I’m currently in a webex seminar for Symantec Endpoint Security – the moderator has not joined yet. I thought I would share thoughts and ideas as this went along – and for reference to myself at a later date. I realize this is no apple speech or Nintendo launch – but we all have to get our real time blogging skills up to date somehow. I signed and view no disclosure agreement in the invitation that was given to me and I would not have violated it if I did. This is not specific to my job or company so I don’t feel I’m violating any trust.
The seminar is scheduled to be 1 hour and 15 minutes – unless it’s a really short seminar and its only 1 minute 15 seconds – in that case I guess this is a hug waste of time.
Waiting for the moderator – we just got a message that the seminar will start in 3 minutes – 2 minutes late btw.
The presenter according to the slide is Kevin Haley, Director of Technical Product Management in the Endpoint Security Group.
Since my understanding is that replaces Symantec Anti-virus there is a drastic change as they consolidate all the products they have purchased in the past trying to get them to work cohesively.
The seminar just started only 4 minutes late.
Kevin is responsible for Symantec End Point protection.
Agenda:
Goals of the seminar
Overview of the product
Migration and Migration issues
Additional tools
Goals:
They’ve muted the participants for our own anonymity *roll eyes* – I know from experience that this is solely to not get stopped by possible trigger points that listeners may have.
We have options of typing in questions and getting them answered in real time.
Product Overview:
Symantec Endpoint Protection 11.0 and Symantec Multi-tier protections 11.0
Multi tier is the new version of SAV Enterprise Edition 8, 9, 10 – customer with upgrade protection and support with Symantec will get a free upgrade. This also includes SAV for Mac OSX.
Endpoint protection 11.0 – is the upgrade for SAV CE, SCS, Symantec Sygate Enterprise Protection, and Whole Confidence online for corporate PC’s get this in their upgrade contract
They now took a poll if we entered the beta test for Symantec Endpoint Protection – 9% did public – 20% did external and 69% did not (this was a seminar poll for the participants.
They are talking about the reasons for integrating everything
Parts
Antispyware – Leads in root kit detection and removal *unless they are keeping quiet for Sony
Antivirus
Firewall technology – taken from Symantec Client Security and Sygate
Intrusion Prevention – Behavior Based Threat protection – SONAR whole security – network traffic protection
Device Control/ Application Control
Network Access Control – add on client
New client is all bubbly and vista like – take that how you want. New help and support button allows some basic troubleshooting info in one spot. Access to windows accounts info, disk space, log files, and version information. You can also import or export policies from the client. Any client installed by default from the CD are initially self managed – if you want them to be managed by default you need to create an installation package on your management server.
You can change all policies not just the firewall based on location.
The file that tells if the client is managed or unmanaged is located in the file sylink.xml – contains also server list, certificate info, heartbeat, and communications. There is a tool to auto edit the file included on the cd for easy managed to unmanaged deployment. You could also edit this manually and the file is said to be documented.
Intrusion prevention capability – network based intrusion prevention tied into the tcp stack – generic exploit blocking from SCS and Sygate IDS which supports custom signatures – signature format is similar to Snort. Behavior blocking – proactive threat scan from whole security – innovative behavior based analysis – uniquely accurate low .004% false positive rate (testing for 2 years) via the web site and the consumer product (your enterprise beta testers) – enables broad deployment on endpoints. 20 million installations during the test – so 40 false positives for every 1 million PC’s – can also do white listing so false positives only show up once.
Stupid picture of a cookie jar with a digital camera and video camera – cookies disappear in the night and you want to catch who is doing this used camera for random images or camcorder you can review the film later but the camcorder solution is more expensive – so proactive threat scanning takes a picture of all the processes every 15 minutes and analyzes it. *is this seriously the best analogy?????????
