
Are there any features or functions in Symantec AntiVirus 10.x (SAV 10.x) that are not in
Symantec Endpoint Protection?
SAVRoam is not in Symantec Endpoint Protection, because the reasons it existed (that is,
scalability of Symantec AntiVirus servers and inter-site bandwidth) have been addressed in
Symantec Endpoint Protection. Also, other new functionality such as failover, load balancing,
Group Update Providers (GUPs), and auto-location address parts of the original SAVRoam
purpose.

A different communication model replaces the Virus Definition Transport Method (VDTM) in
Symantec Endpoint Protection. This change can affect firewall administrators (who need to
know new communication ports and protocols) and administrators who used tool sets built
around the Virus Definition Transport Method technology (e.g. using Quarantine Server to
provide updates).

Is VMware supported as a platform for Symantec Endpoint Protection?
VMware is a supported platform for Symantec Endpoint Protection, but it is not an optimized
experience. Optimization will come in future releases as the Symantec Endpoint Protection team
works with VMware to provide better integration kits.

Will the LiveUpdate Administrator be updated?
Yes. A new version of LU Admin was released concurrently with Symantec Endpoint Protection.
The new internal LiveUpdate server tool is called LiveUpdate Administrator 2.x (LUA 2.x). For
the latest information, please see Current Versions of LiveUpdate Administrator Tools.

Does Symantec Endpoint Protection support computers with multiple Network Interface
Cards (NIC)?
Yes. You can have multiple NICs on the Symantec Endpoint Protection Manager (SEPM) and
clients.

Will I be able to use the Symantec Endpoint Protection Manager to manage other
Symantec products in the future?
Yes. The ultimate goal is to have the Symantec Endpoint Protection Manager (SEPM) manage
all Symantec Endpoint technologies and products, which includes: Data Leakage Protection
(DLP), Critical System Protection (SCSP), and Symantec AntiVirus for Linux (SAVFL). Refer
to the Symantec Endpoint Security Web Portal for updates to the roadmap.

Note: administration and management of Macintosh clients through the SEPM was
introduced in SEP 11 RU6.  For more information on SEP for Macintosh, please
see Symantec Endpoint Protection for Macintosh Frequently Asked Questions.  Older SAV
for Mac clients cannot be administered through the SEPM.

Will there be a Symantec Security Information Manager (SSIM) collector for Symantec
Endpoint Protection?
Yes. An SSIM collector was released concurrently with Symantec Endpoint Protection.

Does the Group Update Provider replace the secondary management server which was
previously used in Symantec AntiVirus/Symantec Client Security?
The answer depends on how the secondary management server was used in your network. You
must consider the number of clients that need to retrieve content updates. A Group Update
Provider can provide content for over 10,000 clients, assuming some best practices are followed.
For more information, see the following KB article:
http://www.symantec.com/business/support/index?page=content&id=TECH95353&locale=en_US
In practice, you can replace a secondary management server with a Group Update Provider, a
Symantec Endpoint Protection Manager, a Symantec Endpoint Protection Manager and Database
(site), or consolidate it into an existing site.

Can I configure where client log files are copied on the Symantec Endpoint Protection
Server?
Yes. Unlike previous versions of Symantec AntiVirus, you can now configure where client logs
are copied to on the Symantec Endpoint Protection Manager.

Protection Features

Does generic exploit blocking scan for Microsoft vulnerabilities only, or other software as
well?
Generic exploit blocking protects mostly against Microsoft vulnerabilities, but there are other
vulnerability signatures included as well.

Does generic exploit blocking require signature updates?
Yes. Symantec Security Response creates signatures for new vulnerabilities as necessary.

Does Symantec Endpoint Protection provide protection against buffer overflows?
Yes. Symantec Endpoint Protection provides Buffer Overflow protection through its Network
Intrusion Prevention System (IPS).

What does Proactive Threat Protection (PTP) view as good and bad behavior?
Proactive Threat Protection views signed applications as good behavior. Some examples of bad
behavior include several open ports, listening on ports, and unsigned applications.

How often does Proactive Threat Protection scan the computer?
By default, Proactive Threat Protection runs a scan every 15 minutes and whenever a new
process loads. Trojan horses are remediated by default, while keyloggers are only logged.

Does Proactive Threat Scan replace Tamper Protection? Aren't some of their protection
features redundant?
Proactive Threat Scan does not replace Tamper Protection. Instead the two protection features
complement each other. Tamper Protection protects Symantec processes against attack. Proactive
Threat Scan technology protects your computers against unknown vulnerabilities and zero day
attacks.

How has Symantec Endpoint Protection improved scan throttling?
Previously, Symantec AntiVirus lowered the priority of a scan so that the scan would not
interfere with other processes using system resources. This method proved ineffective, because
it was not necessarily the priority of the scan that degraded performance, but rather how many
processes were competing for CPU or I/O. Symantec Endpoint Protection now watches for new
and existing processes that consume CPU time, perform I/O, or use memory. When the Symantec
Endpoint Protection scanner sees these types of events, it sleeps for a short period before it
checks whether system resources have been freed. The overall experience for the end user is that
the scanner does not interfere with their applications and the scan still completes in a timely
manner.
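As an added illustration (not Symantec's code, and not a description of the scanner's internals beyond what the answer above states), the Python below simulates a resource-aware scan loop: between files the scanner consults a load probe and sleeps briefly while other processes are busy, with a bounded number of back-offs so the scan still finishes. The load readings, file contents, threshold and back-off values are constructed for the example.

```python
import hashlib
import time
from typing import Callable, Dict, Iterable


def make_load_probe(readings: Iterable[float]) -> Callable[[], float]:
    """Replay constructed load readings (0.0 = idle, 1.0 = saturated). A real
    probe would sample how much CPU time and I/O other processes are using."""
    it = iter(readings)
    last = [0.0]

    def probe() -> float:
        try:
            last[0] = next(it)
        except StopIteration:
            pass  # once the readings run out, keep reporting the final value
        return last[0]

    return probe


def scan_one(data: bytes) -> str:
    """Stand-in for the per-file scan: return the content hash."""
    return hashlib.sha256(data).hexdigest()


def throttled_scan(files: Dict[str, bytes], load_probe: Callable[[], float],
                   busy_threshold: float = 0.7, backoff_seconds: float = 0.05,
                   max_backoffs: int = 20, sleep=time.sleep) -> Dict[str, object]:
    """Scan every file, but before each one pause while other processes are busy.
    max_backoffs bounds the wait so the scan still completes in reasonable time."""
    digests: Dict[str, str] = {}
    backoffs = 0
    for name, data in files.items():
        waited = 0
        while load_probe() > busy_threshold and waited < max_backoffs:
            sleep(backoff_seconds)   # yield to the busy processes, then re-check
            waited += 1
            backoffs += 1
        digests[name] = scan_one(data)
    return {"scanned": len(digests), "backoffs": backoffs, "digests": digests}


# Constructed sample inputs for the demonstration.
SAMPLE_FILES = {
    "report.docx": b"quarterly numbers",
    "setup.exe": b"MZ\x90\x00not a real binary",
    "notes.txt": b"meeting notes",
}
SAMPLE_LOAD = [0.9, 0.9, 0.2, 0.1, 0.8, 0.3]  # busy, busy, idle, idle, busy, idle


def demo() -> Dict[str, object]:
    """Run the throttled scan against the constructed inputs without real sleeping."""
    return throttled_scan(SAMPLE_FILES, make_load_probe(SAMPLE_LOAD), sleep=lambda _s: None)


if __name__ == "__main__":
    r = demo()
    print(f"scanned {r['scanned']} files after {r['backoffs']} back-offs")
```

With the constructed readings the scanner backs off twice before the first file and once before the third, then scans everything; the `max_backoffs` cap is what keeps a persistently busy machine from stalling the scan indefinitely.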

Can I use wildcards and system variables when creating centralized exceptions?
For Security Risk Exceptions and Tamper Protection Exceptions, you can use predefined system
variables by specifying a prefix variable along with a file or a folder name.
Wildcards are not supported for Security Risk Exceptions and Tamper Protection Exceptions.

Is Rootkit detection and removal part of the Symantec Endpoint Protection Client?
Yes. The Symantec Endpoint Protection Client protects against rootkits. Additional information
is available in Security Response's January 2012 white paper on Rootkits.

Installation

Can I install the Symantec Endpoint Protection client as unmanaged?
Yes. The Symantec Endpoint Protection client installation on the CD installs the client as
unmanaged by default.

Can I create a single installation package that includes the Symantec Endpoint Protection
and Symantec Network Access Control clients?
Yes. Although the Symantec Endpoint Protection client is one product and the Symantec
Network Access Control (SNAC) client is another product, you can create an installation
package that installs both products, and manage both products from a single Symantec Endpoint
Protection Manager.

Can I install the Symantec Endpoint Protection Manager on 32-bit Windows XP SP2?
Yes, but it is not recommended. Windows XP SP2 is limited to ten simultaneous connections. The
Endpoint Protection Manager uses Internet Information Services (IIS) for reporting, so the
connection limit is easily reached.

Can I uninstall clients from the Symantec Endpoint Protection Manager Console?
No. You cannot remotely uninstall Symantec Endpoint Protection clients from the Symantec
Endpoint Protection Manager console. You can use Altiris or third-party solutions such as SMS
to uninstall clients remotely.

Can the Symantec Endpoint Protection client be deployed over a VPN connection?
While such a method of deployment is feasible, it is not recommended due to the risk of packet
loss, which can result in an incorrect installation. The recommended method is to download the
SETUP.EXE program directly to the computer and then proceed with the installation locally.

Migration

What should I think about in advance before I begin migrating my Symantec AntiVirus
environment to Symantec Endpoint Protection?
Consider several factors before you begin your migration:

- Do you have the resources to create a test migration environment?
  If you can create such an environment, it would be highly beneficial before you begin
  migration so that you can test exactly how clients and servers are grouped, which settings
  are migrated, and the overall migration success rate.
- Can you perform a complete migration to Symantec Endpoint Protection?
  If your network contains operating systems (such as NetWare) that are not supported with
  Symantec Endpoint Protection, then Symantec System Center must manage a subset of
  the clients and servers.
- Do you want to create new client groupings or use the existing groupings from
  Symantec System Center?
- How do you plan on migrating Symantec Endpoint Protection to your clients? Do you
  plan to use third-party tools or the Migration and Deployment Wizard?
  After you determine the method that you want to use to migrate your clients, you can
  determine whether to use certain Symantec Endpoint Protection features.
- Are there client settings that you must disable or reconfigure to ensure successful
  migration?
  Some client settings, such as scheduled scans, must be disabled before you begin
  migration.

Before you begin migration, you must read the migration chapters in the Installation Guide for
Symantec Endpoint Protection and Symantec Network Access Control.

What are the general steps to migrating Symantec AntiVirus to Symantec Endpoint
Protection?
You must complete the following steps to migrate Symantec AntiVirus to Symantec Endpoint
Protection, in the order listed:

1. Uninstall the Reporting Server if you have it installed.
2. Use Symantec System Center to configure settings for the management server and clients
   that prepare them for migration. These settings changes are: disable scheduled scans,
   modify Quarantine purge options, delete histories, disable LiveUpdate, disable roaming,
   unlock server groups, and disable Tamper Protection. Install the Symantec Endpoint
   Protection Manager.
3. Migrate your legacy clients and servers.
4. Uninstall Symantec System Center.
5. Migrate the legacy client or server that was used to protect the computer running
   Symantec System Center.

This procedure is generalized. If you plan on managing endpoints with both Symantec System
Center and Symantec Endpoint Protection Manager, the steps are different. You should consult
the migration chapters in the Installation Guide for Symantec Endpoint Protection and Symantec
Network Access Control for more information.

Should I install the Symantec Endpoint Protection Manager console on the same computer
as Symantec System Center?
You can install the Symantec Endpoint Protection Manager console on the same computer as
Symantec System Center, but it is not required. If you plan on managing a large number of
legacy Symantec clients, a best practice is not to install the Symantec Endpoint Protection
Manager console on the same computer that runs Symantec System Center to avoid performance
and communication problems.

Do I need to create a completely new infrastructure after migrating to Symantec Endpoint
Protection Manager?
No. You can reuse the infrastructure that you created for Symantec System Center. During the
migration process, you are asked how your clients inherit settings: whether from their server
group or parent management server. The option you choose affects how legacy clients and
servers appear in the Symantec Endpoint Protection Manager console based on the previous
Symantec System Center infrastructure.

Are all client settings migrated?
No. Tamper Protection settings are not migrated. Tamper Protection settings are included in the
client general settings rather than the AntiVirus and AntiSpyware policy. Also, you must
reconfigure the settings that you disabled for migration, such as scheduled scans, LiveUpdate,
and Quarantine purge.

Previously, migrating to newer versions of Symantec AntiVirus required a full product
installation, which stressed bandwidth limitations over WAN links. Have there been any
changes in this process to limit the problems with bandwidth?
With Symantec Endpoint Protection, you can create installation packages that contain only the
components that are necessary for the targeted clients. Additionally, you can stagger client
deployments to minimize performance issues in your network.

Do I need to restart the Symantec Endpoint Protection client after migration?
A restart is not required, but the computers that are not restarted after migration are protected
with only AntiVirus/AntiSpyware features. You must perform a restart to protect your computers
with firewall features.

What versions of Symantec AntiVirus/Symantec Client Security can I migrate to Symantec
Endpoint Protection?
You can migrate Symantec AntiVirus 9.x and Symantec Client Security 2.x or newer versions to
Symantec Endpoint Protection. You can also migrate from Symantec AntiVirus 10.2 for
Windows Vista.

Can I migrate Symantec AntiVirus 8.x and Symantec Client Security 1.x or older versions?
No. The client installation routine blocks the migration for these unsupported versions. You must
uninstall the older version, then install Symantec Endpoint Protection. Before you do so, you
should ensure that Symantec Endpoint Protection supports the operating system platform. If
Symantec Endpoint Protection does not support the operating system, you may want to continue
using Symantec System Center to manage these clients, or consider an upgrade to a supported
operating system.

What happens if the migration fails?
If the migration fails, you can analyze the installation log to determine why it failed. The
Windows Installer and the Migration and Deployment Wizard create log files that can be used to
verify whether or not an installation was successful. The log files list the components that were
successfully installed and provide a variety of details related to the installation package. If the
installation is not successful, an entry indicates that the installation failed. Typically, look for
"Value 3" (the Windows Installer return value that marks a failed action) to find failures. The log
file (vpremote.log) that is created when you use the Migration and Deployment Wizard is located
in the \Windows\temp directory.
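The following Python helper is an added example (not part of the original FAQ or the product) that applies the advice above to a Windows Installer verbose log: it finds each "Action ended ... Return value 3." line, which is the Windows Installer convention for a failed action, and reports the failing action names in order, so you can see the first thing that went wrong rather than just the final "Installation failed" summary. The log excerpt embedded in the block is constructed; the vpremote.log format is not shown on this page, so the parser targets the Windows Installer log format only.

```python
import re
from typing import Dict, Iterable, List, Optional

# Windows Installer writes one "Action ended" line per action; return value 3 means
# the action failed (1 = success, 0 = not executed).
ACTION_ENDED = re.compile(
    r"^Action ended \d{1,2}:\d{2}:\d{2}: (?P<action>[^.]+)\. Return value (?P<rv>\d+)\."
)
FAILED_SUMMARY = re.compile(r"Installation failed", re.IGNORECASE)


def analyze_installer_log(lines: Iterable[str]) -> Dict[str, object]:
    """Return the actions that ended with return value 3 (with their line numbers),
    the product-level failure summary line if present, and an overall verdict."""
    failed: List[Dict[str, object]] = []
    summary: Optional[str] = None
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = ACTION_ENDED.match(line)
        if m:
            if m.group("rv") == "3":
                failed.append({"line": number, "action": m.group("action")})
            continue
        if FAILED_SUMMARY.search(line):
            summary = line
    return {
        "failed_actions": failed,
        "first_failure": failed[0] if failed else None,
        "summary": summary,
        "succeeded": not failed and summary is None,
    }


def analyze_installer_log_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a log on disk; undecodable bytes are replaced, not fatal."""
    with open(path, "r", errors="replace") as fh:
        return analyze_installer_log(fh)


# Constructed log excerpt in the Windows Installer verbose format (not a real capture).
SAMPLE_LOG = """\
=== Verbose logging started: 3/14/2012 10:21:30 ===
Action start 10:21:33: InstallFiles.
Action ended 10:21:35: InstallFiles. Return value 1.
Action start 10:21:35: LaunchConditions.
Action ended 10:21:40: LaunchConditions. Return value 3.
MSI (s) (A4:7C) [10:21:40:456]: Product: Symantec Endpoint Protection -- Installation failed.
Action ended 10:21:40: INSTALL. Return value 3.
""".splitlines()


if __name__ == "__main__":
    result = analyze_installer_log(SAMPLE_LOG)
    for f in result["failed_actions"]:
        print(f"line {f['line']}: action {f['action']} returned 3")
    print("summary:", result["summary"])
```

The first entry in `failed_actions` is the one to read around: the top-level `INSTALL` action also reports value 3, but only because an earlier action already failed.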

Are exclusions migrated?
Yes. During migration, when you select to inherit settings from the server group or parent
management server, those exclusion settings are migrated to centralized exceptions in the
Symantec Endpoint Protection Manager console. If you migrate clients individually by running
the installation on the local client, client exclusion settings are not migrated.

Is there a report that shows me migration progress?
Yes. You can run a report from the Reports Page. Choose Computer Status as the Report Type,
and select Client Migration as the report to run. The following information is available:

- Client Migrations by Group
- Migrated Clients that were kept in the Same Group
- Clients Waiting to Migrate

How long does it take to migrate my environment?
The answer to this question varies. Symantec recommends that you create a test environment
where you can understand and become proficient with how migration works, i.e. which settings
to configure before migrating, how policies are migrated, and where they appear in the Symantec
Endpoint Protection Manager console. After you become comfortable with Symantec Endpoint
Protection Manager and how Symantec AntiVirus policies are translated in the new environment,
you should perform migration in stages to ensure that your network remains protected.

Are there any best practices for migration?
The following are best practices for migrating Symantec AntiVirus to Symantec Endpoint
Protection:

- Perform a site survey to determine which clients should be migrated to Symantec
  Endpoint Protection, and which clients should continue running Symantec AntiVirus.
- Create a migration test environment where you can test migration procedures and results
  before you run the migration in your production environment.
- If you have a large number of legacy Symantec AntiVirus clients and servers to manage,
  install the Symantec Endpoint Protection Manager on a different computer than the one
  running Symantec System Center.

You should refer to the Installation Guide for Symantec Endpoint Protection and Symantec
Network Access Control for more information on migration best practices.

What kind of success rate should I expect when migrating from Symantec AntiVirus to
Symantec Endpoint Protection?
The more thoroughly you perform pre-migration analysis and tasks, the better your success
rate during migration. For example, if you ensure that scheduled scans are disabled on your
clients, the chance that those clients migrate successfully increases. Additionally, if you create a
migration test environment before you migrate to your production environment, you can greatly
increase the migration success rate of your clients.

If supported versions of Sygate and Symantec AntiVirus are installed on the same
computer, does a migration to Symantec Endpoint Protection upgrade both products?
Yes, as long as both the Sygate and Symantec AntiVirus versions can be migrated.

Symantec Endpoint Protection Client

What is device control?
Device control is a new feature that lets you block access to devices such as USB and Bluetooth
on your Symantec Endpoint Protection clients.

Does the Symantec Endpoint Protection client support Exchange 2007?
The Symantec Endpoint Protection client supports email scanning on Exchange. Symantec Mail
Security for Exchange supports Exchange 2007.

Will servers be able to function as firewall clients?
Yes. For your Symantec Endpoint Protection clients that are installed on server operating
systems, you can configure the firewall policies to ensure the proper operation of the server
computers.

Can Symantec Endpoint Protection deny access to a visitor laptop or computer that is not
part of the domain?
Yes. You can use Symantec Network Access Control to deny access based on several
configurable computer attributes. Symantec Network Access Control requires an additional
license.

Can I protect my Linux computers with Symantec Endpoint Protection?
No, but you can use Symantec AntiVirus for Linux (SAVFL) to protect your Linux computers.

Is the Symantec Endpoint Protection client compatible with Symantec Gateway Security
Appliances?
Yes. The Symantec Endpoint Protection client should work fine with Symantec Gateway
Security appliances.

What ports do clients use to communicate with the Symantec Endpoint Protection
Manager?
Clients use ephemeral TCP ports (1024 to 65535) as their source ports for network
communications. In practice, however, the ephemeral ports that are used rarely exceed 5000.

Does the Symantec Endpoint Protection client rely on the grc.dat file for configuration
settings?
No. Sylink.xml has replaced the grc.dat file. The Symantec Endpoint Protection client relies on
Sylink.xml, which contains information such as the client's management server.

What is the Symantec Endpoint Protection client footprint?
The footprint when all components (AntiVirus, AntiSpyware, firewall, device control, IPS) are
active is 21 MB of disk space. The RAM footprint is between 20 MB and 25 MB.

Can the Symantec Endpoint Protection client have no user interface (UI)?
Yes. You can configure UI settings from the Clients Page in the SEPM.

Is the Symantec Endpoint Protection Client for 64-bit a native 64-bit application?
No. The Symantec Endpoint Protection Client is not a native 64-bit application. Some
components are 64-bit, and some are not. Symantec Network Access Control is a native 64-bit
application.

Symantec Endpoint Protection Manager and Console

Can I manage legacy Symantec AntiVirus clients from the Symantec Endpoint Protection
Manager console?
No. You must use Symantec System Center to manage legacy Symantec AntiVirus clients and
servers. For example, if you have NetWare servers running Symantec AntiVirus, you should
group these servers into a server group and use Symantec System Center to manage them.
Symantec Endpoint Protection does support forwarding reporting data from Symantec AntiVirus
to Symantec Endpoint Protection. This feature lets you view all data from one console.

Can I control the Symantec Endpoint Protection firewall through Group Policy Objects (GPO),
as with the Windows XP and Vista firewalls?
No. Symantec Endpoint Protection integrates with Active Directory, but it does not integrate
with GPOs.

Can I centrally manage both PCs and Macintosh computers from the Symantec Endpoint
Protection Manager Console?
No. However, the capability to centrally manage Macintosh computers and PCs is planned. The
ultimate goal is to have the Symantec Endpoint Protection Manager manage all endpoint security
solutions released by Symantec.

Can I detect unprotected computers from the Symantec Endpoint Protection Manager
console?
Yes. You can use the Find Unmanaged Computers Task and Network Audit from the Clients
page to detect the computers that Symantec Endpoint Protection does not protect.

Is the Active Directory (AD) tracking mechanism Originator Identification (OID) or domain
name (dn)? Does a change to the name of the group in AD show up as a rename after Symantec
Endpoint Protection Manager is synched with AD, or does the sync cause a new entry with the
old entry still in Symantec Endpoint Protection Manager?
Everything is OID based. In this scenario, the group would be renamed within Symantec
Endpoint Protection Manager after the sync. For information on synchronization with Active
Directory, see the following document:

"Organizational Units from Active Directory in Symantec Endpoint Protection 11.0"
http://www.symantec.com/docs/TECH102546
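To make the OID-versus-name distinction concrete, the following Python is an added example (not the manager's synchronization code) that reconciles a directory snapshot against stored groups two ways: keyed by a stable object identifier, a renamed group is reported as a rename and keeps its existing record; keyed by name, the same change shows up as one group removed and a new one added, which is exactly the duplicate-entry outcome the question asks about. The identifiers and group names are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Stored state as a manager might keep it: stable identifier -> group name.
# The identifiers are constructed placeholders, not real directory values.
EXISTING_BY_ID: Dict[str, str] = {"id-0001": "Sales", "id-0002": "Engineering"}

# A later directory snapshot in which "Sales" was renamed and "Finance" was created.
SNAPSHOT: List[Dict[str, str]] = [
    {"id": "id-0001", "name": "Sales-EMEA"},
    {"id": "id-0002", "name": "Engineering"},
    {"id": "id-0003", "name": "Finance"},
]


def sync_by_stable_id(existing: Dict[str, str],
                      snapshot: List[Dict[str, str]]) -> Dict[str, list]:
    """Reconcile on the stable identifier: a changed name is a rename of the same
    object, so policy assignments tied to that object survive the sync."""
    renamed: List[Tuple[str, str, str]] = []
    added: List[str] = []
    seen = set()
    for group in snapshot:
        gid, name = group["id"], group["name"]
        seen.add(gid)
        if gid not in existing:
            added.append(gid)
        elif existing[gid] != name:
            renamed.append((gid, existing[gid], name))
    removed = [gid for gid in existing if gid not in seen]
    return {"renamed": renamed, "added": added, "removed": removed}


def sync_by_name(existing_names: List[str], snapshot_names: List[str]) -> Dict[str, list]:
    """Reconcile on the name only: a rename is indistinguishable from delete-plus-create,
    so the old entry lingers (or is dropped) and a fresh, unconfigured one appears."""
    added = [n for n in snapshot_names if n not in existing_names]
    removed = [n for n in existing_names if n not in snapshot_names]
    return {"renamed": [], "added": added, "removed": removed}


def apply_sync(existing: Dict[str, str], snapshot: List[Dict[str, str]]) -> Dict[str, str]:
    """Return the stored state after an identifier-keyed sync."""
    updated = dict(existing)
    for group in snapshot:
        updated[group["id"]] = group["name"]
    present = {g["id"] for g in snapshot}
    return {gid: name for gid, name in updated.items() if gid in present}


def demo() -> Dict[str, Dict[str, list]]:
    return {
        "by_id": sync_by_stable_id(EXISTING_BY_ID, SNAPSHOT),
        "by_name": sync_by_name(list(EXISTING_BY_ID.values()),
                                [g["name"] for g in SNAPSHOT]),
    }


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
    print("after sync:", apply_sync(EXISTING_BY_ID, SNAPSHOT))
```

The identifier-keyed result is what you want from an identity-aware sync: one rename, one addition, nothing lost. The name-keyed result shows why tracking by display name is fragile for anything that hangs policy off the group.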

How can I connect to the Symantec Endpoint Protection Manager console through a
browser?
You can connect to the Symantec Endpoint Protection Manager by entering the following in your
browser: http://(IP address of Symantec Endpoint Protection Manager):9090

Can I install the Symantec Endpoint Protection Manager on a 64-bit computer?
Yes. You can install the Symantec Endpoint Protection Manager and Console on Windows XP
Professional 64-bit SP1 or later and Windows 2003 Server 64-bit SP1 or later.

Client Deployment

Can Symantec Endpoint Protection components be installed independently of each other?
Yes. You can create installation packages with the following types of protection:

- Antivirus and AntiSpyware only
- Network Threat Protection only
- Antivirus and AntiSpyware/Proactive Threat Protection
- Antivirus and AntiSpyware/Proactive Threat Protection/Network Threat Protection

Content Distribution

Will there be regionalized updates for Symantec Endpoint Protection?
Yes. Localized patches are planned for this release.

What is the difference between Push and Pull modes when downloading policies and
content from the management server?
Clients that use Push mode download policies and content as soon as they become available. In
push mode, an open connection is kept so that the manager can contact the client immediately
when data is available. Clients that use Pull mode download policies and content based on the
Heartbeat interval setting, which is set to 5 minutes by default. Because push mode uses more
network bandwidth, it is recommended mainly for small and medium-sized networks.

Does the Group Update Provider need IIS installed on the computer?
No. The Group Update Provider uses a built-in, embedded HTTP server.

Can the Group Update Provider get updates from LiveUpdate as well as the Symantec
Endpoint Protection Manager?
No. The Group Update Provider only receives its updates from the Symantec Endpoint
Protection Manager.

What are the sizes of the various packages that are sent between the Symantec Endpoint
Protection client and manager?
The following are estimates of the size of packages that are sent between the Symantec Endpoint
Protection client and manager:

- Heartbeat (with no updates to be exchanged): when there is no traffic to be exchanged (i.e.
  no profile to download and no logs to update), the heartbeat is between 2 KB/s and 3 KB/s.
- Policies (i.e. AV/AS, Firewall, OS Protection, Host Integrity): typically varies between
  20 KB and 80 KB, but can increase if detailed rules are included or OS protection templates
  are used. Generally, after you set your policies to suit your network needs, you do not
  modify them on a regular basis.
- IPS Signature Updates: files range between 50 KB and 100 KB. Symantec supplies updates
  approximately every quarter unless a specific threat or vulnerability needs to be addressed.
- AV Signatures: 50 KB to 100 KB daily for clients, if you assume that the signatures are
  updated successfully every day.
- Logs: logs are compressed at the client before they are uploaded to the Symantec Endpoint
  Protection Manager. Approximately 800 log entries take up 1 KB of file space.
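The following Python estimator is an added example (not a Symantec tool) that turns the package sizes above, together with the default 5-minute pull heartbeat from the Push/Pull answer, into a per-client and per-fleet daily traffic estimate for capacity planning. It assumes the heartbeat figure is the size of one heartbeat exchange, amortizes the quarterly IPS updates over a configurable number of days, and takes the upper bound of each range; all defaults are assumptions to replace with your own measurements.

```python
from typing import Dict

SECONDS_PER_DAY = 24 * 60 * 60


def daily_client_traffic_kb(heartbeat_interval_s: int = 300,    # default pull heartbeat: 5 minutes
                            heartbeat_kb: float = 3.0,          # upper bound of the 2-3 KB figure, assumed per exchange
                            av_signature_kb: float = 100.0,     # upper bound, one successful update per day
                            ips_signature_kb: float = 100.0,    # upper bound per IPS signature update
                            ips_interval_days: int = 90,        # "approximately every quarter"
                            policy_kb: float = 80.0,            # upper bound per policy download
                            policy_pushes_per_day: float = 0.0, # policies rarely change once set
                            log_entries_per_day: int = 0,
                            log_entries_per_kb: int = 800) -> Dict[str, float]:
    """Estimate one client's daily client/manager traffic in KB, broken down by component.
    Keys ending in _kb are traffic figures; total_kb is their sum."""
    heartbeats = SECONDS_PER_DAY // heartbeat_interval_s
    parts: Dict[str, float] = {
        "heartbeats_per_day": float(heartbeats),
        "heartbeat_kb": heartbeats * heartbeat_kb,
        "av_signatures_kb": av_signature_kb,
        "ips_signatures_kb": ips_signature_kb / ips_interval_days,
        "policies_kb": policy_kb * policy_pushes_per_day,
        "logs_kb": log_entries_per_day / log_entries_per_kb,
    }
    parts["total_kb"] = sum(v for k, v in parts.items() if k.endswith("_kb"))
    return parts


def fleet_daily_traffic_mb(clients: int, **overrides) -> float:
    """Scale the per-client estimate to a fleet, in MB per day."""
    return clients * daily_client_traffic_kb(**overrides)["total_kb"] / 1024.0


if __name__ == "__main__":
    # Constructed scenario: 5-minute heartbeat, 4,000 log entries per client per day.
    per_client = daily_client_traffic_kb(log_entries_per_day=4000)
    for key, value in per_client.items():
        print(f"{key:>20}: {value:10.2f}")
    print(f"5,000 clients: {fleet_daily_traffic_mb(5000, log_entries_per_day=4000):.1f} MB/day")
    # Halving the heartbeat interval roughly doubles the dominant heartbeat component.
    print(f"with 150 s heartbeat: "
          f"{fleet_daily_traffic_mb(5000, heartbeat_interval_s=150, log_entries_per_day=4000):.1f} MB/day")
```

With the defaults the heartbeat dominates the daily total by a wide margin, which is why the heartbeat interval, not signature size, is the first knob to consider when a site's WAN link is the constraint.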

How many clients can the Group Update Provider support?
The Group Update Provider can potentially handle up to 10,000 clients, assuming best practices
are followed. See the following KB article for more information:
http://www.symantec.com/docs/TECH95353

Reporting

How is legacy data added into the Symantec Endpoint Protection Manager database with a
new schema?
Legacy data is normalized when it is inserted into the database.

Can Symantec Endpoint Protection Reporting gather data from legacy Symantec
AntiVirus Reporting agents?
Yes. You can point the existing reporting agents to the Symantec Endpoint Protection Manager.
Turn on the legacy client data log processing, and then all the data appears in the new console.

Can I export reports in PDF or HTML format?
No. Currently, you can only export reports in CSV format. The capability to export reports in
PDF and HTML format is considered for a future release of Symantec Endpoint Protection.

Scaling

How many clients can I manage with a single Symantec Endpoint Protection Manager?
Symantec Endpoint Protection Manager can manage 50,000 clients as long as network resources
are available.

How many clients can I manage if I use the embedded database?
Symantec recommends the embedded database for up to 5,000 clients. If you have more clients,
you should use a stand-alone database.

Best Practices

What is a best practice for managing clients with Symantec AntiVirus 9.x, 10.x, and 11.x, if
you assume that the clients cannot be upgraded all at the same time?
The best practice for managing a combination of Symantec AntiVirus 9.x/10.x and Symantec
Endpoint Protection 11.x clients is to install the Symantec Endpoint Protection Manager and
Console on a different computer from Symantec System Center. You can then migrate your
legacy Symantec AntiVirus clients (that are supported) to Symantec Endpoint Protection 11.x in
stages. You should read the Migration Overview and Sequence section in the Installation Guide
for Symantec Endpoint Protection and Symantec Network Access Control.
