Symantec Endpoint Protection Installation and Administration Guide
December 2020, 14.3 RU1

Table of Contents

Release Notes ... 27
  What's new for Symantec Endpoint Protection 14.3 RU2? ... 27
  System requirements for Symantec Endpoint Protection (SEP) 14.3 RU3 ... 30
  Known issues and workarounds for Symantec Endpoint Protection (SEP) ... 38
  Supported virtual installations and virtualization products ... 45
  About Endpoint Protection release types and versions ... 46
  Where to get more information ... 47
  What's new for all releases of Symantec Endpoint Protection (SEP) 14.x ... 48
  What's new for Symantec Endpoint Protection 14.3 RU1 MP1 ... 58
  What's new for Symantec Endpoint Protection 14.3 RU1? ... 58
  What's new for Symantec Endpoint Protection 14.3 MP1 (14.3.0.1) ... 63
  What's new for Symantec Endpoint Protection 14.3? ... 64

What is Symantec Endpoint Protection? ... 66
  How Symantec Endpoint Protection technologies protect your computers ... 66
  Symantec Endpoint Protection architecture components ... 69

Getting Started ... 71
  Symantec Endpoint Protection Quick Start Guide ... 75
  Installing Symantec Endpoint Protection Manager ... 79
  Configuring Symantec Endpoint Protection Manager after installation ... 80
  Installing Symantec Endpoint Protection Manager with a custom configuration ... 81
  Logging on to the Symantec Endpoint Protection Manager console ... 83
  Activating or importing your Symantec Endpoint Protection product license ... 86
  Purchasing Symantec Endpoint Protection licenses ... 89
  Installing Symantec Endpoint Protection clients with Save Package ... 90
  Installing the Symantec Endpoint Protection client for Mac ... 91
    About authorizing system extensions for Symantec Endpoint Protection for macOS 10.15 or later ... 92
    Managing kernel extension authorization when deploying the Symantec Endpoint Protection client for Mac ... 92
  Installing the Symantec Agent for Linux or the Symantec Endpoint Protection client for Linux ... 93
    Getting started on the Linux agent ... 95
    About auto-compile for the Symantec Endpoint Protection client for Linux ... 96
    About the Linux client graphical user interface ... 97
  Installing Symantec Endpoint Protection clients with Remote Push ... 98
  Installing Symantec Endpoint Protection clients with Web Link and Email ... 100
  What do I do after I install the management server? ... 101
  Communication ports for Symantec Endpoint Protection ... 103

Installing and Uninstalling the Management Server and Clients ... 106
  Network architecture considerations ... 106
  About choosing a database type ... 107
  About basic management server settings ... 107
  About SQL Server configuration settings ... 108
  About SQL Server database authentication modes ... 111
  Internationalization requirements ... 112
  Uninstalling Symantec Endpoint Protection Manager ... 113
  Managing the Symantec Endpoint Protection client installation ... 113
    Preparing Windows and Mac computers for remote deployment ... 114
    Choosing a method to install the client using the Client Deployment Wizard ... 116
    Choosing which security features to install on the client ... 117
    Managing client installation packages ... 117
    Exporting client installation packages ... 118
    Importing client installation packages into Symantec Endpoint Protection Manager ... 119
    Windows client installation package and content update sizes ... 120
    Creating custom Windows client installation packages in Symantec Endpoint Protection Manager ... 121
    About the Windows client installation settings ... 121
    Customizing the client installation settings ... 122
    Uninstalling existing security software ... 122
    Choosing whether to download cloud-based or local-based definitions using the client installation type ... 124
    Third-party security software removal in Endpoint Protection 14 ... 125
    Third-party security software removal in Symantec Endpoint Protection 14.3 RU1 and later ... 125
    Restarting the client computers from Symantec Endpoint Protection Manager ... 127
    About managed and unmanaged clients ... 128
    How to get an unmanaged client installation package ... 129
    Installing an unmanaged Windows client ... 130
    About uninstalling the Symantec Endpoint Protection client ... 131
    Uninstalling the Symantec Endpoint Protection client for Windows ... 132
    Uninstalling the Symantec Endpoint Protection client for Mac ... 132
    Uninstalling the Symantec Agent for Linux or the Symantec Endpoint Protection client for Linux ... 133

Upgrading and Migrating to the Latest Release of Symantec Endpoint Protection (SEP) ... 135
  Upgrade best practices for Endpoint Protection 14.x ... 136
  Supported and unsupported upgrade paths to the latest version of Symantec Endpoint Protection 14.x ... 140
  Increasing Symantec Endpoint Protection Manager available disk space before an upgrade ... 141
  Upgrading a management server ... 142
  Best practices for upgrading from the embedded database to the Microsoft SQL Server Express database ... 143
  Reducing the database size when the database is full before an upgrade to Microsoft SQL Server Express ... 145
  Enabling FILESTREAM for the Microsoft SQL Server database ... 146
  Reducing the database size to less than 10 GB before an upgrade to Microsoft SQL Server Express ... 147
  Making more disk space available to upgrade to the default Microsoft SQL Server Express database ... 149
  Configuring encrypted communication between Symantec Endpoint Protection Manager and Microsoft SQL Server ... 150