Application Control – you can disable certain application
Device protection – block devices by type – trying to stop items like USB, infrared, Bluetooth, serial , parallel , firewire, scsi, PCMCIA – can block read/write execute on burnable media drives – can block all USB except keyboard and mouse – *I would just use a browser
Features overview
email report distribution on a schedule
centralized event logging
customizable reports
real time event viewing
notifications view
event export to SSIM or 3rd part
Embedded and MS SQL support
Client install package builder
patch and update
remote installation
import and sync with Ad
authenticate with AD
customized agent package installation
Migration from SAV, SCS, SSEP,& SNAC
Centralized Web Based console
Simplified interface for SMB and enterprise
Role Based Access
Administrative domains
Assign rights by user or group
User defined multi tier groups
RSA SecurID
Integrated management of all agent components
single console for management of AV, FW, NAC and other policies
Group based polices
- I missed the last two.
Migration
Standard migration steps so far – document, design, install architecture, migrate existing groups and policies, configure reporting, configure server/site (policies, groups, Admins, notifications etc. , create and test client packages,
Java based Management – talk to it on HTTPS (admin and client) clients can be configured for HTTP if you want unencrypted traffic- SQL database for storage.
Database contains
Group structure
policies
patches
logs
content
only replicates
Group Policies/Logs/Content
SQL can be separate from the management sever – many management servers can use a single database. Numbers are to be determined but there is basic info in the documentation – hard numbers will not be available in FCS (First Customer Shipment)
Distributed environment – multiple management servers and databases – Management servers always replicate policies and group information between them – so they will all know about ALL the clients and policies – any client can check into any server – but you can restrict that by server or server group – you can also setup a order it checks in. Logging replication is optional and they call it filtering – if you have a current architecture where all information rolls up to a master server you can still do that – or you can replicate all logs to all servers.
Supports migration from SAV, SCS, and SSEP – clients upgrade to SAV 11.0 will automatically connect to new SESM
Look and feel for reporting data is the same
First use wizard simplifies initial setup
SEPM can run on the save server as a SAV management server since they are designed to coexist since they use different executables.
Migration 1 – on same server as your SAV server
Install SEPM
Move Group and Policy info from SSE
Install SAV 11
Decommission original Parent server
Migration 2 – different server
Policies can migrate with first use wizard – other steps very similar
Reporting migration
Sav 10.1 – you can redirect clients to the new SEP 11 database for reporting.
Client installation – support to install over SAV 9-10.1, SCS 3-3.1, SEP 5.1, SPA 5.1 (don’t have to uninstall these products)
Already rolled out internally at Symantec with 5000 users
First use wizard – which will enable you to migrate your groups, policies, users to your new management server – they will not install the client automatically on a management server-so this will have to be done manually. They warn about installing the client firewall on the servers install – LOL – I can see why but I wonder how many administrators actually did that.
Content distribution
SEPM gets client updates and content from Symantec live update – clients can be patched from management server using only a small difference file that can be pushed down.
Still can get content from central internal live update server or rapid release definitions
Clients send events, operation state, and command status to the SEPM server – commands are sent to client from server, profiles, content, updates sent to client – content and updates only the different micro definitions they don’t’ have are sent instead of all the definitions each time.
Clients with a group update provider – will go to the group update provider for content (av defs, etc.)
The group update providers caches information from the SEPM server – designed for low bandwidth architectures.
Unmanaged clients can still go to live update on their own
Additional tools
http://edm.symantec.com/endpointsecurity/
http://www.symantec.com/endpointsecurity/migrate – migration information
Consulting Services and support
Goodbyes and that’s the end
Questions and Answer from the text box:+
Question: Sorry missed what said… Did you mention Macintosh would be included?
Answer: Yes, MAC will be included
Question: Will the Multi-Tier console server handle Macintosh clients?
Answer: MAC will not be managed by the SEPM console this release
Question: Will it be Vista compliant?
Answer: Yes
Question: Will the Symantec Multi-tier Protection for MAC be able to utilize the Parent Servers for Windows?
Answer: No. MAC has its own console as it stands today.
Question: Asking about the console. Will there still be a seperate console server for Macs?
Answer: Yes
Question: So there won’t be a Mac solution if we’re a SEPM customer?
Answer: MAC is included in the Multi-Tier Protection but it is managed by a seperate console and server structure
Question: What is the upgrade from SAVCE
Answer: Symantec Endpoint Protection 11.0
Question: is the full endpoint suite required, or can you still purchase products separately?
Answer: You get everything as long as you are current on maintenance.
Question: Assuming no more console?
