pc g 20090506

Upload: chandu-nsa

Post on 04-Apr-2018


  • 7/30/2019 Pc g 20090506

    1/31

    University of Texas at Arlington

    Personal Configuration Guide for Symantec Endpoint Protection (Draft 0)

    20090506


    University of Texas at Arlington

    Office of Information Technology

    Information Security Office

    Personal Configuration Guide for Symantec Endpoint Protection

    This guide is provided by the Office of Information Technology (OIT), Information Security Office as a basic and introductory guide for configuring the Symantec Endpoint Protection (SEP) software on personal devices.

    This guide is intended for use by UT Arlington Students, Staff, and Faculty on their personally owned computers.

    UT Arlington provides active students, faculty and staff one free copy of the SEP software for installation and use on their personally owned computer to help prevent and mitigate cross contamination of information and computing resources.

    The SEP client for personal use is preconfigured with the recommended default settings as specified by Symantec. However, these settings may not provide optimal security protection for all users. Each individual is encouraged to familiarize themselves with the settings and options for any software package in use on their personally owned computer. For example, by default Symantec will detect spyware but will not remove or quarantine said spyware. This guide will show the user where to configure this setting and many more.

    This guide does not provide a comprehensive summary of the settings and capabilities within SEP. The user is encouraged to read the official Symantec user's guide for the software.

    2 UT Arlington - Windows XP Operating System Security Guide


    Contents

    Section 1 - What is SEP
      1.1 - Symantec Endpoint Protection
      1.2 - SEP Client

    Section 2 - Getting the Software
      2.1 - On-Line
      2.2 - BlazeWare
      2.3 - Report Piracy

    Section 3 - Installation
      3.1 - Installation
      3.2 - First Time Installation
      3.3 - Update Installation

    Section 4 - The SEP GUI
      4.1 - GUI

    Section 5 - Client Configuration
      5.1 - Default Configuration
      5.2 - Scheduled Scan
      5.3 - Antivirus Spyware Configuration
      5.4 - Proactive Threat Configuration
      5.5 - Other Settings

    Section 6 - Links and References


    1 - What is SEP

    ------------------------------------------------------------------------------------------------

    1.1 - Symantec Endpoint Protection

    SEP is the evolutionary replacement to Symantec Antivirus (SAV). SEP is a bundled software suite that includes antivirus, antispyware, firewall, intrusion prevention, and proprietary malware detection features. SEP is currently available for the Windows family of operating systems. Individuals with Linux and/or Mac must continue to use the appropriate versions of SAV for their computer.

    The SEP suite is modular in fashion and most features can be enabled and/or disabled independently to allow for a multitude of configuration options.

    The separate components within SEP include:

    Antivirus and Spyware Protection
      - Antivirus
      - Spyware
      - Email

    Proactive Threat Protection
      - Heuristics
      - Anti-Keylogger

    Network Threat Protection
      - Firewall
      - Intrusion Prevention (IPS)

    Application Detection and Control

    ------------------------------------------------------------------------------------------------

    1.2 - SEP Client

    The SEP client is the end-user application that is installed on the local computing device that is to be protected. The SEP client has active and passive operations with the active operation being enabled by default. Passive operations can be scheduled to occur at regular intervals or can be left to the user to perform manually.

    System performance in SEP has been reported to be greatly improved over that of SAV. SEP has a reported memory utilization of 24MB, down 62% from SAV which had a memory utilization of 62MB. SEP also reports a smaller physical footprint on the hard drive as compared to SAV.

    During normal operations on a clean computer the user will not see obvious activity on the part of the SEP software. This can be changed so that the user receives more or fewer event notifications about various actions performed by the software.

    The SEP client is fairly intuitive and beginner users should find the Graphical User Interface (GUI) easy to navigate and use.

    ------------------------------------------------------------------------------------------------


    2 - Getting the Software

    ------------------------------------------------------------------------------------------------

    2.1 - On-Line

    OIT will maintain a password protected web site with the most current software version available for personal use. The web site can be found at www.uta.edu/antivirus.

