Symantec 20032623 - Endpoint Protection Small Business Edition Implementation Manual


Summary of Contents for Symantec 20032623 - Endpoint Protection Small Business Edition

  • Page 1 Symantec Endpoint Protection Small Business Edition Implementation Guide...
  • Page 2: Legal Notice

    Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
  • Page 3 Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com...
  • Page 4: Technical Support

    The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
  • Page 5: Customer Service

    Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/ Customer service Customer service information is available at the following URL: www.symantec.com/business/support/...
  • Page 6 Support agreement resources If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows: Asia-Pacific and Japan customercare_apac@symantec.com Europe, Middle-East, and Africa semea@symantec.com North America and Latin America...
  • Page 7: Table Of Contents

    Introducing Symantec Endpoint Protection Small Business Edition (p. 17); About Symantec Endpoint Protection Small Business Edition (p. 17); What's new in version 12.1 (p. 18); About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides (p. 21); Protecting your network with Symantec Endpoint Protection Small Business Edition ...
  • Page 8 Licensing Symantec Endpoint Protection (p. 56); About the trialware license (p. 58); Purchasing licenses (p. 58); Where to buy a Symantec product license (p. 59); Activating your product license (p. 59); Using the License Activation wizard (p. 60); Required licensing contact information (p. 61); About upgrading from trialware ...
  • Page 9 Upgrading to a new release (p. 90); Migrating a management server (p. 90); Stopping and starting the management server service (p. 91); Disabling LiveUpdate in Symantec AntiVirus before migration (p. 92); Disabling scheduled scans in Symantec System Center when you migrate client computers (p. 93); Turning off the roaming service ...
  • Page 10 About the types of scans and real-time protection (p. 139); About the types of Auto-Protect (p. 142); About virus and security risks (p. 144); About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans (p. 146)...
  • Page 11 Adjusting scans to increase protection on your client computers (p. 163); Managing Download Insight detections (p. 165); How Symantec Endpoint Protection Small Business Edition uses reputation data to make decisions about files (p. 169); How Symantec Endpoint Protection Small Business Edition protection features work together ...
  • Page 12 Contents: Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection (p. 190); Allowing users to view scan progress and interact with scans (p. 192); Chapter 13 Managing SONAR (p. 195); About SONAR (p. 195); About the files and applications that SONAR detects ...
  • Page 13 Creating a Tamper Protection exception (p. 248); Restricting the types of exceptions that users can configure on client computers (p. 249); Creating exceptions from log events in Symantec Endpoint Protection Manager (p. 249); Chapter 18 Configuring updates and updating client computer protection ...
  • Page 14 Contents: Chapter 19 Monitoring protection with reports and logs (p. 261); Monitoring endpoint protection (p. 261); Viewing a daily or weekly status report (p. 263); Viewing system protection (p. 264); Finding offline computers (p. 265); Finding unscanned computers (p. 265); Viewing risks ...
  • Page 15 Chapter 24 Troubleshooting installation and communication problems (p. 315); Downloading the Symantec Endpoint Protection Support Tool to troubleshoot computer issues (p. 315); Identifying the point of failure of an installation (p. 316); Troubleshooting communication problems between the management server and the client (p. 316); Viewing the client connection status on the client ...
  • Page 16 Virus and Spyware Protection policy settings available for Windows and Mac (p. 340); LiveUpdate policy settings available for Windows and Mac (p. 341); Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1 (p. 342); Index (p. 345)...
  • Page 17: Introducing Symantec Endpoint Protection Small Business Edition

    This chapter includes the following topics: About Symantec Endpoint Protection Small Business Edition What's new in version 12.1 About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides Protecting your network with Symantec Endpoint Protection Small Business...
  • Page 18: What's New In Version 12.1

    This comprehensive solution protects confidential and valuable information by combining multiple layers of protection on a single integrated client. Symantec Endpoint Protection reduces management overhead, time, and cost by offering a single management console and the single client.
  • Page 19 188. Insight Lookup detects the application files that might not typically be detected as risks and sends information from the files to Symantec for evaluation. If Symantec determines that the application files are risks, the client computer then handles the files as risks.
  • Page 20 LiveUpdate can run when the client computer is idle, has outdated content, or has been disconnected, which uses less memory. Support for Mac In Symantec Enterprise Protection Small Business Edition, you can now deploy and manage Mac clients on Symantec Endpoint Protection Manager for Symantec Endpoint Protection Small Business Edition.
  • Page 21: About The Types Of Threat Protection That Symantec Endpoint Protection Small Business Edition Provides

    Introducing Symantec Endpoint Protection Small Business Edition About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides New features in version 12.1 (continued) Table 1-1 Feature Description Improved installation You can install the product faster and easier than before with the following new installation...
  • Page 22 Introducing Symantec Endpoint Protection Small Business Edition About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides Layers of protection Table 1-2 Protection Description Benefit type Virus and Virus and Spyware Protection protects Virus and Spyware Protection detects new...
  • Page 23 Introducing Symantec Endpoint Protection Small Business Edition About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides Layers of protection (continued) Table 1-2 Protection Description Benefit type Proactive Threat Proactive Threat Protection uses SONAR to SONAR examines programs as they run, and...
  • Page 24 Introducing Symantec Endpoint Protection Small Business Edition About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides An overview of protection layers Figure 1-1 Company Internet Network Back doors Application Insider threats Adware File/process/ DoS attacks...
  • Page 25: Protecting Your Network With Symantec Endpoint Protection Small Business Edition

    Symantec Endpoint Protection Manager and the Symantec Endpoint Protection Small Business Edition client. Table 1-3 outlines the main high-level tasks that you need to do to use Symantec Endpoint Protection Small Business Edition. Steps to set up, configure, and manage Symantec Endpoint...
  • Page 26: Getting Up And Running On Symantec Endpoint Protection Small Business Edition For The First Time

    Install or migrate the management server: Whether you install the product for the first time, upgrade from a previous version, or migrate from another product, you install Symantec Endpoint Protection Manager first. See “Installing the management server and the console” on page 45.
  • Page 27 Introducing Symantec Endpoint Protection Small Business Edition Protecting your network with Symantec Endpoint Protection Small Business Edition Tasks to install and configure Symantec Endpoint Protection Small Table 1-4 Business Edition (continued) Action Description Install the client Deploy the client software.
  • Page 28 Introducing Symantec Endpoint Protection Small Business Edition Protecting your network with Symantec Endpoint Protection Small Business Edition Tasks to install and configure Symantec Endpoint Protection Small Table 1-4 Business Edition (continued) Action Description Configure Symantec Alerts and notifications are critical to maintaining a secure environment and can also Endpoint Protection save you time.
  • Page 29: Managing Protection On Client Computers

    Security policies must be applied to a group before the clients apply the policies to the client computer. You can create policies that all groups share or that apply to only one group. Symantec Endpoint Protection Manager makes it easy to add and modify policies for all the security needs of your company.
  • Page 30: Maintaining The Security Of Your Environment

    Symantec recommends that you analyze which computers need which type of security. If you did not deploy the client installation package at the time that you installed Symantec Endpoint Protection Manager, you can deploy the client software later. You have the option to look for unprotected computers.
  • Page 31: Troubleshooting Symantec Endpoint Protection Small Business Edition

    Tool to verify that your computers are ready for installation. The support tool is provided with the management server and the client. It is also available on the Symantec Support Web site. Downloading the Symantec Endpoint Protection Support Tool to troubleshoot computer issues”...
  • Page 32 Best practices for troubleshooting viruses on a network. Troubleshooting If the latest virus definitions do not update correctly on Symantec Endpoint Protection content update Manager or the clients, see the following knowledge base article: problems Symantec Endpoint Protection: LiveUpdate Troubleshooting.
  • Page 33: Installing Symantec Endpoint Protection Small Business Edition

    Chapter 3. Installing Symantec Endpoint Protection Manager Chapter 4. Managing product licenses Chapter 5. Preparing for client installation Chapter 6. Installing the Symantec Endpoint Protection Small Business Edition client Chapter 7. Upgrading and migrating to Symantec Endpoint Protection Small Business Edition...
  • Page 35: Planning The Installation

    Components of Symantec Endpoint Protection Small Business Edition Product license requirements System requirements About Symantec Endpoint Protection Manager compatibility with other products Planning the installation Table 2-1 summarizes the high-level steps to install Symantec Endpoint Protection Small Business Edition. Installation planning Table 2-1 Step Action Description...
  • Page 36 Installing the management server and the console” on page 45. Step 7: Migrate Symantec legacy virus protection software. If you are running legacy Symantec protection, you usually migrate policy and group settings from your older version. See “About migrating to Symantec Endpoint Protection Small Business Edition”...
  • Page 37: Components Of Symantec Endpoint Protection Small Business Edition

    Install clients Install the Symantec Endpoint Protection Small Business Edition client on your endpoint computers. Symantec recommends that you also install the client on the computer that hosts Symantec Endpoint Protection Manager. Deploying clients using a Web link and email”...
  • Page 38 Database The database stores security policies and events. The database is installed on the computer that hosts Symantec Endpoint Protection Manager. Symantec Endpoint The Symantec Endpoint Protection Small Business Edition...
  • Page 39: Product License Requirements

    Small Business Edition provides” on page 21. Product license requirements If you want to use Symantec Endpoint Protection Small Business Edition after the trial period expires, you must purchase a product license. You purchase a license according to the following requirements:...
  • Page 40 Serial number A license contains a serial number that uniquely identifies your license and associates the license with your company. The serial number can be used to activate your Symantec Endpoint Protection Small Business Edition license. Activating your product license”...
  • Page 41: System Requirements

    58. Activate the license. Activating your product license” on page 59. Understanding license requirements is part of planning your Symantec Endpoint Protection Small Business Edition installation and after installation, managing your product licenses. Planning the installation” on page 35.
  • Page 42 Microsoft Internet Explorer 7, 8, or 9 Mozilla Firefox 3.6 or 4.0 Note: Clients before version 12.1 can be managed by this version of the Symantec Endpoint Protection Manager, regardless of the client operating system. Symantec Endpoint Protection Small Business Edition Windows and...
  • Page 43: About Symantec Endpoint Protection Manager Compatibility With Other Products

    Some products may cause conflicts with Symantec Endpoint Protection Small Business Edition when they are installed on the same server. You need to configure the Symantec Endpoint Protection Manager installation if one or more of the following products is installed on the same server:...
  • Page 44 Planning the installation About Symantec Endpoint Protection Manager compatibility with other products For information about the configuration changes, see the Symantec Support knowledge base article, Addressing Symantec Endpoint Protection compatibility issues. System requirements” on page 41.
  • Page 45: Installing Symantec Endpoint Protection Manager

    System requirements” on page 41. Preparing for client installation” on page 71. Getting up and running on Symantec Endpoint Protection Small Business Edition for the first time” on page 26.
  • Page 46 Configuring the management server during installation” on page 47. In the Symantec AntiVirus Migration (optional) panel, click No if you do not need to migrate from Symantec AntiVirus or Symantec Client Security. The Client Deployment Wizard starts automatically. You can deploy client software at any time.
  • Page 47: Configuring The Management Server During Installation

    > Symantec Endpoint Protection Manager Tools. To configure the server, you specify the following information: Whether you want to use a recovery file. Note: If this is your first installation of Symantec Endpoint Protection Manager, there is no recovery file. Performing disaster recovery”...
  • Page 48: Uninstalling Symantec Endpoint Protection Manager

