Symantec Endpoint Protection Migration Reference Guide

Symantec Endpoint Protection Migration Reference Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 12.01.00.00

Legal Notice
Copyright 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Supports primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantecs support offerings include the following:

A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and/or Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers software upgrades Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis Premium service offerings that include Account Management Services

For information about Symantecs support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/ All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

Product release level

Hardware information Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description:

Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:

Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and support contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan Europe, Middle-East, and Africa North America and Latin America customercare_apac@symantec.com semea@symantec.com supportsolutions@symantec.com

Upgrading or migrating to Symantec Endpoint Protection

This document includes the following topics:

Where to go for information on upgrading and migrating Supported server upgrade paths Supported client upgrade paths Migrations that are supported and unsupported for the Mac client Deciding which features to install on the client Feature mapping between 11.x and 12.1 clients Client protection features by platform Management features by platform Virus and Spyware Protection policy settings available for Windows and Mac LiveUpdate policy settings available for Windows and Mac Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1

Upgrading or migrating to Symantec Endpoint Protection Where to go for information on upgrading and migrating

Where to go for information on upgrading and migrating

Table 1-1 lists the key topics that pertain to upgrading and migrating to Symantec Endpoint Protection. To locate these topics, see the Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide. Table 1-1 Task
Supported and unsupported upgrade paths

Product upgrade and migration resources Topic

For new installations, you deploy client software to your computers after you install the Symantec Endpoint Protection Manager. For existing installations, you upgrade existing clients to the new version of Symantec Endpoint Protection after you upgrade the Symantec Endpoint Protection Manager. See Supported client upgrade paths on page 10. See Supported server upgrade paths on page 9. See Migrations that are supported and unsupported for the Mac client on page 10.

Preparing computers to receive the "Preparing for client installation" client software installation packages Creating security policies for the clients "The types of security policies" "Adding a policy"

Configuring feature sets for clients "About the client installation settings" "Configuring client installation package features" See Deciding which features to install on the client on page 11. "About client deployment methods" Deploying clients to the client computers Migrating clients to a newer version "About client deployment methods"

"About migrating to Symantec Endpoint Protection"

Upgrading or migrating to Symantec Endpoint Protection Supported server upgrade paths

Table 1-1 Task

Product upgrade and migration resources (continued) Topic

How protection technologies and See Feature mapping between 11.x and 12.1 clients features from legacy clients map to on page 12. new clients Feature and policy descriptions "About the types of threat protection that Symantec Endpoint Protection provides" "The types of security policies" Feature dependencies "How Symantec Endpoint Protection protection features work together" See Client protection features by platform on page 15. "About product upgrades and licenses"

Feature availability by platform

Upgrade licensing

Migration procedures and general "About migrating to Symantec Endpoint Protection" information

For more information on migration, see the knowledge base article, Endpoint Security Migration & Installation.

Supported server upgrade paths

The following Symantec Endpoint Protection Manager upgrade paths are supported:

From 11.x to 12.1 (full version) From 12.0 Small Business Edition to 12 .1 (full version) From 12.1 Small Business Edition to 12.1 (full version)

Note: Symantec AntiVirus 9.x and 10.x server information can be imported during the installation of Symantec Endpoint Protection Manager version 12.1. The following downgrade paths are not supported:

12.1 (full version) to 12.1 Small Business Edition 11.x to 12.1 Small Business Edition

10

Upgrading or migrating to Symantec Endpoint Protection Supported client upgrade paths

Supported client upgrade paths

The following Symantec Endpoint Protection client versions can upgrade directly to version 12.1:

11.0.780.1109 11.0.1000.1375 - MR1 11.0.2000.1567 - MR2, with maintenance patches 11.0.3001.2224 - MR3 11.0.4000.2295 - MR4, with maintenance patches 11.0.5002.333 - RU5 11.0.6000.550 - RU6, with maintenance patches 12.0.122.192 Small Business Edition 12.0.1001.95 Small Business Edition RU1

Upgrading from Symantec Sygate Enterprise Protection 5.x, and Symantec AntiVirus 9.x and 10.x to 12.1 (full version) is supported.

Migrations that are supported and unsupported for the Mac client
Table 1-2 displays the products that can be migrated to the Symantec Endpoint Protection for Mac client. Table 1-2 Migration paths from Symantec AntiVirus for Mac to the Symantec Endpoint Protection Mac client Migrate to Supported?

