Symantec Endpoint Protection & Configuration


Symantec Endpoint Protection (SEP) 11.0

Symantec Endpoint Protection 11.0 combines Symantec Antivirus with advanced threat prevention to deliver unmatched defenses against malware for laptops, desktops and servers. It seamlessly integrates essential security technologies in a single agent and management console, increasing protection and helping lower total cost of ownership.

Specifically, Symantec Endpoint Protection 11.0 provides the following protection technologies:

• Antivirus and Antispyware
• Firewall
• Intrusion Prevention (both Network and Host based)
• Device and Application Control
• Proactive Threat Scanning
• Network Access Control (optional add-on)

Symantec Endpoint Protection combines technologies from previous Symantec products in a new interface. These technologies are:

Antivirus and Antispyware

Antivirus and Antispyware scan for both viruses and for security risks. Some examples of security risks are spyware, adware, and other files that can put a computer or a network at risk.

Personal Firewall

The Symantec Endpoint Protection firewall provides a barrier between the computer and the Internet. The firewall prevents unauthorized users from accessing the computers and the networks that connect to the Internet. It detects possible hacker attacks, protects personal information, and eliminates unwanted sources of network traffic.

Intrusion Prevention

The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The intrusion prevention system is a network-based system. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.

Proactive Threat Scanning

Proactive threat scanning uses heuristics to detect unknown threats. Heuristic process scanning analyzes the behavior of an application or process to determine if it exhibits characteristics of threats, such as Trojan horses, worms, or keyloggers. This type of protection is sometimes referred to as zero-day protection.

Device and Application Control

Device-level control is implemented using rule sets that block or allow access from devices, such as USB, infrared, FireWire, SCSI, serial ports, and parallel ports. Application-level control is implemented using rule sets that block or allow the applications that try to access system resources.

The core components required to run a centrally managed Symantec Endpoint Protection 11.0 environment include:

• Symantec Endpoint Protection client (on each machine you wish to protect)
• Symantec Endpoint Protection Manager (a web server, utilizing Microsoft IIS and Apache Tomcat)
• Database (by default, the SEPM automatically installs an embedded database, based upon Sybase Adaptive Server Anywhere version 9)
• Symantec Endpoint Protection Manager console (Java-based, can be run from anywhere with network access to the Manager)

The Symantec Endpoint Protection client will run acceptably on Windows Terminal Servers; however, there are a few modifications that can be made in order to optimize the overall user experience.

For Antivirus and Antispyware protection, the following recommendations should be taken into account:

Configure Auto-Protect to:

• Scan when a file is modified
• Disable network scanning

Centralized Exceptions: it is recommended to:

• Exclude the pagefile
• Exclude the print spooler folder
• If the server is a license server, exclude the license server folder and databases

Some server administrators may wish to exclude their users' roaming profiles and/or “My Documents” folders from being scanned for security risks. While this will improve performance, Symantec would not recommend this approach – in practice this is generally the location in which security risks are discovered.

 

Additional new features for all customers

New client software user interface

The client user interface has been redesigned.

Kernel-level rootkit protection

Rootkit protection is expanded to detect and repair kernel-level rootkits. Rootkits are programs that hide from a computer's operating system and can be used for malicious purposes.

New management console

The management console is redesigned and is called the Symantec Endpoint Protection Manager console.

Role-based administration

Allows different administrators to access different levels of the management system based on their roles and responsibilities.

Group Update Provider

Symantec Endpoint Protection clients can be configured to provide signature and content updates to clients in a group. When clients are configured this way, they are called Group Update Providers. Group Update Providers do not have to be in the group or groups that they update.

Location awareness

Location awareness features are expanded from what previously existed in the Symantec Client Security product. Symantec Endpoint Protection expands location awareness support to the group level. Each group can be divided into multiple locations, and when a client is in a given location, the policies assigned to that location are applied.

Policy-based settings

Policies now control most client settings. Settings are now controlled with the policies that can be applied down to the location level. For example, consider two policies that affect Live Update settings. One policy specifies how often Live Update runs and controls user interaction. The other policy specifies the content that can be installed on client computers with Live Update.

Domains

Domains are now available for use. Domains let you create additional global groups. This feature is advanced and should be used only if necessary.

Failover and load balancing

If you have a large network and need to conserve bandwidth, you can configure additional management servers in a load-balanced configuration. If you have a large network and need redundancy, you can configure additional management servers in a failover configuration.

SQL Database support

Client information is now stored in a database on the management server. Legacy products stored information in the registry. Symantec Endpoint Protection Manager now stores all information about client computers in a SQL database (the embedded database or a Microsoft SQL database).

Enhanced Live Update

Live Update now supports downloading and installing a wide variety of content, including definitions, signatures, white lists to prevent false positives, engines, and product updates.

