Channel: Symantec Connect - Products - Articles

Deploy SEP Client By Active Directory GPO


Steps to Deploy SEP Client By Active Directory GPO

Create MSI package in SEPM console

  1. Log in to the SEPM console -> Admin -> Install Package.
  2. Click Client Install Settings -> Add Client Installation Settings.

1_1.JPG

  3. Add Client Installation Settings -> give it a name as per the screenshot below.

2_0.JPG

  4. Export Client Package -> uncheck “Create a Single EXE file for this package.”

4.jpg

  5. Export the MSI package.

5.jpg

180px_6.jpg

  7. Copy the MSI package to the NETLogon folder.

How to create Group Policy in AD

  1. Start -> Run, type gpmc.msc.
  2. Open the Group Policy Management Console.
  3. Click the domain name -> right-click -> Create a GPO in this Domain.

180px_Upgrade1.jpg

  4. The New GPO dialog box opens -> give the GPO a name (Software Installation) -> OK.

12.jpg

  5. Select the GPO -> Edit -> a new dialog box opens -> Computer Configuration -> Policies -> Software Settings -> Software Installation.

13_1.jpg

  6. Software Installation -> New -> Package.

14.jpg

  7. Open the shared NETLogon location -> select the SEP package -> Open.

16.jpg

  8. Select the deployment method (Assigned).

17.jpg

  9. After assignment, the package is shown as in the image below.

18.jpg

  10. Assign the package to the respective OU.
  11. Restart the system -> the configuration below runs.

27032013.jpg

  12. Afterwards, the SEP client shows its respective SEPM group.

 

 

 


Uninstall SEP client Through GPO


Hello,

I have found one of the best ways to uninstall SEP clients in large numbers with the help of GPO. I have tested this in my test environment. With the help of this article you will be able to uninstall the SEP client through a Group Policy Object.

What you have to do is create a startup or shutdown script.

Note: On the SEPM side you need to remove the uninstall password.

  1. To remove the uninstall password setting in SEPM, go to

SEPM console -> Clients tab -> Policies -> General Settings -> Security Settings.

 

To get the uninstall string of the SEP client

The uninstall string is different for every version of the SEP client.

SEP Client  12.1.671.4971.105

MsiExec.exe /I{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}

SEP 12.1.2

MsiExec.exe /I {C2103AF2-E66C-446B-9791-9207840EC821}

Follow these steps to get the uninstall string.

  1. Start -> Run -> Regedit
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}.

 

 Uninstal_1.JPG
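Because the product code differs per SEP version, a batch file with one hard-coded GUID does nothing on clients running another build. The following PowerShell is an added example, not part of the original article: it performs the registry lookup described above in both Uninstall views and reports whether the installed product code matches the one the batch file expects. The function name and the display-name pattern are assumptions.

```powershell
# Added example: read-only inventory of the installed SEP MSI product code.
function Get-SepProductCode {
    [CmdletBinding()]
    param(
        # Assumption: the client registers under a display name starting like this.
        [string]$NamePattern = 'Symantec Endpoint Protection*',
        # Product code hard-coded in the article's uninstall.bat (SEP 12.1.2).
        [string]$ExpectedProductCode = '{C2103AF2-E66C-446B-9791-9207840EC821}'
    )

    # Native view plus the 32-bit view that exists on 64-bit Windows.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # MSI-installed products use the product code (a braced GUID) as the key name.
            if ($key.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or $props.DisplayName -notlike $NamePattern) { continue }

            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                DisplayName      = $props.DisplayName
                DisplayVersion   = $props.DisplayVersion
                ProductCode      = $key.PSChildName
                UninstallString  = $props.UninstallString
                # False means the batch file's GUID would not remove this client.
                MatchesBatchFile = ($key.PSChildName -eq $ExpectedProductCode)
            }
        }
    }
}

Get-SepProductCode | Format-List
```
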

Create Batch File

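@echo off

REM Silent removal (/qn) of the SEP client. The product code is the SEP 12.1.2 one from above; other versions use a different GUID.
MsiExec.exe /x {C2103AF2-E66C-446B-9791-9207840EC821} /qn

exit

Save the batch file as uninstall.bat in the AD NETLOGON folder (shared location).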

How to run Batch file Through Group Policy

1. Start -> Run -> GPMC.MSC.

2. Right click on Domain name and select create a GPO in the domain

Uninstall1_0.jpg

3. Give the GPO name (SEP uninstall)

Uninstal2.jpg

4. Edit Newly Created GPO SEP uninstall.

Uninstal3.jpg

5. Go to Computer Configuration ->Policies ->Windows Settings ->Select Script (Startup/Shutdown).

Uninstal4.jpg

6. Select Startup Script ->Add.

Uninstal5.jpg

7. Browse Batch file ( Shared Location) -> Ok.

Uninstal6.png

 

Uninstal7.jpg

8. Apply Ok.

Uninstal8.jpg

9. Select AD OU where you want to apply and  select Link an Existing GPO.

Uninstal9.jpg

10. Select GPO and OK.

Uninstal10.jpg

 

11. Restart the computer.

12. This process will take 5 to 10 min. to remove the SEP client.

Note:

  • On the SEPM side you need to remove the uninstall password.
  • I have tested this process in my testing environment successfully.
  • Please use this article first in your test environment, then apply it to your production environment.

I hope this article will be helpful to you all.

EMEA User Group Meeting - London 23 May 2013


Hi all,

 

We would like to invite you to join us at the first EMEA Compliance User Group at our Wood Street London offices on 23 May where we will be hosting a get together with our Product Management leaders and customers such as yourselves. We will be hosting this in a roundtable format, so that everyone gets an equal opportunity to learn, share and engage with other CCS customers from around the UK/EMEA.

 

Our agenda is:

10:45-11:15       Registration with Tea & Coffee
11:15-11:30       Introduction and Welcome
11:30-12:30       Introductions- ALL

12:30-13:30       Symantec Roadmap
13:30-14:30       Lunch
14:30-15:15       Customer Presentation
15:15-15:45       Coffee & Networking
15:45-17:00       Q & A and Group discussion
                             (Symantec panel for Q & A)
17:00-18:30       Drinks at local bar

Please click here to register for the meeting.

 

How to utilize SEP 12.1 for Incident Response - PART 1


The purpose of this article is to provide insight on how to use the various features within SEP 12.1 for Incident Response. This will be the first in a series of articles showing you various ways to utilize SEP 12.1 for this purpose. I make no assumptions regarding your environment so this is provided "As-is." You should always test before deploying into your production environment or at the very least, understand the consequences associated with it. Let's get started.

PROBLEM: You receive a call in the middle of the night that a virus is loose on your network. SEP 12.1 appears to only be stopping a few infected files but some still remain. The technician who first noticed the infection performed a quick analysis and sent you a file which SEP does not appear to remediate. You quickly confirm this by submitting to https://www.virustotal.com and see that Symantec does not yet have a signature for this piece of malware. You head to the office and get to work. After submitting the file to Symantec Security Response, you decide to use the "Application to Monitor" feature which is inside the Exceptions policy.

As we can see, for the purposes of this article, the undetected malicious file running on PCs is called apt.exe

7.JPG

This filename needs to be added so that it can be monitored and reported back to the SEPM any time it executes.

To add, open your Exception policy and select the Exceptions tab

2_0.JPG

 

Click Add >> Windows Exceptions >> Application to Monitor

3_0.JPG

 

The "Add an Application to Monitor" window appears and we add the filename and click "Add"

8.JPG

 

9.JPG

 

After it has been added, click OK to save to the policy. Once the clients check in and pick up the latest policy, this application will be monitored (Log Only) when it is executed and reported back to the SEPM. This can take some time depending on how often your clients are configured to heartbeat in, so bear this in mind if you don't see logs for a while. This feature works best where the heartbeat is set to a short interval (5-15 minutes) or especially if the clients are in Push mode. After we have waited for some time, we need to check our Application log to see whether the process has shown up so we can configure an action to be taken on it when it tries to execute.

Go back to your Exception policy and select the Exceptions tab again. This time, select Add >> Windows Exception >> Application

6_0.JPG

 

The "Add Application Exception" window will come up, set the View to "Watched Applications"

10.JPG

 

This view will only show applications that you specifically added to be monitored and filters out all the others that you don't need to see at this point.

Now we can select the apt.exe file and set the Action of your choice. I will set it to "Terminate"

11.JPG

 

Click OK to add to the Exception policy and you will see the new exception added using the Hash of the executable. Click OK to save to the policy

12.JPG

 

Once your clients pick up the new policy, SEP will block the file from executing

13.JPG

 

This feature is very useful in cases where SEP is not yet detecting a malicious executable. You can use it for Incident Response purposes while Symantec creates a signature. And it will stop the further spreading of malware throughout your network.

I hope this article will be helpful for you. Comments/Questions/Criticisms are welcome!

Brian
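
The monitor rule above is keyed on the file name, while the resulting exception is keyed on the hash of one executable, so it is worth confirming that every running apt.exe has the hash the exception covers. The following PowerShell (4.0 or later) is an added example, not part of the original article; the function name, the choice of SHA-256 and the placeholder hash in the usage comment are assumptions, so compare against the hash format your SEPM displays.

```powershell
# Added example: list running copies of a watched file name with their hashes.
function Get-WatchedProcessHash {
    [CmdletBinding()]
    param(
        # File name from the article's scenario.
        [string]$FileName = 'apt.exe',
        # Hashes already covered by an exception in the policy (caller supplies them).
        [string[]]$CoveredHash = @()
    )

    # Reject anything that is not a plain file name before it reaches the WQL filter.
    if ($FileName -notmatch '^[\w.\- ]+$') {
        throw "Unexpected characters in file name: $FileName"
    }

    $processes = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$FileName'"

    $processes |
        Where-Object { $_.ExecutablePath } |      # path is empty when access is denied
        Group-Object -Property ExecutablePath |
        ForEach-Object {
            $path = $_.Name
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Path         = $path
                ProcessIds   = ($_.Group | ForEach-Object { $_.ProcessId }) -join ','
                Sha256       = $hash
                # False: same name, different binary. The existing exception will not
                # terminate it, so it needs its own submission and exception.
                Covered      = ($null -ne $hash) -and ($CoveredHash -contains $hash)
            }
        }
}

# Usage (placeholder hash, replace with the value shown in the Exceptions policy):
# Get-WatchedProcessHash -FileName 'apt.exe' -CoveredHash '<SHA-256 FROM POLICY>'
```
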

Quick Start Tips for SEP Small Business Edition 2013


 

Who Should Read This?

Symantec.cloud customers who wish to set up Symantec Endpoint Protection Small Business Edition 2013 (SEP SBE 2013) as a cloud managed service.

Please note this guide is designed to provide a quick setup of SEP SBE 2013 in simple implementations. For further information or for use in more complex environments, please refer to the appropriate administration guides or contact your Symantec.cloud support or account representative.

Pre-requisites:

  • Customers should have received their provisioning confirmation email from Symantec.cloud Order Services. This will include their CMES Portal login and password.
  • Existing AV programs must be removed first, in addition to any other type of security software such as a Local Firewall, Malware-Bytes, Ad-Aware etc.  Specific details on this can be found here
  • SEP SBE 2013 requires access to the below hosts - please ensure access to these are allowed via any proxies used and/or firewall on ports 80 and 443.

 

  • hb.lifecycle.norton.com
  • www.norton.com
  • liveupdate.symantecliveupdate.com
  • ratings-wrs.symantec.com
  • stats.qalabs.symantec.com
  • shasta-rrs.symantec.com
  • sasmain.symantec.com
  • sas1alt.symantec.com
  • www.symantec.com
  • ssaw.symantec.com
  • siaw.symantec.com
  • heartbeat.s2.spn.com
  • message.s2.spn.com
  • hostedendpoint.spn.com
  • ins.spn.com
  • https://manage.symanteccloud.com
  • https://activate.symanteccloud.com
  • backup.sp1.symanteccloud.com
  • backup.sp2.symanteccloud.com
  • backup.sp3.symanteccloud.com
  • backup.sp4.symanteccloud.com
  • backup.sp5.symanteccloud.com
  • backup.sp6.symanteccloud.com
  • backup.sp7.symanteccloud.com
  • backup.sp8.symanteccloud.com
  • backup.sp9.symanteccloud.com

 

Setup Steps:

1.       Log in to the CMES portal at https://hostedendpoint.spn.com/ using supplied username and password.

2.       Select “Add Computer” from the Quick Tasks window

New Picture (1).png

 

3.       Choose the desired method for delivering the installation package: if installing on the current machine use “Install Symantec.cloud on this computer”, otherwise choose to download the distributable package or email invites to download the package. As an MSI, the downloadable file can be distributed and installed via removable media or using a policy-level roll-out.

4.       Once the install is complete, the computer can be viewed under the ‘Computers’ tab.

New Picture (2).png

5.       Click on the computer to view its history, order an immediate scan (if the PC is online) or inspect what services apply to it.

6.       By default the computer will have the default policy set to it which is appropriate for most situations. If it is desired to change this policy, use the “Add new Group” button to create a new group and assign this machine to it. Once the group is created, select the “Endpoint Protection Policy” which will be the current default policy.

New Picture (3).png

 

7.       Select “Create a New Policy” and choose the aspects of the service to apply. If the software is being installed on a server it may be appropriate to set “custom exclusions” to prevent the scanning of service folders.  Refer to the SEP SBE 2013 guide for a further explanation of each of the modules.

8.       To protect further machines repeat steps 3-8.

 

Additional Resources:  Relevant help for Symantec Endpoint Protection Small Business Edition 2013 including troubleshooting can be found here. For further information contact Symantec.cloud at support.cloud@symantec.com

Tag & Exception Tab Issue (CCS 10.50.530.20500 [PCU500])


Recently I stumbled on a tab loading issue inside the Asset view.

The main problem appeared to be the Tag tab, which was not loading as expected.

180px_Tag_and_Exception_Tab_not_Loading.jpg

First things first, I checked my logs (AppServer and SymConsole).
After a few seconds I found the related log entries.

Appserver Log was showing the following:

 

24.04.2013 06:50 24.04.2013 08:50 <appservername>Error Tagging SymConsole 2476 1 GetTagsFromObjectGuid 0 1 Error in GetTagsFromObjectGuid
24.04.2013 06:50 24.04.2013 08:50 <appservername>Error Tagging SymConsole 2476 1 Search 0 1 "System.ArgumentNullException: Value cannot be null.
Parameter name: searchFilter
at Symantec.CCS.Business.Core.BusinessBase`1.Search(String containerUniqueId
at Symantec.CSM.Business.Tagging.TagBusiness.GetTagsFromObjectGuid(IEnumerable`1 objectGuids)"
24.04.2013 06:50 24.04.2013 08:50 <appservername>Error Tag management SymConsole 2476 1 Deserialize 0 1 "Value cannot be null.
Parameter name: searchFilter"
24.04.2013 06:50 24.04.2013 08:50 <appservername>Error Symantec.Core SymConsole 2476 13 MoveNext 0 0 "RetryHelper.Call(Search) - failed [An operations error occurred.]
at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
at Symantec.CSM.Directory.LdapOperations.Search(String strObjectDN
at Symantec.CSM.Directory.Directory.<>c__DisplayClass78.<Search>b__76()
at Symantec.RetryHelper.Call[TReturnType](String retryName
24.04.2013 06:50 24.04.2013 08:50 <appservername>Warning Symantec.Core SymConsole 2476 13 Call 0 0 "RetryHelper.Call(Search) - [An operations error occurred.] : sleeping [00:00:01.4380000]
24.04.2013 06:50 24.04.2013 08:50 <appservername>Error Symantec.Core SymConsole 2476 13 MoveNext 0 0 "RetryHelper.Call(Search) - failed [An operations error occurred.]

with another 9 identical "MoveNext 0 0 "RetryHelper.Call(Search)" entries.

Console Log displayed kind of the same "stuff": 

24.04.2013 06:5524.04.2013 08:55<appservername>ErrorTaggingSymConsole2476 13GetAllTagsOfBusinessObject 00Error in GetAllTagsOfBusinessObject for: CN=011eaff2-307a-4f31-85a9-502286219090,CN=Solaris 10,CN=Solaris,CN=ESM Structure,CN=Asset System,CN=Asset Management,CN=BusinessObjects,O=Symantec
24.04.2013 06:5524.04.2013 08:55<appservername>ErrorTaggingSymConsole2476 13Call 00System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.

   at Symantec.RetryHelper.Call[TReturnType](String retryName, RetryOperation`1 retryOperation, FailureOperation failureOperation, String context)

   at Symantec.CSM.Directory.Directory.Search(String strObjectDN, String strAttributeScopeQuery, String strFilter, List`1 listAttributesToRetrieve, Int32 nItemsToReturn)

   at Symantec.CCS.Business.Core.BusinessBase`1.Search(String strObjectDN, String strAttributeScopeQuery, String strFilter, List`1 listAttributesToRetrieve, Int32 nItemsToReturn)

   at Symantec.CSM.Business.Tagging.TagBusiness.GetAllTagsOfBusinessObject(String businessObjectDn, List`1 attributesToRetrieve, DataSet& tags)

24.04.2013 06:5524.04.2013 08:55<appservername>ErrorAssetsSymConsole2476 13Load 00Exception has been thrown by the target of an invocation.

 

24.04.2013 08:0724.04.2013 10:07<appservername>ErrorSymantec.CoreSymConsole2476 15MoveNext 00RetryHelper.Call(Search) - failed [An operations error occurred.], context [Directory], stop retry flag [False], failed retry counter [0 of 10] : System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.

   at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()

   at Symantec.CSM.Directory.LdapOperations.Search(String strObjectDN, Boolean bSearchSubtree, String strAttributeScopeQuery, String strFilter, List`1 listAttributesToRetrieve, Int32 nItemsToReturn)

   at Symantec.CSM.Directory.Directory.<>c__DisplayClass78.<Search>b__76()

   at Symantec.RetryHelper.Call[TReturnType](String retryName, RetryOperation`1 retryOperation, FailureOperation failureOperation, String context)

 

Apparently you can see the "root of all evil":

Error in GetAllTagsOfBusinessObject for: CN=011eaff2-307a-4f31-85a9-502286219090,CN=Solaris 10,CN=Solaris,CN=ESM Structure,CN=Asset System,CN=Asset Management,CN=BusinessObjects,O=Symantec

GetAllTagsOfBusinessObject. Okay, Let me check.

#IMPORTANT NOTE
#(Symantec does not recommend browsing inside ADAM, please make sure you know what you're doing. I don't take any responsibility)
#END NOTE

After a few browses inside ADAM I found the attribute "symc-csm-BusinessObject-Tag".
It was showing something like the following:

CN=ddcc0269-20c8-4108-ba49-afbf443079e8\0ADEL:24b1fd12-b70c-47e5-9231-cd550f86e926,CN=Deleted Objects,O=Symantec

Since I know that there never existed a "CN=Deleted Objects" container, I obviously found the dirty vermin. A CN called CN=ddcc0269-20c8-4108-ba49-afbf443079e8\0ADEL:24b1fd12-b70c-47e5-9231-cd550f86e926 also never existed. At the moment I don't know what caused the issue. Maybe Symantec Support will puzzle it out (Case#: 04196190).

Anyway. My problem was solved by setting the value to "<not set>". As you can imagine, I scripted all the work for my nearly 2000 Unix assets.
Luckily I didn't set very many tags on the assets until now. Or even if I had set more of them - it was done by recon rules - no worries at my site.

A few lines of code made my day. Contact me for further help. I'm not posting the "full" script out of respect for Symantec Support.

# "enlightened" is a placeholder as posted; the real OS names and ADAM path are not given.
$OSs = @( "enlightened" )
$OSs | ForEach-Object {
    $OS = "$_"
    $ConnectString = [adsi]"enlightened"
    # Match only ESM agent asset objects.
    $strFilter = "(ObjectClass=symc-csm-AssetSystem-Asset-ESM-Agent)"

    # Pass the filter as-is; it is already wrapped in parentheses.
    $objSearcher = New-Object adsisearcher($ConnectString, $strFilter)
    $objSearcher.SearchScope = "OneLevel"
    $objSearcher.SearchRoot = $ConnectString
    $objSearcher.PropertiesToLoad.Clear()
    $objSearcher.PropertiesToLoad.AddRange(('CN', 'symc-csm-BusinessObject-Tag'))

    $SearchResult = $objSearcher.FindAll()

    $SearchResult | ForEach-Object {
        $Asset = [ADSI]$_.GetDirectoryEntry()
        # Print the current tag value so the run leaves a record of what was there.
        $Asset."symc-csm-BusinessObject-Tag"
        $tmpString = $Asset."symc-csm-BusinessObject-Tag".ToString()
        # Clear only values that point into the "CN=Deleted Objects" container.
        if ( $tmpString.Contains("CN=Deleted Objects") ) {
            $Asset."symc-csm-BusinessObject-Tag".Value = $null
            $Asset.CommitChanges()
        }
    }
}


Simplify Your Relationship with Endpoint Security


Hello,

Complicated is the word that best describes the modern world of the IT manager. IT managers in small or medium sized businesses (SMBs) face a particularly challenging environment where the demands of the organization are high and resources are limited. Security is becoming a major part of the IT manager’s job and delivering adequate security for any organization is more challenging than ever due to the changing threat landscape, increased mobility of end users and the costs required to implement in-depth security.

The endpoint is the last mile for the organization. In many cases it is the last line of defense against threats and the majority of companies have an endpoint solution in place. However, the challenges around effectively securing and managing the endpoint are significant and go far beyond simply picking a specific product from a vendor. Administrators have to ensure consistency, constant updates and protection for employees both inside and outside the corporate network.

This paper will address some of the key reasons why managing endpoint security is so complex. The current threat landscape, the sophistication of attacks and other pressures facing administrators today are some of the reasons that contribute to this complexity that in many cases can endanger the organization.

It will then provide an introduction as to why a hosted endpoint solution is the answer to this complex relationship and finally, it will introduce Symantec Endpoint Protection.cloud, a solution that can help transform this relationship status from “it’s complicated” to “happily ever after”.

more in attached Whitepaper....

 

SMG 10 - Enabling and using the new Antispam policies


In the 18th edition of the ISTR (Internet Security Threat Report), published in April 2013, Symantec's teams and labs found that the spam detection rate has fallen for the second consecutive year:

  • In 2011, 75% of messages were spam.
  • In 2012 this volume fell to 69%.

These messages still represent a large quantity of unwanted mail, and filtering them remains a real problem for companies of all sizes.

Symantec Messaging Gateway obtained VB SPAM certification for the 20th consecutive time. In March 2013, it won the VBSpam+ award with an average detection rate of more than 99% and a false-positive rate below 0.02%.

Since 2011 and version 9.5 of Symantec Messaging Gateway (formerly Brightmail), new AntiSpam detection policies had been put in place to improve filtering granularity and meet new email filtering requirements.

Indeed, that version already made it possible to enable the following three detection policies:

  • Newsletter detection
  • Detection of marketing messages
  • Detection of messages containing suspicious URLs

Version 10 continues to improve the antispam detection rate by making detections specific to each customer. Symantec Messaging Gateway appliances can now create and receive AntiSpam updates that are dedicated to your environment and that come directly from the submissions you have made to Security Response.

This version also makes it possible to track these submissions to Symantec and to know precisely what happened to each one, that is, the version and signature number with which the message will then be detected as spam or no longer as spam (it is indeed also possible to submit false negatives).

All the new features of version 10 are available in this document: http://www.symantec.com/docs/DOC5801

Below are the steps to enable and benefit from this feature:

1- To use the Customer Specific Submissions rule, you must first enable this feature and register your appliance or virtual appliance so that it receives these new rules directly from Symantec.

Go to the SPAM menu, then "Paramètres" (Settings), and finally click “Paramètres d'émission” (Submission settings), as in the image below:

 1.jpg

Your appliance will then receive an ID that identifies it.

2- Once this new feature is selected, you must accept the terms of the privacy policy to confirm its activation.

3- Registration of your appliance is in progress ... A message will confirm that the operation succeeded.

2.jpg  

4- Once this new feature is enabled and your appliance is registered, you can now enable and use this new AntiSpam policy.

5- Before using this policy, you must now specify who has the privilege to submit messages. There are two ways to identify them:

  • By default, only administrators and defined users will have access.
  • Or, with the second option, all users will be able to submit messages to Symantec except the users specified in the list.

In the same menu, go to the second tab, "Liste des emetteurs" (Submitters list).

6- Before submitting a message, go to the SPAM menu to define the quarantine action for when a message is intercepted by this rule.

By default you will see 4 actions for this rule:

  • Add a tag to the subject
  • Delete the message
  • Quarantine the message
  • Deliver the message normally

 3.jpg

7- Enable the policy and apply it.

9- Now that the feature is enabled, messages can be submitted.

There are 3 different and complementary ways to submit messages:

  • You can upload a message manually from the administration interface: go to “SPAM / Emissions / Emettre des messages" (Spam / Submissions / Submit messages)

 4.jpg

  • You can use the incident management quarantine to submit messages directly with the “Ceci est un spam” (This is spam) or “Non-spam” (Not spam) buttons
  • Finally, you can also use the “Ceci est un spam” or “Non-spam” buttons from the spam quarantine

 5.jpg

10- When a submission is sent, you must then confirm sending it to Symantec's labs.

11- A message will appear to confirm that the operation succeeded.

12- Finally, you can now view the status of these submissions. Go to "Etat / Emissions / Détails de l'émission" (Status / Submissions / Submission details):

 6.jpg

13- You can use the available filters to find your submission more quickly and access its details.

7_0.jpg

14- When you click a submission, you get access to its history, which shows what happened to it and how it was processed in Symantec's labs. You can then see from what point in time and with which signature version the submission was taken into account on your appliance.

 

 

 


Desktop as a Service (DaaS) with VMware and Symantec


Hello,

CIOs are under increasing pressure to reduce desktop and application management costs while providing seamless and secure access to corporate resources across an array of user devices. They also realize that increased regulatory requirements coupled with a rising trend of sophisticated security threats demand new approaches to desktop delivery and management.

This white paper, presented by Symantec™ and VMware®, outlines desktop and application management challenges and ways to address them through a secure, scalable, hosted virtual desktop solution: desktop as a service (DaaS). This paper explains how service providers can deliver a truly differentiated hosted virtual desktop experience through a combination of Symantec and VMware technologies and best practices. It also discusses what drives adoption of DaaS, describes its key elements, and explains how it benefits both IT and end users.

 
Symantec_Vmware.JPG
 
 
more in attached Whitepaper....

Indexing remote SharePoint documents using WebDAV


With Symantec Data Loss Prevention version 11.x, you can index documents stored on a remote SharePoint server using WebDAV.

WebDAV (Web-based Distributed Authoring and Versioning) is a standard that provides extensions to the HTTP 1.1 protocol, allowing users to collaboratively edit and manage files on remote Web servers. Microsoft IIS deployments that host SharePoint instances can be enabled to accept WebDAV connections from Web clients.

Once you have enabled WebDAV for SharePoint, you can use the "Remote SMB Share" option available during IDM index configuration to index the remote documents. Symantec Data Loss Prevention supports remote IDM indexing using WebDAV for SharePoint 2007 and SharePoint 2010 instances.

Here are the steps to implement remote indexing of SharePoint documents using WebDAV:

1. Install 'WebDAV Publishing' for IIS role:

IDM_SharePoint_01.png

2. Launch IIS Manager, select the SharePoint site --> WebDAV Authoring Rules, click 'Open Feature' under Actions list:

IDM_SharePoint_02_1.png

3. Click 'Enable WebDAV' under Actions list:

IDM_SharePoint_02_2.png

4. From the server where the Enforce Server is installed, install the Desktop Experience feature:

IDM_SharePoint_03.png

5. Enable and Start WebClient service:

IDM_SharePoint_04.png

6. Launch browser to access the SharePoint:

IDM_SharePoint_05.png

7. Locate the documents that need to be indexed:

IDM_SharePoint_06.png

8. Select 'Library Tools' --> 'Library', click 'Open with Explorer':

IDM_SharePoint_07.png

9. Find the UNC path of the documents:

IDM_SharePoint_08.png

10. Launch browser to log into Enforce, select 'Manage' --> 'Data Profiles' --> 'Indexed Documents':

IDM_SharePoint_09.png

11. Select 'Use Remote SMB Share', input the UNC path of the shared documents, and the credential to scan the documents:

IDM_SharePoint_10.png

Then, you can create a policy to protect these shared documents on the SharePoint server.

Notes:

If you cannot connect the Enforce Server computer to the SharePoint Server computer after enabling WebDAV, make sure that you have started the WebClient service on the Enforce Server computer. You must start this service and test the WebDAV connection before you configure IDM indexing.

If you plan to re-index SharePoint documents periodically as they are updated, it may be useful to map the remote network resource to the local computer where the Enforce Server is installed.
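
The first note above asks for the WebClient service to be started and the WebDAV connection tested before IDM indexing is configured. The following PowerShell (3.0 or later) is an added example, not part of the original article, that performs that check on the Enforce Server computer without changing anything. The function name and the UNC path in the usage comment are assumptions, and the check runs as the logged-on user rather than with the scan credential entered in Enforce.

```powershell
# Added example: read-only pre-flight check before configuring 'Use Remote SMB Share'.
function Test-WebDavIndexingPrereq {
    [CmdletBinding()]
    param(
        # UNC path of the document library, as found via 'Open with Explorer'.
        [Parameter(Mandatory = $true)]
        [string]$UncPath
    )

    $result = [ordered]@{
        UncPath            = $UncPath
        WebClientInstalled = $false
        WebClientStatus    = $null
        WebClientStartMode = $null
        PathReachable      = $null   # stays $null when the path test was skipped
        FileCount          = $null
    }

    # The WebClient service is the WebDAV redirector; it is absent until the
    # Desktop Experience feature has been installed on a server OS.
    $service = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if ($service) {
        $result.WebClientInstalled = $true
        $result.WebClientStatus    = $service.Status.ToString()
        $result.WebClientStartMode =
            (Get-CimInstance -ClassName Win32_Service -Filter "Name = 'WebClient'").StartMode
    }

    # Only test the path when the service is already running, so the result
    # reflects the state the indexer will actually see.
    if ($result.WebClientStatus -eq 'Running') {
        $result.PathReachable = Test-Path -LiteralPath $UncPath
        if ($result.PathReachable) {
            $files = @(Get-ChildItem -LiteralPath $UncPath -File -ErrorAction SilentlyContinue)
            $result.FileCount = $files.Count
        }
    }

    [pscustomobject]$result
}

# Usage (placeholder server and library names):
# Test-WebDavIndexingPrereq -UncPath '\\sharepoint.example.local\DavWWWRoot\Shared Documents'
```
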

"How to..." Series for Symantec Endpoint Protection - Part 1


Hello,

Here are a few popular "How to..." guides which should be of assistance to Symantec Endpoint Protection users.

Series 1 contains the following "How to..."

1) HOW to Enable the Risk Tracer in Symantec Endpoint Protection Manager.

2) HOW to Auto-Upgrade the SEP clients.

3) HOW to Enable Liveupdate on the SEP clients 

4) How to Enable Unmanaged Detector in SEP 12.1

 

=============================================================================================================

 

1) HOW to..... Enable the Risk Tracer in Symantec Endpoint Protection Manager.

1)      Log in to the SEPM console

2)      Go to Policies >> Virus and Spyware Policy >> Edit the Virus and Spyware Policies

3)      Go to “Auto-Protect” and then Advanced

4)      Under Advanced, click on Risk Tracer

5)      Enable Risk Tracer

This option finds the “Source Computers” in the network that are infected and attacking other internal computers, so that we can work on those computers.

Risk Tracer.JPG

 

Articles:

What is Risk Tracer?

http://www.symantec.com/docs/TECH102539

About Risk Tracer

http://www.symantec.com/docs/HOWTO27137

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH94526

=============================================================================================================

 

2) HOW to..... Auto-Upgrade the SEP clients.

 

1) Login into SEPM

2) Go to Admin

3) Select  “Client install Settings”

4) In Tasks – Select “ Add Client install Settings”

5) Type the Name As :  SEP 12.1 RU2 Upgrade

6) Select an Installation type : SILENT

7) Upgrade Settings : Select Remove all previous logs and policies, and reset client-server communication settings.

8) Click Ok

Autoupgrade1.JPG

 

9)  Go to Clients Tab

10) Select the Clients Group to which you want to upgrade to SEP 12.1 RU2

11) Go to “install Packages” Tab at the Top

12) In Tasks Select : Add a Client Install Package

Autoupgrade2.JPG

 

13) In the Add Client install Package – Select the Latest Client Package SEP 12.1 RU2 WIN32BIT

14) In Install Settings : Select the “SEP 12.1 RU2 Upgrade” settings that we created initially

Autoupgrade3.JPG

15) Click Ok

16) Repeat Step ( 13 ) and add WIN64BIT package

In the Add Client install Package – Select the Latest Client Package SEP 12.1 RU2 WIN64BIT

Now that we have added the SEP 12.1 RU2 client package to the Clients group, let's monitor the status of the clients, as they should now automatically upgrade to SEP 12.1 RU2.

 

Articles:

Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection 11.x

http://www.symantec.com/docs/HOWTO17911

Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/HOWTO80780

Upgrade clients to SEP 12.1 by Auto upgrade feature

https://www-secure.symantec.com/connect/articles/upgrade-clients-sep-121-auto-upgrade-feature

VIDEO - Upgrade clients to SEP 12.1 using Auto upgrade feature

=============================================================================================================

 

3) HOW to..... Enable Liveupdate on the SEP clients ?

1)      Login into the Symantec Endpoint Protection Manager Console

2)      Edit the Liveupdate Policy

Liveupdate1.JPG

 

3)      Check the box next to : Use a Liveupdate Server

Liveupdate2.JPG

 

4)      Enable – Allow users to manually launch LiveUpdate

Liveupdate3.JPG

5)      Click OK and update the Policy on the SEP clients.

6)      Liveupdate Option will be enabled on the SEP client after the Policy is updated.

 

Articles:

How to allow Symantec Endpoint Protection (SEP) users to run LiveUpdate manually

http://www.symantec.com/docs/TECH105653

Symantec Endpoint Protection Manager 11.x - LiveUpdate - Policies explained

http://www.symantec.com/docs/TECH104435

Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained

http://www.symantec.com/docs/TECH178257

 

=============================================================================================================

 

4) How to ...... Enable Unmanaged Detector in SEP 12.1

1)      Login into SEPM Console

2)      Go to Clients Tab

3)      Select one of the client machines that you would like to make an “Unmanaged Detector”

4)      Right click on the client and Click on “Enable as Unmanaged Detector”

UnManagedDetector1.JPG

 

5)      Navigate to Monitors Tab

6)      Go to Notifications – Notification Conditions

UnManagedDetector2.JPG

 

 

7)      Add “Unmanaged computers”

UnManagedDetector3.JPG

 

8)      Configure the Notification Condition (Unmanaged Conditions)

UnManagedDetector4.JPG

 

 

Articles:

Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

http://www.symantec.com/docs/TECH104340

Configuring a client to detect unknown devices

http://www.symantec.com/docs/HOWTO27421

What does it mean to set a client as an Unmanaged Detector?

http://www.symantec.com/docs/TECH105722

 

=============================================================================================================

About Windows Mobile in Symantec Mobile Security 7.2


The Story So Far...

This is the third in an informal series of illustrated articles about how admins (and end users) can best protect their mobile endpoints using Symantec Mobile Security 7.2. (This is a cool Enterprise product aimed at corporate networks, rather than a company that just has a few Androids or Windows Mobile devices that need protecting.) The two earlier articles:

  1. Illustrated Guide to Installing Symantec Mobile Security 7.2: how is the management server (Symantec Management Platform) of SMS 7.2 installed, and what does its interface look like? 
  2. Getting to Know the Symantec Mobile Security 7.2 Client: what does SMS 7.2 look like on an Android phone or tablet?  How to view its activities, launch an update, know when it is trying to alert you to danger.... 

This article will cover how SMS 7.2 protects Windows Mobile devices (phones, PDA's, various Point-Of-Sale equipment) and how to administer them from the server console.

 

Windows What?

Though it may have a small market share of today's cell phone market, Microsoft has been in the mobile game since the beginning.  They have offered Pocket PC, Windows CE (Compact Edition) and many other cool products for PDA's and cell phones that have evolved over the years.  Symantec Mobile Security 7.2 (like the older Symantec Endpoint Protection Mobile Edition 6) can work with the older WM versions that are built on Windows CE.  That is, Windows Mobile 5, 6.0, 6.1 and 6.5.

Operating Systems Support for Symantec Mobile Security Products
Article URL http://www.symantec.com/docs/TECH102048

The newer Windows Phone 7 and Windows Phone 8 are built from a completely different code base- they are somewhat similar in name, but that is about it.  The SMS 7.2 client software will not install on them. 

Here’s Symantec's public KBs on the subject:

Symantec AntiVirus Product for Windows Phone 7 Platform
Article URL http://www.symantec.com/docs/TECH145141

Those who would be interested in an Enterprise product for this platform can cast a vote for the following Connect Forum Idea (enhancement request): Symantec Endpoint Protection Mobile Edition for Windows Phone 7

 

Windows Why?

Though viruses and exploits against WM are not as popular these days as threats written for Android, there are still plenty of ways to attack Windows Mobile (and POS devices that use it!).  See the article How to Secure Your Mobile Point of Sale Devices and remember: embedded devices, PDA's and mobiles are powerful enough to do a lot of damage, and often serve as an unprotected "back door" into networks that focus all their defenses on traditional servers and desktops.  Ensure they are protected!

scan_wm.jpg

 

What does SMS 7.2 Do on Windows Mobile?

The SMS 7.2 client is different on Windows Mobile than it is on Android.  On Android, there's malware protection, web protection, anti-theft features and so on.  On Windows Mobile, there are three main components:

  1. AntiVirus: scans for malware.  SMS 7.2 on WM features Auto-Protect technology, scheduled scans, and manual scans. 
  2. Firewall: blocks unwanted network connections
  3. Mobile Security Agent: keeps the client in touch with its server.

wm_three.jpg

 

There are some other features, too (like AntiSpam for text messages and a File Access Log).  Full details on the protection and features can be found in Section 3, Securing Windows Mobile devices, of the Symantec Mobile Security 7.2 MR1 Implementation Guide

 

Installing SMS 7.2 on Windows Mobile

Installation on the Windows Mobile device is pretty straightforward.  There's a .cab file  ("Symantec Mobile Security 7.2 Windows Mobile 6.0/6.1/6.5 Agent (.zip)") which needs to be copied to the device.  This can be downloaded from the device's browser, emailed to the device, copied manually or sent over by the customer's Mobile Device Manager software, if they have a MDM managing the devices. Once it is on the device, a simple click will start the install process...

reboot_wm.jpg

Note that there will be a reboot needed in order for the firewall to work correctly. 

One cool trick is that the SMS client software can be installed on Windows Mobile silently (that is, without showing the end user screens like the one pictured above).  Details can be found in the following article:

How to Install and Uninstall Symantec Mobile Security 7.2 Silently on a Windows Mobile device
Article URL http://www.symantec.com/docs/TECH206648 
 

 

One Common Issue

When the SMS 7.2 client is installed on the Windows Mobile device, it is initially "unmanaged."  In order to know which server to connect to and receive policies from, there is a file called AgentInstallConfig.xml which must be exported from the SMP and dropped into the device's \My Documents\ directory.  (Once it is copied there, it will be immediately processed by SMS 7.2 and will disappear.)

The AgentInstallConfig file is exported from the Mobile Security Agent Policy page of the SMP.

create_agent_installation_file.png

In case there are any failures to register and communicate, ensure that Windows Mobile's wifi is switched on and then check out the advice in the following article.

Error Messages Displayed When Attempting to Deploy the Initial Configuration Files to Windows Mobile Devices Running Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH96607 
 

After that, there should be a "Healthy Connection" to the server.  The client will download and apply new policies, upload logs and inventory, and appear in the server's management console.

healthy_connection.jpg

 

OK, Windows Mobile: Here's What to Do....

The policies which configure Windows Mobile devices are not as prominently featured as the policies for Androids.  In the Symantec Management Console, go to Manage > Policies > Mobile Security > Windows and choose the policy desired.

Here are illustrated instructions on how to direct the Windows Mobile device to look for new LiveUpdate definitions from an internal server, rather than the Internet LU source servers:

Updating Windows Mobile Devices from an Internal LiveUpdate Administrator 2.x Server
Article URL http://www.symantec.com/docs/TECH159934

In case any difficulty is encountered getting those policies applied to the Windows Mobile devices, the following article provides some important tips....

Applying Policies Configured for Windows Mobile Devices in Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH201752 
 

 

Life of Pie

Want to know how those Windows Mobiles are doing? The Windows Mobile reports on the SMP can be found under Reports > Mobile Security > Windows.

Here's an example Infected Status Summary Report for Windows Mobile Devices:

wm_infected_summary.png

 

Here is the LiveUpdate Status Summary Report:

lu_status_summary.png

Not all of the reports are pie charts.  Here's an example Security Infections & Breaches Report:

wm_security_events.png

There's a similar Threat Details report under All Mobile Devices- one of the few reports where data from Androids and Windows Mobiles is listed side-by-side.

both_security_events.png

 

If all you are looking for is a list of the managed Windows Mobile devices, click on Device Information.  Right-clicking on the entries will allow you to take a closer look with Resource Manager.  It's possible to View Inventory and View Events from that page, getting detailed information on the activities of that device.

listed_wm_devices.png

 

 

In Conclusion.... 

Many thanks for reading!

Please do leave comments below to provide feedback on how your Windows Mobile devices function with SMS 7.2, and highlight any tips you have discovered that other admins may find useful.

SCSP policy update after an agent upgrade


Symantec provides upgrades and enhancements for SCSP agents at the majority of major and minor releases. With these updates come enhancements and changes to the default policies supported by that agent and the management server.

It is often the case that SCSP policies are configured to cater for specific, bespoke applications. If these policies are based on existing base policies, we can upgrade them using the newer and improved base policies. This can enhance policy features whilst maintaining previously configured options.

This process demonstrates how to maintain all existing settings, whilst updating the policy to include any enhancements or changes made during a version upgrade. The process is simple and allows room for error.

In this particular example I will use version 5.2.8 and upgrade to version 5.2.9.

Attached is a PDF that details the process for updating SCSP policies after servers, consoles and agents are updated. Please refer to the PDF for full instructions.

Downloading Current Latest Products from Symantec Fileconnect (Symantec flexnetoperations)


Hello,

Here are the steps on how to download Current Latest Products from Symantec Flexnetoperations (earlier Symantec Fileconnect).

Before you begin, you need to get your serial number from our Customer Care team or by accessing https://licensing.symantec.com

If you have the correct Serial number, follow these steps:

1 - Access the Symantec Flexnetoperations website (previously Symantec Fileconnect)

https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

Fileconnect0.JPG

 

2 - If you want to change the language of the site, choose it here.

 

Fileconnect0_1.JPG

3 - Enter your serial number and click the "Submit Serial Number" button.

4 - Choose the language of the product that you will download.

Fileconnect0_2.JPG

 

5 - Please read the following agreement and select I Agree at the bottom before downloading your software.

Fileconnect0_3.JPG

 

6 - Select the file(s) to download and click on the "Download Selected Files" button.

 

Fileconnect0_4.JPG

 

NOTE: The Download Manager on the Symantec Fileconnect site (https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken) requires Java. If Java is not installed for the browser you are using, the site will redirect to the Java website for download.

 

Picture0001_12.jpg

 

The Download Manager assists you when downloading single or multiple files at the same time. This method allows you to select as many files as you wish, begin the download, and go on to other areas of business. The process requires that a Java Applet be installed on your machine to manage the download process, so that when one file completes its download, the next in the queue is initiated. It also allows for the use of the "Resume Downloads" feature on the web site. We recommend using the latest version of the Java Runtime Environment (JRE), as there may be a bug, documented on the Sun site, between Verisign certificates and certain other versions of the JRE. This bug will still allow the download, but a warning will appear stating that it is not a trusted source.

7 - To use the HTTPS feature, click on the "Expand All" link, which exposes it.

Fileconnect1.JPG

 

Fileconnect2.JPG

 

8 - Install the Java version.

Fileconnect0_5.JPG

 

Fileconnect0_6.JPG

 

Fileconnect0_7.JPG

 

9 - Select the path where you need to save the selected Symantec File (s).

Fileconnect0_8.JPG

 

10 - The download will start and, once completed, the file will be saved to the path provided.

 

Fileconnect0_9.JPG

 

If you need further assistance, please contact the Symantec Technical Support Team.

FAQ - 

What is ESD (Electronic Software Delivery)?

ESD or Electronic Software Delivery is a software delivery method that allows for easy and secure download access. ESD provides immediate web-based access to your software, and simplifies much of the complexity inherent in the business software lifecycle.

 

... About Downloading Products

 

What is included in the file that I download?

Description of each downloadable file is listed on the Product Information Page. In most cases, the file that you download is actually made up of several files "zipped" together and contains everything that you would require from a CD-ROM, including documentation.

 

What do I do if I cannot find my product on the Product Download page?

It is possible that the software is listed under a different name than you expected or that it is associated to a different serial number. If you still cannot find it, contact Support.

 

Where can I find my serial number?

You can find your serial number on the License Certificate you received with your initial purchase or on your Version Upgrade notification.  Symantec Vouchers require registration via the Licensing Portal in order to receive a serial number.  For eFlex site license customers, your serial number will be located on your License Email Confirmation sent to you by the Licensing Portal.  If you need help locating your serial number, please contact Support.

 

Where can I get older versions of the software?

You will receive access to the most recent version of the software at the time of purchase.  If you are current on maintenance/support on the license, you will have access to upgrades to which you are entitled via your Version Upgrade serial number.  Versions older than what you purchased may not be available.  Refer to Symantec's End of Life Policy for more information on the availability of previous product versions.  For more information, please contact Support.

 

Can large files be downloaded internationally?

Yes. FileConnect connects directly with multiple global internet service providers (ISP's) and we are able to provide quick access to major hubs worldwide. FileConnect's load balancing technology automatically selects the best provider; maximizing download throughput so the customers receive downloads through the fastest route possible.

 

Why is the byte count on the file I downloaded different than the listed size?

The file size listed is in bytes, while your system may list files in either kilobytes (KB) or megabytes (MB) which are not exactly one thousand and one million bytes respectively. If the downloaded file is substantially smaller than the listed size, it is possible that the download did not complete successfully.  In this case, try the download again.  If the problem persists, contact Support.

 

Why won't my .zip file unzip?

If you receive an error (e.g., not valid file format, or end of central directory not found) when trying to unzip your download, it typically means that you do not have a complete download. Please compare the file size listed on the Product Download page to what you have on your system.

 

What if my download doesn't complete?

For a complete download start the download again. If you have any problems, contact Support.

 

How long will my download take?

The download time depends on the size of the file, the speed of your connection, and the amount of traffic on the Internet. For approximate times, check the Estimated Times and Details of the file on the Product Download page.

 

Displaying SEP and DLP Data on the Same Dashboard in IT Analytics


This example will discuss how to combine SEP and DLP data within IT Analytics by leveraging Microsoft Report Builder to create and publish a SQL Server Reporting Services report. For the purposes of this exercise, we will modify an out-of-the-box SEP dashboard to conveniently display DLP information all on one report.

Modifying a Default Dashboard 

  1. Within the Symantec Management Platform console, navigate to: Settings > Notification Server > IT Analytics, then click on Reports in the left menu tree.
  2. Click the Report Builder tab and then the Launch Report Builder button. 
  3. Allow a few minutes for the application to load. Note that depending on which version of SQL Server you have, you may have a different version of Report Builder. This example covers Report Builder 3.0, which comes standard with SQL Server 2008 SP2 or higher. Note that while SQL Server 2005 meets the minimum prerequisites for installation of IT Analytics, it will only include Report Builder 1.0. If possible, Symantec strongly recommends using SQL Server 2008 SP2 or higher to take advantage of new features included in Report Builder 3.0 for a more robust custom report authoring experience. 
  4. From the Getting Started screen, select Open to load an existing report.

article26-1.gif

  5. Within the IT Analytics folder on your Report Server, open the Symantec Endpoint Protection Client Dashboard.

article26-2_0.gif

  6. IMPORTANT: To prevent overwriting the out-of-the-box report with any edits, make sure to save this report with a different name. To clone this report, click the Report Builder icon in the upper left and then click Save As. Give the report an appropriate name, such as SEP and DLP Admin Dashboard.
  7. Once the report has been resaved under a different name, click on the pie chart in the lower left corner and press the Delete key to remove this chart from the dashboard. Delete the pie chart in the lower right as well. You should now have only the top two charts on the canvas. This will leave room for the two DLP charts we will add.

article26-5_0.gif

  8. We will now need to create a dataset for the first chart to be added. A dataset includes the desired fields and values to populate the report. To create a dataset, right-click on the Dataset folder in the Report Data pane on the left and choose Add Dataset.

article26-6_0.gif

  9. For the first chart in this example, we will pull in a breakdown of the DLP agent version, so rename the new dataset DLPAgent, then select Use a dataset embedded in my report. Under the Data Source dropdown menu, make sure IT Analytics is selected and then click the Query Designer button.

article26-7_0.gif

  10. Click the cube selector in the upper left part of the Query Designer.
  11. Select DLP Agent Status Cube from the Cube Selection window.

article26-8_0.gif

  12. In the Metadata pane of the Query Designer window, expand Measures > Agents.

article26-9_0.gif

  13. Drag the Agents Count measure to the query pane.

article26-10_0.gif

  14. Expand the DLP Agent dimension and then drag and drop the Agent - Version attribute to the query pane.

article26-11_0.gif

  15. Click OK in the Query Designer window and the Dataset Properties window to go back to the main report builder.
  16. Click on Insert in the report builder menu and select Chart and Chart Wizard.

article26-12_0.gif

  17. In the New Chart window, select the DLPAgent dataset we previously created and click Next. Note that the other datasets listed there belong to the other charts on the dashboard, which were already created in the original report.

article26-13_0.gif

  18. Select Pie under Chart Type and click Next.

article26-14_0.gif

  19. From Available fields, drag Agent___Version to the Series pane and Agents_Count to the Values pane and click Next.

article26-15_0.gif

  20. Select Generic under the Styles pane and click Finish.

article26-16_0.gif

  21. Click the directional arrows icon and drag the chart down to the lower left portion of the canvas, then click on the edges of the chart to resize to similar height and width as the other charts.

article26-17_0.gif

  22. Right-click on the box around the chart and select Chart Properties. Under General properties, in the Color palette dropdown, select Pastel.

article26-18_0.gif

  23. Click the Border properties on the left, then choose the Dotted style and Silver for color, then click the Outline preset. Click OK to close the Chart Properties window.

article26-19_0.gif

  24. Right-click on the actual pie chart itself and select 3D Effects. In the 3D Options section, make sure the Enable 3D box is checked, then click OK.

article26-20_0.gif

  25. Right-click on the Chart Title and select Title Properties. Under the Title text section, rename the chart DLP Agent Version and click OK.

article26-21.gif

  26. Right-click on the legend and select Legend Properties. Under the Legend position section, click the radio button at the bottom (6-o’clock) position, then click OK.

article26-22.gif

  27. Highlight the <<Expr>> text at the top of the dashboard and replace it with the new title: SEP and DLP Admin Dashboard.
  28. Preview the report by clicking the Run button in the upper left hand portion of the toolbar.
  29. Verify that the pie chart you just added displays as expected.

article26-23.gif

  30. Select the Design button in the toolbar to go back to the Design view.
  31. We will now need to create another dataset for the next chart to be added. To create a dataset, right-click on the Dataset folder in the Report Data pane on the left and choose Add Dataset.
  32. Rename the new dataset DLPIncidents, then select Use a dataset embedded in my report. Under the Data Source dropdown menu, make sure IT Analytics is selected and then click the Query Designer button.

article26-24.gif

  33. Click the cube selector in the upper left part of the Query Designer.
  34. Select DLP Endpoint Incident Summary Cube from the Cube Selection window.

article26-25.gif

  35. In the Metadata pane of the Query Designer window, expand Measures > Incidents.

article26-26.gif

  36. Drag the Agents Count measure to the query pane.

article26-27.gif

  37. Expand the DLP Endpoint Incident dimension and then drag and drop the Endpoint Incident – User Name attribute to the query pane.

article26-28.gif

  38. Click OK in the Query Designer window and the Dataset Properties window to go back to the main report builder.
  39. Click on Insert in the Report Builder toolbar and select Chart and Chart Wizard.
  40. In the New Chart window, select the DLPIncidents dataset we previously created and click Next.

article26-29.gif

  41. Select Pie under Chart Type and click Next.
  42. From Available fields, drag Endpoint_Incident___User_Name to the Series pane and Incident_Count to the Values pane and click Next.

article26-30.gif

  43. Select Generic under the Styles pane and click Finish.
  44. Click the directional arrows icon and drag the chart down to the lower left portion of the canvas, then click on the edges of the chart to resize to similar height and width as the other charts.

article26-31.gif

  45. Repeat Steps 22 - 26 from above to achieve the same look and feel that matches the other pie charts. Name the new chart Top Users Triggering DLP Incidents.

article26-32.gif

  46. To filter the number of users to just the top 5, right-click on the edge of the chart and go back into Chart Properties, then click on Filters. Click the Add button to add a new filter, then under the Expression dropdown select [Incident_Count]. For the Operator dropdown, select Top N. Finally, in the Value text box, type 5. Click OK to close the chart properties window.

article26-33.gif

  47. Click the Run button again to view the dashboard with live data.
  48. Verify that only 5 values display for the top users pie chart.

article26-34.gif

  49. Go back into Design mode and click the Save button to finalize the dashboard.
  50. To link this report into the Symantec Management Platform console, open the console, then navigate to the Reports > IT Analytics > Reports folder.
  51. Right-click on the Dashboards folder and select New > IT Analytics Report.

article26-35.gif

  52. In the Report Type dropdown box, select Dashboard and then in the Report Name dropdown select the SEP and DLP Admin Dashboard report. Then click the Add Report button.

article26-36.gif

  53. You should see a message saying that the report was added successfully.
  54. Refresh your browser and expand the Dashboards folder.
  55. Locate and select the report you just added and verify it displays as expected.

article26-37.gif


SEP client Enterprise Edition Step by Step Install Process

Whitepaper - Simplify SSL Certificate Management Across the Enterprise

Hello,
 
The need for SSL Certificates has moved well beyond the “buy” page to core functions of the enterprise. SSL Certificates are used to protect remote employee and partner communications via webmail, chat and IM. Browser-to-server communications for cloud-based services require SSL Certificates when used to display customer account information, business partner transactions and for employee productivity tools. Finally, SSL Certificates are used to secure server-to-server communications for applications and data exchange. Managing individual Certificates across a large organization quickly becomes complicated with multiple locations, many divisions, and rapidly growing Web-based services. If an SSL Certificate expires, a company not only loses sales and puts customer confidence in jeopardy, employees and business partners may not be able to do their work or risk exposure of confidential information. Managing SSL Certificates across complex networks to ensure protection and prevent unanticipated expirations has become mission critical to all businesses.
 
This guide provides five simple steps for IT professionals to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of  control for these Certificates throughout their lifecycle.
 
To know more check the attached Whitepaper.

Upgrade process graphical overview: Small Business Edition 12.0 to Small Business Edition 12.1 RU3 version


Hello Everyone,

I would like to share a graphical overview of the upgrade process from SBE 12.0 to SBE 12.1 RU3.

From SEP 12.1 RU1 onwards, Symantec gives the option to download the full product in two parts (part 1 and part 2) or to download individual files such as the SEPM setup, SEP 32-bit setup, SEP 64-bit setup and Tools, as required.

This gives Symantec customers more leverage to choose what they want. In many cases the customer needed only the SEP setup and unnecessarily had to download the entire zip file, which is around 1.5 GB in size. Here we can choose what we want!

SBE 12.0 login screen.

1st_1.JPG

After logging in to the SPC, you can verify the version details. Here we can see it's 12.0.122.192.

 2nd_0.JPG

Legacy version details are available here: https://www-secure.symantec.com/connect/articles/what-are-symantec-endpoint-protection-sep-versions-released-officially.

Go to Services and stop the Symantec Protection Centre service prior to the upgrade; I have highlighted it in the screenshot.

 3rd_0.JPG

Once the download finishes successfully, extract the contents of the compressed file to a location of your choice

Navigate to the extracted files, then enter the SEPM folder and double-click on setup.exe.

4th.JPG

After setup.exe is run, the setup initialization process starts and the installer is ready to install.

5th.JPG

Click on Next,

6th_1.JPG

License Agreement Page.

7th.JPG

The install procedure will prompt for a backup of the existing database so it will be available if required in the future.

9th.JPG

Click on Install to start Installation.

10th.JPG

11th.JPG

12th.JPG

Management Server & Console Installation Summary Page, Click on Next.

13th_0.JPG

Upgrade Wizard will start, click on next.

14th.JPG

If the following ports are already in use then other available ports will have to be selected.
 
Which communications ports does Symantec Endpoint Protection use?
 
http://www.symantec.com/docs/TECH163787  

15th_0.JPG

Data Collection Page, Check mark is optional.

16th_3.JPG

Monitor the server upgrade status; if you could not monitor it, refer to the upgrade logs later on.

17th.JPG

26th.JPG

25th.JPG

18th.JPG

Server Upgrade Status, Note that the database schema has changed with this version of SEPM.

We can see it's adding legacy packages and the latest packages into the database.

19th.JPG

Upgrade Succeeded message will come up.

21st.JPG

 Small Business Edition 12.1 RU3 login screen.

22nd.JPG

After login to the SEPM check the new version is listed.

23rd.JPG

After a successful login, confirm the email address listed under Admin --> Administrators --> Edit the administrator.

Make sure a valid email address is listed and that you are receiving emails successfully.

Symantec Endpoint Protection 12.1 Release Update 1 Maintenance Patch 1 (RU1 MP1) or later does not use resetpass.bat, which has been removed from the Tools directory.
 
The new method is a safer mechanism to reset passwords.
 
Refer this article to learn more about it: http://www.symantec.com/docs/TECH186978 

24th.JPG

Activating your new or renewed Symantec Endpoint Protection 12.1 product license

http://www.symantec.com/docs/HOWTO55294

Refer this article as well: https://www-secure.symantec.com/connect/articles/s...

Thanks for viewing and hope it's been informative.

Creating Application Control Exclusions in Symantec Endpoint Protection 12.1


Here come the ADC's...

Symantec Endpoint Protection 11 and 12.1 have a fantastic feature called Application and Device Control (ADC).  Administrators can use this optional SEP component to block an unwanted process, whether it is a suspicious/malicious application or just a tool that admins would rather not have their managed endpoints running.  It can also be used to block unauthorized devices (USB thumb drives, smartphones, and so on).  Here is an overview article about ADC:

About application and device control
Article URL http://www.symantec.com/docs/HOWTO27048 
 

SEP 12.1 brought a couple of important ADC enhancements: it can now be used with 64-bit OS's, and there is now the ability to create an exception that will apply only to ADC and leave AntiVirus Auto-Protect functioning.  This article illustrates one instance in which this new Application Control exclusion enabled SEP 12.1 to interact with a legacy software component crucial to an important customer's business.

 

An Important Warning

Please Note! ADC is a powerful security tool.  If misconfigured, it can prevent important Windows processes from executing- potentially turning computers into big, heavy paperweights.  USE APPLICATION AND DEVICE CONTROL WITH CAUTION!

 

Ask Mr. Computer Science Guy

Application Control works by injecting a Symantec library (sysfer.dll) into every process launched on controlled SEP clients. This library monitors key process function calls.  It can allow, deny and/or log process activity, depending on how the administrator has configured it.

Using the excellent Process Monitor tool from Sysinternals, it is possible to see the SYSFER.DLL module in a sample process...

SYSFER_HERE.png

Sysfer usually gets along well with other programs on a computer.  Historically, there have been some instances where there was a conflict.  As there are countless software programs developed every day by coders of mixed ability, there will doubtless be conflicts in the future.  Let me provide an example...
 

CRASH!

A legacy web application had been working for many years.  After SEP 12.1 RU2 was installed onto computers, however, it stopped functioning.  Application and Device Control was one of the SEP components deployed.  Tests confirmed that after this component was removed, the old application could function.

The Windows event logs contained Application Errors like the following:   

[date][time] Application Error Application Error win7.domain.local     1000 
Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: jvm.dll, version: 0.0.0.0, time stamp: 0x42527311
Exception code: 0xc0000005
Fault offset: 0x00050b58
Faulting process id: 0x6a0
Faulting application start time: 0x01ce4d5a8b411f08
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll

Report Id: d403dc08-b94d-11e2-b198-0019b90b7215
 

This custom web application was built to rely upon Oracle's Jinitiator, a JVM discontinued in January 2008.  In the long term, a new web application would be written to replace it.  In the short term, though, if business was to continue it would be necessary to find a workaround, hopefully one that did not mean removing ADC from the endpoints completely.

 

Solution!

There was no way that Jinitiator could be updated as it was no longer under development.  If there was to be a way around the incompatibility, it would have to come from the SEP side.

The administrator logged into the Symantec Endpoint Protection Manager (SEPM) console and clicked on Policies, Exceptions.  A new Exception was added to the policy that was deployed to all the affected clients.  This new File Exception was created not for the module which was crashing (C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll) but created for the application which launched that module - C:\Program Files\Internet Explorer\iexplore.exe. 
 

 exception_policy_1.jpg

Note that the exception / exclusion was created for Application Control alone.  "Security Risk" and "SONAR" were not checked, meaning that there were still robust protection technologies monitoring IE and protecting it against evilness.

Once this policy was in place on the SEP clients, the legacy application functioned and ADC was protecting every process on the computer except for Internet Explorer. 

One note: as a general security best practice, it is best not to tick “Also exclude child processes.” Check if the application works with this unticked.  
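
As an added illustration (not part of the original article and not Symantec tooling), the Python below parses the Application Error text quoted above and reports the crashing module next to the launching process that the exception was created for. The function names and the small NTSTATUS lookup table are assumptions made for this example.

```python
import ntpath
from datetime import datetime, timedelta, timezone

# Fields of the Application Error event (ID 1000) quoted in the article.
SAMPLE_EVENT = r"""Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: jvm.dll, version: 0.0.0.0, time stamp: 0x42527311
Exception code: 0xc0000005
Fault offset: 0x00050b58
Faulting process id: 0x6a0
Faulting application start time: 0x01ce4d5a8b411f08
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll"""

# Two common NTSTATUS codes (example table); others are shown as raw hex.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}

def parse_event(text):
    """Return the event's 'Key: value' lines as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def filetime_to_utc(hex_value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def triage(text):
    """Summarise the crash and name the process an ADC exception would target."""
    f = parse_event(text)
    app_path = f["Faulting application path"]
    mod_path = f["Faulting module path"]
    code = int(f["Exception code"], 16)
    app_dir = ntpath.normcase(ntpath.dirname(app_path))
    mod_dir = ntpath.normcase(ntpath.dirname(mod_path))
    return {
        "exception": NTSTATUS.get(code, hex(code)),
        "crashing_module": ntpath.basename(mod_path),
        # String comparison only: 8.3 short names (PROGRA~1) cannot be expanded offline.
        "module_outside_app_dir": not mod_dir.startswith(app_dir),
        # The article's exception names the launching process, not the module.
        "exception_target": app_path,
        "process_started_utc": filetime_to_utc(f["Faulting application start time"]),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run against a batch of exported events, the same summary shows which launching processes load the crashing module, which keeps the exception list as short as possible.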

 

 

Tell Me More!  

Details on ADC and creation of exclusions can be found in the following articles:

Symantec Endpoint Protection Manager 12.1 - Application and Device Control (ADC) - Policies explained
Article URL http://www.symantec.com/docs/TECH188597 
 

Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 12.1
Article URL http://www.symantec.com/docs/TECH183201 
 

Excluding a file or a folder from scans
Article URL http://www.symantec.com/docs/HOWTO80920 
 

Excluding applications from application control
Article URL http://www.symantec.com/docs/HOWTO55212 
 

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
Article URL http://www.symantec.com/docs/TECH181679

How to block or allow device's in Symantec Endpoint Protection
https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection
 

 

Many thanks for reading!  Please do leave comments and feedback below.

 

SEP 12.1.2 Best Practices on Citrix Virtual Desktops ( Provisioning Services) -Part 1-


A few days ago I did a little research about possible configurations when we are using SEP 12.1.2 under Citrix Provisioning Services.

I share with you the first part of this research, which used the Citrix and Symantec web sites as sources.

Scenario 1

Symptoms:

  • The Target Device seems sluggish or generally slower than normal after installing or upgrading your antivirus client.
  • You notice prolonged high CPU use.
  • You notice a significant change in the write cache Disk I/O Performance. For example, if the percentage of disk write time or disk write queue length increase significantly.

Best Practices:

  • Set the Manager content revisions to at least 45
  • Create a new SEPM Domain for just the Citrix Virtual Desktops (Provisioning Services)
  • Create a new Group in this new SEPM Domain (for example: My Company>Default>Citrix Environment)
  • Move all the Citrix Virtual Desktops from the old Domain to the new one. At this point you could have two situations:
    • Fresh installation: create the Domain and add the SEP clients directly
    • Existing installation: use SylinkDrop
      • It is recommended that you use the SylinkDrop included on the second installation download (Tools and Documents, \Tools\SylinkDrop)
      • Or export the Communication Settings from the recently created group (Citrix Environment)
  • In the Group for the Citrix Environment, set the communications to:
    • Use Pull Mode
    • Use a Heartbeat of 120 minutes
    • Enable Download Randomization
  • Exclude the following files/processes/drivers from all types of scanning:
    • Write Cache
    • Process: BNDevice.exe
    • The following drivers: BNNS.sys, BNNF.sys, BNPort.sys, bnistack.sys, and BNITDI.sys, or bnistack6.sys, CvhdBusP6.sys, CFsDep2.sys
      • Can be found at: <systemroot>\windows\system32\drivers
    • At the Provisioning Service:
      • StreamService.exe, StreamProcess.exe and soapserver.exe
  • Apply the Virtual Exception Tool
  • Use Active Scan instead of Full Scan
  • Enable Random Scan in the Antivirus Policy of this Group
  • Enable Shared Insight Cache

I hope this helps

Information Source :

 Virtualization Best Practices

http://www.symantec.com/business/support/index?page=content&id=HOWTO81060

http://www.symantec.com/business/support/index?page=content&id=TECH173650

https://www-secure.symantec.com/connect/sites/default/files/Virtualization_Best_Practices.pdf

 
