Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

Can SNAC block clients with no SEP installed?

Created: 05 Apr 2013 • Updated: 09 Apr 2013 | 6 comments
This issue has been solved. See solution.

Hello dear sir/madam,

I need your help and advice to be sure in next,

can SNAC block clients with no antivirus (exactly, SEP) installed? I mean, can a SNAC integrated SEPM prevent packet translating of such computers in the network? (No gateway enforcer installed on the network)

thank you very much friends

Operating Systems:

Comments 6 CommentsJump to latest comment

.Brian's picture

Yes, you can do this with a SNAC policy in the SEPM

https://www-secure.symantec.com/connect/forums/wha...

 

SEP and SNAC - An Unbeatable Combination

https://www-secure.symantec.com/connect/articles/s...

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ambesh_444's picture

Hello,

 

Yes you can configure,

Please check with these articals..

What all can you do with Symantec Network Access Control?

https://www-secure.symantec.com/connect/articles/what-all-can-you-do-symantec-network-access-control

Creating and testing a Host Integrity Policy

http://www.symantec.com/business/support/index?page=content&id=HOWTO11091

http://www.symantec.com/business/support/index?page=content&id=HOWTO55759

https://www-secure.symantec.com/connect/articles/working-custom-host-integrity-hi-policy-using-custom-requirement-logic

 

First you can Create policy

Check this artical.

https://www-secure.symantec.com/connect/articles/working-custom-host-integrity-hi-policy-using-custom-requirement-logic

Creating and testing a Host Integrity Policy

http://www.symantec.com/business/support/index?page=content&id=HOWTO11091

Check this thread

http://www.symantec.com/connect/forums/symantec-network-access-control-blockallow-access-mac-address

 

 

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

SMLatCST's picture

I'm going to go against the flow heresmiley and say that, unfortunately, you cannot prevent access to the network without some form of enforcement.

While SNAC on it's own can easily detect if there is an AV client installed (as per the above posts), it cannot (by itself) block network access.  For the blocking of network access, you need at least one of the below:

  • SEP Client (including the Firewall) installed, but this immediately negates the SNAC check anyway so is irrelevant
  • DHCP Enforcer
  • Gateway Enforcer
  • LAN Enforcer
  • Integrated Enforcer for NAP

What SNAC can do, without any of the above, is to kick off an install of your preferred AV (in your case SEP), but it does mean you'd need to be in the odd position of having the SNAC client installed, but not the SEP Client.

The more common scenario admins look to remediate, is if neither SNAC nor SEP are installed.  In which case, an enforcer (Gateway/Lan/etc.) is required.  This kind of check and remediation requires you look into the full SNAC license.

Is this an option?

SOLUTION
Chuck Edson's picture

SMLatCST is correct.  Without an Enforcer, you cannot enforce the rules you set up.

There has to be something to block access to the network.

If a post helps you, please mark it as the solution to your issue.

Detroit2Baku's picture

Thank you guys for your help, i will dig more to find a solution for this case, with or without SEP :)

best regards :)