Endpoint Protection

  • 1.  What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 22, 2009 11:02 AM
    The servers will need a different approach than the clients; this will include domain controllers and the Exchange servers. Please advise on the best practices.

    Thank you


  • 2.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?
    Best Answer

    Posted Sep 22, 2009 11:10 AM
    Check these links; they will help you out.

    P.S.: DCs and Exchange servers are excluded automatically

    installing on Exchanger Server 2003 best practice
    https://www-secure.symantec.com/connect/forums/installing-exchanger-server-2003-best-practice

    Installing SEP on Exchange Server
    https://www-secure.symantec.com/connect/forums/installing-sep-exchange-server


  • 3.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 22, 2009 11:23 AM
    On the Exchange server and the Domain Controller or any other server in the network, you need to install the AV and AVS and NTP. It is not recommended.

    As far as the Exclusion is concerned there is no need to create any exclusion on these servers.

    The client software automatically detects the presence of certain third-party applications and Symantec products. After it detects them, it creates exclusions for these files and folders. The client excludes these files and folders from all antivirus and antispyware scans.
     
    The client software automatically creates exclusions for the following items:
    ■ Microsoft Exchange
    ■ Active Directory domain controller
    ■ Certain Symantec products
     
    Note: To see the exclusions that the client creates on 32-bit computers, you can examine the contents of the HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions registry. You must not edit this registry directly. On 64-bit computers, look in HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SymantecEndpoint Protection\AV\Exclusion


  • 4.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 22, 2009 01:02 PM

    Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

    Q: Why doesn't Device Control work on Windows Vista 64-bit?
    A: Device Control will not work on a client running the 64-bit version of Windows Vista 64-bit. Windows Vista's Patch Guard prevents this action. The Device Control feature does not currently exist on any 64-bit platforms.

    Q: SymProtect and Windows Vista 64-bit Operating Systems.
    A: Windows Vista’s Patch Guard feature prevents the 64-bit version operating systems from supporting “Process” and “Internal Object” protection. Only registry and file protection are available on 64-bit platforms.

    Q: Overflow Protection and any 64-bit operating system.
    A: Vista's Patch Guard feature prevents 64-bit platforms from supporting any of the Overflow Protection functionality. This feature does not exist on any 64-bit platforms.

    Q: Are there any limitations on the AntiVirus and AntiSpyware on 64-bit platforms?
    A: These components will work as expected with the exception of right-clicking on an item and choosing "Scan for Viruses...". Right-click AV/AS scanning is disabled on 64-bit platforms.

    Q: Keylogger ability on 64-bit platforms (Part of the Proactive Threat Scan).
    A: The keylogger engine experiences reduced effectiveness because of Patch Guard restrictions. The keylogger engines detect two kinds of keyloggers, pollers and hookers. Due to Patch Guard, Symantec Endpoint Protection 11.0 does not have poller keylogger detections on 64-bit platforms.

    Q: What is the level of compatibility for Mail Scanning on 64-bit platforms?
    A: Lotus Notes (Domino), Microsoft Exchange and POP3/SMTP scanning plugins are not supported on 64-bit platforms.

    Q: Why does Proactive Threat Scan not detect test samples on Windows XP 64-bit operating systems?
    A: Symantec Endpoint Protection 11.0 does not support the use of Proactive Threat Scan (Heuristics) on 64-bit operating systems.

    Q: Does System Lockdown work on 64-bit?
    A: No, as stated in the product documentation, System Lockdown does not work on 64-bit clients.


  • 5.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 22, 2009 01:43 PM
    If you're as pleased as I am that SEP automagically excludes Exchange and DC folders, but wish it would automatically exclude a bunch more of the most common technologies, vote this up:

    https://www-secure.symantec.com/connect/idea/more-built-automatic-exceptions


  • 6.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 23, 2009 05:08 AM

    Hi Bryan,

    Will Symantec Mail Security for MS Exchange (SMSMSE) also be installed on these servers?  If so, there are two additional directories that must be manually excluded.  Details are in the following article:

    Configuring exclusions when Symantec Mail Security for Microsoft Exchange and either Symantec Endpoint Protection or Symantec AntiVirus Corporate Edition are installed together

    In general: SMSMSE and SEP or SAV install well on Exchange servers, and will co-exist very well together. They even share their AV definitions. Other than manually excluding those two directories, there are no real additional steps that need to be taken.

    Be sure to check back on the forum or contact Tech Support if additional help is needed for your deployment!

    Thanks and best regards.

    Mick


     

     



  • 7.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 23, 2009 09:55 AM
    Mick, a few years ago I was scolded by Symantec Support for having SMSMSE Rapid Release enabled and also using (then) SAV VDT. I was told I could use one or the other but not both. Never found any documentation to that effect. And never found a problem doing it, either.

    With current versions of SEP & SMSMSE, is it OK to use Rapid Release and also allow SEP to use the same LiveUpdate policy used on other SEP clients?


  • 8.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 23, 2009 10:43 AM
    Hi There Jeff,

    You should be 100% fine using RR defs with SMSMSE on a server that is also a SAV or SEP client.  Perhaps there was an issue a few years ago, but I've seen it working fine now. 

    A couple things to keep in mind: due to recent years' explosion in the number of threats, today's RR defs are a lot bigger than they were in the past. The current ones are 50MB or larger. Be sure that the Exchange server has a good, fast network connection that will be capable of downloading a file this size swiftly. Also keep in mind that RR defs are released roughly every hour (22 releases yesterday, for example) so over the course of a day, these 50 MB files can really add up to a lot of bandwidth consumed. I'd only recommend enabling RR defs on a server with a connection that can comfortably handle that.

    (Check out the most recent Internet Security Threat Report for more information on the number of threats currently in circulation.... interesting reading.)

    Also don't forget to open up FTP ports, if planning to use RR defs.  The files are downloaded and applied using a different mechanism than the LiveUpdate or VDTM that the SEP or SAV client is using. 

    Final plug: do make sure that your SMSMSE is the latest version (5.0.13 or 6.0.9) and that SAV or SEP is up to date, too. There have been recent releases for both AV products: SAV 10.1 MR9 and SEP 11 RU5. A quick upgrade of SMSMSE and SAV/SEP will give your server all the latest enhancements and improvements, plus cover vulnerabilities known to exist in earlier versions of some SMSMSE components.

    Best regards again,

    Mick 


  • 9.  RE: What are the best practices to installing SEP on a Windows 2003 Exchange Server?

    Posted Sep 23, 2009 11:16 AM
    Thanks, Mick.

    And thanks for not scolding me. I'm very sensitive<g>.

    RR is a tiny part of our bandwidth usage, here, and FTP downloads from Symantec are open through ISA, of course, or it would not have been working. We're one release behind on both SMSMSE & SEP, but will be upgrading soon.