Security Community Blog

Connect And Protect Story - SAV 8 to SEP 11.

Created: 16 Jul 2009 • Updated: 09 Feb 2011 • 8 comments

Hi There,

I'm Rafeeq. I work as a security consultant for a client; we handle their entire security infrastructure, including IPS signatures and network monitoring.
My client has around 2000+ computers in their environment. They had a mixed environment consisting of SAV 8.x and SAV 10 running on two different domains in mixed mode. Their license for SAV 10 was about to end this September, hence they decided to go for an upgrade. The client did not have any second thoughts about choosing a different antivirus vendor, even if it came for free, for the following reasons (I'm sure we all agree with these points :) )

1) The detection rate of Symantec is higher than that of any other antivirus company. I agree with this because Symantec has global sensors all over the world for this detection:

    4 Symantec SOCs
    74 Symantec monitored countries
    40,000+ registered sensors in 180+ countries
    8 Symantec Security Response Centers

2) The client had a bitter taste of viruses earlier with SAV 10; however, once the virus was submitted to the Security Response team, the signatures were quick.
No antivirus would detect 100% of viruses in the wild; being in security, it's our responsibility to submit suspicious files to help ourselves and others. Signature creation was the other main concern, and Symantec is well suited for this; NSS would run with the latest even if you don't have AV installed. The client is worried because they are a consulting firm and data protection is the main concern. This is why they chose Symantec.

    VB100 track record: Symantec AV has protected its users since 1999 against all viruses that are actually in the wild.
    No failure since 1999.
    For more information please see www.virusbtn.com

3) With advanced viruses and malware in the wild and hackers being creative, the client's concern was to have more than one protection technology. SAV has just antivirus, and when I explained the SEP 11 features, it was exactly what they had been looking for:

    a) Proactive Threat Scan: behavioral-based protection. Unlike other heuristic-based technologies, it scores both good and bad behaviors of unknown applications, providing more accurate detection of malware.

    b) Accurately detects malware without the need to set up rule-based configurations or the worries of false positives :)

    c) Generic Exploit Blocking prevents entry of new threats at the network layer, using a vulnerability-based intrusion prevention solution.
       Blocks all new exploits (including variants) of a vulnerability with a single signature.
       Blocks malware BEFORE it can enter a system.

4) Clients should be centrally managed, and our SEPM does this very well: the Monitor tab gives you a quick look at what's happening in your network, so you need not go through various logs to check if machines are infected; the Home and Monitor tabs give quick results.

    Everything is single but powerful:

    Delivers a single management agent for all Symantec Endpoint Protection technologies and the Symantec Network Access Control product.
    Reduces administrative effort.
    Unified and central reporting, licensing and maintenance.
    Requires no change to the client when adding SNAC.

5) In these times cost is the main concern. They had a software to block unnecessary programs from running (I don't want to name it here :) ), like Yahoo Messenger, unwanted sites and streaming MP3 downloads. I clearly explained our Application and Device Control to them; they were well pleased with this new feature, as it eased their administration and would reduce the extra cost involved.

    a) Application Control

    Allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed suspicious or high risk.
    Prevents malware from spreading or doing harm to the endpoint; locks down endpoints to prevent data leakage.

    b) Device Control

    Controls which peripherals can be connected to a machine and how they are used. It locks down an endpoint by preventing thumb drives, CD burners, printers, and other USB devices from connecting.
    Prevents sensitive and confidential data from being extracted or stolen from endpoints (data leakage).
    Prevents endpoints from being infected by viruses spread from peripheral devices.

6) Clients were in different domains; the domain feature in SEPM helped to group them out. AD import and automatic reports about virus definition updates and virus infections definitely help to get a quick look and resolve the issue at the earliest. They never used the reporting component in SAV, and this one was a blessing.

7) They have a different team for IPS as of now; hopefully, with SEP 11's advanced features, we should be able to get all the different teams under one roof, the Symantec Security team :). We have discussed this with the client; as you know, it's gonna take some time. There is a lot of flexibility while using IPS:
administrators can also create custom signatures to tailor the level of protection to their environment.

    Blocks malware BEFORE it can enter a system.
    Gives administrators complete control to manage intrusion prevention signatures.

8) Support was another cost concern. Symantec does not limit the number of cases; no charges for new incidents, as long as you have good support.
No need to wait in a queue to get a tech on the line: using MySupport you can raise a case via the web, and a tech is sure to call you (trust me :) ); chat support for starters and remote installation assistance. What more can you expect? I know there is always more with Symantec.
As I'm here, the forum is the best. Different people, different thoughts and experiences; I know many are masters :). It's sure that issues get resolved, with Paul's active involvement in complex issues/bugs, and you have Symantec employees to help you out. These are what made us go with the Symantec product.

9) To help customers upgrade from Symantec AntiVirus to Symantec Endpoint Protection 11.0, Symantec has services ranging from remote installation for SMB customers to consulting options for enterprise customers. Migration will be especially easy for Altiris customers: Altiris has preconfigured modules for upgrading to SEP, and they are available for free. Isn't that good news :) ?

As I mentioned earlier, we had different versions running; our main objective was to remove 8.x remotely as quickly as possible, reboot the box and install SEP. I used just Symantec tools to complete the task; hope this helps you all one day or the other. Symantec goes through a lot of security checks before publishing tools; that's why I trust them and use them with no worries.

First, migrating the 64-bit boxes was quite easy, as we simply migrated policies and pushed SEP directly on top of SAV 10.2. However, SAV 8 needed to be removed manually, wherein a reboot was required. The main task was to remove SAV 8 from 150+ machines remotely, reboot and install SEP. We decided to go with a fresh install of SEP 11.

We were able to remove SAV 8 remotely by utilizing the uninstall key from the registry on a SAV 8 machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

This is what "Add/Remove Programs" lists. Simply check the keys for SAV 8 and locate the UninstallString value, which will be on the right-hand side. Mine was something like this:

MsiExec.exe /i {C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}

Note: the script would not run if SAV is password protected.

I copied the string into Notepad, saved it as script.bat, and added a few switches to run it silently with no reboot. The modified string looks like this:

MsiExec.exe /norestart /qn /x {C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D} REMOVE=ALL
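The registry lookup and string rewrite described above, done in PowerShell so it can be repeated on the reference machine instead of copied by hand. This is an added example, not the author's script.bat and not a Symantec tool; the display name pattern "Symantec AntiVirus", the log file path and the output file name are assumptions, and the product code is read from the registry rather than typed in.

```powershell
# Added example, not from the original post or from Symantec: enumerate the
# Add/Remove Programs entries in the registry, pick the MSI-based ones whose
# display name matches a pattern, and write a silent, no-reboot removal
# command for each into script.bat (the file the post pushes with SEPM).
# Assumptions: the display name contains "Symantec AntiVirus"; the log path
# and output file name are ours, not the post's.

param(
    [string]$DisplayNamePattern = 'Symantec AntiVirus',
    [string]$OutFile = (Join-Path (Get-Location) 'script.bat')
)

# Both registry views: 32-bit installers on a 64-bit OS register under Wow6432Node.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# An MSI product code is a braced GUID; non-MSI uninstallers (setup.exe /remove, etc.)
# carry no such code and are skipped rather than guessed at.
$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

function Get-MsiUninstallEntries {
    param([string]$Pattern)
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if ($p.DisplayName -like "*$Pattern*" -and $p.UninstallString -match $guidPattern) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    ProductCode     = $Matches[0]
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function ConvertTo-SilentUninstall {
    param([string]$ProductCode)
    # /x uninstalls by product code (works whether the stored string said /i or /I),
    # /qn suppresses all UI, /norestart suppresses the reboot so it can be scheduled
    # separately, and /L*v writes a verbose log to check when the exit code is non-zero.
    "MsiExec.exe /x $ProductCode /qn /norestart /L*v `"%TEMP%\sav-uninstall.log`""
}

$entries = @(Get-MsiUninstallEntries -Pattern $DisplayNamePattern)
if ($entries.Count -eq 0) {
    Write-Warning "No MSI-based entry matching '$DisplayNamePattern' found under the Uninstall keys."
    return
}

# Show what was found before anything is written, so a wrong pattern is caught here.
$entries | Format-Table DisplayName, DisplayVersion, ProductCode -AutoSize

$lines = @('@echo off')
foreach ($e in $entries) { $lines += ConvertTo-SilentUninstall -ProductCode $e.ProductCode }
$lines += 'exit /b %ERRORLEVEL%'
Set-Content -Path $OutFile -Value $lines -Encoding ASCII
Write-Host "Wrote $($lines.Count) lines to $OutFile"
```

Run it on one SAV 8 machine to produce script.bat, check the table it prints against what Add/Remove Programs shows, and only then hand the file to the deployment wizard. The post's note still applies: if the SAV uninstall is password protected, the silent msiexec call will fail, which is why the command writes a log and the batch file returns msiexec's exit code instead of swallowing it.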

**********************************************************
Installed SEPM on one of the servers, used the Migration and Deployment Wizard, and selected Sylink Remote as the package to be pushed, after replacing the existing script.bat with our removal script.bat.

The SAV 8 system names were in a text file, one IP address per line. Selected that, bang!, uninstall completed on all the machines within 5 mins :). Rebooted all the machines using our Windows shutdown -i command. Created the 32-bit packages in the meantime with one single policy; the machines came up in less than 7 mins. They were unprotected, so the installation had to be quick: used clientremote.exe to push the package, and it took 15 mins to install on 100+ desktops. Well, as reported to the manager, with virus definitions it took around 20+ mins. Never seen such an installation before :)

Now on the server: removed SSC manually, rebooted and installed SEP on the server. The next step was to upgrade 10.2 to SEP 11, quite simple: followed the standard migration document, separated 32-bit and 64-bit machines, created the 64-bit package and started the push install; things went absolutely cool :). We need to reboot all the installed boxes; shall do that on the weekend, and would keep adding systems thereafter. We are working on replication and GUP as of now. I'm sure that it will be a successful configuration; will let you know soon. Have fun while migrating to SEP, good day!

My Symantec My Pride

Comments

Abhishek Pradhan:

Terrific one Rafeeq. I'm sure this will help a LOT of people out there looking for such information.

Cheers.

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Kedar Mohile:

Great piece of Information...

cheeerrrrrssssss..... :-)

Vikram Kumar-SAV to SEP:

Hey, that's a good one... Surely it will help many...

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ben_cSEPticons_secured:

Very well said... If I were one of the listeners, I would go for SEP too, and that's because of the credibility of the details you've elucidated.

Nel Ramos:

Very good story and inputs...
thanks...

Nel Ramos

AravindKM:

Super !!!!!!!!!!!

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Srikanth_Subra:

Great one.. very interesting..

Thanks & Regards,

Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)
