Channel: Symantec Connect - Articles

How to license Mobility Suite through a forward proxy.


1. Request that the licensing team provide a .slf file for your Mobility Suite license and transfer it to the /tmp/ directory on the Mobility Suite Front End. Also copy the "fix_applied_licenses.py" file attached to this article into the same /tmp/ directory. Note that the attached file must be unzipped before it is copied to the /tmp/ directory.

2. Apply the license file:

cd /usr/local/nukona/appstore_cu/
python manage.py scripts tenantaccount mobavent1 --apply_license /tmp/*.slf

3. Fix the license file:

cp /tmp/fix_applied_licenses.py /usr/local/nukona/appstore_cu/apps/appstore/scripts
chown nginx:nginx /usr/local/nukona/appstore_cu/apps/appstore/scripts/fix_applied_licenses.py
python manage.py scripts fix-applied-licenses TenantName

4. Register the license file:

cd /usr/local/nukona/appstore_cu/
python manage.py scripts reregister-els -t TenantName

If all of these commands completed successfully, then the license(s) should now appear in the Admin Console.


How to suppress monit alerts for celery without compromising health checks

Did you know? You can bookmark content within Connect and easily access it later?


Bookmarks within Connect!

We’ve provided a way to bookmark the content you read on Connect that you want to save for later. These bookmarks are saved to a space in your Connect profile – so it doesn’t matter where you are browsing the community from, you can easily find that helpful post again and again!

Saving and managing Bookmarks is simple.

First, find content that you just can’t live without – that article or forum post that you know you are going to need to visit again and again.

Click on the “Bookmark” link (You’ll currently find that link at the bottom of the Article, Download, and Video pages.) That’s it, you’re done.

Image 1_0.png

But where are those bookmarks saved? Some magical place on the interwebs? Nah, they are easy to find.

Expand the menu below your profile and you’ll see “My Bookmarks” right near the top. That’s the spot!

Image 2.png

Next, click on My Bookmarks and you’ll find all of your bookmarks along with some information about each post, including the option to remove them from your list.

Image 3_0.png

...And finally...

Regardless of what browser or device you are using to access Connect, these bookmarks will be available to you – no need to sync browsers or lose information because you’ve changed devices.

Happy Bookmarking!
~The Connect Team

AC and HI Policy to help with Ransomware


Hi all, 

pls find attached a set of policies created by SEs and BCS to help with Ransomware. It is not a protective policy but helps with detecting this kind of malware.

Just for the sake of good order, this is not an officially supported policy and use is at your own risk.

So pls test it extensively before taking it into production.

Feedback very welcome.

Sven

How-To Harden Cryptolocker file encoding attempts with SEPM Application Control


SEPM AppDevCtrl acts as a versatile swiss army-knife, and can be used as a precision tool as well as a general solution. Take care when using it, as it's easy to break your system with a misconfigured rule.

The policies described here put strong rules into effect, so it is recommended to activate only „Testing mode” first, and to do so on a test system.

After testing, mass distribution of this ruleset can be orchestrated with SEPM Group Management.

The following shows how to defend an enterprise's critical files (Word and Excel documents, etc.) from unauthorized access, such as encryption by CryptoLocker or other ransomware. Make an Application Control rule with the following in mind:

  • Monitor every process, except Word, Excel, Windows processes, SEP processes, and legit enterprise applications, like a filing app

  • Monitor the file accesses of the non-whitelisted processes. If the file is a *.doc, *.docx, *.xls or *.xlsx, block the access; otherwise allow it.

encoding_deny_1.jpg

encoding_deny_2.jpg

encoding_deny_3.jpg

encoding_deny_4.jpg

encoding_deny_5.jpg

encoding_deny_6.jpg

From testing logs, we can tune our whitelist. After there are no denies in the log on valid applications, distribute the rule to the production system. It is also recommended to run only in test mode for a few days on the live system – there might be legit processes trying to access these files, that did not occur in the test environment.

Naturally the surveilled files/extensions can be broadened, but keep in mind to broaden the whitelisted applications also – and re-test the rule after changes.
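The rule logic and the whitelist-tuning step described above, as an added sketch; this is not SEPM's rule engine or log format, and it is not code from the original article. It applies the allow/block decision to constructed access events (one `process|file` pair per line, an assumed format) and counts the would-be denies per process, which is the list to review before extending the whitelist. The whitelist entries, the sample events and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Event format, process names and function names are constructed.

# Processes exempt from monitoring (assumed names for Word, Excel, a Windows
# process, a SEP process and an in-house filing app). SEPM rules are built in
# the console; name-only matching is a simplification of this sketch.
WHITELIST="winword.exe excel.exe explorer.exe ccsvchst.exe filingapp.exe"

# proc_name PATH -> lower-cased file name of a Windows path
proc_name() {
    printf '%s\n' "$1" | sed 's/.*\\//' | tr '[:upper:]' '[:lower:]'
}

# decide PROCESS_PATH FILE_PATH -> prints "allow" or "block"
decide() {
    proc=$(proc_name "$1")
    file=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # Whitelisted processes are not monitored at all.
    for ok in $WHITELIST; do
        if [ "$proc" = "$ok" ]; then
            echo allow
            return 0
        fi
    done
    # Everything else is blocked only on the protected extensions.
    case $file in
        *.doc|*.docx|*.xls|*.xlsx) echo block ;;
        *) echo allow ;;
    esac
}

# deny_summary < EVENTS -> "<count> <process>" per blocked process, busiest first
deny_summary() {
    while IFS='|' read -r proc file; do
        [ -n "$proc" ] || continue
        if [ "$(decide "$proc" "$file")" = block ]; then
            proc_name "$proc"
        fi
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed test-mode events: Word and the filing app are whitelisted, a
# backup agent is a legitimate process missing from the whitelist, and an
# unknown program in a Temp folder is what the rule is meant to stop.
sample_events() { cat <<'EOF'
C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|C:\Users\anna\Documents\offer.docx
C:\Users\anna\AppData\Local\Temp\invoice_viewer.exe|C:\Users\anna\Documents\offer.docx
C:\Users\anna\AppData\Local\Temp\invoice_viewer.exe|C:\Users\anna\Documents\budget.XLSX
C:\Users\anna\AppData\Local\Temp\invoice_viewer.exe|C:\Users\anna\Pictures\logo.png
C:\Tools\backup\bkagent.exe|D:\Share\plan.xls
C:\Program Files\FilingApp\FilingApp.exe|D:\Share\plan.xls
EOF
}

sample_events | deny_summary
```

In this sample, `bkagent.exe` is the kind of entry that test mode is meant to surface before the rule goes to production, while the process running from a Temp folder stays blocked.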

You can find the settings for sending mail to administrators at the following link:

https://www-secure.symantec.com/connect/articles/d...

at section 2: "Create a "Notification condition" under Monitors/Notifications:"

Problems with clickonce


We have two applications with clickonce installation. Mangoclient.exe and polisportmessenger.exe (this application was created by our organization).

In our SEPM we configure both applications to be ignored. Below you can see the exception policy

We have 25 machines with SEP and, in some machines, the applications described above, are blocked and removed.

11.JPG

22.JPG

3.JPG

4.JPG

5.JPG

Best Regards

Vladimiro Oliveira

Symantec Endpoint Encryption Initial server configuration in windows server 2008 R2 using Power Script


Symantec Endpoint Encryption 11.1.0 Initial Server Configuration on Windows Server 2008

Here we assume that you have a compatible database already created for use with SEE.
System requirements and compatible versions of MSSQL can be found here:
http://www.symantec.com/docs/TECH224478

For the initial setup of the server before installation, follow the setup steps below:

On Microsoft Windows Server 2008

To enable the web server (IIS) server role and role services on Microsoft Windows Server 2008:

1. Click Start > Administrative Tools > Server Manager.

2. In the left pane of the Server Manager snap-in, right-click Roles and click Add roles.

3. On the welcome page of the Add Roles Wizard, click Next.

4. On the Select Server Roles page, select Web Server (IIS).

5. Click Next and then click Next again.

6. On the Select Role Services page, go to Web Server > Application Development and click ASP.NET.

7. On the Add role services and features required for ASP.NET dialog box, click Add Required Role Services.

    Selecting this option also automatically selects .NET Extensibility, ISAPI Extensions, and ISAPI Filters.

8. Expand the Security option and then click Basic Authentication.

9. Expand Management Tools and check IIS Management Scripts and Tools. Check IIS 6 Management Compatibility.

    Make sure all the components under Management Compatibility are also checked.

10. Click Next and then click Install.

11. After the Add Roles Wizard indicates that the installation is successful, click Close.

12. In the left pane of the Server Manager snap-in, right-click Features and click Add features.

13. In the Select Features window, select .NET Framework 3.5.1 features.

14. Select Group Policy Management.

15. Expand Remote Server Administration Tools > Role Administration Tools and select AD DS and AD LDS Tools.

16. Click Next and then click Install.

17. After the Add Roles Wizard indicates that the installation is successful, click Close.

OR

Just Follow Few Steps Below

Enable Roles and Features using Power shell Script in just 2 simple steps.

I created a simple yet Powerful Power Shell Script which does all the hard work for you in just few clicks.

Here is the method to execute same in power shell

Download File From Attachment: SEE Roles & Features.PS1

1. Run Power Shell as Administrator

1.png

2. Open Downloaded File in Notepad ( SEE Roles & Features.PS1 )

2.png

3. Copy Everything and Paste into Power shell

3.png

4. Just Hit Enter and sit back Relax. It will automatically restart your computer.

4.png

 OR

Enable Roles and Features Manually

1.  Open the Server Manager, and select “Add Roles”.

5.png

2.  Click “Next”.

6.png

3.  Select “Web Server (IIS)”

7.png

4.  Click “Next”. Click “Install”

7.png

5. Go to Web Server (IIS)

8.png

6. Select Add Role Services and verify that ASP.NET is checked

9.png

7. Add Role Services > Management Tools (Select From Screen Below)

10.png

8. Add Feature > .NET Framework 3.5.1

11.png

9. Add Feature > Select Group Policy Management

12.png

10. Add Features > Remote Server Administration Tools

13.png

11. Add Features > AD DS and AD LDS Tools

14.png

OR 

You can download SEE Roles & Features.PS1 file from attachment and just RUN in PowerShell to automate whole process.

Modify the script if needed.

How to force the RW layer to reset.


Purpose:

Automatic reset of package does not work for upgrade packages
 

Cause:

When streaming upgrade packages, the SWS environment assumes that we will not touch the RW sublayer; any information written to a layer while it is activated now exists in the RW sublayer and not the RO sublayer. By design an upgrade package will only change files and registry keys in the RO sublayer.

Solution:

With 7zip or another compression utility, extract the contents of the xpf and look for the _package.xml. There are two variables that need to be changed:

  • baseVersion
  • Version

package_xml.PNG

Change

<PackageInformation id="{e9e8a019-c358-4ed7-aec3-dbca05eb6a4a}" version="1" type="snapshot" baseVersion="0" iconFileId="4294967295" iconFileType="" icoIconFileId="4294967295" category="">

To

<PackageInformation id="{e9e8a019-c358-4ed7-aec3-dbca05eb6a4a}" version="1" type="snapshot" baseVersion="2" iconFileId="4294967295" iconFileType="" icoIconFileId="4294967295" category="">

Next save the file and re-compress the file to a zip.

Rename the file from .zip to .xpf.


How To Add Remote Screen Sharing Options To Ghost Solution Suite 3.0/3.1


Make sure you have your screen sharing software handy. Common examples are RealVNC, TeamViewer, LogMeIn, etc...

 

Navigate to the deployment server folder shown below and edit the RemoteControlTools.ini file.

C:\Program Files (x86)\Altiris\eXpress\Deployment Server\RemoteControlTools.ini

 

remotetools_0.png

 

The default text you will find inside this file is the pathing for Remote Desktop Connection. To add a new screen sharing option, copy the text shown below and modify to your needs.

 

[Remote Desktop]
Display-Name=&Remote Desktop
RemoteToolEXEFilePath=mstsc.exe
CommandLine=/v:"%COMPNAME%"

 

An example of this modification might resemble the below text..

myvnc_0.png

 

[Remote Desktop]

Specifies the name of the configuration that is being added to this file.

 

Display-Name=&My VNC

Specifies the name that will appear in the Ghost Console.

 

RemoteToolEXEFilePath=*

Specifies the path to the screen sharing software exe.

 

CommandLine

This will append variables to the start command for the screen sharing software. Variables used here are computer name and computer I.P.

 

Each screen sharing software has its own set of variables that will be received during startup. Research will need to be done to find the specific command line variables that fit the screen sharing software that is chosen.

Right click on any computer located in your Ghost Solution Suite console, navigating to Remote Control. The new connection should now be displayed under this section.

 

right_click.PNG

If configured correctly, selecting this connection should run the .exe program specified in the config file and pass the variables to the exe on startup.

Quick Start Guide - Installing Ghost Solution Suite 3.1


This document will help to explain the install process of Windows ADK and Ghost Solution Suite 3.1.

Please review the installation and upgrade guide located at https://support.symantec.com/en_US/article.DOC8558.html before installing Ghost Solution Suite.

NOTE: There are certain prerequisites that must be met.

Installing Windows ADK & WinPE

1. Windows ADK can be downloaded from the link below, select the WinPE 10 download link.

https://msdn.microsoft.com/en-us/windows/hardware/dn913721%28v=vs8.5%29....

*always download the ADK version that is specified in the Ghost Solution Suite requirements

2. Run the adksetup.exe file and select a location to install.

*It is recommended to install the ADK into the default directory shown below

winpe10install.png

3. Choose whether to opt in or out of the windows program, and then accept the Windows agreement on the next screen.

4. Ghost Solution Suite only requires the boxes that are checked in the screenshot below, feel free to install all features that fit your needs.

winpe10feature.PNG

5. After the Windows ADK has finished installing, it is now time to install Ghost Solution Suite.

Installing Ghost Solution Suite 3.1

1. Download Ghost Solution Suite 3.1 from your account dashboard at My.Symantec.com

2. Run the application Symantec_Ghost_Solution_Suite_3_1.exe selecting “Extract & Execute App”. This will extract the Ghost Solution Suite installer files into the C:\DSSETUP folder located on the hard drive.

3.PNG

3. After Ghost Solution Suite extracts, the setup.exe file will automatically run. There are 4 options for installing Ghost Solution Suite. For the sake of this tutorial, “Simple Install” will be used and “Install PXE” will be selected.

Simple Install - The Simple Install option places all the Ghost Solution Suite Server Components - Ghost Solution Suite Server, Ghost Solution Suite Console, Ghost Solution Suite Share, and Ghost Solution Suite Database - on the same computer.

Custom Install – The Custom Install option lets you distribute all the Ghost Solution Suite Server Components - Ghost Solution Suite Server, Ghost Solution Suite Console, Ghost Solution Suite Share, and Ghost Solution Suite Database - on different computers. You can install Ghost Solution Suite Server with a Microsoft Data Engine (MSDE) or install it on an existing SQL Server.

Thin Client Install - The thin client install option lets you install the Thin Client view of the Ghost Solution Suite Console on your computer. You can install Ghost Solution Suite Server with a Microsoft Data Engine (MSDE) or install it on an existing SQL Server. You need not provide a license file for the Thin Client installation.

Component Install - The component install option lets you add selected Ghost Solution Suite Server Components - Ghost Solution Suite Console, PXE Server, and Ghost Solution Suite Agents to the existing Ghost Solution Suite Share. You can also add Microsoft Sysprep files.

4.PNG

4. The next screen will ask where Ghost Solution Suite 3.1 should be installed to, the location of your Ghost Solution Suite license file and the username and password for an administrator account on the computer.

The username and password selection is critical as Ghost Solution Suite services require administrator privileges to run successfully.

5.PNG

5. The next dialogue box is a prompt for installing the SQL server. If SQL server is not yet installed on the Ghost Solution Suite server, selecting yes will install Microsoft SQL Server 2014 Express.

If SQL Server is already installed, follow the instructions of the dialogue window and restart the Ghost Solution Suite setup, using the “Custom Install” option.

6.PNG

6. Ghost Solution Suite 3.1 should now finish installing, this can take a while to create the necessary file structure and Express database. Select finish once the install process has completed.

8.PNG

How to have latest SEP Clients on SEPM for Deployments (v12.1.6 MP4)


It is possible to add the latest version of the SEP Client installer without having to upgrade the SEPM server to the latest version. While it’s always recommended that SEPM is updated at the same time, there may be a case where you need to plan this upgrade for a later time but still need to deploy the latest version of the SEP Client. This is how you can do that.

Firstly, you will need to grab your Symantec serial number and head over to https://fileconnect.symantec.com – enter your serial number and navigate your way into “Symantec Endpoint Protection” – from there, pick the language you want to use. For this article, I’ve picked ‘International English’ and you will be taken to the download page.

From there, pick the 2nd choice (Full Installation). It contains Windows, Mac & Linux clients at its current version (at the time of writing this, v12.1.6 MP4) – I preferred this version because the SEP clients come with an .info file which will make copying to the SEPM console very easy, which I will explain later on in this article. The SEPM installer is also included, which you can use for future planning & upgrading. So it’s like killing two birds with one stone by using a single download file! :)

sep client.PNG

Start the download & save it. For best practice, I would recommend that you run an MD5 signature checker against the MD5 number displayed on the download page to ensure the download is not corrupted. I use WinMD5 which is freeware to compare the signatures.

sep client md5.PNG

Once matched and you’re happy with it, copy the file over to the server and extract them in a suitable location. For this example, I used D:\Sources\SEPM v12.1.6 MP4 to extract the files into this but don’t start the installer. Cancel any prompts if any.

Now, launch the SEPM console and go to Admin -> Install Package and ensure that ‘Client Install Package’ is selected. Then from there, click on ‘Add a Client Install Package’

admin client install.png

The ‘Add a Client Install package’ window will pop up. This is where you fill in the details. Click on the Browse button and go to the location where you saved the extracted files to. For this example, I’ve gone to D:\Sources\SEPM v12.1.6 MP4\SEPM\Packages

Here, you will find the .info files – click on one of them and then finally click on the OK button. It will begin importing into SEP & updating the database. It will take around 5 minutes or so. Repeat for other clients.

add client.PNG

Once completed, you will have a list with the latest SEP clients. You can remove the old versions if you like, but hold off with that until you’re happy with the new versions on some machines for testing, for example.

For others who have more than one Domain, there are two ways to do this, depending on how you set up your Domains:

  1. If you have Replication set up to sync clients, you do not need to do anything and the latest SEP clients will be synced across.

  2. If you do not have Replication set up to sync clients, change Domain and follow the steps above to add them manually.

And this is how you add the latest SEP Client to SEPM, ready for deployments to your clients across the network.

Helpful links

WinMD5: http://www.winmd5.com

A guide to Endpoint Protection files on FileConnect: https://support.symantec.com/en_US/article.INFO2576.html

Download the latest version of Symantec Endpoint Protection: https://support.symantec.com/en_US/article.TECH103088.html

How To Upgrade From Ghost Solution Suite 3.0 to Ghost Solution Suite 3.1 Console


The upgrade process from Ghost Solution Suite 3.0 to 3.1 is fairly simple and Ghost Solution Suite 3.1 can be directly installed over top of Ghost Solution Suite 3.0.

*This guide informs on the upgrade process from Ghost Solution Suite 3.0 to 3.1. Please backup all information/databases and view the Ghost Solution Suite documentation before proceeding.

1. Download Symantec_Ghost_Solution_Suite_3_1.exe and select "Extract & Execute App", this will create the familiar DSSETUP folder in the directory that is selected.

3.PNG

2. Stop all Ghost Solution Suite services before proceeding with install.

stop_service_0.png

3. Navigate to the DSSETUP folder location and open this folder, the extracted location above was c:\DSSETUP. Navigate to Setup.exe within this folder and run as administrator.

dssetup.PNG

4. Select Custom Install to preserve the database from the Ghost Solution Suite 3.0 install.

ghost_custom_install.PNG

5. Accept the Software License Agreement

6. Select the location where Ghost Solution Suite 3.1 files should be saved, it is recommended to choose the location that Ghost Solution Suite 3.0 is installed at so files are overwritten and updated accordingly. Locate and link your license file in the prompt below.

ghost_3_1_license.PNG

7. Verify the IP address and install path are correct and enter an administrator username and password. This can be either a local administrator or a domain administrator.

Ghost_server_ip.png

8. Verify that the server found is the correct server and that the database name matches the Ghost Solution Suite 3.0 database.

ghost_database.PNG

9. Select either Windows NT authentication or SQL server authentication

ghost_nt.png

10. Select yes to the below notification, this ensures that the Ghost Solution Suite 3.0 database is used with the new Ghost Solution Suite 3.1 install.

.ghost_prev_db.png

11. Configure PXE settings, by default the PXE server and GSS server use the same I.P address. Advanced installations may require changing the PXE server address to a different location.

ghost_pxe.png

12. Select "Ok" when notified that a DHCP service is required for PXE to function correctly.

ghost_dhcp.png

13. Verify the I.P. address matches the address provided earlier for the GSS server, this is where the default DAgent settings will point to.

ghost_aclient.png

14. Select on this computer

ghost_on_this.png

15. Select install

ghost_install_last.png

16. Select "Yes" to replace the eXpress share (Make sure all prior images are backed up to a different location before proceeding).

ghost_express.png

After this process completes, verify that all services have been restarted and Ghost Solution Suite 3.1 should be correctly installed.

How to enable local content on Mobility Suite in 5.4.2.


Below is an image of how the default content management system is shown in the 5.4.2 version of Symantec Mobility Suite:

Content2.png

Notice that the only option by default is to setup Work File. In order to enable the local content manager in Mobility Suite 5.4.2 as was available in older versions of Mobility Suite, the following commands need to be run from the Terminal on Mobility Suite Front End:

cd /usr/local/nukona/appstore_cu/
python manage.py scripts tenantaccount TenantName is_content_enabled=True

Please note that in the above command where "TenantName" is mentioned, the name of the tenant needs to be used in place of "TenantName" as shown in the below example:

Content3.png

Once these commands have been run, the Terminal will display "Done." as shown in the above image.

The Content page in the Mobility Manager will now show a "Mobility Manager content" slider and an "Add Content" button as shown in the below image:

Content1.png

How To Add Drivers To Ghost Solution Suite


Boot Disk Creator:

1. Navigate to Tools->Boot Disk Creator (Console Version), once the boot disk creator opens select tools -> Add Pre-Boot Device Driver

bdc_driver_tools.png

2. Browse to the location where the driver is stored. Ghost Solution Suite needs drivers to be in the .inf format and requires the .dll files to accompany the driver.

bdc_sel_driver.png

3. Select your driver format and then select “ok”, selecting “ok” once more will install the driver for all the Boot Disk Creator configurations.

bdc_add_driver.png

4. Re-create your boot disk/automation environment and the driver should now be included.

PXE:

1. Open the PXE configuration menu and edit the target PXE environment.

pxe_driver_menu.png

2. Select edit boot image

pxe_edit_boot_image.png

3. Select the edit button and proceed with modifying the configuration

pxe_edit_config.png

4. Navigate to the page shown below, this is where the drivers need to be added

pxe_add_driver_0.png

5. Select Have Disk and enter a path for the driver, Choose the driver Architecture and select ok

pxe_driver_arch.png

6. Selecting ok once more will import the driver into the PXE configuration, patience is needed as this can take a bit to update.

pxe_driver_prompt.png

7. Once the driver is loaded, there will be a prompt to reload the driver database, select yes and wait for the configuration to finish

pxedriverrefresh.PNG

8. Continue with the PXE configuration and rebuild the PXE environment

pxebuild.PNG

With the driver added and the PXE environment rebuilt, the driver should now be included in the PXE boot option.

How to manually add a certificate to the Mobility Java keystore


Configuring SEP Client Logging and External Logging


The external logging feature in the Symantec Endpoint Protection Manager (SEPM) allows for saving log data outside of a SEPM server.

There are two methods:

  1. Exporting log data to a dump file
  2. Exporting log data to an external logging server.

Both methods are configured in the SEPM console. The following is a high-level overview of the related logging options.

The client-logging configuration can be done without setting up external logging.

Obtaining Log Files from Managed Clients

Generally, it is desirable to gather log data from managed SEP clients. There are two locations in the SEPM to configure logging options for clients and to instruct them to send log data to the SEPM.

Note: It is important to consider disk space requirements on the SEPM and on the clients when gathering log data from clients.

The first location is in the Clients, <Site/Group>, Client Log Settings screen, shown here:

1_sepm_external_logging_configure_clients1.jpg

The second location is in the Virus and Spyware Protection policy applied to clients. Note that there could be multiple policies for managing a variety of clients and each policy assigned to clients will require logging configuration. (If groups inherit settings from the parent site, only the parent site will need to be modified.)

2_sepm_external_logging_configure_policy1.jpg

When editing a policy, a new screen will appear over the main SEPM screen that contains these logging options. That screen is shown here:

3_sepm_external_logging_configure_policy2.jpg

Configuring External Logging in the SEPM Console

Now that clients are sending log data to the SEPM, it may be desirable to save that log data externally, either to dump files or to an external logging server.

To configure external logging, browse to the following location in the SEPM console:

Admin, Servers, <Site>, Configure External Logging

4_external_logging_admin_servers_site_1_general.jpg

5_external_logging_admin_servers_site_2_logfilter.jpg

References:

http://www.symantec.com/docs/HOWTO81168 - Exporting log data to a text file

http://www.symantec.com/docs/HOWTO81169 - Exporting Data to a Syslog Server

ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?


The IT Management Suite 8.0 HF1 release introduces a number of enhancements/improvements of the Microsoft Active Directory Import page.

The following areas are changed:

  1. View status
  2. Filtering and sorting controls
  3. List of import rules
  4. Import rule caption

AD_import_page_0.png

1. View status

The "9 / 9" number shows "number of displayed / total number of" import rules after filtering.
If you change or delete any import rules, the number of edited and/or deleted rules is also displayed.

2. Filtering and sorting

2.1 In the text box for filtering, you can type any text to match the rule content.
To clear the filtering text box, press "Esc".

2.2 The first icon next to the text box lets you filter the rules that import certain resource type (such as users, computers, etc).
The Schedules icon shows rules that have scheduling enabled.
The Active icon shows active rules.
To clear all resource type filters, press "Ctrl" and click the main filtering icon.

AD_filter1.png

 2.3 The sorting icon lets you sort the rules by name, resource type, status, and last import time.
To clear all resource type filters, press "Ctrl" and click the main sorting icon.

AD_sort.png

3. List of import rules

Each rule item has more information displayed in the import rules list. The first icon in the rule caption shows the resource type that this rule imports. The import rules with enabled scheduling will have a green caption. The selected import rule has a blue glowing border.

4. Import rule caption

4.1 To edit the name of the import rule, double-click the title of the import rule, enter the new name,
and then click OK.
If you leave the name box empty, the import rule will get its default name.

AD_custom_name.png

Note! The changes are saved only if you click Save changes at the bottom of the page.

4.2 To enable/disable the import rule schedule, click the Schedule icon next to the import rule title.

AD_enable_schedule.png

If you have no defined schedules for the import rule and you click Schedule icon for the first time, the Rule Scheduling dialog box opens automatically.
To open the Rule Scheduling dialog box if the rule already has a schedule defined, press "Ctrl" and click the Schedule icon next to the rule name.

4.3 To open the Microsoft Active Directory Import Rule Task Runs report, press "Ctrl" and click the status icon on the right corner of the rule caption.

AD_status_icon.png

How to disable TLS 1.0 and TLS 1.1 in Mobility Suite.


To further harden a Mobility Suite environment, TLS 1.0 and TLS 1.1 can be disabled, leaving all SSL communication using only TLS 1.2, which is more secure. The steps to disable TLS 1.0 and TLS 1.1 are as follows:

1. Navigate to '/usr/local/nukona/etc/nginx/conf.d/' using the Linux Terminal on the Mobility Suite Front End.

cd /usr/local/nukona/etc/nginx/conf.d/

tlsv1_0.png

2. Access the 'appstore_cu.conf' file for editing.

vi appstore_cu.conf

tlsv1_1.png

3. Navigate to the entry labeled 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' and type 'i' to enter insert mode, then remove the TLSv1 and TLSv1.1 entries.

i

tlsv1_2.png

4. Press the 'Escape' key and type ':wq' to save the edits to the file.

:wq

tlsv1_3.png

5. Restart the Mobility Suite's nginx service by typing in 'sudo service mm-nginx restart'.

sudo service mm-nginx restart

tlsv1_4.png

Once the service starts back up, the environment will no longer accept TLS 1.0 and TLS 1.1 connections.
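The edit from steps 3 and 4 as a script, with an audit function that confirms the result before the service is restarted. This is an added example, not Symantec tooling and not part of the original article; the function names, the `tls_audit.sh` file name and the backup location are assumptions, and it assumes the directive sits on a single line as quoted in step 3.

```shell
#!/bin/sh
# Added example (not Symantec tooling): audit and rewrite the nginx
# ssl_protocols directive so that only TLSv1.2 remains.

# find_weak_tls FILE
# Prints "<line number>: <line>" for every active ssl_protocols directive that
# still lists TLSv1 or TLSv1.1. Returns 0 if at least one was found, 1 if none.
find_weak_tls() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out directive
        /^[ \t]*ssl_protocols[ \t]/ {
            line = $0
            sub(/#.*$/, "", line)                # drop a trailing comment
            n = split(line, tok, /[ \t;]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "TLSv1" || tok[i] == "TLSv1.1") {
                    printf "%d: %s\n", NR, $0
                    found = 1
                    break
                }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# restrict_to_tls12 FILE BACKUP
# Saves FILE to BACKUP, rewrites every active ssl_protocols directive to
# "ssl_protocols TLSv1.2;" and returns 0 only if the audit then comes back
# clean. Choose a BACKUP path outside any directory nginx includes by wildcard.
restrict_to_tls12() {
    conf=$1
    backup=$2
    cp -p "$conf" "$backup" || return 1
    # Writing through the redirect keeps the owner and mode of the live file.
    sed 's/^\([[:space:]]*\)ssl_protocols[[:space:]][^;]*;/\1ssl_protocols TLSv1.2;/' \
        "$backup" > "$conf" || return 1
    ! find_weak_tls "$conf" >/dev/null
}

# Read-only audit when a file is named on the command line, e.g.
#   sh tls_audit.sh /usr/local/nukona/etc/nginx/conf.d/appstore_cu.conf
if [ "$#" -gt 0 ]; then
    if find_weak_tls "$1"; then
        echo "TLS 1.0/1.1 still enabled in $1"
    else
        echo "no TLSv1 or TLSv1.1 entries in $1"
    fi
fi
```

After the restart in step 5, a handshake forced to an old version, for example `openssl s_client -connect <front-end>:443 -tls1_1`, should fail, provided the client's OpenSSL build still offers that version.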
