Endpoint Protection

Hi all, 

I'm fairly new to the symantec product suite and I was wondering how I would come about scanning email attachments effectively.

Currently both Symantec Mail Security for Exchange 6.5.5.255 is scanning emails and their attachments, but our Symantec Endpoint Clients 11.0.5002.333 are also scanning emails and their attachments on the client side of things.

To me that doesn't sound logical.  How would I go about making this more productive ?

I tried searching for white papers or best practise documents through google but all I get are Knowledge Bases that explain problems with attachment scanning and so on.  I'm trying to gather usefull information concerning this topic but either I use the wrong search strings or I'm looking in the wrong place, hence this post here.

Would it be as easy as leaving Mail Security to scan all and excempting .OLK files through the Enpoint Clients ? I reckon this would effectivly disable scanning attachments?

Can I just disable "Enable Microsoft Outlook Auto-protect" in the Endpoint antivirus/antispyware policies that apply to my clients ? Would that be wise ?

The goal is to give the end users both on LAN and REMOTE (RAS/VPN) the best outlook experience possible.  So if we could SAFELY remove unnecessary tasks such as attachment scanning (since mail security scanned them on exchange server already) that that would be GREAT.

I hope I post this in the correct section/forum.

Kind regards

Steve

Can I just disable "Enable Microsoft Outlook Auto-protect" in the Endpoint antivirus/antispyware policies that apply to my clients ? Would that be wise ?

yes, you can do that. However SMSME and SEP client works different. SMSME is installed on ME server and scans the email. SEP also scans for the email only on desktop ( not to all email boxes as SMSME does).

Hi pete_4u2002, 

Thanks for your reply.

Yes I know that SMSME and SEP are completly different and that they both have a place where they do their job.

What I'm trying to figure out is ... currently they BOTH do the same job, and thats just not right in my view. (why scan emails on the client side, when they have already been scanned on the server side ? thats the idea here atleast ...)

They are both scanning emails and attachments.  My question very simple is ... can I just disable the "Enable Microsoft Outlook Auto-protect" on the SEP side.  Would I have covered everything safely then ?

In general I'm just trying to find people who have alot more experience in SEP and SMSME then me to nudge me in the right direction, I think my "think path" is correctly I just don't know SEP and SMSME well enough to understand how they truely work together, I'm just trying to make sure I'm not missing any small cracks that could give room for viruses to enter our network.

Kind regards

Hi

 Thats correct as pete said, "Disable the Microsoft Outlook Auto-protect" or you remove the Microsoft Outlook Auto-protect By Modify Installtion .

For modify Installation Go to addremove program-> Select the SEP -> Clickon change -> Select Modify

Under Antivirus you can uninstall the Microsoft outlook auto- protect .

Thank you pete_4u2002 and 

Thank you Optimus.prime  .... << awesome nick :) >>

for your replys.

I have now disabled "Microsoft Outlook Auto-protect" in the policy and did a manual policy pull on my test machine.

As soon as my test endpoint client gets the adjusted policy from the SEPM he goes from GREEN status (on the systray icon) to RED status (on the systray icon).  When I then hover over that systray icon, he gives me a baloon popup saying Auto-protect for outlook has been disabled.

Yeah well .... DUH ... thats what I wanted, why is he complaining about that ?

Also I feel like after he got the new policy he started a FULL scan of my computer and that is not nice cause it's taking nearly all the performance of my machine.

Am I doing something wrong ? Am I not taking certain reactions to this policy change into account ... such as this full scan that is running now ?

In my policy there is an "admin defined scan" that runs every Monday morning (weekly) so I don't understand why he is doing a full scan right now (wednesday).

Kind regards

Steve

Hi ,

   Did you use the Update content and scan in the manager?

You have to lock the setting in the policy (clicking on the lock icon), or it will always ask you to fix it.

sandra

Hi, Thank you Sandra for your reply ...

OMG I would have NEVER found this little lock icon, but it is INDEED what I needed todo to remove the warning that outlook auto-protect was disabled.

I seriously had to read your post like 10 times and had to search for like 15 minutes in SEPM to find this lock icoon, only to find it right in front of the checkbox where you enable/disable the option in question.

Thank you

Hi Optimus.prime,

Thanks again for your reply.

What do you mean with " Update content and scan in the manager "

Was this a reply to the fact my SEP complained "outlook autoprotect" was off or was it for the (what I think) was a full scan after I disabled the "outlook autoprotect" ?

