
Administrators Guide

version 7.20

Endpoint Manager Antivirus & Antispyware Reports & Statistics

Norman Endpoint Manager Administrators Guide

Limited Warranty
Norman guarantees that the enclosed CD-ROM and documentation do not have production flaws. If you report a flaw within 30 days of purchase, Norman will replace the defective CD-ROM and/or documentation at no charge. Proof of purchase must be enclosed with any claim. This warranty is limited to replacement of the product. Norman is not liable for any other form of loss or damage arising from use of the software or documentation or from errors or deficiencies therein, including but not limited to loss of earnings.

With regard to defects or flaws in the CD-ROM or documentation, or this licensing agreement, this warranty supersedes any other warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, Norman will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages. This warranty expires 30 days after purchase.

The information in this document as well as the functionality of the software is subject to change without notice. The software may be used in accordance with the terms of the license agreement. The purchaser may make one copy of the software for backup purposes. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without the explicit written permission of Norman.

The Norman logo is a registered trademark of Norman ASA. Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only. Norman documentation and software are Copyright 1990-2009 Norman ASA. All rights reserved.

Revision date 3 July 2009.

Copyright 1990-2009 Norman ASA


Table of Contents

Introduction
  About this version
  About this manual
  Help and support
  System requirements
About Norman Endpoint Protection
  The concept
  Definition of terms
  Primary functions
  Theory of operation
  The realm
  Events in the realm
  Realm communications
  Online status
  Policies
  Administrative realm
  Upgrading an existing environment
  NVC v5 vs. Norman Endpoint Protection
Installing the Endpoint Manager
  Installing
  Uninstalling
Installing on clients
Using Norman Endpoint Manager
  Risk level indicator
  Current status
  Select a task
  The Home page
  Status
  Alarms
  Errors
  Warnings
  Not updated
  Offline
  Clients
  Group information
  Predefined groups
  Machine information
  About status
  About icons and colors
  Transitions between states
  Policies
  Create new policy
  Configure policy products
  Configure Antivirus
  Configure Product Manager
  Assign a policy to a group
  Products
  Update products
  Languages
  Platforms
  Reports
  Maintenance
  Realm administrators
  Backup and restore
  Import
  Migration of corporate NVC5 clients
  Active discovery
  Generate MSI
  Remote access
  Settings
  Event management
  Topology filters
  Setting up network/domain access
  Push install
  Installing in a network
  Supervisor process
  The Support page
Appendix A
  Technical description of passive discovery


Introduction
About this version
The current release is available in several languages. New languages are added at irregular intervals. Check Norman's web sites for details, or contact your local dealer for more information about language versions.

About this manual


This manual presents an overview of features and key functions in Norman Endpoint Manager and how they work with Norman Endpoint Protection. This guide focuses on the Endpoint Manager, and covers configuration options for Endpoint Protection. Norman Antivirus is the first product that can be handled by the Endpoint Manager. However, new products will be added to the Endpoint Protection product portfolio soon, like Norman Network Protection (NNP) and an antivirus solution for Exchange. The documentation for all Endpoint Protection products will be available as separate manuals.

Help and support


We strongly recommend that you read this guide thoroughly before installing Norman Endpoint Protection and the Endpoint Manager, and that you use it for reference during installation. In this guide you will find instructions on how to install and to upgrade your licensed software as well as on how to use the software.

Norman provides technical support and consultancy services for the Endpoint Manager and security issues in general. Technical support also comprises quality assurance of your antivirus installation, including assistance in tailoring Endpoint Protection to match your exact needs. For training or technical support issues please do not hesitate to contact your local dealer or a Norman Office. Please see the last page of this publication for further information on Norman Offices.

We also encourage you to visit our home page for detailed support issues and to search within our Knowledge Base and to study our Frequently Asked Questions pages.

Support: http://www.norman.com/support/


System requirements
Norman Endpoint Protection (NPRO) and Norman Endpoint Manager (NEM) are designed to work in IP-based networks. The communication between the management console and the clients applies TCP/IP on port 2868, which has been reserved and registered by Norman. The Norman Information Exchange (NIX) protocol is used. Both binary traffic and http-based communication use this port.

NPRO is designed to run on the Windows platforms listed below. The platforms do not have to be servers, but they must be licensed to allow an unlimited number of IP connections on a given port. The Endpoint Manager processes make extensive use of memory caching, and the amount of available RAM directly influences system performance.

This version supports the installation of Norman Endpoint Protection and the management console Endpoint Manager on the following Windows platforms (clients and/or management console):
- Windows 2000 Pro/Server 32-bit SP4 + Update Rollup 1 for Windows 2000 SP4 and Internet Explorer 6
- Windows XP 32-bit SP2/Win XP 64-bit SP1 and Internet Explorer 6
- Windows Server 2003 32-bit SP1/64-bit SP1 and Internet Explorer 6
- Windows Vista 32-bit/64-bit (SP1 recommended)
- Windows Server 2008 32-bit/64-bit

Hardware requirements:
- CPU: Minimum 1GHz
- RAM: Minimum 512 MB (1GB recommended)

Disk space: Minimum 300 MB for a network with approximately 100 clients, then 10 MB more for another 100 clients, and so on.

Internet browsers: Mozilla Firefox 2 or 3. Internet Explorer 7 (IE 6 works, but is slower).

In general, the Norman Endpoint Manager makes extensive use of memory caching for its data handling. In larger networks, the Endpoint Manager will perform better with more available RAM.


About Norman Endpoint Protection


Norman Endpoint Protection constitutes the framework for hosting a range of applications that can be installed and controlled through a common licensing and update system.

The concept
A Norman Endpoint Manager installation is a node in a network where the clients' configuration is managed. This is done by establishing policies which include product configuration. When a client contacts the Endpoint Manager to fetch a configuration, the settings for the relevant policy are sent back. Information about the clients is sent to NEM through the messaging system or through a separate http-wrapped protocol.

A database on the Endpoint Manager contains information about all the IP-based devices in the network. Clients can be assigned policies and hence managed on the NEM. A node that is designated NEM (of any type) is a regular corporate node with additional administrative functionality. The Endpoint Manager maintains lists in the local database of manageable and unmanageable clients and displays status information and network statistics. There are separate pages for the different administrative tasks, such as managing clients, policies, products, settings etc.

One of the Endpoint Manager's primary properties is that nodes and clients in the database are assigned to logical groups that can be configured. All clients in the same group will also share product configurations. Clients in the network will contact their assigned Endpoint Manager and get configuration according to the policy that has been established for their specific group. Each group can be opened and managed separately in the Endpoint Manager GUI. In addition, groups may be created and deleted.

The Endpoint Manager contains additional functionality to distribute, install, manage, and control many installations within one organization. Only a few clients/machines are updated from Norman in such an environment. Most of the distribution takes place within the organization over the local network. This manual explains the additional functionality of the network version, including installation, establishment of the network, configuration, management, and software maintenance within the organization.

Norman Endpoint Protection is covered by Norman Security Suite's single user documentation, which is available in different languages and can be downloaded from Norman's web site.

Definition of terms
NEM: Norman Endpoint Manager. This is a system in the realm where the network and Norman's products can be configured and controlled.
Primary NEM: The first NEM to be installed in a network. During install, the realm credentials package is established (realm name, realm owner name, etc.).
NPRO: Norman Endpoint Protection. Norman security software managed by the Endpoint Manager.
Realm: The organizational collection of clients that is controlled by a NEM, similar to a domain.
NISE: Norman Internet Server Engine. An http server that serves either files, local database resources, or GUI content. It shares port 2868, the messaging system port.
Credentials package: A unique data package identifying a realm. The package contains data that allows clients in a realm to communicate with the NEMs, and vice versa.


Primary functions
Norman Endpoint Manager is the management console in a Norman Endpoint Protection environment that ultimately will comprise all relevant Norman products. The list below presents the Endpoint Manager's primary functions:
- Provides a view of network devices
- Provides a view of network/device status
- Generates and displays event and status statistics
- Manages incoming alarms, warnings and errors
- Manages configurations for current and future products
- Manages policies and assigns them to client groups
- Manages product installation in a network
- Provides limited status view of NVC v5 clients
- Manages the Internet Update configuration
- Generates and exports reports from statistics
- Provides redundancy for the topology and configuration database, including manual export/import
- Manages the administrators of the realm
- Installs additional endpoint clients
- Serves as a distribution point for definition files and software updates

An Endpoint Manager node will receive system messages from Endpoint Protection clients throughout the network. Data about network devices is passively gathered and qualified by the distributed Endpoint Protection clients. The topology information is then reported to the NEMs. From the Endpoint Manager network map, clients can be arranged in groups.

Theory of operation
Norman Endpoint Manager (NEM) is a product that provides management of Endpoint Protection clients. It consists of the following main components:
- A database that holds network clients and their data, both managed and unmanaged, as well as product policies.
- Credentials data that defines the logical realm that is being managed.
- A client component that is a part of all managed clients.
- A server component that runs the management processes on the NEM.

The Endpoint Manager was designed with scalability in mind. Emphasis has been put on keeping network traffic low. The management server and the clients are communicating continuously, but in a serialized manner. This means that the network picture during normal operations is not real-time, but is current enough as long as everything is normal. However, on-demand administrative actions as well as critical messages from the clients are real-time.


The realm
The term realm denotes the logical collection of networks and network devices that make up the infrastructure where the software is installed. A network administrator will name the realm and define who will manage it. The NEM console will show a map of the devices that are included in the realm. These devices may or may not be managed. An administrator can include devices into the realm, or they can be auto discovered.

The realm consists of a set of unique data that is duplicated between the management console and the managed clients. The data provides a way to encode the data communications between the NEM and the clients. It also serves as a method to identify which clients are managed or not.

Configuration is changed centrally for the realm, and the clients retrieve the updated settings. Management of the clients is accomplished through changing the clients' configuration and by issuing tasks through the same mechanism. Additionally, some direct commands allow an administrator to ask a client for information or issue instructions to the client's Program Manager. These commands can be used to tell a client to refresh an installation or update itself on demand. See Action buttons on page 22 for details.

The Endpoint Manager has a built-in backup mechanism to save the realm data. This is important in case the NEM is damaged. It will then be possible to install a new management station and continue the management of all the existing clients without having to reinstall them.

Events in the realm


Messages
Managed clients, as well as old NVC v5 installations, use the messaging system to communicate events on the clients. Events which are sent as messages are Alarms, Errors and Warnings. When messages reach the Endpoint Manager, they are sorted and stored with the database entry of the associated client.

Platform and status messages

A special administration protocol conveys data about the general status of managed clients, the platform it originates from, and license information.

Topology messages

Each managed client in a realm will frequently collect data about network traffic and compile lists of devices that it sees. This is used to let the Endpoint Manager add network devices to its topology map using a passive method rather than active scanning. Common for the traffic above is that data about online status for the network devices are being kept up to date in the NEM database.

Realm communications
Once the Endpoint Manager has been installed and a realm established, the Endpoint Protection (NPRO) may be distributed throughout the network. Nodes in the realm should contact a distribution point (usually a NEM) to get software and configuration updates. Software updates are distributed as signed packages in a way similar to NVC v5. However, these files are now fetched by an internal protocol and not from file shares as before. The same communication channel is used for configuration and management distribution. A node in the network can replicate settings from remote store resources.


Online status
Every time an event from a particular device reaches the Endpoint Manager, managed or not, a timestamp is updated in the NEM database to reflect when the device was last seen. Network devices can have three online states: online, stale, and offline. When a device has been seen within a set period. These time thresholds can be adjusted on the NEM, but the defaults have proven to generate a good network status map. If a client has not been seen within this period, the status is changed to stale. Once it is stale, a separate process within NEM will attempt to actively contact the client to update its status. Note that as long as a client is online, no active communication is done from the Endpoint Manager to the client unless the administrator manually initiates it. While stale, the Endpoint Manager will contact the client a set number of times with a set delay between each attempt. See Supervisor process on page 58. If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as offline. As soon as any information about the client is received, it will immediately be marked as online. See also Technical description of passive discovery on page 60.
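The online, stale and offline transitions described above can be modeled as a small state machine. This is an added example, not Norman's code: the threshold values, the split into three contact attempts 20 minutes apart, and all names are assumptions, chosen so that a client goes offline one hour after turning stale.

```python
"""Added example: model of the online / stale / offline life cycle."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class State(Enum):
    ONLINE = "online"
    STALE = "stale"
    OFFLINE = "offline"


@dataclass
class Thresholds:
    # All values are assumptions; the guide only says they are adjustable.
    online_window: int = 900    # seconds a device counts as online after last being seen
    probe_attempts: int = 3     # active contact attempts made while stale
    probe_delay: int = 1200     # seconds between attempts (3 x 1200 s = 1 hour)


@dataclass
class Device:
    name: str
    last_seen: int              # time of the last event about this device
    state: State = State.ONLINE
    probes_sent: int = 0
    last_probe: Optional[int] = None


def record_event(dev: Device, now: int) -> None:
    """Any information about the device (message, status or passive
    topology report) immediately marks it online again."""
    dev.last_seen = now
    dev.state = State.ONLINE
    dev.probes_sent = 0
    dev.last_probe = None


def supervise(dev: Device, now: int, th: Thresholds,
              probe: Callable[[Device], bool]) -> State:
    """One supervisor pass. `probe` actively contacts the device and
    returns True if it answered."""
    if dev.state is State.ONLINE:
        if now - dev.last_seen <= th.online_window:
            return dev.state            # online: no active contact is made
        dev.state = State.STALE
    if dev.state is State.STALE:
        due = dev.last_probe is None or now - dev.last_probe >= th.probe_delay
        if due and dev.probes_sent >= th.probe_attempts:
            dev.state = State.OFFLINE   # all attempts used, nothing heard
        elif due:
            dev.probes_sent += 1
            dev.last_probe = now
            if probe(dev):
                record_event(dev, now)
    return dev.state


def simulate(th: Thresholds, step: int = 600, end: int = 5400,
             passive_report_at: Optional[int] = None) -> List[Tuple[int, str, int]]:
    """Constructed scenario: a device last seen at t=0 that never answers
    probes. Returns (time, state, probes_sent) for each supervisor pass."""
    dev = Device("client-01", last_seen=0)
    timeline = []
    for now in range(step, end + 1, step):
        if (passive_report_at is not None and passive_report_at <= now
                and dev.last_seen < passive_report_at):
            record_event(dev, passive_report_at)   # seen by another client
        state = supervise(dev, now, th, probe=lambda d: False)
        timeline.append((now, state.value, dev.probes_sent))
    return timeline


if __name__ == "__main__":
    for row in simulate(Thresholds()):
        print(row)
    print(simulate(Thresholds(), passive_report_at=5000)[-1])
```

In this model `Thresholds(probe_delay=2400)` gives the two-hour window; the point to take from the timeline is that a device shown as stale has already missed its reporting window and is being actively probed.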

Policies
A policy is a collection of product settings configured and stored on the Endpoint Manager. Managed clients will frequently contact the NEM to get a copy of the product settings. The client does not know which policy it is getting. Rather, the Endpoint Manager looks up the policy for the requesting client, and hands back the settings contained in the relevant policy.

The administrator can decide whether clients that belong to a policy are allowed to change their settings locally. If so, the administrator can revoke this right and enforce settings from the policy at a later time.

The Endpoint Manager displays a logical network map containing groups of clients. A group can be assigned a policy or keep the original default policy. If there are groups within groups with different policies, and a group is deleted, any clients within the group are moved up to the next level, where they inherit the policy that belongs to the new group.
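The policy lookup, the local-change right and the effect of deleting a nested group can be traced with a small model. This is an added example, not the product's implementation: the group, policy and setting names are hypothetical, and re-parenting the sub-groups of a deleted group is an assumption the guide does not state.

```python
"""Added example: which settings a client receives as policies and groups change."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ROOT = "Realm"              # top-level group name (assumed)
DEFAULT_POLICY = "Default"  # name of the original default policy (assumed)


@dataclass
class Policy:
    settings: Dict[str, object]
    allow_local_changes: bool = False   # may clients change settings locally?


@dataclass
class Group:
    parent: Optional[str]
    policy: str = DEFAULT_POLICY        # kept unless another policy is assigned
    clients: Set[str] = field(default_factory=set)


class PolicyStore:
    def __init__(self, default_settings: Dict[str, object]):
        self.policies = {DEFAULT_POLICY: Policy(dict(default_settings))}
        self.groups = {ROOT: Group(parent=None)}

    def add_group(self, name, parent=ROOT, policy=DEFAULT_POLICY):
        if parent not in self.groups or policy not in self.policies:
            raise KeyError("unknown parent group or policy")
        self.groups[name] = Group(parent=parent, policy=policy)

    def move_client(self, client, group):
        for g in self.groups.values():
            g.clients.discard(client)
        self.groups[group].clients.add(client)

    def group_of(self, client):
        for name, g in self.groups.items():
            if client in g.clients:
                return name
        return ROOT     # assumption: ungrouped clients sit at the top level

    def settings_for(self, client, local_changes=None):
        """The client never names a policy; the lookup is done for it."""
        policy = self.policies[self.groups[self.group_of(client)].policy]
        settings = dict(policy.settings)
        if policy.allow_local_changes and local_changes:
            settings.update(local_changes)  # local changes survive only if allowed
        return settings

    def delete_group(self, name):
        if name == ROOT:
            raise ValueError("the top-level group cannot be deleted")
        gone = self.groups.pop(name)
        # Clients move up one level and take that group's policy.
        self.groups[gone.parent].clients |= gone.clients
        for g in self.groups.values():
            if g.parent == name:
                g.parent = gone.parent      # assumption: sub-groups move up too
        return sorted(gone.clients)


def demo():
    """Constructed scenario: a lab group nested under a servers group."""
    store = PolicyStore({"on_access_scan": True, "scan_archives": True})
    store.policies["Lab"] = Policy(
        {"on_access_scan": True, "scan_archives": False}, allow_local_changes=True)
    store.add_group("Servers")                        # keeps the default policy
    store.add_group("Lab", parent="Servers", policy="Lab")
    store.move_client("lab-pc-1", "Lab")
    local = {"on_access_scan": False}                 # change made on the client

    allowed = store.settings_for("lab-pc-1", local)   # local change is honoured
    store.policies["Lab"].allow_local_changes = False # right revoked later
    enforced = store.settings_for("lab-pc-1", local)  # policy values enforced
    store.delete_group("Lab")
    moved = store.settings_for("lab-pc-1", local)     # now under "Servers"
    return allowed, enforced, moved


if __name__ == "__main__":
    for label, result in zip(("allowed", "enforced", "moved"), demo()):
        print(label, result)
```

Running the lookup for the affected clients before and after a group is deleted shows whether the parent group's policy is weaker or stricter than the one they had.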

Administrative realm
Once an Endpoint Manager has been installed and a realm established, Norman Endpoint Protection may be distributed throughout the network. The installer contains information that causes Endpoint Protection to contact the Endpoint Manager in the realm. Nodes in the realm should contact a distribution point (usually a NEM) to acquire software and configuration updates. Software updates are distributed as packages the same way as it is done in NVC v5. However, these files are now fetched by an internal protocol and not from file shares as before.

Upgrading an existing environment


NVC v5 vs. Norman Endpoint Protection
If you have an earlier version of NVC v5 installed, various possibilities for upgrading the existing installation will present themselves. The scenarios are as follows:

Complete removal of the existing NVC v5 can be performed by running the delnvc5.exe utility on all nodes in the network. This will ensure a clean install of NPRO and involves the least risk.

However, in larger networks, it may be desirable to retain some of the logical administrative structure. In NVC v5, the configuration for network nodes is kept in a directory tree at a file share. Each directory contains configuration files for a group of clients. Although the configurations found here contain different sets of configuration values than what is used in NPRO, many of the values can be converted to Endpoint Protection values. This can be done during the initial install of the Endpoint Manager. After creating the credentials for a new realm, the administrator can import settings from an old distribution point by contacting this point and traversing the configuration tree. For each directory found, a new configuration group is made in the network database of the new Endpoint Manager. Settings that apply to each group are also imported. The imported settings may then serve as a starting point for managing the new network, and may also save the administrator the extra task of typing in configuration names from scratch.

After the Endpoint Manager is established in a network, provisions are available to allow an NVC v5 network to distribute packages that contain the credentials package and the data about known NEMs and distribution points. Each configuration in the NVC v5 configuration hierarchy can then be switched to start updating to Norman Endpoint Protection. This allows larger networks to be upgraded in steps, and allows organizations to run tests on the new software before performing a full deployment.

The Maintenance page in the Endpoint Manager's GUI offers the possibility of importing the NVC v5 topology from its distribution point into a realm in NEM at a later stage. From the same page you can migrate the client software from NVC v5 to Endpoint Protection. See Import on page 41.


Installing the Endpoint Manager


After the Endpoint Manager has been installed, the realm owner may perform several additional tasks. Some useful tasks may be to add administrators to the realm, create and/or import some initial client groups, and set up some topology filters for discovered network clients. One task that is particularly important is the feature that will allow the administrator to create a client installation package (MSI) to be used for the initial roll-out of managed clients. This package is unique to the realm and will ensure that the clients establish communications with the Endpoint Manager and may be managed by policies. When an Endpoint Manager is initially established, the only administrator in the realm is the realm owner who was created when you stepped through the NEM wizard.

Note
The realm owner credentials should only be used when an Endpoint Manager is being restored from a backup. It is an essential task to create one or more realm administrators after the realm has been established. Future management sessions will be done as one of these realm administrators, and never as the realm owner. The distinction between the realm owner and a realm administrator is that while administrators come and go, the original realm fundamentals established by the realm owner should be unaffected by alternating admin regimes. The realm owner is not displayed on the list for realm administrators.

Installing
During installation you must complete two wizards: first a regular InstallShield Wizard to install Norman Endpoint Protection, and then Norman Endpoint Manager Install Wizard to install NEM and establish a realm. The current version only permits the setting up of one NEM instance. Make sure you have the Norman Endpoint Protection product license key at hand before you start.

1. Run the NPRO installer package [NormanEndpointProtection_Server_720xxx_ALL_yyy.exe] and follow the instructions on the screen. xxx represents x64 for 64-bit or x86 for the 32-bit version. ALL denotes that all available language versions are included in the package, while yyy specifies the release number.

Note
To save bandwidth and resources in general, we encourage you to select Custom rather than Complete installation and select only the language versions that you actually need.

2. When the installation is complete, you may be prompted to restart your computer.
3. Wait for 3-5 minutes before you right-click the Norman icon in the system tray and select Norman Endpoint Manager. The Endpoint Manager Install Wizard is launched. Running the wizard is a necessary and mandatory part of the installation. The wizard will request information like:
- Realm name
- Realm owner username
- Realm owner password
- Server name or IP address


Note
The machine you're installing to must have a static IP address. The address you enter cannot be changed later. Depending on your DNS setup, specifying a server name instead has the advantage that a restore is easier to accomplish if you need to restore on a different machine. Valid characters for the realm name are A-Z, a-z, 0-9, and period (.), underscore (_), hyphen (-), and blank/space. The maximum length is 32 characters. The realm owner username must be at least 5 characters long. All fields are case sensitive.

4. A dialog appears, displaying the values you just specified. If you are satisfied, print this page for future reference and click Continue to proceed with the installation, or Back to change the values.
5. A final dialog appears with a handful of important tips. Click Finish to complete the installation.
6. In the next dialog, log on to the Endpoint Manager with the values you just confirmed, i.e. username and password.

Note
If you experience problems logging on to the newly created realm, you must restart your machine. Alternatively, you can access the Endpoint Manager with a browser other than IE, for example Mozilla Firefox, using the address: http://localhost:2868/noc/index.phtml.

7. The Endpoint Manager GUI is launched. We strongly recommend that you create a realm administrator before you do anything else (Maintenance > Realm administrators).
8. Select Products in the Endpoint Manager GUI and check Licenses, Languages and Platforms. Click Update selected products (Products > Licenses) to download the latest versions of all selected components. It is important that you select the correct platform of the NEM machine in this dialog. You can also select other platforms that NPRO will be supporting.

Uninstalling
To uninstall Norman Endpoint Manager, use the standard procedures offered by your operating system, for example Start > Control Panel > Add or Remove Programs.


Installing on clients
There are three ways to install Endpoint Protection in a network:
1. Generate and run a Windows Installer file (.msi). See Generate MSI on page 47.
2. Through a push installation. See Push install on page 53.
3. Through the Import/Migrate functionality. See Import on page 41.

When installed on a client, the Norman Endpoint Manager will retrieve, install and set up all the other Norman products (for now only Norman Antivirus) as defined by the group's policy.

1. Select and drag client(s) to add to a group if you wish to assign a certain policy to these clients. When prompted to confirm moving of a client to a group, click OK.

You can select multiple clients by holding down the Ctrl or SHIFT key (remember not to release the button until finished selecting and dragging the clients over to a group). Please refer to About icons and colors on page 20 and Transitions between states on page 21 for an explanation of available icons for groups and clients.


Using Norman Endpoint Manager


The web-based administrative GUI is made up of several main pages, some of them featuring separate tabbed pages. The left hand side of the page is identical regardless of which page you're working with, and displays the following information:

Risk level indicator

The Endpoint Manager collects information from the network about the realm and displays the risk level on the bar. The risk is calculated from a weighted analysis of errors, warnings and alarms within the realm, where the number of clients is part of the evaluation. The risk level is low if the indicator is in the green area of the bar. The risk level bar dynamically reflects the activity of all local NEM processes. The intention is to give a general idea about the health of the network, so do not use the bar as an exact indicator. Note that the size of the network combined with the selected trigger threshold values (see "Event management" on page 49) significantly affects the indicator.

Example: In a network of 10 clients where the trigger threshold is set to 5%, the risk level will rise if a couple of clients receive a warning, alarm, or error. Just one client with one of those statuses means that 10% of all clients have that status (5% more than the trigger value). Again, don't use the bar as an exact indicator for the soundness of your network.

Current status

These are the absolute numbers that the Risk indicator is based on. In addition, you can see if there are managed clients not updated recently, and the number of devices in the network that are offline. Click on Alarms, Errors, Warnings, Not updated or Offline to view more information on the Status page (see "Status" on page 16).

The information area at the bottom reports how many clients are online, stale or guests. When the Endpoint Manager is unable to establish contact with a client after repeated attempts, and it has not been seen for a longer period of time, it is marked as stale. NPRO will actively try to rediscover a stale client before it is moved to the Offline folder, which happens after 1 or 2 hours (default for managed/unmanaged clients, respectively). Guest nodes are clients that have Norman Endpoint Protection installed, but don't belong to this realm. Guest services are not available in the first version of Norman Endpoint Manager.


Select a task

Clicking on either task on this list brings you directly to the relevant page. The start/home page at the top always carries the name of the realm.

The Home page


In addition to the information common to all NEM's pages, the Home page features a graphical representation of the realm's clients: the status for all clients with graphs showing the number of alarms, warnings and errors over the past 24 hours. The lower part of the dialog presents the history of online, stale and offline clients in the same period for logged-on clients. The numbers are the same as those the risk indicator and the status area are based on.


Status
The current status of the realm is presented in absolute numbers on the home page. Clicking on any of the status types (Alarms, Errors, Warnings, Not updated, or Offline) will display the Status page where each status type has its own tabbed dialog. Click on a column heading to sort the entries in a dialog by that particular event.

Alarms
An alarm is an event that requires immediate action, and is posted by a security product.

If an incident of a serious nature occurs in a realm, the involved Norman application will generate event messages that are routed to the Endpoint Manager. The message details are displayed on the Status page. There are 6 columns in this dialog.

Type: Specifies which type of device it is, for example workstation, server, printer, etc.
Client name: See "Clients" on page 18.
Alarm type: The error type message appears as descriptive text, like "Cannot remove detected virus".
Alarm description: Event details as defined by the reporting application.
Detected: The date and time the error was detected (yyyy.mm.dd and time in 24 hour format).
Policy: Name of the client's policy. See "Policies" on page 23.

Errors
Errors are system anomalies that may or may not require attention. They are typically generated when a client application suffers from a malfunction.


Error messages that the Endpoint Manager receives in the realm are defined by the application reporting the alarm. There are 6 columns in this dialog.

Type: Specifies which type of device it is, for example workstation, server, printer, etc.
Client name: See "Clients" on page 18.
Error type: The error type message appears as descriptive text, like "Could not install".
Error description: Event details as defined by the reporting application, also as descriptive text like "Access denied".
Detected: The date and time the error was reported (yyyy.mm.dd and time in 24 hour format).
Policy: Name of the client's policy. See "Policies" on page 23.

Warnings

A warning is typically sent when there is an event that is handled normally but that implies that there is unusual activity detected by the client applications. As opposed to alarms and errors, warnings don't require immediate attention. This display informs about warning type, the name of the client issuing the warning, and the date and time when the client was last seen, i.e. the last time the Endpoint Manager detected network activity from this client. An example of Warning type is "Virus detected and removed".

Not updated

The Not updated message is issued by a client when the client's program manager module detects that the client software has not received relevant updates.

Status information under this tab includes type of client, client name, when it was last seen, and when it was last updated (yyyy.mm.dd and time in 24 hour format).


Offline

The clients listed under the Offline tab have been registered as offline, meaning that they have not been heard from or contacted within a certain period of time. The clients found here may or may not be managed Endpoint Protection clients. A managed client employs policy settings. An unmanaged client has no policy or no NPRO, or it is another device (printer, hub, etc).

Clients
The Clients page presents a graphical view of the entire realm with all groups and clients. All machines are members of a group, which is given a name by their administrator. All newly discovered machines will automatically be assigned to the predefined Lost and found group, unless otherwise filtered. Machines can be moved between groups manually or automatically. When you click on a group, the machines/clients that belong to that entity appear in the right-hand column. Icons for tasks that can be performed for a client appear in the column heading. Highlight the client you wish to edit and select the relevant icon. Alternatively, double-click a group or a client to configure it directly.

Group information
There are four different group icons that allow the administrator to:

Create new subgroup


Click on this icon to enter a Group name and select a policy. Available policies are displayed when you click the Policy drop-down menu. You can also type in a descriptive text in the Notes field.

Delete group
When you click on this icon, you are prompted to confirm the delete. If you delete a group that is not empty, its members and possible sub-groups are automatically moved to the Lost and found group.

Edit group
Double-click to launch a dialog where the selected Group name and supporting Policy appear in their respective fields. You can also type in a descriptive text in the Notes field.

Add client to group


This is the only available option for predefined groups, like Lost and found. Click the icon to launch a dialog where you can enter an Alias, IP address and/or MAC address and select the Type of client from the drop-down menu. This feature is provided for manual entry of clients not discovered automatically. If a client for some reason cannot be detected automatically, you can enter it manually. See also the section Predefined groups below. You can also type in a descriptive text in the Notes field.

Note
For a new client to be discovered and maintained in the client view, an IP or MAC address or a DNS name must be given.

Predefined groups
There are two mandatory groups in the Clients view:

Lost and found
Any discovered network device is placed in the Lost and found group unless a predefined filter rule places it elsewhere. The clients in this default group are given the default policy. Typically, the administrator will look in the Lost and found group to find new clients and then drag them to other groups where they are assigned a relevant policy and represent a logical view of the managed network.

Unmanaged
The group Unmanaged is a container for network devices that cannot be managed by NEM, like printers. When the administrator drags devices into the Unmanaged group, they will no longer be contacted or counted to maintain their status and statistics. It is, however, necessary to maintain a list of deleted devices, since they will still show up in the network topology reports from the clients and will be added to the Lost and found at each rediscovery. It is therefore not possible to delete devices completely from the topology database.


Machine information
When you click on a group, its machines/clients appear on the right-hand side of the page. Highlight the client you wish to view or edit and select the relevant icon from the column heading. The task icons don't appear unless you highlight one or more machines/clients. Alternatively, double-click the client to configure it directly. The dialog that appears when you click an icon displays the following information about the client: Name, State (online, offline etc.), IP and MAC address, OS, Hostname, Last seen, Up since, Last updated and Policy.

About status
Every time an event from a particular device reaches the Endpoint Manager, managed or not, a timestamp is updated in the NEM database to reflect when the device was last seen. Network devices can have three online states: online, stale, and offline. When a device has been seen within a set period (default 1 hour for managed and 2 hours for unmanaged clients), its status remains online. These time thresholds can be adjusted on the NEM, but the defaults have proven to generate a good network status map. If a client has not been seen within this period, the status is changed to stale. Once it is stale, a separate process within NEM will attempt to actively contact the client to update its status. Note that as long as a client is online, no active communication is done from the Endpoint Manager to the client unless the administrator manually initiates it. While stale, the Endpoint Manager will contact the client a set number of times with a set delay between each attempt. The default is 5 attempts with 1 hour in between, but this is adjustable. These settings can be configured from Settings > Supervisor process (see page 58). If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as offline. As soon as any information about the client is received, it will immediately be marked as online.
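The timing rules above can be modelled to see how long a silent client takes to surface as stale or offline under the default settings. This is an added example, not Norman's code: the function names and the sample inventory are constructed here, and it assumes the retry window starts when the client turns stale and ends one interval after the last attempt.

```python
from datetime import datetime, timedelta

# Defaults stated in the guide; all of them are adjustable on the NEM.
STALE_DELAY = {True: timedelta(hours=1),    # managed client
               False: timedelta(hours=2)}   # unmanaged client
ATTEMPTS = 5
ATTEMPT_INTERVAL = timedelta(hours=1)


def offline_after(managed, attempts=ATTEMPTS, interval=ATTEMPT_INTERVAL):
    """Silence needed before a client is marked offline.

    Assumption (the guide does not spell this out): the retry window starts
    when the client turns stale and ends one interval after the last attempt.
    """
    return STALE_DELAY[managed] + attempts * interval


def state_at(last_seen, now, managed):
    """Return 'online', 'stale' or 'offline' for a client last seen at last_seen."""
    silent = now - last_seen
    if silent < timedelta(0):
        raise ValueError("last_seen is later than now")
    if silent < STALE_DELAY[managed]:
        return "online"
    if silent < offline_after(managed):
        return "stale"
    return "offline"


def timeline(sightings, managed, until):
    """Replay sightings and return the (timestamp, state) transitions before until."""
    events = []
    seen_times = sorted(sightings)
    for i, seen in enumerate(seen_times):
        nxt = seen_times[i + 1] if i + 1 < len(seen_times) else until
        # Any information about the client puts it back online immediately.
        if not events or events[-1][1] != "online":
            events.append((seen, "online"))
        stale_at = seen + STALE_DELAY[managed]
        offline_at = seen + offline_after(managed)
        if stale_at < nxt:
            events.append((stale_at, "stale"))
        if offline_at < nxt:
            events.append((offline_at, "offline"))
    return events


def needs_attention(inventory, now):
    """Managed clients that are not online, worst state first."""
    rank = {"offline": 0, "stale": 1}
    hits = [(name, state_at(seen, now, managed))
            for name, (seen, managed) in inventory.items() if managed]
    hits = [(name, state) for name, state in hits if state != "online"]
    return sorted(hits, key=lambda h: (rank[h[1]], h[0]))


# Constructed sample data: client name -> (last seen, managed?)
T0 = datetime(2009, 6, 1, 8, 0)
INVENTORY = {
    "ws-01": (T0, True),
    "ws-02": (T0 + timedelta(hours=7), True),
    "ws-03": (T0 + timedelta(hours=9, minutes=30), True),
    "printer-1": (T0, False),
}
NOW = T0 + timedelta(hours=10)

if __name__ == "__main__":
    print("managed client offline after", offline_after(True))
    for name, state in needs_attention(INVENTORY, NOW):
        print(name, state)
```

Under these assumptions a managed client that goes silent is not shown as offline until six hours after it was last seen, which is worth keeping in mind when the Offline tab is used to spot unprotected machines.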

About icons and colors


A client can take on several states in the client view. The particular state of a client is indicated by its icon and color. A client can be either online, stale, or offline. Additionally, it can be managed or unmanaged. The icons themselves indicate what type of network device the client is, and are set to either a question mark (unknown) or a screen (workstation) upon installation. An administrator can change the icon by editing the client type in the client details window. The device type icon is a management aid for administrators and does not indicate any of the following status situations.


Online
A client is online with a green icon when it has been seen or heard from within the time period defined as stale delay, which is 1 or 2 hours per default depending on if the client is managed or not. Any device in the network is regarded as a client regardless of whether it has Endpoint Protection installed.

Stale
A client is stale with a gray icon when it has not been heard from within the time period mentioned above. When a client is marked stale, it means that the Endpoint Manager will try to establish contact with the client a set number of times with a set time interval. This differs from a normal situation where clients are reported as online when they submit status information or are seen by other clients.

Offline
A client is offline with a red mark-out when it has not been reported by anyone and the attempts to contact it have failed. The client will remain offline until it reports itself to the Endpoint Manager, or it has been seen by another client that reports the network topology.

Managed
A client can be managed or unmanaged regardless of its online status. A client is managed when it has Endpoint Protection installed and is a member of the realm that the Endpoint Manager has established. The client becomes managed as soon as Endpoint Protection is installed and the client reports its platform- and status information to the Endpoint Manager. When the client is managed, it is shown with a green status ball next to it in the NEM clients view.

Unmanaged devices
Any device that is not managed, is unmanaged. An administrator can choose to keep the unmanaged devices visible in the network topology map, or he/she can drag those devices into the pre-defined unmanaged group to keep them out of sight.

Transitions between states


Clients will change states automatically between online, stale, and offline. Managed clients will automatically show up with a green ball, indicating that they are managed. If a client is uninstalled, the green ball will go away after a period of time. It is normally not necessary for the administrator to take any action to maintain the network status picture. If, however, the administrator decides to force any kind of action in the network, a set of action buttons are available in the client windows or in the group overviews.


Action buttons

When selecting a client in the clients overview, or when looking at the details window for a specific client, a set of buttons are visible in the upper right corner. Depending on the status of a client, one or more of the buttons may be disabled.

Edit client

Clicking this button will open the client details window. Here, the administrator can change the type (icon) of the client, edit its alias name, move it to another group, and/or enter notes about the client. You can also double-click a client in the clients view to open this window.

Update client

This button is used to tell a managed client to check for product updates and to replicate its policy immediately. Under normal conditions, the client will check for product updates every hour and check for policy changes every 10 minutes.

Push install

If a client is enabled for push install through a Windows Domain or by configuration, the Endpoint Manager can be pushed to the client using this button. Please refer to Push install on page 53 for more information about this noteworthy feature.

Request status

A managed client can be asked to submit its status information. This is normally done when the client checks for policy changes, but can be forced by the administrator by clicking this button.

Rediscover client

When a client is stale, the Endpoint Manager will attempt to discover the client using active methods.
These methods can be initiated manually using this button. Rediscovery can be performed on any device, regardless of status or if it is managed or not.

Repair client

If a managed client experiences consistent problems, this button tells the client's program manager to re-install all products. The entire Endpoint Protection software will then be re-installed. This action is quite drastic and should only be used as a last resort.

Remote command

An administrator can issue a console command directly to any Norman program module on a managed client. This may come in handy when an administrator is helping a client user with a specific issue, or it can be used to perform actions that are not covered by the pre-defined action buttons. It is only possible to execute software that is located below the Norman root. Before issuing a remote command to a client, keep in mind what the state of the remote client might be. There may not be a user logged on, or there may be several users logged on to the client. The process that you run remotely will run with system privileges in the context of the njeeves.exe process. However, if the process that you start requires a graphical user interface, it may not show up on the remote client unless the administrator is logged on and has the desktop open (for example on a Vista client).

Delete client

When you click this button, the client is deleted from the regular view. It is moved to the unmanaged group and will no longer be kept updated or be discovered by the Endpoint Manager. Clicking this button is the same as dragging the client into the unmanaged group.

Policies
See also "Theory of operation" on page 7. A policy is a collection of specific product configurations that governs the behavior of the clients in a group. Each policy is given a name by the administrator. The policy also holds information about which products to install at the member clients. A client always uses the policy assigned to its group. A default policy should always be present in the local database, and it will provide default configuration values to all licensed products. The predefined default policy is automatically assigned to all groups unless another policy is chosen. The administrator can edit the default policy, but not delete it. If a policy containing clients is deleted, these clients are moved to the Lost and found group.


The users' access to edit the various configuration values locally at their workstation is governed by the administrator through the policy. These access rights are granted on a per product basis, and can be either write access or read-only.

From this page you can edit existing policies, create new ones and delete existing policies. Click on the Policy name to view or change settings. You can allow users to install or uninstall products on a general basis by selecting that particular option. When you click the digit in the column Subscribing groups, a dialog with the subscribing groups appears. Access type states whether the policy can be edited or is read only. The default policy is mandatory. Unless otherwise stated, a group is assigned this policy.

Create new policy


Click the Create new policy button to open this dialog:

Note
A new policy will acquire the default values: Install all available products with default values.


Enter a Policy name (mandatory) and Policy notes (optional).

Allow users to (un)install products
We do not recommend that you allow users to uninstall products at their own discretion, so be careful not to select this option unless you have good reasons to do otherwise. Leaving this check box empty will give the policy access type read-only.

Install/uninstall
You can select which product(s) to install for this policy's subscribers from the list of available products under the Install/Uninstall column. Available products are licensed products. By default, all products are selected. Products which are mandatory or for other reasons not eligible for install/uninstall are grayed out.

Click Create when you're done or Cancel to abort.

Configure policy products


When you have created and saved a policy, it appears on the Policies page. Click the name for the relevant policy to view this dialog:

The Configure column features a button for each of the products that a policy covers. By clicking one of these buttons, you may configure the settings for this particular product within this policy. When changes are saved, all managed clients assigned to this policy will apply the configuration changes that you have made. Clients that belong to other policies will not be affected. It is good practice to leave the default policy unchanged or to only make small changes to the default policy, as this is the policy that is assigned to all new groups by default. See the sections below for details about configuring Antivirus and Product Manager.

The Install/uninstall column lets you add or remove products and/or components within a product. You can also select Allow user to change configuration per product, which includes all sub-products/modules that belong to the product. Such changes are implemented locally on the individual client and will not affect the policy itself or other subscribers. If you don't select Allow user to change configuration, the local user's settings are overwritten by the policy.


Configure Antivirus
Click a policy name and then the Antivirus Configure button to view this dialog:

Enable On-access scanner
This option is by default on. On-access scanning is an ongoing process that monitors critical activities on your system. Depending on your configuration, this can involve file access and copy/move to other drives or directories. Whenever a file is accessed in a read/write operation or a program is executed, the On-access scanner is notified and scans the file on the fly. We don't recommend disabling the On-access scanner, and if you do, a warning appears in the system tray.

Automatically remove detected viruses
This option is by default on. When the On-access scanner detects a virus, it will try to clean the infected file before it's deleted or quarantined. Sometimes cleaning equals deletion, for example trojans, where the entire file makes up the malware.

Note
A copy of the deleted or blocked file is quarantined by default.

User modes
This section is divided into two different modules: Local users and Services and remote users. Under normal circumstances, a workstation runs in Local user mode, while a server runs in the Services and remote users mode. The default settings provide sufficient protection for most situations, and we do not recommend that you change them unless you are fully aware of the effect.


Local users
Antivirus control for a logged on user, which includes everything that the user does on the local machine. If the user is logged off or the machine acts like a server, the Services and remote users mode applies.

Scan on read/execute
Instructs the On-access scanner to scan files before they are used. Example: When a user double-clicks a .doc file, the On-access scanner checks the file as well as the application which is being launched (in this instance, MS Word).

Scan on both read and write
Instructs the On-access scanner to scan files that are opened for write, for example when a user downloads a file from the internet. If you selected Scan on read/execute, it is possible to download and save an infected file to disk. However, the On-access scanner will detect the virus when you try to open the file.

Important: More specifically, scanning on write means that new or changed files are scanned on close. Suppose you have an unprotected client computer, which is infected with a virus that spreads across network shares. Whenever this virus infects a file on a server, where the On-access scanner is configured to scan on both read and write, the On-access scanner detects and removes the virus.

Services and remote users
In this module you select whether you want to scan files before they are used and/or when new files are created, or when existing files are changed. In other words, you select a strategy for the on-access scanning that takes effect when other computers write files to your computer/server. You may think of these options as server settings. The typical scenario is that Services and remote users activity takes place on the server. However, if someone physically logs on to the server, the Local users mode applies.

Scan on write
Instructs the On-access scanner to scan files that are saved to disk, for example when a user is saving a file on a server. In this case, the On-access scanner on the server will scan the file.

Scan on both read and write
This is hopefully an option you won't need to use. A scenario where this is a useful option is if a server has become infected, as a result of a missing scanner update, for example. Scan on both read and write in such a situation will prevent the infection from spreading further throughout the network.

Use Sandbox
From the drop-down list for the Use Sandbox option, there are three alternatives: Normal (default), Disabled, and Extended. The Antivirus application employs the sandbox functionality to detect new, unknown viruses. Select Normal if you want Antivirus to look out for new virus variants. The sandbox is particularly tuned to find new email-, network- / peer-to-peer worms, and file viruses, and will also react to unknown security threats. With the Normal option enabled, the Sandbox checks all write operations both for local users and for remote/services. In a critical situation you can select the Extended mode, for example if you have a virus outbreak on your system and no signature-based detection is available for a limited period of time. The Sandbox will then check on read as well as on execute. However, scanning time increases notably in Extended mode.

Exclude files from scanning
You may want to speed up the scanning process by excluding certain files from scanning. Note that excluding files or areas from scanning is a decision at the expense of security. Select Use the exclude list to exclude the files you enter on this list.


Exclude network drives
Enable this option if you don't want Antivirus to scan shares that you have access to on remote computers. The Antivirus application will by default scan files that are accessed on network drives. The On-access scanner's behavior will depend on the user rights of the logged on user when scanning files residing on network drives. When the On-access scanner sees a file that is opened from a network drive, it will scan the file as usual. However, it will not be able to repair, remove or quarantine an infected file, unless the logged on user has write access to the directory/file in question. Still, access to the infected file will be denied.

The paragraph above is not a recommendation to be less restrictive with user privileges. If an up-to-date On-access scanner protects your servers as well as clients, it is not likely that the On-access scanner on a client ever will detect malware on a network drive. Anyway, if such a situation occurs, the protection is there.

When the On-access scanner detects viruses or other malware on network drives, it will display the location as UNC paths and not mapped drives. Many users know network drives as X, Y, Z etc. The popup alerts from the On-access scanner will for example display \\Server\Share\InfectedFile instead of X:\InfectedFile.

On-access scanning in networks is intended for a situation where servers don't run antivirus software, simply to avoid that the same files are scanned twice: once on the server and then again when they are opened on the client. The consequences of such double scanning could be that network logons and backup become slower. However, the individual system administrator must make the final decision where security on one hand, and network operation on the other are two major factors to consider.

Exclude list
Specify files, directories, or entire drives that you don't want Antivirus to scan. Follow these steps to exclude items from scanning: Enter a file name, directory, or drive letter and click Add to list. Wildcards (* and ?) are accepted.

Examples:
c:\dir                Excludes all files in the directory, including subdirectories.
*.xyz                 Excludes all files with the extension .xyz.
example.exe           Excludes the specified file regardless of where it's found.
c:\windows\xyz.sys    Excludes this particular file.

Do not use apostrophes when you specify items for exclusion. Items on the Exclude list are not scanned. The most obvious reason for not scanning certain files is that they interfere seriously with certain applications when they are scanned. Anyway, we recommend that you scan files on the exclude list regularly by running scheduled or manual scans.

For security reasons the exclude list for the On-access scanner is limited to 50 entries. In addition to the risk the exclude list represents, it also increases the use of system resources. The more entries in the list, the more resources will be used by the On-access scanner.

Recommendations:
Make sure that your Antivirus installation is up-to-date. This is the best protection against virus attacks: to stop viruses before they enter the system.
Install antivirus software on email servers and gateways.
Restrict user rights on shares as much as possible, for example by setting read-only attribute where applicable on files that are not frequently changed.
Back up your files regularly.


Note well
Exclude lists should be handled with great care, as they represent a potential security risk. We recommend that you scan the Exclude list manually (using the On-demand scanner) on a regular basis, and also include these files or areas in scheduled scans.

Configure the On-demand scanner

You can use the On-demand scanner to perform periodic scans of selected areas of your computer. If you are using the Task scheduler (see page 32), you need to install the On-demand scanner.

Use sandbox
Antivirus employs the sandbox functionality to detect new, unknown viruses. Select this option if you want Antivirus to look out for new virus variants. The sandbox is particularly tuned to find new email-, network- / peer-to-peer worms, and file viruses and will also react to unknown security threats. When this option is selected, scanning time will increase, but it is not likely to affect the performance considerably.

Automatically remove detected viruses
This option is by default on. When the On-access scanner detects a virus, it will try to clean the infected file before it's deleted or quarantined. Sometimes cleaning equals deletion, for example trojans, where the entire file makes up the malware.

Note
A copy of the deleted or blocked file is quarantined by default.

Scan archives
Antivirus is configured to always scan archives. If an infected file is detected within an archive, Antivirus will try to repair first. If repair is not possible, the infected file is deleted from the archive, and the original file is quarantined. The following formats are currently supported: TAR, GZ, BZIP2, ARJ, ACE, RAR, RAR3, ZIP, MAIL, SFXZIP, CAB, LZH, APPLE_SINGLE, and 7Z.

Create log file
Creates a log file whenever you run an on-demand scan. If you deselect this option, no log file is generated for on-demand scans.

Log file path
The default path for the log file is c:\Program Files\Norman\logs.

Detailed logging
Extensive logging that generates a very detailed report, specifying each file that was scanned, scanning time per file, status, etc.

Exclude files from scanning
You may want to speed up the scanning process by excluding certain files from scanning. Note that excluding files or areas from scanning is a decision at the expense of security. Select Use the exclude list to exclude the files you enter on this list.

Exclude network drives
In networks, you may not allow all users to scan files on the server. Select this option if you only permit scanning of files located on the workstation.

Exclude list
Specify files, directories, or entire drives that you don't want Antivirus to scan. Follow these steps to exclude items from scanning: Enter a file name, directory, or drive letter and click Add to list. Wildcards (* and ?) are accepted.

Examples:
c:\dir                 Excludes all files in the directory, including subdirectories.
*.xyz                  Excludes all files with the extension .xyz.
example.exe            Excludes the specified file regardless of where it's found.
c:\windows\xyz.sys     Excludes this particular file.

Do not use apostrophes (' or ") when you specify items for exclusion.

Items on the Exclude list are not scanned. Reasons for not scanning certain files may be that they trigger false alarms, or that they are too time-consuming to scan. Even so, we recommend that you scan files on the exclude list regularly by running scheduled or manual scans.

For security reasons the exclude list for the On-demand scanner is limited to 50 entries. In addition to the risk the exclude list represents, it also increases the use of system resources. The more entries in the list, the more resources will be used by the On-demand scanner.

If you neither want automatic removal of viruses nor denied access for infected files, you can select this option. When you try to open an infected file, you'll receive information about the incident. From the dialog that appears, you can choose between removal and exit.

Recommendations:
Make sure that your Antivirus installation is up-to-date. This is the best protection against virus attacks: to stop viruses before they enter the system.
Install antivirus software on email servers and gateways.
Restrict user rights on shares as much as possible, for example by setting the read-only attribute where applicable on files that are not frequently changed.
Back up your files regularly.

Note well
Exclude lists should be handled with great care, as they represent a potential security risk. We recommend that you scan the Exclude list manually (using the On-demand scanner) on a regular basis, and also include these files or areas in scheduled scans.
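
The following Python code is an added example, not part of Norman's product or documentation. It models the four entry types from the Examples table, checks a list against the 50-entry limit and the no-quotes rule, and reports which files in an inventory fall outside scanning so that they can be covered by a scheduled or manual scan. The matching rules (case-insensitive, wildcards that do not cross a backslash, a path entry covering everything beneath it) and all sample paths are assumptions.

```python
import re

MAX_ENTRIES = 50  # limit the guide states for the On-demand scanner's exclude list


def _wildcard_to_regex(pattern):
    """Translate * and ? (the only wildcards the guide mentions) into a regex.
    Assumption: neither wildcard matches a backslash."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def compile_entry(entry):
    """Return a predicate telling whether a full file path is covered by one entry."""
    e = entry.strip().lower().rstrip("\\")
    body = _wildcard_to_regex(e)
    if "\\" in e or e.endswith(":"):
        # Path or drive letter: the item itself and everything beneath it.
        # This covers both "c:\dir" (directory tree) and "c:\windows\xyz.sys" (one file).
        rx = re.compile("^" + body + r"(\\.*)?$")
        return lambda path: rx.match(path.lower()) is not None
    # Bare name or *.ext: compared with the file name only, in any directory.
    rx = re.compile("^" + body + "$")
    return lambda path: rx.match(path.lower().rsplit("\\", 1)[-1]) is not None


def lint(entries):
    """Check a list against the two constraints the guide states."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    for e in entries:
        if "'" in e or '"' in e:
            problems.append(f"quote character in entry: {e}")
    return problems


def excluded_files(entries, inventory):
    """Map each unscanned file to the entries that exclude it."""
    predicates = [(e, compile_entry(e)) for e in entries]
    hits = {}
    for path in inventory:
        matched = [e for e, covers in predicates if covers(path)]
        if matched:
            hits[path] = matched
    return hits


# The four entries from the guide's Examples table.
ENTRIES = [r"c:\dir", "*.xyz", "example.exe", r"c:\windows\xyz.sys"]

# Constructed file inventory for illustration.
INVENTORY = [
    r"C:\dir\report.doc",
    r"C:\dir\sub\tool.exe",
    r"C:\directory\note.txt",
    r"D:\data\archive.xyz",
    r"D:\downloads\example.exe",
    r"C:\Windows\xyz.sys",
    r"C:\Windows\System32\xyz.sys",
    r"C:\Users\a\notes.txt",
]

if __name__ == "__main__":
    for problem in lint(ENTRIES):
        print("LINT:", problem)
    for path, why in excluded_files(ENTRIES, INVENTORY).items():
        print(f"not scanned: {path}  (entry: {', '.join(why)})")
```

The paths it reports are the ones to add to a task file for the scheduled scan that the note recommends.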

Configure Internet Protection

Internet protection is a filter that protects against viruses that spread through Internet mail and news readers. The majority of viruses reported today use mechanisms that enable them to spread through email. Statistically, one of 30 emails sent during major virus epidemics contains some sort of malicious software. The need for protection against such virus attacks is imperative.

Internet protection is a module designed to intercept incoming and outgoing mail and news, stripping or blocking all infected attachments and undesired content. The module can both scan emails for known viruses and block file attachments, depending on content and file extensions. As an integrated component in the Antivirus program it can be distributed throughout your network, establishing yet another barrier against the increasing threat from viruses coming from the outside.

Important limitations:
The current version of Internet protection is best fitted for home users rather than professional environments. Presently, it's more a workstation than a server module, partly because Internet protection doesn't scan local mail servers for malware.

Use sandbox
Antivirus employs the sandbox functionality to detect new, unknown viruses. Select this option if you want Antivirus to look out for new virus variants. The sandbox is particularly tuned to find new email, network and peer-to-peer worms, and file viruses, and will also react to unknown security threats. When this option is selected, scanning time will increase, but it is not likely to affect performance considerably.

Traffic to scan
Incoming email
Scans all email that you receive from others. Again, even your best friend or closest business associate may be ignorant of a virus infection.

Outgoing email
Scans all email that is sent from your system. If your machine is infected by malware which you are unaware of, you could unintentionally send infected mails to friends and business associates, for example.

Newsgroups
Scans the traffic generated between your computer and the other participants in the group/forum you are active in.

Instant Messaging (received files)
Scans file transfer traffic during instant messaging sessions with MSN Messenger and Windows Messenger. When this option is selected, NIP will scan incoming files for malware. If a file is infected, a pop-up message will warn about the incident. Only file transfers are scanned, so infected links still pose a threat.

Note that the files that are transferred will be scanned when they are written to the directory ...\Temporary Internet Files. If malware is detected, it is probably a .tmp file that is quarantined. To restore a quarantined .tmp file, select the desired file, choose the Save as option from the right-click menu and save the file with its original name and extension.

Ports

Internet protection uses the standard ports for the traffic it is monitoring. If you have installed other applications that use other ports for the same type of traffic, you may have to reflect this in your configuration. The port numbers are the defaults for the POP3, SMTP, and NNTP protocols. However, if Internet protection is not configured to monitor incoming mail on port 110, it will ignore any activity that takes place on that port.

Configure Attachment blocking

You can block attachments by entering the exact file name, or block files with certain extensions, for example. This feature is particularly useful when email worms are roaming and the worm can be identified by name. Attachment blocking is also a useful feature to stop file types that you do not want to receive in your mailbox.

When an attachment is blocked, it's moved to the quarantine area rather than deleted. This serves as a backup if it proves that the attachment was legitimate after all. In the quarantine area it cannot do any harm anyway. For example, if you have specified that all executables (*.exe) should be blocked, it's reassuring to know that you can recover a file that you actually needed.

Block all attachments
Absolutely all attachments are blocked.

Block any attachment with double extensions
Many worms and email viruses apply a technique where an additional extension is added, for example <filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to have the extension .jpg only. However, this feature is not only used by viruses: legitimate files with names like myfile.hlp.zip and todolist 20.dec.doc are both treated as double extensions.


Block any CLSID extensions
Some worms and email viruses apply a CLSID technique to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

Block encrypted attachments
Depending on the tools used, compressed and encrypted files are generally harder to scan for viruses than plain file attachments. Therefore you're offered the option of blocking such attachments altogether.

Block all attachments listed below
All names that you add to the list are blocked. Enter a specific name, or use wildcard (*) to identify attachments to stop.

Block all attachments, except those listed below
All names that you add to the list are accepted. Enter a specific name, or use wildcard (*) to identify attachments to accept.

It is very important that you distinguish carefully between these two options, as they represent opposite extremes: block all on the list, or accept all on the list.

Attachment list
Use this function to explicitly select attachments you want to block or certify. You can enter the exact name of an attachment, or use wildcard (*) to block certain extensions. To block all .exe files, for example, enter *.exe and click Add to list. The entry appears in the list box, where you can later edit or remove it.
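
The following Python code is an added example, not Norman's implementation. It models the attachment-blocking options described above as a decision function and runs one set of attachment names through both list modes, which shows why the two list options are opposite extremes. The order of checks, the definition of a double extension (two or more dot-separated suffixes, consistent with the guide's own examples) and every sample file name are assumptions.

```python
import re
from dataclasses import dataclass, field

# Final extension of the form .{...}, as in the guide's description.
CLSID_EXT = re.compile(r"\.\{[^{}]*\}$")


@dataclass
class Policy:
    block_all: bool = False
    block_double_ext: bool = False
    block_clsid_ext: bool = True       # the guide says this is blocked by default
    block_encrypted: bool = False
    list_mode: str = "block_listed"    # or "allow_only_listed"
    names: list = field(default_factory=list)


def listed(name, patterns):
    """Return the first list entry matching the name; * is the only wildcard."""
    for pat in patterns:
        rx = ".*".join(re.escape(part) for part in pat.split("*"))
        if re.fullmatch(rx, name, flags=re.IGNORECASE):
            return pat
    return None


def has_double_extension(name):
    """True for holiday.jpg.vbs, and also for myfile.hlp.zip or
    'todolist 20.dec.doc', which the guide says are treated the same way."""
    parts = name.lstrip(".").split(".")
    return len(parts) >= 3 and all(parts[-2:])


def decide(name, policy, encrypted=False):
    """Return the reason an attachment is quarantined, or None if it is delivered.
    'encrypted' must come from the scanner; a file name cannot reveal it."""
    if policy.block_all:
        return "all attachments blocked"
    if policy.block_clsid_ext and CLSID_EXT.search(name):
        return "CLSID extension"
    if policy.block_double_ext and has_double_extension(name):
        return "double extension"
    if policy.block_encrypted and encrypted:
        return "encrypted attachment"
    hit = listed(name, policy.names)
    if policy.list_mode == "block_listed":
        return f"listed: {hit}" if hit is not None else None
    if policy.list_mode == "allow_only_listed":
        return None if hit is not None else "not on accept list"
    raise ValueError(f"unknown list_mode: {policy.list_mode}")


def report(policy, names):
    return {n: decide(n, policy) for n in names}


# Constructed attachment names; the CLSID value is a placeholder.
SAMPLE = [
    "invoice.pdf",
    "holiday.jpg.vbs",
    "myfile.hlp.zip",
    "todolist 20.dec.doc",
    "Setup.EXE",
    "readme.{00000000-0000-0000-0000-000000000000}",
]

# "Block all attachments listed below" plus the double-extension option.
BLOCK_POLICY = Policy(block_double_ext=True, names=["*.exe"])

# "Block all attachments, except those listed below".
ACCEPT_POLICY = Policy(list_mode="allow_only_listed", names=["*.pdf", "*.doc"])

if __name__ == "__main__":
    for label, pol in (("block list", BLOCK_POLICY), ("accept list", ACCEPT_POLICY)):
        print(label)
        for name, reason in report(pol, SAMPLE).items():
            print(f"  {name!r}: {reason or 'delivered'}")
```

With the double-extension option on, the two legitimate names from the guide are quarantined along with holiday.jpg.vbs, so expect to release such files from quarantine.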

Configure Task editor

Use this tool to create task files and to view/change scheduled events. Administrators can create task files and distribute them to all workstations in the network to ensure consistent checking of areas that require special attention. Like a new or changed policy, you should allow a task file some 10 minutes before it's replicated to all clients.

A task file shortcut can be placed on the desktop as an icon, or added to the Start menu as an item. Scheduled task files must reside in ...\Program Files\Norman\tasks. Existing tasks are listed in the dialog, and you can (de)activate, delete, or open them from the initial dialog.

Click New to create a new task and type in a Task name. Then you choose between Scan entire computer and Scan selected files and folders. You must enter file and folder names directly into the text box. Wildcard (*) is supported; for example, specify *.doc to include all doc files in the scan.

The common scanning options for task files are:

Scan archives
Select this option to include archived files in the scan. The following formats are currently supported: TAR, GZ, BZIP2, ARJ, ACE, RAR, RAR3, ZIP, MAIL, SFXZIP, CAB, LZH, APPLE_SINGLE, and 7Z.

Scan memory
When you scan the memory area, Antivirus looks for resident viruses. You should always make sure that no viruses exist in memory.

Scan boot sectors
When you select this option, Antivirus will check the boot sector of the area(s) that are being scanned.

Schedule task
Under Frequency, select whether the task should run Once, Daily, Weekly, or Monthly. Start time is specified in the format YYYY-MM-DD. You can enter the value directly into the text box or click the clock icon to select a day from the calendar. The time of the day must be entered manually in the text box.

Configure Product Manager


Click a policy name and then Product Manager's Configure button to view this dialog:

Select product language

Norman Endpoint Protection is available in a number of different languages. Select language from the drop-down list. The list is subject to change as new language versions may be added. A change from English (default) to another language will take effect after the next update. You can also run a manual update for the changes to take effect immediately.

Select update method

Use the LAN product update frequency to decide how often the clients should contact the distribution point to check for product updates. These options are for activities within your own network.

Never
The clients will never check the distribution point for updates.

Default
The clients will check each hour.

Configure
Select another update frequency ranging from 30 minutes to 48 hours.

Internet update

Use this section to download and install the latest software components from Norman's product servers.

Never (update from CD or LAN/WAN)
If you select this option you will never be prompted or reminded about available Internet downloads. Since CDs normally are distributed only when a new version of Norman Endpoint Protection is released, you will only receive CDs from Norman every three months or so. We do not recommend this option, as your Antivirus installation will be outdated after one week at most.

Update manually
Select this option if you prefer to start Internet Update manually from the Norman menu to check for updated packages, or use the Windows Scheduled Tasks utility (located in Control Panel).

Automatically at set intervals
You can select this option if you have a permanent connection to the Internet. Use the drop-down menus for Time before using Internet update and Update intervals to establish the routine. If Internet Update has not been run for 24 hours, the program automatically checks for updates at startup.


Wait for dial-up connection
If you use a modem to connect to the Internet, select this option for daily checks for updates on Norman's servers. You just access the Internet like you normally do, and the program will figure out if updated files are available. If you connect to the Internet several times per day, Internet Update checks for updates the first time you connect only. If you connect to the Internet once a week, for example, Internet Update will check once as soon as you're connected.

Alternate update path


Use alternate update path
Set an alternate update path if updates are to be fetched from a file share instead of from the endpoint manager node.

Alternate path
When an alternate path is specified, it must be entered in the following format:
\\server_name\share_name\distrib\download

Note
distrib\download is a mandatory part of the path and cannot be changed.

Proxy settings

Proxy servers may require user authentication. If you use the proxy server options in this dialog, you must enter the same information for proxy server log on and authentication as configured on the proxy.

Use proxy server
Enter the Proxy address and Proxy port for the firewall's HTTP proxy. If you have specified information for HTTP proxy in your browser, you should enter exactly the same values here.

Proxy authentication
Log on to proxy server
This option is only relevant if your proxy server requires authentication.

User name
Enter a valid user name.

Password
Enter the password.

Domain (for Windows NT challenge/response)
Enter the domain name. If the field is left blank, the machine name is used. This field is not intended for proxy servers using basic authentication.

The two prevalent authentication schemes are basic and Windows NT challenge/response, also known as NTLM.

Assign a policy to a group


From the Clients page, first click the group you wish to assign the policy to. Then click the edit icon (see Action buttons on page 22):


The Group name field displays the name of the selected group. You can also change the name if you wish. The Policy field is a drop-down menu where you can choose from all existing policies in the realm. The Notes field is a text field for entering any information you wish.

Products
All licensed products that the Endpoint Manager administers in the realm are listed on this page, which is equipped with three tabs: Update product, Languages, and Platforms. These are the products available on the machine where the Endpoint Manager is installed, that is, the distribution point. When a product within a policy or on a client is configured for scheduled updates, it fetches the update from this distribution point. The clients are updated in accordance with their policy.

Note
To configure a product, go to the Policies page and click an existing policy. In the dialog that appears you must click the Configure button for the relevant product. See Configure policy products on page 25.


Update products
Explanation of the columns on this page:

In use
An approximate number of clients managed by this Endpoint Manager with this product installed.

Seats
The number of seats that your license covers for this product. If In use is larger than Seats, this is an indication that you should check if your license covers your actual needs.

Expires
The date when the license for the product expires.

Manual update
Select this option for the product(s) you wish to update manually rather than automatically. When you have selected one or more products, click the Update selected products button.

Scheduled update
Select this option if you want to schedule updates for a product.

For each product, you may select/deselect the manual and the scheduled update option. When you update manually, only products marked for Manual update will be updated. Likewise, when the scheduler initiates an update, only products with Scheduled update selected will be updated. A product may have both options selected, or none at all, in which case the product will not receive updates from Norman.

Languages
Norman's products are available in a number of different languages, and new language versions are added at irregular intervals. The default product language is English and cannot be deselected. You can choose to download one or more language versions if they are covered by your license. These languages will be available to the Endpoint Protection clients in the managed network. The download packages may be large, so in order to reduce bandwidth use, you should be selective when you pick language versions.

Platforms
Norman's products support a wide range of platforms, including most Windows, Linux and NetWare versions. Please refer to System requirements on page 5 for details.


Select the platforms which are represented in your network and click Save. The selections are valid for both manual and automatic updates via Norman's Internet Update.

Reports
The Endpoint Manager maintains statistics for the realm around the clock. The reports cover the topology status and incidents. As a supplement to the graphical representation of statistics on the home page, you can generate your own, detailed reports that identify all clients in the network. Generated reports are based on all discovered devices in the network, including those that are not managed. However, devices that have been moved to the Unmanaged group are not included. You may filter which clients to include in the report by their online status and/or whether a status flag has been set.

Select the details and the machines you want to include in the report and click Generate. You can filter machines by selecting clients with only one or two particular status types or select all types to include all clients (default). The default setting for the report details is also all. Choose between commas or semicolons as CSV (comma-separated value) separator, depending on the report format you prefer.

Maintenance
These pages contain maintenance tasks, both chores which are performed regularly like administrator management, and occasional tasks like migrating or upgrading clients from NVC v5.

Realm administrators
For more information about realm owner and realm administrator, please refer to Installing the Endpoint Manager on page 11. The realm owner credentials should only be used when an Endpoint Manager is being restored from a backup. When first running the Endpoint Manager console after it has been installed, it is an essential task to complete the creation of one or more realm administrators.

All users with administrator privileges in the realm are listed on this page, with information about access type etc. Access type can be Read and write or Read. Click on the name to view more information about the administrator. To add a new administrative user, click the Create administrator button.

Backup and restore


The Endpoint Manager and the network realm rely on certain basic data stored in the local database, also referred to as the store. It is strongly recommended that you back up these data systematically. The backup will include vital information like network topology, realm credentials and operation center settings.

Backup
When a managed realm is set up, we recommend that you back it up on an external storage device. The most recent backup file is named NEM_backup_00000.nbk, and for each backup the number 00000 is incremented until the selected Max number is reached. Hence, the backup file with the highest number is the oldest one. The file cannot be opened/viewed by any application since the sole purpose of the backup is to provide a possibility to restore a managed network realm on a NEM in the case of hardware loss etc.

Without a backup, the loss of the NEM would require new credentials to be distributed throughout the network. The logical network structure would also have to be recreated.

The backup/restore functionality is also used if you want to upgrade or replace a functioning NEM. First, back up the existing NEM to external media, then restore the backup file as part of the install wizard procedure on the new NEM. The size of the file depends on your network: the bigger it is, the bigger the backup file.


Destination
Enter a path for the backup file directory where NEM_backup_0000x.nbk will be stored. The default location is c:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows Explorer view.

Max number of backups
Enter the number of backup files that will represent the maximum before the Endpoint Manager starts to delete the oldest of the existing files. Businesses, networks and routines are so diverse that it's impossible to make a categorical recommendation with regard to backup frequency. However, you should keep this number high enough to maintain a usable backup history, and at the same time limit the number to avoid consuming more disk space than necessary. If you reduce the number from 10 to 5, for example, old backups from 5 and upwards will not be deleted unless you do it manually.

Enable scheduled backups
When you select this option, the Start time fields are enabled for specifying the time backup should run.

Select the day(s) of the week
Starting with Monday, each weekday is listed and selected by default.

Start time
Enter hour and minute when you want the backup to start. Backup will start at the specified time for all selected weekdays.

Click Backup now for an immediate backup of the Endpoint Manager database, or Save to store your settings. If the Endpoint Manager is down when backup should be performed, backup is executed as soon as NEM becomes operational again.


Restore
From the Backup and restore page, click the Restore tab:

Restore from
Enter the path for the backup file directory where NEM_backup_0000x.nbk is stored. The default location is c:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows Explorer view.

Restore strategy
Select what parts of the backup to restore. The Settings part of the database contains the realm credentials and settings. The Topology part is a map of known machines in the network, as presented in the Clients view, including the group names and assigned policies.

Keep most recent values
Selecting this option will keep the most recent values during restoration of a backup when a value exists both in the backup and in the current database.

Note
Keeping the most recent value may in some cases result in duplicate topology entries if you have chosen to restore the topology.


Import
The import functions provide methods to populate your topology map. Import lets you point to an old NVC5 distribution point (share) and automatically create groups and policies based on the old distribution hierarchy. Migrate will write migration data to an existing v5 distribution point to migrate all subscribing clients over to the NSS managed realm. Active discovery allows you to give a start and an end IP address and will import all addresses found into the topology for further management.

Importing from an NVC v5 distribution point


If NVC is installed in your network, you can enter the path to an NVC v5 distribution point, that is, to a /distrib folder, to import the topology and create policies based on the product configurations stored in the .ndf files there, for example default.ndf. When you click Import, a tree structure as it was found on the distribution point is displayed. Here you can select which groups to create and/or omit. You may also choose whether to assign the default policy to the new groups, or try to create policies based on the old NVC v5 settings.

Note that there are many differences between the settings in Endpoint Protection and those in NVC v5. Not all settings will be imported into the new policies. You must have read rights to the share you're importing to.

1. Select Maintenance > Import.
2. On the following screen you need to provide the path to the old NVC5 distribution point, normally hostname or IP address followed by share folder, for example \\sharehost\norman\distrib.
   a. Press Enter or click Import. In the dialog that appears you can enter the login credentials for the remote share (see second image below).
   b. Share hostname and folder \\sharehost\norman\ is a minimum in order for Endpoint Manager to access a share (see image below). When you have typed in the information, click the arrow to open the dialog where you can provide login credentials.


3. Valid login credentials must be provided in order for Endpoint Manager to access the share. During migration, the user must have write access to the NVC5 share.
4. Next, a confirmation dialog will ask you to confirm topology import. Click OK.
5. If the import was successful, the following window appears:
   a. The first column allows you to select which groups you wish to import.
   b. The second column allows you to exclude policy import (due to incompatibilities between NVC v5 and Endpoint Manager policies). Deselect the check box if you wish the policy to be created and assigned to the associated group (check the policy settings afterwards to make sure they are correct). Click Import topology when you are done.
6. You can check your new policies in the Clients view now to see that everything is correct.


Migrate
Migrate will write migration data to an existing NVC5 distribution point to migrate all subscribing clients over to the Endpoint Manager realm. You can use the Migrate function without importing the topology map.

1. Select Maintenance > Import > Migrate.
2. Repeat the steps 2-5 under Import above. Click Migrate when you're done.
3. If migration was successful, the clients that were managed by the old NVC v5 installation will be updated to Norman Endpoint Protection and managed by Endpoint Manager. However, this process may take some time and you will receive a restart request on those clients when the upgrade process is complete.

In this version, a gradual upgrade of the clients is only possible if the NVC distribution point is organized in a hierarchical way.

You can also migrate existing NVC v5 nodes to Norman Endpoint Protection. Enter the path to the NVC v5 configuration (.ndf) file where the nodes to migrate are fetching their configuration, and the IP address or host name of the Endpoint Manager they should use. Alternatively click Browse to select a file/location from the Windows Explorer view.

Note
In an NVC5 network, it is not possible to tell which clients are actually updating from a given configuration file.

You must have read/write rights to the share you're migrating to.

Migrating between NEM realms

Managed clients may be migrated from one realm to another. This is done by generating the file mig2nss7.nts on the target NEM (generate MSI on the NEM that you are migrating to), and distributing this file to the config folders on the clients that you want to migrate. After migrating the clients you will have to move the clients on the source NEM into the Unmanaged group to prevent this NEM from attempting to reacquire the clients that you have migrated.

Migration of corporate NVC5 clients


When performing a migration of an existing Norman v5 distribution server from the Endpoint Manager, all clients belonging to this server will be upgraded by default. In some instances, a partial upgrade of the network is required, for example upgrade clients before servers, upgrade a single client to ensure compatibility etc. There are different ways to achieve the desired end-result, and these are step-by-step procedures for some of them:

Pre-requisites for all procedures


Existing distributed NVC5 network where clients receive updates from an NVC5 distribution server.
Clients meet the requirements for installing Norman Endpoint Protection (software and hardware).
Installed and configured Norman Endpoint Protection environment, including Norman Endpoint Manager.


Note well
The 64-bit platform is not supported in the current version of the Endpoint Manager. NVC5 clients running on this platform must therefore be manually updated.

Common tasks for all procedures


1. On an NVC5 distribution server:
   a. Copy the shared Norman folder (default c:\program files\norman\) including sub folders to an alternate location, for example c:\program_files\norman_migrate\.
   b. Share the directory copy (for example Norman_migrate).

2. On the Norman Endpoint Manager:
   a. Log in to Norman Endpoint Manager.
   b. Go to Maintenance > Import > Migrate.
   c. Enter the path to the new shared folder (for example \\<computername>\Norman_Migrate) and click Browse.
   d. Enter login credentials with write access to the share.
   e. Browse to the ..\distrib folder (for example \\<computername>\Norman_Migrate\distrib\) and click OK.
   f. Click Migrate.
   g. Make sure that the migration completes successfully.

Migrate single client - I

This procedure is the best choice if you don't know the hostname of the client, or if you want to initiate the update from the client itself instead of from the distribution server. This procedure may also be scripted, for example via a login script.

1. Make sure you have performed all steps under Common tasks for all procedures above.
2. On NVC5 distribution server:
   a. Copy all files from ...\Norman_Migrate\distrib\download to ...\Norman\distrib\download. This places the files needed for the client upgrade in the distribution folder, except the file that initiates the upgrade.
3. On the client that is to be upgraded:
   a. Navigate to the Norman_Migrate share on the distribution server.
   b. Copy the file Norman_Migrate\distrib\nvc\config\mig2nss7.nts to the local config directory (default c:\program files\norman\config\).
   c. The client will automatically be upgraded the next time Zanda (the agent) checks for changes. You can accelerate the process by entering zanda /updatenow from the command prompt. Installation normally takes 2-10 minutes. 1-2 restarts are necessary before migration is completed.


Migrate single client - II

This procedure lets you migrate a single client directly from the NVC5 distribution server without physically accessing the client. You must know the hostname of the client you wish to migrate.

1. Make sure you have performed all steps under Common tasks for all procedures above.
2. On NVC5 distribution server:
   a. Locate the configuration file used by the client. Unless you have a special setup involving different configuration files, the location is \norman\distrib\nvc\config\default.ndf.
   b. Make a copy of the configuration file and place it in the same directory as the original. Rename the copy to <hostname>.ndf where <hostname> reflects the name of the client you wish to migrate. If the client you wish to upgrade is named client01, the copy of the configuration file should be renamed to client01.ndf.
   c. Double-click the configuration file you just created (for example client01.ndf), and on the LAN/WAN tab, change the Share name to reflect the share created under Common tasks for all procedures, item 1b.
   d. The client will receive the new configuration file the next time it checks the distribution server for a new configuration (default once per hour).
   e. After receiving the new configuration file, the client will look for new files in the new share location the next time it is scheduled to download updates. The new share is prepared for migration, so the client will start the migration process.

The speed of this procedure depends on how often the client is configured to look for configuration file and software updates, but normally the client will be upgraded within a couple of hours. The client will require one or more restarts before the migration process is complete.

Migrate a group of clients using different configuration files

For this upgrade scenario to work, existing NVC5 infrastructure must be configured in such a way that different groups of clients receive their updates from different configuration files. See NVC's Administrator's Guide under the section Configuration - Using environment variables to distribute diverse configuration/task files to different user groups for more information on how to configure this.

1. Make sure you have performed all steps under Common tasks for all procedures on page 44.
2. Open the configuration file for the client you wish to migrate by double-clicking it.
3. On the LAN/WAN tab, change the share name to the newly shared folder (for example Norman_Migrate).
4. The clients will receive the new configuration file the next time they check the distribution server for a new configuration (default once per hour).
5. After receiving the new configuration file, the clients will look for new files in the new share location the next time they are scheduled to download updates. The new share is prepared for migration, so the clients will start the migration process.
6. Clients are upgraded the next time they look for changes on the distribution server (or you can run zanda /updatenow on the clients to make a client look for updates immediately).

Migrating the NVC5 distribution server to Norman Endpoint Protection client

The migration process initiated from Norman Endpoint Manager is designed to migrate only the clients that receive upgrades from an NVC5 distribution server, not to upgrade the distribution server itself. Upgrading the distribution server requires the following additional steps on the NVC5 distribution server:


1. Copy \norman\distrib\download\config\mig2nss7.nts to \norman\config\.
2. The migration will start the next time Norman looks for changes. To initiate the process immediately, click Start > Run and enter zanda /updatenow.
3. The migration will start in the background. The entire upgrade process normally takes 5-10 minutes and requires one or more restarts of the server.

Installing NEM on the same server as the existing NVC5 distribution server

Note
Unless you plan to upgrade the entire network to NPRO, the following procedure should not be used as it will no longer download updates for existing NVC5 clients.

All of the following tasks should be performed on the computer serving as NVC5 distribution server:

1. Download the latest available definition files and software from Norman by starting Norman Internet Update (right-click the Norman tray icon and select Norman Internet Update).
   a. If new files were downloaded, make sure new components are installed before you proceed.
2. Create a new folder, for example c:\Program Files\NewFolder.
3. Copy the \distrib folder from the original Norman folder (default c:\norman or c:\program files\norman) to the newly created folder. Make sure to keep the same folder structure (c:\Program Files\NewFolder\Distrib).
4. In a distributed NVC5 environment, your existing Norman folder is shared. Take note of the existing permissions and share name for the Norman folder.
5. Remove sharing of the existing Norman folder.
6. Share the newly created folder with the same share name and permissions that previously were assigned to the Norman share. The clients will now use this share for downloading software and definition file updates.
7. Uninstall Norman Virus Control from the server.
8. Restart the server.
9. Delete the Norman folder (do not remove the NewFolder).
10. Install and configure Norman Endpoint Manager according to this manual.
   a. Install Norman Endpoint Protection (NPRO) with Norman Endpoint Manager (NEM).
   b. Configure Norman Endpoint Manager.
   c. Create one or more administrators.
   d. Create policies.
   e. Create client groups and assign policies to them.
   f. Assign clients to their respective group.
11. Start migration of Norman Endpoint Manager, but point to the folder c:\Program Files\NewFolder\distrib instead of a remote share for migration.

12. After a successful migration, clients will gradually start migration. When all clients are migrated, remove the share and delete the C:\Program Files\NewFolder folder.

Active discovery
While migration is a functionality to upgrade Norman installations on clients, the purpose of Active discovery is to identify clients where Norman is not installed and that you can push install to.

When a new realm is created, the Endpoint Manager starts monitoring the network traffic for clients. This built-in passive discovery is an effective way to roll out managed clients. In addition, you can use Active discovery to poll a network segment for a range of IP addresses for active clients. Enter a Start and an End address and click Discover. Active discovery only works on hosts that reply to ICMP ping. See also Technical description of passive discovery on page 60. Clients that reply are placed in the Lost and found topology folder.

To use active discovery, enter a start IP address and an end IP address and click Discover. As a security measure, the maximum range of active discovery is 1000 clients per session. Make sure that the entire range given is within the network you want to manage. The Endpoint Manager does not validate the specified IP range. However, the limitation of 1000 clients per session prevents you from accidentally entering a range beyond your own network.

Note
Unless time is an important factor, passive discovery is the preferred method for topology mapping.
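Because the Endpoint Manager does not validate the range, it is worth checking a Start/End pair against your own networks before entering it. The following Python check is an added example, not part of the product; the function name and the sample networks are assumptions, and it treats the 1000-client limit as 1000 addresses per session.

```python
import ipaddress

MAX_ADDRESSES_PER_SESSION = 1000  # per-session limit stated in this guide


def check_discovery_range(start, end, managed_networks):
    """Validate a Start/End pair before it is entered in Active discovery.

    managed_networks: CIDR strings for the networks you administer
    (supplied by you; the Endpoint Manager does not know or check them).
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    result = {"count": 0, "outside": [], "problems": []}

    if first.version != last.version:
        result["problems"].append("start and end are different IP versions")
    elif last < first:
        result["problems"].append("end address is lower than start address")
    else:
        result["count"] = int(last) - int(first) + 1
        if result["count"] > MAX_ADDRESSES_PER_SESSION:
            result["problems"].append(
                f"{result['count']} addresses exceeds the per-session limit"
            )
        nets = [ipaddress.ip_network(n) for n in managed_networks]
        # summarize_address_range() yields CIDR blocks covering exactly first..last,
        # so every block can be tested for containment in a managed network.
        for block in ipaddress.summarize_address_range(first, last):
            inside = any(
                n.version == block.version and block.subnet_of(n) for n in nets
            )
            if not inside:
                result["outside"].append(str(block))
        if result["outside"]:
            result["problems"].append("part of the range is outside managed networks")

    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    managed = ["172.17.0.0/16"]  # constructed sample network
    for pair in [("172.17.4.1", "172.17.4.254"),
                 ("172.17.255.200", "172.18.0.50")]:
        print(pair, check_discovery_range(*pair, managed))
```

The second sample pair is well under 1000 addresses yet crosses into a neighbouring network, which is the case the per-session limit alone does not catch.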

Generate MSI
Generate a Windows Installer file (.msi) for unattended installations. The generated file will hold information about the location of the relevant Endpoint Manager and the credentials to access it. This is the most trouble-free method for installing the Endpoint Manager on a client, as the administrator only needs to initiate and distribute the MSI installer to clients. Once started, the installation of the MSI package will open up port 2868 on the client machine and complete the full installation of Endpoint Protection. The clients then retrieve their policies, as described in previous steps.

Note
The MSI package and NPRO automatically open port 2868 on Norman's and Windows' firewalls only. If you are using another firewall, you must manually open this port.

Distribution of the MSI package can be performed in different ways, for example:
- by a startup script
- emailing the package to the clients
- copying the package using a USB stick or a similar medium
- by employing a 3rd party tool
- distributing via Active Directory

The creation and distribution of an MSI package is an option that the Endpoint Manager provides for rapid deployment of Endpoint Protection on client machines. Select Maintenance > Generate MSI.

The information provided on the screen that appears describes what is needed to generate an MSI package.

IP/hostname should already be filled in as it was provided during the realm creation (see Installing on page 11). The fastest way to generate a new package is to provide a valid path and a full filename for the MSI file, for example c:\install.msi or any other name with the extension .msi. When you're done, press Enter or click Generate. The Endpoint Manager then generates c:\install_x86.msi (32-bit version) and c:\install_x64.msi (64-bit version), in addition to c:\mig2nss7.nts (for manual migration). Alternatively, you can use the Browse button to select a folder where you want to store the file, but you will still have to write the full file name after the selected path.

The MSI installer file should now be stored on the location you specified. The generated file will hold information about the location of the relevant Endpoint Manager, and the credentials to access it. You can use this file to install Norman Endpoint Protection (NPRO) on eligible clients, auto-run it on a domain, or distribute it through email, USB stick or any other suitable way.

Keep in mind that all new clients will be placed in the Lost and Found group, unless they are previously discovered and assigned to a group. The default policy will apply for those. You can create topology filters that will move clients to certain groups as they are discovered. Then clients will use the policy for that particular group rather than the default_policy.

Note
It is a good idea to test the MSI package on a couple of clients before rolling it out in your network, in order to identify any problem with the given NEM name or address, for example.

This is an alternative migration method: The file mig2nss7.nts, which is found in the folder distrib\nvc\config after migration, can be copied to norman\config on an old NVC v5 client. The client will then be migrated to the new realm.

Remote access
The Endpoint Manager console can be accessed remotely. By default, remote access is not permitted. Remote access is only permitted from the locations specified below. From this screen you can remove and/or add access to NEM from a remote location.


Remote locations currently permitted to access the Endpoint Manager are listed in the upper part of the screen, identified by IP address, Netmask and Description (optional).

Note well
Just type in the IP address and Description when you set up permissions for remote access in NEM. Do not specify Netmask unless you wish to grant remote access for all computers on that subnet.

You should be careful about admitting remote browsers access to the Endpoint Manager, as there are some obvious security issues. To enable remote access, you must select Allow remote access. In addition, you have to specify the IP addresses that should be allowed to log on to the NEM. You may either give a specific IP address, or a whole segment by entering an address and a netmask. Example: Address 172.17.0.0 with netmask 255.255.0.0 will give access to clients from the entire 172.17 segment. Again, remote access should in general be limited to as few clients as possible.
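To see how much each permitted location really admits, the list can be audited offline. This Python sketch is an added example, not part of NEM; it assumes NEM applies the usual address-and-netmask comparison, and the entries, descriptions and function names are constructed for illustration.

```python
import ipaddress


def entry_network(address, netmask=""):
    """Network admitted by one Remote access entry (empty netmask = that host only)."""
    if not netmask:
        return ipaddress.ip_network(address)  # single host, /32
    # strict=False: an address with host bits set is masked down to its subnet,
    # which is what a netmask comparison would do (assumption about NEM).
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def audit_entries(entries, max_addresses=16):
    """Report what each (address, netmask, description) entry admits."""
    findings = []
    for address, netmask, description in entries:
        net = entry_network(address, netmask)
        findings.append({
            "description": description,
            "admits": str(net),
            "addresses": net.num_addresses,
            # A host address combined with a netmask admits the whole subnet.
            "host_bits_set": bool(netmask)
            and ipaddress.ip_address(address) != net.network_address,
            "broad": net.num_addresses > max_addresses,
        })
    return findings


def is_allowed(source_ip, entries):
    """True if source_ip falls inside any permitted location."""
    src = ipaddress.ip_address(source_ip)
    return any(src in entry_network(a, m) for a, m, _ in entries)


# Constructed sample list; only the 172.17.0.0 / 255.255.0.0 pair is from the guide.
ENTRIES = [
    ("192.168.10.25", "", "admin workstation"),
    ("172.17.0.0", "255.255.0.0", "entire 172.17 segment"),
    ("10.1.2.77", "255.255.255.0", "helpdesk PC, netmask filled in by habit"),
]

if __name__ == "__main__":
    for finding in audit_entries(ENTRIES):
        print(finding)
```

The third entry shows the situation the Note well warns about: a netmask added to a single workstation's address opens the console to every host on that subnet.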

Settings
Settings and parameters that don't require frequent attention, or that are likely to be set just once, are located on these pages.

Event management
The event management system is used to create messages based on the situation in your managed realm. The system is connected to the status indicators in the far left column, triggering a notification event when a preset threshold is reached. The system triggers on the number of alarms, errors and warnings in a network. You can set threshold values for the absolute percentage of reported alarms, errors and warnings. Threshold values can also be specified for the change rate of the same over a reporting period.


Reports can also be made periodically or if a NEM error occurs. See Reports on page 37.

About the trigger thresholds


The values are not cumulative, i.e. there can be only one event of each type from each client in the network. For each type, there is a setting for the absolute threshold percentage and for the percentage change over one management period (the time it takes for the Endpoint Manager to update all nodes in its topology database). When either threshold is exceeded, the selected events are triggered.

The event messages can be sent as:
- Email
- SNMP
- SMS
- Syslog
- The operating system's event log

Triggers

Note
When you specify one or more methods to send messages (e-mail, SMS, etc.), don't forget to configure the selected transmission mechanism(s). Similarly, you don't need to configure devices not selected. No messages will be sent if there are any errors in this configuration.

The trigger values and type of messages are specified under the Triggers tab. Configuration of each type of message is located under the related tab.


You can set threshold values for the following events, and determine if the event should be communicated as email, SNMP trap, SMS and/or in the syslog or event log.

Alarms: In the example dialog above, an alarm is triggered when 3% of the network nodes trigger alarms. The alarm is passed on in the selected manner(s) (email, SNMP etc.).

Note
An alarm is an event that requires immediate action. It is issued by a product in Norman Endpoint Protection on a managed client.

Errors: In the example dialog above, an error is triggered when 5% of the network nodes trigger errors. The error is passed on in the selected manner(s) (email, SNMP etc.).

Note
Errors are system anomalies that require immediate attention.

Warnings: In the example dialog above, a warning is triggered when 10% of the network nodes trigger warnings. The warning is passed on in the selected manner(s) (email, SNMP etc.).

Note
Warnings are information about events that are suspicious and that may require administrator attention.

Alarms delta: Change in the amount of network nodes that have an alarm. When the threshold percentage is reached, the event is triggered. In the example above, a message is triggered when there is a 5% positive change of alarms within one management period. The message is passed on in the selected manner(s), like email, SNMP etc.

Errors delta: Like above, for changes in the amount of network nodes that have an error.

Warnings delta: Change in the amount of network nodes that have a warning. When the threshold percentage is reached, the event is triggered.

Endpoint Manager errors: Various errors related to the operation and running of the Endpoint Manager and its processes.

Frequency status report: Aggregated reports on the status of the network (errors, alarms, warnings). If you want to receive status reports, select this option and specify the desired frequency.
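The threshold logic described under About the trigger thresholds and Triggers can be modelled as follows. This Python sketch is an added example, not Norman's code; it assumes a delta is measured in percentage points of all nodes between two management periods and that a threshold fires when it is reached. The 5% values for errors delta and warnings delta, the node count and the client names are constructed.

```python
KINDS = ("alarm", "error", "warning")

# Absolute thresholds and the alarms delta are the example values from this guide;
# the error and warning deltas are constructed for the illustration.
ABSOLUTE = {"alarm": 3, "error": 5, "warning": 10}
DELTA = {"alarm": 5, "error": 5, "warning": 5}


def node_percentages(reports, total_nodes):
    """Percentage of nodes that reported each kind during one management period.

    reports: iterable of (client_name, kind). The values are not cumulative,
    so a client is counted once per kind however often it reports.
    """
    seen = {kind: set() for kind in KINDS}
    for client, kind in reports:
        seen[kind].add(client)
    return {kind: 100 * len(clients) / total_nodes
            for kind, clients in seen.items()}


def triggered_events(previous, current, absolute=ABSOLUTE, delta=DELTA):
    """Names of the events raised when moving from one period to the next."""
    events = []
    for kind in KINDS:
        if current[kind] >= absolute[kind]:
            events.append(f"{kind}s")
        # Only a positive change counts (assumption: percentage points).
        if current[kind] - previous[kind] >= delta[kind]:
            events.append(f"{kind}s delta")
    return events


TOTAL_NODES = 200  # constructed network size

# Constructed reports for two consecutive management periods.
PERIOD_1 = ([("pc001", "alarm")] * 3 + [("pc002", "alarm")]
            + [(f"pc{i:03d}", "error") for i in range(10, 14)]
            + [(f"pc{i:03d}", "warning") for i in range(20, 38)])
PERIOD_2 = ([(f"pc{i:03d}", "alarm") for i in range(13)]
            + [(f"pc{i:03d}", "error") for i in range(10, 14)]
            + [(f"pc{i:03d}", "warning") for i in range(20, 41)])

if __name__ == "__main__":
    before = node_percentages(PERIOD_1, TOTAL_NODES)
    after = node_percentages(PERIOD_2, TOTAL_NODES)
    print(before, after, triggered_events(before, after))
```

In the first period pc001 reports three alarms but still counts as one node, so alarms stay at 1% of the network.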


Email settings

Enter the address that recipients of notifications can reply to under Reply-to address. In the Recipients address(es) field, enter the email address of notification recipients, separated by commas. There are two text fields, for Subject and Appended text (optional). Finally, you must enter an SMTP server and an IP Port number, or leave blank for default port 25.

SNMP settings

Enter hostname or address of the system(s) that should receive the messages under Trap recipient(s). You can also specify a Subject for the message (optional). Under Community, type in an SNMP community name or leave blank for public. This field is case sensitive.

SMS settings

Fill in these fields if you want to send notifications to mobile phones. Enter one or more phone numbers separated by commas in the field Recipient phone numbers. Then specify COM port, Baud rate and Data format. The default value for all these fields is Auto for automatic detection of the port where the SMS modem is connected, the speed of the communication with the modem and the data format, respectively. Finally, enter the Service provider's phone number included in the subscription documentation.

Syslog settings

Enter name and address for the Syslog server(s) that you want to send events to. In the optional fields Prefix and Port you can enter a short text to append to all syslog entries from the Endpoint Manager, and a port number if you're not using the default 514. Facility classification can be set to any of the eight locally defined values (16 through 23 in the Facility drop-down menu), or select Default for user level messages.

Topology filters
Discovered network devices can automatically be filtered to pre-defined topology groups. If a device does not match any of the filter rules, it will be placed in the default group Lost and found. Clients already a part of the known network topology are not subjected to new filters.

The general syntax is IF attribute Equals / Not equals value or partial value THEN place in group. Attribute is a pull-down list of attributes identifying a device, like a name or an IP address. The operator is either Equals (=) or Not equals (!=). The value is a complete or partial string to match the attribute against. If partial, a wildcard character can be placed in front of or at the end of the string.

The filters are applied top-down. If a client matches more than one rule, only the first rule will be applied. Use the And.. button to create rules where several conditions have to be met.

Example: Move all clients with IP addresses that start with 172.17 to the group London: If IP = 172.17* move to London. Similarly, the wildcard * may be placed in front of the expression. Example: Move all clients with names that end in srv to group London: If CN = *srv move to London.

When specifying what to test against in a rule, the value IP address reflects any of the IP addresses registered with a client. Likewise, MAC address means any of the MAC addresses associated with the network interfaces for a client.


The value Name is the common name of a client as reported by passive discovery (NetBIOS name), or the name that the client itself responds to. The value DNS name, on the other hand, is the machine name associated with the DNS entry of the client in the Endpoint Manager database. If the DNS entry in the client's network differs from the one resolved by the Endpoint Manager, the NEM entry is used.

Details about a client are displayed in this order: Alias (set by the administrator), NetBIOS name, DNS name, IP address. The NetBIOS names are reported by the passive discovery module. If a client is only known by its IP address (as a result of active discovery or manual entry, for example), it will be displayed with its IP address until a reverse DNS lookup has been done (if enabled). At any time, a topology report containing the NetBIOS name of the client will be stored and displayed in the clients list. A managed client will also report its NetBIOS name if available, causing it to be displayed instead of the DNS name. Note that the DNS name is always available in the client details window, labeled hostname.
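The top-down, first-match evaluation of topology filters can be modelled before rules are entered in the console. This Python sketch is an added example, not NEM's implementation; it assumes purely textual, case-insensitive matching, treats Not equals as "no value of the attribute matches", and uses constructed clients and the hypothetical groups London servers and Workstations alongside the guide's London.

```python
LOST_AND_FOUND = "Lost and found"


def wildcard_match(value, pattern):
    """Match with an optional * in front of and/or at the end of the pattern."""
    v, p = value.lower(), pattern.lower()
    lead = p.startswith("*")
    trail = p.endswith("*") and len(p) > 1
    core = p[1 if lead else 0: len(p) - 1 if trail else len(p)]
    if lead and trail:
        return core in v
    if lead:
        return v.endswith(core)
    if trail:
        return v.startswith(core)
    return v == core


def condition_holds(client, attribute, operator, pattern):
    """IP and MAC are lists: a condition tests any of the registered values."""
    if operator not in ("=", "!="):
        raise ValueError(f"unknown operator {operator!r}")
    values = client.get(attribute, [])
    if isinstance(values, str):
        values = [values]
    hit = any(wildcard_match(v, pattern) for v in values)
    return hit if operator == "=" else not hit


def assign_group(client, rules):
    """Apply rules top-down; only the first matching rule is used."""
    for conditions, group in rules:
        if all(condition_holds(client, *cond) for cond in conditions):
            return group
    return LOST_AND_FOUND


# Each rule: ([conditions joined with And..], target group).
RULES = [
    ([("IP", "=", "172.17*"), ("CN", "=", "*srv")], "London servers"),
    ([("IP", "=", "172.17*")], "London"),
    ([("CN", "!=", "*srv")], "Workstations"),
]
# Same rules with the prefix closed by a dot, so 172.170.x.x no longer matches.
TIGHTER_RULES = [
    ([("IP", "=", "172.17.*"), ("CN", "=", "*srv")], "London servers"),
    ([("IP", "=", "172.17.*")], "London"),
    ([("CN", "!=", "*srv")], "Workstations"),
]

# Constructed clients.
CLIENTS = {
    "pc01": {"CN": "pc01", "IP": ["172.17.4.20"]},
    "filesrv": {"CN": "FILESRV", "IP": ["10.0.0.5", "172.17.9.2"]},
    "lab7": {"CN": "lab7", "IP": ["172.170.3.4"]},
    "mailsrv": {"CN": "mailsrv", "IP": ["192.168.1.10"]},
    "kiosk": {"CN": "kiosk", "IP": ["192.168.1.50"]},
}

if __name__ == "__main__":
    for name, client in CLIENTS.items():
        print(name, "->", assign_group(client, RULES),
              "/", assign_group(client, TIGHTER_RULES))
```

Under textual matching the guide's pattern 172.17* also captures lab7 at 172.170.3.4; writing the value as 172.17.* keeps the rule to the intended segment.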

Setting up network/domain access


Note
This procedure is only necessary if you are going to push install (see Push install on page 53).

The next step is to prepare the Endpoint Manager for the network where it is installed. Being a distribution server, the Endpoint Manager machine will distribute products, updates and upgrades to all network clients in a Windows domain or in a local network. The Endpoint Manager needs access as an administrator user to each client. NEM is optimally installed in a Windows domain. Otherwise all computers in a network must have the same administrator user with the same username/password. See Installing in a network on page 56. If only username and password are used and the username is Administrator, make sure that the user account is enabled on Vista clients.

Push install
This function will push install Norman Program Manager (NPM) to the selected group or clients, thus allowing rapid deployment of Endpoint Protection to several client machines. When installed on a client machine, the Program Manager will retrieve, install and set up all the other Norman products (for now only Norman Antivirus) as defined by the group's policy. Please refer to Installing in a network on page 56.

Note
The recommended method to install NPRO on client machines is using an MSI package (see page 47), otherwise all computers in the network you are push installing to must have the same administrator user with the same username and password.

NEM uses the WIN32_Product WMI class for push install. This WMI class is not available by default on Windows Server 2003 32- and 64-bit or on Windows XP 64-bit. Without this WMI class push install will fail.
Follow this easy procedure for making the WIN32_Product WMI class available:
1. In Add or Remove Programs, click Add/Remove Windows Components.
2. In the Windows Components Wizard, select Management and Monitoring Tools and then Details.
3. In the Management and Monitoring Tools dialog, select WMI Windows Installer Provider and click OK.
4. Click Next.

This procedure should be possible to perform via a centralized admin policy and rolled out to the relevant servers preceding Norman push install.

Since push install employs WMI (Windows Management Instrumentation) and Windows file sharing (CIFS), you should be aware of the following information:
- Ports used: 135/TCP, 139/TCP, 445/TCP, 137/UDP, 138/UDP, 445/UDP, and 2868.
- The user must have the necessary credentials for write access to C$ share.
- The user's credential settings must be present and enabled, and with the password set.

Requirements to push install to a Windows XP client


Follow this procedure to push install Norman Endpoint Protection to a Windows XP client (SP 2 or later):

1. Disable simple file sharing
   Windows XP Professional-based computers joined to a domain use only the classic file sharing and security interface, and should not require any further configuration regarding simple file sharing. For Windows XP computers not part of a domain, do the following to disable the use of simple file sharing:
   a. In Windows Explorer, select Tools > Folder Options.
   b. Select View.
   c. Clear the Use simple file sharing (Recommended) check box.
   d. Click OK to save the settings.
   e. Restart the computer.

2. Allow Remote administration exception in the firewall
   Allowing for remote administration exception in the firewall is done through Windows group policy, either locally on the client, or as a distributed domain policy. Necessary steps to allow for remote administration exception:
   a. Start Group Policy editor: Start > Run. Type gpedit.msc and click OK.
   b. Select Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
   c. Open either Domain Profile or Standard Profile, depending on which profile you want to configure.
      - Domain Profile for computers in a domain
      - Standard Profile for stand-alone / workgroup computers
      The Domain Profile settings take effect when users are actively logged in by a Domain Controller. The Standard Profile is used when users are logged in without being authenticated by a Domain Controller, for example when they're out of office or if the computer is not part of a domain.
   d. Double-click Windows Firewall: Allow remote administration exception.
   e. In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled.
   f. Click OK to save your settings.

Requirements to push install to a Windows Vista client

- Enable the Administrator account (unless it's part of a domain). If the username is Administrator, make sure that the user account with password is enabled.
- Allow Remote Administration and WMI through firewall.
  1. Go to Start > Control Panel > Security Center.
  2. Select Windows firewall from the menu on the left hand side.
  3. Select Allow a program through Windows Firewall.
  4. Select Remote Administration.
  5. Select Windows Management Instrumentation (WMI).
  6. Click OK.

For more information, please refer to Norman's support pages: http://www.norman.com/support/en-us. Type in a search phrase and select Norman Endpoint Protection from the drop-down menu.


Push install to group or client(s)


1. Select the group where you moved your client(s) to.
   a. In this example, it is the Regular PC group. Two extra clients are added, and the group now contains Vista, Windows XP and Windows 2000 clients.
   b. The clients moved to this group appear on the right hand side of the screen. When selected, each group will display five icons next to its name which allow you to perform different actions. (See Group information on page 18 for icon explanations.) Click the icon marked with red on the illustration above: Push install to group. You can also highlight one or more clients to push install to. Keep the Ctrl key pressed and click on the desired clients.
2. A dialog appears asking you to confirm the selected action. Click OK.
3. Leave the Endpoint Manager for a few minutes. It takes a minimum of 5 minutes to get any feedback regarding the status of the push installation.

Installing in a network
Installs Norman Endpoint Protection to computers located in a network such as a Windows domain, using DCOM/WMI. This requires that the user who is installing has the credentials to administer the domain, or has credentials to an administrator account (username and password) on each computer where Endpoint Protection is to be installed.

1. Select Settings > Installing in a network to display the page where these settings can be specified.
   a. If you are installing in a Windows domain you should provide the domain name also, otherwise provide an administrator's username and password that is valid for all the clients in your local network that you want NEM to have access to.


Note
Make sure that the administrator user is enabled on the clients and has write access. In Windows Vista the administrator user is disabled by default.

2. Click Save when you're done.

The next step is to select one or more discovered clients in the Lost and Found group and move or drag them to the newly created Regular PC group. First you can probe the local network for other possible clients within an IP range. Since the realm was created, the Endpoint Manager has been collecting network data and slowly discovering clients on the local network by listening to network traffic. The discovered clients can be found in the Lost and Found group, where all newly discovered clients are placed (unless a Topology filter rule says otherwise). The longer Endpoint Manager is running, the more clients are discovered. Ideally we should leave it to Endpoint Manager to discover clients.

3. Select the Maintenance > Import > Active discovery page in order to specify the IP range that you want to probe.

Note
This feature will only discover clients that respond to a ping command. It is therefore important to disable any firewall or firewall feature that prevents clients from responding to a ping.

Note
Remember to specify an IP range that is valid for the client machines that you wish to discover.

4. Click Discover when you're done. The Endpoint Manager will now probe the specified IP address range for potential clients.
5. When you're done, select the Clients page or the Go to clients link and then select the Lost and Found group.

When you click the Push install icon from the Clients page, the installation is scheduled on the machine and will commence as soon as possible. See also Push install on page 53.

A red bullet signifies that a critical error has occurred and the installation is cancelled. A yellow bullet signifies a temporary error, and new attempts to install will be performed at the specified Installation failure delay interval until the Max number of installation retries is reached.

Make sure that the following ports are open:
- 135/tcp
- 139/tcp
- 445/tcp
- 138/udp
If not, the error message Host offline and a yellow bullet appears.

\\machinename\C$ must be accessible with username (and domain) and password. If not, the error message Access denied and a red bullet appears.

The WMI service must be running on the machine you're installing to, and the user must have the necessary privileges for a WMI installation. If not, the error message Access denied and a red bullet appears.

We recommend that you install the MSI package using third party tools, a logon script or an "install this file" mail if push install causes problems.

Supervisor process
These settings are used to fine tune the Endpoint Manager working threads. Normally, the default settings are adequate. However, certain local networking properties may require changes to some of the settings to ensure optimal performance. See also About status on page 20. The following options are available:

Topology thread delay: Regulates the pace of the topology picture updating thread, walking through the entire network tree. The lower the number, the faster the speed. Increase this value if you experience peaking CPU/networking load.

Client thread delay: Regulates the pace of the client working thread, which does local topology discovery. The lower the number, the faster the speed.

Discovery thread delay: Regulates the pace of the active discovery thread dispatcher. The lower the number, the faster the speed. As with Topology thread delay, the speed may be increased if you experience peaking CPU/networking load.

Max. discovery threads: Sets the upper allowable limit of parallel active discovery processes. Reduce this value if you have a large network, and the network load generated by the Endpoint Manager is too high.

Push install delay: Delay between each time a push installation is attempted. Increase this value to reduce the load on the Endpoint Manager in large networks.

Discovery attempts: Sets the maximum attempts of discovering a stale client before it is marked as offline. Increasing this value will increase the stale period of offline clients since the formula is discovery attempts times rediscovery interval for rediscovering stale clients.

Rediscovery interval: Sets the interval between active rediscovery attempts. Increasing this value will increase the stale period of offline clients since the formula is discovery attempts times rediscovery interval for rediscovering stale clients.

Stale delay for managed clients: Sets the maximum time without communication from a managed client before it is marked as stale.

Stale delay for unmanaged clients: Sets the maximum time without communication from an unmanaged client before it is marked as stale.

Enable discovery reverse DNS: The discovery process should attempt to resolve addresses into names through reverse DNS.

Enable discovery ICMP: The discovery process should use ICMP to actively chart lost clients using ping.

The Support page


This page will open Norman's web pages for help and support. Norman provides technical support and consultancy services for the Endpoint Manager and security issues in general. Technical support also comprises quality assurance of your antivirus installation, including assistance in tailoring Endpoint Protection to match your exact needs. These pages also provide information about available services, Norman offices and local dealers/distributors, and technical support issues, including Knowledge bases and Frequently Asked Questions pages.


Appendix A
Technical description of passive discovery
Norman Endpoint Protection (NPRO) and the Endpoint Manager (NEM) employ a mechanism to map out devices in a network and report them to the Endpoint Manager. This mechanism resides as a driver that is visible in the network configuration as Norman Network Security. The Network Security driver is currently used for mapping the network topology. In the future, the driver may be involved in other network security tasks, like actively looking for malicious traffic in and out of the machine.

NEM depends on information about clients in the network to produce a useful picture of the net. NPRO clients make their presence known through their communications with the Endpoint Manager. Network devices that do not have NPRO installed are discovered using the network security driver.

On an NPRO client, a management client module interrogates the security driver regularly to ask for network devices that have generated traffic. After polling the driver, a so-called topology list is generated and submitted to the Endpoint Manager. NEM will then sift through the list and update the online statuses of the network devices that it is keeping track of.

The first topology report will be submitted a few minutes after client boot-up. The client will first tell the driver to listen to network traffic for a minute. Then it creates a list of devices containing their NetBIOS names, MAC addresses, and IP addresses. A MAC address will always be found, but the name and IP may or may not be included. The client will compare the discovered devices with a local cache and create a topology report that is sent to the Endpoint Manager.

A client will send a second report about five minutes after the first. It will then taper off and wait about 30 minutes before the third report, two hours before the fourth and so on, up to a maximum of four hours. If the client is restarted, it will start over. The reporting aggressiveness is also decreased as the reports grow larger. The reason for this is that, statistically, a network containing a high number of clients will have a higher number of clients reporting the topology.

The information reported is only basic information pulled from the Ethernet headers and the NetBIOS protocol header. No protocol content is ever collected.
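A model of the topology list described above, as an added example that is not Norman's code: each device is keyed by its MAC address, the NetBIOS name and IP address are optional, and the result of a listening window is compared with a local cache. All names are hypothetical, the sample observations are constructed, and reporting only new or changed devices is an assumption, since the guide does not say what the comparison with the cache produces.

```python
from typing import Dict, Iterable, List, NamedTuple, Optional


class Device(NamedTuple):
    mac: str                    # always present in a report
    ip: Optional[str] = None    # may be missing
    name: Optional[str] = None  # NetBIOS name, may be missing


def normalize_mac(mac: str) -> str:
    # Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or bare hex digits.
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def merge_window(observations: Iterable[Device]) -> Dict[str, Device]:
    """Collapse one listening window into a single entry per MAC address.
    A frame without an IP or name never erases a value already seen."""
    seen: Dict[str, Device] = {}
    for obs in observations:
        mac = normalize_mac(obs.mac)
        old = seen.get(mac, Device(mac))
        seen[mac] = Device(mac, obs.ip or old.ip, obs.name or old.name)
    return seen


def build_report(window: Dict[str, Device], cache: Dict[str, Device]) -> List[Device]:
    """Assumed semantics: report devices that are new or changed compared
    with the local cache, and update the cache as a side effect."""
    report = []
    for mac, dev in sorted(window.items()):
        known = cache.get(mac, Device(mac))
        merged = Device(mac, dev.ip or known.ip, dev.name or known.name)
        if cache.get(mac) != merged:
            report.append(merged)
            cache[mac] = merged
    return report


# Constructed observations for one listening window (documentation addresses).
WINDOW_1 = [
    Device("00-1A-2B-3C-4D-5E"),
    Device("00:1a:2b:3c:4d:5e", ip="192.0.2.10"),
    Device("001A2B3C4D5E", name="FILESRV01"),
    Device("00:1A:2B:3C:4D:5F", ip="192.0.2.11"),
]
```

Calling `build_report(merge_window(WINDOW_1), cache)` with an empty `cache` reports two devices; repeating the call with the same window reports none.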


Norman offices
Denmark
Norman Data Defense Systems AS Blangstedgårdsvej 1, DK-Odense S Tel: +45 63 11 05 08 Fax: +45 63 13 39 01 Email: normandk@normandk.com Web: www.norman.no/dk

Spain

Norman Data Defense Systems Camino Cerro de los Gamos 1, Edif.1 E - 28224 Pozuelo de Alarcón MADRID Tel: +34 91 790 11 31 Fax: +34 91 790 11 12 Email: norman@normandata.es Web: www.normandata.es

France

Norman France 8 Rue de Berri, 75008 Paris Tel: +33 1 42 99 94 14 Fax: +33 1 42 99 95 01 Email: info@norman.fr Web: www.norman.fr

Sweden

Norman Data Defense Systems AB Korsgatan 2, 602 33 Norrköping Tel: +46 11 230 330 Fax: +46 11 230 349 Email: sales.se@norman.no Web: www.norman.com/se

Germany

Norman Data Defense Systems GmbH Zentrale, Gladbecker Str. 3, 40472 Düsseldorf Tel: +49 0211 5 86 99 0 Fax: +49 0211 5 86 99 150 Email: info@norman.de Web: www.norman.de

Switzerland

Norman Data Defense Systems AG Münchensteinerstrasse 43, CH- 4052 Basel Tel: +41 61 317 25 25 Fax: +41 61 317 25 26 Email: norman@norman.ch Web: www.norman.ch

Italy

Norman Data Defense Systems Centro Direzionale Lombardo, Via Roma, 108 20060 Cassina de' Pecchi (MI) Tel: +39 02 951 58 952 Fax: +39 02 951 38 270 Email: info@normanit.com Web: www.normanit.com

United Kingdom

Norman Data Defense Systems (UK) Ltd Exchange House, 494 Midsummer Boulevard Central Milton Keynes, MK9 2EA Tel: +44 08 707 448 044 / +44 01 908 255 990 Fax: +44 08 701 202 901 Email: norman@normanuk.com Web: www.normanuk.com

Netherlands

Norman/SHARK BV Postbus 159, 2130 AD, Hoofddorp Tel: +31 23 789 02 22 Fax: +31 23 561 31 65 Email: support@norman.nl Web: www.norman.nl

United States

Norman Data Defense Systems Inc. 9302 Lee Highway, Suite 950A, Fairfax, VA 22031 Tel: +1 703 267 6109 Fax: +1 703 934 6367 Email: norman@norman.com Web: www.norman.com

Norway

Norman ASA (Headquarters / head office and sales, Norway) Visit: Strandveien 37, Lysaker PO Box 43, N-1324 Lysaker Tel: +47 67 10 97 00 Fax: +47 67 58 99 40 E-mail: norman@norman.no Web: www.norman.com/no

Norman ASA is a world leading company within the field of data security, internet protection and analysis tools. Through its SandBox technology Norman offers a unique and proactive protection unlike any other competitor. While focusing on its proactive antivirus technology, the company has formed alliances that enable Norman to offer a complete range of data security services. Norman was established in 1984 and is headquartered in Norway with continental Europe, UK, and US as its main markets.