  Upgrading an environment that uses multiple embedded databases and management servers ... 158
  Stopping and starting the management server service ... 158
  Preventing replication during an upgrade ... 159
  Restoring replication ... 160
  Choosing which method to upgrade the client software ... 160
  Upgrading client software with AutoUpgrade ... 162
  Applying AutoUpgrade settings to other groups ... 164
  Upgrading Symantec Endpoint Protection 14.3 RU2+ to a supported language ... 164
  Installing Endpoint Protection client patches on Windows clients ... 165
  Upgrading the Symantec Linux Agent ... 166
  Updating the kernel modules for the Symantec Linux Agent ... 167
  Upgrading Group Update Providers ... 168
  Upgrade resources for Symantec Endpoint Protection ... 169

Licensing Symantec Endpoint Protection ... 170
  Checking the license status in Symantec Endpoint Protection Manager ... 171
  Backing up and recovering your license file (.slf) ... 171
  Purging obsolete clients from the database to make more licenses available ... 172
  What does a Symantec Endpoint Protection license cover? ... 172
  About multi-year licenses ... 173
  Symantec Endpoint Protection product license terminology ... 173
  Licensing an unmanaged Windows client ... 174

Managing the client-server connection ... 175
  Configuring management servers and the server-client connection ... 175
    Setting up HTTPS communications between a Symantec Endpoint Protection Manager and the clients ... 175
      Verifying port availability ... 176
      Changing the HTTPS port for Apache for client communication ... 176
      Enabling HTTPS client-server communications ... 177
    Improving client and server performance ... 179
    About server certificates ... 180
    Best practices for updating server certificates and maintaining the client-server connection ... 181
      Update the server certificate on the management server without breaking communications with the client ... 182
      Updating or restoring a server certificate ... 184
    Reconfiguring Symantec Endpoint Protection Manager after changing the computer's IP address and host name ... 185
  Checking whether the client is connected to the management server and is protected ... 186
    Symantec Endpoint Protection client status icons ... 188
    Using the policy serial number to check client-server communication ... 188
  Updating policies and content on the client using push mode or pull mode ... 189
  How does the client computer and the management server communicate? ... 190
  How do I replace the client-server communications file on the client computer? ... 192
    Restoring client-server communications with Communication Update Package Deployment ... 193
    Exporting the client-server communications file (Sylink.xml) manually ... 194
    Importing client-server communication settings into the Windows client ... 195
    Importing client-server communication settings into the Linux client ... 195
  IPv6 networking support ... 196

Managing Groups, Clients, Administrators, and Domains ... 197
  Managing groups of clients ... 197
    How you can structure groups ... 198
    Adding a group ... 198
    Importing existing groups and computers from an Active Directory or an LDAP server ... 199
      About importing organizational units from the directory server ... 199
      Connecting Symantec Endpoint Protection Manager to a directory server ... 200
      Connecting to a directory server on a replicated site ... 201
      Importing organizational units from a directory server ... 202
    Disabling a group's inheritance ... 202
    Blocking client computers from being added to groups ... 203
    Moving a client computer to another group ... 203
  Managing client computers ... 204
    Viewing the protection status of client computers ... 205
    Enabling protection on the client computer ... 206
    Searching for the clients that do not have the client software installed ... 206
    Searching for information about client computers ... 207
    What are the commands that you can run on client computers? ... 207
    Running commands on client computers from the console ... 209
    Ensuring that a client does not restart ... 210
    Switching a Windows client between user mode and computer mode ... 210
    Configuring a client to detect unmanaged devices ... 211
    Password-protecting the Symantec Endpoint Protection client ... 212
    Preventing and allowing users to change the client's user interface ... 213
    Collecting user information ... 214
    Checking on your Mac client using AppleScript scripts ... 215
    Managing your Linux client using the command line tool (sav) ... 216
  Managing remote clients ... 217
    Managing locations for remote clients ... 218
    Enabling location awareness for a client ... 220
    Adding a location to a group ... 221
    Changing a default location ... 221
    Setting up Scenario One location awareness conditions ... 222
    Setting up Scenario Two location awareness conditions ... 224
    Configuring communication settings for a location ... 225
    About strengthening your security policies for remote clients ... 226
      Best practices for Firewall policy settings for remote clients ... 226
    About turning on notifications for remote clients ... 227
    About monitoring remote clients from the management server ... 227
    Monitoring roaming Symantec Endpoint Protection clients from the cloud console ... 228
  Managing administrator accounts ... 229
    About administrator accounts and access rights ... 230
