Switching OFF of Symantec Endpoint Protection

  • 1.  Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 09:09 AM
    I am writing this hoping that the "powers that be" at Symantec read it.

    I'm sorry, but as a long-time partner with Symantec, we are severing ties to Symantec Endpoint Protection.


    Since when, by default, should a viral threat on a computer be "left alone"?
    Since when, by default, should a virus infected file be cleaned, then quarantined, or "left alone"?

    This product does not work very well. As a matter of fact, we have had several outbreaks over the last few weeks on our customers' networks.
    Problem is that even AFTER changing the defaults, virus files are "left unchanged".

    How did these viruses get on my network to begin with? Because your product stinks, that's how.

    Your product is a resource hog on both the server and the client end. 1 GB for an A/V client?
    Are you kidding me?
    RTV scanning that uses over 40% of available resources ALL THE TIME??????!!!!!??????

    If you enable network threat detection, your computer is no longer available for shared resources? By default? Kindly tell me how you run that on a server. Oh, by your own admission, your best practice is to NOT run it on a server. That's brilliant.

    Let me guess, there are 100 KnowledgeBase articles telling me how to configure this POS product, and why it doesn't work right.

    Why doesn't it work out of the box?

    Why is it the reporting feature doesn't work half the time? Why is it it drops clients for no reason whatsoever, leaving them orphaned out on the network? Why is Live Update turned off by default install on all the clients?
    Why is it the IIS website interferes with any other IIS website already installed?

    I have better things to do with my time than manage your software. It is not my full-time job to manage AV software on my clients' networks. My job is to manage their networks.


    This product is truly awful, and we will NOT be renewing any support contracts. We're not the biggest company, but if you multiply 100 X whatever it costs for an annual support contract, we're hoping you get the point.






  • 2.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:16 AM
    It seems you are talking about the first release 11.0.7xx.
    Am I correct?



  • 3.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:28 AM
    In MR4 4014, scanning performance is not good; my clients have 512 MB or 1 GB RAM, but during scanning they are not able to work.


  • 4.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:34 AM
    Are you talking about real-time or full scan?


  • 5.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:36 AM
    Full scan


  • 6.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:40 AM
    Rtvscan is taking 89,356K of memory while scanning, and CPU use is 80


  • 7.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:49 AM
    It seems that the owner of this discussion is talking about the real time scanner, therefore, it is better if we don't mix different issues in the same discussion.
    At the moment it is better if you schedule your full scans when the users are on their lunch break or at other non-working times; this is a well-known best practice.
    We already implemented a smart solution regarding the scanner performance in our latest consumer product, NIS 2009; it is great, and it is reasonable to await the same innovation in our other products. If you still want to talk about the full scan, it is better if you open your own discussion.


  • 8.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 11:54 AM
    As a fellow long term partner of Symantec, the biggest lesson that I have learned is that Symantec has top notch quality deliverables. Security comes with a price, and with SEP 11, that price is education. Here at Inacom, we have paid that price, and have turned around the image that our customers had of SEP, which sounded amazingly similar.

    SEP is a powerful tool that is also a complex application. If you don't know how to use it, then you will never learn to appreciate it. Before you dump SEP, try using your PartnerNet access to get some education on the product and then re-evaluate your above post. Additionally, try to approach this after a good night's sleep and with an open mind. It will help. Oh yes, Starbucks can be beneficial around 10:00 AM.

    So before you send a perfectly good Lamborghini to the junkyard, go to driving school.

    -Lee

    Inacom Information Systems
    inacom.com


  • 9.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 01:51 PM
    If you apply the latest patch, MR4 MP2 with the latest revision, then the bugs will back off, because in the previous product I also faced some of the issues you mentioned above; but later on, when I applied the patch, at least for me the problem was resolved.


  • 10.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 01:55 PM
    Most AV products nowadays take around 150 MB of RAM, because unlike traditional AV, they now come with bundled features like:

    real time protection;
    management agent;
    network threat protection;
    firewall;

    and obviously these features will take more memory.


  • 11.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 02:00 PM
    No, Ajeet; he is actually talking about the various performance issues that he is facing related to Symantec software.


  • 12.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 02:25 PM
    Re: "Since when, by default, should a viral threat on a computer be "left alone"?
    Since when, by default, should a virus infected file be cleaned, then quarantined, or "left alone"?"

