Endpoint Protection

Let me start by saying I really like Symantec products - in general ... however, as relates with SAV and SEP ... is it just me that is frustrated?

Back in the SAV and SSC days, I liked the way things worked ... I wasn't crazy about the MMC interface, but I got used to it - and SAV was good, I mean good about stopping threats and viri and such.  I understand that we seem to be on an exponential growth of sophistication of attackers and attacks ... but ...

SEP was introduced - great in concept, horrible in execution.  At the time, users computers did not not have the system resources to run SEP -AND- their desired programs.  So we waited ...

SEP was fixed.  Don't actually recall what iteration, but somewhere along the line the demand on local machines was reduced, machines were replaced, and the footprint was reduced ... life was better ... until 2010.

SEP 11.0.4 filled root drives on servers with definition files ... the fix - 11.0.5.  Great!  (Not that I had anything else to do than update EVERY client's management server!)  Did no one think to TRY a 2010 date somewhere in 2009 to KNOW there would be a problem?  Not like WE can test this one!

Sep 11.0.5 and Windows 7.  Fine, 11.0.4 wasn't ready for 7 ... didn't 11.0.4 just release?  OK, maybe not ... but didn't Symantec have the beta of 7 to test with?  Shouldn't have been a surprise ... SO ... 11.0.5, OK.  Wait - why can't I log on to my Windows 7 box?  OH - SEP is eating my NTUSER.DAT file?  REALLY?  WHY?  Not like NTUSER.DAT is a NEW concept ... (I'm not alone on this: http://www.symantec.com/connect/forums/endpoint-protection-stopping-users-reciving-there-windows-profiles) ... and having just checked updates for RU5 (there are none) ... seems this isn't a problem in Symantec's view.

OK - moving on ...
Internet Security 2010 (and variants) ... REALLY?  This isn't a THREAT?  WHY isn't SEP stopping this?!  Yes, I know that I can deal with the management console and limit my exposure manually ... BUT ...
Since -forever- SAV/SEP has nailed the AngryZiber IP Scanner as a threat.  OK, MAYBE that can be used with malicious intent ... so I exclude it on my local box as it is a tool that I use ... fine.  Who is it that decided that Internet Security 2010 (and variants) is something that local admins can deal with while tools like the IP scanner are determined a threat?

I have clients asking about alternatives due to SEP becoming too much for them to manage.  I appreciate the argument and advocate for SEP.  When they start commenting on spending labor hours on updating servers and repairing machines - I have to concur with them ... SEP isn't working as desired.  (Recent complaints has been about reinstalling/updating SEP to 11.0.5 soon after the 11.0.4 release ... IS2010 problems ... etc.)

Is it just me?  Are other dedicated Symantec people looking at alternatives? 
Thanks for any perspective offered.

 

i hear you on your issues, although we have had a pretty good experience with SEP, i hear what you're saying.  As for the Internet security 2010, i REALLY hear you.  although its really easy to remove, i should be able to get it taken care of with sep, i have to remind myself that SEPs does a better job protecting systems from malicious software, not cleaning systems.  I only manage about 4000 clients, but i have to say we just don't have problems (knock on wood), but WHY doesn't SEP see Internet Security '10 and others as a threat like it did XP-AV and such, as a FakeAV signature.  so i'm on the fence, ive been using symantec products for so long, (ghost, sav, sep, altiris ns7, sd7, ds6, ita, etc.) and generally they are a great product, but i think you make a great point!  I want to see symantec be the absolute leader in the security/endpoint management world, i just hope they start putting out a product that we can trust more at the MR1 or MR2 phase and not have to wait two years before we feel comfortable introducing it into our environments....

Thank you for commiserating.  I agree that SEP mostly does a fine job at protecting ... sometimes TOO fine a job.  I didn't mention the Quickbooks issue that is as annoying as the others ... (SEP 11.0.5 mostly prevents access to the QB data files.)

Common work around for access to QB data seems to be removing RU5 and reinstalling 4 ... but wait, there's a virus def issue with 4 / 2010 / and filling the root drive with defs that aren't needed!

My frustrations stem from what seems to be lack of concern about these issues from Symantec.

We support multiple installations of SEP at K-12 and SMB clients - some with IT staff and some without (that would be us.)  If we were talking about a day downtime to revert to 4 or SAV - so be it ... but we are talking a few more (days) than that ... AND ... who do I bill for THAT work?

We pride ourselves in selecting the best fit solution for our clients - and traditionally Symantec has fit the bill - but when I start losing face at the hands of another (in this case Symantec) - I have to ask the question.

Thank you for letting me know I am not alone in my frustrations.

We reviewed our antivirus solution (SEP) with many of our campus technichians recently and while we certainly had concerns about SEP, we couldn't find that any other product that didn't have others making the same complaints against it.

... that I have no need to jump ship then!

Seems there isn't a week that goes by when something in SEP doesn't cause headaches.  We're eyeing Forefront.

All AV products are having issues detecting Fake AV malware. For example, see this post on the Forefront forum.


http://social.technet.microsoft.com/Forums/en-US/ForefrontclientMTR/thread/565db8a2-b3b7-4fd6-9edf-b09769197703/

I can give you examples from other AV company forums as well. This is not just a SEP problem.

Cheers,
Thomas

We had a issue here where SEP caused machines to reboot all the time. Once SEP was removed life was good for those PCs.  Anti virus should cause you less drama not more.  Not going to change as i have worked with others and have had issues with them to.  A person just needs to pick the lesser of 2 evils.

We are not facing any virus outbreak after the rollout of SEP 11 but we are  more busy in troubleshooting its sideeffects..

Regards...
Ramji Iyyer

Well, that's a rebuttal to one point.  You got a few more to go.

SEP 11.0.4 filled root drives on servers with definition files ... the fix - 11.0.5.  Great!  (Not that I had anything else to do than update EVERY client's management server!)  Did no one think to TRY a 2010 date somewhere in 2009 to KNOW there would be a problem?  Not like WE can test this one!

The issue experienced with temp files was an issue with MR4 that was fixed in a later build; the 2010 definition issue exacerbated the already-existing problem.  (MR4 MP1a or MP2, I can't recall off the top of my head.)   Migrating up to RU5 resolved the pre-existing temp issue.  The 2010 virus def issue was not something that was fixed with RU5.

MR4 (11.0.4000.2295) was released in Nov of 2008, for whoever said it was 'just' released ;)

ETA:

Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
Document ID: 2010020116202748
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748

sandra