
Symantec SEPM Configuration and Client Deployment Notes

Here are some of my notes for configuring SEPM (Symantec Endpoint Protection Manager) and the SEP (Symantec Endpoint Protection) client. They only record some of the working experience I gained during a Symantec project. Most of the notes are just to remind me how to complete these tasks, and they might not fit all situations since they are specific to my environment. The version I am using is 14.2.1 (14.2 RU1). One SEPM is installed at the main site and another SEPM at the DR site; they replicate to each other through configuration. We are using MS SQL Express since the environment is not that big, with fewer than 1000 users.

Import Client Packages



1. Download the Full Installation Package from the MySymantec website

It will be the Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN.exe file, not the All_Client_EN.zip file.

2. Extract it
Although it is an exe file, you will need an unzip tool to extract it to a folder.

3. Log into the SEPM server over an RDP session
I strongly recommend logging into the SEPM server itself to do the import steps. Using the web GUI, the client import sometimes fails.

4. Launch the management console locally on the SEPM server

5. Import
The client info files are found under the extracted folder, for example D:\Temp\Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN\SEPM\Packages




Check Exception List at Endpoint

    On the SEPM management console:
    1. Put all machines that will have specific exception rules into a separate folder
    2. Make sure policy inheritance is off
    3. Copy the existing global exception policy to a new one, add the new exception rule to the new exception policy, then assign it to this folder


    On the SEP client machine, to verify the policy:

  1. Browse to the registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS
      Note: On 64-bit Windows machines the registry path is:
      HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

  2. Expand the key to view the various applications listed there.
    • Mostly, you will just need to check ScanningEngines
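The registry check above can be scripted so the same verification runs on every client after the policy is pushed. This is an added example, not code from the original post or from Symantec; it assumes the two key paths quoted above, and since the value names under ScanningEngines vary by SEP version it simply reports whatever it finds.

```powershell
# Added example (not from the original post): list the SEP exclusions held in
# the registry on a SEP client to confirm an exception policy has arrived.
# Assumes the key paths quoted in the post; subkey and value names under
# ScanningEngines are version dependent, so everything found is reported as-is.
function Get-SepExclusions {
    [CmdletBinding()]
    param()

    $candidates = @(
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions',
        'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions'
    )
    # Use whichever path exists (32-bit vs 64-bit Windows).
    $base = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $base) {
        Write-Warning 'SEP Exclusions key not found; is the SEP client installed?'
        return
    }

    # The post notes that ScanningEngines is usually the subtree to check.
    $engines = Join-Path $base 'ScanningEngines'
    if (-not (Test-Path $engines)) {
        Write-Warning "No ScanningEngines key under $base"
        return
    }

    # Walk the ScanningEngines key and all subkeys, emitting one object per value.
    $keys = @(Get-Item -Path $engines) + @(Get-ChildItem -Path $engines -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

# Usage: run from an elevated prompt on the SEP client after the policy is assigned.
Get-SepExclusions | Format-Table -AutoSize -Wrap
```

Compare the reported paths against the rule you added to the new exception policy; if nothing new appears, confirm the client has checked in with SEPM and received the policy for its folder.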

Change SEP Client Feature Set

For managed clients, the installation features can be modified for an entire group through the Symantec Endpoint Protection Manager (SEPM) (enterprise edition only).
  1. In the SEPM console, click Admin.
  2. Click Install Packages on the bottom.
  3. Click Client Install Feature Set on the top.
  4. If a feature set that meets the required needs does not exist, then choose Add Client Install Feature Set.
  5. Give the feature set a unique name.
  6. Select the features needed: Antivirus/Antispyware, Network Threat Protection, Proactive Threat Protection.
  7. Choose OK.
  8. On the left, click Clients.
  9. Select the group with the SEP clients in it, and then click the Install Packages tab in the right pane.
  10. Under Tasks, choose Add Client Install Package.
  11. In that screen, select the correct package in the drop-down menu for use with this group (32-bit or 64-bit base install files). Both packages can be separately assigned to the same group.
  12. Uncheck Maintain existing client features when updating.
  13. Below that, select the feature set needed from the drop-down menu.
  14. If Upgrade Schedule is not selected, then clients will receive the instructions to change their installation when they check in with the manager. This launches MSIEXEC on the client.
  15. After the installation completes, restart the machine if prompted.

Limited Administrator Log In Issue

While working on SEPM, I found an issue: I was not sure how to log in with a limited local administrator. Creating a limited administrator is fine, but when I tried to log in, the log in window

What I found is that a Limited Administrator can only log in to the default SEPM domain. In my case, it is Default. It is not your SEPM server computer name, and it is not your Windows domain name.




Disable/Enable SEP Client


From the command line:
Instead of "smc -stop" and "smc -start", use the commands "start smc -stop" and "start smc -start".
Disabled SEP Client
Enabled SEP Client

Once the system is rebooted, the SEP service will start again. To completely disable the service even after a reboot, the only way is to remove the SEP program.
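For maintenance windows it helps to confirm that the smc command actually changed the client state, and after a reboot that the service came back. The following is an added example, not code from the original post or from Symantec: it wraps the "start smc -stop" / "start smc -start" commands above and polls the SEP service. It assumes smc.exe is on PATH (as the post's bare "smc" command implies) and that the service name is SepMasterService, which is my assumption and not stated in the post.

```powershell
# Added example (not from the original post): run "start smc -stop" or
# "start smc -start" and confirm the result by polling the SEP service.
# ASSUMPTION: the service name 'SepMasterService' is not stated in the post;
# check with  Get-Service -DisplayName 'Symantec*'  and pass -ServiceName if
# your build uses a different name.
function Set-SepClientState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Start', 'Stop')][string]$Action,
        [string]$ServiceName = 'SepMasterService',
        [int]$TimeoutSeconds = 60
    )

    # Start-Process is the PowerShell equivalent of the cmd.exe "start" prefix
    # the post recommends; smc.exe is assumed to be on PATH.
    Start-Process -FilePath 'smc.exe' -ArgumentList ('-' + $Action.ToLower())

    $expected = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 2
        $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status } else { 'NotFound' }
    } until ($status -eq $expected -or (Get-Date) -gt $deadline)

    [pscustomobject]@{
        Action  = $Action
        Service = $ServiceName
        Status  = $status
        Success = ($status -eq $expected)
    }
}

# Usage (elevated prompt on the SEP client):
#   Set-SepClientState -Action Stop
#   Set-SepClientState -Action Start
# After a reboot, Set-SepClientState -Action Start should report Running almost
# immediately, matching the post's note that the service restarts on its own.
```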

Create Windows File Exceptions


I recently received a report that SEP might interfere with Docker containers on Windows Server 2016, based on the KB article Endpoint Protection interfering with Docker containers on Windows Server 2016.

Here are the steps to add those exceptions:


TBC



Configure Failover Server List

My environment has two SEPM servers. One acts as the main server, and the second is at the DR site. Both have SEPM installed with the embedded MSSQL (MSSQL Express).

Both sites are configured as bidirectional replication partners of each other.

Since I am not using a full MS SQL database, my environment doesn't support failover and load balancing. But it does support redundancy for SEP clients communicating with the SEPM servers.

The following screenshot shows the default configuration for the management server list. Priority 1 holds the main SEPM. Priority 2 holds the DR site SEPM.


Note: if you would like to edit these default settings, you will have to create a new list and assign it to all groups. The default list is not editable. Those default lists were created when you installed your replication site server.

SEPM Preferences

The SEPM console web GUI preferences page shows some settings that control how the security status is displayed on the SEP agent.


SEPM Clean Expired clients

The following settings show that SEPM will clean up clients that have not connected to the SEPM server for 15 days.

