Migrating to Symantec Endpoint Protection 

May 28, 2009 12:52 PM

We've always used Symantec AV Products at our Company.

In February 2008 I got awarded the responsibility of upgrading our domain wide AV Software from SAVCE 10.x to SEP 11 MP1 ( AV & Antispyware components only). I was tasked with planning the upgrade and then rolling out to SEP while preparing the necessary documentation for colleagues to troubleshoot/continue if I was unavailable for some time.

We are a subsidiary of a global business & we're pretty much left to manage our own IT systems with occasional regulation from the powers above. Our network is spread out globally with 2 main sites in the UK, 1 main site in Germany & 1 main site in the US, with smaller satellite sites in various global locations. In total approximately 1200 client machines & 150+ servers, with Windows XP Professional Service Pack 2 O/S on clients and Windows NT, 2000 & 2003 O/S on the servers.

We decided to have our main management server located in the UK ( where our main IT element is located ) & then the other 3 main sites were to be used as replication partners & for fail over.

The main site in the UK had a virtual infrastructure & the other sites were currently using 'real' servers but were scheduled to be virtualized late 2008 & early 2009. The benefit of having a virtual infrastructure immediately reared its head. We could create a small virtual network, separate from our Windows network, to test the SEP Management Console & client communications & configure the product to meet our requirements.

During initial testing of MP1 we noticed slow performance from the management console reporting functions & screen changing. Boot time for the management console server also increased by about 300%. After several discussions with Symantec Tech Support we concluded that it was due to the virtualisation. Replication seemed fine, quite fast actually, & the added bonus of virtualization granted us the revert-to-snapshot feature, which seemed particularly useful for performing upgrades, maintenance etc...

We now had to see how easy it would be to migrate from SAVCE 10.x to SEP 11. After reading the relevant documentation and performing a few tests we decided it was much easier to export a list of the clients from the SAVCE 10.x console & import this list into the Remote Deployment Wizard. Clients upgraded with no problems. What we did notice was that years earlier, when upgrading from SAVCE 8.x to SAVCE 10.x, this project wasn't completed & SEP couldn't upgrade from SAV 8.x due to it being a legacy application. We decided on uninstalling SAVCE 8.x from those machines and then upgrading straight to SEP rather than upgrading to 10.x then SEP. This left us with the AV application being installed in 2 different locations on clients: %progdir%\symantec\symantec endpoint protection & %progdir%\symantec Antivirus Client\. Hopefully this wouldn't create issues later ....

For the servers using Windows NT & legacy business-critical applications we couldn't upgrade to SEP 11 due to NT not being supported, & we couldn't upgrade the O/S due to the legacy applications not working on anything but NT. So at the moment we currently have 1 SAVCE 8.x client still.

Just as we were about to commence the upgrade to SEP 11, we decided that seeing as we use Symantec Backup Exec at our main sites & 2 satellite sites, we could implement LiveUpdate Administrator and manage updates exclusively through this. The setup was similar to the Management Console layout: the UK main site would be the master site for Euro/Asia clients. However, we could use the main US site as the master for any Americas clients as it had a separate proxy server, and any site that had upward of 15 users & a Backup Exec server would be used as a distribution centre.

LiveUpdate Administrator seemed to work perfectly at both sites; it was easy to configure in its console & in the SEPM console. I can't remember any serious issues with the system until it was upgraded to the latest version recently. I've been advised that the only change to the transportation method was that it now uses http port 7070 instead of 8080, but for some reason remote sites no longer receive all updates & it constantly says fail in the console. If we revert back to the previous version, everything works fine.

We decided to initiate the roll out in stages. Firstly install the management server at the UK main site. Configure policies, LUA settings, reports etc., then start to upgrade clients at this site in stages. Things started off sprightly; upgrades were going smoothly and silently. We did get the odd installation fault such as LiveUpdate not installing correctly or machines having a corrupt AD account, but these weren't too much of a hindrance. We must have installed and configured about 40-50 clients in the first week just to make sure that nothing seriously unexpected came up.