    Adding an administrator account and setting access rights ... 232
    Choosing the authentication method for administrator accounts ... 232
      Using RSA SecurID authentication with Symantec Endpoint Protection Manager ... 233
      Configuring two-factor authentication with Symantec VIP ... 235
      Configuring Symantec Endpoint Protection Manager to authenticate administrators who log on with smart cards ... 235
      Testing directory server authentication for an administrator account ... 237
    Changing the password for an administrator account or the default database ... 240
    Resetting a forgotten Symantec Endpoint Protection Manager password ... 241
    Displaying the Forgot your password? link so that administrators can reset lost passwords ... 242
    Enabling Symantec Endpoint Protection Manager logon passwords to never expire ... 242
    Displaying a message for administrators to see before logging on to the Symantec Endpoint Protection Manager console ... 243
    Displaying the Remember my user name and Remember my password check boxes on the logon screen ... 243
    Granting or blocking access to remote Symantec Endpoint Protection Manager consoles ... 244
    Unlocking an administrator's account after too many logon attempts ... 245
    Changing the timeout period for staying logged on to the Symantec Endpoint Protection Manager console ... 245
  About domains ... 246
    Adding a domain ... 247
    Switching to the current domain ... 248

Using Policies to Manage Security ... 249
  Performing the tasks that are common to all policies ... 249
    The types of security policies ... 250
    Updating client policies ... 252
    Adding a policy ... 252
    Editing a policy ... 253
    Finding a policy's default settings ... 253
    Copying and pasting a policy on the Policies page ... 254
    Copying and pasting a policy on the Clients page ... 254
    Assigning a policy to a group or location ... 255
    Replacing a policy ... 256
    Exporting and importing individual Endpoint Protection policies ... 256
    About shared and non-shared policies ... 257
    Converting a shared policy to a non-shared policy ... 258
    Unassigning a policy from a group or location ... 258
    Preventing users from disabling protection on client computers ... 259
    Monitoring the applications and services that run on client computers ... 262
    Enabling application learning ... 263
    Searching for information about the learned applications that the computers run ... 264
  Managing firewall protection ... 265
    How a firewall works ... 266
    About the Symantec Endpoint Protection firewall ... 266
    About firewall settings for the Mac client ... 267
    Creating a firewall policy ... 268
    Managing firewall rules ... 270
      Adding a new firewall rule ... 271
      About firewall server rules and client rules ... 272
      About the firewall rule, firewall setting, and intrusion prevention processing order ... 273
      About inherited firewall rules ... 274
      Changing the order of firewall rules ... 275
      How the firewall uses stateful inspection ... 276
      About firewall rule application triggers ... 276
      About firewall rule host triggers ... 279
      Adding host groups ... 280
      About firewall rule network services triggers ... 281
      Adding network services to the default network services list ... 281
      About firewall rule network adapter triggers ... 282
      Adding a custom network adapter to the network adapter list ... 282
      Importing and exporting firewall rules ... 283
      Importing or exporting firewall rules on the client ... 284
      Customizing firewall rules ... 284
    Configuring firewall settings for mixed control ... 291
    Enabling communications for network services instead of adding a rule ... 292
    Automatically blocking connections to an attacking computer ... 293
    Detecting potential attacks and spoofing attempts ... 293
    Preventing outside stealth attacks on computers ... 294
    Disabling the Windows Firewall ... 295
  Managing intrusion prevention ... 296
    How intrusion prevention works ... 298
    About Symantec IPS signatures ... 298
    About custom IPS signatures ... 299
    Creating exceptions for IPS signatures ... 299
    Setting up a list of excluded computers ... 301
    Enabling network intrusion prevention or browser intrusion prevention ... 301
    Integrating browser extensions with Symantec Endpoint Protection to protect against malicious websites ... 302
    Configuring client notifications for intrusion prevention and Memory Exploit Mitigation ... 308
    Managing custom intrusion prevention signatures ... 308
      Creating a custom IPS library ... 309
      Adding signatures to a custom IPS library ... 310
      Changing the order of custom IPS signatures ... 311
      Defining variables for custom IPS signatures ... 312
      Assigning multiple custom IPS libraries to a group ... 312
      Testing custom IPS signatures ... 313
  Hardening Windows clients against memory tampering attacks with a Memory Exploit Mitigation policy ... 313
    Symantec Endpoint Protection Memory Exploit Mitigation techniques ... 317
  Ransomware mitigation and protection with Symantec Endpoint Protection ... 319
    Ransomware protection using Symantec Endpoint Protection ... 321
  Preventing and handling virus and spyware attacks on client computers ... 324
    Removing viruses and security risks ... 325
      Identifying the infected and at-risk computers ... 327
      Checking the scan action and rescanning the identified computers ...