    Once you have opened the web site in a browser, navigate to the option for the Personal / Home version and follow the link to the file download. You will be prompted for your UTA NetID and password. Lastly, save the file to a location of your choosing.

    Individuals that are active students, faculty, or staff of UT Arlington are permitted one copy of SEP for use on their personally owned computer.

    ------------------------------------------------------------------------------------------------

    2.2 - BlazeWare

    OIT provides the campus with a software and documentation distribution CD named BlazeWare.

    BlazeWare can be obtained at the UT Arlington Computer Store in Ransom Hall for the ultra low cost of $5.*

    * The fee charged is for the physical media and printing services; all software on the BlazeWare CD is free to active UT Arlington students, faculty and staff.

    BlazeWare can also be obtained at various campus and security events throughout the year, such as student orientation and the student activities fair.

    ------------------------------------------------------------------------------------------------

    2.3 - Report Piracy

    SEP, BlazeWare and other software covered by UT Arlington software agreements should never be purchased from anyone on-line or in person.

    If you know of any UT Arlington branded software being sold by an entity other than the UT Arlington Computer Store at Ransom Hall, or any UT Arlington branded software being distributed to individuals that are not active UT Arlington students, faculty or staff, please report the activity to the Information Security Office, [email protected].

    ------------------------------------------------------------------------------------------------


    3 - Installation

    ------------------------------------------------------------------------------------------------

    3.1 - Installation

    Before installing SEP on your computer it is recommended that you fully uninstall and delete any pre-existing antivirus and/or host based security products that may be on your computer.

    If you are currently using a security software package from Symantec's Norton product line it is recommended that this also be removed prior to installing SEP.

    ** SEP will work with passive spyware programs such as LavaSoft Ad-Aware or Safer Networking Spybot Search and Destroy. However, SEP will have conflicts with active antivirus and firewall programs like McAfee Antivirus, TrendMicro Internet Security, and avast! Antivirus, to name a few.

    After removing any conflicting antivirus and/or host based security products your computer should be rebooted.

    Installation of the SEP software is your typical Windows "double click and follow the prompts" installation.

    For our demonstration we will assume you are installing SEP from the latest version of the BlazeWare CD. The exact file name may vary.

    If you have downloaded the software file to your desktop you should see an icon as in figure 00.

    Figure 00


    Or if you prefer to install directly from the BlazeWare CD you should see a Windows Explorer window as in figure 01.

    Figure 01

    ------------------------------------------------------------------------------------------------

    3.2 - First Time Installation

    If you are installing SEP for the first time ever it is recommended that you remove any pre-existing antivirus and/or host based security products that may be on your computer.

    Double click on the software file icon to initiate the installation.
    You will briefly see a "Preparing to install" message.

    Figure 02


    Followed by a Welcome message.
    Select Next

    Figure 03

    You will be prompted with the Symantec End Users License Agreement (EULA).
    Select your acceptance choice
    Select Next

    Figure 04


    You will be prompted to install the software.
    Select Install

    Figure 05

    You will see a status screen with various messages throughout the install process.

    Figure 06


    Once the installation has completed you will be prompted with the finish prompt.
    Select Finish.

    Figure 07

    Immediately following the software installation SEP will initiate a LiveUpdate of the software. During this process your computer will attempt to contact the servers at Symantec.com to download the latest virus and content definitions.

    Figure 08


    Finally you will be prompted to reboot your computer.
    The antivirus components of SEP will begin protecting your computer before it is rebooted; however, the network components like the firewall and IPS will not take effect until after a reboot.

    Figure 09

    Once you have completely installed SEP and logged back into your computer following the reboot you will see a new icon in the lower right corner of your task bar.

    SEP will also add itself to the Windows Start menu.

    Figure 10

    ------------------------------------------------------------------------------------------------


    3.3 - Update Installation

    If you have installed a previous version of SEP on your computer and you are re-installing or upgrading to the newest version you can install over top of the old version of SEP.

    Double click on the software file icon to initiate the installation.
    You will briefly see a "Preparing to install" message.

    Figure 11

    At the Welcome message select Next

    Figure 12


    You will be prompted for the type of software install.
    Most users will select Modify to upgrade the older version of SEP.

