Endpoint Protection

Our Exchange server is the last machine we have that needs to be upgraded to the SEP client and I would like to get some feedback prior to doing so.  According to Symantec if I install only the Antivirus and Antispyware features of the suite I should be fine.  However, I have read several horror stories on the boards about people having difficulties with installing the SEP client on an Exchange machine.  Some people have said that even installing just the Antivirus and Antispyware features messed their server up.  Others have said to stop the Exchange services and then run the install and everything will be fine.  I would be installing the MR4 client (pre MP1).  Ideally, I would also like to install Network Threat Protection in order to use Application and Device Control logging on the server, but if I can't I will accept that.

To give you a better idea of what is running on the server here are a list of applications/roles for the server:

Domain Controller

Schema Master

Domain Naming Master

Global Catalog Server

Exchange Server

WSUS Server

Several SQL Express installations

Obviously, I would rather not do anything that might break this server. I would appreciate any feedback or help.

Thanks.

Adrian

Anyone have any opinions on this?

SEP should automatically detect Exchange and install itself with the appropriate options, exclusions, etc.  Our exchange install went without a hitch.

Did you just install just the Antivirus and Antispyware feature or did you install others?  What version are you running on your Exchange server?  We would be installing MR4.

We only install the AV/Anti-Spyware component on our servers.  NEVER have we installed the Network Threat Protection or the ProActive Scanning on any servers, much less an Exchange box.  We are currently using MR4 MP1.

I agree with the above statements. 

With regards to file servers / exchange servers, just install the Antivirus / Antispyware components, not the Network Threat Protection.   This will prevent the SEP software from making changes to firewall and/or connectivity settings.

AV/AS only on Exchange w/DC, GC, DNS, SQL Express, BackupExec and SMS Distribution server.  No problems so far.

Thanks to everyone for the information.  I will just go with the AV/AS feature.  It's good to see there were many installs without problems.

Question. When you all installed the client on an Exchange box, did you use SEPM or manually install? How did you know the Exchange store was detected and exempted along with the other required stuff? Does the client tell you?

 

I am planning on installing an x64 client using SEPM on my Echange 2007 box after I hear from you all. I'd hate to learn the hard way with a corrupt store.....

Thanks for the help.

Charlie

You can check this registry to find out what exactly it is excluding if you want to exclude anything else aswell then you can go ahead and add it to Centralized Exceptions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server

I will not say it is not advised to have NTP on the server.Because if you are not installing NTP that means you are not only missing out with Firewall but IPS as well.I would suggest to have NTP on the server as well ( PTP wont work on server).The only issue with NTP is Firewall Rules.If you have all your Firewall Rules in place everything should work great and secured.

Is there a comprehensive list of exclusions that are automatically detected on installation? In preparing for deployment to our servers, I'm preparing role-based exclusion lists (IIS, SQL, Exchange, BE, etc...) and it sure would be nice to know what will be automatically taken care of and what won't be...

Charlie,

When we install on any server, we use an exported installation package with the features we want (components, location, silent or not, etc.), copy that package to the server in question, and manually launch the setup.  This way we can monitor the install more closely just in case.

Well, did the client install on our Exchange 2007 server (all roles on one box with FSE). Windows 2003 R2, etc. This box only has Exchange installed.

I used SEPM to push the x64 client based on all the confidence this thread seemed to exude.... I assumed that SEP would detect Exchange and configure accordingly.

You guys must have been lucky, or I am a moron..... 'cause SEP was all but blind to our Exchange, as far as I can tell. No exceptions, no registry entry labeled "exchange exceptions" as suggested above, etc. I used a separate group with it's own policies and installed only AV/AS, nothing else.

If you read MS's Technet article on file level scanners and Exchange 2007, it is pretty scary what they want you to exclude. There is a pretty good Symantec article on SAV 10 and Exchange 2007, so why isn't there one for SEP 11????

JFTR, if folks are assuming SEP is always Exchange aware, they may be in for a rude awakening as their stores get corrupted!

 

Charlie

 

 

Sorry, I should have clarified my response with the version of MR4 installed on the server.  I had real bad results installing MR4 MP1A on this server that clients from a remote site that use this server for DC/Exchange/Primary DNS all started to generate a lot of data traffic to the Secondary DNS server.  They were maxing out their data circuit.

When I uninstalled MP1A and reinstalled MR4, all is back to normal.  I don't know what kind of traffic was generated, just know that it was a LOT.  On the graph, MR4 MP1A was installed on the server that is remote to this site at 11:38am yesterday (auto upgrade) and was uninstalled and MR4 reinstalled at 12:40pm today.

