Endpoint Protection

  • 1.  Host Integrity questions on SEP 12.1

    Posted Jun 15, 2012 09:40 AM

    Hello,


    Some questions about SNAC on SEP 12.1 clients:

    - I have a Host integrity policy in a Location, and a lot of other policies (Antivirus, Firewall, Exceptions...).

    I want to have my client put in the Quarantine zone if the HI fails. In this Quarantine zone, I set a different Firewall and LiveUpdate policy. Do I have to duplicate in this Quarantine zone all other policies, even if they are the same as in the non-quarantine zone?

    One strange behaviour is that it seems that when I'm in this Quarantine zone, the IPS on the client goes to disabled... The only thing that can explain this is that in the quarantine zone I don't duplicate the IPS policy. If that is the reason, why is my Antivirus not disabled, since I don't have the duplicate policy in this quarantine zone as well?

    - In the HI policy, I check the signature age on the client. I checked 'If not, update the signature file' and entered the following program command line: ' "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SepLiveUpdate.exe" '.

    I heard that this file replaces LUALL and is ONLY able to update from LUA servers over the internet or locally, but not from SEPM servers! So what can I do if I need to force a client to check for updates on the SEPM server when I don't have a local LUA and no access to the internet? Is there a solution with the URL update and a specific SEPM URL? Or an 'intelligent package'-like object that can be created on the SEPM to be available for the client?

    Moreover, if the SepLiveUpdate fails, how do I force a repeated check every X minutes, for example? I saw an option in the HI policy, but only for URL download.


    Thanks in advance for your help.

    Regards



  • 2.  RE: Host Integrity questions on SEP 12.1
    Best Answer

    Posted Jun 15, 2012 10:16 AM

    First off, please note you have posted in the SEP forums, and a separate one exists for SNAC.

    1. As far as the policies assigned within the "Quarantine Policies when Host Integrity Fails" section goes, you should assign any and all policies you need, even if they are the same as the non-quarantine policies.
    2. Regarding the strange behaviour, this is because AV/AS cannot be disabled by withdrawing the policy, whereas the other components (i.e. IPS) can be entirely disabled by not assigning a corresponding policy.
    3. Running SepLiveUpdate.exe will indeed initiate a LU session to whatever LU servers you configured in the LU policy assigned to the "Quarantine Policies..." section. You cannot force a client to update from the SEPM other than to get it to do another heartbeat ("smc -updateconfig" might be of help here).
    4. You can amend the retry settings under the LU Policy you assign to the "Quarantine Policies..." section.

    Hope some of that helps and makes sense.
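One way to script the fallback described in point 3 above, as an added example that is not from the thread or from Symantec: run the same SepLiveUpdate.exe the HI policy invokes, and if it does not succeed, fall back to "smc -updateconfig" so the client performs another heartbeat and re-reads its policy from the SEPM, retrying a fixed number of times. The install path is the one quoted in the question; that smc.exe lives in the same directory, and that a non-zero exit code from SepLiveUpdate.exe means failure, are assumptions of this script.

```powershell
# Added example, not code from the thread or from Symantec.
# Assumptions: smc.exe sits beside SepLiveUpdate.exe, and SepLiveUpdate.exe
# signals failure with a non-zero exit code.
$sepDir      = "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection"  # path from the question
$liveUpdate  = Join-Path $sepDir "SepLiveUpdate.exe"
$smc         = Join-Path $sepDir "smc.exe"   # assumed location
$maxAttempts = 3                             # chosen for this example
$retryMinutes = 10                           # the "every X minutes" from the question

function Invoke-SepLiveUpdate {
    # Returns $true when SepLiveUpdate.exe exits with code 0 (assumed to mean success).
    $p = Start-Process -FilePath $liveUpdate -Wait -PassThru -NoNewWindow
    return ($p.ExitCode -eq 0)
}

for ($i = 1; $i -le $maxAttempts; $i++) {
    Write-Host ("Attempt {0}/{1}: starting SepLiveUpdate" -f $i, $maxAttempts)
    if (Invoke-SepLiveUpdate) {
        Write-Host "LiveUpdate finished successfully"
        break
    }
    # LiveUpdate could not reach any LU server: force a heartbeat so the client
    # re-downloads its policy (and any content the SEPM serves it) instead.
    Write-Warning "LiveUpdate failed; running smc -updateconfig to force a heartbeat"
    & $smc -updateconfig
    if ($i -lt $maxAttempts) {
        Start-Sleep -Seconds ($retryMinutes * 60)
    }
}
```

Run it from an elevated prompt on the client; the retry interval built into the LiveUpdate policy (point 4) remains the supported way to get repeated attempts, this script only shows what the fallback looks like when triggered by hand or from a scheduled task.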



  • 3.  RE: Host Integrity questions on SEP 12.1

    Posted Jun 19, 2012 03:57 AM

    Thanks a lot for these answers.

    I appreciate.


    Have a good day.

    Regards



  • 4.  RE: Host Integrity questions on SEP 12.1

    Posted Jun 19, 2012 04:09 AM

    One last question regarding this topic:

    I understand that we have to duplicate all policies from the non-quarantine zone to the quarantine zone.

    Is it also needed for the Host Integrity policy, or do we only have to keep it in the non-quarantine zone? For example, if I have a SepLiveUpdate.exe forced in the policy, I want to be sure that even in this quarantine zone the setting is correctly applied.


    Thanks in advance



  • 5.  RE: Host Integrity questions on SEP 12.1

    Posted Jun 19, 2012 04:21 AM

    ...You can't add a HI policy to the Quarantine Policies list, see attached picture. As far as Quarantine policies go, you can only select from AV&AS, FW, IPS, A&DC, LU and CE.

    #EDIT# As always, it'd be much appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution. Ta!