Archive for April, 2008

04.24.08

Hyper-V support in Processors

Posted in Hardware at 9:04 pm by webmaster

Hyper-V requires an x64 based system that has either Intel-VT or AMD-V support. The host system’s CPU must have data execution protection enabled (the Intel XD bit or the AMD NX bit).

This link at Intel shows you which CPUs have virtualization support. The second requirement for taking advantage of virtualization technologies is support in the BIOS (the feature must be enabled there). This link has a tool to check virtualization support in Intel processors.

The AMD story is a little more confusing. You can see which AMD processors support virtualization here and here.

This is also a great link for understanding the current processors that are out there.
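On a machine that already runs Windows, the requirements listed above (x64, Intel VT or AMD-V enabled in the BIOS, and the XD/NX bit) can also be read from WMI. The script below is an added example, not part of the original post; the function name is hypothetical, and it assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or newer, where these WMI properties are populated.

```powershell
# Added example, not from the original post. Test-HyperVPrerequisite is a
# hypothetical name. Needs PowerShell 3.0+ (Get-CimInstance) and Windows 8 /
# Server 2012 or later for the virtualization and hypervisor properties.
function Test-HyperVPrerequisite {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values.
    $depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    $x64Cpu     = ($cpu.DataWidth -eq 64)
    $vtPresent  = [bool]$cpu.VMMonitorModeExtensions        # Intel VT / AMD-V in the CPU
    $vtEnabled  = [bool]$cpu.VirtualizationFirmwareEnabled  # switched on in the BIOS
    $depActive  = [bool]$os.DataExecutionPrevention_Available  # XD / NX bit in effect
    $hypervisor = [bool]$cs.HypervisorPresent

    $missing = @()
    if (-not $x64Cpu)    { $missing += 'x64 CPU' }
    if (-not $depActive) { $missing += 'hardware DEP (Intel XD / AMD NX)' }
    # With a hypervisor already running the CPU flags are not evaluated;
    # systeminfo likewise stops reporting the Hyper-V requirements in that case.
    if (-not $hypervisor -and -not ($vtPresent -and $vtEnabled)) {
        $missing += 'Intel VT / AMD-V present and enabled in the BIOS'
    }

    [pscustomobject]@{
        Cpu               = "$($cpu.Name)".Trim()
        X64Cpu            = $x64Cpu
        X64Os             = [Environment]::Is64BitOperatingSystem
        VtOrAmdVPresent   = $vtPresent
        EnabledInFirmware = $vtEnabled
        DepAvailable      = $depActive
        DepPolicy         = $depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy]
        HypervisorPresent = $hypervisor
        Ready             = ($missing.Count -eq 0)
        Missing           = $missing -join '; '
    }
}

Test-HyperVPrerequisite | Format-List
```

The first processor is taken as representative of the system. The `DepPolicy` field also shows which DEP mode the host is in.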

Acer laptop

04.21.08

SEP resources

Posted in OS, SAV at 10:07 am by webmaster

Included below is a list of Symantec Endpoint Protection resources. Look at the bottom for easy ways to find more.

Server

SEP Documentation pdf

SBS Best Practices pdf

Performance Tweaks html

Disaster Recovery pdf

SEP network ports pdf

Liveupdate settings pdf 

SEPM debugging pdf

A similar DEP issue that I ran into with SEP pdf

Clients

Lock down client settings pdf 

Add program exception pdf

Add uninstall policy pdf

Check for connectivity to sepm pdf 

Change from unmanaged client to managed pdf 

Symantec Endpoint Protection Manager – Between 300MBs and 500MBs
Symantec Endpoint Protection client – Between 25MBs and 80MBs
Symantec Endpoint Protection Manager Console – Between 40MBs and 80MBs

 

Symantec Searches

Symantec's search engines are not the best. To work around that, I search the site in two different ways:

KB Search: Symantec KB Search. Type “Endpoint Protection” in the KB window.

Symantec SEP search: a search engine set up by Symantec to search for SEP content.

 

04.18.08

Symantec Endpoint Protection MR2 Release, deployment in a SBS2003 environment

Posted in OS, SAV at 3:43 pm by webmaster

Symantec Endpoint Protection has been out for a while now, and with the MR2 release they have overcome most of the deficiencies in the original release (see my two-part original glimpse). This blog post attempts to identify the complete procedure for deploying SEP in a small business environment, with special attention paid to software used with SBS 2003 (Backup Exec, Exchange, etc.).

Disclaimer: Please thoroughly understand what you are doing, because it is very easy to break your existing SBS box. Install on a test server first. Ensure you have a good backup/restore strategy before proceeding. Because this software was just released this week, I may be updating this blog post over time as I come across things to make it even better.

Phase 1            Preparation  

  • Obtain the serial number for the product (call the Symantec licensing department with an older SAV serial if necessary)
  • Register the serial at Symantec to ensure you receive product updates
  • Download Programs
  • Check System requirements for MR2  (console, manager and database) 
    • 1 G P3 CPU  
    • 1 G memory (Supposed to run in as little as 256 MBytes)  
    • 8 G Disk  
  • Check the server configuration for the following items
    • Ensure IIS is installed (when installing on SBS, IIS will exist; when installing on Windows 2003/2008 this may not be the case, so have appropriate media available)
    • Check the existing configuration for auto/scheduled/server/client scan times, exclusions, settings and customizations
    • Check add/remove programs for the existence of Java, Symantec Backup Exec, Outlook Web Access and other web applications
    • Ensure the File and Printer Sharing GPO is enabled (this should be the case on SBS but not on Windows 2003/2008)
  • Download and reference the following manuals  
  • Peruse and understand the following notes                        
    • Ensure you preinstall Java  
    • Note the Backup Exec/OWA port conflict; always use a custom port  
    • Ensure you are logged into the console during install (do not install using RDP)  
    • Never migrate servers because of known issues with migrations (talk to Symantec; apparently these still exist in MR2)
  • Understand the following terms in this blog post
    • SEP: Symantec Endpoint Protection 
    • SSC: Symantec System Center 
    • AV & AS: Antivirus and Antispyware 
  • In summary, the installation steps are 
    • install and configure software 
    • migrate clients currently attached to SSC 
    • remove SSC 
    • install SEP on SBS 

Phase 2            Install JRE (use wizard defaults)

Note: newer versions of Java were known to have caused issues with SEP prior to MR2.

  1. Use add/remove programs to document what is currently installed on the system.  Pay attention to any Java, Sun and Symantec programs installed on the system.  You may also want to glance at the IIS websites so you have a clear idea of what is installed and running.
  2. Download the version of Java described above.
  3. Disable the current Symantec AutoProtect if you are paranoid.
  4. Install the version of Java described above using all the defaults.
  5. Reboot your system

Please note: Phase 2 is now NOT recommended, as it will sometimes cause SEPM CPU utilization issues. Please do not perform any steps in Phase 2.

Phase 3            Install the Symantec Endpoint Protection Manager 

Warning: it is possible that during this installation your Exchange Server will not be available for clients to access.

  1. Insert the Symantec Endpoint Protection 11.0 CD into the CD/DVD drive; the CD should auto run and the menu should appear. Alternatively, unzip the CD image you downloaded.
    1. Double click setup.exe.    
    2. Click “Install Symantec Endpoint Protection Manager”
    3. A wizard will launch and a welcome dialog will appear, click Next  
    4. Select I accept… then click Next  
    5. Select the location to which you wish to install the Symantec Endpoint Protection 11.0 Manager (These are the program files and I used the default C:\Program Files\Symantec\Symantec Endpoint Protection Manager\), then click Next
    6. Select Create a Custom website, then click next  
    7. Click Install to kick off the installation. This can take up to 5 minutes to complete. When prompted, click Finish.
      (At this point, the Management Server Configuration Wizard will launch automatically)  

Phase 4            Management Server Config Wizard 

Note: Ensure the database gets installed on the correct partition (the data partition). I recommend placing the database on the data drive, as it could grow as large as 4 G.

  1. Start the Management Server Configuration Wizard if it is not already started 
    1. Start >> All programs >> Symantec Endpoint Protection Manager >> Management Server Configuration Wizard 
  2. Select Advanced
  3. Select less than 100
  4. Ensure Install my first site is selected, then click Next  
  5. Server name, ports and data directory
    1. Change the Server port to 8440
    2. Leave the web console port alone (Mine was 9090)
    3. Change the server data folder to a location on your data drive. I used G:\Program Files\Symantec\Symantec Endpoint Protection Manager\data
    4. click next
  6. Select Yes at the “folder does not exist” prompt 
  7. Enter your company name as the Site Name, then click Next
      COMPANYNAME  
  8. Enter an encryption password, then click Next
  9. Embedded database will be selected by default, click Next  
  10. Management Console system administrator account
    1. admin
    2. PASSWORD
    3. PASSWORD
    4. Email Address
    5. click Next
      (Configuration will begin and can take up to 5 minutes to complete)  
  11. When prompted, ensure No is selected, then Finish
    (the management console will automatically launch, Click exit on the same)  

Phase 5            Complete Configuration of custom port in IIS and SEP file  

  1. Go to Services, Locate Symantec Endpoint Protection Manager & Stop the same.  
  2. Open IIS Manager >> Expand server name >> Expand websites >> Right Click on Symantec Web Server >> Click on properties >> Next to TCP Port change the port number to 8078 >> Click Apply >> Click ok  
    (You might find that the default website is not running, please don’t panic)  
  3. Again Right Click on Symantec Web server >> Click Stop  
  4. Once Again Right Click on Symantec Web server >> Click Start  
  5. Right Click on default Website & click start
      (This will bring our exchange server up and running again.)
  6. Close IIS Manager  
  7. Go to the following location and make a backup of the conf.properties file:
      \Program Files\Symantec\Symantec Endpoint protection Manager\Tomcat\etc\  
  8. Open conf.properties in Notepad and add the following line at the end:
    scm.iis.http.port=8078  
    Ensure a carriage return at the end  
  9. Click on file >> exit >> When prompted click on yes  
  10. Go to Services, Locate Symantec Endpoint Protection Manager & Start the same.  
  11. Click on Start >> All programs >> Symantec Endpoint Protection Manager >> Symantec Endpoint protection Manager  
  12. Login using the following credentials - Username: admin, Password:   
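
Steps 7 and 8 can also be scripted so that the edit is repeatable and never leaves a duplicate entry behind. The function below is an added example, not part of the original post; its name is hypothetical, and the path to conf.properties is passed in because the drive letter depends on where SEPM was installed.

```powershell
# Added example, not from the original post. Set-SepmIisPort is a hypothetical
# helper name; pass the full path to conf.properties on your install drive.
function Set-SepmIisPort {
    param(
        [Parameter(Mandatory = $true)][string]$ConfPath,
        [ValidateRange(1, 65535)][int]$Port = 8078
    )
    # Resolve first: .NET file APIs ignore the PowerShell working directory.
    $path = (Resolve-Path -LiteralPath $ConfPath -ErrorAction Stop).Path

    # Step 7: timestamped backup, so repeated runs never clobber the first copy.
    $backup = '{0}.{1}.bak' -f $path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $path -Destination $backup -ErrorAction Stop

    # Java .properties files are ISO-8859-1; reading and writing with that
    # encoding round-trips every byte of the existing entries.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $key    = 'scm.iis.http.port'
    $want   = "$key=$Port"
    $found  = $false

    # Step 8: replace an existing entry rather than appending a duplicate.
    # A commented-out "#scm.iis.http.port=..." line does not match and is kept.
    $out = @(foreach ($line in [System.IO.File]::ReadAllLines($path, $latin1)) {
        if ($line -cmatch ('^\s*' + [regex]::Escape($key) + '\s*[=:]')) {
            if (-not $found) { $want; $found = $true }
        } else {
            $line
        }
    })
    if (-not $found) { $out += $want }

    # WriteAllLines ends every line, including the last, with CRLF on Windows,
    # which satisfies the "carriage return at the end" requirement.
    [System.IO.File]::WriteAllLines($path, [string[]]$out, $latin1)
    return $backup
}

# Run while the SEPM service is stopped (between steps 1 and 10), for example:
# Set-SepmIisPort -ConfPath '<drive>:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\etc\conf.properties'
```

The function returns the path of the backup it made, which is the file to restore if the manager does not start afterwards.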

Phase 6          Create ntfs and share permissions for packages

SEP has a slick deployment wizard, but I also export the install packages to a network share for those times when that would be convenient. At a minimum, create a folder on your data drive to hold client installable packages. I use:
  D:\sep\pkg\client
  D:\sep\pkg\server 

Optionally share the pkg folder out.

Phase 7            Create client computer installation package 

Use the migration wizard to create a client installation package.  

  1. Start >> All programs >> Symantec Endpoint Protection Manager >> Migration and deployment wizard  
  2. Next  
  3. Deploy the client, Next
  4. Name    SEPclientPkg  
  5. Package Options  
    1. AV & AS                                                         checked  
    2. AVEP                                                   checked  
    3. pop                                                       checked  
    4. Microsoft Outlook                                   checked  
    5. Lotus Notes                                           unchecked  
    6. Network Threat Protection                       unchecked  (firewall)  
    7. TruScan Proactive Threat Management     checked             
    8. Application and Device Control                grayed out  
    9. Next  
  6. Package Options 2  
    1. 32 bit  
    2. No single exe (so we can deploy via GPO)  
    3. Silent  
    4. Folder created in phase 6 above  
    5. Next  
  7. No, just create them; I will deploy them later  

Phase 8            Create server computer installation package  

Create a server installation package separate from the client package, because servers should not run Proactive Threat Management, and I believe it allows for more options down the road for future server or client customizations.

  1. Start >> All programs >> Symantec Endpoint Protection Manager >> Migration and deployment wizard  
  2. Next  
  3. Deploy the client  
  4. Name    SEPserverPkg  
  5. Package Options  
    1. AV & AS                                               checked  
    2. AVEP                                                   unchecked
    3. pop                                                     unchecked  
    4. Microsoft Outlook                                  unchecked  
    5. Lotus Notes                                         unchecked  
    6. Network Threat Protection                      unchecked  (firewall)  
    7. TruScan Proactive Threat Management     unchecked         
    8. Application and Device Control                grayed out  
    9. Next  
  6. Package Options 2  
    1. 32 bit  
    2. No single exe (so we can deploy via GPO)  
    3. Silent  
    4. Folder created in phase 6 above  
    5. Next  
  7. No, just create them; I will deploy them later  

Phase 9            Create separate client and server policies

Out of the box, SEP’s AV & AS has the following default settings in MR2:

  • Full system scan 8 PM Monday  
  • Updates every 4 hours 
  • Users *can* modify the autoprotect scan options (as in disable it) 

I like to modify the default settings as follows so that end users cannot turn off the AutoProtect scan settings.

Create separate server and client policies for custom exclusions, and modify the client's console to prevent AutoProtect from being turned off.

You may also want to change the client scan and server scan frequency settings.

  1. Start >> All programs >> Symantec Endpoint Protection Manager >> Symantec Endpoint protection Manager Console 
  2. Policies
  3. Centralized Exceptions
  4. To add a Centralized Exception Policy for clients perform the following steps
    1. Click Add a Centralized Exception Policy
      1. Type a name for the policy SEPClientExceptions  
      2. Type a description for this policy
      3. Click Centralized Exceptions  
      4. Add –> Security Risk Exceptions –> Folder  
      5. Prefix    none  
      6. Folder   c:\folderToExclude  
      7. OK  
      8. This policy is not currently assigned, assign it now - yes  
      9. Choose the client install package  
      10. Yes 
  5. To add a Centralized Exception Policy for the server, perform the following steps. Similar settings will be needed for Windows 2003/2008.
    1. Download the SBS centralized exception policy
    2. Import the centralized exception policy
      1. Import a centralized exception policy
      2. SBS2003 - exceptions.dat
      3. Change the name (Prepend SEPServerExceptions)
      4. Add any custom exclusions you want 
      5. Assign to server created above
  6. Modify the default AV & AS options (lock down settings; for example, AutoProtect can be disabled on the client)  
    1. Start >> All programs >> Symantec Endpoint Protection Manager >> Symantec Endpoint protection Manager Console
      1. Clients
      2. SEPclientPkg
      3. Policies  Tab in right pane
      4. AV and AS policy
      5. This is a shared policy - Create non-shared policy from copy
      6. Insert Custom Client Policy in the name (Custom - ***)
      7. File System AutoProtect
      8. Lock Enable File System AutoProtect  
      9. Lock File Types  
      10. OK

Phase 10            Ensure firewall is conducive to using the deployment wizard

Ensure that ports 137, 138, 139 and 445 (file and print sharing) are open on all your client firewalls so that the AV client can be pushed out. Do this in group policy. IIRC SBS group policy has this enabled by default. SBS should; Windows Server 2003/2008 does not.

Phase 11          Deploy client package

Deploy the client packages to all the clients attached to SSC. Do not deploy the server component yet. Ensure that you have a clean connection to the DC before deploying (for example, time settings, etc.).

  1. Start >> All programs >> Symantec Endpoint Protection Manager >> Migration and deployment wizard
  2. Next 
  3. Deploy the client  
  4. Select an existing client install package 
  5. Browse to the sep client package folder you created earlier
    1. D:\sep\pkg\client\SEP_32-bit
  6. Use Microsoft Windows Network to add the clients you want to add
  7. OK  
  8. Ensure all clients have been converted by checking that the clients show up in SEP manager (SEPM –> Clients –> SEPclientPkg). Note that they will still show up in the old Symantec System Center at this point.

Phase 12      Remove SSC

After all clients have been moved to SEP, SSC can be removed and SEP added to the server. Note: a reboot of the server is required.

  1. Use add remove programs to uninstall Symantec System Center  
  2. Ensure you restart the server at this step

Phase 13 Deploy SEP to server        

  1. Start >> All programs >> Symantec Endpoint Protection Manager >> Migration and deployment wizard
  2. Next  
  3. Deploy the server  
  4. Select an existing server install package  
  5. Browse to the sep server package folder you created earlier  
    1. D:\sep\pkg\server\SEP_32-bit  
  6. Use Microsoft Windows Network to add the server you want to add  
  7. OK
  8. Finish

Phase 14    Post Installation Steps

  1. Ensure you reboot the server
  2. Check your exceptions
  3. Check the event logs
  4. Take a backup of pki folder
    1. Start SEPM Console
    2. Admin
    3. Servers –> Local Site –> localhost
    4. Backup Site now
    5. Backup Schedule
    6. weekly
  5. Watch out for Data Execution Prevention. While turning on backups on one server, DEP kicked in and prevented a lot of code from running. Configuring an exclusion for DEP corrected the issue.