
SEPM Infrastructure design

Created: 25 Mar 2013 • Updated: 02 Apr 2013 | 6 comments
Posted by kishorilal1986
This issue has been solved. See solution.

Dear All,

I need your guidance, as there are very expert people here who can answer my questions.

1) If I have two locations, one in the USA and the other in Bangalore, how should I design the SEPM infrastructure when the clients number 50,000 to 1 lakh (100,000)? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

2) If I am getting 1000 incidents (virus infections) in 5 minutes, how should I respond to this situation? What is the primary focus of incident management here?

3) If my SEPM has all the required ports and network configuration done and still cannot update the virus definitions itself, what could be the possibility? What is the RCA for this?

Please answer according to, and relevant to, the questions only. I will appreciate it if you genuinely answer these questions rather than pasting links.


Posted by .Brian

1) Your best bet would be to configure GUPs (Group Update Providers) in your locations to provide clients with updates so they don't need to come over the WAN, taking up bandwidth.

2) You would need to determine if this is coming from one or multiple PCs. Once that is determined, you need to see what action is being taken on the risk. Cleaned, deleted, or quarantined are the obvious choices. For machines that are unable to be remediated, you will need to do manual work on the machine to get it corrected.

3) Well, it depends. Can it connect to the SEPM/GUP? Is there enough hard drive space? Are the definitions corrupt? There could be a host of reasons. You have the ability to configure debugging on both SEPM and clients to help you troubleshoot this.

For some additional reading, though, I would highly recommend going over the Sizing and Scalability guide. It is attached and it is very useful.

Attachment: SEP_Sizing and Scalability Best Practices_v2.3.pdf (688.76 KB)

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
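The first two steps in the answer above, working out whether the burst comes from one PC or many and what action SEP actually took, are easy to get wrong by eye when events arrive at 200 a minute. The script below is an added example written for this thread, not code from Symantec or from any poster: it aggregates a SEPM risk-log CSV export by host, risk, attacking source and action, and lists the hosts whose events ended in an unremediated state. The column names, the action strings and the sample rows are all assumptions made up for the example; a real export needs its header mapped onto them.

```python
"""Triage a burst of SEP risk events exported from SEPM as CSV.

Added example, not code from the thread or from Symantec. It answers the two
questions raised first: is the burst coming from one machine or many, and
what action SEP actually took on each event, so that the hosts needing manual
work are listed rather than guessed at. Assumptions: the column names below
(a real SEPM risk-log export will need its own header mapped onto these), the
action strings, and the sample rows, which are constructed, not real data.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export: eight events, six hosts, one dominant source.
SAMPLE_CSV = r"""Event Time,Risk Name,Computer Name,Source Computer,Actual Action,File Path
2013-03-25 10:00:01,W32.Downadup.B,PC-BLR-0101,PC-BLR-0042,Quarantined,C:\Windows\Temp\a.dll
2013-03-25 10:00:05,W32.Downadup.B,PC-BLR-0102,PC-BLR-0042,Quarantined,C:\Windows\Temp\a.dll
2013-03-25 10:00:09,W32.Downadup.B,PC-BLR-0103,PC-BLR-0042,Left alone,C:\Windows\System32\b.dll
2013-03-25 10:00:12,W32.Downadup.B,PC-BLR-0103,PC-BLR-0042,Left alone,C:\Windows\System32\c.dll
2013-03-25 10:01:30,W32.Downadup.B,PC-US-0007,PC-BLR-0042,Cleaned,C:\Users\Public\x.exe
2013-03-25 10:02:00,Trojan.Gen,PC-US-0310,,Quarantined,C:\Users\jdoe\Downloads\inv.pdf.exe
2013-03-25 10:03:45,W32.Downadup.B,PC-BLR-0104,PC-BLR-0042,Pending,C:\Windows\Temp\a.dll
2013-03-25 10:04:50,W32.Downadup.B,PC-BLR-0101,PC-BLR-0042,Quarantined,C:\Windows\Temp\d.dll
"""

# Actions that leave the threat on disk; hosts with these need hands-on work.
UNREMEDIATED = {"Left alone", "Pending", "Access denied"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_export(text):
    """Read the CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def triage(rows):
    """Aggregate a burst: volume, rate, top risks/hosts/sources, and what still needs cleanup."""
    by_host = Counter(r["Computer Name"] for r in rows)
    by_risk = Counter(r["Risk Name"] for r in rows)
    by_action = Counter(r["Actual Action"] for r in rows)
    # Source Computer is empty for local detections (e.g. a download), so skip blanks.
    by_source = Counter(r["Source Computer"] for r in rows if r["Source Computer"])
    needs_manual = sorted({r["Computer Name"] for r in rows
                           if r["Actual Action"] in UNREMEDIATED})
    times = sorted(datetime.strptime(r["Event Time"], TIME_FMT) for r in rows)
    span_s = max((times[-1] - times[0]).total_seconds(), 1.0)  # avoid divide-by-zero
    return {
        "total": len(rows),
        "distinct_hosts": len(by_host),
        "events_per_minute": round(len(rows) * 60 / span_s, 2),
        "top_risks": by_risk.most_common(3),
        "top_hosts": by_host.most_common(5),
        "top_sources": by_source.most_common(3),
        "actions": dict(by_action),
        "needs_manual_remediation": needs_manual,
    }


def verdict(summary):
    """'single-source' when one attacking host accounts for at least half the events.

    That is the case to isolate one machine first; 'multi-source' points at a
    policy or definition gap across the fleet instead.
    """
    if summary["top_sources"] and summary["top_sources"][0][1] * 2 >= summary["total"]:
        return "single-source"
    return "multi-source"


if __name__ == "__main__":
    summary = triage(parse_export(SAMPLE_CSV))
    for key, value in summary.items():
        print(f"{key:>26}: {value}")
    print(f"{'verdict':>26}: {verdict(summary)}")
```

Run it against the embedded sample and the verdict is "single-source": PC-BLR-0042 is behind seven of the eight events, so pulling that one machine off the network stops the burst, while PC-BLR-0103 and PC-BLR-0104 are the two hosts where SEP left the file in place and need manual cleanup.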

Posted by W007

Hello Ks,

Just look at this discussion:

https://www-secure.symantec.com/connect/forums/sep...


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Posted by pete_4u2002

1) If I have two locations, one in the USA and the other in Bangalore, how should I design the SEPM infrastructure when the clients number 50,000 to 1 lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

You may want to set up one SEPM in the USA and another in Bangalore, with the remote sites being GUPs. Enable replication between these two SEPMs.

2) If I am getting 1000 incidents (virus infections) in 5 minutes, how should I respond to this situation? What is the primary focus of incident management here?

You need to analyze what kind of attack it is, check the write-up, and follow 'Best practices for troubleshooting viruses on a network':

http://www.symantec.com/business/support/index?pag...
http://www.symantec.com/business/theme.jsp?themeid...

3) If my SEPM has all the required ports and network configuration done and still cannot update the virus definitions itself, what could be the possibility? What is the RCA for this?

You may need to troubleshoot the LU part. However, you can update the SEPM using the JDB file; this will update the AV definitions only.

Posted by K33

1. If I have two locations, one in the USA and the other in Bangalore, how should I design the SEPM infrastructure when the clients number 50,000 to 1 lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

- You can create a SEPM at both locations and have them replicate to each other for BCP (disaster recovery).

For LiveUpdate Administrator details, please refer to the below:

https://www-secure.symantec.com/connect/forums/lua-server

https://www-secure.symantec.com/connect/forums/lua-and-sepm-lu

Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

http://www.symantec.com/business/support/index?page=content&id=TECH160736


2) If I am getting 1000 incidents (virus infections) in 5 minutes, how should I respond to this situation? What is the primary focus of incident management here?

  • Check the source of the infected machines and remove it from the network.
  • Check the Network Threat Protection report in SEPM and work on the top sources of attack.
  • Simultaneously, submit the suspicious/virus file to Symantec support along with the critical business application requirement.

Submit these suspicious threat files at:

https://submit.symantec.com/essential

http://www.threatexpert.com

Secondly, I would suggest you work on the below article:

Using the Symantec Help (SymHelp) tool: how to collect suspicious files and submit them to the Symantec Security Response team.

http://www.symantec.com/docs/TECH203027


3. If my SEPM has all the required ports and network configuration done and still cannot update the virus definitions itself, what could be the possibility? What is the RCA for this?

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.

Article: TECH166923 | Created: 2011-08-11 | Updated: 2012-06-16 | Article URL: http://www.symantec.com/docs/TECH166923

SOLUTION
Posted by Chetan Savade

Hi,

I would like to answer your questions.

1) If I have two locations, one in the USA and the other in Bangalore, how should I design the SEPM infrastructure when the clients number 50,000 to 1 lakh? What is the advantage of a LiveUpdate Administrator server in this design? Also, what is the ideal disaster recovery (BCP) plan for this?

--> You should decide whether you want failover and replication between the two sites or not.

If yes, then you need to configure a SEPM at each location.

If not, then you can have a GUP at each location and its sub-branches.

LiveUpdate Administrator is useful if you have multiple SEPMs in the network and don't want each SEPM to go to the Internet to get the updates. LUA will go over the Internet and pass the available updates on to the SEPMs.

LUA is also useful if you have multiple Symantec products: LUA can download updates for multiple products over the Internet.

2) If I am getting 1000 incidents (virus infections) in 5 minutes, how should I respond to this situation? What is the primary focus of incident management here?

--> Probably, in that case, it could be a new threat. Try to find out the source machine, what kind of infection it is, and the actions SEP has taken. If SEP is not taking any action, then log a Severity 1 case with Symantec to receive immediate assistance. The Symantec Security Response team can guide you further.

3) If my SEPM has all the required ports and network configuration done and still cannot update the virus definitions itself, what could be the possibility? What is the RCA for this?

--> Then you need to identify what the possible root cause could be.

Take help from this article in that case:

Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

http://www.symantec.com/docs/TECH95790

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
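Before walking the LiveUpdate troubleshooting flowchart referenced above, it helps to have the first few branches answered mechanically on the SEPM host itself: does the update host resolve, does a TCP handshake to it actually complete (open firewall rules on paper are not the same thing), is the content volume full, and is the content tree on disk empty or stale. The script below is an added example written for this thread, not Symantec tooling or code from any poster. The LiveUpdate hostname and port, the content directory, the YYMMDDRRR revision-folder naming and the thresholds are all assumptions; if a LUA or proxy sits in front of the SEPM, point the host constant at that instead. Every external call is injectable so the checks can be exercised without a SEPM at hand.

```python
"""Offline-testable pre-flight for a SEPM that stops pulling definitions.

Added example, not Symantec tooling. It walks the same checks the thread lists
(reachability of the update source, free disk, state of the content on disk).
Assumptions: the public LiveUpdate host and port below, the content path, the
YYMMDDRRR naming of revision folders, and the thresholds. Every external call
is injectable so the checks can be exercised without a SEPM at hand.
"""
import shutil
import socket
from datetime import datetime, timedelta
from pathlib import Path

LIVEUPDATE_HOST = "liveupdate.symantecliveupdate.com"  # assumption; use your LUA/proxy host if one fronts SEPM
LIVEUPDATE_PORT = 80                                   # assumption
CONTENT_DIR = Path(r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content")  # assumption
MIN_FREE_GB = 10.0          # assumption: headroom for download plus unpack
MAX_CONTENT_AGE_DAYS = 3    # assumption: older than this and nothing is being published


def check_dns(host=LIVEUPDATE_HOST, resolve=socket.gethostbyname):
    """Name resolution: a wrong or missing DNS/hosts entry is a classic silent failure."""
    try:
        return True, f"{host} resolves to {resolve(host)}"
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"DNS failure for {host}: {exc}"


def _tcp_probe(host, port, timeout):
    """Default probe: complete a TCP handshake and close; raises OSError on failure."""
    socket.create_connection((host, port), timeout=timeout).close()


def check_tcp(host=LIVEUPDATE_HOST, port=LIVEUPDATE_PORT, timeout=5.0, probe=_tcp_probe):
    """Egress on the update port; 'ports are open' on paper differs from a completed handshake."""
    try:
        probe(host, port, timeout)
        return True, f"TCP {host}:{port} reachable"
    except OSError as exc:  # socket.timeout is an OSError too
        return False, f"TCP {host}:{port} blocked: {exc}"


def check_disk(path=CONTENT_DIR, min_free_gb=MIN_FREE_GB,
               free_bytes=lambda p: shutil.disk_usage(p).free):
    """Full content volume: LiveUpdate downloads and then unpacks, so it needs headroom."""
    free_gb = free_bytes(path) / 1024 ** 3
    return free_gb >= min_free_gb, f"{free_gb:.1f} GB free on {path} (minimum {min_free_gb} GB)"


def newest_revision(folder_names):
    """Newest YYMMDDRRR revision folder as a datetime; None if nothing parses."""
    dates = []
    for name in folder_names:
        if len(name) == 9 and name.isdigit():
            try:
                dates.append(datetime.strptime(name[:6], "%y%m%d"))
            except ValueError:
                pass  # nine digits but not a date prefix: not a revision folder
    return max(dates) if dates else None


def check_content(folder_names, now=None, max_age_days=MAX_CONTENT_AGE_DAYS):
    """Empty or stale content tree: the download may run but nothing gets published."""
    now = now or datetime.now()
    newest = newest_revision(folder_names)
    if newest is None:
        return False, "no revision folders found (content tree empty or corrupt)"
    age = now - newest
    return age <= timedelta(days=max_age_days), f"newest revision {newest:%Y-%m-%d}, {age.days} day(s) old"


def run_checks(checks):
    """Run (name, callable) pairs in order; return (all_ok, [(name, ok, detail), ...])."""
    results = [(name, *fn()) for name, fn in checks]
    return all(ok for _, ok, _ in results), results


if __name__ == "__main__":
    names = [p.name for p in CONTENT_DIR.rglob("*") if p.is_dir()] if CONTENT_DIR.exists() else []
    all_ok, results = run_checks([
        ("dns", check_dns), ("tcp", check_tcp), ("disk", check_disk),
        ("content", lambda: check_content(names)),
    ])
    for name, ok, detail in results:
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
    print("all checks passed" if all_ok else "at least one check failed; start the RCA there")
```

The order matters for the RCA: a DNS or TCP failure means the problem is outside the SEPM and the network team owns it, a disk failure is local housekeeping, and a stale content tree with the first three passing points at the LiveUpdate engine or a corrupt download, which is where the debug logging mentioned earlier in the thread comes in.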

Posted by kishorilal1986

Thank you so much to Chetan, K33, Pete and Brian for helping me and giving me ideas for the above queries.