Welcome to Part 2 of 3 of the series discussing the terms, technologies and concepts related to Symantec Endpoint Protection and Symantec security software. In the series you will find descriptions and explanations of several SEP-related technologies, tools and concepts, alongside relevant links to Symantec KB articles. The terminology articles are based on the available official documentation and publications from Symantec KBs and Implementation Guides for SEP. Any comments or ideas about what should be included in the series are welcome. I hope this series will be informative to you.
The series consists of the following articles:
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)
This is the second part of the series concerning the following terms:
Hardware ID (HWID) - a unique identifier generated on every SEP client. Using the hardware ID, the SEPM server is able to differentiate the clients and recognize them as separate entities even where the names of the machines are identical. A common issue may occur during the deployment of cloned images, where every clone image already has SEP preinstalled and is deployed with a cloned HWID as well.
How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients
Configuring Symantec Endpoint Protection 11.x client for deployment as part of a drive image
How to prepare a Symantec Endpoint Protection 12.1 client for cloning
Heartbeat - the process performed when the SEP client checks in with the SEPM. The heartbeat interval is normally controlled by communications policies set at the Symantec Endpoint Protection Manager (SEPM). During the heartbeat process the client checks with the SEPM whether any new policy has been applied to the group that is relevant for this client, or whether any definition updates are available. At this point the client also uploads its own logs to the SEPM server for processing.
Symantec Endpoint Protection: The Heartbeat Process
About Accelerated Heartbeat in Symantec Endpoint Protection (SEP) Clients.
Host Integrity (HI) - The Host Integrity policy is the foundation of Symantec Network Access Control. Host Integrity is used to make sure that the client computers that access the network meet the organization's security policy. Host Integrity enables enterprises to enforce security policies at all entry points to the enterprise network including VPN, Wireless, and RAS dial-up servers. Host Integrity includes the ability to check for the presence and update status of firewalls, intrusion prevention, anti-virus and other third-party applications before granting access to an enterprise network. If the Host Integrity check fails, the machine in question is denied access to the production network and, if specified, forwarded to the quarantine network.
Creating and testing a Host Integrity policy
What you can do with Host Integrity policies
Symantec Endpoint Protection 11.0 / Symantec Network Access Control 11.0 Host Integrity Overview
Insight Lookup - uses the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files. Insight Lookup also uses the Automatically trust any file downloaded from an intranet website option. Insight Lookup does not run on right-click scans of folders or drives on your client computers. Insight Lookup does run on right-click scans of selected files.
How the Insight Lookup process works
How Symantec Endpoint Protection uses reputation data to make decisions about files
Intelligent Updater (IU) - an executable file that can be used to update virus definitions for the Symantec Endpoint Protection client. To update the definitions, run either the Daily Certified or Rapid Release Intelligent Updater on the local computer. SEP 12.1 RU3 includes a further enhancement to IU functionality in the form of SONAR and IPS Intelligent Updater (IU) support.
Virus Definitions & Security Updates
How to update definitions for Symantec Endpoint Protection using the Intelligent Updater
Internet Email Auto-Protect - an additional feature of File-System Auto-Protect in Symantec Endpoint Protection. Internet Email Auto-Protect protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included. The add-in is a separate SEP feature and needs to be specifically selected during installation. Internet Email Auto-Protect may not be required, or even recommended, if other types of Auto-Protect for Outlook or Lotus Notes are already in place.
Configuring Internet Email Auto-Protect
Intrusion Prevention System (IPS) - part of Network Threat Protection in SEP, alongside the SEP Firewall. Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them. IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.
Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
Best practices regarding Intrusion Prevention System technology
Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers.
LiveUpdate - also known as Windows LiveUpdate (WLU). A critical component of SEP / SEPM responsible for updating the content definitions. Initially used by both SEP clients and SEPM (SEP 11.x). Since SEP 12.1, WLU on SEP clients has been replaced by the integrated LiveUpdate Engine (LUE) component. The Symantec Endpoint Protection Manager (SEPM) in version 12.1 still uses Windows LiveUpdate to download definitions from the Symantec LiveUpdate servers on the internet.