    Uninstalling Symantec Endpoint Protection Manager uninstalls the server, console, and database. You can optionally uninstall the database backup files. If you plan to reinstall Symantec Endpoint Protection Manager, you should back up the database before you uninstall it. Backing up the database and logs”...
  • Page 49: Logging On To The Symantec Endpoint Protection Manager Console

    Logging on to the Symantec Endpoint Protection Manager console Logging on to the Symantec Endpoint Protection Manager console You can log on to the Symantec Endpoint Protection Manager console after you install Symantec Endpoint Protection Manager. You can log on to the console in either of two ways: Locally, from the computer on which the management server is installed.
  • Page 50 IP address of the management server. On the Symantec Endpoint Protection Manager console Web Access page, click the desired console type. Note: If you select Symantec Endpoint Protection Manager Console, the computer from which you log on must have the Java 2 Runtime Environment (JRE) installed.
  • Page 51: What You Can Do From The Console

    If you do, click Yes, Run, Start, or their equivalent, and continue until the console appears. You may need to accept the self-signed certificate that is required by Symantec Endpoint Protection Manager. Accepting the self-signed certificate for Symantec Endpoint Protection Manager”...
  • Page 52 Symantec Endpoint Protection Manager console pages (continued) Table 3-2 Page Description Monitors Monitor event logs that concern Symantec Endpoint Protection Manager and your managed computers. You can do the following tasks from the Monitors page: View risk distribution graphs. View event logs.
  • Page 53 295. Managing content updates” on page 251. Support Display the Symantec Support Web site where you can download a tool to help you with installation problems on the management server and the client. Downloading the Symantec Endpoint Protection Support Tool to troubleshoot computer issues”...
  • Page 54 Installing Symantec Endpoint Protection Manager What you can do from the console...
  • Page 55: Managing Product Licenses

    Using the License Activation wizard Required licensing contact information About upgrading from trialware About product upgrades and licenses About renewing your Symantec Endpoint Protection Small Business Edition license About the Symantec Licensing Portal Maintaining your product licenses Checking license status...
  • Page 56: Licensing Symantec Endpoint Protection

    Symantec Endpoint Protection Small Business Edition clients that are needed to protect the endpoints at your site. Once the Symantec Endpoint Protection Manager is installed, you have 30 days to purchase enough license seats to cover all of your deployed clients.
  • Page 57 Web site. The license file uses the file extension .SLF (Symantec license file). When the license file is sent by email, it is attached to the email as a .ZIP file. You must extract the .SLF file from the .ZIP file.
  • Page 58: About The Trialware License

    Managing product licenses About the trialware license Note: In some cases, you may only have a license serial number. This serial number can be used to activate your Symantec product license and to download the product software. About the trialware license The trialware license lets you evaluate and test Symantec Endpoint Protection Small Business Edition in your environment.
  • Page 59: Where To Buy A Symantec Product License

    Visit the Symantec Ordering Web site for sales contact information. Activating your product license Activating a license saves the license file in the Symantec Endpoint Protection Manager database. Licensing Symantec Endpoint Protection” on page 56. You can activate the following types of licenses:...
  • Page 60: Using The License Activation Wizard

    Using the License Activation wizard” on page 60. Using the License Activation wizard The License Activation wizard is used to activate and manage your Symantec Endpoint Protection Small Business Edition product licenses. The License Activation wizard is a component of the Symantec Endpoint Protection Manager.
  • Page 61: Required Licensing Contact Information

    Upon completing your license purchase, you may be sent a file (.slf) Symantec License file. Symantec License files use the .SLF extension. If you received a .SLF file from Symantec or a Symantec vendor, use this option to activate your product license.
  • Page 62: About Upgrading From Trialware

    58. Licensing Symantec Endpoint Protection” on page 56. About product upgrades and licenses When a new version of Symantec Endpoint Protection Small Business Edition is released, you may apply your existing active license to the new version. You receive...
  • Page 63: About Renewing Your Symantec Endpoint Protection Small Business Edition License

    About renewing your Symantec Endpoint Protection Small Business Edition license When your current license is about to expire, the Symantec Endpoint Protection Manager begins sending license expiration notifications to the Symantec Endpoint Protection Small Business Edition administrator. Symantec highly recommends that you renew your license before it expires.
  • Page 64: Maintaining Your Product Licenses

    Maintaining your product licenses Note: You must create an account before you can use the licensing portal. If you do not have a Symantec Licensing Portal account, a link is provided on the main page to create one. Licensing Symantec Endpoint Protection”...
  • Page 65: Downloading A License File

    Versions of Symantec Endpoint Protection Small Business Edition before 12.1 required that you manually download license files in certain cases. Starting with version 12.1, you do not need to manually download a license file. Symantec Endpoint Protection Manager creates a copy of the license file and the recovery file.
  • Page 66: Backing Up Your License Files

    Maintaining your product licenses” on page 64. Backing up your license files Symantec recommends that you back up your license files. Backing up the license files preserves the license files in case the database or the console computer's hard disk is damaged.
  • Page 67: Recovering A Deleted License

    Submit. Maintaining your product licenses” on page 64. Importing a license Importing a license saves the license file in the Symantec Endpoint Protection Manager database. Licensing Symantec Endpoint Protection” on page 56. You can import the following types of licenses:...
  • Page 68: About Multi-Year Licenses

    For instance, a three-year license consists of three separate license files. When you activate a multi-year license, you import all of the license files during the same activation session. The Symantec Endpoint Protection Manager merges the separate license files into a single activated license that is valid for the purchased duration.
  • Page 69 To license an unmanaged client Locate and create a copy of your current Symantec Licensing File (.SLF). Use the same file that you used to activate your license on the Symantec Endpoint Protection Manager. On the client computer, place the copied license file into the Symantec Endpoint Protection client inbox.
  • Page 70 Managing product licenses Licensing an unmanaged client...
  • Page 71: Preparing For Client Installation

    Windows Add or Remove Programs tool to uninstall programs. However, some programs have special uninstallation routines. See the documentation for the third-party software. Uninstall any legacy Symantec virus protection software if you do not plan to migrate the settings. About migrating to Symantec Endpoint Protection Small Business Edition”...
  • Page 72: Preparing Windows Operating Systems For Remote Deployment

    Action: Prepare computers for remote deployment (optional). Description: Prepare your computers for remote client deployment. Modify firewall settings to allow communication between Symantec Endpoint Protection Small Business Edition components. See “Preparing Windows operating systems for remote deployment” on page 72. Action: Deploy client software. Description: You deploy the client software using any of the three available methods.
  • Page 73 The Symantec Endpoint Protection Manager requires access 2003 computers for to the system registry for installation and normal operation. installation using a remote To prepare a computer to install Symantec Endpoint desktop connection Protection Manager using a remote desktop connection, perform the following tasks: Configure a server that runs Windows Server 2003 to allow remote control.
  • Page 74 Preparing for client installation Preparing Windows operating systems for remote deployment...
  • Page 75: Installing The Symantec Endpoint Protection Small Business Edition Client

    Installing an unmanaged client Uninstalling the client About client deployment methods You deploy the Symantec Endpoint Protection Small Business Edition client by using the Client Deployment Wizard. You deploy the client software after the Symantec Endpoint Protection Manager is installed.
  • Page 76: Deploying Clients Using A Web Link And Email

    Select and configure the client installation packages. Client installation packages are created for 32-bit and 64-bit Windows computers. The installation packages are stored on the computer that runs Symantec Endpoint Protection Manager. Notify the computer users about the client installation packages. An email message is sent to the selected computer users.
  • Page 77: Deploying Clients By Using Remote Push

    Select the type of deployment you want to use and then click Next. The New Package Deployment option uses the packages that are stored on the Symantec Endpoint Protection Manager. By default, two packages are available. You can optionally create new packages with custom settings and features.
  • Page 78 Installing the Symantec Endpoint Protection Small Business Edition client About client deployment methods Remote Push performs the following actions: Select an existing client installation package or create a new installation package. For new installation packages, configure package deployment settings Locate computers on your network.
  • Page 79: Deploying Clients By Using Save Package

    Installing the Symantec Endpoint Protection Small Business Edition client About client deployment methods Click Send to push the client software to the selected computers. Wait while the client software is pushed to the selected computers. Click Finish. The installation starts automatically on the client computers. The installation takes several minutes to complete.
  • Page 80: Restarting Client Computers

    Installing the Symantec Endpoint Protection Small Business Edition client Restarting client computers Select the package, the group, the installation feature set and content options and then click Next. Click Save, and then click Next. Check Single .exe file or Separate files.
  • Page 81: About Managed And Unmanaged Clients

    Installing the Symantec Endpoint Protection Small Business Edition client About managed and unmanaged clients To restart a selected client computer In the console, click Computers. On the Computers page, on the Computers tab, select a group. On the Computers tab, select a computer, right-click Run Command on Group, and then click Restart Client Computers.
  • Page 82: Installing An Unmanaged Client

    On the Wizard Complete panel, click Finish. Uninstalling the client You uninstall the Symantec Endpoint Protection Small Business Edition client by using the Windows Add or Remove Programs utility. If the client software uses a policy that blocks hardware devices, the devices are blocked after you uninstall the software.
  • Page 83 On the client computer, on the Start menu, click Control Panel > Add or Remove Programs. In the Add or Remove Programs dialog box, select Symantec Endpoint Protection Small Business Edition, and then click Remove. Follow the onscreen prompts to remove the client software.
  • Page 84 Installing the Symantec Endpoint Protection Small Business Edition client Uninstalling the client...
  • Page 85: Chapter 7 Upgrading And Migrating To Symantec Endpoint Protection Small Business Edition

    Migrating a management server Stopping and starting the management server service Disabling LiveUpdate in Symantec AntiVirus before migration Disabling scheduled scans in Symantec System Center when you migrate client computers Turning off the roaming service Uninstalling and deleting reporting servers...
  • Page 86: About Migrating To Symantec Endpoint Protection Small Business Edition

    Upgrading and migrating to Symantec Endpoint Protection Small Business Edition About migrating to Symantec Endpoint Protection Small Business Edition About migrating to Symantec Endpoint Protection Small Business Edition Symantec Endpoint Protection Small Business Edition detects and migrates Symantec legacy virus protection software.
  • Page 87: Migrating From Symantec Client Security Or Symantec Antivirus

    Migrating from Symantec Client Security or Symantec AntiVirus You can migrate the clients that run Symantec legacy virus protection software. During migration, the database in Symantec Endpoint Protection Small Business Edition is populated with the group data and policy data from the legacy installation.
  • Page 88: About Migrating Computer Groups

    Moving a client computer to another group” on page 105. Viewing assigned policies” on page 124. Import legacy license Import your legacy license file into Symantec Endpoint Protection Small Business Edition. Importing a license” on page 67. Deploy the client Deploy the client to the legacy computers.
  • Page 89 In the Migration Wizard panel, select one of the following options: Auto-detect Servers This option imports the settings from all the servers. Type the IP address of a computer that runs the Symantec System Center. Add Server This option imports the settings from a single server and the clients that it manages.
  • Page 90: Upgrading To A New Release

    The information in this section is specific to upgrading software in environments where a version of Symantec Endpoint Protection 11.x or 12.0 is already installed. Process for upgrading to the latest Small Business Edition release...
  • Page 91: Stopping And Starting The Management Server Service