Hi, we should take a look at the logs detected on the MRTG, to make sure what kind of traffic is using a lot of bandwidth. Please check the path /var/log/mrtg.log

My ISP doesn't want to pass the logs to me saying "its 1 giant file which just makes graphs. nothing to pass on." 

I have handled MRTG logs before, what you can request is just a part of the log, you can trim it, but just make sure the time you want to view.

Here's my ISP's repsone.  I'm not taking any sides, I simply don't know how MRTG works:

What are you trying to find ? MRTG takes a poll every 5 minutes to make a data point of how much bandwidth is being used. that's it, not flows are recorded, no source/destinations are recorded. Printing the MRTG as a .pdf is as good as looking directly at the log files because no flows are recorded. here is the MRTG log format ; http://oss.oetiker.ch/mrtg/doc/mrtg-logfile.en.html

I am not willing to test upgrading the server again, so I will not be logging a support call.  If I had a test environment, I would be more than happy to recreate the events that happened to me.

Hm. I have just installed one of the old version a while ago (MR2 maybe) on Exchange, AD, DNS, DHCP servers with NTP module included and we didnt had any problems, except that i had to do "DHCP allow" exception in the firewall policy. I was installing with the exported setup package. Now i have upgraded those servers to MR4 MP1a via Install Packages and everything is fine. Exchange 2003, Windows Server 2003.

I finally took the plunge and installed the client on our Exchange server.  It went off with out a hitch.  Thank you to everyone for their input on this.  I probably wouldn't have felt so comfortable doing so without it.

No problem at all Adrian.  I'm sure I speak for the rest of us in saying that i'm glad to hear that everything went so well.

This gives me some confidence that my Exchange 2003 / DC box won't suffer from this install.  However, did you end up shutting down Exchange services before running the install?  I'm running MR4 MP1.

I have personally installed MR4 to server 2003/exchange 2003 server (Main DC, DHCP, DNS and file services)

It did not interfere with my exchange at all.... for those of you concerned that it will cause issues on your exchange there is a few simple, key things, that need to be done.

AV/AS ONLY, any other options will just cause you grief.
Once installed set exceptions on local client (Or manager - make a seperate grp for server(s)) for Exchange's gather folder, DB Logs folder and the exchange mailstore folder...  It can't scan the database directly anyway....

Be sure to modify the scheduled scan that is there by default to a time when u know the server can handle the load (4AM or something) - It is advised that the full scan occur AFTER your backup routines and any other disk intensive maintenance that may be going on (Disk defrags, Exchange DB mailbox process, Exchange DB Indexing)

Follow those simple things there and all should be just dandy...

WireBug - thanks for the reply.  You make some good suggestions.  However, I thought SEP client would recognize Exchange and create it's own exceptions.  What prompted you to set them up manually?

I've been in IT a long time and one thing I learned is never assume something is done for you until you do it yourself :-)

Sometimes functions that are supposed to detect settings don't always work if you are not using the expected "standards" for locations and installs.

Looking in the local exceptions I did not see anything auto populated there. So to ensure the exceptions are in place I manually added to give myself that peace of mind knowing that it is set how I want it.

The SAV (10.x etc.) clients generally did a good job at this and you could see the exceptions in the client config. In the new SEP if it was already there, I could not locate anywhere that specified the exceptions.

In a nut shell, your always better safe than sorry. If you can't locate evidence that a setting exists, add it manually to ensure it does.

That's a good explanation.  I don't like assuming things are done either (my coworkers usually fault me for overdoing things).  However, I wanted to make sure you didn't have some other reason for explicitly making the settings.  It's too bad that SEP doesn't show you the exceptions, or some sign that it's made some local exceptions.

I've run SAV 10 on Exchange and made sure to apply the exceptions there.  I was thinking of setting the same exceptions on this install despite Symantec's assurance that it would be taken care of for me.

Take care!

I installed SEP64 11.0.4014_MR4_MP1 on Windows 2008 Server x64 with Exchange 2007 installed. AV/AS only.
No exceptions were added at all. Should it or should it not add these automatically?

This may help...
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090220241148

There's another link in that article that explains more about using SEP with Exchange 2007.

Thank you for the reply. I have read that article and I am using a regular Exchange 2007 installation (no cluster services).

It clearly states:

The client software creates file and folder scan exclusions for the following Microsoft Exchange server versions:

• Exchange 5.5
• Exchange 2000
• Exchange 2003
• Exchange 2007

But still, no exclusions are created at all when I install.

Did you check the registry key listed in the article?  Although my server is running Exchange 2003, the registry key clearly lists the exceptions as advertised.

Yes I did. The folder/group HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions didn't even exist.

Yes I did. The folder/group HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions didn't even exist.

Thats the wrong location on a 64bit machine.  You want Software\Wow6432node\Symantec