
Symantec SEPM Configuration and Client Deployment Notes

Here are some of my notes for configuring SEPM (Symantec Endpoint Protection Manager) and the SEP (Symantec Endpoint Protection) client. They record only the working experience I gained during a Symantec project, and most of them are just reminders of how I completed each task. They may not fit every situation, since they are specific to my environment. The version I am using is 14.2.1 (14.2 RU1). One SEPM is installed at the main site and another at the DR site, and the two are configured to replicate to each other. We are using MS SQL Express since the environment is small, less than 1000 users.

Import Client Packages



1. Download the full installation package from the MySymantec website

It will be the Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN.exe file, not the All_Client_EN.zip file.

2. Extract it
Although it is an .exe file, you will need an archive (unzip) utility to extract it to a folder.

3. Log into the SEPM server over RDP
I strongly recommend logging into the SEPM server itself to do the import steps. Importing through the web GUI sometimes fails.

4. Launch the management console locally on the SEPM server

5. Import
The client package info files are in the SEPM\Packages folder under the extracted folder, for example D:\Temp\Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN\SEPM\Packages
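Before extracting, it is worth checking that the file you pulled from MySymantec is the one Symantec signed and that its hash matches the value shown on the download page. The following PowerShell script is an added example and not part of these notes or of any Symantec tooling; it assumes the package was saved to D:\Temp, that 7-Zip is installed at its default location, and that you paste the published SHA-256 into $ExpectedSha256 (no checksum value is reproduced here).

```powershell
# Added example, not part of the original notes: check the downloaded full
# installation package before extracting it, then list the client package
# files that the SEPM import dialog asks for.
# Assumptions: the package was saved to D:\Temp, 7-Zip is installed at its
# default location, and $ExpectedSha256 is the checksum shown on the
# MySymantec download page (no value from that page is reproduced here).
param(
    [string]$Package        = 'D:\Temp\Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN.exe',
    [string]$ExpectedSha256 = '<SHA-256 from the download page>',
    [string]$SevenZip       = 'C:\Program Files\7-Zip\7z.exe'
)

$ErrorActionPreference = 'Stop'

# 1. The installer is Authenticode-signed; refuse a package whose signature
#    does not validate (tampered download, wrong file, or stripped signature).
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $Package : $($sig.Status) ($($sig.StatusMessage))"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# 2. Compare the SHA-256 with the published value. PowerShell's -ne is
#    case-insensitive, so upper- or lower-case hex on the download page both match.
$actual = (Get-FileHash -Path $Package -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch for $Package : expected $ExpectedSha256, got $actual"
}

# 3. Extract into a folder named after the .exe, next to it. 7-Zip opens the
#    archive inside the .exe even though the extension is not .zip.
$dest = Join-Path (Split-Path -Path $Package -Parent) ([IO.Path]::GetFileNameWithoutExtension($Package))
& $SevenZip x $Package "-o$dest" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# 4. This is the folder to browse to in the SEPM "Import Client Package" dialog.
$packages = Join-Path $dest 'SEPM\Packages'
Get-ChildItem -Path $packages | Select-Object Name, Length, LastWriteTime
```

Run it from an elevated console on the SEPM server after copying the download there; the script stops at the first failed check, so a package that reaches step 4 has passed both the signature and the hash comparison.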




Check Exception List at Endpoint Machine

    On the SEPM management console:
    1. Put all machines that need the specific exception rules into a separate group
    2. Make sure policy inheritance is turned off for that group
    3. Copy the existing global exception policy to a new one, add the new exception rule to the new policy, then assign it to that group


    On the SEP client machine, to verify that the policy arrived:

  1. Browse to the registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions
      Note: on 64-bit Windows the registry path is:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

  2. Expand the key to view the various applications listed there.
    • In most cases you only need to check ScanningEngines.
    • The exclusions appear here only after the client has received the new policy. If the entry is missing, confirm on SEPM that the client has checked in and shows the new policy serial number.
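Clicking through regedit on every affected machine does not scale, so here is an added PowerShell example (not from these notes or from Symantec) that dumps the same keys. It picks the 32-bit or WOW6432Node path exactly as described above; value names under ScanningEngines are printed as found rather than assumed, so the output is whatever the client stored. The function name and the '*docker*' filter in the usage lines are my own choices.

```powershell
# Added example, not part of the original notes: list the exclusions the SEP
# client has actually received, reading the registry path given above for
# 32-bit and 64-bit Windows. Run from an elevated PowerShell on the client.
function Get-SepExclusions {
    param(
        # Assumption: ScanningEngines is the subkey of interest, as the note says;
        # pass '' to dump everything under AV\Exclusions.
        [string]$SubKey = 'ScanningEngines'
    )
    $hive = if ([Environment]::Is64BitOperatingSystem) { 'SOFTWARE\WOW6432Node' } else { 'SOFTWARE' }
    $root = "HKLM:\$hive\Symantec\Symantec Endpoint Protection\AV\Exclusions"
    $path = if ($SubKey) { Join-Path $root $SubKey } else { $root }

    if (-not (Test-Path -Path $path)) {
        throw "Registry key not found: $path (is the SEP client installed, and has it received a policy yet?)"
    }

    # Include the starting key itself plus every subkey beneath it.
    foreach ($key in @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse)) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive and
            # PSProvider to every object; those are not registry values.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key   = $key.Name -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM\'
                Value = $p.Name
                Data  = $p.Value
            }
        }
    }
}

# Usage: show every exclusion, or only those mentioning a path you just added
# on SEPM, to confirm the new policy has reached this machine.
Get-SepExclusions | Format-Table -AutoSize
Get-SepExclusions | Where-Object { "$($_.Data)" -like '*docker*' } | Format-Table -AutoSize
```

If the function throws because the key is missing, the client either has no AV exclusions at all or has not yet picked up the policy; check the policy serial number on the client and the group assignment on SEPM before assuming the rule itself is wrong.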

Change SEP Client Feature Set

For managed clients, the installed features can be changed for an entire group through the Symantec Endpoint Protection Manager (SEPM) (enterprise edition only).
  1. In the SEPM console, click Admin.
  2. Click Install Packages at the bottom.
  3. Click Client Install Feature Set at the top.
  4. If no existing feature set meets the requirement, choose Add Client Install Feature Set.
  5. Give the feature set a unique name.
  6. Select the features needed: Antivirus/Antispyware, Network Threat Protection, Proactive Threat Protection.
  7. Click OK.
  8. On the left, click Clients.
  9. Select the group containing the SEP clients, then click the Install Packages tab in the right pane.
  10. Under Tasks, choose Add Client Install Package.
  11. In that dialog, select the correct package for this group from the drop-down menu (32-bit or 64-bit base install files). Both packages can be assigned separately to the same group.
  12. Uncheck Maintain existing client features when updating.
  13. Below that, select the feature set needed from the drop-down menu.
  14. If no Upgrade Schedule is selected, clients receive the instruction to change their installation the next time they check in with the manager. This launches MSIEXEC on the client.
  15. After the installation completes, restart the machine if prompted.

Limited Administrator Log In Issue

While working on SEPM I found an issue: I was not sure how to log in as a limited local administrator. Creating a limited administrator is fine, but when I tried to log in, the login window

What I found is that a Limited Administrator can only log in to the default SEPM domain. In my case it is named Default. It is not your SEPM server's computer name, and it is not your Windows domain name.




Disable/Enable SEP Client


From the command line:
Instead of "smc -stop" and "smc -start", use "start smc -stop" and "start smc -start". The SEP program directory is not on the PATH, so a bare smc is not found; start also looks up the App Paths registry entry that the installer creates for smc.exe.
[Screenshots: SEP client shown disabled after smc -stop, and enabled again after smc -start]

After a reboot the SEP service starts again. To keep it disabled across reboots, the only way is to remove the SEP program. Note also that if the client policy requires a password to stop the client service, smc -stop prompts for that password and will not stop the client without it.
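When doing this on more than one box it helps to confirm the service actually changed state rather than trusting that the command ran. The PowerShell wrapper below is an added example, not from these notes or from Symantec. It assumes (as the App Paths explanation above does) that smc.exe is registered under HKLM\...\App Paths\Smc.exe, and that the client service is named SmcService (display name "Symantec Management Client"); the function name and the -SmcPath override are my own.

```powershell
# Added example, not part of the original notes: stop or start the SEP client
# with smc.exe and then verify the service state instead of assuming the
# command worked. Assumptions (not from the page): smc.exe is registered under
# the App Paths key, which is what "start smc -stop" relies on, and the client
# service is named SmcService (display name "Symantec Management Client").
function Invoke-SepClient {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('stop', 'start')]
        [string]$Action,

        # Optional explicit path to smc.exe; otherwise resolved via App Paths.
        [string]$SmcPath,

        [int]$TimeoutSeconds = 60
    )

    if (-not $SmcPath) {
        # Resolve smc.exe the same way "start smc" does: via its App Paths entry.
        $appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Smc.exe'
        if (-not (Test-Path -Path $appPaths)) {
            throw "smc.exe is not registered under App Paths; pass -SmcPath explicitly"
        }
        $SmcPath = (Get-ItemProperty -Path $appPaths).'(default)'
    }
    if (-not (Test-Path -Path $SmcPath)) { throw "smc.exe not found at $SmcPath" }

    # If the client policy requires a password to stop the client service,
    # smc -stop pops up a prompt; run this from an interactive elevated console.
    $proc = Start-Process -FilePath $SmcPath -ArgumentList "-$Action" -Wait -PassThru
    Write-Verbose "smc -$Action returned exit code $($proc.ExitCode)"

    # Poll the service until it reaches the expected state or we time out.
    $expected = if ($Action -eq 'stop') { 'Stopped' } else { 'Running' }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = Get-Service -Name SmcService -ErrorAction Stop
        if ($svc.Status -eq $expected) { return $svc }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)

    throw "SmcService is still $($svc.Status) after ${TimeoutSeconds}s; a client password or tamper protection may have blocked the request"
}

# Usage: disable for troubleshooting, then re-enable. The service comes back
# on its own after a reboot regardless.
Invoke-SepClient -Action stop
Invoke-SepClient -Action start
```

The timeout path is the interesting one: a stop that silently does nothing is exactly what you see when the client password or tamper protection rejects the request, so the function fails loudly instead of returning as if the client were off.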

Create Windows File Exceptions on SEPM


I recently received a report that SEP might interfere with Docker containers on Windows Server 2016, based on the KB article "Endpoint Protection interfering with Docker containers on Windows Server 2016".

Here are the steps to add those exceptions:


TBC