In this post I identify helpful links and tips from Symantec experts and reveal how to get a fast expert-led analysis of Symantec Endpoint Protection for free – before you switch.
So you manage Symantec Endpoint Protection?
Scan the headers below for best practices in all areas of SEP and lots of links to helpful guides, as well as a way to get a free analysis of your SEP environment at the bottom using Symantec’s Best Kept Secret.
Symantec Endpoint Protection Installation planning
Installation is a big topic, so I encourage you to read Symantec’s Top 10 SEP installation best practices. The article covers things like ensuring all SEP clients and SEPMs are running the latest maintenance release, using the Group Update Provider (GUP) for content distribution, and how to ensure that out-of-date SEP clients still get incremental updates. It even explains the best way to use an MS-SQL database for large environments.
Symantec Endpoint Protection Upgrade planning
According to Symantec, an upgrade to version 12.1.5 will take much longer than you expect (sorry). It’s slow because the upgrade process converts all existing content to an optimized storage format, so plan for an extended upgrade time. Make sure you review the benefits of upgrading to the latest version of SEP 12.1.x, and check out Symantec’s Help diagnostic tool to determine if your system meets the minimum requirements.
Symantec Endpoint Protection Administration
There are a lot of moving parts to admin work, so here is a list of Symantec’s guides to content revision configuration, server certificate updates, GPO, testing authentication, central deployment, LiveUpdate, and clients with both SEP and Data Loss Prevention:
- Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager
- Best practices for updating server certificates and maintaining the client-server connection
- Best practice for GPO applied on Symantec Endpoint Protection (SEP) Services
- Best practices for testing whether a directory server authenticates an administrator account
- Best Practices for Central Deployment and Management of Symantec Endpoint Protection (SEP) in a Workgroup environment
- Best Practices for LiveUpdate Administrator (LUA) 2.x
- Best practices for clients that have Symantec Endpoint Protection and Data Loss Prevention installed
Symantec Endpoint Protection Policy Configuration
If your users do not use a VPN, you should change the LiveUpdate policy setting to use the default Symantec LiveUpdate server – this allows remote clients to update any time they connect to the Internet. Also, tune the scheduling frequency down to one hour. For all other locations, make sure you use the SEP Manager to distribute product software and content updates. The SEP Manager updates are incremental and smaller than the ones downloaded from the LiveUpdate server.
Symantec Endpoint Protection Firewall and intrusion prevention
Have you enabled Intrusion Prevention (IPS)? Unlike antivirus, IPS scans network traffic and identifies the methods used to get malicious files into your network. You can add IPS using the Endpoint Protection Manager under add/remove programs, and full Symantec IPS instructions are available here.
As for the firewall: in version 12.1 and later the firewall is a separate function that does not need to be installed for IPS to work. In version 11, however, you must have the firewall running for IPS to work. To run IPS without the firewall, withdraw the firewall policy; IPS then keeps protecting your network without forcing the use of the client firewall. View best practices on Symantec SEP firewall settings here.
Symantec Endpoint Protection Security
There are twelve best practices for security you should consider with SEP; I will list the top three here and link to the rest.
- The firewall should block incoming connections from the Internet to private services.
- Enforce a complex password policy.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task.
Get nine more best practices, like disabling and blocking service access, configuring the email server to remove attachments, and isolating compromised computers, here: SEP top twelve security best practices.
Symantec Endpoint Protection Threat Remediation
Perhaps there is a virus on your network, you need to collect logs from an infected computer, or you need to respond to an entry in the virus history log. In some cases, you might need to remove a safe file from detection, remove W32.Downadup, or remediate a W32.Qakbot-infected network. Here is a great list of best practices for all of the above.
- Best Practices for Troubleshooting Viruses on a Network
- Best practice for collecting logs on a possibly infected computer
- Best Practices for responding to “Left Alone” in the virus or threat history log
- Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
- Best practices for removal of w32.Downadup
- Best practices for remediating W32.Qakbot infected networks
Symantec Endpoint Protection Virtualization
Using Symantec on Windows Azure, Amazon WorkSpaces or another virtual endpoint? For Symantec 12.1, you want to isolate VDI client groups from policy changes so that scheduled scans can be defined on different days or during off hours. Update virus definitions using the LiveUpdate policy, which randomizes client-to-SEP Manager communications and optimizes I/O load because clients are not all updating simultaneously. Scan randomization does this too, with minimal security impact.
For more best practices like disabling ‘Run an Active Scan’ when new viruses arrive, configuring Shared Insight Cache, and how to exclude base images using the Virtual Image Exception tool and more, view best practices for SEP and virtualization here.
Automate a check of common SEP issues
The above information is just a slice of the best practices offered by Symantec on how to get the most from Symantec Endpoint Protection. With such a vast library to study, simply reviewing all of these documents and implementing changes will present a whole new set of challenges in each unique environment, not to mention the Symantec Endpoint Protection known issues.
Symantec’s Best Kept Secret: The (free) Symantec SEP Analyzer
The SEP Analyzer is powered by an automated data collection process and generates a report that provides a baseline evaluation of your security posture. Use this report to gain visibility into the most important tasks to complete that will immediately improve your security posture and performance – for free.
A few key metrics include:
- Versioning – Are you running the latest version, or do vulnerabilities exist in the deployed version?
- Component Deployment – Which protection capabilities are deployed?
- Manager Performance – Is content stored correctly to ensure optimal definition distribution?
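The first two metrics above, client versioning and component deployment, are the kind of thing an administrator can also baseline from an inventory export before engaging an outside review. The script below is an added example, not part of this post and not Symantec's SEP Analyzer: it reads a constructed per-client inventory and flags clients below an assumed minimum version, clients without the IPS component, and clients with stale definitions. The column names, the baseline version and the sample rows are assumptions for illustration, not SEP Manager's own export format.

```python
"""Added example: flag SEP clients that fail simple baseline checks.

The inventory format, baseline version and thresholds are assumptions
for illustration, not Symantec's own export or tooling.
"""
import csv
import io
from datetime import date

# Constructed sample export (not real SEP data).
INVENTORY_CSV = """\
hostname,client_version,ips_installed,definitions_date
ws-01,12.1.5337.5000,yes,2015-06-01
ws-02,12.1.4013.4013,no,2015-05-28
ws-03,11.0.7000.975,yes,2015-04-10
srv-db1,12.1.5337.5000,yes,2015-06-01
"""

MIN_VERSION = (12, 1, 5000, 0)   # assumed baseline: 12.1.5 and later
MAX_DEF_AGE_DAYS = 7             # assumed threshold for stale definitions
SAMPLE_TODAY = date(2015, 6, 3)  # fixed "today" so the sample is reproducible


def parse_version(text):
    """'12.1.5337.5000' -> (12, 1, 5337, 5000) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_client(row, today):
    """Return the list of findings for one inventory row (empty list = passes)."""
    findings = []
    if parse_version(row["client_version"]) < MIN_VERSION:
        findings.append("client below baseline version")
    if row["ips_installed"].strip().lower() != "yes":
        findings.append("IPS component not deployed")
    age = (today - date.fromisoformat(row["definitions_date"])).days
    if age > MAX_DEF_AGE_DAYS:
        findings.append(f"definitions {age} days old")
    return findings


def audit(csv_text, today):
    """Map hostname -> findings for every client in the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: check_client(row, today) for row in reader}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY_CSV, SAMPLE_TODAY).items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

Versions are compared as integer tuples rather than strings so that "12.1.5337" sorts after "12.1.4013"; a string comparison would get builds with different digit counts wrong. Because the post notes that the client firewall is optional for IPS on 12.1, its absence is deliberately not treated as a finding here.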
The data collection process takes about 15 minutes (or less) from start to finish and is completed by a Symantec engineer and Softchoice’s own dedicated Symantec expert, who will give you their recommendations.
Sign up for a free SEP Analyzer now and see if you qualify.