    Figure 13

    You will be prompted to select the components for installation.
    By default your installation should have all components enabled with the exception of Outlook and Lotus Notes protection.

    Figure 14


    Select Next

    Figure 15

    You will be prompted to install the software.
    Select Install

    Figure 16


    You will see a status screen with various messages throughout the install process.

    Figure 17

    Once the installation has completed you will be prompted with the finish prompt.
    Select Finish.

    Figure 18


    Immediately following the software installation SEP will initiate a LiveUpdate of the software. During this process your computer will attempt to contact the servers at Symantec.com to download the latest virus and content definitions.

    Figure 19

    Finally you will be prompted to reboot your computer.
    The antivirus components of SEP will begin protecting your computer before it is rebooted; however, the network components like the firewall and IPS will not take effect until after a reboot.

    Figure 20

    ------------------------------------------------------------------------------------------------


    4 - The SEP GUI

    ------------------------------------------------------------------------------------------------

    4.1 - GUI

    You can open the SEP GUI by double clicking on the gold shield on the system task bar or by using the Start menu option (Start > Programs > Symantec Endpoint Protection > Symantec Endpoint Protection).

    Figure 21

    The main view of the SEP GUI is your typical dashboard style interface with green, yellow, and red color indicators. As you can see in figure 22 our SEP client is all green and therefore a happy fully updated client.

    Figure 22

    To explore the GUI you can use the menu options on the left frame, which are static and remain the same on each view of the GUI. Optionally you can choose the individual Options buttons on the right side of each of the three major components.


    In the event you need assistance with your SEP software the first thing you will need to know is how to find the version number.
    To do this...
    Select the yellow Help and Support button in the upper right of the main window.

    Figure 23

    Then select About.
    The version number will be immediately under the software name. In our example we have version 11.0.4.4014.26

    Figure 24

    ------------------------------------------------------------------------------------------------


    5 - Client Configuration

    ------------------------------------------------------------------------------------------------

    5.1 - Default Configuration

    SEP will install with the recommended default settings as specified by Symantec. However, these settings may not provide optimal security protection for all users. Each individual is encouraged to familiarize themselves with the settings and options for any software package in use on their personally owned computer. For example, by default Symantec will detect spyware but will not remove or quarantine said spyware.

    Let's modify the client and tighten up some of the settings to provide your computer better protection against becoming infected.

    ------------------------------------------------------------------------------------------------

    5.2 - Scheduled Scan

    By default SEP only attempts to scan files as you use them via the Auto-Protect feature. While this is fine for files that you get today, it is not so good for all the files that are already on your computer.

    To create a scheduled scan select Scan for threats, the second option on the left-hand frame of the GUI. Then select Create a New Scan.

    Figure 25


    It is recommended that the system perform an Active Scan once a day and a Full Scan once a week as a minimum.

    SEP is configurable to run an Active Scan at the time the computer is booted up as seen in Figure 25. **Note this scan is present but disabled by default. This however may add time to the boot process of your computer depending on how many other applications are also running at startup. You can optionally configure SEP to run an active scan each time that new definitions are downloaded. **This is a default action. With the system performing an Active Scan with each new definition set we can simply add a Weekly Full Scan.

    The Active Scan only looks at certain locations on the hard drive; it is sometimes referred to as a quick scan. A Full Scan looks at the entire hard drive; although it is more complete it will take longer to run. With this in mind you will want to choose a time for your Weekly Full Scan when your computer will be powered up but you are not actively using it. For example, if you are the active socialite, something like Friday night at 8 PM while you are going out to eat. Or if you are a gamer, something like 6 AM Saturday morning while you are still asleep after the Friday night tournament.

    Select Full Scan and Next

    Figure 26


    On the following screen we can delve into Actions and define if SEP logs, quarantines, or removes various types of detected risks. On the Notifications menu we can define how much we want SEP to talk to us. Do we want SEP to perform its functions silently or do we want to see a message every step along the way? With the Advanced and Centralized Exceptions we can further control how SEP behaves and remove specific files or folders from a scan.

