Endpoint Protection Small Business Edition

  • 1.  SEPM Infrastructure design

    Posted Mar 25, 2013 12:48 PM

    Dear All,

    I need your guidance, as there are very expert people here who can answer my questions.

    1) If I have 2 locations, one in the USA and the other in Bangalore, then how should I plan the SEPM infra when the clients are 50000-1 Lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

    2) If I am getting 1000 incidents (virus infections) in 5 minutes, then how should I respond to this situation? What is the primary focus of this incident management?

    3) If my SEPM has all required ports and network configuration done and still it can't update the virus definitions itself, then what may be the possibility? What is the RCA of this?

    Please answer according to and relevant to the questions only. I will appreciate it if you genuinely answer these questions rather than pasting links.



  • 2.  RE: SEPM Infrastructure design

    Posted Mar 25, 2013 01:00 PM

    1) Your best bet would be to configure GUPs in your locations to provide clients with updates, so they don't need to come over the WAN and take up bandwidth.

    2) You would need to determine if this is coming from one or multiple PCs. Once that is determined, you need to see what action is being taken on the risk. Cleaned, deleted, or quarantined are the obvious choices. For machines that are unable to be remediated, you will need to do manual work on the machine to get it corrected.

    3) Well, it depends. Can it connect to the SEPM/GUP? Is there enough hard drive space? Are the definitions corrupt? There could be a host of reasons. You have the ability to configure debugging on both SEPM and clients to help you troubleshoot this.

    For some additional reading, though, I would highly recommend going over the Sizing and Scalability guide. It is attached and it is very useful.




  • 3.  RE: SEPM Infrastructure design

    Posted Mar 26, 2013 12:02 AM

    Hello Ks,

    Just look at this discussion:

    https://www-secure.symantec.com/connect/forums/sepm-desing-large-environment



  • 4.  RE: SEPM Infrastructure design

    Broadcom Employee
    Posted Mar 26, 2013 12:37 AM
    1) If I have 2 locations, one in the USA and the other in Bangalore, then how should I plan the SEPM infra when the clients are 50000-1 Lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

    You may want to set one SEPM in the USA and the other in Bangalore, with the remote sites being GUPs. Enable replication between these 2 SEPMs.

    2) If I am getting 1000 incidents (virus infections) in 5 minutes, then how should I respond to this situation? What is the primary focus of this incident management?

    You need to analyze what kind of attack it is, check the write-up and follow 'Best practices for troubleshooting viruses on a network':

    http://www.symantec.com/business/support/index?page=content&id=TECH122466

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

    3) If my SEPM has all required ports and network configuration done and still it can't update the virus definitions itself, then what may be the possibility? What is the RCA of this?

    You may need to troubleshoot the LU part. However, you can update the SEPM using the JDB file; this will update the AV definitions only.


  • 5.  RE: SEPM Infrastructure design
    Best Answer

    Posted Apr 02, 2013 04:49 AM
    1. If I have 2 locations, one in the USA and the other in Bangalore, then how should I plan the SEPM infra when the clients are 50000-1 Lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

    - You can create a SEPM at both locations and set up replication between them for BCP (disaster recovery).

    For LiveUpdate Administrator details, please refer to the links below:

    https://www-secure.symantec.com/connect/forums/lua-server

    https://www-secure.symantec.com/connect/forums/lua-and-sepm-lu

    Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

    http://www.symantec.com/business/support/index?page=content&id=TECH160736


    2) If I am getting 1000 incidents (virus infections) in 5 minutes, then how should I respond to this situation? What is the primary focus of this incident management?

    • Check the source of the infected machines and remove them from the network.
    • Check the Network Threat Protection report in SEPM and work on the top sources of attack.
    • Simultaneously submit the suspicious/virus file to Symantec support, stating the critical business application requirement.

    Submit these suspicious threat files at:

    https://submit.symantec.com/essential

    http://www.threatexpert.com

    Secondly, I would suggest you work through the article below:

    Using Symantec Help (SymHelp) Tool, how to Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    http://www.symantec.com/docs/TECH203027


    3. If my SEPM has all required ports and network configuration done and still it can't update the virus definitions itself, then what may be the possibility? What is the RCA of this?

    Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.

    Article: TECH166923 | Created: 2011-08-11 | Updated: 2012-06-16 | Article URL: http://www.symantec.com/docs/TECH166923



  • 6.  RE: SEPM Infrastructure design

    Broadcom Employee
    Posted Apr 02, 2013 07:09 AM

    Hi,

    I would like to answer your questions.

    1) If I have 2 locations, one in the USA and the other in Bangalore, then how should I plan the SEPM infra when the clients are 50000-1 Lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

    --> You should decide whether you want failover and replication between the two sites or not.

    If yes, then you need to configure a SEPM at each location.

    If not, then you can have a GUP at each location and its sub-branches.

    LiveUpdate Administrator is useful if you have multiple SEPMs in the network and don't want each SEPM to go to the Internet to get the updates. LUA will go over the Internet and pass on the available updates to the SEPMs.

    LUA is also useful if you have multiple Symantec products. LUA can download updates for multiple products over the Internet.

    2) If I am getting 1000 incidents (virus infections) in 5 minutes, then how should I respond to this situation? What is the primary focus of this incident management?

    --> Probably in that case it can be a new threat. Try to find out the source machine, what kind of infection it is, and what actions SEP has taken. If SEP is not taking any action, then log a Severity 1 case with Symantec to receive immediate assistance. The Symantec Security Response team can guide you further.

    3) If my SEPM has all required ports and network configuration done and still it can't update the virus definitions itself, then what may be the possibility? What is the RCA of this?

    --> Then you need to identify what the possible root cause can be.

    Take help from this article in that case:

    Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

    http://www.symantec.com/docs/TECH95790
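    The triage steps that posts 2, 5 and 6 give for question 2 (work out whether the burst comes from one or many PCs, rank the top sources of attack, and single out the machines SEP could not remediate so they can be pulled off the network and cleaned by hand) as an added Python example. This is not code from the thread, from Symantec or from SEPM; the tab-separated event lines are constructed for the example and are not the real SEPM risk-log export format, and the set of action strings treated as "not remediated" is an assumption you would adjust to your own export.

```python
"""Triage a burst of SEP risk events: peak rate, top source hosts, unremediated machines.

Added example, not from the thread. The log format below is CONSTRUCTED
(tab-separated: time, computer, ip, risk, action) and is not a claim about
the real SEPM export format.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample risk events (not real data): a worm burst at the
# Bangalore site plus a couple of unrelated detections in the USA.
SAMPLE_LOG = """\
2013-03-25 12:40:01\tWS-BLR-017\t10.2.4.17\tW32.Sample.Worm\tQuarantined
2013-03-25 12:40:05\tWS-BLR-017\t10.2.4.17\tW32.Sample.Worm\tQuarantined
2013-03-25 12:40:09\tWS-BLR-022\t10.2.4.22\tW32.Sample.Worm\tLeft alone
2013-03-25 12:41:30\tWS-USA-101\t10.1.7.101\tTrojan.Sample\tCleaned
2013-03-25 12:42:00\tWS-BLR-017\t10.2.4.17\tW32.Sample.Worm\tLeft alone
2013-03-25 12:43:12\tWS-BLR-022\t10.2.4.22\tW32.Sample.Worm\tLeft alone
2013-03-25 12:44:50\tWS-BLR-017\t10.2.4.17\tW32.Sample.Worm\tQuarantined
2013-03-25 13:10:00\tWS-USA-102\t10.1.7.102\tTrojan.Sample\tDeleted
"""

# Assumption: action strings meaning SEP did NOT remove the threat. Machines
# with these need isolation and manual cleanup (posts 2 and 5).
UNREMEDIATED = {"Left alone", "Partially removed", "Unable to repair"}


def parse_events(text):
    """Parse the constructed TSV lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, computer, ip, risk, action = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "computer": computer, "ip": ip, "risk": risk, "action": action,
        })
    return sorted(events, key=lambda e: e["time"])


def busiest_window(events, window=timedelta(minutes=5)):
    """Sliding window over sorted events: (start_time, count) of the densest span."""
    times = [e["time"] for e in events]
    best_start, best_count, lo = None, 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:   # drop events that fell out of the window
            lo += 1
        if hi - lo + 1 > best_count:
            best_start, best_count = times[lo], hi - lo + 1
    return best_start, best_count


def top_sources(events, n=5):
    """Rank computers by number of detections: the 'top sources of attack'."""
    return Counter(e["computer"] for e in events).most_common(n)


def top_risks(events, n=5):
    """Rank risk names, to tell one spreading threat from scattered noise."""
    return Counter(e["risk"] for e in events).most_common(n)


def unremediated_hosts(events):
    """Hosts with at least one detection SEP could not clean; candidates for isolation."""
    return sorted({e["computer"] for e in events if e["action"] in UNREMEDIATED})


def triage(text, window_minutes=5, burst_threshold=1000):
    """Summarise a risk-log export; the default threshold is the thread's 1000 in 5 minutes."""
    events = parse_events(text)
    start, count = busiest_window(events, timedelta(minutes=window_minutes))
    return {
        "total_events": len(events),
        "peak_window_start": start,
        "peak_window_count": count,
        "burst": count >= burst_threshold,
        "top_sources": top_sources(events),
        "top_risks": top_risks(events),
        "unremediated_hosts": unremediated_hosts(events),
    }


if __name__ == "__main__":
    # Lower threshold so the tiny constructed sample registers as a burst.
    for key, value in triage(SAMPLE_LOG, burst_threshold=5).items():
        print(f"{key}: {value}")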



  • 7.  RE: SEPM Infrastructure design

    Posted Apr 03, 2013 12:10 AM

    Thank you so much to chetan, K33,Pete and brian for helping me and providing me idea for above query.