Symantec Endpoint Protection 11.0 Frequently Asked Questions

Article:TECH102211  |  Created: 2007-01-19  |  Updated: 2012-05-14  |  Article URL http://www.symantec.com/docs/TECH102211
Article Type
Technical Solution


Issue



This document answers specific questions about Symantec Endpoint Protection 11.0 (SEP 11) that administrators of earlier Symantec products may have.


Solution



General

Are there any features or functions in Symantec AntiVirus 10.x (SAV 10.x) that are not in Symantec Endpoint Protection?
SAVRoam is not in Symantec Endpoint Protection, because the reasons it existed (that is, scalability of Symantec AntiVirus servers and inter-site bandwidth) have been addressed in Symantec Endpoint Protection. Also, other new functionality such as failover, load balancing, Group Update Providers (GUPs), and auto-location address parts of the original SAVRoam purpose.

A different communication model replaces the Virus Definition Transport Method (VDTM) in Symantec Endpoint Protection. This change can affect firewall administrators (who need to know new communication ports and protocols) and administrators who used tool sets built around the Virus Definition Transport Method technology (e.g. using Quarantine Server to provide updates).

Is VMware supported as a platform for Symantec Endpoint Protection?
VMware is a supported platform for Symantec Endpoint Protection, but it is not an optimized experience. Optimization will come in future releases as the Symantec Endpoint Protection team works with VMware to provide better integration kits.

Will the LiveUpdate Administrator be updated?
Yes. A new version of LU Admin released concurrently with Symantec Endpoint Protection.  The new internal LiveUpdate server tool is called LiveUpdate Administrator 2.x (LUA 2.x).  For the latest information, please see Current Versions of LiveUpdate Administrator Tools.

Does Symantec Endpoint Protection support computers with multiple Network Interface Cards (NIC)?
Yes. You can have multiple NICs on the Symantec Endpoint Protection Manager (SEPM) and clients.

Will I be able to use the Symantec Endpoint Protection Manager to manage other Symantec products in the future?
Yes. The ultimate goal is to have the Symantec Endpoint Protection Manager (SEPM) manage all Symantec Endpoint technologies and products, which includes: Data Leakage Protection (DLP), Critical System Protection (SCSP), and Symantec AntiVirus for Linux (SAVFL). Refer to the Symantec Endpoint Security Web Portal for updates to the roadmap.

Note: administration and management of Macintosh clients through the SEPM was introduced in SEP 11 RU6.  For more information on SEP for Macintosh, please see Symantec Endpoint Protection for Macintosh Frequently Asked Questions.  Older SAV for Mac clients cannot be administered through the SEPM.


Will there be a Symantec Security Information Manager (SSIM) collector for Symantec Endpoint Protection?
Yes. An SSIM collector released concurrently with Symantec Endpoint Protection.

Does the Group Update Provider replace the secondary management server which was previously used in Symantec AntiVirus/Symantec Client Security?
The answer depends on how the secondary management server was used in your network. You must consider the number of clients that need to retrieve content updates. A Group Update Provider can provide content for over 10,000 clients, assuming some best practices are followed. For more information, see the following KB article: http://www.symantec.com/business/support/index?page=content&id=TECH95353&locale=en_US. In practice, you can replace a secondary management server with a Group Update Provider, a Symantec Endpoint Protection Manager, a Symantec Endpoint Protection Manager and Database (site), or consolidate it into an existing site.

Can I configure where client log files are copied on the Symantec Endpoint Protection Server?
Yes. Unlike previous versions of Symantec AntiVirus, you can now configure where client logs are copied to on the Symantec Endpoint Protection Manager.


Protection Features

Does generic exploit blocking scan for Microsoft vulnerabilities only, or other software as well?
Generic exploit blocking protects mostly against Microsoft vulnerabilities, but there are other vulnerability signatures included as well.

Does generic exploit blocking require signature updates?
Yes. Symantec Security Response creates signatures for new vulnerabilities as necessary.

Does Symantec Endpoint Protection provide protection against buffer overflows?
Yes. Symantec Endpoint Protection provides Buffer Overflow protection through its Network Intrusion Prevention System (IPS).

What does Proactive Threat Protection (PTP) view as good and bad behavior?
Proactive Threat Protection views signed applications as good behavior. Some examples of bad behavior include several open ports, listening on ports, and unsigned applications.

How often does Proactive Threat Protection scan the computer?
By default, Proactive Threat Protection runs a scan every 15 minutes and whenever a new process loads. Trojan horses are remediated by default, while keyloggers are only logged.

Does Proactive Threat Scan replace Tamper Protection? Aren't some of their protection features redundant?
Proactive Threat Scan does not replace Tamper Protection. Instead the two protection features complement each other. Tamper Protection protects Symantec processes against attack. Proactive Threat Scan technology protects your computers against unknown vulnerabilities and zero day attacks.

How has Symantec Endpoint Protection improved scan throttling?
Previously, Symantec AntiVirus set the priority of a scan so that the scan would not interfere with other processes using system resources. This method proved ineffective, because it was not necessarily the priority of the scan that degraded performance, but rather how many processes were consuming CPU or I/O. Symantec Endpoint Protection now watches for new and existing processes that take CPU time, perform I/O, or use memory. When the Symantec Endpoint Protection scanner sees these types of events, it sleeps for a short period before it checks whether system resources have been freed. The overall experience for the end user is that the scanner does not interfere with their applications and that the scan completes in a timely manner.

Can I use wildcards and system variables when creating centralized exceptions?
For Security Risk Exceptions and Tamper Protection Exceptions, you can use predefined system variables by specifying a prefix variable along with a file or a folder name.
Wildcards are not supported for Security Risk Exceptions and Tamper Protection Exceptions.

Is Rootkit detection and removal part of the Symantec Endpoint Protection Client?
Yes. The Symantec Endpoint Protection Client protects against rootkits. Additional information is available in Security Response's January 2012 white paper on Rootkits.


Installation

Can I install the Symantec Endpoint Protection client as unmanaged?
Yes. The Symantec Endpoint Protection client installation on the CD installs the client as unmanaged by default.

Can I create a single installation package that includes the Symantec Endpoint Protection and Symantec Network Access Control clients?
Yes. Although the Symantec Endpoint Protection client is one product and the Symantec Network Access Control (SNAC) client is another product, you can create an installation package that installs both products, and manage both products from a single Symantec Endpoint Protection Manager.


Can I install the Symantec Endpoint Protection Manager on 32-bit Windows XP SP2?
Yes, but it is NOT recommended. Windows XP SP2 is limited to ten simultaneous connections. The Endpoint Protection Manager uses Internet Information Services (IIS) for reporting, so the limit on simultaneous connections is easily reached.

Can I uninstall clients from the Symantec Endpoint Protection Manager Console?
No. You cannot remotely uninstall Symantec Endpoint Protection clients from the Symantec Endpoint Protection Manager console. You can use Altiris or third party solutions such as SMS to uninstall clients remotely.

Can the Symantec Endpoint Protection client be deployed over a VPN connection?
While such a method of deployment is feasible, it is not recommended due to the risk of packet loss, which can result in an incorrect installation. The recommended method is to download the SETUP.EXE program directly to the computer and then proceed with the installation locally.


Migration

What should I think about in advance before I begin migrating my Symantec AntiVirus environment to Symantec Endpoint Protection?
Consider several factors before you begin your migration:

  • Do you have the resources to create a test migration environment?
    If you can create such an environment, it would be highly beneficial before you begin migration so that you can test exactly how clients and servers are grouped, which settings are migrated, and the overall migration success rate.
  • Can you perform a complete migration to Symantec Endpoint Protection?
    If your network contains operating systems (such as Netware) that are not supported with Symantec Endpoint Protection, then Symantec System Center must manage a subset of the clients and servers.
  • Do you want to create new client groupings or use the existing groupings from Symantec System Center?
  • How do you plan on migrating Symantec Endpoint Protection to your clients? Do you plan to use third party tools or the Migration and Deployment Wizard?
  • After you determine the method that you want to use to migrate your clients, you can determine whether to use certain Symantec Endpoint Protection features.
  • Are there client settings that you must disable or reconfigure to ensure successful migration?
  • Some client settings such as scheduled scans must be disabled before you begin migration.

Before you begin migration, you must read the migration chapters in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

What are the general steps to migrating Symantec AntiVirus to Symantec Endpoint Protection?
You must complete the following steps to migrate Symantec AntiVirus to Symantec Endpoint Protection in the order listed:

  1. Uninstall the Reporting Server if you have it installed.
  2. Use Symantec System Center to configure settings for the management server and clients that prepare them for migration.
    These setting changes are: disable scheduled scans, modify Quarantine purge options, delete histories, disable LiveUpdate, disable roaming, unlock server groups, and disable Tamper Protection. Install the Symantec Endpoint Protection Manager.
  3. Migrate your legacy clients and servers.
  4. Uninstall Symantec System Center.
  5. Migrate the legacy client or server that was used to protect the computer running Symantec System Center.

This procedure is generalized. If you plan on managing endpoints with both Symantec System Center and Symantec Endpoint Protection Manager, the steps are different. You should consult the migration chapters in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information.

Should I install the Symantec Endpoint Protection Manager console on the same computer as Symantec System Center?
You can install the Symantec Endpoint Protection Manager console on the same computer as Symantec System Center, but it is not required. If you plan on managing a large number of legacy Symantec clients, a best practice is not to install the Symantec Endpoint Protection Manager console on the same computer that runs Symantec System Center to avoid performance and communication problems.

Do I need to create a completely new infrastructure after migrating to Symantec Endpoint Protection Manager?
No. You can reuse the infrastructure that you created for Symantec System Center. During the migration process, you are asked how your clients inherit settings: whether from their server group or parent management server. The option you choose affects how legacy clients and servers appear in the Symantec Endpoint Protection Manager console based on the previous Symantec System Center infrastructure.

Are all client settings migrated?
No. Tamper Protection settings are not migrated. Tamper Protection settings are included in the client general settings rather than the AntiVirus and AntiSpyware policy. Also, you must reconfigure the settings that you disabled for migration, such as scheduled scans, LiveUpdate, and Quarantine purge.

Previously, migrating to newer versions of Symantec AntiVirus required a full product installation, which stressed bandwidth limitations over WAN links. Have there been any changes in this process to limit the problems with bandwidth?
With Symantec Endpoint Protection, you can create installation packages that contain only the components that are necessary for the targeted clients. Additionally, you can stagger client deployments to minimize performance issues in your network.

Do I need to restart the Symantec Endpoint Protection client after migration?
A restart is not required, but the computers that are not restarted after migration are protected with only AntiVirus/AntiSpyware features. You must perform a restart to protect your computers with firewall features.

What versions of Symantec AntiVirus/Symantec Client Security can I migrate to Symantec Endpoint Protection?
You can migrate Symantec AntiVirus 9.x and Symantec Client Security 2.x or newer versions to Symantec Endpoint Protection. You can also migrate from Symantec AntiVirus 10.2 for Windows Vista.

Can I migrate Symantec AntiVirus 8.x and Symantec Client Security 1.x or older versions?
No. The client installation routine blocks the migration for these unsupported versions. You must uninstall the older version, then install Symantec Endpoint Protection. Before you do so, you should ensure that Symantec Endpoint Protection supports the operating system platform. If Symantec Endpoint Protection does not support the operating system, you may want to continue using Symantec System Center to manage these clients, or consider an upgrade to a supported operating system.

What happens if the migration fails?
If the migration fails, you can analyze the installation log to determine why it failed. The Windows Installer and Migration and Deployment Wizard create log files that can be used to verify whether or not an installation was successful. The log files list the components that were successfully installed, and provide a variety of details that are related to the installation package. If the installation is not successful, an entry indicates that the installation failed. Typically, look for Value 3 to find failures. The log file (vpremote.log) that is created when you use the Migration and Deployment Wizard is located in the \\Windows\temp directory.
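To triage the Windows Installer log that the answer refers to, here is an added Python example (not Symantec's tooling) that scans a verbose installer log for actions that ended with return value 3 and reports the first failing action together with the last "Error NNNN." message logged before it. The sample log text is constructed for the example, not captured from a real installation.

```python
import re
from typing import Optional

# Constructed sample modelled on the "Action ended ... Return value N" lines
# that Windows Installer verbose logs contain. Not a real SEP migration log.
SAMPLE_LOG = """\
=== Verbose logging started: 5/14/2012 10:02:11 ===
MSI (s) (4C:88) [10:02:11:123]: Doing action: INSTALL
Action start 10:02:11: INSTALL.
Action start 10:02:11: AppSearch.
Action ended 10:02:11: AppSearch. Return value 1.
Action start 10:02:12: LaunchConditions.
Action ended 10:02:12: LaunchConditions. Return value 1.
Action start 10:02:12: ValidateProductID.
Action ended 10:02:12: ValidateProductID. Return value 1.
Action start 10:02:14: InstallFiles.
MSI (s) (4C:88) [10:02:15:000]: Note: 1: 1304 2: C:\\Program Files\\Symantec\\example.dll
Error 1304. Error writing to file: example.dll. Verify that you have access to that directory.
Action ended 10:02:40: InstallFiles. Return value 3.
Action ended 10:02:40: INSTALL. Return value 3.
MSI (s) (4C:88) [10:02:40:500]: Product: Symantec Endpoint Protection -- Installation failed.
=== Logging stopped: 5/14/2012 10:02:40 ===
"""

# "Action ended HH:MM:SS: <ActionName>. Return value N."
ACTION_RE = re.compile(r"^Action ended (\d{1,2}:\d{2}:\d{2}): (\S+?)\. Return value (\d+)\.$")
# "Error NNNN. <message>"
ERROR_RE = re.compile(r"^Error (\d+)\. (.*)$")

# Return values Windows Installer writes for an action; 3 is the fatal one
# the answer tells you to look for. Other codes are reported numerically.
RETURN_CODES = {1: "success", 2: "cancelled by user", 3: "fatal error"}


def parse_action_results(log_text: str) -> list:
    """Return (time, action, return_value) for every 'Action ended' line."""
    results = []
    for line in log_text.splitlines():
        m = ACTION_RE.match(line.rstrip())
        if m:
            results.append((m.group(1), m.group(2), int(m.group(3))))
    return results


def find_failure(log_text: str) -> Optional[dict]:
    """Locate the first action that ended with return value 3.

    The wrapper action (INSTALL) repeats the 3 after an inner action fails,
    so the first match is the one that actually broke. The last 'Error NNNN.'
    line seen before it is attached as the likely cause. None if nothing failed.
    """
    last_error = None
    for line in log_text.splitlines():
        line = line.rstrip()
        em = ERROR_RE.match(line)
        if em:
            last_error = (int(em.group(1)), em.group(2))
            continue
        am = ACTION_RE.match(line)
        if am and int(am.group(3)) == 3:
            return {"time": am.group(1), "action": am.group(2), "error": last_error}
    return None


def installation_succeeded(log_text: str) -> bool:
    """True only when the top-level INSTALL action ended with return value 1."""
    for _, action, rc in parse_action_results(log_text):
        if action == "INSTALL":
            return rc == 1
    return False  # no INSTALL result logged at all: treat as not successful


if __name__ == "__main__":
    for t, action, rc in parse_action_results(SAMPLE_LOG):
        print(f"{t} {action:<20} {rc} ({RETURN_CODES.get(rc, 'other')})")
    failure = find_failure(SAMPLE_LOG)
    print("succeeded:", installation_succeeded(SAMPLE_LOG))
    if failure:
        print("first failing action:", failure["action"], "error:", failure["error"])
```

Point the script at vpremote.log or the Windows Installer log by reading the file into a string and passing it to find_failure.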

Are exclusions migrated?
Yes. During migration, when you select to inherit settings from the server group or parent management server, those exclusion settings are migrated to centralized exceptions in the Symantec Endpoint Protection Manager console. If you migrate clients individually by running the installation on the local client, client exclusion settings are not migrated.

Is there a report that shows me migration progress?
Yes. You can run a report from the Reports Page. Choose Computer Status as the Report Type, and select Client Migration as the report to run. The following information is available:

  • Client Migrations by Group
  • Migrated Clients that were kept in the Same Group
  • Clients Waiting to Migrate


How long does it take to migrate my environment?
The answer to this question varies. Symantec recommends that you create a test environment where you can understand and become proficient with how migration works, i.e. which settings to configure before migrating, how policies are migrated, and where they appear in the Symantec Endpoint Protection Manager console. After you become comfortable with Symantec Endpoint Protection Manager and how Symantec AntiVirus policies are translated in the new environment, you should perform migration in stages to ensure that your network remains protected.

Are there any best practices for migration?
The following are best practices for migrating Symantec AntiVirus to Symantec Endpoint Protection:

  • Perform a site survey to determine which clients should be migrated to Symantec Endpoint Protection, and which clients should continue running Symantec AntiVirus.
  • Create a migration test environment where you can test migration procedures and results before you run the migration in your production environment.
  • If you have a large number of legacy Symantec AntiVirus clients and servers to manage, install the Symantec Endpoint Protection Manager on a different computer than the one running Symantec System Center.


You should refer to the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information on migration best practices.

What kind of success rate should I expect when migrating from Symantec AntiVirus to Symantec Endpoint Protection?
The more thorough that you perform pre-migration analysis and tasks, the better your success rate during migration. For example, if you ensure that scheduled scans are disabled on your clients, the chance that those clients migrate successfully increases. Additionally, if you create a migration test environment before you migrate to your production environment, you can greatly increase the migration success rate of your clients.

If supported versions of Sygate and Symantec AntiVirus are installed on the same computer, does a migration to Symantec Endpoint Protection upgrade both products?
Yes, as long as both the Sygate and Symantec AntiVirus versions can be migrated.


Symantec Endpoint Protection Client

What is device control?
Device control is a new feature that lets you block access to devices such as USB and Bluetooth on your Symantec Endpoint Protection clients.

Does the Symantec Endpoint Protection client support Exchange 2007?
The Symantec Endpoint Protection client supports email scanning on Exchange. Symantec Mail Security for Exchange supports Exchange 2007.

Will servers be able to function as firewall clients?
Yes. For your Symantec Endpoint Protection clients that are installed on server operating systems, you can configure the firewall policies to ensure the proper operation of the server computers.

Can Symantec Endpoint Protection deny access to a visitor laptop or computer that is not part of the domain?
Yes. You can use Symantec Network Access Control to deny access based on several configurable computer attributes. Symantec Network Access Control requires an additional license.

Can I protect my Linux computers with Symantec Endpoint Protection?
No, but you can use Symantec AntiVirus for Linux (SAVFL) to protect your Linux computers.

Is the Symantec Endpoint Protection client compatible with Symantec Gateway Security Appliances?
Yes. The Symantec Endpoint Protection client should work fine with Symantec Gateway Security appliances.

What ports do clients use to communicate with the Symantec Endpoint Protection Manager?
Clients use the default TCP ephemeral port range (1024 to 65535) for network communications. In practice, however, the ephemeral port that is used rarely exceeds 5000.

Does the Symantec Endpoint Protection client rely on the grc.dat file for configuration settings?
No. Sylink.xml has replaced the grc.dat file. The Symantec Endpoint Protection client relies on Sylink.xml, which contains information such as the client's management server.

What is the Symantec Endpoint Protection client footprint?
The footprint when all components (AntiVirus, AntiSpyware, firewall, device control, IPS) are active is 21 MB of space on the hard drive. The RAM footprint is between 20 and 25 MB.

Can the Symantec Endpoint Protection client have no user interface (UI)?
Yes. You can configure UI settings from the Clients Page in the SEPM.

Is the Symantec Endpoint Protection Client for 64-bit a native 64-bit application?
No. The Symantec Endpoint Protection Client is not a native 64-bit application. Some components are 64-bit, and some are not. Symantec Network Access Control is a native 64-bit application.


Symantec Endpoint Protection Manager and Console

Can I manage legacy Symantec AntiVirus clients from the Symantec Endpoint Protection Manager console?
No. You must use Symantec System Center to manage legacy Symantec AntiVirus clients and servers. For example, if you have Netware servers running Symantec AntiVirus, you should group these servers into a server group and use Symantec System Center to manage them. Symantec Endpoint Protection does support forwarding reporting data from Symantec AntiVirus to Symantec Endpoint Protection. This feature lets you view all data from one console.

Can I control the Symantec Endpoint Protection firewall by Group Policy Objects (GPO) like XP and Vista?
No. Symantec Endpoint Protection integrates with Active Directory, but it does not integrate with GPOs.

Can I centrally manage both PCs and Macintosh computers from the Symantec Endpoint Protection Manager Console?
No. However, the capability to centrally manage Macintosh computers and PCs is planned. The ultimate goal is to have the Symantec Endpoint Protection Manager manage all endpoint security solutions released by Symantec.

Can I detect unprotected computers from the Symantec Endpoint Protection Manager console?
Yes. You can use the Find Unmanaged Computers Task and Network Audit from the Clients page to detect the computers that Symantec Endpoint Protection does not protect.

Is the Active Directory (AD) tracking mechanism Originator Identification (OID) or domain name (dn)? Does a change to the name of the group in AD show up as a rename after Symantec Endpoint Protection Manager is synched with AD, or does the sync cause a new entry with the old entry still in Symantec Endpoint Protection Manager?
Everything is OID based. In this scenario, the group would be renamed within Symantec Endpoint Protection Manager after the sync. For information on synchronization with the Active Directory, see the following document:

"Organizational Units from Active Directory in Symantec Endpoint Protection 11.0"
http://www.symantec.com/docs/TECH102546


How can I connect to the Symantec Endpoint Protection Manager console through a browser?
You can connect to the Symantec Endpoint Protection Manager by entering the following in your browser: http://(IP address of Symantec Endpoint Protection Manager):9090

Can I install the Symantec Endpoint Protection Manager on a 64-bit computer?
Yes. You can install the Symantec Endpoint Protection Manager and Console on Windows XP Professional 64-bit SP1 or later and Windows 2003 Server 64-bit SP1 or later.


Client Deployment

Can Symantec Endpoint Protection components be installed independently of each other?
Yes. You can create installation packages with the following types of protection:

  • Antivirus and AntiSpyware only
  • Network Threat Protection only
  • Antivirus and AntiSpyware/Proactive Threat Protection
  • Antivirus and AntiSpyware/Proactive Threat Protection/Network Threat Protection



Content Distribution

Will there be regionalized updates for Symantec Endpoint Protection?
Yes. Localized patches are planned for this release.

What is the difference between Push and Pull modes when downloading policies and content from the management server?
Clients that use the Push mode download policies and content as soon as they become available. In push mode, a connection is kept open so that the manager can contact the client immediately when data is available. Clients that use the Pull mode download policies and content based on the Heartbeat interval setting, which is set to 5 minutes by default. Because of the greater network bandwidth that push mode uses, it is recommended mainly for small and medium-sized networks.

Does the Group Update Provider need IIS installed on the computer?
No. The Group Update Provider uses a built-in, embedded HTTP server.

Can the Group Update Provider get updates from LiveUpdate as well as the Symantec Endpoint Protection Manager?
No. The Group Update Provider only receives its updates from the Symantec Endpoint Protection Manager.

What are the sizes of the various packages that are sent between the Symantec Endpoint Protection client and manager?
The following are estimates of the size of packages that are sent between the Symantec Endpoint Protection client and manager:

  • Heartbeat (with no updates to be exchanged) - When there is no traffic to be exchanged (i.e. no profile to download and no logs to update) then the heartbeat is between 2 KB/s and 3 KB/s.
  • Policies (i.e. AV/AS, Firewall, OS Protection, Host Integrity) - Typically varies between 20 KB and 80 KB, but can increase if detailed rules are included, or OS protection templates are used. Generally, after you set your policies to suit your network needs, you do not modify them on a regular basis.
  • IPS Signature Updates - Files range between 50 KB and 100 KB. Symantec supplies updates approximately every quarter unless a specific threat or vulnerability needs to be addressed.
  • AV Signatures - 50 KB to 100 KB daily for clients, if you assume that the signatures are updated successfully every day.
  • Logs - Logs are compressed at the client before they are uploaded to the Symantec Endpoint Protection Manager. Approximately 800 log entries take up 1 KB of file space.


How many clients can the Group Update Provider support?
The Group Update Provider can potentially handle up to 10,000 clients, assuming best practices are followed. See the following KB article for more information: http://www.symantec.com/docs/TECH95353


Reporting

How is legacy data added into the Symantec Endpoint Protection Manager database with a new schema?
Legacy data is normalized when it is inserted into the database.

Can Symantec Endpoint Protection Reporting gather data from legacy Symantec AntiVirus Reporting agents?
Yes. You can point the existing reporting agents to the Symantec Endpoint Protection Manager. Turn on the legacy client data log processing, and then all the data appears in the new console.

Can I export reports in PDF or HTML format?
No. Currently, you can only export reports in CSV format. The capability to export reports in PDF and HTML format is considered for a future release of Symantec Endpoint Protection.


Scaling

How many clients can I manage with a single Symantec Endpoint Protection Manager?
Symantec Endpoint Protection Manager can manage 50,000 clients as long as network resources are available.

How many clients can I manage if I use the embedded database?
Symantec recommends that you use the embedded database for up to 5,000 clients. If you have more clients, you should use a stand-alone database.


Best Practices

What is a best practice for managing clients with Symantec AntiVirus 9.x, 10.x, and 11.x, if you assume that the clients cannot be upgraded all at the same time?
The best practice for managing a combination of Symantec AntiVirus 9.x/10.x and Symantec Endpoint Protection 11.x clients is to install the Symantec Endpoint Protection Manager and Console on a different computer than Symantec System Center. You can then migrate your supported legacy Symantec AntiVirus clients to Symantec Endpoint Protection 11.x in stages. You should read the Migration Overview and Sequence section in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.



Legacy ID



2007071909500548