327 How Windows clients receive definitions from the cloud....................................................................................... 328 Managing scans on client computers..................................................................................................................... 330 About the types of scans and real-time protection..........................................................................................331 About the types of Auto-Protect...................................................................................................................... 333 About virus and security risks......................................................................................................................... 335 About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans....... 336 About the default Virus and Spyware Protection policy scan settings............................................................ 338 How Symantec Endpoint Protection handles detections of viruses and security risks....................................340 How Symantec Endpoint Protection handles detections on Windows 8 computers....................................... 341 Setting up scheduled scans that run on Windows computers............................................................................... 342 Setting up scheduled scans that run on Mac computers....................................................................................... 343 Setting up scheduled scans that run on Linux computers..................................................................................... 344 Running on-demand scans on client computers.................................................................................................... 345 Adjusting scans to improve computer performance............................................................................................... 
345 Adjusting scans to increase protection on your client computers.......................................................................... 347 Managing Download Insight detections.................................................................................................................. 349 How Symantec Endpoint Protection uses Symantec Insight to make decisions about files...................................351 How does Symantec Endpoint Protection use advanced machine learning?........................................................ 352 8 How does the emulator in Symantec Endpoint Protection detect and clean malware?......................................... 354 Managing the quarantine for Windows clients....................................................................................................... 355 Managing the virus and spyware notifications that appear on client computers.................................................... 357 About the pop-up notifications that appear on Windows 8 clients......................................................................... 358 Enabling or disabling Symantec Endpoint Protection pop-up notifications that appear on Windows 8 clients....... 358 Managing early launch anti-malware (ELAM) detections....................................................................................... 359 Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options......................................360 Configuring a site to use a private Insight server for reputation queries................................................................360 Configuring client groups to use private servers for reputation queries and submissions..................................... 
361 Customizing virus and spyware scans......................................................................................................................362 Customizing the virus and spyware scans that run on Mac computers................................................................. 364 Customizing the virus and spyware scans that run on Linux computers............................................................... 364 Customizing Auto-Protect for Windows clients.......................................................................................................365 Customizing Auto-Protect for Mac clients...............................................................................................................366 Customizing Auto-Protect for Linux clients.............................................................................................................367 Customizing Auto-Protect for email scans on Windows computers....................................................................... 368 Customizing administrator-defined scans for clients that run on Windows computers...........................................369 Customizing administrator-defined scans for clients that run on Mac computers.................................................. 370 Customizing administrator-defined scans for clients that run on Linux computers................................................ 370 Randomizing scans to improve computer performance in virtualized environments on Windows clients.............. 371 Modifying global scan settings................................................................................................................................372 Modifying log handling and notification settings on Windows computers.............................................................. 
373 Modifying log handling settings on Linux computers..............................................................................................373 Customizing Download Insight settings.................................................................................................................. 373 Changing the action that Symantec Endpoint Protection takes when it makes a detection................................... 374 Allowing users to view scan progress and interact with scans on Windows computers........................................ 376 Configuring Windows Security Center notifications to work with Symantec Endpoint Protection clients................377 Submitting Symantec Endpoint Protection telemetry to improve your security...................................................378 Understanding server data collection and client submissions and their importance to the security of your network.................................................................................................................................................................... 386 Managing the pseudonymous or non-pseudonymous data that clients send to Symantec....................................388 How Symantec Endpoint Protection minimizes the impact of client submissions on your network bandwidth....... 388 Specifying a proxy server for client submissions and other external communications...........................................389 Managing SONAR.........................................................................................................................................................390 About SONAR......................................................................................................................................................... 391 Handling and preventing SONAR false positive detections................................................................................... 
