Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Migration Success Story

Created: 29 Apr 2009 • Updated: 01 May 2009 | 10 comments
Language Translations
shaun_b's picture
+12 12 Votes
Login to vote

Migration Success Story

It all started with a frantic call from a client. Around 11pm on a Friday night, one of our customers called us with some bad news. They were infected with Conficker. The infection spread quickly, as their current AV solution, Trend Micro, was unable to detect, or remove the infection. There were significant consequences associated with the infection: their customers were unable to access business critical services; access to remote sites was unavailable; and a large majority of their domain accounts were being consistently locked out. Basically, all business critical functions came to a halt. These all stemmed from the Conficker virus and we immediately booked a flight to arrive onsite on Saturday morning.

Once we arrived onsite we determined that the Trend Micro solution was not able to detect or remove the Conficker.B virus. We wanted to prove that Symantec Endpoint Protection was the solution that would not only detect the threat, but also remediate the virus so that all business critical functionality was restored. We staged an ad-hoc SEP environment, and quickly migrated a handful of suspected infected clients from Trend Micro to SEP 11. The results were overwhelming. Not only were we able to now detect the virus, we were also able to remediate the threat, stop propagation, and restore functionality to these assets.

After the client agreed that SEP was able to provide the mitigation they so desperately needed, we quickly provisioned a PO, the CIO signed off, and our next task was to deploy SEP to nearly 5000 clients in less than 48 hours. We went to work to define the associated SEP design and architecture requirements. Given the simplicity of SEP and its group structure capabilities, this was completed in less than an hour. Once we had the design in hand, we configured the SEP environment accordingly and then needed to move forward with a migration strategy.

Given the fact that SEP comes bundled with many different uninstall scripts, including Trend Micro, we were able to create an install package that seamlessly un-installed Trend Micro, and installed SEP11. After some quick testing, we pushed out the SEP11 installation package in a phased approach, to 500 clients at a time. In the first day alone, we were able to install SEP to close to 2500 clients successfully. By the second day, we had almost all 5000 clients deployed in the environment.

The reporting capabilities within SEP gave us a holistic view of just how intrusive and effective the virus had on the environment. Trend Micro was unable to produce the effective reporting information that the client so desperately required. Using the advanced reporting capabilities in SEP, we were able to establish just how intrusive the virus was in propagating across the many different segments of the organization and quickly adapt strategies to remediate the threat.

Once we were assured that SEP was deployed to the majority of the hosts, our next step was to completely remediate the Conficker threat. We determined that by proactively running full system scans, configured in the associated SEP policies, and using some of the unique Proactive Threat Protection (PTP) and Network Threat Protection (NTP) capabilities, would provide us with the most efficient and effective capabilities to remove the Conficker virus.

We configured SEP to run a full system scan on all of the hosts immediately. The results were surprising. Over 75% of their workstations and servers were infected with Conficker. The default configurations of SEP removed the virus from the majority of all the infected machines. Some of the assets required a reboot in order to completely eradicate the virus. Since we could also issue reboot commands through the SEP console, this gave us the ability to remove the virus in a very quick and efficient methodology.

Our next challenge was how to identify infected machines that did not have any anti-virus protection. These machines were still attempting to infect other machines, and were causing bandwidth links to become saturated, as a result of the virus, on the many different network segments. SEP has the capability to scan for unmanaged clients, identifying machines and assets that do not have SEP installed. A quick scan revealed about 100-200 clients that did not have anti-virus protection. We quickly deployed SEP to these remaining endpoints, scanned and removed the infection, and were able to restore functionality to the remaining network segments.

By this time, it was close to 5pm on Sunday, and we wanted to understand the remaining risks to the organization to ensure that when people returned to work on Monday, they would not be faced with issues that would affect business functionality. We were able to create key reports within SEP that showed the status of our remediation attempts, but also identifying other threats that Trend Micro was not able to find. These threats primarily involved key-loggers, spyware and other virus remnants that Trend Micro could not identify or remove. We then setup notifications to alert the client on any threats that they needed to take action on. This allowed them to take a proactive approach to security in their environment, rather than the reactive approach they were so used to following.

