
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)


Welcome to Part 1 of a three-part series on the terms, technologies and concepts related to Symantec Endpoint Protection (SEP) and Symantec security software. The series describes and explains SEP-related technologies, tools and concepts, with links to the relevant Symantec KB articles. The definitions are based on the official documentation, Symantec KB articles and the SEP Implementation Guides. Comments and ideas on what should be included in the series are welcome. I hope you find it informative.

 

The Series consists of following articles:
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)

 

This first part of the series covers the following terms:

Administrator-defined scans
Anti-MAC Spoofing
Antivirus and Antispyware Protection
Application and Device Control (ADC)
Application learning
BASH
Bloodhound
Browser Intrusion Prevention
Central Quarantine
Centralized Exceptions
Checksum Utility
Cleanwipe
Client / Computer Mode
Client Deployment Wizard
Communication Update Package Deployment
Content Distribution Monitor
Dbvalidator
DevViewer
Disaster Recovery
Doscan
Download Insight
Early Launch Anti-Malware Driver
Embedded Database
Encryption password
Enforcer
Explicit Group Update Provider
File Fingerprint List
File System Auto-Protect
Firewall
Group Update Provider (GUP)

 

Administrator-defined Scans - antivirus/antimalware scans configured on the Symantec Endpoint Protection Manager (SEPM) and delivered to SEP clients through the assigned Virus and Spyware Protection policy. Administrator-defined scans are either scheduled scans or on-demand scans. Scheduled scans run on client computers at configurable intervals. On-demand scans are manual scans that the administrator starts from the management console, using a predefined set of scan settings.

Scheduling an administrator-defined scan
http://www.symantec.com/docs/HOWTO16379
Customizing administrator-defined scans for clients that run on Windows computers
http://www.symantec.com/docs/HOWTO54927

 

Anti-MAC Spoofing - a setting in the Firewall policy (Network Threat Protection, under the Protection and Stealth settings) of Symantec Endpoint Protection. When enabled, the client allows incoming and outgoing Address Resolution Protocol (ARP) traffic only when an ARP request was made to that specific host. All other, unexpected ARP traffic is blocked and an entry is written to the Security log. This defends against ARP cache poisoning, where an attacker sends unsolicited ARP replies to impersonate another host's MAC address.

Detecting potential attacks and spoofing attempts
http://www.symantec.com/docs/HOWTO55408
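The reply-side rule described above, as an added example that is not Symantec's implementation: a small stateful ARP filter that remembers which addresses this host asked for and blocks any inbound reply it did not solicit. The host address, MAC addresses and the ARP events are constructed for the demonstration.

```python
"""Stateful ARP filter modelled on the anti-MAC-spoofing behaviour described
above. Added example, not Symantec's code; the host address and the ARP
events below are constructed for the demonstration."""
from collections import namedtuple

# direction: "out" = sent by this host, "in" = received from the wire
# op: "request" or "reply"
ArpEvent = namedtuple("ArpEvent", "direction op sender_ip sender_mac target_ip")

OWN_IP = "10.0.0.5"  # assumed address of the monitored host


def filter_arp(events, own_ip=OWN_IP):
    """Apply the anti-MAC-spoofing rule to a sequence of ARP events.

    Returns (accepted_events, security_log). An inbound reply is accepted
    only if this host has an outstanding request for that IP; the request is
    then consumed, so a second (poisoning) reply for the same IP is blocked
    and logged instead of overwriting the ARP cache.
    """
    pending = set()   # IPs this host asked about and has not yet heard back from
    accepted, log = [], []
    for ev in events:
        if ev.direction == "out" and ev.op == "request":
            pending.add(ev.target_ip)
            accepted.append(ev)
        elif ev.direction == "in" and ev.op == "reply":
            if ev.sender_ip in pending:
                pending.discard(ev.sender_ip)
                accepted.append(ev)
            else:
                log.append(f"blocked unsolicited ARP reply: {ev.sender_ip} is-at {ev.sender_mac}")
        elif ev.direction == "in" and ev.op == "request":
            # Broadcast requests are normal traffic; we may answer the ones for own_ip.
            accepted.append(ev)
        else:
            accepted.append(ev)   # our own replies to requests we received
    return accepted, log


# Constructed traffic: a legitimate resolution of the gateway, a poisoning
# attempt that re-answers the same request with an attacker MAC, and a peer
# asking for our address.
SAMPLE_EVENTS = [
    ArpEvent("out", "request", OWN_IP, "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpEvent("in", "reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", OWN_IP),
    ArpEvent("in", "reply", "10.0.0.1", "de:ad:be:ef:00:01", OWN_IP),
    ArpEvent("in", "request", "10.0.0.7", "aa:aa:aa:aa:aa:07", OWN_IP),
]

if __name__ == "__main__":
    ok, log = filter_arp(SAMPLE_EVENTS)
    print(f"{len(ok)} events accepted, {len(log)} blocked")
    for line in log:
        print(line)
```

The second reply for 10.0.0.1 is the interesting case: it arrives after the request has already been answered, so it is treated as unexpected traffic and ends up in the log rather than in the ARP cache.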

 

Antivirus and Antispyware Protection - protects computers from viruses and security risks, and in many cases can repair their side effects. The protection includes real-time scanning of files and email as well as scheduled and on-demand scans. Virus and spyware scans detect viruses and the security risks that put a computer, and the network it is on, at risk. Security risks include spyware, adware and other malicious files. Antivirus and Antispyware Protection works together with several other SEP technologies, such as SONAR, File System Auto-Protect, Insight Lookup and Download Insight; Insight reputation lookups let scans skip files that are known to be good, which reduces false positives and improves scan performance.

AV.png

Symantec Endpoint Protection Manager - Antivirus and Antispyware - Policies explained
http://www.symantec.com/docs/TECH104430

 

Application and Device Control (ADC) - is an advanced security feature included in Symantec Endpoint Protection and offers two types of control, or protection, over client computers: application control and device control. Application Control provides administrators with the ability to monitor and/or control the behavior of applications - some of the possible scenarios:
■ Prevent malware from taking over applications
■ Restrict the applications that can run
■ Prevent users from changing configuration files
■ Protect specific registry keys
■ Protect particular folders, such as \WINDOWS\system
Device control manages the hardware devices that access client computers. It can be used in following ways:
■ Block or allow different types of devices that attach to client computers, such as USB, infrared, and FireWire devices
■ Block or allow serial ports and parallel ports
Another part of Application and Device Control is System Lockdown - a feature used to ensure that the system stays in a known and trusted state. Some of the ADC policies were designed to protect against the activities associated with certain particular threats and are recommended for use in outbreak situations.

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
http://www.symantec.com/docs/TECH145973
Symantec Endpoint Protection Manager - Application and Device Control (ADC) - Policies explained
http://www.symantec.com/docs/TECH104431
How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies
http://www.symantec.com/docs/TECH102525
How to use Application and Device Control to limit the spread of a threat.
http://www.symantec.com/docs/TECH93451
How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage
http://www.symantec.com/docs/TECH97618

 

Application learning - allows Symantec Endpoint Protection (SEP) clients to report information and statistics about the executables that run on them. The information is sent to the SEPM and collected in the SEPM database. Its purpose is to build a list of the applications known in an environment, which can then be used to create application-based firewall rules and Host Integrity (HI) rules, and as a reference when creating Centralized Exceptions for applications.

How to set up learned applications in the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH102994
Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH134367

 

BASH (Behavioural Analysis and System Heuristics) - an underlying technology for a number of SEP 12.1 features; it is not limited to Proactive Threat Protection or SONAR. The SEP components that rely heavily on BASH are Tamper Protection, Suspicious Behaviour Detection/System Change Detection, SONAR and Reputation Submissions.

 

Bloodhound - is a component of a heuristic protection. Bloodhound isolates and locates the logical regions of a file to detect a high percentage of unknown viruses. Bloodhound then analyzes the program logic for virus-like behavior.

What is the difference between the Bloodhound and Proactive Threat Protection (TruScan) technologies?
http://www.symantec.com/docs/TECH92436
How to enable, disable, or configure Bloodhound(TM) heuristic virus detection in Symantec Endpoint Protection.
http://www.symantec.com/docs/TECH92424

 

Browser Intrusion Prevention (BIPS) - an advanced protection feature introduced with the SEP 12.1 client. It works in conjunction with, but separately from, the Client Intrusion Detection System (CIDS) used by the firewall-based IPS engine of the client. BIPS uses IPS attack signatures as well as heuristics to detect attacks directed at browser vulnerabilities. It monitors attacks on Internet Explorer and Firefox only; no other browsers are supported.

Expected behavior of Browser Intrusion Prevention
http://www.symantec.com/docs/TECH172174
How intrusion prevention works
http://www.symantec.com/docs/HOWTO81344
Supported Browser versions for Browser Intrusion Prevention
http://www.symantec.com/docs/TECH174537

 

Central Quarantine - a central static repository of detected threats to which SEP clients can forward infected items from their own local Quarantine. The Central Quarantine consists of two components: the Quarantine Server and a Microsoft Management Console (MMC) snap-in. It provides a single place to collect all quarantined items on the network. Quarantined items can all be viewed from the console, and they are automatically submitted to Symantec Security Response. The Central Quarantine is entirely optional: under normal circumstances SEP and SEPM handle quarantined items on their own. The Central Quarantine Server and the client console require separate installations; the installers can be found in the Part2_Tools.exe image attached to the SEP installation media.

Symantec™ Central Quarantine Implementation Guide
http://www.symantec.com/docs/DOC3258
Installing and configuring the Central Quarantine
http://www.symantec.com/docs/TECH105496
Setting up Symantec Endpoint Protection clients to forward infected files to a Central Quarantine Server.
http://www.symantec.com/docs/TECH104755
Installing the Quarantine Server
http://www.symantec.com/docs/HOWTO26760

 

Centralized Exceptions - are part of the Centralized Exceptions policy and exclude specific items from future detection by the different SEP scan components, such as antivirus scans, TruScan, SONAR and even Tamper Protection. Items that can be excluded include known security risks, file extensions, files and folders.

centralized.gif

Symantec Endpoint Protection Manager - Centralized Exceptions - Policies explained
http://www.symantec.com/docs/TECH104432
Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11
http://www.symantec.com/docs/TECH104326

 

Checksum Utility - utility used to create a file fingerprint list. The list contains the path and the file name and corresponding checksum for each executable file or DLL that resides in a specified path on the computer. The utility is installed with Symantec Endpoint Protection on the client computer and offers an alternative to some other available third-party tools.

Creating a file fingerprint list with checksum.exe
http://www.symantec.com/docs/HOWTO81199

 

Cleanwipe - a tool used to prepare or clean any supported Windows computer before a Symantec Endpoint Protection installation. CleanWipe should be used as a last resort, after all other means of preparing or cleaning a computer for the installation have failed. It may also be used to clean up and remove corrupted SEP installations. Software currently supported by the CleanWipe tool: SEP/SEPM, SNAC, SAV, Symantec Client Security, SPC and Windows LiveUpdate. The tool may be obtained only directly from Symantec Support.

cleanwipe.png

New Cleanwipe version is introduced for SEP 12.1 RU2
https://www-secure.symantec.com/connect/articles/new-cleanwipe-version-introuduced-sep-121-ru2

 

Client / Computer Mode - the two modes (user mode and computer mode) that define how policies are applied to the clients in a group. If the client software runs in user mode, the client computer gets the policies of the group of which the logged-on user is a member. If the client software runs in computer mode, the client computer gets the policies of the group of which the computer is a member.

About user mode and computer mode
http://www.symantec.com/docs/HOWTO27008

 

Client Deployment Wizard - a GUI-based SEPM wizard that helps to quickly locate unprotected computers on which the client software needs to be installed. The wizard also provides an email deployment link so that users can download the client software over the web. Other deployment options are a push deployment of the installation package over the network and export of the installation package as an .exe or .msi installer.

client_deploy.png

How to install clients using "Client Deployment Wizard" in the Symantec Endpoint Protection Manager 12.1
http://www.symantec.com/docs/TECH164308

 

Communication Update Package Deployment - a feature introduced in SEPM 12.1 RU2 that allows the communication settings (sylink.xml) to be deployed remotely to SEP clients directly from SEPM. It is an automated mechanism replacing the older sylink replacement methods such as the SylinkDrop and Sylink Replacer tools. The feature is useful for large numbers of computers, for computers that cannot easily be accessed physically, and for computers that require administrative access.

Restoring client-server communications with Communication Update Package Deployment
http://www.symantec.com/docs/HOWTO81109
SEP 12.1 RU2 and Reset Client Communication
https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-reset-client-communication

 

Content Distribution Monitor - a utility used to monitor the health and status of the Group Update Providers in the environment, as well as their general content distribution. It is a lightweight, stand-alone tool designed to be run directly on the Symantec Endpoint Protection Manager (SEPM) server, and returns a graphical display of the content distribution status.

GUP_monitor.png

SEP Content Distribution Monitor / GUP monitoring tool.
http://www.symantec.com/docs/TECH156558
SEP Content Distribution Monitor (for GUP health-checking)
https://www-secure.symantec.com/connect/downloads/...
SEP Content Distribution Monitor - Introduction
https://www-secure.symantec.com/connect/videos/sep-content-distribution-monitor-introduction

 

Dbvalidator - a tool (DBValidator.bat) used to find broken database objects and broken links in the SEPM database.

How to use the Database Validation tool (DBValidator.bat) for Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO39461
How to use the Validation Tool for the Symantec Endpoint Protection Manager Database.
http://www.symantec.com/docs/TECH104892

 

DevViewer - tool used to view the devices on a client computer and obtain the class IDs or device IDs of them. This ID is needed when creating or editing Application and Device Control Policies. DevViewer can be found on CD2 of the SEP Installation media under ...Tools\NoSupport\DevViewer.

devviewer.png

DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH103401

 

Disaster Recovery - the set of procedures to follow in case of hardware failure or database corruption. The steps differ depending on the SEPM version and the database type used. In general they include backing up the database and the configuration files up front, and later restoring SEPM, the database, the server certificates and client communication.

Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH160736
Symantec Endpoint Protection 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH102333

 

Doscan - a tool that runs quick or scheduled SEP client scans from the command prompt, batch scripts or the Windows Task Scheduler. DoScan is not a separate scanner: it uses the same scan engine built into SEP, so Auto-Protect must be enabled on the SEP client for it to run. DoScan.exe is located directly in the SEP installation folder and does not require a separate download.

doscan.jpg

DoScan.exe – SEP Antivirus scans from Command Prompt – Introduction
https://www-secure.symantec.com/connect/articles/d...
How to run a scan from a command line using Symantec Endpoint Protection using DoScan.exe
http://www.symantec.com/docs/TECH104287

 

Download Insight - an advanced protection feature introduced with the SEP 12.1 client. Download Insight (DI) is part of Auto-Protect. It lets the SEP client leverage Symantec's cloud-based reputation database when files are downloaded or executed directly from popular web browsers, instant messaging clients and other portals. Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Windows Live Messenger and Yahoo Messenger. Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only on clients that run on Windows computers.

DI.png

Expected behavior of Download Insight
http://www.symantec.com/docs/TECH171776
Managing Download Insight detections
http://www.symantec.com/docs/HOWTO55252
Customizing Download Insight settings
http://www.symantec.com/docs/HOWTO55253

 

Early Launch Anti-Malware Driver - works with the Microsoft ELAM driver to protect computers in the network when they start up, before third-party drivers initialize. The settings are supported on Microsoft Windows 8. Malicious software can load as a driver, and rootkits may attack before the operating system has loaded completely and Symantec Endpoint Protection has started. Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.

Managing early launch anti-malware (ELAM) detections
http://www.symantec.com/docs/HOWTO81107
Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options
http://www.symantec.com/docs/HOWTO81106

 

Embedded Database - the database that stores security policies and events. It is installed on the computer that hosts Symantec Endpoint Protection Manager. The embedded database is a Sybase SQL Anywhere database and is the alternative to a remote Microsoft SQL Server database, which SEPM also supports. The embedded database does not require configuration and is the easiest to install. It supports up to 5,000 clients.

Maintaining the database
http://www.symantec.com/docs/HOWTO55337
Symantec Endpoint Protection Manager 12.1.2 Database Schema
http://www.symantec.com/docs/DOC6039

 

Encryption password - the password that encrypts communication between the Symantec Endpoint Protection Manager, its clients and optional Enforcer hardware devices. The password can be 1-32 alphanumeric characters and is required. The encryption password cannot be changed or recovered after the database has been created, and it is needed for disaster recovery, so store it safely. During a default SEPM installation the administrator password entered is also used as the encryption password. Changing the administrator's password later does not change the encryption password.

The Encryption Password and Symantec Endpoint Protection 11 (SEP11)
http://www.symantec.com/docs/TECH93119

 

Enforcer - a Symantec Network Access Control component, available as a hardware appliance or as software, that enforces policy compliance in one of three ways: Gateway Enforcer, DHCP Enforcer or LAN Enforcer. Enforcers authenticate clients to ensure that they run the Symantec agent and comply with the Host Integrity rules. A Gateway Enforcer enforces at access points for external computers that connect remotely through a VPN, wireless LAN or Remote Access Server (RAS). A LAN Enforcer enforces for internal clients that connect to the LAN through a switch that supports 802.1x authentication. A DHCP Enforcer enforces for internal clients that gain access to the LAN by receiving a dynamic IP address from a Dynamic Host Configuration Protocol (DHCP) server.

Symantec Network Access Control 11.0 LAN Enforcement Overview
http://www.symantec.com/docs/TECH102536
Symantec Network Access Control 11.0 Gateway Enforcement Overview
http://www.symantec.com/docs/TECH102537
Configuring a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO81652

 

Explicit Group Update Provider - a type of Group Update Provider (GUP) included since SEP 12.1 RU2. It allows the configuration of an explicit list of Group Update Providers that clients can use to connect to Group Update Providers on subnets other than the client's own. It is especially recommended for roaming clients.

About the types of Group Update Providers
http://www.symantec.com/docs/HOWTO80957
Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2
http://www.symantec.com/docs/TECH198640
SEP 12.1 RU2 And Explicit Group Update Providers
https://www-secure.symantec.com/connect/articles/s...
What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?
http://www.symantec.com/docs/TECH196741

 

File Fingerprint List - consists of a list of checksums, one for each application on a client computer. It includes the complete file paths of those applications. You can create a file fingerprint list from a software image that includes all the applications that you want to allow users to run. You can manage file fingerprint lists in Symantec Endpoint Protection Manager and use them in your system lockdown configuration. To create a file fingerprint list, you can use the Checksum.exe utility. The utility is installed along with Symantec Endpoint Protection on the client computer.

Creating a file fingerprint list with checksum.exe
http://www.symantec.com/docs/HOWTO81199
Managing file fingerprint lists
http://www.symantec.com/docs/HOWTO55133
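The Checksum Utility and File Fingerprint List entries above describe the same workflow: hash every executable and DLL under a path, keep the list, and later allow only binaries whose hash is on it. The following added example (not Symantec's checksum.exe, and not part of the original article) builds such a list, writes it out, reads it back and performs the lockdown check; it assumes the list layout is one "md5 path" line per file, so compare against a real checksum.exe list before importing one into SEPM. The sample software image is constructed in a temporary directory.

```python
"""Build and check a file fingerprint list the way checksum.exe does for
system lockdown: one '<md5> <full path>' line per executable or DLL under a
root directory. Added example, not Symantec's utility; the hash-then-path
line layout is an assumption, and the sample image is constructed."""
import hashlib
import os
import tempfile

EXEC_EXTENSIONS = (".exe", ".dll")


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 (the digest checksum.exe lists)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_fingerprint_list(root):
    """Return [(hash, path), ...] for every .exe/.dll under root, sorted by path."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_EXTENSIONS):
                full = os.path.join(dirpath, name)
                entries.append((md5_of_file(full), full))
    return sorted(entries, key=lambda e: e[1])


def write_fingerprint_list(entries, out_path):
    """Write the list in the assumed 'hash path' text layout."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for digest, path in entries:
            fh.write(f"{digest} {path}\n")


def load_fingerprint_list(list_path):
    """Parse a list back into a {hash: path} mapping."""
    allowed = {}
    with open(list_path, encoding="utf-8") as fh:
        for line in fh:
            digest, _, path = line.rstrip("\n").partition(" ")
            if digest:
                allowed[digest.lower()] = path
    return allowed


def is_allowed(allowed, path):
    """Lockdown check: a binary may run only if its hash is on the list.
    The file is hashed again rather than trusted by name, so a modified
    binary with the original name is rejected."""
    return md5_of_file(path) in allowed


def demo():
    """Constructed software image: two binaries, one non-executable file,
    plus a tamper with one binary after the list was generated."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    app = os.path.join(root, "bin", "app.exe")
    with open(app, "wb") as fh:
        fh.write(b"abc")             # md5 900150983cd24fb0d6963f7d28e17f72
    with open(os.path.join(root, "helper.DLL"), "wb") as fh:
        fh.write(b"MZ helper")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not code")         # must not appear in the list

    list_path = os.path.join(root, "fingerprints.txt")
    entries = build_fingerprint_list(root)
    write_fingerprint_list(entries, list_path)
    allowed = load_fingerprint_list(list_path)

    before = is_allowed(allowed, app)
    with open(app, "ab") as fh:
        fh.write(b"\x90")            # modify the binary after listing
    after = is_allowed(allowed, app)
    return entries, before, after


if __name__ == "__main__":
    entries, before, after = demo()
    for digest, path in entries:
        print(digest, path)
    print("app.exe allowed before tamper:", before, "after:", after)
```

The point of the last two checks is that a fingerprint list protects against content changes, not name changes: the same app.exe passes until a single byte is appended, after which its hash no longer appears in the list.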

 

File System Auto-Protect - a type of ongoing, or background, scan that provides real-time protection for the files on your computer. Whenever files are accessed, copied, saved, moved, opened or closed, Auto-Protect scans them to ensure that no threat or security risk is present. Depending on the policy settings, Auto-Protect offers several actions for mitigating a detected threat: Clean risk, Quarantine risk, Delete risk or Leave alone.

What is Auto-Protect ?
http://www.symantec.com/docs/TECH94990

 

Firewall - a feature that is part of Network Threat Protection in SEP. The firewall allows or blocks network traffic based on the criteria that the administrator sets. If the administrator permits it, end users can also configure firewall settings. The firewall performs the following tasks:
■ Prevents unauthorized users from accessing the computers and networks in your organization that connect to the Internet
■ Monitors the communication between your computers and other computers on the Internet
■ Creates a shield that allows or blocks attempts to access the information on your computers
■ Warns you of connection attempts from other computers
■ Warns you of connection attempts by the applications on your computer that connect to other computers
The Symantec Endpoint Protection firewall uses firewall policies and rules to allow or block network traffic. Symantec Endpoint Protection includes a default Firewall policy with default firewall rules and firewall settings for the office environment. Firewall rules control how the client protects the client computer from malicious inbound traffic and malicious outbound traffic. The firewall checks every inbound and outbound packet against these rules, in order, and allows or blocks the packet based on the first rule that matches; stateful inspection additionally allows the return traffic of a connection the client initiated without requiring a separate inbound rule.
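The rule evaluation and stateful inspection described above, as an added example that is not the SEP firewall engine and not part of the original article: rules are tried top to bottom, the first match wins, and allowed outbound flows are recorded so that their replies pass even though a later rule blocks all inbound traffic. The policy and the packets are constructed.

```python
"""First-match firewall rule evaluation with a state table for return traffic,
modelled on the description above. Added example, not the SEP engine; the
rules and packets are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    proto: str            # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: str                    # "in", "out" or "any"
    proto: str = "any"
    remote_port: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and (self.remote_port is None or self.remote_port == p.remote_port))


class StatefulFirewall:
    """Rules are evaluated top to bottom; the first match decides. Allowed
    outbound flows are remembered so their replies pass without an inbound
    rule, which is what stateful inspection adds over plain packet filtering."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (proto, local_port, remote_ip, remote_port)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.local_port, p.remote_ip, p.remote_port)

    def decide(self, p: Packet):
        """Return (action, reason) for one packet."""
        if p.direction == "in" and self._key(p) in self.flows:
            return "allow", "return traffic of an established flow"
        for n, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.flows.add(self._key(p))
                return rule.action, f"rule {n}"
        return "block", "no rule matched (default deny)"


# Constructed office-style policy: web and DNS out, everything inbound blocked.
SAMPLE_RULES = [
    Rule("allow", "out", "tcp", 443),
    Rule("allow", "out", "udp", 53),
    Rule("block", "in"),
]

# Constructed packets: an HTTPS request, its reply, a forged "reply" from a
# host we never talked to, and an outbound SMTP attempt that no rule permits.
SAMPLE_PACKETS = [
    Packet("out", "tcp", 51000, "203.0.113.10", 443),
    Packet("in", "tcp", 51000, "203.0.113.10", 443),
    Packet("in", "tcp", 51000, "198.51.100.9", 443),
    Packet("out", "tcp", 51001, "203.0.113.25", 25),
]


def run_sample():
    """Evaluate the sample packets, in order, against the sample policy."""
    fw = StatefulFirewall(SAMPLE_RULES)
    return [fw.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.direction:>3} {pkt.proto} {pkt.remote_ip}:{pkt.remote_port} -> {action} ({why})")
```

Rule order is what makes this work: if the inbound block rule were evaluated before the state table, the HTTPS reply would be dropped, and if an "allow in tcp 443" rule were added instead, the forged packet from 198.51.100.9 would get through as well.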

fw.png

About the Symantec Endpoint Protection firewall
http://www.symantec.com/docs/HOWTO55247
Symantec Endpoint Protection Manager - Firewall - Policies explained
http://www.symantec.com/docs/TECH104433
Managing firewall protection
http://www.symantec.com/docs/HOWTO55053
How a firewall works
http://www.symantec.com/docs/HOWTO55054
How the firewall uses stateful inspection
http://www.symantec.com/docs/HOWTO55098
About firewall rules
http://www.symantec.com/docs/HOWTO55261
About inherited firewall rules
http://www.symantec.com/docs/HOWTO55483

 

Group Update Provider (GUP) - a client computer designated to distribute content updates locally to other clients, usually within a specified subnet only, although when correctly configured it can also provide updates across subnets. A Group Update Provider downloads content updates from the SEPM server only and distributes them to clients. It helps to conserve bandwidth by localizing content distribution; there are also settings for throttling the bandwidth available for content downloads from SEPM to a GUP. A GUP can only distribute content updates (definitions) and does not distribute product updates such as a new version of the SEP installer. Depending on the settings it is possible to specify either a single GUP or multiple GUPs for a specific group of clients. Newer SEP versions also offer a new GUP implementation, the Explicit Group Update Provider.

gup.png

Best Practices and Troubleshooting for Group Update Providers
https://www-secure.symantec.com/connect/blogs/best...
Group Update Provider: Sizing and Scaling Guidelines
http://www.symantec.com/docs/TECH95353
Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)
http://www.symantec.com/docs/TECH93813
Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later
http://www.symantec.com/docs/TECH96419
About the types of Group Update Providers
http://www.symantec.com/docs/HOWTO80957

 


How to open an archived item


ai-01.jpg

Opening an Exchange/Outlook email which has been archived by Enterprise Vault might seem to some people like the simplest thing to do in the entire universe. There are a number of different things at play though, so in this article I will describe several ways that archived items can be opened, and what might be 'different' in each situation or case.

- Double click

This is the classic way to open an archived item, provided of course that the archived item in the mailbox was replaced by a shortcut. With the introduction and adoption of things like Virtual Vault, shortcuts are no longer created in every case. Needless to say, double clicking on a shortcut in Outlook is quite likely the most natural way for people to open archived items.

It's not the only way that you can double click on an item though - you can do this in OWA, Windows Explorer (via searching with Windows Search), Office 2011 for Mac, and more!  Double click is almost everywhere because of the different extensions, or add-ins, that Enterprise Vault provides.   These add-ins and extensions intercept or enhance the functionality, and, in most cases, handle the retrieval of the 'full' item based on information in the shortcut.

- Forward an archived item

ai-02.jpg

If you click on a shortcut, and then click on 'Forward', the Enterprise Vault Outlook Add-in will retrieve the item and put it in the message that is being forwarded. This is important because you may be forwarding the mail to someone inside your organisation who is not an Enterprise Vault user, or to someone outside your organisation.

Like the 'double click' description above, it is also possible to invoke this type of opening of an item from applications other than Outlook; again this is made possible by the add-ins and extensions which come with Enterprise Vault.

- Search and open

The Enterprise Vault Outlook Add-in has an 'integrated' search feature which lets end users search archived items. The result list shows just a snippet of each email; when you've located the one you want to see more of, you single click the link and the full item is retrieved and displayed. This is what I would call 'Search and open'. It's quite common if you're looking for something that is old and archived. For example, if you know that everything over 6 months old is archived, then searching is the best way to find it, and it doesn't rely on the shortcut being in the mailbox, because the search takes place against the archive on the server, with the result list returned to the end user.

- Browser Search and open

Some end users prefer to use Browser Search, perhaps because it has more powerful searching and filtering possibilities. Just like the 'integrated' search I mentioned above, when you look at the list of results you have the option to click one of them and view it, and there is a 'view original item' link which will open the full original item for you.

- Archive Explorer and open

Another way that people open an archived item is to use Archive Explorer. This is an inbox/mailbox type interface into your archived items, and when you double click on an item in Archive Explorer it will be retrieved for the end user. There are also options when right clicking an item to move or copy it to a folder in the mailbox; this will also cause a retrieval.

- Virtual Vault

ai-03.jpg

Virtual Vault is used by many people and, depending on the policy settings, opening an item from inside Virtual Vault will result in the item being retrieved and displayed to the user. If the item is already in the content cache, i.e. Vault Cache, then it will be retrieved from Vault Cache on local disk rather than downloaded from the Enterprise Vault server.

- Vault Cache

Very similar to the above description is opening an item from Vault Cache. This doesn't have to be from inside Outlook though; it can be from the Start menu in Windows 7, for example.

What happens with regard to Vault Cache and Virtual Vault depends on various policy settings, which I won't get into in this article. Needless to say, you'll either have 'all' the archived content, or none, or store-opened-items. This last one is quite interesting. It means that initially nothing is stored locally; there is only the MDC file (the virtual vault, aka metadata cache). When an item is retrieved it is stored locally, not thrown away. This means that if the same item is retrieved again, via another double click, even several days or weeks later, the item will come from Vault Cache rather than from the Enterprise Vault server. It's an interesting policy to consider.

Many hats

As you can see, opening an archived email can take many different forms. There is no 'right' or 'wrong' way in my mind, but users may or may not know about the different possibilities. In fact, you might find that users don't know about many of these options; perhaps you can help educate them with training sessions highlighting some of them. These different ways of opening archived items are made possible by the various 'extensions' to Enterprise Vault: the Enterprise Vault Outlook Add-in, the OWA Add-in, the Mac Add-in, and so on. If you don't have all of these installed and configured, some of these options won't be available to your end users.

Have you encountered an odd twist in the listed items? Have I missed any out? Let me know in the comments below...

ServiceDesk VIP Field Set Automatically from AD Group


Here is an automatic way to mark Affected Users with the VIP field in ServiceDesk 7.5, with these caveats:

  • We have one team that creates and maintains Active Directory (AD) user accounts.
  • We also have a simple rule on who gets a VIP flag (the CEO and two levels of reports), so it is easy, looking at the organizational chart, to determine who should be a member of the AD security group.

Building on one process that can be accomplished in Helpdesk v6:
http://www.symantec.com/connect/articles/give-your-companys-upper-management-vip-helpdesk-status-they-deserve.

HOW WE DID IT:

1. Create an Active Directory (AD) Security Group  (for this example, the name is SymantecServiceDeskVIPs)

2. Run the Active Directory sync and import the groups into ServiceDesk from the specific OU where the new security group was created.
 ServiceDesk > Admin > Active Directory > Sync Profiles > YOUR AD Sync Profile

3. Find the group and verify that the users are in the AD group that has been imported into ServiceDesk.
 ServiceDesk > Admin > Users > Accounts > List Groups > search for name: SymantecServiceDeskVIPs

NOTE:  Click 'Edit Group' on SymantecServiceDeskVIPs > copy "Group ID" GUID.  You will need this later.

4. On your SMP, Create an Automation Policy (Manage > Policies > Automation Policies)

 Name:  Scottrade ServiceDesk Set VIP from AD Group Policy
 Schedule:  Repeat every 1 day (time scheduled AFTER AD import runs)
 Data Source:  Raw SQL Query

              USE processmanager75  --(OR WHATEVER YOU CALLED YOUR SERVICEDESK DATABASE)
              UPDATE [User]
              SET [User].VIP = 1
              FROM processmanager75.dbo.[User]
              WHERE [UserID] IN
                  -- the lookup table already carries the UserID, so no join against [User] is needed
                  (SELECT UR.[UserID] FROM [UserReferenceIDLookup] UR
                   WHERE UR.[ReferenceID] = 'e06e07f8-04f5-11e3-b407-005056a45ffe') --YOURDOMAIN\SymantecServiceDeskVIPs GUID

5. Log in to your ServiceDesk and create a new report that lists the VIP users:
ServiceDesk > More > Reports > Incident Management folder > Add Report icon in the top right.

 Name:  VIP Users List
 On User table, select fields: First, Last, DisplayName, VIP.


This is what the auto generated report SQL looks like:
             select
                 UserTable.FirstName as [UserTable.FirstName],
                 UserTable.LastName as [UserTable.LastName],
                 UserTable.DisplayName as [UserTable.DisplayName],
                 UserTable.VIP as [UserTable.VIP]
             from
                 [User] as UserTable with (NOLOCK) left outer join
                 UserAddress as UserAddress0 with (NOLOCK) on
                     ((UserTable.UserID = UserAddress0.UserID))
             where
                 ('3DCA0263-D5EF-48ae-BF96-A161989DFB8E' = '3DCA0263-D5EF-48ae-BF96-A161989DFB8E' and
                 UserTable.AccountActive = 'True' and
                 UserTable.VIP = 'True' and
                 UserTable.DisplayName like '%%')
             order by
                 [UserTable.VIP] asc

NOTE:  When you run the report, it should match the number you viewed in the imported Security Group.


6. As a bonus, we were also worried about someone editing a user, or creating a user manually, and making them VIP without anyone knowing. So we created another Automation Policy to take *away* VIP status *IF NOT* in the AD Security Group.

7. On your SMP, create a second Automation Policy (Manage > Policies > Automation Policies)

 Name: ServiceDesk Remove VIP field if NOT in Security Group
 Schedule:  Repeat every 1 day (time scheduled AFTER AD import runs)
 Data Source:  Raw SQL Query

             USE processmanager75        --(OR WHATEVER YOU CALLED YOUR SERVICEDESK DATABASE)
             UPDATE [User] SET [User].VIP = 0
             FROM processmanager75.dbo.[User]
             WHERE [UserID] NOT IN
                 -- select the UserID straight from the lookup table: a LEFT JOIN against [User] can
                 -- return NULL, and a single NULL inside NOT IN (...) makes this UPDATE touch no rows
                 (SELECT UR.[UserID] FROM [UserReferenceIDLookup] UR
                  WHERE UR.[ReferenceID] = 'e06e07f8-04f5-11e3-b407-005056a45ffe' --YOURDOMAIN\SymantecServiceDeskVIPs GUID
                    AND UR.[UserID] IS NOT NULL)

Hope this article helps take one small process off your plate.

How to utilize SEP 12.1 for Incident Response - PART 2


In continuation from my previous article, this one looks at using SEP 12.1 System Lockdown in blacklist mode to stop a malicious file from spreading on your network. For System Lockdown to work properly, you need to have the Application and Device Control component installed.

You do not, however, need to have an ADC policy assigned to the group the machines reside in that will use this feature.

Moving on, did you know System Lockdown has a Blacklist mode? If not, let's get started.

When you go into the System Lockdown settings, blacklist mode does not appear.

How do we make it appear? Stop the SEPM service and navigate to: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc and open the conf.properties file in a text editor. Add the following line at the end of the file:

scm.systemlockdown.blacklist.enabled=1

Save the changes and restart your SEPM service. Blacklist mode should now appear.

Much better. The objective of Blacklist mode is to block any file(s) that are in the Unapproved Applications list.

This can be utilised in the event of an attack and/or outbreak on your network. For instance, you notice a suspicious file appearing on multiple PCs but have no idea where it came from. It appears to be opening other suspicious processes. SEP is up to date, and running a full scan reveals no infections. You upload the suspicious file to multiple virus checker websites and only one or two say that it is malicious. You decide to use System Lockdown in blacklist mode to stop it from spreading until you can figure out exactly what is going on.

Enable Blacklist Mode, enable System Lockdown, and add the filename to the Unapproved Applications list. Click OK and ensure your clients update their policy.

When the file attempts to execute, it will be stopped dead in its tracks.

This is a quick and dirty way, but very useful for incident response, and it will allow you to quickly get a handle on the situation. Bear in mind that a match on the filename alone will not catch a renamed copy of the same file.

I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged.

Brian

Pit-Stop for Symantec Workspace Virtualization Release Information


Which friendly version name corresponds to my SWV build number?
Where are the Release Notes for a specific SWV version?
Where is the Admin/User Guide for a specific SWV version?

Here it is!

| Build Number | Friendly Version                                                              | Release Notes | Guide/Documents |
|--------------|-------------------------------------------------------------------------------|---------------|-----------------|
| 6.1.4013     | Symantec Workspace Virtualization 6.1 GA Release                              |               |                 |
| 6.1.4108     | Symantec Workspace Virtualization 6.1 Maintenance Pack 1                      | DOC1758       | N/A             |
| 6.1.5104     | Symantec Workspace Virtualization 6.1 Service Pack 1                          | DOC1886       | N/A             |
| 6.1.5114     | Symantec Workspace Virtualization 6.1 Service Pack 1 Maintenance Pack 1       | DOC1992       | N/A             |
| 6.2.1562     | Symantec Workspace Virtualization 6.1 Service Pack 4                          | DOC2158       | DOC85091        |
| 6.3.2046     | Symantec Workspace Virtualization 6.1 Service Pack 6                          | DOC3208       | DOC85092        |
| 6.3.2059     | Symantec Workspace Virtualization 6.1 Service Pack 6 Maintenance Pack 1       | DOC3208       |                 |
| 6.4.1266     | Symantec Workspace Virtualization 6.1 Service Pack 7                          | DOC3714       | DOC2406         |
| 6.4.1346     | Symantec Workspace Virtualization 6.1 Service Pack 7 Maintenance Pack 1       | DOC4600       | DOC4602         |
| 6.4.1550     | Symantec Workspace Virtualization 6.1 Service Pack 7 Maintenance Pack 2       | DOC4904       | DOC4906         |
| 6.4.1603     | Symantec Workspace Virtualization 6.1 Service Pack 8                          | DOC5342       | DOC5339         |
| 6.4.1711     | Symantec Workspace Virtualization 6.1 Service Pack 8 Maintenance Pack 1       | DOC5810       |                 |
| 6.4.1895     | Symantec Workspace Virtualization 6.1 Service Pack 8 Maintenance Pack 2       | DOC6424       |                 |
| 7.5.522      | Symantec Workspace Virtualization 7.5 GA Release                              | DOC6672       | DOC6666         |

Note: This article lists only builds released to the public as a GA release. If you have a build not listed here, it was provided either as a test build or as a one-of-a-kind fix (one-off) not intended for distribution to the general public. Hotfix (HF) builds are also NOT listed here.

****Next Article to help with Symantec Workspace Streaming Release Archive****

SEP 12.1 Firewall - How to Block RDP while allowing only specific connections


This article will go into some detail on how to block RDP while allowing only specific connections using the SEP 12.1 firewall. This is also applicable to SEP 11.x.

Often times, a request comes in to block the RDP protocol for a group of machines but allow it to one "special" machine. Here's how we can accomplish that.

First, we need to add a Network Service. Log in to your SEPM and go to Policies >> Policy Components >> Network Services >> Add a Network Service.

Add the necessary info for the RDP protocol. RDP works over TCP 3389.

Once finished, click OK to save your work. You now have a new network service added for RDP.

Now, you need to create the rules to block/allow RDP. You can either create a new firewall policy or edit your existing one. For this article, I started with a new one.

Let's first start by adding the "Block ALL RDP" rule:

  1. In your firewall policy, click Add Rule.
  2. Give it a name, click Next.
  3. Tick the radio button for Block connections, click Next.
  4. Tick the radio button for Only the applications listed below, click Add.
  5. Add the RDP client filename, mstsc.exe, click OK.
  6. Select Any computer or site so all computers and sites will be blocked from using RDP, click Next.
  7. Add the RDP network service that you created earlier.
  8. Tick the radio button for Yes to create a log entry, click Finish.

The Block ALL RDP rule will be placed at the top.

Now, to create our Allow Specific RDP exclusion:

  1. Add another rule and give it a name, click Next.
  2. Tick the radio button for Only the applications listed below, click Add.
  3. Add the RDP client filename, mstsc.exe, click OK.
  4. Now we need to add the computer we want to allow RDP access to. Tick the radio button for Only the computers and sites listed below, click Add. You have a few options to choose from, but I will add it by IP address.
  5. Add the RDP network service that you created earlier.
  6. Tick the radio button for Yes to create a log entry, click Finish.

Move the Allow Specific RDP rule to the top, above the Block rule that you created. Because the SEP firewall evaluates rules top-down, this ensures that only the PC you specified as an exception can be RDP'd to from the protected machines. Note that both rules match the RDP client, mstsc.exe, so they govern where these machines may connect to, not inbound RDP sessions to them.


Make sure you save your settings and that the firewall policy is correctly applied to the group.

First, let's attempt to RDP to a random machine. Seems we cannot.

Upon checking the Traffic log, we see an entry confirming our rule is working.

Let's try an RDP to our exception machine: working as expected...

I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged

Brian

Outbound Mail Validation/Verification (Too important to forget about)


Hello,

I wanted to share with you some thoughts and ideas about a common business use case for sending mail that brings a couple of risks which shouldn't be forgotten, as they can have a huge impact on your entire mail infrastructure.

As we are all familiar with common security best practice in mail, we know that we should NOT:

  • be an open email relay!
  • send E-mails with non-existing sender addresses!
  • send E-mails from domains that are not even ours!

Nevertheless, these three items are very often violated, and we don't even know or see it until we experience general problems with our outbound mail flow: massive queues of undelivered messages, complaints about rejected messages, and so on.

The typical use case for these violations starts with a request from a project or another group that needs mail access for their business application. What you then do on your gateways is allow these application servers to send you emails, which you route through your systems. Unlike the common e-mail backend solutions such as Exchange or Domino (sometimes by nature of the system design), the operators and designers of these business applications are familiar with neither email standards nor security standards. This leads to the problem that they will only make sure that their mail can be delivered to your system, at which point their application is "working".

Often forgotten by the application owners are settings like the sender domain or even a valid sender address. On purpose, I don't want to start the discussion about message design in accordance with RFCs or other standards, like MIME declarations and boundaries, or even the quality of the recipient data.

Besides, I also want to mention possibly compromised authorized systems that use your infrastructure for flooding the internet with new spam, which could even be part of a DoS or DDoS attack.

This brings us straight to the point: these application servers are sending the following through your SMTP gateways:

  • E-mails with non-existing sender addresses
  • E-mails with sender domains that are not even yours
  • E-mails with existing sender addresses that are not yours
  • E-mail volumes that lead to your systems being classified as a potential spammer
  • E-mails so poorly designed that a spam filter will drop them

The potential risks are:

  • Bad reputation of your sending IPs or subnets, which harms your entire E-mail infrastructure
  • Being blacklisted by your mail partners, which will impact your entire E-mail flow
  • E-mail rejects due to SPF validation of the sending domain
  • Loss of data when mail partners reply to sender addresses that exist but are outside your address space
  • Accidentally initiating an NDR spam attack or another SMTP-based attack

To address these risks, procedures and processes are often designed that require manual steps; these are sometimes followed but are forgotten over time, which calls for a technical control if you really want to protect your infrastructure from being abused, whether deliberately or accidentally.

Within the Symantec Messaging Gateway you have several possibilities to address these issues, and the following provides step-by-step guidance on how to set them up.

1. Verify your sending domains, as a first improvement, to make sure that only messages from your authorized domains are sent by your systems.

  1. Create a dictionary for authorized sending domains.
  2. Create a Content Control Policy that verifies the sending domain and, if it does not match, bounces the message back to the application server.

Note: you can also enable this policy in pass-through mode (deliver normally), just to monitor and gather statistics on the violations in your environment, for example where malware has taken over authorized systems and is sending spam through your SMTP gateways. Even so, at this level blocking is the best way: if a domain is not yours, you shouldn't be sending for it anyway. (You may already be adding your disclaimer information to such emails today.)

2. Enable the outbound spam filter to verify, as a first instance, whether your mails might look like spam to others.

Note: you can also enable this policy in pass-through mode (deliver normally), just to monitor and gather statistics on the spam you have sent out. This will help you identify sending systems in your infrastructure if you get complaints about your sending behaviour from mail recipients.

3. Enable the outbound throttling capability to prevent your application servers from spamming a receiver who may then blacklist your SMTP gateways, impacting your overall messaging environment.

4. Verify your sending addresses to be fully compliant with regards to the sender/receiver part, as a follow-up to the domain validation in #1. (This is the most difficult part, due to possibly unknown senders.)

  1. Create a dictionary for authorized sending addresses.
  2. Create a Content Control Policy that verifies the sending addresses and, if they do not match, bounces the message back to the application server.
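As an added illustration (not Symantec Messaging Gateway code, and not from the article), here is the logic of the four controls above as a small Python policy evaluator; the domain and address dictionaries, the spam and throttle thresholds, and the sample messages are all constructed.

```python
"""Added illustration (not Symantec Messaging Gateway code) of the four outbound
controls configured above: the authorized-domain dictionary, the outbound spam
verdict, per-sender throttling and the authorized-address dictionary, each
bouncing a message or, in pass-through mode, only recording the violation.

Assumptions (ours): dictionaries, thresholds and sample messages are constructed,
and 'spam_score' stands in for the gateway's outbound spam verdict."""
from collections import Counter, defaultdict
from email.utils import parseaddr

AUTHORIZED_DOMAINS = {"example.com", "mail.example.com"}                   # step 1 dictionary (constructed)
AUTHORIZED_ADDRESSES = {"noreply@example.com", "alerts@mail.example.com"}  # step 4 dictionary (constructed)
SPAM_THRESHOLD = 0.8   # step 2: outbound spam verdict cut-off (invented value)
THROTTLE_LIMIT = 3     # step 3: deliveries per sender per evaluation window (invented value)


def normalize_sender(raw):
    """Return (address, domain) for an envelope sender; domain is None when malformed."""
    _, address = parseaddr(raw)
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return address, None
    return address, domain


def evaluate(msg, sent_counts, monitor_only=False):
    """Verdict for one message: 'deliver', 'bounce:<reason>', 'monitor:<reason>'
    (pass-through mode) or 'defer:throttle'."""
    address, domain = normalize_sender(msg["sender"])
    violation = None
    if domain is None or domain not in AUTHORIZED_DOMAINS:
        violation = "unauthorized-domain"      # step 1: not our domain (or unparsable sender)
    elif msg.get("spam_score", 0.0) >= SPAM_THRESHOLD:
        violation = "outbound-spam"            # step 2: would look like spam to the receiver
    elif address not in AUTHORIZED_ADDRESSES:
        violation = "unauthorized-address"     # step 4: our domain, but not a known mailbox
    if violation and not monitor_only:
        return f"bounce:{violation}"
    # step 3: throttling applies to everything that would otherwise leave the gateway
    if sent_counts[address] >= THROTTLE_LIMIT:
        return "defer:throttle"
    sent_counts[address] += 1
    return f"monitor:{violation}" if violation else "deliver"


def run_policy(messages, monitor_only=False):
    """Evaluate a batch in order, sharing one per-sender counter for the throttle."""
    counts = defaultdict(int)
    return [evaluate(m, counts, monitor_only) for m in messages]


def violation_stats(verdicts):
    """The per-reason statistics that pass-through mode is meant to give you."""
    return Counter(v.split(":", 1)[1] for v in verdicts if ":" in v)


# Constructed outbound traffic, as an application server might hand it to the gateway.
SAMPLE_MESSAGES = [
    {"sender": "App <noreply@example.com>", "spam_score": 0.1},
    {"sender": "root@appserver.internal", "spam_score": 0.0},       # non-existing sender domain
    {"sender": "news@partner-example.net", "spam_score": 0.0},      # a domain that is not ours
    {"sender": "Alerts <alerts@mail.example.com>", "spam_score": 0.2},
    {"sender": "someone@example.com", "spam_score": 0.0},           # our domain, unknown mailbox
    {"sender": "not-an-address", "spam_score": 0.0},                # malformed envelope sender
    {"sender": "noreply@example.com", "spam_score": 0.95},          # spammy content from a valid sender
    {"sender": "noreply@example.com", "spam_score": 0.1},
    {"sender": "noreply@example.com", "spam_score": 0.1},
    {"sender": "noreply@example.com", "spam_score": 0.1},           # fourth delivery in the window: throttled
]

if __name__ == "__main__":
    for monitor in (False, True):
        verdicts = run_policy(SAMPLE_MESSAGES, monitor_only=monitor)
        print("pass-through" if monitor else "blocking", verdicts, dict(violation_stats(verdicts)))
```

Running the same batch in both modes shows why pass-through is only for monitoring: messages that would have bounced are delivered, so they also consume the sender's throttle budget.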

 

Hope this makes sense to you and you can apply it fully or partially, either to your system/application Messaging Gateways or to the full Messaging Gateway infrastructure you have in place.

Please feel free to share your thoughts on this.

Regards,

toby

The screenshots and tests have been made with the SMG 10.5 pre-release that you can find here. (In previous releases the functions should be available, except the outbound throttling capability.)

Netbackup 7.5 - VMware Options short explained


Here is a short overview of the options available in NetBackup for VMware.

VMware Credentials in Netbackup:

  1. Click Media and Device Management > Credentials > Virtual Machine Servers.
  2. Click Actions > New > New Virtual Machine Server.
  3. On the Add Virtual Machine Server dialog, enter the name of a virtual machine server (vCenter server or ESX server).

Note: NetBackup needs the ESX or vCenter credentials so that it can create and access the virtual machine snapshots.

VMware backup host

  • Backup Media Server: This option allows a Windows media server that is selected in the policy to operate as the backup host. (Selection of the media server is determined by the specified storage unit.) To operate as the backup host, the Windows media server must contain NetBackup client software.
    Note: The storage unit that is specified in the policy must be unique to your Windows media servers. If the storage unit is also available on a UNIX media server, the snapshot cannot succeed.
    Note: When the Backup Media Server option is selected, NetBackup cannot determine a host to perform policy validation. To validate the policy, temporarily select one of the possible media servers as the backup host (do not select Backup Media Server). When the policy validates successfully, reset the backup host to Backup Media Server.
  • backup_host_name: Select a particular backup host to perform the backup.
    Note: The backup hosts (but not backup media servers) must be identified in the Administration Console as follows: Go to Host Properties > Master servers > double-click the master server > Master Server Properties > VMware Access Hosts.

Enable file recovery from VM backup

  • Enable recovery of individual files.
  • All the files inside the virtual machine can be restored to the virtual machine or to a different location.
  • still the full VM can be restored to the ESX / vSphere server

Enable block-level incremental backup

  • For block-level backups of the virtual machine. This option reduces the size of the backup image.

Exclude deleted blocks

  • Reduces the size of the backup image by excluding any unused or deleted blocks within the file system on the virtual machine. This option supports the following file systems: Windows NTFS, and Linux ext2, ext3, and ext4.
  • This option uses proprietary mapping technology to identify vacant sectors (allocated but empty) within the file system.
    To back up a virtual machine that contains Veritas Storage Foundation Volume Manager volumes, disable this option. Also make sure that the Enable file recovery from VM backup option is disabled.

Exclude swapping and paging files

  • Reduces the size of the backup image by excluding the data in the guest OS system paging file (Windows) or the swap file (Linux).
  • Note: This option does not exclude the swapping and paging files from the backup: it only excludes the data in those files. If the files are restored, they are restored as empty files

Primary VM Identifier

  • VM hostname:  The network host name for the virtual machine. (This option is the default.) NetBackup obtains the host name by means of a reverse lookup on the virtual machine's IP address. If no host name can be found, the IP address is used as the host name.
  • VMware display name: The name of the virtual machine as displayed in the VMware interface. A display name is assigned to the virtual machine when the virtual machine is created. When virtual machines are included in a NetBackup policy, restrictions apply to the characters that are allowed in the virtual machine display name. Note: The restrictions also apply to other vSphere objects, such as floppy image name, parallel port or serial port file name, and CD-ROM ISO name. Each display name must be unique in your VMware environment.
  • VMware BIOS UUID: The ID assigned to the virtual machine when the virtual machine is created. This ID may or may not be unique, depending on whether the virtual machine has been duplicated. This option is included for compatibility with the existing policies that use the older VM UUID identifier.
  • VM DNS Name: The VMware DNS Name of the virtual machine. In vSphere Client, this name appears on the virtual machine's Summary tab.
    Note: This name may or may not be associated with the virtual machine's IP address. VMware Tools obtains this name from the host name that is configured in the virtual machine. For further information on this name, refer to the documentation for the guest operating system.
  • VM instance UUID: The globally unique ID assigned to the virtual machine when the virtual machine is created. This ID uniquely identifies the virtual machine within a vCenter server. Even if the virtual machine has been duplicated (such as within a vCloud), only the original virtual machine retains this instance ID. (The virtual machine duplicates are assigned different instance UUIDs.) This option applies only to backup hosts (NetBackup clients) at 7.5 or later. If your backup host is 7.5 or later, this option is recommended instead of the VMware BIOS UUID option.
    Note: VM instance UUIDs are not available for standalone ESX 3.5 or ESXi 3.5 servers or for servers that VirtualCenter 2.5 manages.

Orphaned Snapshot Handling

  • Ignore: NetBackup ignores any existing virtual machine snapshots (including snapshots previously created by NetBackup) and proceeds with snapshot creation and the backup.
  • Abort: If any snapshot exists on the virtual machine, NetBackup aborts the job for that virtual machine only.
  • Remove NBU: If a virtual machine snapshot exists that a NetBackup backup previously created: NetBackup removes the old snapshot, creates an updated snapshot, and proceeds with the virtual machine backup. (This option is the default.)

Enable Exchange Recovery

  • This option enables recovery of the Exchange databases or mailbox messages from the virtual machine backups. If this option is disabled, you can recover the entire virtual machine from the backup, but you cannot recover the databases or mailbox messages individually.

Enable SQL Server Recovery

  • This option enables recovery of individual files from Microsoft SQL data in the virtual machine backup. If this option is disabled, you can recover the entire virtual machine from the backup, but you cannot recover the SQL files individually.

Enable SharePoint Recovery

  • This option enables recovery of SharePoint objects from the virtual machine backup. If this option is disabled, you can recover the entire virtual machine from the backup, but you cannot recover the SharePoint objects individually.

For Exchange, SQL and SharePoint recovery, note:

  • The Enable file recovery from VM backup option must be enabled.
  • The Enable block-level incremental backup option must be disabled.

Transport Modes

  • san: For unencrypted transfer over Fibre Channel (SAN) or iSCSI.
  • hotadd: Lets you run the VMware backup host in a virtual machine. This feature requires ESX 3.5 Update 2 or later. For instructions on this transport mode and on installing the backup host in a VMware virtual machine, refer to your VMware documentation.
  • nbd: For unencrypted transfer over a local network that uses the Network Block Device (NBD) driver protocol. This mode of transfer is usually slower than Fibre Channel.
  • nbdssl: For encrypted transfer (SSL) over a local network that uses the Network Block Device (NBD) driver protocol. This mode of transfer is usually slower than Fibre Channel.
  • Move Up, Move Down: Use these buttons to change the order in which NetBackup tries each selected mode. Highlight a mode and click Move Up or Move Down. For example: assume that all four transport modes are selected, and the order is san, hotadd, nbd, and nbdssl. If one of the virtual disks cannot be accessed using san, the san transport mode is not used for any of the virtual machine's disks. NetBackup then tries to use the hotadd mode for all the disks. NetBackup continues to try each mode until it finds one that succeeds for all the disks.

"Media In Use" when running a restore


Assumptions:
NetBackup 7+, Unix master server

Intro:
If you are restoring a file recently written to tape, there's a fair chance that the tape will still be in use. If the restore job is time-sensitive (and, really, aren't they all?) here is a procedure I've tried to release the tape (at the expense of killing the jobs that were writing to it). I'll refer to the tape media ID as "<MediaID>"; replace this with the ID of your media, say AH0101.

  1. From the master server, suspend ALL scheduling:
     master# /usr/openv/netbackup/bin/admincmd/nbpemreq -suspend_scheduling

  2. Dump the current job that is using that media:
     master# /usr/openv/netbackup/bin/admincmd/nbrbutil -listActiveMediaJobs <MediaID>

     If that fails, you can try an older invocation:
     master# /usr/openv/netbackup/bin/admincmd/nbrbutil -dump | grep <MediaID> | sed 's/.*firstuserid//;s/(Media_Drive_Allocation_Record.*//' | grep jobid

  3. Try releasing the media:
     master# /usr/openv/netbackup/bin/admincmd/nbrbutil -releaseMedia <MediaID>

     Else cancel the jobs that are using it:
     master# bpdbjobs -cancel 397341,23422,43224   (sample NetBackup job IDs)

  4. Wait five minutes until the jobs are done.

  5. Suspend the tape so that other jobs don't grab it and start writing to it:
     master# bpmedia -suspend -m <MediaID> -h auspcrpbak01 -v
     (only needed on the media server that had grabbed the allocation of that media; expect exit status 0)

  6. Resume scheduling:
     master# /usr/openv/netbackup/bin/admincmd/nbpemreq -resume_scheduling

  7. Resume the restore job. Restore jobs will still use suspended media.

  8. Once the restore completes, unsuspend the media <MediaID>. If you forget to do this, the tape will be recycled into the pool once the data on it expires.

Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)


Welcome to Part 3 of 3, discussing the terms, technologies and concepts related to Symantec Endpoint Protection and Symantec security software. In the series you will find descriptions and explanations of several SEP-related technologies, tools and concepts, alongside links to the relevant Symantec KB articles. The terminology articles are based upon the official documentation and publications available in Symantec KBs and the Implementation Guides for SEP. Any comments or ideas on what should be included in the series are welcome. I hope this series will be informative to you.

The Series consists of following articles:
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 1 (A-G)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 2 (H-R)
Symantec Endpoint Protection Terminology Guide - Concepts, Technologies, Terms - Part 3 (S-Z)

 

This is the third part of the series concerning the following terms:

SAV for Linux (SAVFL)
SAVFL Reporter
Security Virtual Appliance (SVA)
SEP Support Tool (SST)
SEPprep
SERT - Symantec Endpoint Recovery Tool
Shared Insight Cache (SIC)
Smart DHCP
Smart DNS
SONAR
Sylink Monitor
Sylink Replacer
SylinkDrop
Symantec Antivirus (SAV) CE 10.x
Symantec Endpoint Protection Enterprise Edition (SEP EE) 11.x / 12.1
Symantec Endpoint Protection Manager
Symantec Endpoint Protection SBE 12.1
Symantec Endpoint Protection SBE 2013
Symantec Protection Center (SPC)
Symantec Protection Suite (SPS)
Symantec Vulnerability Protection
SymHelp
System Lockdown
Tamper Protection
Third Party Management (TPM)
Third Party Product Removal
Truscan
Unmanaged Detector
Unmanaged SEP Client
Virtual Client Tagging
Virtual Image Exception (VIE)
Web Console for SEPM

 

SAV for Linux (SAVFL) - software designed to provide antivirus protection on Linux. Symantec AntiVirus for Linux includes real-time antivirus file protection through Auto-Protect scanning, and file system scanning via manual and scheduled scans. Symantec AntiVirus for Linux requires a supported kernel on the system before the Symantec Auto-Protect package is installed; otherwise you must compile the Auto-Protect kernel modules against your own kernel to ensure they function properly.

Best practice to install Symantec Antivirus for Linux
http://www.symantec.com/docs/TECH150596
System requirements for Symantec AntiVirus for Linux 1.0
http://www.symantec.com/docs/TECH101598
SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
https://www-secure.symantec.com/connect/articles/s...
SAV for Linux: A (Somewhat) Illustrated Guide Part 2
https://www-secure.symantec.com/connect/articles/s...
SAV for Linux: A (Somewhat) Illustrated Guide Part 3
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-3

 

 

SAVFL Reporter - provides log records and inventory information to the Symantec Endpoint Protection Manager via its legacy reporting channel. This allows you to monitor and report on SAVFL client activity from the Symantec Endpoint Protection Manager console. Note that installing SAVFL and SAVFL Reporter will not cause the Linux machines to be displayed on the SEPM's Clients tab.

Symantec AntiVirus for Linux (SAVFL) Reporter 1.0.10 Release Notes
http://www.symantec.com/docs/DOC3474
SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
https://www-secure.symantec.com/connect/articles/s...
How to enable the 12.1 Symantec Endpoint Protection Manager (SEPM) to receive logging from legacy clients
http://www.symantec.com/docs/TECH157463

 

 

Security Virtual Appliance (SVA) - a Linux-based virtual appliance that you install on a VMware ESX/ESXi server. The Security Virtual Appliance integrates with VMware's vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based Guest Virtual Machines (GVMs) share scan results. Identical files are trusted and therefore skipped across all of the GVMs on the ESX/ESXi host. Shared Insight Cache improves full scan performance by reducing disk I/O and CPU usage.

About the Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81080
VMware software requirements to install a Symantec Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81081
Installing a Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81083
Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file
http://www.symantec.com/docs/HOWTO81082

 

 

SEP Support Tool (SST) - a utility designed to diagnose common issues encountered with Endpoint Protection and the Endpoint Protection Manager. The tool can also be used proactively to ensure that the target machine is ready for the Endpoint Protection Manager or client to be installed. This is an older troubleshooting tool (designed mainly for SEP 11.x), now replaced by SymHelp.

The Symantec Endpoint Protection Support Tool
http://www.symantec.com/docs/TECH105414

 

 

SEPprep - an unsupported tool designed to uninstall competitive products automatically. It can also launch another application before or after removing all competitive products, so you can configure it to first remove all competitive products (including Norton products) and then launch the SEP installer automatically and silently.

SEPprep competitive product uninstall tool
http://www.symantec.com/docs/TECH148513

 

 

SERT - Symantec Endpoint Recovery Tool - a bootable CD utility that can scan and remove malware from an infected computer. SERT is useful where computers are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. It is also necessary against specific threats that can completely hide from Windows.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
http://www.symantec.com/docs/TECH131732
Symantec Endpoint Recovery Tool (SERT)
https://www-secure.symantec.com/connect/videos/sym...
Symantec Endpoint Recovery Tool (SERT)
https://www-secure.symantec.com/connect/articles/s...
How to make the Symantec Endpoint Recovery Tool boot from a USB memory stick
http://www.symantec.com/docs/TECH131578

 

 

Shared Insight Cache (SIC) - improves scan performance in virtualized environments by not re-scanning files that a Symantec Endpoint Protection client has already determined to be clean. When a client scans a file for threats and determines it is clean, the client submits information about the file to the Shared Insight Cache. When another client subsequently attempts to scan the same file, it can query the Shared Insight Cache to determine whether the file is known clean. If it is, the client skips that file; if it is not, the client scans the file for viruses and submits the result to the Shared Insight Cache.
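The caching logic described above, as an added example that is not part of the original article or of Symantec's code. It models the cache as a map from file hash to the definitions version that last found the file clean, and assumes (this is my assumption, not something the article states) that a cached "clean" verdict is only trusted by a client whose definitions are no newer than the ones that produced it; the byte-string "definitions" and the sample files are constructed for the demonstration.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed byte signatures standing in for virus definitions. Each version
# detects the markers of all earlier versions plus its own.
DEFINITIONS: Dict[int, Tuple[bytes, ...]] = {
    100: (b"MARKER-A",),
    101: (b"MARKER-A", b"MARKER-B"),
}


def make_scanner(defs_version: int) -> Callable[[bytes], str]:
    """Return a toy scanner that flags any file containing a known marker."""
    signatures = DEFINITIONS[defs_version]

    def scan(data: bytes) -> str:
        return "infected" if any(sig in data for sig in signatures) else "clean"

    return scan


class SharedInsightCache:
    """Minimal cache model: file hash -> newest definitions version that found it clean."""

    def __init__(self) -> None:
        self._clean: Dict[str, int] = {}
        self.hits = 0
        self.misses = 0

    def is_known_clean(self, digest: str, defs_version: int) -> bool:
        # Assumption: a clean verdict is trusted only if it came from
        # definitions at least as new as the asking client's own.
        known = self._clean.get(digest)
        if known is not None and known >= defs_version:
            self.hits += 1
            return True
        self.misses += 1
        return False

    def submit(self, digest: str, defs_version: int, verdict: str) -> None:
        if verdict == "clean":
            self._clean[digest] = max(defs_version, self._clean.get(digest, 0))
        else:
            # Never keep a clean entry for a file that newer definitions detect.
            self._clean.pop(digest, None)


class Client:
    """A guest VM's SEP client: consults the cache before scanning locally."""

    def __init__(self, name: str, defs_version: int, cache: SharedInsightCache) -> None:
        self.name = name
        self.defs_version = defs_version
        self.cache = cache
        self.scanner = make_scanner(defs_version)

    def scan(self, data: bytes) -> Tuple[str, str]:
        digest = hashlib.sha256(data).hexdigest()
        if self.cache.is_known_clean(digest, self.defs_version):
            return ("clean", "cache")
        verdict = self.scanner(data)
        self.cache.submit(digest, self.defs_version, verdict)
        return (verdict, "scanned")


def demo(cache: SharedInsightCache) -> List[Tuple[str, str]]:
    """Three guests share one cache; gvm-c runs newer definitions than the others."""
    a = Client("gvm-a", 100, cache)
    b = Client("gvm-b", 100, cache)
    c = Client("gvm-c", 101, cache)
    benign = b"hello world"                 # constructed sample file
    later_detected = b"payload MARKER-B"    # clean for defs 100, detected by 101
    return [
        a.scan(benign),          # scanned by a, verdict cached at version 100
        b.scan(benign),          # cache hit (100 >= 100)
        c.scan(benign),          # cache entry too old for defs 101: rescanned, cached at 101
        b.scan(benign),          # cache hit (101 >= 100)
        a.scan(later_detected),  # defs 100 see nothing: cached as clean at 100
        c.scan(later_detected),  # entry too old: rescanned with 101, detected, entry dropped
        b.scan(later_detected),  # no entry left: defs 100 rescan and call it clean again
    ]


if __name__ == "__main__":
    shared = SharedInsightCache()
    for verdict, source in demo(shared):
        print(f"{verdict:8s} via {source}")
    print(f"cache hits={shared.hits} misses={shared.misses}")
```

The last two steps are the part worth noticing: a client with older definitions can put a "clean" entry back for a file that newer definitions detect, which is why the version check on lookup matters and why the cache only ever saves scans, never changes a verdict a client would otherwise reach on its own.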

SIC.png

About the Symantec Endpoint Protection Shared Insight Cache tool
http://www.symantec.com/docs/HOWTO55311
How Shared Insight Cache works
http://www.symantec.com/docs/HOWTO55318
Network-based Shared Insight Cache - Best Practices and Sizing guide
http://www.symantec.com/docs/TECH174123
Installation and Configuration of SEP Shared Insight Cache
http://www.symantec.com/docs/TECH185897

 

 

Smart DHCP - a smart traffic filtering option that allows a Dynamic Host Configuration Protocol (DHCP) client to receive an IP address from a DHCP server while protecting the client against DHCP attacks from the network. When the SEP client (formerly Symantec Protection Agent) sends a DHCP request to a DHCP server, it waits five seconds for an incoming DHCP response and allows it. If no DHCP request was sent, Smart DHCP does not allow the incoming packet. Smart DHCP itself never blocks packets: it simply allows a response when a request was made, and any other DHCP blocking or allowing is done by the normal firewall rule set. See also Dynamic Host Configuration Protocol (DHCP).

SEP Client Firewall Rules Policies (Network Threat Protection/NTP) for finding clients using non-approved DHCP/DNS servers
http://www.symantec.com/docs/TECH161639

 

 

Smart DNS - a smart traffic filtering option that allows a Domain Name System (DNS) client to resolve a domain name from a DNS server while providing protection against DNS attacks from the network. It allows outgoing DNS requests and the corresponding replies: if the client computer sends a DNS request and a response arrives within five seconds, the communication is allowed. Smart DNS itself does not block any other DNS packets; blocking is done by the normal firewall rule set.
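The stateful matching that Smart DHCP and Smart DNS perform, as an added example that is not part of the original article or of the SEP firewall's code. It pairs an inbound reply with an outbound request by transaction ID inside the five-second window and otherwise returns no decision, leaving the packet to the normal rule set. The packet trace is constructed, and the check that a DNS reply must come from the server that was asked is my own stricter assumption, not something the article states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 5.0          # the five-second reply window described above
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    ts: float        # time the packet was seen, in seconds
    proto: str       # "dns" or "dhcp"
    direction: str   # "out" = sent by this host, "in" = received by it
    src: str         # source IP address
    dst: str         # destination IP address
    txid: int        # DNS transaction ID, or DHCP xid


class SmartFilter:
    """Stateful allow check for DNS/DHCP replies.

    An inbound reply is allowed only if this host sent a request with the same
    transaction ID within WINDOW_SECONDS. The option never blocks anything by
    itself: an inbound packet with no matching request returns None, meaning
    "no decision here, fall through to the ordinary firewall rule set".
    """

    def __init__(self, window: float = WINDOW_SECONDS) -> None:
        self.window = window
        # (proto, txid) -> (time sent, server the request was sent to)
        self.pending: Dict[Tuple[str, int], Tuple[float, str]] = {}

    def observe(self, pkt: Packet) -> Optional[str]:
        key = (pkt.proto, pkt.txid)
        if pkt.direction == "out":
            # Outgoing requests are always allowed and open the reply window.
            self.pending[key] = (pkt.ts, pkt.dst)
            return "allow"

        req = self.pending.get(key)
        if req is None:
            return None  # unsolicited reply: not this option's decision
        sent_at, server = req
        if pkt.ts - sent_at > self.window:
            # Window expired; forget the request so a late reply cannot reuse it.
            del self.pending[key]
            return None
        # Assumption (stricter than the article): a DNS reply must come from the
        # server that was asked. DHCP requests go to broadcast, so any server
        # may answer them.
        if server != BROADCAST and pkt.src != server:
            return None
        del self.pending[key]  # one request, one reply
        return "allow"


def run_trace(packets: List[Packet]) -> List[Optional[str]]:
    """Apply the filter to a packet list and return the decision for each packet."""
    f = SmartFilter()
    return [f.observe(p) for p in packets]


# Constructed sample trace (not a real capture): a DNS query answered in time,
# a spoofed answer with an unknown transaction ID, a DHCP exchange, and a DNS
# answer that arrives after the window has closed.
SAMPLE_TRACE = [
    Packet(0.0, "dns", "out", "10.0.0.5", "10.0.0.1", 0x1A2B),
    Packet(0.2, "dns", "in", "10.0.0.1", "10.0.0.5", 0x1A2B),    # allow
    Packet(0.3, "dns", "in", "10.0.0.99", "10.0.0.5", 0x9999),   # None: unsolicited
    Packet(1.0, "dhcp", "out", "0.0.0.0", BROADCAST, 0x55AA),
    Packet(1.4, "dhcp", "in", "10.0.0.2", BROADCAST, 0x55AA),     # allow
    Packet(2.0, "dns", "out", "10.0.0.5", "10.0.0.1", 0x2C3D),
    Packet(8.5, "dns", "in", "10.0.0.1", "10.0.0.5", 0x2C3D),    # None: too late
]

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{pkt.ts:4.1f}s {pkt.proto:4s} {pkt.direction:3s} "
              f"txid=0x{pkt.txid:04x} -> {decision}")
```

A None result is the important case: the smart option has declined to decide, so whether that packet is dropped depends entirely on the firewall rules that follow, which is why the article stresses that these options allow but never block.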

SEP Client Firewall Rules Policies (Network Threat Protection/NTP) for finding clients using non-approved DHCP/DNS servers
http://www.symantec.com/docs/TECH161639

 

 

SONAR - real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it can detect threats before traditional virus and spyware definitions have been created for them. It uses heuristics as well as reputation data to detect emerging and unknown threats, and it complements the existing Virus and Spyware Protection, intrusion prevention and firewall components on the client. SONAR replaces the TruScan heuristic protection of SEP 11.x.

sonar.png

About SONAR
http://www.symantec.com/docs/HOWTO81392
Managing SONAR
http://www.symantec.com/docs/HOWTO81373

 

 

Sylink Monitor - a utility that provides an alternative to enabling sylink debugging manually on SEP clients. Use of the tool is no longer recommended, as the same logging, with more configuration options, can be collected with the SymHelp tool.

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry
http://www.symantec.com/docs/TECH104758

 

 

SylinkDrop - tool used for replacing the communication settings (the sylink.xml file) on SEP clients. Versions are available for Windows and Macintosh. The same goal can be achieved with Sylink Replacer or by pushing the communication settings directly from the SEPM to the client machines.

sylinkdrop.png

SylinkDrop or SylinkReplacer fails to assign Symantec Endpoint Protection clients to a new Client Group
http://www.symantec.com/docs/TECH103041
Recovering client communication settings by using the SylinkDrop tool
http://www.symantec.com/docs/HOWTO55428

 

 

Sylink Replacer - a utility designed to replace Sylink.xml files on existing Symantec Endpoint Protection (SEP) clients. It provides a much more automated and scalable way of replacing communication settings than SylinkDrop. Where possible (SEPM 12.1 RU2 and higher only), the Communication Update Package Deployment from the SEPM is now recommended instead of Sylink Replacer.

Using the "SylinkReplacer" Utility
http://www.symantec.com/docs/TECH105211
The Sylinkreplacer tool for connecting SEP clients to a SEPM
https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

 

 

Symantec Antivirus Corporate Edition (CE) 10.x - legacy Symantec antivirus solution. The product reached its End-of-Support-Life (EOSL) on July 4, 2012 and was replaced by SEP 11.x and SEP 12.1. Depending on the version, a legacy SAV CE installation can be upgraded directly to either SEP 11.x or 12.1; consult the relevant migration documentation for the supported upgrade paths.

End of Life announcement for Symantec AntiVirus Corporate Edition and Symantec Client Security
http://www.symantec.com/docs/TECH178551
Frequently asked questions about Symantec AntiVirus 10.x End of Support Life
http://www.symantec.com/docs/TECH184999
How to request a virus definition extension for Symantec AntiVirus 10.x Corporate Edition beyond its End-of-Support-Life date
http://www.symantec.com/docs/HOWTO73168

 

 

Symantec Endpoint Protection Enterprise Edition 11.x / 12.1 - Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Mac computers and servers in your network against malware such as viruses, worms, Trojan horses, spyware and adware. It also provides protection against more sophisticated attacks that evade traditional security measures, such as rootkits and zero-day attacks.
The suite comprises Antivirus / Antimalware protection, Firewall, IPS, and Application and Device Control. Version 12.1 adds further layers of protection, including Symantec Insight and SONAR, both of which protect against new and unknown threats. For more information about the individual SEP features, look up the specific terms in this series of articles.
The most recent SEP 12.1 version is 12.1 RU3. The latest version of Symantec Endpoint Protection 11.x is 11 RU7 MP3; note that the next release, SEP 11 RU7 MP4, will also be the last in the 11.x series, after which SEP 11.x reaches End of Support on 2014-09-27.

sep.png

Symantec Endpoint Protection
http://www.symantec.com/endpoint-protection
Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH163829
Symantec™ Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.3 Release Notes
http://www.symantec.com/docs/DOC6549
New fixes and features in Symantec Endpoint Protection 12.1.3
http://www.symantec.com/docs/TECH206828
What's new with Latest Symantec Endpoint Protection SEP 12.1.RU3
https://www-secure.symantec.com/connect/blogs/what...
Latest Symantec Endpoint Protection Released - SEP 12.1.RU3
https://www-secure.symantec.com/connect/forums/lat...
Upgrading or migrating to Symantec Endpoint Protection 12.1.3 (RU3)
http://www.symantec.com/docs/TECH206823

 

 

Symantec Endpoint Protection Manager - centralized management console for Symantec Endpoint Protection clients. From the SEPM it is possible to distribute settings, policies, content and product updates to the managed SEP clients, and it provides detailed logging and reporting collected from all managed clients. The manager can be accessed locally through the Java-based console or remotely via the web-based console or a remote Java-based console; the local Java-based console does not require a separate Java installation, as the runtime is bundled with the manager. SEPM uses an integrated embedded database by default but can be configured to use a remote SQL Server database instead. The advanced installation and configuration options support running several SEPM servers in replication, failover or load-balancing modes. Review the sizing and scalability best practices before installing SEPM, as it has specific installation requirements and, later on, disk space and bandwidth requirements.

sepm.png

Installing Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO80785
Upgrading or migrating to Symantec Endpoint Protection 12.1.3 (RU3)
http://www.symantec.com/docs/TECH206823
How to install the Symantec Endpoint Protection Manager(s) for replication
http://www.symantec.com/docs/TECH105928
Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper
http://www.symantec.com/docs/DOC4448
Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH160736
How to move Symantec Endpoint Protection Manager 12.1 from one machine to another
http://www.symantec.com/docs/TECH171767

 

 

Symantec Endpoint Protection SBE 12.1 - Symantec Endpoint Protection Small Business Edition incorporates many of the features of Symantec Endpoint Protection Enterprise Edition. It is designed for small-to-medium businesses with up to 250 clients. Like the full version, SBE protects against malware such as viruses, worms, Trojan horses, spyware and adware. Review the release and implementation documentation for the SBE version, as several features and functionalities included natively in 12.1 EE are missing from 12.1 SBE. The most important differences are:
■ no SQL Database support
■ no Application and Device Control feature
■ no Host Integrity enforcement
■ no Shared Insight Cache support
■ no AD Synchronisation option
■ does not include several other components such as Risk Tracer, Virtual Image Exception, Group Update Providers
■ includes some limitations regarding the available management options in the SEPM GUI

Feature comparison between SEP 12.1 SBE and EE
https://www-secure.symantec.com/connect/articles/f...
Installing and configuring Symantec Endpoint Protection Small Business Edition
http://www.symantec.com/docs/TECH91893
Symantec™ Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.3 Release Notes
http://www.symantec.com/docs/DOC6549
Knowledgebase Articles for Symantec Endpoint Protection SBE 12.1. RU3
https://www-secure.symantec.com/connect/blogs/knowledgebase-articles-symantec-endpoint-protection-sbe-121-ru3

 

 

Symantec Endpoint Protection SBE 2013 - Symantec Endpoint Protection Small Business Edition 2013 offers simple, fast and effective protection against viruses and malware. It is available as a cloud-managed service, which means there are no additional hardware requirements for the management layer, as all administrative tasks are executed from a web-based console. SBE 2013 also offers an on-premise management application where that is preferable to cloud management. Like the other SEP 12.1 solutions (SBE and Enterprise Edition), SBE 2013 is a unified security solution with features such as Antivirus and Antimalware protection, Firewall and heuristic SONAR protection.

Symantec Endpoint Protection Small Business Edition 2013
http://www.symantec.com/endpoint-protection-small-...
Quick Start Tips for SEP Small Business Edition 2013
https://www-secure.symantec.com/connect/articles/quick-start-tips-sep-small-business-edition-2013

 

 

Symantec Protection Center (SPC) - a centralized security management console that allows organizations to identify emerging threats, prioritize tasks and accelerate time to protection based on relevant, actionable intelligence. Protection Center is a free product, available at no additional charge to existing Endpoint Protection 12 customers. It allows Symantec Endpoint Protection to be managed together with other Symantec products in a single environment; Symantec Endpoint Protection integrates with Protection Center by means of a series of web services. Protection Center incorporates early warning notifications from the Symantec Global Intelligence Network, one of the world's largest commercial cyber intelligence communities.

Symantec Protection Center
http://www.symantec.com/page.jsp?id=protection-center
About Symantec Endpoint Protection and Protection Center
http://www.symantec.com/docs/HOWTO55225
About setting up Symantec Endpoint Protection in Protection Center
http://www.symantec.com/docs/HOWTO55231

 

 

Symantec Protection Suite (SPS) - a bundled product of Symantec security software, available in Small Business Edition as well as Enterprise editions, comprising the following components:
■ Endpoint Protection
■ Endpoint Protection for Macintosh
■ Antivirus for Linux
■ Mail Security for Microsoft Exchange
■ Mail Security for Domino
■ Messaging Gateway
■ System Recovery Desktop Edition
■ Symantec Protection Center
■ Web Gateway
SPS provides multiple layers of protection for endpoint security, messaging security, web, data loss prevention, and data and system recovery, and allows the essential endpoint and messaging security technologies to be deployed as unified solutions with coordinated management.

sps.jpg

Symantec Protection Suite Enterprise Edition
http://www.symantec.com/protection-suite-enterpris...
Compare Antivirus Software & Security Products
http://store.symantec.com/antivirus-comparison
Protect More, With Less - See How Symantec Protection Suite Can Do It
http://www.symantec.com/tv/products/details.jsp?vid=1211579625001

 

 

Symantec Vulnerability Protection - SEP browser add-on, previously known as "Browser Intrusion Prevention", an advanced protection feature included with the SEP 12.1 client. It works in conjunction with, but separately from, the Client Intrusion Detection System (CIDS) used by the firewall-based network IPS engine of the SEP client.

Enabling or disabling network intrusion prevention or browser intrusion prevention
http://www.symantec.com/docs/HOWTO80887
Supported Browser versions for Browser Intrusion Prevention
http://www.symantec.com/docs/TECH174537
Expected behavior of Browser Intrusion Prevention
http://www.symantec.com/docs/TECH172174

 

 

SymHelp - tool used for SEP client and SEPM server troubleshooting, though not exclusively. The complete list of Symantec products it supports consists of Backup Exec, Symantec DLP, SEP and SEPM, Symantec Mail Security and Symantec System Recovery. SymHelp is the newer tool (designed for SEP 12.1 RU2 and higher) that replaces the old Symantec Support Tool. SymHelp can be downloaded directly from the SEP GUI via Help -> Download Support Tool, which redirects to the Symantec article listed in the references below.

symhelp.png

Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH170752
About Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH170735
Symantec Help (SymHelp) FAQ
http://www.symantec.com/docs/TECH203496

 

 

System Lockdown - allows administrators to tightly control which applications users running the SEP client can execute. The approved applications are contained in a so-called fingerprint list, which holds the checksums and locations of all applications approved for use. Implementing System Lockdown is a two-step process: first a fingerprint list is created, then the list is imported into the Symantec Endpoint Protection Manager for use in client policies. System lockdown can be used to control applications in the following ways:
■ Control all the applications that can run whether or not the user is connected to the network.
■ Block almost any Trojan horse, spyware, or malware that tries to run or load itself into an existing application.
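The two steps above (generating a fingerprint list from a reference machine, then enforcing it), as an added example that is not part of the original article or of Symantec's checksum tool. It assumes MD5 as the checksum algorithm and a "<hash> <path>" line format; both are my assumptions about the SEP fingerprint list rather than facts the article states, so verify them against the output of the real tool before relying on them. The sample file tree is constructed in memory.

```python
import hashlib
import os
from typing import Dict, Tuple

# File types worth fingerprinting. Assumption: the real tool decides this itself.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ocx", ".com", ".scr")


def fingerprint_bytes(data: bytes) -> str:
    """Checksum of the file contents. Assumption: MD5, as used by the SEP checksum tool."""
    return hashlib.md5(data).hexdigest()


def build_fingerprint_list(files: Dict[str, bytes]) -> str:
    """Render a fingerprint list from {path: contents}.

    Line format "<md5> <path>" is assumed to mirror checksum.exe output.
    Only executable file types are listed; documents do not need approval.
    """
    lines = []
    for path in sorted(files):
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            lines.append(f"{fingerprint_bytes(files[path])} {path}")
    return "\n".join(lines) + "\n"


def build_fingerprint_list_from_dir(root: str) -> str:
    """Same as above, but walking a real directory tree on the reference machine."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if path.lower().endswith(EXECUTABLE_SUFFIXES):
                with open(path, "rb") as fh:
                    files[path] = fh.read()
    return build_fingerprint_list(files)


def parse_fingerprint_list(text: str) -> Dict[str, str]:
    """Parse a list back into {md5: path}. Paths may contain spaces, so split once."""
    approved: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(" ", 1)
        approved[digest.lower()] = path
    return approved


def lockdown_decision(path: str, data: bytes, approved: Dict[str, str]) -> Tuple[str, str]:
    """Whitelist mode: the program runs only if its content hash is on the list.

    The path is reported but not trusted: a renamed or moved binary keeps its
    hash and stays approved, while a patched binary in the original location
    gets a new hash and is blocked until the list is regenerated.
    """
    digest = fingerprint_bytes(data)
    if digest in approved:
        return ("allow", f"hash matches {approved[digest]}")
    return ("block", f"{path}: hash {digest} not in fingerprint list")


# Constructed reference image (not real binaries): what the golden machine held
# when the fingerprint list was generated.
REFERENCE_IMAGE = {
    r"C:\Windows\System32\notepad.exe": b"notepad build 1",
    r"C:\Program Files\App\app.exe": b"app build 7",
    r"C:\Program Files\App\helper.dll": b"helper build 7",
    r"C:\Users\Public\readme.txt": b"not executable",
}

if __name__ == "__main__":
    listing = build_fingerprint_list(REFERENCE_IMAGE)
    approved = parse_fingerprint_list(listing)
    print(listing)
    checks = [
        (r"C:\Program Files\App\app.exe", b"app build 7"),      # unchanged: allow
        (r"C:\Temp\renamed.exe", b"app build 7"),               # moved copy: allow
        (r"C:\Program Files\App\app.exe", b"app build 8"),      # patched: block
        (r"C:\Users\Public\dropper.exe", b"unknown payload"),   # unknown: block
    ]
    for path, data in checks:
        print(lockdown_decision(path, data, approved))
```

The patched-binary case is the operational catch behind the "allow Microsoft Security Updates" article linked below: every update to an approved executable changes its hash, so the list has to be regenerated (or the updater handled by policy) or the patched program is blocked.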

lockdown.png

How to configure System Lockdown in Symantec Endpoint Protection 11.0
http://www.symantec.com/docs/TECH102526
Configuring system lockdown
http://www.symantec.com/docs/HOWTO80848
About system lockdown
http://www.symantec.com/docs/HOWTO27322
System lockdown prerequisites
http://www.symantec.com/docs/HOWTO27321
How to configure System Lockdown to allow Microsoft Security Updates
http://www.symantec.com/docs/TECH103977

 

 

Tamper Protection - provides real-time protection for Symantec applications, drivers and services. It prevents Symantec processes from being attacked or affected by non-Symantec processes, such as worms, Trojans, viruses, and security risks. Tamper Protection blocks as well registry changes for the keys related to Symantec Endpoint Protection.

What should I do when I get a Tamper Protection Alert?
http://www.symantec.com/docs/TECH97931

 

 

Third Party Management (TPM) - an option that lets a third-party content distribution solution update the managed SEP clients instead of the usual updates from SEPM, GUP or LiveUpdate servers. The setting is activated in the LiveUpdate policy. It must be enabled if a managed SEP client is to be updated with a .jdb file containing virus definitions; it is not required for definition updates performed with the Intelligent Updater.

How to manually update definitions for a managed Symantec Endpoint Protection Client using the .jdb file
http://www.symantec.com/docs/TECH104363
Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients
http://www.symantec.com/docs/HOWTO80943
Enabling third-party content distribution to managed clients with a LiveUpdate Settings Policy
http://www.symantec.com/docs/HOWTO27639

 

 

Third Party Security Software Removal - a feature of the SEP installer introduced in SEP 12.1 RU1 MP1 and further enhanced in 12.1 RU2. When the feature is activated for an installation package, Symantec Endpoint Protection performs security software removal as part of its installation process: packages deployed with this feature remove currently installed security software from several third-party vendors. For the list of security software supported by this feature, refer to the documentation below.

About the third-party security software removal feature in Symantec Endpoint Protection 12.1 RU1 MP1 and later
http://www.symantec.com/docs/TECH178757
Third-party security software removal support in Symantec Endpoint Protection 12.1.2 and later
http://www.symantec.com/docs/TECH195029

 

 

TruScan - legacy proactive threat protection technology from SEP 11.x, replaced in SEP 12.1 by SONAR, used to detect new and unknown risks. By default, TruScan detects processes that behave like Trojan horses and worms, or like keyloggers. Like the newer SONAR, TruScan looks at the behavior of active processes at the time the scan runs; the scan engine looks for behavior such as opening ports or capturing keystrokes, and if a process exhibits enough of these behaviors the scan flags it as a potential threat. A process that shows no suspicious behavior during the scan is not flagged.

Understanding TruScan proactive threat detections
http://www.symantec.com/docs/HOWTO27054

 

 

Unmanaged Detector - a dedicated SEP client on a local network that listens to ARP traffic on its subnet to discover the hosts present there. The collected data is forwarded to the detector's SEPM, which compares the IP and MAC addresses of the detected systems against its list of known managed clients and reports the unmanaged ones. An unmanaged detector is configured by right-clicking a managed SEP client on the Clients page of the SEPM console and selecting "Make unmanaged detector". To act as an unmanaged detector, a SEP client must have Network Threat Protection (NTP) enabled and be in Computer Mode; User Mode clients and clients without the firewall component (NTP) cannot act as unmanaged detectors.
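The comparison the SEPM performs on the detector's data, as an added example that is not part of the original article or of Symantec's code. It takes "ip mac" observations in a constructed log format (the real detector reports to the SEPM internally; this format is my assumption) and a managed-client inventory keyed by MAC, and splits the result into managed, managed-but-moved, unmanaged, and IP-conflict hosts. The last class, a known IP answering from an unknown MAC, is an extra check I add here; the article only describes reporting unmanaged hosts.

```python
import re
from typing import Dict, List, Tuple

# One observation per line: "<ip> <mac>". Constructed format for this example.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated, so Windows-style 00-50-56-... compares equal."""
    return mac.lower().replace("-", ":")


def parse_arp_observations(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every parsable line; the last sighting of an IP wins."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            seen[match.group("ip")] = normalize_mac(match.group("mac"))
    return seen


def classify_hosts(observed: Dict[str, str],
                   managed: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Compare detector observations against the SEPM inventory.

    observed: {ip: mac} from the detector.
    managed:  {mac: ip} as the SEPM last saw each managed client.
    """
    report: Dict[str, List[Tuple[str, str]]] = {
        "managed": [],          # known MAC at the IP the SEPM expects
        "managed_new_ip": [],   # known MAC, different IP (DHCP churn, not a new host)
        "ip_conflict": [],      # unknown MAC answering for an IP a managed client owns
        "unmanaged": [],        # unknown MAC on an IP the SEPM has never seen
    }
    managed_by_ip = {ip: mac for mac, ip in managed.items()}
    for ip, mac in sorted(observed.items()):
        if mac in managed:
            bucket = "managed" if managed[mac] == ip else "managed_new_ip"
        elif ip in managed_by_ip:
            bucket = "ip_conflict"
        else:
            bucket = "unmanaged"
        report[bucket].append((ip, mac))
    return report


# Constructed detector output: Windows-style and Unix-style MACs mixed, plus a
# line that is not an observation at all.
SAMPLE_ARP = """\
10.0.1.10 00:50:56:aa:bb:01
10.0.1.11 00-50-56-AA-BB-02
detector heartbeat ok
10.0.1.12 00:50:56:aa:bb:03
10.0.1.20 00:50:56:aa:bb:09
"""

# Constructed SEPM inventory: mac -> last reported IP.
SAMPLE_MANAGED = {
    "00:50:56:aa:bb:01": "10.0.1.10",
    "00:50:56:aa:bb:02": "10.0.1.15",
    "00:50:56:aa:bb:05": "10.0.1.12",
}

if __name__ == "__main__":
    for bucket, hosts in classify_hosts(parse_arp_observations(SAMPLE_ARP),
                                        SAMPLE_MANAGED).items():
        for ip, mac in hosts:
            print(f"{bucket:15s} {ip:12s} {mac}")
```

Matching on MAC rather than IP is what keeps DHCP address changes from showing up as new unmanaged machines. The limit of the approach is the one the article implies: the detector only sees hosts that send ARP traffic on its own subnet, so silent hosts and other VLANs need a detector of their own or the "Find Unmanaged Computers" feature instead.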

Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0
http://www.symantec.com/docs/TECH104340
Configuring a client to detect unmanaged devices
http://www.symantec.com/docs/HOWTO80763
SEP 12.1 - What does it mean to set a client as an Unmanaged Detector?
http://www.symantec.com/docs/TECH183746
What does it mean to set a client as an Unmanaged Detector?
http://www.symantec.com/docs/TECH105722

 

 

Unmanaged SEP Client - a standalone SEP client that is administered directly by the end user and does not report to a SEPM server at all. An unmanaged client cannot be administered from the console; the primary computer user must update the client software, security policies and virus definitions on the unmanaged client computer.

unmanaged.png

About managed and unmanaged clients
http://www.symantec.com/docs/HOWTO81263
Difference between a managed Symantec Endpoint Protection (SEP) Client and an Unmanaged SEP Client
http://www.symantec.com/docs/TECH185894
Installing an unmanaged client
http://www.symantec.com/docs/HOWTO81309
How to create an Unmanaged client from within the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH176907

 

 

Virtual Client Tagging - a feature introduced in SEP 12.1. It is enabled by default on the Symantec Endpoint Protection Manager and allows the SEPM to automatically identify and manage virtual clients. With Virtual Client Tagging, administrators can check in the properties of each SEP client (from the SEPM console) whether the client in question is virtualized or not.

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1
http://www.symantec.com/docs/TECH173650

 

 

Virtual Image Exception (VIE) - a tool designed specifically for environments leveraging virtualization technologies where a single baseline image is used to deploy many identical or nearly identical Virtual Desktop Infrastructure (VDI) clients. The VIE tool adds an Extended File Attribute (EFA) value to all existing files on a machine before imaging; the EFA value remains valid until the file is modified. The Symantec Endpoint Protection (SEP) 12.1 client checks for this attribute before scanning and skips any file marked as "known good" by the VIE tool. Scans on VDI clients created from images processed by the VIE tool therefore incur lower I/O load, CPU usage and network bandwidth usage during scheduled and manual scans.

VIE.png

About the Symantec Virtual Image Exception tool
http://www.symantec.com/docs/TECH172218
Using the Virtual Image Exception tool on a base image
http://www.symantec.com/docs/HOWTO55325

 

 

Web Console for SEPM - remote console that allows the Symantec Endpoint Protection Manager to be managed from a web browser. The web console can be launched from SEPM Web Access (http://[servername]:9090). When you log on remotely, you can perform the same tasks as administrators who log on locally; what you can view and do from the console depends on the type of administrator you are.

remote.png

Logging on to the Symantec Endpoint Protection Manager console
http://www.symantec.com/docs/HOWTO81152
How to install Web Console (Java Console) for Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH105171

Upgrading Mobile Security Gateways for Symantec Mobile Security 7.2


The Story So Far...

This is the fourth in an informal series of illustrated articles about how admins (and end users) can best protect their mobile endpoints using Symantec Mobile Security 7.2. (This is a cool Enterprise product aimed at corporate networks, rather than a company that just has a few Androids or Windows Mobile devices that need protecting.) The three earlier articles:

  1. Illustrated Guide to Installing Symantec Mobile Security 7.2: how is the management server (Symantec Management Platform) of SMS 7.2 installed, and what does its interface look like? 
  2. Getting to Know the Symantec Mobile Security 7.2 Client: what does SMS 7.2 look like on an Android phone or tablet?  How to view its activities, launch an update, know when it is trying to alert you to danger.... 
  3. About Windows Mobile in Symantec Mobile Security 7.2: all about "Android’s ugly older brother."-  &: ) SMS 7.2 also protects Windows Mobile devices (phones, PDA's, various Point-Of-Sale equipment).  This article illustrates WM and how to administer them from the server console
     

By popular request, this fourth article deals with a cosmetic issue that many admins encounter: what to do about the "old" versions of the Mobile Security Gateway that appear in the SMP.

 

That's Great!  Erm... What's a Mobile Security Gateway? 

All Android devices communicate with their Symantec Management Platform (SMP) through a server known as a Mobile Security Gateway (MSG).  This MSG can be on the SMP server itself (one MSG is deployed there by default, when the management components of SMS 7.2 are installed) or your MSG can be on a separate server elsewhere in the organization.  Different groups of Androids can communicate through different MSG's.  Which MSG a group of Androids will use is configured by policy (on the "Communications" tab, to be specific).

These MSG servers are often placed in the DMZ.  To illustrate, here's a diagram ripped off from page 105 of the Symantec™ Mobile Security 7.2 MR1 Implementation Guide:

msg_typical_implementation.png

This article has more information on what MSG's are and what they do:

Recommendations for Configuring a Healthy Mobile Security Gateway for Symantec Mobile Security 7.2
http://www.symantec.com/docs/TECH197866 
 

...and here's an example of what the MSG's look like, when displayed in the SMP's user interface.  In this example, there is one MSG on the SMP itself ("MICKSMS72") and one MSG in the DMZ ("EX2008EN"):

TECH197866_two_msgs.png

(Sharp-eyed readers will note that both MSG's make available for download an old version of the Android client- 7.2.0.145.  Definitely make sure that your MSG's are providing the latest and greatest- at the moment, that is SMS 7.2 MR1 hot fix 3.)

 

Hey! When I look at my MSG's, I see a scary message, "Verify Failed" or "Install Failed"

Don't panic. That's a common cosmetic issue on Windows servers that do not have the Altiris server's expected Short Date Format of YYYY-MM-DD.  This article explains all:

"Verify Failed" Messages Appear for the Mobile Security Gateway for Symantec Mobile Security 7.2
http://www.symantec.com/docs/TECH198622 
 

 

Whew!  That's Good.  But why are there two different Gateway Versions?  Did something go wrong when the SMP was upgraded? 

Nope.  When the SMP is upgraded by applying hot fixes, the version of the MSG is not automatically changed.  Here's an article with details of how the latest available release is applied to the SMP and Android clients. 

Upgrading Symantec Mobile Security 7.2
http://www.symantec.com/docs/TECH206224 
 

Though there are two different versions of the MSG (7.2.695.0 and 7.2.721.0), both work fine with any current release of SMP and the Android clients.  There's no compelling technical reason to upgrade the MSG on a functioning server.

 

If I really want to, can I get the newer MSG version deployed anyway?

Yes, but it will take a little work.  (This might be a substantial amount of work, if there are a large number of Android devices currently using that MSG.)  Here's what to do....

It's not possible to simply overwrite an existing MSG and progress it to a newer build.  In order to get a MSG up to the latest release, you must:

  1. Delete the old MSG
  2. Deploy a new MSG in its place

This is slightly complicated by the fact that the SMP will not allow a MSG to be deleted if any policies are configured to use it. So the actual steps are:

  1. Ensure that you have more than one MSG
  2. Clone your existing policy (if necessary) and change its configuration with regards to the MSG that will be used 
  3. Ensure that all Androids have received this new policy and that none are still communicating through the old MSG
  4. Delete the old MSG
  5. Deploy new MSG in its place
  6. Change the policy in use so that the Android clients communicate through their original, upgraded MSG

 

Can you walk me through that step-by-step? 

Sure.  &: )

1. Ensure that you have more than one MSG

Detailed instructions on how to create a second MSG can be found in:

Recommendations for Configuring a Healthy Mobile Security Gateway for Symantec Mobile Security 7.2
http://www.symantec.com/docs/TECH197866 
 

You might need to deploy a Symantec Management Agent ("Altiris agent") onto the second server first.  A server can't be set up as an MSG unless it has an agent that is communicating with the SMP.
 

2. Clone your existing policy (if necessary) and change its configuration with regards to the MSG that will be used

Just click "Add New Policy...."  In the window that opens, there will be a prompt "Enter a name for the new Mobile Security Policy then select an existing Mobile Security Policy to clone." 

clone_policy.png

The new policy will be created in no time.  Changing what gateway the Androids will communicate through is easy.  Just pick the desired MSG from the Policy's "Communications" tab where it says "Mobile Security Gateway that the device will communicate with."  In my example, I am creating a policy where all Androids communicate through the DMZ gateway "EX2008EN"..... 

changing_msg_in_policy.png

3. Ensure that all Androids have received this new policy and that none are still communicating through the old MSG

Make sure that there's no policy left which references the old MSG for communications, and then make all Androids check in.  "Update Device Protection" will do that.   

update_device_protection_many.png

In practice, it can take a while for all the Androids in a large organization to check in, apply their new policy settings, and begin communicating through their new MSG.  On the Mobile Security Gateway screen in the GUI, it is possible to see how many devices are connected through each MSG.  Ensure that there are no Androids still connecting through the MSG that is to be deleted- they will need to re-enroll later, if so! 

4. Delete the old MSG.

Highlight the old MSG and click the red X to delete it.  There will be a warning message if you have not completed Step 3, above!

cannot_delete_while_policies.png

If there are no policies left which call for this MSG, then the warning message will warn you if there are any Androids still using this MSG. 

deleting_msg_warning.png

Even if there are Androids that will be affected, it will be possible to click OK to proceed and delete the MSG.  Check the Symantec Management Agent on that server to make sure that the Uninstall Gateway Task has completed.

 

5.  Deploy new MSG in its place

Just click on New...

deleted_msg.png
 

Pick the server where the MSG should go by clicking "select a server" and navigating....

can_then_roll_out_a_new_msg.png

Click "OK" and the "new" MSG will soon appear in the GUI.  At first it displays with a Gateway version of 7.2.0.0 and a status of "Waiting for rollout"; this is normal.  Open the Symantec Management Agent to make sure that the Update Mobile Security Gateway task has completed successfully:

successful_msg_rollout.png

Within a few minutes both MSGs will show the latest version in the GUI:

successful_in_gui.png

6. Change the policy in use so that the Android clients communicate through their original, upgraded MSG
 

Change the MSG on the policy's "Communications" tab, as illustrated above.  If a second MSG was created for temporary use while the older one was being "upgraded," verify that no Androids are still using it and then delete it.

That's all!  The Mobile Security Gateway has been successfully upgraded.     

 

In Conclusion.... 

Many thanks for reading!

As stated above, this procedure really should not be necessary if all Androids are communicating successfully through their existing MSGs.  Please leave comments below to provide feedback, and please highlight any tips that you have discovered that other admins may find useful.

Please also comment with any requests for future articles in this series!  This illustrated guide was created due to popular demand, so perhaps your request will be, too.

 

 

Accelerator backup of Windows Cluster systems


So you have a Windows clustered file server and want to use Accelerator... but what about Windows Change Journals and NetBackup track files?

  • Windows Change Journals follow the file system, so what happens when it is moved to the new node?
  • NetBackup track files are put on the local file system (c:\Program Files….).

I did some trial and error and found the following solution; I have performed several tests and have not found anything wrong with it:

  1. Add all physical nodes to a policy which backs up C:\ and System State.

  2. Enable Change Journal in Host Properties for the client.

  3. Create a NetBackup policy for the cluster file system.
    Attributes: Enable Accelerator; the target must be MSDP (or another supported storage type)
    Client: virtual hostname for the file system
    Backup Selection: T:\ (or whatever drive letter the file system is mounted as on the cluster nodes)

  4. Run a manual first backup of the file system with the "Accelerator Forced Rescan" schedule.
    Verify that the track log is generated on the client in:
    C:\Program Files\VERITAS\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>\<backup selection>\track_journal.v?.dat

    Verify that the change journal is enabled:
    fsutil usn queryjournal t:

  5. Create a directory on the shared file system drive:
    T:\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>
    Move the content of:
    C:\Program Files\VERITAS\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>\
    to
    T:\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>

    Then link the local path to the shared path (use straight quotes; cmd.exe does not accept curly ones):
    mklink /D "C:\Program Files\VERITAS\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>" "T:\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>"

    Verify the link works using cd in the CLI or Explorer.

    Run an incremental backup and verify that it works:
    03-09-2013 16:14:38 - Info bpbkar(pid=5272) change journal enabled for <T:\>
    03-09-2013 16:14:39 - Info bpbkar(pid=5272) using change journal data for <T:\>

  6. Fail the cluster service over to the next cluster node and perform the following actions:
    Create the directory structure on the local file system (the path contains a space, so quote it or mkdir will create two directories):
    mkdir "C:\Program Files\VERITAS\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>"

    Then create the same link here:
    mklink /D "C:\Program Files\VERITAS\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>" "T:\NetBackup\track\<master server hostname>\<media server hostname>\<cluster node>\<policy name>"

    Verify the link works using cd in the CLI or Explorer.

    Open the cluster policy and close it again (the policy verification seems to sometimes contact the client and let the NBU client know that Change Journal is enabled for this file system).
    Restart the "NetBackup Client Service" on the node (this is not always necessary, but better safe than sorry).

    Run an incremental backup. The first time it returns with these messages; I think it is because Windows lost track of the USN count when the file system was moved:
    03-09-2013 16:19:53 - Info bpbkar(pid=3676) change journal enabled for <T:\>
    03-09-2013 16:19:53 - Info bpbkar(pid=3676) NOT using change journal data for <T:\>: unable to locate journal data

    Rerun the incremental; the 2nd attempt should state OK:
    03-09-2013 16:27:37 - Info bpbkar(pid=4788) change journal enabled for <T:\>
    03-09-2013 16:27:38 - Info bpbkar(pid=4788) using change journal data for <T:\>

    Repeat this section for each cluster node.

  7. Configure the alternate restore permissions on the master server. On the master server update the file(s):
    …\Veritas\NetBackup\db\altnames\<physical cluster node name>
    and insert the virtual cluster node name(s), one per line. This grants the physical node the right to restore the virtual client's backups, so list only the virtual names that node can actually host.

 

Results:

So what’s the point if it loses track after failover anyway?

I used 133,000 files, 34,000 folders and 23 GB of data for the test.

 

“server1” active, first full backup already done, no real change to files.

03-09-2013 16:14:38 - Info bpbkar(pid=5272) change journal enabled for <T:\>       

03-09-2013 16:14:39 - Info bpbkar(pid=5272) using change journal data for <T:\>      

03-09-2013 16:15:04 - Info bpbkar(pid=5272) accelerator sent 70023680 bytes out of 249973760 bytes to server, optimization 72.0%

03-09-2013 16:15:04 - Info bptm(pid=32083) waited for full buffer 6 times, delayed 1988 times   

03-09-2013 16:15:13 - Info bptm(pid=32083) EXITING with status 0 <----------       

03-09-2013 16:15:13 - Info dkaarnbume01(pid=32083) StorageServer=PureDisk:dkaarnbume01; Report=PDDO Stats for (dkaarnbume01): scanned: 244142 KB, CR sent: 15348 KB, CR sent over FC: 0 KB, dedup: 93.7%

1:35 minutes, full Accelerator support.

 

Failed over the file service to “server2”, and ran the incremental:

03-09-2013 16:19:53 - Info bpbkar(pid=3676) change journal enabled for <T:\>       

03-09-2013 16:19:53 - Info bpbkar(pid=3676) NOT using change journal data for <T:\>: unable to locate journal data

03-09-2013 16:20:57 - Info bpbkar(pid=3676) 5000 entries sent to bpdbm       

03-09-2013 16:21:12 - Info bpbkar(pid=3676) 10000 entries sent to bpdbm       

03-09-2013 16:21:32 - Info bpbkar(pid=3676) 15000 entries sent to bpdbm       

03-09-2013 16:22:24 - Info bpbkar(pid=3676) 20000 entries sent to bpdbm       

03-09-2013 16:22:42 - Info bpbkar(pid=3676) 25000 entries sent to bpdbm       

03-09-2013 16:23:07 - Info bpbkar(pid=3676) 30000 entries sent to bpdbm       

03-09-2013 16:23:28 - Info bpbkar(pid=3676) accelerator sent 188777472 bytes out of 366990336 bytes to server, optimization 48.6%

03-09-2013 16:23:28 - Info bptm(pid=529) waited for full buffer 233 times, delayed 12480 times   

03-09-2013 16:23:38 - Info bptm(pid=529) EXITING with status 0 <----------       

03-09-2013 16:23:39 - Info dkaarnbume01(pid=529) StorageServer=PureDisk:dkaarnbume01; Report=PDDO Stats for (dkaarnbume01): scanned: 358418 KB, CR sent: 20429 KB, CR sent over FC: 0 KB, dedup: 94.3%

4:51 minutes. Yes, it was slower, but notice that it only scanned approx. 30,000 entries; I believe this is because of the shared NetBackup track file.

 

Second incremental on “server2”:

03-09-2013 16:27:37 - Info bpbkar(pid=4788) change journal enabled for <T:\>       

03-09-2013 16:27:38 - Info bpbkar(pid=4788) using change journal data for <T:\>      

03-09-2013 16:28:01 - Info bpbkar(pid=4788) accelerator sent 70024704 bytes out of 249974784 bytes to server, optimization 72.0%

03-09-2013 16:28:01 - Info bptm(pid=1808) waited for full buffer 9 times, delayed 991 times   

03-09-2013 16:28:09 - Info bptm(pid=1808) EXITING with status 0 <----------       

03-09-2013 16:28:09 - Info dkaarnbume01(pid=1808) StorageServer=PureDisk:dkaarnbume01; Report=PDDO Stats for (dkaarnbume01): scanned: 244143 KB, CR sent: 15429 KB, CR sent over FC: 0 KB, dedup: 93.7%

1:32 minutes, so it is already working normally again.

 

Ran a full rescan backup on "server2" as a reference, which shows what the backup time would have been without Accelerator working:

03-09-2013 16:29:45 - Info bpbkar(pid=5824) change journal enabled for <T:\>       

03-09-2013 16:29:45 - Info bpbkar(pid=5824) NOT using change journal data for <T:\>: checksum validation requested  

03-09-2013 16:30:17 - Info bpbkar(pid=5824) 5000 entries sent to bpdbm       

03-09-2013 16:30:31 - Info bpbkar(pid=5824) 10000 entries sent to bpdbm       

--cut--

03-09-2013 16:41:18 - Info bpbkar(pid=5824) 160000 entries sent to bpdbm       

03-09-2013 16:41:44 - Info bpbkar(pid=5824) 165000 entries sent to bpdbm       

03-09-2013 16:42:13 - Info bpbkar(pid=5824) accelerator sent 797236224 bytes out of 24888171520 bytes to server, optimization 96.8%

03-09-2013 16:42:14 - Info bptm(pid=4467) waited for full buffer 1318 times, delayed 41120 times   

03-09-2013 16:42:49 - Info bptm(pid=4467) EXITING with status 0 <----------       

03-09-2013 16:42:49 - Info dkaarnbume01(pid=4467) StorageServer=PureDisk:dkaarnbume01; Report=PDDO Stats for (dkaarnbume01): scanned: 24309036 KB, CR sent: 54489 KB, CR sent over FC: 0 KB, dedup: 99.8%

14:01 minutes. It scanned all entries and ran for a much longer period, like a normal backup.
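The bpbkar lines above are easy to eyeball for one test, but on a production cluster you want to know, after every failover, whether the change journal was actually used and whether the Accelerator optimization figure is plausible. The following Python script is an added example (my own code, not part of the original article and not a NetBackup tool) that parses the bpbkar messages quoted above and flags jobs that fell back to a full scan, or whose logged optimization percentage does not match the byte counts. The sample log is constructed from the lines in this article, and the regular expressions assume the message formats exactly as shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: bpbkar lines copied from the three test runs in this
# article (one job per pid), with trailing whitespace removed.
SAMPLE_LOG = """\
03-09-2013 16:14:38 - Info bpbkar(pid=5272) change journal enabled for <T:\\>
03-09-2013 16:14:39 - Info bpbkar(pid=5272) using change journal data for <T:\\>
03-09-2013 16:15:04 - Info bpbkar(pid=5272) accelerator sent 70023680 bytes out of 249973760 bytes to server, optimization 72.0%
03-09-2013 16:15:13 - Info bptm(pid=32083) EXITING with status 0 <----------
03-09-2013 16:19:53 - Info bpbkar(pid=3676) change journal enabled for <T:\\>
03-09-2013 16:19:53 - Info bpbkar(pid=3676) NOT using change journal data for <T:\\>: unable to locate journal data
03-09-2013 16:20:57 - Info bpbkar(pid=3676) 5000 entries sent to bpdbm
03-09-2013 16:23:07 - Info bpbkar(pid=3676) 30000 entries sent to bpdbm
03-09-2013 16:23:28 - Info bpbkar(pid=3676) accelerator sent 188777472 bytes out of 366990336 bytes to server, optimization 48.6%
03-09-2013 16:29:45 - Info bpbkar(pid=5824) change journal enabled for <T:\\>
03-09-2013 16:29:45 - Info bpbkar(pid=5824) NOT using change journal data for <T:\\>: checksum validation requested
03-09-2013 16:41:44 - Info bpbkar(pid=5824) 165000 entries sent to bpdbm
03-09-2013 16:42:13 - Info bpbkar(pid=5824) accelerator sent 797236224 bytes out of 24888171520 bytes to server, optimization 96.8%
"""

_PID = r"bpbkar\(pid=(\d+)\)"
RE_ENABLED = re.compile(_PID + r" change journal enabled for <([^>]+)>")
RE_USING = re.compile(_PID + r" (NOT )?using change journal data for <[^>]+>(?::\s*(.*?))?\s*$")
RE_ENTRIES = re.compile(_PID + r" (\d+) entries sent to bpdbm")
RE_ACCEL = re.compile(
    _PID + r" accelerator sent (\d+) bytes out of (\d+) bytes to server, optimization ([\d.]+)%")


@dataclass
class JobStats:
    """What one bpbkar run tells us about change journal use and Accelerator savings."""
    pid: int
    volume: Optional[str] = None
    journal_enabled: bool = False
    journal_used: Optional[bool] = None   # None: no "using" line seen
    reason: str = ""                       # why the journal was not used
    entries_scanned: int = 0               # highest "N entries sent to bpdbm"
    bytes_sent: Optional[int] = None
    bytes_total: Optional[int] = None
    logged_optimization: Optional[float] = None

    def computed_optimization(self) -> Optional[float]:
        """Recompute the optimization percentage from the byte counts."""
        if not self.bytes_total:
            return None
        return round(100.0 * (1 - self.bytes_sent / self.bytes_total), 1)


def parse_bpbkar(text: str) -> Dict[int, JobStats]:
    """Group the bpbkar messages by pid and extract the fields we care about."""
    jobs: Dict[int, JobStats] = {}

    def job(pid: str) -> JobStats:
        return jobs.setdefault(int(pid), JobStats(int(pid)))

    for line in text.splitlines():
        if m := RE_ENABLED.search(line):
            j = job(m.group(1))
            j.journal_enabled, j.volume = True, m.group(2)
        elif m := RE_USING.search(line):
            j = job(m.group(1))
            j.journal_used = m.group(2) is None     # "NOT " absent means it was used
            j.reason = m.group(3) or ""
        elif m := RE_ENTRIES.search(line):
            j = job(m.group(1))
            j.entries_scanned = max(j.entries_scanned, int(m.group(2)))
        elif m := RE_ACCEL.search(line):
            j = job(m.group(1))
            j.bytes_sent, j.bytes_total = int(m.group(2)), int(m.group(3))
            j.logged_optimization = float(m.group(4))
    return jobs


def audit(jobs: Dict[int, JobStats], tolerance: float = 0.1) -> List[str]:
    """Flag jobs that fell back to a full scan, and logged figures that do not add up."""
    findings: List[str] = []
    for pid, j in sorted(jobs.items()):
        if j.journal_enabled and j.journal_used is False:
            findings.append(
                f"pid {pid}: full scan of {j.volume} ({j.entries_scanned} entries): {j.reason}")
        calc = j.computed_optimization()
        if calc is not None and j.logged_optimization is not None \
                and abs(calc - j.logged_optimization) > tolerance:
            findings.append(
                f"pid {pid}: logged optimization {j.logged_optimization}% but bytes give {calc}%")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bpbkar(SAMPLE_LOG)):
        print(finding)
```

Run it against the job details of every incremental after a failover: the "unable to locate journal data" finding is the expected one-off described in step 6, while "checksum validation requested" is the forced rescan, and anything else that appears repeatedly means the shared track directory or the link on that node is wrong.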

Troubleshooting a mailbox that will not archive in Enterprise Vault


One of the most common questions asked by Enterprise Vault administrators on the Symantec Connect forums is: “Why does this mailbox not get archived?”. There are many different reasons why the mailbox may not be archiving, and in this article we'll go through several of them.

Finding Out

Finding out that a mailbox is not being archived is always something of a challenge. You can of course review the Exchange Mailbox Archiving Reports, but they might only give you part of the picture. Usually it involves the user, perhaps some time after the 'problem' started, contacting the help desk and raising a ticket for items which they perceive are not getting archived when they should.

Simply a change in policy

Users aren't necessarily the best at determining why some items are not being archived when they believe they should be. Often a user is used to certain items or folders being archived, and then, because a policy has changed server side, the items are no longer eligible, or take longer to become eligible. So a simple change in policy can lead to an end user contacting the help desk and reporting an issue which is in fact a non-issue, at least as far as the server or configuration goes.

For these types of things it is always worthwhile, when changing policies that will affect end users, to firstly communicate the change to end users, and secondly ensure that the help desk is capable of diagnosing this as the source of the end-user 'problem'. That too involves communication, perhaps at a much deeper level than to end users.

Disabled account or hidden mailbox?

The first real cause to check is whether the user's Active Directory account has been disabled. By default Enterprise Vault does not archive mailboxes whose account is disabled. Likewise, the mailbox might be hidden from the Exchange Address Book; just as with disabled accounts, hidden mailboxes are not archived by default.

It is possible to look at the ExchangeMailboxEntry table in SQL to see what was found for these two attributes the last time the provisioning task ran. Better, of course, is to look at the properties of the account in Active Directory:

ts-01.png

Check to see if it is disabled. There are a couple of ways to see whether the account is hidden from the address book. Firstly, if you open Outlook with an online Outlook profile (rather than cached mode) you will see the online address book. Secondly, you can check the properties of the mailbox in the Exchange Management Console:

ts-02.png

Removed from provisioning group?

Sometimes users might be moved, deliberately or accidentally, to a different provisioning group, which then affects what gets archived. Deliberately moving a user might be because they need a different policy; for example you might have different provisioning groups for users with laptops versus desktops. A side effect, though, might be that the new provisioning group has a slightly different archiving policy too, leaving items un-archived when it is expected that they should be.

Accidentally moving provisioning groups is more common than you might think. Take for example provisioning based on end users' Active Directory group membership, or even the Organizational Unit their account resides in. Should you remove them from a group, or add them to a different group, then you may accidentally have changed both their desktop policy and their mailbox archiving policy.

Disabled from EV archiving?

Sometimes a user's mailbox will have been disabled from archiving by an administrator. This can be seen in the mailbox archiving report to start with:

ts-03.png

Sometimes this disabling from archiving will result in an end user contacting the help desk to say that things don't appear to be being archived. For these situations the help desk needs a quick way to validate that the underlying issue is that the user has been disabled from archiving, and not some deeper configuration issue. One option is to ensure that the mailbox archiving reports are available to help desk staff, or even have them emailed to a group mailbox each day.

User set 'Do Not Archive' at a high level?

If end users use Microsoft Outlook, and they have the client set to 'full' rather than 'light', then they may have the option to change the archiving policy on particular folders. Either deliberately or accidentally they may have set a folder, at a high level, to be excluded from archiving, as can be seen here:

ts-04.png

Of course they might have set that on the Inbox, which will usually stop a large number of messages from being archived, and worse, they may have selected the root of the mailbox:

ts-05.png

That effectively stops everything in the mailbox from being archived.

If you use the Mailbox Archiving Report and expand the details, you get the number of folders marked as 'do not archive', which is very helpful!

ts-06.png

Moved to a different mailbox server?

From time to time in a multiple-mailbox-server environment end users might have their mailbox moved from one server to another. In some situations this can lead to the mailbox not getting processed by an archiving task; for example the target server may not even have an archiving task, or it may operate on a completely different schedule.

Wrong mix of policy settings?

Sometimes in a purely quota-based archiving situation it might seem that items are not being archived, when really that is perfectly normal: the mailbox could simply be under the quota, and under the quota percentage set in its associated policy. To check whether that is the case we can do some rudimentary checks in SQL, or if you are also an Exchange administrator you can check on the Exchange side instead. I'll go with the SQL side, since an EV administrator might have access to SQL but not to Exchange.

So, first of all run this query...

Select * from ExchangeMailboxEntry where MbxDisplayname = 'ABC'

 

ts-07.png

Secondly, have a look at the policy that applies to the user. It might be straightforward in your environment with a small number of policies, but if you have a large number of policies the best way to find the right one is as follows:

1. Open the Vault Admin Console

2. Navigate to the site level, then expand Targets

3. Right click on 'Exchange' and choose 'Display Policies Assigned to Mailboxes'

4. Enter a good filter to limit the result list, and do the search for the mailbox you are interested in

Now, the SQL query shows the current mailbox size and the quotas imposed, and the policy shows the percentage below which the EV Archiving Task won't need to archive anything.

Summary

As you can see there are many different ways that a mailbox can end up being excluded, or partially excluded, from archiving. Some are accidental, like moving users between Active Directory groups or Organizational Units; others are more deliberate, like users stopping archiving on top-level folders in the mailbox.

Hopefully this article has given you an insight into many of the different causes of 'why isn't this mailbox being archived'. I'm sure that there are other obscure reasons too. Let me know if you have encountered these or other issues in the comments...

Installation of the Symantec Protection Engine - Graphical Steps


In the previous article:

https://www-secure.symantec.com/connect/articles/i...

we gave a basic introduction to Symantec Protection Engine. In this article we will go through the installation of SPE.

Before installing SPE you need to make sure the JRE is installed. Please note that SPE only supports the 32-bit JRE.

1. Start the installation:

SPE_Install_01.png

2. Accept the license:

SPE_Install_02.png

3. The installation location:

SPE_Install_03.png

4. Select the authentication method:

SPE_Install_04.png

The new version of SPE also supports Active Directory-based authentication.

5. Input the password of the administrator:

SPE_Install_05.png

6. Accept the administrator port and SSL port:

SPE_Install_06.png

7. URL filtering option:

SPE_Install_07.png

8. Start the installation:

SPE_Install_08.png

9. Finish the installation:

SPE_Install_10.png

10. Launch IE and browse to https://localhost:8004

SPE_Install_11.png

11. On the Security Warning window, click the 'Continue' button:

SPE_Install_13.png

12. On the applet window, click the 'Run' button:

SPE_Install_14.png

13. On the Security Warning window, click the 'Don't Block' button:

SPE_Install_16.png

14. Input the administrator credentials:

SPE_Install_17.png

15. You need to install a license to enable SPE:

SPE_Install_18.png

16. Install your license:

SPE_Install_19.png

17. The functions of SPE will be enabled after the license is installed:

SPE_Install_20_0.png

SMP Resource Key Creation Logic for Mac OS Client Computers


The following describes how the values for the resource keys are created on Mac clients. Run 'aex-helper info resource' on any Unix, Linux or Mac client that has the SMP agent installed to see the resource keys and their values for that machine. 

For 7.1 SP2 and above for Mac

1. First ‘name.domain’ resource key

When Targeted Agent Settings are set to Computer:

   A. Name: the value in System Preferences Sharing UI
   B. Domain: empty

 

When Targeted Agent Settings are set to DNS:

   A. Name: if the nodename or hostname resolves, use the DNS name. If the hostname is empty, use the nodename.
   B. Domain: if the nodename or hostname resolves, use the DNS domain. Otherwise, use the local system call domainname. If the domain name is empty, OR if the targeted agent setting to use /etc/resolv.conf is checked, then use the /etc/resolv.conf domain.

 

2. ‘fqdn’ resource key

    A. Concatenation of the values for first 'name.domain' key when targeted agent settings are set to DNS. The ‘fqdn’ key is reported if it differs from the first ‘name.domain’ key.

 

3. Second ‘name.domain’ resource key

    A. This is a copy of the ‘fqdn’ resource key and is used for backward compatibility with NS6. The second ‘name.domain’ key is reported only if it differs from the first ‘name.domain’ key.

 

4. ‘macaddress’ resource key

    A. Contains the mac addresses of the client computer. 

 

5. ‘uniqueid’ resource key

    A. This is composed of ComputerID, MotherboardID and MAC address. However, on Mac clients the ComputerID and MotherboardID are blank, so this is literally a hash of the MAC address values. If you find that you must exclude 'macaddress' as a resource key for Mac clients, then 'uniqueid' should also be excluded, since it carries the same information.

 

 

7.5 for Mac

An additional 'name.domain' resource key is added for Mac computers bound to an Active Directory domain. This 'name.domain' key contains the organizational values, e.g. 'OU=…'. It shows as the second 'name.domain' key and is only reported if it differs from the first 'name.domain' key.
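To make the precedence rules above concrete, here is an added Python example (my own code, not the SMP agent's) that implements one reading of the DNS-mode rules for the first 'name.domain' key, and the "reported only if it differs" rule for the 'fqdn' key. The resolver, the Sharing name and the domain values are injected so that it runs offline; the sample inputs are constructed, and the order in which the agent tries the hostname versus the nodename is my assumption, as the article only says "if nodename or hostname resolve".

```python
from typing import Callable, Dict, Optional, Tuple

# Injected resolver: short name -> FQDN, or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def _split_fqdn(fqdn: str) -> Tuple[str, str]:
    """'mac01.corp.example.com' -> ('mac01', 'corp.example.com')."""
    name, _, domain = fqdn.partition(".")
    return name, domain


def first_name_domain(setting: str, sharing_name: str, nodename: str, hostname: str,
                      resolve: Resolver, system_domainname: str,
                      resolv_conf_domain: str, use_resolv_conf: bool) -> Tuple[str, str]:
    """Value (name, domain) of the first 'name.domain' key for a Mac client.

    setting is the Targeted Agent Setting, "Computer" or "DNS".  Assumption
    (mine, not stated in the article): in DNS mode the hostname is tried first
    and the nodename second.
    """
    if setting == "Computer":
        # Name comes from System Preferences > Sharing; domain is left empty.
        return sharing_name, ""
    if setting != "DNS":
        raise ValueError(f"unknown targeted agent setting {setting!r}")

    # If nodename or hostname resolves, both parts come from DNS.
    for candidate in (hostname, nodename):
        if candidate and (fqdn := resolve(candidate)):
            return _split_fqdn(fqdn)

    # Nothing resolved: hostname, falling back to nodename when hostname is empty.
    name = hostname or nodename
    # Domain from the local domainname call, unless it is empty or the
    # "use /etc/resolv.conf" setting is checked, in which case resolv.conf wins.
    domain = system_domainname
    if not domain or use_resolv_conf:
        domain = resolv_conf_domain
    return name, domain


def reported_keys(first: Tuple[str, str], dns_first: Tuple[str, str]) -> Dict[str, str]:
    """Keys the agent reports: 'fqdn' (the DNS-mode name.domain) is included only
    when it differs from the first 'name.domain' key; the second 'name.domain'
    copy described in the article follows the same rule."""
    def join(pair: Tuple[str, str]) -> str:
        return ".".join(part for part in pair if part)

    keys = {"name.domain": join(first)}
    fqdn = join(dns_first)
    if fqdn != keys["name.domain"]:
        keys["fqdn"] = fqdn
    return keys


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS.
    table = {"mac01": "mac01.corp.example.com"}
    first = first_name_domain("Computer", "Dev Mac", "mac01", "mac01", table.get, "", "", False)
    dns = first_name_domain("DNS", "Dev Mac", "mac01", "mac01", table.get, "", "", False)
    print(reported_keys(first, dns))
```

The practical reason to walk through this is the merge behaviour it implies: two Macs whose Sharing names collide in Computer mode, or that share MAC addresses (and therefore the same 'uniqueid'), can end up matched to one resource record, so check 'aex-helper info resource' on both before excluding any key.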


Faking drivers in GSS 2.5.1 for WinPE 3.1


We now return to “As the Ghost Solution Suite Turns”

Last time, we learned that WinPE 2.0 was replaced by its evil twin, WinPE3.1!

(https://www-secure.symantec.com/connect/articles/creating-and-using-winpe31-image-gss-251)

 

You may be yelling at your TV right now “don’t, it’s a trap!  Everyone will know you are the evil twin when you still can’t load the driver I need!”

GSS can "load" any network or storage driver you want.  I say "load" in quotes because it just checks for info in a manifest, and if the info is there, it lets the process continue.  Go back to your COMMON folder under ProgramData\Symantec\Ghost\Template\COMMON and find your new PE3 folder again.  Inside it you will see the following 2 files:

1. drivers.manifest.txt
2. pci.manifest.txt

Make copies of both of them and add " - Original" to the names so you keep the working ones.

Open drivers.manifest.txt.  You will see a lot of entries that look like this:

"Intel I217" = {
        class = network,
        selected = 0x1,
        drivers = ({
            path = "Broadcom.DGE-500SX\\NETDGE.INF",
            os = ("VISTA")
        })
    },

You know what is interesting about the one I just listed?  It says Intel I217 but points to a Broadcom driver.  That is because I made it up and inserted it into the file as a dummy entry to make GSS think it has a driver.  "class =" can be either NETWORK or STORAGE.  "selected" is whether it thinks the box is selected.  "drivers" is where the file is (borrow one you already added), and "os" lists the OS boxes that would be checked, separated by spaces if you care about more than one, e.g. os = ("VISTA" "2008").

Put in a placeholder like I did, and save it.  Now we move on to the other one.

Open pci.manifest.txt.  This one is a little more fun.  If you have tried to run the PE3.1 image from the last article and got a missing driver error in the "To Virtual Partition" step, this is where the magic happens.  The error gives you the info for the missing driver.  Pay extra attention to the following items it lists: a name, "PCI Vendor: 0x...", "PCI Device: 0x..." and "PCI Subsystem: 0x...".  Look at the items in your pci.manifest.txt.  Entries in this file look like this:

} {
    0x8086 = {
        0x2682 = (0xb0031458 0x31fe103c 0x898015d9 0x888015d9 0x848015d9 0x838015d9 0x818015d9 0x808015d9 0x31fe1014 0x2dd1014 0x3321014 0xb0031458 0x31fe103c 0x898015d9 0x888015d9 0x848015d9 0x838015d9 0x818015d9 0x808015d9 0x31fe1014 0x2dd1014 0x3321014),
        0x27c3 = (0x798015d9 0x918015d9 0x778015d9 0x2fc1014 0x2fd1014 0x2fe1014 0x3206103c 0x798015d9 0x918015d9 0x778015d9 0x2fc1014 0x2fd1014 0x2fe1014 0x3206103c)
    }
} {

Can you find a set that matches the 0x vendor code?  You may have more than one!  Each driver set you added adds its own entry in this table.  You will see lots of 0x8086, because that is Intel.  If you found one, piggyback on it (I recommend in the middle; it is easier to make sure the punctuation is correct).  Copy a line from inside it and paste it in.  Change the device ID on your pasted line to the PCI Device it gave you in the failure.  Change the numbers inside the parentheses to match the Subsystem ID.  Put a comma at the very end if your line is in the middle of the entry set.

You should end up with a line like this

0x153a = (0x1998103c),

in the middle of that set.  Save your file.  The next time you restore with it you should not get the error.  If you get the error "failed to load the driver manifest", you probably missed a comma.  Good thing you kept the originals!  Try it again.  Those braces and commas are everywhere.
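Because a missing comma is the usual way this edit goes wrong, it is worth checking the vendor block before rebooting into the PE image. The following Python example is added here (my own code, not part of GSS or the original article) and parses a vendor block in the shape shown above, adds the device/subsystem pair from the error message, and writes the block back out with the commas placed for you. It assumes only what the excerpt shows: comma-separated `vendor = { device = (subsystem ...) }` entries, space-separated hex IDs inside the parentheses. The sample block is constructed from the Intel entry above with shortened ID lists; how GSS itself tokenizes the file is not documented on this page, so treat the validator as a sanity check, not as the real parser.

```python
import re
from typing import Dict, List

# One token per hex id or punctuation mark; whitespace between tokens is ignored.
_TOKEN = re.compile(r"\s*(0x[0-9A-Fa-f]+|[=(){},])")

VendorTable = Dict[str, Dict[str, List[str]]]   # vendor -> device -> [subsystem ids]


def tokenize(text: str) -> List[str]:
    """Split a manifest fragment into hex ids (lower-cased) and punctuation."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            if not text[pos:].strip():
                break
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:pos + 20]!r}")
        tokens.append(m.group(1).lower())
        pos = m.end()
    return tokens


class _Parser:
    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: str) -> None:
        if self.peek() != expected:
            raise ValueError(f"expected {expected!r} but found {self.peek()!r} at token {self.i}")
        self.i += 1

    def hex_id(self) -> str:
        tok = self.peek()
        if tok is None or not tok.startswith("0x"):
            raise ValueError(f"expected a PCI id but found {tok!r} at token {self.i}")
        self.i += 1
        return tok


def parse_vendor_blocks(text: str) -> VendorTable:
    """Parse one or more 'vendor = { device = (subsystem ...), ... }' blocks.

    A missing comma between two device lines surfaces here as
    "expected ',' or '}' but found '0x....'", which is the mistake the article
    says produces 'failed to load the driver manifest' in GSS.
    """
    p = _Parser(tokenize(text))
    table: VendorTable = {}
    while p.peek() is not None:
        vendor = p.hex_id()
        p.take("=")
        p.take("{")
        devices: Dict[str, List[str]] = {}
        while True:
            device = p.hex_id()
            p.take("=")
            p.take("(")
            subs: List[str] = []
            while p.peek() != ")":
                subs.append(p.hex_id())
            p.take(")")
            devices[device] = subs
            if p.peek() == ",":
                p.i += 1
                continue
            if p.peek() != "}":
                raise ValueError(f"expected ',' or '}}' but found {p.peek()!r} at token {p.i}")
            p.i += 1
            break
        table[vendor] = devices
        if p.peek() == ",":          # tolerate a comma between vendor blocks
            p.i += 1
    return table


def render(table: VendorTable) -> str:
    """Write the table back out; the comma after each device line is decided here."""
    lines: List[str] = []
    for vendor, devices in table.items():
        lines.append(f"    {vendor} = {{")
        items = list(devices.items())
        for n, (device, subs) in enumerate(items):
            comma = "," if n < len(items) - 1 else ""
            lines.append(f"        {device} = ({' '.join(subs)}){comma}")
        lines.append("    }")
    return "\n".join(lines)


def add_device(text: str, vendor: str, device: str, subsystem: str) -> str:
    """Add the device/subsystem pair reported by the 'To Virtual Partition' error."""
    table = parse_vendor_blocks(text)
    subs = table.setdefault(vendor.lower(), {}).setdefault(device.lower(), [])
    if subsystem.lower() not in subs:
        subs.append(subsystem.lower())
    return render(table)


def check_manifest_block(text: str) -> str:
    """Return '' if the block parses, otherwise the parser's complaint."""
    try:
        parse_vendor_blocks(text)
    except ValueError as err:
        return str(err)
    return ""


# Constructed sample: the Intel (0x8086) block from the article with shortened id lists.
SAMPLE_BLOCK = """\
    0x8086 = {
        0x2682 = (0xb0031458 0x31fe103c 0x898015d9),
        0x27c3 = (0x798015d9 0x918015d9 0x778015d9)
    }"""

if __name__ == "__main__":
    print(add_device(SAMPLE_BLOCK, "0x8086", "0x153a", "0x1998103c"))
```

Paste only the vendor block (from `0x8086 = {` to its closing brace) into `add_device`, copy the rendered result back over the block in pci.manifest.txt, and keep the " - Original" copies exactly as the article advises; the renderer appends the new device at the end rather than in the middle, which is fine because it also decides where the commas go.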

Server Documentation, SQL and Monitor Solution 7.1


Today I'm going to talk about something that server admins fear the most. Server Documentation.

Introduction
1. First Steps -What Policies Apply to What Computers?
   1.1 Monitor Solution's Policy Guid
   1.2 Getting a list of all Enabled Monitor Solution Policies
   1.3 Enabled Monitor Policies by Computer
2. Formatting Revision for "Enabled Policies by Computer"
3. The Final SQL

As we all know, installing a server, configuring it and then generally playing with it (often till it breaks) is fun. But the moment you want a server to move into production, you just know someone is going to ask that fearsome question: "... and where is the documentation?". The emotional impact of this question should not be underestimated; it can be so severe that it results in a rather unsightly Administrator Implosion Event.

But documentation is important. The process is critical to confirm that what you think you've done is what you have done. It's also really rather helpful in the future when you need to make some changes or, as can often be the case, undo them.

So here's me nearly at that point of making a Monitor Solution 7.1 server live in our environment. I decided to avoid an AIE by documenting the setup, and very quickly I realised how complex documenting Monitor Solution is. Apart from all the usual bread-and-butter server installation and agent deployment bits, we need to consider:

  1. Policy documentation
  2. Rule documentation
  3. Metric documentation

And there is really quite a lot there. Doing this manually is just soul destroying, so I opened up a SQL window on the server and started to see what I could do to automate the task. After a couple of days the end result was very satisfying; I'd created a process for dumping the monitor server configuration in a format detailed enough to convince me that it was a job well done.

As there is so much to my thought process on approaching this, I've decided to make this a small series of bite-sized articles. This first article will focus on how to present a summary of computers with their policies, so you can easily include Word graphics like the one below in your server docs:

 Mon_Rep1.png

This is quite a useful report. When I first ran it I found  a machine which had fallen through the net and didn't have any policies applied. 

 

1. First Steps -What Policies Apply to What Computers?

Before we can write out the full SQL for this report, we first need to find the T-SQL which exposes our Monitor policies. The first step is to find the policy class guid applicable to Monitor Solution.

 

1.1 Monitor Solution's Policy Guid

The view vItemClass lists all classes created by the solutions installed on the SMP, so my first query was:

SELECT type, guid
FROM   vitemclass
WHERE  type LIKE '%Monitor%'

Now, what I expected here was a type which would ring bells for agentless and agent-based monitor policies, only there wasn't one. Instead I got 87 rows of types, none of which looked like a Monitor Policy object. So you can see what these types look like, below is a small sample of the output.

 

Type | Guid
Altiris.Monitor.Common.Metrics.MetricPort | 4AC48F2E-8F56-43D7-8FE3-02BADF6FB1EB
Altiris.Monitor.Solution.ImportMonitorPack.ScheduleMonitorPack | ED31F2A4-9099-42AA-9FBB-03C9CE75530D
Altiris.Monitor.Common.Metrics.MetricIpmi | 235A6CAB-FAEE-4AC7-AB32-050EE43C065C
Altiris.Monitor.Solution.ECMsgSubscriber | 522B0B17-A721-4254-BDFA-08A77A36B208
Altiris.Monitor.Solution.NSMsgSubscriber | BBE14D8D-1C13-4858-9953-0AA57D93C7B5
Altiris.Monitor.Common.Metrics.MetricAgentlessWmi | 226CDBE8-0197-4A56-A32F-0DB83777E879
Altiris.Monitor.Solution.ImportMonitorPack.MonitorPackInDatabase | 3FC776B5-F42E-4512-946F-116340288758
Altiris.Monitor.Common.SiteServer.SiteServerConfigurationPolicy | 604EFC00-0258-430A-9A28-13C4F91595A2
........

 

A quick scouring of CONNECT helped here, with Andrew Bosch's response to a forum request. The user was asking for a query to find all targets associated with a policy. This query used the policy class guid '0821A65B-5338-464C-824D-9F7CEC48EA56' for monitor policies.

If we put this into our vItemClass query, however, we see it won't be quite enough:

select Type from vItemClass where Guid like '0821A65B-5338-464C-824D-9F7CEC48EA56'

Type
Altiris.Monitor.Common.MonitorPack.MonitorPackAgentBased

 

This was a surprise; this only gives us the agent-based policy type. As agentless types also exist, there must be another Guid:

SELECT type, guid
FROM   vitemclass
WHERE  type LIKE 'Altiris.Monitor.Common.MonitorPack.MonitorPack%'

This is much more revealing:

Type | Guid
Altiris.Monitor.Common.MonitorPack.MonitorPackAgentLess | F4767927-21AF-4875-B1B0-400852689DB1
Altiris.Monitor.Common.MonitorPack.MonitorPackAgentBased | 0821A65B-5338-464C-824D-9F7CEC48EA56
Altiris.Monitor.Common.MonitorPack.MonitorPackFolder | 3334B352-C022-4E0A-9640-A297D1E3DAC4

This means that in order to capture both agent-based and agentless policies we'll need two guids: 'F4767927-21AF-4875-B1B0-400852689DB1' and '0821A65B-5338-464C-824D-9F7CEC48EA56'.
 
 

1.2 Getting a list of all Enabled Monitor Solution Policies

Now we know which ClassGuids to look for, we can get a list of all policies with the following SQL, which joins the Item and ItemClass tables to extract Monitor Solution policies:

SELECT name
FROM   item
       JOIN itemclass
         ON item.guid = itemclass.guid
WHERE  itemclass.classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
        OR itemclass.classguid = 'F4767927-21AF-4875-B1B0-400852689DB1'
ORDER  BY name ASC
 
 
Now whilst this SQL is technically correct, it is frowned upon because querying the Item table directly is inefficient (it tends to be large on a production system). Instead, best practice is to use the much faster view vNonResourceItem, which avoids querying resources unnecessarily:
 
 
SELECT name
FROM   vnonresourceitem
       JOIN itemclass
         ON vnonresourceitem.guid = itemclass.guid
WHERE  itemclass.classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
        OR itemclass.classguid = 'F4767927-21AF-4875-B1B0-400852689DB1'
ORDER  BY name ASC
 
 
This query is fast and reveals 135 monitor policies on my system. However, only a fraction of these policies are deployed to my server estate, so we now need to improve the query to check for enabled policies only. The solution to this also comes from Andrew Bosch's post, where he uses the view vPolicyAppliesToResource, which stores policies, their state and the resources targeted. With the help of another join, this view allows us to update the above query so that it exposes only enabled Monitor Policies:
 
 
SELECT DISTINCT [name]
FROM   vnonresourceitem
       JOIN vpolicyappliestoresource
         ON vnonresourceitem.guid = vpolicyappliestoresource.policyguid
WHERE  ( classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
          OR classguid = 'F4767927-21AF-4875-B1B0-400852689DB1' )
       AND enabled = 1
ORDER  BY [name]
 

This works a treat,

Name
Altiris Deployment 6.x Servers : Express Services
Altiris Deployment 6.x Servers: AxEngine Activity
Altiris Deployment 6.x Servers: DBManager Activity
Altiris Deployment 6.x Servers: PXE Manager
Altiris Deployment 6.x Servers: PXE Services
Altiris Deployment 6.x Server : WOLProxy Check
Basic Server Monitoring (Disk and CPU)
File Servers (Agent-based)
 
So, now I'm pretty close to getting what I want: a report of computers detailing all the Monitor policies applied to them.
 

1.3 Enabled Monitor Policies by Computer

As the vPolicyAppliesToResource view links computers to policies, the computer Guids are already available in the previous query. To convert these to computer names requires just one more join, this time to the vComputer view, as follows,
 
--Query to list all computers with monitor policies applied
SELECT vc.name               AS 'Computer',
       vnonresourceitem.name AS 'Policy'
FROM   vpolicyappliestoresource
       JOIN vcomputer vc
         ON vpolicyappliestoresource.resourceguid = vc.guid
       JOIN vnonresourceitem
         ON vnonresourceitem.guid = vpolicyappliestoresource.policyguid
WHERE  ( classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
          OR classguid = 'F4767927-21AF-4875-B1B0-400852689DB1' )
       AND enabled = 1
ORDER  BY vc.name ASC
 
 
 
Computer      Policy
ALTIRIS-FS    Basic Server Monitoring (Disk and CPU)
ALTIRIS-FS    File Servers (Agent Based)
ALTIRIS-DS6A  Altiris Deployment 6.x Servers: PXE Services
ALTIRIS-DS6A  Altiris Deployment 6.x Servers : Express Services
ALTIRIS-DS6A  Basic Server Monitoring (Disk and CPU)
ALTIRIS-DS6B  Altiris Deployment 6.x Servers: DBManager Activity
ALTIRIS-DS6B  Altiris Deployment 6.x Servers: AxEngine Activity
ALTIRIS-DS6B  Altiris Deployment 6.x Servers: PXE Manager
ALTIRIS-DS6B  Basic Server Monitoring (Disk and CPU)
......
 
My only objection to this report as it stands is the formatting. It is not easy to read, which means gleaning information from it requires that little bit of extra concentration. A few things need to change before we have a report which is easy on the eye whilst still being informative,
 
  1. We need to remove the multiple instances of the server name from the left hand column
  2. We need all the policies for each server combined onto a single line
  3. We need to arrange the policies in order of policy dominance 
The last requirement sounds odd, but I'm a pattern-recognition kind of guy. When looking at a list of policies on a machine, I want them listed in a known and useful way. Alphabetical ordering is fine for machine names, but for the policy list on a machine it would be more interesting to order by a useful metric, so that the ordering itself imparts an extra level of information. I concluded that I'd like the policies arranged by dominance: the more widely a policy is distributed across the server estate, the higher it appears in the list.
 
 
 

2. Formatting Revision for "Enabled Policies by Computer" 

To get this more intuitive formatting, we'll need to tackle how to create this ordered list of policies by dominance. For SQL lovers, this is easy. We have already the list of policies by computer, so we just group the policies by GUID and count the number of machines in each,
 
SELECT vnonresourceitem.name,
       Count(*) AS 'Count'
FROM   vpolicyappliestoresource
       JOIN vcomputer vc
         ON vpolicyappliestoresource.resourceguid = vc.guid
       JOIN vnonresourceitem
         ON vnonresourceitem.guid = vpolicyappliestoresource.policyguid
WHERE  ( classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
          OR classguid = 'F4767927-21AF-4875-B1B0-400852689DB1' )
       AND enabled = 1
GROUP  BY vnonresourceitem.guid,
          vnonresourceitem.name
ORDER  BY [count] DESC,
          vnonresourceitem.name
 
 
For my setup, this gave a nice little table,
 
Name                                                 Count
Basic Server Monitoring (Disk and CPU)               23
SQL Server Basic Monitor                             11
Altiris Deployment 6.x Servers : Express Services    3
Altiris Deployment 6.x Servers: AxEngine Activity    3
Altiris Deployment 6.x Servers: DBManager Activity   3
......
 
So what we need to do now is create a table which lists computers with their policies, plus an extra column for this total policy count. This count allows us to order the policies on each computer by overall policy dominance.
 
In terms of SQL, this means joining the results of the computers and policies select, with the select above for policies and their counts. If we call the above table PolicyCount then this SQL would look like,
 

SELECT vc.name          AS 'Computer',
       policycount.name AS 'Policy',
       policycount.guid AS 'Policy Guid',
       policycount.count
FROM   vcomputer vc
       JOIN vpolicyappliestoresource
         ON vc.guid = vpolicyappliestoresource.resourceguid
       JOIN policycount
         ON vpolicyappliestoresource.policyguid = policycount.guid
ORDER  BY vc.name ASC,
          policycount.count DESC
 
 
Which isn't too bad looking. But PolicyCount doesn't exist, except as another T-SQL Select statement. So let's now fill this in...
 
SELECT vc.name          AS 'Computer',
       PolicyCount.name AS 'Policy',
       PolicyCount.guid AS 'Policy Guid',
       PolicyCount.count
FROM   vcomputer vc
       JOIN vpolicyappliestoresource
         ON vc.guid = vpolicyappliestoresource.resourceguid
       JOIN (SELECT vnonresourceitem.name,
                    vnonresourceitem.guid,
                    Count(*) AS 'Count'
             FROM   vpolicyappliestoresource
                    JOIN vcomputer vc
                      ON vpolicyappliestoresource.resourceguid = vc.guid
                    JOIN vnonresourceitem
                      ON vnonresourceitem.guid = vpolicyappliestoresource.policyguid
             WHERE  ( classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
                       OR classguid = 'F4767927-21AF-4875-B1B0-400852689DB1' )
                    AND enabled = 1
             GROUP  BY vnonresourceitem.guid,
                       vnonresourceitem.name) PolicyCount
         ON vpolicyappliestoresource.policyguid = PolicyCount.guid
ORDER  BY vc.name ASC,
          PolicyCount.count DESC
 
 
This looks daunting, it has to be said, but if you mentally delete the inner SQL for the PolicyCount table it becomes more digestible. It now gives me a nice list of computers (ordered by name) and policies (ordered by dominance). File this away mentally (if you can) as the SQL SELECT statement that provides a table called OrderedPolicies.
 
On my setup the output looks like,
 
Computer     | Policy                                             | Policy Guid                          | Count
ALTIRIS-FS   | Basic Server Monitoring (Disk and CPU)             | 7B3B7ED6-B3AA-46FC-B401-812BB9AD1725 | 23
ALTIRIS-FS   | File Servers (Agent Based)                         | 3A028371-EE4C-4B5B-B78F-ED071DFBAC69 | 2
ALTIRIS-DS6A | Altiris Deployment 6.x Servers: PXE Services       | 873EFE24-0E2F-400C-93D1-C4A1A0698AD9 | 3
ALTIRIS-DS6A | Altiris Deployment 6.x Servers : Express Services  | 2B036DCC-2E21-4AA0-A276-C54EF9EAA562 | 3
ALTIRIS-DS6A | Basic Server Monitoring (Disk and CPU)             | 7B3B7ED6-B3AA-46FC-B401-812BB9AD1725 | 23
ALTIRIS-DS6B | Altiris Deployment 6.x Servers: DBManager Activity | D852DBE4-3802-406F-81B0-7BAC785B3DFF | 3
ALTIRIS-DS6B | Altiris Deployment 6.x Servers: AxEngine Activity  | AF551FA9-9065-40B4-A3E7-127E0626458E | 3
ALTIRIS-DS6B | Altiris Deployment 6.x Servers: PXE Manager        | 3303BA68-1EB0-46C5-B755-47F637BB1EFA | 3
ALTIRIS-DS6B | Basic Server Monitoring (Disk and CPU)             | 7B3B7ED6-B3AA-46FC-B401-812BB9AD1725 | 23
................
 

This is now most of the way there. And unfortunately this is where it gets messy. What we have to do now is merge all the ordered policy entries for each computer into a single string. Each row should have two columns, one for the computer and the other for the policies stuffed into an ordered string.

T-SQL has an excellent command for stuffing strings into strings, and it's called STUFF. On SQL Server 2005 and later, you can use STUFF in conjunction with FOR XML to concatenate strings. Taking the SQL table above as OrderedPolicies, the SQL for our nicely stuffed output is,

SELECT Upper(vc2.name) AS 'Computer',
       Stuff((SELECT Cast(',' AS VARCHAR(max)) + OrderedPolicies.policy
              FROM   (SELECT ..... ......) OrderedPolicies
              WHERE  OrderedPolicies.computerguid = vc2.guid
              FOR xml path('')), 1, 1, '') AS [Policies Applied]
FROM   vcomputer vc2

 

where I've made the SQL look a bit cleaner by not duplicating the SQL for the OrderedPolicies table. The output is now pretty much exactly as I'd like it.

Computer      Policy
ALTIRIS-FS    Basic Server Monitoring (Disk and CPU),File Server
ALTIRIS-DS6A  Basic Server Monitoring (Disk and CPU),Altiris Deployment 6.x Servers: PXE Services,Altiris Deployment 6.x Servers : Express Services
ALTIRIS-DS6B  Basic Server Monitoring (Disk and CPU),Altiris Deployment 6.x Servers: DBManager Activity,Altiris Deployment 6.x Servers: AxEngine Activity,Altiris Deployment 6.x Servers: PXE Manager
......
 

This is ready to be pasted into Word as a table, have a table style applied, and then a search/replace performed to replace each comma with a line break,
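The STUFF/FOR XML PATH('') idiom has one pitfall worth knowing before the output goes into a document: FOR XML entity-encodes '&', '<' and '>' in the concatenated values, so a policy named "Backup & Restore" comes back as "Backup &amp; Restore". The following is an added example, not code from the article, run against a constructed table variable that stands in for the OrderedPolicies result (the sample rows and the '&' policy name are made up; it assumes SQL Server 2008 or later for the multi-row VALUES syntax). It shows the naive form next to the corrected one, which adds TYPE and reads the result back with .value():

```sql
-- Added example (not from the original article): STUFF + FOR XML PATH
-- concatenation on a constructed table variable that stands in for the
-- OrderedPolicies result (one row per computer/policy pair, plus the
-- estate-wide count used for dominance ordering).
DECLARE @OrderedPolicies TABLE (
    Computer     nvarchar(64),
    ComputerGuid uniqueidentifier,
    Policy       nvarchar(256),
    PolicyCount  int
);

-- Constructed sample rows. The '&' in the last policy name is deliberate:
-- it triggers the entity-encoding pitfall shown below.
INSERT INTO @OrderedPolicies (Computer, ComputerGuid, Policy, PolicyCount) VALUES
    ('ALTIRIS-FS',   '00000000-0000-0000-0000-000000000001', 'Basic Server Monitoring (Disk and CPU)',      23),
    ('ALTIRIS-FS',   '00000000-0000-0000-0000-000000000001', 'File Servers (Agent-based)',                   2),
    ('ALTIRIS-DS6A', '00000000-0000-0000-0000-000000000002', 'Basic Server Monitoring (Disk and CPU)',      23),
    ('ALTIRIS-DS6A', '00000000-0000-0000-0000-000000000002', 'Altiris Deployment 6.x Servers: PXE Services', 3),
    ('ALTIRIS-DS6A', '00000000-0000-0000-0000-000000000002', 'Backup & Restore Checks',                      1);

-- Naive form: FOR XML PATH('') entity-encodes '&', '<' and '>', so
-- 'Backup & Restore Checks' is returned as 'Backup &amp; Restore Checks'.
SELECT c.Computer,
       Stuff((SELECT ',' + p.Policy
              FROM   @OrderedPolicies p
              WHERE  p.ComputerGuid = c.ComputerGuid
              ORDER  BY p.PolicyCount DESC, p.Policy
              FOR xml path('')), 1, 1, '') AS [Policies Applied (encoded)]
FROM   (SELECT DISTINCT Computer, ComputerGuid FROM @OrderedPolicies) c
ORDER  BY c.Computer;

-- Corrected form: add TYPE and read the XML back with .value(), which
-- decodes the entities. The ORDER BY sits inside the FOR XML subquery,
-- the one place where it reliably controls the concatenation order.
SELECT c.Computer,
       Stuff((SELECT ',' + p.Policy
              FROM   @OrderedPolicies p
              WHERE  p.ComputerGuid = c.ComputerGuid
              ORDER  BY p.PolicyCount DESC, p.Policy
              FOR xml path(''), TYPE).value('.', 'nvarchar(max)'), 1, 1, '')
           AS [Policies Applied]
FROM   (SELECT DISTINCT Computer, ComputerGuid FROM @OrderedPolicies) c
ORDER  BY c.Computer;
```

The corrected form also places the ORDER BY inside the FOR XML subquery. SQL Server only guarantees that an ORDER BY in a TOP n derived table decides which rows are returned, not the order in which an outer FOR XML consumes them, so sorting the concatenation there (rather than relying on the ORDER BY of the OrderedPolicies derived table) is the robust way to keep each computer's policies sorted by dominance.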

[Screenshot: Mon_Rep1.png]

 

3. The Final SQL

For those who have made it here, here is the final SQL code I use to create my computer policy distribution tables. You'll notice the SQL code below replaces the comma with the text "NL". This is simply so I can perform the search/replace in a larger document without worrying about line breaks being pushed in erroneously. You can change this to whatever suits you.

SELECT computer,
       Replace([policies applied], ',', '"NL"') AS [Policies Applied]
FROM   (SELECT Upper(vc2.name) AS 'Computer',
               Stuff((SELECT Cast(',' AS VARCHAR(max)) + OrderedPolicies.policy
                      FROM   (SELECT TOP 5000 vc.name          AS 'Computer',
                                              vc.guid          AS 'ComputerGuid',
                                              PolicyCount.name AS 'Policy',
                                              PolicyCount.guid AS 'Policy Guid',
                                              PolicyCount.count
                              FROM   vcomputer vc
                                     JOIN vpolicyappliestoresource
                                       ON vc.guid = vpolicyappliestoresource.resourceguid
                                     JOIN (SELECT vnonresourceitem.name,
                                                  vnonresourceitem.guid,
                                                  Count(*) AS 'Count'
                                           FROM   vpolicyappliestoresource
                                                  JOIN vcomputer vc
                                                    ON vpolicyappliestoresource.resourceguid = vc.guid
                                                  JOIN vnonresourceitem
                                                    ON vnonresourceitem.guid = vpolicyappliestoresource.policyguid
                                           WHERE  ( classguid = '0821A65B-5338-464C-824D-9F7CEC48EA56'
                                                     OR classguid = 'F4767927-21AF-4875-B1B0-400852689DB1' )
                                                  AND enabled = 1
                                           GROUP  BY vnonresourceitem.guid,
                                                     vnonresourceitem.name) PolicyCount
                                       ON vpolicyappliestoresource.policyguid = PolicyCount.guid
                              ORDER  BY vc.name ASC,
                                        PolicyCount.count DESC,
                                        PolicyCount.name) OrderedPolicies
                      WHERE  OrderedPolicies.computerguid = vc2.guid
                      FOR xml path('')), 1, 1, '') AS [Policies Applied]
        FROM   vcomputer vc2) FormattedComputerPoliciesTbl
ORDER  BY computer ASC

 

And with that it's time to end this article. It's been a lot of SQL, but ultimately you don't need to understand it. Just take a minute to,

  1. Paste the code above into SQL Server management studio
  2. Run it
  3. Copy the table formatted output into Microsoft Word
  4. Search and Replace, changing the "NL" string to a manual linebreak
  5. Format your table with your favourite style

The next article in this series will cover the SQL for documenting how your active Monitor policies are built.

Ian./

 

 

How to Prevent Custom Inventories from Being Processed as Basic Inventory


Problem description:

As I discovered for one of my customers yesterday [1] everything is not always as it seems in the SMP database. Especially when it comes to processed events.

Now I have checked the documentation and experimented on a couple of my test SMPs to challenge the status quo and make sure Custom Inventory events are handled and registered as Custom Inventory events, not as Basic Inventory.

Finding a Solution:

The solution, as you will see, is rather simple. Given that the "Basic Inventory Capture Item" entry handles basic inventory, custom inventory and even Compliance inventory events, the class registered for this guid is capable of handling multiple, indeed any, types of NSE. So to have a custom entry doing the same, we only need to clone the item.

Cloning the item itself is difficult, given it is hidden and read-only. However we can export it, modify it to suit our needs and import it back. Then of course, we need to amend all custom inventory tasks to use the new guid.

Here is the modified item xml. The bold-italic highlighting of the edits did not survive; the changed values are the new item guid and the item's "Custom Inventory" name, alias and description. Note that ownerNSGuid, originNS and sourceNS below carry the values of the author's test SMP (SMP-001.15-cloud.ads); an item exported from your own server with importexportutil carries your own values.

<?xml version="1.0" encoding="utf-8" ?>
<item guid="{EB16AFB6-C0AB-434C-9AFA-72B468227BE8}" classGuid="{7c32a539-d757-45f1-acad-6bf9578d7cf5}">
  <!--  Type: Altiris.NS.StandardItems.Messaging.InventoryCaptureItem  -->
  <!--  Assembly: Altiris.NS.StandardItems, Version=7.1.8400.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f  -->
  <name>Custom Inventory Capture Item</name>
  <alias>custominventory</alias>
  <ownerNSGuid>{ef47834a-4200-4742-a82c-631f8c78df70}</ownerNSGuid>
  <productGuid>{d0e33520-c160-11d2-8612-00104b74a9df}</productGuid>
  <itemAttributes>Hidden, Readonly</itemAttributes>
  <itemLocalizations>
    <culture name="">
      <description>Custom Inventory Capture Item</description>
      <name>Custom Inventory Capture Item</name>
    </culture>
  </itemLocalizations>
  <originNS guid="{ef47834a-4200-4742-a82c-631f8c78df70}" name="SMP-001.15-cloud.ads" url="http://SMP-001.15-cloud.ads/Altiris/NS/" />
  <licenseCheckRequired>false</licenseCheckRequired>
  <parentFolderGuid>3b298f2d-3a83-4979-b58d-e819a2e41d51</parentFolderGuid>
  <sourceNS guid="{ef47834a-4200-4742-a82c-631f8c78df70}" name="SMP-001.15-cloud.ads" url="http://SMP-001.15-cloud.ads/Altiris/NS/" />
  <security owner="@APPLICATION_ID" inherit="True">
    <aces>
      <ace type="reserved" name="@APPLICATION_ID">
        <permissionGrants>
          <permissionGrant guid="{eca6254f-5017-4730-9b3f-5add230829b7}" name="Delete" />
          <permissionGrant guid="{983a2d22-7a82-4db0-a707-52c7d6b1441e}" name="Read" />
          <permissionGrant guid="{ac296df1-eb40-4592-899f-25d5c07d45f6}" name="Write" />
          <permissionGrant guid="{819dae1e-b1a5-4643-81a1-26ef95feb8a8}" name="Change Permissions" />
          <permissionGrant guid="{726b1c09-7108-450d-ae24-5f8e93135ed6}" name="Clone" />
          <permissionGrant guid="{4ddc04c3-f0a5-4e88-84aa-c44c8c5ebcc4}" name="Read Permissions" />
        </permissionGrants>
      </ace>
    </aces>
  </security>
</item>

Implementation

Import the xml:

Copy the xml above, save the attached file or export the basic inventory capture item using the "Importexportutil.exe" and then open a command line prompt with your Altiris Administrator account.

Then enter '"<path_to_ns_directory>\bin\tools\importexportutil" /import /q <path_to_xml>' and press return. In my test SMP the command looked like this:

"c:\program files\altiris\notification server\bin\tools\importexportutil.exe" /import /q c:\custom_inventory.xml

The utility should report that the import was successful, unless you have problems with the file path or the xml (which can happen if you are using Notepad, for example).

Modify the Custom Inventories:

Depending on how your custom inventories are implemented, you will have to go back to the tasks or vbscript files and modify the following line:

nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"

with

nse.To = "{EB16AFB6-C0AB-434C-9AFA-72B468227BE8}"

if you are using the xml above or attached.

Monitor incoming Custom Inventories:

With the changes in place (or with just one custom inventory changed to validate the process works fine in your environment) you can then check incoming custom inventory messages with the following SQL:

select *
  from Evt_NS_Event_History
 where ItemGuid = 'EB16AFB6-C0AB-434C-9AFA-72B468227BE8'
 order by _eventTime desc

Conclusion:

With the changes in place you will be able to monitor the load caused on your server from Basic Inventory and Custom Inventory separately. You could even extend the content of this article to create an inventory message handler per custom inventory if you are generating a lot of data (and need to fine tune the data gathering process and event sent).
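To make that separate view of the load concrete, here is an added example (not the article's own query) that buckets the events of both capture items by hour over the last day. It relies only on the two Evt_NS_Event_History columns the article itself uses, ItemGuid and _eventTime, and on the two capture item guids above; the one-day window and hourly bucket are assumptions you can adjust.

```sql
-- Added example (not from the original article): hourly event volume for
-- the Basic Inventory capture item versus the cloned Custom Inventory
-- capture item, so the two loads can be watched side by side.
-- Assumes only the columns the article uses: ItemGuid and _eventTime.
SELECT CASE ItemGuid
         WHEN '1592B913-72F3-4C36-91D2-D4EDA21D2F96' THEN 'Basic Inventory'
         WHEN 'EB16AFB6-C0AB-434C-9AFA-72B468227BE8' THEN 'Custom Inventory'
       END                                             AS CaptureItem,
       -- truncate the event time to the hour
       DATEADD(hour, DATEDIFF(hour, 0, _eventTime), 0) AS HourBucket,
       COUNT(*)                                        AS Events
FROM   Evt_NS_Event_History
WHERE  ItemGuid IN ('1592B913-72F3-4C36-91D2-D4EDA21D2F96',   -- Basic Inventory Capture Item
                    'EB16AFB6-C0AB-434C-9AFA-72B468227BE8')   -- Custom Inventory Capture Item (cloned above)
       AND _eventTime >= DATEADD(day, -1, GETDATE())          -- assumed window: last 24 hours
GROUP  BY ItemGuid,
          DATEADD(hour, DATEDIFF(hour, 0, _eventTime), 0)
ORDER  BY HourBucket DESC,
          CaptureItem
```

Until every custom inventory task has been switched to the new guid, custom inventory events still arrive under the Basic Inventory guid, so a Custom Inventory row count that stays low while tasks are known to run is the sign that some scripts still carry the old nse.To value.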

[1]When is a Basic Inventory not a Basic Inventory?

Bay Dynamics' Risk Fabric™ Integration with Symantec DeepSight DataFeeds


Bay Dynamics' Risk Fabric pulls data threads from multiple Security and IT Operations sources and weaves them together to provide federated insight that represents the true risk posture of an organization. The solution provides organizations with context-aware information risk intelligence to enable them to confront and correct security risks. This document highlights use cases that show both the analytical and integration capabilities of Risk Fabric, where an organization leverages Symantec DeepSight DataFeeds (i.e. Security Risk DataFeed, IP Reputation DataFeed, Domain and URL Reputation DataFeed) to proactively protect their environment, along with systems management tools such as Microsoft System Center Configuration Manager (SCCM).  

SEP LiveUpdate Engine (LUE) vs. Windows LiveUpdate (WLU) - Terminology, Differences, Characteristics


Welcome to the LiveUpdate Engine (LUE) vs. Windows LiveUpdate (WLU) discussion. In this article I will take a closer look at the LiveUpdate used by SEP/SEPM 11.x, which is based on WLU (Windows LiveUpdate), and compare it with the new LiveUpdate Engine (LUE) introduced with SEP 12.1. We will look at the differences between the two as well as their general characteristics, including the different LU versions, file locations, logs, types of downloads, monikers, etc. I will also provide some hopefully useful tips and reference links at the end. Please feel free to comment and discuss.

 

Differences

Windows LiveUpdate (WLU)
- component used by both SEP 11.x clients and SEPM 11.x
- in version 12.1 used only by SEPM
- LiveUpdate settings on SEP clients can be managed from the Symantec LiveUpdate applet in Control Panel
- the LiveUpdate component (WLU) can be removed or reinstalled from "Add/Remove Programs" in Control Panel, both on the SEP client and on the SEPM server
- the main log file for LiveUpdate activity is the same on both SEP client and SEPM: Log.LiveUpdate

[Screenshots: Symantec LiveUpdate settings in Control Panel]

 

LiveUpdate Engine (LUE)
- LiveUpdate component integrated directly into SEP 12.1 clients; it replaces the traditional Windows LiveUpdate (WLU) previously used on SEP 11.x clients
- LiveUpdate Engine is used only by SEP 12.1 clients; SEPM servers, whatever their version, still use WLU
- LiveUpdate settings for SEP clients are managed directly from SEPM; there is no Symantec LiveUpdate applet in Control Panel
- LiveUpdate Engine is integrated with the SEP client and therefore cannot be removed or uninstalled
- Log.LiveUpdate is still present on the SEPM server as before; SEP clients log LU activity to Log.Lue, with a restriction: downloads from a GUP or from SEPM are not logged there at all, the log covers only downloads from LiveUpdate servers (either a LUA or Symantec's Internet servers)

 

 File locations

The given locations are default - if SEP/SEPM was installed to a custom path the below locations may be different.

 

1. Installation paths (only for WLU) - applying for all Operating Systems

32-bit: C:\Program Files\Symantec\LiveUpdate
64-bit: C:\Program Files (x86)\Symantec\LiveUpdate

 

2. Configuration files (applying only for WLU)

On Windows 2000, XP and 2003:
  C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
  C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
On Windows Vista, 7 and 2008 or newer:
  C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
  C:\ProgramData\Symantec\LiveUpdate\Settings.LiveUpdate

 

3. Executables

WLU (any OS)
32-bit: C:\Program Files\Symantec\LiveUpdate\LUALL.exe
64-bit: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe

 

 LUE
32-bit: C:\Program Files\Symantec\Symantec Endpoint Protection\[Version Number]\Bin\SepLiveUpdate.exe
64-bit: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\[Version Number]\Bin\SepLiveUpdate.exe

 

4. Log files

WLU - both client and server logs will be shared
On Windows 2000, XP and 2003:          C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\LiveUpdate\Log.Liveupdate

 

LUE - only client logs
On Windows 2000, XP and 2003:          C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue

 

5. Liveupdate Downloads

WLU
On Windows 2000, XP and 2003:          C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\LiveUpdate\Downloads\

 

LUE (existing only if SEP is downloading from Liveupdate Servers)
On Windows 2000, XP and 2003:          C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads

 

6. SEP client definition locations

SEP 11.x (WLU)
On Windows 2000, XP and 2003:          C:\Documents and Settings\All Users\Application Data\Symantec\VirusDefs
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Definitions\VirusDefs

 

SEP 12.1 (LUE)
On Windows 2000, XP and 2003:          C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions

Definitions folder on SEP 12.1 will contain several types of definition updates installed on the SEP Client - those are located in following subfolders:

  • BASHDefs - Behavior And Security Heuristics
  • ccSubSDK_SCD_Defs - Submission Control Data
  • EfaVTDefs - Extended File Attributes and Signatures
  • HIDefs - Host Integrity
  • IPSDefs - IPS Signatures
  • IronRevocationDefs - Iron Revocation List
  • IronSettingsDefs - Iron Settings
  • IronWhitelistDefs - Iron Whitelist
  • SRTSPSettingsDefs - SRTSP Settings
  • VirusDefs - Virus Definitions

 

NOTE: The number of definition revisions stored on the SEP client differs between 11.x and 12.1. SEP 11.x stores by default the 3 latest revisions of each definition type; SEP 12.1 stores only the latest revision.

 

7. SEPM Liveupdate definitions locations (WLU)

32-bit: C:\Program Files\Common Files\Symantec Shared\SymcData
64-bit: C:\Program Files (x86)\Common Files\Symantec Shared\SymcData

...folder will contain following definition subfolders:

  • sepm121RU2ApPrtlLst - AP Portal List
  • sesmIPSdef32 - IPS Signatures Win32
  • sesmIPSdef64 - IPS Signatures Win64
  • spcBASH - Behavior And Security Heuristics
  • spcCIDSdef - CIDS Signatures
  • spcEfaVT - Extended File Attributes and Signatures
  • spcIronRl - Iron Revocation List
  • spcIronS - Iron Settings
  • spcIronWl - Iron Whitelist
  • spcScd - Submission Control Data
  • spcVirDef32 - Virus Definitions Win32
  • spcVirDef64 - Virus Definitions Win64

 

Other Liveupdate elements and considerations

 

1. Content Definitions available on SEPM for client downloads

The definitions files are stored in following location (depending on the 32/64 bit architecture):

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content

The latest definition revisions stored here will be shown as well in the SEPM Java console in "Admin-> Servers-> Local Site-> Show LiveUpdate Downloads".

 

[Screenshot: LU_Downloads.png, the Show LiveUpdate Downloads dialog]

 

The content folder will include several (20-22) subfolders named according to the content definition monikers - this may differ from SEPM to SEPM. The translations of the monikers to content names applying to your SEPM can be found in the following file:

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt
or
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt

 

Examples of monikers for both SEP 12.1 and 11.x:

Symantec Endpoint Protection 12.1:
{535CB6A4-441F-4e8a-A897-804CD859100E}: SEPC Virus Definitions Win32 v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{07B590B3-9282-482f-BBAA-6D515D385869}: SEPC Virus Definitions Win64 (x64) v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{50B092DE-40D5-4724-971B-D3D90E9EE987}: SEPC SRTSP Settings - 12.1 RU2 - SymAllLanguages
{ECCC5006-EF61-4c99-829A-417B6C6AD963}: Decomposer - 1.0.0 - SymAllLanguages
{C13726A9-8DF7-4583-9B39-105B7EBD55E2}: SEP PTS Engine Win32 - 6.1.0 - SymAllLanguages
{DB206823-FFD2-440a-9B89-CCFD45F3F1CD}: SEP PTS Engine Win64 - 6.1.0 - SymAllLanguages
{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}: SEP PTS Content - 6.1.0 - SymAllLanguages
{D6AEBC07-D833-485f-9723-6C908D37F806}: SEPC Behavior And Security Heuristics v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{C25CEA47-63E5-447b-8D95-C79CAE13FF79}: Symantec Known Application System - 1.5.0 - SymAllLanguages
{812CD25E-1049-4086-9DDD-A4FAE649FBDF}: Symantec Security Content A1 - MicroDefsB.CurDefs - SymAllLanguages
{E1A6B4FF-6873-4200-B6F6-04C13BF38CF3}: Symantec Security Content A1-64 - MicroDefsB.CurDefs - SymAllLanguages
{E5A3EBEE-D580-421e-86DF-54C0B3739522}: Symantec Security Content B1 - MicroDefsB.CurDefs - SymAllLanguages
{CC40C428-1830-44ef-B8B2-920A0B761793}: Symantec Security Content B1-64 - MicroDefsB.CurDefs - SymAllLanguages
{D3769926-05B7-4ad1-9DCF-23051EEE78E3}: SESC IPS Signatures Win32 - 11.0 - SymAllLanguages
{42B17E5E-4E9D-4157-88CB-966FB4985928}: SESC IPS Signatures Win64 - 11.0 - SymAllLanguages
{55DE35DC-862A-44c9-8A2B-3EF451665D0A}: SEPC CIDS Signatures v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{4F889C4A-784D-40de-8539-6A29BAA43139}: SESC Submission Control Data - 11.0 - SymAllLanguages
{B6DC6C8F-46FA-40c7-A806-B669BE1D2D19}: SEPC Submission Control Data - 12.1 - SymAllLanguages
{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}: SEPC Extended File Attributes and Signatures 12.1 RU2 - MicroDefsB.CurDefs - SymAllLanguages
{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}: SEPC Iron Whitelist v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{810D5A61-809F-49c2-BD75-177F0647D2BA}: SEPC Iron Revocation List v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{263395A0-D3D8-4be4-80B5-202C94EF4AA0}: SEPC Iron Settings v12.1 - MicroDefsB.CurDefs - SymAllLanguages

 

Symantec Endpoint Protection 11.x:
{C60DC234-65F9-4674-94AE-62158EFCA433}: SESC Virus Definitions Win32 v11 - MicroDefsB.CurDefs - SymAllLanguages
{1CD85198-26C6-4bac-8C72-5D34B025DE35}: SESC Virus Definitions Win64 (x64) v11 - MicroDefsB.CurDefs - SymAllLanguages
{ECCC5006-EF61-4c99-829A-417B6C6AD963}: Decomposer - 1.0.0 - SymAllLanguages
{C13726A9-8DF7-4583-9B39-105B7EBD55E2}: SEP PTS Engine Win32 - 6.1.0 - SymAllLanguages
{DB206823-FFD2-440a-9B89-CCFD45F3F1CD}: SEP PTS Engine Win64 - 6.1.0 - SymAllLanguages
{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}: SEP PTS Content - 6.1.0 - SymAllLanguages
{C25CEA47-63E5-447b-8D95-C79CAE13FF79}: Symantec Known Application System - 1.5.0 - SymAllLanguages
{812CD25E-1049-4086-9DDD-A4FAE649FBDF}: Symantec Security Content A1 - MicroDefsB.CurDefs - SymAllLanguages
{E1A6B4FF-6873-4200-B6F6-04C13BF38CF3}: Symantec Security Content A1-64 - MicroDefsB.CurDefs - SymAllLanguages
{E5A3EBEE-D580-421e-86DF-54C0B3739522}: Symantec Security Content B1 - MicroDefsB.CurDefs - SymAllLanguages
{CC40C428-1830-44ef-B8B2-920A0B761793}: Symantec Security Content B1-64 - MicroDefsB.CurDefs - SymAllLanguages
{D3769926-05B7-4ad1-9DCF-23051EEE78E3}: SESC IPS Signatures Win32 - 11.0 - SymAllLanguages
{42B17E5E-4E9D-4157-88CB-966FB4985928}: SESC IPS Signatures Win64 - 11.0 - SymAllLanguages
{4F889C4A-784D-40de-8539-6A29BAA43139}: SESC Submission Control Data - 11.0 - SymAllLanguages

 

NOTE: If your SEPM manages both SEP 11.x and 12.1/12.1 RU2 clients, it downloads content for both versions; the number of moniker subfolders in the ...\content folder will be greater and will include monikers from both lists above.

 

2. LiveUpdate versions

When speaking about LiveUpdate component versions we refer only to WLU. A specific SEP or SEPM version has a specific LU version; the two are designed to work together, which becomes very important when the LU component needs to be reinstalled on a machine. Installing an LU version that does not correspond to your SEP or SEPM version can cause many unexpected problems. Below is the list of all recent SEP 12.1 and 11.x releases with their corresponding LiveUpdate versions:

SEP 12.1 RU2 (MP1) and RU3:  LU 3.3.100.15
SEP 12.1 RU1 MP1:            LU 3.3.2.2
SEP 12.1 and 12.1 RU1:       LU 3.3.1.23
SEP 11.0 RU7 MP2 / MP3:      LU 3.3.0.115
SEP 11.0 RU7 MP1:            LU 3.3.0.107
SEP 11.0 RU6 MP3:            LU 3.3.0.101

 

[Screenshot: CP.png]

 

NOTE: Be aware that when browsing online resources you may come across a newer LiveUpdate version, 3.5. This version is only for Norton Home & Home Office products and is not intended for use with Symantec enterprise products such as Symantec Endpoint Protection or Symantec AntiVirus!

 

3. LU Session initiation from GUI on SEP Clients

Whether we are dealing with a SEP 11.x or a 12.1 client, starting an LU session from the SEP GUI is exactly the same: we click the "LiveUpdate" button in the SEP client GUI to run the session. Depending on the settings coming from SEPM, there are a few things to consider here:

  • LiveUpdate button greyed out -> LiveUpdate sessions are strictly managed from SEPM and the SEP client user is not allowed to start a session locally. In this case the session normally starts according to schedule (if the client downloads updates from a LiveUpdate server) or on the heartbeat from SEPM when new definitions are available.
  • LiveUpdate button available but no window pops up when clicked -> the user is allowed to initiate the LU session, but the source of the updates is either SEPM or a GUP, in which case the LU session runs in silent mode. The recommended way for the user to check that the session has started is to open the SEP System log and look for the entries indicating it.
  • LiveUpdate button available and a window pops up when clicked, showing the LU Express session -> the user is allowed to initiate the LU session and the source of the updates is a LiveUpdate server. The user sees the session progress in the pop-up window and is informed about session completion or failure; additionally the user can check the corresponding logs for the session result.

 

[Screenshot: LU_11.png]

 

4. LU Session initiation from command prompt on SEP Clients

This method can be combined with execution through scripts or Task Manager if required; both WLU and LUE have a specific executable for starting an LU session: Luall.exe for WLU and SepLiveUpdate.exe for LUE. The locations of these executables are listed under "File locations" in this article. It is important to note that executing luall.exe gives either an express-mode session or an interactive-mode session, depending on the Symantec LiveUpdate applet setting in Control Panel, whereas executing SepLiveUpdate.exe by default results in a silent session without any user interaction.


5. LU Session initiation on SEPM

For SEPM Server we can start the LU Session either directly from SEPM console (Admin -> Servers -> Local Site -> Download Liveupdate Content) or by executing the LUALL.exe in the same manner as on the SEP Client (described above).


6. LU reinstallation

As already indicated, only WLU can be reinstalled, as LUE is integrated within the client itself. The recommended steps for reinstallation of the LU component on either a SEP client (11.x) or a SEPM Server are:

1. Remove LiveUpdate from "Add/Remove Programs"
2. Reboot the machine
3. In Windows Explorer, delete the following folders if they are present, without saving their existing content (which ones exist depends on the LU version and OS):
- C:\ProgramData\Symantec\LiveUpdate
- C:\ProgramData\Application Data\Symantec\LiveUpdate
- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate
- C:\Program Files (x86)\Symantec\LiveUpdate (64-bit)
4. Install LU using lusetup.exe (execute with local admin rights - the built-in Administrator account; take into consideration the appropriate LU version for your SEP/SEPM)
5. Re-register the LU component with the SEP client or SEPM
* [SEPM] -> in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin:
- Type lucatalog -cleanup and press Enter.
- Type lucatalog -forcedupdate and press Enter (SEPM 12.1)
* [SEP Client] -> run a repair of the SEP client from "Add/Remove Programs"
6. In C:\Program Files (x86)\Symantec\LiveUpdate start luall.exe (execute with local admin rights)
7. Let the LiveUpdate express session run to the end and check whether any errors occur
8. [SEPM ONLY] If the session was successful, check the path "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content" to see whether any content was downloaded under the respective moniker folders


NOTE: An important thing to notice is that the commands for re-registering the LU component with SEPM differ by SEPM version:
* for SEPM 11.x the commands are: "lucatalog -cleanup" and "lucatalog -update"
* for SEPM 12.1 the commands are: "lucatalog -cleanup" and "lucatalog -forcedupdate"
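The following PowerShell script is an added example, not code from the original article or from Symantec. It automates steps 5 to 8 of the reinstallation procedure above on a SEPM server, picking the version-specific lucatalog switch from the NOTE, starting the LU session from the command line as described in section 4 (luall.exe), and then listing which moniker folders under Inetpub\content received content. It assumes the default install paths as listed in the article, that lucatalog is lucatalog.exe in the SEPM bin folder, an elevated prompt with local admin rights, and the $SepmVersion parameter is my own addition.

```powershell
# Added example (not the article's or Symantec's own code): steps 5-8 of the WLU
# reinstallation on a SEPM server, plus the command-line session start from section 4.
# Assumptions: default paths as listed in the article, lucatalog.exe in the SEPM bin
# folder, and an elevated prompt. $SepmVersion is a parameter introduced here.
param(
    # Selects the second lucatalog switch: 11.x uses -update, 12.1 uses -forcedupdate
    [ValidateSet('11.x', '12.1')]
    [string]$SepmVersion = '12.1'
)

$sepmBin    = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin'
$luDir      = 'C:\Program Files (x86)\Symantec\LiveUpdate'
$contentDir = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content'

# Step 5: re-register the LU component with SEPM using the version-specific switch.
$updateSwitch = if ($SepmVersion -eq '11.x') { '-update' } else { '-forcedupdate' }

Push-Location $sepmBin
try {
    & .\lucatalog.exe -cleanup
    if ($LASTEXITCODE -ne 0) { throw "lucatalog -cleanup failed with exit code $LASTEXITCODE" }
    & .\lucatalog.exe $updateSwitch
    if ($LASTEXITCODE -ne 0) { throw "lucatalog $updateSwitch failed with exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

# Steps 6-7: start the LU session from the command line and wait for it to finish.
# luall.exe runs in express or interactive mode depending on the Liveupdate applet
# setting in Control Panel; -Wait keeps us from checking the content folder too early.
$lu = Start-Process -FilePath (Join-Path $luDir 'luall.exe') -Wait -PassThru
Write-Host "luall.exe finished with exit code $($lu.ExitCode)"

# Step 8: report which moniker folders under Inetpub\content received content.
$monikers = Get-ChildItem -Path $contentDir -Directory -ErrorAction SilentlyContinue
if (-not $monikers) {
    Write-Warning "No moniker folders found under $contentDir; check Log.LiveUpdate for errors."
}
else {
    foreach ($m in $monikers) {
        $files = @(Get-ChildItem -Path $m.FullName -Recurse -File -ErrorAction SilentlyContinue)
        '{0,-45} {1,6} file(s)' -f $m.Name, $files.Count
    }
}
```

Run it as `.\Reregister-LU.ps1 -SepmVersion 11.x` on a SEPM 11.x server or with the default on 12.1; the lucatalog exit-code checks stop the script before luall.exe runs if re-registration failed, which is the point at which the article's step 7 would otherwise show errors.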


7. Liveupdate policy for SEP client

Policy used to specify the source of the definition updates for SEP clients as well as the update schedule. Possible update sources are:

• Management Server (SEPM)
• Group Update Provider (GUP)
• Symantec Internet Liveupdate Server
• Internal Liveupdate Server (LUA)
• Third Party Management (TPM) - in most cases manual update through Intelligent Updater or .jdb file

[Screenshot: LU_policy.png]

NOTE: The schedule for LU downloads as seen in the LU policy (see screenshot) applies only to updates from either Symantec Internet Liveupdate Servers or an Internal Liveupdate Server (LUA). Even if set, the schedule is not honored for updates downloaded from SEPM/GUP. For those downloads there is currently no possibility to set up a schedule, as they are initiated according to the client heartbeat (pull mode) or as soon as the definitions are available (push mode).

[Screenshot: LU_schedule.png]

Reference for configuration of Liveupdate policy for SEP clients:
Configure liveupdate to run on client computers - Part 1
https://www-secure.symantec.com/connect/articles/configure-liveupdate-run-client-updates-when-client-computers-are-idle


8. Liveupdate settings for SEPM Server

Settings used to configure the definitions download source for the SEPM Server. Possibilities include either the Symantec Internet Liveupdate Server or an Internal Liveupdate Server (LUA). Liveupdate settings for SEPM can be configured in "Admin -> Servers -> Local Site -> Edit Properties -> Liveupdate".

[Screenshot: LU_SEPM.png]

NOTE: There is no direct possibility to configure LU on SEPM to download updates from another SEPM. Such functionality is only possible outside of the LU scope, where two or more SEPM Servers are set up in a Failover or Replication configuration.


Reference for configuration of Liveupdate settings for SEPM Server:
Configure liveupdate to run on Symantec Endpoint Protection Manager (SEPM) - Part 2
https://www-secure.symantec.com/connect/articles/configure-liveupdate-run-symantec-endpoint-protection-manager-sepm-part-2


Further links and references

Windows LiveUpdate Client for Use with Symantec Endpoint Protection Manager 12.1
http://www.symantec.com/docs/TECH181305 
About LiveUpdate in Symantec Endpoint Protection version 12.1
https://www-secure.symantec.com/connect/articles/a...
How to Uninstall and Reinstall LiveUpdate on SEPM 12.1 (Enterprise Edition or Small Business Edition)
http://www.symantec.com/docs/TECH171060
How to Uninstall and Reinstall LiveUpdate When a Symantec Endpoint Protection Manager or Symantec Endpoint Protection Client is Installed (SEP 11.x)
http://www.symantec.com/docs/TECH102609
The Log.LiveUpdate file is missing or out of date on a Symantec Endpoint Protection 12.1 client
http://www.symantec.com/docs/TECH168602
How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH102467
