Channel: Symantec Connect - Products - Articles

How to Reset Symantec Endpoint Protection Manager Console password in SEP 12.1


Hello,

For one reason or another you might come into a situation where you are unable to log in to the Symantec Endpoint Protection Manager console. Symantec provides a tool that resets the admin password. By default this tool is placed in the SEP Manager installation folder, which means you need physical access to the operating system on which the SEP Manager is installed. In this guide I am going to walk you through resetting the admin password.


 

For versions earlier than Symantec Endpoint Protection 12.1 Release Update 1 Maintenance Patch 1 (RU1 MP1), you can use the resetpass.bat utility.

The Symantec Tool is a batch file located in the following path “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools”

You can use the resetpass.bat to reset the password for the Symantec Endpoint Protection Manager admin account.

Note: If you change the admin account name to something other than admin and then run resetpass.bat, it changes the account name back to admin.

To reset the administrator password

1. On the computer that runs Symantec Endpoint Protection Manager, start Windows Explorer.

2. Go to the \Program Files\Symantec\Symantec Endpoint Protection Manager\Tools folder.

3. Double-click resetpass.bat. The password is reset to admin.

4. Change the password as soon as possible.

 


 

Note: If the account has been locked out due to repeated logon attempts, the resetpass.bat tool does not unlock the account. The default lockout period is 15 minutes.

Important Note: For the Symantec Endpoint Protection Enterprise Edition, do not use the admin account when setting up Active Directory Authentication. You must use a new Administrator account to use Active Directory authentication. For more information, see the knowledge base article, How to setup a SEPM administrator account to use your Active Directory authentication.

Check these Articles:

Resetting the administrator user name and password to admin

http://www.symantec.com/docs/HOWTO54992

Setting up authentication for administrator accounts

http://www.symantec.com/docs/HOWTO55479

 

Symantec Endpoint Protection 12.1 Release Update 1 Maintenance Patch 1 (RU1 MP1) or greater does not use resetpass.bat and it has been removed from the Tools directory.

If you have system administrator access rights for a site, you can allow your administrators to reset passwords. A password is reset by sending an email that contains a link to activate a temporary password.

Note: You can use this method to reset a password only for the administrator accounts that authenticate by using Symantec Management Server authentication. This method does not work for any administrator accounts that authenticate by using either RSA SecurID authentication or directory authentication.

Note: A temporary password can be requested only once per minute from a single Symantec Endpoint Protection Manager console.

For security reasons, entries are not verified on the server. To check whether the password reset was successful, you must check the administrator email.

If a mail server is configured, it is used to send the email. If the email cannot be sent for any reason, the SMTP service is used to send it instead. We recommend that you configure a mail server.

To reset a forgotten password

1. On the management server computer, click Start > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager.

2. In the Logon screen, click Forgot your password?


3. In the Forgot Password dialog box, type the user name for the account for which to reset the password.

4. Click Temporary Password.

 

Check this article:

Resetting a forgotten password

http://www.symantec.com/docs/HOWTO55059

 

Additional Information:

You might come into a situation where you are unable to log in to the Symantec Endpoint Protection Manager console and, in extreme cases, you do not remember the email address that has been set within Symantec Endpoint Protection.

To find the recipient email address, follow these steps:

1. Navigate to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc

2. Open mailConfig.properties file with the help of Notepad.

3. You will find following entry:

"adminMailReciptants=abc@symantec.com"

In this example abc@symantec.com is the recipient email address.

4. Check the inbox of the specified email address.

If no specific email address is set, you need to reset the password using the resetpass.bat file from an earlier version of the SEP setup (if you have one).
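Steps 1 to 3 above done programmatically, as an added example that is not part of the original article: a Python script that parses mailConfig.properties (the default path is the one given in step 1) and returns the addresses listed under adminMailReciptants. The file contents in SAMPLE are constructed for the example.

```python
import re
from pathlib import Path

# Default location quoted in the article (64-bit Windows host).
DEFAULT_MAIL_CONFIG = Path(
    r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager"
    r"\tomcat\etc\mailConfig.properties"
)
# Key name exactly as the article quotes it from the file.
RECIPIENT_KEY = "adminMailReciptants"


def parse_properties(text: str) -> dict:
    """Parse Java-style .properties text into a dict.

    Handles '#' and '!' comment lines, '=' / ':' / whitespace separators and
    backslash line continuations; escaped separators in keys are unescaped.
    """
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf += line[:-1]          # continuation: glue the next line on
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:
        logical_lines.append(buf)

    props = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            key = m.group(1).replace("\\=", "=").replace("\\:", ":")
            props[key] = m.group(2).strip()
    return props


def admin_recipients(text: str) -> list:
    """Return the addresses that receive the temporary-password email."""
    value = parse_properties(text).get(RECIPIENT_KEY, "")
    return [addr for addr in re.split(r"[,;\s]+", value) if addr]


def load_recipients(path: Path = DEFAULT_MAIL_CONFIG) -> list:
    """Read the file from disk; .properties files are ISO-8859-1 by convention."""
    return admin_recipients(path.read_text(encoding="latin-1"))


# Constructed sample standing in for a real mailConfig.properties; only the
# recipient line comes from the article, the rest exercises the parser.
SAMPLE = """\
# constructed sample, not a real SEPM configuration
! a second comment style
adminMailReciptants=abc@symantec.com
placeholder.setting = some value \\
    continued on the next line
"""

if __name__ == "__main__":
    for addr in admin_recipients(SAMPLE):
        print("check the inbox of:", addr)
```

Run load_recipients() on the SEPM host itself to read the real file; an empty list means no recipient is configured and the resetpass.bat route described below is the only option.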

 

Check the article below to learn how to save login credentials, set the banner and recover the login password via email:

https://www-secure.symantec.com/connect/videos/learn-how-save-login-credentials-set-banner-and-recover-login-password-email

 
To receive the resetpass.bat file, you can log a case with Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

Or contact Technical Support by phone:

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000
 

 


SEPM Administrators.


Hello Everyone,

By default, when you install Symantec Endpoint Protection Manager, an 'admin' account is created with full access and permissions to all areas of Symantec Endpoint Protection Manager.

You use administrators to manage your company's organizational structure and network security. For a small company, you may only need one administrator. For a large company with multiple sites and domains, you most likely need multiple administrators, some of whom have more access rights than others.

You can create additional administrators as your business requires.

To add a new administrator for the first time, you need to log in with the 'admin' account.

Go to Admin --> Administrators --> Add an administrator


In this demonstration I have created two more administrators.

User1 - System administrator

User2 - Limited Administrator

 

By looking at an administrator's icon you can gauge what kind of rights they have.


A system administrator can perform the following tasks:

  • Manage all domains.

  • Create and manage all other system administrator accounts, administrator accounts, and limited administrator accounts for all domains.

  • Manage the databases and management servers.

  • Manage Enforcers.

  • View and manage all console settings.

 


An administrator, who is also referred to as a domain administrator, can perform the following tasks:

  • Manage a single domain.

  • Create and manage administrator accounts and limited administrator accounts within a single domain.

    You can specify access rights to run reports and manage sites.

    See Configuring the access rights for a domain administrator.

    You can authorize administrators to fully manage a site through Site Rights, including the database and all servers for a site.

    Administrators who are fully authorized to manage a site can modify site rights for other administrators and limited administrators.

    Administrators cannot modify their own site rights. System administrators must perform this function.

    For administrators who are not authorized to manage a site through Site Rights, the administrator cannot modify site rights for other administrators and limited administrators.

  • Manage the password rights for limited administrators and other administrators who have equal or less restrictive access rights.

  • Cannot manage Enforcers.

 


A limited administrator can be granted access to perform tasks within a single domain. These tasks include:

  • Run reports on specified computers, IP addresses, groups, and servers.

  • View Home, Monitors, and Reports pages in the console only if granted reporting rights.

  • Manage the groups within a single domain.

  • Remotely run commands on client computers.

  • Fully manage a site, or, view or manage the database or the selected servers for a site within a single domain.

  • View or manage installation packages.

  • Manage policies

    Limited administrators who do not have access to a specific policy and related settings cannot view or modify the policy. In addition, they cannot apply, replace, or withdraw a policy.

    See Configuring the access rights for a limited administrator.

  • Cannot create other limited administrator accounts.

    Only a system administrator or an administrator can create limited administrator accounts.

  • Manage the password rights for own account only.

 

If you are logged in as an administrator, the License tab and the Domain tab are not listed.


If you do not want an administrator to manage the single site, you can remove that access as well.

Go to Admin --> Administrators --> Edit an administrator (in this example, edit User1) --> Access rights --> Site rights --> select 'Not authorized to manage this site'.


Now User1 will not get access to the Server tab, License tab and Domain tab; check this screenshot.


In this demonstration we have created 'User2' as a limited administrator. User2 is allowed only to manage installation packages.


After logging in, User2 will only be able to see the Administrator tab and Installation package.

In the Administrator tab he will be able to see only his own account.


 

Helpful Articles:

About administrators

http://www.symantec.com/docs/HOWTO55478

Managing domains and administrator accounts

http://www.symantec.com/docs/HOWTO55094

Adding an administrator account

http://www.symantec.com/docs/HOWTO55403

About access rights

http://www.symantec.com/docs/HOWTO55041

Configuring the access rights for a limited administrator

http://www.symantec.com/docs/HOWTO55037

How to change Manage Group permissions for Limited Administrators in SEPM for multiple groups.

http://www.symantec.com/docs/TECH92651

Which administrator activities are logged in the Symantec Endpoint Protection Manager console?

http://www.symantec.com/docs/TECH141668

About administrator account roles and access rights (Endpoint Protection 12.1.2)

http://www.symantec.com/docs/HOWTO81226

 

Introduction to Symantec Protection Engine for Network Attached Storage


Symantec™ Protection Engine for Network Attached Storage replaces Symantec AntiVirus™ for Network Attached Storage.

Symantec Protection Engine provides virus scanning and repair services for a number of network-attached storage (NAS) devices. Symantec Protection Engine for Network Attached Storage features the Symantec™ Protection Engine, a carrier-class virus scanning and repair engine. The Symantec Protection Engine features all of the virus-scanning technologies that are available in Symantec antivirus products, making the Symantec Protection Engine one of the most effective virus solutions available for detecting and preventing virus attacks.

You can scan files for viruses automatically as they are accessed from storage before the requesting user gains access to it. Based on a configurable virus scan policy, when a virus is found in a file, the file is repaired. The clean file is stored on the NAS device and only then is the requesting user granted access.

Symantec Protection Engine uses the following protocols to interface with network attached storage devices:

  • The Internet Content Adaptation Protocol (ICAP), version 1.0, as presented in RFC 3507 (April 2003)
  • A proprietary implementation of remote procedure call (RPC)
  • The Protection Engine native protocol

Each NAS device maintains a connection with Symantec Protection Engine to request scanning and repairing of files.

About software components

In most cases, adding virus scanning to a supported NAS device requires installation and configuration of the following components:

  • Symantec Protection Engine, which provides the virus scanning and repair services
  • Connector, which lets the NAS device communicate with Symantec Protection Engine


The figure below shows a typical integration of a network attached storage device with Symantec Protection Engine.


  1. The client tries to access a file on the network attached storage device.
  2. The network attached storage device, by means of a connector, sends the file to the Symantec Protection Engine for scanning.
  3. Symantec Protection Engine scans the file, repairs it if it is infected, and returns the clean file to the network attached storage device.
  4. The network attached storage device writes the cleaned file to disk, caches the fact that the file has been cleaned, and sends the file to the client.
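The exchange in steps 2 and 3, as an added example that is not code from the article or from Symantec: a Python sketch of an ICAP/1.0 RESPMOD transaction (RFC 3507) as a connector would perform it, plus the parsing of the engine's verdict. The engine host, the service path /avscan and the X-Infection-Found header are assumptions, and the sample engine replies are constructed.

```python
# ICAP endpoint details are assumptions for this example, not the product's.
ICAP_HOST = "engine.example.local"
ICAP_SERVICE = f"icap://{ICAP_HOST}/avscan"


def build_respmod(filename: str, data: bytes) -> bytes:
    """Wrap a file read from the NAS in an HTTP response and send it for RESPMOD."""
    # The encapsulated HTTP response header block; its length is the res-body offset.
    res_hdr = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Length: {len(data)}\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
    ).encode("latin-1")
    # ICAP bodies are always chunked; one chunk plus the zero-length terminator.
    body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)
    icap_hdr = (
        f"RESPMOD {ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        "Allow: 204\r\n"          # engine may answer '204 No Content' for a clean file
        f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n"
        "\r\n"
    ).encode("latin-1")
    return icap_hdr + res_hdr + body


def _dechunk(data: bytes) -> bytes:
    """Decode a chunked ICAP/HTTP body into raw bytes."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # drop chunk extensions such as 'ieof'
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]                     # skip the chunk and its trailing CRLF


def parse_icap_response(raw: bytes) -> dict:
    """Interpret the engine's reply: clean (204), repaired/replaced (200) or error."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"status": status, "headers": headers, "verdict": "error", "body": None}
    if status == 204:
        result["verdict"] = "clean"        # unmodified: the NAS may release the original file
    elif status == 200:
        # Offsets in Encapsulated are relative to the start of the encapsulated section.
        enc = dict(p.strip().split("=", 1)
                   for p in headers.get("encapsulated", "").split(",") if "=" in p)
        if "res-body" in enc:
            result["body"] = _dechunk(encapsulated[int(enc["res-body"]):])
        # X-Infection-Found is a widely used ICAP extension header (assumed here).
        result["verdict"] = "infected" if "x-infection-found" in headers else "modified"
    return result


def constructed_engine_reply(infected: bool) -> bytes:
    """Constructed sample replies standing in for a real scanning engine."""
    if not infected:
        return (b"ICAP/1.0 204 No Content\r\nISTag: \"constructed\"\r\n"
                b"Encapsulated: null-body=0\r\n\r\n")
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\n"
    body = b"8\r\nrepaired\r\n0\r\n\r\n"           # the engine returns the cleaned file
    icap = (b"ICAP/1.0 200 OK\r\nISTag: \"constructed\"\r\n"
            b"X-Infection-Found: Type=0; Resolution=2; Threat=ConstructedSample;\r\n"
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr))
    return icap + res_hdr + body


if __name__ == "__main__":
    print(build_respmod("quarterly.xlsx", b"constructed file contents").decode("latin-1"))
    for infected in (False, True):
        print(parse_icap_response(constructed_engine_reply(infected)))
```

A connector must only write the returned body back to storage on a 200 with a res-body; on 204 the original is served unchanged, and any other status should leave the file inaccessible rather than assume it is clean.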

About the connector

The connector handles the communication between the Protection Engine and the NAS device and interprets the results that are returned from the Protection Engine after scanning. The manufacturer of the NAS device develops and provides support for the connector. The connector typically is installed and configured on the NAS device. (In some cases, the manufacturer pre-installs the connector.)

In some cases, no connector is necessary. The NAS device handles the communication with the Protection Engine, and any configuration options are available directly on the device.

Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)


Welcome to Part 1 of 3 discussing the terms, technologies and concepts related to Symantec Endpoint Protection and Symantec security software. In the series you will find descriptions and explanations of several SEP-related technologies, tools and concepts, alongside the relevant links to Symantec KB articles. The terminology articles are based upon the available official documentation and publications from Symantec KBs and Implementation Guides for SEP. Any comments or ideas about what should be included in the series are welcome. I hope this series will be informative to you.

 

The Series consists of following articles:
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)

 

This is the first part of the series, covering the following terms:

Administrator-defined scans
Anti-MAC Spoofing
Antivirus and Antispyware Protection
Application and Device Control (ADC)
Application learning
BASH
Bloodhound
Browser Intrusion Prevention
Central Quarantine
Centralized Exceptions
Checksum Utility
Cleanwipe
Client / Computer Mode
Client Deployment Wizard
Communication Update Package Deployment
Content Distribution Monitor
Dbvalidator
DevViewer
Disaster Recovery
Doscan
Download Insight
Early Launch Anti-Malware Driver
Embedded Database
Encryption password
Enforcer
Explicit Group Update Provider
File Fingerprint List
File System Auto-Protect
Firewall
Group Update Provider (GUP)

 

Administrator-defined Scans - a type of antivirus/antimalware scan set up on the SEPM and provided to SEP clients through the assigned policy. Administrator-defined scans can be either scheduled scans or on-demand scans. Administrators define scheduled scans to run on client computers at configurable intervals. Administrators can predefine a specific set of scan settings for running on-demand scans on clients from the management console. On-demand scans are manual scans run on a client at the administrator's request.

Scheduling an administrator-defined scan
http://www.symantec.com/docs/HOWTO16379
Customizing administrator-defined scans for clients that run on Windows computers
http://www.symantec.com/docs/HOWTO54927

 

Anti-MAC Spoofing - a setting in Virus and Malware Protection of Symantec Endpoint Protection. When enabled, Symantec Endpoint Protection allows incoming and outgoing address resolution protocol (ARP) traffic if an ARP request was made to that specific host. All other unexpected ARP traffic is blocked and an entry is generated to the Security log.

Detecting potential attacks and spoofing attempts
http://www.symantec.com/docs/HOWTO55408
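The rule described above as an added example (not Symantec's code): a small stateful ARP filter in Python that allows a reply only when the matching request was seen, blocks anything else and records it in a security log. The frame layout, the 2-second request timeout and the traffic sample are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import NamedTuple


class ArpFrame(NamedTuple):
    """One ARP frame as seen by the host (constructed layout for this example)."""
    t: float            # seconds since start of capture
    direction: str      # "in" (received) or "out" (sent by this host)
    op: str             # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


PENDING_TIMEOUT = 2.0   # assumed: how long a request stays 'expected'


@dataclass
class AntiMacSpoofFilter:
    """Stateful filter modelling the Anti-MAC Spoofing rule: an ARP reply is
    allowed only if a matching request was seen first; anything else is
    blocked and written to the security log."""
    my_ip: str
    asked_for: dict = field(default_factory=dict)   # IPs this host requested -> time
    asked_by: dict = field(default_factory=dict)    # IPs that requested this host -> time
    security_log: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        for table in (self.asked_for, self.asked_by):
            for ip in [ip for ip, t in table.items() if now - t > PENDING_TIMEOUT]:
                del table[ip]

    def process(self, f: ArpFrame) -> str:
        """Return 'allow' or 'block' for one frame, updating the request state."""
        self._expire(f.t)
        if f.op == "request":
            # Requests are recorded so the matching reply can be recognised later.
            # (Assumption: requests themselves are passed through.)
            if f.direction == "out":
                self.asked_for[f.target_ip] = f.t
            elif f.target_ip == self.my_ip:
                self.asked_by[f.sender_ip] = f.t
            return "allow"
        # A reply is expected only if the corresponding request was seen and is fresh.
        if f.direction == "in":
            expected = self.asked_for.pop(f.sender_ip, None) is not None
        else:
            expected = self.asked_by.pop(f.target_ip, None) is not None
        if expected:
            return "allow"
        self.security_log.append(
            f"t={f.t:.1f}s blocked unsolicited {f.direction}bound ARP reply: "
            f"{f.sender_ip} is-at {f.sender_mac} (to {f.target_ip})")
        return "block"


def run(frames, my_ip: str):
    """Feed a capture through the filter; return per-frame decisions and the log."""
    flt = AntiMacSpoofFilter(my_ip)
    return [flt.process(f) for f in frames], flt.security_log


# Constructed sample traffic for host 10.0.0.5 (not a real capture).
SAMPLE = [
    ArpFrame(0.0, "out", "request", "10.0.0.5", "02:00:00:00:00:05", "10.0.0.1"),  # who has the gateway?
    ArpFrame(0.1, "in",  "reply",   "10.0.0.1", "02:00:00:00:00:01", "10.0.0.5"),  # solicited answer: allowed
    ArpFrame(5.0, "in",  "reply",   "10.0.0.1", "02:00:00:00:00:66", "10.0.0.5"),  # unsolicited, other MAC: blocked
    ArpFrame(6.0, "in",  "request", "10.0.0.9", "02:00:00:00:00:09", "10.0.0.5"),  # neighbour asks for us
    ArpFrame(6.1, "out", "reply",   "10.0.0.5", "02:00:00:00:00:05", "10.0.0.9"),  # our answer: allowed
    ArpFrame(7.0, "out", "request", "10.0.0.5", "02:00:00:00:00:05", "10.0.0.7"),
    ArpFrame(9.5, "in",  "reply",   "10.0.0.7", "02:00:00:00:00:07", "10.0.0.5"),  # answer after timeout: blocked
]

if __name__ == "__main__":
    decisions, log = run(SAMPLE, "10.0.0.5")
    for frame, decision in zip(SAMPLE, decisions):
        print(f"{decision:5} {frame}")
    print("\n".join(log))
```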

 

Antivirus and Antispyware Protection - protects computers from viruses and security risks, and in many cases can repair their side effects. The protection includes real-time scanning of files and email as well as scheduled scans and on-demand scans. Virus and spyware scans detect viruses and the security risks that can put a computer, as well as a network, at risk. Security risks include spyware, adware, and other malicious files. Antivirus and Antispyware Protection can reduce the number of false positives and improve scan performance when used together with several other SEP technologies such as SONAR, File System Auto-Protect, Insight Lookup and Download Insight.


Symantec Endpoint Protection Manager - Antivirus and Antispyware - Policies explained
http://www.symantec.com/docs/TECH104430

 

Application and Device Control (ADC) - is an advanced security feature included in Symantec Endpoint Protection and offers two types of control, or protection, over client computers: application control and device control. Application Control provides administrators with the ability to monitor and/or control the behavior of applications - some of the possible scenarios:
■ Prevent malware from taking over applications
■ Restrict the applications that can run
■ Prevent users from changing configuration files
■ Protect specific registry keys
■ Protect particular folders, such as \WINDOWS\system
Device control manages the hardware devices that access client computers. It can be used in following ways:
■ Block or allow different types of devices that attach to client computers, such as USB, infrared, and FireWire devices
■ Block or allow serial ports and parallel ports
Another part of Application and Device Control is System Lockdown - a feature used to ensure that the system stays in a known and trusted state. Some of the ADC policies were designed to protect against the activities associated with certain particular threats and are recommended for use in outbreak situations.

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
http://www.symantec.com/docs/TECH145973
Symantec Endpoint Protection Manager - Application and Device Control (ADC) - Policies explained
http://www.symantec.com/docs/TECH104431
How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies
http://www.symantec.com/docs/TECH102525
How to use Application and Device Control to limit the spread of a threat.
http://www.symantec.com/docs/TECH93451
How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage
http://www.symantec.com/docs/TECH97618

 

Application learning - allows Symantec Endpoint Protection (SEP) clients to report information and statistics about the executables that are run on them. The information is provided to the SEPM and collected in the SEPM database. The purpose of this information is to build a list of known applications in an environment to create Application-based firewall rules, Host Integrity (HI) rules and can be used as a reference for Centralized Application Exceptions.

How to set up learned applications in the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH102994
Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH134367

 

BASH (Behavioural Analysis and System Heuristics) - is an underlying technology for a number of SEP 12.1 features, and is not limited to Proactive Threat Protection or SONAR. The SEP components heavily based on the BASH technology are Tamper Protection, Suspicious Behaviour Detection/System Change Detection, SONAR and Reputation Submissions.

 

Bloodhound - is a component of a heuristic protection. Bloodhound isolates and locates the logical regions of a file to detect a high percentage of unknown viruses. Bloodhound then analyzes the program logic for virus-like behavior.

What is the difference between the Bloodhound and Proactive Threat Protection (TruScan) technologies?
http://www.symantec.com/docs/TECH92436
How to enable, disable, or configure Bloodhound(TM) heuristic virus detection in Symantec Endpoint Protection.
http://www.symantec.com/docs/TECH92424

 

Browser Intrusion Prevention - is a new advanced protection feature included with the SEP 12.1 client. This technology works in conjunction with, but is separate from the Client Intrusion Detection System (CIDS) used by the client firewall-based IPS engine in SEP. BIPS uses IPS signatures to detect the attacks that are directed at browser vulnerabilities. Browser intrusion prevention monitors attacks on Internet Explorer and Firefox. Browser intrusion prevention is not supported on any other browsers. This type of intrusion prevention uses attack signatures as well as heuristics to identify attacks on browsers.

Expected behavior of Browser Intrusion Prevention
http://www.symantec.com/docs/TECH172174
How intrusion prevention works
http://www.symantec.com/docs/HOWTO81344
Supported Browser versions for Browser Intrusion Prevention
http://www.symantec.com/docs/TECH174537

 

Central Quarantine - is a central static repository of detected threats to which SEP clients can forward infected items from their own local Quarantine. The Central Quarantine consists of two components: the Quarantine Server and the Microsoft Management Console (MMC) snap-in. It provides a single place to co-locate all quarantined items on the network. Quarantined items can all be viewed from the console and are automatically submitted to Symantec Security Response. The Central Quarantine is completely optional, as under normal circumstances SEP and SEPM can handle quarantined items on their own. Central Quarantine Server and Client Console require separate installations; the installers can be found on the Part2_Tools.exe image attached to the SEP installation media.

Symantec™ Central Quarantine Implementation Guide
http://www.symantec.com/docs/DOC3258
Installing and configuring the Central Quarantine
http://www.symantec.com/docs/TECH105496
Setting up Symantec Endpoint Protection clients to forward infected files to a Central Quarantine Server.
http://www.symantec.com/docs/TECH104755
Installing the Quarantine Server
http://www.symantec.com/docs/HOWTO26760

 

Centralized Exceptions - are part of the Centralized Exceptions policy and allow certain items to be excluded from future detection by different SEP scan components such as AV, TruScan, SONAR or even Tamper Protection. It is possible to exclude items such as known security risks, extensions, files and folders.


Symantec Endpoint Protection Manager - Centralized Exceptions - Policies explained
http://www.symantec.com/docs/TECH104432
Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11
http://www.symantec.com/docs/TECH104326

 

Checksum Utility - utility used to create a file fingerprint list. The list contains the path and the file name and corresponding checksum for each executable file or DLL that resides in a specified path on the computer. The utility is installed with Symantec Endpoint Protection on the client computer and offers an alternative to some other available third-party tools.

Creating a file fingerprint list with checksum.exe
http://www.symantec.com/docs/HOWTO81199

 

Cleanwipe - a tool used to prepare or clean any supported Windows computer before Symantec Endpoint Protection installation. CleanWipe should be used as a last resort after all other means to prepare or clean a computer for Symantec Endpoint Protection installation have failed. It may also be used to clean up and remove corrupted SEP installations. Software currently supported by the Cleanwipe tool: SEP/SEPM, SNAC, SAV, Symantec Client Security, SPC, Windows LiveUpdate. The tool may be obtained only directly from Symantec Support.


New Cleanwipe version is introduced for SEP 12.1 RU2
https://www-secure.symantec.com/connect/articles/new-cleanwipe-version-introuduced-sep-121-ru2

 

Client / Computer Mode - two different modes defining how the policies should be applied to the clients in groups. If the client software runs in user mode, the client computer gets the policies from the group of which the user is a member. If the client software runs in computer mode, the client computer gets the policies from the group of which the computer is a member.

About user mode and computer mode
http://www.symantec.com/docs/HOWTO27008

 

Client Deployment Wizard - GUI-based SEPM wizard that helps you quickly locate unprotected computers on which you need to install the client software. The wizard also provides an email deployment link so that users can download the client software by using the Web. Other deployment options consist of push deployment of the installation package over the network or export of the installation package as an .exe or .msi executable.


How to install clients using "Client Deployment Wizard" in the Symantec Endpoint Protection Manager 12.1
http://www.symantec.com/docs/TECH164308

 

Communication Update Package Deployment - a new feature implemented in SEPM 12.1 RU2 that allows remote deployment of communication settings (sylink.xml) to the SEP clients directly from SEPM. It is an automated mechanism replacing the older methods of sylink replacement such as the Sylinkdrop or Sylink Replacer tools. This feature may be used for a large number of computers, for computers that cannot be physically accessed easily, or for computers that require administrative access.

Restoring client-server communications with Communication Update Package Deployment
http://www.symantec.com/docs/HOWTO81109
SEP 12.1 RU2 and Reset Client Communication
https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-reset-client-communication

 

Content Distribution Monitor - utility used to monitor the health and status, as well as the general content deployment, of Group Update Providers in the environment. This is a lightweight, stand-alone tool designed to be run directly on the Symantec Endpoint Protection Manager (SEPM) server, and it returns a graphical display of the content distribution status.


SEP Content Distribution Monitor / GUP monitoring tool.
http://www.symantec.com/docs/TECH156558
SEP Content Distribution Monitor (for GUP health-checking)
https://www-secure.symantec.com/connect/downloads/...
SEP Content Distribution Monitor - Introduction
https://www-secure.symantec.com/connect/videos/sep-content-distribution-monitor-introduction

 

Dbvalidator - a tool used to find broken database objects and broken links in the database.

How to use the Database Validation tool (DBValidator.bat) for Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO39461
How to use the Validation Tool for the Symantec Endpoint Protection Manager Database.
http://www.symantec.com/docs/TECH104892

 

DevViewer - tool used to view the devices on a client computer and obtain the class IDs or device IDs of them. This ID is needed when creating or editing Application and Device Control Policies. DevViewer can be found on CD2 of the SEP Installation media under ...Tools\NoSupport\DevViewer.


DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH103401

 

Disaster Recovery - a set of procedure steps used in case of hardware failure or database corruption. Depending on the SEPM version and the database type used, the steps may differ. Mostly the steps include backing up the database and configuration files. A later stage includes the restore process for SEPM, the database, server certificates and client communication.

Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH160736
Symantec Endpoint Protection 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH102333

 

Doscan - a tool that enables running a quick or a scheduled SEP client scan from the command prompt, batch scripts or the Windows Task Scheduler. DoScan is not a separate scanner: it uses the same scan engine built into SEP, so for it to run, Auto-Protect on the SEP client needs to be enabled. DoScan.exe is located directly in the SEP installation folder and does not require a separate download.


DoScan.exe – SEP Antivirus scans from Command Prompt – Introduction
https://www-secure.symantec.com/connect/articles/d...
How to run a scan from a command line using Symantec Endpoint Protection using DoScan.exe
http://www.symantec.com/docs/TECH104287

 

Download Insight - is a new advanced protection feature included with the SEP 12.1 clients. DI is a part of Auto-Protect protection. This feature allows the SEP client to leverage Symantec's Cloud-based reputation database when files are downloaded or executed directly from popular Web browsers, text messaging clients, and other portals. Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Windows Live Messenger, and Yahoo Messenger. Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only for the clients that run on Windows computers.


Expected behavior of Download Insight
http://www.symantec.com/docs/TECH171776
Managing Download Insight detections
http://www.symantec.com/docs/HOWTO55252
Customizing Download Insight settings
http://www.symantec.com/docs/HOWTO55253

 

Early Launch Anti-Malware Driver - works with the Microsoft ELAM driver to provide protection for the computers in the network when they start up and before third-party drivers initialize. The settings are supported on Microsoft Windows 8. Malicious software can load as a driver, or rootkits might attack, before the operating system completely loads and Symantec Endpoint Protection starts. Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.

Managing early launch anti-malware (ELAM) detections
http://www.symantec.com/docs/HOWTO81107
Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options
http://www.symantec.com/docs/HOWTO81106

 

Embedded Database - the database that stores security policies and events. It is installed on the computer that hosts Symantec Endpoint Protection Manager. The embedded database is a Sybase SQL database and is an alternative to using a remote MS SQL database, which SEPM also supports. The embedded database does not require configuration and is the easiest to install. It supports up to 5,000 clients.

Maintaining the database
http://www.symantec.com/docs/HOWTO55337
Symantec Endpoint Protection Manager 12.1.2 Database Schema
http://www.symantec.com/docs/DOC6039


Encryption password - The password that encrypts communication between the Symantec Endpoint Protection Manager, clients, and optional Enforcer hardware devices. The password can be from 1 to 32 alphanumeric characters and is required. The encryption password cannot be changed or recovered after the database is created, and it is required for disaster recovery purposes. During a default SEPM installation, the administrator password that is entered is also used as the encryption password. If you later change the administrator's password, the encryption password does not change.

The Encryption Password and Symantec Endpoint Protection 11 (SEP11)
http://www.symantec.com/docs/TECH93119


Enforcer - a software component that enforces policy compliance in three ways: Gateway Enforcer, DHCP Enforcer, or LAN Enforcer. Enforcers authenticate clients to ensure they are running the Symantec Agent and comply with Host Integrity rules. A Gateway Enforcer is used for enforcement at access points for external computers connecting remotely through a VPN, Wireless LAN, or Remote Access Server (RAS). A LAN Enforcer is used for enforcement for internal clients that connect to the LAN through a switch that supports 802.1x authentication. A DHCP Enforcer is used for enforcement of internal clients that gain access to the LAN by receiving a dynamic IP address through a Dynamic Host Configuration Protocol (DHCP) server.

Symantec Network Access Control 11.0 LAN Enforcement Overview
http://www.symantec.com/docs/TECH102536
Symantec Network Access Control 11.0 Gateway Enforcement Overview
http://www.symantec.com/docs/TECH102537
Configuring a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO81652


Explicit Group Update Provider - a type of Group Update Provider (GUP) included since SEP 12.1 RU2. It allows configuration of an explicit list of Group Update Providers that clients can use to connect to Group Update Providers on subnets other than the client's own. It is especially recommended for roaming clients.

About the types of Group Update Providers
http://www.symantec.com/docs/HOWTO80957
Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2
http://www.symantec.com/docs/TECH198640
SEP 12.1 RU2 And Explicit Group Update Providers
https://www-secure.symantec.com/connect/articles/s...
What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?
http://www.symantec.com/docs/TECH196741


File Fingerprint List - consists of a list of checksums, one for each application on a client computer. It includes the complete file paths of those applications. You can create a file fingerprint list from a software image that includes all the applications that you want to allow users to run. You can manage file fingerprint lists in Symantec Endpoint Protection Manager and use them in your system lockdown configuration. To create a file fingerprint list, you can use the Checksum.exe utility. The utility is installed along with Symantec Endpoint Protection on the client computer.

Creating a file fingerprint list with checksum.exe
http://www.symantec.com/docs/HOWTO81199
Managing file fingerprint lists
http://www.symantec.com/docs/HOWTO55133


File System Auto-Protect - a type of ongoing or background scan that provides real-time protection for files on your computer. Whenever files are accessed, copied, saved, moved, opened, or closed, Auto-Protect scans them to ensure that a threat or security risk is not present. According to the settings in the policy, Auto-Protect offers several options for handling detected threats: Clean risk, Quarantine risk, Delete risk, or Leave alone.

What is Auto-Protect ?
http://www.symantec.com/docs/TECH94990


Firewall - a feature that is part of Network Threat Protection in SEP. The firewall allows or blocks network traffic based on criteria that the administrator sets. If the administrator permits it, end users can also configure firewall policies. The firewall is responsible for the following tasks:
■ Prevents unauthorized users from accessing the computers and networks in your organization that connect to the Internet
■ Monitors the communication between your computers and other computers on the Internet
■ Creates a shield that allows or blocks attempts to access the information on your computers
■ Warns you of connection attempts from other computers
■ Warns you of connection attempts by the applications on your computer that connect to other computers
The Symantec Endpoint Protection firewall uses firewall policies and rules to allow or block network traffic. Symantec Endpoint Protection includes a default Firewall policy with default firewall rules and firewall settings for the office environment. Firewall rules control how the client protects the client computer from malicious inbound traffic and malicious outbound traffic. The firewall automatically checks all inbound and outbound packets against these rules, and then allows or blocks the packets based on the information that is specified in the rules.


About the Symantec Endpoint Protection firewall
http://www.symantec.com/docs/HOWTO55247
Symantec Endpoint Protection Manager - Firewall - Policies explained
http://www.symantec.com/docs/TECH104433
Managing firewall protection
http://www.symantec.com/docs/HOWTO55053
How a firewall works
http://www.symantec.com/docs/HOWTO55054
How the firewall uses stateful inspection
http://www.symantec.com/docs/HOWTO55098
About firewall rules
http://www.symantec.com/docs/HOWTO55261
About inherited firewall rules
http://www.symantec.com/docs/HOWTO55483


Group Update Provider (GUP) - a client computer designated to locally distribute content updates to other clients, usually within a specified subnet only, although it can also serve clients across subnets when correctly configured. A Group Update Provider downloads content updates from the SEPM server only and distributes them to clients. A Group Update Provider helps conserve bandwidth by localizing content distribution; there are also settings for throttling the bandwidth available for content downloads from the SEPM to a GUP. A GUP can only distribute content updates (definitions); it does not distribute product updates such as a new version of the SEP installer. Depending on the settings, it is possible to specify either a single GUP or multiple GUPs for a specific group of clients. Newer SEP versions also offer a new implementation of the GUP, the Explicit Group Update Provider.


Best Practices and Troubleshooting for Group Update Providers
https://www-secure.symantec.com/connect/blogs/best...
Group Update Provider: Sizing and Scaling Guidelines
http://www.symantec.com/docs/TECH95353
Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)
http://www.symantec.com/docs/TECH93813
Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later
http://www.symantec.com/docs/TECH96419
About the types of Group Update Providers
http://www.symantec.com/docs/HOWTO80957


How to utilize SEP 12.1 for Incident Response - PART 2


In a continuation from my previous article, this article will look at using SEP 12.1 System Lockdown in blacklist mode to stop the spread of a malicious actor on your network. In order for System Lockdown to work properly, you do need to have the Application and Device Control component installed.


You do not, however, need to have an ADC policy assigned to the group the machines reside in that will use this feature.

Moving on, did you know System Lockdown has a Blacklist mode? If not, let's get started.

When you go into the System Lockdown settings, blacklist mode does not appear:


How do we make it appear? Stop the SEPM service and navigate to: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc and open the conf.properties file in a text editor. Add the following line at the end of the file:

scm.systemlockdown.blacklist.enabled=1

Save the changes and restart your SEPM service. Blacklist mode should now appear:


Much better. The objective of Blacklist mode is to block any file(s) that are in the Unapproved Applications list.

This can be utilised in the event of an attack and/or outbreak on your network. For instance, you notice a suspicious file appearing on multiple PCs but have no idea where it came from. It appears to be opening other suspicious processes. SEP is up to date and running a full scan reveals no infections. You upload the suspicious file to multiple virus checker websites and only one or two say that it is malicious. You decide to use System Lockdown in blacklist mode to stop it from spreading until you can figure out exactly what is going on.

Enable Blacklist Mode, enable System Lockdown, and add the filename to the Unapproved Applications list. Click OK and ensure your clients update their policy:


When the file attempts to execute, it will be stopped dead in its tracks:


This is a quick and dirty approach, but it is very useful for incident response and lets you quickly get a handle on the situation.
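As an added example (not Symantec's code), the following Python models what System Lockdown evaluates in its two modes: whitelist mode against the File Fingerprint List described in the terminology section above, and blacklist mode against file names on the Unapproved Applications list as used in this article. The "<md5> <path>" line format is an assumption modelled on checksum.exe output, and the sample binaries are constructed.

```python
"""Added example (not Symantec's code): a model of what System Lockdown
evaluates, using the two list types described on this page.

Whitelist mode relies on a file fingerprint list; the line format used here,
"<md5 hex> <full path>", is an assumption modelled on checksum.exe output.
Blacklist mode relies on the Unapproved Applications list, matched by file name.
"""
import hashlib
import ntpath
import os
import tempfile
from pathlib import Path


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries are not held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_fingerprint_list(image_root, extensions=(".exe", ".dll")):
    """Walk a software image and emit one '<md5> <path>' line per executable file."""
    lines = []
    for dirpath, _subdirs, files in os.walk(image_root):
        for name in sorted(files):
            if name.lower().endswith(extensions):
                full_path = os.path.join(dirpath, name)
                lines.append(f"{md5_of_file(full_path)} {full_path}")
    return lines


def parse_fingerprint_list(lines):
    """Return {md5: path}. Paths may contain spaces, so split on the first space only."""
    approved = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition(" ")
        approved[digest.lower()] = path
    return approved


def lockdown_decision(path, mode, approved_hashes=None, unapproved_names=()):
    """Decide whether the file at `path` may run. Returns (allowed, reason).

    whitelist: allow only when the file's MD5 is in the fingerprint list.
    blacklist: block only when the file name is on the Unapproved list
               (case-insensitive, as Windows file names are).
    """
    if mode == "whitelist":
        digest = md5_of_file(path)
        if digest in (approved_hashes or {}):
            return True, f"fingerprint match {digest}"
        return False, f"no fingerprint for {digest}"
    if mode == "blacklist":
        name = ntpath.basename(path).lower()   # accepts both \ and / separators
        if name in {n.lower() for n in unapproved_names}:
            return False, f"{name} is in the Unapproved Applications list"
        return True, f"{name} is not blacklisted"
    raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Constructed scenario: fingerprint a one-binary image, then a suspicious
    binary appears and is also seen under a different name. Returns the
    decisions so the difference between the two modes is visible."""
    with tempfile.TemporaryDirectory() as image:
        approved_exe = os.path.join(image, "approved.exe")
        Path(approved_exe).write_bytes(b"MZ approved build")      # constructed content
        approved = parse_fingerprint_list(build_fingerprint_list(image))

        suspect = os.path.join(image, "suspicious.exe")          # appears after imaging
        Path(suspect).write_bytes(b"MZ unknown dropper")         # constructed content
        renamed = os.path.join(image, "helper.exe")              # same bytes, new name
        Path(renamed).write_bytes(b"MZ unknown dropper")

        blacklist = ["suspicious.exe"]
        return {
            "whitelist_approved": lockdown_decision(approved_exe, "whitelist", approved)[0],
            "whitelist_suspect": lockdown_decision(suspect, "whitelist", approved)[0],
            "whitelist_renamed": lockdown_decision(renamed, "whitelist", approved)[0],
            "blacklist_approved": lockdown_decision(approved_exe, "blacklist", unapproved_names=blacklist)[0],
            "blacklist_suspect": lockdown_decision(suspect, "blacklist", unapproved_names=blacklist)[0],
            # a renamed copy slips past a name-based blacklist; the hash list still catches it
            "blacklist_renamed": lockdown_decision(renamed, "blacklist", unapproved_names=blacklist)[0],
        }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:20s} {'ALLOW' if allowed else 'BLOCK'}")
```

The last entry in the demo is the caveat behind the "quick and dirty" remark: a name-based blacklist holds only until the file is renamed, so move to the fingerprint list once the incident is understood.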

I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged.

Brian


SEP 12.1 Firewall - How to Block RDP while allowing only specific connections


This article will go into some detail on how to block RDP while allowing only specific connections using the SEP 12.1 firewall. This is also applicable to SEP 11.x.

Often times, a request comes in to block the RDP protocol for a group of machines but allow it to one "special" machine. Here's how we can accomplish that.

First, we need to add a Network Service. Log in to your SEPM and go to Policies >> Policy Components >> Network Services >> Add a Network Service


Add the necessary info for the RDP protocol. RDP works over TCP 3389:


Once finished, click OK to save your work. You now have a new network service added for RDP.

Now, you need to create the rules to block/allow RDP. You can either create a new firewall policy or edit your existing one. For this article, I started with a new one.

Let's first start by adding the "Block ALL RDP" rule

In your firewall policy, click Add Rule

Give it a name, click Next

Tick the radio button for Block connections, click Next


Tick the radio button for Only the applications listed below, click Add


Add the RDP filename, mstsc.exe, click OK


Select Any computer or site so all computers and sites will be blocked from using RDP, click Next


Add the RDP network services that you created earlier


Tick the radio for Yes to create a log entry, click Finish

The Block ALL RDP rule will be placed at the top.

Now, to create our Allow Specific RDP exclusion

Add another rule and give it a name, click Next

Tick the radio button for Only the applications listed below, click Add


Add the RDP filename, mstsc.exe, click OK


Now, we need to add the computer that we want to allow RDP access to. Tick the radio button for Only the computers and sites listed below, click Add:


You have a few options to choose from but I will add it by IP address


Add the RDP network services that you created earlier


Tick the radio button for Yes to create a log entry, click Finish

Move the Allow Specific RDP rule to the top, above the Block rule that you created. This ensures only the PC you specified as an exception can be RDP'd to.


Make sure you save your settings and that the firewall policy is correctly applied to the group.
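Why the rule order matters is easiest to see in a small first-match model. The Python below is an added example, not Symantec's code: it builds the two rules from this article with the fields the wizard asked for (action, application, remote hosts, network service) and evaluates connections against them in both orders. First-match semantics and the TEST-NET addresses (192.0.2.10 as the exception host) are assumptions.

```python
"""Added example (not Symantec's code): a first-match model of the two rules
the article builds, showing why "Allow Specific RDP" must sit above
"Block ALL RDP". Rule fields mirror the wizard prompts (action, application,
remote hosts, network service). IPs are constructed TEST-NET-1 addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
RDP_SERVICE = {"protocol": "tcp", "port": 3389}   # the network service added in the article


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    application: str = ANY            # process name, e.g. "mstsc.exe"
    remote_hosts: tuple = (ANY,)      # IP addresses / CIDR blocks, or ANY
    services: tuple = ()              # network services; empty tuple = any service
    log: bool = True                  # "Yes, create a log entry"


@dataclass
class Connection:
    application: str
    remote_ip: str
    protocol: str
    port: int


def _host_matches(rule, remote_ip):
    if ANY in rule.remote_hosts:
        return True
    addr = ip_address(remote_ip)
    return any(addr in ip_network(h, strict=False) for h in rule.remote_hosts)


def _service_matches(rule, conn):
    if not rule.services:
        return True
    return any(s["protocol"] == conn.protocol and s["port"] == conn.port for s in rule.services)


def rule_matches(rule, conn):
    app_ok = rule.application == ANY or rule.application.lower() == conn.application.lower()
    return app_ok and _host_matches(rule, conn.remote_ip) and _service_matches(rule, conn)


def evaluate(rules, conn):
    """First matching rule wins, as in the SEP rule list. Returns (action, rule_name,
    log_line); log_line is None when the winning rule has logging off, and action is
    "no-match" when no rule applied (the rest of the policy then decides)."""
    for rule in rules:
        if rule_matches(rule, conn):
            log = None
            if rule.log:
                log = (f"{rule.action.upper()} {conn.application} -> "
                       f"{conn.remote_ip}:{conn.port}/{conn.protocol} rule='{rule.name}'")
            return rule.action, rule.name, log
    return "no-match", None, None


def rdp_rules(exception_host, allow_on_top=True):
    """The two rules from the article. allow_on_top=False reproduces the initial
    state, where the wizard placed Block ALL RDP at the top."""
    block_all = Rule("Block ALL RDP", "block", "mstsc.exe", (ANY,), (RDP_SERVICE,))
    allow_one = Rule("Allow Specific RDP", "allow", "mstsc.exe", (exception_host,), (RDP_SERVICE,))
    return [allow_one, block_all] if allow_on_top else [block_all, allow_one]


if __name__ == "__main__":
    exception, random_host = "192.0.2.10", "192.0.2.20"   # constructed addresses
    for on_top in (True, False):
        rules = rdp_rules(exception, allow_on_top=on_top)
        print("Allow rule on top:" if on_top else "Block rule on top:")
        for target in (exception, random_host):
            action, name, log = evaluate(rules, Connection("mstsc.exe", target, "tcp", 3389))
            print(f"  RDP to {target}: {action} ({name})")
```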

First, let's attempt to RDP to a random machine:

Seems we cannot:


Upon checking the Traffic log, we see the following entry confirming our rule is working:


Let's try an RDP to our exception machine


Working as expected...

I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged.

Brian


Outbound Mail Validation/Verification (Too important to forget about)


Hello,

I wanted to share some thoughts and ideas about a common business use case for sending mail that brings a couple of risks which shouldn't be forgotten, as they can have a huge impact on your entire mail infrastructure.


As we are all familiar with common security best practice in mail, we know that we should NOT:

  • be an open email relay!
  • send e-mails with non-existent sender addresses!
  • send e-mails from domains that are not even ours!


Nevertheless these three items are very often violated, and we don't even know or see it until we experience general problems with our outbound mail flow: massive queues of undelivered messages, complaints about messages that were rejected, and so on.


The typical use case for these violations starts with a request from a project or another group that needs mail access for its business application. What you then do on your gateways is to allow these application servers to send you e-mails, which you route through your systems. Unlike the common e-mail backend solutions such as Exchange or Domino (sometimes by nature of the system design), the operators and designers of these business applications are familiar with neither e-mail standards nor security standards. This brings us to the problem that they will only make sure that their mail can be delivered to your system, and then their application is working.


Often forgotten by the application owners is to take care of settings like the sender domain or even a valid sender address. I deliberately don't want to start the discussion about message design in accordance with RFCs or other standards, like MIME declarations and boundaries, or even the quality of the recipient data.


Besides, I also want to mention possibly compromised authorized systems that use your infrastructure to flood the Internet with new spam, which could even be part of a DoS or DDoS attack.


This brings us straight to the point that these application servers are sending the following through your SMTP gateways:

  • E-mails with non-existent sender addresses
  • E-mails with sender domains that are not even yours
  • E-mails with existing sender addresses that are not even yours
  • E-mail volumes that lead to a classification of your systems as a potential spammer
  • E-mails that are so poorly designed that a spam filter will drop them


The potential risk is:

  • Bad reputation of your sending IPs or subnets, which harms your entire e-mail infrastructure
  • Being blacklisted by your mail partners, which will impact your entire e-mail flow
  • E-mail rejects due to SPF validation of the sending domain
  • Loss of potential data, because replies from mail partners go to existing addresses outside your address space
  • Accidentally becoming the initiator of an NDR spam attack or another SMTP-based attack


To address these risks, procedures and processes are often designed that require manual steps; these are sometimes followed but, over time, forgotten. That is why a technical control is required if you really want to protect your infrastructure from being abused, whether deliberately or accidentally.


Within the Symantec Messaging Gateway you have a couple of possibilities to address these issues, and the following provides step-by-step guidance on how to set them up.


1. Verify your sending domains as a first improvement, to make sure that only messages from your authorized domains are sent by your systems.

  1. Create a dictionary for authorized sending domains.
  2. Create a Content Control Policy that verifies the sending domain and, if it does not match, bounces the message back to the application server.


Note: You can also enable this policy in pass-through mode (deliver normally), just to monitor and collect statistics on the violations in your environment, as malware may have taken over authorized systems that are sending spam through your SMTP gateways. Even so, the best option at this level is to block: if a domain is not yours, you shouldn't be sending from it anyway. Maybe you already add your disclaimer information to such e-mails today.


2. Enable the outbound spam filter to verify, as a first instance, whether your mails might look like spam to others.

Note: You can also enable this policy in pass-through mode (deliver normally), just to monitor and collect statistics on the spam you have sent out. This will help you identify the sending systems in your infrastructure if you get complaints about your sending behavior from mail recipients.


3. Enable the outbound throttling capability to prevent your application servers from spamming receivers, who may blacklist your SMTP gateways and thereby impact your overall messaging environment.


4. Verify your sending addresses to be fully compliant with regard to the sender/receiver part, as a follow-up to the domain validation in #1. (This is the most difficult part because of possibly unknown senders.)

  1. Create a dictionary for authorized sending addresses.
  2. Create a Content Control Policy that verifies the sending address and, if it does not match, bounces the message back to the application server.
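The four steps above are, from the gateway's point of view, one per-message check before delivery. The Python below is an added example, not Symantec Messaging Gateway code: it models the authorized-domain dictionary (step 1), the authorized-address dictionary (step 4) and per-source outbound throttling (step 3), with the content checks switchable between bounce and pass-through (monitor) mode as the notes describe. The domains, addresses and host names are constructed.

```python
"""Added example (not Symantec Messaging Gateway code): the outbound controls
from the steps above as one pre-send check an SMTP gateway would run per
message. Step 1 (authorized sending domains) and step 4 (authorized sending
addresses) are the two dictionaries; step 3 is per-source throttling. The
content checks run in "bounce" or "pass-through" mode; pass-through delivers
anyway but records the violation for statistics, as the notes suggest."""
from collections import defaultdict, deque
import time


class OutboundMailPolicy:
    def __init__(self, authorized_domains, authorized_addresses=None,
                 max_per_window=100, window_seconds=60, mode="bounce"):
        if mode not in ("bounce", "pass-through"):
            raise ValueError("mode must be 'bounce' or 'pass-through'")
        self.domains = {d.lower() for d in authorized_domains}
        # None means "domain check only" (step 1 deployed without step 4)
        self.addresses = None if authorized_addresses is None else {a.lower() for a in authorized_addresses}
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.mode = mode
        self._sent = defaultdict(deque)    # source host -> timestamps of delivered mail
        self.violations = []               # (time, source, sender, reasons) for reporting

    def _content_violations(self, envelope_from):
        """Dictionary checks on the envelope sender (MAIL FROM)."""
        local, at, domain = envelope_from.rpartition("@")
        if not at or not local or not domain:
            return ["malformed sender address"]
        if domain.lower() not in self.domains:
            return [f"sender domain '{domain}' is not an authorized domain"]
        if self.addresses is not None and envelope_from.lower() not in self.addresses:
            return [f"sender address '{envelope_from}' is not an authorized address"]
        return []

    def _over_rate_limit(self, source, now):
        """Sliding window: forget timestamps older than the window, then compare."""
        window = self._sent[source]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        return len(window) >= self.max_per_window

    def check(self, source, envelope_from, now=None):
        """Return (verdict, reasons); verdict is 'deliver', 'bounce' or 'throttle'.
        `now` is injectable so the sliding window can be tested deterministically."""
        now = time.time() if now is None else now
        reasons = self._content_violations(envelope_from)
        if reasons:
            self.violations.append((now, source, envelope_from, reasons))
            if self.mode == "bounce":
                return "bounce", reasons
        if self._over_rate_limit(source, now):
            return "throttle", reasons + ["per-source rate limit exceeded"]
        self._sent[source].append(now)
        return "deliver", reasons


if __name__ == "__main__":
    # constructed scenario: one application server, two authorized addresses, 2 mails/minute
    policy = OutboundMailPolicy({"example.com"}, {"app@example.com", "noreply@example.com"},
                                max_per_window=2, window_seconds=60)
    for t, sender in [(0, "app@example.com"), (1, "billing@partner.example"),
                      (2, "ghost@example.com"), (3, "app@example.com"), (4, "app@example.com")]:
        print(t, sender, policy.check("appsrv01", sender, now=t))
```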


I hope this makes sense to you and that you can apply it fully or partially, either to your system/application Messaging Gateways or to the full Messaging Gateway infrastructure you have in place.

Please feel free to share your thoughts on this.

Regards,

toby


The screenshots and tests were made with the SMG 10.5 pre-release that you can find here. (In a previous release the functions should be available, except for the outbound throttling capability.)

Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)


Welcome to Part 2 of 3 discussing the terms, technologies and concepts related to Symantec Endpoint Protection and Symantec security software. In the series you will find descriptions and explanations of several SEP-related technologies, tools and concepts, alongside the relevant links to Symantec KB articles. The terminology articles are based upon the official documentation and publications available in Symantec KBs and the Implementation Guides for SEP. Any comments or ideas about what should be included in the series are welcome. I hope this series will be informative to you.


The Series consists of following articles:
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)


This is the second part of the series concerning the following terms:

Hardware ID (HWID)
Heartbeat
Host Integrity
Insight Lookup
Intelligent Updater (IU)
Internet Email Auto-Protect
IPS
Liveupdate
Liveupdate Administrator (LUA)
Liveupdate Engine (LUE)
Load Point Analysis (LPA)
Location Awareness
Lotus Notes Auto-Protect
Macintosh Symantec Uninstaller
Management Server Configuration Wizard
Network Access Control (SNAC)
Network Activity Tool
Network Threat Protection (NTP)
Offline Image Scanner (SOIS.exe)
Outlook Auto-Protect
Power Eraser (SPE)
Proactive Threat Protection (PTP)
Pull / Push Mode
Push Deployment Wizard
Quarantine
Remote Console for SEPM
Reputation
Risk Tracer
Rx4DefsSEP 


Hardware ID (HWID) - a unique identifier generated on every SEP client. Based on the hardware ID, the SEPM server is able to differentiate clients and recognize them as separate entities even when the machine names are identical. A common issue may occur during the deployment of cloned images where the image already has SEP preinstalled and is deployed with a cloned HWID as well.

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients
http://www.symantec.com/docs/TECH163349
Configuring Symantec Endpoint Protection 11.x client for deployment as part of a drive image
http://www.symantec.com/docs/TECH102815
How to prepare a Symantec Endpoint Protection 12.1 client for cloning
http://www.symantec.com/docs/HOWTO54706


Heartbeat - the process performed when the SEP client checks in with the SEPM. The heartbeat interval is normally controlled by communication policies set at the Symantec Endpoint Protection Manager (SEPM). During the heartbeat the client checks with the SEPM whether a new policy has been applied to the group that is relevant for this client, or whether any definition updates are available. At this point the client also uploads its own logs to the SEPM server for processing.


Symantec Endpoint Protection: The Heartbeat Process
http://www.symantec.com/docs/TECH191617
About Accelerated Heartbeat in Symantec Endpoint Protection (SEP) Clients.
http://www.symantec.com/docs/TECH93724



Host Integrity (HI) - The Host Integrity policy is the foundation of Symantec Network Access Control. Host Integrity is used to make sure that the client computers that access the network meet the organization's security policy. Host Integrity enables enterprises to enforce security policies at all entry points to the enterprise network, including VPN, wireless, and RAS dial-up servers. Host Integrity includes the ability to check for the presence and update status of firewalls, intrusion prevention, anti-virus and other third-party applications before granting access to an enterprise network. If the Host Integrity check fails, the machine in question is denied access to the production network and, if so configured, forwarded to the quarantine network.

Creating and testing a Host Integrity policy
http://www.symantec.com/docs/HOWTO55759
What you can do with Host Integrity policies
http://www.symantec.com/docs/HOWTO81726
Symantec Endpoint Protection 11.0 / Symantec Network Access Control 11.0 Host Integrity Overview
http://www.symantec.com/docs/TECH102534


Insight Lookup - uses the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files. Insight Lookup also uses the Automatically trust any file downloaded from an intranet website option. Insight Lookup does not run on right-click scans of folders or drives on your client computers, but it does run on right-click scans of selected files.

How the Insight Lookup process works
http://www.symantec.com/docs/TECH169282
How Symantec Endpoint Protection uses reputation data to make decisions about files
http://www.symantec.com/docs/HOWTO55275


Intelligent Updater (IU) - an executable file that can be used to update virus definitions for the Symantec Endpoint Protection client. To update the definitions, run either the Daily Certified or the Rapid Release Intelligent Updater on the local computer. SEP 12.1 RU3 includes further enhancements to the IU functionality in the form of SONAR and IPS Intelligent Updater (IU) support.

Virus Definitions & Security Updates
http://www.symantec.com/security_response/definiti...
How to update definitions for Symantec Endpoint Protection using the Intelligent Updater
http://www.symantec.com/docs/TECH102606


Internet Email Auto-Protect - an additional feature of File System Auto-Protect in Symantec Endpoint Protection. Internet Email Auto-Protect protects both incoming and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included. The add-in is a separate SEP feature and needs to be specifically selected during the installation. Internet Email Auto-Protect may not be required, or even recommended, if other types of Auto-Protect for Outlook or Lotus Notes are already in place.

Configuring Internet Email Auto-Protect
http://www.symantec.com/docs/HOWTO27134


Intrusion Prevention System (IPS) - part of the Network Threat Protection in SEP alongside of SEP Firewall. Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them. IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
http://www.symantec.com/docs/TECH104434
Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347
Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers.
http://www.symantec.com/docs/TECH162135


Liveupdate - also known as Windows LiveUpdate (WLU). A critical component of SEP / SEPM responsible for updating the content definitions. Initially used by both SEP clients and SEPM (SEP 11.x). Since SEP 12.1, WLU on SEP clients has been replaced by the integrated LiveUpdate Engine (LUE) component. The Symantec Endpoint Protection Manager (SEPM) in version 12.1 still uses Windows LiveUpdate to download definitions from Symantec's LiveUpdate servers on the Internet.

How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH102467
Symantec Endpoint Protection Manager - LiveUpdate - Policies explained
http://www.symantec.com/docs/TECH104435



Liveupdate Administrator (LUA) - an enterprise Web application that allows you to manage updates on multiple internal Central Update servers, called Distribution Centers. Updates are downloaded from an external site to an internal LiveUpdate Administrator server. From there, the updates can be sent immediately to a production distribution center to be downloaded by SEP clients or SEPM. LUA allows for more detailed configuration and scheduling than direct definition distribution from the SEPM server. The latest version of this software is 2.3.2.99. The LUA installer can be found on CD2 of the SEP installation media in the LiveUpdate folder; the installation executable is LUAESD.exe.


Knowledgebase Articles for Liveupdate Administrator (LUA)
https://www-secure.symantec.com/connect/articles/k...
Installing and Configuring LiveUpdate Administrator (LUA)
http://www.symantec.com/docs/TECH102701
When to use LiveUpdate Administrator
http://www.symantec.com/docs/TECH154896
Best Practices for LiveUpdate Administrator (LUA) 2.x
http://www.symantec.com/docs/TECH93409
LiveUpdate Administrator 2.3: What's New
https://www-secure.symantec.com/connect/videos/liveupdate-administrator-23-whats-new


Liveupdate Engine (LUE) - a Liveupdate component directly integrated into SEP 12.1 Clients. LUE replaces the traditional Windows Live Update (WLU) previously used in SEP 11.x Clients. Note: WLU is still being used on 12.1 SEPM Server.


About LiveUpdate in Symantec Endpoint Protection version 12.1
https://www-secure.symantec.com/connect/articles/a...
The Log.LiveUpdate file is missing or out of date on a Symantec Endpoint Protection 12.1 client
http://www.symantec.com/docs/TECH168602


Load Point Analysis (LPA) - Within each of the various versions of Windows, there are specific locations within the file system and registry that are used to load applications and related files. While these are used by legitimate programs, they are also commonly used as attack vectors for malware such as viruses, trojans, worms, and spyware. Load Point Analysis uses Power Eraser technology to scan the most common load points and provides a list of suspected malware, similar to Symantec Power Eraser. Load Point Analysis uses Symantec Insight and other file checks to score the trustworthiness of a file. It examines all of the files that start automatically on a computer and assigns a score to each. This score tells you which, if any, of those files should be investigated further in order to determine whether they are malicious. The score is derived from a few different criteria: file certification, local analysis, and a Symantec reputation database check.

About the Load Point Analysis scan in Symantec Help
http://www.symantec.com/docs/TECH96291
How to Run Load Point Analysis for Symantec Support
http://www.symantec.com/docs/TECH203028
Using SymHelp, how do we collect the Load Point Analysis Logs and Submit the same to Symantec Technical Support Team
https://www-secure.symantec.com/connect/articles/using-symhelp-how-do-we-collect-loadpoint-logs-and-submit-same-symantec-technical-support-t


Location Awareness - a feature that allows the application of location-specific security policies, giving clients the ability to switch locations based on defined criteria. In this example the defined criterion is that if a client cannot communicate with its Endpoint Protection Manager, it switches to a new defined location whose security policy is to retrieve updates from an outside source. Other possible location awareness criteria include the computer's IP address; the type of network connection; the IP address of the available DHCP or DNS servers; the IP range in use; the location of the connection; the wireless SSID; the presence of a specific registry key; and so on.


Best Practices for Symantec Endpoint Protection Location Awareness
http://www.symantec.com/docs/TECH98211
Using location awareness with groups
http://www.symantec.com/docs/HOWTO26994
How To Optimize Endpoint Protection for Branch Offices using GUPs, Load Balancing, and Location Awareness
http://www.symantec.com/docs/TECH94122
How to Use Location Awareness as Fault Tolerance for Content Updates
http://www.symantec.com/docs/TECH94265
Enabling location awareness for a client
http://www.symantec.com/docs/HOWTO26992



Lotus Notes Auto-Protect - an additional feature of File System Auto-Protect in Symantec Endpoint Protection. This type of Auto-Protect provides real-time protection against attachments to Lotus Notes emails. The add-in is a separate SEP feature and needs to be specifically selected during the installation.

Configuring Lotus Notes Auto-Protect
http://www.symantec.com/docs/HOWTO27132


Macintosh Symantec Uninstaller (SymantecUninstaller.English.tgz) - a tool intended for all Symantec products on the Mac, not just SEP. The tool can be obtained from CD2 of the SEP installation media.

Symantec Endpoint Protection for Macintosh Frequently Asked Questions
http://www.symantec.com/docs/TECH134203
How to uninstall Symantec Endpoint Protection for Macintosh
http://www.symantec.com/docs/TECH132120


Management Server Configuration Wizard - a graphical wizard used to configure or reconfigure the SEPM server. Initially the wizard is started automatically during the first SEPM installation. Later it may be run manually to reconfigure the SEPM settings. The wizard is also used in disaster recovery scenarios, where it allows you to import a previously saved recovery file that includes client-server connection information. The recovery file enables the management server to reinstall existing backed-up certificates and to automatically restore communication with the existing clients.

conf_wiz.png

Reinstalling or reconfiguring Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO80828

 

 

Network Access Control (SNAC) - a Symantec product / feature that validates and enforces policy compliance for the computers that try to connect to the production network. This validation and enforcement process begins before the computer connects to the network and continues throughout the duration of the connection. The Host Integrity policy is the security policy that serves as the basis for all evaluations and actions. SNAC clients may interact with a Symantec Enforcer. The Enforcer ensures that all the computers that connect to the network it protects run the client software and have a correct security policy. SNAC can also work in so-called self-enforcement mode, where it uses the Symantec desktop firewall to police network access, providing the easiest and fastest enforcement deployment option.

Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide 12.1
http://www.symantec.com/docs/DOC4321
About the types of enforcement in Symantec Network Access Control
http://www.symantec.com/docs/HOWTO55734
How Symantec Network Access Control works
http://www.symantec.com/docs/HOWTO55733

 

 

Network Activity Tool - a built-in SEP tool that can help identify files that are making suspicious network connections. When the tool is run, the details of all applications that are either making connections or listening for connections from other computers are displayed, together with the protocols, ports and processes involved. As many of today's threats are designed to spread to other computers, receive commands from an unknown remote computer, or download additional threats from the Internet, monitoring the applications and their connections can identify processes that are acting suspiciously.

network.png

Overview of the SEP Network Activity Tool
https://www-secure.symantec.com/connect/articles/o...
Using Symantec Endpoint Protection 11's Network Activity Tool to Identify Suspicious Processes
http://www.symantec.com/docs/TECH92950
Symantec Endpoint Network Activity Tool
https://www-secure.symantec.com/connect/videos/symantec-endpoint-network-activity-tool

 

 


Network Threat Protection (NTP) - this layer of SEP protection comprises firewall and intrusion prevention protection. The rules-based firewall prevents unauthorized users from accessing your computer, allowing or blocking network traffic based on the various criteria that the administrator sets; if the administrator permits it, end users can also configure firewall policies. The Intrusion Prevention System (IPS) analyzes all the incoming and outgoing information for the data patterns that are typical of an attack. It detects and blocks malicious traffic and attempts by outside users to attack the client computer. Intrusion Prevention also monitors outbound traffic. For more information about IPS and the firewall, please look up those specific terms in this series of articles.

ntp.png

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
http://www.symantec.com/docs/TECH116730

 

 

Offline Image Scanner (SOIS.exe) - a standalone tool used to scan for and detect threats in offline VMware virtual system images (.vmdk files). SOIS is compatible with the AV definitions of SEP (versions 11 and 12) and SAV (version 10). SOIS scans FAT32 and NTFS file systems in Windows .vmdk files. Linux .vmdk files are not supported. The tool can be found on CD2 of the SEP installation media.

About the Symantec Offline Image Scanner tool
http://www.symantec.com/docs/TECH146500
How to use the Symantec Offline Image Scanner tool (SOIS)
http://www.symantec.com/docs/TECH164012

 

 

Outlook Auto-Protect - an additional feature of File System Auto-Protect in Symantec Endpoint Protection. This scan gives Outlook and Outlook Express users additional protection from threats sent by email. The add-in is a separate SEP feature and needs to be specifically selected during the installation. Outlook Auto-Protect may not be required, or may even be not recommended, where the Outlook clients are using an Exchange Server that is already protected by Symantec Mail Security.

What is Auto-Protect ?
http://www.symantec.com/docs/TECH94990

 

 


Power Eraser (SPE) - is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user's system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available, or before they are even aware that a hole exists. Power Eraser is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
■ New variants of existing threats that are not detected by the current definition sets
■ Fake antivirus applications and other rogueware
■ Rootkits
■ System settings that have been tampered with maliciously
Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. Power Eraser is accessible from the SymHelp tool and, together with Symantec Load Point Analysis, belongs to the Symantec Threat Analysis Tools.

About Symantec Power Eraser
http://www.symantec.com/docs/TECH134803
Symantec Power Eraser User Guide
http://www.symantec.com/theme.jsp?themeid=spe-user...
Symantec Power Eraser using Symantec Help (SymHelp) Tool
https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool

 

 

Proactive Threat Protection (PTP) - proactive threat scanning provides an additional level of protection to a computer that complements the existing AntiVirus, AntiSpyware, Intrusion Prevention, and Firewall protection technologies. The heuristic process scan analyzes the behavior of an application or a process and determines whether the process exhibits the characteristics of a threat, such as a Trojan horse, worm, or keylogger. Such processes typically exhibit a type of behavior that a threat can exploit, such as opening a port on a user's computer. This type of protection is sometimes referred to as protection from "zero-day attacks". Proactive Threat Protection also includes Application and Device Control policies.

ptp.png

Symantec Endpoint Protection: About Proactive Threat Protection.
http://www.symantec.com/docs/TECH102733

 

 


Pull / Push Mode - you can specify whether Symantec Endpoint Protection Manager pushes the policy down to the clients or the clients pull the policy from Symantec Endpoint Protection Manager. The default setting is push mode, in which the client establishes a persistent HTTP connection to the server; whenever a change occurs in the server status, the server notifies the client immediately. If pull mode is selected, then by default clients connect to the management server every 5 minutes (the configured heartbeat interval), but you can change this default heartbeat interval.

pull_push.png

How the client computers get policy updates
http://www.symantec.com/docs/HOWTO80782
Configuring push mode or pull mode to update client policies and content
http://www.symantec.com/docs/HOWTO80912
Steps to change the communication mode in client groups
http://www.symantec.com/docs/TECH94711

 

 

Push Deployment Wizard - a tool that helps deploy the client software by pushing the installer to remote computers and installing it automatically. It has options for deploying SEP full install packages or patches as well as self-installing executables. The Push Deployment Wizard available in SEP 11.x differs from the one in SEP 12.1, but both serve the same purpose. The Remote Push Deployment Wizard can be used as an alternative to the Client Deployment Wizard. Currently the recommended way of deploying clients is the push performed directly from SEPM using the Client Deployment Wizard.

pushdeploymentwizard.png

Overview of Push Deployment Wizard in Symantec Endpoint Protection 12.1
http://www.symantec.com/docs/TECH183172
Deploying client software with the Push Deployment Wizard
http://www.symantec.com/docs/HOWTO17943
Deploying client software with the Push Deployment Wizard
http://www.symantec.com/docs/HOWTO11088

 

 

Quarantine - when virus and spyware scans detect a threat or SONAR detects a threat, Symantec Endpoint Protection places the files in the client computer's local Quarantine. Use the Antivirus and Antispyware Policy to configure client Quarantine settings. By default, Symantec Endpoint Protection rescans items in the Quarantine when new definitions arrive and silently repairs and restores items automatically. By default, the Quarantine stores backup, repaired, and quarantined files in a default folder and automatically deletes files after 30 days. The default local Quarantine location on a SEP 12.1 client is: C:\ProgramData\Symantec\Symantec Endpoint Protection\<SEP version number>\SRTSP\Quarantine.

quarantine.png

How to Manage Quarantined files.
http://www.symantec.com/docs/TECH106443
How to delete Quarantined items from the Symantec Endpoint Protection Manager.
http://www.symantec.com/docs/TECH106444

 

 

Remote Console for SEPM - Symantec Endpoint Protection Manager Console - a remote console that allows remote management of Symantec Endpoint Protection Manager in a Java client; it requires a Java 6 or 7 client download. The remote console can be accessed from SEPM Web Access (http://[servername]:9090). When you log on remotely, you can perform the same tasks as administrators who log on locally. What you can view and do from the console depends on the type of administrator you are.

remote.png

Logging on to the Symantec Endpoint Protection Manager console
http://www.symantec.com/docs/HOWTO81152
Support for Java 7 and above
http://www.symantec.com/docs/TECH190910

 

 

Reputation - Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information forms a reputation database that Symantec hosts. Symantec products leverage the information to protect client computers from new, targeted, and mutating threats. The data is sometimes referred to as being "in the cloud" since it does not reside on the client computer; the client computer must request or query the reputation database. Manual and scheduled scans can use the full internal (IRON) and cloud-based community/Symantec reputation information as part of their scans, when configured to do so.

How Symantec Endpoint Protection uses reputation data to make decisions about files
http://www.symantec.com/docs/HOWTO55275
Does Symantec Endpoint Protection 12.1 Always Use Reputation to Detect Malicious Files?
http://www.symantec.com/docs/TECH197502

 

 

Risk Tracer - an additional feature of File System Auto-Protect in the Antivirus and Antispyware protection of SEP. Risk Tracer is able to identify the source of network share-based virus infections on client computers. Risk Tracer must first be enabled in the Antivirus and Antispyware policy in order to view the information it can collect. To function fully, Risk Tracer requires Network Threat Protection (NTP) and IPS to be installed and IPS Active Response to be enabled. The results of the Risk Tracer analysis can be found in the "Risk Distribution by Attacker" chart under the "Summary" tab of SEPM Monitors, which shows the IP addresses of the risk attackers. Under certain circumstances the tracer may not be able to detect the exact source of the infection and will report the source simply as unknown. Risk Tracer is available in both the SEP 11.x and SEP 12.1 product lines.

tracer.png

What is Risk Tracer?
http://www.symantec.com/docs/TECH102539
About Risk Tracer
http://www.symantec.com/docs/HOWTO27137
How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH94526

 

 

Rx4DefsSEP - a legacy utility used to completely remove and replace (corrupted) virus definitions on SEP 11.x clients. The Rx4DefsSEP tool is a further development of the Rx4Defs and Rx4Defs64 tools previously designed only for SAV. It is not intended for use with SEP 12.1 systems due to changes in folders and operations. The tool does not replace definitions for Symantec Endpoint Protection Manager. For cases where the tool can no longer be used (such as 12.1 clients), the manual procedures for cleaning up SEP definitions are recommended.

Using the "Rx4DefsSEP" utility
http://www.symantec.com/docs/TECH93036
How to clear out corrupted definitions for a Symantec Endpoint Protection client manually
http://www.symantec.com/docs/TECH103176

 


Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)


Welcome to Part 3 of 3 discussing the terms, technologies and concepts related to Symantec Endpoint Protection and Symantec security software. In the series you will find descriptions and explanations of several SEP-related technologies, tools and concepts, alongside the relevant links to Symantec KB articles. The terminology articles are based upon the available official documentation and publications from Symantec KBs and Implementation Guides for SEP. Any comments or ideas about what should be included in the series are welcome. I hope this series will be informative to you.

 

The series consists of the following articles:
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)

 

This is the third part of the series concerning the following terms:

SAV for Linux (SAVFL)
SAVFL Reporter
Security Virtual Appliance (SVA)
SEP Support Tool (SST)
SEPprep
SERT - Symantec Endpoint Recovery Tool
Shared Insight Cache (SIC)
Smart DHCP
Smart DNS
SONAR
Sylink Monitor
Sylink Replacer
SylinkDrop
Symantec Antivirus (SAV) CE 10.x
Symantec Endpoint Protection Enterprise Edition (SEP EE) 11.x / 12.1
Symantec Endpoint Protection Manager
Symantec Endpoint Protection SBE 12.1
Symantec Endpoint Protection SBE 2013
Symantec Protection Center (SPC)
Symantec Protection Suite (SPS)
Symantec Vulnerability Protection
SymHelp
System Lockdown
Tamper Protection
Third Party Management (TPM)
Third Party Product Removal
Truscan
Unmanaged Detector
Unmanaged SEP Client
Virtual Client Tagging
Virtual Image Exception (VIE)
Web Console for SEPM

 

SAV for Linux (SAVFL) - software designed to provide antivirus protection on Linux. Symantec AntiVirus for Linux includes real-time antivirus file protection through Auto-Protect scanning, and file system scanning via manual and scheduled scans. Symantec AntiVirus for Linux requires a supported kernel on the system before the Symantec Auto-Protect package is installed; otherwise the Auto-Protect kernel modules need to be compiled for your own kernel to ensure that Auto-Protect functions properly.

Best practice to install Symantec Antivirus for Linux
http://www.symantec.com/docs/TECH150596
System requirements for Symantec AntiVirus for Linux 1.0
http://www.symantec.com/docs/TECH101598
SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
https://www-secure.symantec.com/connect/articles/s...
SAV for Linux: A (Somewhat) Illustrated Guide Part 2
https://www-secure.symantec.com/connect/articles/s...
SAV for Linux: A (Somewhat) Illustrated Guide Part 3
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-3

 

 

SAVFL Reporter - provides log records and inventory information to the Symantec Endpoint Protection Manager via its legacy reporting channel. This allows you to monitor and report on SAVFL client activity from the Symantec Endpoint Protection Manager console. An important note is that installing SAVFL and SAVFL Reporter will not cause the Linux machines to be displayed on the SEPM Clients tab.

Symantec AntiVirus for Linux (SAVFL) Reporter 1.0.10 Release Notes
http://www.symantec.com/docs/DOC3474
SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
https://www-secure.symantec.com/connect/articles/s...
How to enable the 12.1 Symantec Endpoint Protection Manager (SEPM) to receive logging from legacy clients
http://www.symantec.com/docs/TECH157463

 

 

Security Virtual Appliance (SVA) - a Linux-based virtual appliance that you install on a VMware ESX/ESXi server. The Security Virtual Appliance integrates with VMware's vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based Guest Virtual Machines (GVMs) share scan results. Identical files are trusted and therefore skipped across all of the GVMs on the ESX/ESXi host. Shared Insight Cache improves full scan performance by reducing disk I/O and CPU usage.

About the Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81080
VMware software requirements to install a Symantec Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81081
Installing a Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81083
Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file
http://www.symantec.com/docs/HOWTO81082

 

 

SEP Support Tool (SST) - a utility designed to diagnose common issues encountered with Endpoint Protection and the Endpoint Protection Manager. The tool can also be used proactively to ensure that the target machine is ready for installing the Endpoint Protection Manager or client. This is an older troubleshooting tool (designed mainly for SEP 11.x), now replaced by the SymHelp tool.

SST.png

The Symantec Endpoint Protection Support Tool
http://www.symantec.com/docs/TECH105414

 

 

SEPprep - an unsupported tool designed to uninstall any competitive product automatically. This tool can also launch another application before or after removing all competitive products. Therefore you can configure this tool to first remove all competitive products (including Norton products) and then launch the SEP installer automatically and silently.

SEPprep competitive product uninstall tool
http://www.symantec.com/docs/TECH148513

 

 

SERT - Symantec Endpoint Recovery Tool - a bootable CD utility that can scan and remove malware from an infected computer. SERT is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. It is also needed against specific threats which have the ability to hide completely from Windows.

sert.png

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
http://www.symantec.com/docs/TECH131732
Symantec Endpoint Recovery Tool (SERT)
https://www-secure.symantec.com/connect/videos/sym...
Symantec Endpoint Recovery Tool (SERT)
https://www-secure.symantec.com/connect/articles/s...
How to make the Symantec Endpoint Recovery Tool boot from a USB memory stick
http://www.symantec.com/docs/TECH131578

 

 

Shared Insight Cache (SIC) - the tool improves scan performance in virtualized environments by not scanning files that a Symantec Endpoint Protection client has already determined to be clean. When a client scans a file for threats and determines that it is clean, the client submits information about the file to Shared Insight Cache. When any other client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache.

SIC.png

About the Symantec Endpoint Protection Shared Insight Cache tool
http://www.symantec.com/docs/HOWTO55311
How Shared Insight Cache works
http://www.symantec.com/docs/HOWTO55318
Network-based Shared Insight Cache - Best Practices and Sizing guide
http://www.symantec.com/docs/TECH174123
Installation and Configuration of SEP Shared Insight Cache
http://www.symantec.com/docs/TECH185897
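The client/cache exchange described in the entry above can be shown as a small protocol sketch. This is an added example, not Symantec's implementation: the real cache is a separate network service (or runs in the SVA) and identifies files with the engine's own mechanism. Here a SHA-256 of the file content stands in for the file identity, an integer stands in for the definitions version, and a check for the EICAR test string stands in for the scan engine; the guest VM names and the file contents are constructed. The version check is a design assumption added here, so that a verdict produced with older definitions is not used to skip a scan on a client that already has newer ones.

```python
"""Shared Insight Cache as a client/cache protocol sketch.

Constructed example, not Symantec's implementation: the real cache is a separate
network service (or the SVA) and uses the engine's own file identification. Here a
SHA-256 of the content stands in for the file identity, an integer stands in for the
definitions version, and an EICAR-string check stands in for the scan engine.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict

# Standard EICAR test string used as the constructed "signature".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class CleanVerdict:
    defs_version: int   # definitions the verdict was produced with


class SharedInsightCache:
    """Stores only clean verdicts; an infected or unknown file always gets a full scan."""

    def __init__(self) -> None:
        self._clean: Dict[str, CleanVerdict] = {}

    def is_known_clean(self, digest: str, client_defs: int) -> bool:
        # A verdict from older definitions than the asking client's is stale:
        # newer definitions might detect what the old ones missed.
        v = self._clean.get(digest)
        return v is not None and v.defs_version >= client_defs

    def submit_clean(self, digest: str, defs_version: int) -> None:
        cur = self._clean.get(digest)
        if cur is None or cur.defs_version < defs_version:
            self._clean[digest] = CleanVerdict(defs_version)


class Client:
    def __init__(self, name: str, cache: SharedInsightCache, defs_version: int) -> None:
        self.name, self.cache, self.defs_version = name, cache, defs_version
        self.full_scans = 0          # how much scan work this client actually did

    def scan(self, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        if self.cache.is_known_clean(digest, self.defs_version):
            return "skipped: cache says clean"
        self.full_scans += 1
        if EICAR in content:         # constructed stand-in for the AV engine
            return "scanned: infected"
        self.cache.submit_clean(digest, self.defs_version)
        return "scanned: clean"


def demo() -> Dict[str, str]:
    """Three guest VMs scanning the same constructed files; returns each outcome."""
    cache = SharedInsightCache()
    vm1, vm2, vm3 = Client("vm1", cache, 100), Client("vm2", cache, 100), Client("vm3", cache, 101)
    clean_file = b"MZ\x90\x00 constructed benign payload"
    bad_file = b"prefix " + EICAR
    return {
        "vm1 clean": vm1.scan(clean_file),        # first sight: full scan, result shared
        "vm2 clean": vm2.scan(clean_file),        # same defs: cache hit, no scan
        "vm3 clean": vm3.scan(clean_file),        # newer defs: cached verdict stale, rescans
        "vm2 clean again": vm2.scan(clean_file),  # vm3's fresher verdict now serves vm2
        "vm1 bad": vm1.scan(bad_file),
        "vm2 bad": vm2.scan(bad_file),            # infected verdicts are never cached
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Only the first sighting of each clean file on the host costs a full scan; every later guest with the same or older definitions skips it, which is where the disk I/O and CPU savings of the SVA entry come from.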

 

 

Smart DHCP - A smart traffic filtering option that allows a Dynamic Host Configuration Protocol (DHCP) client to receive an IP address from a DHCP server while protecting the client against DHCP attacks from a network. If a Symantec Protection Agent sends a DHCP request to a DHCP server, it waits for five seconds to allow for an incoming DHCP response. If a Symantec Protection Agent does not send a DHCP request to a DHCP server, then Smart DHCP does not allow the packet. Smart DHCP does not block packets. It simply allows the packet if a DHCP request was made. Any other DHCP blocking or allowing is done by the normal security rule set. See also Dynamic Host Configuration Protocol (DHCP).

SEP Client Firewall Rules Policies (Network Threat Protection/NTP) for finding clients using non-approved DHCP/DNS servers
http://www.symantec.com/docs/TECH161639

 

 

Smart DNS - A smart traffic filtering option that allows a Domain Name System (DNS) client to resolve a domain name from a DNS server while providing protection against DNS attacks from the network. This option blocks all Domain Name System (DNS) traffic except outgoing DNS requests and the corresponding reply. If a client computer sends a DNS request and another computer responds within five seconds, the communication is allowed. All other DNS packets are dropped. Smart DNS does not block any packets; blocking is done by the normal security rule set.

SEP Client Firewall Rules Policies (Network Threat Protection/NTP) for finding clients using non-approved DHCP/DNS servers
http://www.symantec.com/docs/TECH161639
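Both Smart DHCP (above) and Smart DNS are the same stateful pattern: an outgoing request opens a five-second window in which the matching reply is allowed, and anything not matched is left to the normal rule set rather than blocked. The following is an added example modelling that logic for both protocols; it is not the SEP firewall's code, the packet fields are simplified (port numbers plus the DNS transaction ID or DHCP xid), and the timestamps and IDs in the test traffic are constructed.

```python
"""Smart DNS / Smart DHCP as a stateful allow-on-request filter.

Constructed example, not the SEP firewall's code. It models only what the two
descriptions state: an outgoing DNS/DHCP request opens a five-second window in which
the matching reply is allowed; anything else is not matched and is left to the normal
rule set (the smart options themselves never block). Packet fields are simplified.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

REPLY_WINDOW_SECONDS = 5.0
SERVICE_PORT = {"dns": 53, "dhcp": 67}   # server-side port for each protocol


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time in seconds (constructed clock)
    proto: str        # "dns" or "dhcp"
    outbound: bool    # True = sent by this host, False = received
    sport: int
    dport: int
    txid: int         # DNS transaction ID or DHCP xid


class SmartFilter:
    def __init__(self, window: float = REPLY_WINDOW_SECONDS) -> None:
        self.window = window
        # (proto, txid, client-side port) -> time the request was sent
        self._pending: Dict[Tuple[str, int, int], float] = {}

    def _expire(self, now: float) -> None:
        self._pending = {k: t for k, t in self._pending.items() if now - t <= self.window}

    def evaluate(self, p: Packet) -> str:
        """Return 'allow' when the smart option matches the packet, else 'no-match'."""
        self._expire(p.t)
        if p.proto not in SERVICE_PORT:
            return "no-match"
        if p.outbound and p.dport == SERVICE_PORT[p.proto]:
            # Request: remember it so the reply can be correlated.
            self._pending[(p.proto, p.txid, p.sport)] = p.t
            return "allow"
        if not p.outbound and p.sport == SERVICE_PORT[p.proto]:
            key = (p.proto, p.txid, p.dport)
            if key in self._pending:
                if p.proto == "dns":          # one answer per query, close the window
                    del self._pending[key]
                return "allow"                # DHCP may see several offers, keep window open
        return "no-match"


if __name__ == "__main__":
    f = SmartFilter()
    traffic = [
        Packet(0.0, "dns", True, 40000, 53, 0x1234),    # query
        Packet(2.0, "dns", False, 53, 40000, 0x1234),   # answer within 5 s
        Packet(3.0, "dns", False, 53, 40000, 0x9999),   # unsolicited "answer"
        Packet(20.0, "dhcp", True, 68, 67, 42),         # DHCP discover/request
        Packet(30.0, "dhcp", False, 67, 68, 42),        # offer arriving too late
    ]
    for pkt in traffic:
        print(f"t={pkt.t:>5}: {pkt.proto} {'out' if pkt.outbound else 'in '} -> {f.evaluate(pkt)}")
```

A "no-match" result is not a drop: as the two entries say, the smart option only ever adds an allow, and an unsolicited or late reply simply falls through to whatever the ordinary firewall rules decide.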

 

 

SONAR - real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address them. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, and firewall protection. SONAR replaces the Truscan heuristic protection of SEP 11.x.

sonar.png

About SONAR
http://www.symantec.com/docs/HOWTO81392
Managing SONAR
http://www.symantec.com/docs/HOWTO81373

 

 

Sylink Monitor - a utility that provides an alternative to manually enabling sylink debugging on SEP clients. Currently the use of the tool is no longer recommended, as the same type of logging, with even more configuration options, can be collected with the SymHelp tool.

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry
http://www.symantec.com/docs/TECH104758

 

 

SylinkDrop - a tool used for replacing the communication settings (sylink.xml file) on SEP clients. Versions are available for PC and Macintosh. Other ways to achieve the same goal are the Sylink Replacer tool or pushing the communication settings directly from SEPM to the client machines.

sylinkdrop.png

SylinkDrop or SylinkReplacer fails to assign Symantec Endpoint Protection clients to a new Client Group
http://www.symantec.com/docs/TECH103041
Recovering client communication settings by using the SylinkDrop tool
http://www.symantec.com/docs/HOWTO55428

 

 

Sylink Replacer - a utility designed to replace Sylink.xml files on existing Symantec Endpoint Protection (SEP) clients. The utility provides a much more automated and scalable solution for replacing communication settings than SylinkDrop. Currently, where possible (SEPM 12.1 RU2 and higher only), it is recommended to use Communication Update Package Deployment from SEPM instead of Sylink Replacer.

Using the "SylinkReplacer" Utility
http://www.symantec.com/docs/TECH105211
The Sylinkreplacer tool for connecting SEP clients to a SEPM
https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

 

 

Symantec AntiVirus Corporate Edition (CE) 10.x - a legacy Symantec antivirus solution. The product reached its End-of-Support-Life (EOSL) on July 4, 2012 and was replaced by the newer SEP 11.x and SEP 12.1 software. Depending on the version, legacy SAV CE may be directly upgraded either to SEP 11.x or 12.1; please consult the relevant migration documentation for supported upgrade paths.

End of Life announcement for Symantec AntiVirus Corporate Edition and Symantec Client Security
http://www.symantec.com/docs/TECH178551
Frequently asked questions about Symantec AntiVirus 10.x End of Support Life
http://www.symantec.com/docs/TECH184999
How to request a virus definition extension for Symantec AntiVirus 10.x Corporate Edition beyond its End-of-Support-Life date
http://www.symantec.com/docs/HOWTO73168

 

 

Symantec Endpoint Protection Enterprise Edition 11.x / 12.1 - Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Mac computers, and servers in your network against malware such as viruses, worms, Trojan horses, spyware, and adware. Additionally, it is able to provide protection against more sophisticated attacks that evade traditional security measures, such as rootkits and zero-day attacks.
The suite comprises Antivirus / Antimalware protection, Firewall, IPS, and Application and Device Control. In version 12.1 SEP is built on multiple additional layers of protection, including Symantec Insight and SONAR, both of which provide protection against new and unknown threats. For more information about the respective SEP features please look up the specific terms in this series of articles.
The most recent SEP 12.1 version is 12.1 RU3. The latest version of Symantec Endpoint Protection 11.x is 11 RU7 MP3; please note that the next (and at the same time the last) SEP 11.x version in the series will be SEP 11 RU7 MP4, after which SEP 11.x will reach End of Support on 2014-09-27.

sep.png

Symantec Endpoint Protection
http://www.symantec.com/endpoint-protection
Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH163829
Symantec™ Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.3 Release Notes
http://www.symantec.com/docs/DOC6549
New fixes and features in Symantec Endpoint Protection 12.1.3
http://www.symantec.com/docs/TECH206828
What's new with Latest Symantec Endpoint Protection SEP 12.1.RU3
https://www-secure.symantec.com/connect/blogs/what...
Latest Symantec Endpoint Protection Released - SEP 12.1.RU3
https://www-secure.symantec.com/connect/forums/lat...
Upgrading or migrating to Symantec Endpoint Protection 12.1.3 (RU3)
http://www.symantec.com/docs/TECH206823

 

 

Symantec Endpoint Protection Manager - the centralized management console for Symantec Endpoint Protection clients. From within SEPM it is possible to distribute settings, policies, content and product updates to the managed SEP clients. It allows for detailed logging and reporting collected from all managed clients. The manager can be accessed either locally through the Java-based console or remotely via the web-based console or the remote Java-based console. Note that the local Java-based console does not require a separate Java installation, as Java is already integrated with the manager. SEPM uses an embedded database by default, but if configured it can make use of a remote SQL Server database. Advanced SEPM installation / configuration options support using several SEPM servers in Replication, Failover or Load-Balancing modes. It is recommended to review the sizing and scalability best practices before installing SEPM, as it has certain installation and, later on, disk space and bandwidth requirements.

sepm.png

Installing Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO80785
Upgrading or migrating to Symantec Endpoint Protection 12.1.3 (RU3)
http://www.symantec.com/docs/TECH206823
How to install the Symantec Endpoint Protection Manager(s) for replication
http://www.symantec.com/docs/TECH105928
Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper
http://www.symantec.com/docs/DOC4448
Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH160736
How to move Symantec Endpoint Protection Manager 12.1 from one machine to another
http://www.symantec.com/docs/TECH171767

 

 

Symantec Endpoint Protection SBE 12.1 - Symantec Endpoint Protection Small Business Edition incorporates many of the features from Symantec Endpoint Protection Enterprise Edition. It is designed for small-to-medium businesses with up to 250 clients. Like the full version, SBE protects against malware such as viruses, worms, Trojan horses, spyware, and adware. Please review the release and implementation documentation for the SBE version, as several of the features and functionalities included natively in 12.1 EE may be missing in the 12.1 SBE edition. The most important differences to mention:
* no SQL Database support
* no Application and Device Control feature
* no Host Integrity enforcement
* no Shared Insight Cache support
* no AD Synchronisation option
* does not include several other components such as Risk Tracer, Virtual Image Exception, Group Update Providers
* includes some limitations regarding the available management options in the SEPM GUI

Feature comparison between SEP 12.1 SBE and EE
https://www-secure.symantec.com/connect/articles/f...
Installing and configuring Symantec Endpoint Protection Small Business Edition
http://www.symantec.com/docs/TECH91893
Symantec™ Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.3 Release Notes
http://www.symantec.com/docs/DOC6549
Knowledgebase Articles for Symantec Endpoint Protection SBE 12.1. RU3
https://www-secure.symantec.com/connect/blogs/knowledgebase-articles-symantec-endpoint-protection-sbe-121-ru3

 

 

Symantec Endpoint Protection SBE 2013 - Symantec Endpoint Protection Small Business Edition 2013 offers simple, fast and effective protection against viruses and malware. It is available as a cloud-managed service, which means there are no additional hardware requirements for the management layer, as all administrative tasks are executed from a web-based console. SBE 2013 also has an on-premises management application option available in case that is preferable to the cloud-managed one. Similar to the other SEP 12.1 solutions, SBE and Enterprise Edition, SBE 2013 offers a unified security solution with a variety of features such as Antivirus and Antimalware protection, Firewall, heuristic SONAR protection, etc.

Symantec Endpoint Protection Small Business Edition 2013
http://www.symantec.com/endpoint-protection-small-...
Quick Start Tips for SEP Small Business Edition 2013
https://www-secure.symantec.com/connect/articles/quick-start-tips-sep-small-business-edition-2013

 

 

Symantec Protection Center (SPC) - a centralized security management console that allows organizations to identify emerging threats, prioritize tasks and accelerate time to protection based on relevant, actionable intelligence. Protection Center is a free product, available at no additional charge for existing Endpoint Protection 12 customers. Protection Center allows for management of Symantec Endpoint Protection together with other Symantec products in a single environment. Symantec Endpoint Protection is integrated with Protection Center by means of a series of Web services. Protection Center incorporates early warning notifications from the Symantec Global Intelligence Network, which is one of the world's largest commercial cyber intelligence communities.

Symantec Protection Center
http://www.symantec.com/page.jsp?id=protection-center
About Symantec Endpoint Protection and Protection Center
http://www.symantec.com/docs/HOWTO55225
About setting up Symantec Endpoint Protection in Protection Center
http://www.symantec.com/docs/HOWTO55231

Symantec Protection Suite (SPS) - a bundled product of Symantec security software, available in both Small Business and Enterprise editions, comprising the following components:
* Endpoint Protection
* Endpoint Protection for Macintosh
* Antivirus for Linux
* Mail Security for Microsoft Exchange
* Mail Security for Domino
* Messaging Gateway
* System Recovery Desktop Edition
* Symantec Protection Center
* Web Gateway
SPS provides multiple layers of protection for endpoint security, messaging security, web security, data loss prevention, and data and system recovery, and also allows for deployment of integrated essential endpoint and messaging security technologies as unified solutions with coordinated management.

Symantec Protection Suite Enterprise Edition
http://www.symantec.com/protection-suite-enterpris...
Compare Antivirus Software & Security Products
http://store.symantec.com/antivirus-comparison
Protect More, With Less - See How Symantec Protection Suite Can Do It
http://www.symantec.com/tv/products/details.jsp?vid=1211579625001

Symantec Vulnerability Protection - a SEP browser add-on, previously known as "Browser Intrusion Prevention", that is a new advanced protection feature included with the SEP 12.1 client. This technology works in conjunction with, but is separate from, the Client Intrusion Detection System (CIDS) used by the client firewall-based IPS engine in SEP.

Enabling or disabling network intrusion prevention or browser intrusion prevention
http://www.symantec.com/docs/HOWTO80887
Supported Browser versions for Browser Intrusion Prevention
http://www.symantec.com/docs/TECH174537
Expected behavior of Browser Intrusion Prevention
http://www.symantec.com/docs/TECH172174

SymHelp - a tool used for SEP client and SEPM server troubleshooting, but not exclusively. The complete list of Symantec products it covers consists of Backup Exec, Symantec DLP, SEP and SEPM, Symantec Mail Security and Symantec System Recovery. SymHelp is a new version (designed for SEP 12.1 RU2 and higher) that replaces the old Symantec Support Tool. SymHelp may be downloaded directly from the SEP GUI by going to Help -> Download Support Tool, which redirects to the Symantec article listed in the references below.

Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH170752
About Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH170735
Symantec Help (SymHelp) FAQ
http://www.symantec.com/docs/TECH203496

System Lockdown - allows administrators to tightly control which applications users of the SEP client can execute. The approved applications are contained in a so-called fingerprint list, which holds the checksums and locations of all applications that are approved for use. Implementing System Lockdown is a two-step process. First, a fingerprint list needs to be created; then this fingerprint list needs to be imported into the Symantec Endpoint Protection Manager for use in client policies. You can use System Lockdown to control applications in the following ways:
■ Control all the applications that can run, whether or not the user is connected to the network.
■ Block almost any Trojan horse, spyware, or malware that tries to run or load itself into an existing application.
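To make the two-step process concrete, here is an added example in Python (not Symantec's checksum tool or any SEP code): it builds a fingerprint list of checksums and locations from an approved installation, then evaluates executables against it the way a client in lockdown would, catching both a modified approved file and an unlisted binary. The "<md5> <path>" line format, the use of MD5 and the sample files are assumptions made for illustration.

```python
"""Added example (not Symantec's code): a System Lockdown style fingerprint
list built from checksums and locations, then used to allow or block files."""
import hashlib
import os
import tempfile

# Assumed list format (not specified by the article): "<md5 hex> <full path>"
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".com", ".sys")


def md5_of_file(path):
    """Checksum a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_fingerprint_list(root):
    """Step 1: walk an approved installation and fingerprint every executable."""
    lines = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                full_path = os.path.join(dirpath, name)
                lines.append(f"{md5_of_file(full_path)} {full_path}")
    return lines


def load_fingerprint_list(lines):
    """Step 2: parse the list (as the manager would on import) into {location: checksum}."""
    approved = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # tolerate comments and blank lines in a hand-edited list
        checksum, _sep, location = line.partition(" ")
        approved[os.path.normcase(location)] = checksum.lower()
    return approved


def lockdown_decision(path, approved):
    """Whitelist-mode decision for one file, returned as (allowed, reason).
    Both the location and the current checksum must match the list."""
    key = os.path.normcase(path)
    if key not in approved:
        return False, "location not in fingerprint list"
    if md5_of_file(path) != approved[key]:
        return False, "checksum mismatch (file modified or replaced)"
    return True, "approved"


def run_demo():
    """Constructed scenario: approve one binary, then tamper with it and add a new one."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        with open(app, "wb") as handle:
            handle.write(b"MZ\x90\x00 constructed approved binary")
        with open(os.path.join(root, "readme.txt"), "w") as handle:
            handle.write("documentation, not an executable, so not fingerprinted")

        fingerprint_lines = build_fingerprint_list(root)      # step 1: create the list
        approved = load_fingerprint_list(fingerprint_lines)  # step 2: import it

        results = {"entries": len(fingerprint_lines)}
        results["approved_app"] = lockdown_decision(app, approved)

        with open(app, "ab") as handle:                      # simulate a modified approved file
            handle.write(b"\x00 appended bytes")
        results["tampered_app"] = lockdown_decision(app, approved)

        rogue = os.path.join(root, "rogue.exe")              # unlisted binary that appears later
        with open(rogue, "wb") as handle:
            handle.write(b"MZ\x90\x00 constructed unapproved binary")
        results["rogue_app"] = lockdown_decision(rogue, approved)
        return results


if __name__ == "__main__":
    for item, outcome in run_demo().items():
        print(f"{item}: {outcome}")
```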


How to configure System Lockdown in Symantec Endpoint Protection 11.0
http://www.symantec.com/docs/TECH102526
Configuring system lockdown
http://www.symantec.com/docs/HOWTO80848
About system lockdown
http://www.symantec.com/docs/HOWTO27322
System lockdown prerequisites
http://www.symantec.com/docs/HOWTO27321
How to configure System Lockdown to allow Microsoft Security Updates
http://www.symantec.com/docs/TECH103977

Tamper Protection - provides real-time protection for Symantec applications, drivers and services. It prevents Symantec processes from being attacked or affected by non-Symantec processes, such as worms, Trojans, viruses, and security risks. Tamper Protection also blocks registry changes to the keys related to Symantec Endpoint Protection.

What should I do when I get a Tamper Protection Alert?
http://www.symantec.com/docs/TECH97931

Third Party Management (TPM) - an alternative that allows third-party content distribution solutions to update managed SEP clients instead of the usual updates from SEPM, a GUP or LiveUpdate servers. The setting is activated in the LiveUpdate policy. Activating the Third Party Management setting is required if a SEP client is to be updated with a .jdb file containing virus definitions. Third Party Management is not required for definition updates performed with the Intelligent Updater.

How to manually update definitions for a managed Symantec Endpoint Protection Client using the .jdb file
http://www.symantec.com/docs/TECH104363
Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients
http://www.symantec.com/docs/HOWTO80943
Enabling third-party content distribution to managed clients with a LiveUpdate Settings Policy
http://www.symantec.com/docs/HOWTO27639

Third Party Security Software Removal - a feature of the SEP installer introduced in SEP 12.1 RU1 MP1 and further enhanced in 12.1 RU2. When the feature is activated for an installation package, Symantec Endpoint Protection can perform security software removal as part of its installation process. Installation packages deployed with this feature will remove any currently installed security software from several third-party vendors. For the list of security software supported by this feature, refer to the documentation below.

About the third-party security software removal feature in Symantec Endpoint Protection 12.1 RU1 MP1 and later
http://www.symantec.com/docs/TECH178757
Third-party security software removal support in Symantec Endpoint Protection 12.1.2 and later
http://www.symantec.com/docs/TECH195029

TruScan - a legacy proactive threat protection technology from SEP 11.x that was replaced in SEP 12.1 by the SONAR functionality; used to facilitate detection of new and unknown risks. By default, TruScan scans detect processes that behave like Trojan horses and worms, or processes that behave like keyloggers. Like the newer SONAR, TruScan looks at the behavior of active processes at the time the scan runs. The scan engine looks for behavior such as opening ports or capturing keystrokes. If a process exhibits enough of these types of behavior, the scan flags the process as a potential threat. The scan does not flag the process if it does not exhibit suspicious behavior during the scan.

Understanding TruScan proactive threat detections
http://www.symantec.com/docs/HOWTO27054

Unmanaged Detector - a dedicated SEP client that watches ARP traffic on its local subnet to determine whether the machines found there are already running SEP. The collected data is forwarded to the Unmanaged Detector's SEPM, which compares the IP and MAC addresses of the detected systems against its list of known managed clients and reports the unmanaged ones. An unmanaged detector is configured by right-clicking a managed SEP client in the Clients page of the SEPM console and selecting "Make unmanaged detector". In order to act as an unmanaged detector, a SEP client must have Network Threat Protection (NTP) enabled and be in Computer Mode. User Mode clients or clients without the firewall component (NTP) cannot act as unmanaged detectors.

Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0
http://www.symantec.com/docs/TECH104340
Configuring a client to detect unmanaged devices
http://www.symantec.com/docs/HOWTO80763
SEP 12.1 - What does it mean to set a client as an Unmanaged Detector?
http://www.symantec.com/docs/TECH183746
What does it mean to set a client as an Unmanaged Detector?
http://www.symantec.com/docs/TECH105722

Unmanaged SEP Client - a standalone SEP client that is administered directly by the end user and does not report to the SEPM server at all. An unmanaged client cannot be administered from the console. The primary computer user must update the client software, security policies, and virus definitions on the unmanaged client computer.

About managed and unmanaged clients
http://www.symantec.com/docs/HOWTO81263
Difference between a managed Symantec Endpoint Protection (SEP) Client and an Unmanaged SEP Client
http://www.symantec.com/docs/TECH185894
Installing an unmanaged client
http://www.symantec.com/docs/HOWTO81309
How to create an Unmanaged client from within the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH176907

Virtual Client Tagging - a feature introduced in SEP 12.1. The feature is enabled by default on Symantec Endpoint Protection Manager and allows the SEPM to automatically identify and manage virtual clients. With Virtual Client Tagging, administrators can check in the properties of each SEP client (from the SEPM console) whether the client at hand is virtualized or not.

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1
http://www.symantec.com/docs/TECH173650

Virtual Image Exception (VIE) - a tool designed specifically for environments leveraging virtualization technologies, where a single baseline image is used to deploy many identical or nearly identical Virtual Desktop Infrastructure (VDI) clients. The VIE tool adds a new Extended File Attribute (EFA) value to all existing files on a machine before imaging. The EFA value remains valid until the file is modified. The Symantec Endpoint Protection (SEP) 12.1 client checks for this attribute before scanning files and skips any files marked as "known good" by the VIE tool. Scans on VDI clients created from images processed by the VIE tool will therefore have lower I/O load, CPU usage, and network bandwidth usage during scheduled and manual scans.

About the Symantec Virtual Image Exception tool
http://www.symantec.com/docs/TECH172218
Using the Virtual Image Exception tool on a base image
http://www.symantec.com/docs/HOWTO55325

Web Console for SEPM - a remote console that allows remote management of Symantec Endpoint Protection Manager from a web browser. The web console can be launched from SEPM Web Access (http://[servername]:9090). When you log on remotely, you can perform the same tasks as administrators who log on locally. What you can view and do from the console depends on the type of administrator you are.

Logging on to the Symantec Endpoint Protection Manager console
http://www.symantec.com/docs/HOWTO81152
How to install Web Console (Java Console) for Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH105171

Installation of the Symantec Protection Engine - Graphical Steps


On the previous article:

https://www-secure.symantec.com/connect/articles/i...

we made a basic introduction to Symantec Protection Engine. In this article, we will go through the installation of the SPE.

Before installing the SPE, make sure a JRE is installed. Note that the SPE only supports a 32-bit JRE.

1. Start the installation.
2. Accept the license.
3. Choose the installation location.
4. Select the authentication method.
From this version of the SPE on, Active Directory-based authentication is supported.
5. Enter the administrator password.
6. Accept the administrator port and SSL port.
7. Choose the URL filtering option.
8. Start the installation.
9. Finish the installation.
10. Launch IE and browse to https://localhost:8004
11. On the Security Warning window, click the 'Continue' button.
12. On the applet window, click the 'Run' button.
13. On the Security Warning window, click the 'Don't Block' button.
14. Enter the administrator credentials.
15. You need to install a license to enable the SPE.
16. Install your license.
17. The SPE functions will be enabled after the license is installed.

Bay Dynamics' Risk Fabric™ Integration with Symantec DeepSight DataFeeds


Bay Dynamics' Risk Fabric pulls data threads from multiple Security and IT Operations sources and weaves them together to provide federated insight that represents the true risk posture of an organization. The solution provides organizations with context-aware information risk intelligence to enable them to confront and correct security risks. This document highlights use cases that show both the analytical and integration capabilities of Risk Fabric, where an organization leverages Symantec DeepSight DataFeeds (i.e. Security Risk DataFeed, IP Reputation DataFeed, Domain and URL Reputation DataFeed) to proactively protect their environment, along with systems management tools such as Microsoft System Center Configuration Manager (SCCM).  

SEP LiveUpdate Engine (LUE) vs. Windows LiveUpdate (WLU) - Terminology, Differences, Characteristics

Welcome to the LiveUpdate Engine (LUE) vs. Windows LiveUpdate (WLU) discussion. In this article I will try to give you a closer look at the SEP LiveUpdate used in SEP/SEPM 11.x, which is based on WLU (Windows LiveUpdate), and compare it with the new LiveUpdate Engine (LUE) from SEP 12.1. We will look at the differences between the two as well as general characteristics, including the different versions of LU, file locations, logs, types of downloads, monikers, etc. I will also provide some hopefully useful tips and reference links at the end. Please feel free to comment and discuss.

Differences

Windows LiveUpdate (WLU)
- component used by both SEP 11.x clients and SEPM 11.x
- in version 12.1 it is used only by SEPM
- LiveUpdate settings for SEP clients can be managed from the Symantec LiveUpdate applet in Control Panel
- the LiveUpdate component (WLU) can be removed or reinstalled from "Add/Remove Programs" in Control Panel, both on the SEP client and on the SEPM server
- the main log file for LiveUpdate activity is the same on both SEP client and SEPM: Log.LiveUpdate

Figure: Symantec LiveUpdate settings in Control Panel

LiveUpdate Engine (LUE)
- LiveUpdate component directly integrated into SEP 12.1 clients; it replaces the traditional Windows LiveUpdate (WLU) previously used on SEP 11.x clients
- the LiveUpdate Engine is used only by SEP 12.1 clients; SEPM servers, whatever their version, still use WLU
- LiveUpdate settings for SEP clients are managed directly from the SEPM; there is no Symantec LiveUpdate applet available in Control Panel
- the LiveUpdate Engine is integrated with the SEP client and thus cannot be removed or uninstalled
- Log.LiveUpdate is still present on the SEPM server as before; SEP clients log LU activity to Log.Lue, although some restrictions apply: downloads from a GUP or SEPM are not logged there at all, and the log covers only downloads from LiveUpdate servers, either LUA or Symantec Internet servers

File locations

The given locations are defaults; if SEP/SEPM was installed to a custom path, the locations below may differ.

1. Installation paths (WLU only) - applies to all operating systems

32-bit: C:\Program Files\Symantec\LiveUpdate
64-bit: C:\Program Files (x86)\Symantec\LiveUpdate

 

2. Configuration files (WLU only)

On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate

On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
C:\ProgramData\Symantec\LiveUpdate\Settings.LiveUpdate

3. Executables

WLU (any OS)
32-bit: C:\Program Files\Symantec\LiveUpdate\LUALL.exe
64-bit: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe

LUE
32-bit: C:\Program Files\Symantec\Symantec Endpoint Protection\[Version Number]\Bin\SepLiveUpdate.exe
64-bit: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\[Version Number]\Bin\SepLiveUpdate.exe

 

4. Log files

WLU - client and server logs are shared
On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate
On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\LiveUpdate\Log.Liveupdate

LUE - client logs only
On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue
On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue

5. LiveUpdate downloads

WLU
On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\
On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\LiveUpdate\Downloads\

LUE (exists only if SEP is downloading from LiveUpdate servers)
On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads
On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads

6. SEP client definition locations

SEP 11.x (WLU)
On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\VirusDefs
On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\Definitions\VirusDefs

SEP 12.1 (LUE)
On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions

Definitions folder on SEP 12.1 will contain several types of definition updates installed on the SEP Client - those are located in following subfolders:

  • BASHDefs - Behavior And Security Heuristics
  • ccSubSDK_SCD_Defs - Submission Control Data
  • EfaVTDefs - Extended File Attributes and Signatures
  • HIDefs - Host Integrity
  • IPSDefs - IPS Signatures
  • IronRevocationDefs - Iron Revocation List
  • IronSettingsDefs - Iron Settings
  • IronWhitelistDefs - Iron Whitelist
  • SRTSPSettingsDefs - SRTSP Settings
  • VirusDefs - Virus Definitions

 

NOTE: The number of definition revisions stored on the SEP client differs between 11.x and 12.1. SEP 11.x stores by default the 3 latest revisions of each definition; SEP 12.1 stores only the latest revision.

 

7. SEPM LiveUpdate definition locations (WLU)

32-bit: C:\Program Files\Common Files\Symantec Shared\SymcData
64-bit: C:\Program Files (x86)\Common Files\Symantec Shared\SymcData

This folder will contain the following definition subfolders:

  • sepm121RU2ApPrtlLst - AP Portal List
  • sesmIPSdef32 - IPS Signatures Win32
  • sesmIPSdef64 - IPS Signatures Win64
  • spcBASH - Behavior And Security Heuristics
  • spcCIDSdef - CIDS Signatures
  • spcEfaVT - Extended File Attributes and Signatures
  • spcIronRl - Iron Revocation List
  • spcIronS - Iron Settings
  • spcIronWl - Iron Whitelist
  • spcScd - Submission Control Data
  • spcVirDef32 - Virus Definitions Win32
  • spcVirDef64 - Virus Definitions Win64

 

Other Liveupdate elements and considerations

 

1. Content Definitions available on SEPM for client downloads

The definition files are stored in the following location (depending on the 32/64-bit architecture):

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content

The latest definition revisions stored here will be shown as well in the SEPM Java console in "Admin-> Servers-> Local Site-> Show LiveUpdate Downloads".

 


 

The content folder will include several (20-22) subfolders named according to the content definition monikers; the exact set may differ from SEPM to SEPM. The translations of the monikers to content names applying to your SEPM can be found in the following file:

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt
or
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt

 

Examples of monikers for both SEP 12.1 and 11.x:

Symantec Endpoint Protection 12.1:
{535CB6A4-441F-4e8a-A897-804CD859100E}: SEPC Virus Definitions Win32 v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{07B590B3-9282-482f-BBAA-6D515D385869}: SEPC Virus Definitions Win64 (x64) v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{50B092DE-40D5-4724-971B-D3D90E9EE987}: SEPC SRTSP Settings - 12.1 RU2 - SymAllLanguages
{ECCC5006-EF61-4c99-829A-417B6C6AD963}: Decomposer - 1.0.0 - SymAllLanguages
{C13726A9-8DF7-4583-9B39-105B7EBD55E2}: SEP PTS Engine Win32 - 6.1.0 - SymAllLanguages
{DB206823-FFD2-440a-9B89-CCFD45F3F1CD}: SEP PTS Engine Win64 - 6.1.0 - SymAllLanguages
{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}: SEP PTS Content - 6.1.0 - SymAllLanguages
{D6AEBC07-D833-485f-9723-6C908D37F806}: SEPC Behavior And Security Heuristics v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{C25CEA47-63E5-447b-8D95-C79CAE13FF79}: Symantec Known Application System - 1.5.0 - SymAllLanguages
{812CD25E-1049-4086-9DDD-A4FAE649FBDF}: Symantec Security Content A1 - MicroDefsB.CurDefs - SymAllLanguages
{E1A6B4FF-6873-4200-B6F6-04C13BF38CF3}: Symantec Security Content A1-64 - MicroDefsB.CurDefs - SymAllLanguages
{E5A3EBEE-D580-421e-86DF-54C0B3739522}: Symantec Security Content B1 - MicroDefsB.CurDefs - SymAllLanguages
{CC40C428-1830-44ef-B8B2-920A0B761793}: Symantec Security Content B1-64 - MicroDefsB.CurDefs - SymAllLanguages
{D3769926-05B7-4ad1-9DCF-23051EEE78E3}: SESC IPS Signatures Win32 - 11.0 - SymAllLanguages
{42B17E5E-4E9D-4157-88CB-966FB4985928}: SESC IPS Signatures Win64 - 11.0 - SymAllLanguages
{55DE35DC-862A-44c9-8A2B-3EF451665D0A}: SEPC CIDS Signatures v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{4F889C4A-784D-40de-8539-6A29BAA43139}: SESC Submission Control Data - 11.0 - SymAllLanguages
{B6DC6C8F-46FA-40c7-A806-B669BE1D2D19}: SEPC Submission Control Data - 12.1 - SymAllLanguages
{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}: SEPC Extended File Attributes and Signatures 12.1 RU2 - MicroDefsB.CurDefs - SymAllLanguages
{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}: SEPC Iron Whitelist v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{810D5A61-809F-49c2-BD75-177F0647D2BA}: SEPC Iron Revocation List v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{263395A0-D3D8-4be4-80B5-202C94EF4AA0}: SEPC Iron Settings v12.1 - MicroDefsB.CurDefs - SymAllLanguages

 

Symantec Endpoint Protection 11.x:
{C60DC234-65F9-4674-94AE-62158EFCA433}: SESC Virus Definitions Win32 v11 - MicroDefsB.CurDefs - SymAllLanguages
{1CD85198-26C6-4bac-8C72-5D34B025DE35}: SESC Virus Definitions Win64 (x64) v11 - MicroDefsB.CurDefs - SymAllLanguages
{ECCC5006-EF61-4c99-829A-417B6C6AD963}: Decomposer - 1.0.0 - SymAllLanguages
{C13726A9-8DF7-4583-9B39-105B7EBD55E2}: SEP PTS Engine Win32 - 6.1.0 - SymAllLanguages
{DB206823-FFD2-440a-9B89-CCFD45F3F1CD}: SEP PTS Engine Win64 - 6.1.0 - SymAllLanguages
{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}: SEP PTS Content - 6.1.0 - SymAllLanguages
{C25CEA47-63E5-447b-8D95-C79CAE13FF79}: Symantec Known Application System - 1.5.0 - SymAllLanguages
{812CD25E-1049-4086-9DDD-A4FAE649FBDF}: Symantec Security Content A1 - MicroDefsB.CurDefs - SymAllLanguages
{E1A6B4FF-6873-4200-B6F6-04C13BF38CF3}: Symantec Security Content A1-64 - MicroDefsB.CurDefs - SymAllLanguages
{E5A3EBEE-D580-421e-86DF-54C0B3739522}: Symantec Security Content B1 - MicroDefsB.CurDefs - SymAllLanguages
{CC40C428-1830-44ef-B8B2-920A0B761793}: Symantec Security Content B1-64 - MicroDefsB.CurDefs - SymAllLanguages
{D3769926-05B7-4ad1-9DCF-23051EEE78E3}: SESC IPS Signatures Win32 - 11.0 - SymAllLanguages
{42B17E5E-4E9D-4157-88CB-966FB4985928}: SESC IPS Signatures Win64 - 11.0 - SymAllLanguages
{4F889C4A-784D-40de-8539-6A29BAA43139}: SESC Submission Control Data - 11.0 - SymAllLanguages

 

NOTE: If your SEPM manages both SEP 11.x and 12.1/12.1 RU2 clients, it will download content for both versions; the number of moniker subfolders in the ...\content folder will be greater and will include monikers from both of the lists above.

 

2. LiveUpdate versions

When speaking about LiveUpdate component versions we refer only to WLU. A specific SEP or SEPM version is paired with a specific LU version; the two are designed to work together, which becomes very important when we need to reinstall LU on a machine. Using an LU version that does not correspond to our SEP or SEPM version can cause many unexpected problems. Below is the list of all recent SEP 12.1 and 11.x releases with their corresponding LiveUpdate versions:

SEP 12.1 RU2 (MP1) and RU3: LU 3.3.100.15
SEP 12.1 RU1 MP1: LU 3.3.2.2
SEP 12.1 and 12.1 RU1: LU 3.3.1.23
SEP 11.0 RU7 MP2 / MP3: LU 3.3.0.115
SEP 11.0 RU7 MP1: LU 3.3.0.107
SEP 11.0 RU6 MP3: LU 3.3.0.101

 


 

NOTE: Be aware that when browsing online resources you may come across a newer LiveUpdate version, 3.5. This version is only for Norton Home & Home Office products and is not intended for use with Symantec Enterprise products, such as Symantec Endpoint Protection or Symantec AntiVirus!

 

3. LU Session initiation from GUI on SEP Clients

Whether we are dealing with a SEP 11.x or 12.1 client, starting an LU session from the SEP GUI is exactly the same: we click the "LiveUpdate" button in the SEP client GUI to start the session. Depending on the settings from SEPM, there are a few things to consider here:

  • The LiveUpdate button may be greyed out -> this means the LiveUpdate session settings are strictly managed from SEPM and the SEP client user is not allowed to start a session locally. Normally in this case the session will start according to the schedule (if the client downloads updates from a LiveUpdate server) or on the heartbeat from SEPM if new definitions are available.
  • The LiveUpdate button is available but no window pops up when clicked -> this means the user is allowed to initiate the LU session, but either SEPM or a GUP is the source of the updates, and in that case the LU session runs in silent mode. The recommended way for the user to check whether the session has started is to open the SEP System log and look for the entries indicating it.
  • The LiveUpdate button is available and a window pops up when clicked, showing the LU Express session -> the user is allowed to initiate the LU session and the source of the updates is a LiveUpdate server. The user will see the session progress in the pop-up window and will be informed about session completion or failure. Additionally, the user may compare the corresponding logs for the session result.

 


 

4. LU Session initiation from command prompt on SEP Clients

This method can be combined with execution through scripts or Task Manager if required; both WLU and LUE have a specific executable for starting an LU session: LUALL.exe for WLU and SepLiveUpdate.exe for LUE. The locations of these executables are shown under "File locations" in this article. It is important to note that executing LUALL.exe gives us either an express-mode session or an interactive-mode session, depending on the Symantec LiveUpdate applet setting in Control Panel. Executing SepLiveUpdate.exe by default results in a silent-mode session without any user interaction.

 

5. LU Session initiation on SEPM

For SEPM Server we can start the LU Session either directly from SEPM console (Admin -> Servers -> Local Site -> Download Liveupdate Content) or by executing the LUALL.exe in the same manner as on the SEP Client (described above).

 

6. LU reinstallation

As already indicated, only WLU can be reinstalled, as the LUE is integrated within the client itself. Recommended steps for reinstallation of the LU component on either a SEP client (11.x) or a SEPM server are:

1. Remove LiveUpdate from "Add/Remove Programs"
2. Reboot the machine
3. In Windows Explorer, delete the following folders if they are present, without saving the existing content (according to the version and OS in use):
- C:\ProgramData\Symantec\LiveUpdate
- C:\ProgramData\Application Data\Symantec\LiveUpdate
- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate
- C:\Program Files (x86)\Symantec\LiveUpdate (64-bit)
4. Install LU using lusetup.exe (execute with local admin rights, i.e. the built-in administrator; take into consideration the appropriate LU version for your SEP/SEPM)
5. Re-register the LU component with the SEP client or SEPM
* [SEPM] -> in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin:
- Type lucatalog -cleanup and press Enter.
- Type lucatalog -forcedupdate and press Enter (SEPM 12.1)
* [SEP Client] -> run a repair on the SEP client from "Add/Remove Programs"
6. In C:\Program Files (x86)\Symantec\LiveUpdate start luall.exe (execute with local admin rights)
7. Let the LiveUpdate express session run to the end and check whether any errors occur
8. [SEPM ONLY] If the session was successful, check the path "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content" to see whether any content was downloaded under the respective moniker folders

 

NOTE: An important thing to notice is that the commands for re-registering the LU component with SEPM differ depending on the SEPM version:
* for SEPM 11.x the commands are: "lucatalog -cleanup" and "lucatalog -update"
* for SEPM 12.1 the commands are: "lucatalog -cleanup" and "lucatalog -forcedupdate"
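An added example in Python (not Symantec's code or any SEPM tooling) that serves both the moniker list above and step 8 of the LU reinstallation check: it parses the "{GUID}: name" lines of ContentInfo.txt and inventories the Inetpub\content moniker folders, reporting each folder's content name and newest revision, including a folder with nothing downloaded yet and a folder not listed in ContentInfo.txt. The integer naming of revision subfolders, the sample sequence numbers and the all-zero placeholder GUID are assumptions; the two real monikers are taken from the 12.1 list above.

```python
"""Added example (not Symantec's code): translate SEPM content moniker folders
to content names via ContentInfo.txt and report the newest revision each holds."""
import os
import re
import tempfile

# Line format as it appears in ContentInfo.txt: "{GUID}: <content name>"
MONIKER_LINE = re.compile(r"^\s*(\{[0-9A-Fa-f-]{36}\})\s*:\s*(.+?)\s*$")


def parse_content_info(text):
    """Return {MONIKER: content name}; monikers are upper-cased so lookups ignore case."""
    names = {}
    for line in text.splitlines():
        match = MONIKER_LINE.match(line)
        if match:
            names[match.group(1).upper()] = match.group(2)
    return names


def inventory_content(content_dir):
    """Inventory the Inetpub\\content folder: one record per moniker subfolder.
    Assumption (not stated in the article): revision subfolders carry integer
    sequence names, so the numerically largest one is the newest download."""
    names = {}
    info_path = os.path.join(content_dir, "ContentInfo.txt")
    if os.path.exists(info_path):
        with open(info_path, encoding="utf-8", errors="replace") as handle:
            names = parse_content_info(handle.read())

    report = []
    for entry in sorted(os.listdir(content_dir)):
        folder = os.path.join(content_dir, entry)
        if not (entry.startswith("{") and os.path.isdir(folder)):
            continue  # skip ContentInfo.txt and anything that is not a moniker folder
        revisions = [rev for rev in os.listdir(folder)
                     if rev.isdigit() and os.path.isdir(os.path.join(folder, rev))]
        report.append({
            "moniker": entry.upper(),
            "name": names.get(entry.upper(), "UNKNOWN (not listed in ContentInfo.txt)"),
            "revisions": len(revisions),
            "newest": max(revisions, key=int) if revisions else None,
        })
    return report


def run_demo():
    """Constructed content tree using two 12.1 monikers quoted in the article."""
    sample_info = (
        "{535CB6A4-441F-4e8a-A897-804CD859100E}: SEPC Virus Definitions Win32 v12.1 "
        "- MicroDefsB.CurDefs - SymAllLanguages\n"
        "{07B590B3-9282-482f-BBAA-6D515D385869}: SEPC Virus Definitions Win64 (x64) v12.1 "
        "- MicroDefsB.CurDefs - SymAllLanguages\n"
    )
    with tempfile.TemporaryDirectory() as content:
        with open(os.path.join(content, "ContentInfo.txt"), "w", encoding="utf-8") as handle:
            handle.write(sample_info)
        # Win32 definitions: two downloaded revisions (constructed sequence numbers)
        win32 = os.path.join(content, "{535CB6A4-441F-4e8a-A897-804CD859100E}")
        for revision in ("130101001", "130102002"):
            os.makedirs(os.path.join(win32, revision))
        # Win64 definitions: folder exists but nothing downloaded yet
        os.makedirs(os.path.join(content, "{07B590B3-9282-482f-BBAA-6D515D385869}"))
        # A moniker folder with content that is missing from ContentInfo.txt (placeholder GUID)
        os.makedirs(os.path.join(content, "{00000000-0000-0000-0000-000000000000}", "130101001"))
        return inventory_content(content)


if __name__ == "__main__":
    for record in run_demo():
        print(f"{record['moniker']}  {record['name']}  "
              f"revisions={record['revisions']}  newest={record['newest']}")
```

Pointing inventory_content at a real SEPM's Inetpub\content folder gives the same report for the live moniker set.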

 

7. Liveupdate policy for SEP client

This policy specifies the source of the definition updates for SEP clients as well as the update schedule. Possible update sources are:

• Management Server (SEPM)
• Group Update Provider (GUP)
• Symantec Internet Liveupdate Server
• Internal Liveupdate Server (LUA)
• Third Party Management (TPM) - in most cases manual update through Intelligent Updater or .jdb file

 


 

NOTE: The schedule for LU downloads as seen in the LU policy applies only to updates from either Symantec Internet LiveUpdate servers or an internal LiveUpdate server (LUA). Even if set, the schedule is not honored for updates downloaded from SEPM/GUP. For those types of downloads there is currently no way to set up a schedule, as they are initiated according to the heartbeat (pull mode) or as soon as definitions are available (push mode).

 


 

Reference for configuration of Liveupdate policy for SEP clients:
Configure liveupdate to run on client computers - Part 1
https://www-secure.symantec.com/connect/articles/configure-liveupdate-run-client-updates-when-client-computers-are-idle

 

8. Liveupdate settings for SEPM Server

Settings used to configure the definition download source for the SEPM server. Options include either the Symantec Internet LiveUpdate server or an internal LiveUpdate server (LUA). LiveUpdate settings for SEPM can be configured in "Admin -> Servers -> Local Site -> Edit Properties -> LiveUpdate".

 

LU_SEPM.png

 

enlightened NOTE: There is no direct possibility to configure the LU on SEPM to download updates from another SEPM. Such functionality is only possible outside of LU scope where two or more SEPM Servers are set up in a Failover or Replication configuration.

 

Reference for configuration of Liveupdate settings for SEPM Server:
Configure liveupdate to run on Symantec Endpoint Protection Manager (SEPM) - Part 2
https://www-secure.symantec.com/connect/articles/configure-liveupdate-run-symantec-endpoint-protection-manager-sepm-part-2

Further links and references

Windows LiveUpdate Client for Use with Symantec Endpoint Protection Manager 12.1
http://www.symantec.com/docs/TECH181305 
About LiveUpdate in Symantec Endpoint Protection version 12.1
https://www-secure.symantec.com/connect/articles/a...
How to Uninstall and Reinstall LiveUpdate on SEPM 12.1 (Enterprise Edition or Small Business Edition)
http://www.symantec.com/docs/TECH171060
How to Uninstall and Reinstall LiveUpdate When a Symantec Endpoint Protection Manager or Symantec Endpoint Protection Client is Installed (SEP 11.x)
http://www.symantec.com/docs/TECH102609
The Log.LiveUpdate file is missing or out of date on a Symantec Endpoint Protection 12.1 client
http://www.symantec.com/docs/TECH168602
How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH102467

Controlling network traffic on a special-purpose machine using the SEP firewall

From time to time, a requirement comes down the pipeline in which a machine with a "special" purpose needs to be connected to the internal network. The requirements are as follows:

  • No ability to "ping" the machine
  • No inbound traffic allowed
  • Only one IP address is allowed to access this machine via port 3389 for remote administration

Meeting the above requirements can be accomplished using the SEP firewall. For the purpose of this article, I'm using SEP 12.1 RU3.

Here's a screen shot of the three firewall rules created to accomplish our goal:

To test the first rule, Block Ping, we can verify the block with a simple Nmap scan:

The Traffic log from the SEP firewall also verifies the ping attempt is blocked:

Next, we can test the second rule, Allow Remote Administration, by doing a simple RDP to the machine from the allowed IP address. The Traffic log from the SEP firewall also confirms this is working:

Now, I did an Nmap scan from the allowed IP address to confirm port 3389 is open, which it is:

I also did an Nmap scan from a disallowed IP address to confirm port 3389 is closed, which it is:

Lastly, we can test the third rule, Block Incoming Traffic, by attempting to connect to a share on the machine. Access is denied:

The Traffic log from the SEP firewall also confirms the block was successful:

The SEP firewall is a great tool and has endless possibilities for controlling traffic on your network. The aim of this article was to give you a small snapshot into what is possible using the firewall. I hope this is helpful to you. Please feel free to leave feedback, whether positive or negative.

What's New in IT Analytics Symantec Data Loss Prevention 3.0

Building on the success of the previous version of IT Analytics for Symantec Data Loss Prevention and incorporating some fantastic user feedback, Symantec has just released version 3.0 of the reporting content pack. For existing IT Analytics customers, the new version of IT Analytics for Symantec Data Loss Prevention is now available for upgrade through the Symantec Installation Manager. Some of the highlights within the new version include:

New Cube: Incident Status History

This new cube contains historical information about incident status changes within the Data Loss Prevention system, including details about who performed the change and when. Information specific to this cube includes the total number of incident actions, change date, user name, and more.

Cube Updates

All cubes have been updated to be more consistent with DLP nomenclature and several cubes have been updated with additional dimensions and measures to provide greater options in reporting. Additionally, the DLP Discover Scans cube has been updated to support all scan types. For cube definitions, including the list of available measures and dimensions, please see the official IT Analytics for Symantec Data Loss Prevention 3.0 User Guide.

New Reports

Dozens of new out-of-the-box reports were added in the new release, including those listed below. Report subscriptions can be enabled for all of these reports so that they are received via email on a recurring basis. For definitions of each report, please see the official IT Analytics for Symantec Data Loss Prevention 3.0 User Guide.

  • DLP Auditing – User Action Auditing
  • DLP Auditing – User Event Details
  • DLP Auditing – User Incident Event Summary
  • DLP Deployment – Agent Search
  • DLP Deployment – Agent Version by Server
  • DLP Deployment – Policy Evolution Trend
  • DLP Deployment – Scan Summary
  • DLP Investigations – Discover File Incidents by File Owner Trend
  • DLP Investigations – Networking File Incidents by Networking User Trend
  • DLP Investigations – User Incident Details
  • DLP Investigations – User Incident Search
  • DLP Normalized Risk – Frequency of Discover Incidents vs. Files Scanned Trend
  • DLP Normalized Risk – Frequency of Discover Incidents vs. GB Scanned Trend
  • DLP Normalized Risk – Frequency of Email Incidents (Email Prevent)
  • DLP Normalized Risk – Frequency of Web Incidents
  • DLP Policy Optimization – Policy Change Audit
  • DLP Policy Optimization – Policy Change Impact
  • DLP Policy Optimization – Policy Change Trend
  • DLP Policy Optimization – Policy Changes
  • DLP Remediation – Discover Incident Details
  • DLP Remediation – Discover Incident Search
  • DLP Remediation – Endpoint Incident Details
  • DLP Remediation – Endpoint Incident Search
  • DLP Remediation – Incidents Search
  • DLP Remediation – Incident Status History Details
  • DLP Remediation – Network Incident Details
  • DLP Remediation – Network Incident Search
  • DLP Remediation – Remediator Productivity
  • DLP Statistics – Discover Scanned File Trend
  • DLP Statistics – Discover Scanned Storage Trend
  • DLP Statistics – Endpoint Incident Trend by Channel
  • DLP Statistics – Organizational Incident Trend
  • DLP Statistics – Incidents by Policy
  • DLP Statistics – Incidents by Product Area
  • DLP Statistics – Incidents by Severity
  • DLP Statistics – Incidents by Status
  • DLP Statistics – Incident Trend by Product Area
  • DLP Statistics – Scans
  • DLP System Management – Agent Summary by Status
  • DLP System Management – Agent Summary by Version

Processing Performance

Cube processing performance has been greatly improved and optimized to provide shorter processing times on average. NOTE: The processing time varies depending on the amount of data to be included in the cubes and the server hardware specifications present in your environment.

Download and install the new version today and gain greater flexibility and insight into your Symantec Data Loss Prevention reporting!

Upgrading to IT Analytics for Symantec Data Loss Prevention 3.0

Current users of IT Analytics for Symantec Data Loss Prevention 2.0 can now upgrade their installation to the new 3.0 version recently released by Symantec and gain significant benefits in both reporting and performance. This article outlines the process of upgrading from IT Analytics for Symantec Data Loss Prevention version 2.0 to version 3.0 in a simple, step-by-step format.

Upgrade Checklist

Before you perform the upgrade in your environment, consider the following:

  • This article assumes you will be upgrading on the same server. If you are moving to another server and installing IT Analytics for Symantec Data Loss Prevention 3.0 at the same time, consider the following article on migrating an IT Analytics installation.
  • Ensure the version of the Symantec Management Platform you are running is at least 7.1 SP2. If it is a prior version, you will need to upgrade the Symantec Management Platform before upgrading IT Analytics.
  • Perform a backup of the server hosting the Symantec Management Platform and IT Analytics Data Loss Prevention, using the backup tool of your choice.
  • Perform a backup of the CMDB database and the IT Analytics database in SQL Analysis Services (if SQL is hosted off-box). For more information about how to back up the CMDB database, see the following knowledge base article.
  • This article assumes you have administrator access to the Symantec Management Console.
  • Record the following configuration settings in the Symantec Management Console, in case you need to configure similar settings after the upgrade:
      • DLP IT Analytics connection settings to Analysis Services and Reporting Services under: Settings > Notification Server > IT Analytics Settings > Configuration
      • Connection settings to the DLP database under: Settings > Notification Server > IT Analytics Settings > Connections > Symantec Data Loss Prevention
      • Processing schedules under: Settings > Notification Server > IT Analytics Settings > Processing

CAUTION: When you initiate the upgrade of IT Analytics from 2.0 to 3.0, the existing cubes and reports are uninstalled due to the change in schema between versions. The new out-of-the-box reports and cubes must be reinstalled once the upgrade has completed. If you have customized any of the out-of-the-box cubes and reports in version 2.0, you must reapply those changes after upgrading to the 3.0 version. Any net new reports or cubes that were created in the previous version are not affected by the upgrade; however, because of the schema changes in the new version, they may not work as expected. If you have not modified the existing cubes or reports and have not developed any new cubes or reports, there are no additional steps beyond what is listed below.


Starting the Upgrade Process

Follow the steps below to upgrade to IT Analytics for Data Loss Prevention 3.0:
  1. Open the Symantec Installation Manager by clicking: Start > All Programs > Symantec > Symantec Installation Manager, and allow the application to load.
  2. On the Installed Products screen, you should see at least one product available for upgrade.

NOTE: Clicking on 'Upgrade installed products' will allow you to upgrade to the latest version of IT Analytics for Symantec Data Loss Prevention; however, this may also include other product upgrades or Symantec Management Platform maintenance packs along with it. For the purposes of this article, we will use a method that upgrades only IT Analytics for Symantec Data Loss Prevention, as described below.

  3. Click on the Install New Products link at the top and on that screen, change the filter from Suites to Solutions.
  4. Scroll down the list, and check the Symantec IT Analytics Data Loss Prevention Pack 3.0, or simply search for 'analytics' in the upper right to do a quick find.
  5. Click Next.
  6. Optional - On the Optional Installations page, select the Language Packs for installation and then click Next.
  7. On the End User License Agreement page, verify that the correct products were selected, check 'I accept the terms in the license agreements,' and then click Next.
  8. Verify that your contact information has not changed and then click Next.
  9. On the Review Installation Details page, verify that Symantec IT Analytics Data Loss Prevention Pack 3.0 is listed.
  10. Click Begin install to start the download and installation process.
  11. If you are prompted to back up Notification Server cryptographic keys, click Skip. This step is not necessary for upgrading to IT Analytics for Data Loss Prevention 3.0.
  12. Verify the Installation Complete screen is displayed and click Finish.
  13. On the resulting Installed Products screen, verify that the version for IT Analytics for Data Loss Prevention is now listed as 3.0.

Reinstalling Cubes and Reports

Once the upgrade completes, you need to reinstall the cubes and the reports that are included in IT Analytics for Data Loss Prevention version 3.0.

Reinstalling Cubes

  1. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
  2. In the left pane, expand the Cubes folder.
  3. In the Cubes page, click the Available tab.
  4. Check all the cubes that you want to install. To install all of the available cubes, in the header row of the table, click Install.
  5. Click Save Changes.
  6. At the prompt, click OK to proceed with the installation.
  7. The IT Analytics Event Viewer window displays the progress of each cube that was selected. Click Close when the process has completed.
  8. Verify that the cubes were successfully created by clicking the Installed tab, and then review the list of cubes.

Reinstalling Reports

  1. In the left pane, expand the Reports folder.
  2. In the Report Setup window, click the Available tab.
  3. Check all the reports that you want to install. To install all of the available reports, in the header row of the table, click Install.
  4. Click Save Changes.
  5. At the prompt, click OK to proceed with the installation.
  6. The IT Analytics Event Viewer window displays the progress of each report that was selected. Click Close when the process has completed.
  7. Verify that the reports were successfully installed by clicking the Installed tab, and then review the list of reports.

Reconfiguring the Cube Processing Tasks

You can create and assign processing schedules for all installed cubes. Your business needs dictate how often the cubes should be processed. For a typical configuration, all cubes should be processed daily. This task is essential for IT Analytics to function properly, because the cubes do not contain any data until cube processing is complete.

Note: If you had previously created cube processing tasks in the 2.0 version, those tasks should still be available after the upgrade, but because the cubes were uninstalled and reinstalled, you will have to reassociate the specific cubes with the appropriate processing tasks. Also, keep in mind that the new Incident Status History cube will have to be assigned to a processing task.

To reconfigure the cube processing tasks:

  1. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
  2. In the left pane, expand the Processing folder. You should see that all cubes require processing.
  3. If only using the default processing task, select the schedule that you want and then check the Enabled box. Symantec recommends processing cubes no more than once a day, depending on the number of cubes and amount of data in your environment. If you are using previously configured processing tasks, check that the schedules are in line with expectations.
  4. Check the box for each available cube that you want to be processed on the current schedule. For a typical configuration select all cubes; however, depending on the amount of data in your Oracle DLP database, you may need to create multiple processing tasks for optimum performance.
  5. Click Save Changes and confirm that the processing task is saved.
  6. You can either wait until the scheduled processing time, or click Run Now. The selected processing tasks start asynchronously, which means that the task does not finish by the time that the page refreshes. This task can take several minutes to execute. The execution time depends on the number of cubes that are selected and the size of the data within the database. You can monitor its progress by viewing the events in the IT Analytics Event Viewer window while the manual processing task executes.
  7. After the processing trace has completed, click Close and you should notice that all of the cubes have now been processed.

Verifying Your Upgrade

After cube processing completes, you can verify your upgrade and ensure that all of your configuration steps completed successfully.

To verify your upgrade:

  1. In the Symantec Management Console, on the Reports menu, click All Reports.
  2. In the left pane, under IT Analytics, expand the Cubes folder and then click on the new Incident Status History cube.
  3. From the pivot table field list, drag in Status Changes and Incident - Product Area to create a quick cube view and ensure you are getting data. This indicates that both the upgrade and the cube processing completed successfully.
  4. In the left pane, under IT Analytics, expand the Reports folder and then click on the new DLP Remediation - Incident Search report. You should also see a much longer list of reports than was there previously. Once this report loads, it indicates that the new reports from the upgrade were installed successfully.

Use Enterprise Manager to Add Datafiles for DLP DB

In the previous article:

https://www-secure.symantec.com/connect/articles/i...

we described how to install the Enterprise Manager (EM) for the DLP Oracle DB.

In this article, we give a graphic guide to using EM to add a datafile to the DLP DB in order to expand the DLP tablespace.

1. Launch a browser and log into EM as sys.

2. From the 'Server' tab, select 'Tablespaces'.

3. There are several tablespaces inside the DLP DB. All the DLP incidents and their attachments are stored in the tablespace named LOB_TABLESPACE. From the list, you can find out the usage of each tablespace.

4. Click LOB_TABLESPACE; it lists all the datafiles of the tablespace.

By default, there are 3 datafiles in LOB_TABLESPACE, and the size of each datafile is about 32G. So the default size of LOB_TABLESPACE is about 100G. As DLP runs and the number of incidents increases, we may need to add more datafiles to this tablespace.

5. From the list of datafiles, select the last one, for example LOB03.DBF.

The default action for this datafile is 'Create Like'; click the 'Go' button.

6. In the 'File Name' field, enter the number following the previous datafiles.

For example, if you already have 3 datafiles named LOB01.DBF, LOB02.DBF and LOB03.DBF, you must name the new datafile LOB04.DBF.

Keep all the other options at their defaults, then click the 'OK' button.

7. The creation will take several seconds or minutes to finish.

8. After the creation, go back to the datafile list page, and you will find the new datafile added.

Just remember that you don't need any further configuration of the tablespace and the datafile. The incidents and their attachments will be written into the new datafile of LOB_TABLESPACE automatically.

How to utilize SEP 12.1 for Incident Response - PART 3

In a continuation from my two previous SEP 12.1 Incident Response articles, Part 1 & Part 2, this article will look at using the Network Application Monitoring feature in SEP 12.1 in a situation where incident response is needed.


What is Network Application Monitoring?

The SEP client has the ability to detect and track any application on a workstation that can send and receive traffic. An application's content may change for two reasons:

  • Malware has attacked the application
  • The application was updated with a newer version

During an incident, you can enable this feature to get a better idea of what applications are doing on your network. It may also help you narrow down the suspect machine(s).

Let's look at how to enable it:

Log in to your SEPM and navigate to Clients >> select the group you want to enable this feature for >> Policies. Under Location-Independent Policies and Settings, select Network Application Monitoring.

Place a check in the box to Enable network application monitoring.

You can also configure other settings if you wish. You can set an action to take when an application change is detected, display additional text to the end user, or add applications that will not be monitored (I do not recommend this in an IR situation, as I want full visibility of everything taking place on my network). Here is how I have configured it for my situation:

Now that this feature has been enabled, all network applications will be monitored going forward.

During an incident response situation, the end users will see the following prompt when a network application changes:

They can click on Detail >> for more information.

There will be an entry in the Security log on the SEP client:

To view this same incident from the SEPM, go to Monitors >> Logs. Set the Log type to Network Threat Protection and set the Log content to Attacks.

You can select the line item and click Details to get more info.

Once you determine whether this particular file is malicious or not, you can take action: remove the suspect from your network and clean it, or deem it legitimate.

If you determine that the application is malicious and has spread to multiple PCs on the network, you can also create a firewall rule to block the traffic to/from this application until the machines can be cleaned. And if you want to add another layer of security, you can add the application to be monitored so that it won't even be able to execute! Details are in my first article, How to utilize SEP 12.1 for Incident Response - PART 1

I hope this article will be helpful for you.

Comments/Questions/Criticisms are welcome!

Compilation of SQL queries to the SEPM database

As often happens, not all the required information, or more frequently not all information in the expected form, can be retrieved from the SEPM logs or reports, and the necessity for direct queries to the SEPM database arises. The purpose of this article is to present some of the most helpful and useful SQL queries that can make the lives of SEPM administrators much easier when specific information is required in an easily exportable and customizable form.

There is not really much Symantec documentation covering this topic besides the SQL schema references; for these please refer to:

Symantec Endpoint Protection Manager 12.1.2 Database Schema
http://www.symantec.com/docs/DOC6039
Symantec™ Endpoint Protection Manager Database Schema Reference
http://www.symantec.com/docs/DOC4935


You can find quite a few Symantec Connect threads on the matter, one of real value is the following:

SQL Querys to the database
https://www-secure.symantec.com/connect/forums/sql-querys-database


Besides this, several other threads with specific questions and queries can be found; all the information is a bit scattered though, which makes finding the appropriate, and sometimes even working, queries a really difficult task. I hope this article will allow you to browse and search useful queries quickly. Please note that most of the queries presented were not created by me but taken from different sources in order to make them available in one place. If you have an interest in this topic you can follow this article; I will do my best to update it with more queries over time.

The article points mainly at SEP 12.1 and above. I will also limit the information included here to queries for getting information out of the database, not for making changes directly to the SEPM database, as such changes are not recommended by Symantec Support and should be performed from the SEPM console.

Any feedback or suggestions are welcome. Please share as well what kind of queries you would like to use or require in your day-to-day administrative tasks.

SEP Client Information Query. Query result shows:
♦ SEP Computer name
♦ Installed SEP Version
♦ AV definition revision with the timestamp of the last update
♦ Assignment to SEPM Group
♦ Operating System
♦ Logged-on User
♦ MAC address
♦ IP address

select i.computer_name
, agent_version
, pat.version as vd_version
, dateadd(s,convert(bigint,LAST_UPDATE_TIME)/1000,'01-01-1970 00:00:00') lastupdatetime
, g.name as group_name
, i.OPERATION_SYSTEM
, i.CURRENT_LOGIN_USER
, i.MAC_addr1
, i.ip_addr1_text
, i.DELETED
from sem_agent as sa with (nolock) left outer join pattern pat on sa.pattern_idx=pat.pattern_idx
inner join v_sem_computer i on i.computer_id=sa.computer_id
inner join identity_map g on g.id=sa.group_id
inner join identity_map p on p.id=sa.last_server_id
inner join identity_map s on s.id=sa.domain_id
inner join identity_map q on q.id=sa.last_site_id
where
(sa.agent_type='105' or sa.agent_type='151') and sa.deleted='0' and I.DELETED = 0
order by group_name, operation_system, i.COMPUTER_name

SEP Client Information Query. Query result shows:
♦ SEP computername
♦ Installed SEP Version
♦ AV definition revision with the timestamp of the last update
♦ Assignment to SEPM Group
♦ Operating System
♦ Logged-on User
♦ IP address
♦ Last scan time

SELECT DISTINCT "SEM_AGENT"."DELETED"
  , "PATTERN"."VERSION"
  , "SEM_AGENT"."AGENT_VERSION"
  , "SEM_CLIENT"."COMPUTER_NAME" "Computer Name"
  , "SEM_COMPUTER"."OPERATION_SYSTEM" "Operation System"
  , dateadd(s,convert(bigint,"SEM_AGENT"."CREATION_TIME")/1000,'01-01-1970 00:00:00') CREATION_DTTM
  , dateadd(s,convert(bigint,"SEM_AGENT"."LAST_UPDATE_TIME")/1000,'01-01-1970 00:00:00') Lastupdatetime
  , dateadd(s, convert(bigint,LAST_SCAN_TIME)/1000, '01-01-1970 00:00:00')"Last Scan Time"
  , "PATTERN"."PATTERNDATE" "Pattern Date"
  , "SEM_CLIENT"."USER_NAME" "User Name"
  , "V_SEM_COMPUTER"."IP_ADDR1_TEXT" "IP Address"
  , "IDENTITY_MAP"."NAME" "Group Name"
FROM (((("SEM_AGENT" "SEM_AGENT" INNER JOIN "SEM_CLIENT" "SEM_CLIENT" 
  ON (("SEM_AGENT"."COMPUTER_ID"="SEM_CLIENT"."COMPUTER_ID") 
  AND ("SEM_AGENT"."DOMAIN_ID"="SEM_CLIENT"."DOMAIN_ID")) 
  AND ("SEM_AGENT"."GROUP_ID"="SEM_CLIENT"."GROUP_ID")) INNER JOIN "SEM_COMPUTER" "SEM_COMPUTER" 
  ON (("SEM_AGENT"."COMPUTER_ID"="SEM_COMPUTER"."COMPUTER_ID") 
  AND ("SEM_AGENT"."DOMAIN_ID"="SEM_COMPUTER"."DOMAIN_ID")) 
  AND ("SEM_AGENT"."DELETED"="SEM_COMPUTER"."DELETED")) INNER JOIN "PATTERN" "PATTERN" 
  ON "SEM_AGENT"."PATTERN_IDX"="PATTERN"."PATTERN_IDX") INNER JOIN "IDENTITY_MAP" "IDENTITY_MAP" 
  ON "SEM_CLIENT"."GROUP_ID"="IDENTITY_MAP"."ID") INNER JOIN "V_SEM_COMPUTER" "V_SEM_COMPUTER" 
  ON "SEM_COMPUTER"."COMPUTER_ID"="V_SEM_COMPUTER"."COMPUTER_ID" 
  AND "SEM_AGENT"."DELETED"=0
ORDER BY "Computer Name"

SEP Client ID information contains:
♦ SEP computername
♦ Client ID, Computer ID, Hardware ID
♦ Client Status
♦ Client creation and last update timestamp
♦ Operating System information
♦ SEP Client Version

SELECT [Comp].[COMPUTER_NAME]
, [Agent].[DELETED]
, [Agent].[CURRENT_CLIENT_ID]
, [Comp].[HARDWARE_KEY]
, [Comp].[COMPUTER_ID]
, dateadd(s,convert(bigint,[Comp].[TIME_STAMP])/1000,'01-01-1970 13:00:00') as Time_Stamp
, [Agent].[STATUS]
, dateadd(s,convert(bigint,[Agent].[CREATION_TIME])/1000,'01-01-1970 13:00:00') as Creation_Time
, dateadd(s,convert(bigint,[Agent].[LAST_UPDATE_TIME])/1000,'01-01-1970 13:00:00') as Last_Update_Time
, [Comp].[OPERATION_SYSTEM]
, [Agent].[AGENT_VERSION]

FROM [dbo].[SEM_AGENT] as [Agent] inner join [dbo].[SEM_COMPUTER] as [Comp] on [Agent].[COMPUTER_ID]=[Comp].[COMPUTER_ID]

/* where [Comp].[COMPUTER_ID] like 'Computer ID as used in the database' */
/* where [Comp].[COMPUTER_NAME] like 'NetBIOS name of computer' */
/* where [Agent].[CURRENT_CLIENT_ID] like 'Unique ID as displayed on General tab of client properties in console' */

order by [Comp].[COMPUTER_NAME] asc

SEP to SEPM Server mapping - easy query to match the managed SEP clients with respective SEPM Servers. Results contain:
♦ SEP client name
♦ SEPM Server ID
♦ Status of the client
♦ IP (decimal) of the client

SELECT SEM_CLIENT.COMPUTER_NAME as Computer, SEM_AGENT.LAST_SERVER_ID as Server, SEM_AGENT.STATUS as Status, SEM_COMPUTER.IP_ADDR1 as IP
From SEM_CLIENT, SEM_AGENT, SEM_COMPUTER
Where SEM_AGENT.COMPUTER_ID = SEM_CLIENT.COMPUTER_ID and SEM_AGENT.STATUS = 1 and SEM_CLIENT.COMPUTER_NAME = SEM_COMPUTER.COMPUTER_NAME

SEP Client System Logs - Query results contain:
♦ Time of the log entry,
♦ SEP client name,
♦ Name of the SEPM managing the client,
♦ Event description from system log
♦ Events are ordered by Time of the event

select DATEADD(s, CONVERT(bigint, l.EVENT_TIME)/1000, '01/01/1970 00:00:00') as Time , c.NAME, l.HOST_NAME, l.EVENT_DESC
from V_SERVERS c,
(select * from AGENT_SYSTEM_LOG_1 union select * from AGENT_SYSTEM_LOG_2) l
where c.ID = l.server_id
order by l.EVENT_TIME desc;

Computer Status check - query for listing the computers with either offline (STATUS = 0) or online status (STATUS = 1). Results give the client computer ID and name.

select SEM_AGENT.COMPUTER_ID, SEM_COMPUTER.COMPUTER_NAME, SEM_AGENT.STATUS
from SEM_AGENT
left join SEM_COMPUTER on SEM_AGENT.COMPUTER_ID = SEM_COMPUTER.COMPUTER_ID
where sem_agent.STATUS = 0

GUP Server list - shows enabled GUPs (IP address) along with the group and subnet assignment.

select Name,IP_ADDR1_TEXT,left(IP_ADDR1_TEXT,Len(IP_ADDR1_TEXT)-CHARINDEX('.',Reverse(IP_ADDR1_TEXT))) as Network from SEM_AGENT as SA 
LEFT OUTER JOIN 
V_SEM_COMPUTER as COMP ON SA.COMPUTER_ID = COMP.COMPUTER_ID
LEFT OUTER JOIN 
IDENTITY_MAP as ID_MAP ON ID_MAP.ID = SA.GROUP_ID
where 
SA.AP_ONOFF!=2 and SA.DELETED='0' and MAJOR_VERSION != '5' and SA.AGENT_TYPE='105'  and SA.computer_id in (select computer_id from GUP_list)
group by
left(IP_ADDR1_TEXT,Len(IP_ADDR1_TEXT)-CHARINDEX('.',Reverse(IP_ADDR1_TEXT))),name,ip_addr1_text

DECLARE @TimeZoneDiff int  
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())
SELECT [GUP_LIST].[GUP_ID]
,[GUP_LIST].[COMPUTER_ID]
,UPPER([SEM_COMPUTER].[COMPUTER_NAME])
,[GUP_LIST].[IP_ADDRESS]
,CAST((case when IP_ADDRESS < 0 then 0xFFFFFFFF + IP_ADDRESS else IP_ADDRESS end / 256 / 256 / 256) & 0xFF as VARCHAR) + '.' + CAST((case when IP_ADDRESS < 0 then 0xFFFFFFFF + IP_ADDRESS else IP_ADDRESS end / 256 / 256) & 0xFF as VARCHAR) + '.' + CAST((case when IP_ADDRESS < 0 then 0xFFFFFFFF + IP_ADDRESS else IP_ADDRESS end / 256) & 0xFF as VARCHAR) + '.' + CAST( case when IP_ADDRESS < 0 then 0xFFFFFFFF + IP_ADDRESS else IP_ADDRESS end & 0xFF as VARCHAR) as GUP_IP_ADDRESS
,[GUP_LIST].[PORT]
,[GUP_LIST].[USN]
,dateadd(minute, @TimeZoneDiff, dateadd(second, [GUP_LIST].[TIME_STAMP]/1000, '01-01-1970 00:00:00')) as [Time Stamp]
,[GUP_LIST].[DELETED]
  FROM [dbo].[GUP_LIST] LEFT OUTER JOIN
dbo.SEM_COMPUTER ON dbo.GUP_LIST.COMPUTER_ID = dbo.SEM_COMPUTER.COMPUTER_ID

Database content size - only refers to stored definition size and does not include client install packages

SELECT SUM(DATALENGTH(CONTENT))/1024.0/1024/1024
AS "content size (GB)" FROM BINARY_FILE
WHERE TYPE='DownloadedContentFile'

Duplicated HWID query - result shows:
♦ Client computer ID and IP address
♦ Logged-in user
♦ Hardware Id

DECLARE @TimeZoneDiff int
-- SEPM stores TIME_STAMP as UTC epoch milliseconds; shift to the SQL Server's local time
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())
SELECT UPPER([COMPUTER_NAME]) AS COMPUTER_NAME
   , [COMPUTER_ID]
   , [HARDWARE_KEY]
   , [CURRENT_LOGIN_USER]
   , dateadd(minute, @TimeZoneDiff, dateadd(second, [TIME_STAMP]/1000, '1970-01-01T00:00:00')) as [Time Stamp]
   , [IP_ADDR1_TEXT]
   , [DELETED]   -- deleted records are listed too, so the full history of a name is visible
FROM [V_SEM_COMPUTER]
WHERE [COMPUTER_NAME] in
   (
      -- names that currently have more than one active (non-deleted) record
      SELECT [COMPUTER_NAME]
      FROM [V_SEM_COMPUTER]
      WHERE [DELETED] = 0
      GROUP BY [COMPUTER_NAME]
      HAVING COUNT([COMPUTER_NAME]) > 1
   )
ORDER BY [COMPUTER_NAME]
   , [Time Stamp] DESC

Virus definitions query - gives the following information:
♦ SEP client computer name
♦ Virus definitions
♦ Last check-in of client to SEPM
♦ SEP Client Version

-- One row per computer: the SEM_AGENT record with the newest LAST_UPDATE_TIME,
-- joined to the virus definition revision (PATTERN) that record points at
SELECT SEM_COMPUTER.COMPUTER_NAME AS 'Computer name',
PATTERN.Version AS 'Virus definition used',
-- LAST_UPDATE_TIME is UTC epoch milliseconds; no local-time shift is applied here
dateadd(second, SEM_AGENT.LAST_UPDATE_TIME/1000, '1970-01-01T00:00:00') AS 'Last check-in (GMT)', SEM_AGENT.AGENT_VERSION
FROM SEM_COMPUTER
INNER JOIN SEM_AGENT ON SEM_AGENT.COMPUTER_ID=SEM_COMPUTER.COMPUTER_ID
INNER JOIN SEM_CONTENT ON SEM_CONTENT.AGENT_ID=SEM_AGENT.AGENT_ID
INNER JOIN PATTERN ON PATTERN.PATTERN_IDX=SEM_AGENT.PATTERN_IDX
INNER JOIN (
-- newest check-in per computer name; the DELETED filters stop a deleted agent
-- record from being chosen as the newest and then dropped by the outer WHERE
SELECT SEM_COMPUTER.COMPUTER_NAME AS 'TempHostName',
MAX(SEM_AGENT.LAST_UPDATE_TIME) AS 'TempMax'
FROM SEM_COMPUTER
INNER JOIN SEM_AGENT ON SEM_AGENT.COMPUTER_ID=SEM_COMPUTER.COMPUTER_ID
WHERE SEM_AGENT.DELETED='0'
AND SEM_COMPUTER.DELETED='0'
GROUP BY COMPUTER_NAME)
TestTable ON TestTable.TempHostName=SEM_COMPUTER.COMPUTER_NAME
AND TestTable.TempMax=SEM_AGENT.LAST_UPDATE_TIME
WHERE PATTERN.PATTERN_TYPE='VIRUS_DEFS'
AND PATTERN.DELETED='0'
AND SEM_CONTENT.DELETED='0'
AND SEM_AGENT.DELETED='0'
AND SEM_COMPUTER.DELETED='0'
-- GROUP BY without aggregates acts as DISTINCT here
GROUP BY SEM_COMPUTER.COMPUTER_NAME, SEM_AGENT.LAST_UPDATE_TIME, PATTERN.Version, SEM_AGENT.AGENT_VERSION
ORDER BY SEM_COMPUTER.COMPUTER_NAME ASC, SEM_AGENT.LAST_UPDATE_TIME DESC;
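As an added example that is not part of the original article, the same tables answer the question an operator usually asks next: which clients have not checked in for a given number of days, and which definitions were they running when last seen. A client that has been silent for longer than a few heartbeat intervals is a coverage gap, not a reporting artifact. The query keeps one row per computer by ranking SEM_AGENT rows with ROW_NUMBER() instead of the MAX()/GROUP BY join above; the @StaleDays threshold is an assumed parameter, and the column names are the ones used by the queries on this page.

```sql
-- Added example, not from the original article: clients that have not checked in
-- for @StaleDays days, with the virus definitions they last reported.
-- Assumed: @StaleDays is a local threshold; the SEM_AGENT, SEM_COMPUTER and PATTERN
-- columns are the same ones used by the virus definitions query above.
DECLARE @StaleDays int
SET @StaleDays = 7
DECLARE @TimeZoneDiff int
-- current offset between the SQL Server's clock and UTC; it does not account for a DST
-- change between the event time and now, so treat the local-time column as approximate
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())
-- cut-off expressed as UTC epoch milliseconds, the unit SEPM stores in LAST_UPDATE_TIME
DECLARE @CutoffMs bigint
SET @CutoffMs = CAST(datediff(second, '1970-01-01T00:00:00', dateadd(day, -@StaleDays, getutcdate())) AS bigint) * 1000;

WITH LatestAgent AS (
    -- one SEM_AGENT row per computer: the newest non-deleted record
    SELECT SA.COMPUTER_ID, SA.AGENT_VERSION, SA.PATTERN_IDX, SA.LAST_UPDATE_TIME,
           ROW_NUMBER() OVER (PARTITION BY SA.COMPUTER_ID
                              ORDER BY SA.LAST_UPDATE_TIME DESC) AS RN
    FROM SEM_AGENT SA
    WHERE SA.DELETED = '0'
)
SELECT UPPER(SC.COMPUTER_NAME) AS [Computer name],
       SC.IP_ADDR1_TEXT AS [IP address],
       LA.AGENT_VERSION AS [SEP version],
       P.Version AS [Virus definition used],
       dateadd(minute, @TimeZoneDiff,
               dateadd(second, LA.LAST_UPDATE_TIME/1000, '1970-01-01T00:00:00')) AS [Last check-in (local)],
       -- computed in UTC on both sides, so it does not depend on @TimeZoneDiff
       datediff(day, dateadd(second, LA.LAST_UPDATE_TIME/1000, '1970-01-01T00:00:00'),
                getutcdate()) AS [Days since check-in]
FROM SEM_COMPUTER SC
INNER JOIN LatestAgent LA ON LA.COMPUTER_ID = SC.COMPUTER_ID AND LA.RN = 1
-- LEFT JOIN so a client with no matching definition record is still reported as stale
LEFT JOIN PATTERN P ON P.PATTERN_IDX = LA.PATTERN_IDX
                   AND P.PATTERN_TYPE = 'VIRUS_DEFS'
                   AND P.DELETED = '0'
WHERE SC.DELETED = '0'
  AND LA.LAST_UPDATE_TIME < @CutoffMs
ORDER BY [Days since check-in] DESC, [Computer name];
```

Run it with a read-only login against the SEPM database, as with the other queries on this page. Sort order puts the longest-absent clients first; a NULL in the definition column means the client's last agent record does not point at a current VIRUS_DEFS revision, which is worth a look on its own.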

BIOS Version check - lists clients whose BIOS version string identifies a virtual machine (VMware reports 'INTEL  - 6040000', Hyper-V 'VRTUAL', plus Xen and VirtualBox strings) but which sit outside the groups you use for virtual machines; replace the two YOUR_VIRTUAL_GROUP placeholders with your own group names. The following information is returned:
♦ SEP Client computer name
♦ IP Address
♦ Group assignment
♦ BIOS Version

select DISTINCT SC.COMPUTER_NAME,
    SC.IP_ADDR1_TEXT,
    G.NAME,
    SC.BIOS_VERSION
FROM dbo.V_SEM_COMPUTER SC
-- V_AGENT_SYSTEM_LOG is a log view: a client that has moved between groups can appear
-- once per group it has logged from, and DISTINCT only removes exact duplicate rows
INNER JOIN dbo.V_AGENT_SYSTEM_LOG ASL
ON SC.COMPUTER_ID = ASL.COMPUTER_ID
INNER JOIN dbo.V_GROUPS G
ON ASL.GROUP_ID = G.ID
-- replace the two placeholders with the names of the groups meant to hold virtual machines
where G.NAME NOT LIKE '%YOUR_VIRTUAL_GROUP_FOR_CLIENTS%'
AND G.NAME NOT LIKE '%YOUR_VIRTUAL_GROUP_FOR_SERVERS%'
-- BIOS strings reported by common hypervisors: VMware ('INTEL  - 6040000', the double space is
-- part of the string), Xen, VirtualBox and Hyper-V ('VRTUAL')
AND (
    SC.BIOS_VERSION LIKE '%INTEL  - 6040000%'
    OR SC.BIOS_VERSION LIKE '%XEN%'
    OR SC.BIOS_VERSION LIKE '%VBOX%'
    OR SC.BIOS_VERSION LIKE '%VRTUAL%'
)
order by SC.COMPUTER_NAME
;

Computer/user mode query - the first query lists clients in computer mode ([POLICY_MODE] = 1), the second lists clients in user mode ([POLICY_MODE] = 0), together with the user name recorded on the SEP client.

SELECT UPPER([COMPUTER_NAME]) as COMPUTER_NAME
, [USER_NAME]
, [POLICY_MODE]
FROM [SEM_CLIENT]
WHERE [POLICY_MODE] = 1
ORDER BY COMPUTER_NAME


SELECT UPPER([COMPUTER_NAME]) as COMPUTER_NAME
, [USER_NAME]
, [POLICY_MODE]
FROM [SEM_CLIENT]
WHERE [POLICY_MODE] = 0
ORDER BY COMPUTER_NAME

Symantec Insight™ and SONAR

What Is Symantec Insight™ and SONAR

Symantec Insight™ is a cloud-based reputation technology that identifies new and mutating threats as soon as they appear. It rates a file by its age, prevalence, origin and anonymous telemetry from Symantec's user base, which lets it flag rapidly changing, repacked or mutating code that has no signature yet. Insight is designed to detect such threats rapidly and accurately.

Symantec Online Network for Advanced Response (SONAR) proactively detects new threats based on their behavior. It complements Insight by monitoring what a program does once it runs, which improves detection of zero-day threats and previously unknown malware.

Together, Insight and SONAR form a reputation- and behavior-based approach that can detect malware as soon as it appears. Powering Symantec Endpoint Protection 12, these technologies are presented by Symantec as the fastest and most effective endpoint protection available, built for both physical and virtual environments, to stop malware from compromising your network.

Why signature-based security is not enough for today’s organizations

Mutating malware

Due to better tooling and easier access to malware toolkits, malware mutates rapidly and keeps finding new ways into organizations. Signature-based antivirus is only as effective as its latest definitions, so organizations need a solution that can detect and block new malware almost as soon as it is created, based on a file's age, reputation rating and association with known threats.


Advanced persistent threats (APTs)

  • Distribution via social engineering: they induce unsuspecting employees to download files or open links that appear to come from trusted partners or colleagues
  • Customized attacks: they exploit security loopholes and tailor their tools, such as zero-day exploits, viruses, worms and rootkits
  • Long-term campaigns: they avoid detection by attacking slowly over long periods, remaining undetected as they work towards their objective
  • Focused and targeted: they are aimed at organizations with valuable technology or intellectual property, targeting distinct individual systems instead of the "spray and pray" approach of phishing scams
  • Higher aspirations: APT attackers are often well funded and analyze stolen information for further opportunities instead of simply selling it quickly
 
See the attached factsheet on Symantec Insight™ and SONAR for more.

IT Analytics for Symantec Endpoint Protection - Glossary of Terms

IT Analytics introduces powerful ad-hoc reporting and business intelligence tools, and along with it a few terms that may be new to you. To alleviate any confusion, this article describes a few key terms so that you can easily understand out-of-the-box functionality and start using the tool to gain deeper insight into your endpoint protection data to make informed decisions.

Measure
Measures are the aggregate counts, or how you quantify results when creating a pivot table view. These typically make up the columns in your report. Every view you create must contain at least one measure. (For example: Event Count)

Dimension
Dimensions are groupings of the specific data types you are quantifying when you create a pivot table view. These typically make up the rows in your report, but dimensions can also be used across columns or as filters. Every view you create must contain at least one dimension. If you have more than one dimension, you can drill in and out or change the order of dimensions to arrange the report the way you want it. Please see the Connect article for a list of all dimensions in IT Analytics.

Attribute
An attribute is a sub-grouping of data types for a specific dimension. A dimension may have one or more attributes, and these can be used like any other dimension. (For example: AntiVirus Policy - Description, AntiVirus Policy - Enabled, AntiVirus Policy - Name). Please see the Connect article for a list of all dimension attributes in IT Analytics.

Key Performance Indicator (KPI)
Quantifiable measures that represent a critical success factor in an organization. The emphasis is on quantifying something in the environment: a KPI must be measurable to be monitored and compared against a given objective. (For example: Number of Alerts in the Last 30 Days). Please see the Connect article on creating a key performance indicator in IT Analytics.

Cube
Multidimensional data structures (as opposed to relational tables) that store precompiled information from the SEP Manager database(s). Cubes contain measures and dimensions arranged for common reporting purposes. They are the underlying source for all reporting in IT Analytics and are stored in SQL Server Analysis Services. Please see the Connect article for a list of all cubes in IT Analytics.

Report or Dashboard
Pre-developed reports hosted by the Reporting Services component of SQL Server. Several out-of-the-box reports and dashboards are available on install, and you can create your own with Report Builder.

SQL Analysis Services
The SQL Server component that hosts and processes all cubes within IT Analytics. It is required to install IT Analytics. Please see the Connect article on configuring Analysis Services and installing IT Analytics.

SQL Reporting Services
The SQL Server component that hosts all reports and dashboards within IT Analytics. It is required to install IT Analytics. Please see the Connect article on configuring Reporting Services and installing IT Analytics.

Report Builder
A client-side application (developed by Microsoft and free with Reporting Services) that you can use to create and design reports. With Report Builder you can design reports based on your IT Analytics data without having to understand the underlying schema or a programming language. Please see the Connect article on creating custom reports in Report Builder.

Pivot Table
An arrangement of measures and dimensions from a specific cube in tabular form, with the goal of creating an ad-hoc report. Please see the Connect article on working with pivot tables in IT Analytics.

Pivot Chart
An arrangement of measures and dimensions from a specific cube in chart format, with the goal of creating a visually informative report. Please see the Connect article on working with pivot tables in IT Analytics.

Content Pack
A software component that bundles cubes, reports and dashboards specific to a particular Symantec solution suite. IT Analytics content packs are currently available for:
  • IT Management Suite (Altiris)
  • Symantec Endpoint Protection
  • Data Loss Prevention
  • Critical System Protection
  • ServiceDesk

Parameter
Typically a dimension attribute used to filter data within an IT Analytics report or dashboard. This technique is used within Report Builder when creating reports.

Processing Schedule
The frequency at which data is purged and then recompiled within the IT Analytics cubes. Typically this is done once a day, but depending on the environment, server resources and business requirements it can be set to process more frequently. The schedule is set within the IT Analytics configuration page, but the processing itself occurs within SQL Analysis Services.

Symantec Management Platform
This application hosts the IT Analytics configuration and reporting interface. It is required to install IT Analytics. Please see the Connect article on installing the Symantec Management Platform.

Symantec Installation Manager
This application allows you to download, install and update software hosted by the Symantec Management Platform, including IT Analytics. To install the Symantec Installation Manager, download the IT Management Suite trialware from Symantec's trialware site.