System Requirements for SEP

Symantec Endpoint Protection Server Manager (Central Administration Server)
Minimum requirements
· Windows 2000, Windows XP Professional SP2+, Windows Server 2003 Standard/Enterprise, Windows SBS 2003
· Microsoft Internet Information Services (IIS)
· 2 GB RAM
· 1 GB free disk space

Symantec Endpoint Protection Console (Remote administration console, optional)
Minimum requirements
· Windows 2000, Windows XP Professional, Windows Server 2003 Standard/Enterprise, Windows Vista
· Microsoft Internet Explorer 6.0 SP2+
· 512 MB RAM
· 11 MB free disk space per active console session

Symantec Endpoint Protection Client (32-bit)
Minimum requirements
· Windows 2000 SP3+, Windows XP, Windows Server 2003, Windows Vista (x86), Windows SBS 2003
· Pentium III 300 MHz
· 256 MB RAM
· 500 MB disk (plus an additional 440 MB during installation)

Symantec Endpoint Protection Client (64-bit)
Minimum requirements
· Windows XP (x64) SP1+, Windows Server 2003 (x64), Windows Vista (x64)
· 1 GHz with one of the following processors: Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support, AMD 64-bit Opteron, AMD 64-bit Athlon (Note: Itanium is not supported)
· 256 MB RAM
· 500 MB disk (plus an additional 440 MB during installation)

Symantec Antivirus for Linux Client
Linux distribution support:
· Red Hat Enterprise Linux
· SuSE Linux Enterprise (server/desktop)
· Novell Open Enterprise Server
· VMware ESX

Design Architecture

We can manage all of our servers through the Symantec Endpoint Protection Manager console.

We have separated the servers in the Symantec console according to their functionality, such as Active Directory servers and Production servers.

Through this console we can configure scheduled scans, the Live Update schedule, scan exclusions, and so on.

Clients for SEP 11 can be configured by two methods. Before deploying client packages, we need to create a package that matches the operating system of the client system, either 32-bit or 64-bit. There is also an option for Mac OS.

Creation of the client package is covered later in this document.

We can create a package according to our requirements and also per group in the SEP console.

When a package is created for a group in the SEP 11 console, the client is added to the desired group once installation completes.

Methods for deployment:

1. We deploy the client packages from the parent server using the “Migration and Deployment wizard”.

2. We can configure the client by copying the Setup.exe file to the required server and then running Setup.exe.

It will install the SEP 11 client for 32-bit or 64-bit, whichever we have selected, and add the client server to the console. This installation can be unattended, with no restart.

We can also create a client package that requires user interaction and restarts the computer.

The “Migration and Deployment wizard” is explained later in this document.

Symantec Server Policies

We can configure policies on the Symantec server by two methods.

· Configure the policy from the Policies tab in the Symantec Endpoint Protection Manager console.

· Configure the policy from the Client tab: select the required server group and then click the Policy tab.

To configure from the Policies tab, we have to define the type of policy that needs to be configured, such as a policy related to antivirus and antispyware or a policy related to file exclusions.

To configure a policy from the Client tab, select the required server group, click the Policy tab, and then assign the policy as required.

Custom SEP 11.0 Package creation and configuration

To create a new custom client installation configuration

  1. Open the Symantec Endpoint Protection Manager console.
  2. On the Admin Tab, under Tasks, click Install Packages.
    The current default client installation packages appear on the right.
  3. Under View Install Packages, click Client Install Settings.
  4. Under Tasks, click Add Client Install Settings.
  5. Specify the name you would like the custom Client Install Settings to have.
  6. Give the custom Client Install Settings a description.
  7. Select an installation type from the following:
    • Unattended (Displays notification, but requires no user input)
    • Interactive (User input required)
    • Silent (No user input or display)
  8. Select either Restart the computer after installation or Do not restart the computer after installation.
  9. Select the installation location (default or custom folder).
  10. Enable or disable installation logging.
  11. Select whether or not to add the program to the Start Menu.
  12. Select whether or not to maintain all previous logs, policies, and client-server communication settings.
  13. Click OK.

Click Export.

Then browse to the folder where you want to export the installation package.

Select the group name; after installation the client is added directly to that group.

Select the installation settings and features.

Click OK.


To create a new custom Client Install Feature Set

  1. Open the Symantec Endpoint Protection Manager console.
  2. On the Admin tab, under Tasks, click Install Packages.
    The current default client installation packages appear on the right.
  3. Under View Install Packages, click Client Install Feature Sets.
  4. Under Tasks, click Add Client Install Feature Sets.
  5. Specify the name you would like the custom Client Install Feature Set to have.
  6. Give the custom Client Install Feature Set a description.
  7. Select the Symantec Endpoint Protection features you want to include in the install package from the following list:
    • Antivirus and Antispyware Protection
      • Antivirus Email Protection
      • Microsoft Outlook Scanner
      • Lotus Notes Scanner
      • POP3/SMTP Scanner
    • Network Threat Protection
      • Network Threat Protection
    • Proactive Threat Protection
      • Proactive Threat Scan
      • Application and Device Control
  8. When you are finished, click OK.

[Screenshot: options that can be selected for Client Install Settings]

To create the new custom install package

  1. In the Symantec Endpoint Protection Manager console, on the Admin tab, under Tasks, click Install Packages.
    The current default client installation packages appear on the right.
  2. Under View Install Packages, click Client Install Packages.
  3. Under Tasks, click Export Client Install Package.
  4. Browse to or create a preferred export folder, and select it.
  5. Select whether or not you want to create a single .EXE file. Unchecking single .EXE will export multiple files, including an *.MSI installer file.
  6. Under "Pick the customized installation settings below", from the drop down menu, select your custom Client Install Setting.
  7. Under "Select the features you want to use", from the drop down menu, select your custom Client Install Feature Set.
  8. Choose "Export a managed client", then select the group to which the client will be installed. If no group has been created, select the Default Group. It is recommended to leave "Add clients automatically to the selected group" checked.
  9. Select the Preferred Policy Mode. The default is Computer mode.
  10. Click OK.

The new install package is created in the location you specified.


“Migration and Deployment wizard” for Client Deployment

Click Next and browse to the installation package that we created according to our requirements.

Click Add or Import computer.

Then add the computer by IP address or by hostname.

Click Finish.

Installation starts on the remote computer.

Once installation is complete, the computer name is visible in the SEP 11 console.
