Endpoint Protection

The Story So Far...

This is the third in an informal series of illustrated articles about how admins (and end users) can best protect their mobile endpoints using Symantec Mobile Security 7.2. (This is a cool Enterprise product aimed at corporate networks, rather than a company that just has a few Androids or Windows Mobile devices that need protecting.) The two earlier articles:

1. Illustrated Guide to Installing Symantec Mobile Security 7.2: how is the management server (Symantec Management Platform) of SMS 7.2 installed, and what does its interface look like? 
2. Getting to Know the Symantec Mobile Security 7.2 Client: what does SMS 7.2 look like on an Android phone or tablet?  How to view its activities, launch an update, know when it is trying to alert you to danger.... 

This article will cover how SMS 7.2 protects Windows Mobile devices (phones, PDA's, various Point-Of-Sale equipment) and how to administer them from the server console.

Windows What?

Though it may have a small market share of today's cell phone market, Microsoft has been in the mobile game since the beginning.  They have offered Pocket PC, Windows CE (Compact Edition) and many other cool products for PDA's and cell phones that have evolved over the years.  Symantec Mobile Security 7.2 (like the older Symantec Endpoint Protection Mobile Edition 6) can work with the older WM versions that are built on Windows CE.  That is, Windows Mobile 5, 6.0, 6.1 and 6.5.

Operating Systems Support for Symantec Mobile Security Products
Article URL http://www.symantec.com/docs/TECH102048

The newer Windows Phone 7 and Windows Phone 8 are built from a completely different code base- they are somewhat similar in name, but that is about it.  The SMS 7.2 client software will not install on them. 

Here’s Symantec's public KBs on the subject:

Symantec AntiVirus Product for Windows Phone 7 Platform
Article URL http://www.symantec.com/docs/TECH145141

Those who would be interested in an Enterprise product for this platform can cast a vote for the following Connect Forum Idea (enhancement request): Symantec Endpoint Protection Mobile Edition for Windows Phone 7

Windows Why?

Though viruses and exploits against WM are not as popular these days as threats written for Android, there are still plenty of ways to attack Windows Mobile (and POS devices that use it!).  See the article How to Secure Your Mobile Point of Sale Devices and remember: embedded devices, PDA's and mobiles are powerful enough to do a lot of damage, and often serve as an unprotected "back door" into networks that focus all their defenses on traditional servers and desktops.  Ensure they are protected!

What does SMS 7.2 Do on Windows Mobile?

The SMS 7.2 client is different on Windows Mobile than it is on Android.  On Android, there's malware protection, web protection, anti-theft features and so on.  On Windows Mobile, there are three main components:

1. AntiVirus: scans for malware.  SMS 7.2 on WM features Auto-Protect technology, scheduled scans, and manual scans. 
2. Firewall: blocks unwanted network connections
3. Mobile Security Agent: keeps the client in touch with its server.

There are some other features, too (like AntiSpam for text messages and a File Access Log).  Full details on the protection and features can be found in Section 3, Securing Windows Mobile devices, of the Symantec Mobile Security 7.2 MR1 Implementation Guide. 

Installing SMS 7.2 on Windows Mobile

Installation on the Windows Mobile device is pretty straightforward.  There's a .cab file  ("Symantec Mobile Security 7.2 Windows Mobile 6.0/6.1/6.5 Agent (.zip)") which needs to be copied to the device.  This can be downloaded from the device's browser, emailed to the device, copied manually or sent over by the customer's Mobile Device Manager software, if they have a MDM managing the devices. Once it is on the device, a simple click will start the install process...

Note that there will be a reboot needed in order for the firewall to work correctly. 

One cool trick is that the SMS client software can be installed on Windows Mobile silently (that is, without showing the end user screens like the one pictured above.  Details can be found in the following article:

How to Install and Uninstall Symantec Mobile Security 7.2 Silently on a Windows Mobile device
Article URL http://www.symantec.com/docs/TECH206648 
 

One Common Issue

When the SMS 7.2 client is installed on the Windows Mobile device, it is initially "unmanaged."  In order to know which server to connect to and receive policies from, there is a file called AgentInstallConfig.xml which must be exported from the SMP and dropped into the device's \My Documents\ directory.  (Once it is copied there, it will be immediately processed by SMS 7.2 and will disappear.)

The AgentInstallConfig file is exported from the Mobile Security Agent Policy page of the SMP.

In case there are any failures to register and communicate, ensure that Windows Mobile's wifi is switched on and then check out the advice in the following article.

Error Messages Displayed When Attempting to Deploy the Initial Configuration Files to Windows Mobile Devices Running Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH96607 
 

After that, there should be a "Healthy Connection" to the server.  The client will download and apply new policies, upload logs and inventory, and appear in the server's management console.

Windows Mobile: Doing Things a Little Differently.... 

Two quick differences to be aware of:

1. When Mobile Security clients for Android enroll to the SMP, they generally require an approved user account (membership of a particular Active Directory group, etc).  There's no similar restriction for Windows Mobile clients.  No special user accounts need to be configured.
2. Androids communicate to the SMP through a Mobile Security Gateway (MSG): either the one that is automatically installed on the SMP, or perhaps another MSG deployed in the DMZ.  Windows Mobiles don't use a MSG.  They communciate directly to the SMP- so do be sure that the Windows Mobiles use an IP or FQDN that ensures SMP connectivity! 

OK, Windows Mobile: Here's What to Do....

The policies which configure Windows Mobile devices are not as prominently featured as the policies for Androids.  In the Symantec Management Console, go to Manage > Policies > Mobile Security > Windows  and chose the policy desired.

Here are illustrated instructions on how to direct the Windows Mobile device to look for new LiveUpdate definitions from an internal server, rather than the Internet LU source servers:

Updating Windows Mobile Devices from an Internal LiveUpdate Administrator 2.x Server
Article URL http://www.symantec.com/docs/TECH159934

In case any difficulty is encountered getting those policies applied to the Windows Mobile devices, the following article provides some important tips....

Applying Policies Configured for Windows Mobile Devices in Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH201752 
 

Life of Pie

Want to know how those Windows Mobiles are doing? The Windows Mobile reports on the SMP can be found under Resports> Mobile Security> Windows.

Here's an example Infected Status Summary Report for Windows Mobile Devices:

Here is the LiveUpdate Status Summary Report:

Not all of the reports are pie charts.  Here's an example Security Infections & Breaches Report:

There's a similar Threat Details report under All Mobile Devices- one of the few reports where data from Androids and Windows Mobiles is listed side-by-side.

If all you are looking for is a list of the managed Windows Mobile devices, click on Device Information.  Right-clicking on the entries will all you to take a closer look with Resource Manager.  It's possible to View Inventory and View Events from that page, getting detailed information on the activities of that device.

In Conclusion.... 

Many thanks for reading!

Please do leave comments below to provide feedback on how your Windows Mobile devices function with SMS 7.2, and highlight any tips you have discovered that other admins may find useful.