392 Adjusting SONAR settings on your client computers............................................................................................. 393 Monitoring SONAR detection results to check for false positives.......................................................................... 394 Changing Tamper Protection settings.....................................................................................................................395 About application control, system lockdown, and device control......................................................................... 395 9 Setting up application control..................................................................................................................................396 Enabling and testing default application rules........................................................................................................ 397 The structure of an Application Control and Device Control policy........................................................................398 Adding custom rules to Application Control........................................................................................................... 399 Best practices for adding application control rules..........................................................................................401 Best practices for choosing which condition to use for a rule.........................................................................402 Testing application control rules..............................................................................................................................403 Configuring system lockdown................................................................................................................................. 404 Creating a file fingerprint list with checksum.exe............................................................................................ 
407 Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager..................................... 409 Manually updating a file fingerprint list in Symantec Endpoint Protection Manager........................................410 Interaction between system lockdown and Symantec EDR deny list (blacklist) rules.....................................410 Creating an application name list to import into the system lockdown configuration...................................... 411 Automatically update file fingerprint lists to allow or block for system lockdown............................................ 412 Setting up and testing the system lockdown configuration before you enable system lockdown....................415 Running system lockdown in allow mode........................................................................................................416 Running system lockdown in deny mode........................................................................................................417 Managing device control......................................................................................................................................... 418 Allowing or blocking devices on client computers...........................................................................................418 About the hardware devices list...................................................................................................................... 419 Obtaining a device vendor or model for Windows computers with DevViewer............................................... 420 Adding a hardware device to the Hardware Devices list................................................................................ 
421 Managing exceptions in Symantec Endpoint Protection.........................................................................................422 Which Windows exceptions do I use for what type of scan?.................................................................................423 Creating exceptions for Virus and Spyware scans.................................................................................................424 Excluding a file or a folder from scans........................................................................................................... 426 Excluding known risks from virus and spyware scans on Windows clients.................................................... 427 Excluding file extensions from virus and spyware scans on Windows clients and Linux clients..................... 428 Monitoring an application to create an exception for the application on Windows clients...............................428 Specifying how Symantec Endpoint Protection handles monitored applications on Windows clients............. 429 Excluding a trusted web domain from scans on Windows clients.................................................................. 429 Creating a Tamper Protection exception on Windows clients......................................................................... 430 Creating an exception for an application that makes a DNS or host file change............................................431 Excluding a certificate from scans on Windows clients.................................................................................. 431 Restricting the types of exceptions that users can configure on client computers.................................................432 Creating exceptions from log events...................................................................................................................... 
432 Configuring Web and Cloud Access Protection.......................................................................................................433 What is Web and Cloud Access Protection?......................................................................................................... 435 Verifying that the Web and Cloud Access Protection tunnel method is enabled and connected on the client........438 Testing Web and Cloud Access Protection policies in a browser.......................................................................... 440 10 About Web and Cloud Access Protection for the Mac client................................................................................ 442 Web and Cloud Access Protection Settings...........................................................................................................442 Testing Symantec Endpoint Protection Manager policies.......................................................................................443 Testing a Virus and Spyware Protection policy...................................................................................................... 444 Blocking a process from starting on client computers............................................................................................445 Preventing users from writing to the registry on client computers......................................................................... 445 Preventing users from writing to a particular file....................................................................................................446 Adding and testing a rule that blocks a DLL..........................................................................................................447 Adding and testing a rule that terminates a process............................................................................................. 
449 Testing a default IPS policy.................................................................................................................................... 449 How to update content and definitions on the clients................................................................ 451 Choose a distribution method to update content on clients.................................................................................. 452 Choose a distribution method to update content on clients based on the platform............................................ 455 Downloading content from LiveUpdate to the Symantec Endpoint Protection Manager..................................... 456 Checking that Symantec Endpoint Protection Manager has the latest content......................................................459 About the types of content that LiveUpdate downloads.........................................................................................460 Configuring clients to download content from an internal LiveUpdate server..................................................... 464 Configuring clients to download content from an external LiveUpdate server.................................................... 465 Configuring Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet and download content from Symantec LiveUpdate....................................................................................................... 466 Specifying a proxy server that clients use to communicate to Symantec LiveUpdate or an internal LiveUpdate server.......................................................................................................................................................................466 Configuring the LiveUpdate download schedule to client computers................................................................... 