Migrate from
Managed Symantec AntiVirus for Mac client

Managed Symantec Yes Endpoint Protection for Mac client

Unmanaged Symantec AntiVirus Unmanaged Symantec Yes for Mac client Endpoint Protection for Mac client Unmanaged Symantec AntiVirus Managed Symantec Yes for Mac client Endpoint Protection for Mac client

Upgrading or migrating to Symantec Endpoint Protection Deciding which features to install on the client

11

Table 1-2

Migration paths from Symantec AntiVirus for Mac to the Symantec Endpoint Protection Mac client (continued) Migrate to Supported?

Migrate from
Managed Symantec AntiVirus for Mac client

Unmanaged Symantec Yes, but managed client Endpoint Protection for Mac settings are retained. client Managed or unmanaged Symantec Endpoint Protection for Mac client No. Client must uninstall Norton products before installing Symantec Endpoint Protection.

Norton AntiVirus for Mac

Deciding which features to install on the client

When you deploy the client using the Client Deployment Wizard, you must choose the feature set. The feature set includes multiple protection components that are installed on the client. You can select a default feature set or select individual components. Decide which feature set to install based on the role of the computers, and the level of security or performance that the computers need. Table 1-3 lists the protection technologies you should install on client computers based on their role. Table 1-3 Recommended feature set by computer role Recommended feature set
Full Protection for Clients Includes all protection technologies. Appropriate for laptops, workstations, and desktops. Includes the full download protection and mail protocol protection.

Client computer role

Workstations, desktop, and laptop computers

Note: Whenever possible, use Full Protection for

maximum security. Servers Full Protection for Servers Includes all protection technologies except mail protocol protection. Appropriate for any servers that require maximum network security. High-throughput servers Basic Protection for Servers Includes Virus and Spyware Protection and Download Protection. Appropriate for any servers that require maximum network performance.

12

Upgrading or migrating to Symantec Endpoint Protection Feature mapping between 11.x and 12.1 clients

Feature mapping between 11.x and 12.1 clients

When you upgrade clients using the autoupgrade feature, and check the Maintain Existing Features option, the features that are configured in legacy clients are mapped to the new version. The tables in this section depict the feature mapping between previous versions and the new version of Symantec Endpoint Protection for common update scenarios. If you migrate from a previous version, be aware that Antivirus and Antispyware Protection in Symantec Endpoint Protection 11.x is called Virus and Spyware Protection in version 12.1. Table 1-4 compares the default protection technologies between 11.x and 12.1 clients. Table 1-4 11.x to 12.1 default client protection Default 12.1 client protection
Antivirus + SONAR + Download Insight Antivirus + Basic Download Insight Antivirus without SONAR or Download Insight

Default 11.x client protection

Antivirus + TruScan Antivirus Antivirus without Proactive Threat Protection

Table 1-5

11.x to 12.1 full protection 12.1 features installed after Autoupgrade

Virus and Spyware Protection

Existing 11.x features installed

Antivirus and Antispyware Protection

Antivirus and Antispyware Protection

Basic Virus and Spyware Protection Download Insight

Auto-Protect Email Protection

Auto-Protect Email Protection

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

Proactive Threat Protection

Proactive Threat Protection

TruScan proactive threat scan Application and Device Control

SONAR Application and Device Control

Upgrading or migrating to Symantec Endpoint Protection Feature mapping between 11.x and 12.1 clients

13

Table 1-5

11.x to 12.1 full protection (continued) 12.1 features installed after Autoupgrade
Network Threat Protection

Existing 11.x features installed

Network Threat Protection

Network Threat Protection Intrusion Prevention

Network Threat Protection Intrusion Prevention

Table 1-6

11.x to 12.1 AV only 12.1 features installed after Autoupgrade

Virus and Spyware Protection

Existing 11.x features installed

Antivirus and Antispyware Protection

Antivirus and Antispyware Protection

Basic Virus and Spyware Protection

Auto-Protect Email Protection

Auto-Protect Email Protection

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

Table 1-7

11.x to 12.1 AV + Proactive Threat Protection 12.1 features installed after Autoupgrade
Virus and Spyware Protection

