SEP 12.1.RU6 MP5 (also known as SEP 12.1.6 MP5)
RU – Release update
MP – Maintenance Patch
SEP upgrade guide
Server port: 8443
Web console port: 9090
Client communications port: 8014
Web services port: 8444
Server control port: 8765
Reporting port: 8445
SEP -> Use either default embedded database or Microsoft SQL server
Embedded database: Recommended for organization with one site and one management server
SEP general recommendations for virus / worm prevention
1. Users should have complex passwords
2. Apply security updates / patches
3. Limit network share
4. Don’t browse on servers
5. Ensure clients having up to date SEP definitions
SEP performance recommendations
1. Store atleast 3- 4 days of SEP content revisions. Symantec release 3 revisions a day and for 3 days it will be 9 revisions. Storing higher revisions increase the storage space requirements on SEP server but clients will get update from SEP server instead of going to online to get updates.
- In the Symantec Endpoint Protection Manager console, click Admin > Servers > Local Site.
- Right-click Local Site and select Edit Properties.
- Click LiveUpdate.
- Under “Disk Space Management for Downloads“, select the number of content revisions to be retained.
2. Hearbeat interval: For an environment with 1000+ clients, heartbeat interval should be atleast 30 minutes.
3. SEP has an inbuilt embedded database, but it is not recommended for an environment which has > 5000 clients. MS SQL server is recommended.
4. Don’t set SEP to scan for viruses on clients once the definitions are downloaded into them. This is especially needed when the clients are on a shared storage and in a Virtual environment.
5. IPS – Intrusion prevention system works on Network level. It brings a increased CPU, Network latency and memory usage on servers. IPS cause major issues if:
> CPU utilization is >35% on the server
> Network usage is 300mbps or more
> Server uses teaming NICs.
6. SEPM (SEP manager) should not be installed on a critical server or high resource usage such as Domain controller, Exchange server or DB server. Server OS is recommended and a separate machine / VM is recommended.
SONAR – Symantec Online Network Automatic Response.
SONAR uses reputation data and heuristics to detect virus. If insight lookup is disabled, SONAR uses heuristics to detect viruses but protection is limited and false positives increase.
SEP client logs
You can find SEP client logs by opening SEP and click view logs
For SEPM server logs, we can export the logs using a tool called Symantec Endpoint Protection Manager Log Collection Tool.
1. To do that, goto the following location:
\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools
2. Double click collectLog.cmd file
3. Now the logs will be collected and will be placed in the Tools folder. We can find it with the name SEPM_logs.zip
The following logs can be collected through this tool:
- Server logs
- Secars logs
- Console logs
- Config wizard logs
- Liveupdate logs
- Installshield logs
SEPM issues faced:
- SONAR quarantine services: With 12.1.1. Upon update, SEP’s SONAR falsely identified Symantec’s MSS division’s own applications as virus and quarantined those services (.exe files) as a result services were stopped on the server and there was a major outage. We got huge number of service stop alerts from many of the servers. Upon troubleshooting many things, we found SEP quarantined those files, we immediately resolved the issue on the affected server and on SEPM (added exclusions for those exe files) and that very day worked with SEP support team and got another update which resolved the issue.
- SEP disk usage issue with 12.1.1: Resolved by upgrading to 12.1.4.
- Network isolation with 12.1.1: Upon reboot some server would not come online. Network intrusion prevention needs to be restored then only the server will come up. This happened on critical servers including DCs. Reinstalling SEP fixed the issue.
- Network and disk latency in VM environment: We have experienced a severe slowness across the environment everyday recently. We thought it is because the Dev members were running performance testing caused the issue. We have asked them to stop but it continued, we then used scripts at the ESX level, VM level to find the issue it all pointed to SEP.
I then checked the settings in it and found number of not recommended settings across the server:
- Content revisions to store was just 1. Changed it to 3 days (9 content revisions).
- Forced clients to get updates from SEPM server and not online.
- Increased heartbeat interval from 30 minutes to 1 hour.
- Changed the Download randomization settings from 30 minutes to 3 hours.
- Disabled the option to scan the VMs every time it gets the updates. Since our environment has shared storage, this severely impacted the performance of the VMs.
Changing the above said options reduced the latency. We have also rescheduled the DB backup settings.