467 Configuring the amount of control that users have over LiveUpdate....................................................................469 Mitigating network overloads for client update requests........................................................................................469 About randomization of simultaneous content downloads.................................................................................... 470 Randomizing content downloads from the default management server or a Group Update Provider................470 Randomizing content downloads from a LiveUpdate server.................................................................................. 471 Configuring Windows client updates to run when client computers are idle....................................................... 472 Configuring Windows client updates to run when definitions are old or the computer has been disconnected.................................................................................................................................................................472 Configuring clients to download content from the Symantec Endpoint Protection Manager..............................473 Testing engine updates before they release on Windows clients.......................................................................... 473 Reverting to an older version of the Symantec Endpoint Protection security updates....................................... 475 Using Group Update Providers to distribute content to clients............................................................................. 476 About the types of Group Update Providers.......................................................................................................... 477 Configuring clients to download content from Group Update Providers................................................................ 
479 Searching for the clients that act as Group Update Providers...............................................................................480 About the effects of configuring more than one type of Group Update Provider in your network...........................481 Using Intelligent Updater files to update content on Symantec Endpoint Protection clients..............................482 11 Using third-party distribution tools to update client computers............................................................................ 483 Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients.................. 484 Preparing unmanaged clients to receive updates from third-party distribution tools.............................................. 484 Distributing the content using third-party distribution tools.....................................................................................485 Monitoring, Reporting, and Enforcing Compliance......................................................................488 Setting up Host Integrity............................................................................................................................................. 488 How Host Integrity works........................................................................................................................................ 489 About Host Integrity requirements.......................................................................................................................... 489 Adding predefined requirements to a Host Integrity policy.................................................................................... 490 Setting up remediation for a predefined Host Integrity requirement.......................................................................491 Allowing users to delay or cancel Host Integrity remediation......................................................................... 
491 Configuring the frequency of Host Integrity check settings.................................................................................... 492 Allowing the Host Integrity check to pass if a requirement fails.............................................................................493 Configuring notifications for Host Integrity checks................................................................................................. 493 Creating a Quarantine policy for a failed Host Integrity check...............................................................................494 Blocking a remote computer by configuring peer-to-peer authentication............................................................... 494 Adding a custom requirement from a template...................................................................................................... 495 Writing a customized requirement script................................................................................................................ 496 About registry conditions................................................................................................................................. 497 Writing a custom requirement to run a script on the client............................................................................. 498 Writing a custom requirement to set the timestamp of a file.......................................................................... 498 Writing a custom requirement to increment a registry DWORD value............................................................499 Creating a test Host Integrity policy with a custom requirement script.................................................................. 500 Monitoring endpoint protection.................................................................................................................................. 