Cause at the moment I'm not sure but since I moved my SEP client from an OLD SEPM to my NEW SEPM my computer feels "laggy" but I'm gonna make a new post about it since this one deals with the outlok auto-protect option.

Hi Steve,

Just a quick note: there's now a newer release of SMSMSE available: version 6.5.6. 

Release notes for Symantec Mail Security 6.5 for Microsoft Exchange
Article: TECH122809 | Created: 2010-01-28 | Updated: 2011-09-22 |
Article URL http://www.symantec.com/docs/TECH122809
 

That release corrects an important security vulnerability.

The version of SEP in use (SEP 11 RU5) is quite old- for stability, performance, and security I recommend upgrading to RU7.

Release notes for Endpoint Protection and Network Access Control 11
Article: TECH103087 | Created: 2007-01-12 | Updated: 2011-09-06 |
Article URL http://www.symantec.com/docs/TECH103087

(RU7 MP1 is expected to be released in about two weeks- keep an eye out!)

Thanks and best regards,

Mick

Thank you Mick for your reply.

Thats really nice of you to share this information with me.

For our company the end-user experience is the most important aspect when it comes down to deploying ICT tools and software such as antivirus protection and what not.

So perhaps you could point me to a document that would describe a migration from SEP RU5 to RU7 ?

I can update the SMSMSE thats just 1 server 1 install, but my SEP clients is a whole other deal.

We have our salesforce users on the road and they come in the office only like twice a year or so.

How would I go about deploying an upgrade to RU7 over connections that have UMTS/3G mobile broadband speeds ? (I guess I never really thought about upgrading the endpoint clients cause of the <<what I feel like>> complex procedure to handle this remotely)

Again I'm fairly new to the symantec produc lines, so I'm trying to catch up in knowledge, and building it up as I go.

Kind regards

Steve

Using the auto-upgrade features of SEP, it should be easy enough to assisn a RU7 client package to the client group and let the computers update themselves.  There will be a download of a new installer package, which will be larger the older the target client is.

Full details on how to use auto-upgarde can be found in the SEP admin guide.  Some online articles that may be of interest:

Symantec Endpoint Protection 11.0 RU7 Client-only patch (32 Bit)
Article: TECH165494
Article URL http://www.symantec.com/docs/TECH165494
 

Symantec Endpoint Protection 11.0 RU7 Client-only patch (64 Bit)
Article: TECH165498 
Article URL http://www.symantec.com/docs/TECH165498
 

Supported migration paths to 11.0.7000.975 (RU7)
Article: TECH165167
Article URL http://www.symantec.com/docs/TECH165167

How to Auto-Upgrade Remote Site Clients using IIS
Article: TECH97406
Article URL http://www.symantec.com/docs/TECH97406

Hope this helps! &: )

Thanks alot for the info Mick.

Greatly appreciated, ... and that goes for everyone in this discussion thread.

Thanks for all the help and effort !

Kind Regards

Steve

You are very welcome

sandra

Hi Mick,

Today I logged on to https://fileconnect.symantec.com/ but all I could see is SMS MSE 6.5.5 there is no 6.5.6 available for me to download within my "Symantec Protection Suite Enterprise Edition 3.0" license

Any other place I can download 6.5.6 ?

Regards

Steve

Hi Steve,

Do you have an older Symantec Protection Suite Enterprise Edition 3.0 serial number as well?  If so, use that on fileconnect and SMSMSE 6.5.6 will be visible straight away.  They are working on getting it visible for version 4.0 now.

More details can be found in : https://www-secure.symantec.com/connect/forums/response-secunia-advisory-smsmse-655255

Cheers again!

Hi Mick, 

Thanks for the reply.

I tried with my "Symantec Protection Suite Enterprise Edition 3.0 serial" but no joy.

I then tried with a 2009 "Symantec Multi-tier Protection 11.02" but also no joy.

I do not have a Symantec Protection Suite Enterprise Edition 4.0 serial anyways so the link you provided is not related to my issue I guess.

Regards

Steve

Can you send me the numbers you are using over Personal Message?  It should be there- I'll double-check.

One way or another we will get the latest and greatest builds to you. &: )   

Hi Mick,

I just checked again today when I saw your post, so I thought I'd check again first before I would send you my serial and now I can see SMS MSE 6.5.6

So all is good now thanks ;)

Regards

Steve