    I'm not sure if this is the default. We didn't touch that part of the settings and the malwares - at least most of it - are dealt with.
    Those that are left alone are either still being downloaded and in use but were removed after the process was finished.

    "Why is Live Update turned off by default install on all the clients?" - it would be better to have them update internally, especially if companies are stingy on internet bandwidth usage which would put all the load on the server without the use of GUP.

    RTVscan when on standby is at 4MB for me. But scanning a computer would definitely slow down any PC for ALL antivirus softwares because it reads all the files - including those that are not in use.

    As for the rest of the rants..."Murphy's Law"?

    The price of security. Compare this to a person entering an unsecured building with one going through metal detectors, security doors, cavity checks and other checkpoints. Who do you think will arrive first? Who will be more annoyed? And who will feel safe?


  • 13.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 06:11 PM
    I cannot agree more that SEP 11.x is a very complicated product; we should spend lots of time to design how this product can very well manage our environment, as well as what features we need to turn on. Honestly speaking, this is security protection; it will run all the time on a client machine, and each minor value/configuration we set from the central console requires deep thought. I will never use the default value. SEP 11.x is not the original SAV; this product now is based on Sygate software.
    I have been using Symantec AV products for many years. I remember those old days when Norton AV gave me a headache; it caused NT workstation blue screens. I stood on the floor that day, what I could see ocean of blue on almost single monitor. We left Symantec and brought another product into our environment. Later we returned to Symantec when they introduced SAV 7.x.
    I have to say none of the security products is perfect. During the past few years, whenever I worked on a new contract with Symantec, I never forgot to evaluate other major competitors' products. As part of the initial review undertaken, we investigated the products in the marketplace. We decided that Symantec is the product that will fit most of our needs.
    We spent almost 4 to 6 months testing SEP 11.x. (By the way, I almost dropped this product at the beginning of the evaluation phase as the name of the product is just so sensitive to me as I live in New York City.) Now I am doing my pilot phase and plan to have the product going to production around August. In our opinion, Symantec Endpoint Protection is a good product, but requires a lot of administrative training and will cause some confusion if we do not invest tons of time to get familiar with the product.


  • 14.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 21, 2009 06:44 PM
    Robins, are you there? We are still waiting to know the build of your installation.


  • 15.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 22, 2009 07:26 AM
    Education and getting into details is the key.



  • 16.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 22, 2009 09:27 AM
    robins is here.

    For the record, and to clear up some misunderstandings.

    We have this product installed (with paid support) in about 100 different customer locations.
    Most are smaller companies with 10-20 users, some as many as 250+ users.

    First my performance complaint.
    If REAL-TIME protection is to be taking place, it will be running all the time, and it can be a real hog, when compared to competitors products.
    (we're in the testing phase for other products and the performance difference is quite noticeable).

    Secondly, and probably more importantly.
    The defaults for the protection packages are indeed set to "leave alone". (Clean, quarantine, then leave alone. So, if a virus cannot be cleaned, quarantined, it just leaves it alone. Someone explain that rationale to me.)
    Check it and see.
    You have to, because of this, alter the default packages. If you haven't checked what it's set at, then YOU need some education about this product.

    As for what version of the software, we instituted it at the very beginning of its shelf life, and have been downloading and installing it ever since, so I would have to assume we've used them all.

    WOULDN'T LIVE UPDATE UPGRADE the product version as well?

    It would be rather ironic if it didn't.........humorous, actually.

    I didn't write this to start a flame war. Especially not to discuss or argue who knows more about Symantec products.

    I know enough, been using Symantec AV products for years. I shouldn't HAVE to take a week to learn this. I only know that it is WAY too complicated, and has WAY too many bugs, and has taken up WAY too much of our time.

    Couple these things with the recent outbreaks of virus activity on our Symantec protected networks, and we have decided that we have seen enough.

    While I don't really expect "set it and forget it", set it and have the defaults work is always nice.

    Have a good day.









  • 17.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 22, 2009 12:39 PM
    "Clean, quarantine, then leave alone. So, if a virus cannot be cleaned, quarantined, it just leaves it alone. Someone explain that rationale to me."

    Assuming that clean and quarantine failed, the only other logical options are for Symantec to either delete it or leave it alone.
    Both are good options.
    First the delete. Once a malware is detected and the first 2 options failed, it will be deleted...end of story.