Answer: MAC will be managed by its own console. SEPM will manage all windows clients
Question: Can you turn off various components?
Answer: Yes, you can enable and disable the features as needed.
Question: Will it have built in reporting capabilities or do we need to continue with SAV reporter?
Answer: SEPM has reporting built in.
Question: Will the SEP v11 console be able to managed legacy clients (SAV10, etc)
Answer: No. It will not manage legacy SAV clients
Question: Will this all still be in a single agent?
Answer: Yes, Single Client with all the mentioned technologies
Question: Will these products be Vista logo’d or just Vista compliant? Also will you be providing both 32bit and 64bit clients?
Answer: Yes, we will be providing both 32 and 64 bit versions of the client. Vista compliant.
Question: What? We will need to run multiple consoles? Will they all feed into SSIM?
Answer: SEPM will manage the windows clients only with this release. Yes, we will have a collector for SSIM
Question: Will we go over migrating an existing Reporting Server to the built-in reporting in SEPM?
Answer: There is a white paper that will be available as well as a migration wizard
Question: would this be red if I disabled it from management side?
Answer: Yes
Question: does the user need admin rights to execute a FIX
Answer: The fix can be run as system by the client
Question: Are there different levels of users provided in the SEPM?
Answer: Yes, administrators can have different functions and rights as configured. There is limited administration.
Question: Will the 64-bit client differ by processor type, or will the 64-bit client be universal?
Answer: Universal
Question: Current installation from CD presents you an option to choose the management server if you want to install managed. Why has that been removed?
Answer: You can create packages that are “unmanaged” still it is just a different process.
Question: can it be locked so a cleint can’t remove from a server?
Answer: Yes
Question: In previous versions, we could specify management server. This is not possible
now?
Answer: Yes. It still is possible to specify the server that will manage the client.
Question: Will the client upgrade handle all current individual components that may be installed on the desktop (SSEP, SAV10, etc.)?
Answer: Yes, absolutely
Question: Does the new policy import/export replace the usage of GRC.dat and the need to at times manually implement it.
Answer: Yes. Sylink.xml is the new file used.
Question: Will the SPEM have the ability to set security access for other users/groups to manage their servers or sites?
Answer: Yes
Question: So the sylink.xml replaces the grc.dat except it doesnt disappear once processed by the client?
Answer: Yes, exactly
Question: When will this release be available?
Answer: End of the month
Question: can you import SNORT signaturs?
Answer: No, we support REGEX and have a language similiar to snort
Question: Is there a maximum network latency value between a policy sevrer andf end client that we should consider when determine the count and location of policy servers on our global network?
Answer: We will have a scalability document for distro
Question: Does the current license also include the signature subscription for IDS?
Answer: Yes
Question: Has the port range for communication between SErvers and Clients decreased? Or will it still range from 1024-4999?
Answer: It will be SSL
Question: Will this presentation be available for download so we can share with upper management?
Answer: Via email
Question: Does the client upgrade require a reboot from version 10.x
Answer: to start the firewall but not for AV protection
Question: We currently install the SAVCE client on Windows Server OS managed by a Parent server. Which product is recommended for Windows Server OS or which components are recommeded to be disabled on Server OS?
Answer: SEP can be run on servers and clients. All technologies are portable
Question: is the management console still MMC based?
Answer: No
Question: Is there a reporting server for this similar to the SAV 10 reporting server?
Answer: No, it is integrated now.
Question: When will training be available for SEP 11?
Answer: At release
Question: will we be able to customize the white list
Answer: Yes
Question: Does Behavior blocking handle rogue keyloggers?
Answer: Yes
Question: Will the new console be able to communicate with “legacy’ SSEP agents (or, can we upgrade the SSEP-PM without requiring the SSEP agents to upgrade at the same time)?
Answer: It will support legacy SSEP clients but not SAV.
Question: so just 443 and 80
Answer: Exactly!
Question: Can specific applications be “black listed”?
Answer: Yes
Question: what are the functionality differences between Sym Endpoint Protection and Sym Multi-tier Protection?
Answer: Same technologies SMP includes email protection and MAC/linux
Question: will the clients listen on a port for server initiated communication, or is the communication only initiated by the client?