    Manager service on the management server. After you upgrade, the service starts automatically. Warning: If you do not stop the Symantec Endpoint Protection Manager service before you upgrade the server, you risk corrupting your existing Symantec Endpoint Protection Small Business Edition database.
  • Page 92: Disabling Liveupdate In Symantec Antivirus Before Migration

    Warning: Close the Services window or your upgrade can fail. Repeat this procedure for all installations of Symantec Endpoint Protection Manager. To start the Symantec Endpoint Protection Manager service using the command line From a command prompt, type: net start semsrv...
  • Page 93: Disabling Scheduled Scans In Symantec System Center When You Migrate Client Computers

    Upgrading and migrating to Symantec Endpoint Protection Small Business Edition Disabling scheduled scans in Symantec System Center when you migrate client computers Check Do not allow client to manually launch LiveUpdate, and then click Repeat this procedure for all server groups if you have more than one.
  • Page 94: Uninstalling And Deleting Reporting Servers

    Log on to a computer that runs the reporting server. Click Start > Settings > Control Panel > Add or Remove Programs. In the Add or Remove Programs dialog box, click Symantec Reporting Server, and then click Remove. Follow the on-screen prompts until you delete the reporting server.
  • Page 95: Unlocking Server Groups In Symantec System Center

    Use one of the other supported methods of installing client software. See “About client deployment methods” on page 75. If the Symantec Network Access Control client is also installed, you should upgrade both the Symantec Endpoint Protection Small Business Edition client and the...
  • Page 96: Upgrading Clients By Using Autoupgrade

    Symantec Network Access Control client. You can assign both the Symantec Endpoint Protection Small Business Edition package and the Symantec Network Access Control package to the same group. In this case, make sure that the Maintain Features option is selected.
  • Page 97 If you select the remote push option, you add computers to the Install Protection Client list and then click Next. To select computers, you either browse for computers, or search by IP address or computer name.
  • Page 98 Upgrading and migrating to Symantec Endpoint Protection Small Business Edition Upgrading clients by using AutoUpgrade...
  • Page 99: Managing Protection On Symantec Endpoint Protection Small Business Edition

    Section Managing protection on Symantec Endpoint Protection Small Business Edition Chapter 8. Managing groups of client computers Chapter 9. Managing clients Chapter 10. Using policies to manage security Chapter 11. Managing Virus and Spyware Protection Chapter 12. Customizing scans Chapter 13. Managing SONAR Chapter 14.
  • Page 100 Chapter 18. Configuring updates and updating client computer protection Chapter 19. Monitoring protection with reports and logs Chapter 20. Managing notifications Chapter 21. Managing administrator accounts...
  • Page 101: Chapter 8 Managing Groups Of Client Computers

    Accounting group. The group structure that you define often matches the structure of your organization. The Symantec Endpoint Protection Manager console contains the following default groups: The My Company group is the top-level, or parent, group. It contains a flat tree of child groups.
  • Page 102 The Laptops and Desktops group contains portable computers and desktop computers. The Laptops and Desktops group is a child group under the My Company parent group. The Servers group contains the computers that run a supported Windows Server operating system.
  • Page 103: How You Can Structure Groups

    Once you have organized your computers into logical groups, you can more easily manage your security policies. See “Performing tasks that are common to all security policies” on page 119. How you can structure groups You can create multiple groups and subgroups to match the organizational structure of your company.
  • Page 104: Adding A Group

    See “Managing groups of computers” on page 101. Adding a group You can add groups after you define the group structure for your organization. Group descriptions may be up to 1024 characters long. Group names may contain any character except the following characters: [”...
  • Page 105: Viewing Assigned Computers

    In the Group Properties for group name dialog box, click Block New Clients. Click OK. Viewing assigned computers You can verify that your computers are assigned to the correct groups. To view assigned computers In the console, click Computers.
  • Page 106 If your company has portable computers that never connect to the network, install unmanaged clients on them. Unmanaged clients do not communicate with Symantec Endpoint Protection Manager and receive updates directly from Symantec LiveUpdate servers. Create a group for the managed portable computers.
  • Page 107: Managing Clients

    Chapter Managing clients This chapter includes the following topics: Managing client computers; About the client protection status icons; Viewing the protection status of clients and client computers; Viewing a client computer's properties; About enabling and disabling protection; About commands you can run on client computers; Running commands on the client computer from the console; Converting an unmanaged client to a managed client. Managing client computers...
  • Page 108: About The Client Protection Status Icons

    See “The types of security policies” on page 118. See “About the types of threat protection that Symantec Endpoint Protection Small Business Edition provides” on page 21. You can temporarily disable protection on the client computers if you need to diagnose a problem or improve performance.
  • Page 109: Viewing The Protection Status Of Clients And Client Computers

    Table 9-2: Client status icons in the management console (columns: Icon, Description). This icon indicates the following status: The client can communicate with Symantec Endpoint Protection Manager. This icon indicates the following status: The client cannot communicate with Symantec Endpoint Protection Manager.
  • Page 110: Viewing A Client Computer's Properties

    Note: If you manage legacy clients, some newer protection technologies may be listed as not reporting. This behavior is expected. It does not mean that you need to take action on these clients. See “About the client protection status icons”...
  • Page 111: About Enabling And Disabling Protection

    In the client name dialog box, you can view information about the client. Click OK. About enabling and disabling protection In general, you always want to keep the protection technologies enabled on the client computer.
  • Page 112 114. If Auto-Protect causes a problem with an application, it is better to create an exception than to permanently disable the protection. See “Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 240. Proactive Threat Protection: You might want to disable Proactive Threat Protection for the following reasons: You see too many warnings about the threats that you know are not threats.
  • Page 113: About Commands You Can Run On Client Computers

    Update Content: Updates content on clients by initiating a LiveUpdate session on the client computers. The clients receive the latest content from Symantec LiveUpdate. See “Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager” on page 255. Update Content and...
  • Page 114: Running Commands On The Client Computer From The Console

    Table 9-4: Commands that you can run on client computers (continued) (columns: Commands, Description). Enable Auto-Protect: Enables Auto-Protect for the file system on the client computers. By default, Auto-Protect for the file system is enabled. You might need to enable Auto-Protect from the console if you allow users to change the setting or if you disable Auto-Protect.
  • Page 115: Converting An Unmanaged Client To A Managed Client

    To run commands on the client computer from the console In the console, click Computers, and then under Computers, select the group that includes computers for which you want to run a command. In the right pane, click Computers.
  • Page 116 Table 9-5: Server communication settings import steps (columns: Step, Task, Description). Step 1. Task: Provide server communications settings to computer user. Description: Export the sylink.xml file that contains the server communication settings for a group. Do the following tasks to export the sylink.xml file: In the console, on the Computers page, right-click a group, and then click...
  • Page 117: Using Policies To Manage Security

    Chapter Using policies to manage security This chapter includes the following topics: The types of security policies; Performing tasks that are common to all security policies; Adding a policy; Copying and pasting a policy; Editing a policy; Locking and unlocking policy settings; Assigning a policy to a group; Viewing assigned policies; Testing a security policy...
  • Page 118: The Types Of Security Policies

    Your security policies define how the protection technologies protect your computers from known and unknown threats. You use several different types of security policies to manage your network security.
  • Page 119: Performing Tasks That Are Common To All Security Policies

    Performing tasks that are common to all security policies You can manage your Symantec Endpoint Protection Small Business Edition security policies in many ways. For example, you can create copies of the security policies and then customize the copies for your specific needs. You can lock and unlock certain settings so that users cannot change them on the client computer.
  • Page 120 See “Assigning a policy to a group” on page 123. Test a policy: Symantec recommends that you always test a new policy before you use it in a production environment. See “Testing a security policy” on page 124. Replace a policy: You can replace one policy with another.
  • Page 121: Adding A Policy

    See “Performing tasks that are common to all security policies” on page 119. Symantec recommends that you test all new policies before you use them in a production environment. See “Testing a security policy” on page 124.
  • Page 122: Editing A Policy

    In the policy type Policies pane, right-click the specific policy that you want to copy, and then click Copy. Click OK. Right-click anywhere in the white space of the policy type Policies pane, and then click Paste.
  • Page 123: Assigning A Policy To A Group

    Policies are assigned to computer groups as follows: At initial installation, the Symantec default security policies are assigned to the My Company parent group. The security policies in the My Company parent group are automatically assigned to each newly created child group.
  • Page 124: Viewing Assigned Policies

    Click Tasks for more options. Testing a security policy Symantec recommends that you test a policy before you use it in a production environment. See “Performing tasks that are common to all security policies” on page 119.
  • Page 125: Replacing A Policy

    Move the test computers to the test group. Exercise the test computers to verify that they operate correctly. Replacing a policy You may want to replace one policy in a group with another. To replace a policy In the console, click Policies.
  • Page 126: Deleting A Policy Permanently

    When you are prompted to confirm that you want to delete the policy that you selected, click Yes. How the client computers get policy updates Computers get security policy updates from Symantec Endpoint Protection Manager. When you update a security policy by using the console, the computers...
  • Page 127: Using The Policy Serial Number To Check Client-Server Communication

    receive the updates immediately. You can also update policies manually on the client computer. See “Using the policy serial number to check client-server communication” on page 127. Using the policy serial number to check client-server communication You can manually update the policies and use the policy serial numbers to check...
  • Page 128 Using policies to manage security Using the policy serial number to check client-server communication...
  • Page 129: Managing Virus And Spyware Protection

    Adjusting scans to improve computer performance Adjusting scans to increase protection on your client computers Managing Download Insight detections How Symantec Endpoint Protection Small Business Edition uses reputation data to make decisions about files How Symantec Endpoint Protection Small Business Edition protection features...
  • Page 130: Preventing And Handling Virus And Spyware Attacks On Client Computers

    Symantec Endpoint Protection Small Business Edition installed: servers should have Symantec Endpoint Protection Small Business Edition installed. Make sure that Symantec Endpoint Protection Small Business Edition is functioning correctly. Keep definitions current: Make sure that the latest virus definitions are installed on client computers.
  • Page 131 Typically, you might want to create a full scheduled scan to run once a week, and an active scan to run once per day. By default, Symantec Endpoint Protection Small Business Edition generates an active scan that runs at 12:30 P.M.
  • Page 132: Remediating Risks On The Computers In Your Network

    Symantec Endpoint Protection Small Business Edition was not able to completely remove the threat. In some cases client computers require a restart for Symantec Endpoint Protection Small Business Edition to complete the cleaning process. See “Remediating risks on the computers in your network”...
  • Page 133 You can get information about infected and at-risk computers from Symantec Endpoint Protection Manager. On the Home page, check the Newly Infected and the Still Infected counts in the Virus and Risks Activity Summary. The Newly Infected count is a subset of the Still Infected count.
  • Page 134: Identifying The Infected And At-Risk Computers

    275. Identifying the infected and at-risk computers You can use the Symantec Endpoint Protection Manager Home page and a risk report to identify the computers that are infected and at risk. See “Remediating risks on the computers in your network”...
  • Page 135: Checking The Scan Action And Rescanning The Identified Computers

    Computers are still infected if a subsequent scan would report them as infected. For example, Symantec Endpoint Protection Small Business Edition might have been able to clean a risk only partially from a computer, so Auto-Protect still detects the risk.
  • Page 136: Managing Scans On Client Computers

