Endpoint SWAT: Protect the Endpoint Community

  • 1.  NTP and Firewall on Servers

    Posted Nov 05, 2015 11:53 AM

    I have been working with SEP for many years and have always heard mixed reactions on whether or not to install NTP on servers.  What are most doing nowadays? I recently upgraded to 12.1.6; should I install NTP on my servers?  As of now I just have the AV component installed.

     

    Thanks for any input



  • 2.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 11:56 AM

    I've always installed the full suite on servers (AV, NTP, PTP and ADC). And where applicable all components are turned on. The place you need to be careful is with IPS and high bandwidth servers:

    Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection (SEP) on high-availability/high bandwidth servers.

    Aside from that, I see no reason to not install all components on servers. Unless of course you run into road blocks in your environment. The extra layers are stopping malicious activity, especially against external facing boxes. My recommendation is to test first but by all means do it if you can.

    Additional article for reading:

    Installation best practices for Endpoint Protection on Windows servers

    If you have further questions, ask away!



  • 3.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 12:01 PM

    Thanks, I will give it a shot. Is there a nice easy place to go in the SEPM to see what is being blocked after I installed the full suite so I can make my exceptions accordingly?



  • 4.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 12:05 PM

    Yes, there is.

    Go to the Monitors page and select the Logs tab:


    From here you will need to review a few different logs:

    • Network Threat Protection (Firewall and IPS)
    • SONAR (part of PTP)
    • Risk
    • Application and Device Control (if you use)

    These are the ones that will show the detections for the corresponding component(s).

     



  • 5.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 12:30 PM

    Great, thank you for the help. Forgive me, but I have a few more questions pertaining to other features in SEP.  Turns out I was missing a lot of great information on this forum over the years.  Could you assist or should I set up another thread?  Questions are as follows:

     

    I set up System Lockdown on a test group and just have my workstations on it. I have it set up to log unapproved applications.  I pulled a fingerprint from my workstation via the SEPM.  Since I did that I have installed a new application. How do I get those hashes into the approved applications, run another fingerprint scan?  Also, I would like to enable system lockdown one day. Every time there is a software update, such as Windows Update or an Adobe Flash and Reader update, are my workstations going to not work and need a new fingerprint pulled?

     

    Also, how do you recommend monitoring and alerting on the data in SEP? There doesn't seem to be a way to get an email notification in the event of virus infections etc., just scheduled reports. I appreciate any help you can offer.



  • 6.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 12:34 PM

    There is an option to enable automatic updating of the whitelist:

    Automatically updating whitelists or blacklists for system lockdown

    Enabling automatic updates of whitelists and blacklists for system lockdown

    Also, you can manually do it should you choose:

    Manually updating a file fingerprint list in Symantec Endpoint Protection Manager

    In terms of configuring alerts, on the Monitors page select the Notifications tab and the Notification Conditions button.

    Here is where you can set up any alert that you would like.



  • 7.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 01:06 PM

    Thank you for all the information, I will check it out



  • 8.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 01:08 PM

    You're welcome. Check back if you need anything.



  • 9.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 02:04 PM

    If you go to the Monitors button, then select the Notifications tab, and then click the Notifications Conditions button on the lower right, you will see a "Single Risk Event" that you can edit and add your email address to for virus notifications.



  • 10.  RE: NTP and Firewall on Servers

    Posted Nov 05, 2015 03:19 PM

    When system lockdown is enabled and say I have a user traveling with a laptop and they need to install a new app.  They install the app and run it and it won't work due to the system lockdown policy and they need to run it. What would be the thought process to get them up and running quickly?