Endpoint Protection


Quarantine server solution

  • 1.  Quarantine server solution

    Posted Jun 03, 2013 09:03 AM

    Hi Team

     

    1. I want a solution for the Quarantine server: if a Quarantine server goes down, what is the next step in an IT environment for directing the virus files?

    I have 5000 users; what will happen if the Quarantine server goes down, and how are suspicious files handled?

    2. Do we need to test the daily definition updates released from Symantec, as the management says it's a risk to directly download the updates and distribute them in an IT environment? Please provide a solution on this.

     

    Thanks

     



  • 2.  RE: Quarantine server solution

    Posted Jun 03, 2013 09:06 AM

    Symantec offers the quarantine server and you can set it up to handle quarantined files

    Best Practices for using Quarantine Server in a Symantec Endpoint Protection environment

    Article:TECH95663  |  Created: 2009-01-20  |  Updated: 2012-03-15  |  Article URL http://www.symantec.com/docs/TECH95663

     

    System requirements for the Central Quarantine Server

    Article:TECH182071  |  Created: 2012-02-23  |  Updated: 2013-03-29  |  Article URL http://www.symantec.com/docs/TECH182071

     

    If the server goes down, you can modify the AV policy to allow client computers to automatically submit quarantined items to Symantec Security Response.

    It's up to you if you want to test. If you have the resources then it is a good idea, although Symantec has been very reliable when it comes to putting out good definitions.



  • 3.  RE: Quarantine server solution

    Posted Jun 03, 2013 09:18 AM

    Can you send me the link for what AV policy changes need to be done in SEPM, so that all 5000 clients submit the quarantined items to Symantec Security Response?

     



  • 4.  RE: Quarantine server solution

    Posted Jun 03, 2013 09:24 AM

    Edit your AV policy >> on left side, under Advanced Options, click Quarantine. Check the box for "Allow client computers to manually submit quarantined items to Symantec Security Response"

    See this KBA on it:

    Configuring clients to submit quarantined items to a Central Quarantine Server or Symantec Security Response

    Article:HOWTO80953  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO80953

     

    Another helpful reference as well:

    How to Manage Quarantined files.

    Article:TECH106443  |  Created: 2008-01-03  |  Updated: 2012-02-14  |  Article URL http://www.symantec.com/docs/TECH106443

     



  • 5.  RE: Quarantine server solution

    Posted Jun 03, 2013 09:49 AM

    Thanks Brian,

    Once the quarantined files are sent to Symantec Security Response, what is the SLA for the resolution? (Process)

    Do SEP clients need internet access to submit the suspicious file directly to Symantec?

    Does the Quarantine server need to have internet access to forward the unresolved infected files to Symantec once it has received all infected files from SEP clients?



  • 6.  RE: Quarantine server solution

    Posted Jun 03, 2013 09:53 AM

    The files are submitted anonymously so I doubt there is any formal process involved.

    Yes, you would need internet connectivity for both.



  • 7.  RE: Quarantine server solution

    Posted Jun 03, 2013 10:21 AM

    SEP clients do not have internet access here in my environment, whereas the quarantine server may have internet access; it's a new design we have proposed.

    So it's a risk if the SEP clients do not have internet access and the quarantine server goes down; all the infected files may impact the working environment.

    Please suggest.

     



  • 8.  RE: Quarantine server solution

    Posted Jun 03, 2013 10:26 AM

    The files would be in quarantine so they won't be a risk to the client.

    You would need to manually remove the file from quarantine and submit it to Symantec manually.

    Restoring a false positive from the Symantec Antivirus quarantine

    Article:TECH105602  |  Created: 2008-01-12  |  Updated: 2011-01-31  |  Article URL http://www.symantec.com/docs/TECH105602

     

    Symantec has also got an unsupported tool called QExtract located under the Tools\NoSupport folder of the installation CD if you need to restore the quarantined file for multiple machines. Please follow the QurantineExtract.html file that comes with the tool on how to use it.



  • 9.  RE: Quarantine server solution

    Posted Jun 04, 2013 07:12 AM

    Hi

    For 5000 SEP clients, what is the hardware requirement (for example RAM, CPU, etc.)?

    Is there any standard sheet from Symantec which says that for this many SEP clients this much RAM is required, this much CPU is required, etc.?

     

    I have gone through the SEPM implementation guide, which shows minimum requirements.

    I need the exact requirement for 5000 SEP clients, please suggest.

    Thanks



  • 10.  RE: Quarantine server solution

    Posted Jun 04, 2013 07:17 AM

    Check the attached guide for recommendations

     




  • 11.  RE: Quarantine server solution

    Posted Jun 11, 2013 06:47 AM

    Hi Brian

    Can you help in checking on the capabilities of Symantec Endpoint USB device encryption?