    Click Back. On the Logs tab, select the Computer Status log, and then click View Log. If you changed an action and pushed out a new policy, select the computers that need to be rescanned with the new settings.
  • Page 137 They can also protect memory, load points, and other important locations on your client computers. Note: For managed clients, Symantec Endpoint Protection Small Business Edition provides a default scheduled scan that scans all files, folders, and locations on the client computers.
  • Page 138 Table 11-3: Managing scans on client computers (continued) (columns: Task, Description). Adjust scans to improve client computer performance: By default, Symantec Endpoint Protection Small Business Edition provides a high level of security while it minimizes the effect on your client computers' performance. You can change some settings, however, to optimize the computer performance even more.
  • Page 139: About The Types Of Scans And Real-Time Protection

    Symantec Endpoint Protection Small Business Edition includes different types of scans and real-time protection to detect different types of viruses, threats, and risks. By default, Symantec Endpoint Protection Small Business Edition runs an active scan every day at 12:30 P.M. Symantec Endpoint Protection Small Business Edition...
  • Page 140 Download Insight boosts the security of Auto-Protect scans by inspecting files when users try to download them from browsers and other portals. Download Insight uses reputation information to make decisions about files. A Symantec technology that is called Insight determines the file reputation. Insight uses not only the source of a file but also its context to determine a file's reputation.
  • Page 141 Like proactive threat scans, SONAR detects keyloggers, spyware, and any other application that might be malicious or potentially malicious. Note: SONAR is only supported on Windows computers that run Symantec Endpoint Protection Small Business Edition version 12.1 and later. See “About SONAR”...
  • Page 142: About The Types Of Auto-Protect

    Auto-Protect scans files as well as certain types of email and email attachments. By default, all types of Auto-Protect are enabled. If your client computers run other email security products, such as Symantec Mail Security, you might not need to enable Auto-Protect for email.
  • Page 143 Table 11-5: Types of Auto-Protect (columns: Type of Auto-Protect, Description). Auto-Protect: Continuously scans files as they are read from or written to the client computer. Auto-Protect is enabled by default for the file system. It loads at computer startup.
  • Page 144: About Virus And Security Risks

    On Windows clients, you can change the action that Symantec Endpoint Protection Small Business Edition takes when it detects a virus or a security risk. The security risk categories are dynamic and change over time as Symantec collects information about risks.
  • Page 145 Table 11-6: Viruses and security risks (columns: Risk, Description). Viruses: Programs or code that attach a copy of themselves to another computer program or file when it runs. When the infected program runs, the attached virus program activates and attaches itself to other programs and files.
  • Page 146: About The Files And Folders That Symantec Endpoint Protection Excludes From Virus And Spyware Scans

    Stand-alone or appended applications that trace a user's path on the Internet and send information to the controller or hacker's system. About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans When Symantec Endpoint Protection Small Business Edition detects the presence of certain third-party applications and some Symantec products, it automatically creates exclusions for these files and folders.
  • Page 147 You can view the exclusions that the client automatically creates. Look in the following locations of the Windows registry: On 32-bit computers, see HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection Small Business Edition\AV\Exclusions. On 64-bit computers, see HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection Small Business Edition\AV\Exclusions.
  • Page 148 Forefront Server Security for Exchange Forefront Server Security for SharePoint Forefront Threat Management Gateway Check the Microsoft Web site for a list of recommended exclusions. Also see the Symantec Technical Support knowledge base article, Configuring Symantec Endpoint Protection exclusions for Microsoft Forefront.
  • Page 149 Symantec products when they are detected. The client creates exclusions for the following Symantec products: Symantec Mail Security 4.0, 4.5, 4.6, 5.0, and 6.0 for Microsoft Exchange Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange Norton AntiVirus 2.x for Microsoft Exchange...
  • Page 150 Edition scans all extensions and folders. Any extensions or folders that you deselect are excluded from that particular scan. Symantec does not recommend that you exclude any extensions from scans. If you decide to exclude files by extension and any Microsoft folders, however, you should consider the amount of protection that your network requires.
  • Page 151: About Submitting Information About Detections To Symantec Security Response

    Symantec Response and the Global Intelligence Network use this submitted information to quickly formulate responses to new and developing security threats. The data that you submit improves Symantec's ability to respond to threats and customize protection. Symantec recommends that you always allow submissions.
  • Page 152: About Submissions Throttling

    Risk log. This information is used for statistical analysis. On the client, you can also manually submit a sample to Response from the Quarantine or through the Symantec Web site. To submit a file through the Symantec Web site, contact Symantec Technical Support.
  • Page 153: About The Default Virus And Spyware Protection Policy Scan Settings

    Which IP address of the Symantec Security Response server receives the submission If the SCD file becomes out-of-date, then clients stop sending submissions. Symantec considers the SCD file out-of-date when a client computer has not retrieved LiveUpdate content in 7 days. The client stops sending submissions after 14 days.
  • Page 154 Sends a message to the computer users about detected viruses and security risks. SONAR Enabled for Symantec Endpoint Protection 12.1 clients and later. Legacy clients use TruScan settings. TruScan is enabled when SONAR is enabled. Detection notifications appear on client computers...
  • Page 155 Table 11-8: Virus and Spyware Protection Balanced policy scan settings (continued) (columns: Setting, Description). Administrator-defined scans: The scheduled scan includes the following default settings: Performs an active scan every day at 12:30 P.M. The scan is randomized.
  • Page 156: How Symantec Endpoint Protection Small Business Edition Handles Detections Of Viruses And Security Risks

    Insight Lookup is set to level 1. How Symantec Endpoint Protection Small Business Edition handles detections of viruses and security risks Symantec Endpoint Protection Small Business Edition uses default actions to handle the detection of viruses and security risks. You can change some of the defaults.
  • Page 157: Setting Up Scheduled Scans That Run On Windows Computers

    196. For Windows client computers, you can assign a first and a second action for Symantec Endpoint Protection Small Business Edition to take when it finds risks. You can configure different actions for viruses and security risks. You can use different actions for scheduled, on-demand, or Auto-Protect scans.
  • Page 158 185. If a computer misses a scheduled scan for some reason, the Symantec Endpoint Protection Small Business Edition client tries to perform the scan for a specific time interval. If the client cannot start the scan within the time interval, it does not run the scan.
  • Page 159: Setting Up Scheduled Scans That Run On Mac Computers

    Under Missed Scheduled Scans, you can disable the option to run a missed scan or you can change the retry interval. You can also specify a maximum scan duration before the scan pauses. You can also randomize scan start time.
  • Page 160: Running On-Demand Scans On Client Computers

    See “About commands you can run on client computers” on page 113. To run an on-demand scan on client computers In the Symantec Endpoint Protection Manager console, click Computers. Under Computers, right-click the clients or the group that you want to scan. Do one of the following actions:...
  • Page 161: Adjusting Scans To Improve Computer Performance

    You can change some scan settings to optimize the performance even more. Many of the tasks that are suggested here are useful in the environments that run Symantec Endpoint Protection Small Business Edition in guest operating systems on virtual machines (VMs).
  • Page 162 You can change the level of trust for the types of files that scans skip: Symantec and Community Trusted This level skips files that are trusted by Symantec and the Symantec Community. Symantec Trusted This level skips only files that are trusted by Symantec.
  • Page 163: Adjusting Scans To Increase Protection On Your Client Computers

    Adjusting scans to increase protection on your client computers Symantec Endpoint Protection Small Business Edition provides a high level of security by default. You can increase the protection even more. The settings are different for clients that run on Windows computers and clients that run on Mac...
  • Page 164 Be careful when you use Delete or Terminate for security risk detections. The action might cause some legitimate applications to lose functionality. See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 190.
  • Page 165: Managing Download Insight Detections

    Be careful when you use Delete or Terminate for security risk detections. The action might cause some legitimate applications to lose functionality. See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 190.
  • Page 166 Users can allow files by responding to notifications that appear for detections. Administrators receive the report as part of a weekly report that Symantec Endpoint Protection Manager generates and emails. You must have specified an email address for the administrator during installation or configured as part of the administrator properties.
  • Page 167 247. Note: If your client computers use a proxy with authentication, you must specify trusted Web domain exceptions for Symantec URLs. The exceptions let your client computers communicate with Symantec Insight and other important Symantec sites. For information about the recommended exceptions, see the related Technical Support Knowledge Base article.
  • Page 168 Table 11-15: Managing Download Insight detections (continued) (columns: Task, Description). Customize Download Insight settings: You might want to customize Download Insight settings for the following reasons: Increase or decrease the number of Download Insight detections. You can adjust the malicious file sensitivity slider to increase or decrease the number of detections.
  • Page 169: How Symantec Endpoint Protection Small Business Edition Uses Reputation Data To Make Decisions About Files

    Managing Virus and Spyware Protection How Symantec Endpoint Protection Small Business Edition uses reputation data to make decisions about files Managing Download Insight detections (continued) Table 11-15 Task Description Allow clients to submit information By default, clients send information about reputation detections to about reputation detections to Symantec.
  • Page 170: How Symantec Endpoint Protection Small Business Edition Protection Features Work Together

    By default, a client computer sends information about reputation detections to Symantec Security Response for analysis. The information helps to refine Insight's reputation database. The more clients that submit information, the more useful the reputation database becomes.
  • Page 171 Table 11-16: How policy features work together (continued) (columns: Policy Feature, Interoperability Notes). Download Insight: Download Insight has the following dependencies: Auto-Protect must be enabled...
  • Page 172: Enabling Or Disabling Client Submissions To Symantec Security Response

    Symantec Security Response. Symantec Security Response uses this information to address new and changing threats. Any data you submit improves Symantec's ability to respond to threats and customize protection for your computers. Symantec recommends that you choose...
  • Page 173 Client computers submit information anonymously about detections. You can specify the types of detections for which clients submit information. You can also enable or disable submissions from client computers. Symantec recommends that you always enable submissions. In some cases, however, you might want to prevent your clients from submitting such information.
  • Page 174: Managing The Quarantine

    Download Insight and may impair the functionality of SONAR heuristics and Insight Lookup. Managing the Quarantine When virus and spyware scans detect a threat or SONAR detects a threat, Symantec Endpoint Protection Small Business Edition places the files in the client computer's local Quarantine.
  • Page 175: Using The Risk Log To Delete Quarantined Files On Your Client Computers

    175. Using the Risk log to delete quarantined files on your client computers You can use the Risk log in the Symantec Endpoint Protection Manager console to delete quarantined files on your client computers. You run the Delete from Quarantine command from the log for any quarantined file that you want to delete.
  • Page 176: Managing The Virus And Spyware Notifications That Appear On Client Computers

    You must have all entries in the compressed file in the log view. You can use the Limit option under Advanced Settings to increase the number of entries in the view.
  • Page 177 Table 11-18: Virus and spyware notifications that appear on client computers (columns: User Notification, Description). Customizing a scan detection message: For Windows client computers, you can configure a detection message for the following types of scans: All types of Auto-Protect, including Download...
  • Page 178 Table 11-18: Virus and spyware notifications that appear on client computers (continued) (columns: User Notification, Description). Set up Auto-Protect email notifications: Applies to Windows client computers only when Auto-Protect email scans find a risk, Auto-Protect can send email notifications to alert the email sender and any other email address that...
  • Page 179: Customizing Scans

    Randomizing scans to improve computer performance in virtualized environments Modifying global scan settings for Windows clients Customizing Download Insight settings Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection Allowing users to view scan progress and interact with scans...
  • Page 180: Customizing The Virus And Spyware Scans That Run On Windows Computers

