Tactical Advice

Step Up to SEP

When migrating from Symantec AntiVirus to Symantec Endpoint Protection, you need to learn a few new deployment tricks.
This story appears in the December 2007 issue of BizTech Magazine.

Symantec Endpoint Protection 11.0 is a single product that represents the culmination of Symantec’s recent purchases of Sygate and Whole Security.

SEP replaces a passel of products: AntiVirus Corporate Edition (SAV), Client Security, Confidence Online for Corporate PCs and Symantec Sygate Enterprise Protection. It maintains AntiVirus’ robust virus, Trojan horse and spyware protection. From Client Security comes the client firewall component. SEP also includes client application and system access rules that can restrict user access to applications, folders and running processes.

Symantec also claims that a new heuristics-based antivirus engine will better protect against zero-day attacks. The Management Console offers customization of the firewall and application rules to give group members varying levels of client- and network-access permissions.

SEP is available as a retail package, but Symantec now sells it on a per-seat license basis at a five-to-24-client quantity, which includes one year of basic maintenance. As this is a new product with some rough edges, the first-year maintenance agreement is highly recommended. The Web-based interface and client-package builder are new technologies and seemed a bit touchy during the first installations, both in the lab and in production.

SEP maintains the general management interface familiar to administrators of AntiVirus. Web-based applications now drive the Management Console, in place of the Microsoft Management Console snap-in of SAV.

Preparing for Migration

The first thing that will come as a relief to users of the old Symantec products is that SEP and its legacy counterparts can coexist on the server during and after migration. The migration documentation specifies requirements for running in side-by-side mode, but the most important thing to note is that on the legacy software, you will need to turn off Automatic Scheduled Scans, Central Quarantine and Automatic Live Update.

Although SEP maintains the general tree structure of SAV server and group management, its Web-based interface includes a plethora of new features that make it initially disorienting. SEP Manager requires Internet Information Server (IIS) on the server on which it is installed. It will set the SEP Web site as the default on the computer on which it is installed, although the management interface does run on port 8443. Running other Web services on the SEP Manager server will make installation more complex.

SEP Manager runs a Pervasive SQL database natively but can be configured to use Microsoft SQL Server in large environments. You should choose which database engine to run before migrating because using SQL Server requires a partial reinstallation and restore of the SEP Management Console.

During the first installation and during one production installation, the Migration and Deployment Wizard, which runs at the end of the installation process, hung up during the Creating Client Install Packages step. This forced a clean reinstall and some troubleshooting with the IIS Default Web Site permissions in conjunction with Symantec’s tech support.

Deploying Clients

SEP introduces a client-package creation process. This lets administrators customize the features and settings of the Symantec Endpoint Protection client. (The default-client package will be sufficient for small installations.) You create the client packages from the Management Console’s Admin view. They can be saved to a shared directory and installed from the client PC using administrator privileges.

SEP client installation requires Microsoft Software Installer 3.1. If MSI 3.1 is not present on the client PC, the SEP client installer installs it automatically.

Push deployment can be invoked through the deployment wizard via the Management Console interface. But during my installations, I preferred using the SAV-based clientremote.exe file. To run this program, go to: program files/symantec endpoint protection manager/tomcat/bin and run clientremote.exe. Like its SAV counterpart, the remote installer did not work 100 percent of the time, even on properly configured clients. A visit to the target PC was required for about one in six clients.

Performance Bump

Although SEP has more features, it does not appear to use more system resources than Symantec AntiVirus or Client Security. The running processes on the client are: rtvscan.exe, symcorpui.exe, ccapp.exe and ccsvchost.exe.  On average, these seem to take up about 20 megabytes of system memory when running on a client PC. Startup is noticeably slower than previous versions. But in the production environment, even older Pentium III PCs running Windows 2000 SP4 were able to load the client and operate with no noticeable degradation of performance as compared with previous versions of SAV.
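Because the push installer misses some clients, it is worth confirming which PCs actually ended up protected. The following is an added example, not code from the article or from Symantec: it assumes you have collected `tasklist /FO CSV` output from each client, uses the process names exactly as listed above, and runs on constructed sample output with made-up hostnames.

```python
import csv
import io

# Client processes as named in the article; adjust to the image names your
# clients actually show. Windows image names are case-insensitive.
SEP_PROCESSES = {"rtvscan.exe", "symcorpui.exe", "ccapp.exe", "ccsvchost.exe"}

def audit_host(tasklist_csv):
    """Return (missing SEP processes, SEP memory in KB) for one host."""
    seen, mem_kb = set(), 0
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].lower()
        if name in SEP_PROCESSES:
            seen.add(name)
            # "Mem Usage" looks like "9,840 K" (assumes an en-US locale).
            mem_kb += int(row["Mem Usage"].replace(",", "").rstrip(" K"))
    return sorted(SEP_PROCESSES - seen), mem_kb

def audit_fleet(outputs):
    """Map hostname -> finding for every host that is not fully protected."""
    report = {}
    for host, text in outputs.items():
        missing, _ = audit_host(text)
        if len(missing) == len(SEP_PROCESSES):
            report[host] = "client not installed"
        elif missing:
            report[host] = "partial: missing " + ", ".join(missing)
    return report

HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
# Constructed sample output, keyed by made-up hostnames.
SAMPLE = {
    "PC-ACCT-01": HEADER
    + '"Rtvscan.exe","1432","Services","0","9,840 K"\n'
    + '"SymCorpUI.exe","2208","Console","1","3,112 K"\n'
    + '"ccApp.exe","2310","Console","1","2,540 K"\n'
    + '"ccsvchost.exe","988","Services","0","4,988 K"\n',
    "PC-SHIP-02": HEADER
    + '"explorer.exe","1780","Console","1","14,020 K"\n',
    "PC-LAB-03": HEADER
    + '"rtvscan.exe","1500","Services","0","9,100 K"\n'
    + '"ccapp.exe","2400","Console","1","2,300 K"\n',
}

if __name__ == "__main__":
    for host, finding in audit_fleet(SAMPLE).items():
        print(host, "->", finding)
```

Hosts reported as "client not installed" are the ones that need the visit described above; a "partial" result can simply mean no user is logged on, since the interface processes run in the user session.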

Just FYI: In environments where client PCs access POP mail accounts, you will need to set firewall rules to allow appropriate inbound and outbound POP and Simple Mail Transfer Protocol traffic.

Making the Leap

Symantec Endpoint Protection promises to be a complete and robust client-security solution. The flexibility offered in management and configuration options makes a compelling case for any organization with complex user network- and application-access needs. The pricing model and the currently available upgrade pricing make stepping into SEP from one of the previous Symantec products an attractive bottom-line proposition. And Symantec has done a good job of making the migration to SEP easy with side-by-side compatibility with its older products.

On the downside, installation on the servers is more complex and prone to bugs than in the more polished previous versions. SEP has the feel of a first-generation product, and there are “gotchas” in any first-time installation and configuration. Remote deployment also remains a challenge.

On balance, SEP has a compelling feature set and is a good value proposition. But migrating to it is not simple — even for experienced Symantec product administrators. If your enterprise has the staff and resources to pull off a complex installation process, then stepping up to what appears to be a good SEP client is probably a good idea. It will certainly be an excellent and smooth product once Symantec releases a few patches and point upgrades.

Connor W. Anderson, Microsoft-certified systems engineer, is the senior manager of IT services at Effective Networking in Clinton, Iowa.

About the Author

Connor W. Anderson

Connor is the vice president of Riverfront Technology in Clinton, Iowa. He has been working with computers since 1985, which he figures confers Grizzled Veteran status. Connor has a number of industry certifications and has served as a team leader on many projects for clients as diverse as Fortune 500 companies, universities, government agencies and the shop on the corner. He lives three blocks from the Mississippi River with his wife and three kids. He enjoys fighting the forces of entropy consuming his 90-year-old house and, in the summer, releasing his inner hooligan attending the matches of the Chicago Fire Soccer Club.
