SEPM Day to Day Administration work (v12.1.5) 

Jan 13, 2015 10:39 AM

You’ve installed and set up the SEPM console. You’ve also deployed the SEP clients to PCs across the network. The job is done… or so you thought. While it can ‘run’ itself most of the time, there are some things you will have to monitor to keep track of the health of the computers and of the network, and to make sure you are fully protected.

Note: This is based on SEPM v12.1.5 console.

Are the clients communicating with the server OK? Are they picking up any viruses/malware? Is the manager downloading the latest definitions OK? This is where the day-to-day administration work comes in. It only takes about 10-15 minutes of your time a day, depending on what issues turn up. By doing this, you are making sure your network is in the best of health.

I will give you an example of what I do first thing in the morning…

I log on to the console and look at the ‘Home Page’. I make sure that both ‘Latest from Symantec’ and ‘Latest on Manager’ are up to date. You can cross-reference the dates and revision numbers with http://www.symantec.com/security_response/definitions.jsp if needed, so you know the manager is downloading the definitions without any issue. If ‘Latest on Manager’ lags behind ‘Latest from Symantec’, the manager itself is not getting new content, and that has to be fixed before any of the clients can be up to date.

I then look under ‘Virus and Risks Activity Summary’ to see if there is anything you need to act on, especially in the ‘Still Infected’ table: this is where you have some work to do, because the client could not get rid of the virus on its own.

It is also helpful to keep an eye on ‘Symantec Security Response’ and check the current ThreatCon level. Most of the time it will be at 1 (Normal) or 2 (Increased alertness), but at anything above 2 you need to be prepared for attacks.

If you want ‘in depth’ details of the status of your network, you can use the Reports feature to run reports tailored to your needs and take action based on what they show. Reports can also be scheduled and emailed to you so you don’t have to run them manually (Reports icon -> Scheduled Reports tab).

Under ‘Endpoint Status’, check whether anything needs to be looked at under ‘Out of date’, ‘Disabled’ and ‘Host Integrity Failed’; click on the numbers to get the full details.

There are other things you may want to check, which are:

  • ‘Top source of attack’

  • Free disk space on the volume where SEPM is installed (a full disk will stop new definitions from being downloaded and extracted)

  • Out of date SEP clients

  • Computers needing a restart

  • Risks with the action ‘Left Alone’, which need to be looked at
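The definition check and the disk space item above are the server-side part of this routine, and they are easy to script. The following PowerShell script is an added example, not code from the original post or from Symantec: run on the SEPM host, it checks free space on the SEPM volume, checks how recently new content was written under the manager’s content folder (which is what ‘Latest on Manager’ reflects), checks that the manager services are running, and emails you only when something fails. The install path, content folder, service names (semsrv, semwebsrv), thresholds and mail settings are all assumptions for a default 64-bit SEPM 12.1 install; adjust them to your server.

```powershell
# Added example: morning SEPM server health check. Run in an elevated
# PowerShell session on the SEPM host, or schedule it with Task Scheduler.
# All paths, service names, thresholds and mail settings below are
# assumptions for a default 64-bit SEPM 12.1 install; adjust to taste.

$SepmRoot      = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$ContentRoot   = Join-Path $SepmRoot 'Inetpub\content'   # assumed: where SEPM unpacks downloaded definitions
$MinFreeGB     = 10          # assumed threshold: warn below this much free space on the SEPM volume
$MaxContentAge = 36          # assumed threshold (hours): warn if nothing new has landed under content
$SepmServices  = 'semsrv', 'semwebsrv'   # assumed service names: manager service and its web server
$SmtpServer    = 'smtp.example.com'      # assumed: your mail relay
$AlertTo       = 'sepadmin@example.com'  # assumed: who gets the alert
$AlertFrom     = 'sepm@example.com'      # assumed: sender address

function New-CheckResult {
    param([string]$Check, [string]$Detail, [bool]$OK)
    New-Object PSObject -Property @{ Check = $Check; Detail = $Detail; OK = $OK }
}

function Test-SepmDiskSpace {
    # A full disk is the classic reason new definitions stop being downloaded and extracted.
    param([string]$Path, [double]$MinFreeGB)
    $drive  = Split-Path -Qualifier $Path                       # e.g. 'C:'
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    New-CheckResult -Check 'DiskSpace' -Detail "$drive has $freeGB GB free (minimum $MinFreeGB GB)" -OK ($freeGB -ge $MinFreeGB)
}

function Test-SepmContentAge {
    # Assumes the default layout, where each LiveUpdate download is unpacked into
    # new folders under Inetpub\content. The newest folder timestamp therefore
    # shows when content last arrived; if it is older than the threshold,
    # LiveUpdate on the manager is failing (or the disk is full) and
    # 'Latest on Manager' on the Home page will fall behind.
    param([string]$Path, [int]$MaxAgeHours)
    if (-not (Test-Path $Path)) {
        return New-CheckResult -Check 'ContentAge' -Detail "$Path not found; check the assumed install path" -OK $false
    }
    $newest = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer } |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if ($null -eq $newest) {
        return New-CheckResult -Check 'ContentAge' -Detail "no content folders under $Path" -OK $false
    }
    $ageHours = [math]::Round(((Get-Date) - $newest.LastWriteTime).TotalHours, 1)
    New-CheckResult -Check 'ContentAge' -Detail "newest content written $ageHours h ago ($($newest.FullName))" -OK ($ageHours -le $MaxAgeHours)
}

function Test-SepmServices {
    # Clients cannot check in or pull content if the manager or its web server is down.
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            New-CheckResult -Check 'Service' -Detail "$name not installed (check the assumed service name)" -OK $false
        } else {
            New-CheckResult -Check 'Service' -Detail "$name is $($svc.Status)" -OK ($svc.Status -eq 'Running')
        }
    }
}

$results  = @()
$results += Test-SepmDiskSpace  -Path $SepmRoot    -MinFreeGB   $MinFreeGB
$results += Test-SepmContentAge -Path $ContentRoot -MaxAgeHours $MaxContentAge
$results += Test-SepmServices   -Names $SepmServices

$results | Format-Table Check, OK, Detail -AutoSize

# Only mail when something needs attention, so the alert stays meaningful.
$failed = @($results | Where-Object { -not $_.OK })
if ($failed.Count -gt 0) {
    $body = ($failed | ForEach-Object { "$($_.Check): $($_.Detail)" }) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $AlertFrom -To $AlertTo `
        -Subject "SEPM health check: $($failed.Count) problem(s) on $env:COMPUTERNAME" -Body $body
    exit 1
}
```

This complements the Home Page checks rather than replacing them: the script tells you whether the manager can receive content and serve clients, while the console tells you whether the clients are actually picking it up. The content-age check recurses through the whole content tree, so on a large server expect it to take a little while; narrow the path if that matters.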


Is there anything else you do as part of your Day to Day Administration work on SEPM? Please do share with us!

Comments

Apr 10, 2015 11:40 AM

My experience with SEP 12...

Day to day in a 41k+ system environment with SAV 10 through SEP 12RU5 and Windows NT4 through Win2012 plus MAC clients.

Log in to console...

2500 systems need to restart

2400 systems out of date

1300 disabled

22000 up to date

13000 offline

In the last hour - 415 viruses cleaned/blocked, 87 quarantined, 277 still infected.

Arrive at work and check E-mail for SEP alerts...have over 50. Spend next hour trying to find out where LiveUpdate or GUP is broken. Start going over reports of software issues with SEP. Spend another hour fixing a bad LU DC. Get phone call from Symantec support...they can't open a log file and need me to send them another one. Search Google for article I saw last month on crashing SEP 12RU5 console issue to try and apply fix...so my consoles stop crashing. Get another call about systems not updating and they are reinstalling SEP on 100 systems. Run upgrade on another 100 systems..hope network doesn't croak. Spend another hour trying to get clients to update before having to CleanWipe and reinstall. Write script to wipe corrupt defs on clients...only works on 10% due to differences in versions. Find out file is flagged on Virustotal but not in current defs...send to Symantec. Leave work. Spend half the night working with overseas sites to fix SEP issues. Migrate 50 clients from SEP 11 to SEP 12...discover issue with custom app and SEP 12 at remote site. Revert back to SEP 11.

Wake up and repeat on Saturday from home. Shake fist at computer screen. Dream of only having 500 clients on 1 console with all having same OS.


Apr 09, 2015 08:32 AM

In large environments with more than 1000 GUPs, the SEP Content Distribution Monitor / GUP monitoring tool does not help. It needs to be a part of the SEPM design, or there should be a filter in Computer Status which only shows us GUP details.

Mar 24, 2015 08:33 PM

Great article Tony!

I would also like to add a supplementary recommendation if you use GUPs to update clients.

You can configure the SEP Content Distribution Monitor to monitor GUPs:

SEP Content Distribution Monitor / GUP monitoring tool.

Article: TECH156558 | Created: 2011-03-25 | Updated: 2012-03-28 | Article URL: http://www.symantec.com/docs/TECH156558

https://www-secure.symantec.com/connect/downloads/new-sep-content-distribution-monitor-gup-health-checking


Mar 03, 2015 05:58 AM

Thank you, Tony, for sharing your experience and utmost expertise.

Symantec and its admin users would surely like to hear more of such experiences.

Thumbs up!!


Feb 18, 2015 07:02 AM

Thank you Tony,

I am responsible for the day-to-day administration of Symantec Endpoint Protection, so this will really be useful for me.


Roopa

Feb 11, 2015 05:46 AM

Hi Roopa,

All of them can be found on the 'Home' button of the SEPM console.

'Left Alone' can also be found when looking at the logs at Monitors -> Logs -> Risk, under 'Event Action'.

'Top source of attack' is on the Home screen of SEPM, under 'Favorite Report' -> Edit; pick the report you want to be displayed.

And finally, for the disk space, you can view the free space via Windows Explorer. Also, depending on how you set up the email notifications, it will email you when the disk space is almost all gone (Health Monitoring).

Hope this helps.

Tony

Feb 11, 2015 01:27 AM

Hello,


This is a very useful article. Thank you very much. I am trying to use this in my day to day administration activity and have a couple of questions.

Where do I find the "Latest on Manager" Windows definitions? The link you have provided only states "Latest on Symantec".

Next, I am unable to find the items below on the SEPM console either. Can you please advise?

  • Top source of attack

  • Disk space size where SEPM is installed on (a full disk will prevent new definitions from being downloaded and extracted)

  • 'Left Alone' risk needs to be looked at

Regards,

Roopa

Jan 26, 2015 04:44 AM

Excellent recommendations, Tony!

The SEPM collects and presents powerful intelligence about what is going on within the network.  Without an admin reading and reacting to that information, though, security issues can persist and become major incidents.  Monitoring these logs and reports and using SEPM's alert features, like you recommend, is an absolute "must do."

With thanks and best regards,

Mick