Then it hit us early April .. .... W32.Sality.AE worm. http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99 .. SAV never detected it, so couldn't remove it or stop it from spreading. SEP detected it but couldn't remove it or stop it either. We initially detected it on some client machines, then figured out what servers these client machines had connections to, installed SEP and disconnected both clients & servers from the network. We submitted files to Symantec Response & rang tech support; these were business-critical systems affected & we had no protection. We managed to find some 'other' AV software that detected & removed W32.Sality.AE from the infected machines. Firstly we had to get the servers back up and running, which was an overnight job for some of us. Then gradually over 2-3 days we re-connected the infected client systems to the network once they had been cleaned.

We ran full system scans and they all appeared clear. We still had no response from Symantec about virus protection against this threat. Finally, after a week, some rapid response definitions were sent to us & we were advised that the next batch of AV definitions would detect & remove W32.Sality.AE. We tested these on some stand-alone machines with the virus that we'd managed to store on a memory stick. SEP finally removed this threat. Marvellous. Now back to the upgrade from SAVCE 10.x to SEP 11.....

Continue with the upgrade plan, I thought. Management had different ideas: now that SEP has the definitions that removed this threat, EVERY machine needs SEP on it by tomorrow!!! Out the window went the migration plan and on with the panic rollout we proceeded, amidst protestation from the IT team.

Problems appeared left, right & centre. Management servers on different subnets didn't want to replicate even though all the correct ports were open and the servers could ping each other. Reporting components started spewing out 400+ system errors every 5 hrs that advised *No Problems Detected*. On Windows 2000 servers ccSvcHst caused 100% CPU usage and thus degraded performance to an unusable level for the server (either F&P or a Notes server). Client installations were still failing with random LiveUpdate errors, but instead of 1-2 users ringing it was 20-30 users. On start up, clients were generating errors advising that Auto-Protect was malfunctioning, but when investigating everything was fine.

These problems, combined with various service pack upgrades and the problems that these brought, have meant that this small AV upgrade project took till December 2009 to get all clients and servers that could be upgraded to SEP 11.x upgraded. As soon as the upgrade was complete we decided that it was time to virtualize the other sites. Migrating the LUA servers from 'real' to virtual servers proved more troublesome than just moving the failover management servers, due to the fact you can't import/export settings. As the management servers were all failover, this was a fairly easy process.

Break the management server connection
Install management server for replication on virtual servers
Check that replication works
Amend management server lists to use new servers & remove redundant servers
Update LiveUpdate policy & servers with new info.

By the end of February 2009 all virtualization was complete. Everything looked good. Finally I could finish off the installation/configuration/troubleshooting/disaster recovery documentation and put SEP to bed :)

Not quite. We have since taken over another part of our global business and decided to migrate them from their legacy Symantec AV products to our SEP setup. 3 sites to migrate, all interconnected with each other. Some using SEP already & others using SAVCE 10.x and planning to upgrade to SEP. This went more smoothly than I could have imagined. Upgraded all legacy clients with the help of local IT support from the sites and pointed them to our management server here. Ran sylinkdrop.exe on the SEP clients they already had and pointed them to our SEP management server. All that is left to do is uninstall their SEP management console & re-install one that replicates back to our management server, although due to poor network link speed from India to the UK I'll have to wait till we have MPLS installed for this to work.

SEP has been a project that has been frustrating yet very rewarding, and it looks like it's nearly complete. Just 1 small MR4 MR2 upgrade to go and then I can give it a rest. Although management like the look of Application & Device Control & switching from Windows Firewall to SEP Firewall....

I can already see more work coming .....

Comments

Jun 09, 2009 04:58 PM

You have taken really great efforts;

really appreciable;

but it would be great if you did not lose focus,
as this article is about SEP, then you referenced Backup Exec in between, then virtualization, which is making it quite difficult for us to grasp this experience of yours.