    You can customize options for administrator-defined scans (scheduled and on-demand scans) that run on Windows computers. You can also customize options for Auto-Protect.
  • Page 181: Customizing The Virus And Spyware Scans That Run On Mac Computers

    See “Customizing Download Insight settings” on page 189. Customize scan actions: You can change the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection. See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection”...
  • Page 182: Customizing Auto-Protect For Windows Clients

    Block security risk from being installed. Click OK. On the Actions tab, set any of the options. See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 190. You can also set remediation options for Auto-Protect.
  • Page 183: Customizing Auto-Protect For Mac Clients

    See “Customizing the virus and spyware scans that run on Mac computers” on page 181. See “Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 190. See “Managing the virus and spyware notifications that appear on client computers”...
  • Page 184: Customizing Auto-Protect For Email Scans On Windows Computers

    Check or uncheck Scan files inside compressed files. On the Actions tab, set any of the options. Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 190.
  • Page 185: Customizing Administrator-Defined Scans For Clients That Run On Windows Computers

    Customizing scans Customizing administrator-defined scans for clients that run on Windows computers You can customize the message text and include a warning. For Internet Email Auto-Protect you must also specify the email server. For Internet Email Auto-Protect only, on the Advanced tab, under Encrypted Connections, enable or disable encrypted POP3 or SMTP connections.
  • Page 186: Customizing Administrator-Defined Scans For Clients That Run On Mac Computers

    Missed Scheduled Scans You can specify a retry interval for missed scans. On the Actions tab, change any detection actions. Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection” on page 190. On the Notifications tab, enable or disable a notification that appears on client computers when the scan makes a detection.
  • Page 187: Randomizing Scans To Improve Computer Performance In Virtualized Environments

    Customizing scans Randomizing scans to improve computer performance in virtualized environments Set the scan priority. Click OK. Edit the scan details for any other scan that is included in this policy. On the Notifications tab, enable or disable notification messages about scan detections.
  • Page 188: Modifying Global Scan Settings For Windows Clients

    Customizing scans Modifying global scan settings for Windows clients To randomize scans In the console, open a Virus and Spyware Protection policy and click Administrator-defined Scans. Create a new scheduled scan or select an existing scheduled scan to edit. In the Add Scheduled Scan or Edit Scheduled Scan dialog box, click the Schedule tab.
  • Page 189: Customizing Download Insight Settings

    Customizing Download Insight settings Configure any of the following options: Insight Insight allows scans to skip trusted good files. The scan can skip the files that Symantec trusts as good (more secure) or that the community trusts as good (less secure). Bloodhound...
  • Page 190: Changing The Action That Symantec Endpoint Protection Small Business Edition Takes When It Makes A Detection

    Customizing scans Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection Files known by users for less than x days When unproven files meet this criteria, Download Insight detects the files as malicious.
  • Page 191 Customizing scans Changing the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection Moves the file to the Quarantine on the infected computer and denies any access to the file. Logs the event. By default, Symantec Endpoint Protection Small Business Edition moves any files that security risks infect into the Quarantine.
  • Page 192: Allowing Users To View Scan Progress And Interact With Scans

    When you finish configuring this policy, click OK. To specify the action that Symantec Endpoint Protection Small Business Edition takes when it makes a detection on Mac computers In the Virus and Spyware Protection policy, under Mac Settings, select Administrator-Defined Scans.
  • Page 193 Customizing scans Allowing users to view scan progress and interact with scans When a scan runs, the message link scan in progress appears. The user can click the link to display the scan progress. A link to reschedule the next scheduled scan also appears. Managing scans on client computers”...
  • Page 194 Customizing scans Allowing users to view scan progress and interact with scans To limit the number of times a user may delay (or snooze) a scan, in the Maximum number of snooze opportunities box, type a number between 1 and 8. By default, a user can delay a scan for 1 hour.
  • Page 195: Managing Sonar

    Chapter Managing SONAR This chapter includes the following topics: About SONAR About the files and applications that SONAR detects Managing SONAR Monitoring SONAR detection results to check for false positives Enabling or disabling SONAR About SONAR SONAR is a real-time protection that detects potentially malicious applications when they run on your computers.
  • Page 196: About The Files And Applications That Sonar Detects

    SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy. You configure SONAR settings for the clients that run Symantec Endpoint Protection Small Business Edition version 12.1. SONAR settings also include...
  • Page 197 Check that SONAR is enabled To provide the most complete protection for your client computers you should enable SONAR. SONAR interoperates with some other Symantec Endpoint Protection Small Business Edition features. SONAR requires Auto-Protect. You can use the Computers tab to check whether Proactive Threat Protection is enabled on your client computers.
  • Page 198: Monitoring Sonar Detection Results To Check For False Positives

    SONAR detections to Symantec submissions on your client computers. The information that clients submit about detections helps Symantec address threats. The information helps Symantec create better heuristics, which results in fewer false positive detections. Enabling or disabling client submissions to Symantec Security Response”...
  • Page 199 File/Path columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed. Creating exceptions from log events in Symantec Endpoint Protection Manager” on page 249. To monitor SONAR events In the console, click Monitors >...
  • Page 200: Enabling Or Disabling Sonar

    Managing SONAR Enabling or disabling SONAR Click View Log. After you identify the legitimate applications and the security risks, create an exception for them in an Exceptions policy. You can create the exception directly from the SONAR Logs pane. Enabling or disabling SONAR When you enable or disable SONAR, you also enable or disable TruScan proactive threat scans for legacy clients.
  • Page 201: Managing Tamper Protection

    It prevents non-Symantec processes such as worms, Trojan horses, viruses, and security risks, from affecting Symantec resources. You can configure the software to block or log attempts to modify Symantec resources. Note: Tamper Protection runs on Windows clients only. It does not run on Mac clients.
  • Page 202: Changing Tamper Protection Settings

    Tamper Protection to Block it and log the event. About Tamper Protection” on page 201. You can configure a message to appear on clients when Symantec Endpoint Protection Small Business Edition detects a tamper attempt. By default, notification messages appear when the software detects a tamper attempt.
  • Page 203 In the list box under Actions to take if an application attempts to tamper with or shut down Symantec security software, select one of the following options: Block it and log the event Log the event only Check or uncheck Display a notification message when tampering is detected.
  • Page 204 Managing Tamper Protection Changing Tamper Protection settings...
  • Page 205: Managing Firewall Protection

    Managing firewall protection The firewall allows the incoming network traffic and outgoing network traffic that you specify in firewall policy. The Symantec Endpoint Protection Small Business Edition firewall policy contains rules and protection settings, most of which you can enable or disable and configure.
  • Page 206: How A Firewall Works

    Table 15-1 Task Description Create a firewall Symantec Endpoint Protection Small Business Edition installs with a policy default firewall policy. You can modify the default policy or create new ones. You must create a policy first before you configure firewall rules and firewall protection settings for that policy.
  • Page 207: About The Symantec Endpoint Protection Firewall

    About the Symantec Endpoint Protection firewall The Symantec Endpoint Protection Small Business Edition firewall uses firewall policies and rules to allow or block network traffic. The Symantec Endpoint Protection Small Business Edition includes a default Firewall policy with default firewall rules for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers.
  • Page 208 Managing firewall protection Managing firewall protection You determine the level of interaction that you want users to have with the client by permitting or blocking their ability to configure firewall rules. Users can interact with the client only when it notifies them of new network connections and possible problems.
  • Page 209: Creating A Firewall Policy

    Creating a firewall policy Creating a firewall policy The Symantec Endpoint Protection Small Business Edition includes a default Firewall policy with default firewall rules for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers.
  • Page 210: Enabling And Disabling A Firewall Policy

    You can modify the default rules, create new rules, or disable the default rules. When you create a new Firewall policy, Symantec Endpoint Protection Small Business Edition provides default firewall rules. The default firewall rules are enabled by default.
  • Page 211: Adjusting The Firewall Security Level

    Managing firewall protection Creating a firewall policy You should enable at least the default firewall protection to keep your computers protected during remote client installation. About enabling and disabling protection” on page 111. To enable or disable a firewall policy In the console, click Policies.
  • Page 212: About Firewall Rules

    You can enable and disable firewall rules. The firewall does not inspect disabled rules. Symantec Endpoint Protection Small Business Edition installs with a default firewall policy that contains default rules. When you create a new firewall policy, Symantec Endpoint Protection Small Business Edition provides default firewall rules.
  • Page 213: About The Firewall Rule, Firewall Setting, And Intrusion Prevention Processing Order

    Managing firewall protection About firewall rules About the firewall rule, firewall setting, and intrusion prevention processing order Firewall rules are ordered sequentially, from highest to lowest priority, or from the top to bottom in the rules list. If the first rule does not specify how to handle a packet, the firewall inspects the second rule.
  • Page 214: How The Firewall Uses Stateful Inspection

    Managing firewall protection About firewall rules About the firewall rule, firewall setting, and intrusion prevention processing order” on page 213. Editing a policy” on page 122. How the firewall uses stateful inspection Firewall protection uses stateful inspection to track current connections. Stateful inspection tracks source and destination IP addresses, ports, applications, and other connection information.
  • Page 215 Internet Explorer before a rule that blocks FTP, the user can still communicate with FTP. The user can enter an FTP-based URL in the browser, such as ftp://ftp.symantec.com. For example, suppose you allow Internet Explorer and define no other triggers.
  • Page 216 Managing firewall protection About firewall rules Date that the application was last changed File fingerprint Click OK. Click OK. About firewall rules” on page 212. Editing a policy” on page 122. About firewall rule application triggers” on page 214. Notifying the users that access to an application is blocked You can send users a notification that an application that they want to access is blocked.
  • Page 217: About Firewall Rule Host Triggers

    Managing firewall protection About firewall rules About firewall rule host triggers You specify the host on both sides of the described network connection when you define host triggers. Traditionally, the way to express the relationship between hosts is referred to as being either the source or destination of a network connection.
  • Page 218 Managing firewall protection About firewall rules The relationship between source and destination hosts Figure 15-1 Source Destination HTTP Symantec.com SEP client Destination Source SEP client Other client Figure 15-2 illustrates the local host and remote host relationship with respect to the direction of traffic.
  • Page 219: About Firewall Rule Network Services Triggers

    IP address. However, the opposing sides of the address may be matched to any remote host. For example, you can define a rule to allow HTTP communication between the local host and either Symantec.com, Yahoo.com, or Google.com. The single rule is the same as three rules.
  • Page 220: Adding A New Firewall Rule

    You should specify both the inbound and the outbound traffic in the rule whenever possible. You do not need to create inbound rules for traffic such as HTTP. The Symantec Endpoint Protection Small Business Edition client uses stateful inspection for TCP traffic. Therefore, it does not need a rule to filter the return traffic that the clients initiate.
  • Page 221: Copying And Pasting Firewall Rules

