
Symantec Endpoint Encryption 11.1.0 Management Server Backup


In this article we will create a backup of the Symantec Endpoint Encryption Management Server database.

Table of Contents

1. SEE Server Backup Steps
2. Disaster Recovery Information Table
3. Database Backup Info Table
4. Active Directory & Installation Files Table
5. Backup a Database using Management Studio

SEE Server Backup Steps

Step 1: Back up the database

Back up your database immediately following the successful installation and configuration of the Symantec Endpoint Encryption Management Server. At scheduled, frequent intervals,

Step 2: Back up important files or save information that you will require when you start the disaster recovery process

  • Password: Save the Symantec Endpoint Encryption Management password.
  • Certificate: Save the Web Server SSL certificate and the Removable Media Encryption Recovery Certificate, if any.
  • Database: Back up and save the database backup file (.bak).
  • Active Directory settings: Forest name, server name, domain name, and Active Directory's Administrator account name and password.
  • Management Server information: Save the MSI files of SEE.

Step 3: Copy the files you backed up off-site

Store the backed-up data off-site at a secure location.

Step 4: Test your backup strategy

Simulate a mock-disaster situation and try to restore all backed-up files and the database, and re-establish communication between server and clients.

Disaster Recovery Information Table

Management password: Symantec
Database files: Path to your .bak file
Server certificate: If any
Server installation files: C:\Users\hardeepsinh.gohil\Desktop\SEE_11.1.0
Port numbers: 8080, 999, 443 (any defined)
Domain name: Sequretek.com
IP address of Management Server: 192.168.0.209
Host name of server: Server2008

Database Backup Info Table

Management password: Symantec
Web Server SSL certificate: Path, if any
Removable Media Encryption Recovery Certificate: Path, if any
Database backup file (.bak): C:\Users\hardeepsinh.gohil\Desktop\SEE_dbBackup
Database certificate: If any
Database server name: Server2008\SQLEXPRESS (Computer Name\Instance Name)
Database port number: Specify port number
Database account: SEQURETEK.COM\hardeepsinh.gohil

Active Directory & Installation Files Table

Forest name: Sequretek.com
Server name: Server2008
Domain name: Sequretek.com
Administrator account name: SEQURETEK.COM\Hardeepsinh.gohil
Administrator account password: Passw0rd
Management Server MSI (installation files): C:\Users\hardeepsinh.gohil\Desktop\SEE_11.1.0

For more information on Active Directory:

https://technet.microsoft.com/en-us/sysinternals/adexplorer.aspx

Backup a Database using Management Studio

1. Connect to your database using SQL Server Management Studio.

2. Find your database (for example: SEEMSDb).

3. Right-click your database > Tasks > Back Up.

4. Verify the destination directory.

5. Success.

Put all of your backup files in a safe and secure place.


AC and HI Policy to help with Ransomware


Hi all, 

Please find attached a set of policies created by SEs and BCS to help with ransomware. It is not a protective policy but helps detect this kind of malware.

Just for the sake of good order: this is not an officially supported policy, and use is at your own risk.

So please test it extensively before taking it into production.

Feedback very welcome.

Sven

How-To Harden Cryptolocker file encoding attempts with SEPM Application Control


SEPM AppDevCtrl acts as a versatile Swiss Army knife and can be used as a precision tool as well as a general solution. Take care when using it, as it is easy to break your system with a misconfigured rule.

The policies described here put strong rules into effect, so it is recommended to enable only "Testing mode" at first, and on a test system.

After testing, mass distribution of this ruleset can be orchestrated with SEPM Group Management.

The following shows how to defend an enterprise's critical files (Word and Excel documents, etc.) from unauthorized access, such as CryptoLocker or other ransomware encryption. Make an Application Control rule with the following in mind:

  • Monitor every process except Word, Excel, Windows processes, SEP processes, and legitimate enterprise applications, such as a filing app.

  • Monitor the file accesses of the non-whitelisted processes. If the file is a *.doc, *.docx, *.xls or *.xlsx, block the access; otherwise allow it.

From the testing logs, we can tune our whitelist. Once the log shows no denies for valid applications, distribute the rule to the production system. It is also recommended to run only in test mode for a few days on the live system, since there might be legitimate processes trying to access these files that did not occur in the test environment.

Naturally, the monitored files/extensions can be broadened, but keep in mind to broaden the whitelisted applications as well, and re-test the rule after changes.

You can find the settings for sending mail to administrators at the following link:

https://www-secure.symantec.com/connect/articles/d...

at section 2: "Create a "Notification condition" under Monitors/Notifications:"
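
The rule logic described above, sketched as an added shell example (not part of the original article and not Symantec code): it evaluates process/file pairs against a whitelist and the four protected extensions, then tallies which processes would be denied so the whitelist can be reviewed. The whitelist entries and the "process|file" sample records are constructed for illustration and are not a SEP log format.

```shell
#!/bin/sh
# Added example: models the Application Control rule so the effect of a
# whitelist can be reasoned about before it is built in SEPM.
# Assumptions: the names in WHITELIST are placeholders, and the sample
# records are constructed for this example.

WHITELIST="winword.exe excel.exe explorer.exe smc.exe filingapp.exe"
PROTECTED_EXT="doc docx xls xlsx"

# Windows names are case-insensitive: compare lower-cased bare file names.
lower_basename() {
    n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    n=${n##*\\}
    printf '%s' "${n##*/}"
}

# Prints "allow" or "deny" for one process/file pair.
access_decision() {
    proc=$(lower_basename "$1")
    file=$(lower_basename "$2")
    # Whitelisted processes are not monitored at all.
    for w in $WHITELIST; do
        if [ "$proc" = "$w" ]; then echo allow; return 0; fi
    done
    # Everything else is monitored; only protected extensions are blocked.
    case $file in
        *.*) ext=${file##*.} ;;
        *)   ext= ;;
    esac
    for e in $PROTECTED_EXT; do
        if [ "$ext" = "$e" ]; then echo deny; return 0; fi
    done
    echo allow
}

# Reads "process|file" lines on stdin and prints "count process" for every
# process that would be denied, most frequent first. This is the review list
# used to decide what still belongs on the whitelist.
denied_processes() {
    while IFS='|' read -r p f; do
        [ -n "$p" ] || continue
        if [ "$(access_decision "$p" "$f")" = deny ]; then
            lower_basename "$p"; echo
        fi
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed test-mode observations (process|file).
sample_records() {
cat <<'EOF'
C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\amy\report.docx
C:\Users\amy\AppData\Local\Temp\upd8.exe|C:\Users\amy\report.docx
C:\Users\amy\AppData\Local\Temp\upd8.exe|C:\Users\amy\budget.XLSX
C:\Tools\backup_agent.exe|D:\Share\plan.doc
C:\Tools\backup_agent.exe|D:\Share\photo.jpg
EOF
}

sample_records | denied_processes
```

In the sample, backup_agent.exe stands for a legitimate tool that was not on the whitelist yet, which is exactly the kind of entry the test-mode phase is meant to surface.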

Problems with clickonce


We have two applications with ClickOnce installation: Mangoclient.exe and polisportmessenger.exe (this application was created by our organization).

In our SEPM we configure both applications to be ignored. Below you can see the exception policy.

We have 25 machines with SEP and, on some machines, the applications described above are blocked and removed.

[Screenshots: 11.JPG, 22.JPG, 3.JPG, 4.JPG, 5.JPG]

Best Regards

Vladimiro Oliveira

Symantec Endpoint Encryption Initial server configuration in windows server 2008 R2 using Power Script

Symantec Endpoint Encryption 11.1.0 Initial Server Configuration on Windows Server 2008

Here we assume that you have a compatible database already created for use with SEE.
System requirements and compatible versions of MSSQL can be found here:
http://www.symantec.com/docs/TECH224478

For the initial setup of the server before installation, follow the setup steps below:

On Microsoft Windows Server 2008

To enable the web server (IIS) server role and role services on Microsoft Windows Server 2008:

1. Click Start > Administrative Tools > Server Manager.

2. In the left pane of the Server Manager snap-in, right-click Roles and click Add roles.

3. On the welcome page of the Add Roles Wizard, click Next.

4. On the Select Server Roles page, select Web Server (IIS).

5. Click Next and then click Next again.

6. On the Select Role Services page, go to Web Server > Application Development and click ASP.NET.

7. On the Add role services and features required for ASP.NET dialog box, click Add Required Role Services.

    Selecting this option also automatically selects .NET Extensibility, ISAPI Extensions, and ISAPI Filters.

8. Expand the Security option and then click Basic Authentication.

9. Expand Management Tools and check IIS Management Scripts and Tools. Check IIS 6 Management Compatibility.

    Make sure all the components under Management Compatibility are also checked.

10. Click Next and then click Install.

11. After the Add Roles Wizard indicates that the installation is successful, click Close.

12. In the left pane of the Server Manager snap-in, right-click Features and click Add features.

13. In the Select Features window, select .NET Framework 3.5.1 features.

14. Select Group Policy Management.

15. Expand Remote Server Administration Tools > Role Administration Tools and select AD DS and AD LDS Tools.

16. Click Next and then click Install.

17. After the Add Roles Wizard indicates that the installation is successful, click Close.

OR

Just follow the few steps below.

Enable roles and features using a PowerShell script in just 2 simple steps.

I created a simple yet powerful PowerShell script which does all the hard work for you in just a few clicks.

Here is the method to execute it in PowerShell.

Download the file from the attachment: SEE Roles & Features.PS1

1. Run PowerShell as Administrator.

2. Open the downloaded file in Notepad (SEE Roles & Features.PS1).

3. Copy everything and paste it into PowerShell.

4. Just hit Enter, sit back and relax. It will automatically restart your computer.

OR

Enable Roles and Features Manually

1. Open the Server Manager, and select “Add Roles”.

2. Click “Next”.

3. Select “Web Server (IIS)”.

4. Click “Next”. Click “Install”.

5. Go to Web Server (IIS).

6. Select Add Role Services and verify that ASP.NET is checked.

7. Add Role Services > Management Tools.

8. Add Feature > .NET Framework 3.5.1

9. Add Feature > Select Group Policy Management

10. Add Features > Remote Server Administration Tools

11. Add Features > AD DS and AD LDS Tools

OR

You can download the SEE Roles & Features.PS1 file from the attachment and just run it in PowerShell to automate the whole process.

Modify the script if needed.

How to have latest SEP Clients on SEPM for Deployments (v12.1.6 MP4)


It is possible to add the latest version of the SEP Client installer without having to upgrade the SEPM server to the latest version. While it’s always recommended that SEPM is updated at the same time, there may be a case where you need to plan this upgrade for a later time but need to deploy the latest version of SEP Client; this is how you can do it.

Firstly, you will need to grab your Symantec serial number and head over to https://fileconnect.symantec.com – enter your serial number and navigate your way into “Symantec Endpoint Protection” – from there, pick the language you want to use. For this article, I’ve picked ‘International English’ and you will be taken to the download page.

From there, pick the 2nd choice (Full Installation). It contains Windows, Mac & Linux clients at the current version (at the time of writing this, v12.1.6 MP4) – I preferred this version because the SEP clients come with an .info file which will make copying to the SEPM console very easy, which I will explain later on in this article. Also the SEPM installer is included with this, which you can use for future planning & upgrading. So it’s like killing two birds with one stone by using a single download file! :)

Start the download & save it. For best practice, I would recommend that you run an MD5 signature checker against the MD5 number displayed on the download page to ensure the download is not corrupted. I use WinMD5, which is freeware, to compare the signatures.

Once matched and you’re happy with it, copy the file over to the server and extract them in a suitable location. For this example, I used D:\Sources\SEPM v12.1.6 MP4 to extract the files into this but don’t start the installer. Cancel any prompts if any.

Now, launch the SEPM console and go to Admin -> Install Package and ensure that ‘Client Install Package’ is selected. Then from there, click on ‘Add a Client Install Package’


The ‘Add a Client Install package’ window will pop up. This is where you fill in the details. Click on the Browse button and go to the location where you saved the extracted files to. For this example, I’ve gone to D:\Sources\SEPM v12.1.6 MP4\SEPM\Packages

Here, you will find the .info files – click on one of them and then finally click on the OK button. It will begin importing into SEP & updating the database. It will take around 5 minutes or so. Repeat for other clients.


Once completed, you will have a list with the latest SEP clients. You can remove the old versions if you like, but hold off with that until you’re happy with the new versions on some machines for testing, for example.

For others who have more than one Domain, there are two ways to do this, depending on how you set up your Domains:

  1. If you have Replication set up to sync clients, you do not need to do anything and the latest SEP clients will be synced across.

  2. If you do not have Replication set up to sync clients, change Domain and follow the steps above to add them manually.

And this is how you add the latest SEP Client to SEPM, ready for deployments to your clients across the network.

Helpful links

WinMD5: http://www.winmd5.com

A guide to Endpoint Protection files on FileConnect: https://support.symantec.com/en_US/article.INFO2576.html

Download the latest version of Symantec Endpoint Protection: https://support.symantec.com/en_US/article.TECH103088.html

Configuring SEP Client Logging and External Logging

The external logging feature in the Symantec Endpoint Protection Manager (SEPM) allows for saving log data outside of a SEPM server.

There are two methods:

  1. Exporting log data to a dump file
  2. Exporting log data to an external logging server.

Both methods are configured in the SEPM console. The following is a high-level overview of the related logging options.

The client-logging configuration can be done without setting up external logging.

Obtaining Log Files from Managed Clients

Generally, it is desirable to gather log data from managed SEP clients. There are two locations in the SEPM to configure logging options for clients and to instruct them to send log data to the SEPM.

Note: It is important to consider disk space requirements on the SEPM and on the clients when gathering log data from clients.

The first location is in the Clients, <Site/Group>, Client Log Settings screen.

The second location is in the Virus and Spyware Protection policy applied to clients. Note that there could be multiple policies for managing a variety of clients, and each policy assigned to clients will require logging configuration. (If groups inherit settings from the parent site, only the parent site will need to be modified.)

When editing a policy, a new screen will appear over the main SEPM screen that contains these logging options.

Configuring External Logging in the SEPM Console

Now that clients are sending log data to the SEPM, it may be desirable to save that log data externally, either to dump files or to an external logging server.

To configure external logging, browse to the following location in the SEPM console:

Admin, Servers, <Site>, Configure External Logging


References:

http://www.symantec.com/docs/HOWTO81168 - Exporting log data to a text file

http://www.symantec.com/docs/HOWTO81169 - Exporting Data to a Syslog Server

Best Practices for a Successful DLP Implementation

Hi All,

I have been working on DLP for a long time, almost more than 4 years, in different roles ranging from planning, implementation, administration and incident management to consulting. The best practices below are consolidated from various sources such as Symantec.

A successful DLP program requires the 5 attributes below:

[Image: dlp1.jpg]

DLP Data Governance Framework

[Image: DLP fram.png]

Below are some of the best practices that should be adopted in order to have a successful pre and post DLP deployment:

  • While choosing a DLP product, organizations should check whether the DLP product supports the data formats in which data is stored in their environment.
  • After choosing a DLP product, DLP implementation should start with a minimal base to handle false positives, and the base should grow as more critical or sensitive data is identified.
  • DLP operations should be effective in triaging to eliminate false positives and in fine-tuning DLP policies.
  • Update risk profiles regularly and document DLP incidents thoroughly.
  • A proper DLP Discovery tool will accurately locate unencrypted PCI wherever it resides; DLP processes guide users to automatically encrypt the information, remove the information, or apply other remediation according to the defined policies of the organization.
  • Continuous DLP Discovery scanning may be applied at the desired frequency or on demand to audit security status and maintain awareness of PCI data locations. DLP Endpoint will control the copying of unencrypted PCI on connected devices.
  • Identify potential places where PCI information might leak. For most organizations it is recommended to inspect the following channels:
      • Email – Consider all outbound email traffic, including attachments.
      • Web traffic – Gmail and other webmail providers, Facebook and other social media sites should be monitored.
      • Other protocols – In particular, unencrypted communications should not be crossing the organizational firewall without first identifying the information.
      • Data storage – Identify and categorize the information on all storage under control of the organization, including file servers, file shares, SAN, SharePoint servers, user home directories, workstations and laptops, in order to determine the assets requiring review and inspection.
      • USB, DVD – Consider workstations that allow USB mass storage or DVD burning, and any devices that can be physically disconnected and carried away.
  • Scan data stores for PCI information. Once assets have been determined, identify any potential regulated or sensitive information on that information asset.
  • Apply controls. Repeat these steps until a satisfactory level of understanding is developed in the form of a map to the protected information, and appropriate controls are in place and understood by the stakeholders and system users.

Best practices which can be implemented as per organization culture and policy:

  • Identify and classify the data
  • Provide view-only access
  • Implement a data management life cycle
  • Do not allow unauthorized devices in your network
  • Do not permit copying of sensitive data onto removable media
  • Improve authorization and access control measures
  • Understand the flow of data in your network
  • Understand your policies and create awareness
  • Audit your own compliance
  • Block wireless communication
  • Make all USB removable storage read-only except authorized devices
  • Block files containing personal identity information
  • Disable all CD/DVD burners from writing
  • Once policies have matured, start blocking one policy at a time

How to install SEP 12.1.6 MP3 on Linux RHEL 7.2


I had to check several different documents for information on preparing and installing SEP 12.1.6 on RHEL 7.2 so I decided to create the following concise guide. 

Pre-installation Requirements

  1. Download and install Oracle Java from: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html.

    I prefer the RPM version of the JDK because it will run immediately and automatically after the download completes. Alternatively, the command line to manually install the rpm version is:  rpm -i <filename.rpm>
     

  2. Install the JCE components
    1. Download the files from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. (This link will change slightly as new versions are released. This link was the latest version available as of February 2016.)
    2. Unzip the file. It will contain two .jar files which may be in a subdirectory similar to "UnlimitedJCEPolicyJDK8".
    3. Copy the two *.jar files to the following directory, overwriting the original files with the same name. (Make a backup of the two original files beforehand, if desired.)

            /usr/java/<java build #>/jre/lib/security/
       

  3. Run the following command to install other required and recommended components:

    1. yum install glibc.i686 libgcc.i686 libX11.i686
    2. See http://www.symantec.com/docs/TECH228118 for related info.

SEP Installation:

  1. The SEPM should have a Linux package file named SymantecEndpointProtection.zip. Copy the zip file (using scp, pscp or a similar tool) to the Linux box.
  2. Put the zip file in a new subdirectory and unzip SymantecEndpointProtection.zip.
  3. Run: chmod 755 install.sh
  4. Run: ./install.sh -i

The installation should complete, barring any other issues. 
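
Step 2.3 of the pre-installation requirements (overwriting the two JCE .jar files after backing up the originals), as an added shell example that is not part of the original guide. The function name and the .orig backup suffix are choices made for this example; both directories are passed as arguments, so nothing is assumed about the Java build number.

```shell
#!/bin/sh
# Added example: replace the JCE policy .jar files with a backup of the
# originals and a sanity check before anything is overwritten.
#   $1 = directory the download was unzipped into
#   $2 = the .../jre/lib/security/ directory of the installed Java

install_jce_jars() {
    src=$1
    sec=$2
    if [ ! -d "$src" ] || [ ! -d "$sec" ]; then
        echo "usage: install_jce_jars <unzipped-dir> <security-dir>" >&2
        return 2
    fi

    # The archive may unpack into a subdirectory, so search below $src.
    list=$(find "$src" -type f -name '*.jar' | sort)
    count=$(printf '%s' "$list" | grep -c . || true)
    if [ "$count" -ne 2 ]; then
        echo "expected 2 .jar files under $src, found $count" >&2
        return 3
    fi

    # Pass 1: each new file must replace an existing file of the same name.
    # If not, the wrong directory was given and nothing is touched.
    printf '%s\n' "$list" | while IFS= read -r jar; do
        [ -f "$sec/$(basename "$jar")" ] || exit 1
    done || { echo "a .jar has no counterpart in $sec" >&2; return 4; }

    # Pass 2: keep the first backup ever taken, then overwrite and verify.
    printf '%s\n' "$list" | while IFS= read -r jar; do
        target=$sec/$(basename "$jar")
        if [ ! -e "$target.orig" ]; then
            cp -p "$target" "$target.orig" || exit 1
        fi
        cp "$jar" "$target" || exit 1
        cmp -s "$jar" "$target" || exit 1
    done || { echo "copy failed; originals are kept as *.orig" >&2; return 5; }

    return 0
}

# Runs only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    install_jce_jars "$1" "$2"
fi
```

Running it a second time leaves the .orig files untouched, so the backup always holds the files that shipped with the JDK.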

Log Files for SEP 12.1.6 for Linux


Installation logs:

  • /root/sepap-install.log
  • /root/sepap-legacy-install.log
  • /root/sepfl-install.log
  • /root/sepfl-kbuild.log
  • /root/sep-install.log
  • /root/sepjlu-install.log
  • /root/sepui-install.log

Note: Not all of the above install log files may be present, depending on version, components, etc.

Main Client Log Directory

‘ll’ listing of /var/symantec/Logs/

============================

-rw-------. 1 root root    1489 Feb  9 16:29 02092016.log
-rw-------. 1 root root 5989001 Feb 10 12:14 02102016.log
-rw-------. 1 root root 5988807 Feb 11 01:02 02112016.log
-rw-------. 1 root root    1227 Feb 11 01:06 AVMan.log
-rw-------. 1 root root     238 Feb  9 15:48 debug.log ***
-rw-------. 1 root root       0 Feb  9 15:48 LUMan.log
-rw-------. 1 root root      72 Feb  9 15:48 seclog.log
-rw-------. 1 root root     151 Feb 11 01:02 serialize.dat
-rw-------. 1 root root    3640 Feb 11 08:42 syslog.log

============================

Other Log files:

  • /opt/Symantec/LiveUpdate/liveupdt.log
  • /opt/Symantec/symantec_antivirus/vpdebug.log ***
  • /opt/Symantec/virusdefs/defutil.log ***
  • /var/log/messages (system daemon logging for smcd, rtvscand, and symcfgd)

*** These logs do not exist until they are specifically configured. See links to articles below for more details. 

For information on running sadiag.sh for linux, see: http://www.symantec.com/docs/HOWTO111042.
 

For additional configuration and logging info, see http://www.symantec.com/docs/TECH229238.

SEP 12.1.6 for Linux Footprint


Installation Logs

/root/sep-install.log

/root/sepap-install.log

/root/sepap-legacy-install.log

/root/sepfl-install.log

/root/sepfl-kbuild.log

/root/sepjlu-install.log

/root/sepui-install.log

*** Not all of these logs may be present, depending on version, components installed, etc.

System startup files

/etc/init.d/autoprotect

/etc/init.d/rtvscand

/etc/init.d/smcd

/etc/init.d/symcfgd

/etc/rc*.d/ with the four files listed in init.d

Main SEP directory

/opt/Symantec/

/opt/Symantec/autoprotect/

/opt/Symantec/autoprotect/symap*.ko

/opt/Symantec/autoprotect/symev*.ko

/opt/Symantec/bin/

/opt/Symantec/bin/navdefutil

/opt/Symantec/LiveUpdate/

/opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar

/opt/Symantec/LiveUpdate/jlu-3.10.0.26.jar

/opt/Symantec/LiveUpdate/jlu.jar

/opt/Symantec/LiveUpdate/jluold.jar

/opt/Symantec/LiveUpdate/liveupdt.log

/opt/Symantec/LiveUpdate/tmp

/opt/Symantec/LiveUpdate/uninstall-3.10.0.26.sh

/opt/Symantec/LiveUpdate/uninstall.sh

/opt/Symantec/symantec_antivirus/

/opt/Symantec/symantec_antivirus/libecomlodrlin.so

/opt/Symantec/symantec_antivirus/libpatchapp.so

/opt/Symantec/symantec_antivirus/libsep-cve.so

/opt/Symantec/symantec_antivirus/libsep-cve.so.1 -> libsep-cve.so

/opt/Symantec/symantec_antivirus/libsep-util.so

/opt/Symantec/symantec_antivirus/libsep-util.so.1 -> libsep-util.so

/opt/Symantec/symantec_antivirus/libsepcommon.so

/opt/Symantec/symantec_antivirus/libsepcommon.so.1 -> libsepcommon.so

/opt/Symantec/symantec_antivirus/libSlicMan.so

/opt/Symantec/symantec_antivirus/libSlicMan.so.1 -> libSlicMan.so

/opt/Symantec/symantec_antivirus/libSyLog.so

/opt/Symantec/symantec_antivirus/libSyLog.so.1 -> libSyLog.so

/opt/Symantec/symantec_antivirus/plugins/

/opt/Symantec/symantec_antivirus/plugins/AVMan.plg

/opt/Symantec/symantec_antivirus/plugins/LuMan.plg

/opt/Symantec/symantec_antivirus/rtvscand

/opt/Symantec/symantec_antivirus/sadiag.sh

/opt/Symantec/symantec_antivirus/sav

/opt/Symantec/symantec_antivirus/savluwrap

/opt/Symantec/symantec_antivirus/savtray

/opt/Symantec/symantec_antivirus/smcd

/opt/Symantec/symantec_antivirus/symcfg

/opt/Symantec/symantec_antivirus/symcfgd

/opt/Symantec/symantec_antivirus/symcfgdata.inf

/opt/Symantec/symantec_antivirus/symcfgpop

/opt/Symantec/symantec_antivirus/tools/

/opt/Symantec/symantec_antivirus/tools/libgcc_s.so.1

/opt/Symantec/symantec_antivirus/tools/liblog4cpp.so.4

/opt/Symantec/symantec_antivirus/tools/libstdc++.so.6

/opt/Symantec/symantec_antivirus/uninstall.sh

/opt/Symantec/symantec_antivirus/unsupported/

/opt/Symantec/symantec_antivirus/unsupported/xsymcfg

/opt/Symantec/symantec_antivirus/update_java_home.sh

/opt/Symantec/symantec_antivirus/upgrade.sh

/opt/Symantec/symantec_antivirus/vpdebug.log

/opt/Symantec/virusdefs/

/opt/Symantec/virusdefs/20160210.052/

/opt/Symantec/virusdefs/20160210.052/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)

/opt/Symantec/virusdefs/20160211.002/

/opt/Symantec/virusdefs/20160211.002/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)

/opt/Symantec/virusdefs/binhub/

/opt/Symantec/virusdefs/binhub/*dat, *sig, *txt, *so, *grd, *inf files (35 files total)

/opt/Symantec/virusdefs/definfo.dat

/opt/Symantec/virusdefs/defutil.log

/opt/Symantec/virusdefs/incoming

/opt/Symantec/virusdefs/temp

/opt/Symantec/virusdefs/texthub

/opt/Symantec/virusdefs/usage.dat

Main SEP Configuration & Log directory

/var/symantec/

/var/symantec/auto/            

/var/symantec/commandStatus.xml     

/var/symantec/communicationData.xml 

/var/symantec/heartbeatStatus.txt 

/var/symantec/index2.xml           

/var/symantec/licenseInfo.xml     

/var/symantec/Logs/ 

/var/symantec/Logs/02092016.log

/var/symantec/Logs/02102016.log

/var/symantec/Logs/02112016.log

/var/symantec/Logs/AVMan.log

/var/symantec/Logs/debug.log

/var/symantec/Logs/LUMan.log

/var/symantec/Logs/seclog.log

/var/symantec/Logs/serialize.dat

/var/symantec/Logs/syslog.log

/var/symantec/pending/

/var/symantec/pending/AVManOpstateInfo.xml

/var/symantec/pending/LUManOpstateInfo.xml

/var/symantec/pending/sepOpstateInfo.xml

/var/symantec/Quarantine 

/var/symantec/registration.xml

/var/symantec/registrationInfo.xml 

/var/symantec/sent/

/var/symantec/sent/AVManOpstateInfo.xml

/var/symantec/sent/LUManOpstateInfo.xml

/var/symantec/sent/sepOpstateInfo.xml

/var/symantec/serdef.dat

Other Configuration Files

/etc/liveupdate.conf

/etc/Symantec.conf

/etc/symc-defutils.conf

/etc/symantec/

/etc/symantec/dec3.cfg 

/etc/symantec/log4j.properties 

/etc/symantec/NLS 

/etc/symantec/NLS/15/rtvscan.msg

/etc/symantec/sep.slf 

/etc/symantec/setAid.ini 

/etc/symantec/setup.ini 

/etc/symantec/sylink.xml 

/etc/symantec/VPREGDB.BAK 

/etc/symantec/VPREGDB.DAT 

/etc/symantec/VPREGDB.SAV

Process Related Files
 

/etc/sysconfig/smcd

/etc/sysconfig/rtvscand

/etc/sysconfig/symcfgd

Hint: Try running this command to see the smcd, rtvscand and symcfgd processes:

      systemctl -a | grep -i symantec

Note that the ‘autoprotect’ service may also be running, depending on configuration settings.

Detecting Cryptolocker activity with Symantec Endpoint Protection


1. Create an "Application and Device Control" rule.

"Apply this rule to the following processes:" *


Add "File and Folder Access Attempts"

1.1. "Properties" of File and Folder Access Attempts


Apply to the following files and folders:

decrypt all*.txt

decrypt_instruction*.txt

*.doc.???????

*.docx.???????

*.xls.???????

*.xlsx.???????

*.pdf.???????

*.rtf.???????

*.txt.???????

*.zip.???????

*.pst.???????

*.locky

*.crypted

*.encryptedRSA

Do not apply to the following files and folders:

*.???.???

*.partial

1.2. "Actions":

Under "Launch Process Attempts":

Properties:

Apply to the following processes:

MD5 hashes of new "cryptolocker" and "download.ponic" variants

Actions:

Terminate process, Enable logging, severity - 0, Send e-mail alert.

2. Create a "Notification condition" under Monitors/Notifications:

Done.

When the malware performs an action (encrypts any files), SEPM sends a mail to the system administrators.
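
To see which file names the pattern lists in step 1.1 would and would not trigger on, here is an added shell example (not part of the original article and not Symantec code) that applies the same include and exclude patterns with shell globs. It assumes that "*" matches any run of characters, "?" exactly one character, that matching is case-insensitive on the bare file name, and that an exclusion overrides an include; the sample paths are constructed.

```shell
#!/bin/sh
# Added example: evaluates file names against the include and exclude
# patterns of the rule above, using shell globs as a stand-in for SEP's
# wildcard matching (see the assumptions in the lead-in).

# Returns 0 if the rule would fire on the given path, 1 otherwise.
rule_matches() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    name=${name##*\\}          # drop a Windows directory prefix
    name=${name##*/}

    # "Do not apply to" list: two stacked three-character extensions, and
    # partial downloads. ".partial" is seven characters long, so without
    # this exclusion it would hit the "???????" patterns below.
    case $name in
        *.???.???|*.partial) return 1 ;;
    esac

    case $name in
        # Ransom notes dropped next to the encrypted files.
        decrypt\ all*.txt|decrypt_instruction*.txt) return 0 ;;
        # A document extension followed by an appended seven-character one.
        *.doc.???????|*.docx.???????|*.xls.???????|*.xlsx.???????) return 0 ;;
        *.pdf.???????|*.rtf.???????|*.txt.???????) return 0 ;;
        *.zip.???????|*.pst.???????) return 0 ;;
        # Fixed appended extensions (lower-cased to match the input).
        *.locky|*.crypted|*.encryptedrsa) return 0 ;;
    esac
    return 1
}

# Reads one path per line on stdin and prints those the rule would fire on.
rule_hits() {
    while IFS= read -r path; do
        if rule_matches "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed file names, not taken from a real incident.
sample_paths() {
cat <<'EOF'
C:\Users\amy\Q1 report.docx.qwertyu
C:\Users\amy\invoice.xls.partial
C:\Users\amy\DECRYPT_INSTRUCTIONS.TXT
C:\Users\amy\thesis.pdf.locky
C:\Users\amy\notes.doc.bak
C:\Users\amy\photo.jpg
EOF
}

sample_paths | rule_hits
```

Running candidate file names from your own environment through rule_hits before enabling the rule shows which legitimate naming schemes (backup suffixes, download temp files) need an additional exclusion.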

SEPM 12.1.6 MP4 Has Been Released - Includes Win10 Fixes!


This is the moment you’ve been waiting for – Symantec has released Symantec Endpoint Protection (SEP) 12.1 Release Update 6 Maintenance Pack 4 (12.1.6 MP4). The exact version is 12.1.6860.6400. Hooray!!!

You can grab a copy from FileConnect using your serial number.

This release includes the fixes where SEP Client would roll back if you have “Cumulative Update for Windows 10” (KB3140743) installed on your Windows 10 Build 1511 platform. So if you have been experiencing this issue, this newly released update is for you.

And there are other fixes as well – have a read at http://www.symantec.com/docs/INFO3517

The Release Notes can be found at http://www.symantec.com/docs/DOC9223 where you can download the PDF.

The System Requirements have been updated as well to include the latest version, but I can’t see much change compared with the previous revision - http://www.symantec.com/docs/TECH231877

And finally, the bonus with this new release is that it has fixed a few security vulnerabilities, which you can read more about at https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160317_00 – this is covered on both SEPM and SEP client. So it’s worthwhile upgrading the SEPM console too.

As always, TEST, TEST, TEST. And TEST this on the development network before releasing this to your live production network. Unless you’re feeling brave. ;)

Has anyone come across any issue/bugs with this new release? If so, share your findings by replying here.

Accessing encrypted computer (Symantec Encryption Desktop) if normal login failed

At some point it might happen that a computer encrypted with Symantec Encryption Desktop (SED) cannot be accessed. There are many reasons why this happens; here are some tips for finding a way to authenticate or decrypt the drive:
1. First of all, if the machine is not locked, ensure the correct passphrase is entered. In the BootGuard window, the "tab" key can be pressed to show the characters of the passphrase.
[Screenshots: the sample passphrase “MyP@ssphras3” written with hidden characters (default), and revealed once “tab” was pressed]

2. In that case, authentication can be to another user’s passphrase (if another user was added to the disk) or using the Admin passphrase.

3. Usually after few unsuccessful attempts the disk is locked. Here is shown when the disk is already locked:
04 - locked.JPG

If this is the case, the next attempt would be to use Local Self Recovery (LSR) if it was configured before. This is a set of 5 questions to be answered. At least 3 of the answers need to be correct to authenticate. To use it, select "Forgot Passphrase" from bottom-right corner:
05 - LSR1.JPG

and answer the questions (answers will be visible by default):
05d - LSR - questions.JPG

A failed attempt takes you back to the first question with the “Incorrect authentication, please try again” message:
05e - LSR - incorrect answers.JPG

4. If LSR was not configured, or the answers were incorrect, the Whole Disk Recovery Token (WDRT) can be used. This is a 28-character token (it looks like “ECYH0-BY95Y-YCDPH-UKB29-3A2F5-6MJ”, without the quotes). In managed environments, it is one-time use only (a new one is generated after each use). The Helpdesk or Administrator should be asked for the current WDRT. If SED is standalone, the WDRT is generated on first encryption and shown in the following pop-up:
06 - unmanaged WDRT.JPG

and it can be used multiple times until it is manually regenerated, or the disk is decrypted and then encrypted again. Since it is displayed only once, it has to be kept in a secure place, as the pop-up displayed on first encryption advises.
The WDRT needs to be entered in the same place as the passphrase. Be sure to press the “tab” key so all characters can be seen. The token is not case sensitive, so it can be written in lowercase or capital letters, and with or without dashes between the characters:
07a - entering WDRT.JPG

07b - entering WDRT.JPG

5. In some rare cases, the WDRT is not accepted. One of the reasons is that an old WDRT was used. In that case, in managed environments, the list of all generated tokens might be taken directly from the database. In this situation a formal case with Technical Support should be opened.

6. If there is still no solution, the disk should be slaved to another machine with PGP installed, where the following pgpwde commands can be run from the command line. Be aware that all command options after pgpwde are preceded by a double hyphen (--):
- Navigate to the “PGP Desktop” folder with:
cd "C:\Program Files (x86)\PGP Corporation\PGP Desktop"

- To find the disk number of the encrypted boot drive, run:
pgpwde --enum

- Assuming that the affected drive is "1", run this to see the status of the disk (whether it is encrypted or only instrumented):
pgpwde --disk-status --disk 1

- Check whether there are users assigned to this disk; the passphrase of any assigned user can be used for the decryption. The command is:
pgpwde --list-users --disk 1

- The next command to run is the decryption command:
pgpwde --decrypt --disk 1 --passphrase <user-passphrase>

where "<user-passphrase>" is the passphrase of any user found in the previous step.

- If, for some reason, this does not work, the following command can be used to check whether any of the known passphrases are correct:
pgpwde --auth --disk 1 --passphrase <user-passphrase>

Again, if the passphrase is found, it can be used for the decryption described in the previous step.

- Decryption can also be done with the Admin passphrase (if the Drive Encryption policy has Admin added for disk decryption). The syntax for decrypting is the same.

7. If still unsuccessful, there is also a chance to decrypt the disk if the Additional Decryption Key (ADK) was created before the disk was encrypted. The keyID of the ADK and its passphrase need to be looked up, as these are used in the command. Once these are known, the following command is used to decrypt the drive:
pgpwde --decrypt --keyid <ADK-keyID> --disk <disk-number> --passphrase <ADK-passphrase>

How-To: Automatically download and install Rapid Updates for SEP Manager


In the SEP Manager UI, there is no setting available to make the system download Rapid virus definitions automatically. The latest Rapid definitions can only be installed by downloading them manually and copying them to a certain folder. Sometimes it might be crucial to install the latest Rapid definitions automatically, e.g. when a fast-mutating virus emerges or when a previously unknown virus outbreak hits your systems.

To solve this problem, here is a PowerShell script. On the server, in the Task Scheduler, schedule it to run automatically at a given interval, e.g. every 3 hours. The script checks the Symantec FTP site for Rapid definitions and downloads them if they are newer than the last ones downloaded previously. It copies the downloaded definitions into the SEPM incoming folder (e.g.: "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming"), where SEP Manager automatically detects and installs them. After this, it saves the name of the last definitions file into a simple text file, which is later used to identify whether there were any updates.

If the situation normalizes and the virus attacks fall back to the usual numbers, simply disable the script in Task Scheduler, so the system will install only the certified definitions again.

The script's contents follow; copy it to a directory of your choosing (e.g.: "D:\_scripts"):

# Connection settings for the public Rapid Release directory
$proto='ftp://'
$fqdn='ftp.symantec.com'
$docLibURN='/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/'
$usr='anonymous'
$pass='pass'   # $pwd is a PowerShell automatic variable, so it is not used here

# Local working folder, version log and the SEPM incoming folder
$dstFolder='D:\_RapidRelease'
$RelVersion=$dstFolder+'\ReleaseVersion.txt'
$TargetFolder='D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming'

# Name of the last definitions file downloaded (stays empty on the first run)
$verinfolast=$null
if (Test-Path $RelVersion) {
  $verinfo = Get-Content $RelVersion
  $verinfolast = $verinfo | Sort-Object | Select-Object -Last 1
}

$docList=@{}

# Use the system proxy with the credentials of the account that runs the task
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

# Request the directory listing
$req = [System.Net.WebRequest]::Create($proto+$fqdn+$docLibURN)
$req.Credentials = New-Object System.Net.NetworkCredential($usr, $pass)
#$req.PreAuthenticate = $true
$req.Proxy = $proxy
$req.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails

try {
  $res = $req.GetResponse()
  $sr = [IO.StreamReader]($res.GetResponseStream())
  $webpage = $sr.ReadToEnd()
  $sr.Close()
  $res.Close()

  # Collect every .jdb link; the pattern expects the listing as HTML with href links
  $weblines=$webpage -split "`r`n|`r|`n"
  switch -regex ($weblines) {
    '.*href="(?<docRelPath>.*\.jdb)".*\>(?<docFolderName>.*)\<.*' {
       $docList[$matches.docFolderName]=$matches.docRelPath
    }
  }

  $webclient = New-Object System.Net.WebClient
  $webclient.Credentials = New-Object System.Net.NetworkCredential($usr, $pass)
  $webclient.Proxy = $proxy

  # Only the newest file name (last in sort order) is considered
  $docList.Keys | Sort-Object | Select-Object -Last 1 | % {
    if ($verinfolast -eq $_)
    {
      Write-Host ($dstFolder+'\'+$_+' Exists')
    }
    else
    {
      # FTP gives no transport integrity; the file is handed to SEPM as downloaded
      $webclient.DownloadFile($($proto+$fqdn+$docList.Item($_)),$dstFolder+'\'+$_)
      echo $_ >>$RelVersion
      Move-Item $dstFolder\*.jdb $TargetFolder
    }
  }

} catch [System.Net.WebException] {
    # Keep the failed response and report the error instead of failing silently
    $res = $_.Exception.Response
    Write-Warning ('Rapid Release check failed: ' + $_.Exception.Message)
}

Backup DCS:SA Database In The Case Of SQL Server Express


If you need to deploy Symantec Data Center Security: Server Advanced in an evaluation installation, or you just need to install several DCS agents on the critical business server, you can use SQL Server Express edition.

The installation of DCS:SA will install the server and SQL Server Express automatically.

After the installation, you can use the following steps to back up the database:

1. Create an SQL file named backup.sql which contains these SQL statements:

GO
-- Build a yyyymmddhhmm timestamp for the backup file name
DECLARE @backupTime VARCHAR(20)
DECLARE @fileName VARCHAR(1000)
SELECT @backupTime = (CONVERT(VARCHAR(8), GETDATE(), 112) + REPLACE(CONVERT(VARCHAR(5), GETDATE(), 114), ':', ''))
SELECT @fileName = 'E:\DCSDB_backup\DCSDB_' + @backupTime + '.bak'
-- Write a full backup of the DCS database to that file
BACKUP DATABASE SCSPDB TO DISK = @fileName

2. Create a bat file named backup.bat which contains the following statement:

sqlcmd -S localhost\SCSP -i E:\DCSDB_backup\backup.sql

3. Copy these two files to the backup folder, for example E:\DCSDB_backup\:

backup_dcsdb_01.jpg

4. Launch Task Scheduler from Windows start:

backup_dcsdb_02.jpg

5. Right click 'Task Scheduler Library', select 'Create Basic Task':

backup_dcsdb_03.jpg

6. Input the task name and description:

backup_dcsdb_04.jpg

7. Select the trigger as 'Daily':

backup_dcsdb_05.jpg

8. Set the task start time:

backup_dcsdb_06.jpg

9. Select 'Start a program':

backup_dcsdb_07.jpg

10. Select the backup.bat as the program/script:

backup_dcsdb_08.jpg

11. Select 'Open the Properties dialog for this task when I click Finish':

backup_dcsdb_09.jpg

12. Select 'Run whether user is logged on or not':

backup_dcsdb_10.jpg

13. You can test the configuration of the task by starting it manually:

backup_dcsdb_11.jpg

14. After the task has finished, a database backup file has been created in E:\DCSDB_backup\:

backup_dcsdb_12.jpg
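
A variant of backup.sql that also verifies what it wrote, as an added example that is not part of the original article. It keeps the article's database name and folder, adds WITH CHECKSUM and a RESTORE VERIFYONLY pass, and reports the most recent full backup recorded in msdb; the error text and the result column aliases are this example's own choices.

```sql
-- Added example, not from the original article.
-- Assumes the article's names: database SCSPDB, folder E:\DCSDB_backup\.
DECLARE @backupTime VARCHAR(20);
DECLARE @fileName   VARCHAR(1000);

SELECT @backupTime = CONVERT(VARCHAR(8), GETDATE(), 112)
                   + REPLACE(CONVERT(VARCHAR(5), GETDATE(), 114), ':', '');
SELECT @fileName = 'E:\DCSDB_backup\DCSDB_' + @backupTime + '.bak';

BEGIN TRY
    -- CHECKSUM stores page checksums in the backup; INIT overwrites a file
    -- of the same name instead of appending a second backup set to it.
    BACKUP DATABASE SCSPDB TO DISK = @fileName WITH CHECKSUM, INIT;

    -- Re-read the whole file and validate the checksums without restoring.
    RESTORE VERIFYONLY FROM DISK = @fileName WITH CHECKSUM;

    PRINT 'Backup written and verified: ' + @fileName;
END TRY
BEGIN CATCH
    -- Severity 16 makes "sqlcmd -b" exit non-zero, so the scheduled task
    -- shows a failure instead of a silent success.
    DECLARE @msg NVARCHAR(2048);
    SET @msg = ERROR_MESSAGE();
    RAISERROR('SCSPDB backup or verification failed: %s', 16, 1, @msg);
END CATCH;

-- Most recent full backup that SQL Server has recorded for this database.
SELECT TOP (1)
       bs.backup_finish_date,
       bs.has_backup_checksums,
       DATEDIFF(HOUR, bs.backup_finish_date, GETDATE()) AS hours_since_backup,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = 'SCSPDB'
  AND bs.type = 'D'            -- D = full database backup
ORDER BY bs.backup_finish_date DESC;
```

When this replaces backup.sql, add the -b switch to the sqlcmd line in backup.bat so that a failed backup or verification gives the scheduled task a non-zero exit code.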

How To Troubleshoot Symantec Endpoint Encryption Device Control


At times it may become necessary to troubleshoot Symantec Endpoint Encryption Device Control. The attached comprehensive PDF allows end users and administrators alike to test communication thoroughly. If further assistance is required, please contact Symantec support.

Symantec Data Loss Prevention v14.0 to v14.0.1 upgrade step by step


Symantec DLP v14.0  upgrade Document

 

Symantec Data Loss Prevention Upgrade Phases

Phase | Action | Description
Phase 1 | Upgrade Database to Oracle 11g (11.2.0.4). | Upgrade your database to ensure continued security fixes.
Phase 2 | Prepare the system for upgrading. This Preparation includes backing up the Oracle database and detection server data. | Backing up database for safer side.
Phase 3 | Download and extract the version 14 software. | Symantec File Connect
Phase 4 | Using the Upgrade Wizard, upgrade the Enforce Server. |
Phase 5 | Upgrade Symantec Data Loss Prevention Agents. |
Phase 6 | Complete the required and optional post-upgrade tasks. |

Preparing the Oracle database for a Symantec Data Loss Prevention upgrade

  • Run the upgrade data pre-checker tool to check your current database against the new constraints introduced in Symantec Data Loss Prevention 14.
  • Back up the Oracle database before you start the upgrade. You cannot recover from an unsuccessful upgrade without a backup of your Oracle database.

Symantec DLP Upgrade Path

Major releases may be upgraded to the next major release.

Major Release Upgrades

DLP 11.x.x -> DLP 12.0.0
DLP 12.0.x -> DLP 12.5.0
DLP 12.0.x -> DLP 14.0.0
DLP 12.5.x -> DLP 14.0.0


Older major releases require multi-step upgrades in order to install newer versions of DLP. 

Major Release Multi-Step Upgrade Examples

Upgrade DLP 10.5 to DLP 14.0: DLP 10.5.x -> DLP 11.0.0 -> DLP 12.0.0 -> DLP 14.0.0

Upgrade DLP 11.6.3 to DLP 12.5.0: DLP 11.6.3 -> DLP 12.0.0 -> DLP 12.5.0

Release upgrades are cumulative and are to be applied to major versions only.

General Release Upgrade Path Examples

Upgrade DLP 11.6.3 to DLP 12.5.3: DLP 11.6.3 -> DLP 12.0.0 -> DLP 12.5.0 -> DLP 12.5.3

Upgrade DLP 12.0.1 to DLP 14.0.1: DLP 12.0.1 -> DLP 14.0.0 -> DLP 14.0.1


Upgrade requirements and restrictions

  • You must stop all Network Discover/Cloud Storage Discover scans before you upgrade the Enforce Server to version 14.
  • If a version or 12.x detection server stops (shuts down) after you have upgraded the Enforce Server to version 14, you must upgrade that detection server to version 14 before it can restart.
  • After you upgrade the Enforce Server to version 14, any configuration changes that you make have no effect on version 12.x detection servers.
  • After you complete the upgrade, do not modify the host name or IP address of a detection server to point to a different detection server.
  • Detection servers use the original configured IP address or host name to maintain and report server-level statistics.
  • Restart the Vontu Monitor Controller service to verify the upgraded detection server versions in the Enforce Server administration console.

Choosing an upgrade method

Upgrade through the Upgrade Wizard, which you access through the Enforce Server. The Upgrade Wizard provides the easiest and most efficient way to upgrade Symantec Data Loss Prevention.

Upgrading Symantec Data Loss Prevention

Steps | Action | Description
Step 1 | Download and extract the upgrade software. |
Step 2 | Make sure that the Enforce Server and the detection servers are running. |
Step 3 | Close all files and folders in your \SymantecDLP\ directory. | The upgrader requires access to all SymantecDLP folders and files during the upgrade process.
Step 4 | Launch the Upgrade Wizard on the Enforce Server. |
Step 5 | Perform the upgrade with the Upgrade Wizard. |

Alternatively, for more details, you can follow the Upgrade Guide as described below.

1. Go to https://fileconnect.symantec.com.

2. Enter a Serial Number for your Symantec DLP Products.

3. Download the software (zipped files) for the version you want to upgrade to.

4. Unzip file “Symantec_DLP_14.0_Docs_Win-In.zip".

5. Open “Symantec DLP Upgrade Guide” from the unzipped files.

6. Follow the instructions given in the upgrade guide.

Preparing the Oracle database for a Symantec Data Loss Prevention upgrade

The following Oracle-related preparations must be made before you use the Upgrade Wizard to upgrade the Symantec Data Loss Prevention database schema for version 14:

  • Run the upgrade data pre-checker tool to check your current database against the new constraints introduced in Symantec Data Loss Prevention 14.
  • Back up the Oracle database before you start the upgrade. You cannot recover from an unsuccessful upgrade without a backup of your Oracle database.

Using the upgrader data pre-checker tool

The upgrader data pre-checker tool is also available for download from https://support.symantec.com/en_US/article.TECH228921.html

Download and extract the ZIP file.

To run the upgrader data pre-checker tool

1. On the Oracle host computer, log on as the Oracle user:

su - oracle

2. Open a command prompt and navigate to the Upgrader_Data_Prechecker folder you extracted from your Platform ZIP file.

3. Log in to SQL*Plus as the Symantec Data Loss Prevention Oracle user:

sqlplus protect/protect@protect

4. Run the run.sql script:

@run.sql

5. The script runs for a few minutes and generates the report: Upgrader_Data_Prechecker.html.

6. Open the report in a web browser to view the results, then take one of the following actions:

  • If the report lists any violated constraints, contact Symantec Technical Support at www.symantec.com/business/support. Your support contact will ask you to email the Upgrader_Data_Prechecker.html file to assist in resolving any violated constraint issues in your database before you upgrade your system.
  • If the report does not list any violated constraints, proceed with the upgrade process.

Downloading and extracting the upgrade software

To download the upgrade software

Copy the ZIP files to the computer from where you intend to perform the upgrade. That computer must have a reliable network connection to the Enforce Server.

To extract the ZIP files

1. Extract the contents of the Symantec_DLP_14.0_Platform_Win-IN.zip file. Among other items, the ZIP file contains an upgrade_12.x_to_14.0 folder, which includes an upgrade JAR (Java archive) file that is required later when you run the Upgrade Wizard.

2. Extract the contents of the Symantec_DLP_14.0_Agent_Win-IN.zip file. Among other items, the ZIP file contains the DLPDownloadHome\DLP\14.0\Endpoint\Win\x64\AgentInstall64.msi file for 64-bit endpoints and the DLPDownloadHome\DLP\14.0\Endpoint\Win\x86\AgentInstall.msi file for 32-bit endpoints. You use these files when you generate the agent installation package.

3. Extract the contents of the Symantec_DLP_14.0_Agent_Mac-IN.zip file. Among other items, the ZIP file contains the DLPDownloadHome/14.0/Endpoint/Mac/x86_64/AgentInstall.pkg file. You use this file when you generate the agent installation package.

4. Note where you saved the upgrade JAR, MSI, and PKG files so you can quickly find them later.

Launching the Upgrade Wizard on the Enforce Server

Note: If your installation uses FIPS encryption, your browser will not be able to redirect from the Enforce Server administration console to the Upgrade Wizard user interface. In this case, you must manually browse to https://Enforce_server:8300.

  • Clear your browser cache before upgrading the Enforce Server.
  • Stop all DLP Endpoint Discover scans.
  • Close all files and folders in your \SymantecDLP\ directory.

To launch the Upgrade Wizard on the Enforce Server

1. Ensure that all detection servers are running and are connected to the Enforce Server.

2. Log on to your Enforce Server administration console.

3. Go to System > Servers > Overview.

4. Click Upgrade.

The Upgrade System pop-up window appears.

a.png

5. From the directory that includes that JAR file, select the file and click Open. The name of the file is 14.0_Upgrader_Windows.jar.

6. Click Launch Upgrade.

b.png

It may take several minutes for the Symantec Data Loss Prevention Upgrader Login panel to appear. If the Enforce Server returns an error or times out, you must correct the problem before continuing.

If no error occurs, the Symantec Data Loss Prevention Upgrader Login panel appears and you are ready to continue the upgrade.

Performing an upgrade with the Upgrade Wizard

To upgrade the Enforce Server

1. On the Symantec Data Loss Prevention Upgrader Login panel, enter the Administrator user name and password, and then click logon.

c.png

The License Agreement panel appears.

d.png

2. Click Accept.

The System Check panel appears. When you click Next, the Upgrade Wizard verifies that you have the minimum software version level required to upgrade to the current release version.

e.png

3. Click Next.

One of the following two outcomes results:

  • If the check was successful, the System Check Succeeded panel appears.

f.png

  • If at any point you see a message box stating that the upgrade has failed, click Cancel.
  • Fix the reported problem that is shown in the panel. After fixing the problem, log on to Enforce, and launch the upgrade again.

4. From the System Check Succeeded panel, click Next.

The Patch Distribution Status page appears.

g.png

5. Click Next.

The Welcome to Symantec Data Loss Prevention Upgrader panel appears.

h.png

6. Click Next.

The Pre-check panel appears and the Upgrade Wizard begins performing pre-upgrade tasks.

i.png

7. Click Next after the pre-check tasks complete.

8. From the Upgrade Enforce Server panel, click Next.

j.png

When the process has finished successfully, the following message appears: Done upgrading Enforce software.

k.png

If an error occurs, a message to that effect appears. Consult the logs for information, correct the problem, and launch the upgrade again.

9. Click Next after the Enforce upgrade completes.

11. Click Next.

  • Select This DLP instance is a production system to indicate your system is in production.

13. Click Next after the Enforce upgrade completes.

The Patch Distribution Status page appears.

14. Click Next.

The Upgrade Detection Servers panel appears.

o.png

15. Select the detection servers you want to upgrade, or select all servers, then click Upgrade.

 (\SymantecDLP\Protect\updates\SymantecDLPDetectionBackup). Then it installs new ones.

After the wizard upgrades the detection servers you selected, green checkmarks appear next to those servers listed in the Upgrade Status column of the panel.

Note: When you run the Upgrade Wizard again, it does not upgrade the Enforce Server again.

You must upgrade the Enforce Server before trying to upgrade your detection servers.

16. Click Next.

The Success panel appears and prompts you to also upgrade your system endpoints.

p.png

17. Click Finish.

The Symantec Data Loss Prevention Login panel for Enforce Server appears.

19. Log on to the Enforce Server.

The Enforce Server administration console appears.

20. Clear your browser cache to ensure that the initial page does not appear blank or as a previous version.

21. To verify that all of your Symantec Data Loss Prevention products are licensed for the current release, navigate to System > Settings > General.

To verify the upgrade, review that your server version numbers are correct. Go to System > Servers > Overview and click Enforce Server or a detection server.

Note: The new version numbers for the upgraded detection servers do not display in the Enforce Server administration console until the Vontu Monitor Controller service has been restarted. The service does not start until the upgrade is complete.

How to reset DCS management console symadmin password


If you forgot your DCS management console symadmin password:

ResetDCSPassword_01.jpg

You can reset the password by modifying the database.

Steps:

1. Launch Microsoft SQL Server Management Studio, log into DCS database as sa:

ResetDCSPassword_02.jpg

or scspdba:

ResetDCSPassword_03.jpg

2. Expand the tables under SCSPDB:

ResetDCSPassword_04.jpg

3. Check the table dbo.USR: the USERNAME column stores the management console user, and the PWD column stores the hash of the password:

ResetDCSPassword_05.jpg

4. Edit the dbo.USR table, and delete the value of the PWD column for symadmin:

ResetDCSPassword_06.jpg

5. Commit the change to the database and confirm the change:

ResetDCSPassword_07.jpg

6. Restart the Symantec Data Center Security Server Manager service:

ResetDCSPassword_08.jpg

7. Launch the DCS management console and try to log in as symadmin; DCS will let you set a password for symadmin:

ResetDCSPassword_09.jpg
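
Because an empty PWD value lets whoever logs in next choose the symadmin password, it is worth checking which console accounts are in that state and who is able to write to the table. An added audit example, not part of the original article; it assumes only the names shown above (database SCSPDB, table dbo.USR, columns USERNAME and PWD), and the result column aliases are this example's own.

```sql
-- Added example, not from the original article. Read-only audit queries.
USE SCSPDB;

-- 1. Console accounts whose password hash is empty. Any row returned here
--    can be claimed by the next person who logs in with that user name.
--    DATALENGTH is used because the column's data type is not known here.
SELECT USERNAME
FROM dbo.USR
WHERE PWD IS NULL OR DATALENGTH(PWD) = 0;

-- 2. Principals that were explicitly granted write access to dbo.USR.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                          -- object-level permission
  AND pe.major_id = OBJECT_ID('dbo.USR')
  AND pe.permission_name IN ('UPDATE', 'INSERT', 'DELETE', 'ALTER', 'CONTROL')
  AND pe.state IN ('G', 'W');               -- GRANT, GRANT WITH GRANT OPTION

-- 3. Members of the database roles that can write to every table,
--    dbo.USR included.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datawriter');

-- Logins in the sysadmin server role (sa among them) bypass these checks
-- and are not listed by the queries above.
```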

Symantec Managed PKI Use-case Demos: Adobe CDS User Document Signing


Symantec Managed PKI Use-case Demos: Adobe CDS User Document Signing (Job Aid in PDF format – download PDF to launch embedded video)

Use-case Overview
Digitally sign an Adobe PDF document. The PKI administrator configures the certificate profile, adds the end-user, and then sends an enrollment email to the user. The enrollment code is communicated to the end-user separately from the enrollment link. The end-user enrolls for the certificate and the certificate is installed to their hardware token. The end-user digitally signs a PDF document.