    First select Actions

    Figure 27

    Recommended Settings
    - Macro virus: First Action: Clean risk / If first action fails: Quarantine risk.
    - Non-macro virus: First Action: Clean risk / If first action fails: Delete risk.
    - Security Risks: First Action: Delete risk / If first action fails: Quarantine risk.
    Select OK

    Figure 28


    Now let's enable notifications so that we get a warning if a virus is detected.
    Select Notifications
    Then select all three options:
    - Display a notification message when a security risk is detected
    - Terminate processes automatically
    - Stop services automatically

    Select OK and Next

    Figure 29

    Next we will select the time for the scan.
    Select At specified times and Next

    Figure 30


    In figure 31 we have selected Friday at 10 PM. Enter your preferred time.
    Select Next

    Figure 31

    Give your scan a name and description.
    Select Finish

    Figure 32


    Your GUI should now display your newly configured scan

    Figure 33

    ------------------------------------------------------------------------------------------------


    5.3 - Antivirus and Spyware Configuration

    Within the Antivirus and Spyware Protection configuration most of the default settings will be sufficient for the average computer. However, we want to tighten up the actions that SEP will take when it identifies a risk.

    Let's dig in to the configuration and change the default actions. This is very similar to the action sets you defined in the scheduled scan. The only difference is that there are two specific action sets that need to be configured: one set for the file system and one set for Email.

    From the main GUI interface select Change Settings on the left frame.
    Select Configure Settings to the right of Antivirus and Spyware Protection.

    Figure 34


    Select the File System Auto-Protect tab
    Select Actions

    Figure 35

    Recommended Settings
    - Macro virus: First Action: Clean risk / If first action fails: Quarantine risk.
    - Non-macro virus: First Action: Clean risk / If first action fails: Delete risk.
    - Security Risks: First Action: Delete risk / If first action fails: Quarantine risk.
    Select OK

    Figure 36


    Select the Internet Email Auto-Protect tab
    Select Actions

    Figure 37

    Recommended Settings
    - Macro virus: First Action: Clean risk / If first action fails: Quarantine risk.
    - Non-macro virus: First Action: Clean risk / If first action fails: Delete risk.
    - Security Risks: First Action: Delete risk / If first action fails: Quarantine risk.
    Select OK

    Figure 38


    ------------------------------------------------------------------------------------------------

    5.4 - Proactive Threat Configuration

    Within the Proactive Threat Protection configuration it is highly recommended that the actions for identified keyloggers are increased. By default SEP will only log the fact that a keylogger was found. Since keyloggers can be used to steal data from your system we want to set this action to quarantine.

    From the main GUI interface select Change Settings on the left frame.
    Select Configure Settings to the right of Proactive Threat Protection.

    Figure 39


    In the lower right corner of the window, change the setting for "When a commercial keylogger is detected" from Log to Quarantine.
    Select OK

    Figure 40

    ------------------------------------------------------------------------------------------------


    5.5 - Other Settings

    SEP is a powerful software product and has lots of configuration options. Take some time to explore the interface and the various options. Be careful particularly with the Network Threat Protection options as some of them can significantly impact the ability of your computer to communicate with other devices on the network.

    If you wish to do more with the SEP firewall make sure you understand how the changes will affect your system and make sure you know how to remove the changes made in the event something breaks.

    For more information about features and settings of SEP:

    Use the built in SEP help. Select the yellow Help and Support button in the upper right of the main window.

    Figure 41

    Or see the SEP Client User's Guide available on BlazeWare, client_guide.pdf

    ------------------------------------------------------------------------------------------------


    6 - LINKS AND REFERENCES

    ------------------------------------------------------------------------------------------------

    Links:

    UT Arlington Antivirus (Symantec)

    - http://www.uta.edu/antivirus

    BlazeWare

    - http://blog.uta.edu/security/2008/10/20/blazeware-fall-2008/

    Symantec Threat Explorer (vendor site)

    - http://www.symantec.com/norton/security_response/threatexplorer/index.jsp

    Symantec Endpoint Protection (vendor site)

    - http://www.symantec.com/business/endpoint-protection

    Symantec Endpoint Protection FAQ (vendor site)

    - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071909500548