How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control
Symantec Endpoint Protection Manager - LiveUpdate - Policies explained
LiveUpdate Administrator (LUA) - an enterprise Web application that allows you to manage updates on multiple internal Central Update servers, called Distribution Centers. Updates are downloaded from an external site to an internal LiveUpdate Administrator server. From there, the updates can be sent immediately to a production distribution center to be downloaded by SEP clients or SEPM. LUA allows for more detailed configuration and scheduling than direct definition distribution from the SEPM server. The latest version of this software is 22.214.171.124. The LUA installer can be found on CD2 of the SEP installation media in the Liveupdate folder; the executable for installation is LUAESD.exe.
Knowledgebase Articles for Liveupdate Administrator (LUA)
Installing and Configuring LiveUpdate Administrator (LUA)
When to use LiveUpdate Administrator
Best Practices for LiveUpdate Administrator (LUA) 2.x
LiveUpdate Administrator 2.3: What's New
LiveUpdate Engine (LUE) - a LiveUpdate component directly integrated into SEP 12.1 clients. LUE replaces the traditional Windows LiveUpdate (WLU) previously used in SEP 11.x clients. Note: WLU is still used on the 12.1 SEPM server.
About LiveUpdate in Symantec Endpoint Protection version 12.1
The Log.LiveUpdate file is missing or out of date on a Symantec Endpoint Protection 12.1 client
Load Point Analysis (LPA) - Within each of the various versions of Windows, there are specific locations within the file system and registry that are used to load applications and related files. While these are used by legitimate programs, they are also commonly used as attack vectors for malware such as viruses, trojans, worms, and spyware. Load Point Analysis uses Power Eraser technology to scan the most common load points and provides a list of suspected malware similar to Symantec Power Eraser. Load Point Analysis uses Symantec Insight and other file checks to score the trustworthiness of a file. Load Point Analysis examines all of the files that start automatically on a computer and assigns a score to them. This score tells you which, if any, of those files should be investigated further in order to determine whether they are malicious. The score may be derived from a few different criteria: file certification, local analysis, and a Symantec Reputation Database check.
About the Load Point Analysis scan in Symantec Help
How to Run Load Point Analysis for Symantec Support
Using SymHelp, how do we collect the Load Point Analysis Logs and Submit the same to Symantec Technical Support Team
Location Awareness - this feature allows the application of location-specific security policies, enabling clients to switch locations based on defined criteria. For example, the defined criterion may be that if a client cannot communicate with its Endpoint Protection Manager, it switches to a new defined location where the security policy is to retrieve updates from an outside source. Some other possible location awareness criteria include: computer IP address; type of the network connection; IP address of the available DHCP and DNS servers; used IP range scope; the location of the connection; wireless SSID; presence of a specific registry key; etc.
Best Practices for Symantec Endpoint Protection Location Awareness
Using location awareness with groups
How To Optimize Endpoint Protection for Branch Offices using GUPs, Load Balancing, and Location Awareness
How to Use Location Awareness as Fault Tolerance for Content Updates
Enabling location awareness for a client
Lotus Notes Auto-Protect - an additional feature of File-System Auto-Protect in Symantec Endpoint Protection. This type of Auto-Protect provides real-time protection against attachments to Lotus Notes emails. The add-in is a separate SEP feature and needs to be specifically selected during installation.
Configuring Lotus Notes Auto-Protect
Macintosh Symantec Uninstaller (SymantecUninstaller.English.tgz) - a tool intended for all Symantec products on the Mac, not just SEP. The tool can be obtained from CD2 of the SEP installation media.
Symantec Endpoint Protection for Macintosh Frequently Asked Questions
How to uninstall Symantec Endpoint Protection for Macintosh
Management Server Configuration Wizard - a graphical wizard used to configure or reconfigure the SEPM server. Initially the wizard is started automatically during the first SEPM installation. In later stages it may be run manually to reconfigure the SEPM settings. The wizard is also used in disaster recovery scenarios, where it allows you to import a previously saved recovery file that includes client-server connection information. The recovery file enables the management server to reinstall existing backed-up certificates and to automatically restore communication with the existing clients.
