Symantec Data Loss Prevention: adding rules based on Active Directory user accounts

Symantec Data Loss Prevention (SDLP, current version 11.6) is often installed in Windows environments, so many SDLP tasks are tied to Active Directory. This article gives an insight into how to make detection policies and rules apply to a particular Active Directory user or group of users, or how to make a policy apply to all users except one particular Active Directory user.

To enable a DLP policy that, for example, detects copying to a USB removable device and blocks the action for a specific Active Directory user, you need three steps:

First go to System > Settings > Group Directories.

Then press the Create New Connection button and set up a new connection to Active Directory. The example screenshot gives an idea of how to fill out the fields:

So far it is simple. If your domain name is demo.com, then in the Base DN field (under Network Parameters) you should type: DC=demo, DC=com
Choose the authentication type on the server (it will almost always be required to enter a user name and password) and type in the credentials.
When done filling out the fields, press the Test Connection button to ensure that everything is configured properly.

When the connection test succeeds, press the Save button and continue to the second step.

When the directory connection is set up, the next step is to create a User Group. Choose Manage > User Groups.
Then create a new user group (you can include one or many users, depending on what kind of policy you will use this group in). See the example screenshot below for details:

When done filling out the fields, press the Save button and continue to the final step.

The final step is to add a rule to the policy based on the User Group (which is based on the Directory Connection from step 1). To do so, go to Manage > Policies > Policy List and choose the policy to modify (or create a new one). To add the desired user-based rule, choose the Groups tab in the policy settings. Then, depending on whether you want to add a rule for a particular AD user or make an exception for an AD user, press the Add Rule or Add Exception button correspondingly. The example below shows an exception rule:

When, for example, Sender/User based on Directory Server Group is selected, click Next and you will be able to set up the user-based rule.

Just select the user group that was set up in step 2, name the exception, click OK, then save the policy.

All done.


Update PGP US to the new 3.3.0 version in a few simple steps

A few days ago Symantec introduced a new version of PGP US. Version 3.3 comes with some really good changes and fixes, and what is really new is that the PGP product name mapping was changed.

More information about the new PGP product names can be found at http://www.symantec.com/business/support/index?page=content&id=TECH197084

1. To upgrade your PGP US server, first of all you have to log in at http://fileconnect.symantec.com using your licence serial number.

2. In the next step, download the file called SymantecEncryption3.3.0_PUP.zip.

3. When the download is complete, unzip it. You should find two files:

  • SymantecEncryption3.3.0_PUP.zip
  • SymantecEncryption3.3.0_PUP.zip.sig

4. Unzip SymantecEncryption3.3.0_PUP.zip. You should get a file called SymantecEncryption3.3.0.pup; this is the upgrade file.

5. In the next step, open the PGPUS web console at https://your_pgp_server:9000 and log in.

6. Before you upgrade PGPUS, remember to make a backup of your Organization Key and of PGPUS itself. To do that, just follow this short instruction:

  • Go to System=>Backups

7. Click Backup Now, choose a proper name for your backup, and then click the Backup button.

8. Now you can back up your Organization Key. To do that, go to Keys=>Organization Keys and click on your organization key.

9. In the new window, click the Export button.

10. Now select Export Keypair, set your password for the keys, click the Export button and save the ASC file to disk.

11. Now you are ready to go with your upgrade. Just go to System=>Updates.

12. Click Upload Update Package... and browse for your SymantecEncryption3.3.0.pup file. Now just click the Upload button.

13. You have to wait a few minutes for the upload process...

14. After a successful upload you should get information that everything is OK and the file was uploaded successfully. Now click the Install button to update the server.

15. You get a warning message that a reboot is required to perform the upgrade; just click the OK button.

16. After that you will be automatically logged out and information about the update will appear.

That's all; after a few seconds you will have the new 3.3 version of PGPUS. I hope this article will be useful. Have a nice day :)

Enable SSH access on your PGPUS - step by step guide

First of all, I prepared this tutorial for everyone who wants to enable SSH access without studying the admin guide and so on. So below you can find full step-by-step instructions with sample images on how to enable it.

You can find these instructions attached in PDF format, so if you would like to send them to your customer or something like that you are ready to go: just download, attach, send ;)

Remember only three things (if you would like to change something on your PGPUS via SSH):

1. If you would like to write something on the command line via SSH on your PGPUS, you have to be authorized in writing by Symantec Support.

2. Changes can be implemented only by a Symantec Partner, reseller or Symantec Technical Support.

3. All changes have to be summarized and documented in a text file in /var/lib/ovid/customization on the PGP Universal Server itself.

If you want to use SSH access for troubleshooting, log checks and any other read-only operations, you are ready to go on your own, without any agreement from anyone else and without worries about Symantec Support.

So let's start.

1. First of all you need to have PuTTYgen on your computer. You can download it at putty.org.

2. When the download is complete, open PuTTYgen. You should see something like this: select SSH-2 DSA and change the default value to 2048. After that click the Generate button.

2. Now move the mouse cursor around the key area several times to generate random values.

3. When the key generation process is complete, type a password for your keys and save the public and private key to disk. Remember to store your private key and password in a really secure location because you will use them to log into your PGPUS via SSH with root privileges.

4. At the end, copy the public key information.

5. Now you can log in to the PGPUS web console at https://your_pgp_server:9000

6. In the next step go to System=>Administrators and click the admin account.

7. In the new window, click the plus button to import the public key information.

8. In the new window, select Import Key Block, paste the public key information copied from PuTTYgen and click the Import button.

9. When the import is complete, you should see the SSHv2 Key information. Click the Save button to accept the changes.

10. Now download the PuTTY client from putty.org and open it on your computer. Provide your PGPUS IP address or hostname.

11. Now go to Connection=>SSH=>Auth and browse for your private key saved on your computer. After all that, click the Open button to connect to PGPUS.

12. Accept the server key by clicking the Yes button.

13. In the SSH console, type root as the user and, when you are prompted for a password, type the key password you set in PuTTYgen.

14. And you're in. You are now ready to go with PGPUS and SSH access. Good luck :) and remember you can only do read-only tasks; other changes or implementations you make are at your own risk and without Symantec Support.

SWG Central Intelligence Unit and the Graphical Implementation

The Symantec Web Gateways may be centrally managed by the Symantec Central Intelligence Unit (CIU). The CIU provides consolidated reporting representing the information and data stored by all of the web gateways in the system.

In addition, the CIU provides a central configuration facility where each Web Gateway, and all of the webgates may be configured at once.

Any Symantec Web Gateway appliance can be configured to manage one or more other Symantec Web Gateway appliances. An appliance that is configured to manage other appliances is called a Central Intelligence Unit. On the Central Intelligence Unit, most Web GUI pages let you make changes or view reports for all managed appliances or individual managed appliances.

You can continue to log on to the Web GUI of managed appliances after you configure a Central Intelligence Unit. Managed appliances can be configured in any operating mode other than Central Intelligence Unit. When you configure an appliance as a Central Intelligence Unit, that appliance cannot function as a Symantec Web Gateway.

Central Intelligence features:

Centralized management: Make the same change to multiple appliances at the same time or make unique changes to individual appliances from the Central Intelligence Unit.

Centralized reporting: View consolidated reports from all managed appliances.

Here is the graphical implementation of the SWG CIU:

1. Boot and install SWG appliance.

2. Launch browser to access SWG IP:

3. Input your license and choose the server type as CIU:

4. Input the information of your admin account:

5. Review your server information:

6. After finishing the settings, your CIU server will reboot:

7. When you launch a browser to access the CIU address, you will find that the Web UI is different from a SWG. It shows that this is a Central Intelligence server:

8. From Administrator --> Configuration --> Central Mgmt, you can configure the CIU and the managed SWG:

Now, you can manage and review the logs/reports from all your SWG in one console.

SAV for Linux: A (Somewhat) Illustrated Guide Part 3

The Story So Far....

This is the third in an informal series of articles intended to help admins make the best use of Symantec AntiVirus for Linux, keeping those boxes protected from today's many emerging threats without killing the CPU or the network bandwidth. 

This article will focus on the area with which many admins encounter the most trouble- how to keep SAV for Linux up-to-date.

 

How Often Are New Definitions Released?

New certified definitions are posted for SAVFL once per day.  These definitions contain all the AntiVirus signatures against all known threats, regardless of what OS they are designed to exploit.  Do not put off updating SAVFL on your Linux file server, thinking that there cannot be that many new Linux worms since last week.  SAVFL needs the latest definitions to stop the latest Windows/Mac/Android threats affecting clients that access that file server.  Make sure that SAVFL is updated every day.

OK, How Does SAVFL Get Updated?

There are three ways:

  1. Internet LiveUpdate servers (The default.  Recommended if you have only a few SAVFL clients)
  2. Internal LiveUpdate Administrator 2.x server (Recommended if you have many SAVFL clients.)
  3. Intelligent Updater (Useful in certain circumstances, such as completely isolated computers.)

What Happens When I Push This Button?

SAVFL comes with Java LiveUpdate (JLU) built into it.  Clicking "LiveUpdate" from the SAVFL GUI will, by default, start a session that retrieves updates from the Internet.  A session can also be manually started from the command line: sav liveupdate -u

As long as the SAVFL client is updating every day, the files downloaded will be of manageable size. 

If the SAVFL client goes out-of-date by weeks, then a full set of definitions will need to be downloaded.  That can be a couple hundred MB.

 

"We Have A Lot of Linux Machines- that Many Updates Would Kill Our Network Bandwidth!"

If you establish an internal LiveUpdate Administrator 2.x server (LUA 2.x), it will download the update files from the Internet source servers once, and then make them available to all of your SAVFL clients on the corporate LAN.  Here is an official Symantec article on configuring the LUA 2.x server for SAVFL contents:

Configuring LiveUpdate Administrator 2.x to Download and Distribute Symantec Antivirus for Linux Contents
Article URL http://www.symantec.com/docs/TECH152311

 

The initial download is large, but then each subsequent day's download is small. Here is what LUA 2.x looks like making that first download of SAVFL materials, in case you have never seen the product:

The SAVFL clients then need to have their setting updated so they know to look to that internal source, rather than keep looking on the Internet.  Here is an article on how to configure the SAVFL clients to use that internal LUA 2.x server's Distribution Center (DC):

Configuring Symantec Antivirus for Linux (SAVFL) to download definitions from the Distribution Center of an internal LiveUpdate Administrator (LUA) 2.x Server
Article URL http://www.symantec.com/docs/TECH93505

And here is an excellent article by another member of the Connect Forum (give it a "thumbs up" vote!)   

How to Install SAV for Linux (SAVFL) and Update It Using LUA 2.x (2.3.0.71)
https://www-secure.symantec.com/connect/articles/how-install-sav-linux-savfl-and-update-it-using-lua-2x-23071

 

There's Always A Third Option

It is also possible to bring SAVFL clients up-to-date using an Intelligent Updater (IU).  Here's the article on that option:

How to update a Linux-based computer with Intelligent Updater definitions
Article URL http://www.symantec.com/docs/TECH96754

Using IU's every day would consume a lot of bandwidth.  The size of the current Linux IU file (20130122-004-unix.sh) is 421.54 MB.  This will only grow as more and more threats are discovered. 

Intelligent Updaters are a great solution in certain circumstances (completely isolated computers that still require defenses, bringing a computer up-to-date if JLU is failing for some reason) but for day-to-day use, Internet or internal LiveUpdate servers are usually the best option.

 

OK, You Convinced Me.   I'll Configure my SAVFL Clients' Java LiveUpdate.  So, How Do I Do That? 

If you need to change the LiveUpdate schedule, source server, or other parameters, three ways are possible:

  1. By the command line
  2. By dropping on a GRC.DAT
  3. By changing the /etc/liveupdate.conf file

Details on the first two options can be found in SAV for Linux: A (Somewhat) Illustrated Guide Part 2. Here's a good article on how to manually configure liveupdate.conf:

Configuring Java LiveUpdate
Article URL http://www.symantec.com/docs/TECH101689

Several admins have found it easy to create a valid liveupdate.conf file containing the proxy, LUA, etc. details for their environment and place that in each SAVFL machine's /etc directory.  If there are many SAVFL clients to configure, and there is no SAV 10 Windows client on hand to generate the GRC.DAT, dropping the liveupdate.conf file is what I recommend.

Sorry, I Don't Speak Klingon

Opening /etc/liveupdate.conf with a standard text editor presents a page full of odd text and characters:

This is actually by design.  The contents of this configuration file are encrypted to prevent tampering.  Editing the liveupdate.conf file on SAVFL must be done using a special tool.  The following article contains all the details:

Configuring Java LiveUpdate using the built-in Graphical User Interface (GUI)
Article URL http://www.symantec.com/docs/TECH123038

Here is what the tool looks like:

What Just Happened?

To see the details on a Java LiveUpdate session, read liveupdt.log.  This log file takes practice to read, but can tell you what product components were checked for updates, what server the SAVFL client tried to connect to, if that connection was successful, what files were downloaded and if they were then processed. 

By default this log is located in the /opt/Symantec/LiveUpdate directory, but that is configurable in liveupdate.conf.

Note that this log only covers Java LiveUpdate activity, not Intelligent Updater.  That tool generates its own logs.

In case JLU sessions are not completing correctly, the following article may help:

Troubleshooting Java LiveUpdate 3.x
Article URL http://www.symantec.com/docs/TECH123310

Is There Any Sneaky Way to See What Set of AV Definitions All My SAVFL Clients Have?

Yes. :)

SAVFL (SEP for Linux) status check
https://www-secure.symantec.com/connect/forums/savfl-sep-linux-status-check

Many Connect Forum members have expressed an interest in a managed "Symantec Endpoint Protection for Linux" client.  (You may show your interest for such at the link below.)  Until that becomes available, SAVFL Reporter can collect some information from all of the legacy SAV for Linux clients in the organization, and display details in a report within Symantec Endpoint Protection Manager (SEPM).  This report can make it easy to spot clients with definitions that are out of date.

Managed SEP client for Linux
https://www-secure.symantec.com/connect/ideas/managed-sep-client-linux

Final Notes

Many thanks for reading!  Please do add comments and feedback below.

No management server required: simple installation of antivirus for small and medium-sized businesses

Do you feel that antivirus software just runs in the background and its benefits are hard to perceive?

Symantec Endpoint Protection Small Business Edition 2013 (hereafter SEP SBE 2013) provides information such as whether a site found in a search contains malicious code, and whether a downloaded file is safe and how widely it is in use, and it blocks careless access or stops the download.

39.1% of email-borne malware does not carry the malware in an attachment but instead consists of hyperlinks that point to websites hosting malicious code. In addition, 61% of malicious websites are originally legitimate websites whose security has been compromised by that code and which are in an infected state. To gather information on the Internet with confidence and use PCs safely, a function that blocks threats coming in from the Web is essential.

SEP SBE 2013 provides the management server as a cloud service. Customers do not need to build or operate a management server.

Internet use is indispensable for business. The SEP SBE 2013 simple installation guide helps customers with deployment so that they can use it with peace of mind. Of course, the same strong multi-layered protection as before, including browser intrusion prevention against vulnerabilities, network intrusion prevention, and SONAR behavioral detection, also works in the background.

* On the article list page of the "Security" community, select [Japan SE Team] from the contributor pull-down menu to list all of the articles.

No management server required: simple policy configuration of antivirus for small and medium-sized businesses

Symantec Endpoint Protection Small Business Edition 2013 (hereafter SEP SBE 2013) provides the management server as a cloud service. Customers do not need to build or operate a management server.

This document explains how to configure policies such as the scan scope, scan time, and access control for websites. In day-to-day antivirus operation with SEP SBE 2013 the default policies are applied automatically, so customers rarely need to configure anything, but per-program firewall settings (application control) can also be configured easily. Please have a look at the document.

* On the article list page of the "Security" community, select [Japan SE Team] from the contributor pull-down menu to list all of the articles.

DoScan.exe – SEP Antivirus scans from Command Prompt – Introduction

Not everyone is aware that there is a quite easy way to run quick or scheduled SEP client scans from the command prompt, batch scripts or the Windows Task Scheduler with the SEP tool DoScan. DoScan is not a separate scanner: it uses the same scan engine built into SEP, so Auto-Protect must be enabled on the SEP client for it to run.

DoScan.exe is located directly in the SEP installation folder:

  • C:\Program Files\Symantec\Symantec Endpoint Protection\Doscan.exe (32-bit OS)
  • C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Doscan.exe (64-bit OS)

Important note: Using a direct call to the doscan.exe binary with a SYSTEM account may not work in SEP 12.1. For script usage it is recommended to call the doscan.exe from the following location:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\[SEPVersion]\Bin\doscan.exe (example: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\doscan.exe) – for additional information please check http://www.symantec.com/docs/TECH199513

 

Here are some examples, as a historical overview of the options offered by DoScan.exe:

SEP 11 RU5 or earlier:

SEP 11 RU6 MP1 to RU7 MP3:

SEP 12.1 RTM – 12.1 RU2:

For the purpose of this article we will focus on the latest version of DoScan.exe, as it provides the most features.

DoScan.exe [<Scan file/folder name>] [/F[ileList] "<List file name>"] [/Cloudscan or /O] [/ScanFile "<file name>"] [/ScanDir "<folder name>"] [/ScanName "<Configured Scan Name>"] [/L[ist]] [/C[mdLineScan] [/ScanAllDrives]] [/A[sync]|/Sync] [/Help]

 

Let's look at these in detail:

/L[ist] - Lists all the local and administrator scans configured for this computer.

/ScanName "<Configured Scan Name>" - Runs the specified local or administrator scan.

  • No additional scan options can be set – these will be taken over from the scheduled scan settings as configured in the policy
  • The name of the scan needs to be specified

 

/C[mdLineScan] --Performs a quick scan.

   /ScanAllDrives --Scans all disk drives.

 

/ScanDrive "<drives>" -Scans the specified drives with default scan options.

            For example: /ScanDrive "A-C,E,V-S,Z" scans drives A, B, C, E, S, T, U, V, Z.

 

/ScanFile "<file name>" -Scans the specified file with default scan options. Multiple files can be specified with multiple /ScanFile switches.

            For example: /ScanFile "%WinDir%\notepad.exe" /ScanFile "C:\Test"

/ScanDir "<folder name>" -Scans the specified folder with default scan options. Multiple folders can be specified with multiple /ScanDir switches.

            For example: /ScanDir "%WinDir%\System32" /ScanDir "%Temp%" /ScanDir "C:\Test"

"<Scan file/folder name>" --Specifies a single file/folder to scan.

            [/O] or [/Cloudscan] - Specifies that the item should also be sent

            to the Cloud for scanning.

            The switch will only apply to a single file item.

 

/F[ileList] "<List file name>" --Specifies a text file that lists full paths

            of files/folders to scan.

            /O or /Cloudscan - Specifies that the item should also be sent

            to the Cloud for scanning.

            The switch will only apply if filelist contains a single file item.

 

/A[sync] --Start scan asynchronously.

/Sync --Start scan synchronously. (default)

/H[elp] -- Displays this help dialog.

 

Additional notes:

  • Old versions of DoScan.exe from SEP 11 RU5 and below had an additional switch to specify the scan log location:

/Logfile="Log file path and filename"

- The file path needs to be quoted
- The default log path is "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\Doscan.log" if no specific path and file name was specified

This switch has been removed from 11 RU6 MP1 onwards, and now (as well as in SEP 12.1) the logs default to the standard scan log location, the same as for scans started from the GUI (example for SEP 12.1):

  1. C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Logs\AV\[date_of_scan].log
  2. C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Logs\AV\[date_of_scan].log

  • A scan executed from the command prompt runs in the background and its progress is not reflected in the SEP client GUI at all.
  • As DoScan is not a separate scan engine, it cannot be started from a bootable disk alone and needs Auto-Protect on the SEP client to be up and running.
  • While a scan started by DoScan is running, starting another scan from the client GUI is not possible and will error out with the following information:

  • DoScan is designed for command prompt execution of SEP scans as an alternative to scans started from the GUI. For scanning large amounts of data or network drives, a different Symantec product dedicated to that purpose, with much stronger and enhanced command-line support, is recommended: Symantec Scan Engine.
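The scripted usage the article recommends above (the versioned Bin\doscan.exe), wrapped for Task Scheduler use, as an added PowerShell example that is not part of the original article. It assumes only the paths the article gives; the function names, the version-folder detection and the log lookup are this example's own, and since the meaning of doscan.exe's exit code is not documented on this page it is returned unchanged.

```powershell
# Added example, not from the original article. Assumes the paths the
# article gives: <Program Files>\Symantec\Symantec Endpoint Protection\
# [SEPVersion]\Bin\doscan.exe and the AV log folder under ProgramData.
# Function names and the version-folder detection are this example's own.

function Get-SepDoScanPath {
    # Prefer the [SEPVersion]\Bin copy (the article's recommendation for
    # scripts and the SYSTEM account), falling back to the top-level Doscan.exe.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Symantec\Symantec Endpoint Protection' }

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Version folders look like 12.1.2015.2015.105 (five parts, so [version]
        # cannot parse them); zero-pad each part so a string sort is numeric.
        $versioned = Get-ChildItem -LiteralPath $root -Directory |
            Where-Object { $_.Name -match '^\d+(\.\d+)+$' } |
            Sort-Object { (($_.Name -split '\.') | ForEach-Object { $_.PadLeft(6, '0') }) -join '.' } -Descending |
            ForEach-Object { Join-Path $_.FullName 'Bin\doscan.exe' } |
            Where-Object { Test-Path -LiteralPath $_ } |
            Select-Object -First 1
        if ($versioned) { return $versioned }

        $flat = Join-Path $root 'Doscan.exe'
        if (Test-Path -LiteralPath $flat) { return $flat }
    }
    throw 'doscan.exe not found; is the SEP client installed on this host?'
}

function Invoke-SepDoScan {
    [CmdletBinding()]
    param(
        [string[]]$ScanFile = @(),   # one /ScanFile switch per entry
        [string[]]$ScanDir  = @(),   # one /ScanDir switch per entry
        [string]$ScanName,           # run a scan already configured in policy
        [switch]$QuickScan           # /CmdLineScan
    )
    $exe = Get-SepDoScanPath
    $argList = @()
    if ($ScanName) {
        # Scan options come from the policy; only the configured name is passed.
        $argList += '/ScanName', ('"{0}"' -f $ScanName)
    } elseif ($QuickScan) {
        $argList += '/CmdLineScan'
    } else {
        foreach ($f in $ScanFile) { $argList += '/ScanFile', ('"{0}"' -f $f) }
        foreach ($d in $ScanDir)  { $argList += '/ScanDir',  ('"{0}"' -f $d) }
    }
    # /Sync is the default, but stating it makes the wait explicit for Task
    # Scheduler jobs; the scan is not shown in the client GUI, so the exit
    # code and the scan log are the only feedback a script gets.
    $argList += '/Sync'

    Write-Verbose "Running: $exe $($argList -join ' ')"
    $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Get-SepLatestScanLog {
    # Scan logs: <ProgramData>\Symantec\Symantec Endpoint Protection\<ver>\Data\Logs\AV\<date>.log
    $base = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'
    if (-not (Test-Path -LiteralPath $base)) { return $null }
    Get-ChildItem -LiteralPath $base -Directory |
        ForEach-Object { Join-Path $_.FullName 'Data\Logs\AV' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter '*.log' -File } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

# Usage: scan one file and two folders (the article's own sample paths),
# then print the tail of the newest scan log.
$code = Invoke-SepDoScan -ScanFile "$env:WinDir\notepad.exe" -ScanDir "$env:TEMP", 'C:\Test' -Verbose
"doscan.exe exited with code $code"
$log = Get-SepLatestScanLog
if ($log) { Get-Content -LiteralPath $log.FullName -Tail 20 }
```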

What tools do we get with Symantec_Endpoint_Protection_12.1.2_Part2_Tools_EN.exe? - SEP 12.1 RU2

An introduction to the tools included on CD2 of the SEP 12.1 RU2 installation media. The CD contains several tools for management and troubleshooting, not only for SEP but also for other related Symantec software. Here are the tools that we get on the CD:

1. CentralQ - Central Quarantine Installation

Consists of the Central Quarantine Server and Client Console. The folder also contains the Symantec™ Central Quarantine Implementation Guide as a .pdf file. The version of the Central Quarantine is 3.6.7180.

The Quarantine Server receives virus and security risk submissions from Symantec Endpoint Protection clients and forwards these submissions to Symantec. The Quarantine Console lets you manage the Quarantine Server and these submissions. If you determine that your network requires a central location for all quarantined files, you can install the Central Quarantine.

Reference:
Symantec™ Central Quarantine Implementation Guide
http://www.symantec.com/docs/DOC3258

Installing and configuring the Central Quarantine
http://www.symantec.com/docs/TECH105496

Setting up Symantec Endpoint Protection clients to forward infected files to a Central Quarantine Server.
http://www.symantec.com/docs/TECH104755

 

2. DevViewer

A tool used to view the devices on a client computer and obtain their class IDs or device IDs. This ID is needed when creating or editing Application and Device Control Policies. The tool comes with brief instructions in .html format.

Reference:
DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH103401

 

3. Integration - SEPM_WebService_SDK -> Symantec Endpoint Protection Remote Monitoring and Management SDK

This folder contains the documentation and examples for working with Symantec Endpoint Protection Manager web services. It includes the following items:

* In the Remote_Management_Integration_Guide subfolder:
    - A programmer's guide for how to integrate your remote management solution using Symantec Endpoint Protection web services. Content includes information about how to authenticate your web service calls using Symantec's implementation of the OAuth 2.0 standard, how to create a web service client using the WSDL files that are included with the build, and basic conceptual material about individual web services.
    - The entry point filename is index.html. (Open this file to open the programmer's guide in your browser. Only Firefox and Internet Explorer are supported.)

* In the ReferenceGuide subfolder:
    - The code documentation for Symantec Endpoint Protection web services. This documentation is generated from the Javadoc comments using doxygen. Included are an extensive overview page and package-level comments, as well as details about each web service method.
    - The entry point filename is index.html. (Open this file to open the reference guide in your browser. All popular browsers are supported.)

* In the SampleCode subfolder:
    - A set of PowerShell example scripts to help you get started writing your own web service client(s).

* In the WSDL subfolder:
    - Static versions of the Web Services Description Language files that you need to build your web services client.
        

4. ITAnalytics - Altiris IT Analytics Version 7.1.206

The installation comes with the IT Analytics for Symantec Endpoint Protection Read Me as a .pdf file.

IT Analytics Solution software complements and expands upon the reporting that is offered in many Symantec solutions. It brings multi-dimensional analysis and robust graphical reporting features to Symantec Management Platform. This functionality allows users to explore data on their own, without advanced knowledge of databases or third-party reporting tools. It empowers users to ask and answer their own questions quickly and easily. IT Analytics may be used as well with Symantec Endpoint Protection.

Reference:
IT Analytics Solution 7.1 for Symantec™ User Guide
http://www.symantec.com/docs/DOC3488

Installing and configuring IT Analytics Solution
http://www.symantec.com/docs/HOWTO48322

5. JAWS - JAWS Scripts for Symantec Endpoint Protection 12.1

Symantec Endpoint Protection 12.1 makes use of the JAWS screen reader (assistive technology) program and a set of scripts to improve reading of menus and dialogs in SEP and provide compliance with Section 508 product accessibility.  The JAWS screen reader, available from Freedom Scientific (www.freedomscientific.com) must be installed. The installation can occur anytime before or after SEP is installed. Symantec’s JAWS scripts have been tested with JAWS version 11 and 12.
 

6. LiveUpdate - Liveupdate Administrator in version 2.3.2 (LUAESD.exe)

The folder also contains the documentation as a .pdf (LiveUpdate Administrator Users Guide.pdf). LiveUpdate Administrator is software used for definition distribution for Symantec security products. It allows for more detailed configuration and scheduling than the direct definition distribution from the SEPM server.

Reference:
Installing and Configuring LiveUpdate Administrator (LUA)
http://www.symantec.com/docs/TECH102701

When to use LiveUpdate Administrator
http://www.symantec.com/docs/TECH154896

Best Practices for LiveUpdate Administrator (LUA) 2.x
http://www.symantec.com/docs/TECH93409

LiveUpdate Administrator 2.3: What's New
https://www-secure.symantec.com/connect/videos/liveupdate-administrator-23-whats-new

 

7. Mac - Macintosh Symantec Uninstaller

The Uninstaller is intended for all Symantec products on the Mac, not just SEP. Please refer to the documentation below for usage.

Reference:
Symantec Endpoint Protection for Macintosh Frequently Asked Questions
http://www.symantec.com/docs/TECH134203

How to uninstall Symantec Endpoint Protection for Macintosh
http://www.symantec.com/docs/TECH132120

 

8. NoSupport - a couple of unsupported Symantec tools.

* MoveClient - MoveClient Script version 3.0. Comes with usage guide in .pdf file.

MoveClient.vbs is a Visual Basic script which, when properly configured, will move one or more clients from a SEPM group to another group of your choice based on the hostname, username, IP address or operating system of the client. It also has the ability to switch client mode from user mode to computer mode or vice versa.

Reference:
How to use the MoveClient Utility to switch multiple machines between computer and user mode.
http://www.symantec.com/docs/TECH157429

 

* Qextract - The Quarantine Extract command line tool extracts and restores files from the Quarantine of the Symantec Endpoint Protection client. The tool is provided with a brief usage guide in .html format.

The tool may be needed if the Symantec Endpoint Protection client quarantines a file that you determine is a false positive. The tool uses the QEXTRACT command. The command includes different options to target a file or groups of files for restoration. The targeted file is always restored to the directory path from which it was initially quarantined.

 

* SEPprep - Tool (version 1.0.9) for removing installations of 3rd-party AV products. Comes with a guide in a .pdf file.

SEPprep is an unsupported tool that is designed to uninstall any competitive product automatically. This tool can also launch another application before or after removing all competitive products. Therefore you can configure this tool to first remove all competitive products (including Norton products) and then launch the SEP installer automatically and silently.

Reference:
SEPprep competitive product uninstall tool
http://www.symantec.com/docs/TECH148513

9. OfflineImageScanner - Symantec Offline Image Scanner (SOIS.exe) Version 1.0.2.1

Tool used for scanning offline VMware virtual system images.

Features:

    * SOIS scans and detects threats in offline VMware virtual disks (.vmdk files)
    * SOIS has been developed for users of Symantec Endpoint Protection (SEP) which
      does not have support for scanning VMware virtual disks. You need to have a
      valid license of SEP before you can use SOIS. Please see the EULA for details.
    * This product does not ship with AntiVirus (AV) definitions nor does it download
      them from Symantec's servers. If you have SEP/SAV installed on your computer,
      SOIS uses those definitions.
    * SOIS is compatible with AV definitions of SEP (versions 11 and 12) and SAV (version 10)
      only. Other versions of SEP/SAV are not supported.
    * SOIS scans FAT32 and NTFS file-systems on Windows .vmdk files. Linux .vmdk files
      are not supported.
    * SOIS has a command-line interface as well so that it may be used from within scripts.

Reference:
About the Symantec Offline Image Scanner tool
http://www.symantec.com/docs/TECH146500

How to use the Symantec Offline Image Scanner tool (SOIS)
http://www.symantec.com/docs/TECH164012

   
10. PushDeploymentWizard - Push Deployment Wizard

The tool helps deploy the client software by pushing the installer to remote computers and installing it automatically. It has options for deploying SEP full install packages or patches as well as self-installing executables.


Reference:
Overview of Push Deployment Wizard in Symantec Endpoint Protection 12.1
http://www.symantec.com/docs/TECH183172

Deploying client software with the Push Deployment Wizard
http://www.symantec.com/docs/HOWTO17943

Deploying client software with the Push Deployment Wizard
http://www.symantec.com/docs/HOWTO11088

 

11. SEPIntegrationComponent - Altiris Symantec Endpoint Protection Integration Component (SEPIC) version 7.1.72.

The installer comes along with the Altiris Symantec™ Endpoint Protection Integration Component 7.1 SP1 Release Notes as a .pdf file.

The Symantec Endpoint Protection Integration Component helps facilitate migration to Symantec Endpoint Protection through robust software delivery mechanisms. The software provides detailed reporting, broad deployment views (dashboards), bandwidth throttling, and advanced discovery. This free component can scale for both local and remote endpoints. The Symantec Endpoint Integration Component combines Symantec Endpoint Protection with your other Symantec Management Platform solutions. You can inventory computers, update patches, deliver software, and deploy new computers. You can also back up and restore your systems and data, manage DLP agents, and manage Symantec Endpoint Protection clients. You can do all this work from a single, Web-based Symantec Management Console.
 

Reference:
How to use Symantec Endpoint Protection Integration Component in conjunction with Symantec Endpoint Protection
http://www.symantec.com/docs/HOWTO73212

Altiris Symantec™ Endpoint Protection Integration Component 7.1 SP2 User Guide
http://www.symantec.com/docs/DOC4755

How to create and deploy a Symantec Endpoint Protection install package using the Altiris Symantec Endpoint Protection Integration Component
http://www.symantec.com/docs/HOWTO60858

 

12. SylinkDrop

Tool used for replacing the communication settings (sylink.xml file) on a SEP client. Versions are available for PC and Macintosh. Another tool that may be used to achieve the same goal is Sylink Replacer; this one is not available on CD2 of the SEP installation.


Reference:
SylinkDrop or SylinkReplacer fails to assign Symantec Endpoint Protection clients to a new Client Group
http://www.symantec.com/docs/TECH103041

Using the "SylinkReplacer" Utility
http://www.symantec.com/docs/TECH105211

 

13. SymHelp - Symantec Help Tool

Tool used for troubleshooting both the SEP client and the SEPM server, but not exclusively; it supports a list of other Symantec products as well.


Symhelp is a new version (designed for SEP 12.1 RU2) that replaces the old Symantec Support Tool.
The SymHelp on the CD is version 2.1.1.74. The latest available version from Symantec is 2.1.5.87. Revisions of the SymHelp tool are updated constantly; if possible, use the latest available from Symantec. SymHelp may also be downloaded directly from the SEP GUI by going to Help -> Download Support Tool, which redirects to the Symantec article mentioned in the reference below.


Reference:
Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH170752

14. Virtualization - consists of the following tools:

* SecurityVirtualAppliance - A Symantec Security Virtual Appliance that contains the vShield-enabled Shared Insight Cache for VMware vShield infrastructures.

The Symantec Endpoint Protection Security Virtual Appliance is a Linux-based virtual appliance that you install on a VMware ESX/ESXi server. The Security Virtual Appliance integrates with VMware's vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based Guest Virtual Machines (GVMs) share scan results. Identical files are trusted and therefore skipped across all of the GVMs on the ESX/ESXi host. Shared Insight Cache improves full scan performance by reducing disk I/O and CPU usage.

Reference:
About the Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81080

VMware software requirements to install a Symantec Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81081

Installing a Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81083

Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file
http://www.symantec.com/docs/HOWTO81082

 

* SharedInsightCache - Network-based Shared Insight Cache, for use in any virtual infrastructure.

The Shared Insight Cache tool improves scan performance in virtualized environments by not scanning files that a Symantec Endpoint Protection client has already determined are clean. When the client scans a file for threats and determines it is clean, the client submits information about the file to Shared Insight Cache. When any other client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache.

 

Reference:
About the Symantec Endpoint Protection Shared Insight Cache tool
http://www.symantec.com/docs/HOWTO55311

How Shared Insight Cache works
http://www.symantec.com/docs/HOWTO55318

Network-based Shared Insight Cache - Best Practices and Sizing guide
http://www.symantec.com/docs/TECH174123

Installation and Configuration of SEP Shared Insight Cache
http://www.symantec.com/docs/TECH185897

* VirtualImageException - Virtual Image Exception tool.

The Virtual Image Exception (VIE) tool is designed specifically for environments leveraging virtualization technologies where a single baseline image is used to deploy many identical or nearly identical Virtual Desktop Infrastructure (VDI) clients. The VIE tool is used to add a new Extended File Attribute (EFA) value to all existing files on a machine before imaging. The EFA value remains valid until the file is modified. The Symantec Endpoint Protection (SEP) 12.1 client checks for this attribute before scanning files and skips scanning any files that are marked as "known good" by the VIE tool. Scans on VDI clients created with images processed by the VIE tool will experience lower I/O load, CPU usage, and network bandwidth usage during scheduled and manual scans.

Reference:
About the Symantec Virtual Image Exception tool
http://www.symantec.com/docs/TECH172218

Using the Virtual Image Exception tool on a base image
http://www.symantec.com/docs/HOWTO55325

 

Illustrated Guide to Installing Symantec Mobile Security 7.2

(Baddies) Party Like It's 1999

In the 1990's, I remember working in large offices full of computers where only the odd server had any AntiVirus installed at all.  Those were the relatively early days before users were well educated about security matters.  We all learned fast when the networks fell victim to that era's series of viruses and worms.

Today, it seems that there is a smartphone in every pocket.  These Androids have more storage and processing power than those desktop machines of the 90's, far better networking capabilities and usually much more personal information on them than an office computer.  While the people carrying those phones have learned to keep their desktops, servers and laptops protected, most are still walking around without any AV or firewall on their powerful mobile computers.  It's no surprise that every day the bad guys develop new threats that target the Android OS, and there have already been enormous Android botnets discovered.

Symantec sponsors mobilesecurity.com with information and educational resources that can help raise awareness of these current threats.  Symantec also offers two products designed to keep those Android phones, tablets and other devices secure: here's an article with details on which is best suited to an individual or company's need: 

 

Comparing Symantec Mobile Security 7.2 and Norton Mobile Security
http://www.symantec.com/docs/TECH202054
 

 

Get Connected

Deploying the large-scale enterprise product, Symantec Mobile Security 7.2, is not as straightforward as mailing every cell phone the .apk (Android installer file) and instructing owners to run it. 

  1. A management server needs to be set up first, and then
  2. the Android clients use their browser to connect to that Symantec Management Platform and download the .apk
  3. Protection is only enabled once that .apk is installed and the Mobile Security client app is enrolled with the server.    

This illustrated article walks admins through how to set up Symantec Mobile Security 7.2 (SMS 7.2) on the server and then on the phone.  This is a process which some admins can find confusing and time consuming: hopefully the example walk-through below will ease admins over any pain points. 

 

Know Before You Go

Here are links to the official documentation: read these and keep them on hand!  This Connect article is a quick illustration, not a comprehensive install guide.

Symantec Mobile Security 7.2 Quick-start Guide 
http://www.symantec.com/docs/DOC5664 
 

Symantec Mobile Security 7.2 Implementation Guide
http://www.symantec.com/docs/DOC5661

 

These Release Notes also contain important information:

Symantec™ Mobile Security 7.2 Release Notes
http://www.symantec.com/docs/DOC5663 
 

Be sure the server that will be the Symantec Management Platform 7.1 SP2 (formerly known as Altiris ITMS) meets all the system requirements before beginning your install.  It does require a capable server: guaranteed, there will be poor performance and errors if the server chosen is an old machine already in use by several other server programs, or if a small and underpowered VMware image is used.  Ensure you have:

  • 4 GB RAM minimum
  • 5 GB free Hard Drive (minimum)
  • Microsoft Windows Server 2008 x64 R2
  • Microsoft SQL Server 2005 (SP2/SP3/SP4) or Microsoft SQL Server 2008 (SP1/SP2/R2/R2,SP1).  SQL Server Express will do for testing and for installations serving less than 500 devices.
  • Microsoft .NET Framework 3.5
  • Microsoft Silverlight 3.x, 4.x, 5
  • Microsoft IIS 7.5 (IIS 6.0 compatibility)
  • Internet Explorer 7,8, or 9
  • JRE 6 or higher

(See below for a couple additional recommendations about the SMP, too.)

SMS 7.2 can defend Androids with version 2.2 and above.  It can also protect older Windows Mobile 5 through 6.5 devices.

 

OK, I Know Now.  Let's Go!

If you already have Symantec Installation Manager (SIM) and an Altiris/Symantec Management Platform (SMP) server set up, installation is easy!  SMS 7.2 SP1 can be deployed right from the Symantec Installation Manager (SIM).

If not, the SIM can be downloaded from fileconnect (go to https://fileconnect.symantec.com and use your Serial Number).  The SIM is the file named “Symantec_Mobile_Security_7.2_SMP-SIM_IE.exe” – install it!  SIM will be the tool used to install SMS 7.2 (and the SMP necessary to manage it).

(You may also download from go.symantec.com/Get_Mobile_Security using your Symantec account.)

In the Symantec Installation Manager, place a check next to Symantec Mobile Security MR1.  SIM will automatically add any other dependent products that are needed (including Altiris/Notification Server/Symantec Management Platform.)

 


 

There will be some readiness checks run.  If the server is not up to standard or lacks a necessary component, details will be provided.  It is very important that all requirements are met here at the beginning.

As promised above, I would also like to add two necessities that are not on that list:

  1. A fixed IP address.  To save no end of headaches later, your Symantec Management Platform server absolutely needs a fixed IP.  If the server IP address changes after installation and deployment of the Mobile Security app to the clients, it's very difficult for the Android phones (and Windows Mobile devices, too) to be configured to communicate with a new address. 
  2. The latest Java.  There have been many Java vulnerabilities (and threats which exploit them) discovered in recent months.  Be sure your SMP server is running a release that is recent and patched against these threats.

 


 

Several screens worth of configuration information will be required.  Here is how I (successfully) filled these out for a new server called MICKSMS72 which is in an Active Directory domain.

 


 


 

Once everything is entered correctly and SIM has downloaded and verified all the necessary files, you are ready to roll! Confirm all details are correct and then Begin install.


 

Coffee Time....

Installation can take a while (especially if no SMP was already installed).  Here's an install in progress....


 

Once it is successfully installed, you will see your products listed in SIM.  (Yes, there are two entries for Symantec Mobile Security.  That is normal and correct.)


 

Fun with the Symantec Management Console

Now, time to go have a look at the Symantec Management Console!  It is the place to go to create policies, view reports and logs, and carry out actions like remotely blaring an alarm from a stolen Android....

The SMC is a web-based admin interface.  It can be run from the SMP server from the start menu (Start, Programs, Symantec, ) or from any Internet Explorer web browser which can access the SMP machine: http://[IP of SMP server]/Altiris/Console.  A login credentials pop-up will deliver a "401- Unauthorized" to keep out anyone who should not be accessing these components.   


 

Once logged in, click Home > MobileSecurity and then in the left pane, select Settings.  Make sure that the Mobile Security Gateway installed on the SMP is Active.


 

Here's an article with more information about MSG:

Recommendations for Configuring a Healthy Mobile Security Gateway for Symantec Mobile Security 7.2
http://www.symantec.com/docs/TECH197866

 

Who Goes There?

Next, ensure that your SMP is configured to allow the Android phone owners to enroll themselves!  There are a couple of ways to do this (see the Quick Start Guide for full details) but I generally configure SMP to recognize the users already present in my Active Directory domain. (I have created a group called androidusers in Active Directory Users and Computers.  Any user approved to have SMS 7.2 on their Android is added there.)

  1. On the console, go to Home > Mobile Security > Settings > Android Configuration.
  2. Under Device Enrollment > Device authentication, select "Use Active/LDAP authentication"
  3. Supply valid information for your AD Domain Controller(s) or other LDAP server.


 

Enough Backstory.  Get Some Androids on Screen!

Now it is time to download, install and enroll the Mobile Security client app on the Android. Open the browser on the Android and enter in http://[IP of SMP server]/MobileSecurityDeployment/AndroidInstall.aspx.   A MobileSecurity.apk package will be downloaded. 

 


 

Click through the install of that downloaded app... I won't illustrate it here because it's pretty straightforward.

Launch the MobileSecurity app and the user is prompted to Enroll. A couple of tricky points:

  • When it is asking for Server, the app is asking for the Management Server Gateway.  Be sure to use port 443, not the port 80 used for downloading the app!
  • The most common cause for failed enrollments is that the user is not one that the SMP knows about.  Be sure to be specifying a user who was configured in Android Configuration, Device Enrollment.
  • If that is an Active Directory domain user, type in domain \ username
  • The second most common cause for failure is fat fingers.  :)  Be sure that passwords are typed correctly!

Here's a successful enrollment:


 

Once that is done, the Android device appears in the SMC and the client app's GUI is enabled.  Here a scan has detected the eicar test file.....

 


 

...And here is our friend androidguy1 in the SMC.


 

 

License and Registration, Please

Generally, there’s no need to license SMS 7.2 from the beginning.   When installed, it automatically has a 30-day trial license which offers full functionality.  After that 30 day period is when the product will need to have the license applied.   Here’s an article which has some additional details:

Licensing Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH201488      

 

Any Last Words?

Remember: this is just a brief overview of the installation process for SMS 7.2.  Full details are in the guides, above, and Symantec has created hundreds of knowledgebase articles should anything go wrong with the Symantec Management Platform.  A quick search should get you back on your way.  If you get stuck, peers in the Connect Forum  can help or you can call on professional assistance from Technical Support. 

If setting up the SMP server seems like a lot of work, remember: it's something that generally only has to be done once.  :)   Once the SMP is in place, it is an easy process to set up additional MSG's, create advanced architectures, deploy policies and so on.

So: time to live life to the fullest in the 21st century!  Please do give Symantec Mobile Security 7.2 a try, and get those Androids protected!

 

Please do leave comments below to provide feedback on how your own install went, and highlight any tips you have discovered that other admins may find useful.   

Introduction to PGP Clustering

Clustering allows multiple PGP Universal Servers in an organization to synchronize with each other.

When you have two or more PGP Universal Servers operating in your organization, you can configure them to synchronize with each other; this arrangement is called a “cluster.” The benefits of clustering include lower overhead (spreading the system load between the PGP Universal Servers in the cluster means greater throughput) and the ability for email services to continue working even if one of the servers in the cluster goes down.

Servers in a cluster can all keep data replicated from the other servers in the cluster: users, keys, managed domains, and policies. For those servers running PGP Universal Web Messenger they can also replicate Web Messenger data.

Cluster members interact with each other as peers. Every server in a cluster can serve all types of requests, and any server can initiate persistent changes.

For the most part, cluster members all share the same database and configuration information -- changes on one are replicated to all the other cluster members. However, not all configuration settings are global, and it is possible to configure a cluster such that not all servers in the cluster provide all services.

The following settings and data are considered global and are replicated to all servers in the cluster:

  • Consumers (internal and external users, devices, and their public keys and properties)
  • Group configurations, the group's public key, and consumer policies
  • Managed domains and mail settings (policies, dictionaries, archive servers, message templates)
  • Directory synchronization settings
  • Organization keys and certificates
  • Ignition keys
  • Trusted keys
  • Configured keyservers
  • Web Messenger data, if replication is enabled and if the target server has a valid license
  • Learn Mode
  • PGP Verified Directory data (though the service can be enabled or disabled on individual servers).

The following settings are not replicated:

  • Server TLS/SSL certs
  • Mail routes
  • Mail proxies

As the administrator, you have some degree of control over what data is replicated to which cluster members:

  • You can allow or prevent the private keys of internal users and groups from being replicated to individual servers.
  • You can configure the Web Messenger service to run only on a subset of cluster members, which limits Web Messenger data replication to only those servers running Web Messenger. Further, you can configure Web Messenger data replication so that it is replicated only to a subset of the eligible cluster members. For example, if you have a cluster of four servers, three of which run Web Messenger, you can configure Web Messenger replication so that each user's mailbox is replicated to only one or two of the three eligible servers.
  • You can choose to set the order in which each cluster member searches LDAP directories, or specify that all cluster members use the same search order.

Cluster members may reside either inside or outside an organization's inner firewall -- members outside the firewall are considered to reside in the DMZ. Cluster members in the DMZ cannot initiate contact with systems on the internal network; therefore, in order to add a cluster member that resides in the DMZ, a server on the internal network must be configured first, and can then initiate a join, acting as the "sponsoring" server for the server in the DMZ.

How to handle Threats with SEP and thoughts about how to identify those

In enterprises you very often find yourself with a layered approach of defense mechanisms and also, very often, a multi-vendor strategy, because of the potential advantage that one vendor identifies a threat that the other vendor has not caught so far.

(In my opinion, when you take a closer look you will see that for enterprises there are actually not that many vendors that can deal with your environment, and in the end the remaining partners that are potential candidates for protecting your environment perform quite similarly; in terms of malware detection they are even more similar, as there is always one who detects something sooner, and over the years this keeps the balance.)

On the one hand there are threats that simply damage your systems and thereby affect your availability to the market. The other category is more oriented towards information and data theft, where the purpose could be financial.

In both situations there is a risk to your data and your systems that conflicts with confidentiality, integrity or availability and can harm your business.

So what would be a strategy for protecting your organisation from such threats? Since there is never a 100% solution, we can at least try to determine approaches and proposals that give good coverage for most cases.

In the following I would like to focus mainly on the endpoint.

 

Identification of Layers

When you know what the layers in your environment are and what you can get out of them, you already have a valuable source of information that will help you identify potentially harmful source systems that can impact your corporation. The reason I focus on the internal systems is that a system getting infected at some point is not the surprise today; it becomes a problem when an infected system appears in your network and either spreads, or captures data and information and submits it to an uncontrolled area outside your border.

Where can you get information about suspicious activity in your environment, assuming that an infected endpoint is in your corporate network?


Just to give you an example what these could be:

  • Proxy - Check logs for indications of accessing malicious sites.
    Often web proxy solutions provide categories that you may have defined to block access to, but just because a system in your environment can't access a site, it doesn't automatically mean that you have solved the problem.
  • Event logs - Check these logs for indications like suspicious login attempts.
  • Check N-IDS or Firewall Logs for abnormality
  • Logs of your mail system in terms of suspicious mail activity
  • User perception
  • Security Solutions like Antivirus (just mentioned it as peripheral point as we assume that there is no definition available)
  • ... and many more that come to mind

Based on these available logs you can identify the systems that are infected and the systems that are potentially infected.

Examples to demonstrate a use case:

  • A system appears as clean in the antimalware management console, but is appearing in the proxy logs to access malicious websites.
  • A system is connecting to a resource system on specific ports that are known to be vulnerable and gets blocked by a Network IPS.
  • A system appears to perform 1000 logon attempts within 1 minute to an internal HR website.

 

For more information about detecting malware activity in your network feel free to contact Symantec as there are solutions that may simplify the way of how to monitor your internal network to stay ahead of possible malware activity.

Please feel free to comment if there are interests about the simplified way to detect malware activity in your network and your thoughts.

 

Now I would like to give you an impression of how to hunt down malware on endpoints that you may have discovered, either way, as potentially infected.

 

Simplification of Threat Types

In this section I will simplify the types of threats that exist, independent of the usual classification by the risk or damage they can cause:


  • Low-Medium Level Viruses, Spyware and Risks
    You will notice these types as single occurrences on SEPM in
      Viruses: (Cleaned/Blocked), (Deleted) and (Quarantined)
      Spyware and Risks: (Cleaned/Blocked), (Deleted) and (Quarantined)
    if there is a bad reputation, signature or behavioral aspect known.

Furthermore, an entry can appear in the Still Infected section if the threat is detected on a protected drive like a CD. In that case the threat is detected and blocked but is displayed as still infected, as it wasn't removed/cleaned or quarantined due to the drive protection.

In corporate environments you very often see these types in user profiles or temporary folders that are accessed by the user or via user interaction through an application like a browser.

Typical threats for this category are Trojan.Zbot, Trojan.FakeAV or JS.Runfore, which get onto the client e.g. by drive-by download.

 

  • High-Critical Level Viruses, Spyware and Risks
    You will notice these types occurring on SEPM in
      Viruses: (Suspicious), (Newly Infected) and (Still Infected)
      Spyware and Risks: (Suspicious), (Newly Infected) and (Still Infected)
    if there is a bad reputation, signature or behavioral aspect known, or more often occurring in
      Viruses: (Cleaned/Blocked), (Deleted) and (Quarantined)
      Spyware and Risks: (Cleaned/Blocked), (Deleted) and (Quarantined)

In corporate environments you often see these types on different paths of computers like the system root, other folders used by users, or flash drives, depending on the type of threat and the privileges with which the threat comes in.

Furthermore, an entry can appear in the Still Infected section if the threat is detected on a protected drive like a CD. In that case the threat is detected and blocked but is displayed as still infected, as it wasn't removed/cleaned or quarantined due to the drive protection.

Typical threats for this category are W32.Downadup.B or W32.Sality.AE. These types mainly spread when users have administrative privileges on systems and systems aren't patched, etc.

 

  • Other Viruses, Spyware and Risks
    These types of Threats are for example Rootkits, Master Boot Record Viruses or other complex malware frameworks.

    These types can be everywhere on a system and sometimes they can be easily detected and repaired/removed, others require a complex removal.

 

Mitigation, Remediation and Removal

After we have simplified the existing Threats and also the aspect on how and where to find information regarding systems that might be infected, we have 2 important steps accomplished, as we can compare the possible infected systems with the actual system at risk.

 

The SEPM will show you an infected system that is on the Still Infected list in the Computer Status Logs. Furthermore in previous logs of the Risk or Sonar Log you may find other indications of infected files.

 

As a result you can flag the systems, for Viruses as well as for Spyware and Risks:

  Clean* System
    Suspicious appearance in external logs: NO
    Appearance in SEP log files: NO

  Suspicious System
    Suspicious appearance in external logs: YES
    Appearance in SEP log files: NO

  Infected System
    Suspicious appearance in external logs: NO
    Appearance in SEP log files: YES

  Infected System
    Suspicious appearance in external logs: YES
    Appearance in SEP log files: YES

*) At the moment there is no indication that the system is infected, but it doesn't automatically mean that the system is clean.

 

For the mitigation and removal strategy we can now apply the following scheme (columns: Low-Medium Level, High-Critical Level, Other):

  Clean System
    Low-Medium Level: no actions in the scheme
    High-Critical Level: no actions in the scheme
    Other: no actions in the scheme

  Suspicious System
    Low-Medium Level:
      • Check and follow best practice for removal like update definitions and fullscan
      • Analysis
    High-Critical Level:
      • Check and follow best practice for removal like update definitions and fullscan
      • Analysis
    Other:
      • Check and follow best practice for removal like update definitions and fullscan
      • Analysis

  Infected System
    Low-Medium Level:
      • Check and follow best practice for removal like update definitions and fullscan
    High-Critical Level:
      • Check and follow best practice for removal like removal tools
    Other:
      • Check and follow best practice for removal like reinstall system

 

Regarding the scheme, I think the overall approach is clear to everyone and can be found here:

 

But I want to spend a few more words in the next section on the Analysis step, as this is the most interesting part: detecting Threats that are not yet included in the virus definitions.

 

 

Analyzing systems that show suspicious activity

The analysis requires a bit of understanding in terms of the operating systems and the applications running on it.

As a prerequisite you should have enabled application learning for your systems; it helps you understand your environment better and also helps you sort out potential risks on clients.

(I also want to point out the following product idea, which could be helpful: https://www-secure.symantec.com/connect/ideas/application-monitoring-and-sort-out-good-and-unknownpossible-threats)

 

With application learning in place you will see the dbo.SEM_APPLICATION table in your database filling up, which helps you discover possible threats as follows.

Based on this table you can also investigate suspicious files active in your environment and relate them to threats that you may want to submit for analysis or even block.


You will also notice that many of the temporary files you see once never appear again; that is the actual purpose of temporary folders, but malware takes advantage of these folders as well.

In any case these files should not be allowed to use your network connection, which brings us to firewall restrictions.

(https://www-secure.symantec.com/connect/ideas/wildcard-firewall-policy)

I wanted to share this as a generic approach for your environment, independent of the single incidents you will correlate to a machine.

 

When you have a system on your suspicious list you can check the applications running on it via Search for Applications.

Once you have searched for a hostname you will see the list of files that are running or have been executed on the system.

Now comes the point where you need to separate legitimate applications from those that are not. Based on exclusion criteria you can, for example, filter for suspicious ones located in the temporary folders of users or of the system.

 

Once you have found a suspicious one, obtain the file for submission in accordance with the regular submission process.

 

Independently of that, the Detail View of the file shows on which clients the same file is active, which gives you a clear picture of how much of your environment is affected.

But what should you do when you have something that is definitely not related to your business and looks like malware, perhaps with a negative rating at various online virus scanners, or that Symantec has already confirmed as a Threat to be included in the next definition set?

 

Mitigation and Solution

Based on the information you have about the file you can apply an Application Control Policy to block execution of this file.

To do so, create an Application Rule and apply it to the executable, which can be done based on the file name.

Be aware that in most cases the file name varies, or is a generic name that may also be used by a legitimate part of the operating system. So it makes more sense to use the file fingerprint, which is more specific than a name.

Once the rule is applied, the application is blocked the next time it is started. Already running instances require a restart of the application, for example by a reboot, after which the application is blocked.

In addition, to immediately prevent the threat from spreading or submitting data to a command and control server, you can apply a firewall configuration that blocks the file from using any network interface.

Make sure that the policy you have created to block malware activity is applied to all your systems.

 

Using SymHelp, How to collect Full Support Logs for Symantec Support.

Hello,

SymHelp is a cross-product diagnostic utility designed for troubleshooting and identifying common issues that customers encounter.

SymHelp is designed to support Symantec Endpoint Protection 12.1 RU2 as well as the Windows 8 and Windows 2012 operating systems.

If you try running the legacy SEP Support Tool on a machine with Windows 8 / Windows 2012 or Symantec Endpoint Protection 12.1 RU2, you may receive an error message.

 

Supported Products

Currently SymHelp supports the following Symantec products:
  • Symantec Backup Exec 11d to 2012   
  • Symantec Backup Exec System Recovery 6.5 to 8.x
  • Symantec Data Loss Prevention 11.0 and later
  • Symantec Endpoint Protection 11.0 and later
  • Symantec Mail Security for Microsoft Exchange 6.5.2 and later 
  • Symantec System Recovery 2010 to 2012 

Check these Articles:

About Symantec Help (SymHelp) http://www.symantec.com/docs/TECH170735

Symantec Help (SymHelp) http://www.symantec.com/docs/TECH170752

Download Instructions
 
1. Click Download Symantec Help from

2. On the File Download dialog, click Save.

3. Select the location where you want the file saved, and click Save.

4. Go to the location of the downloaded file and double-click the SymHelp.exe icon.
 
Here are the Steps on how to collect the SymHelp Logs for the Symantec Support.
 
1) Once the Symantec Help (SymHelp) application is run, it first checks its version status with the Symantec server.

This requires an Internet connection.

 

2) If there is a newer release of SymHelp, it downloads it and updates itself automatically.

 

3) Click "I accept the EULA" and Symantec Help launches.

4) You will see the SymHelp home screen. Select the products for which you need to submit SymHelp logs.

 

5) Click "Full data collection for Support" and then click the "Start Scan" button.

 

6) SymHelp starts scanning and collecting information about the client machine.

 

7) Once SymHelp has completed scanning and collecting the logs, the home screen shows the scan status.

Click "Save" to save the report.

 

8) Enter the customer information to save the report file, browse to the location where you want to save the SymHelp log file (the default location is the folder from which SymHelp.exe was run) and click the "Save" button.

 

9) SymHelp starts saving the file to the destination location.

 

10) By default the saved location is the folder from which SymHelp.exe was run.

 

11) If you click "Save and Send to Symantec Support" instead, SymHelp saves the logs and uploads them to the Symantec FTP server.

The upload to the FTP server requires an Internet connection.

Give the full path to the Symantec Technical Support technician when asked.

 

 

To Create a Case with Symantec Technical Support, check these Articles below:

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

Hope that helps!!

Using SymHelp, how do we collect the Load Point Analysis Logs and Submit the same to Symantec Technical Support Team.

Hello,

SymHelp is a cross-product diagnostic utility designed for troubleshooting and identifying common issues that customers encounter.

SymHelp is designed to support Symantec Endpoint Protection 12.1 RU2 as well as the Windows 8 and Windows 2012 operating systems.

If you try running the legacy SEP Support Tool on a machine with Windows 8 / Windows 2012 or Symantec Endpoint Protection 12.1 RU2, you may receive an error message.

 

 
Here are the Steps on how to collect the SymHelp Load Point Analysis Logs for the Symantec Support.
 
1) Once the Symantec Help (SymHelp) application is run, it first checks its version status with the Symantec server.

This requires an Internet connection.
 
 
2) If there is a newer release of SymHelp, it downloads it and updates itself automatically.
 
 
3) Click "I accept the EULA" and Symantec Help launches.
 
 
4) You will see the SymHelp home screen. Select the products for which you need to submit SymHelp logs.

Click "Symantec Load Point Analysis".
 
 
5) The Load Point Analysis window appears.
 
 
6) Click the "Settings" button to change the Load Point scan settings and proxy settings (if any), then click OK.
 
 
7) Click the "Scan" button (shown in step 5) to scan the machine with Symantec Load Point Analysis.
 
 
 
8) Once scanning is done, Symantec Load Point Analysis shows the report.

The report shows suspicious files and processes detected by Symantec.

Clicking the "Copy files to a Folder" button lets you save the suspicious files to a directory of your choice.

Zip the folder(s). Make sure that a zip file does not contain more than 9 files and/or exceed 10 MB in size.
 
To understand more, check this Article: 
 
9) To collect the SymHelp Load Point Analysis logs for Symantec Support, click "Save".
 
 
10) Enter the customer information to save the report file, browse to the location where you want to save the SymHelp log file (the default location is the folder from which SymHelp.exe was run) and click the "Save" button.
 
 
11) SymHelp starts saving the file to the destination location.

 

12) By default the saved location is the folder from which SymHelp.exe was run.

 

13) If you click "Save and Send to Symantec Support" instead, SymHelp saves the logs and uploads them to the Symantec FTP server.

The upload to the FTP server requires an Internet connection.

Give the full path to the Symantec technician when asked.
 
 
14) If you need to submit both the Load Point Analysis and the Full Data Collection report, follow the steps provided in the Article:


and then click the Save button to save the full Load Point Analysis and Full Data Collection report in the .sdbz format.
 
 
15) Once the Full Report is Saved, you may submit the Load Point Analysis and Full Data Collection Report to the Symantec Technical Support Team.
 

In case, you haven't created any support case, please follow the steps provided in the Article below: 

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023


Hope that helps!!

 

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hello,

If you are running the legacy SEP Support Tool, follow the instructions provided in the Article:

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

SymHelp is a cross-product diagnostic utility designed for troubleshooting and identifying common issues that customers encounter.

SymHelp is designed to support Symantec Endpoint Protection 12.1 RU2 as well as the Windows 8 and Windows 2012 operating systems.

 
Here are the Steps on how to collect the Suspicious Files and Submit the same to Symantec Security Response Team.
 
1) Once the Symantec Help (SymHelp) application is run, it first checks its version status with the Symantec server.

This requires an Internet connection.
 
 
 
2) If there is a newer release of SymHelp, it downloads it and updates itself automatically.
 
3) Click "I accept the EULA" and Symantec Help launches.
 
 
4) You will see the SymHelp home screen. Select the products for which you need to submit SymHelp logs.

Click "Symantec Load Point Analysis".
 
5) The Load Point Analysis window appears.
 
 
6) Click the "Settings" button to change the Load Point scan settings and proxy settings (if any), then click OK.
 
 
7) Click the "Scan" button (shown in step 5) to scan the machine with Symantec Load Point Analysis.
 
 
 
8) Once scanning is done, Symantec Load Point Analysis shows the report.

The report shows suspicious files and processes detected by Symantec.

Clicking the "Copy files to a Folder" button lets you save the suspicious files to a directory of your choice.

Zip the folder(s). Make sure that a zip file does not contain more than 9 files and/or exceed 10 MB in size.

Submit these suspicious files to Symantec Security Response for analysis. Click the link that applies to your license to begin the process:
 

For Retail License Holders

https://submit.symantec.com/retail

For Essential License Holders

https://submit.symantec.com/essential

For BCS License Holders

https://submit.symantec.com/bcs

Fill out the form and upload the file(s).

Your Technical Contact ID:  (check with your Local Technical Support Representative)

You will receive a confirmation email with a tracking number, and within 24 to 48 hours you should receive an email telling you if the file is viral or not. If it is viral, you will be provided with a set of rapid release definitions. These can be installed to your system so that Symantec Endpoint Protection or Symantec AntiVirus can then detect the infected file and prevent a re-infection.
 
9) Submit the file to ThreatExpert (owned by Symantec).
Automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly identify the sites the threat is coded to contact so that they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com, and this step does not replace the need to submit files to Symantec Security Response.
 
10) To collect the SymHelp Load Point Analysis Logs for the Symantec Support, check this Article:
 
 
11) Once the Full Report is Saved, you may submit the Load Point Analysis and Full Data Collection Report to the Symantec Technical Support Team.
 

In case, you haven't created any support case, please follow the steps provided in the Articles below: 

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023


Hope that helps!!

 


AD security groups for SEP policy control

Concept:

Use Active Directory security groups to assign SEP policies. This concept demonstration uses Application and Device Control for user-level device management.

Knowledge Required:

  • Active Directory Users and Computers
  • Microsoft Group Policy Management
  • Windows Registry
  • SEP 11 or 12
  • Application and Device Control rule development

SEP Client Modes:

User Mode: the SEP client's initial registration with the SEPM is in User Mode when the SEP package deployed to the endpoint is configured for User Mode.

Computer Mode: the default client installation.

Switching from Computer Mode to User Mode after installation does not guarantee that the client retains this mode.

 

Active Directory Users and Computers

For test purposes, to satisfy the functionality of this concept, create an OU and move a few users into it who will be part of the concept.

Create another OU and create three security groups which define what access level the user will have on USB storage devices.

 

Policy Model:

4 x Application and Device Control policies for USB management:

  1. Default - A SILVER USB flash drive is permitted for use by any user with Read/Write access.
  2. Restricted - all USB devices are blocked upon connection.
  3. Read Only - A specific BLUE USB flash drive is permitted for specific users with Read Only access.
  4. Read/Write - A specific BLUE USB flash drive is permitted for specific users with Read/Write access. 

Hardware Reference:

For both the silver and the blue USB drive the Device ID should be obtained either from Windows Device Manager or using the DevViewer tool available on the SEP media. Do not use the Class ID to reference the device. Add both Device IDs into the SEPM database.

Device Control Policies:

Use a mix of device control and application control: allow the silver drive (all users) and the blue drive (certain users) and block everything else at the time of connection. Device control governs the actual connection of the device, and application control grants the level of access once a device has connected successfully.

 

Active Directory Integration:

Active Directory integration is required. Configure your SEPM to read from the AD domain(s) as required to import your users.

Import your users' OU as a client group within the SEPM client group hierarchy. Once the users are synced (this can be done manually by right-clicking the imported OU), deploy the User Mode SEP client to their machines.

 

Location Awareness:

Use the security groups in AD as the mechanism to determine which group a user belongs to, in order to apply the correct policy set.

This is achieved by using multiple locations within a client group.

Create three additional locations:

  • Default: ADC Policy = USB Default
  • Restricted: ADC Policy = USB Restricted
  • Read: ADC Policy = USB Read Only
  • Write: ADC Policy = USB Read and Write

The condition required for a client (user) to use a location, and thereby the policy set assigned to it, is a check in the registry for the value of a certain registry key.

The registry key used in this demo is HKLM\SOFTWARE\Symantec\DeviceControl\USB

The value of the key will be 0=default, 1=Read, 2=Write, 3=Restricted.

The condition reads the registry key value when the user logs on and the SEP client starts. The client is automatically associated with the location matching the registry value and then adopts the policy set assigned to that location, in this case the Application and Device Control policies we have created.

Registry Settings:

The registry settings are applied by using Group Policy Objects. The group policy applied is a change to the User Configuration within the GPO. When a certain group policy is applied, it alters the value of the registry key used for the location awareness conditions. Group policy can be scoped so that it is assigned only to users with permission to receive the GPO.

Group Policy:

Create four group policies: Default, Read, Write and Restricted.

Each individual GPO writes a registry value on the client machine when the user logs on.

Use the GPO scopes to ensure the correct GPO is applied to the client machine at logon.

The Default GPO is applied at the highest level with a precedence of 1. Read, Write and Restricted are applied directly to the users' OU and enforced.

 

The scope is set on each as follows:

 

Default

Read

Therefore, if the user does not belong to any of the defined security groups (Read, Write or Restricted), the Default GPO is applied. This Default GPO writes the registry key value 0. This means that the user has read/write access on the silver USB drive, but all other USB storage devices are blocked.

The DeviceControl Read policy writes the registry value 1, Write = 2, Restricted = 3.

For the Read, Write and Restricted GPOs, the Authenticated Users entry has been removed from the scope. Scope each GPO only to its individual group to ensure complete control of the users' policy assignments within SEP.

Group Policy Settings:

Editing the GPO for DeviceControl Write: under User Configuration -> Preferences -> Windows Settings -> Registry there is an entry that updates the USB registry key to the value 2.

The registry key is in the HKLM hive because the SEP location conditions for reading the registry are pre-set to HKLM and cannot be changed to read the HKCU hive.

 

Example: this is the condition for the DeviceControl Default policy.

 

SEP Locations:

SEP locations should be configured as follows:

The default client group has just the single Default location with the DeviceControl Restricted policy applied. This ensures that if a machine is logged on to locally, because the SEP client is in User Mode and the account used is not in AD, the client uses the default group's policy settings. So even local administrators will not be able to write to any USB device.

 

End User Experience:

With this in place, one of our users logs on to a workstation. SEP references the registry and changes the location, applying the policies associated with the location and the level of access to USB drives authorised for that user.

This concept can be used to apply any policy or to control the SEP client in any way necessary in your environment. It also reduces operational overhead significantly, as the helpdesk can assist by moving users into security groups to control the 'SEP profile' associated with each user.

This can also be applied at the computer level in Computer Mode.

The principal functionality of this solution is to write a registry value based on a GPO, which can only be applied to users within a specific security group, and to have SEP reference the registry value in its location conditions.

 

Enforcement & Monitoring:

You can run reports from within SEP and from Active Directory to establish which users have which level of access.

I also use Critical System Protection to monitor Active Directory for changes and schedule reports from CSP. CSP is also ideal for protecting the registry keys.

You will need to protect the registry key so that only svchost.exe is allowed to manipulate the registry keys you define, preventing a knowledgeable end user from altering the registry key to gain temporary access to a USB device.
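As an added example (not part of the original article), the following PowerShell script audits the mechanism described under Location Awareness and Registry Settings: it derives the USB level a user should have from AD security group membership and compares it with the HKLM value that the GPOs write and SEP reads, so that a missing GPO or a locally altered value shows up as a mismatch. The group names USB-Read, USB-Write and USB-Restricted, the value name USB under HKLM\SOFTWARE\Symantec\DeviceControl, and the rule that the most restrictive level wins for a user in several groups are assumptions.

```powershell
# Added example, not from the original article. Audits whether the USB level
# written by the GPO (and read by the SEP location condition) matches what the
# user's AD security groups say it should be.
# Assumptions (hypothetical, not from the article): the three security groups are
# named USB-Read, USB-Write and USB-Restricted; the value is named 'USB' under the
# key HKLM\SOFTWARE\Symantec\DeviceControl; the RSAT ActiveDirectory module is installed.

$RegKey    = 'HKLM:\SOFTWARE\Symantec\DeviceControl'
$ValueName = 'USB'

# Mapping from the article: 0 = default, 1 = Read, 2 = Write, 3 = Restricted.
$GroupToLevel = @{
    'USB-Read'       = 1
    'USB-Write'      = 2
    'USB-Restricted' = 3
}

function Get-ExpectedUsbLevel {
    # Derives the level from group names. A user in none of the three groups
    # falls through to the Default GPO (0). The article treats the groups as
    # exclusive; if a user is in several, the most restrictive level wins here
    # (assumption).
    param([string[]] $GroupNames = @())
    $levels = @($GroupNames | Where-Object { $GroupToLevel.ContainsKey($_) } |
                ForEach-Object { $GroupToLevel[$_] })
    if ($levels.Count -eq 0) { return 0 }
    return ($levels | Measure-Object -Maximum).Maximum
}

function Get-ActualUsbLevel {
    # Reads the HKLM value the GPO should have written at logon. $null means the
    # key or value is missing, i.e. no DeviceControl GPO was applied.
    $item = Get-ItemProperty -Path $RegKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$ValueName
}

function Test-UsbLevel {
    # Compares expected vs actual for one user and returns an object that can be
    # exported or fed into a scheduled report. A mismatch means either the GPO
    # has not applied yet or the value was changed locally (see the note on
    # protecting the key with CSP).
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $groups = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
                Select-Object -ExpandProperty Name)
    $expected = Get-ExpectedUsbLevel -GroupNames $groups
    $actual   = Get-ActualUsbLevel
    [pscustomobject]@{
        User     = $SamAccountName
        Groups   = ($groups -join ', ')
        Expected = $expected
        Actual   = $actual
        Match    = ($null -ne $actual -and $expected -eq $actual)
    }
}

# Run on the workstation, as an administrator, after the user has logged on and
# the SEP client has switched location.
Test-UsbLevel -SamAccountName $env:USERNAME | Format-List
```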

Testing Configuration Rules in SCSP

Sometimes there are events showing up in the Monitors page that have little immediate value and tend to "clutter" the display. It might seem the way to overcome this is to fine-tune the policy responsible for generating the events. But at the same time, these might also be events that need to be retained for future forensic or compliance purposes. So it seems we only want to "hide" these events so that only more important events are displayed. Bulk-logging is what we need to achieve this. By configuring the event rules for the agent, we can pick out certain types of events and suppress their transmission to the management server. The problem is this: how do we know with any certainty that our logging rule will capture the intended event(s)?

The solution? Test the rule by creating an alert (Monitors -> Alerts).

For testing purposes, skip naming (because we're probably NOT saving the alert) and jump right to the "Filters" tab. After creating the rule(s), you can check which events will be affected by selecting the "Preview Events" button.

If the rule needs further fine-tuning, select the "Edit Filters" button. When the rule returns the events you are targeting, you're finished! Now simply recreate that rule in the "Log Rules" tab in the prevention or detection parameters found on the Configs page.

NOTE: When testing, the rule is compared against the number of events returned to the Homepage (see the yellow highlighting). Configure this setting under Preferences -> General. If this setting is configured to, for example, 1 hour, your rule will only be tested against that subset of events. For the purposes of rule testing, it might be better to (temporarily) set the Console Preferences to a larger event count rather than a time interval.

Install Gateway Enforcer Demo Environment in ESXi

Symantec Enforcer appliances and integrated software Enforcers enable you to control network access. Network-based enforcement authenticates clients and allows network access only to those that meet the requirements in the Host Integrity policy.

If your deployment includes a Gateway Enforcer appliance, you can allow guests without compliant software to access your network temporarily. These Enforcers enable guest access by installing On-Demand clients on guest computers and dissolving them when the guests log off.

If you want to demo all these functions, in theory you require an Enforcer appliance. However, you can install the Gateway Enforcer in ESXi for demo purposes.

Here are the steps to install the Gateway Enforcer in ESXi:

1. Log into the ESXi host by vSphere client, choose 'Configuration' tab of the ESXi host, then select 'Networking' to add a new networking:

Image may be NSFW.
Clik here to view.

2. Choose 'Create a vSphere standard switch', and don't select any adapter for this vSwitch:

Image may be NSFW.
Clik here to view.

3. Input label for this vSwitch as 'Gateway Enforcer':

Image may be NSFW.
Clik here to view.

4. After the vSwitch added, click 'Properties' of this vSwitch:

Image may be NSFW.
Clik here to view.

5. For the properties of the vSwitch, choose to enable 'Promiscuous Mode':

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

6. Create a new virtual machine in the ESXi, select the guset OS as 'Red Hat Enterprise Linux 4 (32bit)':

Image may be NSFW.
Clik here to view.

7. For the network connection of this virtual machine, select 2 NIC and choose 'Gateway Enforcer' for NIC 2:

Image may be NSFW.
Clik here to view.

8. Mount the ISO of the enfoecer to install Gateway Enforcer. For the steps, please refer to the Implementation_Guide_SEP12.1.pdf

9. Create a new virtual machine as a client, select the Network Label as 'Gateway Enforcer':

Image may be NSFW.
Clik here to view.

10. So, the client VM is connected to the Gateway Enforcer VM. If there is no SEP client installed inside the client VM, the page will be re-directed to the remediation server when accessing the internet:

Image may be NSFW.
Clik here to view.

DONE. Then you can use this environment to demo the basic functions of Gateway Enforcer.
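For repeatable demo builds, the same isolated vSwitch and VM layout can be created from PowerCLI instead of clicking through the vSphere client. The following script is an added example and is not part of the original article or a Symantec-supplied script. It assumes PowerCLI is installed and that the Enforcer ISO has already been uploaded to the datastore; the host name, datastore, ISO path, VM names and the client guest OS identifier are placeholders. It ends with the check a practitioner wants before switching on promiscuous mode: the demo vSwitch must have no physical uplink, and only the two demo VMs should be attached to it.

```powershell
# Added example: build the isolated Gateway Enforcer demo network in ESXi with PowerCLI.
# Placeholders (assumed, not from the article): host name, datastore, ISO path, VM names.
$EsxHost     = 'esxi-demo.example.com'
$Datastore   = 'datastore1'
$EnforcerIso = '[datastore1] iso/GatewayEnforcer.iso'   # assumed location of the Enforcer ISO
$DemoNet     = 'Gateway Enforcer'                         # port group label used in the article
$SwitchName  = 'vSwitchEnforcer'                          # assumed name for the uplink-less vSwitch

Connect-VIServer -Server $EsxHost -Credential (Get-Credential) | Out-Null
$vmhost = Get-VMHost -Name $EsxHost

# Steps 2-3: a standard vSwitch created without -Nic has no physical uplink, so clients on
# it are isolated from the real network; their only way out is through the Enforcer VM.
$vswitch = New-VirtualSwitch -VMHost $vmhost -Name $SwitchName
New-VirtualPortGroup -VirtualSwitch $vswitch -Name $DemoNet | Out-Null

# Step 5: the Enforcer bridges frames between its NICs, so it must see traffic that is not
# addressed to its own MAC. Promiscuous mode exposes all traffic on this vSwitch to every VM
# attached to it, which is tolerable only on a vSwitch dedicated to the demo.
# Forged transmits and MAC changes are the standard-vSwitch defaults; set explicitly here
# so a bridging appliance keeps working even if someone tightened them earlier.
Get-SecurityPolicy -VirtualSwitch $vswitch |
    Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -MacChanges $true | Out-Null

# Steps 6-8: Enforcer VM. NIC 1 goes on the regular VM network (protected side), NIC 2 on the
# isolated demo network (client side). It boots from the Enforcer ISO for the install.
$enforcer = New-VM -VMHost $vmhost -Name 'GatewayEnforcer' -Datastore $Datastore `
    -GuestId rhel4Guest -NumCpu 1 -MemoryMB 1024 -DiskMB 16384 `
    -NetworkName 'VM Network', $DemoNet
New-CDDrive -VM $enforcer -IsoPath $EnforcerIso -StartConnected | Out-Null

# Step 9: a client VM whose only NIC sits on the isolated network (guest ID is an assumption).
New-VM -VMHost $vmhost -Name 'EnforcerClient' -Datastore $Datastore `
    -GuestId windows7_64Guest -NumCpu 1 -MemoryMB 1024 -DiskMB 20480 `
    -NetworkName $DemoNet | Out-Null

# Check before demoing: the demo vSwitch must still have no uplink, and the attached
# adapters should be exactly the Enforcer's NIC 2 and the client's NIC; anything else
# listed here can sniff the demo traffic once promiscuous mode is on.
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName
if ($vswitch.Nic.Count -ne 0) { throw "$SwitchName must not have a physical uplink" }
Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $DemoNet } |
    Select-Object @{n='VM';e={$_.Parent.Name}}, Name, NetworkName
```

Run it once per demo host; the final listing is what to review if a third VM ever ends up on the 'Gateway Enforcer' port group.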

Getting to Know the Symantec Mobile Security 7.2 Client

...Or, "The Illustrated Guide to the Padlock in Your Pocket."


Hey! That Looks Cool!  I want one of those. 

The Mobile Security 7.2 app is Symantec's enterprise product for Android smartphones, tablets and other devices.  Chances are, your corporate IT administrator will provide you with an email that describes exactly where to download and how to enroll (activate) SMS 7.2.  Full details can be found in my first article, Illustrated Guide to Installing Symantec Mobile Security 7.2: read the intro, and then scroll down to the bottom for the stuff that applies to you, the end user.

One important note: you need a security product for your Android not because it looks cool, but because it will help prevent the bad guys from running up your phone bill, tracking your location, reading your text messages, snapping photos without your knowledge, secretly recording audio and all manner of other malicious stuff.   See the Security Response blog and mobilesecurity.com for the latest horror stories.
 

 

Is This Thing On?

Once installed, Mobile Security is always running, even when the GUI is not open. Check your Android's Settings, Applications, Manage Applications for details.

Also have a look at Settings, Applications, Running Services. There it is again.

Go ahead and try to stop those services. Guess what? They keep right on running, and anything the bad guys throw at Mobile Security will have just as little luck knocking it down.

 

Let's Have a Little Look Around.

Once installed, tap the big "Mobile Security" padlock to launch the interface. (The little padlock in the system bar indicates that Mobile Security has identified a suspicious app which needs to be remedied. More on that later.)

There are entries for Anti-Malware, LiveUpdate, Web Protection and Anti-Theft. (Unlike SMS 7.2 on Windows Mobile, there is no Firewall component or Mobile Agent.)

The Scan button lets you kick off a search for malicious apps any time you like. Your administrator may also have a scan scheduled on the device, which needs no interaction from you at all. (A scan a week is what I recommend. They usually take only a few minutes and can really help.) Here's what a scan looks like in progress...

Here's what it looks like when it completes:

And here's one I took when the scan found something malicious (don't worry, it's just a test file from eicar.org).

Note that Mobile Security puts that little padlock in the system bar when it finds a threat. It will occasionally nag you to remove that threat if you don't take care of it immediately. (The Android OS prevents automatic removal without user interaction.)

It is also possible to launch a manual LiveUpdate session from the GUI and to switch Web Protection off, but that is otherwise about all the GUI can do. Like Symantec AntiVirus for Linux (SAVFL), it works away in the background and has a small GUI.

 

I Almost Stepped in That

When you browse the Internet with your Android's built-in browser, Mobile Security keeps a watchful eye out for you. If you head toward a site that is known to contain malicious code or other threats, it shows a warning. (Note that it is the built-in browser that is covered.)

It is possible to proceed anyway, of course (unblocking the website for 30 minutes). Security is ultimately up to you, not the responsibility of any one tool like SMS 7.2.

 

What Have I Done?

If you want to see what Mobile Security has been doing on your Android, open the Mobile Security GUI and press the device's menu button. Four new options appear.

Tapping Activity shows a list of the actions Mobile Security has taken. Here's an example...

Most of the items relate to communications with the server (Symantec Management Platform, SMP). If there are a bunch of "Failed to download new policy" errors mixed in with the successes, don't worry. Those mean that the Android was not in touch with the server at that time (Wi-Fi turned off, or perhaps out of range of the office network). If there is nothing but these errors, then you'd best get in touch with your IT guys!

Those tech support engineers will likely ask you for the information on the Settings, Account screen. They'll probably ask you to tap the Refresh policies and activity button there, too. That's a good way to check in immediately with the server rather than wait for the next scheduled sync.

Play around with the GUI a bit. Do feel free to leave comments and questions below! Here is a FAQ of common questions so far...

 

Riddle Me This...

Q. Does the Mobile Security client have Auto-Protect like the Symantec Endpoint Protection (SEP) client?

A. Nope. Android is a different environment with different rules and needs. Don't worry: Mobile Security scans every app the instant it tries to install, in addition to scheduled scans and manual scans.

Q. This is my own private Android device, and my company wants me to install Mobile Security in accordance with their BYOD (Bring Your Own Device) policy. Are there any privacy issues I should be concerned about?

A. Not from Symantec. The Android can send anonymous malware detection data to Symantec as part of Community Watch, but this contains no PII (Personally Identifiable Information). You can disable even this if you like (Settings, General). Do ask your company's IT admin what they have configured Mobile Security to collect and communicate to its server. The product has the capability to collect:

  • IMEI,
  • location,
  • phone number,
  • user email addresses,
  • the device's MAC address,
  • and, with debugging enabled, the names of files scanned and the URLs evaluated by Web Protection.

Admins can enable or disable the collection of each of those items, so it all depends on your company's policy.

Q. Is this Mobile Security app going to slow my Android to a crawl, or crash it?

A. While everything that runs consumes some resources, SMS shouldn't have any noticeable performance impact on other apps.

Q. Is this Mobile Security app going to kill my battery?

A. It has been engineered not to. I have been using the product for a year and haven't seen any noticeable decrease. (You shouldn't either, unless you have been playing with the GUI for hours like I have while writing this article.) Go into Settings, About Phone, Battery Use to see what is consuming battery on your phone.


Install PGP Cluster Server - Graphical Steps

As described in the previous article, Introduction to PGP Clustering, PGP Universal Server supports a cluster mode in which the members synchronize with each other. Here are the graphical steps to install a PGP cluster server:

1. Install the first PGP Universal Server normally on the first node. Then, on the second node, run the PGP Universal Server installation wizard and choose the setup type that installs a cluster member.

2. Fill in the network information.

3. Confirm the server information.

4. After you click the Done button in the previous step, the server restarts.

5. After the server has restarted, enter the license for this second Universal Server, which is the same as the license of the first one.

6. Enter the IP address or hostname of the first Universal Server.

7. Check the confirmation information.

8. The second server now waits for the first one to establish and complete the clustering process.

9. Log into the first Universal Server.

10. Select 'System' --> 'Clustering' and click 'Add Cluster Member...'.

11. Enter the hostname or IP address of the second Universal Server.

12. Click the 'Save' button to return to the Clustering page.

13. Click the 'Contact' button on the Clustering page; the replication process starts.

14. Log into the second Universal Server; its page changes to 'Replicating Cluster Data' automatically.

15. After the replication process has finished, the state of both Universal Servers is displayed as green.

DONE!
