Endpoint Protection


Endpoint Protection - definition update using the JDB file

  • 1.  Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 03:51 AM
    Until today all new definitions are deployed and installed on clients according to the following article: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048 Someone told me that Symantec cannot guarantee those definitions. The same person also recommended that I create a test group that will receive the updates. After a while the same definitions can then be distributed to the rest of the workstations and servers. Is it more secure to follow these guidelines? For me it looks bothersome, impractical and needless. I assume that Symantec can guarantee new updates.

    Hope someone can give me the needed info on best practice on the topic, if Symantec is not able to give me the needed guarantee for new updates.

    On the following web site Symantec talks about certified definitions: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/ab48c3a74d05a3a188257348007a25b4?OpenDocument. Does it still mean that the updates are not 100% secure?


  • 2.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 04:39 AM
    In practice, newer definitions may sometimes give false positives, meaning they may detect some non-virus files as virus files. This is a rare case but it is possible. You can install and configure LiveUpdate Administrator. This software will give you an option for testing your updates. Configure it, then point a group of test clients to download updates from it.
    Refer to this article and KB:
    Installing and configuring LiveUpdate Administrator 2.x

    Installation and configuration of LUA


  • 3.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 05:33 AM

    Hi Aravind,


    Our network is closed, without Internet connections at all. Is it still possible to use LU? All definition updates are done through jdb files. The procedure is described in the following article:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048

    We don't have CD#2, since all software is downloaded through the Internet.

     

    Rgds

    Geir




  • 5.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 06:46 AM
    Hi Aravind,

    One more question (hope it's ok):
    Is it possible to use LU together with SEPM + JDB files?

    Rgds
    Geir



  • 6.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 06:56 AM
    If you have LUA you can point your SEPM to download updates from it, so the jdb file is not required. The JDB file will update only AV/AS, but if you point it like this it will update all three on the clients.


  • 7.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 08:38 AM

    So then I can install/configure LUA on a specific server, preferably a different server than today's SEPM server. All new definitions will be downloaded and installed on LUA. The LUA can then specify which servers/workstations will receive the updates for test purposes (test group). After some period the updates will be downloaded to SEPM (which will deploy all updates to all servers/workstations). Today all updates are done through jdb files. Hope it's not necessary to reconfigure all setups.

    What is the filename that LUA can/will use? What about the SEPM server? Will the server still use jdb files, or do I have to do some reconfiguration?

    Thanks again for the useful information.

    Rgds
    Geir



  • 8.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 09:16 AM
    I am not getting exactly what you mean. The procedure is something like this. Install and configure a LUA server on a PC which has Internet access. It will download the updates from Symantec servers and put them in the distribution center. You have to manually copy all the files to a share which is accessible to your internal LU server (this server sits in the same network as your SEPM). Then this LU server downloads updates from this share and distributes them. The LUA server downloads the files in some special formats; it is not using the JDB format. As far as I know the JDB file format is only used for the SEPM update when we download from the Internet. Once we paste it in the incoming folder SEPM extracts it. Internally SEPM is not using the jdb file format. The resulting update will be the same whether you update via jdb, direct Internet or LUA.
    Configuration required on the SEPM side:
    1. In the test group's LU policy you have to specify the URL of the internal LiveUpdate server's test distribution center. You have to keep only the "use LiveUpdate server" option.
    2. In SEPM go to Admin --> Servers --> Local site --> Edit site properties --> LiveUpdate --> Source server --> Use internal LiveUpdate server.
    If you have any more queries, please post.


  • 9.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 10:18 AM
    Today all updates are done through JDB files (downloaded from the Internet to a USB flash memory). Afterwards the jdb file is copied to the incoming folder on the SEPM server. All new updates are then deployed automatically to all servers/workstations simultaneously.

    I wonder if it's possible to create a policy which is valid only for a test group (new definitions), and next distribute the same definitions file to all other servers and workstations if the definitions file is ok/verified.

    Another solution can be to download the jdb file, and one day later use the same file for deploying. If something is wrong with the jdb file (McAfee) then I would have heard about it.

    Rgds
    Geir


  • 10.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 14, 2010 10:49 AM
    For assigning a separate policy to a group, first you have to remove the inheritance (SEPM ---> Clients ---> Test group ---> Policies). Then you can do this in two ways:
    1. In SEPM ---> Policies ---> LiveUpdate, create a new policy and assign it to the test group.
    2. In SEPM ---> Clients ---> Test group ---> Policies, click on the LiveUpdate policy. It will prompt for creating a non-shared policy; click on it, do the modifications and click OK.

    I didn't understand what you mean by "jdb file (McAfee)". jdb is the Symantec SEPM update file and McAfee is another AV vendor.


  • 11.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 02:05 AM
    Thanks again,
    Today all definition updates are done by downloading the jdb files and saving the content under the inbox directory on the SEPM server. Next the updates are distributed automatically to all servers and workstations. That's our procedure today. Until today this procedure is ok, and everything seems to work as expected.

    But some weeks ago something strange happened with McAfee customers (blue screen ++). We will of course avoid this
    scenario in future. And some guy from Symantec told me to distribute the definitions to a small group of servers/clients. After a while I can distribute the contents to the rest of the servers/clients. My problem/questions are the following:

    1: What is the procedure to create a test group?
    2: What is the procedure to distribute updates only to the test group?
    3: What is the procedure to distribute the updates to the rest of the servers/clients?


    I assume it's the normal procedure for Symantec customers.


    Rgds
    Geir

    PS:
    Maybe they're odd questions, but I'm a new Symantec customer without sufficient experience.


  • 12.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 02:26 AM
    1: What is the procedure to create a test group?

    It can be any group in SEPM. Create a group in SEPM with the desired name, say "test". Remove inheritance. In the LU policy for this group, for the internal LiveUpdate server provide the URL of the test distribution center.

    2: What is the procedure to distribute updates only to the test group?
    See the answer for Q1.
    3: What is the procedure to distribute the updates to the rest of the servers/clients?

    Provide the production distribution center URL for the internal LiveUpdate server in SEPM. So SEPM will download and provide updates for the rest of the clients. Keep the necessary time interval between the schedules for running the production and testing distribution centers, so that test clients will first get the updates and after a particular interval, say 6 hours, SEPM will get the updates.

    Note: Please go through my earlier posts and links once again, and if you have any further query post here.


  • 13.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 03:09 AM

    So far I have not configured a LU server (is it essential?). According to your notes it's possible to create a policy which can distribute updates between several groups (based on a jdb file). Is that correct?

    I also tried to find the description in the Admin Guide, without success. All I need is a reference to the admin guide.



  • 14.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 03:35 AM
    Configuring LUA is one way of doing it, which is mostly in use.
    Another way is to create a test environment with one SEPM and a few clients connecting to it. Download the jdb file update in the test environment and see whether any problem is present. If it is ok, use the same file in the production SEPM for updating the clients. The disadvantage of this method is that the jdb file will update only AV/AS.
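    The two-SEPM jdb workflow described in this reply, and the "hold it for a while, then promote" interval mentioned earlier in the thread, can be scripted so that the same file that passed testing is the one that reaches production. The following is an added example, not code from the thread or from Symantec: it copies a downloaded .jdb into the test SEPM's incoming folder, keeps an archived copy with its SHA-256 (SEPM consumes the inbox file), and only copies the archived file into the production inbox after a hold period, re-hashing it first and skipping anything marked rejected. The inbox paths, the archive and state-file locations, the 6-hour hold and the `stage`/`promote`/`reject` subcommands are all assumptions for illustration; point them at your own manager's `incoming` folders.

```python
"""Staged promotion of a Symantec .jdb definition file: test SEPM first,
production SEPM only after a hold period, same bytes verified by hash.
Added example; paths, hold time and CLI names are assumptions."""
import hashlib
import json
import shutil
import sys
import time
from pathlib import Path

DEFAULT_HOLD_SECONDS = 6 * 3600  # "say 6 hours" from the thread; assumed default


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large definition packages do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_state(state_file: Path) -> dict:
    return json.loads(state_file.read_text()) if state_file.exists() else {}


def save_state(state_file: Path, state: dict) -> None:
    state_file.write_text(json.dumps(state, indent=2))


def stage_to_test(jdb: Path, archive: Path, test_inbox: Path,
                  state_file: Path, now: float) -> dict:
    """Copy a freshly downloaded .jdb into the test SEPM inbox and archive a
    hashed copy, because SEPM removes the inbox file once it is processed."""
    if jdb.suffix.lower() != ".jdb":
        raise ValueError(f"not a .jdb file: {jdb}")
    archive.mkdir(parents=True, exist_ok=True)
    test_inbox.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(jdb)
    shutil.copy2(jdb, archive / jdb.name)
    shutil.copy2(jdb, test_inbox / jdb.name)
    state = load_state(state_file)
    state[jdb.name] = {"sha256": digest, "staged_at": now, "status": "testing"}
    save_state(state_file, state)
    return state[jdb.name]


def reject(name: str, state_file: Path, reason: str) -> None:
    """Mark a staged package bad (e.g. false positives seen on test clients)
    so that promote_to_prod() never copies it to production."""
    state = load_state(state_file)
    state[name]["status"] = "rejected"
    state[name]["reason"] = reason
    save_state(state_file, state)


def promote_to_prod(archive: Path, prod_inbox: Path, state_file: Path,
                    now: float, hold_seconds: int = DEFAULT_HOLD_SECONDS) -> list:
    """Copy every package still in 'testing' status that has aged past the
    hold period into the production inbox. The archived copy is re-hashed
    first so a corrupted or swapped file is never promoted."""
    state = load_state(state_file)
    prod_inbox.mkdir(parents=True, exist_ok=True)
    promoted = []
    for name, entry in state.items():
        if entry["status"] != "testing" or now - entry["staged_at"] < hold_seconds:
            continue
        src = archive / name
        if not src.exists() or sha256_of(src) != entry["sha256"]:
            entry["status"] = "integrity_failed"  # leave it for a human to look at
            continue
        shutil.copy2(src, prod_inbox / name)
        entry["status"] = "promoted"
        entry["promoted_at"] = now
        promoted.append(name)
    save_state(state_file, state)
    return promoted


if __name__ == "__main__":
    # Assumed layout for the CLI; replace with your SEPM incoming folders.
    base = Path(r"C:\defs-staging")
    archive, state_file = base / "archive", base / "state.json"
    test_inbox = Path(r"C:\TestSEPM\data\inbox\content\incoming")
    prod_inbox = Path(r"C:\ProdSEPM\data\inbox\content\incoming")
    cmd = sys.argv[1:2]
    if cmd == ["stage"]:
        print(stage_to_test(Path(sys.argv[2]), archive, test_inbox, state_file, time.time()))
    elif cmd == ["reject"]:
        reject(sys.argv[2], state_file, " ".join(sys.argv[3:]) or "manual")
    elif cmd == ["promote"]:
        print("promoted:", promote_to_prod(archive, prod_inbox, state_file, time.time()))
    else:
        print("usage: stage <file.jdb> | reject <name> [reason] | promote")
```

    Run `stage` right after copying the jdb from the USB stick, run `promote` from a scheduled task, and `reject` anything the test group complains about. The hold period is what gives the test clients time to report trouble; the hash check is what guarantees production receives exactly the package that was tested and not a later download with the same name.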


  • 15.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 05:58 AM

    Thanks again,

    In the SEPM Console window we have created three groups; each group represents a different site in our domain. Is it possible to create a new group for testing new definitions? How is it possible to combine it with already existing groups?

    If you have any article or reference to the manual it will be great. I'd appreciate more information.




  • 17.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 06:17 AM
    I think you are asking about the possibility of LUA. If that is the case, create one more group for testing and move some clients to it. While selecting the clients, make sure that all the important software required for your company is covered (I mean present on those clients), so that we can check the maximum possibility of false positives.


  • 18.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 06:46 AM
    Thanks
    I have created a new group called Test Group. Additionally I can also move some clients to it. I assume I have to do more setup/configuration, since a new definitions update file will automatically be propagated to all clients/servers simultaneously.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048


    How is SEPM able to separate the Test Group from the other regular groups? If it's possible to manage it, all problems will disappear. Do you have an article and/or a reference to an article or manpages that describes the procedure?


  • 19.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 07:25 AM

    If I have one SEPM for old definitions (verified definitions) and one SEPM for testing purposes, the config/setup should be straightforward. It looks remarkable if that's necessary. Hope someone can give me further details on whether it's possible to combine it on one SEPM.

    Geir



  • 20.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 07:35 AM
    Go through this KB once:
    Configuring a LiveUpdate Settings policy


    I am not finding any other doc which is not mentioned in this thread. If anything is found, I will post it here.


  • 21.  RE: Endpoint Protection - definition update using the JDB file
    Best Answer

    Posted May 18, 2010 07:46 AM
    Keeping two different SEPMs is the best way. If you cannot do that, in SEPM go to Policies ---> LiveUpdate ---> LiveUpdate Content policy. Here you add a policy, say with the name "good updates", to lock down the definitions to a particular version which is working fine, and assign it to all groups except the test group. Put the new definition in SEPM; then it will get updated on the test group clients. If you find that the definition passes the test, again modify "good updates" and select that revision.
    Have a look at this KB also:
    How to Backdate Virus Definitions in Symantec Endpoint Protection Manager


  • 22.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 08:04 AM

    Do I need a new license for the second SEPM?



  • 23.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 18, 2010 08:14 AM
    In the case of SEP, the license is only based on the number of clients. So you need not pay for another SEPM.


  • 24.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 03:00 AM

    Thanks a lot.
    At last, one more question.
    Is it necessary to install the client/server agent software once again (from the new console window)?
    If not, it should be sufficient to install SEPM again and search for the workstations and servers which will participate in the new test group.

    Geir



  • 25.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 03:05 AM
    How are you planning to do it? By using LUA? Keeping one more SEPM?


  • 26.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 03:26 AM

    The plan is to install a new SEPM on my workstation. Is it ok to remove some clients from the "old SEPM" and incorporate the same clients into the "new SEPM"?

    I assume it's not needed to remove the client SW and deploy the same agent SW from the "new SEPM"? At least the SW is identical.

    Rgds
    geir




  • 28.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 04:16 AM
    Is it necessary to uninstall the agent SW (on the client) through Add/Remove Programs? Or is it sufficient to follow the guidelines?


  • 29.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 04:21 AM
    There is no need to reinstall the SW. Create a sylink file from the new SEPM and put it on the clients.


  • 30.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 05:53 AM
    Solution 3

    When I try to rename Sylink.xml I get the following error message: "Cannot rename Sylink: It's being used by another person or program. Close any programs that might be using the file and try again"

    This is my workstation (which also has SEPM installed).

    I have also tried to stop smc + reboot, so far without success.

    Rgds
    Geir

    PS:
    Sorry for all the questions


  • 31.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 19, 2010 06:00 AM
    I stopped/started the process through Services, then it worked as expected. Thanks


  • 32.  RE: Endpoint Protection - definition update using the JDB file

    Posted May 20, 2010 03:16 AM

    If I move a new jdb file to the incoming directory, the updates are downloaded to the client, but according to the SEPM console window the updates are not propagated to the client. The icon is a blue workstation (without a green icon).

    Hope you can give me some hints

    Rgds
    Geir


