to their computers.
Table 6-12  Methods to upgrade the client software

Upgrade method: AutoUpgrade
Description: Use AutoUpgrade to update clients in one or more groups from the Symantec Endpoint Protection Manager console. AutoUpgrade is enabled by default for the managed clients. See “Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection Small Business Edition” on page 104.

Upgrade method: Product disc
Description: Use the installation program on the product disc to install a new version of the client.

Upgrade method: Other methods
Description: Use one of the other supported methods of installing client software. See “About client deployment methods” on page 75.

See “Upgrading to a new release of Symantec Endpoint Protection Small Business Edition” on page 92.
Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection Small Business Edition
The AutoUpgrade process lets you automatically upgrade the Symantec Endpoint Protection Small Business Edition client software for all the clients that are contained in a group. For example, you can use AutoUpgrade to upgrade clients to a new release update or product version.
The automatic upgrade feature is enabled by default for Symantec Endpoint Protection Small Business Edition. To disable it, go to the Computers page in the management console, right-click your Group, select Properties, and then check Disable Automatic Client Package Updates.
You confirm that the upgrade completed successfully by verifying the version number of the client software. The version number is displayed in the client's Help > About panel. The updated client version number is also displayed in the Symantec Endpoint Protection Manager on the Computers page after a successful check-in. You select the group, then the Computers tab, and change the view to Client Status.
See “About upgrading client software” on page 103.
Chapter 7
Migrating to Symantec Endpoint Protection Small Business Edition
This chapter includes the following topics:
■ Migrating from Symantec AntiVirus or Symantec Client Security
■ Supported and unsupported migration paths to Symantec Endpoint Protection
■ Supported and unsupported migration paths for the Mac client
■ Disabling scheduled scans in Symantec System Center
■ Disabling LiveUpdate in Symantec System Center
■ Turning off the roaming service in Symantec System Center
■ Unlocking server groups in Symantec System Center
■ Turning off Tamper Protection in Symantec System Center
■ Uninstalling and deleting reporting servers
■ About computer groups imported with the Migration Wizard
■ Importing group settings and policy settings with the Migration Wizard
Migrating from Symantec AntiVirus or Symantec Client Security
You can migrate the groups, the clients, and the settings from a Symantec legacy virus protection software environment. During migration, the group data and policy data from the legacy installation populates the database in Symantec Endpoint Protection Small Business Edition. You then deploy installation packages to the migrated clients.
Note: Management servers migrate the legacy clients.
See “Supported and unsupported migration paths to Symantec Endpoint Protection Small Business Edition” on page 108.
Table 7-1  Migration summary

Task: Prepare for legacy migration from within the Symantec System Center
Description: Perform the following tasks to prepare your legacy installation for migration:
■ Disable scheduled scans. The migration might fail if a scan is running during migration. See “Disabling scheduled scans in Symantec System Center” on page 110.
■ Disable LiveUpdate. Conflicts might occur if LiveUpdate runs on the client computers during migration. See “Disabling LiveUpdate in Symantec System Center” on page 111.
■ Turn off the roaming service. Migration might hang and fail to complete if the roaming service is running on the client computers. See “Turning off the roaming service in Symantec System Center” on page 111.
■ Unlock server groups. You may encounter unpredictable results if you migrate from Symantec AntiVirus before you unlock the server groups. See “Unlocking server groups in Symantec System Center” on page 112.
■ Turn off Tamper Protection. Tamper Protection can cause unpredictable results during migration. See “Turning off Tamper Protection in Symantec System Center” on page 113.
■ Uninstall and delete reporting servers. Uninstall the reporting servers, and optionally delete the database files. See “Uninstalling and deleting reporting servers” on page 113.
For additional technical information, see your Symantec legacy virus protection software documentation on the following product pages:
■ Symantec AntiVirus Corporate Edition
■ Symantec Client Security

Task: Install the Symantec Endpoint Protection Manager, and migrate legacy group and policy settings when prompted
Description: Use the Migration Wizard to import the legacy group settings and policy settings from your Symantec AntiVirus server. The Migration Wizard appears after you install and configure the management console. You can also click Start Menu > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Migration Wizard. See “Installing Symantec Endpoint Protection Manager” on page 47.
You can also adjust the migrated group settings and policy settings after you import them. See “About computer groups imported with the Migration Wizard” on page 114. See “Importing group settings and policy settings with the Migration Wizard” on page 114. See “Moving a client computer to another group” on page 123.
For more information on how to perform common tasks between the Symantec System Center and Symantec Endpoint Protection Manager, see: Symantec Endpoint Protection Manager 12.1.x reference guide for Symantec System Center users

Task: Deploy the Symantec Endpoint Protection Small Business Edition client software
Description: Deploy the client to the new client computers. See “About client deployment methods” on page 75.

Task: Perform post-migration tasks
Description: Familiarize yourself with the interface, features, and functions of Symantec Endpoint Protection Small Business Edition. You can perform many of the same tasks that are done after a new installation to become familiar with Symantec Endpoint Protection Manager. See “Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time” on page 26. See “Upgrade resources for Symantec Endpoint Protection Small Business Edition” on page 93.
Supported and unsupported migration paths to Symantec Endpoint Protection Small Business Edition
Symantec Endpoint Protection Small Business Edition detects and migrates Symantec legacy virus protection software.
Table 7-2  Supported and unsupported migration paths

Product: Symantec legacy virus protection software
Description: You can migrate Symantec legacy virus protection software to Symantec Endpoint Protection. Migration detects and migrates installations of the following Symantec legacy virus protection software:
■ Symantec AntiVirus Corporate Edition 10.x
■ Symantec Client Security 3.x
■ Symantec AntiVirus for Mac (client only)
Migration from the following legacy products is not supported:
■ Symantec AntiVirus 9.x or earlier
■ Symantec Client Security 2.x
■ Symantec Sygate Enterprise Protection 5.x
You may skip migration as follows:
■ Uninstall the Symantec legacy virus protection software from your servers and client computers.
■ During Symantec Endpoint Protection Manager installation, do not select the migration option.
■ After initial product installation, use Symantec Endpoint Protection Manager to adjust the group settings and policy settings.
■ Install the Symantec Endpoint Protection Small Business Edition client on the unprotected legacy computers.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
See “Supported and unsupported migration paths for the Mac client” on page 110.

Product: Symantec Endpoint Protection Small Business Edition
Description: You can upgrade Symantec Endpoint Protection Small Business Edition from Symantec Endpoint Protection Small Business Edition 12.0, or to a new release update of 12.1.
See “Upgrading to a new release of Symantec Endpoint Protection Small Business Edition” on page 92.
See “Supported upgrade paths for the Symantec Endpoint Protection Small Business Edition client” on page 103.
See “Upgrade resources for Symantec Endpoint Protection Small Business Edition” on page 93.
Supported and unsupported migration paths for the Mac client
Table 7-3 displays the products that can be migrated to the Symantec Endpoint Protection for Mac client.
Table 7-3  Migration paths from Symantec AntiVirus for Mac to the Symantec Endpoint Protection Mac client

Migrate from -> Migrate to: Supported?

■ Managed Symantec AntiVirus for Mac client -> Managed Symantec Endpoint Protection for Mac client: Yes
■ Unmanaged Symantec AntiVirus for Mac client -> Unmanaged Symantec Endpoint Protection for Mac client: Yes
■ Unmanaged Symantec AntiVirus for Mac client -> Managed Symantec Endpoint Protection for Mac client: Yes
■ Managed Symantec AntiVirus for Mac client -> Unmanaged Symantec Endpoint Protection for Mac client: Yes, but managed client settings are retained.
■ Norton AntiVirus for Mac -> Managed or unmanaged Symantec Endpoint Protection for Mac client: No. Client must uninstall Norton products before installing Symantec Endpoint Protection.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Disabling scheduled scans in Symantec System Center
If a scan is scheduled to run and is running while the client migration occurs, migration may fail. A best practice is to disable scheduled scans during migration and then enable them again after migration.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
To disable scheduled scans in Symantec System Center
1 In the Symantec System Center, do one of the following actions:
  ■ Right-click a management server.
  ■ Right-click a client group.
2 Click All Tasks > Symantec AntiVirus > Scheduled Scans.
3 In the Scheduled Scans dialog box, on the Server Scans tab, uncheck all scheduled scans.
4 On the Client Scans tab, uncheck all scheduled scans, and then click OK.
5 Repeat this procedure for all primary management servers, secondary management servers, and all client groups.
Disabling LiveUpdate in Symantec System Center
If LiveUpdate runs on client computers during migration, conflicts may occur.
Therefore, you must turn off LiveUpdate on client computers during migration.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
To disable LiveUpdate in Symantec System Center
1 In the Symantec System Center, right-click a server group.
2 Click All Tasks > Symantec AntiVirus > Virus Definition Manager.
3 In the Virus Definition Manager dialog box, check Update only the primary server of this server group, and then click Configure.
4 In the Configure Primary Server Updates dialog box, uncheck Schedule for Automatic Updates, and then click OK.
5 In the Virus Definition Manager dialog box, uncheck the following selections:
  ■ Update virus definitions from parent server
  ■ Schedule client for automatic updates using LiveUpdate
  ■ Enable continuous LiveUpdate
6 Check Do not allow client to manually launch LiveUpdate, and then click OK.
7 Repeat this procedure for all server groups if you have more than one.
Turning off the roaming service in Symantec System Center
If the roaming service is running on client computers, the migration might hang and fail to complete. If the roaming service is turned on, you must turn it off before starting the migration.
Note: If your roaming clients run Symantec AntiVirus version 10.x, you must unlock your server groups before you disable the roaming service. This practice helps ensure that roaming clients are properly authenticated with certificates to their parent server.
To turn off the roaming service in Symantec System Center
1 In the Symantec System Center, right-click a server group.
2 Click All Tasks > Symantec AntiVirus > Client Roaming Options.
3 In the Client Roaming Options dialog box, in the Validate parent every minutes box, type 1.
4 In the Search for the nearest parent every minutes box, type 1, and then press OK.
5 Wait a few minutes.
6 In the Symantec System Center, right-click a server group.
7 Click All Tasks > Symantec AntiVirus > Client Roaming Options.
8 In the Client Roaming Options dialog box, uncheck Enable roaming on clients that have the Symantec AntiVirus Roaming service installed.
9 Click OK.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Unlocking server groups in Symantec System Center
If you do not unlock server groups before migration, unpredictable results may occur. Also, if the roaming service is enabled for clients, unlocking the server group helps ensure that the clients properly authenticate to a parent server. Clients that properly authenticate to a parent server get placed in the database. Clients that get placed in the database automatically appear in the correct legacy group in the console after installation.
To unlock a server group
1 In the Symantec System Center, right-click a locked server group, and then click Unlock Server Group.
2 In the Unlock Server Group dialog box, type the authentication credentials if necessary, and then click OK.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Turning off Tamper Protection in Symantec System Center
Tamper Protection prevents processes from interfering with Symantec processes.
You should turn off Tamper Protection before migration. Tamper Protection can cause unpredictable results during migration.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
To turn off Tamper Protection in Symantec System Center
1 In the Symantec System Center, do one of the following actions:
  ■ Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options.
  ■ Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 If you use Symantec AntiVirus 10.1, under Protection, uncheck Processes and then uncheck Internal Objects.
3 Uncheck Enable Tamper Protection.
4 If you configure Client Tamper Protection Options, you can click Reset All. This option propagates the settings on this tab to every client that is attached to the server or server group.
Uninstalling and deleting reporting servers
If you installed one or more reporting servers, you must uninstall these reporting servers, and optionally delete the database files. You must also delete reporting servers from the Symantec System Center. Complete reporting server uninstallation information is available in the Symantec System Center Online Help. Legacy settings were stored in the Windows registry. All settings are now stored in a database along with the reporting data.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
To uninstall reporting servers
1 Log on to a computer that runs the reporting server.
2 Click Start > Settings > Control Panel > Add or Remove Programs.
3 In the Add or Remove Programs dialog box, click Symantec Reporting Server, and then click Remove.
4 Follow the on-screen prompts until you delete the reporting server.
5 Repeat this procedure for all reporting servers.
To delete reporting servers from the Symantec System Center
1 In the Symantec System Center, right-click and expand Reporting.
2 Right-click each reporting server, and then click Delete.
About computer groups imported with the Migration Wizard
You import computer groups from Symantec AntiVirus or Symantec Client Security with the Migration Wizard. The wizard creates a My Company child group for each imported legacy group. The My Company child group name is a concatenation of each legacy group and its legacy child groups.
For example, suppose the legacy group Clients contains the legacy child groups ClientGroup1 and ClientGroup2. The My Company child group names are Clients, Clients.ClientGroup1, and Clients.ClientGroup2.
See “Importing group settings and policy settings with the Migration Wizard” on page 114.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Importing group settings and policy settings with the Migration Wizard
The following procedure uses the Migration Wizard to import the group settings and the policy settings from Symantec AntiVirus Corporate Edition and Symantec Client Security.
You can run the Migration Wizard during initial product installation. You can also run the Migration Wizard from the Start menu on the computer that hosts Symantec Endpoint Protection Manager.
To import group settings and policy settings with the Migration Wizard
1 Start the Migration Wizard if necessary. To start the Migration Wizard from the console computer, on the Start menu, click All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Migration Wizard.
2 In the Migration Wizard panel, click Next.
3 In the Migration Wizard panel, specify the following settings:
  Server policy settings: Specify where the server policy settings are configured. Select one of the following options:
    ■ Server group
    ■ Each parent server
  Client policy settings: Specify where the client policy settings are configured. Select one of the following options:
    ■ Server group or client group
    ■ Each parent server
4 Click Next.
5 In the Migration Wizard panel, select one of the following options:
  Auto-detect Servers: This option imports the settings from all the servers. Type the IP address of a computer that runs the Symantec System Center.
  Add Server: This option imports the settings from a single server and the clients that it manages. Type the IP address of a computer that runs a server.
6 Click Next.
7 Follow the on-screen prompts to complete the migration.
See “Migrating from Symantec AntiVirus or Symantec Client Security” on page 106.
Section 2
Managing groups, clients, and administrators
■ Chapter 8. Managing groups of client computers
■ Chapter 10. Managing administrator accounts and passwords
Chapter 8
Managing groups of client computers
This chapter includes the following topics:
■ Blocking client computers from being added to groups
■ Moving a client computer to another group
■ Best practices for managing portable computers
Managing groups of computers
You organize computers with similar security needs into groups. For example, you might organize the computers in your accounting department into the Accounting group. The group structure that you define often matches the structure of your organization.
Once you have organized your computers into logical groups, you can more easily manage your security policies.
The Symantec Endpoint Protection Manager console contains the following default groups:
■ The My Company group is the top-level, or parent, group. It contains a flat tree of child groups. The child group structure matches the organizational structure of your company.
■ The Laptops and Desktops child group contains portable computers and desktop computers.
■ The Servers group contains the computers that run a supported Windows Server operating system.
You can place your client computers in the Laptops and Desktops group, the Servers group, or a group that you defined.
You cannot rename or delete the default groups.
Table 8-1 describes the actions that you can perform when you manage your groups of computers.
Table 8-1  Group management tasks

Task: Add a group
Description: You can add new groups in the console. The newly created groups are listed as child groups under the My Company parent group. See “Adding a group” on page 122. See “How you can structure groups” on page 121. You may want to consider creating groups for portable computers. See “Best practices for managing portable computers” on page 123.

Task: Block a computer from a group
Description: You can block a client computer from being added to a group. You should block a client if you do not want clients to be added automatically to a specific group when they connect to the network. The blocking option prevents computers from automatically being added to a group. See “Blocking client computers from being added to groups” on page 122.

Task: Move a computer
Description: If computers are not in the correct group, you can move them to another group. See “Moving a client computer to another group” on page 123.

See “Performing the tasks that are common to all policies” on page 147.
How you can structure groups
You can create multiple groups and subgroups to match the organizational structure and security of your company. You can base your group structure on function, role, geography, or a combination of criteria.
Table 8-2  Criteria for creating groups

Criterion: Function
Description: You can create groups based on the types of computers to be managed, such as laptops, desktops, and servers. Alternatively, you can create multiple groups that are based on usage type. For example, you can create a remote group for the client computers that travel and a local group for the client computers that remain in the office.

Criterion: Role
Description: You can create groups for department roles, such as sales, engineering, finance, and marketing.

Criterion: Geography
Description: You can create groups based on the offices, cities, states, regions, or countries where the computers are located.

Criterion: Combination
Description: You can create groups based on a combination of criteria. For example, you can use the function and the role. You can add a parent group by role and add child subgroups by function, as in the following scenario:
■ Sales, with subgroups of laptops, desktops, and servers.
■ Engineering, with subgroups of laptops, desktops, and servers.
After you organize the client computers into groups, you can apply the appropriate amount of security to each group.
For example, suppose that a company has telemarketing and accounting departments. These departments have staff in the company's New York, London, and Frankfurt offices. All computers in both departments are assigned to the same group so that they receive virus and security risk definitions updates from the same source. However, IT reports indicate that the telemarketing department is more vulnerable to risks than the accounting department. As a result, the system administrator creates separate telemarketing and accounting groups.
Telemarketing clients share configuration settings that strictly limit how users can interact with their virus and security risk protection.
See the knowledge base article Best Practices for Creating Group Structure.
See "Performing the tasks that are common to all policies" on page 147.
See "Managing groups of computers" on page 119.
Adding a group
You can add groups after you define the group structure for your organization.
Group names may contain any character except the following characters: " / \ * ? < > | :
Group descriptions may be up to 1024 characters long and are not otherwise restricted.
Note: You can add groups only to the My Company group. You cannot add groups to the default subgroups.
See "How you can structure groups" on page 121.
To add a group
1 In the console, click Computers.
2 Under Computers, click My Company.
3 Under Tasks, click Add a group.
4 In the Add Group for My Company dialog box, type the group name and a description.
5 Click OK.
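The naming rules above tend to surface only after a group tree has already been planned, so the following added example (it is not from the Symantec guide) checks a planned list of groups against them before you create the groups in the console. The forbidden-character set and the 1024-character description limit come from the text above; the treatment of both the straight and the typographic double quote as forbidden, the blank-name and padded-name checks, and the group names themselves are assumptions made for the example.

```powershell
# Added example, not part of the Symantec guide.
# Rules taken from the text above: these characters are not allowed in a group name,
# and a description may be at most 1024 characters. The guide prints the quote as a
# typographic one, so both the straight and the curly double quote are treated as
# forbidden here (assumption).
$ForbiddenNameChars   = [char[]]'"”/\*?<>|:'
$MaxDescriptionLength = 1024

function Test-SepGroupDefinition {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Name,
        [string]$Description = ''
    )
    $problems = @()

    # Every forbidden character that occurs in the name, listed once each.
    $bad = $Name.ToCharArray() | Where-Object { $ForbiddenNameChars -contains $_ } | Sort-Object -Unique
    if ($bad) { $problems += "name contains forbidden character(s): $($bad -join ' ')" }

    # The guide does not say how blank or padded names are handled; flag them (assumption).
    if ($Name.Trim().Length -eq 0) { $problems += 'name is empty' }
    elseif ($Name -ne $Name.Trim()) { $problems += 'name has leading or trailing spaces' }

    if ($Description.Length -gt $MaxDescriptionLength) {
        $problems += "description is $($Description.Length) characters; maximum is $MaxDescriptionLength"
    }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed example: a role-by-function layout like the Sales and Engineering scenario in
# "How you can structure groups", plus entries that break each rule. The names are invented.
$PlannedGroups = @(
    @{ Name = 'Sales - Laptops';       Description = 'Sales department portable computers' },
    @{ Name = 'Sales - Servers';       Description = 'Sales department servers' },
    @{ Name = 'Engineering: Desktops'; Description = 'Colon is not allowed in a name' },
    @{ Name = 'Finance/EMEA';          Description = 'Slash is not allowed in a name' },
    @{ Name = 'Remote Users';          Description = ('x' * 1100) }
)

$PlannedGroups |
    ForEach-Object { Test-SepGroupDefinition -Name $_.Name -Description $_.Description } |
    Format-Table -AutoSize
```

Run it once over the planned list; only the rows with Valid set to True are safe to create with the Add a group procedure, and the Problems column tells you what to rename or shorten first.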
Blocking client computers from being added to groups
You can set up client installation packages with their group membership already defined. If you define a group in the package, the client computer is automatically added to that group the first time it connects to the management server.
You can block a group if you do not want clients to be added to it automatically when they connect to the network. When a group is blocked, a new client that was assigned to that group in its client installation package is added to the default group instead. You can still manually move a computer to a blocked group.
To block client computers from being added to groups
1 In the console, click Computers.
2 Under Computers, right-click a group, and click Properties.
3 In the Group Properties for group name dialog box, click Block New Clients.
4 Click OK.
See "Moving a client computer to another group" on page 123.
Moving a client computer to another group
If your client computers are not in the correct group, you can move them to another group.
To move clients from multiple groups into a single group, you can redeploy the client installation package.
See "Restoring client-server communications by using a client installation package" on page 336.
To move a client computer to another group
1 In the console, click Computers.
2 On the Computers page, on the Computers tab, select a group.
3 On the Computers tab, in the selected group, select the computer, right-click, and then click Move.
Use the Shift key or the Control key to select multiple computers.
4 In the Move Clients dialog box, select the new group.
5 Click OK.
See "Managing groups of computers" on page 119.
Best practices for managing portable computers
A portable computer is a laptop computer or notebook computer that moves physically from one location to another. A portable computer might connect to your network intermittently or not at all. A portable computer might connect to your network through a virtual private network (VPN), a wireless network, or both.
Consider the following best practices for managing portable computers:
■ Install the portable computers as managed computers.
Administering managed computers is easy, because you access the managed computers directly from Symantec Endpoint Protection Manager.
If your company has portable computers that never connect to the network, install unmanaged clients on them. Unmanaged clients do not communicate with Symantec Endpoint Protection Manager and receive updates directly from Symantec LiveUpdate servers.
■ Create a group for the managed portable computers.
Placing the managed portable computers in one group lets you manage the computers as a single unit.
■ Strengthen the protection technologies for remote users.
See the Symantec Technical Support knowledge base article General security practices for network administrators.
See "Installing an unmanaged client" on page 86.
See "Adding a group" on page 122.
Chapter 9
Managing clients
This chapter includes the following topics:
■ Managing client computers
■ How to determine whether the client is connected in the console
■ Viewing the protection status of clients and client computers
■ Searching for information about client computers
■ About enabling and disabling protection when you need to troubleshoot problems
■ About commands that you can run on client computers
■ Running commands on the client computer from the console
■ Ensuring that a client does not restart
Managing client computers
Table 9-1 lists the tasks you should perform with the computers after you install the client software.
Table 9-1 Tasks to manage client computers

Check that the client software is installed on your computers
    ■ You can display the computers in each group that do not have the client software installed yet.
    ■ You can add a client to a group and install the client software later.
    See "About client deployment methods" on page 75.

Check whether the client is connected to the management server
    You can check the client status icons in the management console and in the client. The status icon shows whether the client and the server communicate.
    See "How to determine whether the client is connected in the console" on page 127.
    See "How to determine whether the client is connected and protected" on page 332.
    A computer may have the client software installed but be an unmanaged client. You cannot manage an unmanaged client from the console. Instead, you can convert the unmanaged client to a managed client.
    See "Why do I need to replace the client-server communications file on the client computer?" on page 333.

Configure the connection between the client and the server
    After you install the client software, client computers automatically connect to the management server at the next heartbeat. You can change how the server communicates with the client computer.
    See "Managing the client-server connection" on page 331.
    You can troubleshoot any connection issues.
    See on page 356.

Check that client computers have the right level of protection
    ■ You can view the status of each protection technology on your client computers.
      See "Viewing the protection status of clients and client computers" on page 128.
      See "How to determine whether the client is connected in the console" on page 127.
    ■ You can run reports or view logs to see whether you need to increase protection or improve performance. For example, the scans may cause false positives. You can also identify the client computers that need protection.
      See "Monitoring endpoint protection" on page 293.
    ■ You can modify protection based on specific attributes of the client software or the client computers.
      See "Searching for information about client computers" on page 129.

Adjust the protection on client computers
    If you decide that clients do not have the right level of protection, you can adjust the protection settings.
    ■ You can increase or decrease each type of protection based on the results in the reports and logs.
      See "The types of security policies" on page 149.
      See "About the types of threat protection that Symantec Endpoint Protection Small" on page 23.
    ■ You can temporarily disable protection on the client computers if you need to diagnose a problem or improve performance.
      See "About enabling and disabling protection when you need to troubleshoot problems" on page 130.
      See "Running commands on the client computer from the console" on page 134.

Move endpoints from one group to another to modify protection (optional)
    To change a client computer's level of protection, you can move it to a group that provides more protection or less protection.
    See "Moving a client computer to another group" on page 123.

Let users control computer protection (optional)
    You can specify the kind of control that users have over the protection on client computers.
    ■ For Virus and Spyware Protection and Proactive Threat Protection, you can lock or unlock a check box to specify whether users can change individual settings.
      See "Locking and unlocking Virus and Spyware policy settings" on page 153.
    ■ If users need full control of the client, you can install an unmanaged client.
      See "Why do I need to replace the client-server communications file on the client computer?" on page 333.

Remove the client software from computers (optional)
    See "Uninstalling the Windows client" on page 88.
    See on page 88.

See "Managing protection on client computers" on page 30.
How to determine whether the client is connected in the console
In Symantec Endpoint Protection Manager, you can use the client status icons to check whether the client and the server communicate.
Table 9-2 Client status icons in the management console
The status icon next to each client indicates one of the following:
■ The client software installation failed.
■ The client can communicate with Symantec Endpoint Protection Manager.
■ The client cannot communicate with Symantec Endpoint Protection Manager. The client may have been added from the console, and may not have any Symantec client software installed.
See "Viewing the protection status of clients and client computers" on page 128.
You can also look on the client to see whether or not it is connected to the management server.
See "How to determine whether the client is connected and protected" on page 332.
Viewing the protection status of clients and client computers
You can view information about the real-time operational and protection status of the clients and the computers in your network.
You can view:
■ A list of managed client computers that do not have the client installed. You can view the computer name, the domain name, and the name of the user who is logged on.
■ Which protections are enabled and disabled.
■ Which client computers have the latest policies and definitions.
■ The group's policy serial number and the client's version number.
■ The information about the client computer's network components, such as the MAC address of the network card that the computer uses.
■ The system information about the client computer, such as the amount of available disk space and the operating system version number.
After you know the status of a particular client, you can resolve any security issues on the client computers. You can resolve many issues by running commands on groups. For example, you can update content, or enable Auto-Protect.
Note: If you manage legacy clients, some newer protection technologies may be listed as not reporting. This behavior is expected. It does not mean that you need to take action on these clients.
See "How to determine whether the client is connected in the console" on page 127.
See "Running commands on the client computer from the console" on page 134.
To view the protection status of client computers
1 In the console, click Computers.
2 On the Computers page, select the group in which the client belongs.
3 On the Computers tab, in the list of clients, look for the client name.
4 In the row with the client name, the Health State column shows the client connection status.
Searching for information about client computers
You can search for information about the clients, client computers, and users to make informed decisions about the security of your network. For example, you can find which computers in the Sales group run the latest operating system. Or, you can find out which client computers in the Finance group need the latest antivirus definitions installed. You can view the information about each client in the group on the Clients page. You can narrow down the search if there are too many clients.
See "Viewing the protection status of clients and client computers" on page 128.
You can export the data that is contained in the query into a text file.
Note: To search for most of the information about the users, you must collect user information during the client software installation or later. This user information is also displayed on the General tab and the User Info tab in the client's Edit Properties dialog box.
To search for information about client computers
1 In the console, click Clients.
2 On the Clients tab, under View Clients, choose the group you want to search.
3 Under Tasks, click Search clients.
4 Click Browse to select a group other than the default group.
5 In the Select Group dialog box, select the group, and then click OK.
6 Under Search Criteria, click in the Search Field to see the drop-down list, and then select the criteria by which you want to search.
7 Click the Comparison Operator drop-down list, and then select a comparison operator.
You can use standard Boolean operators in your search criteria.
8 In the Value cell, type the search string.
9 Click Search.
You can export the results into a text file.
10 Click Close.
About enabling and disabling protection when you need to troubleshoot problems
In general, you always want to keep the protection technologies enabled on a client computer.
You might need to temporarily disable either all the protection technologies or individual protection technologies if you have a problem with the client computer.
For example, if an application does not run or does not run correctly, you might want to disable Network Threat Protection. If you still have the problem after you disable all protection technologies, completely uninstall the client. If the problem persists, you know that the problem is not due to Symantec Endpoint Protection.
Warning: Be sure to enable again any of the protections when you have completed your troubleshooting task to ensure that the computer remains protected.
Table 9-3 describes the reasons why you might want to disable each protection technology.
Table 9-3 Purpose for disabling a protection technology

Virus and Spyware Protection
    If you disable this protection, you disable Auto-Protect only. The scheduled or startup scans still run if you or the user has configured them to do so.
    You might enable or disable Auto-Protect for the following reasons:
    ■ Auto-Protect might block you from opening a document. For example, if you open a Microsoft Word document that has a macro, Auto-Protect may not let you open it. If you know the document is safe, you can disable Auto-Protect.
    ■ Auto-Protect may warn you about a virus-like activity that you know is not the work of a virus. For example, you might get a warning when you install new computer applications. If you plan to install more applications and you want to avoid the warning, you can temporarily disable Auto-Protect.
    ■ Auto-Protect may interfere with Windows driver replacement.
    ■ Auto-Protect might slow down the client computer.
    Note: If you disable Auto-Protect, you also disable Download Insight, even if Download Insight is enabled. SONAR also cannot detect heuristic threats. SONAR detection of host file and system changes continues to function.
    See "Running commands on the client computer from the console" on page 134.
    If Auto-Protect causes a problem with an application, it is better to create an exception than to permanently disable the protection.
    See "Creating exceptions for Symantec Endpoint Protection Small Business Edition" on page 270.

Proactive Threat Protection
    You might want to disable Proactive Threat Protection for the following reasons:
    ■ You see too many warnings about the threats that you know are not threats.
    ■ Proactive Threat Protection might slow down the client computer.
    See on page 230.

Network Threat Protection
    You might want to disable Network Threat Protection for the following reasons:
    ■ You install an application that the firewall might block.
    ■ The firewall or the Intrusion Prevention System causes network connectivity-related issues.
    ■ The firewall might slow down the client computer.
    ■ You cannot open an application.
    If you are not sure that Network Threat Protection causes the problem, you might need to disable all the protection technologies.
    See "Enabling or disabling network intrusion prevention or browser intrusion prevention" on page 263.

Tamper Protection
    Typically, you should keep Tamper Protection enabled.
    You might want to disable Tamper Protection temporarily if you get an extensive number of false positive detections. For example, some third-party applications might make changes that inadvertently try to modify Symantec settings or processes. If you are sure that an application is safe, you can create a Tamper Protection exception for the application.
    See "Changing Tamper Protection settings" on page 232.
About commands that you can run on client computers
You can run commands remotely on individual clients or an entire group from the console.
You can enable and disable protection to troubleshoot problems on the client computer.
See "About enabling and disabling protection when you need to troubleshoot problems" on page 130.
Table 9-4 Commands that you can run on client computers

Scan
    Runs an on-demand scan on the client computers.
    If you run a scan command and select a Custom scan, the scan uses the command scan settings that you configured on the Administrator-defined Scans page. The command uses the settings that are in the Virus and Spyware Protection policy that is applied to the selected client computers.
    See "Running on-demand scans on client computers" on page 185.

Update Content
    Updates content on clients by initiating a LiveUpdate session on the client computers. The clients receive the latest content from Symantec LiveUpdate.
    See "Configuring the LiveUpdate download schedule for Symantec" on page 287.

Update Content and Scan
    Updates content by initiating a LiveUpdate session and runs an on-demand scan on client computers.

Restart Client Computers
    Restarts the client computers.
    Note: You can ensure that a client does not restart. You can add a registry key on the client that keeps it from restarting even if an administrator issues a restart command.
    See "Ensuring that a client does not restart" on page 134.

Enable Auto-Protect
    Enables Auto-Protect for the file system on the client computers.
    By default, Auto-Protect for the file system is enabled. You might need to enable Auto-Protect from the console if you have allowed users to change the setting or if you disable Auto-Protect. You can lock the setting so that users on client computers cannot disable Auto-Protect.
    See "Customizing Auto-Protect for Windows clients" on page 211.
    See "Customizing Auto-Protect for Mac clients" on page 212.
    If you want to enable or disable Auto-Protect for email, you must include the setting in the Virus and Spyware Protection policy.

Enable Network Threat Protection and Disable Network Threat Protection
    Enables or disables the firewall and enables intrusion prevention on the client computers.
    Note: Mac client computers do not process this command.
    See "Managing firewall protection" on page 233.

Enable Download Insight and Disable Download Insight
    Enables or disables Download Insight on the client computers.
    Note: Mac client computers do not process this command.
    See "Managing Download Insight detections" on page 191.

See "Running commands on the client computer from the console" on page 134.
See "Running commands from the computer status log" on page 315.
You can configure a limited administrator to have rights to some or none of these commands.
See "Configuring the access rights for a limited administrator" on page 140.
Running commands on the client computer from the console
On managed clients, the commands that you run override the commands that the user runs. The order in which commands and actions are processed on the client computer differs from command to command. Regardless of where the command is initiated, commands and actions are processed in the same way.
You can also run these commands on clients from the Computer Status log.
See "Running commands from the computer status log" on page 315.
See "About commands that you can run on client computers" on page 132.
To run commands on the client computer from the console
1 In the console, click Computers, and then under Computers, select the group that includes computers for which you want to run a command.
2 In the right pane, click Computers.
3 Do one of the following actions:
■ In the left pane, under Computers, right-click the group for which you want to run the command.
■ In the right pane, on the Computers tab, select and right-click the computers or users for which you want to run the command.
4 Click one of the following commands:
■ Run a command on the group > command
■ Run Command on Clients > command
5 In the message that appears, click OK.
Ensuring that a client does not restart
You can use the following procedure to ensure that any Symantec Endpoint Protection Small Business Edition client computer does not restart. For example, you may want to set this value on the servers that run the Symantec Endpoint Protection Small Business Edition client. Setting this registry key ensures that the server does not restart if an administrator issues a Restart computer command on its group from the console.
To ensure that a client does not restart
1 On the client computer, open the registry editor.
2 Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC.
3 Add the following value to the registry:
DisableRebootCommand REG_DWORD 1
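Because this value is typically wanted on every server that runs the client, the following added example (it is not from the Symantec guide) sets the documented DisableRebootCommand value from PowerShell, reads it back to confirm it landed as REG_DWORD 1, and reports the state of a list of servers before an administrator issues Restart Client Computers on their group. The registry path and value name are the ones given in the procedure above. The assumptions are that the script runs with local administrator rights on the client, that the SMC key is present only when the client is installed, that WinRM is enabled for the remote report, and that the server names are constructed for the example.

```powershell
# Added example, not part of the Symantec guide.
# Registry path and value name are the ones the procedure above documents.
$SepSmcKey   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$RebootValue = 'DisableRebootCommand'

function Get-SepRestartBlocked {
    # $true  : the client ignores the console's Restart Client Computers command
    # $false : the client restarts when the command arrives
    # $null  : the SMC key is absent (assumed to mean no client is installed)
    if (-not (Test-Path -LiteralPath $SepSmcKey)) { return $null }
    $props = Get-ItemProperty -LiteralPath $SepSmcKey -Name $RebootValue -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }          # value never set: restarts allowed
    return ([int]$props.$RebootValue -eq 1)
}

function Set-SepRestartBlocked {
    [CmdletBinding(SupportsShouldProcess)]
    param([bool]$Blocked = $true)

    if (-not (Test-Path -LiteralPath $SepSmcKey)) {
        throw "No Symantec Endpoint Protection client key at $SepSmcKey on $env:COMPUTERNAME"
    }
    $desired = if ($Blocked) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$SepSmcKey\$RebootValue", "set REG_DWORD to $desired")) {
        # Set-ItemProperty creates the value if it is missing and overwrites it otherwise;
        # REG_DWORD is the type the guide specifies.
        Set-ItemProperty -LiteralPath $SepSmcKey -Name $RebootValue -Value $desired -Type DWord
        # Read back instead of trusting the write so a wrong hive or an unexpected
        # redirection is caught here rather than during the next restart command.
        if ((Get-SepRestartBlocked) -ne $Blocked) {
            throw "$RebootValue did not take effect on $env:COMPUTERNAME"
        }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; RestartBlocked = (Get-SepRestartBlocked) }
}

function Get-SepRestartBlockedReport {
    # Queries each server over WinRM (assumed enabled) and returns one row per server.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $remote = {
        param($Key, $Name)
        if (-not (Test-Path -LiteralPath $Key)) { return 'no client key' }
        $v = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($v -eq 1) { 'restart blocked' } else { 'restart allowed' }
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
                   -ArgumentList $SepSmcKey, $RebootValue -ErrorAction Continue |
        ForEach-Object { [pscustomobject]@{ Computer = $_.PSComputerName; State = [string]$_ } }
}

# Usage (server names are constructed for the example):
#   Set-SepRestartBlocked                     # block restarts on this server
#   Set-SepRestartBlocked -Blocked:$false     # allow them again
#   Set-SepRestartBlocked -WhatIf             # preview only
#   Get-SepRestartBlockedReport -ComputerName 'srv-db01', 'srv-file01' | Format-Table -AutoSize
```

Keep the report step in the change window before a group-wide Restart Client Computers command: a server that reports "restart allowed" will go down with the rest of the group, and a server that reports "no client key" is not protected by the client at all, which is a different problem worth noticing at the same time.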
Chapter 10
Managing administrator accounts and passwords
This chapter includes the following topics:
■ Managing administrator accounts
■ About administrator account roles and access rights
■ Adding an administrator account
■ Configuring the access rights for a limited administrator
■ Changing the password for an administrator account
■ Allowing administrators to reset forgotten passwords
■ Sending a temporary password to an administrator
■ Displaying the Remember my user name and Remember my password check boxes on the logon screen
Managing administrator accounts
You can use administrator accounts to manage Symantec Endpoint Protection Manager. Administrators log on to the Symantec Endpoint Protection Manager console to change policy settings, manage groups, run reports, and install client software, as well as other management tasks.
The default account is a system administrator account, which provides access to all features. You can also add a more limited administrator account, for administrators who need to perform a subset of tasks.
For a small company, you may only need one administrator. For a large company, you most likely need multiple administrators, some of whom have more access rights than others.
You manage administrator accounts and their passwords on the Admin page.
Table 10-1 Account administration

Add administrator accounts
    Add accounts for administrators who need access to the Symantec Endpoint Protection Manager console.
    ■ Learn about the administrator account roles that are available.
    ■ Create the types of administrator accounts that you need.
    ■ Configure the restrictions for a limited administrator.
    See "Adding an administrator account" on page 139.
    See "Configuring the access rights for a limited administrator" on page 140.

Reset passwords
    You can perform the following tasks for passwords:
    ■ Change the password for an administrator account.
      See "Changing the password for an administrator account" on page 140.
    ■ Make sure that the Forgot your password? link appears so that administrators can reset their own forgotten passwords.
      See "Allowing administrators to reset forgotten passwords" on page 141.
    ■ Send an administrator a temporary password so that they can reset their password.
    ■ Display the Remember my user name and Remember my password check boxes on the management server logon screen.
      See "Displaying the Remember my user name and Remember my password check boxes on the logon screen" on page 142.

See "Logging on to the Symantec Endpoint Protection Manager console" on page 51.
About administrator account roles and access rights
When you install the Symantec Endpoint Protection Manager, a default system administrator account is created, called admin. The system administrator account gives an administrator access to all the features in Symantec Endpoint Protection Manager.
To help you manage security, you can add additional system administrator accounts and limited administrator accounts. A limited administrator account has access to a subset of Symantec Endpoint Protection Manager features.
You choose which accounts you need based on the types of roles and access rights you need in your company. Table 10-2 describes the account types and the access rights that each role has.
Table 10-2 Administrator roles and responsibilities

System administrator
    System administrators can log on to the Symantec Endpoint Protection Manager console with complete, unrestricted access to all features and tasks.
    A system administrator can create and manage other system administrator accounts and limited administrator accounts.

Limited administrator
    Limited administrators can log on to the Symantec Endpoint Protection Manager console with restricted access. Limited administrators do not have access rights by default. A system administrator must explicitly grant access rights to allow a limited administrator to perform tasks.
    Parts of the management server user interface are not available to limited administrators when you restrict access rights. For example:
    ■ Limited administrators without reporting rights cannot view the Home, Monitors, or Reports pages.
    ■ Limited administrators without policy rights cannot view or modify the policy. In addition, they cannot apply, replace, or withdraw a policy.

See "Configuring the access rights for a limited administrator" on page 140.
See "Managing administrator accounts" on page 137.
See "Adding an administrator account" on page 139.
Adding an administrator account
As a system administrator, you can add another system administrator or a limited administrator.
To add an administrator account
1 In the console, click Admin.
2 On the Admin page, click Administrators.
3 Under Tasks, click Add an administrator.
4 In the Add Administrator dialog box, on the General tab, enter the user name and email address.
5 On the Access Rights tab, specify the administrator role and access rights.
See "About administrator account roles and access rights" on page 138.
Click Help for more information.
6 Click OK.
See "Managing administrator accounts" on page 137.
Configuring the access rights for a limited administrator
If you add an account for a limited administrator, you must also specify the administrator's access rights. Limited administrator accounts that are not granted any access rights are created in a disabled state and the limited administrator will not be able to log on to the management server.
To configure the access rights for a limited administrator
1 In the console, click Admin.
2 On the Admin page, click Administrators.
3 Select the limited administrator.
You can also configure the access rights when you create a limited administrator account.
See "Adding an administrator account" on page 139.
4 Under Tasks, click Edit Administrator.
5 On the Access Rights tab, check an option, and then click the corresponding button to set the access rights. Click Help for more information.
6 Click OK.
See "About administrator account roles and access rights" on page 138.
See "Managing administrator accounts" on page 137.
Changing the password for an administrator account
For security purposes, you may need to change the password for another administrator's account.
The following rules apply to changing passwords:
■ System administrators can change the password for all administrators.
■ Limited administrators can change their own passwords only.
Note: When you configure the management server in the Management Server Configuration Wizard, you create the default administrator account, admin. The password you enter for the default administrator account also becomes the database password. If you change the default administrator's password, the database password does not change.
To change the password for an administrator account
1 In the console, click Admin > Administrators.
2 Under Administrators, select the administrator account, and click Edit the administrator.
3 On the General tab, type both your password and the administrator's new password.
4 Click OK.
See "Managing administrator accounts" on page 137.
Allowing administrators to reset forgotten passwords
If you have a system administrator account, you can allow your administrators to reset passwords. If you enable this feature, administrators can click the Forgot
your password? link on the logon panel to request a temporary password.
To allow administrators to reset forgotten passwords
1 In the console, click Admin.
2 On the Admin page, click System.
3 Under Tasks, click Edit the server properties.
4 In the Server Properties dialog box, on the Passwords tab, check Allow administrators to reset the passwords.
5 Click OK.
See “Sending a temporary password to an administrator” on page 142.
See “Displaying the Remember my user name and Remember my password check boxes on the logon screen” on page 142.
See “Managing administrator accounts” on page 137.
Sending a temporary password to an administrator
If you have a system administrator account, you can allow your administrators to reset their own passwords. An email that contains a link to activate the temporary password is sent to the administrator. You must first make sure the Forgot your password? link appears on the Symantec Endpoint Protection Manager log on screen.
For security reasons, the management server does not store or verify the temporary passwords. To verify whether the administrator successfully reset the password, check that the administrator received the email message.
An administrator can request a temporary password from the management console only once per minute.
You must configure the mail server so that the mail server sends the notification.
To send a temporary password to an administrator
1 On the management server computer, click Start > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager.
By default, the Forgot your password? link appears on the management server logon screen. If it does not, you must enable it.
See “Displaying the Remember my user name and Remember my password check boxes on the logon screen” on page 142.
2 In the Logon screen, click Forgot your password?
3 In the Forgot Password dialog box, type the user name for the account for which to reset the password.
4 Click Temporary Password.
As a security precaution, the administrator must change the temporary password immediately after logging on.
See “Establishing communication between the management server and email servers” on page 323.
See “Managing administrator accounts” on page 137.
Displaying the Remember my user name and Remember my password check boxes on the logon screen
You can display the Remember my user name and Remember my password check boxes on the Symantec Endpoint Protection Manager logon screen. If you enable this feature, the administrator's user name and password are prepopulated on the logon screen.
To display the Remember my user name and Remember my password check boxes on the logon screen
1 In the console, click Admin.
2 On the Admin page, click System.
3 Under Server, click Edit the server properties.
4 On the Passwords tab, check Allow users to save credentials when logging on.
5 Click OK.
See “Managing administrator accounts” on page 137.
Section 3
Managing protection and customizing policies
■ Chapter 11. Using policies to manage security
■ Chapter 12. Managing Virus and Spyware Protection
■ Chapter 15. Managing Tamper Protection
■ Chapter 16. Managing firewall protection
■ Chapter 17. Managing intrusion prevention
■ Chapter 18. Managing exceptions
■ Chapter 19. Configuring updates and updating client computer protection
■ Chapter 20. Monitoring protection with reports and logs
■ Chapter 21. Managing notifications
Chapter 11
Using policies to manage security
This chapter includes the following topics:
■ Performing the tasks that are common to all policies
■ The types of security policies
■ Locking and unlocking Virus and Spyware policy settings
■ Exporting and importing individual policies
■ How the client computers get policy updates
■ Using the policy serial number to check client-server communication
■ Manually updating policies on the client
Performing the tasks that are common to all policies
Your security policies define how the protection technologies protect your computers from known and unknown threats.
You can manage your Symantec Endpoint Protection Small Business Edition security policies in many ways. For example, you can create copies of the security policies and then customize the copies for your specific needs. You can lock and unlock certain settings so that users cannot change them on the client computer.
Table 11-1 describes many of the policy tasks that you can perform.
Table 11-1 Tasks common to all policies

Add a policy
If you do not want to use one of the default policies, you can add a new policy.
Note: If you add or edit policies in the Policies page, you must also assign the policies to a group. Otherwise those policies are not effective.
See “The types of security policies” on page 149.
See on page 151.

Lock and unlock policy settings
You can lock and unlock some Virus and Spyware Protection policy settings. Computer users cannot change locked policy settings. A padlock icon appears next to a lockable policy setting.
See “Locking and unlocking Virus and Spyware policy settings” on page 153.

Edit a policy
If you want to change the settings in an existing policy, you can edit it. You can increase or decrease the protection on your computers by modifying its security policies. You do not have to reassign a modified policy unless you change the group assignment.
See on page 151.

Assign a policy
To put a policy into use, you must assign it to one or more groups.
See “Assigning a policy to a group” on page 153.

Test a policy
Symantec recommends that you always test a new policy before you use it in a production environment.
See on page 154.

Replace a policy
You can replace one policy with another.
See on page 155.

Copy and paste a policy
Instead of adding a new policy, you may want to copy an existing policy to use as the basis for the new policy.
See “Copying and pasting a policy” on page 152.

Export and import a policy
You can export an existing policy if you want to use it in a different group. You can then import the policy and apply it to a group.
See “Exporting and importing individual policies” on page 155.

Delete a policy
If a policy is assigned to one or more groups, you cannot delete it until you have unassigned it from all groups. You must replace it with another policy first.

Check that the client has the latest policy
You can check whether the client has the latest policy. If not, you can manually update the policy on the client.
See “How the client computers get policy updates” on page 156.
See “Using the policy serial number to check client-server communication” on page 156.
See “Manually updating policies on the client” on page 157.
The types of security policies
You use several different types of security policies to manage your network security. Most types of policies are automatically created during the installation.
You can use the default policies or you can customize policies to suit your specific environment.
See “Performing the tasks that are common to all policies” on page 147.
Table 11-2 Security policy types

Virus and Spyware Protection policy
The Virus and Spyware Protection policy provides the following protection:
■ Detects, removes, and repairs the side effects of virus and security risks by using signatures.
■ Detects the threats in the files that users try to download by using reputation data from Download Insight.
■ Detects the applications that exhibit suspicious behavior by using SONAR heuristics and reputation data.
The Virus and Spyware Protection policy finds behavior anomalies through its SONAR technology. For legacy clients, it finds behavior anomalies through TruScan proactive threat scans.
Note: Download Insight and SONAR technology are available only on Windows clients.
See “Managing scans on client computers” on page 165.

Firewall policy
The Firewall policy provides the following protection:
■ Blocks the unauthorized users from accessing the computers and networks that connect to the Internet.
■ Detects the attacks by hackers.
■ Eliminates the unwanted sources of network traffic.
Note: Firewall policies can be applied only to Windows clients.
See “Managing firewall protection” on page 233.

Intrusion Prevention policy
The Intrusion Prevention policy automatically detects and blocks network attacks and attacks on browsers.
Note: Intrusion Prevention policies can be applied only to Windows clients.
See “Managing intrusion prevention on your client computers” on page 259.

LiveUpdate policy
The LiveUpdate policy contains the settings that determine when and how often client computers download content updates from LiveUpdate.
See on page 283.

Exceptions policy
The Exceptions policy provides the ability to exclude applications and processes from detection by the virus and spyware scans and by SONAR.
See “Managing exceptions for Symantec Endpoint Protection” on page 268.
Adding a policy
Symantec Endpoint Protection Manager comes with a default policy for each type of protection. If you need to customize a policy, you add one and edit it. You can create multiple versions of each type of policy.
Symantec recommends that you test all new policies before you use them in a production environment.
To add a new policy
1 In the console, click Policies.
2 On the Policies page, select a policy type, and then click the link to add a new policy.
3 Modify the policy settings to increase or decrease protection.
4 Click OK to save the policy.
5 Optionally assign the new policy to a group.
You can assign a new policy to a group during or after policy creation. The new policy replaces the currently assigned policy of the same protection type.
See “Assigning a policy to a group” on page 153.
See “Performing the tasks that are common to all policies” on page 147.
Editing a policy
You can edit policies on the Policies tab on the Computers page as well as on the Policies page. Multiple groups can share the same policy.
See “Performing the tasks that are common to all policies” on page 147.
To edit a policy in the Policies page
1 In the console, click Policies.
2 On the Policies page, under Policies, click the policy type.
3 In the policy type Policies pane, click the specific policy that you want to edit.
4 Under Tasks, click Edit the Policy.
5 In the policy type Policy Overview pane, edit the name and description of the policy, if necessary.
6 To edit the policy, click any of the policy type Policy pages for the policies.
Copying and pasting a policy
You can copy a policy and modify it if you want to keep the default policy for some of your groups or for reference. You can copy and paste policies on the Policies page. You can copy and paste policies on the Computers page. You can also copy a policy on the Policies page and then paste it on to a group in the Computers page.
Note: You can also use the Copy the group policies and Paste the group policies tasks on the Computers page to copy all of the policies that are assigned to a group.
To copy and paste a policy
1 In the console, click Policies.
2 On the Policies page, under Policies, click the type of policy that you want to copy.
3 In the policy type Policies pane, right-click the specific policy that you want to copy, and then click Copy.
4 Click OK.
5 Right-click anywhere in the white space of the policy type Policies pane, and then click Paste.
See “Performing the tasks that are common to all policies” on page 147.
Locking and unlocking Virus and Spyware policy settings
You can lock and unlock some Virus and Spyware Protection policy settings. End users cannot change locked settings. A padlock icon appears next to a lockable setting.
See “Performing the tasks that are common to all policies” on page 147.
To lock or unlock a policy setting
1 In the console, open a Virus and Spyware Protection policy.
2 Select one of the pages, such as Auto-Protect.
3 Click a padlock icon to lock or unlock the corresponding setting.
4 Click OK.
You can also lock and unlock Tamper Protection settings, Submissions settings, and intrusion prevention settings.
See “Changing Tamper Protection settings” on page 232.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.
See “Enabling or disabling network intrusion prevention or browser intrusion prevention” on page 263.
Assigning a policy to a group
You assign a policy to a client computer through a group. Every group has exactly one policy of each protection type that is assigned to it at all times. If you have both Windows clients and Mac clients, you can put them into separate groups or you can manage them in the same group. If you put them in the same group and apply a policy, each type of client applies the appropriate policy settings. Windows computers ignore the settings that only apply to Mac computers, and Mac computers ignore the settings that only apply to Windows computers.
You can assign a policy to one or more groups. The policy replaces the currently assigned policy of the same protection type.
Policies are assigned to computer groups as follows:
■ At initial installation, the Symantec default security policies are assigned to the My Company parent group.
■ The security policies in the My Company parent group are automatically assigned to each newly created child group.
■ You replace a policy in a group by assigning another policy of the same type.
You can replace a policy that is assigned to the My Company parent group or to any child group.
New groups always inherit from their immediate parent group. If you create a hierarchy of sub-groups, each one inherits from its immediate parent, not from the top-level parent.
The user interface in the Assign policy dialog box conveys the following additional information:
A folder icon indicates a group.
A check mark in a green circle indicates that this policy is assigned to this group.
See “Performing the tasks that are common to all policies” on page 147.
See on page 154.
To assign a policy to a group
1 In the console, click Policies.
2 On the Policies page, select a policy, and then click Assign the policy.
3 In the Assign policy dialog box, select the groups, and then click Assign.
4 Click OK to confirm.
Viewing assigned policies
You can verify that your security policies are assigned to the correct groups from the Computers page. You can also view policy settings from this page.
See “Assigning a policy to a group” on page 153.
See “Performing the tasks that are common to all policies” on page 147.
Click Help for more information about the assigned policies.
To view assigned policies
1 In the console, click Computers.
2 On the Computers page, on the Policies tab, in the group tree, click a group.
The policies that are assigned to the selected group are shown. Click a policy to view its settings.
Click Tasks for more options.
Replacing a policy
You may want to replace one policy in a group with another.
To replace a policy
1 In the console, click Policies.
2 On the Policies page, under Policies, click the type of policy that you want to replace.
3 In the policy type Policies pane, click the policy.
4 In the Policies page, under Tasks, click Replace the Policy.
5 In the Replace policy type Policy dialog box, in the New policy type Policy list box, select the replacement policy.
6 In the tree under Replace Policy, select the groups for which you want to replace the existing policy.
7 Click Replace.
8 When you are prompted to confirm the replacement of the policy, click Yes.
See “Performing the tasks that are common to all policies” on page 147.
Exporting and importing individual policies
You can export and import policies rather than recreating the policies. All the settings that are associated with the policy are automatically exported.
You export and import each policy one at a time. You can import a policy file on the Policies page and apply it to a group.
See “Performing the tasks that are common to all policies” on page 147.
To export a single policy from the Policies page
1 In the console, click Policies.
2 On the Policies page, under Policies, click the type of policy that you want to export.
3 In the policy type Policies pane, click the specific policy that you want to export.
4 In the Policies page, under Tasks, click Export the Policy.
5 In the Export Policy dialog box, locate the folder where you want to export the policy file to, and then click Export.
To import a single policy
1 In the console, click Policies.
2 On the Policies page, under Policies, click the type of policy that you want to import.
3 In the policy type Policies pane, click the policy that you want to import.
4 On the Policies page, under Tasks, click Import a policy type Policy.
5 In the Import Policy dialog box, browse to the policy file that you want to import, and then click Import.
How the client computers get policy updates
Computers get security policy updates from Symantec Endpoint Protection Manager. When you update a security policy by using the console, the computers receive the updates immediately. You can also update policies manually on the client computer.
See “Using the policy serial number to check client-server communication” on page 156.
Using the policy serial number to check client-server communication
To check whether the server and client communicate, check the policy serial number on the console and on the client. If the client communicates with the management server and receives regular policy updates, the serial numbers should match.
See “Manually updating policies on the client” on page 157.
See “How the client computers get policy updates” on page 156.
To view the policy serial number in the console
1 In the console, click Computers.
2 Under Computers, select the relevant group.
The policy serial number and policy date appear in the upper right corner of the program window.
To view the policy serial number on the client computer
◆ On the client computer, in the client, click Help > Troubleshooting.
On the Management tab, look at the policy serial number.
The serial number should match the serial number on the console for the group that the client computer is in.
See “Performing the tasks that are common to all policies” on page 147.
Manually updating policies on the client
You can manually update the policies on the client computer if you do not think you have the latest policy on the client. If the client does not receive the update, there might be a communication problem.
Check the policy serial number to check whether your managed client computers can communicate with the management server.
See “Using the policy serial number to check client-server communication” on page 156.
To manually update policies from the client computer
1 On the client computer, in the client user interface, click Help > Troubleshooting.
2 In the Troubleshooting dialog box, in the left column, click Management.
3 On the Management panel, under Policy Profile, click Update.
See “Performing the tasks that are common to all policies” on page 147.
Chapter 12
Managing Virus and Spyware Protection
This chapter includes the following topics:
■ Preventing and handling virus and spyware attacks on client computers
■ Remediating risks on the computers in your network
■ Managing scans on client computers
■ Setting up scheduled scans that run on Windows computers
■ Setting up scheduled scans that run on Mac computers
■ Running on-demand scans on client computers
■ Adjusting scans to improve computer performance
■ Adjusting scans to increase protection on your client computers
■ Managing Download Insight detections
■ How Symantec Endpoint Protection Small Business Edition policy features work together
■ About submitting information about detections to Symantec Security Response
■ Enabling or disabling client submissions to Symantec Security Response
■ Managing the virus and spyware notifications that appear on client computers
■ About the pop-up notifications that appear on the clients that run Windows
■ Managing early launch anti-malware (ELAM) detections
Preventing and handling virus and spyware attacks on client computers
You can prevent and handle virus and spyware attacks on client computers by following some important guidelines.
Table 12-1 Protecting computers from virus and spyware attacks

Make sure that your computers have Symantec Endpoint Protection Small Business Edition installed
All computers in your network and all your servers should have Symantec Endpoint Protection Small Business Edition installed. Make sure that Symantec Endpoint Protection Small Business Edition is functioning correctly.

Keep definitions current
Make sure that the latest definitions are installed on client computers.
You can check the definitions date on the Computers tab. You can run a command to update the definitions that are out of date.
You can also run a computer status report to check the latest definitions date.
See on page 283.

Run regular scans
By default, Auto-Protect and SONAR run on client computers. A default scheduled active scan also runs on client computers.
You can run scans on demand. You can customize the scan settings.
See “Running on-demand scans on client computers” on page 185.
You might want to create and customize scheduled scans.
Typically, you might want to create a full scheduled scan to run once a week, and an active scan to run once per day. By default, Symantec Endpoint Protection Small Business Edition generates an active scan that runs at 12:30 P.M. On unmanaged computers, Symantec Endpoint Protection Small Business Edition also includes a default startup scan that is disabled.
You should make sure that you run an active scan every day on the computers in your network. You might want to schedule a full scan once a week or once a month if you suspect that you have an inactive threat in your network. Full scans consume more computer resources and might affect computer performance.
See “Setting up scheduled scans that run on Windows computers” on page 182.
See “Setting up scheduled scans that run on Mac computers” on page 185.

Check or modify scan settings for increased protection
By default, virus and spyware scans detect, remove, and repair the side effects of viruses and security risks.
The default scan settings optimize your client computers' performance while still providing a high level of protection. You can increase the level of protection, however.
For example, you might want to increase the Bloodhound™ heuristic protection.
See “Adjusting scans to increase protection on your client computers” on page 189.

Allow clients to submit information about detections to Symantec
Clients can submit information about detections to Symantec. The submitted information helps Symantec address threats.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.

Run intrusion prevention
Symantec recommends that you run intrusion prevention on your client computers as well as Virus and Spyware Protection.
See “Managing intrusion prevention on your client computers” on page 259.

Remediate infections if necessary
After scans run, client computers might still have infections. For example, a new threat might not have a signature, or Symantec Endpoint Protection Small Business Edition was not able to completely remove the threat. In some cases client computers require a restart for Symantec Endpoint Protection Small Business Edition to complete the cleaning process.
See “Remediating risks on the computers in your network” on page 162.
Remediating risks on the computers in your network
You remediate risks as part of handling virus and spyware attacks on your computers.
You use the Reports and Monitors features in the console to determine what computers are infected and to view the results of remediation.
Table 12-2 Remediating risks on client computers

Step 1 Identify infected and at-risk computers
You can get information about infected and at-risk computers from Symantec Endpoint Protection Manager. On the Home page, check the Newly Infected and the Still Infected counts in the Virus and Risks Activity Summary. The Newly Infected count is a subset of the Still Infected count. The Newly Infected count shows the number of infected and at-risk computers during the time interval that you specify in the summary.
Note: Unremediated SONAR detections are not counted as Still Infected. They are part of the Suspicious count in the summary.
Computers are considered still infected if a subsequent scan detects them as infected. For example, a scheduled scan might partially clean a file. Auto-Protect subsequently detects the file as a risk.
Files that are considered "still infected" are rescanned when new definitions arrive or as soon as the client computer is idle.
See “Identifying the infected and at-risk computers” on page 164.

Step 2 Update definitions and rescan
You should make sure that clients use the latest definitions.
For the clients that run on Windows computers, you should also make sure that your scheduled and on-demand scans use the Insight Lookup feature.
You can check the definitions date in the Infected and At Risk Computers report.
You can run the Update Content and Scan command from the Risk log.
When the Virus and Risks Activity Summary on the Home page shows the Still Infected and the Newly Infected counts are zero, then all risks are eliminated.
See on page 283.

Step 3 Check scan actions and rescan
Scans might be configured to leave the risk alone. You might want to edit the Virus and Spyware Protection policy and change the action for the risk category. The next time the scan runs, Symantec Endpoint Protection Small Business Edition applies the new action.
You set the action on the Actions tab for the particular scan type (administrator-defined or on-demand scan, or Auto-Protect). You can also change the detection action for Download Insight and SONAR.
See “Checking the scan action and rescanning the identified computers” on page 164.

Step 4 Restart computers if necessary to complete remediation
Computers may still be at risk or infected because they need to be restarted to finish the remediation of a virus or security risk.
You can view the Risk log to determine if any computers require a restart.
You can run a command from the logs to restart computers.
See “Running commands from the computer status log” on page 315.

Step 5 Investigate and clean remaining risks
If any risks remain, you should investigate them further.
You can check the Symantec Security Response Web page for up-to-date information about viruses and security risks.
http://securityresponse.symantec.com
On the client computer, you can also access the Security Response Web site from the scan results dialog box.
Symantec Technical Support also offers a Threat Expert tool that quickly provides detailed analysis of threats. You can also run a loadpoint analysis tool that can help you troubleshoot problems.

Step 6 Check the Computer Status log
View the Computer Status log to make sure that risks are remediated or removed from client computers.
See on page 310.
For more information about handling viruses and outbreaks on a network, see the knowledge base article, Best practices for troubleshooting viruses on a network.
See “Preventing and handling virus and spyware attacks on client computers” on page 160.
See “Monitoring endpoint protection” on page 293.
Identifying the infected and at-risk computers
You can use the Symantec Endpoint Protection Manager Home page and a Risk report to identify the computers that are infected and at risk.
To identify infected computers
1 In the console, click Home and view the Virus and Risks Activity Summary.
Still Infected is a subset of Newly Infected, and the Still Infected count goes down as you eliminate the risks from your network. Computers are still infected if a subsequent scan would report them as infected. For example, Symantec Endpoint Protection Small Business Edition might have been able to clean a risk only partially from a computer, so Auto-Protect still detects the risk.
2 In the console, click Reports.
3 In the Report type list box, click Risk.
4 In the Select a report list box, click Infected and At Risk Computers.
5 Click Create Report and note the lists of the infected and at-risk computers that appear.
See “Remediating risks on the computers in your network” on page 162.
Checking the scan action and rescanning the identified computers
If you have infected and at-risk computers, you should identify why the computers are still infected or at risk. Check the action that was taken for each risk on the infected and at-risk computers. It may be that the action that was configured and taken was Left Alone. If the action was Left Alone, you should either clean the risk from the computer, remove the computer from the network, or accept the risk. For Windows clients, you might want to edit the Virus and Spyware Protection policy and change the scan action.
See “Remediating risks on the computers in your network” on page 162.
To identify the actions that need to be changed and rescan the identified computers
1 In the console, click Monitors.
2 On the Logs tab, select the Risk log, and then click View Log.
From the Risk log event column, you can see what happened and the action that was taken. From the Risk Name column, you can see the names of the risks that are still active. From the Domain Group User column you can see which group the computer is a member of.
If a client is at risk because a scan took the action Left Alone, you may need to change the Virus and Spyware Protection policy for the group. In the Computer column, you can see the names of the computers that still have active risks on them.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
3 Click Back.
4 On the Logs tab, select the Computer Status log, and then click View Log.
5 If you changed an action and pushed out a new policy, select the computers that need to be rescanned with the new settings.
6 In the Command list box, select Scan, and then click Start to rescan the computers.
You can monitor the status of the Scan command from the Command Status tab.
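Steps 2 and 5 of the procedure above can also be carried out against a Risk log that you have exported from the console, which is easier when the log is long. The following PowerShell is an added example, not code from this guide or from Symantec. It assumes the export is a CSV whose column headers match the column names used in step 2 (Event, Risk Name, Domain Group User, Computer) plus an Action Taken column; those header names are an assumption about the export format, so check them against the first line of your own export. The rows embedded in the script are constructed sample data. The script lists each computer whose detections were Left Alone, with the group whose Virus and Spyware Protection policy you would review, and then summarizes which groups are affected.

```powershell
# Added example, not from the guide or the product. Column names are an
# assumption about the Risk log CSV export; adjust them to match your export.
# The rows below are constructed sample data.
$sampleRiskLog = @'
"Event","Action Taken","Risk Name","Domain Group User","Computer"
"Security risk found","Left Alone","Sample.Adware","Default\Sales\jdoe","SALES-PC01"
"Security risk found","Quarantined","Sample.Adware","Default\Sales\asmith","SALES-PC02"
"Virus found","Cleaned","Sample.Virus","Default\Finance\bwhite","FIN-PC07"
"Security risk found","Left Alone","Sample.Trackware","Default\Finance\bwhite","FIN-PC07"
"Security risk found","Left Alone","Sample.Adware","Default\Sales\jdoe","SALES-PC01"
'@

function Get-RescanCandidates {
    <#
    .SYNOPSIS
    Returns one row per (computer, risk) whose scan action was Left Alone.
    #>
    param(
        # CSV text of an exported Risk log (for a file: Get-Content -Raw)
        [Parameter(Mandatory)] [string] $CsvText
    )

    $rows = $CsvText | ConvertFrom-Csv

    $rows |
        Where-Object { $_.'Action Taken' -eq 'Left Alone' } |
        ForEach-Object {
            # "Domain Group User" is Domain\Group\...\User; drop the trailing
            # user so what remains identifies the group whose policy to review
            $parts = $_.'Domain Group User' -split '\\'
            $group = if ($parts.Count -gt 1) {
                $parts[0..($parts.Count - 2)] -join '\'
            } else {
                $parts[0]
            }
            [pscustomobject]@{
                Computer = $_.Computer
                Group    = $group
                RiskName = $_.'Risk Name'
                Event    = $_.Event
            }
        } |
        Sort-Object Computer, RiskName -Unique   # collapse repeated detections
}

function Get-GroupsNeedingPolicyReview {
    param([Parameter(Mandatory)] [string] $CsvText)

    Get-RescanCandidates -CsvText $CsvText |
        Group-Object Group |
        ForEach-Object {
            [pscustomobject]@{
                Group     = $_.Name
                Computers = ($_.Group.Computer | Sort-Object -Unique) -join ', '
            }
        }
}

# Computers to select for the Scan command in step 5
Get-RescanCandidates -CsvText $sampleRiskLog | Format-Table -AutoSize

# Groups whose Virus and Spyware Protection policy action may need changing
Get-GroupsNeedingPolicyReview -CsvText $sampleRiskLog | Format-Table -AutoSize

# For a real export:
# Get-RescanCandidates -CsvText (Get-Content -Raw .\RiskLog.csv)
```

With the sample data the first table lists FIN-PC07 (Sample.Trackware, group Default\Finance) and SALES-PC01 (Sample.Adware, group Default\Sales) once each, and the second table names the two groups; SALES-PC02 does not appear because its detection was already quarantined.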
Managing scans on client computers
Some scans run by default, but you might want to change settings or set up your own scheduled scans. You can also customize scans and change how much protection they provide on your client computers.
Table 12-3 Managing scans on client computers

Task: Review the types of scans and default settings
Description: Check your scan settings. You can review the defaults and determine if you want to make changes.
See “About the types of scans and real-time protection” on page 167.
See “About the default Virus and Spyware Protection policy scan settings” on page 178.

Task: Create scheduled scans and run on-demand scans
Description: You use scheduled scans and on-demand scans to supplement the protection that Auto-Protect provides. Auto-Protect provides protection when you read and write files. Scheduled scans and on-demand scans can scan any files that exist on your client computers. They can also protect memory, load points, and other important locations on your client computers.
Note: For managed clients, Symantec Endpoint Protection Small Business Edition provides a default scheduled scan that scans all files, folders, and locations on the client computers.
See “Setting up scheduled scans that run on Windows computers” on page 182.
See “Setting up scheduled scans that run on Mac computers” on page 185.
See “Running on-demand scans on client computers” on page 185.

Task: Customize scan settings for your environment
Description: You can customize Auto-Protect settings as well as options in administrator-defined scans. You might want to change scan settings to handle false positive detections, optimize computer or scan performance, or change scan actions or notifications.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
See “Customizing the virus and spyware scans that run on Mac computers” on page 211.

Task: Adjust scans to improve client computer performance
Description: By default, Symantec Endpoint Protection Small Business Edition provides a high level of security while it minimizes the effect on your client computers' performance. You can change some settings, however, to optimize the computer performance even more. Optimization is important in virtualized environments.
Note: When you adjust settings to optimize client computer performance, you might decrease some security on your client computers.
See “Adjusting scans to improve computer performance” on page 187.

Task: Adjust scans to increase protection on your client computers
Description: The default scan settings optimize your client computers' performance while still providing a high level of protection. You can increase the level of protection, however.
See “Adjusting scans to increase protection on your client computers” on page 189.

Task: Manage Download Insight detections
Description: Download Insight inspects files that users try to download through Web browsers, text messaging clients, and other portals. Download Insight uses reputation information from Symantec Insight to make decisions about files.
See “Managing Download Insight detections” on page 191.

Task: Manage SONAR
Description: SONAR is part of Proactive Threat Protection on your client computers. However, SONAR settings are part of a Virus and Spyware Protection policy.
See page 227.

Task: Configure exceptions for scans
Description: You can create exceptions for the files and applications that you know are safe. Symantec Endpoint Protection Small Business Edition also excludes some files and folders automatically.
See “Managing exceptions for Symantec Endpoint Protection Small Business Edition” on page 268.
See page 174.

Task: Manage files in the Quarantine
Description: You can monitor and delete the files that are quarantined on your client computers.
See page 202.

Task: Allow clients to submit information about detections to Symantec
Description: By default, clients send information about detections to Symantec. You can turn off submissions or choose which types of information clients submit.
Symantec recommends that you always allow clients to send submissions. The information helps Symantec address threats.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.

Task: Manage the virus and spyware notifications that appear on client computers
Description: You can decide whether or not notifications appear on client computers for virus and spyware events.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
About the types of scans and real-time protection
Symantec Endpoint Protection Small Business Edition includes different types of scans and real-time protection to detect different types of viruses, threats, and risks.
By default, Symantec Endpoint Protection Small Business Edition runs an active scan every day at 12:30 P.M. Symantec Endpoint Protection Small Business Edition also runs an active scan when new definitions arrive on the client computer. On unmanaged computers, Symantec Endpoint Protection Small Business Edition also includes a default startup scan that is disabled.
Note: When a client computer is off or in hibernation or sleep mode, the computer might miss a scheduled scan. When the computer starts up or wakes, by default the scan is retried within a specified interval. If the interval already expired, Symantec Endpoint Protection Small Business Edition does not run the scan and waits until the next scheduled scan time. You can modify the settings for missed scheduled scans.
You should make sure that you run an active scan every day on the computers in your network. You might want to schedule a full scan once a week or once a month if you suspect that you have an inactive threat in your network. Full scans consume more computer resources and might affect computer performance.
See “Managing scans on client computers” on page 165.

Table 12-4 Scan types

Scan type: Auto-Protect
Description: Auto-Protect continuously inspects files and email data as they are written to or read from a computer. Auto-Protect automatically neutralizes or eliminates detected viruses and security risks.
Note: Mac clients support Auto-Protect for the file system only.
See “About the types of Auto-Protect” on page 170.

Scan type: Download Insight
Description: Download Insight boosts the security of Auto-Protect scans by inspecting files when users try to download them from browsers and other portals. It uses reputation information from Symantec Insight to allow or block download attempts.
Download Insight functions as part of Auto-Protect and requires Auto-Protect to be enabled.
See page 195.

Scan type: Administrator-defined scans
Description: Administrator-defined scans detect viruses and security risks by examining all files and processes on the client computer. Administrator-defined scans can also inspect memory and load points.
The following types of administrator-defined scans are available:
■ Scheduled scans
A scheduled scan runs on the client computers at designated times. Any concurrently scheduled scans run sequentially. If a computer is turned off or in hibernation or sleep mode during a scheduled scan, the scan does not run unless it is configured to retry missed scans. When the computer starts or wakes, Symantec Endpoint Protection Small Business Edition retries the scan until the scan starts or the retry interval expires. You can schedule an active, full, or custom scan.
Note: Only custom scans are available for Mac clients.
You can save your scheduled scan settings as a template. You can use any scan that you save as a template as the basis for a different scan. The scan templates can save you time when you configure multiple policies. A scheduled scan template is included by default in the policy. The default scheduled scan scans all files and directories.
■ Startup scans and triggered scans
Startup scans run when the users log on to the computers. Triggered scans run when new virus definitions are downloaded to computers.
Note: Startup scans and triggered scans are available only for Windows clients.
■ On-demand scans
On-demand scans are the scans that run immediately when you select the scan command in Symantec Endpoint Protection Manager.
You can select the command from the Computers tab or from the logs.

Scan type: SONAR
Description: SONAR offers real-time protection against zero-day attacks. SONAR can stop attacks even before traditional signature-based definitions detect a threat. SONAR uses heuristics as well as file reputation data to make decisions about applications or files.
Like proactive threat scans, SONAR detects keyloggers, spyware, and any other application that might be malicious or potentially malicious.
Note: SONAR is only supported on Windows computers that run Symantec Endpoint Protection Small Business Edition version 12.1 and later.
See page 225.

Scan type: TruScan proactive threat scans
Description: Supported on Windows computers that run Symantec Endpoint Protection version 11.x. SONAR is not supported on any computers that run version 11.x.
TruScan proactive threat scans provide protection to legacy clients against zero-day attacks. TruScan proactive threat scans determine if an application or a process exhibits characteristics of known threats. These scans detect Trojan horses, worms, keyloggers, adware and spyware, and the applications that are used for malicious purposes.
Unlike SONAR, which runs in real time, TruScan proactive threat scans run on a set frequency.

Scan type: Early launch anti-malware (ELAM)
Description: Works with the Windows early launch anti-malware driver. Supported only on Windows 8.
Early launch anti-malware provides protection for the computers in your network when they start up and before third-party drivers initialize.
See “Managing early launch anti-malware (ELAM) detections” on page 206.
About the types of Auto-Protect
Auto-Protect scans files as well as certain types of email and email attachments.
By default, all types of Auto-Protect are enabled. If your client computers run other email security products, such as Symantec Mail Security, you might not need to enable Auto-Protect for email.
Mac clients do not support Auto-Protect scans of email.
See “About the types of scans and real-time protection” on page 167.
Table 12-5 Types of Auto-Protect

Type of Auto-Protect: Auto-Protect
Description: Continuously scans files as they are read from or written to the client computer.
Auto-Protect is enabled by default for the file system. It loads at computer startup. It inspects all files for viruses and security risks, and blocks the security risks from being installed. It can optionally scan files by file extension, scan files on remote computers, and scan floppies for boot viruses. It can optionally back up files before it attempts to repair the files, and terminate processes and stop services.
You can configure Auto-Protect to scan only selected file extensions. When Auto-Protect scans the selected extensions, it can also determine a file's type even if a virus changes the file's extension.
For Mac clients or Windows clients that do not run email Auto-Protect, your client computers are still protected when Auto-Protect is enabled.
Most email applications save attachments to a temporary folder when users launch email attachments. Auto-Protect scans the file as it is written to the temporary folder and detects any virus or security risk. Auto-Protect also detects the virus if the user tries to save an infected attachment to a local drive or network drive.

Type of Auto-Protect: Internet Email Auto-Protect
Description: Scans Internet email (POP3 or SMTP) and attachments for viruses and security risks; also performs outbound email heuristics scanning.
By default, Internet Email Auto-Protect supports encrypted passwords and email over POP3 and SMTP connections. If you use POP3 or SMTP with Secure Sockets Layer (SSL), then the client detects secure connections but does not scan encrypted messages.
Note: For performance reasons, Internet Email Auto-Protect for POP3 is not supported on server operating systems. Internet email scanning is not supported for 64-bit computers.
Email scanning does not support IMAP, AOL, or HTTP-based email such as Hotmail or Yahoo! Mail.

Type of Auto-Protect: Microsoft Outlook Auto-Protect
Description: Scans Microsoft Outlook email (MAPI and Internet) and attachments for viruses and security risks.
Supported for Microsoft Outlook 98/2000/2002/2003/2007/2010 (MAPI and Internet).
If Microsoft Outlook is already installed on the computer when you perform a client software installation, the client software detects the email application. The client automatically installs Microsoft Outlook Auto-Protect.
If you use Microsoft Outlook over MAPI or Microsoft Exchange client and you have Auto-Protect enabled for email, attachments are scanned when the user opens the attachment. If a user downloads a large attachment over a slow connection, mail performance is affected. You may want to disable this feature for users who regularly receive large attachments.
Note: On a Microsoft Exchange Server, you should not install Microsoft Outlook Auto-Protect. Instead you should install Symantec Mail Security for Microsoft Exchange.
About virus and security risks
Symantec Endpoint Protection Small Business Edition scans for both viruses and security risks. Viruses and security risks can arrive through email messages or instant messenger programs. Often a user unknowingly downloads a risk by accepting an End User License Agreement from a software program.
Many viruses and security risks are installed as drive-by downloads. These downloads usually occur when users visit malicious or infected Web sites, and the application's downloader installs through a legitimate vulnerability on the computer.
On Windows clients, you can change the action that Symantec Endpoint Protection Small Business Edition takes when it detects a virus or a security risk. The security risk categories are dynamic and change over time as Symantec collects information about risks.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
You can view information about specific virus and security risks on the Symantec Security Response Web site.
Table 12-6 Viruses and security risks

Risk: Viruses
Description: Programs or code that attach a copy of themselves to another computer program or file when it runs. When the infected program runs, the attached virus program activates and attaches itself to other programs and files.
The following types of threats are included in the virus category:
■ Malicious Internet bots
Programs that run automated tasks over the Internet. Bots can be used to automate attacks on computers or to collect information from Web sites.
■ Worms
Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate in memory to reduce computer performance.
■ Trojan horses
Programs that hide themselves in something benign, such as a game or utility.
■ Blended threats
Threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage.
■ Rootkits
Programs that hide themselves from a computer's operating system.

Risk: Adware
Description: Programs that deliver any advertising content.

Risk: Dialers
Description: Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site. Typically, these numbers are dialed to accrue charges.

Risk: Hacking tools
Description: Programs that hackers use to gain unauthorized access to a user's computer. For example, one hacking tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hacking tools may also be used to create viruses.

Risk: Joke programs
Description: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a joke program might move the recycle bin away from the mouse when the user tries to delete an item.

Risk: Misleading applications
Description: Applications that intentionally misrepresent the security status of a computer. These applications typically masquerade as security notifications about any fake infections that must be removed.

Risk: Parental control programs
Description: Programs that monitor or limit computer usage. The programs can run undetected and typically transmit monitoring information to another computer.

Risk: Remote access programs
Description: Programs that allow access over the Internet from another computer so that they can gain information or attack or alter a user's computer.

Risk: Security assessment tool
Description: Programs that are used to gather information for unauthorized access to a computer.

Risk: Spyware
Description: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer.

Risk: Trackware
Description: Stand-alone or appended applications that trace a user's path on the Internet and send information to the controller or hacker's system.
About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans
When Symantec Endpoint Protection Small Business Edition detects the presence of certain third-party applications and some Symantec products, it automatically creates exclusions for these files and folders. The client excludes these files and folders from all scans.
Note:
The client does not exclude the system temporary folders from scans because doing so can create a significant security vulnerability on a computer.
To improve scan performance or reduce false positive detections, you can exclude files by adding a file or a folder exception to an Exceptions policy. You can also specify the file extensions or the folders that you want to include in a particular scan.
Warning: The files or folders that you exclude from scans are not protected from viruses and security risks.
You can view the exclusions that the client automatically creates. Look in the following locations of the Windows registry:
■ On 32-bit computers, see HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection Small Business Edition\AV\Exclusions.
■ On 64-bit computers, see HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection Small Business Edition\AV\Exclusions.
Warning: Do not edit this registry directly.
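A read-only way to review those automatic exclusions from an elevated PowerShell prompt on the client, so that you can audit what is being skipped without opening or editing the registry by hand. This is an added example, not code from this guide or from Symantec. It selects the plain or the Wow6432Node key from the two locations listed above according to the operating system architecture, and because the guide does not document how the values under that key are laid out, it simply lists every value it finds, recursing into any subkeys; the relative key path, value name and value are reported as-is.

```powershell
# Added example, not from the guide or the product. Reads, and never writes,
# the Exclusions key named in the guide. The layout of values under the key
# is not documented here, so every value found is listed without interpretation.
function Get-SepAutomaticExclusions {
    [CmdletBinding()]
    param()

    # On 64-bit Windows the client's settings live under Wow6432Node
    $software = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node'
    } else {
        'HKLM:\SOFTWARE'
    }
    $key = Join-Path $software 'Symantec\Symantec Endpoint Protection Small Business Edition\AV\Exclusions'

    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Exclusions key not found: $key (is the client installed?)"
        return
    }

    # The key itself plus every subkey beneath it
    $top  = Get-Item -LiteralPath $key
    $keys = @($top) + @(Get-ChildItem -LiteralPath $key -Recurse)

    foreach ($k in $keys) {
        # Path relative to the Exclusions key, for readability
        $relative = $k.Name.Substring($top.Name.Length).TrimStart('\')
        if (-not $relative) { $relative = '(root)' }

        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Key   = $relative
                Name  = $name
                Value = $k.GetValue($name)
            }
        }
    }
}

# Anything listed here is not scanned, so entries that do not correspond to
# software actually installed on the computer deserve a second look.
Get-SepAutomaticExclusions | Sort-Object Key, Name | Format-Table -AutoSize
```

Run it on the client computer itself; it only reads the key, so nothing in it conflicts with the warning above about not editing the registry directly.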
Table 12-7 File and folder exclusions

Files: Microsoft Exchange
Description: The client software automatically creates file and folder scan exclusions for the following Microsoft Exchange Server versions:
■ Exchange 5.5
■ Exchange 6.0
■ Exchange 2000
■ Exchange 2003
■ Exchange 2007
■ Exchange 2007 SP1
■ Exchange 2010
For Exchange 2007, see your user documentation for information about compatibility with antivirus software. In a few circumstances, you might need to create scan exclusions for some Exchange 2007 folders manually. For example, in a clustered environment, you might need to create some exclusions.
The client software checks for changes in the location of the appropriate Microsoft Exchange files and folders at regular intervals. If you install Microsoft Exchange on a computer where the client software is already installed, the exclusions are created when the client checks for changes. The client excludes both files and folders; if a single file is moved from an excluded folder, the file remains excluded.
For more information, see the knowledge base article, Preventing Symantec Endpoint Protection from scanning the Microsoft Exchange 2007 directory structure.

Files: Microsoft Forefront
Description: The client automatically creates file and folder exclusions for the following Microsoft Forefront products:
■ Forefront Server Security for Exchange
■ Forefront Server Security for SharePoint
■ Forefront Threat Management Gateway
Check the Microsoft Web site for a list of recommended exclusions.
Also see the Symantec Technical Support knowledge base article, Configuring Symantec Endpoint Protection exclusions for Microsoft Forefront.

Files: Active Directory domain controller
Description: The client automatically creates file and folder exclusions for the Active Directory domain controller database, logs, and working files. The client monitors the applications that are installed on the client computer. If the software detects Active Directory on the client computer, the software automatically creates the exclusions.

Files: Symantec products
Description: The client automatically creates appropriate file and folder scan exclusions for certain Symantec products when they are detected.
The client creates exclusions for the following Symantec products:
■ Symantec Mail Security 4.0, 4.5, 4.6, 5.0, and 6.0 for Microsoft Exchange
■ Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange
■ Norton AntiVirus 2.x for Microsoft Exchange
■ Symantec Endpoint Protection Manager embedded database and logs

Files: Selected extensions and Microsoft folders
Description: For each type of administrator-defined scan or Auto-Protect, you can select files to include by extension. For administrator-defined scans, you can also select files to include by folder. For example, you can specify that a scheduled scan only scans certain extensions and that Auto-Protect scans all extensions.
For executable files and Microsoft Office files, Auto-Protect can determine a file's type even if a virus changes the file's extension.
By default Symantec Endpoint Protection Small Business Edition scans all extensions and folders. Any extensions or folders that you deselect are excluded from that particular scan.
Symantec does not recommend that you exclude any extensions from scans. If you decide to exclude files by extension and any Microsoft folders, however, you should consider the amount of protection that your network requires. You should also consider the amount of time and resources that your client computers require to complete the scans.
Note: Any file extensions that you exclude from Auto-Protect scans of the file system are also excluded from Download Insight. If you are running Download Insight, you should include extensions for common programs and documents in the list of extensions that you want to scan. You should also make sure that you scan .msi files.

Files: File and folder exceptions
Description: You use an Exceptions policy to create exceptions for the files or the folders that you want Symantec Endpoint Protection Small Business Edition to exclude from all virus and spyware scans.
Note: By default, users on client computers can also create file and folder exceptions.
For example, you might want to create file exclusions for an email application inbox. If the client detects a virus in the Inbox file during an on-demand or scheduled scan, the client quarantines the entire inbox. You can create an exception to exclude the inbox file instead. If the client detects a virus when a user opens an email message, however, the client still quarantines or deletes the message.

Files: Trusted files
Description: Virus and spyware scans include a feature that is called Insight that lets scans skip trusted files. You can choose the level of trust for the files that you want to skip, or you can disable the option. If you disable the option, you might increase scan time.

See “Excluding a file or a folder from scans” on page 274.
About the default Virus and Spyware Protection policy scan settings
Symantec Endpoint Protection Manager includes three default policies:
■ Virus and Spyware Protection Balanced policy
■ Virus and Spyware Protection High Security policy
The High Security policy is the most stringent of all the preconfigured policies. You should be aware that it can affect the performance of other applications.
■ Virus and Spyware Protection High Performance policy
The High Performance policy provides better performance than the High Security policy, but it does not provide the same safeguards. The policy relies primarily on Auto-Protect to scan files with selected file extensions to detect threats.
The basic Virus and Spyware Protection policy provides a good balance between security and performance.
Table 12-8 Virus and Spyware Protection Balanced policy scan settings

Setting: Auto-Protect for the file system
Description: Enabled
Download Insight malicious file sensitivity is set to level 5.
The Download Insight action for unproven files is Prompt.
Auto-Protect includes the following settings:
■ Scans all files for viruses and security risks.
■ Blocks the security risks from being installed.
■ Cleans the virus-infected files. Backs up the files before it repairs them. Quarantines the files that cannot be cleaned.
■ Quarantines the files with security risks. Logs the files that cannot be quarantined.
■ Checks all floppies for boot viruses. Logs the boot viruses.
■ Notifies the computer users about viruses and security risks.

Setting: Auto-Protect for email
Description: Enabled
Other types of Auto-Protect include the following settings:
■ Scans all files, including the files that are inside compressed files.
■ Cleans the virus-infected files. Quarantines the files that cannot be cleaned.
■ Quarantines the files with security risks. Logs the files that cannot be quarantined.
■ Sends a message to the computer users about detected viruses and security risks.

Setting: SONAR
Description: Enabled for Symantec Endpoint Protection 12.1 clients and later.
Legacy clients use TruScan settings. TruScan is enabled when SONAR is enabled.
Detection notifications appear on client computers.

Setting: Administrator-defined scans
Description: The scheduled scan includes the following default settings:
■ Performs an active scan every day at 12:30 P.M. The scan is randomized.
■ Scans all files and folders, including the files that are contained in compressed files.
■ Scans memory, common infection locations, and known virus and security risk locations.
■ Cleans the virus-infected files. Backs up the files before it repairs them. Quarantines the files that cannot be cleaned.
■ Quarantines the files with security risks. Logs the files that cannot be quarantined.
■ Retries missed scans within three days.
■ Insight Lookup is set to level 5.
The on-demand scan provides the following protection:
■ Scans all files and folders, including the files that are contained in compressed files.
■ Scans memory and common infection locations.
■ Cleans the virus-infected files. Backs up the files before it repairs them. Quarantines the files that cannot be cleaned.
■ Quarantines the files with security risks. Logs the files that cannot be quarantined.
The default Virus and Spyware High Security policy provides high-level security, and includes many of the settings from the Virus and Spyware Protection policy.
The policy provides increased scanning.
Table 12-9 Virus and Spyware Protection High Security policy settings

Setting: Auto-Protect for the file system and email
Description: Same as Virus and Spyware Protection Balanced policy.
Auto-Protect also inspects the files on the remote computers.

Setting: Global settings
Description: Bloodhound is set to Aggressive.
The default Virus and Spyware Protection High Performance policy provides high-level performance. The policy includes many of the settings from the Virus and Spyware Protection policy. The policy provides reduced security.
Table 12-10 Virus and Spyware Protection High Performance policy settings

Setting: Auto-Protect for the file system
Description: Same as Virus and Spyware Protection Balanced policy but with the following changes:
■ Download Insight malicious file sensitivity is set to level 1.

Setting: Internet Email Auto-Protect
Description: Disabled

Setting: Microsoft Outlook Auto-Protect
Description: Disabled

Setting: Administrator-defined scans
Description: Same as Virus and Spyware Protection policy except the following setting:
■ Insight Lookup is set to level 1.
How Symantec Endpoint Protection Small Business Edition handles detections of viruses and security risks
Symantec Endpoint Protection Small Business Edition uses default actions to handle the detection of viruses and security risks. You can change some of the defaults.
Table 12-11 How Symantec Endpoint Protection Small Business Edition handles the detection of viruses and security risks

Detection: Viruses
Description: By default, the Symantec Endpoint Protection Small Business Edition client first tries to clean a file that a virus infects.
If the client software cannot clean the file, it does the following actions:
■ Moves the file to the Quarantine on the infected computer
■ Denies any access to the file
■ Logs the event

Detection: Security risks
Description: By default, the client moves any files that security risks infect to the Quarantine on the infected computer. The client also tries to remove or repair the risk's side effects.
If a security risk cannot be quarantined and repaired, the second action is to log the risk.
By default, the Quarantine contains a record of all actions that the client performed. You can return the client computer to the state that existed before the client tried the removal and repair.

Detections by SONAR are considered suspicious events. You configure actions for these detections as part of the SONAR configuration.
See page 227.
For Windows client computers, you can assign a first and a second action for Symantec Endpoint Protection Small Business Edition to take when it finds risks. You can configure different actions for viruses and security risks. You can use different actions for scheduled, on-demand, or Auto-Protect scans.
Note: On Windows client computers, the list of the detection types for security risks is dynamic and changes as Symantec discovers new categories. New categories are downloaded to the console or the client computer when new definitions arrive.
For Mac client computers, you can specify whether or not Symantec Endpoint Protection Small Business Edition repairs the infected files that it finds. You can also specify whether Symantec Endpoint Protection Small Business Edition moves the infected files that it cannot repair into the Quarantine. You can configure the settings for all administrator-defined scans or for Auto-Protect scans.
182 Managing Virus and Spyware Protection
Setting up scheduled scans that run on Windows computers
See on page 202.
How Symantec Endpoint Protection Small Business Edition acts on detections on Windows 8 computers
Symantec Endpoint Protection Small Business Edition protects both the Windows 8 style user interface as well as the Windows 8 desktop. However, actions for the detections that are related to Windows 8 style apps and files function differently than actions for other detections.
The applications that are hosted on the Windows 8 style user interface are implemented in containers that are isolated from other processes in the operating system. Symantec Endpoint Protection Small Business Edition does not clean or quarantine any detections that affect Windows 8 style apps or files. For any detections that involve these apps and files, Symantec Endpoint Protection Small Business Edition only deletes or logs the detections.
For any detections that are not related to Windows 8 style apps and files, Symantec Endpoint Protection Small Business Edition can quarantine and repair the detections and functions as it typically does on any other Windows operating system.
You should keep in mind the difference when setting up actions in Virus and Spyware Protection policy and when you run reports.
See “About the pop-up notifications that appear on the clients that run Windows” on page 205.
See on page 180.
Setting up scheduled scans that run on Windows computers
You configure scheduled scans as part of a Virus and Spyware Protection policy.
The scan settings are different for Windows clients and for Mac clients.
You can save your scheduled scan settings as a template. The scan templates can save you time when you configure multiple policies. You can use any scan that you save as a template as the basis for a new scan in a different policy. A scheduled scan template is included by default in the policy. The default scheduled scan scans all files and folders.
See “Managing scans on client computers” on page 165.
See “Customizing administrator-defined scans for the clients that run on Windows computers” on page 215.
See “Excluding file extensions from virus and spyware scans” on page 276.
Consider the following important points when you set up a scheduled scan:
Multiple simultaneous scans run serially
If you schedule multiple scans to occur on the same computer and the scans start at the same time, the scans run serially. After one scan finishes, another scan starts.
For example, you might schedule three separate scans on your computer to occur at 1:00 P.M. Each scan scans a different drive. One scan scans drive C. Another scan scans drive D. Another scan scans drive E. In this example, a better solution is to create one scheduled scan that scans drives C, D, and E.
Missed scheduled scans might not run
If your computer misses a scheduled scan for some reason, by default Symantec Endpoint Protection Small Business Edition tries to perform the scan until it starts or until a specific time interval expires. If Symantec Endpoint Protection Small Business Edition cannot start the missed scan within the retry interval, it does not run the scan.
Scheduled scan time might drift
Symantec Endpoint Protection Small Business Edition might not use the scheduled time if the last run of the scan occurred at a different time because of the scan duration or missed scheduled scan settings. For example, you might configure a weekly scan to run every Sunday at midnight and a retry interval of one day. If the computer misses the scan and starts up on Monday at 6am, the scan runs at 6am. The next scan is performed one week from Monday at 6am rather than the next Sunday at midnight.
If you did not restart your computer until Tuesday at 6am, which is two days late and exceeds the retry interval, Symantec Endpoint Protection Small Business Edition does not retry the scan. It waits until the next Sunday at midnight to try to run the scan.
In either case, if you randomize the scan start time you might change the last run time of the scan.
You can click Help for more information about the options that are used in this procedure.
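The missed-scan retry and drift rules described above, modelled in Python as an added example that is not Symantec's code or algorithm. The dates, the power-on windows, and the reading of "Sunday at midnight" as 00:00 Monday (the midnight that ends Sunday) are constructed assumptions.

```python
# Added illustration of the missed-scan retry and drift rules in the guide.
# Not Symantec code; all dates and uptime windows below are constructed.
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WEEK = timedelta(days=7)
Window = Tuple[datetime, datetime]  # (computer powered on, computer powered off)


def resolve_missed_scan(scheduled: datetime, retry_interval: timedelta,
                        available_at: datetime,
                        period: timedelta = WEEK) -> Tuple[Optional[datetime], datetime]:
    """Apply the guide's rules to one scheduled occurrence.

    Returns (actual_run, next_due). actual_run is None when the scan is
    skipped because the computer did not come back within retry_interval.
    """
    if available_at <= scheduled:
        # Computer is on at the due time: runs as scheduled, schedule unchanged.
        return scheduled, scheduled + period
    if available_at - scheduled <= retry_interval:
        # Missed, but within the retry window: runs at power-on, and the next
        # occurrence is one period after this late run. This is the drift.
        return available_at, available_at + period
    # Retry window expired: skipped, and the original schedule is kept.
    return None, scheduled + period


def first_available(due: datetime, uptime: List[Window]) -> Optional[datetime]:
    """Earliest instant at or after `due` during which the computer is on."""
    for start, end in sorted(uptime):
        if end <= due:
            continue
        return max(start, due)
    return None


def simulate(first_due: datetime, retry_interval: timedelta,
             uptime: List[Window], occurrences: int,
             period: timedelta = WEEK) -> List[Tuple[datetime, Optional[datetime]]]:
    """Walk `occurrences` scheduled runs and record (due, actual_run) pairs."""
    history = []
    due = first_due
    for _ in range(occurrences):
        available = first_available(due, uptime)
        if available is None:
            # Never powered on again in the modelled windows: treated as skipped.
            history.append((due, None))
            due += period
            continue
        ran, next_due = resolve_missed_scan(due, retry_interval, available, period)
        history.append((due, ran))
        due = next_due
    return history


def _fmt(history):
    f = "%Y-%m-%d %H:%M"
    return [(d.strftime(f), r.strftime(f) if r else None) for d, r in history]


def drift_example():
    """Guide scenario 1: weekly scan due Sunday midnight (taken as 00:00 Monday),
    one-day retry interval, computer switched off over the weekend. The late
    Monday 06:00 run moves the schedule; the Tuesday 08:00 start in week 2 is
    then 26 hours late against the drifted time and is skipped."""
    due = datetime(2012, 10, 8, 0, 0)
    uptime = [
        (datetime(2012, 10, 8, 6), datetime(2012, 10, 12, 18)),   # on Mon 06:00
        (datetime(2012, 10, 16, 8), datetime(2012, 10, 19, 18)),  # on Tue 08:00
        (datetime(2012, 10, 22, 6), datetime(2012, 10, 26, 18)),  # on Mon 06:00
    ]
    return _fmt(simulate(due, timedelta(days=1), uptime, 3))


def skipped_example():
    """Guide scenario 2: the computer does not start until Tuesday 06:00, the
    retry interval has expired, and the scan waits for the next Sunday midnight."""
    due = datetime(2012, 10, 8, 0, 0)
    uptime = [
        (datetime(2012, 10, 9, 6), datetime(2012, 10, 12, 18)),
        (datetime(2012, 10, 14, 20), datetime(2012, 10, 19, 18)),
    ]
    return _fmt(simulate(due, timedelta(days=1), uptime, 2))


if __name__ == "__main__":
    for when, ran in drift_example():
        print(f"due {when}  ran {ran or 'skipped'}")
```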
To set up scheduled scans that run on Windows computers
1 In the console, open a Virus and Spyware Protection policy.
2 Under Windows Settings, click Administrator-defined Scans.
3 On the Scans tab, under Scheduled Scans, click Add.
4 In the Add Scheduled Scan dialog box, click Create a new scheduled scan.
5 Click OK.
6 In the Add Scheduled Scan dialog box, on the Scan Details tab, type a name and description for this scheduled scan.
7 Click Active Scan, Full Scan, or Custom Scan.
8 If you selected Custom, under Scanning, you can specify the folders to scan.
9 Under File types, click Scan all files or Scan only selected extensions.
Note: Scheduled scans always scan container files unless you disable the Scan files inside compressed files option under Advanced Scanning Options or you create specific exceptions for the container file extensions.
10 Under Enhance the scan by checking, check or uncheck Memory, Common infection locations, or Well-known virus and security risk locations.
11 On the Schedule tab, under Scanning schedule, set the frequency and the time at which the scan should run.
The retry setting under Missed Scheduled Scans changes automatically according to whether you select Daily, Weekly, or Monthly.
12 Under Missed Scheduled Scans, you can disable the option to run a missed scan or you can change the retry interval.
You can also specify a maximum scan duration before the scan pauses. You can also randomize scan start time.
13 If you want to save this scan as a template, check Save a copy as a Scheduled Scan Template.
14 Click OK.
Setting up scheduled scans that run on Mac computers
You configure scheduled scans as part of a Virus and Spyware Protection policy.
The scan settings are different for Windows clients and for Mac clients.
See “Managing scans on client computers” on page 165.
See “Customizing administrator-defined scans for clients that run on Mac computers” on page 216.
You can save your scheduled scan settings as a template. You can use any scan that you save as a template as the basis for a different Virus and Spyware Protection policy. The scan templates can save you time when you configure new policies or scans. A scheduled scan template is included by default in the policy. The default scheduled scan scans all files and directories.
To configure a scheduled scan for Mac clients
1 In the console, open a Virus and Spyware Protection policy.
2 Under Mac Settings, click Administrator-defined Scans.
3 On the Scans tab, under Scheduled Scans, click Add.
4 In the Add Scheduled Scan dialog box, click Create a new scheduled scan, and then click OK.
5 In the Add Scheduled Scan dialog box, on the Scan Details tab, type a name and a description for the scan.
6 Under Scan drives and folders, specify the items to scan.
7 Customize any settings, including scan priority.
8 On the Schedule tab, under Scanning schedule, set the frequency and the time at which the scan should run.
9 If you want to save this scan as a template, check Save a copy as a Scheduled Scan Template.
10 Click OK.
Running on-demand scans on client computers
You can run a manual, or on-demand, scan on client computers remotely from the management console. You might want to run an on-demand scan as part of your strategy to prevent and handle virus and spyware attacks on your client computers.
By default, an active scan runs automatically after you update definitions. You can configure an on-demand scan as a full scan or custom scan and then run the on-demand scan for more extensive scanning.
Settings for on-demand scans are similar to the settings for scheduled scans.
See “Managing scans on client computers” on page 165.
See “Preventing and handling virus and spyware attacks on client computers” on page 160.
For Windows client computers, you can run an active, full, or custom on-demand scan.
For Mac client computers, you can run only a custom on-demand scan.
The custom scan uses the settings that are configured for on-demand scans in the Virus and Spyware Protection policy.
Note: If you issue a restart command on a client computer that runs an on-demand scan, the scan stops, and the client computer restarts. The scan does not restart.
You can run an on-demand scan from the Computer Status log or from the Computers tab in the console.
You can cancel all scans in progress and queued for selected clients from the Computer Status log. If you confirm the command, the table refreshes and you see that the cancel command is added to the command status table.
See “Running commands from the computer status log” on page 315.
See “About commands that you can run on client computers” on page 132.
To run an on-demand scan on client computers
1 In the Symantec Endpoint Protection Manager console, click Computers.
2 Under Computers, right-click the clients or the group that you want to scan.
3 Do one of the following actions:
■ Click Run Command on Group > Scan.
■ Click Run Command on Computers > Scan.
4 For Windows clients, select Active Scan, Full Scan, or Custom Scan, and then click OK.
Adjusting scans to improve computer performance
By default, virus and spyware scans are configured to minimize the effect on your client computers' resources. You can change some scan settings to optimize the performance even more. Many of the tasks that are suggested here are useful in the environments that run Symantec Endpoint Protection Small Business Edition in guest operating systems on virtual machines (VMs).
The settings that are available are different for Windows computers and Mac computers.
See “Managing scans on client computers” on page 165.
Table 12-12 Adjusting scans to improve performance on Windows computers
Task: Modify tuning and compressed files options for scheduled and on-demand scans
Description: You can adjust the following options for scheduled and on-demand scans:
■ Change tuning options
You can change the scan tuning to Best Application Performance. When you configure a scan with this setting, scans can start but they only run when the client computer is idle. If you configure an Active Scan to run when new definitions arrive, the scan might not run for up to 15 minutes if the user is using the computer.
■ Change the number of levels to scan compressed files
The default level is 3. You might want to change the level to 1 or 2 to reduce scan time.
See “Customizing administrator-defined scans for the clients that run on Windows computers” on page 215.
Task: Use resumable scans
Description: For computers in your network that have large volumes, scheduled scans can be configured as resumable scans.
A scan duration option provides a specified period to run a scan. If the scan does not complete by the end of the specified duration, it resumes when the next scheduled scan period occurs. The scan resumes at the place where it stopped until the entire volume is scanned. Typically you use the scan duration option on servers.
Note: Do not use a resumable scan if you suspect that the computer is infected. You should perform a full scan that runs until it scans the entire computer. You should also not use a resumable scan if a scan can complete before the specified interval.
See “Setting up scheduled scans that run on Windows computers” on page 182.
Table 12-12 Adjusting scans to improve performance on Windows computers (continued)
Task: Allow all scans to skip trusted files
Description: Virus and spyware scans include an option called Insight that skips trusted files. By default Insight is enabled. You can change the level of trust for the types of files that scans skip:
■ Symantec and Community Trusted
This level skips files that are trusted by Symantec and the Symantec Community.
■ Symantec Trusted
This level skips only files that are trusted by Symantec.
See “Modifying global scan settings for Windows clients” on page 218.
Task: Randomize scheduled scans
Description: In virtualized environments, where multiple virtual machines (VMs) are deployed, simultaneous scans create resource problems. For example, a single server might run 100 or more VMs. Simultaneous scans on those VMs drain resources on the server.
You can randomize scans to limit the impact on your server.
See “Randomizing scans to improve computer performance in virtualized environments” on page 217.
Task: Disable early launch anti-malware (ELAM) detection
Description: Symantec Endpoint Protection Small Business Edition ELAM works with Windows ELAM to provide protection against malicious startup drivers.
See “Managing early launch anti-malware (ELAM) detections” on page 206.
Table 12-13 Adjusting scans to improve performance on Mac computers
Task: Adjust scan priority
Description: Applies to scheduled scans on clients that run on Mac computers.
Scan priority on Mac computers is equivalent to tuning or performance adjustment on Windows computers. High priority means that the scan runs as fast as possible, but other applications may run more slowly during the scan. Low priority means that other applications run as fast as possible, but the scan may run more slowly. Medium priority balances the speed at which applications and scans run.
See “Customizing administrator-defined scans for clients that run on Mac computers” on page 216.
Adjusting scans to increase protection on your client computers
Symantec Endpoint Protection Small Business Edition provides a high level of security by default. You can increase the protection even more. The settings are different for clients that run on Windows computers and clients that run on Mac computers.
Note: If you increase the protection on your client computers, you might impact computer performance.
Table 12-14 Adjusting scans to increase protection on Windows computers
Task: Lock scan settings
Description: Some settings are locked by default; you can lock additional settings so that users cannot change the protection on their computers.
Table 12-14 Adjusting scans to increase protection on Windows computers (continued)
Task: Modify settings for administrator-defined scans
Description: You should check or modify the following options:
■ Scan performance
Set the scan tuning to Best Scan Performance. The setting, however, might affect your client computer performance. Scans run even if the computer is not idle.
■ Scheduled scan duration
By default, scheduled scans run until the specified time interval expires and then resume when the client computer is idle. You can set the scan duration to Scan until finished.
■ Use Insight Lookup
Insight Lookup uses the latest definition set from the cloud and information from the Insight reputation database to scan and make decisions about files. You should make sure that Insight Lookup is enabled. Insight Lookup settings are similar to the settings for Download Insight.
See “Customizing administrator-defined scans for the clients that run on Windows computers” on page 215.
Task: Specify stronger scan detection actions
Description: Specify Quarantine, Delete, or Terminate actions for detections.
Note: Be careful when you use Delete or Terminate for security risk detections. The action might cause some legitimate applications to lose functionality.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
Task: Increase the level of Bloodhound protection
Description: Bloodhound locates and isolates the logical regions of a file to detect virus-like behavior. You can change the detection level from Automatic to Aggressive to increase the protection on your computers. The Aggressive setting, however, is likely to produce more false positives.
See “Modifying global scan settings for Windows clients” on page 218.
Table 12-15 Adjusting scans to increase protection on Mac computers
Task: Lock scan settings
Description: Some settings are locked by default; you can lock additional settings so that users cannot change the protection on their computers.
Task: Specify stronger scan detection actions
Description: Specify Quarantine, Delete, or Terminate actions for detections.
Note: Be careful when you use Delete or Terminate for security risk detections. The action might cause some legitimate applications to lose functionality.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
Managing Download Insight detections
Auto-Protect includes a feature that is called Download Insight, which examines the files that users try to download through Web browsers, text messaging clients, and other portals.
Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Google Chrome, Windows Live Messenger, and Yahoo Messenger.
Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only for the clients that run on Windows computers.
Note: If you install Auto-Protect for email on your client computers, Auto-Protect also scans the files that users receive as email attachments.
See “Managing scans on client computers” on page 165.
Table 12-16 Managing Download Insight detections
Task: Learn how Download Insight uses reputation data to make decisions about files
Description: Download Insight uses reputation information exclusively when it makes decisions about downloaded files. It does not use signatures or heuristics to make decisions.
If Download Insight allows a file, Auto-Protect or SONAR scans the file when the user opens or runs the file.
See “How Symantec Endpoint Protection Small Business Edition uses reputation data to make decisions about files” on page 195.
Task: View the Download Risk Distribution report to view Download Insight detections
Description: You can use the Download Risk Distribution report to view the files that Download Insight detected on your client computers. You can sort the report by URL, Web domain, or application. You can also see whether a user chose to allow a detected file.
Note: Risk details for a Download Insight detection show only the first portal application that attempted the download. For example, a user might use Internet Explorer to try to download a file that Download Insight detects. If the user then uses Firefox to try to download the file, the risk details show Internet Explorer as the portal.
The user-allowed files that appear in the report might indicate false positive detections.
Users can allow files by responding to notifications that appear for detections.
Administrators receive the report as part of a weekly report that Symantec Endpoint Protection Manager generates and emails. You must have specified an email address for the administrator during installation or configured as part of the administrator properties. You can also generate the report from the Reports tab in the console.
See “Running and customizing quick reports” on page 304.
Table 12-16 Managing Download Insight detections (continued)
Task: Create exceptions for specific files or Web domains
Description: You can create an exception for an application that your users download. You can also create an exception for a specific Web domain that you believe is trustworthy.
See “Specifying how Symantec Endpoint Protection Small Business Edition handles monitored applications” on page 277.
See “Excluding a trusted Web domain from scans” on page 278.
Note: If your client computers use a proxy with authentication, you must specify trusted Web domain exceptions for Symantec URLs. The exceptions let your client computers communicate with Symantec Insight and other important Symantec sites.
For information about the recommended exceptions, see the following related knowledge base articles:
■ How to test connectivity to Insight and Symantec licensing servers
■ Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers
By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab. When the Automatically trust any file downloaded from an intranet site option is enabled, Symantec Endpoint Protection Small Business Edition allows any file that a user downloads from any sites in the lists.
Symantec Endpoint Protection Small Business Edition checks for updates to the Internet Options trusted sites list at user logon and every four hours.
Note: Download Insight recognizes only explicitly configured trusted sites. Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Download Insight does not recognize 10.*.*.* as a trusted site. Download Insight also does not support the sites that are discovered by the Internet Options > Security > Automatically detect intranet network option.
Task: Make sure that Insight lookups are enabled
Description: Download Insight requires reputation data from Symantec Insight to make decisions about files. If you disable Insight lookups, Download Insight runs but detects only the files with the worst reputations. Insight lookups are enabled by default.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.
Table 12-16 Managing Download Insight detections (continued)
Task: Customize Download Insight settings
Description: You might want to customize Download Insight settings for the following reasons:
■ Increase or decrease the number of Download Insight detections.
You can adjust the malicious file sensitivity slider to increase or decrease the number of detections. At lower sensitivity levels, Download Insight detects fewer files as malicious and more files as unproven. Fewer detections are false positive detections.
At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More detections are false positive detections.
■ Change the action for malicious or unproven file detections.
You can change how Download Insight handles malicious or unproven files. The specified action affects not only the detection but whether or not users can interact with the detection.
For example, you might change the action for unproven files to Ignore. Then Download Insight always allows unproven files and does not alert the user.
■ Alert users about Download Insight detections.
When notifications are enabled, the malicious file sensitivity setting affects the number of notifications that users receive. If you increase the sensitivity, you increase the number of user notifications because the total number of detections increases.
You can turn off notifications so that users do not have a choice when Download Insight makes a detection. If you keep notifications enabled, you can set the action for unproven files to Ignore so that these detections are always allowed and users are not notified.
Regardless of the notifications setting, when Download Insight detects an unproven file and the action is Prompt, the user can allow or block the file. If the user allows the file, the file runs automatically.
When notifications are enabled and Download Insight quarantines a file, the user can undo the quarantine action and allow the file.
Note: If users allow a quarantined file, the file does not automatically run. The user can run the file from the temporary Internet folder. Typically the folder location is drive:\Documents and Settings\username\Local Settings\Temporary Internet Files.
See “Customizing Download Insight settings” on page 219.
Task: Allow clients to submit information about reputation detections to Symantec
Description: By default, clients send information about reputation detections to Symantec. Symantec recommends that you enable submissions for reputation detections. The information helps Symantec address threats.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.
How Symantec Endpoint Protection Small Business Edition uses reputation data to make decisions about files
Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information forms a reputation database that Symantec hosts. Symantec products leverage the information to protect client computers from new, targeted, and mutating threats.
The data is sometimes referred to as being in the cloud since it does not reside on the client computer. The client computer must request or query the reputation database.
Symantec uses a technology it calls Insight to determine each file's level of risk or security rating.
Insight determines a file's security rating by examining the following characteristics of the file and its context:
■ The source of the file
■ How new the file is
■ How common the file is in the community
■ Other security metrics, such as how the file might be associated with malware
Scanning features in Symantec Endpoint Protection Small Business Edition leverage Insight to make decisions about files and applications. Virus and Spyware Protection includes a feature that is called Download Insight. Download Insight relies on reputation information to make detections. If you disable Insight lookups, Download Insight runs but cannot make detections. Other protection features, such as Insight Lookup and SONAR, use reputation information to make detections; however, those features can use other technologies to make detections.
By default, a client computer sends information about reputation detections to Symantec Security Response for analysis. The information helps to refine Insight's reputation database. The more clients that submit information the more useful the reputation database becomes.
You can disable the submission of reputation information. Symantec recommends, however, that you keep submissions enabled.
Client computers also submit other types of information about detections to Symantec Security Response.
See “Managing Download Insight detections” on page 191.
See “How Symantec Endpoint Protection Small Business Edition policy features work together” on page 196.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.
How Symantec Endpoint Protection Small Business Edition policy features work together
Some policy features require each other to provide complete protection on Windows client computers.
Warning: Symantec recommends that you do not disable Insight lookups.
Table 12-17 How policy features work together
Feature: Download Protection
Interoperability Notes: Download Protection is part of Auto-Protect and gives Symantec Endpoint Protection Small Business Edition the ability to track URLs. The URL tracking is required for several policy features.
If you install Symantec Endpoint Protection Small Business Edition without Download Protection, Download Insight has limited capability. Browser Intrusion Prevention and SONAR require Download Protection.
The Automatically trust any file downloaded from an intranet website option also requires Download Protection.
Feature: Download Insight
Interoperability Notes: Download Insight has the following dependencies:
■ Auto-Protect must be enabled
If you disable Auto-Protect, Download Insight cannot function even if Download Insight is enabled.
■ Insight lookups must be enabled
Symantec recommends that you keep the Insight lookups option enabled. If you disable the option, you disable Download Insight completely.
Note: If basic Download Protection is not installed, Download Insight runs on the client at level 1. Any level that you set in the policy is not applied. The user also cannot adjust the sensitivity level.
Even if you disable Download Insight, the Automatically trust any file downloaded from an intranet website option continues to function for Insight Lookup.
Table 12-17 How policy features work together (continued)
Feature: Insight Lookup
Interoperability Notes: Uses Insight lookups
Insight Lookup uses the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files.
Insight Lookup also uses the Automatically trust any file downloaded from an intranet website option.
Insight Lookup does not run on right-click scans of folders or drives on your client computers. However, Insight Lookup runs on right-click scans of selected files.
Note: Insight Lookup uses the configured Insight Lookup slider level value to evaluate the files that were downloaded from a supported portal. If the files were not downloaded from a supported portal, then Insight Lookup detects them only if they have the worst reputation (similar to level 1).
Feature: SONAR
Interoperability Notes: SONAR has the following dependencies:
■ Download Protection must be installed.
■ Auto-Protect must be enabled.
If Auto-Protect is disabled, SONAR loses some detection functionality and appears to malfunction on the client. SONAR can detect heuristic threats, however, even if Auto-Protect is disabled.
■ Insight lookups must be enabled.
Without Insight lookups, SONAR can run but cannot make detections.
In some rare cases, SONAR can make detections without Insight lookups. If Symantec Endpoint Protection Small Business Edition has previously cached reputation information about particular files, SONAR might use the cached information.
Feature: Browser Intrusion Prevention
Interoperability Notes: Download Protection must be installed. Download Insight can be enabled or disabled.
Feature: Trusted Web Domain exception
Interoperability Notes: The exception is only applied if Download Protection is installed.
See “Managing Download Insight detections” on page 191.
See on page 227.
See “Managing intrusion prevention on your client computers” on page 259.
About submitting information about detections to Symantec Security Response
You can configure your client computers to automatically submit information about detections to Symantec Security Response for analysis.
Symantec Response and the Global Intelligence Network use this submitted information to quickly formulate responses to new and developing security threats.
The data that you submit improves Symantec's ability to respond to threats and customize protection. Symantec recommends that you always allow submissions.
See “About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides” on page 23.
You can choose to submit any of the following types of data:
■ File reputation
Information about the files that are detected based on their reputation. The information about these files contributes to the Symantec Insight reputation database to help protect your computers from new and emerging risks.
■ Antivirus detections
Information about virus and spyware scan detections.
■ Antivirus advanced heuristic detections
Information about potential threats that are detected by Bloodhound and other virus and spyware scan heuristics. These detections are silent detections that do not appear in the Risk log. Information about these detections is used for statistical analysis.
■ SONAR detections
Information about threats that SONAR detects, which include high or low risk detections, system change events, and suspicious behavior from trusted applications.
■ SONAR heuristics
SONAR heuristic detections are silent detections that do not appear in the Risk log. This information is used for statistical analysis.
On the client, you can also manually submit a sample to Response from the Quarantine or through the Symantec Web site. To submit a file through the Symantec Web site, contact Symantec Technical Support.
See “Enabling or disabling client submissions to Symantec Security Response” on page 199.
See on page 195.
See “About submissions throttling” on page 199.
About submissions throttling
Symantec Endpoint Protection Small Business Edition throttles client computer submissions to minimize any effect on your network. Symantec Endpoint Protection Small Business Edition throttles submissions in the following ways:
■ Client computers only send samples when the computer is idle. Idle submission helps randomize the submissions traffic across the network.
■ Client computers send samples for unique files only. If Symantec has already seen the file, the client computer does not send the information.
■ Symantec Endpoint Protection Small Business Edition uses a Submission Control Data (SCD) file. Symantec publishes the SCD file and includes it as part of a LiveUpdate package. Each Symantec product has its own SCD file.
The SCD file controls the following settings:
  ■ How many submissions a client can submit in one day
  ■ How long to wait before the client software retries submissions
  ■ How many times to retry failed submissions
  ■ Which IP address of the Symantec Security Response server receives the submission
If the SCD file becomes out-of-date, then clients stop sending submissions.
Symantec considers the SCD file out-of-date when a client computer has not retrieved LiveUpdate content in 7 days. The client stops sending submissions after 14 days.
If clients stop the transmission of the submissions, the client software does not collect the submission information and send it later. When clients start to transmit submissions again, they only send the information about the events that occur after the transmission restart.
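To make the throttling rules above concrete, here is an added Python model of one client's submission decisions (not Symantec's code; the client's real logic is not published in this guide): unique-file de-duplication, the per-day limit that the SCD file imposes, the 7-day out-of-date and 14-day stop thresholds, and the fact that events during a stop are dropped rather than queued. The daily limit value, the hash-based de-duplication and the treatment of the 7-to-14-day window as a still-sending warning state are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Thresholds stated in the guide: the SCD file is considered out of date after 7 days
# without LiveUpdate content, and the client stops sending submissions after 14 days.
SCD_OUT_OF_DATE_DAYS = 7
SCD_STOP_DAYS = 14


@dataclass
class SubmissionClient:
    """Simplified model of one client's submission throttling (assumed behaviour)."""
    last_liveupdate: date
    daily_limit: int = 3                       # assumed SCD setting; the real value is not published
    seen_hashes: Set[str] = field(default_factory=set)   # assumed local stand-in for "Symantec has seen it"
    sent_per_day: Dict[date, int] = field(default_factory=dict)
    activity_log: List[str] = field(default_factory=list)  # what an admin would review for bandwidth

    def scd_state(self, today: date) -> str:
        """current (<7 days), out_of_date (7-13 days, still sending), stopped (>=14 days)."""
        age = (today - self.last_liveupdate).days
        if age >= SCD_STOP_DAYS:
            return "stopped"
        if age >= SCD_OUT_OF_DATE_DAYS:
            return "out_of_date"
        return "current"

    def liveupdate(self, today: date) -> None:
        """A successful LiveUpdate refreshes the SCD file and restarts submissions."""
        self.last_liveupdate = today
        self.activity_log.append(f"{today} liveupdate ok")

    def submit(self, today: date, file_hash: str, idle: bool = True) -> str:
        """Decide what happens to one detection event and return the decision."""
        if self.scd_state(today) == "stopped":
            decision = "dropped: SCD out of date"   # not collected for later transmission
        elif not idle:
            decision = "held: waits for idle"
        elif file_hash in self.seen_hashes:
            decision = "skipped: already submitted"
        elif self.sent_per_day.get(today, 0) >= self.daily_limit:
            decision = "throttled: daily limit"
        else:
            self.seen_hashes.add(file_hash)
            self.sent_per_day[today] = self.sent_per_day.get(today, 0) + 1
            decision = "sent"
        self.activity_log.append(f"{today} {file_hash} {decision}")
        return decision


def simulate_stale_scd() -> Tuple[SubmissionClient, List[str]]:
    """Constructed timeline: a LiveUpdate lapse creates a visibility gap that is never backfilled."""
    day0 = date(2012, 10, 1)                   # constructed date of the last LiveUpdate
    client = SubmissionClient(last_liveupdate=day0, daily_limit=2)
    results = []
    day1 = day0 + timedelta(days=1)
    results.append(client.submit(day1, "hash-A"))   # sent
    results.append(client.submit(day1, "hash-A"))   # same file again: skipped
    results.append(client.submit(day1, "hash-B"))   # sent (second of two allowed today)
    results.append(client.submit(day1, "hash-C"))   # throttled by the daily limit
    results.append(client.submit(day0 + timedelta(days=15), "hash-E"))  # 15 days stale: dropped
    client.liveupdate(day0 + timedelta(days=16))    # content refreshed, submissions resume
    results.append(client.submit(day0 + timedelta(days=16), "hash-F"))  # sent; hash-E is gone
    return client, results
```

The activity log shows the gap an administrator should expect: after a 14-day LiveUpdate lapse, detections in that window never reach Symantec, so a long outage is worth investigating rather than waiting out.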
See “About submitting information about detections to Symantec Security Response” on page 198.
Enabling or disabling client submissions to Symantec Security Response
Symantec Endpoint Protection Small Business Edition can protect computers by submitting information about detections to Symantec Security Response. Symantec Security Response uses this information to address new and changing threats.
Any data you submit improves Symantec's ability to respond to threats and customize protection for your computers. Symantec recommends that you choose to submit as much detection information as possible.
Client computers submit information anonymously about detections. You can specify the types of detections for which clients submit information. You can also enable or disable submissions from client computers. Symantec recommends that you always enable submissions. In some cases, however, you might want to prevent your clients from submitting such information. For example, your corporate policies might prevent your client computers from sending any network information to outside entities.
To enable or disable client submissions to Symantec Security Response
1 In the console, select Computers then click the Policies tab.
2 In the Policies page, click Edit Settings for Tamper Protection and Submissions.
3 Click the Submissions tab.
4 If you want to enable your client computers to submit data for analysis, check Let computers automatically forward selected anonymous security information to Symantec.
5 To disable submissions for the client, uncheck Let computers automatically forward selected anonymous security information to Symantec.
If you disable submissions for a client and lock the settings, the user is unable to configure the client to send submissions. If you enable submissions, select your submission types, and lock the settings, the user is not able to change your chosen settings. If you do not lock your settings, the user can change the configuration as desired.
Symantec recommends that you submit threat information to help Symantec provide custom threat protection. You may need, however, to disable this feature in response to network bandwidth issues or a restriction on data leaving the client. You can check the Client Activity log to view submissions activity if you need to monitor your bandwidth usage.
See on page 310.
6 Select the types of information to submit:
■ File reputation
Information about files that are detected based on their reputation. The information about these files contributes to the Symantec Insight reputation database to help protect your computers from new and emerging risks.
Note: Unmanaged clients require a paid license to enable the submission of file reputation data.
See “Licensing an unmanaged client” on page 69.
■ Antivirus detections
Information about virus and spyware scan detections.
■ Antivirus advanced heuristic detections
Information about the potential threats that are detected by Bloodhound and other virus and spyware scan heuristics. These detections are the silent detections that do not appear in the Risk log. Information about these detections is used for statistical analysis.
■ SONAR detections
Information about the threats that SONAR detects, which include high or low risk detections, system change events, and suspicious behavior from trusted applications.
■ SONAR heuristics
SONAR heuristic detections are silent detections that do not appear in the Risk log. This information is used for statistical analysis.
7 Check Allow Insight lookups for threat detection to allow Symantec Endpoint Protection to use the Symantec Insight reputation database to make decisions about threats.
Insight lookups are enabled by default. You can disable this option if you do not want to allow Symantec Endpoint Protection Small Business Edition to query the Symantec Insight reputation database.
Download Insight, Insight Lookup, and SONAR use Insight lookups for threat detection. Symantec recommends that you allow Insight lookups. Disabling lookups disables Download Insight and may impair the functionality of SONAR heuristics and Insight Lookup.
See “About submitting information about detections to Symantec Security Response” on page 198.
See on page 195.
Managing the Quarantine
When virus and spyware scans detect a threat or SONAR detects a threat, Symantec Endpoint Protection Small Business Edition places the files in the client computer's local Quarantine.
See “Managing scans on client computers” on page 165.
Table 12-18 Managing the Quarantine
Task: Monitor files in the Quarantine
Description: You should periodically check the quarantined files to prevent accumulating large numbers of files. Check the quarantined files when a new virus outbreak appears on the network.
Leave files with unknown infections in the Quarantine. When the client receives new definitions, it rescans the items in the Quarantine and might delete or repair the file.
Task: Delete files in the Quarantine
Description: You can delete a quarantined file if a backup exists or if you have a copy of the file from a trustworthy source.
You can delete a quarantined file directly on the infected computer or by using the Risk log in the Symantec Endpoint Protection Small Business Edition console.
See “Using the Risk log to delete quarantined files on your client computers” on page 202.
Using the Risk log to delete quarantined files on your client computers
You can use the Risk log in the Symantec Endpoint Protection Manager console to delete quarantined files on your client computers. You run the Delete from Quarantine command from the log for any quarantined file that you want to delete.
See “Managing scans on client computers” on page 165.
If Symantec Endpoint Protection Small Business Edition detects risks in a compressed file, the compressed file is quarantined as a whole. However, the Risk log contains a separate entry for each file in the compressed file. To successfully delete all risks in a compressed file, you must select all the files in the compressed file.
To use the Risk log to delete files from the Quarantine on your client computers
1 Click Monitors.
2 On the Logs tab, from the Log type list box, select the Risk log, and then click View Log.
3 Do one of the following actions:
■ Select an entry in the log that has a file that has been quarantined.
■ Select all entries for files in the compressed file.
You must have all entries in the compressed file in the log view. You can use the Limit option under Advanced Settings to increase the number of entries in the view.
4 From the Action list box, select Delete from Quarantine.
5 Click Start.
6 In the dialog box that appears, click Delete.
7 In the confirmation dialog box that appears, click OK.
Managing the virus and spyware notifications that appear on client computers
You can decide whether or not notifications appear on client computers for virus and spyware events. You can customize messages about detections.
See “Managing scans on client computers” on page 165.
The notification settings for Auto-Protect and administrator-defined scan detections also control whether or not popup notifications appear on the Windows 8 style user interface.
Table 12-19 Tasks for managing virus and spyware notifications that appear on client computers
Task: Customize a scan detection message
Description: For Windows client computers, you can configure a detection message for the following types of scans:
■ All types of Auto-Protect, including Download Insight
■ Scheduled scans and on-demand scans
For scheduled scans, you can configure a separate message for each scan.
Note: If a process continually downloads the same security risk to a client computer, Auto-Protect automatically stops sending notifications after three detections. Auto-Protect also stops logging the event. In some situations, however, Auto-Protect does not stop sending notifications and logging events. Auto-Protect continues to send notifications and log events when the action for the detection is Leave alone (log only).
For Mac client computers, you can configure a detection message that applies to all scheduled scans and a message that applies to on-demand scans.
See “Customizing administrator-defined scans for the clients that run on Windows computers” on page 215.
See “Customizing administrator-defined scans for clients that run on Mac computers” on page 216.
Task: Change settings for user notifications about Download Insight detections
Description: You can change what notifications users receive about Download Insight detections.
See “Managing Download Insight detections” on page 191.
Task: Choose whether or not to display the Auto-Protect results dialog
Description: Applies to Windows client computers only. Applies to Auto-Protect for the file system only.
See “Customizing administrator-defined scans for the clients that run on Windows computers” on page 215.
Task: Set up Auto-Protect email notifications
Description: Applies to Windows client computers only.
When Auto-Protect email scans find a risk, Auto-Protect can send email notifications to alert the email sender and any other email address that you specify. You can also insert a warning into the email message.
For Internet Email Auto-Protect, you can also specify that a notification appears about scan progress when Auto-Protect scans an email.
See “Customizing Auto-Protect for email scans on Windows computers” on page 213.
Task: Allow users to see scan progress and start or stop scans
Description: Applies to Windows client computers only.
You can configure whether or not the scan progress dialog box appears. You can configure whether or not users are allowed to pause or delay scans.
When you let users view scan progress, a link to the scan progress dialog appears in the main pages of the client user interface. A link to reschedule the next scheduled scan also appears.
See “Allowing users to view scan progress and interact with scans” on page 222.
About the pop-up notifications that appear on the clients that run Windows 8
On Windows 8 computers, pop-up notifications for malware detections and other critical Symantec Endpoint Protection Small Business Edition events appear on the Windows 8 style user interface and the Windows 8 desktop. The notifications alert the user to an event that occurred in either the Windows 8 style user interface or the Windows 8 desktop, regardless of which interface the user is currently viewing.
You enable or disable the pop-up notifications as part of the configuration for Auto-Protect and administrator-defined scan settings in the Virus and Spyware Protection policy. You also enable the pop-up notifications as part of the notifications setting in the Firewall policy.
Note: The Windows 8 configuration also includes settings to show or hide notifications. Symantec Endpoint Protection Small Business Edition pop-up notifications only appear if Windows 8 is configured to show them. In the Windows 8 style user interface, the Settings pane or the Change PC Settings option let you show or hide app notifications. See the Windows 8 user documentation for more information.
If the user clicks a notification on the Windows 8 style user interface, the Windows 8 desktop appears. If the user clicks the notification on the Windows 8 desktop, the notification disappears. For detections of malware or security risks, the user can view information about the detections in the Detection Results dialog on the Windows 8 desktop.
When Symantec Endpoint Protection Small Business Edition notifies Windows 8 that it detected malware or a security risk that affects a Windows 8 style app, an alert icon appears on the app tile. When the user clicks the tile, the Windows App Store appears so that the user can re-download the app.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
See “How Symantec Endpoint Protection Small Business Edition acts on detections on Windows 8 computers” on page 182.
Managing early launch anti-malware (ELAM) detections
Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. Malicious software can load as a driver or rootkits might attack before the operating system completely loads and Symantec Endpoint Protection Small Business Edition starts.
Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.
Symantec Endpoint Protection Small Business Edition provides an ELAM driver that works with the Windows ELAM driver to provide the protection. The Windows ELAM driver must be enabled for the Symantec ELAM driver to have any effect.
You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows 8 documentation for more information.
Table 12-20 Managing ELAM detections
Task: View the status of ELAM on your client computers
Description: You can see whether Symantec Endpoint Protection Small Business Edition ELAM is enabled in the Computer Status log.
See on page 310.
Task: View ELAM detections
Description: You can view early launch anti-malware detections in the Risk log.
When Symantec Endpoint Protection Small Business Edition ELAM is configured to report detections of bad or bad critical drivers as unknown to Windows, Symantec Endpoint Protection Small Business Edition logs the detections as Log only. By default, Windows ELAM allows unknown drivers to load.
See on page 310.
Task: Enable or disable ELAM
Description: You might want to disable Symantec Endpoint Protection Small Business Edition ELAM to help improve computer performance.
See “Adjusting the Symantec Endpoint Protection Small Business Edition early launch anti-malware (ELAM) options” on page 207.
See “Adjusting scans to improve computer performance” on page 187.
Task: Adjust ELAM detection settings if you get false positives
Description: The Symantec Endpoint Protection Small Business Edition ELAM settings provide an option to treat bad drivers and bad critical drivers as unknown.
Bad critical drivers are the drivers that are identified as malware but are required for computer startup. You might want to select the override option if you get false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up.
Note: ELAM does not support a specific exception for an individual driver. The override option applies globally to ELAM detections.
See “Adjusting the Symantec Endpoint Protection Small Business Edition early launch anti-malware (ELAM) options” on page 207.
Task: Run the Power Eraser tool on ELAM detections that Symantec Endpoint Protection Small Business Edition cannot remediate
Description: In some cases, an ELAM detection requires the Symantec Power Eraser tool that is part of the Symantec Help tool.
See “Troubleshooting computer issues with the Symantec Help support tool” on page 349.
Adjusting the Symantec Endpoint Protection Small Business Edition early launch anti-malware (ELAM) options
Symantec Endpoint Protection Small Business Edition provides an ELAM driver that works with the Microsoft ELAM driver to provide protection for the computers in your network when they start up. The settings are supported on Microsoft Windows 8.
The Symantec Endpoint Protection Small Business Edition ELAM driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection Small Business Edition driver then passes the information to Windows to decide to allow or block the detected driver.
You cannot create exceptions for individual ELAM detections; however, you can create a global exception to log all bad drivers as unknown. By default, unknown drivers are allowed to load.
For some ELAM detections that require remediation, you might be required to run Power Eraser. Power Eraser is part of the Symantec Help tool.
Note: Auto-Protect scans any driver that loads.
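As an added illustration (not Symantec's code and not an actual API), here is a Python model of the decision flow this section describes: the Symantec ELAM driver classifies each boot-start driver as good, bad, bad critical or unknown; the optional global override reports bad and bad critical drivers as unknown and logs them as Log only; Windows then applies its load decision, which by default allows unknown drivers to load. The driver names, the assumption that Windows blocks verdicts other than good and unknown, and the Risk log wording are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Verdict(str, Enum):
    """Classification the ELAM driver can assign to a boot-start driver."""
    GOOD = "good"
    BAD = "bad"
    BAD_CRITICAL = "bad_critical"   # identified as malware but required for startup
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class ElamPolicy:
    # "Enable Symantec early launch anti-malware" in the Virus and Spyware Protection policy
    symantec_elam_enabled: bool = True
    # Windows ELAM driver state (set with the Group Policy editor); required for the above
    windows_elam_enabled: bool = True
    # "Log the detection as unknown so that Windows allows the driver to load" (global override)
    log_as_unknown: bool = False
    # Verdicts Windows lets load. Assumption: good and unknown load, bad verdicts are blocked.
    windows_allows: FrozenSet[Verdict] = frozenset({Verdict.GOOD, Verdict.UNKNOWN})


@dataclass(frozen=True)
class Outcome:
    driver: str
    reported: Optional[Verdict]   # verdict passed to Windows (None if ELAM is not active)
    loads: bool
    risk_log: Optional[str]       # entry the client writes to the Risk log, if any
    startup_risk: bool            # a driver required for startup was blocked


def evaluate_driver(policy: ElamPolicy, driver: str, verdict: Verdict) -> Outcome:
    """Model one boot-start driver through Symantec ELAM and then the Windows load decision."""
    if not (policy.symantec_elam_enabled and policy.windows_elam_enabled):
        # Without the Windows ELAM driver the Symantec driver has no effect: nothing is
        # reported or logged at boot (Auto-Protect still scans the driver once it loads).
        return Outcome(driver, None, True, None, False)

    reported = verdict
    risk_log = None
    if verdict in (Verdict.BAD, Verdict.BAD_CRITICAL):
        if policy.log_as_unknown:
            # The override is global: every bad verdict is downgraded, not just the false positive.
            reported = Verdict.UNKNOWN
            risk_log = f"{driver}: {verdict.value} reported as unknown (Log only)"
        else:
            risk_log = f"{driver}: {verdict.value} reported to Windows"

    loads = reported in policy.windows_allows
    startup_risk = verdict is Verdict.BAD_CRITICAL and not loads
    return Outcome(driver, reported, loads, risk_log, startup_risk)


def evaluate_boot(policy: ElamPolicy, drivers: List[Tuple[str, Verdict]]) -> List[Outcome]:
    """Run every boot-start driver through the policy in load order."""
    return [evaluate_driver(policy, name, verdict) for name, verdict in drivers]


# Constructed sample boot set (names and verdicts are illustrative, not real detections).
SAMPLE_BOOT = [
    ("storage_ctrl.sys", Verdict.GOOD),
    ("vendor_filter.sys", Verdict.UNKNOWN),
    ("rootkit_loader.sys", Verdict.BAD),
    ("disk_stack.sys", Verdict.BAD_CRITICAL),   # false positive on a driver needed to boot
]


def compare_policies() -> Dict[str, dict]:
    """Side by side: default settings versus the global 'log as unknown' override."""
    summary = {}
    for label, policy in (("default", ElamPolicy()), ("override", ElamPolicy(log_as_unknown=True))):
        results = evaluate_boot(policy, SAMPLE_BOOT)
        summary[label] = {
            "blocked": [r.driver for r in results if not r.loads],
            "logged": [r.risk_log for r in results if r.risk_log],
            "startup_risk": any(r.startup_risk for r in results),
        }
    return summary
```

The comparison makes the trade-off explicit: the override removes the startup risk from the false positive, but because it is global the genuinely bad driver loads too, so the Risk log entries are the only remaining signal until the detection is remediated.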
To adjust the Symantec Endpoint Protection Small Business Edition ELAM options
1 In the Symantec Endpoint Protection Manager console, on the Policies tab, open a Virus and Spyware Protection policy.
2 Under Protection Technologies, select Early Launch Anti-Malware Driver.
3 Check or uncheck Enable Symantec early launch anti-malware.
The Windows ELAM driver must be enabled for this option to be enabled. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows 8 documentation for more information.
4 If you want to log the detections only, under Detection Settings, select Log the detection as unknown so that Windows allows the driver to load.
5 Click OK.
See “Managing early launch anti-malware (ELAM) detections” on page 206.
See “Troubleshooting computer issues with the Symantec Help support tool” on page 349.
Chapter 13
Customizing scans
This chapter includes the following topics:
■ Customizing the virus and spyware scans that run on Windows computers
■ Customizing the virus and spyware scans that run on Mac computers
■ Customizing Auto-Protect for Windows clients
■ Customizing Auto-Protect for Mac clients
■ Customizing Auto-Protect for email scans on Windows computers
■ Customizing administrator-defined scans for the clients that run on Windows computers
■ Customizing administrator-defined scans for clients that run on Mac computers
■ Randomizing scans to improve computer performance in virtualized environments
■ Modifying global scan settings for Windows clients
■ Customizing Download Insight settings
■ Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection
■ Allowing users to view scan progress and interact with scans
Customizing the virus and spyware scans that run on Windows computers
You can customize options for administrator-defined scans (scheduled and on-demand scans) that run on Windows computers. You can also customize options for Auto-Protect.
See “Managing scans on client computers” on page 165.
Table 13-1 Customizing virus and spyware scans on Windows computers
Task: Customize Auto-Protect settings
Description: You can customize Auto-Protect in many ways, including the configuration for the following settings:
■ The types of files that Auto-Protect scans
■ The actions that Auto-Protect takes when it makes a detection
■ The user notifications for Auto-Protect detections
You can also enable or disable the Scan Results dialog for Auto-Protect scans of the file system.
See “Customizing Auto-Protect for Windows clients” on page 211.
See “Customizing Auto-Protect for email scans on Windows computers” on page 213.
Task: Customize administrator-defined scans
Description: You can customize the following types of options for scheduled and on-demand scans:
■ Compressed files
■ Tuning options
■ Insight Lookup
■ User notifications about detections
You can also customize scan actions.
See “Customizing administrator-defined scans for the clients that run on Windows computers” on page 215.
Task: Adjust ELAM settings
Description: You might want to enable or disable Symantec Endpoint Protection Small Business Edition early launch anti-malware (ELAM) detection if you think ELAM is affecting your computers' performance. Or you might want to override the default detection setting if you get many false positive ELAM detections.
See “Managing early launch anti-malware (ELAM) detections” on page 206.
Task: Adjust Download Insight settings
Description: You might want to adjust the malicious file sensitivity to increase or decrease the number of detections. You can also modify actions for detections and user notifications for detections.
See “Customizing Download Insight settings” on page 219.
Task: Customize scan actions
Description: You can change the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
Customizing the virus and spyware scans that run on Mac computers
You can customize options for administrator-defined scans (scheduled and on-demand scans) that run on Mac computers. You can also customize options for Auto-Protect.
See “Managing scans on client computers” on page 165.
Table 13-2 Customizing the virus and spyware scans that run on Mac computers
Task: Customize Auto-Protect
Description: You can customize Auto-Protect settings for the clients that run on Mac computers.
See “Customizing Auto-Protect for Mac clients” on page 212.
Task: Customize administrator-defined scans
Description: You can customize common settings and notifications as well as scan priority.
See “Customizing administrator-defined scans for clients that run on Mac computers” on page 216.
Customizing Auto-Protect for Windows clients
You might want to customize Auto-Protect settings for Windows clients.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
See “Managing scans on client computers” on page 165.
To configure Auto-Protect for Windows clients
1 In the console, open a Virus and Spyware Protection policy.
2 Under Windows Settings, under Protection Technology, click Auto-Protect.
3 On the Scan Details tab, check or uncheck Enable Auto-Protect.
Note: If you disable Auto-Protect, Download Insight cannot function even if it is enabled.
4 Under Scanning, under File types, click one of the following options:
■ Scan all files
This option is the default and is the most secure option.
■ Scan only selected extensions
You can improve scan performance by selecting this option; however, you might decrease the protection on your computer.
5 Under Additional options, check or uncheck Scan for security risks.
6 Click OK.
7 On the Actions tab, set any of the options.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
You can also set remediation options for Auto-Protect.
8 On the Notifications tab, set any of the notification options.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
9 If you are finished with the configuration for this policy, click OK.
Customizing Auto-Protect for Mac clients
You might want to customize Auto-Protect settings for the clients that run on Mac computers.
See “Customizing the virus and spyware scans that run on Mac computers” on page 211.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
To customize Auto-Protect for Mac clients
1 In the console, open a Virus and Spyware Protection policy.
2 Under Mac Settings, under Protection Technology, click File System Auto-Protect.
3 At the top of the Scan Details tab, click the lock icon to lock or unlock all settings.
4 Check or uncheck any of the following options:
■ Enable File System Auto-Protect
■ Automatically repair infected files
■ Quarantine files that cannot be repaired
■ Scan compressed files
5 Under General Scan Details, specify the files that Auto-Protect scans.
Note: To exclude files from the scan, you must select Scan everywhere except in specified folders, and then add an Exceptions policy to specify the files to exclude.
See “Excluding a file or a folder from scans” on page 274.
6 Under Scan Mounted Disk Details, check or uncheck any of the available options.
7 On the Notifications tab, set any of the notification options, and then click OK.
Customizing Auto-Protect for email scans on Windows computers
You can customize Auto-Protect for email scans on Windows computers.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
To customize Auto-Protect for email scans on Windows computers
1 In the console, open a Virus and Spyware Protection policy.
2 Under Windows Settings, click one of the following options:
■ Internet Email Auto-Protect
■ Microsoft Outlook Auto-Protect
3 On the Scan Details tab, check or uncheck Enable Internet Email Auto-Protect.
4 Under Scanning, under File types, click one of the following options:
■ Scan all files
This option is the default and most secure option.
■ Scan only selected extensions
You can improve scan performance by selecting this option; however, you might decrease the protection on your computer.
5 Check or uncheck Scan files inside compressed files.
6 On the Actions tab, set any of the options.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
7 On the Notifications tab, under Notifications, check or uncheck Display a notification message on the infected computer. You can also customize the message.
8 Under Email Notifications, check or uncheck any of the following options:
■ Insert a warning into the email message
■ Send email to the sender
■ Send email to others
You can customize the message text and include a warning. For Internet Email Auto-Protect you must also specify the mail server.
9 For Internet Email Auto-Protect only, on the Advanced tab, under Encrypted Connections, enable or disable encrypted POP3 or SMTP connections.
10 Under Mass Mailing Worm Heuristics, check or uncheck Outbound worm heuristics.
11 If you are finished with the configuration for this policy, click OK.
Customizing administrator-defined scans for the clients that run on Windows computers
You might want to customize scheduled or on-demand scans for the clients that run on Windows computers. You can set options for scans of compressed files and optimize the scan for computer or scan performance.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
See “Setting up scheduled scans that run on Windows computers” on page 182.
To customize an administrator-defined scan for the clients that run on Windows computers
1 In the console, open a Virus and Spyware Protection policy.
2 Under Windows Settings, click Administrator-defined scans.
3 Do one of the following actions:
■ Under Scheduled Scans, select the scheduled scan that you want to customize, or create a new scheduled scan.
■ Under Administrator On-demand Scan, click Edit.
4 On the Scan Details tab, select Advanced Scanning Options.
5 On the Compressed Files tab, you can reduce the number of levels to scan compressed files. If you reduce the number of levels, you might improve client computer performance.
6 On the Tuning tab, change the tuning level for the best client computer performance or the best scan performance.
7 Click OK.
8 On the Insight Lookup tab, change any of the settings to adjust how Insight Lookup handles reputation detections. The settings are similar to the settings for Download Insight.
9 For scheduled scans only, on the Schedule tab, set any of the following options:
■ Scan Duration
You can set how long the scan runs before it pauses and waits until the client computer is idle. You can also randomize scan start time.
■ Missed Scheduled Scans
You can specify a retry interval for missed scans.
10 On the Actions tab, change any detection actions.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
11 On the Notifications tab, enable or disable a notification that appears on client computers when the scan makes a detection.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
12 Click OK.
Customizing administrator-defined scans for clients that run on Mac computers
You customize scheduled scans and on-demand scans separately. Some of the options are different.
See “Customizing the virus and spyware scans that run on Mac computers” on page 211.
See “Setting up scheduled scans that run on Mac computers” on page 185.
See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 220.
See “Managing the virus and spyware notifications that appear on client computers” on page 203.
To customize a scheduled scan that runs on Mac computers
1 In the console, open a Virus and Spyware Protection policy.
2 Under Mac Settings, select Administrator-Defined Scans.
3 Under Scheduled Scans, select the scheduled scan that you want to customize, or create a new scheduled scan.
4 On the Scan Details tab, under Scan drives and folders, select the items that you want to scan.
5 Set the scan priority.
6 Click OK.
Edit the scan details for any other scan that is included in this policy.
7 On the Notifications tab, enable or disable notification messages about scan detections. The setting applies to all scheduled scans that you include in this policy.
8 On the Common Settings tab, set any of the following options:
■ Scan Options
■ Actions
■ Alerts
These options apply to all scheduled scans that you include in this policy.
9 Click OK.
To customize the on-demand scans that run on Mac computers
1 On the Virus and Spyware Protection Policy page, under Mac Settings, select Administrator-Defined Scans.
2 Under Administrator On-demand Scan, click Edit.
3 On the Scan Details tab, under Scan Drives and Folders, select the items that you want to scan.
You can also specify actions for scan detections and enable or disable scans of compressed files.
4 On the Notifications tab, enable or disable notifications for detections. You can also specify the message that appears.
5 Click OK.
Randomizing scans to improve computer performance in virtualized environments
You can randomize scheduled scans to improve performance on Windows client computers. Randomization is important in virtualized environments.
For example, you might schedule scans to run at 8:00 PM. If you select a four-hour time interval, scans on client computers start at a randomized time between 8:00 PM and 12:00 AM.
See “Adjusting scans to improve computer performance” on page 187.
See “Setting up scheduled scans that run on Windows computers” on page 182.
To randomize scans to improve computer performance in virtualized environments
1 In the console, open a Virus and Spyware Protection policy and click Administrator-defined Scans.
2 Create a new scheduled scan or select an existing scheduled scan to edit.
3 In the Add Scheduled Scan or Edit Scheduled Scan dialog box, click the Schedule tab.
4 Under Scanning Schedule, select how often the scan should run.
5 Under Scan Duration, check Scan for up to and select the number of hours.
The number of hours controls the time interval during which scans are randomized.
6 Make sure that you enable Randomize scan start time within this period (recommended in VMs).
7 Click OK.
8 Make sure that you apply the policy to the group that includes the computers that run Virtual Machines.
Modifying global scan settings for Windows clients
You can customize global settings for the scans that run on Windows client computers. You might want to modify these options to increase security on your client computers.
Note: If you increase the protection on your client computers by modifying these options, you might affect client computer performance.
See “Managing scans on client computers” on page 165.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
To modify global scan settings for Windows clients
1 In the console, open a Virus and Spyware Protection policy.
2 Under Windows Settings, click Global Scan Options.
3 Configure any of the following options:
■ Insight: Insight allows scans to skip trusted good files. The scan can skip the files that Symantec trusts as good (more secure) or that the community trusts as good (less secure).
■ Bloodhound: Bloodhound isolates and locates the logical regions of a file to detect a high percentage of unknown viruses. Bloodhound then analyzes the program logic for virus-like behavior. You can specify the sensitivity for detection.
4 Click OK.
Customizing Download Insight settings
You might want to customize Download Insight settings to decrease false positive detections on client computers. You can change how sensitive Download Insight is to the file reputation data that it uses to characterize malicious files. You can also change the notifications that Download Insight displays on client computers when it makes a detection.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
See “Managing Download Insight detections” on page 191.
To customize Download Insight settings
1 In the console, open a Virus and Spyware Protection policy and select Download Protection.
2 On the Download Insight tab, make sure that Enable Download Insight to detect potential risks in downloaded files based on file reputation is checked.
If Auto-Protect is disabled, Download Insight cannot function even if it is enabled.
3 Move the slider for malicious file sensitivity to the appropriate level.
If you set the level higher, Download Insight detects more files as malicious and fewer files as unproven. Higher settings, however, return more false positives.
4 Check or uncheck the following options to use as additional criteria for examining unproven files:
■ Files with fewer than x users
■ Files known by users for less than x days
When unproven files meet these criteria, Download Insight detects the files as malicious.
5 Make sure that Automatically trust any file downloaded from an intranet website is checked.
6 On the Actions tab, under Malicious Files, specify a first action and a second action.
7 Under Unproven Files, specify the action.
8 On the Notifications tab, you can specify whether or not to display a message on client computers when Download Insight makes a detection.
You can also customize the text of a warning message that appears when a user allows a file that Download Insight detects.
9 Click OK.
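The decision order that steps 2 through 5 describe (the Auto-Protect prerequisite, intranet trust, the sensitivity slider, and the two additional criteria for unproven files), as an added Python model that is not Symantec's code. The numeric risk score, the slider-to-threshold mapping, the fixed floor below which a file counts as trusted, and all field and function names are constructed assumptions for illustration.

```python
"""Model of the Download Insight decision rules described in this procedure.

Added illustration, not Symantec's code. The reputation fields, the 0..9 risk
score, the slider-to-threshold mapping and the trusted floor are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    TRUSTED = "trusted"              # allowed, no detection
    UNPROVEN = "unproven"            # the Unproven Files action applies
    MALICIOUS = "malicious"          # the Malicious Files first/second action applies
    NOT_EVALUATED = "not evaluated"  # Download Insight cannot function


@dataclass
class InsightSettings:
    enabled: bool = True               # "Enable Download Insight ..." check box
    auto_protect_enabled: bool = True  # Download Insight needs Auto-Protect
    sensitivity: int = 5               # slider position 1 (lowest) .. 9 (highest); assumed scale
    min_users: Optional[int] = None        # "Files with fewer than x users" (None = unchecked)
    min_known_days: Optional[int] = None   # "Files known by users for less than x days"
    trust_intranet: bool = True            # "Automatically trust any file downloaded from an intranet website"


@dataclass
class FileReputation:
    """Reputation data for one downloaded file (constructed sample fields)."""
    name: str
    risk_score: int        # assumed 0 (clean) .. 9 (known bad) from the reputation lookup
    user_count: int
    known_days: int
    from_intranet: bool = False


def evaluate(rep: FileReputation, s: InsightSettings) -> Verdict:
    """Return the verdict Download Insight would assign under these settings."""
    # Step 2: Download Insight cannot function when Auto-Protect is disabled,
    # even if Download Insight itself is enabled.
    if not s.enabled or not s.auto_protect_enabled:
        return Verdict.NOT_EVALUATED
    # Step 5: files from an intranet website are trusted automatically.
    if s.trust_intranet and rep.from_intranet:
        return Verdict.TRUSTED
    # Step 3 (assumption): a higher slider lowers the score needed to call a file
    # malicious, so more files are malicious, fewer are unproven, and false
    # positives rise.
    malicious_threshold = 10 - s.sensitivity
    if rep.risk_score >= malicious_threshold:
        return Verdict.MALICIOUS
    # Assumption: scores below a fixed floor are trusted; the rest are unproven.
    if rep.risk_score < 3:
        return Verdict.TRUSTED
    # Step 4: an unproven file that meets a checked criterion is detected as malicious.
    if s.min_users is not None and rep.user_count < s.min_users:
        return Verdict.MALICIOUS
    if s.min_known_days is not None and rep.known_days < s.min_known_days:
        return Verdict.MALICIOUS
    return Verdict.UNPROVEN
```

Raising the slider or checking either criterion moves files from the unproven bucket into the malicious one, which is why the text warns that higher settings return more false positives.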
Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection
You can configure the action or actions that scans should take when they make a detection. Each scan has its own set of actions, such as Clean, Quarantine, Delete, or Leave alone (log only).
On Windows clients, each detection category can be configured with a first action and a second action in case the first action is not possible.
See “Customizing the virus and spyware scans that run on Windows computers” on page 210.
See “Customizing the virus and spyware scans that run on Mac computers” on page 211.
See “Managing Download Insight detections” on page 191.
See on page 227.
See “Checking the scan action and rescanning the identified computers” on page 164.
See “Remediating risks on the computers in your network” on page 162.
By default, Symantec Endpoint Protection Small Business Edition tries to clean a file that a virus infected. If Symantec Endpoint Protection Small Business Edition cannot clean a file, it performs the following actions:
■ Moves the file to the Quarantine on the infected computer and denies any access to the file.
■ Logs the event.
By default, Symantec Endpoint Protection Small Business Edition moves any files that security risks infect into the Quarantine.
If you set the action to log only, by default if users create or save infected files, Symantec Endpoint Protection Small Business Edition deletes them.
On Windows computers, you can also configure remediation actions for administrator scans, on-demand scans, and Auto-Protect scans of the file system.
You can lock actions so that users cannot change the action on the client computers that use this policy.
Warning: For security risks, use the Delete action with caution. In some cases, deleting security risks causes applications to lose functionality. If you configure the client to delete the files that security risks affect, it cannot restore the files.
To back up the files that security risks affect, use the Quarantine action instead.
To change the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection on Windows computers
1 In the console, open a Virus and Spyware Protection policy, and then select the scan (any Auto-Protect scan, administrator scan, or on-demand scan).
2 On the Actions tab, under Detection, select a type of malware or security risk.
By default, each subcategory is automatically configured to use the actions that are set for the entire category.
Note: The categories change dynamically over time as Symantec gets new information about risks.
3 To configure actions for a subcategory only, do one of the following actions:
■ Check Override actions configured for Malware, and then set the actions for that subcategory only.
Note: There might be a single subcategory under a category, depending on how Symantec currently classifies risks. For example, under Malware, there might be a single subcategory called Viruses.
■ Check Override actions configured for Security Risks, and then set the actions for that subcategory only.
4 Under Actions for, select the first and second actions that the client software takes when it detects that category of virus or security risk.
For security risks, use the Delete action with caution. In some cases, deleting security risks causes applications to lose functionality.
5 Repeat these steps for each category for which you want to set actions (viruses and security risks).
6 When you finish configuring this policy, click OK.
To specify the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection on Mac computers
1 In the Virus and Spyware Protection policy, under Mac Settings, select Administrator-Defined Scans.
2 Do one of the following actions:
■ For scheduled scans, select the Common Settings tab.
■ For on-demand scans, on the Scans tab, under Administrator On-demand Scan, click Edit.
3 Under Actions, check either of the following options:
■ Automatically repair infected files
■ Quarantine files that cannot be repaired
4 For on-demand scans, click OK.
5 When you finish configuring this policy, click OK.
Allowing users to view scan progress and interact with scans
You can configure whether or not the scan progress dialog box appears on client computers. If you allow the dialog box to appear on client computers, users are always allowed to pause or delay an administrator-defined scan.
When you allow users to view scan progress, a link appears in the main pages of the client UI to display scan progress for the currently running scan. A link to reschedule the next scheduled scan also appears.
When you allow users to view scan progress, the following options appear in the main pages of the client UI:
■ When a scan runs, the message link scan in progress appears. The user can click the link to display the scan progress.
■ A link to reschedule the next scheduled scan also appears.
See “Managing scans on client computers” on page 165.
You can allow users to stop a scan entirely. You can also configure options for how users pause or delay scans.
You can allow the user to perform the following scan actions:
■ Pause
■ Snooze
■ Stop
When a user pauses a scan, the Scan Results dialog box remains open and waits for the user to either continue or abort the scan. If the computer is turned off, the paused scan does not continue.
When a user snoozes a scheduled scan, the user has the option of snoozing the scan for one hour or three hours. The number of snoozes is configurable. When a scan snoozes, the Scan Results dialog box closes; it reappears when the snooze period ends and the scan resumes.
When a user stops a scan, the scan usually stops immediately. If a user stops a scan while the client software scans a compressed file, the scan does not stop immediately. In this case, the scan stops as soon as the compressed file has been scanned. A stopped scan does not restart.
A paused scan automatically restarts after a specified time interval elapses.
You can click Help for more information about the options that are used in this procedure.
To allow users to view scan progress and interact with scans
1 In the console, open a Virus and Spyware Protection policy and click Administrator-defined Scans.
2 On the Advanced tab, under Scan Progress Options, click Show scan progress or Show scan progress if risk detected.
3 To automatically close the scan progress indicator after the scan completes, check Close the scan progress window when done.
4 Check Allow user to stop scan.
5 Click Pause Options.
6 In the Scan Pause Options dialog box, do any of the following actions:
■ To limit the time that a user may pause a scan, check Limit the time the scan may be paused, and then type a number of minutes. The range is 3 to 180.
■ To limit the number of times a user may delay (or snooze) a scan, in the Maximum number of snooze opportunities box, type a number between 1 and 8.
■ By default, a user can delay a scan for one hour. To change this limit to three hours, check Allow users to snooze the scan for 3 hours.
7 Click OK.
Chapter 14
Managing SONAR
This chapter includes the following topics:
■ Monitoring SONAR detection results to check for false positives
About SONAR
SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, and firewall protection.
SONAR uses a heuristics system that leverages Symantec's online intelligence network with proactive local monitoring on your client computers to detect emerging threats. SONAR also detects changes or behavior on your client computers that you should monitor.
Note: Auto-Protect also uses a type of heuristic that is called Bloodhound to detect suspicious behavior in files.
SONAR might inject some code into the applications that run in Windows user mode to monitor them for suspicious activity. In some cases, the injection might affect the application performance or cause problems with running the application. You can create an exception to exclude the file, folder, or application from this type of monitoring.
Note: SONAR does not inject code into applications on Symantec Endpoint Protection Small Business Edition 12.1 or earlier clients. If you use Symantec Endpoint Protection Manager 12.1.2 to manage clients, a SONAR file exception in an Exceptions policy is ignored on your legacy clients. If you use a legacy Symantec Endpoint Protection Manager to manage clients, the legacy policy does not support SONAR file exceptions for your Symantec Endpoint Protection Small Business Edition 12.1.2 clients. You can prevent SONAR code injection into applications on these clients, however, by creating an Application to monitor exception in the legacy policy. After the client learns the application, you can configure an application exception in the policy.
Symantec Endpoint Protection Small Business Edition clients version 12.0 or earlier do not support SONAR; however, legacy clients use TruScan proactive threat scans to provide protection against zero-day threats. TruScan proactive threat scans run periodically rather than in real time.
SONAR does not make detections on application type, but on how a process behaves. SONAR acts on an application only if that application behaves maliciously, regardless of its type. For example, if a Trojan horse or keylogger does not act maliciously, SONAR does not detect it.
SONAR detects the following items:
■ Heuristic threats: SONAR uses heuristics to determine if an unknown file behaves suspiciously and might be a high risk or low risk. It also uses reputation data to determine whether the threat is a high risk or low risk.
■ System changes: SONAR detects applications or the files that try to modify DNS settings or a host file on a client computer.
■ Trusted applications that exhibit bad behavior: Some good trusted files might be associated with suspicious behavior. SONAR detects these files as suspicious behavior events. For example, a well-known document sharing application might create executable files.
If you disable Auto-Protect, you limit SONAR's ability to make detections of high and low risk files. If you disable Insight lookups (reputation queries), you also limit SONAR's detection capability.
See on page 227.
See “Managing exceptions for Symantec Endpoint Protection Small Business on page 268.
Managing SONAR
SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy.
You configure SONAR settings for the clients that run Symantec Endpoint Protection Small Business Edition version 12.1. SONAR settings also include TruScan proactive threat scan settings for legacy clients. Many of the settings can be locked so that users on client computers cannot change the settings.
Table 14-1 Managing SONAR
Task: Learn how SONAR works
Description: Learn how SONAR detects unknown threats. Information about how SONAR works can help you make decisions about using SONAR in your security network. See on page 225.
Task: Check that SONAR is enabled
Description: To provide the most complete protection for your client computers, you should enable SONAR. SONAR interoperates with some other Symantec Endpoint Protection Small Business Edition features. SONAR requires Auto-Protect. You can use the Computers tab to check whether Proactive Threat Protection is enabled on your client computers. Note: Legacy clients do not report Proactive Threat Protection status to Symantec Endpoint Protection Manager. See on page 230.
Task: Check the default settings for SONAR
Description: SONAR settings are part of a Virus and Spyware Protection policy. See “About the default Virus and Spyware Protection policy scan settings” on page 178.
Task: Make sure that Insight lookups are enabled
Description: SONAR uses reputation data in addition to heuristics to make detections. If you disable Insight lookups, SONAR makes detections by using heuristics only. The rate of false positives might increase, and the protection that SONAR provides is limited. You enable or disable Insight Lookups in the Submissions dialog. See “Enabling or disabling client submissions to on page 199.
Task: Monitor SONAR events to check for false positive detections
Description: You can use the SONAR log to monitor events. You can also view the SONAR Detection Results report (under Risk Reports) to view information about detections. See “Monitoring SONAR detection results to check for false positives” on page 229. See “Monitoring endpoint protection” on page 293.
Task: Prevent SONAR from detecting the applications that you know are safe
Description: SONAR might detect the files or applications that you want to run on your client computers. You can use an Exceptions policy to specify exceptions for the specific files, folders, or applications that you want to allow. For the items that SONAR quarantines, you can create an exception for the quarantined item from the SONAR log.
Task: Prevent SONAR from examining some applications
Description: In some cases an application might become unstable or cannot run when SONAR injects code into the application to examine it. You can create a file, folder, or application exception for the application. See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
Task: Allow clients to submit information about SONAR detections to Symantec
Description: Symantec recommends that you enable submissions on your client computers. The information that clients submit about detections helps Symantec address threats. The information helps Symantec create better heuristics, which results in fewer false positive detections. See “Enabling or disabling client submissions to on page 199.
Monitoring SONAR detection results to check for false positives
The client collects and uploads SONAR detection results to the management server. The results are saved in the SONAR log.
To determine which processes are legitimate and which are security risks, look at the following columns in the log:
■ Event: The event type and the action that the client has taken on the process, such as cleaning it or logging it. Look for the following event types: a possible legitimate process is listed as a Potential risk found event; a probable security risk is listed as a Security risk found event.
■ Application: The process name.
■ Application type: The type of malware that SONAR or a TruScan proactive threat scan detected.
■ File/Path: The path name from where the process was launched.
The Event column tells you immediately whether a detected process is a security risk or a possible legitimate process. However, a potential risk that is found may or may not be a legitimate process, and a security risk that is found may or may not be a malicious process. Therefore, you need to look at the Application type and File/Path columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed.
Legacy clients do not support SONAR. Legacy clients collect similar events from TruScan proactive threat scans, however, and include them in the SONAR log.
To monitor SONAR detection results to check for false positives
1 In the console, click Monitors > Logs.
2 On the Logs tab, in the Log type drop-down list, click SONAR.
3 Select a time from the Time range list box closest to when you last changed a scan setting.
4 Click Advanced Settings.
5 In the Event type drop-down list, select one of the following log events:
■ To view all detected processes, make sure All is selected.
■ To view the processes that have been evaluated as security risks, click Security risk found.
■ To view the processes that have been evaluated and logged as potential risks, click Potential risk found.
6 Click View Log.
7 After you identify the legitimate applications and the security risks, create an exception for them in an Exceptions policy.
You can create the exception directly from the SONAR Logs pane.
See “Creating exceptions from log events in Symantec Endpoint Protection on page 280.
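The column-by-column triage that this section describes (Event first, then Application type and File/Path), applied to an exported SONAR log, as an added Python helper that is not Symantec's code. The tab-separated layout and the sample rows are constructed from the column names in the text (the real export format is not described on this page), and the known-good path prefix is a constructed allow-list that an administrator would maintain.

```python
"""Triage helper for a SONAR log export, following the column guidance above.

Added example, not Symantec's code. The export layout below is constructed
from the column names in the text; KNOWN_GOOD_PREFIXES is a constructed
administrator allow-list.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

SECURITY_RISK = "Security risk found"   # probable security risk
POTENTIAL_RISK = "Potential risk found"  # possible legitimate process

# Constructed sample export (tab-separated so paths survive intact).
SAMPLE_LOG = """Event\tApplication\tApplication type\tFile/Path
Potential risk found\tsyncclient.exe\tSuspicious behavior\tC:\\Program Files\\ExampleVendor\\syncclient.exe
Security risk found\tsvchost.exe\tTrojan horse\tC:\\Users\\Public\\Downloads\\svchost.exe
Potential risk found\tupdater.exe\tSystem change\tC:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe
Potential risk found\tsyncclient.exe\tSuspicious behavior\tC:\\Program Files\\ExampleVendor\\syncclient.exe
"""

# Constructed: install locations of applications the administrator already vetted.
KNOWN_GOOD_PREFIXES = ["C:\\Program Files\\ExampleVendor\\"]


def parse_sonar_log(text: str) -> List[Dict[str, str]]:
    """Read the export into one dict per row keyed by the column names."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def triage(rows: List[Dict[str, str]]) -> Dict[str, List[Dict[str, object]]]:
    """Group detections by application and path and sort them into review buckets.

    security_risks        Security risk found events: treat as probable malware
    exception_candidates  Potential risk found events launched from a known-good
                          location: review for an Exceptions policy entry
    needs_review          everything else: inspect Application type and File/Path
    """
    counts: Dict[tuple, int] = defaultdict(int)
    kinds: Dict[tuple, tuple] = {}
    for r in rows:
        key = (r["Application"], r["File/Path"])
        counts[key] += 1
        kinds[key] = (r["Event"], r["Application type"])
    buckets: Dict[str, List[Dict[str, object]]] = {
        "security_risks": [], "exception_candidates": [], "needs_review": []}
    for key, n in sorted(counts.items()):
        event, app_type = kinds[key]
        entry = {"application": key[0], "path": key[1], "type": app_type, "count": n}
        if event == SECURITY_RISK:
            buckets["security_risks"].append(entry)
        elif event == POTENTIAL_RISK and any(key[1].startswith(p) for p in KNOWN_GOOD_PREFIXES):
            # A trusted install path alone does not prove the file is the vendor's;
            # confirm the binary before adding the exception.
            buckets["exception_candidates"].append(entry)
        else:
            buckets["needs_review"].append(entry)
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(parse_sonar_log(SAMPLE_LOG)).items():
        print(bucket)
        for e in entries:
            print(f"  {e['count']}x {e['application']} [{e['type']}] {e['path']}")
```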
Enabling or disabling SONAR
When you enable or disable SONAR, you also enable or disable TruScan proactive threat scans for legacy clients.
See on page 227.
To enable or disable SONAR
1 In the Virus and Spyware Protection policy, click SONAR.
2 On the SONAR Settings tab, check or uncheck Enable SONAR.
3 Click OK.
Chapter 15
Managing Tamper Protection
This chapter includes the following topics:
■ Changing Tamper Protection settings
About Tamper Protection
Tamper Protection provides real-time protection for Symantec applications that run on servers and clients. It prevents non-Symantec processes, such as worms, Trojan horses, viruses, and security risks, from affecting Symantec resources.
You can configure the software to block or log attempts to modify Symantec resources.
Note: Tamper Protection runs on Windows clients only. It does not run on Mac clients.
By default, Tamper Protection is enabled and is set to Block and do not log. You can change the setting to Log only or Block and log if you want to monitor the detections for false positives. Tamper Protection can generate many log messages, so you might not want to log the events.
If you use any third-party security risk scanners that detect and defend against unwanted adware and spyware, these scanners typically affect Symantec resources. If you set Tamper Protection to log tamper events when you run such a scanner, Tamper Protection generates a large number of log entries. If you decide to log Tamper Protection events, use log filtering to manage the number of events.
You can create exceptions for the applications that Tamper Protection detects.
See “Changing Tamper Protection settings” on page 232.
See “Creating a Tamper Protection exception” on page 279.
Changing Tamper Protection settings
Tamper Protection provides real-time protection for Symantec applications that run on servers and clients. It prevents threats and security risks from tampering with Symantec resources. You can enable or disable Tamper Protection. You can also configure the action that Tamper Protection takes when it detects a tampering attempt on the Symantec resources in your network.
Tamper Protection settings are configured globally for a selected group.
To change Tamper Protection settings
1 In the console, click Computers.
2 On the Policies tab, under Other Policy Settings, next to Tamper Protection and Submissions, click Edit Settings.
3 On the Tamper Protection tab, check or uncheck Protect Symantec security software from being tampered with or shut down.
4 In the list box under Actions to take if an application attempts to tamper with or shut down Symantec security software, select one of the following actions:
■ Log only
■ Block and do not log
■ Block and log
5 Click the icon to lock or unlock the options on client computers. When you lock an option, you prevent user changes to the option.
6 Click OK.
See on page 231.
Chapter 16
Managing firewall protection
Managing firewall protection
The firewall allows the incoming network traffic and outgoing network traffic that you specify in a firewall policy. The Symantec Endpoint Protection Small Business Edition firewall policy contains rules and protection settings, most of which you can enable or disable and configure.
Table 16-1 describes ways in which you can manage your firewall protection. All of these tasks are optional.
Table 16-1 Manage firewall protection
Task: Read about firewall protection
Description: Before you configure your firewall protection, you should familiarize yourself with the firewall. See on page 234. See “About the Symantec Endpoint Protection firewall” on page 235.
Task: Create a firewall policy
Description: Symantec Endpoint Protection Small Business Edition installs with a default firewall policy. You can modify the default policy or create new ones. You must create a policy first before you configure firewall rules and firewall protection settings for that policy. See on page 237. See “Enabling and disabling a firewall policy” on page 238.
Task: Create and customize firewall rules
Description: Firewall rules are the policy components that control how the firewall protects client computers from malicious attacks. The default firewall policy contains default firewall rules, and when you create a new policy, Symantec Endpoint Protection Small Business Edition provides default firewall rules. However, you can modify the default rules or create new ones. See on page 240. See on page 248.
Task: Monitor firewall protection
Description: Regularly monitor the firewall protection status on your computers. See “Monitoring endpoint protection” on page 293. See “Running commands on the client computer from the console” on page 134.
See the knowledge base article Symantec Endpoint Protection Network Threat Protection (Firewall) Overview and Best Practices White Paper.
How a firewall works
A firewall does all of the following tasks:
■ Prevents any unauthorized users from accessing the computers and networks in your organization that connect to the Internet
■ Monitors the communication between your computers and other computers on the Internet
■ Creates a shield that allows or blocks attempts to access the information on your computer
■ Warns you of connection attempts from other computers
■ Warns you of connection attempts by the applications on your computer that connect to other computers
The firewall reviews the packets of data that travel across the Internet. A packet is a discrete chunk of data that is part of the information flow between two computers. Packets are reassembled at their destination to appear as an unbroken data stream.
Packets contain information about the following:
■ Sending computers
■ Intended recipients
■ How the packet data is processed
■ Ports that receive the packets
Ports are the channels that divide the stream of data that comes from the Internet.
Applications that run on a computer listen to the ports. The applications accept the data that is sent to the ports.
Network attacks exploit weaknesses in vulnerable applications. Attackers use these weaknesses to send the packets that contain malicious programming code to ports. When vulnerable applications listen to the ports, the malicious code lets the attackers gain access to the computer.
See “About the Symantec Endpoint Protection firewall” on page 235.
See “Managing firewall protection” on page 233.
About the Symantec Endpoint Protection firewall
The Symantec Endpoint Protection Small Business Edition firewall uses firewall policies and rules to allow or block network traffic. Symantec Endpoint Protection Small Business Edition includes a default Firewall policy with default firewall rules for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.
Firewall rules control how the client protects the client computer from malicious inbound traffic and malicious outbound traffic. The firewall automatically checks all the inbound and the outbound packets against these rules. The firewall then allows or blocks the packets based on the information that is specified in rules.
When a computer tries to connect to another computer, the firewall compares the type of connection with its list of firewall rules. The firewall also uses stateful inspection of all network traffic.
When you install the console for the first time, it adds a default Firewall policy to each group automatically.
You determine the level of interaction that you want users to have with the client by permitting or blocking their ability to configure firewall rules. Users can interact with the client only when it notifies them of new network connections and possible problems. Or they can have full access to the user interface.
You can enable or disable the firewall protection as needed.
Table 16-2 describes how you can increase firewall protection by adjusting the security level and modifying the firewall rules.
Table 16-2 Firewall protection adjustments
Setting: Default or custom
Description: Changing from default to custom lets you modify the firewall rules and lets you modify the security level as follows:
■ Low: The Low security level allows all IP incoming traffic and outgoing traffic. Low is the default security level.
■ Medium: The Medium security level enforces the Low security level. It also blocks TCP incoming traffic and UDP stateful incoming traffic.
■ High: The High security level blocks all IP incoming traffic and outgoing traffic.
Setting: Firewall rules
Description: You can modify the default firewall rules or you can create new rules.
You create and edit Firewall policies similarly to the way you create and modify other types of policies. You can assign, withdraw, replace, copy, export, import, or delete a Firewall policy.
You typically assign a policy to multiple groups in your security network.
See “Managing firewall protection” on page 233.
See on page 234.
See “How the firewall uses stateful inspection” on page 242.
See “The types of security policies” on page 149.
Creating a firewall policy
The Symantec Endpoint Protection Small Business Edition includes a default Firewall policy with default firewall rules for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.
When you install the console for the first time, it adds a default Firewall policy to each group automatically.
When you enable firewall protection, the policy allows all inbound IP-based network traffic and all outbound IP-based network traffic, with the following exceptions:
■ The default firewall protection blocks inbound and outbound IPv6 traffic with all remote systems.
Note: IPv6 is a network layer protocol that is used on the Internet. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.
■ The default firewall protection restricts the inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing). Internal network connections are allowed and external networks are blocked.
Table 16-3 describes the tasks that you can perform to configure a new firewall policy. You must add a firewall policy first, but thereafter, the remaining tasks are optional and you can complete them in any order.
Table 16-3 How to create a firewall policy
Task: Add a firewall policy
Description: When you create a new policy, you give it a name and a description. You also specify the groups to which the policy is applied. A firewall policy is automatically enabled when you create it, but you can disable it if you need to. See “Enabling and disabling a firewall policy” on page 238.
Task: Create firewall rules
Description: Firewall rules are the policy components that control how the firewall protects client computers from malicious incoming traffic and applications. The firewall automatically checks all incoming packets and outgoing packets against these rules. It allows or blocks the packets based on the information that is specified in rules. You can modify the default rules, create new rules, or disable the default rules. When you create a new Firewall policy, Symantec Endpoint Protection Small Business Edition provides default firewall rules. The default firewall rules are enabled by default. See on page 248.
Task: Adjust the firewall security level
Description: You can specify the security level of the firewall rules. The security level determines how stringently the firewall rules are applied. See “Adjusting the firewall security level” on page 239.
Task: Enable and customize notifications to users that access to an application is blocked
Description: You can send users a notification that an application that they want to access is blocked. These settings are disabled by default. See “Notifying the users that access to an application is blocked” on page 245.
See “Managing firewall protection” on page 233.
See on page 151.
Enabling and disabling a firewall policy
Firewall policies are automatically enabled when you create them. You can disable a firewall policy as needed, and then enable it again. You must enable a firewall policy for it to be active.
You might want to disable the firewall for any of the following reasons:
■ You install an application that might cause the firewall to block it.
■ A firewall rule or firewall setting blocks an application due to an administrator's mistake.
■ The firewall causes network connectivity-related issues.
■ The firewall might slow down the client computer.
You should enable at least the default firewall protection to keep your computers protected during remote client installation.
See “About enabling and disabling protection when you need to troubleshoot problems” on page 130.
To enable or disable a firewall policy
1 In the console, click Policies.
2 On the Policies page, select the Firewall policy, and then right-click Edit.
3 In the policy, click Firewall Rules.
4 In the policy, check Enable this Firewall Policy to enable the policy; uncheck it to disable it.
5 Click OK.
See on page 237.
See “Managing firewall protection” on page 233.
Adjusting the firewall security level
When you adjust the firewall security level, you select how strictly you want to restrict network traffic.
The security levels are as follows:
Low: The Low security level allows all IP incoming traffic and outgoing traffic. Low is the default security level.
Medium: The Medium security level enforces the Low security level. It also blocks TCP incoming traffic and UDP stateful incoming traffic.
High: The High security level blocks all IP incoming traffic and outgoing traffic.
To adjust the firewall security level
1 In the console, click Policies.
2 On the Policies page, select the Firewall policy, and then right-click Edit.
3 In the policy, click Firewall Rules.
4 In the policy, check Enable this Firewall Policy, and then select Customize the default settings.
5 In the policy, select the security level setting.
6 Click OK.
See on page 234.
See “Managing firewall protection” on page 233.
Managing firewall rules
Firewall rules control how the firewall protects computers from malicious incoming traffic and applications. The firewall checks all incoming packets and outgoing packets against the rules that you enable. It allows or blocks the packets based on the conditions that you specify in the firewall rule.
Symantec Endpoint Protection Small Business Edition installs with a default firewall policy that contains default rules. When you create a new firewall policy,
Symantec Endpoint Protection Small Business Edition provides default firewall rules. You can modify any of the default rules or create new firewall rules if your administrator permits it, or if your client is unmanaged.
You must have at least one rule in a policy. But you can have as many rules as you need. You can enable or disable rules as needed. For example, you might want to disable a rule to perform troubleshooting and enable it when you are done.
Table 16-4 describes what you need to know to manage firewall rules.
Table 16-4 Managing firewall rules
Subject: Learn how firewall rules work and what makes up a firewall rule
Description: Before you modify the firewall rules, you should understand the following information about how firewall rules work:
■ That the client uses stateful inspection, which eliminates the need for you to create additional rules. See “How the firewall uses stateful inspection” on page 242.
■ The firewall components that make up the firewall rule. When you understand these triggers and how you can best use them, you can customize your firewall rules to protect your clients and servers. See “About firewall rule application triggers” on page 243. See “About firewall rule host triggers” on page 245. See “About firewall rule network services triggers” on page 247.
You can perform the following tasks to manage firewall rules:
Subject: Add a new firewall rule
Description: You can add new firewall rules through the console using several methods. One method lets you add a blank rule that has default settings. The other method offers a wizard that guides you through creating a new rule. See on page 248.
Subject: Customize a firewall rule
Description: You can customize a default rule or one that you created by changing any of the firewall rule criteria. After you create a new rule, or if you want to customize a default rule, you can modify any of the firewall rule criteria. See on page 250.
Subject: Export and import firewall rules
Subject: Copy and paste firewall rules
Description: You can save time creating a new firewall rule by copying an existing rule that is similar to the rule that you want to create. Then you can modify the copied rule to meet your needs. See “Copying and pasting firewall rules” on page 249.
Subject: Enable or disable a firewall rule
Description: Firewall rules are automatically enabled. However, you may need to temporarily disable a firewall rule to test the rule. The firewall does not inspect disabled rules. See “Adjusting the firewall security level” on page 239.
See “Managing firewall protection” on page 233.
About the firewall rule, firewall setting, and intrusion prevention processing order
Firewall rules are ordered sequentially, from highest to lowest priority in the rules list. If the first rule does not specify how to handle a packet, the firewall inspects the second rule. This process continues until the firewall finds a match. After the firewall finds a match, the firewall takes the action that the rule specifies.
Subsequent lower priority rules are not inspected. For example, if a rule that blocks all traffic is listed first, followed by a rule that allows all traffic, the client blocks all traffic.
You can order rules according to exclusivity. The most restrictive rules are evaluated first, and the most general rules are evaluated last. For example, you should place the rules that block traffic near the top of the rules list. The rules that are lower in the list might allow the traffic.
The Rules list contains a blue dividing line. The dividing line sets the priority of rules when a subgroup inherits rules from a parent group.
See “Changing the order of firewall rules” on page 242.
See on page 234.
See “How intrusion prevention works” on page 261.
Changing the order of firewall rules
The firewall processes the list of firewall rules from the top down. You can determine how the firewall processes firewall rules by changing their order.
Note: For better protection, place the most restrictive rules first and the least restrictive rules last.
To change the order of firewall rules
1 In the console, open a Firewall policy.
2 In the Firewall Policy page, click Rules, and then select the rule that you want to move.
3 Do one of the following tasks:
■ To process this rule before the previous rule, click Move Up.
■ To process this rule after the rule below it, click Move Down.
4 Click OK.
See “About the firewall rule, firewall setting, and intrusion prevention processing order” on page 241.
See on page 151.
How the firewall uses stateful inspection
Firewall protection uses stateful inspection to track current connections. Stateful inspection tracks source and destination IP addresses, ports, applications, and other connection information. Before the client inspects the firewall rules, it makes the traffic flow decisions that are based on the connection information.
For example, if a firewall rule allows a computer to connect to a Web server, the firewall logs the connection information. When the server replies, the firewall discovers that a response from the Web server to the computer is expected. It permits the Web server traffic to flow to the initiating computer without inspecting the rule base. A rule must permit the initial outbound traffic before the firewall logs the connection.
Stateful inspection eliminates the need to create new rules. For the traffic that is initiated in one direction, you do not have to create the rules that permit the traffic in both directions. The client traffic that is initiated in one direction includes Telnet (port 23), HTTP (port 80), and HTTPS (port 443). The client computers initiate this outbound traffic; you create a rule that permits the outbound traffic for these protocols. Stateful inspection automatically permits the return traffic that responds to the outbound traffic. Because the firewall is stateful in nature, you only need to create the rules that initiate a connection, not the characteristics of a particular packet. All packets that belong to an allowed connection are implicitly allowed as being an integral part of that same connection.
Stateful inspection supports all rules that direct TCP traffic.
Stateful inspection does not support the rules that filter ICMP traffic. For ICMP traffic, you must create the rules that permit the traffic in both directions. For example, for the clients to use the ping command and receive replies, you must create a rule that permits ICMP traffic in both directions.
See on page 234.
About firewall rule application triggers
When the application is the only trigger you define in a rule that allows traffic, the firewall allows the application to perform any network operation. The application is the significant value, not the network operations that the application performs. For example, suppose you allow Internet Explorer and you define no other triggers. Users can access the remote sites that use HTTP, HTTPS, FTP, Gopher, and any other protocol that the Web browser supports. You can define additional triggers to describe the particular network protocols and hosts with which communication is allowed.
Application-based rules may be difficult to troubleshoot because an application may use multiple protocols. For example, if the firewall processes a rule that allows Internet Explorer before a rule that blocks FTP, the user can still communicate with FTP. The user can enter an FTP-based URL in the browser, such as ftp://ftp.symantec.com.
You should not use application rules to control traffic at the network level. For example, a rule that blocks or limits the use of Internet Explorer would have no effect should the user use a different Web browser. The traffic that the other Web browser generates would be compared against all other rules except the Internet Explorer rule. Application-based rules are more effective when the rules are configured to block the applications that send and receive traffic.
See “Defining information about applications” on page 244.
See “Notifying the users that access to an application is blocked” on page 245.
See on page 240.
Defining information about applications
You can define information about the applications that clients run and include this information in a firewall rule.
To define information about applications
1 In the console, open a Firewall policy.
2 On the Firewall Policies page, click Rules.
3 On the Rules tab, in the Rules list, right-click the Application field, and then click Edit.
4 In the Application List dialog box, click Add.
5 In the Add Application dialog box, enter one or more of the following fields:
■ Path and file name
■ Description
■ Size, in bytes
■ Date that the application was last changed
■ File fingerprint
6 Click OK.
7 Click OK.
See on page 240.
See on page 151.
See “About firewall rule application triggers” on page 243.
Notifying the users that access to an application is blocked
You can send users a notification that an application that they want to access is blocked. This notification appears on the users' computers.
Note: Enabling too many notifications can not only overwhelm your users, but can also alarm them. Use caution when enabling notifications.
To notify the users that access to an application is blocked
1 In the console, open a Firewall policy.
2 On the Firewall Policies page, click Rules.
3 Enable custom firewall protection.
4 On the Notifications tab, check the following options that you want to apply:
Display notification on the computer when the client blocks an application: A notification appears when the client blocks an application.
Add additional text to notification: Click Set Additional Text and customize the notification. Customizing the notification text is optional.
5 Click OK.
See “Managing firewall protection” on page 233.
See “Enabling and disabling a firewall policy” on page 238.
See on page 240.
See “About firewall rule application triggers” on page 243.
About firewall rule host triggers
You specify the host on both sides of the described network connection when you define host triggers.
Traditionally, the way to express the relationship between hosts is referred to as being either the source or destination of a network connection.
You can define the host relationship in either one of the following ways:
Source and destination: The source host and destination host depend on the direction of traffic. In one case the local client computer might be the source, whereas in another case the remote computer might be the source. The source and destination relationship is more commonly used in network-based firewalls.
Local and remote: The local host is always the local client computer, and the remote host is always a remote computer that is positioned elsewhere on the network. This expression of the host relationship is independent of the direction of traffic. The local and remote relationship is more commonly used in host-based firewalls, and is a simpler way to look at traffic.
You can define multiple source hosts and multiple destination hosts.
Figure 16-1 illustrates the source relationship and destination relationship with respect to the direction of traffic.
Figure 16-1 The relationship between source and destination hosts
[Figure: the SEP client is the source of an HTTP connection to Symantec.com, the destination; another client is the source of an RDP connection to the SEP client, which is then the destination.]
Figure 16-2 illustrates the local host and remote host relationship with respect to the direction of traffic.
Figure 16-2 The relationship between local and remote hosts
[Figure: the SEP client is the local host of an HTTP connection to Symantec.com, the remote host; the SEP client is also the local host of an RDP connection from another client, the remote host.]
Relationships are evaluated by the following types of statements:
OR statement: The hosts that you define on either side of the connection (between the source and the destination).
AND statement: Selected hosts.
For example, consider a rule that defines a single local host and multiple remote hosts. As the firewall examines the packets, the local host must match the relevant IP address. However, the opposing sides of the address may be matched to any remote host. For example, you can define a rule to allow HTTP communication between the local host and either Symantec.com, Yahoo.com, or Google.com. The single rule is the same as three rules.
See “Blocking traffic to or from a specific server” on page 252.
See on page 240.
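The three behaviours this chapter describes, first-match rule ordering (the processing order section), stateful handling of TCP but not ICMP (the stateful inspection section), and OR-within-a-side, AND-across-sides host matching (this section), modelled in one added Python example. This is illustration code, not Symantec's implementation; the host names, port numbers and the allow-by-default fallback for a packet no rule matches are constructed assumptions of the model.

```python
from dataclasses import dataclass

ANY = "*"   # wildcard: this trigger is not defined in the rule


@dataclass(frozen=True)
class Packet:
    """One packet as the client firewall sees it (constructed sample data)."""
    proto: str       # "TCP", "UDP" or "ICMP"
    direction: str   # "out": the local client initiates; "in": the remote host does
    local: str       # local client host
    remote: str      # remote host
    port: int = 0    # remote port (0 for ICMP)


@dataclass
class Rule:
    """All defined triggers must hold (AND); within a host list any host may match (OR)."""
    name: str
    action: str                  # "allow" or "block"
    proto: str = ANY
    direction: str = ANY
    local_hosts: tuple = (ANY,)
    remote_hosts: tuple = (ANY,)
    port: object = ANY
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and self.proto in (ANY, pkt.proto)
                and self.direction in (ANY, pkt.direction)
                and (ANY in self.local_hosts or pkt.local in self.local_hosts)
                and (ANY in self.remote_hosts or pkt.remote in self.remote_hosts)
                and self.port in (ANY, pkt.port))


class Firewall:
    """First-match rule evaluator with a connection table for TCP only."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # (local, remote, port) of allowed outbound TCP

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.local, pkt.remote, pkt.port)
        # The stateful decision is made before the rule base is consulted (TCP only).
        if pkt.proto == "TCP" and pkt.direction == "in" and key in self.connections:
            return "allow:stateful"
        for rule in self.rules:    # top-down; the first matching rule decides
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.proto == "TCP" and pkt.direction == "out":
                    self.connections.add(key)   # log the connection so the reply is expected
                return f"{rule.action}:{rule.name}"
        # Modelling assumption: a packet that no rule matches gets the Low security
        # level behaviour (allowed). Disabled rules are skipped by matches().
        return "allow:default"


def demo_rule_order():
    """Block-all above allow-all blocks everything; swapping the two allows it."""
    pkt = Packet("TCP", "out", "sep-client", "symantec.com", 80)
    block_all, allow_all = Rule("block all", "block"), Rule("allow all", "allow")
    return (Firewall([block_all, allow_all]).evaluate(pkt),
            Firewall([allow_all, block_all]).evaluate(pkt))


def demo_stateful():
    """One outbound allow rule covers an HTTP exchange; ICMP needs both directions."""
    fw = Firewall([
        Rule("allow outbound HTTP", "allow", proto="TCP", direction="out", port=80),
        Rule("allow outbound ping", "allow", proto="ICMP", direction="out"),
        Rule("block all inbound", "block", direction="in"),
    ])
    return {
        "http_request": fw.evaluate(Packet("TCP", "out", "sep-client", "symantec.com", 80)),
        "http_reply": fw.evaluate(Packet("TCP", "in", "sep-client", "symantec.com", 80)),
        # Inbound TCP that no client connection initiated goes through the rule base.
        "unsolicited_tcp": fw.evaluate(Packet("TCP", "in", "sep-client", "other-client", 445)),
        "ping_request": fw.evaluate(Packet("ICMP", "out", "sep-client", "symantec.com")),
        "ping_reply": fw.evaluate(Packet("ICMP", "in", "sep-client", "symantec.com")),
    }


def demo_host_lists():
    """A rule listing three remote hosts decides exactly like three one-host rules."""
    sites = ("symantec.com", "yahoo.com", "google.com")
    common = dict(proto="TCP", direction="out", local_hosts=("sep-client",), port=80)
    one_rule = Firewall([Rule("HTTP to three sites", "allow", remote_hosts=sites, **common),
                         Rule("block the rest", "block")])
    three_rules = Firewall([Rule(f"HTTP to {s}", "allow", remote_hosts=(s,), **common)
                            for s in sites] + [Rule("block the rest", "block")])
    probes = [Packet("TCP", "out", "sep-client", s, 80) for s in sites]
    probes += [Packet("TCP", "out", "sep-client", "example.net", 80),   # host not listed
               Packet("TCP", "out", "other-client", "google.com", 80)]  # wrong local host
    verdicts_one = [one_rule.evaluate(p).split(":")[0] for p in probes]
    verdicts_three = [three_rules.evaluate(p).split(":")[0] for p in probes]
    return verdicts_one, verdicts_three, verdicts_one == verdicts_three
```

Calling demo_rule_order(), demo_stateful() and demo_host_lists() returns the verdicts; the ICMP reply in demo_stateful() is blocked until an explicit inbound ICMP allow rule is added, which is the point the stateful inspection section makes.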
About firewall rule network services triggers
Network services let networked computers send and receive messages, share files, and print. A network service uses one or more protocols or ports to pass through a specific type of traffic. For example, the HTTP service uses ports 80 and 443 in the TCP protocol. You can create a firewall rule that allows or blocks network services. A network service trigger identifies one or more network protocols that are significant in relation to the described network traffic.
When you define TCP-based or UDP-based service triggers, you identify the ports on both sides of the described network connection. Traditionally, ports are referred to as being either the source or the destination of a network connection.
See “Permitting clients to browse for files and printers in the network” on page 255.
See on page 240.
Setting up firewall rules
Table 16-5 describes how to set up new firewall rules.
Table 16-5 How to set up firewall rules
Step 1: Add a new firewall rule
Description: You can add new firewall rules through the console using several methods. One method lets you add a blank rule that has default settings. The other method offers a wizard that guides you through creating a new rule. See on page 248. You can save time creating a new firewall rule by copying an existing rule that is similar to the rule that you want to create. Then you can modify the copied rule to meet your needs. See “Copying and pasting firewall rules” on page 249.
Step 2 (Optional): Customize the firewall rule criteria
Description: After you create a new rule, or if you want to customize a default rule, you can modify any of the firewall rule criteria. See on page 250.
See on page 240.
See “Adjusting the firewall security level” on page 239.
Adding a new firewall rule
Use the Add Firewall Rule wizard to add new firewall rules and then configure the rule as needed. The wizard does not configure new rules with multiple criteria.
You should specify both the inbound and the outbound traffic in the rule whenever possible. You do not need to create inbound rules for traffic such as HTTP. The Symantec Endpoint Protection Small Business Edition client uses stateful inspection for TCP traffic. Therefore, it does not need a rule to filter the return traffic that the clients initiate.
When you create a new firewall rule, it is automatically enabled. You can disable a firewall rule if you need to allow specific access to a computer or application.
The rule is disabled for all inherited policies.
Note: Rules must be enabled for the firewall to process them.
To add a new firewall rule
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 Check Customize the default settings.
4 On the Rules tab, under the Rules list, click Add Rule.
5 In the Add Firewall Rule Wizard, click Next.
6 In the Select Rule Type panel, select one of the types of rules.
7 Click Next.
8 Enter data on each panel to create the type of rule you selected.
9 For applications and hosts, click Add More to add additional applications and services.
10 When you are done, click Finish.
11 Optionally, you can customize the firewall rule criteria as needed.
12 If you are done with the configuration of the rule, click OK.
See on page 250.
See on page 248.
See on page 151.
See “How the firewall uses stateful inspection” on page 242.
Copying and pasting firewall rules
Save time creating a new firewall rule by copying an existing rule that is similar to the new rule that you want to create. Then you can modify the copied rule as needed.
You can copy and paste rules from the same policy or another policy.
To copy and paste firewall rules
1 In the console, open a Firewall policy.
2 In the Firewall Policy page, click Rules.
3 On the Rules tab, right-click the rule you want to copy, and then click Copy Rule.
4 Right-click the row where you want the rule to be pasted, and then click Paste Rule.
5 Click OK.
See on page 250.
See on page 248.
See on page 151.
Customizing firewall rules
When you create a new Firewall policy, the policy includes several default rules.
You can modify one or multiple rule components as needed.
The components of a firewall rule are as follows:
Actions: The action parameters specify what actions the firewall takes when it successfully matches a rule. If the rule matches and is selected in response to a received packet, the firewall performs all actions. The firewall either allows or blocks the packet and logs or does not log the packet. If the firewall allows traffic, it lets the traffic that the rule specifies access the network. If the firewall blocks traffic, it blocks the traffic that the rule specifies so that it does not access the network.
The actions are as follows:
■ Allow: The firewall allows the network connection.
■ Block: The firewall blocks the network connection.
Triggers: When the firewall evaluates the rule, all the triggers must be true for a positive match to occur. If any one trigger is not true in relation to the current packet, the firewall cannot apply the rule. You can combine the trigger definitions to form more complex rules, such as to identify a particular protocol in relation to a specific destination address.
The triggers are as follows:
■ Application: When the application is the only trigger you define in an allow-traffic rule, the firewall allows the application to perform any network operation. The application is the significant value, not the network operations that the application performs. You can define additional triggers to describe the particular network protocols and hosts with which communication is allowed. See “About firewall rule application triggers” on page 243.
■ Host: When you define host triggers, you specify the host on both sides of the described network connection. Traditionally, the way to express the relationship between hosts is referred to as being either the source or destination of a network connection. See “About firewall rule host triggers” on page 245.
■ Network services: A network services trigger identifies one or more network protocols that are significant in relation to the described traffic. The local host computer always owns the local port, and the remote computer always owns the remote port. This expression of the port relationship is independent of the direction of traffic. See “About firewall rule network services triggers” on page 247.
Notifications: The Log settings let you specify whether the server creates a log entry or sends an email message when a traffic event matches the criteria that are set for this rule.
Customizing firewall rules
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 On the Rules tab, in the Rules list, in the Enabled field, ensure that the box is checked to enable the rule; uncheck the box to disable the rule. Symantec Endpoint Protection Small Business Edition only processes the rules that you enable. All rules are enabled by default.
4 Double-click the Name field and type a unique name for the firewall rule.
5 Right-click the Action field and select the action that you want Symantec Endpoint Protection Small Business Edition to take if the rule is triggered.
6 In the Application field, define an application. See “Defining information about applications” on page 244.
7 In the Host field, specify a host trigger. See “Blocking traffic to or from a specific server” on page 252.
8 In addition to specifying a host trigger, you can also specify the traffic that is allowed to access your local subnet. See “Allowing only specific traffic to the local subnet” on page 253.
9 In the Service field, specify a network service trigger. See “Controlling whether networked computers can share messages, files, and printing” on page 254.
10 In the Log field, specify when you want Symantec Endpoint Protection Small Business Edition to send an email message to you when this firewall rule is violated. See “Setting up notifications for firewall rule violations” on page 256.
11 If you are done with the configuration of the rule, click OK.
See on page 248.
See on page 240.
Blocking traffic to or from a specific server
To block traffic to or from a specific server, you can block the traffic by IP address rather than by domain name or host name. Otherwise, the user may be able to access the IP address equivalent of the host name.
To block traffic to or from a specific server
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 On the Rules tab, in the Rules list, select the rule you want to edit, right-click the Host field, and then click Edit.
4 In the Host List dialog box, do one of the following actions:
■ Click Source/Destination.
■ Click Local/Remote.
5 Do one of the following tasks:
To select a host type from the Type drop-down list: Do all of the following tasks:
■ In the Source and Destination or Local and Remote tables, click Add.
■ In the Host dialog box, select a host type from the Type drop-down list, and type the appropriate information for each host type.
■ Click OK.
The host that you created is automatically enabled.
To select a host group: In the Host List dialog box, do one of the following actions:
■ Click Source/Destination.
■ Click Local/Remote.
Then in the Host List dialog box, check the box in the Enabled column for any host group that you want to add to the rule.
6 Add additional hosts, if necessary.
7 Click OK to return to the Rules list.
See on page 248.
See on page 250.
See on page 151.
Allowing only specific traffic to the local subnet
You can create a firewall rule that permits only specific traffic to your local subnet.
This firewall rule always applies to your local subnet IP address, regardless of what the address is. Therefore, even if you change your local subnet IP address, you never have to modify this rule for the new address.
For example, you can create this rule to permit traffic to port 80 only on the local subnet, regardless of what the local subnet IP address is.
To allow only specific traffic to the local subnet
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 On the Rules tab, in the Rules list, select the rule that you want to edit.
4 Click Customize the default settings to access the list of default settings.
5 In the Firewall Rules table, in the Host column, double-click on the rule for which you want to create a local subnet traffic condition.
6 Under the type of hosts for which this rule applies (Local or Remote), click Add.
7 Click the Address Type drop-down list and select Local Subnet.
8 Click OK, and then click OK again to close out of the Host List dialog box.
See “The types of security policies” on page 149.
See on page 151.
See on page 250.
Controlling whether networked computers can share messages, files, and printing
Network services let networked computers send and receive messages, share files, and print. You can create a firewall rule that allows or blocks network services.
You can add a custom network service through a firewall rule. However, that network service is not added to the default list. You cannot access the custom service from any other rule.
To control whether networked computers can share messages, files, and printing
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 On the Rules tab, in the Rules list, select the rule you want to edit, right-click the Service field, and then click Edit.
4 In the Service List dialog box, check the box beside each service that you want to trigger the rule.
5 To add an additional service for the selected rule only, click Add.
6 In the Protocol dialog box, select a protocol from the Protocol drop-down list.
7 Fill out the appropriate fields.
8 Click OK.
9 Click OK.
10 Click OK.
See “About firewall rule network services triggers” on page 247. See also pages 248, 151, and 250.
Permitting clients to browse for files and printers in the network
You can enable the client to either share its files or to browse for shared files and printers on the local network. To prevent network-based attacks, you may not want to enable network file and printer sharing.
You enable network file and print sharing by adding firewall rules. The firewall rules allow access to the ports to browse and share files and printers. You create one firewall rule so that the client can share its files. You create a second firewall rule so that the client can browse for other files and printers.
The settings work differently based on the type of control that you specify for your client, as follows:
Client control or mixed control: Users on the client can enable these settings themselves by configuring them in Network Threat Protection.
Mixed control: A server firewall rule that specifies this type of traffic can override these settings.
Server control: These settings are not available on the client.
To permit clients to browse for files and printers in the network
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 On the Rules tab, in the Rules list, select the rule you want to edit, right-click the Service field, and then click Edit.
4 In the Service List dialog box, click Add.
5 In the Protocol dialog box, in the Protocol drop-down list, click TCP, and then click Local/Remote.
6 Do one of the following tasks:
To permit clients to browse for files and printers in the network, in the Remote Port drop-down list, type 88, 135, 139, 445.
To enable other computers to browse files on the client, in the Local Port drop-down list, type 88, 135, 139, 445.
7 Click OK.
8 In the Service List dialog box, click Add.
9 In the Protocol dialog box, in the Protocol drop-down list, click UDP.
10 Do one of the following tasks:
To permit clients to browse for files and printers in the network, in the Local Port drop-down list, type 137, 138, and in the Remote Port drop-down list, type 88.
To enable other computers to browse files on the client, in the Local Port drop-down list, type 88, 137, 138.
11 Click OK.
12 In the Service List dialog box, make sure that the two services are enabled, and then click OK.
13 On the Rules tab, make sure the Action field is set to Allow.
14 If you are done with the configuration of the policy, click OK.
See also pages 248, 250, and 151.
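The two procedures above (the Local Subnet host condition, and the file and print sharing services with their local and remote port lists) can be checked against sample connections with the following added example. It is not Symantec code and does not describe the client's real rule engine: the Rule, Service and Connection classes, the first-match evaluation order and the addresses are assumptions made for illustration. It also restricts the sharing rules to the local subnet, which the procedure above does not itself require.

```python
"""Added example, not Symantec code: a toy model of how a firewall rule built
from a host condition (Address Type = Local Subnet) and a service (protocol
plus local and remote port lists) decides whether a connection matches.
The class names, the first-match evaluation order and the addresses are
assumptions made for illustration and do not describe the real client engine."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Service:
    protocol: str                                   # "TCP" or "UDP"
    local_ports: set = field(default_factory=set)   # empty set = any port
    remote_ports: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    action: str                         # "Allow" or "Block"
    services: list                      # any listed service may trigger the rule
    remote_local_subnet: bool = False   # remote host condition "Local Subnet"


@dataclass
class Connection:
    protocol: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def on_local_subnet(remote_ip, interface):
    """True if remote_ip lies in the subnet of the client's own interface.
    interface is the client's address with its prefix, e.g. '192.0.2.10/24',
    so the condition follows the client when its address changes."""
    network = ipaddress.ip_interface(interface).network
    return ipaddress.ip_address(remote_ip) in network


def service_matches(svc, conn):
    """Protocol must match; each non-empty port list must contain its port."""
    if svc.protocol != conn.protocol:
        return False
    if svc.local_ports and conn.local_port not in svc.local_ports:
        return False
    if svc.remote_ports and conn.remote_port not in svc.remote_ports:
        return False
    return True


def rule_matches(rule, conn, interface):
    if rule.remote_local_subnet and not on_local_subnet(conn.remote_ip, interface):
        return False
    return any(service_matches(s, conn) for s in rule.services)


def evaluate(rules, conn, interface, default="Block"):
    """First matching rule wins; returns (action, rule name)."""
    for rule in rules:
        if rule_matches(rule, conn, interface):
            return rule.action, rule.name
    return default, None


# Port list taken from the procedure above; the subnet restriction is an
# addition the procedure does not itself require.
SHARE_PORTS = {88, 135, 139, 445}


def local_subnet_web_rule():
    """Permit traffic to port 80 only on the local subnet."""
    return Rule("Allow HTTP to local subnet", "Allow",
                [Service("TCP", remote_ports={80})], remote_local_subnet=True)


def browse_rule():
    """Outbound: the client browses other computers (remote ports)."""
    return Rule("Browse files and printers", "Allow",
                [Service("TCP", remote_ports=set(SHARE_PORTS))],
                remote_local_subnet=True)


def be_browsed_rule():
    """Inbound: other computers browse this client (local ports)."""
    return Rule("Let others browse this client", "Allow",
                [Service("TCP", local_ports=set(SHARE_PORTS))],
                remote_local_subnet=True)


if __name__ == "__main__":
    me = "192.0.2.10/24"   # constructed client address
    outbound = Connection("TCP", "192.0.2.10", 49152, "192.0.2.20", 445)
    inbound = Connection("TCP", "192.0.2.10", 445, "192.0.2.30", 51000)
    print(evaluate([browse_rule()], outbound, me))                    # Allow
    print(evaluate([browse_rule()], inbound, me))                     # Block: wrong direction
    print(evaluate([browse_rule(), be_browsed_rule()], inbound, me))  # Allow
```

The point the model makes visible is direction: a rule whose ports are listed as Remote ports lets the client reach other computers' shares, but on its own it does not open the client's own ports 88, 135, 139 and 445 to inbound connections. A client that only needs to reach shares should get the outbound rule only, and the Local Subnet condition keeps either rule from matching traffic to or from other networks even after the client's address changes.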
Setting up notifications for firewall rule violations
You can configure Symantec Endpoint Protection Small Business Edition to send you an email message each time the firewall detects a rule violation, attack, or event. For example, you may want to know when a client blocks the traffic that comes from a particular IP address.
To set up notifications for firewall rule violations
1 In the console, open a Firewall policy.
2 On the Firewall Policy page, click Rules.
3 On the Rules tab, select a rule, right-click the Logging field, and select whether you want to log the violation and whether you want to send email alerts.
4 Click OK.
See also pages 248 and 250.
See “Setting up administrator notifications” on page 325.
Chapter 17
Managing intrusion prevention
This chapter includes the following topics:
■ Managing intrusion prevention on your client computers
■ How intrusion prevention works
■ About Symantec IPS signatures
■ Enabling or disabling network intrusion prevention or browser intrusion prevention
■ Creating exceptions for IPS signatures
Managing intrusion prevention on your client computers
The default intrusion prevention settings protect client computers against a wide variety of threats. You can change the default settings for your network.
Table 17-1 Managing intrusion prevention
Task: Learn about intrusion prevention
Description: Learn how intrusion prevention detects and blocks network and browser attacks. See “How intrusion prevention works” on page 261. See “About Symantec IPS signatures” on page 262.
Task: Enable or disable intrusion prevention
Description: You might want to disable intrusion prevention for troubleshooting purposes or if client computers detect excessive false positives. However, to keep your client computers secure, typically you should not disable intrusion prevention.
You can enable or disable the following types of intrusion prevention in the Intrusion Prevention policy:
■ Network intrusion prevention
■ Browser intrusion prevention
See “Enabling or disabling network intrusion prevention or browser intrusion prevention” on page 263.
You can also enable or disable both types of intrusion prevention, as well as the firewall, when you run the Enable Network Threat Protection or Disable Network Threat Protection command.
See “Running commands on the client computer from the console” on page 134.
Task: Create exceptions to change the default behavior of Symantec network intrusion prevention signatures
Description: You might want to create exceptions to change the default behavior of the default Symantec network intrusion prevention signatures. Some signatures block the traffic by default and other signatures allow the traffic by default.
Note: You cannot change the behavior of browser intrusion prevention signatures.
You might want to change the default behavior of some network signatures for the following reasons:
■ Reduce resource consumption on your client computers. For example, you might want to reduce the number of signatures that block traffic. Make sure, however, that an attack signature poses no threat before you exclude it from blocking.
■ Allow some network signatures that Symantec blocks by default. For example, you might want to create exceptions to reduce false positives when benign network activity matches an attack signature. If you know the network activity is safe, you can create an exception.
■ Block some signatures that Symantec allows. For example, Symantec includes signatures for peer-to-peer applications and allows the traffic by default. You can create exceptions to block the traffic instead.
See “Creating exceptions for IPS signatures” on page 264.
If you want to block the ports that send and receive peer-to-peer traffic, use a Firewall policy. See also page 237.
Task: Create exceptions to ignore browser signatures on client computers
Description: You can create exceptions to exclude browser signatures from browser intrusion prevention. You might want to ignore browser signatures if browser intrusion prevention causes problems with browsers in your network.
See “Creating exceptions for IPS signatures” on page 264.
How intrusion prevention works
Intrusion prevention is part of Network Threat Protection.
Intrusion prevention automatically detects and blocks network attacks and attacks on browsers. Intrusion prevention is the second layer of defense after the firewall to protect client computers. Intrusion prevention is sometimes called the intrusion prevention system (IPS).
Intrusion prevention intercepts data at the network layer. It uses signatures to scan packets or streams of packets, looking for the patterns that correspond to network attacks or browser attacks. Intrusion prevention detects attacks on operating system components and the application layer.
Intrusion prevention provides two types of protection.
Table 17-2 Types of intrusion prevention
Network intrusion prevention: Network intrusion prevention uses signatures to identify attacks on client computers. For known attacks, intrusion prevention automatically discards the packets that match the signatures.
Browser intrusion prevention: Browser intrusion prevention monitors attacks on Internet Explorer and Firefox. Browser intrusion prevention is not supported on any other browsers. Firefox might disable the Symantec Endpoint Protection plug-in, but you can re-enable it. This type of intrusion prevention uses attack signatures as well as heuristics to identify attacks on browsers. For some browser attacks, intrusion prevention requires that the client terminate the browser. A notification appears on the client computer.
See the following knowledge base article for the latest information about the browsers that browser intrusion prevention protects: Supported browser versions for browser intrusion prevention.
See “Managing intrusion prevention on your client computers” on page 259.
About Symantec IPS signatures
Symantec intrusion prevention signatures are installed on the client by default.
See “Managing intrusion prevention on your client computers” on page 259.
Intrusion prevention uses the Symantec signatures to monitor individual packets or streams of packets. For streams of packets, intrusion prevention can remember the list of patterns or partial patterns from previous packets. It can then apply this information to subsequent packet inspections.
Symantec signatures include signatures for network intrusion prevention and browser intrusion prevention.
Network intrusion prevention signatures: Network signatures match patterns of an attack that can crash applications or exploit the operating systems on your client computers. You can change whether a Symantec network signature blocks or allows traffic. You can also change whether or not Symantec Endpoint Protection Small Business Edition logs a detection from a signature in the Security log.
Browser intrusion prevention signatures: Browser signatures match patterns of attack on supported browsers, such as script files that can crash the browser. You cannot customize the action or log setting for browser signatures, but you can exclude a browser signature.
See “Creating exceptions for IPS signatures” on page 264.
The Symantec Security Response team supplies the attack signatures. The intrusion prevention engine and the corresponding set of signatures are installed on the client by default. The signatures are part of the content that you update on the client.
You can view information about IPS signatures on the following Symantec Web site page:
Attack Signatures
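The stream inspection described above (remembering partial patterns from previous packets) and the per-signature block, allow and log settings can be illustrated with the following added example. It is not Symantec code and is unrelated to the product's real engine or signature content: the signature IDs, names and byte patterns, the StreamInspector class and the exception dictionary are all constructed for illustration.

```python
"""Added example, not Symantec code: a minimal stream-aware signature matcher.
It keeps the tail of the previous packet so a pattern that straddles a packet
boundary is still found, and applies each signature's block/allow and log
setting with an optional exception override. The signature IDs, names and
byte patterns are constructed for illustration and are not Symantec content."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    pattern: bytes
    action: str = "Block"   # default action for a hit: "Block" or "Allow"
    log: bool = True        # whether a hit is written to the log


# Constructed signatures (assumption: not real IDs or patterns).
SIGNATURES = [
    Signature(1001, "Path traversal in URL", b"../../etc/passwd"),
    Signature(1002, "Peer-to-peer handshake", b"P2P-HELLO", action="Allow"),
]


class StreamInspector:
    """One inspector per flow. Carries the last (longest pattern - 1) bytes of
    the previous packet into the next inspection window."""

    def __init__(self, signatures, exceptions=None):
        self.signatures = signatures
        # exceptions: sig_id -> {"action": ..., "log": ...}, like an exceptions list
        self.exceptions = exceptions or {}
        self.carry = b""
        self.carry_len = max(len(s.pattern) for s in signatures) - 1
        self.events = []    # (sig_id, name, action) for each logged hit

    def effective(self, sig):
        """Exception settings override the signature's defaults."""
        override = self.exceptions.get(sig.sig_id, {})
        return override.get("action", sig.action), override.get("log", sig.log)

    def _new_match(self, pattern, window):
        """True if pattern occurs in window and at least one occurrence ends in
        the new payload; hits wholly inside the carried bytes were reported
        when the previous packet was inspected."""
        start = 0
        while True:
            i = window.find(pattern, start)
            if i < 0:
                return False
            if i + len(pattern) > len(self.carry):
                return True
            start = i + 1

    def inspect(self, payload):
        """Returns "Block" or "Allow" for this packet and records log events."""
        window = self.carry + payload
        verdict = "Allow"
        for sig in self.signatures:
            if self._new_match(sig.pattern, window):
                action, log = self.effective(sig)
                if log:
                    self.events.append((sig.sig_id, sig.name, action))
                if action == "Block":
                    verdict = "Block"
        self.carry = window[-self.carry_len:] if self.carry_len > 0 else b""
        return verdict


def inspect_per_packet(packets, signatures, exceptions=None):
    """Stateless inspection: each packet on its own; split patterns are missed."""
    return [StreamInspector(signatures, exceptions).inspect(p) for p in packets]


def inspect_stream(packets, signatures, exceptions=None):
    """Stateful inspection over the whole flow; returns (verdicts, log events)."""
    inspector = StreamInspector(signatures, exceptions)
    verdicts = [inspector.inspect(p) for p in packets]
    return verdicts, inspector.events


if __name__ == "__main__":
    # Constructed HTTP request whose traversal string is split across packets.
    packets = [b"GET /cgi-bin/x?f=../../e", b"tc/passwd HTTP/1.0\r\n"]
    print(inspect_per_packet(packets, SIGNATURES))   # ['Allow', 'Allow']
    print(inspect_stream(packets, SIGNATURES))        # (['Allow', 'Block'], [...])
```

Run stand-alone, the per-packet pass lets both packets through because neither packet contains the whole pattern, while the stream pass blocks the second packet. The exceptions dictionary shows the two knobs the section above describes for network signatures: changing the action of a signature that allows traffic by default (the constructed peer-to-peer signature) to Block, or turning its logging off.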
Enabling or disabling network intrusion prevention or browser intrusion prevention
You can enable or disable either type of intrusion prevention. Typically, you should not disable either type of intrusion prevention.
See “Managing intrusion prevention on your client computers” on page 259.
To enable or disable network intrusion prevention or browser intrusion prevention
1 In the console, open an Intrusion Prevention policy.
2 On the Intrusion Prevention Policy page, click Settings.
3 Check or uncheck the following options:
■ Enable Network Intrusion Prevention
■ Enable Browser Intrusion Prevention
4 Click the icon to lock or unlock the options on client computers. When you lock an option, you prevent user changes to the option.
5 Click OK.
Creating exceptions for IPS signatures
You can create exceptions to perform the following actions:
■ Change the default behavior of IPS network signatures.
■ Specify the browser signatures that client computers should ignore.
You can change the action that the client takes when the IPS recognizes a network signature. You can also change whether the client logs the event in the Security log.
You cannot change the behavior of Symantec browser signatures; unlike network signatures, browser signatures do not allow custom action and logging settings.
However, you can create an exception for a browser signature so that clients ignore the signature.
Note: When you add a browser signature exception, Symantec Endpoint Protection Manager includes the signature in the exceptions list and automatically sets the action to Allow and the log setting to Do Not Block. You cannot customize the action or the log setting.
See “Managing intrusion prevention on your client computers” on page 259.
Note: To change the behavior of a custom IPS signature that you create or import, you edit the signature directly.
To change the behavior of Symantec IPS network signatures
1 In the console, open an Intrusion Prevention policy.
2 On the Intrusion Prevention Policy page, click Exceptions, and then click Add.
3 In the Add Intrusion Prevention Exceptions dialog box, do one of the following actions to filter the signatures:
■ To display the signatures in a particular category, select an option from the Show category drop-down list.
■ To display the signatures that are classified with a particular severity, select an option from the Show severity drop-down list.
4 Select one or more signatures.
To make the behavior for all network signatures the same, click Select All.
5 Click Next.
6 In the Signature Action dialog box, set the action to Block or Allow.
Note: The Signature Action dialog box only applies to network signatures.
7 Optionally, set the log action to Log the traffic or Do not log the traffic.
8 Click OK.
If you want to revert a network signature's behavior back to the original behavior, select the signature and click Delete.
If you want clients to use a browser signature and not ignore it, select the signature and click Delete.
9 Click OK.
Chapter 18
Managing exceptions
This chapter includes the following topics:
■ About exceptions to Symantec Endpoint Protection Small Business Edition
■ Managing exceptions for Symantec Endpoint Protection Small Business Edition
■ Creating exceptions for Symantec Endpoint Protection Small Business Edition
■ Restricting the types of exceptions that users can configure on client computers
■ Creating exceptions from log events in Symantec Endpoint Protection Manager
About exceptions to Symantec Endpoint Protection Small Business Edition
Typically exceptions are items, such as files or Web domains, that you want to exclude from scans.
Symantec Endpoint Protection Small Business Edition automatically excludes some files from virus and spyware scans.
You can also use exceptions to detect an application or to change the default behavior when Symantec Endpoint Protection Small Business Edition detects an application or when the application launches.
You might want to use exceptions to reduce the amount of time that scans run.
For example, you can exclude files, folders, and extensions from scans. If you reduce the scan time, you might increase the system performance on client computers.
Note: You cannot create exceptions for an individual virus and spyware scan. For example, if you create a file exception, Symantec Endpoint Protection Small Business Edition applies the exception to all virus and spyware scans (Auto-Protect, Download Insight, and any administrator-defined or user-defined scan).
Exceptions apply to a particular client type (Windows or Mac). You configure the exceptions separately. For example, if you configure a file exception, it applies either to clients that run on Windows computers or clients that run on Mac computers. Some exceptions are not available for Mac clients.
Table 18-1 Scan exceptions and client type
Mac clients: File or folder exception
Windows clients: You can configure the following types of exceptions:
■ File
■ Folder
■ Known risk
■ Extension
■ Trusted Web domain
■ Application to monitor
■ Application
■ Tamper Protection
See also page 174.
See “Managing exceptions for Symantec Endpoint Protection Small Business Edition” on page 268.
Managing exceptions for Symantec Endpoint Protection Small Business Edition
You can manage exceptions for Symantec Endpoint Protection Small Business Edition in the Symantec Endpoint Protection Manager console.
Table 18-2 Managing exceptions
Task: Learn about exceptions
Description: You use exceptions to exclude items from scans and protection on your client computers. See “About exceptions to Symantec Endpoint Protection Small Business Edition” on page 267.
Task: Review the types of files and folders that Symantec Endpoint Protection Small Business Edition automatically excludes from scans
Description: Symantec Endpoint Protection Small Business Edition automatically creates exceptions, or exclusions, for some third-party applications and some Symantec products. You can also configure individual scans to scan only certain extensions and skip any other extensions. See “About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans” on page 174.
Task: Create exceptions for scans
Description: You add exceptions in an Exceptions policy directly. Or you can add exceptions from log events on the Monitors page. See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270. See “Creating exceptions from log events in Symantec Endpoint Protection Manager” on page 280.
Task: Restrict the types of exceptions that users can configure on client computers
Description: By default, users on client computers have limited configuration rights for exceptions. You can restrict users further so that they cannot create exceptions for virus and spyware scans or for SONAR. Users can never force an application detection and they never have permission to create Tamper Protection exceptions. See “Restricting the types of exceptions that users can configure on client computers” on page 279.
Task: Check the logs for detections for which you might want to create exceptions
Description: After Symantec Endpoint Protection Small Business Edition makes a detection, you can create an exception for the detection from the log event. For example, you might want to create an exception for a file that scans detect but that your users request to download. See “Creating exceptions from log events in Symantec Endpoint Protection Manager” on page 280.
Task: Configure intrusion prevention exceptions
Description: You can specify exceptions for intrusion prevention. Intrusion prevention exceptions are configured in an Intrusion Prevention policy. See “Managing intrusion prevention on your client computers” on page 259.
Creating exceptions for Symantec Endpoint Protection Small Business Edition
You can create different types of exceptions for Symantec Endpoint Protection Small Business Edition.
Any exception that you create takes precedence over any exception that a user might define. On client computers, users cannot view the exceptions that you create. A user can view only the exceptions that the user creates.
Note: The Exceptions policy includes a SONAR file path exception to prevent SONAR code injection into the specified application. SONAR does not inject code into applications on Symantec Endpoint Protection Small Business Edition 12.1 or earlier clients. If you use Symantec Endpoint Protection Manager 12.1.2 to manage clients, a SONAR file exception in an Exceptions policy is ignored on your legacy clients. If you use a legacy Symantec Endpoint Protection Manager to manage clients, the legacy policy does not support SONAR file exceptions for your Symantec Endpoint Protection Small Business Edition 12.1.2 clients. You can prevent SONAR code injection into applications on these clients, however, by creating an Application to monitor exception in the legacy policy. After the client learns the application, you can configure an application exception in the policy.
Exceptions for virus and spyware scans also apply to Download Insight.
Table 18-3 Creating exceptions for Symantec Endpoint Protection Small Business Edition
Task: Exclude a file from scans
Description: Supported on Windows and Mac clients. Excludes a file by name from virus and spyware scans or SONAR on Windows clients. You can also exclude a file from virus and spyware scans on Mac clients. See “Excluding a file or a folder from scans” on page 274.
Task: Exclude a folder from scans
Description: Supported on Windows and Mac clients. Excludes a folder from virus and spyware scans, SONAR, or all scans on Windows clients. You can also exclude a folder from virus and spyware scans on Mac clients. See “Excluding a file or a folder from scans” on page 274.
Task: Exclude a known risk from virus and spyware scans
Description: Supported on Windows clients. Excludes a known risk from virus and spyware scans. The scans ignore the risk, but you can configure the exception so that the scans log the detection. In either case, the client software does not notify users when it detects the specified risks. If a user configures custom actions for a known risk that you configure to ignore, Symantec Endpoint Protection Small Business Edition ignores the custom actions. Security risk exceptions do not apply to SONAR. See “Excluding known risks from virus and spyware scans” on page 275.
Task: Exclude file extensions from virus and spyware scans
Description: Supported on Windows clients. Excludes any files with the specified extensions from virus and spyware scans. Extension exceptions do not apply to SONAR. See “Excluding file extensions from virus and spyware scans” on page 276.
Task: Monitor an application to create an exception for the application
Description: Supported on Windows clients. Use the Application to monitor exception to monitor a particular application. When Symantec Endpoint Protection Small Business Edition learns the application, you can create an exception to specify how Symantec Endpoint Protection Small Business Edition handles the application. See “Monitoring an application to create an exception for the application” on page 276.
Task: Specify how scans handle monitored applications
Description: Supported on Windows clients. Use an application exception to specify an action for Symantec Endpoint Protection Small Business Edition to apply to a monitored application. The type of action determines whether Symantec Endpoint Protection Small Business Edition applies the action when it detects the application or when the application runs. Symantec Endpoint Protection Small Business Edition applies the Terminate, Quarantine, or Remove action to an application when it launches or runs. It applies the Log only or Ignore action when it detects the application.
Unlike a file name exception, an application exception is a hash-based exception. Different files can have the same name, but a file hash uniquely identifies an application.
The application exception is a SHA-2 hash-based exception. Legacy exceptions for TruScan proactive threat scans appear as SHA-1 hash-based exceptions. Legacy clients support SHA-1 exceptions only. The file fingerprint in the exceptions list is preceded by a 2 or a 1 respectively to indicate the file hash type.
Applications for which you can create exceptions appear in the Exceptions dialog after Symantec Endpoint Protection Small Business Edition learns the application. You can request that Symantec Endpoint Protection Small Business Edition monitors a specific application to learn it.
See “Specifying how Symantec Endpoint Protection Small Business Edition handles monitored applications” on page 277.
Task: Exclude a Web domain from scans
Description: Supported on Windows clients. Download Insight scans the files that users try to download from Web sites and other portals. Download Insight runs as part of a virus and spyware scan. You can configure an exception for a specific Web domain that you know is safe. Download Insight must be enabled for the exception to have any effect.
Note: If your client computers use a proxy with authentication, you must specify trusted Web domain exceptions for Symantec URLs. The exceptions let your client computers communicate with Symantec Insight and other important Symantec sites.
See the following related knowledge base articles:
■ How to test connectivity to Insight and Symantec licensing servers
■ Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers
See “Excluding a trusted Web domain from scans” on page 278.
Task: Create file exceptions for Tamper Protection
Description: Supported on Windows clients. Tamper Protection protects client computers from the processes that tamper with Symantec processes and internal objects. When Tamper Protection detects a process that might modify the Symantec configuration settings or Windows registry values, it blocks the process. Some third-party applications inadvertently try to modify Symantec processes or settings. You might need to allow a safe application to modify Symantec settings. You might want to stop Tamper Protection for certain areas of the registry or certain files on the client computer. In some cases, Tamper Protection might block a screen reader or some other assistive technology application. You can create a file exception so that the application can run on client computers. Folder exceptions are not supported for Tamper Protection.
See “Creating a Tamper Protection exception” on page 279.
See “Managing exceptions for Symantec Endpoint Protection Small Business Edition” on page 268.
See “Creating exceptions from log events in Symantec Endpoint Protection Manager” on page 280.
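Table 18-3 above says that an application exception is keyed on a file hash (SHA-2, or SHA-1 for legacy TruScan exceptions, with the fingerprint prefixed by 2 or 1) rather than on a file name. The following added example shows why that matters. It is not Symantec code: the NameException and ApplicationException classes, the decide function and the two constructed foo.exe files are assumptions for illustration, and only the hash-type digit followed by the hex digest follows the table's description of the fingerprint.

```python
"""Added example, not Symantec code: why an application exception keyed on a
file hash is stronger than one keyed on a file name. Two constructed files
share the name foo.exe but differ in content; a name-based exception matches
both, the hash-based one matches only the file it was created from. The
fingerprint format (hash type digit, then hex digest) follows the description
above; the class names and the demo files are assumptions for illustration."""
import hashlib
import os
import tempfile


def fingerprint_bytes(data, hash_type=2):
    """hash_type 2 = SHA-256 (SHA-2 family), 1 = SHA-1 (legacy TruScan style)."""
    algo = hashlib.sha256 if hash_type == 2 else hashlib.sha1
    return f"{hash_type}{algo(data).hexdigest()}"


def fingerprint(path, hash_type=2):
    """Same fingerprint, computed from a file on disk in chunks."""
    algo = hashlib.sha256() if hash_type == 2 else hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            algo.update(chunk)
    return f"{hash_type}{algo.hexdigest()}"


class NameException:
    """Matches on the file name only, like a plain file exception."""

    def __init__(self, name, action):
        self.name, self.action = name, action

    def matches(self, path):
        return os.path.basename(path).lower() == self.name.lower()


class ApplicationException:
    """Matches on the file fingerprint, like an application exception."""

    def __init__(self, fp, action):
        self.fingerprint, self.action = fp, action

    def matches(self, path):
        hash_type = int(self.fingerprint[0])     # leading 2 or 1
        return fingerprint(path, hash_type) == self.fingerprint


def decide(exceptions, path, default="Scan"):
    """First matching exception supplies the action (Ignore, Log only, ...)."""
    for exc in exceptions:
        if exc.matches(path):
            return exc.action
    return default


def demo():
    """Builds two different foo.exe files in a temp dir; returns the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "vendor", "foo.exe")
        lookalike = os.path.join(d, "downloads", "foo.exe")
        for path, body in ((trusted, b"MZ constructed trusted build"),
                           (lookalike, b"MZ constructed unknown build")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(body)
        by_name = [NameException("foo.exe", "Ignore")]
        by_hash = [ApplicationException(fingerprint(trusted), "Ignore")]
        return {
            "name_trusted": decide(by_name, trusted),
            "name_lookalike": decide(by_name, lookalike),
            "hash_trusted": decide(by_hash, trusted),
            "hash_lookalike": decide(by_hash, lookalike),
        }


if __name__ == "__main__":
    print(demo())
```

The name-based exception ignores both files, including the one an attacker could drop under the same name; the hash-based exception ignores only the build it was created from, and a rebuilt or patched binary falls back to the default scan until a new exception is learned, which is the trade-off a hash-keyed exception makes.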
Excluding a file or a folder from scans
You add exceptions for files or folders individually. If you want to create exceptions for more than one file, repeat the procedure.
You can configure file or folder exceptions on both Windows and Mac clients. On
Windows clients, file exceptions can apply to virus and spyware scans and SONAR.
To exclude a file from scans on Windows clients
1 On the Exceptions Policy page, click Exceptions.
2 Under Exceptions, click Add > Windows Exceptions > File.
3 In the Prefix variable drop-down box, select a common folder.
Select [NONE] to enter the absolute path and file name.
When you select a prefix, the exception can be used on different Windows operating systems.
4 In the File text box, type the name of the file.
If you select a prefix variable, the path should be relative to the prefix. If you select [NONE], type the full path name.
Note: Paths must be denoted by using a backward slash.
5 Under Specify the types of scans that will exclude this file, select the type of scan (Security Risk or SONAR).
You must select at least one type.
6 For security risk scans, under Specify the type of security risk scan, select Auto-Protect, Scheduled and on-demand, or All Scans.
7 Click OK.
To exclude a folder from scans on Windows clients
1 On the Exceptions Policy page, click Exceptions.
2 Under Exceptions, click Add > Windows Exceptions > Folder.
3 In the Prefix variable drop-down box, select a common folder.
Select [NONE] to enter the absolute path and folder name.
When you select a prefix, the exception can be used on different Windows operating systems.
4 In the Folder text box, type the name of the folder.
If you select a prefix variable, the path should be relative to the prefix. If you select [NONE], type the full path name.
Note: Paths must be denoted by using a backward slash.
5 Under Specify the type of scan that excludes this folder, select the type of scan (Security Risk, SONAR, or All).
You must select at least one type.
6 For security risk scans, under Specify the type of security risk scan, select Auto-Protect, Scheduled and on-demand, or All Scans.
7 Click OK.
To exclude a file or folder on Mac clients
1 On the Exceptions Policy page, click Exceptions.
2 Under Exceptions, click Add > Mac Exceptions > Security Risk Exceptions for File or Folder.
3 Under Security Risk File or Folder Exception, in the Prefix variable drop-down box, select a common folder.
Select [NONE] to enter the absolute path and file or folder name.
4 In the File or Folder text box, type the name of the file or folder.
If you select a prefix variable, the path should be relative to the prefix. If you select [NONE], type the full path name.
Note: Folder paths must be denoted by using a forward slash.
5 Click OK.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
Excluding known risks from virus and spyware scans
The security risks that the client software detects appear in the Known Security Risk Exceptions dialog box.
The known security risks list includes information about the severity of the risk.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
To exclude known risks from virus and spyware scans
1 On the Exceptions Policy page, click Exceptions.
2 Under Exceptions, click Add > Windows Exceptions > Known Risks.
3 In the Add Known Security Risk Exceptions dialog box, select one or more security risks that you want to exclude from virus and spyware scans.
4 Check Log when the security risk is detected if you want to log the detection.
If you do not check this option, the client ignores the selected risks when it detects them and therefore does not log the detection.
5 Click OK.
6 If you are finished with the configuration for this policy, click OK.
Excluding file extensions from virus and spyware scans
You can add multiple file extensions to an exception. After you create the exception, you cannot create another extensions exception for the same policy.
You must edit the existing exception.
You can add only one extension at a time. If you enter multiple extension names in the Add text box, the policy treats the entry as a single extension name.
See
“Creating exceptions for Symantec Endpoint Protection Small Business
on page 270.
To exclude file extensions from virus and spyware scans
1 On the Exceptions Policy page, click Exceptions.
2 Under Exceptions, click Add > Windows Exceptions > Extensions.
3 In the text box, type the extension that you want to exclude, and then click Add.
4 Add any other extensions to the exception.
5 Click OK.
Monitoring an application to create an exception for the application
When Symantec Endpoint Protection Small Business Edition learns a monitored application, the application appears in the Application Exception dialog. You can create an exception action for the application in the Exceptions policy. The
Managing exceptions
Creating exceptions for Symantec Endpoint Protection Small Business Edition
277 application also appears in the relevant log, and you can create an exception from the log.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
See “Specifying how Symantec Endpoint Protection Small Business Edition handles monitored applications” on page 277.
See “Creating exceptions from log events in Symantec Endpoint Protection Manager” on page 280.
To monitor an application to create an exception for the application
1 On the Exceptions Policy page, click Exceptions.
2 Click Add > Windows Exceptions > Application to Monitor.
3 In the dialog box, type the application name.
For example, you might type the name of an executable file as follows:
foo.exe
4 Click Add.
5 If you are finished with the configuration for this policy, click OK.
Specifying how Symantec Endpoint Protection Small Business Edition handles monitored applications
You can monitor a particular application so that you can create an exception for how Symantec Endpoint Protection Small Business Edition handles the application.
After Symantec Endpoint Protection Small Business Edition learns the application and the management console receives the event, the application appears in the application list in the Application Exception dialog. The application list appears empty if the client computers in your network have not yet learned any applications.
The applications list includes the applications that you monitor as well as the files that your users download. Symantec Endpoint Protection Small Business Edition applies the action when either Symantec Endpoint Protection Small Business Edition detects the application or the application runs.
See “Monitoring an application to create an exception for the application” on page 276.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
To specify how Symantec Endpoint Protection Small Business Edition handles monitored applications
1 On the Exceptions Policy page, click Exceptions.
2 Click Add > Windows Exceptions > Application.
3 In the View drop-down list, select All, Watched Applications, or User-allowed Applications.
4 Select the applications for which you want to create an exception.
5 In the Action drop-down box, select Ignore, Log only, Quarantine, Terminate, or Remove.
The Ignore and Log only actions apply when scans detect the application. The Terminate, Quarantine, and Remove actions apply when the application launches.
6 Click OK.
Excluding a trusted Web domain from scans
You can exclude a Web domain from virus and spyware scans and SONAR.
You can specify only one Web domain at a time. You must specify an HTTP or HTTPS URL or an IP address when you specify a trusted Web domain exception. FTP URLs are not supported in the exceptions configuration. You must specify an IP address for an FTP location. You cannot use a port number.
Note: If Download Insight or Auto-Protect is disabled, trusted Web domain exceptions are disabled as well.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
To exclude a trusted Web domain from scans
1 On the Exceptions Policy page, click Add > Windows Exceptions > Trusted Web Domain.
2 In the Add Trusted Web Domain Exception dialog box, enter the HTTP or HTTPS Web site or IP address that you want to exclude.
3 Click OK.
4 Repeat the procedure to add more Web domain exceptions.
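The following Python script is an added example, not part of this guide and not Symantec code. It checks a single trusted Web domain entry against the rules stated above (one Web domain per entry, an HTTP or HTTPS URL or an IP address, no FTP URLs, no port number) before an administrator adds it to the policy, so that a rejected entry is caught and explained rather than silently leaving a domain unexcepted. The function name and the normalized value it returns are assumptions made for the example; the sample entries are constructed.

```python
"""Check a trusted Web domain exception entry before adding it to a policy.

Added example, not Symantec code. It applies the rules the guide states for
the Add Trusted Web Domain Exception dialog: one Web domain per entry, an
HTTP or HTTPS URL or an IP address, no FTP URLs, and no port number.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_trusted_web_domain(entry: str) -> tuple[bool, str]:
    """Return (accepted, detail).

    On acceptance `detail` is the normalized value (scheme://host, or the
    bare IP address); on rejection it names the rule that was broken.
    """
    value = entry.strip()
    if not value:
        return False, "entry is empty"
    # The dialog takes one domain per exception; whitespace or a comma in the
    # entry usually means several domains were pasted at once.
    if any(ch.isspace() for ch in value) or "," in value:
        return False, "only one Web domain can be specified at a time"

    # A bare IPv4 or IPv6 address is accepted as-is (this is also the only
    # way to cover an FTP location).
    try:
        ipaddress.ip_address(value)
        return True, value
    except ValueError:
        pass

    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme == "ftp":
        return False, "FTP URLs are not supported; use the IP address of the FTP location"
    if scheme not in ALLOWED_SCHEMES:
        # Covers a missing scheme ("example.com") and anything else.
        return False, "specify an HTTP or HTTPS URL, or an IP address"
    host = parts.hostname          # already lower-cased by urlsplit
    if not host:
        return False, "URL has no host"
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return False, "a port number cannot be used"
    if port is not None:
        return False, "a port number cannot be used"
    return True, f"{scheme}://{host}"


if __name__ == "__main__":
    # Constructed sample entries.
    for sample in ("https://updates.example.com", "10.0.0.5",
                   "ftp://files.example.com", "https://example.com:8443",
                   "example.com"):
        print(f"{sample:<28} -> {validate_trusted_web_domain(sample)}")
```

The bare-address check runs before the URL check so that an IPv6 literal such as 2001:db8::1 is not mistaken for a scheme-plus-port form; a scheme-less host name is rejected rather than guessed at, because the dialog requires the scheme to be explicit.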
Creating a Tamper Protection exception
You can create file exceptions for Tamper Protection. You might want to create a Tamper Protection exception if Tamper Protection interferes with a known safe application on your client computers. For example, Tamper Protection might block an assistive technology application, such as a screen reader.
You need to know the name of the file that is associated with the assistive technology application. Then you can create an exception to allow the application to run.
Note: Tamper Protection does not support folder exceptions.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
To create an exception for Tamper Protection
1 On the Exceptions Policy page, click Exceptions.
2 Click Add > Windows Exceptions > Tamper Protection Exception.
3 In the Add Tamper Protection Exception dialog box, in the Prefix variable drop-down box, select a common folder.
When you select a prefix, the exception can be used on different Windows operating systems.
Select [NONE] if you want to enter the absolute path and file name.
4 In the File text box, type the name of the file.
If you selected a prefix, the path should be relative to the prefix. If you selected [NONE] for the prefix, type the full path name.
You must specify a file name. Tamper Protection does not support folder exceptions. If you enter a folder name, Tamper Protection does not exclude all the files in a folder with that name. It only excludes a file with that specified name.
5 Click OK.
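The following Python script is an added example, not part of this guide and not Symantec code. It models the two rules of the procedure above: an exception is a prefix variable plus a path relative to it, or [NONE] plus an absolute path, and Tamper Protection matches whole file paths only, so an entry that names a folder excludes only a file at exactly that path, never the folder's contents. The prefix-to-folder mapping, the variable names other than [NONE], and the function names are assumptions made for the example, not the product's own variable list.

```python
"""Resolve and match Tamper Protection file exceptions.

Added example, not Symantec code. It models the rules in the guide's
procedure: an exception is a prefix variable plus a relative path, or
[NONE] plus an absolute path, and only a file with exactly that path is
excluded; a folder entry does not cover the files inside the folder.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Assumed mapping of prefix variables to folders on a client. Only [NONE]
# comes from the guide; the other names and paths are constructed for the
# example and may differ from the product's real variable list.
PREFIX_FOLDERS: dict[str, PureWindowsPath | None] = {
    "[NONE]": None,
    "[PROGRAM_FILES]": PureWindowsPath(r"C:\Program Files"),
    "[WINDOWS]": PureWindowsPath(r"C:\Windows"),
}


def resolve_exception(prefix: str, file_entry: str) -> PureWindowsPath:
    """Turn a dialog entry (Prefix variable + File text box) into the one
    absolute path the exception covers."""
    if prefix not in PREFIX_FOLDERS:
        raise ValueError(f"unknown prefix variable {prefix!r}")
    base = PREFIX_FOLDERS[prefix]
    entry = PureWindowsPath(file_entry)
    if base is None:
        # [NONE]: the administrator must type the full path name.
        if not entry.is_absolute():
            raise ValueError("[NONE] requires the full path name")
        return entry
    # With a prefix the path must be relative to that prefix.
    if entry.is_absolute():
        raise ValueError("path must be relative to the selected prefix")
    return base / entry


def is_excluded(detected_file: str, exceptions: list[PureWindowsPath]) -> bool:
    """Compare the full path of the file Tamper Protection is about to act on
    against each exception. PureWindowsPath compares case-insensitively, as
    Windows does. There is deliberately no folder-prefix match: an exception
    that names a folder matches only a file with exactly that path."""
    target = PureWindowsPath(detected_file)
    return any(target == exc for exc in exceptions)


if __name__ == "__main__":
    # Constructed sample policy: one prefixed file entry and one [NONE] entry
    # that (mistakenly) names a folder.
    policy = [
        resolve_exception("[PROGRAM_FILES]", r"ScreenReader\reader.exe"),
        resolve_exception("[NONE]", r"C:\Tools\helper"),
    ]
    for path in (r"c:\program files\screenreader\READER.EXE",
                 r"C:\Tools\helper\helper.exe",
                 r"C:\Tools\helper"):
        print(f"{path:<45} excluded={is_excluded(path, policy)}")
```

The second sample shows the folder pitfall the guide warns about: C:\Tools\helper\helper.exe is not excluded by the entry C:\Tools\helper, because the entry is treated as a file name.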
Restricting the types of exceptions that users can configure on client computers
You can configure restrictions so that users on client computers cannot create exceptions for virus and spyware scans or for SONAR. By default, users are permitted to configure exceptions.
Users on client computers can never create exceptions for Tamper Protection, regardless of the restriction settings.
See “Managing exceptions for Symantec Endpoint Protection Small Business Edition” on page 268.
To restrict the types of exceptions that users can configure on client computers
1 On the Exceptions Policy page, click Client Restrictions.
2 Under Client Restrictions, uncheck any exception that you do not want users on client computers to configure.
3 If you are finished with the configuration for this policy, click OK.
Creating exceptions from log events in Symantec Endpoint Protection Manager
You can create exceptions from log events for virus and spyware scans, SONAR, and Tamper Protection.
Note: You cannot create exceptions from log events for early launch anti-malware detections.
Table 18-4 Exceptions and log types
Exception Type: Log Type
File: Risk log, SONAR log
Folder: Risk log, SONAR log
Known risk: Risk log
Extension: Risk log
Application: Risk log, SONAR log
Trusted Web domain: Risk log
Tamper Protection: Application Control log
See “Monitoring endpoint protection” on page 293.
Symantec Endpoint Protection Small Business Edition must have already detected the item for which you want to create an exception. When you use a log event to create an exception, you specify the Exceptions policy that should include the exception.
See “Managing exceptions for Symantec Endpoint Protection Small Business Edition” on page 268.
See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 270.
To create exceptions from log events in Symantec Endpoint Protection Manager
1 On the Monitors tab, click the Logs tab.
2 In the Log type drop-down list, select the Risk log, SONAR log, or Application and Device Control log.
3 Click View Log.
4 Next to Time range, select the time interval to filter the log.
5 Select the entry or entries for which you want to create an exception.
6 Next to Action, select the type of exception that you want to create.
The exception type that you select must be valid for the item or items that you selected.
7 Click Apply or Start.
8 In the dialog box, remove any items that you do not want to include in the exception.
9 For security risks, check Log when the security risk is detected if you want Symantec Endpoint Protection Small Business Edition to log the detection.
10 Select all of the Exceptions policies that should use the exception.
11 Click OK.
Chapter 19
Configuring updates and updating client computer protection
This chapter includes the following topics:
■ Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager
■ Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager
■ Checking LiveUpdate server activity
■ Enabling and disabling LiveUpdate scheduling for client computers
■ Configuring the LiveUpdate download schedule for client computers
Managing content updates
Symantec products depend on current information to protect computers from threats with the latest threat protection technology. Client computers and servers need periodic updates to their protection content, such as virus and spyware definitions, intrusion protection system signatures, and product software.
LiveUpdate provides these Symantec-signed updates through an Internet connection. The LiveUpdate client verifies them to ensure that the updates come from Symantec and have not been tampered with in any way.
Symantec Endpoint Protection Small Business Edition supports the HTTPS, HTTP, and FTP protocols to connect to internal LiveUpdate servers. It supports connections to the Symantec LiveUpdate server over HTTP, with FTP as the backup method. Although HTTPS is not supported for connection to the Symantec LiveUpdate server, the content is digitally signed. The advantage of HTTP is that most clients can connect to the LiveUpdate server over HTTP, and HTTP is typically faster.
Note: The LiveUpdate that Symantec Endpoint Protection Small Business Edition uses does not update content in other Symantec products. If you previously used a single instance of LiveUpdate for content updates on multiple products, you should now enable the LiveUpdate scheduler in those other Symantec products.
You can restrict users from running LiveUpdate only on Windows clients. Users on Mac clients can always run LiveUpdate. Product updates from a LiveUpdate server, however, can be restricted on both Mac and Windows clients. If you restrict product updates from LiveUpdate on a Mac client, you must provide them manually. Mac clients cannot get updates from the management server.
Table 19-1 describes some of the tasks that you can perform to manage content updates. Since you can use the defaults for updating, all tasks are optional.
Table 19-1 Tasks for managing content updates
Task: Run LiveUpdate after installation
Description: After you install Symantec Endpoint Protection Manager, it is configured to periodically update content automatically. However, you can run LiveUpdate immediately or at any point to download the latest security and product updates. See “Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager” on page 288.
Task: Review or change the LiveUpdate schedule for the management server
Description: Review the LiveUpdate downloads and the default schedule that the management server uses to get content updates. You can adjust the schedule. See “Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager” on page 287. See “Viewing LiveUpdate downloads” on page 288. See “Checking LiveUpdate server activity” on page 288.
Task: Decide how client computers get updates
Description: Client computers automatically download virus definitions and other product content updates from Symantec Endpoint Protection Manager. You can also allow them to use LiveUpdate over the Internet to download security definitions and other product updates directly from a Symantec LiveUpdate server.
Note: Mac client computers get updates only from a Symantec LiveUpdate server over the Internet.
See “How client computers receive content updates” on page 285.
See “Configuring the LiveUpdate download schedule for client computers” on page 290.
How client computers receive content updates
Your client computers automatically download virus definitions and other security content updates from Symantec Endpoint Protection Manager. You can also allow them to use LiveUpdate over the Internet to download security definitions and other product updates directly from a Symantec LiveUpdate server when they do not have access to the Symantec Endpoint Protection Manager server. Enabling a computer to use LiveUpdate over the Internet is especially useful if you have users who travel with portable computers. If the computers connect intermittently or not at all to your network, have them update directly from a Symantec LiveUpdate server over the Internet. The client computers continue to get content directly from Symantec Endpoint Protection Manager when on the company network. That method is the most efficient method of delivery and conserves company network bandwidth.
Note: Mac client computers get updates only from an external LiveUpdate server. Only Windows client computers can get updates from the management server.
The Symantec Endpoint Protection Manager LiveUpdate schedule settings are defined in the Server Properties on the Admin page. The LiveUpdate client computer schedule settings are defined in the LiveUpdate policy.
See on page 283.
Table 19-2 Content distribution methods and when to use them
Method: Symantec Endpoint Protection Manager to client computers (Default)
Description: The management server can update the client computers that it manages.
When to use it: This method is configured by default after management server installation.
Note: Only Windows client computers can get updates from the management server. Mac client computers must currently get their updates from a Symantec LiveUpdate server or manually.
Method: Symantec LiveUpdate server to client computers over the Internet
Description: Client computers can receive updates directly from a Symantec LiveUpdate server.
When to use it: Use an external Symantec LiveUpdate server for the client computers that are not always connected to the corporate network.
Note: Mac client computers must use this method.
Symantec Endpoint Protection Manager and scheduled updates are enabled by default, as are the options to only run scheduled updates when the connection to Symantec Endpoint Protection Manager is lost and the virus and spyware definitions are older than a certain age. With the default settings, clients always get updates from Symantec Endpoint Protection Manager except when Symantec Endpoint Protection Manager is nonresponsive for a long period of time.
A client computer receives the content updates from LiveUpdate in the following situations:
■ LiveUpdate scheduling is enabled for the client computer.
■ The client computer's virus definitions are old and the client computer is unable to communicate with Symantec Endpoint Protection Manager.
■ The client computer has repeatedly failed to communicate with Symantec Endpoint Protection Manager.
A portable computer might be unable to communicate with the server because it is disconnected from the network. The computer does not receive the content updates from LiveUpdate when the virus definitions are current and the computer can communicate with Symantec Endpoint Protection Manager.
Note: The downloading of definitions does not require a computer restart. Downloading product updates might require a computer restart.
Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager
You can adjust the schedule that Symantec Endpoint Protection Manager uses to download content updates from LiveUpdate to the management server. For example, you can change the default server schedule frequency from hourly to daily to save bandwidth.
Table 19-3 lists the default settings that Symantec Endpoint Protection Manager uses to download content updates from LiveUpdate.
Table 19-3 Default server schedule settings
Setting: Frequency
Description: How frequently the management server downloads new content. Symantec Endpoint Protection Manager gets content updates from LiveUpdate every four hours.
Setting: Select download start time window
Description: If you select a Daily or Weekly download, you can select an interval for when the download starts.
Setting: Retry interval and Retry window
Description: The retry interval determines how often the management server tries to connect to the LiveUpdate server. The retry window determines how long the management server continues to try when the connection is unsuccessful. If Symantec Endpoint Protection Manager is unable to connect to LiveUpdate, it retries every 15 minutes for an hour.
To configure the schedule for LiveUpdate downloads to Symantec Endpoint Protection Manager
1 In the console, click Admin.
2 On the Admin page, click System.
3 On the Admin page, under Tasks, click Edit the server properties.
4 In the Server Properties dialog box, on the LiveUpdate tab, click Edit Schedule.
5 Change the frequency and any other settings that you want to change.
6 Click OK.
See on page 283.
Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager
You do not have to wait for your scheduled LiveUpdate downloads. You can manually download content updates to Symantec Endpoint Protection Manager.
You can use either of the following procedures.
To manually download content updates to Symantec Endpoint Protection Manager
1 From the Home Page, select Common Tasks and then select Run LiveUpdate.
2 Click Download.
To manually download content updates to Symantec Endpoint Protection Manager
1 In the console, click Admin.
2 On the Admin page, click System.
3 Click Download LiveUpdate content.
4 In the Download LiveUpdate Content dialog box, click Download.
See on page 283.
Viewing LiveUpdate downloads
You can list the recent downloads of LiveUpdate content.
To view LiveUpdate downloads
1 In the console, click Admin.
2 On the Admin page, click System.
3 On the Admin page, click Show LiveUpdate downloads.
4 Click Close.
See on page 283.
Checking LiveUpdate server activity
You can list the events that concern Symantec Endpoint Protection Manager and LiveUpdate. From these events, you can determine when content was updated.
To check LiveUpdate server activity
1 In the console, click Admin.
2 On the Admin page, under Tasks, click System.
3 Click Show the LiveUpdate Status.
4 Click Close.
See on page 283.
Configuring Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet and download content from Symantec LiveUpdate
If you want Symantec Endpoint Protection Manager to go through a proxy server to connect to the Internet, you must configure Symantec Endpoint Protection Manager to connect to the proxy server. A proxy server can add a layer of security because only the proxy server is connected directly to the Internet.
To configure Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet and download content from Symantec LiveUpdate
1 In the console, click Admin, and then click System.
2 Under Servers, select the management server to which you want to connect a proxy server.
3 Under Tasks, click Edit the server properties.
4 On the Proxy Server tab, under HTTP Proxy Settings, for Proxy usage, select Use custom proxy settings.
5 Type in the proxy settings.
For more information on these settings, click Help.
6 Click OK.
See on page 283.
Enabling and disabling LiveUpdate scheduling for client computers
If you enable LiveUpdate for client computers, the computers get content updates from LiveUpdate, based on the default schedule or a schedule that you specify.
If you disable LiveUpdate for client computers, the computers do not get content updates directly from a Symantec LiveUpdate server.
To enable LiveUpdate scheduling for client computers
1 In the console, click Policies.
2 Under Policies, click LiveUpdate.
3 Right-click the policy that you want, and then click Edit.
4 Under Windows Settings, click Schedule.
5 Check Enable LiveUpdate Scheduling.
6 Specify the frequency and the retry window.
7 Click OK.
To disable LiveUpdate scheduling for client computers
1 In the console, click Policies.
2 Under Policies, click LiveUpdate.
3 Right-click the policy that you want, and then click Edit.
4 Under Windows Settings, click Schedule.
5 Uncheck Enable LiveUpdate Scheduling.
6 Click OK.
See on page 283.
Configuring the LiveUpdate download schedule for client computers
The LiveUpdate client schedule settings are defined in the LiveUpdate policy.
To save bandwidth, Symantec Endpoint Protection Small Business Edition clients run scheduled LiveUpdates from the Symantec LiveUpdate server only if both of the following conditions are met:
■ Virus and spyware definitions on a client computer are more than two days old.
■ A client computer is disconnected from Symantec Endpoint Protection Manager for more than eight hours.
To configure the schedule for LiveUpdate downloads to Windows client computers
1 Click Policies and then click LiveUpdate.
2 Right-click the LiveUpdate policy that you want, and then click Edit.
3 Under Windows Settings, click Schedule.
4 Check Enable LiveUpdate Scheduling.
5 Specify the frequency.
If you select Daily, also set the time of day to run. If you select Weekly, also set the time of day to run and the day of the week to run.
6 If you select any frequency other than Continuously, specify the Retry Window.
The Retry Window is the number of hours or days that the client computer tries to run LiveUpdate if the scheduled LiveUpdate fails for some reason.
7 Click OK.
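The following Python script is an added example, not part of this guide and not Symantec code. It encodes the client-side update behaviour described in this chapter as a decision function: a Windows client takes content from Symantec Endpoint Protection Manager whenever it can reach it; a scheduled LiveUpdate against the Symantec LiveUpdate server runs only when scheduling is enabled in the LiveUpdate policy and both of the conditions listed above hold (definitions more than two days old, disconnected from the manager for more than eight hours); and after a failed scheduled run the client retries only within the Retry Window. It also works out the longest a disconnected laptop can run on its current definitions before the fallback becomes eligible, which is the figure to weigh when deciding whether the two-day default suits your environment. Function names, field names and the sample values are assumptions made for the example.

```python
"""Model when a Windows client falls back from the management server to the
Symantec LiveUpdate server, and how long a disconnected laptop can run on
stale definitions before it does.

Added example, not Symantec code. It encodes the defaults this guide states:
the manager is always preferred when reachable; a scheduled LiveUpdate runs
only when scheduling is enabled AND definitions are more than two days old
AND the client has been disconnected for more than eight hours; a failed
scheduled run may be retried only within the Retry Window.
"""
from __future__ import annotations

# Policy defaults from the guide, in hours.
MAX_DEFINITION_AGE_HOURS = 48   # "more than two days old"
MAX_DISCONNECTED_HOURS = 8      # "disconnected ... for more than eight hours"


def content_source(scheduling_enabled: bool, manager_reachable: bool,
                   definitions_age_hours: float, disconnected_hours: float) -> str:
    """Return where this client gets content on this check:
    'manager', 'liveupdate', or 'none' (wait for the manager)."""
    if manager_reachable:
        # Default and cheapest path: the management server updates the
        # clients it manages, so no Internet download is made.
        return "manager"
    if not scheduling_enabled:
        # Scheduling disabled in the LiveUpdate policy: no direct downloads.
        return "none"
    stale = definitions_age_hours > MAX_DEFINITION_AGE_HOURS
    cut_off = disconnected_hours > MAX_DISCONNECTED_HOURS
    # Both conditions must hold; either one alone is not enough.
    return "liveupdate" if (stale and cut_off) else "none"


def hours_until_liveupdate(definitions_age_at_departure_hours: float) -> float:
    """Worst-case exposure window: a client leaves the network with
    definitions of the given age and stays disconnected. Returns how many
    hours pass before a scheduled LiveUpdate becomes eligible."""
    if definitions_age_at_departure_hours < 0:
        raise ValueError("definition age cannot be negative")
    until_stale = MAX_DEFINITION_AGE_HOURS - definitions_age_at_departure_hours
    # The definitions must age past the limit AND the disconnection must
    # exceed its limit, so the later of the two moments wins.
    return max(until_stale, MAX_DISCONNECTED_HOURS)


def retry_allowed(failed_at_hour: float, now_hour: float,
                  retry_window_hours: float) -> bool:
    """After a scheduled LiveUpdate fails at `failed_at_hour`, the client may
    keep retrying until the Retry Window has elapsed."""
    if retry_window_hours <= 0:
        return False
    return failed_at_hour <= now_hour <= failed_at_hour + retry_window_hours


if __name__ == "__main__":
    # Constructed sample states: (scheduling, manager reachable,
    # definitions age in hours, hours disconnected).
    for state in ((True, True, 100, 0), (True, False, 100, 12),
                  (True, False, 100, 4), (True, False, 24, 12),
                  (False, False, 100, 12)):
        print(state, "->", content_source(*state))
    print("fresh definitions at departure:", hours_until_liveupdate(0), "h")
    print("40 h old at departure:", hours_until_liveupdate(40), "h")
```

With fresh definitions the fallback cannot trigger for 48 hours, regardless of how long the laptop has been off the network; with definitions already 40 hours old it triggers after the 8-hour disconnection limit. Either way, shortening the exposure means shipping the laptop out with current definitions, not changing the disconnection threshold.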
To configure the schedule for LiveUpdate downloads to Mac client computers
1 Click Policies and then click LiveUpdate.
2 Right-click the policy that you want, and then click Edit.
3 Under Mac Settings, click Schedule.
4 Specify the frequency.
If you select Daily, also set the time of day to run. If you select Weekly, also set the time of day to run and the day of the week to run.
5 Click OK when finished.
See on page 283.
Chapter 20
Monitoring protection with reports and logs
This chapter includes the following topics:
■ Monitoring endpoint protection
■ Configuring reporting preferences
■ Running and customizing quick reports
■ Saving and deleting custom reports
■ Editing the filter used for a scheduled report
■ Printing and saving a copy of a report
■ Running commands from the computer status log
Monitoring endpoint protection
Symantec Endpoint Protection Small Business Edition collects information about the security events in your network. You can use logs and reports to view these events, and you can use notifications to stay informed about the events as they occur.
You can use the reports and logs to determine the answers to the following kinds of questions:
■ Which computers are infected?
■ Which computers need scanning?
■ What risks were detected in the network?
Note: Symantec Endpoint Protection Small Business Edition pulls the events that appear in the reports from the event logs on your management servers. The event logs contain time-stamps in the client computers' time zones. When the management server receives the events, it converts the event time-stamps to Greenwich Mean Time (GMT) for insertion into the database. When you create reports, the reporting software displays information about events in the local time of the computer on which you view the reports.
Table 20-1 Tasks for monitoring endpoint protection
Task: Review the security status of your network
Description: The following list describes some of the tasks that you can perform to monitor the security status of your client computers.
■ Obtain a count of detected viruses and other security risks and view details for each virus and security risk. See on page 299.
■ Obtain a count of unprotected computers in your network and view the details for each computer. See on page 297.
■ View the number of computers with up-to-date virus and spyware definitions. See on page 297.
■ View the real-time operational status of your client computers. See “Viewing the protection status of clients and client computers” on page 128.
■ View the number of computers that are offline. See on page 298.
■ Review the processes that run in your network. See “Monitoring SONAR detection results to check for false positives” on page 229.
■ Locate which computers are assigned to which groups.
■ View a list of the Symantec Endpoint Protection Small Business Edition software versions that are installed on the clients and Symantec Endpoint Protection Manager servers in your network. See on page 302.
■ Locate which policies are assigned to which groups. See on page 154.
■ View the licensing information on the client computers, which includes the number of valid seats, over-deployed seats, expired seats, and expiration date. See on page 66.
See “Viewing the status of deployed client computers” on page 300.
See “Viewing a daily or weekly status report” on page 296.
Task: Locate which client computers need protection
Description: You can perform the following tasks to view or find which computers need additional protection:
■ View the number of computers with Symantec Endpoint Protection Small Business Edition disabled. See on page 297.
■ View the number of computers with out-of-date virus and spyware definitions. See on page 297.
■ Find the computers that have not been scanned recently. See on page 298.
■ View attack targets and sources. See “Viewing attack targets and sources” on page 300.
Task: Protect your client computers
Description: You can run commands from the console to protect the client computers. See “Running commands from the computer status log” on page 315. For example, you can eliminate security risks on client computers. See “Checking the scan action and rescanning the identified computers” on page 164.
Task: Review events in the logs
Description: Events are the informative, notable, and critical activities that concern your Symantec Endpoint Protection Manager and client computers. The information in the event logs supplements the information that is contained in the reports. See “What you can do from the logs” on page 311. See on page 310.
Task: Configure notifications to alert you when security events occur
Description: You can create and configure notifications to be triggered when certain security-related events occur. For example, you can set a notification to occur when an intrusion attempt occurs on a client computer. See “Setting up administrator notifications” on page 325.
Task: Create custom quick reports and scheduled reports for ongoing monitoring
Description: You can create and generate customized quick reports, and you can schedule custom reports to run regularly with the information that you want to see. See “Running and customizing quick reports” on page 304. See on page 307. See “Saving and deleting custom reports” on page 306. See “Configuring reporting preferences” on page 302.
Viewing a daily or weekly status report
The Daily Status Report provides the following information:
■ Virus detection counts for cleaned, suspicious, blocked, quarantined, deleted, newly infected, and still infected actions.
■ Virus definition distribution timeline
■ Top ten risks and infections
The Weekly Status Report provides the following information:
■ Computer status
■ Virus detection
■ Protection status snapshot
■ Virus definition distribution timeline
■ Risk distribution by day
■ Top ten risks and infections
See “Monitoring endpoint protection” on page 293.
To view the daily status report
1 In the console, click Home.
2 On the Home page, in the Favorite Reports pane, click Symantec Endpoint Protection Small Business Edition Daily Status or Symantec Endpoint Protection Small Business Edition Weekly Status.
Viewing system protection
System protection comprises the following information:
■ The number of computers with up-to-date virus definitions.
■ The number of computers with out-of-date virus definitions.
■ The number of computers that are offline.
■ The number of computers that are disabled.
See “Monitoring endpoint protection” on page 293.
To view system protection
1 In the console, click Home.
System protection is shown in the Endpoint Status pane.
2 In the Endpoint Status pane, click View Details to view more system protection information.
Finding offline computers
You can list the computers that are offline.
A client may be offline for a number of reasons. You can identify the computers that are offline and remediate these problems in a number of ways.
See
“Troubleshooting communication problems between the management server and the client”
on page 350.
To find offline computers
1 In the console, click Home.
2 On the Home page, in the Endpoint Status pane, click the link that represents the number of offline computers.
3 To get more information about offline computers, click the View Details link.
To view offline client computers in the Computer Status log
1 In the console, click Monitors.
2 On the Logs tab, from the Log type list box, click Computer Status.
3 Click Advanced Settings.
4 In the Online status list box, click Offline.
5 Click View Log.
By default, a list of the computers that have been offline for the past 24 hours appears. The list includes each computer's name, IP address, and the last time that it checked in with its server. You can adjust the time range to display offline computers for any time range you want to see.
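The following Python script is an added example, not part of this guide and not the console's own logic or Symantec code. It serves two passages of this chapter: the note under “Monitoring endpoint protection” that client event time-stamps arrive in each client's time zone, are normalized to GMT (UTC) before storage, and are displayed in the viewer's local time; and the Computer Status log described above, which lists the computers that have not checked in during a chosen time range (24 hours by default) with name, IP address and last check-in. It normalizes constructed check-in records to UTC, selects the offline computers relative to a reference time, and renders the result for an administrator in a given zone. The record layout, function names, the reference time and the UTC offsets are assumptions made for the example.

```python
"""List offline computers from Computer Status records, with the last
check-in shown in the viewer's local time.

Added example, not Symantec code or the console's own logic. Client
time-stamps carry the client's own UTC offset and are normalized to UTC
before any comparison; the offline test and the sort both run on the UTC
values, and only the final display is converted to the viewer's zone.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample records. Each client reports its clock together with
# its own UTC offset (ISO 8601). The names, addresses and offsets are
# illustrative.
SAMPLE_STATUS_RECORDS = [
    {"name": "WS-NYC-01", "ip": "10.1.0.11", "last_checkin": "2012-06-01T09:00:00-04:00"},
    {"name": "WS-LON-02", "ip": "10.2.0.12", "last_checkin": "2012-06-01T09:00:00+01:00"},
    {"name": "LAPTOP-07", "ip": "10.3.0.13", "last_checkin": "2012-05-30T17:30:00-07:00"},
    {"name": "SRV-TYO-03", "ip": "10.4.0.14", "last_checkin": "2012-06-02T07:15:00+09:00"},
]


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 time-stamp that carries a UTC offset and normalize
    it to UTC. A stamp without an offset is rejected: a naive clock reading
    cannot be compared across clients in different zones."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"time-stamp {stamp!r} has no UTC offset")
    return parsed.astimezone(timezone.utc)


def find_offline(records, now_utc: datetime,
                 window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return the records whose last check-in is older than `window` as of
    `now_utc`, oldest first. All comparisons happen in UTC."""
    cutoff = now_utc - window
    offline = [r for r in records if to_utc(r["last_checkin"]) < cutoff]
    return sorted(offline, key=lambda r: to_utc(r["last_checkin"]))


def offline_names(records, now_stamp: str, hours: int = 24) -> list[str]:
    """Convenience wrapper: names of the offline computers for a given
    reference time, using a time range of `hours`."""
    return [r["name"] for r in
            find_offline(records, to_utc(now_stamp), timedelta(hours=hours))]


def render(records, viewer_offset_hours: int) -> list[str]:
    """Format name, IP address and last check-in in the viewer's local time,
    which is how the console displays the stored UTC event times."""
    viewer_tz = timezone(timedelta(hours=viewer_offset_hours))
    lines = []
    for r in records:
        local = to_utc(r["last_checkin"]).astimezone(viewer_tz)
        lines.append(f"{r['name']:<11} {r['ip']:<11} "
                     f"{local.strftime('%Y-%m-%d %H:%M %z')}")
    return lines


if __name__ == "__main__":
    # Constructed reference time, and an administrator viewing at UTC-5.
    now = "2012-06-02T12:00:00+00:00"
    for line in render(find_offline(SAMPLE_STATUS_RECORDS, to_utc(now)), -5):
        print(line)
```

WS-NYC-01 and WS-LON-02 report the same wall-clock reading, 09:00, yet only the London machine is offline at the reference time: its 09:00 is 08:00 UTC, five hours earlier than New York's. Comparing the raw client clocks would have put both on the same side of the 24-hour cutoff, which is why the normalization step in the guide's note matters for any offline or "not scanned recently" check.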
Finding unscanned computers
You can list the computers that need scanning.
See
“Monitoring endpoint protection”
on page 293.
To find unscanned computers
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Scan
Selected report: Computers Not Scanned
3 Click Create Report.
Viewing risks
You can get information about the risks in your network.
See
“Monitoring endpoint protection”
on page 293.
To view infected and at risk computers
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Risk
Selected report: Infected and At Risk Computers
3 Click Create Report.
To better understand the benefits and risks of not enabling certain features, you can run the Risk Distribution by Protection Technology report. This report provides the following information:
■ Signature-based detections of viruses and spyware
■ SONAR detections
■ Download Insight detections
■ Intrusion Prevention and browser protection detections
To view the risks detected by the types of protection technology
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Risk
Selected report: Risk Distribution by Protection Technology
3 Click Create Report.
To view newly detected risks
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Risk
Selected report: New Risks Detected in the Network
3 Click Create Report.
To view a comprehensive risk report
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Risk
Select a report: Comprehensive Risk Report
3 Click Create Report.
Viewing the status of deployed client computers
You can confirm the status of your deployed client computers.
See “Monitoring endpoint protection” on page 293.
To view status of deployed client computers
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Computer Status
Select a report: Client Inventory Details
3 Click Create Report.
Viewing attack targets and sources
You can view attack targets and sources.
See “Monitoring endpoint protection” on page 293.
To view the top targets that were attacked
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Network Threat Protection
Select a report: Top Targets Attacked
3 Click Create Report.
To view top attack sources
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Network Threat Protection
Select a report: Top Sources of Attack
3 Click Create Report.
A full report contains the following statistics:
■ Top attack types
■ Top targets of attack
■ Top sources of attack
■ Top traffic notifications
To view a full report on attack targets and sources
1 In the console, click Reports.
2 On the Quick Reports tab, specify the following information:
Report type: Network Threat Protection
Select a report: Full Report
Configure option: You can optionally select the reports to include in the full report.
3 Click Create Report.
Generating a list of the Symantec Endpoint Protection Small Business Edition versions installed on the clients and servers in your network
You can run a quick report from Symantec Endpoint Protection Manager that provides a list of the Symantec Endpoint Protection Small Business Edition software versions that are installed on the clients and Symantec Endpoint Protection Manager servers in your network. This list can be useful when you want to upgrade or migrate your software from a previous version of Symantec Endpoint Protection Small Business Edition. The list includes local and remote computers.
You can save the report using MHTML Web page archive format.
See “Printing and saving a copy of a report” on page 309.
To generate a report that lists the Symantec Endpoint Protection Small Business Edition software versions
1 In the console, click Reports.
2 For Report type, select Computer Status.
3 For Select a report, select Symantec Endpoint Protection Small Business Edition Product Versions.
4 Click Create Report.
Configuring reporting preferences
You can configure the following reporting preferences:
■ The Home and Monitors pages display options
■ The Security Status thresholds
■ The display options that are used for the logs and the reports, as well as legacy log file uploading
For information about the preference options that you can set, you can click Help on each tab in the Preferences dialog box.
To configure reporting preferences
1 In the console, on the Home page, click Preferences.
2 Click one of the following tabs, depending on the type of preferences that you want to set:
■ Home and Monitors
■ Security Status
■ Logs and Reports
3 Set the values for the options that you want to change.
4 Click OK.
About the types of reports
The following categories of reports are available:
■ Quick reports, which you run on demand.
■ Scheduled reports, which run automatically based on a schedule that you configure.
Reports include the event data that is collected from your management servers as well as from the client computers that communicate with those servers. You can customize reports to provide the information that you want to see.
The quick reports are predefined, but you can customize them and save the filters that you used to create the customized reports. You can use the custom filters to create custom scheduled reports. When you schedule a report to run, you can configure it to be emailed to one or more recipients.
See “Running and customizing quick reports” on page 304.
A scheduled report always runs by default. You can change the settings for any scheduled report that has not yet run. You can also delete a single scheduled report or all of the scheduled reports.
See “Creating scheduled reports” on page 307.
You can also print and save reports.
See “Printing and saving a copy of a report” on page 309.
Table 20-2 describes the types of reports that are available.
Table 20-2 Report types available as quick reports and scheduled reports

Report type: Computer Status
Description: Displays the information about the operational status of the computers in your network, such as which computers have security features turned off. These reports include information about versions, the clients that have not checked in to the server, client inventory, and online status.

Report type: Network Threat Protection
Description: Displays the information about intrusion prevention, attacks on the firewall, and about firewall traffic and packets.
The Network Threat Protection reports let you track a computer’s activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections.

Report type: Risk
Description: Displays the information about risk events on your management servers and their clients. It includes information about SONAR scans and, if you have legacy clients in your network, about TruScan proactive threat scans.

Report type: Scan
Description: Displays the information about virus and spyware scan activity.
See “Running and customizing quick reports” on page 304.
Running and customizing quick reports
Quick reports are predefined, customizable reports. These reports include event data collected from your management servers as well as the client computers that communicate with those servers. Quick reports provide information on events specific to the settings you configure for the report. You can save the report settings so that you can run the same report at a later date, and you can print and save reports.
Quick reports are static; they provide information specific to the time frame you specify for the report. Alternately, you can monitor events in real time using the logs.
To run a quick report
1 In the console, click Reports.
2 On the Quick Reports tab, in the Report type list box, select the type of report that you want to run.
3 In the Select a report list box, select the name of the report you want to run.
4 Click Create Report.
To customize a quick report
1 In the console, click Reports.
2 On the Quick Reports tab, in the Report type list box, select the type of report that you want to customize.
3 In the Select a report list box, select the name of the report you want to customize.
For the Network Compliance Status report and the Compliance Status report, in the Status list box, select a saved filter configuration that you want to use, or leave the default filter.
For the Top Risk Detections Correlation report, you can select values for the X-axis and Y-axis list boxes to specify how you want to view the report.
For the Scan Statistics Histogram Scan report, you can select values for Bin width and Number of bins.
For some reports, you can specify how to group the report results in the Group list box. For other reports, you can select a target in the Target field on which to filter report results.
4 In the Use a saved filter list box, select a saved filter configuration that you want to use, or leave the default filter.
5 Under What filter settings would you like to use?, in the Time range list box, select the time range for the report.
6 If you select Set specific dates, then use the Start date and End date list boxes. These options set the time interval that you want to view information about.
When you generate a Computer Status report and select Set specific dates, you specify that you want to see all entries that involve a computer that has not checked in with its server since the time you specify in the date and time fields.
7 If you want to configure additional settings for the report, click Advanced Settings and set the options that you want.
You can click Tell me more to see descriptions of the filter options in the context-sensitive help.
Note: The filter option text boxes that accept wildcard characters and search for matches are not case-sensitive. The ASCII asterisk character is the only asterisk character that can be used as a wildcard character.
You can save the report configuration settings if you think you will want to run this report again in the future.
8 Click Create Report.
See “Saving and deleting custom reports” on page 306.
See “Printing and saving a copy of a report” on page 309.
See “Creating scheduled reports” on page 307.
Saving and deleting custom reports
You can save custom report settings in a filter so that you can generate the report again at a later date. When you save your settings, they are saved in the database.
The name that you give to the filter appears in the Use a saved filter list box for that type of logs and reports.
Note: The filter configuration settings that you save are available for your user logon account only. Other users with reporting privileges do not have access to your saved settings.
See
“Editing the filter used for a scheduled report”
on page 308.
You can delete any report configuration that you create. When you delete a configuration, the report is no longer available. The default report configuration name appears in the Use a saved report list box and the screen is repopulated with the default configuration settings.
Note: If you delete an administrator from the management server, you have the option to save the reports that were created by the deleted administrator. The ownership of the reports is changed, and the report names are changed. The new report name is in the format "OriginalName('AdminName')". For example, a report that was created by administrator JSmith, named Monday_risk_reports, would be renamed Monday_risk_reports(JSmith).
To save a custom report
1 In the console, click Reports.
2 On the Quick Reports tab, select a report type from the list box.
3 Change any basic settings or advanced settings for the report.
4 Click Save Filter.
5 In the Filter name text box, type a descriptive name for this report filter.
Only the first 32 characters of the name that you give display when the filter is added to the Use a saved filter list.
6 Click OK.
7 When the confirmation dialog box appears, click OK.
After you save a filter, it appears in the Use a saved filter list box for related reports and logs.
To delete a custom report
1 In the console, click Reports.
2 On the Quick Reports tab, select a report type.
3 In the Use a saved filter list box, select the name of the filter that you want to delete.
4 Click the Delete icon beside the Use a saved filter list box.
5 When the confirmation dialog box appears, click Yes.
Creating scheduled reports
Scheduled reports are the reports that run automatically based on the schedule that you configure. Scheduled reports are emailed to recipients, so you must include the email address of at least one recipient. After a report runs, the report is emailed to the recipients that you configure as an .mht file attachment.
The data that appears in the scheduled reports is updated in the database every hour. At the time that the management server emails a scheduled report, the data in the report is current to within one hour.
To create a scheduled report
1 In the console, click Reports.
2 On the Scheduled Reports tab, click Add.
3 In the Report name text box, type a descriptive name and optionally, type a longer description.
Although you can paste more than 255 characters into the description text box, only 255 characters are saved in the description.
4 If you do not want this report to run until another time, uncheck the Enable this scheduled report check box.
5 Select the report type that you want to schedule from the list box.
6 Select the name of the specific report that you want to schedule from the list box.
7 Select the name of the saved filter that you want to use from the list box.
8 In the Run every text box, select the time interval at which you want the report to be emailed to recipients (hours, days, weeks, months). Then, type the value for the time interval you selected. For example, if you want the report to be sent to you every other day, select days and then type 2.
9 In the Start after text box, type the date that you want the report to start or click the calendar icon and select the date. Then, select the hour and minute from the list boxes.
10 Under Report Recipients, type one or more comma-separated email addresses.
You must already have set up mail server properties for email notifications to work.
11 Click OK to save the scheduled report configuration.
Editing the filter used for a scheduled report
You can change the settings for any report that you have already scheduled. The next time the report runs it uses the new filter settings. You can also create additional scheduled reports, which you can base on a previously saved report filter.
Note: When you associate a saved filter with a scheduled report, make sure that the filter does not contain custom dates. If the filter specifies a custom date, you get the same report every time the report runs.
See “Creating scheduled reports” on page 307.
To edit the filter used for a scheduled report
1 In the console, click Reports.
2 Click Scheduled Reports.
3 In the list of reports, click the scheduled report that you want to edit.
4 Click Edit Filter.
5 Make the filter changes that you want.
6 Click Save Filter.
If you want to retain the original report filter, give this edited filter a new name.
7 Click OK.
8 When the confirmation dialog box appears, click OK.
Printing and saving a copy of a report
You can print a report or save a copy of a Quick Report. You cannot print scheduled reports. A saved file or printed report provides a snapshot of the current data in your reporting database so that you can retain a historical record.
Note: By default, Internet Explorer does not print background colors and images.
If this printing option is disabled, the printed report may look different from the report that you created. You can change the settings in your browser to print background colors and images.
See “Running and customizing quick reports” on page 304.
To print a copy of a report
1 In the report window, click Print.
2 In the Print dialog box, select the printer you want, if necessary, and then click Print.
When you save a report, you save a snapshot of your security environment that is based on the current data in your reporting database. If you run the same report later, based on the same filter configuration, the new report shows different data.
To save a copy of a report
1 In the report window, click Save.
2 In the File Download dialog box, click Save.
3 In the Save As dialog box, in the Save in selection dialog box, browse to the location where you want to save the file.
4 In the File name list box, change the default file name, if desired.
5 Click Save.
The report is saved in MHTML Web page archive format in the location you selected.
6 In the Download complete dialog box, click Close.
Viewing logs
You can generate a list of events to view from your logs that are based on a collection of filter settings that you select. Each log type and content type have a default filter configuration that you can use as-is or modify. You can also create and save new filter configurations. These new filters can be based on the default filter or on an existing filter that you created previously. If you save the filter configuration, you can generate the same log view at a later date without having to configure the settings each time. You can delete your customized filter configurations if you no longer need them.
Because logs contain some information that is collected at intervals, you can refresh your log views. To configure the log refresh rate, display the log and select from the Auto-Refresh list box at the top right on that log's view.
Note: If you view log data by using specific dates, the data stays the same when you click Auto-Refresh.
Reports and logs always display in the language that the management server was installed with.
See “What you can do from the logs” on page 311.
See “Saving and deleting custom logs by using filters” on page 313.
To view a log
1 In the main window, click Monitors.
2 On the Logs tab, from the Log type list box, select the type of log that you want to view.
3 For some types of logs, a Log content list box appears. If it appears, select the log content that you want to view.
4 In the Use a saved filter list box, select a saved filter or leave the value Default.
5 Select a time from the Time range list box or leave the default value. If you select Set specific dates, then set the date or dates and time from which you want to display entries.
6 Click Advanced Settings to limit the number of entries you display.
You can also set any other available Advanced Settings for the type of log that you selected.
Note: The filter option fields that accept wildcard characters and search for matches are not case-sensitive. The ASCII asterisk character is the only asterisk character that can be used as a wildcard character.
7 After you have the view configuration that you want, click View Log.
The log view appears in the same window.
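The note above (and the identical note under "To customize a quick report") states two rules for wildcard filter fields: matching is case-insensitive, and only the ASCII asterisk is a wildcard. The following Python example, added here and not part of the guide or of the product, implements a matcher with exactly those two properties and runs it over a constructed set of Computer Status rows. The rows, the `wildcard_to_regex` and `filter_rows` names and the field names are this example's own assumptions; the product's actual matching code is not shown in the guide.

```python
import re

# Constructed sample Computer Status rows (hypothetical hosts, not real log data).
SAMPLE_ROWS = [
    {"computer": "WS-FINANCE-01", "ip": "10.0.1.21", "online": "Online"},
    {"computer": "ws-finance-02", "ip": "10.0.1.22", "online": "Offline"},
    {"computer": "SRV-FILE-02", "ip": "10.0.0.5", "online": "Online"},
    {"computer": "LAPTOP-REMOTE-3", "ip": "10.0.9.14", "online": "Offline"},
]

ASCII_ASTERISK = "*"  # U+002A; look-alikes such as U+FF0A are ordinary characters


def wildcard_to_regex(pattern):
    """Compile a filter pattern in which only the ASCII asterisk is a wildcard.

    The pattern is split on U+002A; every other character, including
    full-width or other non-ASCII asterisks, is escaped and matched literally.
    The compiled expression is case-insensitive and is applied with fullmatch,
    so the pattern must account for the whole field value.
    """
    pieces = pattern.split(ASCII_ASTERISK)
    return re.compile(".*".join(re.escape(p) for p in pieces), re.IGNORECASE)


def filter_rows(rows, field, pattern):
    """Keep the rows whose `field` value matches the wildcard pattern."""
    rx = wildcard_to_regex(pattern)
    return [r for r in rows if rx.fullmatch(r[field])]


def matching_names(pattern, rows=SAMPLE_ROWS):
    """Convenience wrapper: computer names matched by a pattern on the computer field."""
    return [r["computer"] for r in filter_rows(rows, "computer", pattern)]


if __name__ == "__main__":
    print(matching_names("ws-fin*"))        # both FINANCE hosts, regardless of case
    print(matching_names("ws-fin\uff0a"))   # full-width asterisk is literal: no match
```

A pattern such as `*-02` spans more than one naming scheme because the asterisk matches any prefix; narrow the prefix (for example `ws-*-02`) when a filter is meant to isolate one group of computers.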
What you can do from the logs
Logs contain records about client configuration changes, security-related activities, and errors. These records are called events. The logs display these events with any relevant additional information. Security-related activities include information about virus detections, computer status, and the traffic that enters or exits the client computer.
Logs are an important method for tracking each client computer’s activity and its interaction with other computers and networks. You can use this data to analyze the overall security status of the network and modify the protection on the client computers. You can track the trends that relate to viruses, security risks, and attacks. If several people use the same computer, you might be able to identify who introduces risks, and help that person to use better precautions.
You can view the log data on the Logs tab of the Monitors page.
The management server regularly uploads the information in the logs from the clients to the management server. You can view this information in the logs or in reports. Because reports are static and do not include as much detail as the logs, you might prefer to monitor the network by using logs.
In addition to using the logs to monitor your network, you can take the following actions from various logs:
■ Run commands on client computers.
See “Running commands from the computer status log” on page 315.
■ Add several kinds of exceptions.
See “Creating exceptions from log events in Symantec Endpoint Protection on page 280.
■ Delete files from the Quarantine.
See “Using the Risk log to delete quarantined files on your client computers” on page 202.
Table 20-3 describes the different types of content that you can view and the actions that you can take from each log.
Table 20-3 Log types

Log type: Application and Device Control
Contents and actions: Application and Device Control is not supported on Symantec Endpoint Protection Small Business Edition, but the Application Control log contains information about Tamper Protection events. Although you can also select the Device Control log to view, it is always empty.
Available information includes the time the event occurred, the action taken, and the domain and computer that were involved. It also includes the user that was involved, the severity, the rule that was involved, the caller process, and the target.
You can create a Tamper Protection exception from the Application Control log.

Log type: Computer Status
Contents and actions: The Computer Status log contains information about the real-time operational status of the client computers in the network.
Available information includes the computer name, IP address, infected status, protection technologies, Auto-Protect status, versions, and definitions date. It also includes the user, last check-in time, policy, group, domain, and restart required status.
You can also clear the infected status of computers from this log.
Note: This log contains information that is collected from both Windows clients and Mac clients.

Log type: Network Threat Protection
Contents and actions: The Network Threat Protection logs contain information about attacks on the firewall and on intrusion prevention. Information is available about denial-of-service attacks, port scans, and the changes that were made to executable files. They also contain information about the connections that are made through the firewall (traffic), and the data packets that pass through. These logs also contain some of the operational changes that are made to computers, such as detecting network applications, and configuring software.
No actions are associated with these logs.

Log type: SONAR
Contents and actions: The SONAR log contains information about the threats that have been detected during SONAR threat scanning. These are real-time scans that detect potentially malicious applications when they run on your client computers.
The information includes items such as the time of occurrence, event actual action, user name, Web domain, application, application type, file, and path.
If you have legacy clients in your network, the SONAR log can also contain information from legacy TruScan proactive threat scans.
See on page 225.

Log type: Risk
Contents and actions: The Risk log contains information about risk events. Available information includes the event time, event actual action, user name, computer, and domain, risk name and source, count, and file and path.

Log type: Scan
Contents and actions: The Scan log contains information about virus and spyware scan activity from both Windows clients and Mac clients.
Available information includes items such as the scan start, computer, IP address, status, duration, detections, scanned, omitted, and domain.
No actions are associated with these logs.

Log type: System
Contents and actions: The system logs contain information about events such as when services start and stop.
No actions are associated with these logs.
Saving and deleting custom logs by using filters
You can construct custom filters by using the Basic Settings and Advanced Settings to change the information that you want to see. You can save your filter settings to the database so that you can generate the same view again in the future.
When you save your settings, they are saved in the database. The name you give to the filter appears in the Use a saved filter list box for that type of logs and reports.
Note: If you selected Past 24 hours as the time range for a log filter, the 24-hour time range begins when you first select the filter. If you refresh the page, the start of the 24-hour range does not reset. If you select the filter, and wait to view a log, the time range starts when you select the filter. It does not start when you view the log.
If you want to make sure the past 24-hour range starts now, select a different time range and then reselect Past 24 hours.
To save a custom log by using a filter
1 In the main window, click Monitors.
2 On the Logs tab, select the type of log view that you want to configure a filter for from the Log type list box.
3 For some types of logs, a Log content list box appears. If it appears, select the log content that you want to configure a filter for.
4 In the Use a saved filter list box, select the filter that you want to start from.
For example, select the default filter.
5 Under What filter settings would you like to use, click Advanced Settings.
6 Change any of the settings.
7 Click Save Filter.
8 In the dialog box that appears, in the Filter name box, type the name that you want to use for this log filter configuration. Only the first 32 characters of the name that you give display when the saved filter is added to the filter list.
9 Click OK and your new filter name is added to the Use a saved filter list box.
10 When the confirmation dialog box appears, click OK.
To delete a saved filter
1 In the Use a saved filter list box, select the name of the log filter that you want to delete.
2 Beside the Use a saved filter list box, click the Delete icon.
3 When you are prompted to confirm that you want to delete the filter, click Yes.
Running commands from the computer status log
From the Computer Status log, you can take the following kinds of actions on client computers:
■ Run scans or cancel scans.
■ Restart the computers.
■ Update content.
■ Enable or disable several of the protection technologies.
You can also right-click a group directly from the Computers page of the Symantec Endpoint Protection Manager console to run commands.
See “About commands that you can run on client computers” on page 132.
See “Running commands on the client computer from the console” on page 134.
From the Command Status tab, you can view the status of the commands that you have run from the console and their details. You can also cancel a specific scan from this tab if the scan is in progress.
You can cancel all scans in progress and queued for selected clients. If you confirm the command, the table refreshes and you see that the cancel command is added to the command status table.
Note: If you run a scan command, and select a Custom scan, the scan uses the command scan settings that you configured on the Administrator-defined Scans page. The command uses the settings that are in the Virus and Spyware Protection policy that is applied to the selected client computers.
If you run a Restart Client Computer command from a log, the command is sent immediately. Users that are logged on to the client are warned about the restart based on the options that the administrator has configured for that client.
See on page 85.
To run a command from the Computer Status log
1 Click Monitors.
2 On the Logs tab, from the Log type list box, select Computer Status.
3 Click View Log.
4 Select a command from the Action list box.
5 Click Start.
If there are settings choices for the command that you selected, a new page appears where you can configure the appropriate settings.
6 When you have finished configuration, click Yes or OK.
7 In the command confirmation message box that appears, click Yes.
8 In the Message dialog box, click OK.
If the command is not queued successfully, you may need to repeat this procedure. You can check to see if the server is down. If the console has lost connectivity with the server, you can log off the console and then log back on to see if that helps.
To view command status details
1 Click Monitors.
2 On the Command Status tab, select a command in the list, and then click Details.
To cancel a specific scan that is in progress
1 Click Monitors.
2 On the Command Status tab, click the Cancel Scan icon in the Command column of the scan command that you want to cancel.
3 When a confirmation that the command was queued successfully appears, click OK.
To cancel all in-progress and queued scans
1 Click Monitors.
2 On the Logs tab, from the Log type list box, select Computer Status.
3 Click View Log.
4 Select one or more computers in the list, and then select Cancel All Scans from the command list.
5 Click Start.
6 When the confirmation dialog box appears, click Yes to cancel all in-progress and queued scans for the selected computers.
7 When a confirmation that the command was queued successfully appears, click OK.
Chapter 21 Managing notifications
This chapter includes the following topics:
■ Managing notifications
■ Establishing communication between the management server and email servers
■ Viewing and acknowledging notifications
■ Saving and deleting administrative notification filters
■ Setting up administrator notifications
■ How upgrades from another version affect notification conditions
Managing notifications
Notifications alert administrators and computer users about potential security problems.
Some notification types contain default values when you configure them. These guidelines provide reasonable starting points depending on the size of your environment, but they may need to be adjusted. Trial and error may be required to find the right balance between too many and too few notifications for your environment. Set the threshold to an initial limit, then wait for a few days. After a few days, you can adjust the notifications settings.
For virus, security risk, and firewall event detection, suppose that you have fewer than 100 computers in a network. A reasonable starting point in this network is to configure a notification when two risk events are detected within one minute.
If you have 100 to 1000 computers, detecting five risk events within one minute may be a more useful starting point.
You manage notifications on the Monitors page. You can use the Home page to determine the number of unacknowledged notifications that need your attention.
Table 21-1 lists the tasks you can perform to manage notifications.
Table 21-1 Notification management

Task: Learn about notifications
Description: Learn how notifications work.
See on page 318.

Task: Confirm that the email server is configured to enable email notifications
Description: Notifications sent by email require that the Symantec Endpoint Protection Manager and the email server are properly configured.
See “Establishing communication between the management server and email servers” on page 323.

Task: Review preconfigured notifications
Description: Review the preconfigured notifications provided by Symantec Endpoint Protection Small Business Edition.

Task: View unacknowledged notifications
Description: View and respond to unacknowledged notifications.
See “Viewing and acknowledging notifications” on page 323.

Task: Configure new notifications
Description: Optionally create notifications to remind you and other administrators about important issues.
See “Setting up administrator notifications” on page 325.

Task: Create notification filters
Description: Optionally create filters to expand or limit your view of all of the notifications that have been triggered.
See “Saving and deleting administrative notification filters” on page 324.
How notifications work
Notifications alert administrators and users about potential security problems.
For example, a notification can alert administrators about an expired license or a virus infection.
Events trigger a notification. A new security risk, a hardware change to a client computer, or a trialware license expiration can trigger a notification. Actions can then be taken by the system once a notification is triggered. An action might record the notification in a log, or run a batch file or an executable file, or send an email.
Note: Email notifications require that communications between the Symantec Endpoint Protection Manager and the email server are properly configured.
You can set a damper period for notifications. The damper period specifies the time that must pass before the notification condition is checked for new data.
When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network.
If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack.
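The threshold-within-a-window rule recommended above for risk events (two events within one minute for a small network, five for a larger one), combined with a damper period and the "any computer / single computer / distinct computers" occurrence types of the Risk outbreak condition, as an added illustration in Python; this is not Symantec's implementation and not code from the guide. It assumes events arrive in time order and that the occurrences that produced a notification are consumed before counting starts again.

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

# An event is (timestamp in seconds, name of the client computer it occurred on).
Event = Tuple[float, str]


@dataclass
class RiskOutbreakCondition:
    """Notification condition: `threshold` occurrences within `window_secs`
    trigger a notification; a non-zero `damper_secs` then suppresses further
    notifications until the damper period has passed.
    `scope` selects how occurrences are counted (hypothetical names, not the
    console's): on "any" computer, on a "single" computer, or on "distinct"
    computers."""
    name: str
    threshold: int
    window_secs: float
    damper_secs: float = 0.0
    scope: str = "any"
    _window: Deque[Event] = field(default_factory=deque)
    _last_fired: Optional[float] = None

    def _occurrences(self) -> int:
        """Count the occurrences in the window according to the configured scope."""
        if self.scope == "any":
            return len(self._window)
        per_host = Counter(host for _, host in self._window)
        if self.scope == "single":
            return max(per_host.values(), default=0)
        if self.scope == "distinct":
            return len(per_host)
        raise ValueError(f"unknown scope {self.scope!r}")

    def observe(self, event: Event) -> bool:
        """Feed one event (events must arrive in time order) and return True
        if a notification is issued for it."""
        ts, _ = event
        self._window.append(event)
        # Discard occurrences that fell out of the time period.
        while self._window and ts - self._window[0][0] > self.window_secs:
            self._window.popleft()
        if self._occurrences() < self.threshold:
            return False
        # Damper: only the first trigger inside the damper period is issued.
        if self._last_fired is not None and ts - self._last_fired < self.damper_secs:
            return False
        self._last_fired = ts
        # Assumption: the occurrences that produced a notification are consumed,
        # so the next notification needs `threshold` fresh occurrences.
        self._window.clear()
        return True


def notifications(condition: RiskOutbreakCondition, events: List[Event]) -> List[float]:
    """Replay a list of events and return the timestamps at which notifications fire."""
    return [ts for ts, host in events if condition.observe((ts, host))]


# Constructed sample data: a two-hour outbreak with a detection every 10 seconds,
# spread over seven client computers.
OUTBREAK: List[Event] = [(t, f"pc{(t // 10) % 7}") for t in range(0, 7200, 10)]

if __name__ == "__main__":
    # Small network (under 100 computers): two risk events within one minute.
    small = RiskOutbreakCondition("small-network", threshold=2, window_secs=60)
    # Larger network: five risk events within one minute, at most one email per hour.
    large = RiskOutbreakCondition("large-network", threshold=5, window_secs=60,
                                  damper_secs=3600)
    print("small:", notifications(small, OUTBREAK[:12]))
    print("large:", notifications(large, OUTBREAK))  # one notification per hour
```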
See page 317.
See “Establishing communication between the management server and email servers” on page 323.
See “What are the types of notifications and when are they sent?” on page 319.
See “Setting up administrator notifications” on page 325.
See “Viewing and acknowledging notifications” on page 323.
What are the types of notifications and when are they sent?
Symantec Endpoint Protection Manager provides notifications for administrators.
You can customize most of these notifications to meet your particular needs. For example, you can add filters to limit a trigger condition only to specific computers.
Or you can set notifications to take specific actions when they are triggered.
By default, some of these notifications are enabled when you install Symantec Endpoint Protection Manager. Notifications that are enabled by default are configured to log to the server and send email to system administrators.
See page 317.
See “How upgrades from another version affect notification conditions” on page 326.
Table 21-2 Preconfigured notifications
Notification: Client list changed
Description: This notification triggers when there is a change to the existing client list. Client list changes can include:
■ The addition of a client
■ A change in the group of a client
■ A change in the name of a client
■ The deletion of a client
■ A change in the hardware of a client
This notification condition is enabled by default.
Notification: Client security alert
Description: This notification triggers upon any of the following security events:
■ Network Threat Protection events
■ Traffic events
You can modify this notification to specify the type, severity, and frequency of events that determine when these notifications are triggered. Some of these occurrence types require that you also enable logging in the associated policy.
Notification: Download Protection content out-of-date
Description: Alerts the administrators about out-of-date Download Protection content. You can specify the age at which the definitions trigger the notification.
Notification: IPS signature out-of-date
Description: Alerts the administrators about out-of-date IPS signatures. You can specify the age at which the definitions trigger the notification.
Notification: Licensing issue (Paid license expiration)
Description: This notification alerts administrators and, optionally, partners, about the paid licenses that have expired or that are about to expire. This notification is enabled by default.
Notification: Licensing issue (Over-deployment)
Description: This notification alerts administrators and, optionally, partners, about over-deployed paid licenses. This notification is enabled by default.
Notification: Licensing issue (Trial license expiration)
Description: This notification alerts administrators about expired trial licenses and the trial licenses that are due to expire in 60, 30, and 7 days. This notification is enabled by default if there is a trial license. It is not enabled by default if your license is due for an upgrade or has been paid.
Notification: New risk detected
Description: This notification triggers whenever virus and spyware scans detect a new risk.
Notification: New software package
Description: This notification triggers when a new software package downloads or the following occurs:
■ LiveUpdate downloads a client package.
■ The management server is upgraded.
■ The console manually imports client packages.
You can specify whether the notification is triggered only by new security definitions, only by new client packages, or by both. By default, the Client package setting option is enabled and the Security definitions option is disabled for this condition. The New client software notification is enabled by default.
Notification: Risk outbreak
Description: This notification alerts administrators about security risk outbreaks. You set the number and type of occurrences of new risks and the time period within which they must occur to trigger the notification. Types of occurrences include occurrences on any computer, occurrences on a single computer, or occurrences on distinct computers. This notification condition is enabled by default.
Notification: Server health
Description: Server health issues trigger the notification. The notification lists the server name, the health status, the reason, and the last online or offline status. This notification is enabled by default.
Notification: Single risk event
Description: This notification triggers upon the detection of a single risk event and provides details about the risk. The details include the user and the computer involved, and the actions that the management server took.
Notification: SONAR definition out-of-date
Description: Alerts the administrators about out-of-date SONAR definitions. You can specify the age at which the definitions trigger the notification.
Notification: System event
Description: This notification triggers upon certain system events and provides the number of such events that were detected. System events include the following events:
■ Server activities
■ System errors
Notification: Virus definitions out-of-date
Description: Alerts the administrators about out-of-date virus definitions. You can specify the age at which the definitions trigger the notification. This notification is enabled by default.
About partner notifications
When the management server detects that clients have paid licenses that are about to expire or that have expired, it can send a notification to the system administrator. Similarly, the management server can send a notification to the administrator when it detects that licenses are over-deployed.
However, in both of these cases, the resolution of the problem may require the purchase of new licenses or renewals. In many installations the server administrator may not have the authority to make such purchases, but instead relies upon a Symantec partner to perform this task.
The management server provides the ability to maintain the contact information for the partner. This information can be supplied when the server is installed.
The system administrator can also supply or edit the partner information at any time after the installation in the Licenses pane of the console.
When the partner contact information is available to the management server, paid license-related notifications and over-deployed license notifications are sent automatically both to the administrator and to the partner.
See “What are the types of notifications and when are they sent?” on page 319.
Establishing communication between the management server and email servers
For the management server to send automatic email notifications, you must configure the connection between the management server and the email server.
See page 317.
To establish communication between the management server and email servers
1 In the console, click Admin, and then click System.
2 Under Server, select the management server.
3 Under Tasks, click Edit the server properties.
4 In the Server Properties dialog box, click the Email Server tab.
5 Enter the email server settings.
For details about setting options in this dialog box, click Help.
6 Click OK.
Viewing and acknowledging notifications
You can view unacknowledged notifications or all notifications. You can acknowledge an unacknowledged notification. You can view all the notification conditions that are currently configured in the console.
The Security Status pane on the Home page indicates the number of unacknowledged notifications that have occurred during the last 24 hours.
See page 317.
To view recent unacknowledged notifications
1 In the console, click Home.
2 On the Home page, in the Security Status pane, click View Notifications.
A list of recent unacknowledged notifications appears under the Notifications tab.
3 Optionally, in the list of notifications, in the Report column, click the document icon if it exists.
The notification report appears in a separate browser window. If there is no document icon, all of the notification information appears in the Message column in the list of notifications.
To view all notifications
1 In the console, click Monitors and then click the Notifications tab.
2 Optionally, on the Notifications tab, from the Use a saved filter menu, select a saved filter.
See “Saving and deleting administrative notification filters” on page 324.
3 Optionally, on the Notifications tab, from the Time range menu, select a time range.
4 On the Notifications tab, click View Notifications.
To acknowledge a notification
1 View notifications.
See “To view recent unacknowledged notifications” on page 323.
See page 324.
2 On the Notifications tab, in the list of notifications, in the Ack column, click the red icon to acknowledge the notification.
To view all configured notification conditions
1 In the console, click Monitors.
2 On the Monitors page, on the Notifications tab, click Notification Conditions.
All the notification conditions that are configured in the console are shown. You can filter the list by selecting a notification type from the Show notification type menu.
Saving and deleting administrative notification filters
You can use filters to expand or limit your view of administrative notifications in the console. You can save new filters and you can delete previously saved filters.
See “Viewing and acknowledging notifications” on page 323.
See page 317.
You can create a saved filter that uses any combination of the following criteria:
■ Time range
■ Acknowledged status
■ Notification type
■ Created by
■ Notification name
For example, you can create a filter that only displays unacknowledged risk outbreak notifications posted during the past 24 hours.
To add a notification filter
1 In the console, click Monitors.
2 On the Monitors page, on the Notifications tab, click Advanced Settings.
3 Under the What filter settings would you like to use? heading, set the criteria for the filter.
4 Click Save Filter.
5 On the Notifications tab, in the Filter name box, type a filter name, and then click OK.
To delete a saved notification filter
1 In the console, click Monitors.
2 On the Monitors page, on the Notifications tab, on the Use a saved filter menu, choose a filter.
3 At the right of the Use a saved filter menu, click the X icon.
4 In the Delete Filter dialog box, click Yes.
Setting up administrator notifications
You can configure notifications to alert you and other administrators when particular kinds of events occur. You can also add the conditions that trigger notifications to remind you to perform important tasks. For example, you can add a notification condition to inform you when a license has expired, or when a security risk has been detected.
When triggered, a notification can perform specific actions, such as the following:
■ Log the notification to the database.
■ Send an email to one or more individuals.
■ Run a batch file.
Note: To send email notifications, you must configure an email server to communicate with the management server.
See “Establishing communication between the management server and email servers” on page 323.
You choose the notification condition from a list of available notification types.
Once you choose the notification type, you then configure it as follows:
■ Specify filters.
Not all notification types provide filters. When they do, you can use the filters to limit the conditions that trigger the notification. For example, you can restrict a notification to trigger only when computers in a specific group are affected.
■ Specify settings.
All notification types provide settings, but the specific settings vary from type to type. For example, a risk notification may allow you to specify what type of scan triggers the notification.
■ Specify actions.
All notification types provide actions you can specify.
To set up an administrator notification
1 In the console, click Monitors.
2 On the Monitors page, on the Notifications tab, click Notification Conditions.
3 On the Notifications tab, click Add, and then click a notification type.
4 In the Add Notification Condition dialog box, provide the following information:
■ In the Notification name text box, type a name to label the notification condition.
■ In the What filter settings would you like to use? area, if it is present, specify the filter settings for the notification condition.
■ In the What settings would you like for this notification? area, specify the conditions that trigger the notification.
■ In the What should happen when this notification is triggered? area, specify the actions that are taken when the notification is triggered.
5 Click OK.
See page 317.
See “Viewing and acknowledging notifications” on page 323.
How upgrades from another version affect notification conditions
When Symantec Endpoint Protection Small Business Edition is installed on a new server, many of the preconfigured notification conditions are enabled by default.
An upgrade to Symantec Endpoint Protection Small Business Edition from a previous version, however, can affect which notification conditions are enabled by default. It can also affect their default settings.
The following notification conditions are enabled by default in a new installation of Symantec Endpoint Protection Small Business Edition:
■ Client list changed
■ New client software
■ Over deployment issue
■ Paid license issue
■ Risk outbreak
■ Server health
■ Trialware license expiration
■ Virus definitions out-of-date
When an administrator upgrades the software from a previous version, all existing notification conditions from the previous version are preserved. However, existing New software package notification conditions become New client software notification conditions. The New client software condition has two settings that are not present in the New software package condition: Client package and Security definitions. When the software is upgraded, the Client package setting is enabled and the Security definitions setting is disabled for this notification condition.
Note: When the Security definitions setting in the New client software notification condition is enabled, it may cause a large number of notifications to be sent. This situation can occur when there are many clients or when there are frequently scheduled security definition updates. If you do not want to receive frequent notifications about security definition updates, you can edit the notification condition to disable the Security definitions setting.
The value of the Send email to system administrators setting is preserved across the upgrade for all notification conditions that have this setting.
When a default notification condition type has not been added in a previous installation, that notification condition is added in the upgraded installation.
However, the upgrade process cannot determine which default notification conditions may have been deleted deliberately by the administrator in the previous installation. With one exception, therefore, all of the following action settings are disabled in each default notification condition in an upgraded installation: Send email to system administrators, Log the notification, Run batch file, and Send email to. When all four of these actions are disabled, the notification condition is not processed, even though the condition itself is present. Administrators can edit the notification conditions to enable any or all of these settings.
Note that the New client software notification condition is an exception: it can produce notifications by default when it is added during the upgrade process. Unlike the other default notification conditions, both the Log the notification and the Send email to system administrators action settings are enabled for this condition.
If a trialware license is in effect at the time of the upgrade, a Trialware license expiration notification condition is enabled.
Some notification condition types are not available in previous versions of the software. Those notification conditions are enabled by default when the software is upgraded.
See “What are the types of notifications and when are they sent?” on page 319.
Section 4 Configuring and managing Symantec Endpoint Protection Manager
■ Chapter 22. Managing the connection between the management server and the client computers
■ Chapter 23. Preparing for disaster recovery
Chapter 22 Managing the connection between the management server and the client computers
This chapter includes the following topics:
■ Managing the client-server connection
■ How to determine whether the client is connected and protected
■ Why do I need to replace the client-server communications file on the client computer?
■ How do I replace the client-server communications file on the client computer?
■ Restoring client-server communications by using a client installation package
■ Exporting the client-server communications file manually
■ Importing client-server communication settings into the client
Managing the client-server connection
After you install the client, the management server automatically connects to the client computer. You may need to verify whether the client and server communicate.
Table 22-1 lists the tasks you can perform to view and manage how the management server connects to clients.
Table 22-1 Tasks to manage connections between the management server and the clients
Action: Check whether the client is connected to the management server
Description: You can check the client status icon in the client and in the management console. The status icon shows whether the client and the server communicate. See “How to determine whether the client is connected in the console” on page 127.
A computer may have the client software installed, but does not have the correct communications file. See “Why do I need to replace the client-server communications file on the client computer?” on page 333. See “How do I replace the client-server communications file on the client computer?” on page 334.
Action: Check that the client gets policy updates
Description: Check that the client computers get the most current policy updates by checking the policy serial number in the client and in the management console. The policy serial number should match if the client can communicate with the server and receives regular policy updates. You can perform a manual policy update and then check the policy serial numbers against each other. See “Using the policy serial number to check client-server communication” on page 156. See “Manually updating policies on the client” on page 157.
Action: Troubleshoot management server connectivity problems
Description: If the management server and the client do not connect, you can troubleshoot connection problems. See “Troubleshooting communication problems between the management server and the client” on page 350.
For more information on the ports that Symantec Endpoint Protection Small Business Edition uses, see the knowledge base article: Which Communications Ports does Symantec Endpoint Protection use?
How to determine whether the client is connected and protected
You can check the notification area icon on the client to determine whether the client is connected to a management server and adequately protected.
The icon is located in the lower-right hand corner of the client computer desktop.
You can also right-click this icon to display frequently used commands.
Table 22-2 Symantec Endpoint Protection Small Business Edition client status icons
■ The client runs with no problems. It is either offline or unmanaged. Unmanaged clients are not connected to a management server. The icon is a plain yellow shield.
■ The client runs with no problems. It is connected to and communicates with the server. All components of the security policy protect the computer. The icon is a yellow shield with a green dot.
■ The client has a minor problem. For example, the virus definitions may be out of date. The icon is a yellow shield and a light yellow dot that contains a black exclamation mark.
■ The client does not run, has a major problem, or has at least one protection technology disabled. For example, Network Threat Protection may be disabled. The icon is a yellow shield with a white dot outlined in red and a red line across the dot.
You can also check the management server to view the connection status of the computers.
See “How to determine whether the client is connected in the console” on page 127.
See “Viewing the status of deployed client computers” on page 300.
See “Managing the client-server connection” on page 331.
Why do I need to replace the client-server communications file on the client computer?
Symantec Endpoint Protection Manager connects to the client with a communications file called Sylink.xml. The Sylink.xml file includes the communication settings such as the IP address of the management server and the heartbeat interval. After you install a client installation package on to the client computers, the client and the server automatically communicate.
Normally you do not need to replace the Sylink.xml file. However, you may need to replace the existing Sylink.xml file on the client computer in the following situations:
■ The client and the server do not communicate. If the clients have lost the communication with the management server, you must replace the old Sylink.xml file with a new file.
See “Managing the client-server connection” on page 331.
See “Checking the connection to the management server on the client computer” on page 352.
■ You want to convert an unmanaged client to a managed client. If a user installs a client from the product disc, the client is unmanaged and does not communicate with the management server. You can also reinstall the client software on the computer as a managed computer.
See “About managed and unmanaged clients” on page 85.
■ You want to manage a previously orphaned client. For example, if the hard drive that the management server is installed on gets corrupted, you must reinstall the management server. You can update the Sylink.xml file to re-establish communication with all your orphaned clients.
■ You want to move a large number of clients from multiple groups to a single group. For example, you might want to move the client computers in a remote group and a laptop group to a test group. Typically, you need to move the client computers one group at a time.
See “Moving a client computer to another group” on page 123.
See “How do I replace the client-server communications file on the client computer?” on page 334.
See “Restoring client-server communications by using a client installation package” on page 336.
How do I replace the client-server communications file on the client computer?
If you need to replace the client-server communications file (Sylink.xml) on the client computer, you can use the following methods:
■ Create a new client installation package and deploy it on the client computers. Use this method when manually importing the Sylink.xml file is not practical in a large environment, or when the computers require administrative access.
See “Restoring client-server communications by using a client installation package” on page 336.
■ Write a script that runs the SylinkDrop tool, which is located in the /Tools folder of the Tools product disc. Symantec recommends this method for a large number of clients. You should also use the SylinkDrop tool if you use a software management tool to download the client software to computers. The advantage of the software management tool is that it downloads the Sylink.xml file as soon as the end user turns on the client computer. In comparison, the client installation package downloads the new Sylink.xml file only after the client computer connects to the management server.
See “Restoring client-server communication settings by using the SylinkDrop tool” on page 355.
■ Export the Sylink.xml file to the client computer and import it on the client computer manually. Symantec recommends this method if you want to use a software management tool like Altiris. With a software management tool, the job is queued up and completed whenever the users turn on their computer. With the other methods, the client computer must be online.
Table 22-3 displays the process for exporting and importing the Sylink.xml file into the client computer.
Table 22-3 Steps for exporting and importing the communications file
Step 1 Export a file that includes all the communication settings for the group that you want the client to be in.
The default file name is group name_sylink.xml.
See “Exporting the client-server communications file manually” on page 336.
Step 2 Deploy the file to the client computer.
You can either save the file to a network location or send it to an individual user on the client computer.
Step 3 Import the file on the client computer.
Either you or the user can import the file on the client computer.
See “Importing client-server communication settings into the client” on page 337.
Unmanaged clients are not password-protected, so you do not need a password on the client. However, if you try to import a file into a managed client that is password-protected, then you must enter a password. The password is the same one that is used to import or export a policy. You do not need to restart the client computer.
Step 4 Verify client and server communication on the client.
The client immediately connects to the management server. The management server places the client in the group that is specified in the communication file. The client is updated with the group's policies and settings. After the client and the management server communicate, the notification area icon with the green dot appears in the client computer's taskbar.
See “How to determine whether the client is connected in the console” on page 127.
See “Why do I need to replace the client-server communications file on the client computer?” on page 333.
Restoring client-server communications by using a client installation package
If the client-server communications breaks, you can quickly restore communications by replacing the Sylink.xml file on the client computer. You can replace the sylink.xml file by redeploying a client installation package. Use this method for a large number of computers, for the computers that you cannot physically access easily, or the computers that require administrative access.
See “Why do I need to replace the client-server communications file on the client computer?” on page 333.
To restore client-server communication settings by using a client installation package
1 On the Home page, in the Common Tasks drop-down list, click Install protection client to computers.
2 In the Client Deployment Wizard, click Communication Update Package Deployment, and then click Next.
3 Select the group of computers on which you want to deploy the client installation package, and then click Next.
4 Choose one of the following deployment methods, and then click Next:
■ Click Remote Push and go to step in the following procedure.
See “Deploying clients by using Remote Push” on page 79.
■ Save Package and go to step in the following procedure.
See “Deploying clients by using Save Package” on page 81.
5 Confirm that the computer users installed the custom installation package.
You or the computer users must restart the client computers.
See “Viewing the status of deployed client computers” on page 300.
See page 85.
Exporting the client-server communications file manually
If the client and server do not communicate, you may need to reinstall the Sylink.xml file on the client computer to restore communications. You can manually export the Sylink.xml file from Symantec Endpoint Protection Manager on a group basis.
The most common reasons for replacing the Sylink.xml are:
■ To convert an unmanaged client into a managed client.
■ To reconnect a previously orphaned client to the management server.
See “Why do I need to replace the client-server communications file on the client computer?” on page 333.
If you need to update client-server communications for a large number of clients, redeploy the client installation package instead of using this method.
See “Restoring client-server communications by using a client installation package” on page 336.
To export the client-server communications file manually
1 In the console, click Computers.
2 Under Computers, select the group in which you want the client to appear.
3 Right-click the group, and then click Export Communication Settings.
4 In the Export Communication Settings for group name dialog box, click Browse.
5 Locate the folder to where you want to export the .xml file, and then click OK.
6 Click Export, and then click OK.
To finish the conversion, you or a user must import the communications setting on the client computer.
See “Importing client-server communication settings into the client” on page 337.
Importing client-server communication settings into the client
Once you have exported client-server communication settings, you can import them into a client. You can use it to convert an unmanaged client into a managed client or to reconnect a previously orphaned client with a Symantec Endpoint Protection Manager.
To import the client-server communications settings file into the client
1 Open Symantec Endpoint Protection Small Business Edition on the computer that you want to convert to a managed client.
2 In the upper right, click Help, and then click Troubleshooting.
3 In the Troubleshooting dialog box, in the Management pane, click Import.
4 In the Import Group Registration Settings dialog box, locate the group name_sylink.xml file, and then click Open.
5 Click Close to close the Troubleshooting dialog box.
After you import the communications file, and the client and the management server communicate, the notification area icon with a green dot appears in the computer's taskbar. The green dot indicates that the client and the management server are in communication with each other.
See “Exporting the client-server communications file manually” on page 336.
Chapter 23 Preparing for disaster recovery
This chapter includes the following topics:
■ Preparing for disaster recovery
■ Backing up the database and logs
Preparing for disaster recovery
In case of hardware failure or database corruption, you should back up the information that is collected after you install Symantec Endpoint Protection Manager. You then copy these files to another computer.
Table 23-1 High-level steps to prepare for disaster recovery
Step 1: Back up the database
Back up the database regularly, preferably weekly. By default, the database backup folder is saved to the following location: Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup. The backup file is called date_timestamp.zip.
See “Backing up the database and logs” on page 340.
Step 2: Back up the disaster recovery file
The recovery file includes the encryption password, keystore files, domain ID, certificate files, license files, and port numbers. By default, the file is located in the following directory: Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip
Step 3: Save the IP address and host name of the management server to a text file (optional)
If you have a catastrophic hardware failure, you must reinstall the management server using the IP address and host name of the original management server. Add the IP address and host name to a text file, such as Backup.txt.
Step 4: Copy the files you backed up in the previous steps to another computer
Copy the backed up files to a computer in a secure location.
See “Performing disaster recovery” on page 345.
See “Backing up your license files” on page 68.
See the knowledge base article Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager.
Backing up the database and logs
Symantec recommends that you back up the database at least weekly. You should store the backup file on another computer.
By default, the backup file is saved in the following folder: Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup.
The backups are placed in a .zip file. By default, the backup database file is named date_timestamp.zip, the date on which the backup occurs.
Note: Avoid saving the backup file in the product installation directory. Otherwise, the backup file is removed when the product is uninstalled.
Log data is not backed up unless you configure Symantec Endpoint Protection Manager to back it up. If you do not back up the logs, then only your log configuration options are saved during a backup. You can use the backup to restore your database, but the logs in the database are empty of data when they are restored.
The database backup might take several minutes to complete. You can check the System log as well as the backup folder for the status during and after the backup.
See “Preparing for disaster recovery” on page 339.
To back up the database and logs
1 On the computer that runs Symantec Endpoint Protection Manager, on the Start menu, click All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Database Back Up and Restore.
2 In the Database Back Up and Restore dialog box, click Back Up.
3 In the Back Up Database dialog box, optionally check Backup logs, and then click Yes.
4 Click OK.
5 When the database backup completes, click Exit.
6 Copy the backup database file to another computer.
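The checklist in Table 23-1 and the backup procedure above can be verified with a script rather than by eye. The following Python check is an added example, not part of this guide or the product: it confirms that a recent, intact database backup and a recovery_<timestamp>.zip exist and that both have a copy elsewhere, using a constructed sample folder tree (the offsite folder stands in for the other computer; the file names, the folder layout and the seven-day threshold are assumptions).

```python
import os
import re
import tempfile
import zipfile
from datetime import datetime, timedelta
from pathlib import Path

# Recovery file name pattern from the guide, e.g. recovery_2011-04-19-15-23.ZIP.
RECOVERY_RE = re.compile(r"^recovery_(\d{4}-\d{2}-\d{2}-\d{2}-\d{2})\.zip$", re.IGNORECASE)


def newest_zip(folder: Path):
    """Newest .zip file in folder by modification time, or None if there is none."""
    zips = [p for p in folder.glob("*") if p.is_file() and p.suffix.lower() == ".zip"]
    return max(zips, key=lambda p: p.stat().st_mtime) if zips else None


def newest_recovery_file(folder: Path):
    """Newest recovery_<timestamp>.zip, ordered by the timestamp in its name, or None."""
    best = None
    for p in folder.glob("*"):
        m = RECOVERY_RE.match(p.name)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d-%H-%M")
            if best is None or stamp > best[0]:
                best = (stamp, p)
    return best[1] if best else None


def check_dr_backups(backup_dir, recovery_dir, offsite_dir, max_age_days=7, now=None):
    """Walk the Table 23-1 checklist; return a list of findings (empty means all is well)."""
    now = now or datetime.now()
    backup_dir, recovery_dir, offsite_dir = (Path(d) for d in (backup_dir, recovery_dir, offsite_dir))
    findings = []

    # Step 1: a recent, intact database backup (date_timestamp.zip) must exist.
    db = newest_zip(backup_dir)
    if db is None:
        findings.append("no database backup .zip in %s" % backup_dir)
    else:
        age = now - datetime.fromtimestamp(db.stat().st_mtime)
        if age > timedelta(days=max_age_days):
            findings.append("newest database backup %s is %d days old" % (db.name, age.days))
        if not zipfile.is_zipfile(db):
            findings.append("%s is not a zip archive" % db.name)
        else:
            with zipfile.ZipFile(db) as archive:
                if archive.testzip() is not None:
                    findings.append("%s has a corrupt member" % db.name)

    # Step 2: the recovery file (keys, certificates, licenses, ports) must exist.
    recovery = newest_recovery_file(recovery_dir)
    if recovery is None:
        findings.append("no recovery_<timestamp>.zip in %s" % recovery_dir)

    # Step 4: both files need an intact copy on another computer (modelled here as a
    # separate folder), because copies left in the install directory vanish on uninstall.
    for src in (db, recovery):
        if src is not None:
            copy = offsite_dir / src.name
            if not copy.is_file() or copy.stat().st_size != src.stat().st_size:
                findings.append("%s has no intact copy in %s" % (src.name, offsite_dir))
    return findings


def build_sample_tree(root, db_age_days=2, copy_offsite=True):
    """Constructed sample folders (not real SEPM output) so the check can run offline."""
    backup, recovery, offsite = (Path(root) / n for n in ("backup", "recovery", "offsite"))
    for d in (backup, recovery, offsite):
        d.mkdir(parents=True, exist_ok=True)
    db = backup / "2011-04-19_152300.zip"            # stands in for date_timestamp.zip
    with zipfile.ZipFile(db, "w") as z:
        z.writestr("sem5.db", b"constructed database contents")
    stamp = (datetime.now() - timedelta(days=db_age_days)).timestamp()
    os.utime(db, (stamp, stamp))                      # pretend the backup is this old
    rec = recovery / "recovery_2011-04-19-15-23.ZIP"
    with zipfile.ZipFile(rec, "w") as z:
        z.writestr("settings.properties", b"constructed recovery data")
    if copy_offsite:
        for f in (db, rec):
            (offsite / f.name).write_bytes(f.read_bytes())
    return backup, recovery, offsite


def demo(db_age_days=2, copy_offsite=True):
    """Run the check against a throwaway sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        return check_dr_backups(*build_sample_tree(root, db_age_days, copy_offsite))


if __name__ == "__main__":
    print("healthy:", demo())
    print("neglected:", demo(db_age_days=10, copy_offsite=False))
```

Step 3 of the table (the text file with the server's IP address and host name) is not checked here; add it to the offsite folder check if you keep that file beside the backups.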
Section 5 Troubleshooting Symantec Endpoint Protection Small Business Edition
■ Chapter 24. Performing disaster recovery
■ Chapter 25. Troubleshooting installation and communication problems
■ Chapter 26. Troubleshooting reporting issues
Chapter 24 Performing disaster recovery
This chapter includes the following topics:
■ Performing disaster recovery
■ Reinstalling or reconfiguring Symantec Endpoint Protection Manager
■ Restoring the database
Performing disaster recovery
Table 24-1 lists the steps to recover your Symantec Endpoint Protection Small Business Edition environment in the event of hardware failure or database corruption.
Note: This topic assumes that you have prepared for disaster recovery and have created backups and recovery files.
Table 24-1 Process for performing disaster recovery
Step 1: Reinstall Symantec Endpoint Protection Manager using a disaster recovery file.
By reinstalling the management server, you can recover the files that were saved after initial installation.
See “Reinstalling or reconfiguring Symantec Endpoint Protection Manager” on page 346.
Step 2: Restore the database.
See “Restoring the database” on page 347.
See “Preparing for disaster recovery” on page 339.
See the knowledge base article: Perform a disaster recovery when the database backup/restore process fails using the "Database Backup/Restore Wizard" for an Embedded Database.
Reinstalling or reconfiguring Symantec Endpoint Protection Manager
If you need to reinstall or reconfigure the management server, you can import all your settings by using a disaster recovery file. You can reinstall the software on the same computer, in the same installation directory.
The Symantec Endpoint Protection Manager creates a recovery file during installation. The recovery file is selected by default during the reinstallation process.
See “Preparing for disaster recovery” on page 339.
To reinstall or reconfigure the management server
1 On the management server computer, do one of the following tasks:
■ To reinstall the management server, uninstall the management server and reinstall the management server by using the product disc.
See “Uninstalling Symantec Endpoint Protection Manager” on page 50.
See “Installing Symantec Endpoint Protection Manager” on page 47.
■ To reconfigure the management server, click Start > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Management Server Configuration Wizard.
2 In the Welcome panel, make sure that Reconfigure management server using a recovery file is checked, and then click Next.
3 In the Server data folder text field, locate the recovery file.
By default, the recovery file is located in: Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup. The recovery file is a compressed directory that is named with a timestamp. For instance, recovery_2011-04-19-15-23.ZIP
4 Follow the instructions in each panel.
Restoring the database
If the database gets corrupted or you need to perform disaster recovery, you can restore the database. To restore the database, you must first have backed it up.
See “Backing up the database and logs” on page 340.
You must restore the database using the same version of Symantec Endpoint Protection Manager that you used to back up the database. You can restore the database on the same computer on which it was installed originally or on a different computer.
The database restore might take several minutes to complete.
To restore the database
1 Stop the management server service.
See “Stopping and starting the management server service” on page 101.
2 On the Start menu, click All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Database Back Up and Restore.
3 In the Database Back Up and Restore dialog box, click Restore.
4 Click Yes to confirm the database restoration.
5 In the Restore Site dialog box, select the backup database file, and then click OK.
Locate the copy of the backup database file that you made when you backed up the database. By default, the backup database file is named date_timestamp.zip.
6 Click OK.
7 Click Exit.
8 Restart the management server service.
Chapter 25 Troubleshooting installation and communication problems
This chapter includes the following topics:
■ Troubleshooting computer issues with the Symantec Help support tool
■ Identifying the point of failure of an installation
■ Troubleshooting communication problems between the management server and the client
■ Troubleshooting communication problems between the management server and the console or the database
Troubleshooting computer issues with the Symantec Help support tool
You can download a utility to diagnose common issues you encounter with installing and using Symantec Endpoint Protection Manager or the Symantec Endpoint Protection Small Business Edition client.
The support tool helps you with the following issues:
■ Lets you quickly and accurately identify known issues.
■ When the tool recognizes an issue, the tool redirects you to the resources to resolve the issue yourself.
■ When an issue is not resolved, the tool lets you easily submit data to Support for further diagnostics.
To troubleshoot computer issues with the Symantec Help support tool
1 Do one of the following tasks:
■ See the knowledge base article: Symantec Help (SymHelp)
■ In the client, click Help > Download Support Tool
2 Follow the on-screen instructions.
Identifying the point of failure of an installation
The Windows Installer and Push Deployment Wizard create log files that can be used to verify whether or not an installation was successful. The log files list the components that were successfully installed and provide a variety of details that are related to the installation package. You can use the log file to help identify the component or the action that caused an installation to fail. If you cannot determine the reason for the failed installation, you should retain the log file.
Provide the file to Symantec Technical Support if it is requested.
Note: Each time the installation package is executed, the log file is overwritten.
To identify the point of failure of an installation
1 In a text editor, open the log file that the installation generated.
2 To find failures, search for the following entry:
Value 3
The action that occurred before the line that contains this entry is most likely the action that caused the failure. The lines that appear after this entry are the installation components that have been rolled back because the installation was unsuccessful.
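The search that the procedure describes can be scripted so that the preceding action and the rolled-back components are reported together. The following Python script is an added example, not part of this guide; it scans a constructed Windows Installer log (the sample lines are made up, in the usual "Action start/ended" and "Return value N" wording, not a capture from a real installation) for the "Value 3" marker and reports what came before and after it.

```python
import re
from typing import List, Optional

# Constructed sample of a Windows Installer log (not a real capture).
SAMPLE_LOG = """\
=== Logging started: 4/19/2011  15:23:00 ===
Action start 15:23:01: INSTALL.
Action start 15:23:01: CostInitialize.
Action ended 15:23:01: CostInitialize. Return value 1.
Action start 15:23:02: InstallFiles.
Error 1303. The installer has insufficient privileges to access this directory.
Action ended 15:23:05: InstallFiles. Return value 3.
Action ended 15:23:05: INSTALL. Return value 3.
Action 15:23:05: Rollback. Rolling back action:
Rollback: InstallFiles
Rollback: CostInitialize
=== Logging stopped: 4/19/2011  15:23:06 ===
"""

# "Action start 15:23:02: InstallFiles." / "Action ended 15:23:05: InstallFiles. Return value 3."
ACTION_RE = re.compile(r"^Action (start|ended) \d{2}:\d{2}:\d{2}: (\w+)\.")
# The marker the guide tells you to search for; it appears as "Return value 3." in the log.
FAILURE_RE = re.compile(r"\bvalue 3\b", re.IGNORECASE)


def find_failure(log_text: str) -> Optional[dict]:
    """Locate the first 'Value 3' line and gather the context the guide says to look at.

    Returns None when the log records no failure.
    """
    lines = log_text.splitlines()
    last_started = None           # the action that was running when the marker appears
    errors: List[str] = []        # "Error NNNN." lines logged since that action started
    for number, line in enumerate(lines, start=1):
        if FAILURE_RE.search(line):
            match = ACTION_RE.match(line)
            # Everything after the marker is the rollback of components already installed.
            rolled_back = [entry.split(":", 1)[1].strip()
                           for entry in lines[number:] if entry.startswith("Rollback:")]
            return {
                "line_no": number,
                "failed_action": match.group(2) if match else None,
                "preceding_action": last_started,
                "errors": errors,
                "rolled_back": rolled_back,
            }
        match = ACTION_RE.match(line)
        if match and match.group(1) == "start":
            last_started, errors = match.group(2), []
        elif line.startswith("Error "):
            errors.append(line.strip())
    return None


def report(log_text: str) -> str:
    """One-line summary suitable for the ticket you open with Technical Support."""
    result = find_failure(log_text)
    if result is None:
        return "no 'Value 3' marker found; the installation log records no failure"
    return ("failure at line %d in action %s (preceded by %s); errors: %s; rolled back: %s"
            % (result["line_no"], result["failed_action"], result["preceding_action"],
               "; ".join(result["errors"]) or "none", ", ".join(result["rolled_back"]) or "none"))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```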
Troubleshooting communication problems between the management server and the client
If you have trouble with client and server communication, you should first check to make sure that there are no network problems. You should also check network connectivity before you call Symantec Technical Support.
You can test the communication between the client and the management server in several ways.
Table 25-1 Checking the connection between the management server and the client
What to check: Look on the client to see if the client connects to the management server
Solution: You can download and view the troubleshooting file on the client to verify the communication settings.
See “How to determine whether the client is connected and protected” on page 332.
See “Checking the connection to the management server on the client computer” on page 352.
See “Investigating protection problems using the troubleshooting file on the client” on page 352.
What to check: Test the connectivity between the client and the management server
Solution: You can perform several tasks to check the connectivity between the client and the management server.
■ Ping the management server from the client computer.
See “Using the ping command to test the connectivity to the management server” on page 353.
■ Use a Web browser on the client computer to connect to the management server.
What to check: Check for any network problems
Solution: You should verify that there are no network problems by checking the following items:
■ Test the connectivity between the client and the management server first. If the client computer cannot ping or Telnet to the management server, verify network connections and services for the client.
■ Check the client's routing path.
■ Check that the management server does not have a network problem.
■ Check that the Symantec Endpoint Protection firewall (or any third-party firewall) does not cause any network problems.
What to check: Check the debug logs on the client
Solution: You can use the debug log on the client to determine if the client has communication problems.
See “Checking the debug log on the client computer” on page 354.
See “Checking the inbox logs on the management server” on page 354.
What to check: Recover lost client communication
Solution: If the clients have lost the communication with a management server, you can use a tool to recover the communication file.
See “Restoring client-server communication settings by using the SylinkDrop tool” on page 355.
If Symantec Endpoint Protection Manager displays logging errors or HTTP error codes, see the following knowledge base article: Symantec Endpoint Protection Manager communication troubleshooting.
Checking the connection to the management server on the client computer
If you have a managed client, you can check your connection to the management server. If you are not connected to the management server, you can request that your client connect.
See “Troubleshooting communication problems between the management server and the client” on page 350.
Checking the connection to the management server on the client computer
1 On the Status page, click Help > Troubleshooting.
2 In the Troubleshooting dialog box, click Connection Status.
3 In the Connection Status pane, you can see the last attempted connection and the last successful connection.
4 To reestablish a connection with the management server, click Connect Now.
Investigating protection problems using the troubleshooting file on the client
To investigate client problems, you can examine the Troubleshooting.txt file on the client computer. The Troubleshooting.txt file contains information about policies, virus definitions, and other client-related data.
Symantec Technical Support might request that you email the Troubleshooting.txt file.
See “Troubleshooting communication problems between the management server and the client” on page 350.
To export the troubleshooting file from the client
1 On the client computer, open the client.
2 In the client, click Help > Troubleshooting.
3 In the Management pane, under Troubleshooting Data, click Export.
4 In the Save As dialog box, accept the default troubleshooting file name or type a new file name, and then click Save.
You can save the file on the desktop or in a folder of your choice.
5 Using a text editor, open Troubleshooting.txt to examine the contents.
Stopping and starting the Apache Web server
When you install Symantec Endpoint Protection Manager, it installs the Apache Web server. The Apache Web server runs as an automatic service. You may need to stop and restart the Web server to enable the Apache HTTP Server Access log.
To stop the Apache Web server
◆ From a command prompt, type: net stop semwebsrv
To start the Apache Web server
◆ From a command prompt, type: net start semwebsrv
Using the ping command to test the connectivity to the management server
You can try to ping the management server from the client computer to test connectivity.
See “Troubleshooting communication problems between the management server and the client” on page 350.
To use the ping command to test the connectivity to the management server
1 On the client, open a command prompt.
2 Type the ping command. For example: ping name, where name is the computer name of the management server. You can use the server IP address in place of the computer name. In either case, the command should return the server's correct IP address.
If the ping command does not return the correct address, verify network connections, and that the network services are running on the client computer.
Checking the debug log on the client computer
You can check the debug log on the client. If the client has communication problems with the management server, status messages about the connection problem appear in the log.
See “Troubleshooting communication problems between the management server and the client” on page 350.
To check the debug log on the client
1 In the client, click Help > Troubleshooting.
2 In the Debug Logs pane, click Edit Debug Log Settings.
3 Enter a name for the debug log and then click OK.
You can also click View Log to view the log files.
Checking the inbox logs on the management server
You can use a Windows registry key to generate logs about activity in the management server inbox. When you modify the Windows registry key, the management server generates the logs (ersecreg.log and exsecars.log). You can view these logs to troubleshoot client and server communication.
See “Troubleshooting communication problems between the management server and the client” on page 350.
See “Checking the debug log on the client computer” on page 354.
To check the inbox logs on the management server
1 On the management server, under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection Small Business Edition\SEPM, set the DebugLevel value to 3.
Typically, the inbox appears in the following location on the management server computer: \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\log
2 Open the log with Notepad.
Restoring client-server communication settings by using the SylinkDrop tool
The Sylink.xml file includes communication settings between the client and a Symantec Endpoint Protection Manager server. If the clients have lost the communication with a management server, you must replace the old Sylink.xml file with a new Sylink.xml file. The SylinkDrop tool automatically replaces the Sylink.xml file on the client computer with a new Sylink.xml file.
Note: You can also replace the Sylink.xml file by redeploying a client installation package. Use this method for a large number of computers, for computers that you cannot physically access easily, or computers that require administrative access.
See “Restoring client-server communications by using a client installation package” on page 336.
When you run the SylinkDrop tool, it can also perform the following tasks:
■ Restores the communication breakages to the client that cannot be corrected on the management server.
■ Converts an unmanaged client to a managed client.
■ Converts a managed client to an unmanaged client.
You can write a script with the tool to modify communication settings for large numbers of clients.
See “About managed and unmanaged clients” on page 85.
See “Troubleshooting communication problems between the management server and the client” on page 350.
Note: You must disable Tamper Protection to use the SylinkDrop.exe tool. You can also create a Tamper Protection exception for the SylinkDrop.exe tool.
See “Changing Tamper Protection settings” on page 232.
See “Creating a Tamper Protection exception” on page 279.
To recover client-server communication settings by using the SylinkDrop tool
1 In the console, export the communications file from the group that connects to the management server to which you want the client computer to connect.
The communications file is the Sylink.xml file.
See “Exporting the client-server communications file manually” on page 336.
2 Copy the communication file to the client computer.
You can either save the file to a network location, email it to the user on the client computer, or copy it to removable media.
3 Do one of the following tasks:
■ On the tools product disc, locate \Tools\SylinkDrop\SylinkDrop.exe.
■ On the computer that runs the management server, locate drive:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Version.Number\Bin\SylinkDrop.exe
You can run the tool remotely or save it and then run it on the client computer.
If you use the tool on the command line, read the SylinkDrop.txt file for a list of the tool's command parameters.
4 In the Sylink Drop dialog box, click Browse, and locate the .xml file you deployed in step 2 to the client computer.
5 Click Update Sylink.
6 When you see a confirmation dialog box, click OK.
7 In the Sylink Drop dialog box, click Exit.
Troubleshooting communication problems between the management server and the console or the database
If you have a connection problem with the console or the database, you may see one of the following symptoms:
■ The management server service (semsrv) stops.
■ The management server service does not stay in a started state.
■ The Home, Monitors, and Reports pages display an HTTP error.
■ The Home, Monitors, and Reports pages are blank.
■ The Home, Monitors, and Reports pages display a continuously loading progress bar, without displaying any content.
All of these issues display a Java -1 error in the Windows Event log. To find the specific cause for the Java -1 error, look in the scm-server log. The scm-server log is typically located in the following location:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\scm-server-0.log
Table 25-2 Checking the communication with the console or database
What to check: Test the connectivity between the database and the management server.
Description: You can verify that the management server and the database communicate properly.
See “Verifying the connection with the database” on page 357.
What to check: Check that the management server heap size is correct.
Description: You may need to adjust the heap size that is appropriate for the management server's operating system. If you cannot log in to the management server's remote console, or if you see an out-of-memory message in the scm-server log, you may need to increase the heap size. The default heap size for Symantec Endpoint Protection Manager is 256 MB.
What to check: Check the system requirements.
Description: You can check whether both the client and the management server run the minimum or the recommended system requirements.
For the most current system requirements, see: Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
Verifying the connection with the database
The management server and the database may not communicate properly. You should verify that the database runs and then test the connection between the server and the database.
Perform the following steps:
■ Verify that the Symantec Embedded Database service runs and that the dbsrv9.exe process listens to TCP port 2638.
■ Test the ODBC connection.
To verify communication with the embedded database
1 On the management server, click Start > Control Panel > Administrative Tools.
2 In the Administrative Tools dialog box, double-click Data Sources (ODBC).
3 In the ODBC Data Source Administrator dialog box, click System DSN.
4 On the System DSN tab, double-click SymantecEndpointSecurityDSN.
5 On the ODBC tab, verify that the Data source name drop-down list is SymantecEndpointSecurityDSN and type an optional description.
6 Click Login.
7 On the Login tab, in the User ID text box, type dba.
8 In the Password text box, type the password for the database.
This password is the one that you entered for the database when you installed the management server.
9 Click Database.
10 On the Database tab, in the Server name text box, type <\\servername\instancename>.
If you use the English version of Symantec Endpoint Protection Manager, type the default, sem5. Otherwise, leave the Server name text box blank.
11 On the ODBC tab, click Test Connection and verify that it succeeds.
12 Click OK.
13 Click OK.
Chapter 26 Troubleshooting reporting issues
This chapter includes the following topics:
■ Troubleshooting reporting issues
■ Accessing reporting pages when the use of loopback addresses is disabled
■ About recovering a corrupted client System Log on 64-bit computers
Troubleshooting reporting issues
You should be aware of the following information when you use reports:
■ Timestamps, including client scan times, in reports and logs are given in the user's local time. The reporting database contains events in Greenwich Mean Time (GMT). When you create a report, the GMT values are converted to the local time of the computer on which you view the reports.
■ If managed clients are in a different time zone from the management server, and you use the Set specific dates filter option, you may see unexpected results. The accuracy of the data and the time on both the client and the management server may be affected.
■ If you change the time zone on the server, log off of the console and log on again to see accurate times in logs and reports.
■ In some cases, the report data does not have a one-to-one correspondence with what appears in your security products. This lack of correspondence occurs because the reporting software aggregates security events.
■ You can use SSL with the reporting functions for increased security. SSL provides confidentiality, the integrity of your data, and authentication between the client and the server.
See the knowledge base article: Configuring Secure Sockets Layer (SSL) to work with the Symantec Endpoint Protection reporting functions on Windows Server 2003.
■ Risk category information in the reports is obtained from the Symantec Security Response Web site. Until the Symantec Endpoint Protection Manager console is able to retrieve this information, any reports that you generate show Unknown in the risk category fields.
■ The reports that you generate give an accurate picture of compromised computers in your network. Reports are based on log data, not the Windows registry data.
■ If you get CGI or terminated process errors, you might want to change other timeout parameters.
For more information, see the following knowledge base article: SAV Reporting Server or SEPM Reporting does not respond or shows a timeout error message when querying large amounts of data.
■ If you have disabled the use of loopback addresses on the computer, the reporting pages do not display.
See “Accessing reporting pages when the use of loopback addresses is disabled” on page 361.
The following information is important to note if you have computers in your network that are running legacy versions of Symantec AntiVirus:
■ If the System log becomes corrupted on a 64-bit client, you may see an unspecified error message in the System logs on the Symantec Endpoint Protection Manager console.
See “About recovering a corrupted client System Log on 64-bit computers” on page 361.
■ When you use report and log filters, server groups are categorized as domains. Client groups are categorized as groups, and parent servers are categorized as servers.
■ If you generate a report that includes legacy computers, the IP address and MAC address fields display None.
■ The reporting functions use a temporary folder, drive:\Symantec\Symantec Endpoint Protection Manager\Inetpub\Reporting\Temp. You might want to schedule your own automated tasks to periodically clean this temporary folder. If you do so, be sure that you do not delete the LegacyOptions.inc file, if it exists. If you delete this file, you lose the incoming data from legacy Symantec AntiVirus client logs.
Accessing reporting pages when the use of loopback addresses is disabled
If you have disabled the use of loopback addresses on the computer, the reporting pages do not display. If you try to log on to the Symantec Endpoint Protection Manager console or to access the reporting functions, you see the following error message:
Unable to communicate with Reporting component
The Home, Monitors, and Reports pages are blank; the Policies, Clients, and Admin pages look and function normally.
To get the Reports components to display when you have disabled loopback addresses, you must associate the word localhost with your computer's IP address. You can edit the Windows hosts file to associate localhost with an IP address.
To associate localhost with the IP address on computers running Windows
1 Change directory to the location of your hosts file.
By default, the hosts file is located in %SystemRoot%\system32\drivers\etc
2 Open the hosts file with an editor.
3 Add the following line to the hosts file:
xxx.xxx.xxx.xxx localhost #to log on to reporting functions
where you replace xxx.xxx.xxx.xxx with your computer's IP address. You can add any comment you want after the pound sign (#). For example, you can type the following line:
192.168.1.100 localhost # this entry is for my console computer
4 Save and close the file.
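When the same hosts edit has to be made on more than one console computer, it helps to make it idempotent and to refuse a loopback address, since the entry exists to replace a disabled loopback. The following Python helper is an added example, not part of this guide; it parses a constructed sample hosts file (comment lines and an unrelated entry, not a capture from a real system), reports which addresses already map to localhost, and appends the line from step 3 only when it is missing.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a Windows hosts file (not a capture from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
10.0.0.5   fileserver.example.internal   # constructed entry, unrelated to reporting
"""


def localhost_mappings(hosts_text: str) -> List[str]:
    """Return the addresses that active (uncommented) hosts lines map to the name localhost."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()                        # address, then one or more names
        if "localhost" in (name.lower() for name in fields[1:]):
            found.append(fields[0])
    return found


def add_localhost_mapping(hosts_text: str, ip: str,
                          comment: str = "to log on to reporting functions") -> Tuple[str, bool]:
    """Append 'ip localhost # comment' unless an active line already maps localhost to ip.

    Returns (new_text, changed). Loopback addresses are rejected: the entry exists
    precisely because the loopback address has been disabled on this computer.
    """
    addr = ipaddress.ip_address(ip)                  # ValueError on malformed input
    if addr.is_loopback:
        raise ValueError("expected the computer's own (non-loopback) IP address, got %s" % ip)
    if ip in localhost_mappings(hosts_text):
        return hosts_text, False                     # already present, nothing to do
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "%s localhost # %s\n" % (ip, comment), True


if __name__ == "__main__":
    text, changed = add_localhost_mapping(SAMPLE_HOSTS, "192.168.1.100")
    print(text)
    print("changed:", changed, "localhost ->", localhost_mappings(text))
```

The helper only builds the new file contents; writing %SystemRoot%\system32\drivers\etc\hosts still needs an elevated prompt on the console computer.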
About recovering a corrupted client System Log on 64-bit computers
If the System log becomes corrupted on a 64-bit client, you may see an unspecified error message in the System logs on the Symantec Endpoint Protection Manager console. If corrupted, you cannot view the data in the log on the client and the data does not upload to the console. This condition can affect data in the console Computer Status, Risk, and Scan logs and reports.
To correct this condition, you can delete the corrupted log file and the serialize.dat file on the client. These files are located on the client in Drive:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\date.Log. After you delete these files, the log file is recreated and begins to log entries correctly.
Appendix A
Differences between Mac and Windows features
This appendix includes the following topics:
■ Client protection features by platform
■ Management features by platform
■ Virus and Spyware Protection policy settings available for Windows and Mac
■ LiveUpdate policy settings available for Windows and Mac
Client protection features by platform
Table A-1 explains the differences in the protection features that are available on the different client computer platforms.
Table A-1 Symantec Endpoint Protection Small Business Edition client protection
Column key: Windows 32-bit client = Windows XP (SP2), Windows Vista, Windows 7, Windows 8, 32-bit; Windows 64-bit client = Windows XP (SP2), Windows Vista, Windows 7, Windows 8, 64-bit; Windows 32-bit server = Windows Server 2003, Windows Server 2008, 32-bit; Windows 64-bit server = Windows Server 2003, Windows Server 2008, Windows Server 2012, 64-bit.
| Client feature | Windows 32-bit client | Windows 64-bit client | Windows 32-bit server | Windows 64-bit server | Mac | Linux |
| Scheduled scans | Yes | Yes | Yes | Yes | Yes | Yes |
| On-demand scans | Yes | Yes | Yes | Yes | Yes | Yes |
| Auto-Protect for the file system | Yes | Yes | Yes | Yes | Yes | Yes |
| Internet Email Auto-Protect | Yes | Yes | No | No | No | No |
| Microsoft Outlook Auto-Protect | Yes | Yes | Yes | Yes | No | No |
| SONAR | Yes | Yes | Yes | Yes | No | No |
| Firewall | Yes | Yes | Yes | Yes | No | No |
| Intrusion Prevention | Yes | Yes | Yes | Yes | No | No |
| Tamper Protection | Yes | Yes, with limitations | Yes | Yes, with limitations | No | No |
See “Management features by platform” on page 364.
See “Virus and Spyware Protection policy settings available for Windows and Mac” on page 366.
See “LiveUpdate policy settings available for Windows and Mac” on page 367.
Management features by platform
Table A-2 explains the management features that are available for the Windows and Mac client platforms.
Table A-2 Comparison between Symantec Endpoint Protection Manager features for Windows and Mac
| Feature | Windows | Mac |
| Deploy client remotely from Symantec Endpoint Protection Manager | Yes | No |
| Manage client from Symantec Endpoint Protection Manager | Yes | Yes |
| Update virus definitions and product from management server | Yes | No |
| Run commands from management server | Scan; Update Content; Update Content and Scan; Restart Client Computers; Enable Auto-Protect; Enable Network Threat Protection; Disable Network Threat Protection | Scan; Update Content; Update Content and Scan; Restart Client Computers; Enable Auto-Protect |
| Provide updates by using Group Update Providers | Yes | No |
| Run Intelligent Updater | Yes | Yes |
| Package updates for third-party tools in management server | Yes | No* |
| Set randomized scans | Yes | No |
| Set randomized updates | Yes | Yes |
*You can run Intelligent Updater to get Mac content updates. You can then push the updates to Mac clients by using a third-party tool such as Apple Remote Desktop.
See “Virus and Spyware Protection policy settings available for Windows and Mac” on page 366.
See “LiveUpdate policy settings available for Windows and Mac” on page 367.
See “Client protection features by platform” on page 363.
Virus and Spyware Protection policy settings available for Windows and Mac
Table A-3 displays the differences in the policy settings that are available for Windows clients and Mac clients.
Table A-3 Virus and Spyware Protection policy settings (Windows and Mac only)
| Policy setting | Windows | Mac |
| Define actions for scans | You can specify first and second actions when different types of virus or risk are found. You can specify the following actions: Clean; Quarantine; Delete; Leave alone | You can specify either of the following actions: Automatically repair infected files; Quarantine files that cannot be repaired |
| Specify remediation if a virus or a risk is found | You can specify the following remediation actions: Back up files before repair; Terminate processes; Stop services | Remediation is automatically associated with actions. |
| Set scan type | Active, Full, Custom | Custom only |
| Retry scheduled scans | Yes | No |
| Set scans to check additional locations (scan enhancement) | Yes | No |
| Configure storage migration scans | Yes | No |
| Configure scan exceptions | Yes | Yes |
| Scan on mount | No | No |
See “Management features by platform” on page 364.
See “LiveUpdate policy settings available for Windows and Mac” on page 367.
See “Client protection features by platform” on page 363.
LiveUpdate policy settings available for Windows and Mac
Table A-4 displays the LiveUpdate policy options that the Windows client and the Mac client support.
Table A-4 LiveUpdate policy settings (Windows and Mac only)
| Policy setting | Windows | Mac |
| LiveUpdate Scheduling | Yes | Yes, for Frequency and Retry Window |
| Product Update Settings | No | Yes |
See “Management features by platform” on page 364.
See “Virus and Spyware Protection policy settings available for Windows and Mac” on page 366.
See “Client protection features by platform” on page 363.
Index
A
actions
active scans
adding
administrator
administrator account
administrator-defined scan
administrator-defined scans 210–211
See also on-demand scans
See also scheduled scans
Apache Web server
application
monitoring 277
using an exception to allow or block 277
using an exception to detect 277
application triggers
applications
adding to a rule 244
defining 244
searching for 244
assistive technology
Auto-Protect
customizing for email scans 213
customizing for Mac computers 212
customizing for Windows clients 211
Download Insight 131
enabling or disabling 131
for file system
automatic exclusions
for Microsoft Exchange server 176
AutoUpgrade
B
block traffic
blocking
Bloodhound
browser intrusion prevention
C
client
client computer
Client Deployment Wizard 75
custom installation 75
deploying 75
uninstalling on Mac 88
uninstalling on Windows 88
client connection. See health state
client data
client status
client-server communication settings
client-server communications
clients
commands
running from logs 134
running on clients from the console 134
communication
problems between the client and the server 350
problems with the server and the console or the
communication and required ports 74
communications file
components
computer status
computers
connectivity communication between the client and the
verifying communication with the database 357
console
content
how clients receive updates 285
viewing downloads to server 288
converting an unmanaged client to a managed
D
database
debug logs. See logs
definitions
deploying
disable
Proactive Threat Protection 131
disaster recovery
domains
Download Insight
actions 219
customizing settings 219
interaction with Auto-Protect 131
Download Protection
E
early launch anti-malware
ELAM. See early launch anti-malware
disable to improve computer performance 187
email application inbox
email messages
email server
embedded database
endpoint protection
excluding a file or folder 274
exclusions
exporting
F
File System Auto-Protect. See Auto-Protect
files
filters
firewall
Firewall policies
adding
allowing traffic to local subnet 253
host groups
network services
processing order
full scans
G
group
group structure
groups
H
health state
host groups
host triggers
hosts
local and remote 245
source and destination 245
I
icons
importing
Insight Lookup
installation
client firewalls 74
communications ports 74
installing
interoperability
enabling or disabling in Intrusion Prevention
locking and unlocking settings 153
IPS signatures
J
L
license
checking status 66
deployed 66
expired 66
over-deployed 66
license issues
limited administrator
LiveUpdate
configuring server download frequency 287
checking the debug log on the client 354
checking the inbox logs 354
deleting configuration settings 314
deleting files from the Quarantine 202
saving filter configurations 313
TruScan proactive threat scans 229
M
Mac client
management server
Microsoft Exchange server
migration. See client computer
Symantec AntiVirus and Client Security 106
mobile device. See portable computer
N
network intrusion prevention
network services
Network Threat Protection
notification
notification area icon
notifications
upgrades from another version 326
virus and spyware events on client
O
on-demand scans
P
password
password change
policy
export shared
Virus and Spyware Protection 149
policy serial number
ports
communication requirements 74 installation requirements 74
Proactive Threat Protection
product
protection
protocols
proxy required exceptions when using
Symantec Endpoint Protection Manager
connection to Symantec LiveUpdate 289
Q
Quarantine
deleting files 202
managing 202
quick reports
R
remote installation and TCP port 139 74
report
Infected and At Risk Computers 299
New Risks Detected in the Network 299
reporting
language 359
legacy Symantec AntiVirus 359
SSL 359
timestamps 359
troubleshooting 359
reports
deleting configuration settings 306
saving configuration settings 306
restart
risk
deleting files from the Quarantine 202
risks
S
Scan
customizing administrator-defined 215
scans (continued)
scheduled reports
scheduled scans
screen reader
application blocked by Tamper Protection 273
search for
groups, users, and computers 129
security risks
serial number. See policy serial number
server
services
settings
SONAR
exceptions for code injection 226, 270
status
status icon. See client connection
Submissions
locking and unlocking settings 153
sylink.xml
converting an unmanaged client to a managed
Symantec AntiVirus
Symantec Client Security
Symantec Endpoint Protection Small Business Edition
Symantec Licensing Portal. See license
Symantec products
Symantec Security Response 163
System
system administrator
T
Tamper Protection
locking and unlocking settings 153
templates for scheduled scans 182, 185
threats
trialware
triggers
troubleshooting
TruScan proactive threat scans
trusted Web domain
trusted Web domain exception
U
uninstall
update
users
V
virtual machine
virtualization
Virus and Spyware Protection
Virus and Spyware Protection policy
locking and unlocking settings 153
virus definitions
W
Windows 8