Getting up and running on Symantec Endpoint Protection for the first time

Article: HOWTO55274  |  Created: 2011-06-29  |  Updated: 2014-11-04  |  Article Type: How To



You should assess your security requirements and decide if the default settings provide the balance of performance and security you require. Some performance enhancements can be made immediately after you install Symantec Endpoint Protection Manager.

Table: Tasks to install and configure Symantec Endpoint Protection lists the tasks you should perform to install and protect the computers in your network immediately.

Table: Tasks to install and configure Symantec Endpoint Protection



Plan your network architecture

Before you install the product, perform the following tasks:

  • Make sure the computer on which you install the management server has the minimum system requirements.

  • If you install or upgrade to the Microsoft SQL Server database, make sure that you have the user name and password information.

    See About SQL Server configuration settings.

  • For networks with more than 500 clients, determine the sizing requirements.

    You need to evaluate several factors to ensure good network and database performance. For example, you should identify how many computers need protection and how often to schedule content updates.

    For more information to help you plan medium to large-scale installations, see the Symantec white paper, Sizing and Scalability Recommendations for Symantec Endpoint Protection.

Install or migrate the management server

Whether you install the product for the first time, upgrade from a previous version, or migrate from another product, you install Symantec Endpoint Protection Manager first.

See Installing the management server and the console.

See About migrating to Symantec Endpoint Protection.

Increase the time that the console leaves you logged on

The console logs you out after one hour. You can increase this period of time.

See Increasing the time period for staying logged on to the console.

Create groups and locations

You can add the groups that contain computers based on the level of security or function the computers perform. For example, you should put computers with a higher level of security in one group, or a group of Mac computers in another group.

Use the following group structure as a basis:

  • Desktops

  • Laptops

  • Servers

See How you can structure groups.

See Adding a group.

You can migrate existing Active Directory groups when you install Symantec Endpoint Protection Manager. If you are running legacy Symantec protection, you usually upgrade policy and group settings from your older version.

See Importing an existing organizational structure.

You can apply a different level of security to computers based on whether they are inside or outside the company network. To use this method, you create separate locations and apply different security policies to each location. In general, computers connecting to your network from outside of your firewall need to have stronger security than those that are inside your firewall.

You can set up a location that allows the mobile computers that are not in the office to update their definitions automatically from Symantec's servers.

See Adding a location to a group.

Disable inheritance on special groups

By default, groups inherit the security and the policy settings from the default parent group, "My Company." You must disable inheritance before you can change the security and the policy settings for any new groups you create.

See Disabling and enabling a group's inheritance.

Change communication settings to increase performance

You can improve network performance by changing the client-server communication settings in each group by modifying the following settings:

  • Use pull mode instead of push mode to control when clients use network resources to download policies and content updates.

  • Increase the heartbeat interval and the randomization interval. For under 100 clients per server, increase the heartbeat to 15-30 minutes. For 100 to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval.

  • Increase the download randomization to between one and three times the heartbeat interval.

See Randomizing content downloads from the default management server or a Group Update Provider.

See Configuring push mode or pull mode to update client policies and content.

For more information, see the Symantec Endpoint Protection sizing and scalability white paper.

Modify the Firewall policy for the remote computers group and the servers group

  • Increase the security for remote computers by making sure that the following default firewall rules for an off-site location stay enabled:

    • Block Local File Sharing to external computers

    • Block Remote Administration

  • Decrease the security for the servers group by making sure that the following firewall rule stays enabled: Allow Local File Sharing to local computers. This firewall rule ensures that only local traffic is allowed.

See Customizing firewall rules.

See Managing locations for remote clients.

Modify the Virus and Spyware Protection policy

Change the following default scan settings:

Activate the product license

Purchase and activate a license within 60 days of product installation.

See Activating your new or renewed Symantec Endpoint Protection 12.1 product license.

Prepare computers for client installation (optional)

Before you install the client software, perform the following tasks, if necessary:

  • Uninstall third-party virus protection software from your computers.

    For more information on a tool to uninstall any competitive product automatically, see the knowledge base article, SEPprep competitive product uninstall tool.

  • If you deploy client software remotely, first modify the firewall settings on your client computers to allow communication between the computers and the management server.

See About firewalls and communication ports.

See Preparing for client installation.

Install the client software with the Client Deployment Wizard

Create a client installation package and deploy it on your client computers.

As a best practice, change the name of the default export package to a name that uniquely identifies the package in your system.

See Deploying clients using a Web link and email.

See Configuring client installation package features.

See Exporting client installation packages.

  • For the Auto-Protect components, uncheck Lotus Notes if you have Microsoft Outlook. If you have Mail Security, deselect Microsoft Outlook and Lotus Notes. To help block mass e-mailers, you can leave the standard POP/SMTP enabled but still disable Microsoft Outlook and Lotus Notes.

  • Use Computer mode for most environments, not User mode.

    See Switching a client between user mode and computer mode.

Check that the computers are listed in the groups that you expected and that the client communicates with the management server

In the management console, on the Clients > Clients page:

  1. Change the view to Client status to make sure that the client computers in each group communicate with the management server.

    Look at the information in the following columns:

  2. Change to the Protection technology view and ensure that the following protections are On:

    • Antivirus status

    • Firewall status

    See Viewing the protection status of clients and client computers.

  3. On the client, check that the client is connected to a server, and check that the policy serial number is the most current one.

    See Checking the connection or reconnecting to the management server.

See Troubleshooting communication problems between the management server and the client.

Make one client computer in each network segment into a detector for unprotected endpoints

For each network segment, enable one client computer to detect when a new computer that is not protected is added to the network. These computers are called unmanaged detectors and the option is Enable as Unmanaged Detector.

See Configuring a client to detect unknown devices.

Configure the content revisions available to clients to reduce bandwidth

Set the number of content revisions that are stored on the server to reduce bandwidth usage for clients.

  • Typically, three content updates are delivered per day. You configure the number of updates that are retained on the server, and you generally want to store only the most recent content updates. A client that has not connected during the time it takes the server to accumulate the set number of updates downloads an entire content package. An entire package is in excess of 100 MB. An incremental update is between 1 MB and 2 MB. Set the number of stored updates to a value that minimizes how often a client must download a complete update package.

  • As a rule of thumb, 10 content revisions use approximately 3.5 GB of disk space on the Symantec Endpoint Protection Manager.

For more information about calculating storage and bandwidth needs, see the Symantec Endpoint Protection sizing and scalability white paper.
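
The trade-off described above, as an added example that is not part of the original article or of Symantec's tooling: a Python calculation that estimates server disk use and client download volume for a chosen number of retained content revisions. The offline-gap list is constructed sample data; charging 2 MB per missed revision and scaling disk use linearly from the 10-revision figure are simplifying assumptions.

```python
import math

UPDATES_PER_DAY = 3          # article: typically three content updates per day
FULL_PACKAGE_MB = 100.0      # article: a full package exceeds 100 MB (lower bound)
INCREMENTAL_MB = 2.0         # article: incremental is 1-2 MB (upper bound, assumed per revision)
DISK_GB_PER_REVISION = 0.35  # article: 10 revisions ~ 3.5 GB (linear scaling assumed)

# Constructed sample: days since each client last contacted the server.
OFFLINE_DAYS_SAMPLE = [0, 0, 1, 1, 2, 3, 3, 4, 7, 14]


def missed_revisions(days_offline):
    """Revisions published while the client was disconnected."""
    return math.ceil(days_offline * UPDATES_PER_DAY)


def download_mb(days_offline, retained):
    """MB a returning client pulls: nothing, incrementals, or the full package."""
    missed = missed_revisions(days_offline)
    if missed == 0:
        return 0.0
    if missed >= retained:  # the client's revision has aged off the server
        return FULL_PACKAGE_MB
    return min(missed * INCREMENTAL_MB, FULL_PACKAGE_MB)


def plan(offline_days, retained):
    """Summarize disk cost and client traffic for one retention setting."""
    return {
        "retained": retained,
        "disk_gb": round(retained * DISK_GB_PER_REVISION, 2),
        "full_downloads": sum(1 for d in offline_days
                              if missed_revisions(d) >= retained),
        "total_mb": sum(download_mb(d, retained) for d in offline_days),
    }


def smallest_retention(offline_days, max_disk_gb, max_full_downloads=0):
    """Smallest revision count within the disk budget that keeps full-package
    downloads at or below the target; None when the budget cannot meet it."""
    for retained in range(1, int(max_disk_gb / DISK_GB_PER_REVISION) + 1):
        if plan(offline_days, retained)["full_downloads"] <= max_full_downloads:
            return retained
    return None


if __name__ == "__main__":
    for n in (10, 30, 43):
        print(plan(OFFLINE_DAYS_SAMPLE, n))
    print("fits 20 GB:", smallest_retention(OFFLINE_DAYS_SAMPLE, 20))
```

Replace the sample list with the last check-in ages of your own clients to see how many of them would fall back to a full package at each setting.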

Check the LiveUpdate schedule and adjust if necessary

Make sure that the content updates download to client computers at a time that affects users the least.

See Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager.

Configure Symantec Endpoint Protection Manager to send email alerts

Alerts and notifications are critical to maintaining a secure environment and can also save you time.

See Managing notifications.

Configure notifications for a single risk outbreak and when a new risk is detected

Create a notification for a Single risk event and modify the notification for Risk Outbreak.

For these notifications, do the following:

  1. Change the Risk severity to Category 1 (Very Low and above) to avoid receiving emails about tracking cookies.

  2. Keep the Damper setting at Auto.

See Setting up administrator notifications.

Table: Tasks to perform two weeks after you install displays the tasks to perform after you install and configure the product to assess whether the client computers have the correct level of protection.

Table: Tasks to perform two weeks after you install



Exclude applications and files from being scanned

You can increase performance by configuring the client so that it does not scan certain folders and files. For example, the client scans the mail server every time a scheduled scan runs.

You can improve performance by excluding the folders and files that are known to cause problems if they are scanned. For example, Symantec Endpoint Protection should not scan the proprietary Microsoft SQL Server files. To enhance performance and avoid any chance of corruption or files being locked when the Microsoft SQL Server must use them, you should create exceptions to prevent scanning of the folders that contain these database files.

For more information, see the knowledge base article, How to exclude MS SQL files and folders using Centralized Exceptions.

You can also exclude files by extension for Auto-Protect scans.

See Creating exceptions for Symantec Endpoint Protection.

See Customizing Auto-Protect for Windows clients.

See About commands you can run on client computers.

Run a quick report and scheduled report after the scheduled scan

Run the quick reports and scheduled reports to see whether the client computers have the correct level of security.

See About the types of reports.

See Running and customizing quick reports.

See Creating scheduled reports.

Check to ensure that scheduled scans have been successful and clients operate as expected

Review monitors, logs, and the status of client computers to make sure that you have the correct level of protection for each group.

See Monitoring endpoint protection.