    Managing firewall protection Setting up firewall rules When you are done, click Finish. Optionally, you can customize the firewall rule criteria as needed. If you are done with the configuration of the rule, click OK. Customizing firewall rules” on page 221. Setting up firewall rules”...
  • Page 222 Managing firewall protection Setting up firewall rules Actions The action parameters specify what actions the firewall takes when it successfully matches a rule. If the rule matches and is selected in response to a received packet, the firewall performs all actions. The firewall either allows or blocks the packet and logs or does not log the packet.
  • Page 223 All rules are enabled by default. Double-click the Name field and type a unique name for the firewall rule. Right-click the Action field and select the action that you want Symantec Endpoint Protection Small Business Edition to take if the rule is triggered.
  • Page 224 Managing firewall protection Setting up firewall rules Blocking traffic to or from a specific server To block traffic to or from a specific server, you can block the traffic by IP address rather than by domain name or host name. Otherwise, the user may be able to access the IP address equivalent of the host name.
  • Page 225 Managing firewall protection Setting up firewall rules Allowing only specific traffic to the local subnet You can create a firewall rule that permits only specific traffic to your local subnet. This firewall rule always applies to your local subnet IP address, regardless of what the address is.
  • Page 226 Managing firewall protection Setting up firewall rules On the Rules tab, in the Rules list, select the rule you want to edit, right-click the Service field, and then click Edit. In the Service List dialog box, check the box beside each service that you want to trigger the rule.
  • Page 227 Managing firewall protection Setting up firewall rules To permit clients to browse for files and printers in the network In the console, open a Firewall policy. On the Firewall Policy page, click Rules. On the Rules tab, in the Rules list, select the rule you want to edit, right-click the Service field, and then click Edit.
  • Page 228 122. Setting up notifications for firewall rule violations You can configure Symantec Endpoint Protection Small Business Edition to send you an email message each time the firewall detects a rule violation, attack, or event. For example, you may want to know when a client blocks the traffic that comes from a particular IP address.
  • Page 229: Managing Intrusion Prevention

    This chapter includes the following topics: Managing intrusion prevention on your client computers How intrusion prevention works About Symantec IPS signatures Enabling or disabling network intrusion prevention or browser intrusion prevention Creating exceptions for IPS signatures Managing intrusion prevention on your client...
  • Page 230 Managing intrusion prevention Managing intrusion prevention on your client computers Managing intrusion prevention (continued) Table 16-1 Task Description Enable or disable intrusion prevention You might want to disable intrusion prevention for troubleshooting purposes or if client computers detect excessive false positives. However, to keep your client computers secure, typically you should not disable intrusion prevention.
  • Page 231 Create exceptions to change the default You might want to create exceptions to change behavior of Symantec network the default behavior of the default Symantec intrusion prevention signatures network intrusion prevention signatures. Some signatures block the traffic by default and other signatures allow the traffic by default.
  • Page 232: How Intrusion Prevention Works

    Managing intrusion prevention How intrusion prevention works Managing intrusion prevention (continued) Table 16-1 Task Description Create exceptions to ignore browser You can create exceptions to exclude browser signatures on client computers signatures from browser intrusion prevention. You might want to ignore browser signatures if browser intrusion prevention causes problems with browsers in your network.
  • Page 233: About Symantec Ips Signatures

    The signatures are part of the content that you update on the client. You can view information about IPS signatures on the Symantec Web site. http://securityresponse.symantec.com/avcenter/attack_sigs/index.html Enabling or disabling network intrusion prevention or browser intrusion prevention You can enable or disable either type of intrusion prevention.
  • Page 234: Creating Exceptions For Ips Signatures

    You can also change whether the client logs the event in the Security log. You cannot change the behavior of Symantec browser signatures; unlike network signatures, browser signatures do not allow custom action and logging settings. However, you can create an exception for a browser signature so that clients ignore the signature.
  • Page 235 Managing intrusion prevention Creating exceptions for IPS signatures In the Add Intrusion Prevention Exceptions dialog box, do one of the following actions to filter the signatures: To display the signatures in a particular category, select an option from the Show category drop-down list. To display the signatures that are classified with a particular severity, select an option from the Show severity drop-down list.
  • Page 236 Managing intrusion prevention Creating exceptions for IPS signatures...
  • Page 237: Managing Exceptions

    Symantec Endpoint Protection Small Business Edition automatically excludes some files from virus and spyware scans. About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans” on page 146. You can also use exceptions to detect an application or to change the default behavior when Symantec Endpoint Protection Small Business Edition detects an application.
  • Page 238: Managing Exceptions For Symantec Endpoint Protection Small Business Edition

    Managing exceptions for Symantec Endpoint Protection Small Business Edition Note: You cannot create exceptions for individual virus and spyware scans. For example, if you create a file exception, Symantec Endpoint Protection Small Business Edition applies the exception to all virus and spyware scans (Auto-Protect, Download Insight, and any administrator-defined or user-defined scan).
  • Page 239 Managing exceptions Managing exceptions for Symantec Endpoint Protection Small Business Edition Managing exceptions (continued) Table 17-2 Task Description Review the types of files and folders Symantec Endpoint Protection Small Business that Symantec Endpoint Protection Edition automatically creates exceptions, or Small Business Edition automatically...
  • Page 240: Creating Exceptions For Symantec Endpoint Protection Small Business Edition

    229. Creating exceptions for Symantec Endpoint Protection Small Business Edition You can create different types of exceptions for Symantec Endpoint Protection Small Business Edition. Any exception that you create takes precedence over any exception that a user might define. On client computers, users cannot view the exceptions that you create.
  • Page 241 Managing exceptions Creating exceptions for Symantec Endpoint Protection Small Business Edition Creating exceptions for Symantec Endpoint Protection Small Table 17-3 Business Edition (continued) Task Description Exclude a folder from scans Supported on Windows and Mac clients. Excludes a folder from virus and spyware scans, SONAR, or all scans on Windows clients.
  • Page 242 Managing exceptions Creating exceptions for Symantec Endpoint Protection Small Business Edition Creating exceptions for Symantec Endpoint Protection Small Table 17-3 Business Edition (continued) Task Description Specify how scans handle detected or Supported on Windows clients. downloaded applications Specifies how Symantec Endpoint Protection...
  • Page 243 Managing exceptions Creating exceptions for Symantec Endpoint Protection Small Business Edition Creating exceptions for Symantec Endpoint Protection Small Table 17-3 Business Edition (continued) Task Description Exclude a Web domain from scans Supported on Windows clients. Download Insight scans the files that users try to download from Web sites and other portals.
  • Page 244: Excluding A File Or A Folder From Scans

    Managing exceptions Creating exceptions for Symantec Endpoint Protection Small Business Edition Excluding a file or a folder from scans You add exceptions for files or folders individually. If you want to create exceptions for more than one file, repeat the procedure.
  • Page 245: Excluding Known Risks From Virus And Spyware Scans

    Managing exceptions Creating exceptions for Symantec Endpoint Protection Small Business Edition In the Folder text box, type the name of the folder. If you select a prefix variable, the path should be relative to the prefix. If you select [NONE], type the full path name.
  • Page 246: Forcing Scans To Detect An Application

    Click OK. Forcing scans to detect an application You can configure an exception to force Symantec Endpoint Protection Small Business Edition to detect an application. You might configure this type of exception when scans currently do not detect a particular application.
  • Page 247: Specifying How Symantec Endpoint Protection Small Business Edition Handles An Application That Scans Detect Or That Users Download

    Specifying how Symantec Endpoint Protection Small Business Edition handles an application that scans detect or that users download You can force Symantec Endpoint Protection Small Business Edition to detect a particular application. When Symantec Endpoint Protection Small Business Edition detects the application and the management console receives the event, the application appears in the application list.
  • Page 248: Creating A Tamper Protection Exception

    Managing exceptions Creating exceptions for Symantec Endpoint Protection Small Business Edition To specify an exception for a trusted Web domain On the Exceptions Policy page, click Add > Windows Exceptions > Trusted Web Domain. In the Trusted Web Domain Exception dialog box, enter the Web domain that you want to exclude from Download Insight detections.
  • Page 249: Restricting The Types Of Exceptions That Users Can Configure On Client Computers

    You can configure restrictions so that users on client computers cannot create exceptions for virus and spyware scans or for SONAR. By default, users are permitted to configure exceptions. Managing exceptions for Symantec Endpoint Protection Small Business Edition” on page 238.
  • Page 250 Creating exceptions for Symantec Endpoint Protection Small Business Edition” on page 240. To create exceptions from log events in Symantec Endpoint Protection Manager On the Monitors tab, click the Logs tab. In the Log type drop-down list, select the Risk log, SONAR log, or Application and Device Control log.
  • Page 251: Configuring Updates And Updating Client Computer Protection

    Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager Viewing LiveUpdate downloads Checking LiveUpdate server activity Configuring Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet Enabling and disabling LiveUpdate scheduling for client computers Configuring the LiveUpdate download schedule for client computers...
  • Page 252 LiveUpdate client verifies them to ensure that your updates come from Symantec and have not been tampered with in any way. An advanced setting is available to let users manually start LiveUpdate from their client computers.
  • Page 253: How Client Computers Receive Content Updates

    LiveUpdate over the Internet is especially useful if you have users who travel with portable computers. If the computers connect intermittently or not at all to your network, have them update directly from a Symantec LiveUpdate server over the Internet. The client computers continue to get content directly from Symantec Endpoint Protection Manager when on the company network.
  • Page 254 The client computer's virus definitions are old and the client computer is unable to communicate with Symantec Endpoint Protection Manager. The client computer has repeatedly failed to communicate with Symantec Endpoint Protection Manager. A portable computer might be unable to communicate with the server because it is disconnected from the network.
  • Page 255: Configuring The Liveupdate Download Schedule For Symantec Endpoint Protection Manager

    Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager You can adjust the schedule that Symantec Endpoint Protection Manager uses to download content updates from LiveUpdate to the management server. For example, you can change the default server schedule frequency from hourly to daily to save bandwidth.
  • Page 256: Downloading Liveupdate Content Manually To Symantec Endpoint Protection Manager

    Managing content updates” on page 251. Checking LiveUpdate server activity You can list the events that concern Symantec Endpoint Protection Manager and LiveUpdate. From these events, you can determine when content was updated. To check LiveUpdate server activity In the console, click Admin.
  • Page 257: Configuring Symantec Endpoint Protection Manager To Connect To A Proxy Server To Access The Internet

    Configuring updates and updating client computer protection Configuring Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet Click Show the LiveUpdate Status. Click Close. Managing content updates” on page 251. Configuring Symantec Endpoint Protection Manager...
  • Page 258: Configuring The Liveupdate Download Schedule For Client Computers

    The LiveUpdate client schedule settings are defined in the LiveUpdate policy. To save bandwidth, Symantec Endpoint Protection Small Business Edition clients run scheduled LiveUpdates from the Symantec LiveUpdate server only if both of the following conditions are met: Virus and spyware definitions on a client computer are more than two days old.
  • Page 259 Configuring updates and updating client computer protection Configuring the LiveUpdate download schedule for client computers If you select any frequency other than Continuously, specify the Retry Window. The Retry Window is the number of hours or days that the client computer tries to run LiveUpdate if the scheduled LiveUpdate fails for some reason.
  • Page 260 Configuring updates and updating client computer protection Configuring the LiveUpdate download schedule for client computers...
  • Page 261: Monitoring Protection With Reports And Logs

    Running commands on the client computer from the logs Monitoring endpoint protection Symantec Endpoint Protection Small Business Edition collects information about the security events in your network. You can use logs and reports to view these events, and you can use notifications to stay informed about the events as they occur.
  • Page 262 Which computers need scanning? What risks were detected in the network? Note: Symantec Endpoint Protection Small Business Edition pulls the events that appear in the reports from the event logs on your management servers. The event logs contain time-stamps in the client computers' time zones. When the management server receives the events, it converts the event time-stamps to Greenwich Mean Time (GMT) for insertion into the database.
  • Page 263: Viewing A Daily Or Weekly Status Report

