Endpoint Protection

Hi @ all

Since today, bevore I installed a SEP client on a machine I decided first, which SEP modules I want to use on it and after just installed the proper designed "Install feature set". Unfortunately I have to reinstall the client, when I want to add a module to the client because my SEP Server is just available over port 443... Can I not just install all features on the clients and servers and disable them in the policies without getting any error?

Thanks for your help and ideas.

Hello,

When you are installing SEP on a machine with specific features, these features are not installed on the machine.

To enable these Features, you would have to Install the features and only then the policies would be reflected to those Features.

To install these Features you could either use Autoupgrade OR via installing the package OR adding these features from Add/ remove Programs on the local machine.

Check these Articles:

How Symantec Endpoint Protection protection features work together

http://www.symantec.com/docs/HOWTO55268

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

http://www.symantec.com/docs/TECH90936

Symantec Endpoint Protection Recommended Best Practices for Securing an Enterprise Environment

http://www.symantec.com/docs/TECH166816

Hope that helps!!

This article sounds good Mithun (http://www.symantec.com/docs/TECH166816) thanks for sharing.

Hi Mithun, am I wrong or you don't get what I'm asking for?

I'm asking for installing all features and disabling them via policy without getting any error.

Hello,

This is by design.

Disabling the policies would show the error on the SEP client GUI, as these features are installed but disabled. To ensure the user is aware that the features may not work correctly.

hi,

Check this artical.

http://www.symantec.com/connect/articles/how-disable-sep-features-client-gui-sep

Yes I agree above comments.

When you will be disabled any feature ,showing error on SEP Client GUI.

Even when you withdraw the policies from SEPM the features will not be removed on the actual client.

If after installation you decide to remove a feature(s) you have to use the add/remove features or the below doc should help you.

MSI command line reference for Symantec Endpoint Protection 11.0

http://www.symantec.com/business/support/index?page=content&id=TECH102668

Hope that helps.

Hi,

There is no need to uninstall & reinstall.

Q.Can I not just install all features on the clients and servers and disable them in the policies without getting any error?

--> It's not the correct approach & I believe it's not possible also.

Best option would be re-deoploy SEP packages.Either through remote push or auto upgrade.

Upgrading clients by using AutoUpgrade. Auto upgrade method can remove installed features also.

http://www.symantec.com/docs/TECH96789

Hi Chetan

Thanks for your information. Is AutoUpgrade available through SEPM Servers that are just available on port 443?

Thanks for your information

Hi,

Push deployment ports, used on management servers and clients: TCP 139 and 445, UDP 137 and 138, and TCP ephemeral ports.

Check following article for more details.

Steps to prepare computers to install Symantec Endpoint Protection 12.1 client

http://www.symantec.com/docs/TECH163112

Which Communications Ports does Symantec Endpoint Protection use?

http://www.symantec.com/docs/TECH163787

Our could I just install the SEP Firewall and open all ports on it? This is the same as just not installing it, right?

Yes, Installing SEP firewall & opening all the the ports is same as just not installing it.

So, the solution is:

the following technologies can be installed and then be disabled by policy without getting an error:

- Sonar
- Auto Protect
- Advanced download protection
- SMTP/POP scanner
- Network Intrusion Prevention
- Browser Intrusion Prevention
- Application Control
- Device Control

In order to pre-insall the firewall on the clients and disable it by policy without getting an error you have to implement a workarround by enabling a policy which just doesn't blocks any ports.