SW Manual (SWM)
For Symantec End Point Protection 11
update 5
Revision history

Rev | Description | Sheet | Author | Approved by | ECO | Date
--- | --- | --- | --- | --- | --- | ---
A00 | First Release | All | Igal Avraham | Yuval Golan | | 04/2010
A04 | SR updates | All | Igal Avraham | | | 08/2010
A05 | SR updated to automatically install the DB and User | All | Igal Avraham | | | 08/2010
A06 | | All | Igal Avraham | | | 10/2010
A07 | | All | Igal Avraham | | | 11/2010
A08 | | All | Igal Avraham | | | 02/2011
A09 | | | | | |
A10 | | All | Igal Avraham | | | 05/2011
A11 | | All | Sharon Lesch | Igal Avraham | V009412 | 12/6/2011
A12 | | All | Igal Avraham | Yuval Golan | V009539 | 31/7/2011
A13 | | All | Igal Avraham | Yuval Golan | | 15/09/2011

P/N 18-015-0085, Rev A13, NPI Group
Notice
This material is proprietary of Verint. Any unauthorized reproduction, use or disclosure of this
material, or any part thereof, is strictly prohibited. This material is meant solely for the use of
Verint employees and Verint customers.
Table of Contents
1.
1.1 Target Audience
1.2 Terms and Abbreviations
1.3 References
2. PREFACE
2.1 Prerequisites
2.1.1 MANUALS DOCUMENTS
2.1.2 HARDWARE
2.1.3 SOFTWARE MEDIA
2.1.4 LICENSES
3. OVERVIEW
3.1 About viruses
3.2 About Symantec Antivirus Solution
3.3 About Updating
4. SYMANTEC ANTIVIRUS INSTALLATION PROCESS
4.1 Installation flow
4.2 Automatic installation via SR tool (Supplied by PDD group)
4.2.1 SQL EXPRESS 2008 R2 / SQL 2008 SERVER INSTALLATION
4.2.2
4.2.3
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2 HOW TO DEPLOY THE SEP CLIENT AND/OR CHANGE FROM UNMANAGED TO MANAGED
4.4.3
4.4.4
4.4.5
5.
6.2
7.
7.1 How to Migrate From Symantec Antivirus System Center Console to Symantec Endpoint Protection Manager
7.2 How to fix kill.exe virus not detected
1. Scope and objectives
1.1 Target Audience
The target audiences of this document are Operations, Subcontractors and PDD.
2. Preface
This document describes the procedure for installing and configuring
Symantec End Point Protection 11.x / 12.x in RELIANT (10.3 and above /
India projects 10.1 SP4 and above), STAR-GATE and VANTAGE systems.

Product | Version
--- | ---
Reliant | 10.4 and above; 10.1 SP 4.5 India
Audio Log | 5.x
2.1 Prerequisites
Prior to the installation, make sure that all required reference manuals
and installation files are available.
2.1.1 Manuals Documents
Projects SPD documents
Projects NDD documents
2.1.2 Licenses
No licenses are needed for SEP 11 OEM Edition; the solution is based on a
Royalty agreement.
3. Overview
4.
4.2.1 SQL Server/Express 2008 R2 and SEP manager installation
1. Choose MPS in Reliant, or the Management server in the Star Gate
platform, select the install/upgrade option and press Next.
2. In the prerequisites check, verify that there are no errors and press Next.
2.1. Microsoft SQL Express 2008 R2 for Projects without Citrix
Environment.
OR
2.2. Microsoft SQL Server 2008 for Projects WITH Citrix
Environment.
Leave SR defaults
If you receive a warning message, click YES and continue.
Wait for installation to complete.
4.2.2
5. In the IP Addresses tab, change the IPAll TCP Port value to 1433.
4.2.3
NOTE: SR imports the SEP database and creates and assigns the user for
the SEP manager. Please check the following.
2. After login:
a. Check for the existence of the database named
VerintSem5 under Databases.
b. Check that the user Hercules is assigned to the database under
Databases\VerintSem5\Security\Users
Note: if the DB was not restored and you cannot find the VerintSem5 DB,
run the following procedure:
1.
2.
3.
4.
5.
7. Check the database for VerintSem5 as described at the beginning
of the procedure.
8. If the Hercules user doesn't exist, repeat steps 3-5 with the
script: create_user.sql
The results should be as follows:
4.3 Configure the Symantec Endpoint Protection Manager
4.3.1
Choose the appropriate number of SEP clients that should connect to the
SEP manager (unless specified otherwise, we use 100-500) and click Next.
Leave the settings on the next page as they are and click Next.
Wait a few seconds for the configuration to finish.
After you click FINISH, the SEP manager login console starts.
Log in with the Hercules / Rel7 user name.
If you get a warning message during login, follow these steps.
To fix this warning message, fix the ODBC connection.
-
-
Enter the user name and password (e.g. Hercules and the
Nine1One password) and click Next.
-
Launch the Symantec Endpoint Protection Manager console again and
log in to the SEP manager console.
4.3.2
We need to verify that the current server is defined as the SEP Admin server.
1. Open the SEP Manager Console, click Admin on the left toolbar, and
select Servers:
4.4 Deploy Symantec Endpoint 11 Clients
-
4.4.1
-
4.4.2 How to deploy the SEP client and/or change from unmanaged to managed
Please use the procedure below:
1. Create new custom installation settings
2. Create new Installation feature set
3. Export the new SEP clients
4. Deploy the client by using the Symantec migration and deployment
wizard
4.4.2.1
4.4.2.2
4.4.2.3
4.4.2.4
Or
b. Click the Add or Import Computer button and select the
computers based upon "IP Address" or "Host name." (You
may also use a text file list populated with either Host names or
IP Addresses)
Click CLOSE and you'll receive a message to review the deployment log.
4.4.3
The master installer changes the SEP client from unmanaged to managed
automatically; the following procedure explains how to perform this action
manually.
In order to assign the clients to the manager, we need to upload the Manager
Policy to the client.
4.4.3.1
Click on Export
4.4.3.2
Note: if the server is already managed by a different server, you need to
un-assign it.
Note: the Server will be shown as IP/Host name per client DNS configuration.
At the SEP manager Server you can see the server listed under
clients Verint
4.4.4
13. If you do not choose Upgrade Schedule, then clients will receive the
instructions to change their installation when they check in with the
manager. This launches MSIEXEC on the client.
14. After the installation completes, a restart is required if the change installs
or uninstalls Network Threat Protection.
For unmanaged clients, or to change a managed client on an individual basis
local to that managed client, use Add or Remove Programs to change the
installation.
To modify installed features for unmanaged clients
Open Add or Remove Programs.
1. Select Symantec Endpoint Protection, and then click Change.
2. Click Next.
3. Select Modify, and click next.
4. Use the drop-down menus next to each individual component to select either
"This feature will be installed...", "This feature, and all subcomponents,
will be installed...", or "This feature will not be available."
5. Click Next.
6. Click Install to modify the installation.
7. After the installation completes, a restart is required if the change installs
or uninstalls Network Threat Protection.
Network overhead considerations
As each existing Symantec Endpoint Protection client already contains all
components (whether or not they are installed) and the version is not
being upgraded, no installation files are actually sent over the network.
No network bandwidth or traffic spikes should occur when changing the
installed feature set.
4.4.5
4.4.5.1
These distributions are supported on computers using Intel 486-, 586-, and 686-compatible CPUs.
The Java Runtime Environment (JRE) 1.4 or higher must be installed on your
Linux computers to use the user interface. JRE is also required to run Java
LiveUpdate.
X11 with a KDE or Gnome desktop environment is required to see the system tray
icon, user status window, and event notifications.
Installation Packages for SAV
The setup binaries for SAV for Linux can be found at:
\3rdparty\SEP 11 u5 Client\SAVLINUX
4.4.5.2
5. Files and Folder exclusions
To prevent the SEP client from scanning unwanted files and folders
in our systems, a policy has been set in the Symantec End Point Manager
that applies to all SEP clients when they first connect to the SEP Manager
server.
This policy contains all file extensions and folders for all projects; if a
file or folder does not exist on a particular server/workstation, the SEP
client ignores it.
Since this policy is part of the SEP manager database, there is no need to
run the config tool or configure any component.
Note: Security Risk Exceptions are global, and apply to all Scheduled Scans
as well as Real-time Auto Protect.
The following pages contain all file and folder exclusions for the various
servers.
CONFIGURATION TABLES FOR RELIANT AND STARGATE
5.2 Reliant 10.4 updates
6. Virus definitions updates
6.1 Manually updating the SEPM manager
When updating the SEPM antivirus definition content is not possible by running LiveUpdate
(LUALL.exe) or by scheduling LiveUpdate through the SEPM GUI, manually updating the
definitions content on the SEPM is the next preferred method.
Cause: When the SEPM is behind a closed firewall/proxy or has no direct access to the Internet or
an internal LiveUpdate server, the SEPM will not be able to retrieve content.
Solution:
The *.JDB file can be used to update the virus definitions for Symantec Endpoint
Protection Manager.
Please note that the .JDB file only contains antivirus/antispyware definitions and will not provide
updated content for the firewall component for the SEP clients.
Use the .JDB Daily Certified definitions or the .JDB Rapid Release definitions to update Symantec
Endpoint Protection Manager Content.
b. On the next web page, "Symantec Endpoint Protection / Symantec Antivirus Corporate
Edition", there are multiple headings/product categories presented. Be aware that each set of
definitions available is grouped by 32 bit or 64 bit product installation sets. Download the correct
(32 bit or 64 bit) .JDB file according to the Windows platform where the Symantec Endpoint
Protection Manager is installed and save the file to the Windows desktop.
b. Download the available .JDB file and save the file to the Windows desktop.
To use the .JDB file to update definitions for Symantec Endpoint Protection
Manager:
a. After downloading, rename the file extension from ".zip" to ".jdb". (Most browsers detect
the file type and automatically change the extension. This must be changed back to .JDB for use in
the SEPM.)
b.
c. Within 30 seconds to a minute, the .JDB file will be processed. As the .JDB
file is processed, all files and subfolders are removed from the "Incoming" folder.
To verify that the SEPM content has been updated, look in the following folders:
32-bit definitions: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}"
64-bit definitions: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{1CD85198-26C6-4bac-8C72-5D34B025DE35}"
b. Typically, there will be 3 numbered folders present. The folder naming convention is
"yymmddxxx". For example "100602034". This is the date and build (revision) number of the
definition set installed. Please note that the definition set installed may have been published the
previous day and a set for the current day may not yet be available.
c. Looking inside the folder that matches the set downloaded and installed, there should be a
folder named "Full" and a zip file named "Full.zip".
d. Looking inside the "Full" folder, there should be the files typically associated with a virus
definition set.
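The folder check in steps b to d above can be scripted so that a missing or stale definition set is noticed after a manual .JDB update. The following Python is an added example, not part of the original manual or of Symantec tooling; the function names, the two-day staleness threshold, reading "yy" as 20yy, and the constructed sample tree are assumptions.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# 32-bit content folder name quoted in this section.
CONTENT_32 = "{C60DC234-65F9-4674-94AE-62158EFCA433}"
REV_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{3})$")  # yymmddxxx


def parse_revision(name):
    """Split a 'yymmddxxx' folder name into (date, build); None if it is not one."""
    m = REV_RE.match(name)
    if not m:
        return None
    yy, mm, dd, build = (int(g) for g in m.groups())
    try:
        return date(2000 + yy, mm, dd), build   # assumption: yy means 20yy
    except ValueError:                          # nine digits but not a real date
        return None


def check_definitions(content_dir, today, max_age_days=2):
    """Find the newest definition set and report ok / stale / incomplete / missing.

    max_age_days is an assumed threshold; the manual only notes that a set
    published the previous day is normal.
    """
    revisions = []
    for entry in Path(content_dir).iterdir():
        parsed = parse_revision(entry.name) if entry.is_dir() else None
        if parsed:
            revisions.append((parsed, entry))
    if not revisions:
        return {"status": "missing", "revision": None}
    (rev_date, build), folder = max(revisions, key=lambda r: r[0])
    # Step c: the set must contain a "Full" folder and a "Full.zip" file.
    complete = (folder / "Full").is_dir() and (folder / "Full.zip").is_file()
    age = (today - rev_date).days
    if not complete:
        status = "incomplete"
    elif age > max_age_days:
        status = "stale"
    else:
        status = "ok"
    return {"status": status, "revision": folder.name, "date": rev_date,
            "build": build, "age_days": age}


def build_sample_tree(root):
    """Create a constructed content folder (not copied from a real SEPM)."""
    content = Path(root) / CONTENT_32
    for name in ("100531021", "100601019", "100602034"):
        (content / name / "Full").mkdir(parents=True)
        (content / name / "Full.zip").write_bytes(b"")
    (content / "101345001").mkdir()   # impossible date (month 13): ignored
    (content / "tmp").mkdir()         # hypothetical non-revision folder: ignored
    return content


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_definitions(build_sample_tree(tmp), today=date(2010, 6, 3)))
```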
For the 32-bit Intelligent Updater files for clients, the file names end with "i32.exe" and the
64-bit client file names end with "i64.exe".
2. The Intelligent Updater file names for SAV clients end with "i32.exe" or "i64.exe".
3. The Intelligent Updater file names for SEP clients end with "v5i32.exe" or "v5i64.exe".
4. The Intelligent Updater file name that ends in "x86.exe" is only for certain products and
should only be used with those products.
5.
6. The SAV Parent updater file has an ".XDB" extension and only updates 32-bit virus
definitions; SAV parent servers do not serve 64-bit definitions. 64-bit systems cannot be SAV parent
servers.
6.2 How to manually update definitions for an unmanaged SEP Client
How to update definitions for the Symantec Endpoint Protection Client using
the .jdb file.
The *.jdb file can be used to update virus definitions for the Symantec Endpoint
Protection Client. Use the Daily Certified or Rapid Release *.jdb to update
Symantec Endpoint Protection Client.
Directly on the Client:
1. Download the *.jdb File from our Symantec Security Response Website:
http://www.symantec.com/avcenter/defs.download.html for certified
definitions or
http://www.symantec.com/avcenter/rapidrelease.download.html for Rapid
Release definitions.
2. Copy the file on the Client PC into the folder:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\inbox
On Windows 2003 the path is C:\Documents and Settings\All Users\...
On Windows 2008/R2 the path is C:\Users\All Users\....
3. After a few minutes the client will have the new Antivirus Definitions.
7.
8. Appendix
8.1 How to Migrate From Symantec Antivirus System Center Console to Symantec Endpoint Protection Manager
In order to upgrade the SAV System Center to Symantec Endpoint Protection, you
must follow the procedure below for a successful upgrade.
Migrations that are supported:
The client installation detects the following software and migrates the software if
it is detected:
a. Symantec Antivirus client and server 9.x and later
b. Symantec Client Security client and server 2.x and later
Migrations that are blocked:
The client installation routines check for the existence of the following
software and blocks migration if this software is detected:
a. Symantec Antivirus client and server 8.x and earlier
b. Symantec Client Security client and server 1.x
c. Symantec Client Firewall 5.0
d. Symantec System Center, all versions
e. Symantec Reporting Server 10.x
f.
Migrating Symantec Antivirus and Symantec Client Security
Preparing legacy installations for migration:
With the Symantec System Center, you must change settings for clients and
servers to simplify the migration process. For example, if a client runs an
antivirus scan during migration, migration is blocked until the scan finishes and
the migration may fail. Also, you need to disable the uninstallation password
feature for client software if it is enabled. If you do not, users are prompted to
enter the password in interactive mode.
Note: If you migrate groups and settings from the Symantec System Center, the
policies that are migrated for those groups include these modifications. You may
want to revert these settings after the migration. For example, you may want to
turn on scheduled scans. Also, you do not need to disable the uninstall password
if it is enabled. The migration ignores the password.
Preparing all legacy installations:
These procedures apply to all legacy software installations that are supported for
migration.
Note: If you use client groups that do not inherit settings, prepare
these groups the same way that you prepare server groups and
management servers.
Disabling scheduled scans:
If a scan is scheduled to run and is running while the client migration occurs,
migration may fail. A best practice is to disable scheduled scans during migration
and then enable after migration.
To disable scheduled scans
1. In the Symantec System Center, do one of the following actions:
a. Right-click a management server.
b. Right-click a client group.
2. Click All Tasks > Symantec Antivirus > Scheduled Scans.
3. In the Scheduled Scans dialog box, on the Server Scans tab, uncheck all
scheduled scans.
4. On the Client Scans tab, uncheck all scheduled scans, and then click OK.
5. Repeat this procedure for all primary management servers, secondary
management servers, and all client groups.
Deleting histories
All histories are now stored in a database. History file deletion speeds the
migration process.
To delete histories
1. In the Symantec System Center, right-click a server group.
2. Click All Tasks > Symantec Antivirus > Configure History.
3. In the History Options dialog box, change the Delete after values to 1 day.
4. Click OK.
5. Repeat this procedure for all server groups if you have more than one.
Disabling LiveUpdate
If LiveUpdate runs on client computers during migration, conflicts may occur.
Therefore, you must turn off LiveUpdate on client computers during migration.
To turn off LiveUpdate
1. In the Symantec System Center, right-click a server group.
2. Click All Tasks > Symantec AntiVirus > Virus Definition Manager.
3. In the Virus Definition Manager dialog box, check Update only the primary
server of this server group, and then click Configure.
4. In the Configure Primary Server Updates dialog box, uncheck Schedule for
Automatic Updates, and then click OK.
5. In the Virus Definition Manager dialog box, uncheck the following selections:
* Update virus definitions from parent server
* Schedule client for automatic updates using LiveUpdate
* Enable continuous LiveUpdate
6. Check do not allow client to manually launch LiveUpdate, and then click OK.
7. Repeat this procedure for all server groups if you have more than one.
Turning off the roaming service
If the roaming service is running on client computers, the migration might hang
and fail to complete. If the roaming service is turned on, you must turn it off
before starting the migration.
Note: If your roaming clients run Symantec Antivirus version 10.x, you must
unlock your server groups before you disable the roaming service. This practice
helps ensure that roaming clients are properly authenticated with certificates to
their parent server.
To turn off the roaming service
1. In the Symantec System Center, right-click a server group.
2. Click All Tasks > Symantec Antivirus > Client Roaming Options.
3. In the Client Roaming Options dialog box, in the Validate parent every minutes
box, type 1.
4. In the Search for the nearest parent every minutes box, type 1, and then press
OK.
5. Wait a few minutes.
6. In the Symantec System Center, right-click a server group.
7. Click All Tasks > Symantec Antivirus > Client Roaming Options.
8. In the Client Roaming Options dialog box, uncheck Enable roaming on clients
that have the Symantec Antivirus Roaming service installed.
9. Click OK.
About preparing Symantec 10.x/3.x legacy installations
Symantec Antivirus 10.x and Symantec Client Security 3.x provide the additional
features that must be properly configured for successful migration.
Unlocking server groups
If you do not unlock server groups before migration, unpredictable results may
occur. Also, if the roaming service is enabled for clients, unlocking the server
group helps ensure that the clients properly authenticate to a parent server.
Clients that properly authenticate to a parent server get placed in the database.
Clients that get placed in the database automatically appear in the correct
legacy group in the console after installation.
To unlock a server group
1. In the Symantec System Center, right-click a locked server group, and then
click Unlock Server Group.
2. In the Unlock Server Group dialog box, type the authentication credentials if
necessary, and then click OK.
Turning off Tamper Protection
Tamper Protection can cause unpredictable results during migration. You must
turn off Tamper Protection before starting the migration.
To turn off Tamper Protection
1. In the Symantec System Center, right-click one of the following categories:
* Server group
* Primary or secondary management server
2. Click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
3. In the Server Tamper Protection Option dialog box, uncheck
Enable Tamper Protection.
4. Click OK.
5. Do one of the following actions:
* If you selected a server group, repeat this procedure for all server
groups if you have more than one.
* If you selected a management server, repeat this procedure for all
management servers in all server groups.
8.2 How to fix kill.exe virus not detected
The kill.exe virus is not detected because of a predefined path in the centralized
exception that Symantec added in the first place.
The following procedure is for existing environments.
The updated SEP database contains this fix.
1.
2.
3.
4.
5.
6.
8.3 PER - Project Exceptional Request
8.3.1
In all Verint products we are using the following Symantec Anti Virus
solutions:
No.
1
Department
NPI
Project
version
10.4 and above
10.3 SP1
10.1 SP4.5
India
7.10 SPx
2.
3.
WAM-WIS
Stargate
4.
Audiolog
6.x
5.x
5.x
4.x
5.
8.3.2
Tactical
If the customer wants to use their own A/V solution, use the
following procedure:
1. Run a sanity test in your LAB with the A/V solution the customer
requested.
2. Check with the customer to use the exclusion list tables in section 5
pages 58 when configuring the A/V policy.
To prevent the SEP client from scanning unwanted files and folders
in our systems, and so avoid access blocking and poor performance, a policy
has been set in the Symantec End Point Protection Manager that applies
to all SEP clients when they first connect to the SEP Manager server.
This policy contains all file extensions and folders for all projects; if a
file or folder does not exist on a particular server/workstation, the SEP
client ignores it.
Since this policy is part of the SEP manager database, there is no need to
run the config tool or configure any component.
Note: Security Risk Exceptions are global, and apply to all Scheduled Scans
as well as Real-time Auto Protect.
4. Check with the customer about the Virus definition updates procedure.