Existing 11.x features installed

Antivirus and Antispyware Protection

Antivirus and Antispyware Protection

Basic Virus and Spyware Protection Download Insight

Auto-Protect Email Protection

Auto-Protect Email Protection

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

Proactive Threat Protection

Proactive Threat Protection

TruScan proactive threat scan Application and Device Control

SONAR Application and Device Control

Network Threat Protection

Network Threat Protection

Intrusion Prevention System

Intrusion Prevention System

14

Upgrading or migrating to Symantec Endpoint Protection Feature mapping between 11.x and 12.1 clients

Table 1-8

11.x to 12.1 (full version) firewall only 12.1 features installed after Autoupgrade
Auto-Protect Email Protection

Existing 11.x features installed

Auto-Protect Email Protection

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

POP3/SMTP Scanner Microsoft Outlook Scanner Lotus Notes Scanner

Proactive Threat Protection

Proactive Threat Protection

Application and Device Control

Application and Device Control

Network Threat Protection

Network Threat Protection

Network Threat Protection

Network Threat Protection

Note: The 12.1 version only includes the

firewall

Table 1-9

12.0 Small Business Edition to 12.1 (full version) 12.1 features installed after Autoupgrade
Virus and Spyware Protection

Existing 12.0 Small Business Edition features installed

Virus and Spyware Protection

Virus and Spyware Protection

Basic Virus and Spyware Protection Download Insight

Auto-Protect Email Protection

Auto-Protect Email Protection

POP3/SMTP Scanner Microsoft Outlook Scanner

POP3/SMTP Scanner Microsoft Outlook Scanner

Proactive Threat Protection

Proactive Threat Protection

TruScan proactive threat scan

SONAR Application and Device Control

Network Threat Protection

Network Threat Protection

Firewall and Intrusion Prevention

Network Threat Protection Intrusion Prevention

Upgrading or migrating to Symantec Endpoint Protection Client protection features by platform

15

Client protection features by platform

Table 1-10 explains the differences in the protection features that are available on the different client computer platforms. Table 1-10 Client feature Windows XP (SP2), Windows Vista, Windows 7, 32-bit
Yes Yes Yes

Symantec Endpoint Protection client protection Windows XP (SP2), Windows Vista, Windows 7, 64-bit
Yes Yes Yes

Windows Server 2003, Windows Server 2008, 32-bit

Yes Yes Yes

Windows Mac Server 2003, Windows Server 2008, 64-bit

Yes Yes Yes Yes Yes Yes

Linux

Scheduled scans On-demand scans Auto-Protect for the file system

Yes Yes Yes

Internet Email Auto-Protect Yes Microsoft Outlook Auto-Protect Lotus Notes Auto-Protect SONAR Firewall Intrusion Prevention Application and Device Control Host Integrity Tamper Protection Yes

No Yes

No Yes

No Yes

No No

No No

Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes

No No No No No

No No No No No

Yes Yes

Yes Yes, with limitations

Yes Yes

Yes Yes, with limitations

No No

No No

See Management features by platform on page 16. See Virus and Spyware Protection policy settings available for Windows and Mac on page 17. See LiveUpdate policy settings available for Windows and Mac on page 18.

16

Upgrading or migrating to Symantec Endpoint Protection Management features by platform

Management features by platform

Table 1-11 explains the management features that are available for the Windows and Mac client platforms. Table 1-11 Comparison between Symantec Endpoint Protection Manager features for Windows and Mac Mac
No

Feature
Deploy client remotely from Symantec Endpoint Protection Manager Manage client from Symantec Endpoint Protection Manager

Windows
Yes

Yes

Yes

Update virus definitions and Yes product from management server Run commands from management server

No

Scan Update Content Update Content and Scan Restart Client Computers Enable Auto-Protect Restart Client Computers Enable Auto-Protect

Scan Update Content Update Content and Scan Restart Client Computers Enable Auto-Protect Restart Client Computers Enable Auto-Protect

Enable Network Threat Protection Disable Network Threat Protection Provide updates by using Group Update Providers Run Intelligent Updater Package updates for third-party tools in management server Set randomized scans Set randomized updates Yes No

Yes Yes

Yes No*

Yes Yes

No Yes

*You can run Intelligent Updater to get Mac content updates. You can then push the updates to Mac clients by using a third-party tool such as Apple Remote Desktop.

Upgrading or migrating to Symantec Endpoint Protection Virus and Spyware Protection policy settings available for Windows and Mac

17

See Virus and Spyware Protection policy settings available for Windows and Mac on page 17. See LiveUpdate policy settings available for Windows and Mac on page 18. See Client protection features by platform on page 15.

