Here are some of my notes on configuring SEPM (Symantec Endpoint Protection Manager) and the SEP (Symantec Endpoint Protection) client. They only record working experience I gathered during a Symantec project, and most of them are just reminders of how to complete a task. They might not fit every situation since they are specific to my environment. The version I am using is 14.2.1 (14.2 RU1). One SEPM is installed at the main site and another SEPM at the DR site; they replicate to each other. We are using MS SQL Express since the environment is not that big, fewer than 1000 users.
Import Client Packages
1. Download the full installation package from the MySymantec website
It will be the file Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN.exe, not All_Client_EN.zip.
2. Extract it
Although it is an .exe file, you extract it with an archive (unzip) tool to a folder rather than running it.
3. Log into the SEPM server through an RDP session
I strongly recommend doing the import steps while logged on to the SEPM server itself. When using the remote Web GUI, the client import sometimes fails.
4. Launch the management console locally on the SEPM server
5. Import
The client package info files are found under the extracted folder, for example D:\Temp\Symantec_Endpoint_Protection_14.2.1_MP1_Full_Installation_EN\SEPM\Packages
Check Exception List at Endpoint
- On the SEPM management console:
- 1. Put all machines that will have specific exception rules into a separate group (folder)
- 2. Make sure policy inheritance is turned off for that group
- 3. Copy the existing global Exceptions policy to a new one, add the new exception rule to the new policy, then assign it to this group
- On the SEP client machine, to verify the policy was applied:
- Browse to the registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS
Note: on 64-bit Windows machines the registry path is:
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions
- Expand the key to view the various applications listed there.
- Mostly you will just need to check ScanningEngines, which holds the exclusions applied to the AV scanning engines.
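The registry walk above is tedious to do by hand on more than one machine. The following PowerShell function is an added example (not from the original notes) that dumps every value under the exclusions key so you can confirm the new Exceptions policy actually reached the client. It assumes the two registry paths quoted above; value names under ScanningEngines are printed as found rather than interpreted, and the Docker path in the trailing comment is only a hypothetical search term.

```powershell
# Added example: list the SEP exclusions present on this client.
# Assumptions: registry roots as quoted in the notes; value names are not interpreted.

function Get-SepExclusions {
    [CmdletBinding()]
    param(
        # Registry subkey to walk; ScanningEngines is the one you normally care about
        [string]$SubKey = 'ScanningEngines'
    )

    # Both possible roots: native 32-bit path and the WOW6432Node path on 64-bit Windows
    $roots = @(
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions',
        'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions'
    )

    $root = $roots | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $root) {
        throw 'SEP exclusions key not found; is the SEP client installed on this machine?'
    }

    $base = Join-Path $root $SubKey
    if (-not (Test-Path $base)) {
        Write-Warning "No '$SubKey' subkey under $root (no exclusions of that kind yet?)"
        return
    }

    # Walk every key below the subkey and emit one object per registry value.
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath/... noise
            [pscustomobject]@{
                Key   = $key.PSPath -replace '^.*\\Exclusions\\', ''
                Name  = $name
                Value = $props.$name
            }
        }
    }
}

# Typical use: run in an elevated prompt on the client after forcing a policy update
# (right-click the SEP tray icon > Update Policy), then look for your new entry.
Get-SepExclusions | Sort-Object Key | Format-Table -AutoSize

# To search for one specific exclusion (hypothetical path, adjust to your rule):
# Get-SepExclusions | Where-Object { "$($_.Value)" -like '*ProgramData\docker*' }
```

Run it on one machine inside the new group and on one outside it; the entry should appear only on the former, which also proves that inheritance is really off for the group.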
Change SEP Client Feature Set
- In the SEPM console, click Admin.
- Click Install Packages at the bottom.
- Click Client Install Feature Set at the top.
- If no existing feature set meets the requirements, choose Add Client Install Feature Set.
- Give the feature set a unique name.
- Select the features needed: Antivirus/Antispyware, Network Threat Protection, Proactive Threat Protection.
- Click OK.
- On the left, click Clients.
- Select the group containing the SEP clients, then click the Install Packages tab in the right pane.
- Under Tasks, choose Add Client Install Package.
- In that screen, select the correct package for this group from the drop-down menu (32-bit or 64-bit base install files). Both packages can be assigned separately to the same group.
- Uncheck Maintain existing client features when updating.
- Below that, select the feature set you need from the drop-down menu.
- If Upgrade Schedule is not selected, clients receive the instruction to change their installation the next time they check in with the manager. This launches MSIEXEC on the client.
- After the installation completes, restart the machine if prompted.
Here is another way to change your SEP clients' feature set. The clients must already have SEP installed.
Limited Administrator Log In Issue
While working on SEPM I ran into an issue: I was not sure how to log in as a limited administrator. Creating a limited administrator is fine, but when I tried to log in, the log in window
What I found is that a limited administrator can only log in to the default SEPM domain. In my case it is called Default. It is not your SEPM server's computer name, and it is not your Windows domain name.
Disable/Enable SEP Client
From the command line:
Instead of “smc -stop” and “smc -start”, use the commands “start smc -stop” and “start smc -start“.
Disabled SEP client:
Enabled SEP client:
Once the system is rebooted, the SEP service starts again. To keep the client disabled even after a reboot, the only way is to remove the SEP program. Note also that if the client policy requires a password to stop the client service, smc -stop prompts for it.
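Because smc returns immediately, the command alone does not tell you whether protection is really off or back on. The function below is an added example (not from the original notes) that launches smc the way the notes recommend and then polls the client service until it reaches the expected state. It assumes smc.exe is in one of the default install folders, that the client service is named SepMasterService, and that no stop-password policy is in force (if one is, smc prompts for it and the call hangs or fails).

```powershell
# Added example: stop or start the SEP client and confirm the result via the service state.
# Assumptions: default install paths, service name SepMasterService, no stop password required.

function Set-SepClientState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Stop', 'Start')] [string]$Action,
        [int]$TimeoutSeconds = 60
    )

    $candidates = @(
        "$env:ProgramFiles\Symantec\Symantec Endpoint Protection\smc.exe",
        "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe"
    )
    $smc = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $smc) { throw 'smc.exe not found in the default SEP install folders' }

    # Start-Process is the PowerShell equivalent of the "start smc -stop" form the notes
    # recommend: smc is launched as its own process rather than inline in the shell.
    Start-Process -FilePath $smc -ArgumentList "-$($Action.ToLower())" -Wait

    # smc exits right away; the service state is what actually tells you the outcome.
    $wanted   = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = Get-Service -Name 'SepMasterService' -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq $wanted) { return $svc }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)

    throw "SepMasterService did not reach state '$wanted' within $TimeoutSeconds s (current: $($svc.Status))"
}

# Usage (elevated prompt):
#   Set-SepClientState -Action Stop     # disable protection for a maintenance window
#   Set-SepClientState -Action Start    # re-enable it afterwards
# A reboot starts the service again regardless of the -stop above.
```

Wrap the Stop/Start pair in a try/finally when you script a maintenance task, so protection is re-enabled even if the task in between fails.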
Create Windows File Exceptions
I recently received a report that SEP might interfere with Docker containers on Windows Server 2016, based on the KB article "Endpoint Protection interfering with Docker containers on Windows Server 2016".
Here are the steps to add those exceptions:
TBC
Configure Failover Server List
My environment has two SEPM servers. One acts as the main server and the second sits at the DR site. Both have SEPM installed with the embedded MSSQL (MSSQL Express) database.
Both sites are configured as bidirectional replication partners of each other.
Since I am not using a full MS SQL Server database, my environment doesn't support failover and load balancing. It does, however, support redundancy: SEP clients can communicate with either SEPM server.
The following screenshot shows the default configuration of the management server list. Priority 1 contains the main SEPM; Priority 2 contains the DR site SEPM.
Note: if you want to change these default settings, you will have to create a new list and assign it to all groups. The default list is not editable; it was created when you installed the replication site server.
SEPM Preferences
The SEPM console Web GUI preferences include settings that control how the security status is shown on the SEP agent.
SEPM Clean Expired clients
The following settings show SEPM configured to clean up clients that have not connected to the SEPM server in 15 days.
Change SEP Client Control
When you want to configure settings on a client but get the message “Your Administrator has locked this feature”, here is how to unlock it.
As you can see, as long as you set Server control in the SEPM location-specific settings, your endpoint user will not be able to select the option to Change Settings for your SEP features.
This option is only greyed out for non-administrator users. Anyone with a bit of administrative privilege will be able to click it, especially on servers. In that case we need to go into each policy and lock every possible option on the SEP client side. That way, even a local administrator cannot change those settings, although they can still see them.
You will need to lock this option in each policy. Make sure every rule, including Scan Details, Actions, Notifications and Advanced, anywhere you find an unlocked padlock icon, is changed to the locked icon. You also need to do this for all the other policies, such as Firewall, Intrusion Prevention, Application and Device Control, Memory Exploit Mitigation, etc.
Don’t forget the Tamper Protection lock.
SEPM DB Scheduled Backup
A manual backup can be performed at any time by stopping the Symantec Endpoint Protection Manager service and launching Backup and Restore from Start – All Programs – Symantec Endpoint Protection Manager. Keep in mind that the backup may take some time, depending on the size of your database and the speed of your computer. Actually, I found that the backup still succeeds without stopping the SEPM service, but the database might have issues later when restoring.
Another way to start a backup is to open the console, go to the Admin panel and click Servers. Then choose your database and, under Tasks, click Back Up Site Now.
After the backup is finished, you will find in the backup folder a .zip file containing the backup, with the date and time of the backup in the file name.
Automatic backups are set through the SEPM console. Go to the Admin panel and click Servers. Select your database and, under Tasks, choose Edit Backup Settings. Set the schedule for backups and the number of copies to keep (when this number is exceeded, the oldest copy is removed).
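A scheduled backup that silently stops producing files is only discovered when you need a restore. The function below is an added example (not from the original notes) that checks the newest backup .zip for freshness and readability and counts the retained copies so you can compare with the retention setting. It assumes the default backup folder path shown in the parameter (adjust it if you relocated the data folder) and a daily schedule.

```powershell
# Added example: sanity-check the SEPM backup folder.
# Assumptions: default backup folder location, daily schedule (26 h freshness window).

function Test-SepmBackup {
    [CmdletBinding()]
    param(
        [string]$BackupFolder = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager\data\backup",
        [int]$MaxAgeHours = 26    # a little slack over a daily schedule
    )

    if (-not (Test-Path $BackupFolder)) { throw "Backup folder not found: $BackupFolder" }

    $all = @(Get-ChildItem -Path $BackupFolder -Filter '*.zip')
    $latest = $all | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No .zip backups in $BackupFolder" }

    $age   = (Get-Date) - $latest.LastWriteTime
    $fresh = $age.TotalHours -le $MaxAgeHours

    # Open the archive and count entries: a zero-byte or truncated file throws here,
    # which is exactly the failure we want to surface.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $entries = 0
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($latest.FullName)
        $entries = $zip.Entries.Count
        $zip.Dispose()
    } catch {
        throw "Latest backup $($latest.Name) is not a readable zip: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        File     = $latest.Name
        SizeMB   = [math]::Round($latest.Length / 1MB, 1)
        AgeHours = [math]::Round($age.TotalHours, 1)
        Entries  = $entries
        Fresh    = $fresh
        Copies   = $all.Count
    }
}

# Usage on the SEPM server; schedule it or feed the Fresh flag into your monitoring:
#   Test-SepmBackup
#   Test-SepmBackup -BackupFolder 'E:\SEPM\backup' -MaxAgeHours 50   # every-other-day schedule
```

This catches the cheap failures (no file, stale file, corrupt zip). Only an actual restore onto a test SEPM proves that a backup is usable, which is worth doing once after changing the backup settings.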
Change SEPM Data or Backup Folder
Note: be aware of the following before changing the location of the SEPM data folder:
- To prevent I/O bandwidth starvation, the SEPM data folder needs to be on a fast, local drive
- A copy of the data folder as it was at the time of reconfiguration is left in the default location after the reconfiguration completes. This is for archival purposes
- Customers updating their SEPM's antivirus/antispyware definitions via a .jdb file need to make sure they place the .jdb into the new data directory and not the archived one
Modifying the SEPM data folder location:
Before making any configuration changes to the SEPM, note the following information: the SEPM database type (SQL or Embedded), the SQL Server location, instance name and port number (if applicable), the SQL authentication type and the SQL credentials.
- Start the SEPM Management Server Configuration Wizard
- Select the Reconfigure the management server radio button then click the Next button
- Accept the defaults for Server name, Server port and Web console port
- Modify the Server data folder text box as required and click the Next button
- Select the correct database type (Microsoft SQL Server or Embedded database) and click the Next button
- For Embedded database:
- Verify the default Database server port
- Enter the correct password
- Click the Next button
- For Microsoft SQL Server:
- Verify the Database server name (including the instance name if the SEPM database is in a named instance)
- Verify the SQL server port
- Verify the Database name
- Verify the Authentication method and provide credentials
- Click the Next button
- After the Management Server Configuration Wizard completes, click Finish.
The Management Server Configuration Wizard creates a copy of the original data folder in the location you specified and configures the SEPM's conf.properties file to point to the new location. After these modifications, the SEPM keeps the original data folder for archival purposes, but all new data is written to and read from the new data folder location.
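Since the wizard's only durable output is the updated conf.properties, it is worth reading that file back rather than assuming the change took. The script below is an added example (not from the original notes) that parses conf.properties as a Java properties file and reports every drive-rooted path it contains together with whether the path exists. It assumes the default SEPM install location for conf.properties; because the notes do not quote the exact key name for the data folder, the script reports all path-valued keys instead of hard-coding one.

```powershell
# Added example: confirm conf.properties points at the new data folder after reconfiguration.
# Assumptions: default conf.properties location; the data-folder key is not named, so every
# key whose value is a Windows path is reported.

function Get-SepmPathSettings {
    param(
        [string]$ConfPath = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties"
    )
    if (-not (Test-Path $ConfPath)) { throw "conf.properties not found at $ConfPath" }

    Get-Content -Path $ConfPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }   # blank or comment line
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { return }                                # not a key=value line
        $key = $line.Substring(0, $idx).Trim()
        # Java properties files escape backslashes and colons (e.g. D\:\\SEPM\\data)
        $value = $line.Substring($idx + 1).Trim() -replace '\\(.)', '$1'
        # Only report values that look like a drive-rooted Windows path
        if ($value -match '^[A-Za-z]:\\') {
            [pscustomobject]@{
                Key    = $key
                Path   = $value
                Exists = Test-Path -LiteralPath $value
            }
        }
    }
}

# Usage: run after the Management Server Configuration Wizard finishes.
# The data-folder row should show the new location and Exists = True; a row still
# pointing at the old folder means the wizard did not update that setting.
Get-SepmPathSettings | Format-Table -AutoSize
```

Keep a copy of the output from before the change as well; diffing the two runs shows exactly which keys the wizard rewrote.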
Backup/Restore SEPM
Backup:
References
- Verify if an Endpoint Client has Automatically Excluded an Application or Directory
- Manually import client packages into Endpoint Protection Manager