After performing some reconnaissance around 11pm on Sunday, we were able to determine that the virus most likely originated from a USB thumb drive. Using SEP’s “Application & Device Controls” we setup a policy to prevent any USB thumb drives from being plugged into any host running SEP.

After an exhaustive 48 hours, Monday morning arrived. People began to show up for work, and we worked to install SEP on additional endpoints, such as laptops that were not connected to the network over the weekend. The client was amazed that the virus was not only remediated, but also that we were able to deploy roughly 5000 clients in the course of a weekend. The virus was remediated, SEP was deployed, and it was time to catch up on some well needed sleep.

I wish this scenario was just a one-time event, but it’s not. As a security analyst working at our company for over 8 years, we have to deal with these types of situations more often than not. Over the course of the last 6-8 months, we have seen a significant increase in virus remediation projects. The threat landscape is changing dramatically, and Conficker is a great example of that. Time after time as we arrive onsite to address virus remediation issues, I keep telling myself… “If only they were running SEP”.

In my opinion, Symantec Endpoint Protection version 11 is the hottest new endpoint security product. SEP is a reliable, fully redundant, scalable enterprise-class product that can protect your company using many different protection technologies. These technologies, including Anti Virus (with proactive threat management), Anti Spyware, Application / Device Control, Firewall, and Intrusion Prevention (part of the Network Threat Protection Engine) are leaps and bounds ahead of the competition and offer you a full 360 degrees of protection. The product has a smaller footprint, uses less memory, and has exceptional reporting capabilities that can be combined with automated notifications to provide your support team with a detailed perspective on the security status of your environment.

Comments 10 CommentsJump to latest comment

Nel Ramos's picture

@shaun_b: Thank you for that inspiring article. It was long but never boring. Good on the prep.

SEP really is ahead of its competitors. SEP even out performs SAV! One good example is that SAV could not detect executable Proxies but SEP was able to detect it and take proper action. Thanks to its heuristic scanning, this threat that IT inclined agents normaly slips into our network is not corrected.

One more good SEP feature is the USB restriction. It is a deterent. I liked the way SEP gives us our own personal way of counseling the assailant thru a customized message sent to him in real time.

 

Nel Ramos

+1
Login to vote
shaun_b's picture

Thanks!! 

0
Login to vote
sujay70524's picture

thx nice article

0
Login to vote
jabdallah@cbihome.com's picture

I've had similar experiences and completely agree with your findings.  GREAT JOB PSV!

+1
Login to vote
jcarlson's picture

Worked a few of those myself with similar results...easy to be confident walking in the door with the best technology in the world supporting you. 8^} 

+1
Login to vote
sukotto's picture

Great reading!

0
Login to vote
msmith421's picture

Great article!  I just did some major remediation work last week for a division running Tred.  Several viruses were able to spread undetected bringing production down 60% in the matter of a couple days.  I was able to clean up soem systems enough to load SEP, which then cleaned most of the machines competely in ONE pass!  The client is super happy with the performance of SEP!

+1
Login to vote
kristopherjturner's picture

How did you deploy SEP11 on this project?  We are testing Trend's OfficeScan 10 and also SEP11 right now.  Currently we are using Sophos's Antivirus solution.  We don't have Altiris so can't deploy that way.  We do however use SCCM (SMS) and also do have a Dell Management Console which is based off of Altiris.  Can the Endpoint plugin work on this?

0
Login to vote
Rioindonesia's picture

Hi All,

   I have 1600 client that need migrate from TREND Micro to SYmantec, I only have a Month.

The remote Installer is restricted here, I only have Bigfix aplication, can Any one help me how to do the remote UNINSTALL trend micro and after that do the Symantec installation.

If anyone have solution, please email me at rioh24@gmail.com or rioh24@yahoo.co.id . Thanks before..

0
Login to vote
Rioindonesia's picture

HI ALL,,

         Any one can helpme, I want to migrate 1600 PC from TREN MICRO AV to SYMANTEC.

The Remote installer is forbidden here and also the sharing folder.. So, I am using BIGFIX,

But I don't know the script, can any one know how to push the Uninstall TREN MICRO and After that Install Symantec End Point 11.

0
Login to vote