Symantec Endpoint Protection, a comprehensive corporate antivirus. Deploying Symantec Endpoint Protection clients


This article describes how to install Symantec Endpoint Protection 11.0 on a network that does not have older versions of Symantec AntiVirus installed.

The initial installation of the management software is performed in two stages. The first stage installs Symantec Endpoint Protection Manager. The second stage installs and configures the Symantec Endpoint Protection Manager database. In the first stage, leave the default values unchanged. In the second stage, the user must enter at least one value, a password.

Note:

  • The management software does not include Symantec Endpoint Protection or any other managed client.
  • Before installing Symantec Endpoint Protection Manager, you must install Internet Information Services (IIS).

How to install Symantec Endpoint Protection Manager (SEPM)

    Load the installation CD and start the installation process.

    On the installation panel, select Install Symantec Endpoint Protection Manager.

    In the License Agreement window, select I agree to the terms of the license agreement. Click Next.

    In the Destination Folder window, change or leave the default value for the installation folder.

    Perform one of the following actions:

    • To configure the Symantec Endpoint Protection Manager IIS (Internet Information Services) web server as the only web server on this computer, select Create a separate website and click Next.

    • To configure the Symantec Endpoint Protection Manager IIS web server to work with other web servers on this computer, select Use default website, and then click Next.

      If the installation is performed on a server running Windows Small Business Server 2003, you must select the Use default website option to configure the web server.

    In the window confirming that you are ready for installation, click Install.

    Once the installation is complete, the "Setup Wizard Complete" window will open. Click Finish. The Management Server Setup Wizard will launch in approximately 15 seconds.

How to configure Symantec Endpoint Protection Manager

    In the Management Server Configuration Wizard panel, select a configuration type.

Note: If Simple Configuration is selected, the SEPM Administrator password is used as the encryption password. If the administrator password is subsequently changed, the encryption password remains unchanged.

    In the Site Type window, select Install first site and click Next.

    In the Server Information window, change or leave the default values for the following fields and click Next:

    • Server name

    • Server port

    • Server data folder

    In the Site Name field, change or leave the default name and click Next.

    In the Encryption Password window, enter the password in both fields and click Next.

    Keep this password when installing Symantec Endpoint Protection in a production environment; it is required for disaster recovery and when adding Enforcer hardware components.

    In the Select Database Server window, select Embedded Database and click Next.

    In the user settings panel, specify the password that must be entered when logging into the console as the "Admin" user, and click Next. Alternatively, create a user who is a domain administrator.

Once installation is complete, you can deploy the client using the Migration and Deployment Wizard. Log in to the console with the username and password you specified earlier.

Configuring and Deploying Client Software

The Migration and Deployment Wizard allows you to configure the client software package. You can then run the Push Deployment Wizard to deploy the client software package. If the user chooses not to run the Push Deployment Wizard, it can be launched manually in the future. To do this, you need to run the ClientRemote.exe program from the \tomcat\bin folder.
Note: The following steps describe how to install the client on 32-bit computers (not 64-bit computers). During installation you will need to specify a folder to copy installation files. It is recommended that you create this folder before starting the procedure. Installation must be performed by a Windows domain or workgroup administrator.

When you deploy the client to computers that are behind a firewall and running Windows XP or Windows Vista, there are additional factors to consider. The firewall must allow remote deployment on TCP port 139. On workgroup computers running Windows XP, you must disable Simple File Sharing. To prepare computers running Windows Vista, see "Preparing Windows Computers for Remote Client Deployment" (in English):

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007091021513648

How to set up a client

    In the Management Server Configuration Wizard Completed window, select Yes and click Finish.

    In the "Welcome to the Migration and Deployment Wizard" window, click Next.

    In the Select the action you want window, select Deploy client and click Next.

    In the next window, select Enter the name of a new group to which you want to add clients, enter a group name, and then click Next.

    In the next window, deselect the client programs that should not be installed and click Next.

    In the next window, specify options for packages, files, and user experience.

    Click the Browse button, select a folder for the installation files, and click Open.

    In the next window, select Yes and click Finish.

Do not enable the Admin Console launch option. It may take up to 5 minutes to create and export the installation package for the group. Then the Push Deployment Wizard will open.

How to deploy a client using the Push Deployment Wizard

    In the Push Deployment Wizard, in the Available Computers list, select the computers on which you want to install the client, and then click Add.

    If the client is deployed locally and Windows Firewall is not configured to handle Java, it may block this feature by displaying a message asking you to configure it. This window may be displayed below the Push Deployment Wizard window, meaning it will not be visible to the user. If the Push Deployment Wizard stops responding, move its window to the side and check to see if there is a Windows Firewall message window hidden underneath it.

    In the "Remote Client Identification" window, enter the username and password for the Windows domain or workgroup to which these computers belong, and click OK.

    Once all computers are selected and shown in the right pane, click Finish.

    Once the installation is complete, click Finish.

Login to the console and search for your group in the console

First of all, you need to log into the console and find your group.

Login to the management console

The management console is designed to manage clients.

How to log into the management console

    Select Start > Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Console.

    At the Symantec Endpoint Protection Manager login window, enter the user name admin.

    In the password field, enter the administrator account password that you specified during installation. Click the Login button.

Finding your group in the console

After logging into the console, you need to find the group created during installation. You should then ensure that this group includes the computers on which the software was installed.

Activating Symantec Network Access Control

If you purchased Symantec Endpoint Protection along with Symantec Network Access Control, perform the following additional steps to activate Symantec Network Access Control.

How to activate Symantec Network Access Control

    Close the Symantec Endpoint Protection Manager console if it is open.

    Insert the Symantec Network Access Control product CD.

    On the installation panel, select Install Symantec Network Access Control.

    Click Install Symantec Endpoint Protection Manager.

    In the Management Server Update window, click Next.

    Click Continue.

    When the Server Update Status window displays a message indicating the update was successful, click Next.

    Click Finish.

    Log in to the Symantec Endpoint Protection Manager console.

    On the Policies tab, select Host Integrity.

    In the right pane, select Host Integrity Policy.

    In the Tasks section, select Assign Policy.

    In the Assign Host Integrity Policy window, select the group to which you want to assign the policy.

    Click the Assign button and then click Yes to confirm the change.

Symantec Network Access Control is now enabled in Symantec Endpoint Protection Manager and on clients in the created group.

In addition to very advanced anti-virus and anti-spyware protection settings, Symantec Endpoint Protection has very rich firewall options. It allows you to restrict access not only to certain intranet resources, but also to external ones, for example to deny access to certain sites on the Internet. To do this we need to change the Firewall Policy. Let's look at the example of denying access to the website vk.com:

1. Open Symantec Endpoint Protection Manager and go to the Policies section. In the Policies menu choose Firewall. To edit the firewall policy, right-click it and choose Edit (Fig. 1):

2. In the Firewall Policy window select the Rules section, then press the Add Rule button (Fig. 2):

3. The Add Firewall Policy Rule Wizard window will open. Give the rule a name and click Next (Fig. 3):

4. Select an action for the rule. Choose Block Connections and press Next (Fig. 4):

6. Then you need to select what we are blocking access to. There are two options: Any computer or site, or Only the computers and sites listed below. Select the second option and press the Add button (Fig. 6):

7. In the Add Host window, under Address Type choose DNS Domain. In the DNS Domain field enter *.vk.com and press OK. The entry *.vk.com now appears in the list of hosts (Fig. 7-8):
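To make the effect of such a DNS-domain entry concrete, here is an added Python model of a first-match host block list; it is not Symantec code, and it assumes shell-style wildcard matching, which the steps above do not specify for SEP. It shows that a single *.vk.com entry covers subdomains but not the bare vk.com, which needs its own host entry if it should be blocked too.

```python
"""Illustrative model of a DNS-domain block rule (added example, not Symantec code).

Assumptions: rules are evaluated first-match, a rule without listed hosts is the
"Any computer or site" option, and the '*' wildcard has shell-style semantics
(zero or more characters). How SEP itself matches hostnames is not specified here.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "block" or "allow"
    dns_domains: Tuple[str, ...] = ()  # e.g. ("*.vk.com",); empty = any host


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of a hostname against one DNS-domain pattern.

    '*.vk.com' matches 'm.vk.com' and 'a.b.vk.com'. It does not match 'vk.com'
    (there is no dot before 'vk') and it does not match the lookalike 'notvk.com'.
    """
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def evaluate(rules: List[Rule], host: str) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name) of the first rule matching `host`.

    Unmatched hosts fall through to an implicit allow, as the walkthrough's
    single block rule leaves everything else reachable.
    """
    for rule in rules:
        if not rule.dns_domains or any(host_matches(p, host) for p in rule.dns_domains):
            return rule.action, rule.name
    return "allow", None


def block_site_rules(domain: str) -> List[Rule]:
    """Build the walkthrough's rule with both the subdomain wildcard and the
    apex listed, so that the bare domain is blocked as well."""
    domain = domain.lower().strip(".")
    return [Rule(f"Block {domain}", "block", (f"*.{domain}", domain))]


if __name__ == "__main__":
    # Constructed sample hostnames; the walkthrough's rule lists only "*.vk.com".
    as_entered = [Rule("Block vk.com", "block", ("*.vk.com",))]
    for host in ("m.vk.com", "vk.com", "notvk.com", "example.org"):
        print(f"{host:12} as entered -> {evaluate(as_entered, host)[0]:5} "
              f"with apex added -> {evaluate(block_site_rules('vk.com'), host)[0]}")
```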

Symantec Endpoint Protection 12 is an enterprise antivirus solution that gives the administrator of an enterprise anti-virus network the tools needed to deploy that network, monitor it, and manage the operating parameters of the anti-virus clients on protected hosts.

Symantec Endpoint Protection 12 implements the classic client-server architecture adopted for use in many enterprise antivirus products, but there are also differences. The best way to see them is through the benefits of the new version of Symantec Endpoint Protection 12.

The server side of Symantec Endpoint Protection 12 has a number of improvements relative to earlier versions:

  • Centralized license management from the management console;
  • Protection Server version 2 provides centralized data storage and integration of management functions across Symantec products;
  • The Symantec Protection Server login screen allows you to request that your forgotten password be sent via email;
  • Ability to reset a forgotten password from Symantec Endpoint Protection Manager;
  • Ability to specify the reboot time of client computers for the convenience of users;
  • The Monitors page of Symantec Endpoint Protection Manager contains a set of standard notifications about the most frequently occurring events;
  • Linux clients send event information to Symantec Endpoint Protection Manager.

Symantec Endpoint Protection 12 improves server and client performance with the following changes:

  • In the new version, the management server automatically performs maintenance of the server database;
  • When scanning, Insight technology is used, which excludes reliably harmless files from scanning;
  • The LiveUpdate component, responsible for updating software modules and virus databases, can be run while clients are idle, and only when there is updated content on the update server.

Of no small importance is the expanded support for virtual environments in Symantec Endpoint Protection 12, which is manifested in the following:

  • The Shared Insight Cache server allows clients to share scan results; identical files on all clients will be scanned only once, thanks to this the total scanning time is reduced, according to the manufacturer, by up to 80%;
  • The Virtual Image Exception utility reduces scanning volume by excluding files from a trusted base image of the virtual system;
  • Symantec Endpoint Protection automatically detects the hypervisor running a client on a virtual platform, allowing you to create policies for groups of clients on virtual platforms;

Also in Symantec Endpoint Protection 12, closer integration of the management server with clients running Mac OS X is implemented. In particular, in version 12, you can configure policies for Mac clients, both for individual stations and for groups.

Let's take a closer look at the capabilities of the Symantec Endpoint Protection 12 management server.

System requirements for Symantec Endpoint Protection Manager

To run the Symantec Endpoint Protection Manager management server, the computer must meet the following system requirements.

CPU:

  • 32-bit processor: minimum Intel Pentium III 1 GHz or equivalent (Intel Pentium 4 or equivalent processor recommended);
  • 64-bit processor: Minimum 2 GHz Pentium 4 with x86-64 support or equivalent processor.

Note: Intel processors Itanium IA-64 and PowerPC are not supported.

RAM:

  • 1 GB random access memory for 32-bit operating systems;
  • 2GB of RAM for 64-bit operating systems, or more if required by the operating system.

HDD:

  • At least 4GB;

Monitor resolution:

  • 800x600.

Operating system:

  • Windows 7;
  • Windows XP (32-bit, SP3 or later; 64-bit, all SPs);
  • Windows Server 2003 (32-bit, 64-bit, R2, SP1 or later);
  • Windows Server 2008 (32-bit, 64-bit);
  • Windows Small Business Server 2008 (64-bit);
  • Windows Small Business Server 2011 (64-bit);
  • Windows Essential Business Server 2008 (64-bit).

Web browser:

  • Microsoft Internet Explorer 7, 8 or 9;
  • Mozilla Firefox 3.6 or 4.0

Note: Symantec Endpoint Protection Manager version 12 allows you to manage older clients, regardless of the operating system they are running.

Symantec Endpoint Protection Manager can use either the built-in database or one of the following:

  • MS SQL Server 2000, SP4 or later;
  • MS SQL Server 2005, SP2 or later;
  • MS SQL Server 2008.

Note: If you install Symantec Endpoint Protection Manager and the SQL database on the same computer, you must have at least 4GB of RAM.

Installing the Symantec Endpoint Protection Manager antivirus server

Symantec Endpoint Protection Manager is intended for installation only on the Microsoft Windows family of operating systems. After starting the installation, a welcome window is displayed with links that allow you to read the preliminary information you need to know before deploying an anti-virus network, begin the actual installation of the management server, install additional administration tools, or exit the installation program without performing any actions.

Figure 1: Symantec Endpoint Protection Manager installation welcome window

The actual installation of Symantec Endpoint Protection Manager begins with a window that lists the installation steps:

  • Installation of the management server and console;
  • Setting up a management server;
  • Database creation;
  • Transfer of necessary information from a previous version (if needed);
  • Installing antivirus clients

A window is then displayed with the text of the license agreement, which you must accept to continue with the installation. In the next window, you can select an installation folder, and the Symantec Endpoint Protection Manager installer will be ready to install the required components.

When the installation of the Symantec Endpoint Protection Manager components is complete, the installation program moves to the next step, configuring the management server. The first screen of the Management Server Configuration Wizard prompts you to select a default configuration (for local networks consisting of less than 100 computers), or set a custom configuration.

Figure 2: Choosing a configuration

The next screen asks you to enter the number of computers connected to the network, with the following options offered (this setting affects how many revisions antivirus databases will be stored on the server):

  • Less than 100;
  • From 100 to 500;
  • From 5000 to 1000;
  • More than 1000.

The next step in the Symantec Endpoint Protection Manager Configuration Wizard is to create a site. In Symantec Endpoint Protection terminology, a site is a database and one or more management servers working with this database (or a cluster of databases). You can create multiple sites in the infrastructure. This is done to reduce traffic between regions, because between sites, you can replicate not all information, but only part of it, for example, only policies and group membership information, but not replicate information about event logs and updates.

Figure 3: Creating an anti-virus network site

Figure 4: Anti-virus site and server settings

On the next screen of the installation program, you must choose between the built-in database and an external one based on MS SQL server, and then either create a new database or connect to an existing one. After this, you need to create an administrator account.

Figure 5: Creating a system administrator account

After this, you are prompted to set an encryption password for client communication with the management server, either automatically or manually. This password may be needed for disaster recovery of the anti-virus network.

On the next screen you need to enter the administrator's e-mail address and the SMTP server parameters that the management server will use to send notifications.

Optionally, you can select a check box that allows the management server to send information about the operation of the anti-virus network to Symantec for optimizing its solutions when developing new versions. Detailed information about what is sent and why is displayed here.

Figure 6: Participation in the Symantec optimization program

At the end of the installation, a new database is initialized, if necessary. The final screen of the Symantec Endpoint Protection Manager Setup Wizard prompts you to run the Migration Wizard with Symantec AntiVirus (if necessary) and to start the management server immediately after installation is complete.

This completes the installation and initial configuration of the Symantec Endpoint Protection anti-virus network management server.

Methods for deploying an antivirus network based on Symantec Endpoint Protection 12

The last step in deploying an antivirus network based on Symantec Endpoint Protection 12 is installing clients.

This procedure can be carried out in several ways:

  • Use client distributions for various operating systems from the Symantec Endpoint Protection 12 distribution;
  • Using the Client Deployment Wizard.

We examined the first of these options in detail in the first part of the Symantec Endpoint Protection 12 review.

Figure 7: Client Deployment Wizard

The Client Deployment Wizard prompts you to select the following as parameters for your work:

  • The type of installation package to be used;
  • The group of stations to which the client installation will be applied;
  • Set of installed components;
  • Installation options;
  • Content options;
  • The preferred mode of operation: per computer or per network user.

Figure 8: Selecting a group and set of components to install

The Client Deployment Wizard offers several ways to install clients:

  • Web link and Email;
  • Remote mailing;
  • Save the package.

In the first case, computer users independently download the Symantec Endpoint Protection client distribution package using a link from an e-mail and install it on their computer. In the second case, the installation is performed remotely and automatically. In the third case, a distribution kit is created on the administrator's computer and then provided to users of protected stations in any convenient way. Most often, the latter option is used when the company has tools and policies for centralized software distribution.

Figure 9: Symantec Endpoint Protection client installation method

For a remote installation, the administrator is asked to use the network browsing tool built into the wizard to select computers on which to install Symantec Endpoint Protection clients. For remote installation, you will need to specify administrator account settings on the appropriate computers.

Figure 10: Selecting computers for remote client installation

Administering an antivirus network using Symantec Endpoint Protection Manager

Working with the Symantec Endpoint Protection Manager console begins with a window in which you must enter a username, password, and specify the antivirus server to which you want to connect. A password recovery function is also available in case of loss, which is quite rare in products of this class.

Figure 11: Symantec Endpoint Protection Manager console login window

When you first log into the administrator console, a window is displayed on top of the main interface, which lists the main tasks of the local network administrator, as well as links to console interface elements associated with these tasks. These tasks include checking the license status, setting up automatic updates, deploying clients, and configuring the anti-virus server settings. This approach allows an administrator who has no experience with Symantec Endpoint Protection 12 to quickly become familiar with the product.

Figure 12: Symantec Endpoint Protection Manager console welcome window

The main elements of the administrator console (Home, Monitors, Reports, Policies, Clients and Admin) are located on the vertical toolbar located on the left side of the window. They are available at any time, which makes it easier to move from one task to another from any console window, the number of which is quite large.

The main console window contains basic information about the operation of the anti-virus network, which allows the administrator, immediately after logging into the console, to assess the state of the anti-virus network, detect possible problems in its operation and take prompt action. This information includes the overall protection status, license status, the status of protected computers, the global threat level and the latest malware information, as well as a report on actions taken against malicious objects detected on the enterprise network and links to the most important reports on the operation of the anti-virus network.

Figure 13: Main window of the Symantec Endpoint Protection Manager console

The interface of the "Monitors" section of the main dashboard contains the following tabs: "Overview", "Logs", "Command Status" and "Notifications".

The Overview tab displays recent threat summaries and other summaries in pie charts. The "Logs" tab displays information about events that occurred in the anti-virus network in tabular form. The "Command Status" tab allows you to view information about the commands the administrator has recently run. Finally, on the "Notifications" tab, you can view notifications about events occurring in the anti-virus network, which are displayed according to the corresponding notification settings.

Figure 14: Monitors section of the Symantec Endpoint Protection administrator console

The “Reports” section of the console interface is dedicated to various types of reports and is divided into two tabs – “Quick reports” and “Scheduled reports”. The first tab allows you to quickly set parameters for the report that you want to view and display it on the screen upon request. Scheduled reports are created automatically at any frequency according to the settings. The range of reports that can be viewed is quite extensive. The information in them is offered both in text and graphic form - for a more visual perception of statistics.

Figure 15: One of the reports generated by the Symantec Endpoint Protection administrator console

The "Policies" section includes the operating settings of the various anti-virus network components, as well as the configuration of the protection components on protected clients. This section is the most extensive of all sections of the administration console. Policies are divided into several types: Virus Protection, Firewall, Intrusion Prevention, Application and Device Control, LiveUpdate and Exceptions. For each policy type, a detailed interface for setting the corresponding policies is available. In fact, all management of the operating parameters of the anti-virus network as a whole and of the protection settings on protected stations is carried out by applying the appropriate set of policies.

Figure 16: Policies section of the Symantec Endpoint Protection administration console

The "Protection against viruses and spyware" policy includes settings for all protection components on stations running Windows and Mac OS X. There is no point in listing them in detail, because they are described in the first part of the Symantec Endpoint Protection 12 review. These settings have also been supplemented with policies for carrying out certain actions on protected computers at the request of the administrator, for example "Administrator scans". For scans of this type, a different priority for resource usage, different rules for responding to detected threats, and so on can be set.

It is also worth noting that anti-virus policies managed from the SEPM console allow the use of optimization technologies within the corporate infrastructure. This includes Shared Insight Cache technology (files scanned on one machine will not be scanned on others), and Virtual Image Exception technology (i.e. exclusion from scanning files from a standard image virtual machine used within the organization).

And one more important point: the policy allows you to configure which rules the user can change locally and which ones he cannot. The open lock in the picture below shows the actions that can be changed. If you click on this lock, it will become closed. From this point on, the user will not be able to configure this parameter on the workstation.

Figure 17: Virus and spyware protection policy

The "Firewall" policy is responsible for the settings of the firewalls on protected computers and repeats the corresponding settings in the client interface. The firewall in Symantec Endpoint Protection is only available for Windows clients. The Firewall policy is divided into several sections: "Rules", "Built-in rules", "Protection and stealth" and "Integration with Windows".

Enabling the built-in rule sets allows traffic for system services to pass without adding the corresponding rules manually, which is not always an easy task. For example, a few checkboxes are enough to allow DHCP, DNS, WINS or Token Ring adapter traffic. On the other hand, these rules can prevent the client from working with NetBIOS packets, and can also block reverse DNS resolution, which is used to determine a name from an IP address.

Figure 18: Firewall policy in the Symantec Endpoint Protection administration console

The Intrusion Prevention Policy includes settings for Symantec Endpoint Protection functionality related to protecting against attacks on the network and the user's browser. Using this policy, you can independently enable or disable protection against attacks on the network and on the browser, as well as configure exceptions to the operation of this policy.

The "Manage applications and devices" policy is divided into two parts, "Manage applications" and "Manage devices", respectively.

In application management, you can block or log various actions: launching certain applications, launching programs from removable media or reading/writing information on removable media, prohibit users from independently installing any applications, and also introduce some other prohibitions. It is worth noting that the presence of such policies can significantly increase the efficiency of the enterprise local network administrator.

The Symantec Endpoint Protection application management policy does not have the ability to define settings for a group of applications at once (for example, browsers). Instead, a specific application can be added to the policy by process name or hash sum (templates and system variables are supported), and you can also use conditions associated with application behavior (attempts to access the registry, attempts to load DLLs, attempts to start processes, etc.), as well as conditions associated with the application launch source (CD drive, network drive, virtual disk, local disk, etc.).
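The following added Python model (not Symantec code) shows how the three kinds of condition named above combine in an application-control rule: a path with a %VARIABLE% template and wildcard, a hash sum, and a launch source. The rule format, first-match evaluation, the program name tool.exe and all sample bytes and paths are constructed for the illustration; the point it makes is that a path-only rule is bypassed by a renamed copy of the same binary, while a hash rule still catches it.

```python
"""Illustrative matcher for application-control conditions (added example, not
Symantec code). A rule may identify a program by its path (with %VARIABLE%
templates and '*' wildcards), by its SHA-256 hash, and/or by its launch source;
all conditions listed in a rule must hold. Rule format and first-match
evaluation are assumptions made for this illustration.
"""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppRule:
    name: str
    action: str                          # "block" or "log"
    path_pattern: Optional[str] = None   # e.g. r"%ProgramFiles%\*\tool.exe"
    sha256: Optional[str] = None         # hex digest of the executable image
    launch_source: Optional[str] = None  # "removable", "network", "cd", "local"


@dataclass(frozen=True)
class LaunchEvent:
    path: str            # full path of the process image that is starting
    image: bytes         # bytes of the executable on disk
    launch_source: str


def expand_template(pattern: str, env: Dict[str, str]) -> str:
    """Replace %NAME% tokens with values from an explicit environment map."""
    for key, value in env.items():
        pattern = pattern.replace(f"%{key}%", value)
    return pattern


def rule_matches(rule: AppRule, event: LaunchEvent, env: Dict[str, str]) -> bool:
    checks = []
    if rule.path_pattern is not None:
        # Case-insensitive; '*' matches any characters, separators included.
        pattern = expand_template(rule.path_pattern, env).lower()
        checks.append(fnmatchcase(event.path.lower(), pattern))
    if rule.sha256 is not None:
        checks.append(hashlib.sha256(event.image).hexdigest() == rule.sha256.lower())
    if rule.launch_source is not None:
        checks.append(event.launch_source == rule.launch_source)
    return bool(checks) and all(checks)  # a rule with no conditions matches nothing


def evaluate_launch(rules: List[AppRule], event: LaunchEvent,
                    env: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """First matching rule decides; a launch matched by no rule is allowed."""
    for rule in rules:
        if rule_matches(rule, event, env):
            return rule.action, rule.name
    return "allow", None


# Constructed sample data: hypothetical program, image bytes and paths.
ENV = {"ProgramFiles": r"C:\Program Files"}
TOOL_IMAGE = b"constructed bytes standing in for a hypothetical tool.exe"
TOOL_SHA256 = hashlib.sha256(TOOL_IMAGE).hexdigest()

RULES = [
    AppRule("Block tool by path", "block", path_pattern=r"%ProgramFiles%\*\tool.exe"),
    AppRule("Block tool by hash", "block", sha256=TOOL_SHA256),
    AppRule("Log launches from removable media", "log", launch_source="removable"),
]

INSTALLED = LaunchEvent(r"C:\Program Files\Vendor\tool.exe", TOOL_IMAGE, "local")
RENAMED_COPY = LaunchEvent(r"C:\Users\pat\Downloads\notes.exe", TOOL_IMAGE, "local")
OTHER_ON_USB = LaunchEvent(r"E:\setup.exe", b"some other constructed image", "removable")
ORDINARY = LaunchEvent(r"C:\Windows\notepad.exe", b"constructed notepad image", "local")

if __name__ == "__main__":
    for event in (INSTALLED, RENAMED_COPY, OTHER_ON_USB, ORDINARY):
        print(f"{event.path:40} -> {evaluate_launch(RULES, event, ENV)}")
    # With only the path rule in force, the renamed copy is not caught.
    print("path rule only, renamed copy ->", evaluate_launch(RULES[:1], RENAMED_COPY, ENV))
```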

In device management, you can prevent certain types of devices from connecting to your computer by class ID or device ID. The proposed list of devices looks quite complete; if necessary, you can add your own types. Among the devices whose connections can be controlled:

  • Input devices (keyboard, mouse, etc.);
  • USB devices in general;
  • Devices connected via the IDE bus;
  • Printers;
  • Devices connecting via infrared and Bluetooth;
  • Modems;
  • Smart card readers, etc.

Figure 19: Application and device management policy in the Symantec Endpoint Protection administration console

The “LiveUpdate” policy includes fairly flexible settings related to organizing updates to anti-virus network components. They are divided into three groups - “Server settings” (settings related to the choice of update server and proxy server settings), “Scheduling” (settings related to update frequency and conditions for updating attempts), and “Advanced settings”.

The last group of "LiveUpdate" policy settings contains such useful options as "The LiveUpdate connection requires standard HTTP headers", the absence of which could lead to problems when using certain proxy servers on the enterprise local network.

An important feature present in Symantec Endpoint Protection is the ability to use Group Update Providers (GUPs). A GUP allows us to minimize update traffic, which is especially important for delivering updates to regions with narrow communication channels, and to relieve the SEPM management servers by reducing the number of update requests to them. To activate the GUP functionality, you do not need to install additional software; you just need to indicate which servers will be the update providers.

Figure 20: "LiveUpdate" policy in the Symantec Endpoint Protection administration console

The “Exceptions” policy collects settings and policies related to exceptions from scanning objects in various protection components and is divided into two groups – “Exceptions” and “Client Restrictions”. The first group of settings is responsible for the exceptions that are configured by the anti-virus network administrator, and the second group of settings is responsible for what types of objects users can add to exceptions themselves.

Figure 21: Exceptions policy in the Symantec Endpoint Protection administration console

The “Clients” section of the administration console is dedicated to working with clients of the anti-virus network. In particular, from this section you can assign certain operating policies to all clients or clients belonging to a certain group, obtain information about clients, add or remove a client from the anti-virus network, and similar actions. Also from this section you can deploy and update clients to the latest versions.

Through the “Clients” section, you can integrate with AD for easy grouping of assets, i.e. there is no need to re-create the client group structure.

Figure 22: Clients section in the Symantec Endpoint Protection administration console

Finally, the Admin section of the console contains information useful to the administrator, as well as the basic settings and actions used to manage the anti-virus network as a whole. The section is divided into five subsections: Administrators, Domains, Servers, Installation packages and Licenses.

In the Administrators subsection you manage SEPM administrator accounts: create, delete and rename them, and change their passwords. SEPM accounts can also be linked to domain users, so that the domain password is used to log in to the SEPM console.

The Domains subsection allows you to work with the domains of the anti-virus network: rename a domain, change its properties, or add a new domain.

The Servers subsection covers the anti-virus network's servers: changing site properties, operations on LiveUpdate servers, and so on.

The Installation packages subsection lists the packages ready for deployment. Here you can export an installation package, add one, delete one or change its properties, and upgrade connected clients to a new version using a package.

The Licenses subsection displays information about the current license, lets you activate a new one, change the details of the Symantec partner the customer works with, and obtain information about purchasing additional licenses.

Figure 23: Admin section in the Symantec Endpoint Protection administration console

Conclusions

In the second part of the review we looked at installing the anti-virus server, the methods for deploying clients of the anti-virus network, and the administration capabilities offered by the management console.

Overall, Symantec Endpoint Protection 12 is a product that should pose no problems for a trained administrator to use on an enterprise LAN.

The detailed documentation available in Russian (both the full documentation and quick installation and deployment guides) makes it quick to get up to speed with the product and to study its capabilities systematically so they can be applied in practice.

The many tips and links to documentation in the console interface mean that an administrator new to the product is not left alone with the questions that come up.

Pros

Among the positive features of Symantec Endpoint Protection 12 noted in the second part of this review are:

  • Good documentation and many tips in the interface;
  • An intuitive hierarchy in the administrator console;
  • Extensive management of anti-virus clients through numerous policies tied to each protection component, applicable either to all computers at once or to individual computers and groups;
  • The ability to create policies governing which applications may be launched;
  • Control over the connection of devices to user computers, which can be considered part of the functionality of DLP systems;
  • A fairly flexible, multidimensional and visual reporting system that lets you detect current problems in the anti-virus network at any time and also identify problems whose causes arose some time ago;
  • Several ways to deploy Symantec Endpoint Protection 12 clients, some of them quite distinctive (e-mailing employees a link to the package, distributing a package built by the administrator, installing the client remotely over the network), so the administrator can choose the most convenient one;
  • High scalability, allowing use on LANs of enterprises of various sizes: a database of Symantec's own implementation for small networks, and integration with a popular external DBMS for large ones;
  • Performance optimizations of the protection components for virtual systems (in particular, files belonging to the reference image of a virtual machine can be excluded from scanning);
  • Integration of Symantec Endpoint Protection Manager with other Symantec products and solutions, which can raise administrator productivity when several classes of Symantec products are used across the enterprise.

Cons

  • Among the negative features of Symantec Endpoint Protection 12, one can point to the unequal support for different operating systems. In particular, there is no management server for Linux, even though servers in many enterprises, especially recently, run these operating systems.
  • Linux versions of server applications are generally less demanding on hardware than their Windows counterparts, while the existing Symantec Endpoint Protection 12 management server remains fairly demanding on resources.
  • One can also note the limited usability of the application control policy: at present it is impossible to manage classes of applications at once (browsers, office applications and so on), which makes it hard to set policies for programs of those classes. For example, a user wishing to get around browser restrictions could find and use a browser that is not among the five most popular, putting their computer (and, by extension, the whole network) at risk.
  • For such cases Symantec Endpoint Protection can prohibit all applications and allow only those explicitly authorized for use in the organization. How convenient this is depends on the number of allowed applications.
  • The administrator may also run into problems when installing clients remotely on protected computers, or when configuring event notifications to the administrator's e-mail. The installation may not complete, notifications may not arrive, and the cause is not always obvious. It can be determined from the Symantec Endpoint Protection log files, but interpreting the logs depends on the qualifications of the administrator.
  • In such cases the administrator can also read the relevant sections of the documentation, which describe typical situations in which these problems arise, and investigate the causes on their own. But the developers of this enterprise product should pay more attention to automatic diagnosis of such situations, because their causes are quite typical and finding them by hand can take considerable time.

In general, Symantec Endpoint Protection 12 can be called one of the leading products for securing enterprise local networks, and future versions will surely address the shortcomings listed.

Choosing a corporate antivirus is not a simple matter and requires careful evaluation of candidates. Modern solutions are often offered as a suite that adds components such as a firewall and IPS, covering more infection paths and reducing risk. This is exactly how Symantec Endpoint Protection 12 works.

Symantec Endpoint Protection 12 features

Symantec has long been known for products that protect against the many modern threats the Internet is rich in, among which antiviruses hold a special place. Many probably still remember Norton Antivirus, which was installed on most PCs at the beginning of the century and successfully repelled virus attacks; Symantec still produces it and has not stopped developing it. True, it is now called Norton Internet Security, is aimed at individual PCs, and has far broader capabilities. The corporate sector is served by the Symantec Endpoint Protection line, consisting of three solutions:

    Endpoint Protection Small Business Edition — for small companies (no more than 100 users); simple installation and configuration, all data stored on local systems;
    Endpoint Protection.cloud — delivered as SaaS, so there is no need to deploy your own management infrastructure; protects Windows systems in organizations of up to 250 PCs;
    Endpoint Protection — the most complete solution, protecting workstations and servers running different operating systems and virtual environments, intended for organizations with 100+ users.

The solution is built on the client-server architecture classic for corporate antiviruses. The Endpoint Protection Manager server centrally manages settings, updates agents and databases, collects status data, generates reports and manages licenses. In Symantec terminology the structure created with SEPM is called a site. A network can have several servers, sites and domains, which lets you spread the load with data replication, recover quickly, and build a hierarchical structure for ease of management and delegation of authority.
All settings are made through either the local console or the Web Access console (port 9090), both built with Java; they look and work alike.
The console can integrate with other Symantec products, such as Protection Center, giving a unified security management environment that lets you learn about new threats and respond faster. IT Analytics extends Endpoint Protection's reporting with additional analysis functions and graphical presentation of data.
A DBMS stores settings and client information. For networks of up to 5,000 systems with a single management server you can use the embedded database, which is installed automatically and needs no additional configuration. With more clients, or if you plan to deploy several EP Managers with data replication or load balancing, install MS SQL Server.
The agent installed on endpoints integrates several protection mechanisms:

  • an antivirus that protects against viruses, spyware, Trojans, bots and rootkits;
  • a rules-based firewall and IDS that protects against network attacks and malware downloads, includes Generic Exploit blocking (GE) for common vulnerability entry points, and protects the browser from targeted attacks;
  • an Application and Device Control module that governs which applications and devices a user or computer may use.

The agent can scan mail received via POP3/SMTP and integrates with MS Outlook and IBM Lotus Notes. The client is also adapted for virtual environments: it simplifies policy creation, reduces load on the VM and the number of I/O operations, and can exclude files of a standard image from scanning (Virtual Image Exception). With a dedicated Shared Insight Cache server, agents share scan results so that identical files are checked only once, which lowers system load and scan time. Simultaneous scans on several VMs are also prevented. Products from VMWare, MS Virtual Server and Hyper-V, and Novell Xen are supported.
As is customary in such products, the client is managed from the SEP server, but a system that operates autonomously and rarely connects to the corporate network can run as a so-called unmanaged client, where the user manages the antivirus settings. Software modules and virus definitions are updated by the additional LiveUpdate component, and the update can be scheduled for when clients are idle.
Agent versions exist for different operating systems (Windows, Linux and Mac OS X), so all computers in a heterogeneous environment can be protected. The Windows client interface is fully localized into Russian; for the other operating systems only an English version exists. SEP is licensed per client; the SEPM console needs no additional license. After installation a generous 60-day trial period lets you evaluate SEP in action and fully deploy and configure the agents.

A complete list of supported client operating systems can be found in the document "Symantec Endpoint Protection 12.1. Specification: Endpoint Security".
To install the agent you need a computer with an Intel Pentium III 1 GHz or faster processor, 512 MB of RAM (1 GB recommended) and 700 MB of disk space.
The Symantec Endpoint Protection client for Windows supports 2000, XP, Vista and 7, and the server versions 2003/2008, including Small/Essential Business Server. The Linux client supports Debian 4/5/6, Ubuntu 8.04-11.04, Fedora 10/12/13/15, SLES/SLED 9/10/11, RHEL, Novell Linux Desktop 9 and Open Enterprise Server.
Symantec Endpoint Protection client for Mac:
— PowerPC-based Mac with Mac OS X 10.4-10.5.x;
— Intel-based Mac with Mac OS X 10.4-10.7 (i86 and x64 editions).
The Endpoint Protection Manager server requires at least a Pentium III 1 GHz with 1 GB of RAM (4 GB recommended) and 4 GB of free space for the server plus 4 GB for the database, running Windows XP through Server 2008. The embedded database or MS SQL Server 2000 SP4 / 2005 SP2 / 2008 can serve as the database server.

Another optional component, Central Quarantine, receives suspicious files from clients and submits samples to Symantec Security Response for analysis. If a new virus is detected, an update is produced.
Documentation has always been a strong point of Symantec; a separate 411 MB package contains the documentation and additional utilities. Some of the manuals have been translated into Russian, which makes it easier to get acquainted with SEP. For system administrators there is the 1167-page "Implementation Guide for Symantec Endpoint Protection and Symantec Network Access Control", where you can find answers to almost any question.

Installing SEP Manager

The SEP Manager management server can be installed only on Windows. The process is not very complicated but requires some care. After running setup.exe a welcome window appears which, besides the SEPM installation itself, offers links to preliminary information and to the installation of other administration tools (LiveUpdate Administrator, the Central Quarantine server or console). Under the "Install Symantec Endpoint Protection" menu there are two items, for installing the Manager itself or the unmanaged client. We launch the SEPM installation wizard, which first shows a list of all the steps to follow.

We begin by accepting the license agreement, then select the directory in which SEPM will be installed and click Install. At the end of the installation the management server setup wizard appears, and on its first screen you must decide on the configuration. There are three options: Default (simple installation with one SEPM for a network of fewer than 100 PCs), Custom (custom configuration of parameters, for networks of more than 100 PCs), and restoring settings from a recovery file.

Symantec products use several mechanisms to detect and block zero-day malicious code: Insight, SONAR and Bloodhound. Insight relies on "sensors" located on millions of computers, comparing data exchanged between systems and analyzing a file's age and origin, from which it concludes whether the file is safe. Among other things, it lets scanning use fewer system resources by scanning only files that are exposed to threats. To reduce load, the smart scanner scans files while the system is idle, so the user does not notice the antivirus running. SONAR uses a behavioral and reputational approach, blocking zero-day and highly targeted threats on the basis of analysis and comparison against a profile.
The proactive Bloodhound technology isolates certain areas of files and, when other programs attempt to penetrate this perimeter, analyzes their actions and decides how dangerous they are.

Select the Custom option and enter the number of PCs on the network that SEPM will manage. Since we have only one server so far, in the next step we create a new site. The alternatives are installing an additional server, connecting to an existing site, or installing an additional site. Next we set the site and server names and check the port numbers used by the SEPM components so that they do not conflict with other applications. The next screen asks you to choose between the embedded database (default) and an external one; in the second case you then either create a new database or specify the connection parameters of an existing one. After that, create the administrator account (the login is fixed as admin) by specifying a password and e-mail address. A further password, entered manually or generated automatically, is used to connect clients to the management server; the same password is needed when restoring the anti-virus network, so record it. So that SEPM can send notifications on the administrator's behalf, the next step asks for the SMTP server parameters and the admin address; the Send Test Email button checks them. We then decide whether the SEPM server will send information about the antivirus's operation to Symantec, and wait while the database is initialized. This completes the installation. Check boxes in the last window let you immediately launch the management console and/or the migration wizard from Symantec Antivirus.

SEPM Console

After logging in to the management console, we see a separate window listing initial tasks, links to complete them and a short guide to the product. From here you can check the license status, configure automatic LiveUpdate, deploy agents and configure SEPM server settings. If you close the window, you can return to these tasks quickly by selecting them in the Common Tasks list in the upper right corner.
The console is visually divided into two areas. The main administrator menu (Home, Monitors, Reports, Policies, Clients and Admin) is in the vertical panel on the left; all settings are made in the large area on the right. After selecting certain items, submenus also appear; some are at the bottom of the screen and are not immediately noticeable.
The first page (Home) shows basic information about the global threat level, the protection status of the anti-virus network and access to basic reports, so the administrator can assess the situation immediately after logging in.
Server and administrator account settings are in the Admin menu. Here you can install a new site certificate (a self-signed certificate is generated when SEPM is installed), change the settings of the SEPM servers connected to the console, add or change a domain (after installation there is one, Default), connect LDAP/Active Directory or a replication server, enable RSA SecurID authentication, and much more.

By default the administrator must log in again after 1 hour, which is quite annoying during initial configuration. To change it, go to Admin - Servers - Local Site, click Edit Site Properties and set a higher value under General - Console timeout. Bear in mind that a longer timeout also lengthens the window in which an unattended console session remains usable, so set it back once the initial configuration is done. The remaining sub-panels configure the LiveUpdate connection, tune the web server, allow the administrator password to be reset (if forgotten) and hold other settings.

Summaries of threats, events in the anti-virus network, notifications and a record of the commands issued by the administrator are available in the Monitors menu. Under Reports we find several kinds of reports that present information visually, both graphically and as text.

Client Deployment

Now that the server is configured, you can start connecting client PCs, but first the agent must be installed on the remote systems. To do this, create a package in the SEPM console with the Client Deployment Wizard. The package can then be distributed to PCs in any convenient way: embedded in an image, pushed via AD group policy, or simply run manually on the remote system.

The unmanaged client is installed from the SEPM deployment menu; at the Client Type step you can also pick the Managed Client option, but selecting it only exits the wizard.

The SEPM components use several ports that firewall rules must allow: 8014 (client connections), 8443 (remote server management), 9090 (web console), 8444 (web service), 8765 (server management) and 8445 (reports). Deploying clients requires more: 137-139, 445 and 2967.

Launch the Client Deployment Wizard and select New Package Deployment in the first window. The main settings window follows, where you choose the type of installation package (Win 32/64 or Mac), the group the installation applies to, the set of components (full protection for servers or clients, basic server protection), the content (all or selected) and the operating mode (computer or user). Then choose how the clients will be installed: web link and e-mail, remote push, or simply saving the package for installation or distribution by any other means. In the first option a link is generated, which the user follows to download and install the package themselves (provided they have local administrator rights). In the second the whole process is automatic: the network is searched for computers, the administrator selects the ones needed and starts the installation (credentials of an account with administrator rights are requested). After the agent is installed, the computers must be restarted.
From then on all settings are managed from the SEPM console through policies. To simplify the distribution of similar installations, computers or users are organized into groups.

Selecting the desired group from the list lets you edit its policies and other settings in the area on the right. After installation, the Clients page contains a top-level group, My Company, with one default group, Default Group. The administrator then creates groups on their own (several levels of nesting are supported); group policies can be inherited and groups copied.
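As an added example (my own code, not the article's or Symantec's), the following PowerShell opens the listed ports on the management server's Windows Firewall and checks from a client that each one answers. The port numbers and roles are those listed above; the server name sepm01.corp.example and the client subnet 10.0.0.0/8 are placeholders to replace. It relies on the NetSecurity and NetTCPIP modules, so it runs on Windows 8 / Server 2012 or later, which is newer than the systems the article targets.

```powershell
# Added example, not code from the article or from Symantec.
# Part 1 runs elevated on the SEPM server and creates inbound firewall rules for
# the SEPM listener ports; part 2 runs on a client and probes each port.
# Server name and subnet are assumed placeholders.

# Ports and roles as listed in the article.
$SepmPorts = @{
    8014 = 'Client connections'
    8443 = 'Remote server management'
    9090 = 'Web console'
    8444 = 'Web service'
    8765 = 'Server management'
    8445 = 'Reports'
}

# Part 1: on the SEPM server. Inbound only, Domain profile only, and scoped to
# the given source ranges: 8014 is the only port every client needs, the rest
# are administrative and deserve the narrowest source range you can give them.
function Add-SepmFirewallRules {
    param(
        [hashtable]$Ports = $SepmPorts,
        [string[]]$RemoteAddress = @('10.0.0.0/8')   # assumed placeholder
    )
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $name = "SEPM TCP $port ($($Ports[$port]))"
        # Idempotent: a second run must not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $RemoteAddress -Profile Domain -Action Allow | Out-Null
    }
}

# Part 2: from a client or admin workstation. One row per port, Open = $true
# when a TCP handshake completed.
function Test-SepmReachability {
    param(
        [Parameter(Mandatory)][string]$Server,
        [hashtable]$Ports = $SepmPorts
    )
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $probe = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port = $port
            Role = $Ports[$port]
            Open = $probe.TcpTestSucceeded
        }
    }
}

# Usage (dot-source this file first):
#   on the server:  Add-SepmFirewallRules -RemoteAddress '10.20.0.0/16'
#   on a client:    Test-SepmReachability -Server 'sepm01.corp.example' | Format-Table -AutoSize
```

A client that shows 8014 closed cannot check in at all, which is the first thing to confirm when a freshly deployed client never appears in the console. The console, management and reporting ports should be reachable only from administrator workstations, which is why the rules are scoped to a source range and the Domain profile rather than opened to any address.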

Setting up policies

General settings for the various antivirus components are made in the Policies section. Policies are divided into types that correspond to the antivirus components: Virus and Spyware Protection, Firewall, Intrusion Prevention, Application and Device Control, LiveUpdate and Exceptions. Selecting any of them opens more detailed settings. For example, in the anti-virus and anti-spyware policies we find three presets: recommended, enhanced and high security. Creating a new policy or editing an existing one opens a window with two groups of settings (separately for Windows and Mac). They define file scanning parameters, the use of additional technologies (Insight, SONAR), actions on detection of malicious files, resource usage priority, quarantine, e-mail scanning and much more. Most parameters will be familiar to anyone who has configured a conventional antivirus and firewall. The administrator can allow users to change some settings themselves; these are marked with a padlock icon, and if the lock is closed, local changes are blocked.

Conclusion

Overall, SEP 12 is a very easy-to-use and reliable product whose use should not cause difficulties even for an administrator with little training. The high-quality documentation only makes getting acquainted with it easier.

This document is a translation from English. Changes may have been made to the original English document after the translation was published. Symantec does not guarantee that the translation corresponds to the full English text.

Situation:
This document describes how to install Symantec Endpoint Protection 11.0 on a network that does not contain older versions of Symantec AntiVirus.

Solution:
Installing and configuring Symantec Endpoint Protection Manager
How to configure Symantec Endpoint Protection Manager
  1. In the Management Server Configuration Wizard panel, select a configuration type.
      • Note: If Simple configuration is selected, the SEPM administrator password is used as the encryption password. If the administrator password is subsequently changed, the encryption password remains unchanged, so record the original.
  2. Click Next.
  3. In the Site Type window, select Install the first site and click Next.
  4. In the Server Information window, change or keep the default values for the following fields and click Next:
    • Server name
    • Server port
    • Server data folder
  5. In the Site Name field, change or keep the default name and click Next.
  6. In the Encryption Password window, enter the password in both fields and click Next.
    Record this password when you install Symantec Endpoint Protection in your production environment. It is required for disaster recovery and when adding Enforcer hardware components.
  7. In the Select Database Server window, select Embedded database and click Next.
  8. In the user settings panel, specify the password that must be entered to log in to the console as the "admin" user. Click Next.
Once installation is complete, you can deploy the client using the Migration and Deployment Wizard. Log in to the console with the username and password you specified earlier.

Configuring and Deploying Client Software
The Migration and Deployment Wizard allows you to configure the client software package. You can then run the Push Deployment Wizard to deploy the package. If you choose not to run the Push Deployment Wizard now, it can be launched manually later by running ClientRemote.exe from the \tomcat\bin folder.

Note: The following steps describe installing the client on 32-bit computers (not 64-bit). During installation you will need to specify a folder into which the installation files are copied; it is recommended that you create this folder before starting. The installation must be performed by a Windows domain or workgroup administrator.

When you deploy the client to computers behind a firewall that run Windows XP or Windows Vista, there are additional factors to consider. The firewall must allow remote deployment on TCP port 139. On workgroup computers running Windows XP, simple file sharing must be turned off. To prepare computers running Windows Vista, see "Preparing Windows Computers for Remote Client Deployment" (in English):
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007091021513648
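The prerequisites above can be checked before the wizard is run. The script below is an added example, not part of the KB article: from the SEPM host it tests that TCP 139 (and 445) are reachable on the target, that simple file sharing is off on a workgroup XP machine, and, as my own assumption about what a remote push install needs, that the ADMIN$ share is reachable with the deploying account. ws01.corp.example is a placeholder; Test-NetConnection requires Windows 8 / Server 2012 or later on the machine running the script, while the target may be older.

```powershell
# Added example, not part of the KB article: pre-flight check of a Windows
# workstation before pointing the Push Deployment Wizard at it. Run on the SEPM
# host as the account you will give the wizard. 'ws01.corp.example' is a
# placeholder; the ADMIN$ check is an assumed requirement, not one the KB states.

function Test-PushDeployReadiness {
    param([Parameter(Mandatory)][string]$ComputerName)
    $results = @()

    # 1. SMB ports. 139 is the one the KB names (NetBIOS session); Windows 2000
    #    and later carry the same traffic on 445 as well, so check both.
    foreach ($p in 139, 445) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Check = "TCP $p reachable"
            Pass  = $probe.TcpTestSucceeded
            Note  = 'Blocked by a host or network firewall if false'
        }
    }

    # 2. Simple file sharing. On a workgroup XP machine the switch behind it is
    #    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest: 1 maps every
    #    network logon to Guest, so the admin credentials the wizard prompts for
    #    are silently downgraded and the file copy fails. Read it through the
    #    Remote Registry service rather than WinRM, which XP does not have.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $forceGuest = [int]$lsa.GetValue('ForceGuest', 0)
        $results += [pscustomobject]@{
            Check = 'Simple file sharing off'
            Pass  = ($forceGuest -eq 0)
            Note  = "ForceGuest=$forceGuest (ignored on domain-joined machines)"
        }
    } catch {
        $results += [pscustomobject]@{
            Check = 'Simple file sharing off'
            Pass  = $false
            Note  = "Remote Registry not reachable: $($_.Exception.Message)"
        }
    }

    # 3. Administrative share, using the credentials of the current session
    #    (assumed requirement of a remote push install).
    $results += [pscustomobject]@{
        Check = 'ADMIN$ reachable'
        Pass  = (Test-Path "\\$ComputerName\ADMIN$")
        Note  = 'Needs a local or domain administrator account'
    }

    return $results
}

Test-PushDeployReadiness -ComputerName 'ws01.corp.example' | Format-Table -AutoSize
```

If the checks pass but the wizard has already been dismissed, ClientRemote.exe from \tomcat\bin, mentioned above, relaunches it. The workstation firewall rule that admits TCP 139/445 should allow only the SEPM host as source, not the whole network; the ports are needed for the push and nothing else.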

How to set up a client

  1. In the Management Server Configuration Wizard Completed window, select Yes and click Finish.
  2. In the Welcome to the Migration and Deployment Wizard window, click Next.
  3. In the "Select the action you want" window, select Deploy client and click Next.
  4. In the next window, select Specify the name of the new group to which clients should be added, enter a group name and click Next.
  5. In the next window, deselect the client programs that should not be installed and click Next.
  6. In the next window, specify options for packages, files, and user experience.
  7. Click Browse, select the folder for the installation files and click Open.
  8. Click Next.
  9. In the next window select Yes and click Finish.
Do not enable the option to launch the Admin Console. It may take up to 5 minutes to create and export the installation package for the group. The Push Deployment Wizard then opens.

How to deploy a client using the Push Deployment Wizard

  1. In the Push Deployment Wizard window, in the Available computers list, select the computers on which you want to install the client, and then click Add.
    If the client is deployed locally and Windows Firewall is not configured to allow Java, it may block this feature and display a message asking you to configure it. That window may appear beneath the Push Deployment Wizard window, where the user cannot see it. If the Push Deployment Wizard stops responding, move its window aside and check whether a Windows Firewall message window is hidden underneath.
  2. In the Remote Client Identification window, enter the username and password for the Windows domain or workgroup of these computers and click OK.
  3. Once all computers are selected and shown in the right pane, click Finish.
  4. After installation is complete, click Finish.
Logging in to the console and finding your group
First of all, log in to the console and find your group.

Logging in to the management console
The management console is used to manage clients.

How to log in to the management console

  1. Select Start > Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Console.
  2. In the Symantec Endpoint Protection Manager login window, enter the username admin.
  3. In the password field, enter the administrator account password you specified during installation. Click Login.
Finding your group in the console
After logging in to the console, find the group created during installation and confirm that it contains the computers on which the software was installed.

Activating Symantec Network Access Control
If you purchased Symantec Endpoint Protection along with Symantec Network Access Control, you must complete additional steps to activate Symantec Network Access Control.

How to activate Symantec Network Access Control

  1. Close the Symantec Endpoint Protection Manager console if it is open.
  2. Insert the Symantec Network Access Control product CD.
  3. On the installation panel, select Install Symantec Network Access Control.
  4. Click Install Symantec Endpoint Protection Manager.
  5. In the Management Server Update window, click Next.
  6. Click Continue.
  7. When the Server Update Status window reports that the update was successful, click Next.
  8. Click Finish.
  9. Log in to the Symantec Endpoint Protection Manager console.
  10. On the Policies tab, select Host integrity.
  11. In the right pane, select Host Integrity Policy.
  12. Under Tasks, select Assign Policy.
  13. In the Assign Host Integrity Policy window, select the group to which you want to assign the policy.
  14. Click the button Assign and then click Yes to confirm the change.
Symantec Network Access Control is now enabled in Symantec Endpoint Protection Manager and on clients in the created group.

2024 gtavrl.ru.