Video Screencast Help

win xp april 2014

Created: 06 Dec 2013 • Updated: 06 Dec 2013 | 13 comments
This issue has been solved. See solution.

Hi all,

My company works with Win XP on client machines, we are in the proces of a migration to Win 7, Win 8 or maybe VDI.

I know Win XP support ends april 2014, maybe we will be fully migrated, more likely we will be not. On the client machines we are running SEP, i would like to know will our client machine be "secure" even after april 2014 when Microsoft stops updating / supporting win XP, so no security patches will be installed..?

Thanks,

levd

Operating Systems:

Comments 13 CommentsJump to latest comment

.Brian's picture

What version of SEP are you running? If 11.x, 11.x support ends very soon, Jan 5th 2014. This is the date on which engineering support and content (i.e. virus definitions) would no longer be made available for either of these products. These products would then continue to receive partial support up to their scheduled End of Support Life (EOSL) dates of 27 September 2014 and 6 April 2016, respectively.

Symantec has made the decision to extend the availability of content for both products for one year, from 5 January 2014 to 5 January 2015, to allow customers more time to complete their migration to the latest version of Endpoint Protection. To accommodate this extension, the EOSL date for Endpoint Protection 11.x has also been extended from 27 September 2014 to 5 January 2015. To align with that same date, the EOSL date for Endpoint Protection SBE 12.0 has been pulled in, from 6 April 2016 to 5 January 2015.

Content will be extended for all supported operating systems of those products with the exception of Windows 2000, Windows Fundamentals, and Mac OS X for Power PC. Windows 2000 content will be extended until 27 September 2014. No content extensions will be offered for Windows Fundamentals and Mac OS X for Power PC.

In order to take advantage of this extension, you will be required to have an active maintenance agreement for Endpoint Protection. There are no extension SKUs to purchase and there is nothing special you need to do to receive the extension. Best effort support will be provided for the content during this extension period, however there will not be any defect or bug fixes during this time. All content and technical support for these two versions of the product will cease on 5 January 2015.

Support life extension for Endpoint Protection 11.x and Endpoint Protection Small Business Edition 12.0.x

Article:TECH211491  |  Created: 2013-10-11  |  Updated: 2013-11-26  |  Article URL http://www.symantec.com/docs/TECH211491

 

If on 12.1 than you should be fine.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

levd's picture

Hi Brian,

Thanks for this info, i still have some machines running on 11.x.

But thats not my real question, im mean with the end of life for win xp and MS stopping support and security patches, almost all my client systems run 12.1.x but will this be secure enough? I mean with MS stopping support.

levd

.Brian's picture

Hey levd

SEP will still continue to receive updates even though MS is stopping support.

The problem is now XP is going unpatched once it hits EOL. So any new vulnerabilities will not be fixed. Symantec will still have AV and IPS signatures available to protect you.

Ideally, you want to get away from XP though.

Hope that answers it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
levd's picture

Hi Brian,

Thanks for the answer i just was wandering if xp will be safe enough with sep installed after april 2014.

thanks again!

levd

.Brian's picture

I'm glad I could help wink

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Western5's picture

In another thread it was commented "The problem is now XP is going unpatched once it hits EOL. So any new vulnerabilities will not be fixed. Symantec will still have AV and IPS signatures available to protect you." This implies Windows XP without Microsoft post April 2014 extended patch support plan* is secure. Is Symantec saying that? While we are very happy Symantec customers I'm not confident reliance on end point protection is sufficient. * available for large enterprises with an equally large cost.

Best There Is_Best There Was_Best There Ever Will Be's picture

It doesn't sounds like anything is implied. Once MS drops support, no further patches will be produced. Symantec will still provide signature updates.

This link spells it out:

http://www.symantec.com/docs/TECH204937

Western5's picture

I am truly NOT trying to be negative.

The OP had replied  "Thanks for the answer i just was wandering if xp will be safe enough with sep installed after april 2014."

My concern is - and this is absolutely not a slam at any A/V product - even with the best a/v in the world XP systems are vulnerabble to new created attacks post April 2104.

Best There Is_Best There Was_Best There Ever Will Be's picture

Of course. When it comes to vulnerabilities, any AV or IPS works like a bandaid. The true fix lies with MS. Since XP support is being dropped, it's time to upgrade to win7/8 and get rid of XP. Not always easy task within a corp environment but it is what it is...

ecguy's picture

levd,

I have to agree with what others have said on here.  Symantec will attempt to add vulnerability detections to its antivirus and IPS definitions but Symantec will not be able to protect you against every vulnerability out their, just due to the sheer number of vulnerabilties.

Also, vulnerabilties in products from other software vendors that will no longer support XP will be of concern also.

This is why I strongly suggest that your company downloads Microsoft's EMET 3.0.  It adds extra vulnerabilty protections that newer Operating Systems like Windows 7 and Windows 8.1 have intregrated into them and will help to protect your Windows XP systems.

Microsoft also released EMET 4.1, but that relies on .net 4.0 and seems to work much better on newer Operating Systems where as EMET 3.0 is still supported and works great with Windows XP.

I strongly suggest downloading EMET 3.0 and using the "office" profile built into the program, but removing java and adobe product from that list, as it will break their auto updaters.

Once XP is no longer officially supported, you may want to use the "all" profile and test addiing additional programs to EMET that are not already in the profiles.  I strongly suggest testing all of this before putting anything into a production enviroment.

More info on EMET 3.0:

http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

http://www.insanitybit.com/2012/05/30/emet-v3-0-whats-new-and-how-to-set-it-up/

Western5's picture

 

Thanks ecguy - I agree. 

For large corporatations extended MS patch management ($200 per device - max $2M for all devices) combined with a solid A/V infrastructure is probably the best route. 

Of course as others pointed out - this is only if you are stuck with XP owing to legacy applications. 

.Brian's picture

Which I am...

We will take to virtualising the app(s) and running in a sandboxed environment.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ecguy's picture

I know from a personal perspective I have a few programs for personal use that I use on a regular basis that unfortunately require Windows XP.

In a cost savings move on my part I will be using the combination of Symantec Endpoint IPS, ESET NOD32 Antivirus, and Malwarebytes active protection with EMET 3.0 installed with the "all" profile set. This machine will not be used for web browsing, sitting behind a separate firewall, and should have only exposure to the exisiting patched Windows 7 machines that will be on my own network, thus I feel fairly confident that this one machine should be safe for some time.

Since no one antivirus vendor/solution/or company will be able to protect an unsupported OS from every vulnerability out their, I plan on using Symantec Endpoint's IPS in conjunction with other vendors software, inorder to hopefully cover as much of my exposure as possible.  This is not meant to be a knock aginst Symantec or any other company, it is just a fact that no one entity can completely protect an unsupported operating system.

If I was doing the same in a production enviroment or felt the need to purchase new hardware at this point, I would simply use VMware Workstation(PC)/Fusion(Mac) and create an isolated Windows XP VM.  A person could even install Endpoint 12.1.4 on it and manually update the Antivirus and IPS defintions without the VM ever being exposed to an outside network.

levd,

If your company will not be able to migrate away from Windows XP before April 2014 deadline, I strongly recommend that you contact Microsoft and pay the extra money to buy your company some time to move away from XP.  If you need Windows XP for specific applications, like myself, I would suggest installing Windows 7 or newer on the machine and taking advantage of software like VMware's unity feature to run those applications in the Windows 7 enviroment.

If the issue is budget, well, I would suggest you consider asking those who make the budget decisions how much your businesses security is worth....(hopefully not in a rude way) as running an unsupported OS in a production enviroment for many large companies may cost them much more in the long run.