501 Finding unscanned computers................................................................................................................................503 Finding offline computers........................................................................................................................................ 504 Generating a list of the Symantec Endpoint Protection versions installed in your network....................................504 Running a report on the deployment status of clients............................................................................................505 Viewing risks........................................................................................................................................................... 505 Viewing attack targets and sources........................................................................................................................506 Viewing a daily or weekly status report..................................................................................................................507 Viewing system protection...................................................................................................................................... 507 Configuring reporting preferences.............................................................................................................................507 Logging on to reporting from a standalone web browser...................................................................................... 508 About the types of Symantec Endpoint Protection Manager reports.................................................................... 509 Running and customizing quick reports................................................................................................................... 
516
  Saving custom reports ........ 517
  How to run scheduled reports ........ 518
  Editing the filter used for a scheduled report ........ 519
  Printing and saving a copy of a report ........ 520
  Viewing logs ........ 520
  About the types of Symantec Endpoint Protection Manager logs ........ 521
  Saving and deleting custom logs by using filters ........ 523
  Viewing logs from other sites ........ 524
  Exporting data to a Syslog server ........ 524
  Exporting log data to a text file ........ 525
  Configuring a failover server for external logging ........ 526
  Managing notifications ........ 527
  How notifications work ........ 527
  What are the types of notifications and when are they sent? ........ 528
  About partner notifications ........ 531
  Establishing communication between the management server and email servers ........ 531
  Viewing and acknowledging notifications ........ 531
  Saving and deleting administrative notification filters ........ 532
  Setting up administrator notifications ........ 533
  How upgrades from another version affect notification conditions ........ 534
Managing management servers, sites, and databases ........ 536
  About the types of Symantec Endpoint Protection servers ........ 536
  Exporting and importing server settings ........ 536
  Managing Symantec Endpoint Protection Manager servers and third-party servers ........ 537
  Maintaining the database ........ 538
  Running automatic database backups ........ 540
  Scheduling automatic database maintenance tasks ........ 541
  Increasing the Microsoft SQL Server database file size ........ 542
  Specifying client log size and which logs to upload to the management server ........ 542
  Specifying the log size and how long to keep log entries in the database ........ 543
  About increasing the disk space on the server for client log data ........ 543
  Clearing log data from the database manually ........ 544
  Setting up failover and load balancing ........ 544
  About failover and load balancing ........ 545
  Configuring a management server list for load balancing ........ 547
  Installing a management server for failover or load balancing ........ 547
  Assigning a management server list to a group and location ........ 548
  Setting up sites and replication ........ 549
  What are sites and how does replication work? ........ 550
  How to resolve data conflicts between sites during replication ........ 552
  Deciding whether or not to set up multiple sites and replication ........ 553
  Determining how many sites you need ........ 554
  How to install a second site for replication ........ 555
  Changing the replication frequency and content ........ 556
  Replicating data immediately ........ 557
  Deleting sites ........ 557
  Disaster recovery best practices for Endpoint Protection ........ 557
  Backing up the database and logs ........ 559
  Backing up a server certificate ........ 560
  Reinstalling or reconfiguring Symantec Endpoint Protection Manager ........ 560
  Generating a new server certificate ........ 561
  Restoring the database ........ 562
Managing clients and policies from the Symantec Endpoint Security cloud console ........ 564
  What is Symantec Endpoint Security (SES) and the Integrated Cyber Defense Manager (ICDm) cloud console? ........ 564
  Choosing between the on-premises management, hybrid management, or cloud-only management options ........ 565
  Enrolling a Symantec Endpoint Protection Manager domain into the cloud console ........ 567
  What happens after you enroll a Symantec Endpoint Protection Manager domain into the cloud console? ........ 570
  How a hybrid-managed Symantec Endpoint Protection Manager interacts with the Symantec Endpoint Security cloud console ........ 571
  How 14.x Symantec Endpoint Protection Manager domain-enrolled cloud console features compare to on-premises Symantec Endpoint Protection Manager ........ 574
  How does the Symantec Endpoint Protection Manager Exceptions policy interact with the cloud console? ........ 577
  Enrolling sites with replication partners in the cloud console ........ 580
  Updating clients in low-bandwidth environments ........ 582
  Unenrolling Symantec Endpoint Protection Manager domains from the cloud console ........ 583
Using Symantec Endpoint Protection in virtual infrastructures ........ 585
  About Shared Insight Cache ........ 585
  About the Virtual Image Exception tool ........ 586
  What do I need to do to use a network-based Shared Insight Cache? ........ 586
  System requirements for implementing a network-based Shared Insight Cache ........ 587
  Installing and uninstalling a network-based Shared Insight Cache ........ 587
  Enabling the use of a network-based Shared Insight Cache ........ 588
  Customizing Shared Insight Cache settings ........ 589
  About stopping and starting the network-based Shared Insight Cache service ........ 592
  Viewing network-based Shared Insight Cache log events ........ 592
  Monitoring network-based Shared Insight Cache performance counters ........ 593
  Troubleshooting issues with Shared Insight Cache ........ 593
  Using the Virtual Image Exception tool on a base image ........ 594
  System requirements for the Virtual Image Exception tool ........ 594
  Running the Virtual Image Exception tool ........ 595
  Configuring Symantec Endpoint Protection to bypass the scanning of base image files ........ 595
  Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures ........ 596
  Setting up the base image for non-persistent guest virtual machines in VDIs ........ 596
  Purging obsolete non-persistent VDI clients to free up licenses ........ 597