Answer: no client listen port. Client initiates all communication to the server
Question: Will SEP require SQL?
Answer: You can use SQL but the embedded (included) DB is Sybase
Question: Will mobile devices be supported? If so, what devices?
Answer: Seperate product
Question: Will the Q&A be made available after the call?
Answer: Yes
Question: any chance of getting a copy all the slides to review after the meeting?
Answer: Yes
Question: Is there an estimate available of the resource impact on a host machines due to the proactive threat scanning?
Answer: We will have this documented and available in a whitepaper
Question: Will SMS5 – Symantec Mobile Security Suite 5 integrate into SEP?
Answer: No.
Question: Do the antivirus capabilities within SEP 11 use less resources on a typical client and server? We have many problems with SAV 10 chewing up too much memory and CPU utilization, especially on virtual servers.
Answer: Yes, lower memory footprint
Question: Is there an override for the USB blocking?
Answer: Yes
Question: Can devices be blocked based on Manufacturer / Model?
Answer: No- windows class ID, not vendor class ID…..coming in the future though
Question: can usb thumb drives be blocked but other usb devices, ie scanner, printer be allowed?
Answer: Absolutely!
Question: is patch/maintenance release management going to be simplified over previous versions? (i.e. all inclusive rollups not requiring previous upgrades to a base version)?
Answer: Definitely
Question: so SMP includes the sygate firewall technology?
Answer: Yes!
Question: A new version of packager come with this – I am aware its unsupported but if new version does come with it will it be supported? If not any idea when?
Answer: Packager is gone. The packaging mechanism is the Sygate technology
Question: Will the schema be available for the database, so we can query it?
Answer: Definitely!!!
Question: Will SMSDOM (Mail Security for Domino) Still be supported as well as Premium Anti-Spam? How about for Exchange?
Answer: Yes
Question: Are the INTEL portions from previous NAV/SAV versions been eliminated altogether?
Answer: Yep
Question: Are the policies for the client available to be pushed via Group Policy in AD?
Answer: Yes
Question: can you restrict file types allowed to write to USB drives? i.e. allow MP3, but not DOC or XLS?
Answer: Yes.
Question: Can the Class ID blocking be managed by OUs, say the Director level can use usb drives, regular sales cannot?
Answer: Yes, using grouping
Question: Can individual components – say, the firewall portion – be disabled selectively? For example, we may want AV on a server but not necessarily firewall (even more specifically, for performance savings?).
Answer: YES!
Question: What version of java?
Answer: Local version
Question: how much space is required for the sql ie per machine?
Answer: DB size will vary by client count
Question: Does this version get away from storing client information in the registry?
Answer: Yep
Question: Can the management server be installed on VM?
Answer: Yep!
Question: Did he say the client port is 80?
Answer: Or 443 depending on selection by administrator
Question: is a certificate server required?
Answer: no
Question: In the current version of SAV10 Reporting, there is a vulnerability of the PHP component. Will SEPv11 provide better response to layered components that have known vulnerabilities?
Answer: Absolutely!
Question: the client/server traffic is based on port 80/443 correct? How is that going to affect clients running websites using port 80/443?
Answer: There should not be a conflict but the ports are configurable
Question: from the remediation aspect, will SAFE mode be required for a 100% detection and cleaning?
Answer: Depends on the threat. SEP 11 will clean better than SAV 10 though
Question: For replication what type of nbandwidth does it use over a WAN?
Answer: All documented in the scalability doc
Question: Since the client information is no longer in the registry how can we check AV status through scripts? Is there a WMI interface?
Answer: Some status can still be checked via the registry
Question: Since this is running on 80 or 443 is it using some type of web server underneath for communication (e.g. Tomcat/Apache/etc.)?
Answer: on the manager yes. There is a tomcat server and IIS
Question: We have encountered issues with the volume of network traffic generated by corrupted defs. How does the 11.x version address this issue?
Answer: corrupt defs should be a thing of the past.
Question: are there any JRE versions that are not supported or are recommended for the management console? Will the client itself require JRE to be installed for SEP to work?
Answer: CLient does not require JRE. The version installed is a local version specific to SEPM.
Question: will registry still use intel\landesk\virusprotect6 structure?