Reinstalling or reconfiguring Symantec Endpoint Protection Manager
Network Access Control (SNAC) - a Symantec product / feature that validates and enforces policy compliance for the computers that try to connect to the production network. This validation and enforcement process begins before the computer connects to the network and continues throughout the duration of the connection. The Host Integrity policy is the security policy that serves as the basis for all evaluations and actions. SNAC clients may interact with a Symantec Enforcer. The Enforcer ensures that all the computers that connect to the network that it protects run the client software and have a correct security policy. SNAC can also work in so-called self-enforcement mode, where it uses the Symantec desktop firewall to police network access, providing the easiest and fastest enforcement deployment option.
Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide 12.1
About the types of enforcement in Symantec Network Access Control
How Symantec Network Access Control works
Network Activity Tool - a built-in SEP tool that can help identify files that are making suspicious network connections. When the tool is run, the details of all applications that are either making or listening for connections from other computers are displayed, as well as the protocols, ports and processes involved. As many of today's threats are largely designed to spread to other computers, receive commands from an unknown remote computer, or download additional threats from the Internet, monitoring the applications and their connections can identify processes that are acting suspiciously.
Overview of the SEP Network Activity Tool
Using Symantec Endpoint Protection 11's Network Activity Tool to Identify Suspicious Processes
Symantec Endpoint Network Activity Tool
Network Threat Protection (NTP) - this layer of SEP protection comprises firewall and intrusion prevention protection. The rules-based firewall prevents unauthorized users from accessing your computer. The intrusion prevention system automatically detects and blocks network attacks. The firewall allows or blocks network traffic based on the various criteria that the administrator sets. If the administrator permits it, end users can also configure firewall policies. The Intrusion Prevention System (IPS) analyzes all the incoming and the outgoing information for the data patterns that are typical of an attack. It detects and blocks malicious traffic and attempts by outside users to attack the client computer. Intrusion Prevention also monitors outbound traffic. For more information about IPS and Firewall, please look up those specific terms in this series of articles.
Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
Offline Image Scanner (SOIS.exe) - a standalone tool used to scan for and detect threats in offline VMware virtual system images (.vmdk files). SOIS is compatible with AV definitions of SEP (versions 11 and 12) and SAV (version 10). SOIS scans FAT32 and NTFS file systems on Windows .vmdk files. Linux .vmdk files are not supported. The tool can be found on CD2 of the SEP installation media.
Outlook Auto-Protect - an additional feature of File-System Auto-Protect in Symantec Endpoint Protection. This scan gives Outlook and Outlook Express users additional protection from threats sent by email. The add-in is a separate SEP feature and needs to be specifically selected during installation. Outlook Auto-Protect may not be required, or may even be not recommended, where the Outlook clients are using an Exchange Server already protected by Symantec Mail Security.
What is Auto-Protect ?
Power Eraser (SPE) - is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available – or before they are even aware that a hole exists. Power Eraser is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
■ New variants of existing threats that are not detected by the current definition sets
■ Fake antivirus applications and other rogueware
■ System settings that have been tampered with maliciously
Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. Power Eraser is accessible from the SymHelp tool and, together with Symantec Load Point Analysis, belongs to the Symantec Threat Analysis Tools.
About Symantec Power Eraser
Symantec Power Eraser User Guide
Symantec Power Eraser using Symantec Help (SymHelp) Tool
Proactive Threat Protection (PTP) - Proactive threat scanning provides an additional level of protection to a computer that complements existing AntiVirus, AntiSpyware, Intrusion Prevention, and Firewall protection technologies. The Heuristic process scan analyzes the behavior of an application or a process. The scan determines if the process exhibits the characteristics of a threat, such as Trojan horses, worms, or key loggers. The processes typically exhibit a type of behavior that a threat can exploit, such as opening a port on a user's computer. This type of protection is sometimes referred to as protection from "Zero-day attacks". Proactive Threat Protection also includes Application and Device Control Policies.
Symantec Endpoint Protection: About Proactive Threat Protection.