    Checking the scan action and rescanning the identified computers” on page 135. Review events in the Events are the informative, notable, and critical activities that concern your Symantec logs Endpoint Protection Manager and client computers. The information in the event logs supplements the information that is contained in the reports.
  • Page 264: Viewing System Protection

    261. To view the daily status report In the console, click Home. On the Home page, in the Favorite Reports pane, click Symantec Endpoint Protection Daily Status or Symantec Endpoint Protection Small Business Edition Weekly Status. Viewing system protection System protection comprises the following information: The number of computers with up-to-date virus definitions.
  • Page 265: Finding Offline Computers

    Monitoring protection with reports and logs Monitoring endpoint protection Finding offline computers You can list the computers that are offline. A client may be offline for a number of reasons. You can identify the computers that are offline and remediate these problems in a number of ways. Troubleshooting communication problems between the management server and the client”...
  • Page 266: Viewing Risks

    Monitoring protection with reports and logs Monitoring endpoint protection Viewing risks You can get information about the risks in your network. Monitoring endpoint protection” on page 261. To view infected and at risk computers In the console, click Reports. On the Quick Reports tab, specify the following information: Report type You select Risk.
  • Page 267: Viewing Attack Targets And Sources

    Monitoring protection with reports and logs Monitoring endpoint protection To view client inventory In the console, click Reports. On the Quick Reports tab, specify the following information: Report type Computer Status. Select a report Client Inventory Details. Click Create Report. Viewing attack targets and sources You can view attack targets and sources.
  • Page 268: Configuring Reporting Preferences

    Monitoring protection with reports and logs Configuring reporting preferences To view a full report on attack targets and sources In the console, click Reports. On the Quick Reports tab, specify the following information: Report type You select Network Threat Protection. Select a report You select Full Report.
  • Page 269 Monitoring protection with reports and logs About the types of reports Scheduled reports, which run automatically based on a schedule that you configure. Reports include the event data that is collected from your management servers as well as from the client computers that communicate with those servers. You can customize reports to provide the information that you want to see.
  • Page 270: Running And Customizing Quick Reports

    Table 19-2 Report types available as quick reports and scheduled reports (continued). Report type: Scan. Description: Displays the information about virus and spyware scan activity. See “Running and customizing quick reports” on page 270.
  • Page 271 Running and customizing quick reports: In the Select a report list box, select the name of the report you want to customize. For the Network Compliance Status report and the Compliance Status report, in the Status list box, select a saved filter configuration that you want to use, or leave the default filter.
  • Page 272: Saving And Deleting Custom Reports

    See “Creating scheduled reports” on page 273. Saving and deleting custom reports: You can save custom report settings in a filter so that you can generate the report again at a later date. When you save your settings, they are saved in the database. The name that you give to the filter appears in the Use a saved filter list box for that type of logs and reports.
  • Page 273: Creating Scheduled Reports

    Click OK. When the confirmation dialog box appears, click OK. After you save a filter, it appears in the Use a saved filter list box for related reports and logs. To delete a custom report: In the console, click Reports.
  • Page 274: Editing The Filter Used For A Scheduled Report

    In the Run every text box, select the time interval at which you want the report to be emailed to recipients (hours, days, weeks, months). Then, type the value for the time interval you selected.
  • Page 275: Printing And Saving A Copy Of A Report

    You can print a report or save a copy of a Quick Report. You cannot print scheduled reports. A saved file or printed report provides a snapshot of the current data in your reporting database so that you can retain a historical record.
  • Page 276 Monitoring protection with reports and logs Viewing logs configuration, you can generate the same log view at a later date without having to configure the settings each time. You can delete your customized filter configurations if you no longer need them. Because logs contain some information that is collected at intervals, you can refresh your log views.
  • Page 277: About Logs

    Log type: Application and Device Control. Contents and actions: Application and device control is not supported on Symantec Endpoint Protection Small Business Edition but the Application Control log contains information about Tamper Protection events. Although you can also select the Device Control log to view, it is always empty.
  • Page 278 Viewing logs: Table 19-3 Log types (continued). Log type: Computer Status. Contents and actions: The Computer Status log contains information about the real-time operational status of the client computers in the network. Available information includes the computer name, IP address, infected status, protection technologies, Auto-Protect status, versions, definitions date, user, last check-in time, policy, group, domain, and restart required status.
  • Page 279: Saving And Deleting Custom Logs By Using Filters

    You can construct custom filters by using the Basic Settings and Advanced Settings to change the information that you want to see. You can save your filter settings to the database so that you can generate the same view again in the future.
  • Page 280: Running Commands On The Client Computer From The Logs

    From the Computer Status log, you can run several commands on the client computers. You can also right-click a group directly from the Computers page of the Symantec Endpoint Protection Manager console to run commands. See “About commands you can run on client computers”...
  • Page 281 Running commands on the client computer from the logs: See “Using the Risk log to delete quarantined files on your client computers” on page 175. To run a command from the Computer Status log: Click Monitors. On the Logs tab, from the Log type list box, select Computer Status.
  • Page 282 Running commands on the client computer from the logs: Click Start. When the confirmation dialog box appears, click Yes to cancel all in-progress and queued scans for the selected computers. When a confirmation that the command was queued successfully appears, click OK.
  • Page 283: Managing Notifications

    Chapter: Managing notifications. This chapter includes the following topics: Managing notifications; Establishing communication between the management server and email servers; Viewing and acknowledging notifications; Saving and deleting administrative notification filters; Setting up administrator notifications; How upgrades from another version affect notification conditions. Managing notifications: Notifications alert administrators and computer users about potential security problems.
  • Page 284: How Notifications Work

    An action might record the notification in a log, or run a batch file or an executable file, or send an email. Note: Email notifications require that communications between the Symantec Endpoint Protection Manager and the email server are properly configured.
  • Page 285: About The Preconfigured Notifications

    Or you can set notifications to take specific actions when they are triggered. By default, some of these conditions are enabled when you install Symantec Endpoint Protection Manager. Notification conditions that are enabled by default are configured to log to the server and send email to system administrators.
  • Page 286 Managing notifications: Table 20-2 Preconfigured notifications. Notification: Client list changed. Description: This notification triggers when there is a change to the existing client list. This notification condition is enabled by default. Client list changes can include: the addition of a client; a change in the group of a client; a change in the name of a client; the deletion of a client...
  • Page 287 Managing notifications: Table 20-2 Preconfigured notifications (continued). Notification: Trial license expiration. Description: This notification alerts administrators about expired trial licenses. This notification is enabled by default. Notification: New risk detected. Description: This notification triggers whenever a new risk is detected by virus and spyware scans. Notification: New software package. Description: This notification triggers when a new software package downloads or the following occurs:...
  • Page 288: About Partner Notifications

    In many installations the server administrator may not have the authority to make such purchases, but instead relies upon a Symantec partner to perform this task. The management server provides the ability to maintain the contact information for the partner.
  • Page 289: Establishing Communication Between The Management Server And Email Servers

    For the management server to send automatic email notifications, you must configure the connection between the management server and the email server. See “Managing notifications”...
  • Page 290: Saving And Deleting Administrative Notification Filters

    To view all notifications: In the console, click Monitors and then click the Notifications tab. Optionally, on the Notifications tab, from the Use a saved filter menu, select a saved filter. See “Saving and deleting administrative notification filters” on page 290.
  • Page 291: Setting Up Administrator Notifications

    For example, you can create a filter that only displays unacknowledged risk outbreak notifications posted during the past 24 hours. To add a notification filter: In the console, click Monitors. On the Monitors page, on the Notifications tab, click Advanced Settings. Under the What filter settings would you like to use? heading, set the criteria for the filter.
  • Page 292: How Upgrades From Another Version Affect Notification Conditions

    283. See “Viewing and acknowledging notifications” on page 289. How upgrades from another version affect notification conditions: When Symantec Endpoint Protection Small Business Edition is installed on a new server, many of the preconfigured notification conditions are enabled by default.
  • Page 293 How upgrades from another version affect notification conditions: An upgrade to Symantec Endpoint Protection Small Business Edition from a previous version, however, can affect which notification conditions are enabled by default. It can also affect their default settings.
  • Page 294 Managing notifications How upgrades from another version affect notification conditions email to system administrators, Log the notification, Run batch file, and Send email to. When all four of these actions are disabled, the notification condition is not processed, even though the condition itself is present. Administrators can edit the notification conditions to enable any or all of these settings.
  • Page 295: Managing Administrator Accounts

    Chapter: Managing administrator accounts. This chapter includes the following topics: Managing administrator accounts; About administrator accounts; Adding an administrator account; About access rights; Configuring the access rights for a limited administrator; Changing an administrator password; Allowing administrators to save logon credentials; Allowing administrators to reset forgotten passwords; Resetting a forgotten password; Resetting the administrator user name and password to admin...
  • Page 296: About Administrator Accounts

    See “Allowing administrators to reset forgotten passwords” on page 300. About administrator accounts: Administrator accounts provide secure access to the Symantec Endpoint Protection Manager console. Roles are assigned to the administrator accounts. A role determines which functions an administrator can perform in the console.
  • Page 297: Adding An Administrator Account

    Role Description Limited administrator Administrators with the Limited Administrator role can log on to the Symantec Endpoint Protection Manager console with restricted access. An administrator with the System Administrator role determines the restrictions. Restrictions can affect the following items: Reports You can limit an administrator's access to specific client computers.
  • Page 298: About Access Rights

    The administrator can also run reports on all groups in the domain, except for any groups that migrated from Symantec AntiVirus 10.x. You must explicitly configure reporting rights to these migrated groups.
  • Page 299: Configuring The Access Rights For A Limited Administrator

    Table 21-3 Types of access rights (continued). Type of access rights: Policy rights. Description: For limited administrators only, specifies which policies and policy-related settings the administrator can manage. Configuring the access rights for a limited administrator: If you add an account for a limited administrator, you must also specify the administrator's access rights.
  • Page 300: Allowing Administrators To Save Logon Credentials

    Click OK. Allowing administrators to save logon credentials: You can allow your administrators to save their credentials when they log on to the Symantec Endpoint Protection Manager console. To allow users to save logon credentials: In the console, click Admin.
  • Page 301: Resetting A Forgotten Password

    To reset a forgotten password: On the management server computer, click Start > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager. In the Logon screen, click Forgot your password?.
  • Page 302: Resetting The Administrator User Name And Password To Admin

    You can use the resetpass.bat tool to reset the user name and password for the account that you use to log on to Symantec Endpoint Protection Manager. If the user name or password is something other than , running resetpass.bat...
  • Page 303: Maintaining Your Security Environment

    Section Maintaining your security environment Chapter 22. Preparing for disaster recovery...
  • Page 305: Preparing For Disaster Recovery

    In case of hardware failure or database corruption, you should prepare for disaster recovery by backing up the information that is collected while you installed Symantec Endpoint Protection Manager. You then copy these files to another computer. High-level steps to prepare for disaster recovery...
  • Page 306: Backing Up The Database And Logs

    Symantec Endpoint Protection Manager. Backing up the database and logs: Symantec recommends that you back up the database at least weekly. You should store the backup file on another computer. The backup file is saved in the following folder, by default:...
  • Page 307 Backing up the database and logs: Log data is not backed up unless you configure Symantec Endpoint Protection Manager to back it up. If you do not back up the logs, then only your log configuration options are saved during a backup. You can use the backup to restore your database, but the logs in the database are empty of data when they are restored.
  • Page 308 Preparing for disaster recovery Backing up the database and logs...
  • Page 309: Troubleshooting Symantec Endpoint Protection