  How to manage the license count for non-persistent VDI clients ........ 597
  vietool ........ 598
  vietool ........ 598
Troubleshooting Symantec Endpoint Protection ........ 599
  URLs that allow (whitelist) SEP and SES to connect to Symantec servers ........ 600
  Troubleshooting computer issues with the Symantec Diagnostic Tool (SymDiag) ........ 600
  Identifying the point of failure of a client installation ........ 600
  Troubleshooting connectivity problems between Symantec Endpoint Protection Manager and the Symantec Endpoint Protection client ........ 601
  Checking the connection to the management server on the client computer ........ 602
  Investigating protection problems using the troubleshooting file on the client ........ 602
  Enabling and viewing the Access log to check whether the client connects to the management server ........ 602
  Stopping and starting the Apache Web server ........ 603
  Using the ping command to test the connectivity to the management server ........ 603
  Using a browser to test the connectivity to Symantec Endpoint Protection Manager on the Symantec Endpoint Protection client ........ 603
  Checking the debug log on the client computer ........ 604
  Checking the inbox logs on the management server ........ 604
  Restoring client-server communication settings by using the SylinkDrop tool ........ 605
  Troubleshooting the Symantec Linux Agent ........ 606
  Troubleshooting communication problems between Symantec Endpoint Protection Manager and the console or the default database ........ 607
  Verifying the management server connection with the database ........ 607
  Client and server communication files ........ 610
  Troubleshooting reporting issues ........ 610
  Changing timeout parameters for reviewing reports and logs ........ 611
  Accessing reporting pages when the use of loopback addresses is disabled ........ 612
  What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console ........ 613
  Tasks to perform when you need to run Power Eraser from the Symantec Endpoint Protection Manager console ........ 615
  Starting Power Eraser analysis from Symantec Endpoint Protection Manager ........ 617
  Responding to Power Eraser detections ........ 618
Appendices ........ 620
  Symantec Endpoint Protection features based on platform ........ 620
  Symantec Endpoint Protection feature dependencies for Windows clients ........ 629
  What are the tools included with Symantec Endpoint Protection? ........ 631
  Commands for the Windows client service smc in Symantec Endpoint Protection and Symantec Endpoint Security ........ 637
  smc.exe command error codes ........ 642
  Installing Windows client software using third-party tools ........ 643
  About client installation features and properties ........ 644
  About configuring MSI command strings ........ 644
  About configuring Setaid.ini ........ 644
  Symantec Endpoint Protection command-line client installation properties ........ 645
  Installing Symantec Endpoint Protection client features using the command line ........ 646
  Windows Installer parameters ........ 647
  Windows Security Center properties ........ 648
  Command-line examples for installing the Windows client ........ 649
  Installing Windows clients with Microsoft SCCM/SMS ........ 649
  Installing Windows clients with an Active Directory Group Policy Object (GPO) ........ 650
  Creating a GPO software distribution ........ 651
  Adding computers to an organizational unit to install software ........ 652
  Copying a Sylink.xml file to make a managed installation package ........ 653
  Uninstalling client software with an Active Directory Group Policy Object ........ 654
  Quick Start Guide for Symantec Endpoint Protection for Amazon Web Services ........ 654
  What's new for Symantec Endpoint Protection (SEP) 14.0.1 (14 RU1) ........ 656
  What's new in Symantec Endpoint Protection (SEP) 14 ........ 659
Glossary ........ 667
  Bloodhound ........ 667
  Early Launch Anti-Malware ........ 667
  File Reputation ........ 667
  Insight ........ 667
  Insight Lookup ........ 667
  What is an .slf file? ........ 668
  Risk Categories ........ 668
  What is Shared Insight Cache? ........ 668
  SONAR ........ 668
  What is Virtual Image Exception? ........ 668
Product Dialog Help ........ 670
  Logs ........ 670
  Basic filter settings for all logs and quick reports ........ 670
  Basic options for all logs ........ 670
  Common additional filter settings for all logs and quick reports ........ 670
  Audit log and quick reports ........ 672
  Compliance log and quick report ........ 672
  Application and Device Control logs and quick reports ........ 673
  Computer Status logs and reports ........ 675
  Deception logs and reports ........ 676
  Network and Host Exploit Mitigation logs and quick reports ........ 677
  SONAR logs ........ 678
  Risk logs and quick reports ........ 680
  Scan logs and quick reports ........ 683
  System logs and quick reports ........ 685
  Monitors: Summary tab ........ 686
  Client Log Settings for group name ........ 688
  Choose Power Eraser Type ........ 689
  Site/Server Properties ........ 690
  Site Properties: LiveUpdate ........ 690
  Download LiveUpdate Content ........ 690
  Languages to Download ........ 691
  LiveUpdate Servers ........ 691
  Add or Edit LiveUpdate Server ........ 691
  Platforms to Download ........ 692
  Download Schedule ........ 692
  Full Definitions Download ........ 692
  Content to Download for Client Types ........ 693
  Policies ........ 693
  Overview ........ 693
  Policy Components ........ 694
  Policies ........ 695
  Withdraw the type of Policy ........ 696
  Replace the policy ........ 696
  Search for Applications ........ 696
  View Details ........ 698
  Exceptions Policy ........ 698
  Exceptions ........ 699
  Exceptions: Client Restrictions ........ 699
  Application to Monitor ........ 699
  Application Exception ........ 700
  Application Exception by Fingerprint ........ 701
  Known Security Risks Exceptions ........ 702
  Folder Exception ........ 702
  File Access Exception ........ 703
  File Exception ........ 704
  File and Folder Prefix Variables ........ 704
  Security Risk Extension Exceptions ........ 706
  Security Risk File or Folder Exception for Mac clients ........ 706
  Trusted Web Domain Exception ........ 706
  Tamper Protection Exception ........ 707
  DNS or Host File Change Exception ........ 708
  Add Folder Exception for Linux clients ........ 709
  Add Certificate Exception ........ 710
  LiveUpdate Settings Policy