Answer: Nope. All intel technologies for management are gone and the registry has been changed as far as structure
Question: How can we obtain the scalability document?
Answer: It will be posted at release
Question: has sepm been certified for vm
Answer: We support VM environments. Not sure if it is certified by VM
Question: Why is this not backwards capable with SAV 10 or 9? Upgrading an entire enterprise can take a while.
Answer: Completely different management architecture.
Question: is there a method for users to alter administrative scan schedule (but not any other option)?
Answer: Yes
Question: what about Sygate 4.1?
Answer: no
Question: Will you be able to save all the old data from the SAV 10.1?
Answer: yes, migration wizard will cover this
Question: no over intall for 7.x is that correct
Answer: right
Question: OVerinstall of 10.2 for Vista supported?
Answer: yes
Question: he said that scalability doc will be available about a month after SEP 11.0 release
Answer: probably sooner
Question: when you overinstall does this require a reboot on the endpoint
Answer: Yes, but not for AV, just for the FW
Question: Will the overinstall work even if the previous client is password protected? Or will it still require a registry hack to remove?
Answer: It will work
Question: can SAV10 client groups be migrated, or is there granularity to support that type of group?
Answer: Migration wizard will allow this
Question: Does SEP support NT4.0 clients?
Answer: no
Question: does it work on vm . Currently version 10 I have on vm
Answer: Yes
Question: Is the upgrade to SAV 11 more reliable than the upgrade to SAV 10? We were forced to use NONAV to pre-clean the SAV 8 and SAV 9 systems before going to SAV 10
Answer: Yes.
Question: What is the SEPM blog URL?
Answer: https://forums.symantec.com/syment?category.id=endpoint
Question: Is the installer follow standard MSI best practices?
Answer: Yes
Question: will management server install require reboot (windows server 2003)?
Answer: no
Question: This includes central management and reporting for the FW?
Answer: Yes
Question: Any problems creating an SMS package for installing to clients?
Answer: no
Question: to install over 4.1 do you need to uninstall 4.1, reboot and install SEP or can you uninstall 4.1, install SEP and reboot?
Answer: Yes
Question: Can our TAM answer questions regarding SEP 11 yet? Or do we have to wait until the release?
Answer: Yes
Question: We run Symantec Mail Security for Exchange. If we run SEPv11 on the same box, are the defs compatible? Can they co-exist?
Answer: They can co-exist
Question: you mentioned earlier that the client initiates all contact with the server. What about Virus sweeps, updates that you want to push, do you have to wait til the next time the client checks in
Answer: No
Question: does the patch require a reboot? We have lots a 24×7 servers.
Answer: no
Question: Will the dif patch require reboots on the clients?
Answer: no
Question: No problem to run in a mixed environment, e.g. legacy clients reporting to previous management console, newer clients reporting to newer management console?
Answer: no problem with a parallel environment
Question: We are going to have a lot of language requirements (Thai, German, French, Russian, Swedish, Japannesse, Chinesse). Is there a link on your web page to the supported language versions?
Answer: It will be posted but is not right now. Should be at release time. We are localizing alot of languages
Question: For definition distribution, what is the approx size of the diff-defs? If a client has been off the network for a week or longer, what is the approx size of the diff-def?
Answer: will vary
Question: Thanks for the GUP!!
Answer: 
Question: If a client goes to a GUP and then that client goes to another group will it still look for the GUP group A
Answer: no
Question: With ver9 and > Symantec expanded the feature set to combat spyware and malware, many customers complained of CE being bloated, memory-intensive, and causing issues with many line-of-business applications. With all these added features in this new product release can you point to any documentation related to this version benchmarks and/or performance specs compared to previous releases?
Answer: Its all documented. Check the portal
Question: will rapid release definitions be available for the Liveupdate server?
Answer: yes with LUA 2.5
Question: Not sure if this was asked. But when a client connects to a 11.0 server does it use a certificate like in the past for communications?
Answer: no
Question: Can the gups be configured as Primary, secondary, and can the clients recognize that
Answer: no
Question: when will this be available for download from the platinum site?
Answer: end of the month
Question: Thank You
Answer: You are welcome