    Section Troubleshooting Symantec Endpoint Protection Chapter 23. Performing disaster recovery Chapter 24. Troubleshooting installation and communication problems Chapter 25. Troubleshooting reporting issues...
  • Page 311: Performing Disaster Recovery

    Reinstalling or reconfiguring Symantec Endpoint Protection Manager. Performing disaster recovery: Table 23-1 lists the steps to recover your Symantec Endpoint Protection Small Business Edition environment in the event of hardware failure or database corruption. Note: This topic assumes that you have prepared for disaster recovery and have created backups and recovery files.
  • Page 312: Restoring The Database

    See “Backing up the database and logs” on page 306. You must restore the database using the same version of Symantec Endpoint Protection Manager that you used to back up the database. You can restore the database on the same computer on which it was installed originally or on a different computer.
  • Page 313: Reinstalling Or Reconfiguring Symantec Endpoint Protection Manager

    You can reinstall the software on the same computer, in the same installation directory. The Symantec Endpoint Protection Manager creates a recovery file during installation. The recovery file is selected by default during the reinstallation process.
  • Page 314 Performing disaster recovery Reinstalling or reconfiguring Symantec Endpoint Protection Manager...
  • Page 315: Troubleshooting Installation And Communication Problems

    Support Tool to troubleshoot computer issues: You can download a utility to diagnose common issues you encounter with installing and using Symantec Endpoint Protection Manager or the Symantec Endpoint Protection Small Business Edition client. To download the Symantec Endpoint Protection Tool...
  • Page 316: Identifying The Point Of Failure Of An Installation

    If you cannot determine the reason for the failed installation, you should retain the log file. Provide the file to Symantec Technical Support if it is requested. Note: Each time the installation package is executed, the log file is overwritten.
  • Page 317 Check the client's routing path. Check that the management server does not have a network problem. Check that the Symantec Endpoint Protection firewall (or any third-party firewall) does not cause any network problems. Check the debug logs on the...
  • Page 318: Viewing The Client Connection Status On The Client

    See “Recovering client communication settings by using the SylinkDrop tool” on page 321. If Symantec Endpoint Protection Manager displays logging errors or HTTP error codes, see the following knowledge base article: Symantec Endpoint Protection Manager communication troubleshooting.
  • Page 319: Investigating Protection Problems Using The Troubleshooting File On The Client

    Table 24-2 Symantec Endpoint Protection Small Business Edition client status icons (continued). Icon Description: The client runs with no problems. It is connected to and communicates with the server.
  • Page 320: Stopping And Starting The Apache Web Server

    When you install Symantec Endpoint Protection Manager, it installs the Apache Web server. The Apache Web server runs as an automatic service. You may need to stop and restart the Web server to enable the Apache HTTP Server Access log.
  • Page 321: Checking The Inbox Logs On The Management Server

    Recovering client communication settings by using the SylinkDrop tool: The Sylink.xml file includes communication settings between the client and a Symantec Endpoint Protection Manager server. If the clients have lost the communication with a management server, you must replace the old Sylink.xml file with a new file.
  • Page 322: Troubleshooting Communication Problems Between The Management Server And The Console Or The Database

    Restores the communication breakages to the client that cannot be corrected on the management server. Converts an unmanaged client to a managed client. Converts a managed client to an unmanaged client.
  • Page 323: Verifying The Connection With The Database

    Perform the following steps: Verify that the Symantec Embedded Database service runs and that the dbsrv9.exe process listens to TCP port 2638. Test the ODBC connection.
  • Page 324 Click Database. On the Database tab, in the Server name text box, type <\\servername\instancename>. If you use the English version of Symantec Endpoint Protection Manager, type the default, . Otherwise, leave the Server name text box blank. sem5 On the ODBC tab, click Test Connection and verify that it succeeds.
  • Page 325: Troubleshooting Reporting Issues

    Chapter: Troubleshooting reporting issues. This chapter includes the following topics: Troubleshooting reporting issues; Troubleshooting context-sensitive help for the reporting console; Changing reporting fonts to display Asian languages; Accessing reporting pages when the use of loopback addresses is disabled; About recovering a corrupted client System Log on 64-bit computers. Troubleshooting reporting issues: You should be aware of the following information when you use reports: Timestamps, including client scan times, in reports and logs are given in the...
  • Page 326 Symantec Endpoint Protection reporting functions on Windows Server 2003. Risk category information in the reports is obtained from the Symantec Security Response Web site. Until the Symantec Endpoint Protection Manager console is able to retrieve this information, any reports that you generate show Unknown in the risk category fields.
  • Page 327: Troubleshooting Context-Sensitive Help For The Reporting Console

    If you do so, be sure that you do not delete the LegacyOptions.inc file, if it exists. If you delete this file, you lose the incoming data from legacy Symantec AntiVirus client logs.
  • Page 328: Accessing Reporting Pages When The Use Of Loopback Addresses Is Disabled

    If you have disabled the use of loopback addresses on the computer, the reporting pages do not display. If you try to log on to the Symantec Endpoint Protection Manager console or to access the reporting functions, you see the following error...
  • Page 329: About Recovering A Corrupted Client System Log On 64-Bit Computers

    If the System log becomes corrupted on a 64-bit client, you may see an unspecified error message in the System logs on the Symantec Endpoint Protection Manager console. If corrupted, you cannot view the data in the log on the client and the data does not upload to the console.
  • Page 330 Troubleshooting reporting issues About recovering a corrupted client System Log on 64-bit computers...
  • Page 331: Appendix A Migration And Client Deployment Reference

    Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1. Where to go for information on upgrading and migrating: Table A-1 lists the key topics that pertain to upgrading and migrating to Symantec Endpoint Protection Small Business Edition.
  • Page 332 Topic: Supported and unsupported upgrade paths. For new installations, you deploy client software to your computers after you install the Symantec Endpoint Protection Manager. For existing installations, you upgrade existing clients to the new version of Symantec Endpoint Protection Small Business Edition after you upgrade the Symantec Endpoint Protection Manager.
  • Page 333: Supported Server Upgrade Paths

    From 12.0 Small Business Edition to 12.1 Small Business Edition; from 12.1 Small Business Edition to 12.1 (full version). Note: Symantec AntiVirus 9.x and 10.x server information can be imported during the installation of Symantec Endpoint Protection Manager version 12.1.
  • Page 334: Migrations That Are Supported And Unsupported For The Mac Client

    AntiVirus 9.x and 10.x to 12.1 (full version) is supported. Upgrading from Symantec Endpoint Protection Small Business Edition 11.x or Symantec Sygate Enterprise Protection 5.x to 12.1 Small Business Edition is not supported. Migrations that are supported and unsupported for...
  • Page 335: Feature Mapping Between 12.0 Clients And 12.1 Clients

    The tables in this section depict the feature mapping between previous versions and the new version of Symantec Endpoint Protection Small Business Edition for common update scenarios. 12.0 Small Business Edition to 12.1 Small Business Edition all...
  • Page 336 Feature mapping between 12.0 clients and 12.1 clients: Table A-4 12.0 Small Business Edition to 12.1 Small Business Edition without firewall (continued). Columns: Existing 12.0 Small Business Edition features installed; 12.1 Small Business Edition features installed after Autoupgrade. Proactive Threat Protection Proactive Threat Protection TruScan proactive threat scan...
  • Page 337 Feature mapping between 12.0 clients and 12.1 clients: Table A-7 12.0 Small Business Edition to 12.1 Small Business Edition POP3/SMTP Scanner installed on legacy client. Columns: Existing 12.0 Small Business Edition features installed; 12.1 Small Business Edition features installed. Virus and Spyware Protection...
  • Page 338: Client Protection Features By Platform

    64-bit clients. Client protection features by platform: Table A-9 explains the differences in the protection features that are available on the different client computer platforms. Table A-9 Symantec Endpoint Protection Small Business Edition client protection. Client feature Windows XP...
  • Page 339: Management Features By Platform

    Table A-9 Symantec Endpoint Protection Small Business Edition client protection (continued). Client feature Windows XP Windows XP Windows Windows Linux (SP2), (SP2), Server 2003, Server 2003, Windows Windows Windows Windows Vista,...
  • Page 340: Virus And Spyware Protection Policy Settings Available For Windows And Mac

    Table A-10 Comparison between Symantec Endpoint Protection Manager features for Windows and Mac (continued). Feature Windows Run commands from Scan Scan management server Update Content...
  • Page 341: Liveupdate Policy Settings Available For Windows And Mac

    Table A-11 Virus and Spyware Protection policy settings (Windows and Mac only). Policy setting: Define actions for scans. Windows: You can specify first and second actions when different types of virus or risk are found. Mac: You can specify either of the following actions:
  • Page 342: Increasing Symantec Endpoint Protection Manager Disk Space Before

    Table A-12 LiveUpdate policy settings (Windows and Mac only). Policy setting Windows LiveUpdate Scheduling Yes, for Frequency; no for Retry Window Product Update Settings See “Management features by platform”...
  • Page 343 Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1: Table A-13 Tasks to increase disk space on the management server. Task Description Relocate or remove co-existing If other programs are installed on the same computer...
  • Page 344 Migration and client deployment reference Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1...
  • Page 345: Index

    114 when to run 139 automatic exclusions adding about 146 a group 104 for Microsoft Exchange server 148 an administrator 297 for Symantec products 149 administrator AutoUpgrade access rights 298 client 96 adding 297 change password 299 renaming 297...
  • Page 346 Index client computer (continued) content (continued) managed 81 viewing downloads to server 256 migrating 86–88 Migration Wizard 88 moving to group 105 database offline 264–265 backing up 306 online 264 restoring 312 policy updates 126 debug logs. See logs preparing for installation 71 definitions properties 105 updating 251...
  • Page 347 Index exceptions (continued) known risks 245 global scan settings 188 managing 238 group Tamper Protection 248 about 101 exclusions add 104 created automatically 146 blocking 104 exporting computer assignment 105 policies 125 policy assignment 124 group structure about 103 groups feature dependencies 170 default 103 File System Auto-Protect.
  • Page 348 58 Mac client 334 renewed 59, 67 misleading applications 146 renewing 63 mobile device. See portable computer requirements 39 Symantec Licensing Portal 63 trialware 59, 62, 67 license issues network intrusion prevention notifications for 285 about 232 limited administrator...
  • Page 349 292 authentication 167 virus and spyware events on client Symantec Endpoint Protection Manager computers 176 connection to Symantec LiveUpdate 257 on-demand scans Quarantine running 160 deleting files 175 scan progress options 193...
  • Page 350 278 Submissions scans 188 locking and unlocking settings 122 about 139 submissions 151–152 customizing administrator-defined 185 Symantec Endpoint Protection Small Business Edition managing 136 about 17 paused 193 Symantec Licensing Portal. See license running on demand 160 Symantec products...
  • Page 351 Index trusted Web domain creating an exception for 247 trusted Web domain exception feature dependencies 170 update definitions 251 user and computer properties displaying 110 virtual machine adjusting scans for 161 virtualization adjusting scans for 161 randomizing scans 187 Virus and Spyware Protection preventing attacks 130 Virus and Spyware Protection policy locking and unlocking settings 122...

This manual is also suitable for:

Endpoint protection small business edition