Virus and Spyware Protection policy settings available for Windows and Mac
Table 1-12 displays the differences in the policy settings that are available for Windows clients and Mac clients. Table 1-12 Virus and Spyware Protection policy settings (Windows and Mac only) Mac
You can specify either of the following actions:

Policy setting
Define actions for scans

Windows
You can specify first and second actions when different types of virus or risk are found. You can specify the following actions:

Automatically repair infected files Quarantine files that cannot be repaired

Clean Quarantine Delete Leave alone

Specify remediation if a virus You can specify the following remediation Remediation is automatically associated or a risk is found actions: with actions.

Back up files before repair Terminate processes Stop services Custom only No No

Set scan type Retry scheduled scans

Active, Full, Custom Yes

Set scans to check additional Yes locations (scan enhancement) Configure storage migration Yes scans Configure scan exceptions Yes

No

Yes

18

Upgrading or migrating to Symantec Endpoint Protection LiveUpdate policy settings available for Windows and Mac

See Management features by platform on page 16. See LiveUpdate policy settings available for Windows and Mac on page 18. See Client protection features by platform on page 15.

LiveUpdate policy settings available for Windows and Mac

Table 1-13 displays the LiveUpdate Settings policy options that the Windows client and the Mac client support. Table 1-13 Policy setting
Use the default management server Use a LiveUpdate server (internal or external) Use a Group Update Provider Enable third-party content management

LiveUpdate policy settings (Windows and Mac only) Windows

Yes Yes

Mac
No Yes

Yes Yes

No No You can, however, run Intelligent Updater to get Mac content updates. You can then push the updates to Mac clients by using a third-party tool such as Apple Remote Desktop.

LiveUpdate Proxy Configuration

Yes

Yes, but it is not configured in the LiveUpdate policy. It is configured from the External Communications settings. Yes, for Frequency and Download Randomization options; no for all other scheduling options No Yes No

LiveUpdate Scheduling

Yes

User Settings Product Update Settings HTTP Headers

Yes Yes Yes

See Management features by platform on page 16.

Upgrading or migrating to Symantec Endpoint Protection Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1

19

See Virus and Spyware Protection policy settings available for Windows and Mac on page 17. See Client protection features by platform on page 15.

Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1
The Symantec Endpoint Protection Manager version 12.1 requires a minimum of 5 GB of available disk space. Make sure that any legacy servers or new hardware meet the minimum hardware requirements. Note: Make a backup of the database before making configuration changes. Table 1-14 lists ways you can make more disk space available for the upgrade. Table 1-14 Task Tasks to increase disk space on the management server Description
Go to Admin > Servers and right-click on Local Site. Select Edit Properties. On the LiveUpdate tab, uncheck Store client packages unzipped to provide better network performance for upgrades On the LiveUpdate tab, reduce the number of content revisions to keep. The optimum value is 30 revisions but a lower setting uses less disk space. For the upgrade, you can lower the setting to 10, and then after the upgrade, return the setting to 30. Go to Admin > Servers and right-click on Local Site. Select Edit Properties On the Database tab, make sure that Delete unused virus definitions is checked.

Change the LiveUpdate settings 1 to reduce space requirements.

Make sure unused virus definitions are deleted from the Symantec Endpoint Protection Manager database.

1 2

20

Upgrading or migrating to Symantec Endpoint Protection Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1

Table 1-14 Task

Tasks to increase disk space on the management server (continued) Description

If other programs are installed on the same computer with the Symantec Endpoint Protection Manager, consider relocating them to another server. Unused programs can be removed. If the Symantec Endpoint Protection Manager shares the computer with other storage intensive applications, consider dedicating a computer to support only the Symantec Endpoint Protection Manager. Remove temporary Symantec Endpoint Protection files. For a list of temporary files that you can remove, see the knowledge base article, Symantec Endpoint Protection Manager directories contain many .TMP folders consuming large amounts of disk space.

Relocate or remove co-existing programs and files

Note: Defragment the hard drive after removing

programs and files. Use an external database If the Symantec Endpoint Protection database resides on the same computer with the Symantec Endpoint Protection Manager, consider installing a Microsoft SQL database on another computer. Significant disk space is saved and in most cases, performance is improved.

Note: Make sure that the client computers also have enough disk space before an upgrade. Check the system requirements and as needed, remove unnecessary programs and files, and then defragment the client computer hard drive.