Hi There,
I'm Rafeeq, I work as a security consulant for a client, we handle their entire security infrastructure,including IPS signatures and network monitoring.
My client has around 2000+ computers in their environment. They had a mixed enviroment consisting of SAV 8.x and SAV10 running on two different domains with mixed mode. Their license was about to end for SAV 10 this september , hence they decided to go for an upgrade , client did not have any second thoughts of chosing different antivirus vendors no matter even if it comes for free, the reason they had (i'm sure we all agree to these points :) )
1) The detection rate of symantec is higher than any other antivirus companies i agree to this coz symantec has global sensors all over for this detection
4 symatnec SOC
74 symantec Monitored Countries,
40,000 +Registered Sensors in 180+ countries ,
8 Symantec Security Response Centers
2) Clients had bitter taste of virus earlier with SAV10 however once the virus submitted to security response team the signatures were quick.
No antivirus would detect 100% virus in wild being in security its our responsibilty to submit suspecious files to help ourselves and others. Signature creation was other main concern and symantec well suited in this,NSS would run with latest even if you dont have AV installed.Client is worried coz they are into consulting firm and data protection is the main concern.This is why they choose Symantec
VB100 Track Record: Symantec AV has protected its
users since 1999 against all viruses that are actually in
the wild.
No failure since 1999
For more information please find the link www.virusbtn.com
3) With advanced virues and malwares in wild and hackers being creative, clients concern were to have more than one protection technology, SAV has just AntiVirus and when I explained SEP 11 features, it was exactly what they have been looking for
a) Proactive Threat Scan -Behavioral-based protection
unlike all other heuristic-based technologies,
it scores both good and bad behaviors of unknown
applications providing more accurate detection of malware.
b) Accurately detects malware without the need to set-
up rule-based configurations or the worries of false positivies :)
c)Generic Exploit Blocking prevents entry of new threats at
the network layer, using vulnerability-based Intrusion
Prevention Solution.
Blocks all new exploits (including variants) of a
vulnerability with a single signature
Blocks malware BEFORE it can enter a system.
4) Clients should be centrally managed,our SEPM does very well ,monitor tabs giving you a quick look about whats happening in your network need not have to go through various logs to check if machines are infected, home and monitor tab would give a quick results
Everything is single but powerful
Delivers a single management agent for all Symantec
Endpoint Protection technologies and the Symantec
Network Access Control product.
Reduces administrative effort
Unified and central reporting, licensing and maintenance
Requires no change to the client when adding SNAC
5) In this time cost is the main concern, they had a software to block unnessary programs from running( i dont want to name it here :) ) say like yahoo messenger, unwanted sites and downloading stream mp3s'. I clearly explained them about our application and device control , well pleased with this new feature as it eased their administration and would reduce extra cost involved.
a)Application Control
Allows administrators to control access to specific
processes, files, and folders by users and other
applications. It provides application analysis, process
control, file and registry access control, module and DLL
control. It enables administrators to restrict certain
activities deemed as suspicious or high risk.
Prevents malware from spreading or doing harm to
the endpoint,Locks down endpoints to prevent data leakage
b)Device Control
Controls which peripherals can be connected to a
machine and controls how they are used. It locks down an
endpoint by preventing thumb drives, CD burners, to
printers, and other USB devices from connecting.
Prevents sensitive and confidential data from being
extracted or stolen from endpoints (data leakage)
Prevents endpoints from being infected by viruses
spread from peripheral devices
6) Client were in different domains , domain feature in SEPM helped to group them out,AD import , automatic reports about virus definitions update and virus infection definetly helps to get a quick look and resolve the issue at the earliest.They never used reporting component in SAV and this one was a blessing.
7) they have a different team for IPS as of now, hopefully with SEP 11 advanced feature we should be able to get all the different teams under on roof, Symantec Secuirty team :) we have discussed this with client, as you know its gonna take some time Lot of flexibilty while using IPS
Administrators can also create custom,signatures to tailor the level of protection to their environment.
Blocks malware BEFORE it can enter a system
Gives administrators complete control to manageintrusion prevention signatures
8) Support was another cost concern, symantec does not limit on cases, no changers for new incidents,as far as you have good support.
no need to be in queue to get a tech on line, using mysupport you can raise a case via web, tech is sure to call you ( trus me :) ) chat support for starters and remote installation assistane, what more you can expect ? i know there is always more with symantec.
As i'm here, forum is the best. Different people different thoughts, experiences, i know many are masters :) its sure that issues get resolved ,Pauls active involvement with complex issues/bugs and you have symantec employees to help you out.There are what made us to go with Symantec Product.
9)To help customers to upgrade from Symantec AntiVirus to Symantec Endpoint Protection 11.0 Symantec has services ranging from Remote Installation for SMB customer to Consulting options for enterprise customers. Migration will be especially easy for Altiris customers. Altiris has preconfigured modules for upgrading to SEP and is available for free.Isn't a good news :) ?
As I mentioned earlier we had different versions running, our main objective was to remove 8.X remotely as quickly as possible.reboot the box and install SEP I used just symantec tools to complete the task hope this helps you all one or the other day, Symantec goes through lot of security checks before publishing tools that's why i trust them and use them with no worries.
First, migrating the 64-bit box was quite easy, as we simply migratee policies and pushed SEP directly on top of SAV 10.2. Hhowever, SAV 8 needed to be removed manually, wherein a reboot was required. The main task was to remove SAV 8 from 150+machines remotely , reboot and install SEP.we decided to go with a fresh install of SEP 11.
We were able to remove SAV 8 remotely by utilizing the uninstall key from the registry on a SAV 8 machine.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstal
This is in the "add/remove" programs. Simply check the keys for SAV 8, and locate the uninstall string key which will be on the right hand side.Mine was something like this
MsiExec.exe /i {C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}
Note:Script would not run if its password protected
Copied the string to a notepad named it script. bat added few switch to run it silent and no reboot, modified string would look like this.
MsiExec.exe /norestart /q/x{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D} REMOVE=ALL,
**********************************************************
Installed SEPM on one of the servers, used the migration and deployment wizard, selected sylink remote as the package to be pushed after replacing existing script.bat with our removal script.bat
SAV 8 systems name were in a text file 1 ip address/line, select that , bang!!, uninstall completed from all the machines within 5 mins :), rebooted all the machines using our windows shutdown -i cmd.created the 32bit packages in the mean time with one single policy,machines came up less than 7 mins, were unprotected so the installation should be quick used clientremote.exe to push the package, it took 15 mins to install on 100+ desktops, well reported to the manager with virus definitions took around 20+ mins. never seen such an installation before :) Now on the server removed ssc manually, rebooted and installed SEP on the server the next was to upgrade 10.2 to SEP 11, quite simple , followed the standard migration document, separated 32bit and 64bit machines, create 64bit package and started push install, things went absolutely cool.:) we need to reboot all the installed boxes, shall do that on weekends. would keep adding system there after.We are working on replication and GUP as of now, I’m sure that it will be successful configuration, will let you know soon, have fun while migrating to SEP good day !
My Symantec My Pride