Pull / Push Mode - You can specify whether Symantec Endpoint Protection Manager pushes the policy down to the clients or whether the clients pull the policy from Symantec Endpoint Protection Manager. The default setting is push mode, where the client establishes a constant HTTP connection to the server. Whenever a change occurs with the server status, it notifies the client immediately. If pull mode is selected, then by default, clients connect to the management server every 5 minutes (according to the set heartbeat), but you can change this default heartbeat interval.
How the client computers get policy updates
Configuring push mode or pull mode to update client policies and content
Steps to change the communication mode in client groups
Push Deployment Wizard - a tool that helps to deploy the client software by pushing the installer to remote computers and automatically installing it. It has options for deploying SEP full install packages or patches as well as self-installing executables. There is a difference between the Push Deployment Wizard available in SEP 11.x and in SEP 12.1; however, both are meant for the same purpose. The Remote Push Deployment Wizard can be used as an alternative to the Client Deployment Wizard. Currently the preferred, recommended way of deploying clients is the push performed directly from SEPM using the Client Deployment Wizard.
Overview of Push Deployment Wizard in Symantec Endpoint Protection 12.1
Deploying client software with the Push Deployment Wizard
Quarantine - When virus and spyware scans detect a threat or SONAR detects a threat, Symantec Endpoint Protection places the files in the client computer's local Quarantine. Use the Antivirus and Antispyware Policy to configure client Quarantine settings. By default, Symantec Endpoint Protection rescans items in the Quarantine when new definitions arrive. It automatically repairs and restores items silently. By default, the Quarantine stores backup, repaired, and quarantined files in a default folder. It automatically deletes files after 30 days. The default local quarantine location on a SEP 12.1 client is: C:\ProgramData\Symantec\Symantec Endpoint Protection\<SEP version number>\SRTSP\Quarantine.
Remote Console for SEPM - Symantec Endpoint Protection Manager Console - a remote console that allows remote management of Symantec Endpoint Protection Manager in a Java client; it requires a Java 6 or 7 client download. The remote console can be accessed from SEPM Web Access (http://[servername]:9090). When you log on remotely, you can perform the same tasks as administrators who log on locally. What you can view and do from the console depends on the type of administrator you are.
Reputation - Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information forms a reputation database that Symantec hosts. Symantec products leverage the information to protect client computers from new, targeted, and mutating threats. The data is sometimes referred to as being "in the cloud" since it does not reside on the client computer. The client computer must request or query the reputation database. Manual and Scheduled scans can use full internal (IRON) and cloud-based community/Symantec Reputation information as part of their scans, when configured to do so.
How Symantec Endpoint Protection uses reputation data to make decisions about files
Does Symantec Endpoint Protection 12.1 Always Use Reputation to Detect Malicious Files?
Risk Tracer - an additional feature in the Antivirus and Antispyware SEP -> File System Auto-Protect protection. Risk Tracer is able to identify the source of network share-based virus infections on client computers. Risk Tracer must first be enabled in the Antivirus and Antispyware policy in order to view the information it can collect. To function fully, Risk Tracer requires Network Threat Protection (NTP) and IPS to be installed and IPS Active Response to be enabled. The results of the Risk Tracer analysis can be found in the "Risk Distribution by Attacker" chart under the "Summary" tab on SEPM Monitors, which should show the IP addresses of the risk attackers. Under certain circumstances the tracer may not be able to detect the exact source of the infection and will report the source simply as unknown. Risk Tracer is available in both the SEP 11.x and SEP 12.1 product lines.
What is Risk Tracer?
About Risk Tracer
How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
Rx4DefsSEP - a legacy utility used to completely remove and replace (corrupted) virus definitions on SEP 11.x clients. The Rx4DefsSEP tool is a further development of the Rx4Defs and Rx4Defs64 tools previously designed only for SAV. It is not intended for operation with SEP 12.1 systems due to changes in folders and operations. The tool does not replace definitions for Symantec Endpoint Protection Manager. For instances where the tool can no longer be used (as in the case of 12.1 clients), the manual procedures for cleanup of SEP definitions are recommended.