    Now why leave it alone, you ask?

    - What if the malware infected a critical system file? Most users would prefer to run a bugged OS than to be met with the BSOD or a hang in the POST telling them that there is a missing file and that it cannot proceed. You may argue that you can copy the missing file from a clean install but that too would sometimes fail.

    - The next option is for the user to send the file to Symantec for Rapid Release and definition updates. You further protect yourself since SEP or SAV will now be aware of the malware.


  • 18.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 28, 2009 06:11 AM
    These are various options provided by Symantec; we use them based on our need for the particular file and application:

    1) mission critical file -- leave alone
    2) important file -- clean / quarantine infection
    3) ordinary file -- delete infection / file



  • 19.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 28, 2009 06:17 AM
    Live Update is used for downloading signatures and rapid release files; and as per its functionality it will not upgrade the product.



  • 20.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 28, 2009 06:21 AM

    Robin,

    Try and understand, there is no product that can be called useless; it purely depends upon our network configuration and its manageability.

    It depends upon how we deploy the product and what features we enable and configure.

    You cannot blame a product just like that.




  • 21.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 28, 2009 07:19 AM
    Symantec Endpoint Protection is an Enterprise software, so it can't be detecting any other file and keep deleting it.
    The quality of an Enterprise level antivirus depends upon the false positives.

    You said you have got many outbreaks in the last few weeks.
    This has nothing to do with SEP; it has to do with the browsing habits of your employees.
    Have strict policies, disable Autoplay and USB drives.
    Whatever antivirus you are using, you need to have a Security Administrator looking at the threat graph from the last few years.
    Whatever antivirus software you install, you will have to be prepared for outbreaks.
    90% of the time viruses enter your network using social engineering, either by spam or some website offering something for free.

    For your other issues, Symantec Endpoint Protection has too many features, which makes it a very environment-specific product since it has to interact with too many things on your system.
    Everything should work out of the box in the ideal situation, but everybody has their own network and applications that might conflict.
    So you have to configure it properly.
    Call Support, open a case, and I think most of your issues would be resolved in a day.




  • 22.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 28, 2009 08:12 AM

    Robin,

    As suggested, within any network, antivirus software alone cannot prevent virus outbreaks.

    Virus outbreaks depend upon various factors:
    1) How do you protect or scan your mail for spam, viruses, malicious code and botnets?

    2) How do you restrict your clients by preventing them from accessing malicious sites? (What is the web filtering product you are using?)

    3) Have you configured the firewall by disabling the unwanted ports?

    4) What patch management are you using to patch the Microsoft vulnerabilities (critical updates)?

    5) Are all your systems installed with antivirus, having the latest updates, and periodically scanned? Just to ensure at least the latest viruses will be taken care of.

    Please understand that antivirus works or protects only at the file and folder level. You need to protect your systems and network with additional security solutions.



  • 23.  RE: Switching OFF of Symantec Endpoint Protection

    Posted May 28, 2009 04:49 PM
    I agree with most of the posts and disagree with some of the points.

    To keep an environment safe is a network administrator's responsibility (of course, you can argue it is everyone's responsibility). I just feel that it is not fair to simply blame the software vendor's product if we have any issues. It is absolutely right that we paid for the software and the software is supposed to do what it is designed for. However, antivirus and anti-malware is different from other applications. We need to configure the product to fit our environment, such as: how often do you expect the client to receive the virus definitions, 4 times a day or once a day? We all know antivirus software without the latest virus definitions will protect us from nothing. With the latest definitions, we also need to monitor the environment; we can create a PC health report on the hosts that are missing the latest definitions and request the support guys to fix them.

    I am not trying to get the software vendor out of this loop. It is their responsibility to provide effective virus definitions in a timely fashion; for some critical malware, they not only should provide the definition in the quickest possible time, as well as they should give us the removal be/cleanup tools.

    I will not blame our users. They are users; they should follow the rules we set up in the computer environment, and sometimes we may need to do to prevent any expected issues from happening. One of the first things we should do is to take away the administrative privilege from the user rights; if a user is not the local admin on a box, even on a day we have an outbreak, I do not think a virus or malware can do much on those machines.

    I wish some day that we can manage and control our environment very well, maybe we no longer need antivirus software.