Page 1: Norman Endpoint Protectiondownload01.norman.no/npro/...Endpoint-Protection-11... · The platforms that the Endpoint Protection framework is designed to run on do not have to be servers,

Norman Endpoint Protection version 11

Administrator’s Guide

Features
• Antivirus
• Endpoint Manager
• Reports & Statistics

Including appendices for
• Norman MailScan for Domino
• Norman Exchange Mailbox Scanner
• Norman Exchange Transport Scanner


Copyright © 2015 AVG Technologies ii

Administrator’s Guide: Norman Endpoint Manager | Version: 11 | Limited Warranty

Limited Warranty
We guarantee that CD/DVD-ROMs containing the software and documentation do not have production flaws. If you report a flaw within 30 days of purchase, we will replace the defective CD/DVD-ROM and/or documentation at no charge. Proof of purchase must be enclosed with any claim.

This warranty is limited to replacement of the product. We are not liable for any other form of loss or damage arising from use of the software or documentation or from errors or deficiencies therein, including but not limited to loss of earnings.

With regard to defects or flaws in the CD/DVD-ROM or documentation, or this licensing agreement, this warranty supersedes any other warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, we will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages.

This warranty expires 30 days after purchase.

The information in this document as well as the functionality of the software is subject to change without notice. The software may be used in accordance with the terms of the license agreement. The purchaser may make one copy of the software for backup purposes. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without the explicit written permission of the owner.

Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only.

Norman documentation and software are Copyright © 2015 AVG Technologies.

All rights reserved.

Last revised June, 2015


Contents

Limited Warranty ... ii
About ... 5
  About this version ... 5
  About this manual ... 5
  Help and support ... 5
  System requirements ... 5
Introduction ... 6
  Descriptions ... 6
  The concept ... 6
  Management console ... 6
  Definition of terms ... 9
  Primary functions ... 9
Installation ... 13
  Installing ... 13
    Step 1: Install Endpoint Protection ... 13
    Step 2: Install Endpoint Manager ... 14
    I am establishing a new realm ... 14
    I am restoring an existing realm ... 15
  Uninstalling ... 15
  Installing on clients ... 16
    Run an installer (msi) ... 16
    Distribute clients using an image ... 16
Getting started ... 17
  Support ... 17
  Risk level bar ... 17
  Current status ... 18
Home ... 21
Clients ... 22
  Organizing groups and clients ... 23
  Predefined groups ... 23
  Client/machine information ... 24
  About status ... 25
  Create or delete a group ... 25
  Client states ... 26
    Transitions between states ... 26
  Action buttons ... 27
Policies ... 29
  Create a policy ... 30
  Configure policies ... 30
    Antivirus & Antispyware ... 32
    Product Manager ... 38
    Intrusion Guard ... 42
  Assign a policy to a group ... 46
Products ... 47
  Licenses ... 47
  Languages ... 48
  Platforms ... 48
Reports ... 49
  History ... 49
  Reports ... 50
Settings ... 51
  Realm administrators ... 51
  Backup and restore ... 52
    Backup ... 52
    Restore ... 53
  Generate installers ... 54
  Remote access ... 56
  Event management ... 57
    Triggers ... 57
    Email settings ... 59
    SNMP settings ... 59
    Syslog settings ... 59
  Display name priority ... 59
  Topology filters ... 60
    Alternative client filtering ... 61
    Supervisor process ... 62
Appendix A: The Update Mechanism ... 64
  Concept ... 64
  Components ... 64
  How it works ... 65
Appendix B: Passive discovery ... 66
  Technical description ... 66
Appendix C: MailScan for Domino ... 67
  Introduction ... 67
    How it works ... 67
    Activity log ... 67
  System Requirements ... 68
  Installation ... 68
    Local installation ... 68
    Installing from Endpoint Manager ... 69
  Updating ... 69
  Getting started ... 70
  Configuration ... 70
    Block/Allow ... 70
    Settings ... 71
Appendix D: Exchange Mailbox Scanner ... 74
  Introduction ... 74
    How it works ... 74
    Exchange Service Monitor (ESM) ... 74
  System requirements ... 75
  Installation ... 75
    Local installation ... 75
    Installing from Endpoint Manager ... 76
  Updating ... 76
  Getting started ... 77
  Configuration ... 77
    Settings ... 77
Appendix E: Exchange Transport Scanner ... 82
  Introduction ... 82
    How it works ... 82
    Activity log ... 82
  System Requirements ... 83
  Installation ... 83
    Local installation ... 83
    Installing from Endpoint Manager ... 84
  Updating ... 84
  Getting started ... 85
  Configuration ... 85
    Block/Allow ... 86
    Settings ... 87
    Advanced ... 88


About

About this version
The current release is available in several languages. New languages are added at irregular intervals. Check Norman’s web site for details, or contact your local dealer for more information about language versions.

About this manual
This manual presents an overview of features and key functions in Endpoint Manager and how they work with Endpoint Protection. This guide focuses on Endpoint Manager, and covers configuration options for Endpoint Protection.

Help and support
We recommend that you read this guide thoroughly and use it for reference during installation. In this guide you will find instructions on how to install, upgrade and use your licensed software.

We provide technical support and consultancy services, covering security issues in general. Technical support also comprises quality assurance of your antivirus installation, including assistance in tailoring the security software to match your exact needs.

For training or technical support issues please contact your local dealer or a Norman office.

Please visit us at www.norman.com/support.

System requirements
Endpoint Protection and Endpoint Manager are designed to work in IP-based networks. Communication between the management console servers and the clients uses TCP/IP on port 2868, which has been reserved and registered by Norman. The Information Exchange (NIX) protocol is used. Both binary traffic and HTTP-based communication use this port.

The platforms that the Endpoint Protection framework is designed to run on do not have to be servers, but they must be licensed to allow an unlimited number of IP connections on a given port.

The Endpoint Manager makes extensive use of memory caching for its data handling, and in larger networks it will perform better with more available RAM.

An overview of supported platforms for installation of Endpoint Protection and Endpoint Managers (management consoles) is available at

• www.norman.com/business/system_requirements


Introduction
Endpoint Protection constitutes the framework for hosting a range of applications that can be installed and controlled through a common licensing and update system.

Descriptions
• Endpoint Protection
  • the framework for Endpoint Manager installations.
  • the name of the client security software.
• Endpoint Manager
  • the management console, with Toplevel and Midlevel Managers.

The concept
A management console installation is a node in a network where the clients’ configuration is managed. This is done by establishing policies which include product configuration. When a client contacts the management console to fetch a configuration, the settings for the relevant policy are sent back.

Information about the clients is sent to the management console through the messaging system or through a separate http-wrapped protocol. A database on the management console contains information about all the IP-based devices in the network. Clients can be assigned policies and hence managed on the management console.

A node that is designated the management console is a regular corporate node with additional administrative functionality. The management console maintains lists in the local database of manageable and unmanageable clients and displays status information and network statistics.

One of the management console’s fundamental properties is that nodes and clients in the database are assigned to logical groups that can be configured. All clients within a group will also share product configurations. Clients in the network will contact their assigned management console level and get configuration according to the policy that has been established for their specific group. Groups are managed in the management console GUI.

The management console contains additional functionality to distribute, install, manage, and control many installations within one organization. Only a few clients/machines are updated from outside in such an environment. Most of the distribution takes place within the organization over the local network. Read more about updating the software in “Appendix A: The Update Mechanism” on page 64.

Management console
There is a limit to how many endpoints a single management console can handle. Such limitations are related to machine performance and/or the size of the product updates that need to be distributed to the endpoints (sometimes more than 100MB). This has in turn affected bigger installations where thousands of managed clients all had to communicate with one single management console. To cater for larger installations, the software and virus definition updates were distributed to clients from Windows shares. Endpoints would however still report status and receive configuration updates from the management consoles, as such data is not large.


Multiple managers, multilevel realm
This version supports multiple management consoles. In a multilevel realm, there will be a Toplevel Manager and optional additional Midlevel Managers. These can be arranged in a tree-like structure with an arbitrary number of levels. Managed clients will communicate with the manager they belong to. This is normally the one located closest to the client. The realm network traffic is spread out and divided among a number of managers, thus providing scalability in larger networks.

The Toplevel Manager is a permanent logical entity in the managed realm. Additional Midlevel Managers can be changed and moved. A managed client can be promoted to the role of a Midlevel Manager and later demoted to an ordinary managed client. You can also move it around within the management console hierarchy. Policy updates, as well as software and definition file updates, are distributed from the toplevel downwards throughout midlevels and finally onto the clients.

Establishing a realm with Midlevel Managers is optional. In smaller networks, for example, this feature may not be a practical solution.

Naming the Toplevel Manager
When creating a realm, a DNS name with which the Toplevel Manager is known must be entered. This name must be globally resolvable within the realm. The managed clients will use this name to update themselves. In the case of a hierarchical structure of Midlevel management nodes, these will use the name to contact the Toplevel Manager.

Promoting clients
When the realm is created and the initial management console is installed, the management console will display clients that are discovered throughout the network.


An online managed client can be promoted to become a Midlevel Manager. Once promoted, management groups of clients can be assigned to this Midlevel Manager, thereby relieving the Toplevel management console. The Toplevel console will still display the complete network topology, the Midlevel Managers, as well as status information from every client in the network.

When promoting a client to a Midlevel Manager, try to select a client that is both powerful and physically close to the group of clients that will be assigned to it. It may take 3-5 minutes for a promotion to complete.

Messages
Each manager or managed client keeps data about the manager it reports to, and about the Toplevel Manager of the realm.

If a Midlevel Manager malfunctions, the managed clients will still know the path to the Toplevel Manager. If a Midlevel Manager fails, messages from its clients will not reach the Toplevel Manager until the Midlevel Manager is up and running again.

Immediate messages (alarms, errors, and warnings) are passed on directly to the Toplevel Manager from the Midlevel Manager that the affected client is assigned to. Other Midlevel Managers do not receive this information.

Less urgent messages with client information like state, operating system and policy information, IP and MAC address etc. are sent to the client’s manager frequently. Every tenth time a complete update for each managed client is sent.

Actions
Action buttons (see “Action buttons” on page 27) can be applied to any managed client within the same network segment, for example by a Midlevel Manager’s administrators.

Updating
By default, all Midlevel Managers and their clients receive product and definition file updates, and policies containing configuration data, from the Toplevel Manager. In a multilevel realm, client groups may be assigned to any management console from which they will update, for load balancing or other practical reasons. See also “Appendix A: The Update Mechanism” on page 64.

More
Read more about features and news at www.norman.com.


Definition of terms
• Endpoint Manager: This is a management console system in the realm where the network and the security products can be configured and controlled. It includes configurable, logical groups of nodes and clients in the database that share product configuration and receive updates from their common Manager.

• Multilevel: A management console installation where it is possible to introduce several Managers in a tree-like structure.

• Toplevel Manager: The first management console to be installed in a network. During install, the realm credentials package is established (realm name, realm owner name, etc.). The Toplevel Manager is at the top of the hierarchy. There can only be one Toplevel Manager within a realm.

• Midlevel Manager: Additional midlevel management console that reports to the Toplevel Manager.

• Endpoint Protection: Managed client security software, and the framework for installing a management console.

• Realm: The organizational collection of clients that is controlled by a management console, similar to a domain.

• NISE (Norman Internet Server Engine): An http server that serves either files, local database resources, or GUI content. It shares port 2868, the messaging system port.

• Credentials package: A unique data package identifying a realm. The package contains data that allows clients in a realm to communicate with the management console, and vice versa.

Primary functions
The management console in an Endpoint Protection environment ultimately comprises all relevant products.

• Provides a view of network devices and their status

• Generates and displays event and status statistics

• Manages the Toplevel and all Midlevel Managers

• Manages incoming alarms, warnings, and errors

• Manages configurations for current and future products

• Manages policies and assigns them to client groups

• Manages product installation in a network

• Manages the Internet Update configuration

• Generates and exports reports from statistical numbers in the database

• Provides redundancy for the topology and configuration database, including manual export/import

• Manages the administrators of the realm

• Creates installers for additional endpoint clients

• Serves as a distribution point for definition files and software updates

A management console node will receive system messages from clients throughout the network. Data about network devices is passively collected and qualified by the distributed clients. The topology information is then reported to the management console. From the management console network map, clients can be arranged in groups.


Theory of operation
Endpoint Manager is a product that provides management of Endpoint Protection clients. It comprises the following main components:

• A database that holds managed and unmanaged network clients and their data as well as product policies.

• Credentials data that defines the logical realm that is being managed.

• A client component that is a part of all managed clients.

• A server component that runs the management processes on the management console.

The management console was designed with scalability in mind. Emphasis has been put on keeping network traffic low. The management server and the clients communicate continuously, but in a serialized manner. This means that the network picture during normal operations is not real-time, but is current enough as long as everything is normal. However, on-demand administrative actions as well as critical messages from the clients are real-time.

Networks with a large number of clients
The management console has been tested to support 15000 clients for policy management and status reporting, but this will vary with the kind of platform it is hosted on. Testing was performed with no distribution of software updates, which are very bandwidth- and CPU-intensive.

In previous versions, one management console would manage all the clients within the realm. In a large network, the management network traffic to the management console could represent a considerable load. The (optional) hierarchical management structure introduced in this version alleviates this load.

An alternate update path may be a useful feature in installations where the console manages several hundred machines and setting up multilevel managers is not affordable. The alternate path points to a separate file share where the updates are placed. One sign of a server overload is that you often see ‘Nise too busy!’ messages in the elogger. Another symptom is that the management consoles become sluggish or even unresponsive. Contact local support for help if necessary. See also “Alternate update path” on page 39.

The realm
The term realm denotes the logical collection of networks and network devices that make up the infrastructure where the software is installed. A network administrator will name the realm and define who will manage it. The management console will show a map of the devices that are included in the realm. These devices may or may not be managed. An administrator can include devices in the realm, or they can be auto-discovered.

The realm consists of a set of unique data that is duplicated between the management consoles and the managed clients. This data provides a way to encode the data communications between the management consoles and the clients. It also serves as a method to identify which clients are managed and which are not.

Configuration is changed centrally for the realm, and the clients retrieve the updated settings. Management of the clients is accomplished through changing the clients’ configuration and by issuing tasks through the same mechanism. Additionally, some direct commands allow an administrator to ask a client for information or issue instructions to the client’s Program Manager. These commands can be used to tell a client to refresh an installation or update itself on demand. See “Action buttons” on page 27 for details.

The management console has a built-in backup mechanism to save the realm data. This is important in case the management console is damaged. It will then be possible to install a new management station and continue the management of all the existing clients without having to reinstall them.


Events in the realm

Messages
Managed clients use the messaging system to communicate events on the clients. Events sent as messages are Alarms, Errors, and Warnings. When messages reach the management console, they are sorted and stored with the database entry of the associated client.

Messages from Midlevel to Toplevel Manager
All clients, including those within a midlevel hierarchy, send messages about events (alarms, errors, warnings) directly to the Toplevel Manager. Clients on sublevels to a Midlevel Manager report to this Midlevel Manager as well. This Midlevel Manager in turn sends the messages to the Toplevel Manager, but skips any Midlevels located in between.

As a result, the Toplevel Manager counts and displays messages from all clients, while a Midlevel Manager counts and displays messages only from the clients it is directly responsible for. These include messages from Midlevel Managers placed under it in the hierarchy, but not their clients.

Example
Headquarter (Toplevel) - Europe (Midlevel) - Support (Midlevel) - Sales (Midlevel)
‘Europe’ (Midlevel) cannot see that there are virus outbreaks on ‘Sales’ (Midlevel). This information is only visible to ‘Headquarter’ (Toplevel) and on the local Midlevel management console ‘Sales’.
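The visibility rule above, modelled as an added example (not Norman's own code). It assumes the example chain Headquarter - Europe - Support - Sales is a straight parent chain, that a Midlevel Manager is itself a managed client of its parent, and uses constructed client names:

```python
"""Which managers count and display an event raised on a given node.
Added example, not Norman's own code. The hierarchy below is an assumption
(a straight chain) and the client names are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Realm:
    toplevel: str
    # Midlevel Manager -> the manager it reports to (the Toplevel has no parent)
    parents: Dict[str, str] = field(default_factory=dict)
    # managed client -> the manager it reports to
    clients: Dict[str, str] = field(default_factory=dict)

    def add_midlevel(self, name: str, parent: str) -> None:
        self.parents[name] = parent

    def add_client(self, name: str, manager: str) -> None:
        self.clients[name] = manager

    def path_to_toplevel(self, manager: str) -> List[str]:
        """Chain of managers from `manager` up to the Toplevel Manager; every
        node keeps this so a failed Midlevel does not hide the Toplevel."""
        chain = [manager]
        while chain[-1] != self.toplevel:
            chain.append(self.parents[chain[-1]])
        return chain

    def event_visible_to(self, origin: str) -> Set[str]:
        """Managers that count and display an alarm/error/warning raised on
        `origin`: always the Toplevel Manager, plus the manager the origin
        reports to directly. Midlevel Managers in between are skipped."""
        if origin in self.clients:
            direct = self.clients[origin]
        elif origin in self.parents:
            # a Midlevel node raising an event about itself reports to its parent
            direct = self.parents[origin]
        else:
            direct = self.toplevel
        return {self.toplevel, direct}


def example_realm() -> Realm:
    """Constructed hierarchy from the guide's example, assumed to be a chain."""
    realm = Realm("Headquarter")
    realm.add_midlevel("Europe", "Headquarter")
    realm.add_midlevel("Support", "Europe")
    realm.add_midlevel("Sales", "Support")
    realm.add_client("pc-sales-01", "Sales")   # constructed client names
    realm.add_client("pc-eu-01", "Europe")
    return realm


def who_sees_outbreak(client: str) -> Set[str]:
    """Consoles on which a virus outbreak on `client` is counted."""
    return example_realm().event_visible_to(client)
```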

Platform and status messages
A special administration protocol conveys data about the general status of managed clients, the platform they run on, and license information.

Topology messages
Managed clients in a realm will frequently collect data about network traffic and compile lists of detected devices. This is used to let the management console add network devices to its topology map using a passive method rather than active scanning.

Common to all this network traffic is that data about the online status of the network devices is kept up to date in the management console database.

Realm communications
Once the management console has been installed and a realm established, the client security software may be distributed throughout the network. Nodes in the realm should contact a management console (or a distribution point) to get software and configuration updates. Software updates are distributed as signed packages fetched by an internal protocol.

The same communication channel is used for configuration and management distribution. A node in the network can replicate settings from remote store resources.

Client status
Each time an event from a particular device, managed or not, reaches the management console, a timestamp is updated in the management console’s database to reflect when the device was last seen. Network devices can be Online, Stale, or Offline. The status is based on the device’s visibility within a set period of time. These time thresholds can be adjusted on the management console, but the default values have proven to generate a good network status map.


If a client has not been seen within this period, the status is set to Stale. Once it is Stale, a separate process within the management console will attempt to actively contact the client to update its status. Note that as long as a client is Online, no active communication is carried out from the management console to the client unless the administrator manually initiates it.

While Stale, the management console will contact the client a certain number of times with a set delay between each attempt. See “Supervisor process” on page 62. If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as Offline. As soon as any information about the client is received, it is immediately marked as Online.

See also “Appendix B: Passive discovery” on page 66.

Policies

A policy is a collection of product configurations stored on the management console. Managed clients will frequently contact the management console to get a copy of the product settings. The client does not know which policy it is getting. Rather, the management console looks up the policy for the requesting client, and hands back the settings contained in the relevant policy. The administrator can decide whether clients that belong to a policy are allowed to change their settings locally. If so, the administrator can revoke this right and enforce settings from the policy at a later time.

The management console displays a logical network map containing groups of clients. A group can be assigned a policy or keep the original default policy (see “Assign a policy to a group” on page 46). If there are groups within groups with different policies, and a group is deleted, any clients within the group and possible subgroups are moved to the Lost and found group.

Administrative realm

Once a management console has been installed and a realm established, client security software may be distributed throughout the network. The installer contains information that causes the client software to contact the management console in the realm. Nodes in the realm should contact a Toplevel or Midlevel Manager (or other distribution point) to acquire software and configuration updates. Software updates are distributed as packages and are fetched by an internal protocol and not from file shares as before. See also “Appendix A: The Update Mechanism” on page 64.


Installation

During installation you must complete a regular InstallShield Wizard to install the Endpoint Protection framework, and then the Endpoint Manager Install Wizard to install a management console and establish a realm.

When a management console is initially established, the only administrator in the realm is the realm owner. The original realm fundamentals established by the realm owner should be unaffected by changing administrator regimes, so you must create one or more administrators as the first thing you do after the realm is established. The administrators you create will perform all future management sessions. The realm owner is not displayed on the realm administrators list.

Create one or more realm administrators after the realm has been established. Future management sessions will be done as one of the realm administrators, and never as the realm owner. The realm owner credentials should only be used when a management console is being restored from a backup.

After the management console has been installed and administrators are added to the realm, the realm owner may create and/or import initial client groups, and set up topology filters for discovered network clients. One particularly important task is to create a client installation package (MSI) to be used for the initial roll-out of managed clients. This package is unique to the realm and will ensure that the clients establish communications with the management console and may be managed by policies.

Database auto-restore

Certain situations may result in a corrupt database, like a system power loss or reset. To ensure stability the auto-restore system will load a previous store, namely the latest working and complete store. This backup feature is independent of the management console backup system, and it runs on an hourly basis as well as backing up immediately after setting up the realm.

If you experience situations that may result in a corrupt database, and Endpoint Protection was installed less than an hour ago, and the realm is not created yet, then the restore point is not complete. You will have to uninstall Endpoint Protection completely before you install it again.

Installing

Make sure you have the Endpoint Protection license key at hand before you start.

Step 1: Install Endpoint Protection

1. Run the Endpoint Protection installer and follow the instructions on the screen. The installer contains all supported languages.

We recommend that you select Custom rather than Complete installation, and select only the language versions that you actually need, to save bandwidth and resources.

2. When the installation is complete, you may be prompted to restart your computer.


Step 2: Install Endpoint Manager

1. From the system tray, right-click the Norman icon and select Norman Endpoint Manager.

2. The Endpoint Manager Install Wizard is launched. Running the wizard is a mandatory part of the installation.

3. Read the information on the welcome page, select I have read and understand... and then click Continue >.

4. Select the option that applies to your network, either I am establishing a new realm or I am restoring an existing realm:

I am establishing a new realm

All fields are case sensitive.

1. Realm name

Enter a Realm name of length 2-64 characters.

Valid characters are: A-Z, a-z, 0-9 and _ (underscore).

2. Realm owner username / password

Enter an owner username and password of length 5-32 characters.

Valid characters are: A-Z, a-z, 0-9.

The password cannot be reset. Create a password so strong that it is impossible to guess. A password of at least 16 random characters is recommended. Write it down and keep it in a safe place. The only way to change the password is to uninstall and reinstall the Endpoint Manager, but then all management console information and client connectivity are lost too. Restoring a realm from backup also restores the current owner and password.

3. DNS name

Enter a DNS name of length 2-255 characters.

The machine you’re installing to must have a globally resolvable DNS name to ensure that all clients and midlevels in the realm use the same values. The address you enter cannot be changed later. The fields are not editable.

If you are updating from a previous realm where the Endpoint Manager server was set up as an IP address, there may be some situations where your clients cannot reach the Toplevel Manager.

4. Overview

A dialog appears, displaying the values you just specified. If you are satisfied, print this page for future reference and click Continue to proceed with the installation, or click Back to change the values.

Select platforms and languages.

5. Complete

A final dialog appears with a handful of important tips. Click Finish to complete the installation.


6. Log on

In the next dialog, log on to the management console with the username and password you just confirmed.

If you experience problems logging on to the newly created realm, you must restart your machine. Alternatively, you can access the management console with a browser other than IE, for example Mozilla Firefox, using the address: http://localhost:2868/noc/index.phtml.

The management console is launched. We strongly recommend that you create a realm administrator before you do anything else. Go to Settings > Realm administrators.

Then select Products and check Licenses, Languages and Platforms.

Then go to Licenses > Update selected products to download the latest versions of all selected components. It is important that you select the correct platform of the Endpoint Manager machine in this dialog. You can also select other platforms that Endpoint Protection will support.
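The rules from steps 1-3 above (realm name, owner username and password, DNS name) and the advice that the owner password cannot be reset, as an added example that is not part of the Endpoint Manager. It checks values against those rules and generates an owner password of at least 16 random characters from the permitted alphabet with a CSPRNG; the DNS name check is length-only, since the guide gives no character rule for it.

```python
"""Checks for the realm setup values: an added example, not part of Endpoint Manager.

It encodes the rules from steps 1-3 of "I am establishing a new realm":
  - realm name: 2-64 characters from A-Z, a-z, 0-9 and _
  - owner username and password: 5-32 characters from A-Z, a-z, 0-9
  - DNS name: 2-255 characters (the guide states no character rule, so only
    the length is checked here)
  - owner password: it cannot be reset, so at least 16 random characters.
"""
import math
import re
import secrets
import string

REALM_NAME_RE = re.compile(r"[A-Za-z0-9_]{2,64}")
OWNER_CRED_RE = re.compile(r"[A-Za-z0-9]{5,32}")
OWNER_ALPHABET = string.ascii_letters + string.digits   # exactly A-Z, a-z, 0-9
RECOMMENDED_PASSWORD_LEN = 16


def check_realm_name(name: str) -> bool:
    # fullmatch: the whole string must match, so no stray characters slip in.
    return REALM_NAME_RE.fullmatch(name) is not None


def check_owner_credential(value: str) -> bool:
    # The same rule applies to the owner username and the owner password.
    return OWNER_CRED_RE.fullmatch(value) is not None


def check_dns_name(name: str) -> bool:
    return 2 <= len(name) <= 255


def password_entropy_bits(length: int, alphabet_size: int = len(OWNER_ALPHABET)) -> float:
    # Each uniformly random character contributes log2(alphabet size) bits:
    # 16 alphanumerics give about 95 bits.
    return length * math.log2(alphabet_size)


def generate_owner_password(length: int = RECOMMENDED_PASSWORD_LEN) -> str:
    """Draw a password from the permitted alphabet with a CSPRNG (secrets)."""
    if not RECOMMENDED_PASSWORD_LEN <= length <= 32:
        raise ValueError("owner password should be 16-32 characters")
    return "".join(secrets.choice(OWNER_ALPHABET) for _ in range(length))


def validate_realm_setup(realm: str, owner: str, password: str, dns: str) -> list:
    """Return the problems with a set of values; an empty list means all are acceptable."""
    problems = []
    if not check_realm_name(realm):
        problems.append("realm name: 2-64 characters of A-Z, a-z, 0-9 and _")
    if not check_owner_credential(owner):
        problems.append("owner username: 5-32 characters of A-Z, a-z, 0-9")
    if not check_owner_credential(password):
        problems.append("owner password: 5-32 characters of A-Z, a-z, 0-9")
    elif len(password) < RECOMMENDED_PASSWORD_LEN:
        problems.append("owner password: accepted, but shorter than the recommended 16 random characters")
    if not check_dns_name(dns):
        problems.append("DNS name: 2-255 characters")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the DNS name is a placeholder, not a real host.
    print(validate_realm_setup("corp_realm", "nemowner", "Ab3dEf9", "nem.example.internal"))
    print(generate_owner_password(), round(password_entropy_bits(16), 1), "bits")
```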

I am restoring an existing realm

Make sure that all products in the Endpoint Manager are updated before you restore from a backup. If the client security software is newer than the software on the management console, it may result in a software crash.

1. Enter the name of the backup file you want to restore or click Browse to find it on your computer. Click Restore > and follow the instructions.

Uninstalling

To uninstall Endpoint Manager, use the standard procedures offered by your operating system, for example Start > Control Panel > Add or Remove Programs. A restart is required after uninstalling the Endpoint Manager.


Installing on clients

The following describes how you install Endpoint Protection in a network.

Run an installer (msi)

1. Generate a Windows installer file (.msi), see “Generate installers” on page 54.

2. Run the installer file (msi) on a client.

Once the client software is installed, the other products defined by the group’s policy are retrieved from the management console, installed and set up.

3. Select and drag a client to a group to assign a specific policy to the client. Hold down the Ctrl or SHIFT key to select multiple clients.

4. Click OK to confirm.

Please refer to “Client states” on page 26 and “Transitions between states” on page 26 for an explanation of available icons for groups and clients.

Distribute clients using an image

1. Generate a Windows installer file (.msi), see “Generate installers” on page 54.

2. Run the installer file (msi) on the client that will be used to create the image and wait until the client is done updating itself and is running normally.

3. On the management console:

a) Copy the tool noc_enable.exe from ...\norman\noc\bin

4. On the client:

a) Save noc_enable.exe to a temporary location.

b) From the command prompt, enter njeeves2 /unload to stop the njeeves2 process.

After that you will see a “’Jeeves’ not running” error in the system tray icon. It does not interfere with the process and resolves automatically when the client is restarted after the image has been created.

c) From the command prompt on the client, enter noc_enable.exe /unid

This removes the unique client identifier from the system that will be used to create the image. The unique identifier is automatically recreated on the clients after the image has been distributed to them.

5. Create the distribution image.


Getting started

The web-based administrative GUI consists of a fixed status and realm overview on the left-hand side, and variable main pages on the right, such as Home, Clients, Policies, Products, Reports and Settings. Clicking a tab on the topmost horizontal menu bar takes you directly to the relevant page.

Support

Clicking the support link at the right-hand top corner of the program window will open our web pages for help and support. The web pages provide information about support issues and the support forum, manuals, installers, system requirements, our offices and distributors, and more.

Risk level bar

Information from the network about the realm is collected and the risk level is displayed on the bar. The green area indicates a low risk level. The risk is calculated from a weighted analysis of errors, warnings and alarms within the realm, where the number of clients is part of the evaluation. The risk level bar dynamically reflects the activity of all local processes.

The size of the network combined with the selected trigger threshold values (see “Realm administrators” on page 51) significantly affect the indicator.

Example

Imagine a network of 10 clients and a trigger threshold set to 5%. In this example one client amounts to 10% of the network clients with that status (5% more than the trigger value). This means that if one client receives a warning, alarm, or error, it will raise the risk level.

The intention is to give a general idea about the network health, rather than an exact indication.


Current status

The current status displays the absolute numbers that the risk level bar is based on. Click the plus sign under the risk level bar to expand or collapse the status view.

Click a status link for details about the clients (see also “Alarms” on page 18), or enter a name or address in the search field to look for specific clients, and then click a column heading to sort the entries in the dialog by that particular event. The numbers are the same as those the risk level bar and the status area are based on.

Guest nodes are clients that have Endpoint Protection installed, but do not belong to this realm. Guest services are not available in this version of the management console.

Click the realm name to refresh the current status information, which is available from all the tabbed dialogs.

Alarms

An alarm is an event that requires immediate action, and is posted by a security product.

If an incident occurs in a realm, the involved application will generate event messages that are routed to the management console. The message details are displayed on the Status page.

Type: Specifies which type of device it is (workstation, server, printer, etc.)
Client name: See “Clients” on page 22.
Alarm type: The alarm type message appears as descriptive text, like ‘Cannot remove detected virus’.
Alarm description: Event details as defined by the reporting application.
Detected: The date and time the error was detected (yyyy.mm.dd and 24 hour format).
Policy: Name of the client’s policy. See “Policies” on page 29.


Errors

Errors are system anomalies that may or may not require attention. They are typically generated when a client application suffers from a malfunction.

Error messages that the management console receives from the realm are defined by the application reporting the error.

Type: Specifies which type of device it is (workstation, server, printer, etc.)
Client name: See “Clients” on page 22.
Error type: The error type message appears as descriptive text, like ‘Could not install’.
Error description: Event details as defined by the reporting application, also as descriptive text like ‘Access denied’.
Detected: The date and time the error was reported (yyyy.mm.dd and 24 hour format).
Policy: Name of the client’s policy. See “Policies” on page 29.

Warnings

A warning is typically sent when there is an event that is handled normally but that implies that there is unusual activity detected by the client applications. As opposed to alarms and errors, warnings do not require immediate attention.

This view shows the warning type, the name of the client issuing the warning, and the date and time when the client was last seen, i.e. the last time the management console detected network activity from this client.

An example of a warning type is ‘Virus detected’.

Not updated

The Not updated message is issued by a client when the client’s program manager detects that the client software has not received relevant updates. The client will also appear as Not updated when its current policy has been changed, or when it has been assigned a new one.

Status information under this tab includes type of client, its name, when it was last seen, and when it was last updated (yyyy.mm.dd and time in 24 hour format).

The information for Not updated clients includes the name, when it was last seen, the operating system, when the policy was refreshed, and the group name.

Offline

The clients marked as Offline have not been heard from or contacted within a certain period of time. The clients may or may not be managed clients.

A Managed client employs policy settings. An Unmanaged client has no policy or no client software, or it is another type of device than a workstation, like a printer, a hub, etc.


Online

Whenever an event from a particular device, managed or not, reaches the management console, a timestamp is updated in the management console’s database to reflect when the device was last seen and to determine status based on that information.

As soon as information about a client is received, it is marked as Online. The status is based on the device’s visibility within a set period of time. Time thresholds can be adjusted.

As long as a client is online, no active communication is done from the management console to the client unless the administrator manually initiates it.

Stale

When the management console is unable to establish contact with a client after repeated attempts, and it has not been seen for a longer period of time, the status is changed to Stale. A separate process will actively try to rediscover a stale client before it appears in the Offline folder, which happens after 1 or 2 hours (default for managed/unmanaged clients, respectively).

Managed

A client that has been assigned a policy is a managed client. It receives all configuration settings from the policy it fetches from the management console. Information about all the IP-based devices in the network is stored in a database on the management console.

See also “Client states” on page 26.


Home

An RSS feed at the top of the Home page informs you about upcoming updates, restarts, and other important information.

To monitor these bulletins, add the URL to an RSS client on your computer, cell phone and so forth. You can also click the View message log link and follow the instructions to subscribe to this service.

We use the following URL: http://newton.norman.com/rss_npro?v=11

The Home page also features a graphical representation of the realm’s clients. You can click the Norman logo at the top of the page to reload Home from any page.


Clients

This page presents details about the entire realm with the management consoles, groups, and clients. All machines are members of a group. Each group reports to a management console (Toplevel or Midlevel).

You can filter clients by Machine type, Online state and Operating System. Click the realm name link or the Managed link from the status area at the left-hand top corner to view the filtering bar.

All newly discovered machines will automatically be assigned to the predefined Lost and found group, unless otherwise filtered. Machines can be moved between groups manually or automatically.

Click a group name and the machine/client members will appear in the right-hand part of the page. Double-click a group or a client to configure it, or highlight the client/machine you wish to edit and select the relevant action from the action buttons bar (see “Action buttons” on page 27).

You can create, edit, filter, drag and drop, and view groups and clients in a Windows Explorer-like environment. On managed clients, a mouse over will display basic information like scanner engine version, definition file dates, operating system, and logged-in user.

The links Policy: and Reports to: display the client’s current policy and the manager it reports to. Click the links to select other policies and managers (on Toplevel or Midlevel).


Organizing groups and clients

Click Endpoint Managers to view the structure of the realm presented on the right-hand side of the screen. Click a Toplevel or Midlevel Manager (the levels below Endpoint Managers) to view groups and clients for that level.

Click a group name link to view the member clients.

The names of the group’s policy and of the manager it reports to appear just above the action buttons (see “Action buttons” on page 27). Click the Policy or Reports to: link to select another policy or manager from the drop-down list.

If you move a group to another level, for example to a Midlevel Manager, it may take several minutes before it is visible in its new location and starts reporting to and receiving updates from the new manager.

Predefined groups

The Lost and found and the Unmanaged group are mandatory groups in the Clients view. When a realm is created, a folder for each group is created and placed in the lower left-hand part of the screen.

Lost and found

Any discovered network device is placed in the Lost and found group unless a predefined filter rule places it elsewhere. The clients in this default group are given the default policy. Typically, the administrator will look in the Lost and found group to find new clients and then drag them to other groups where they are assigned a relevant policy and represent a logical view of the managed network.

Unmanaged

The group Unmanaged is a container for network devices that cannot be managed by the console, like printers. When the administrator drags devices into the Unmanaged group, they will no longer be contacted or counted to maintain their status and statistics. It is, however, necessary to maintain a list of deleted devices, since they will still show up in the network topology reports from the clients and will be added to the Lost and found at each rediscovery. It is therefore not possible to delete devices completely from the topology database.


Client/machine information

Click a group name link to view the group’s clients/machines. Double-click a client to configure it directly. Select the relevant action from the client information dialog that appears. Alternatively, from the Clients page click to highlight the client and select the relevant icon from the action buttons bar. The action buttons become selectable only when you highlight one or more clients/machines.

Details

This tab provides information about scanner version, definition file updates, etc.

Installed Products

This tab lists the installed products and components, and their status.

Log

This tab lists information messages and reported errors, warnings, and alarms for the client, including the names of the components that reported the incidents.


About status

Every time an event from a particular device reaches the management console, managed or not, a timestamp is updated in the management console database to reflect when the device was last seen. Network devices can have three online states: Online, Stale, and Offline. When a device has been seen within a set period (default 1 hour for managed and 2 hours for unmanaged clients), its status remains Online. These time thresholds can be adjusted on the management console, but the defaults have proved to generate a good network status map.

If a client has not been seen within this period, the status is changed to Stale. Once it is Stale, a separate process within the management console will attempt to actively contact the client to update its status. Note that as long as a client is Online, no active communication is done from the management console to the client unless the administrator manually initiates it.

While Stale, the management console will contact the client a set number of times with a set delay between each attempt. The default is 5 attempts once an hour, but this is adjustable. These settings can be configured from Settings > Supervisor process (see “Supervisor process” on page 62).

If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as Offline. As soon as any information about the client is received, it will immediately be marked as Online.

Create or delete a group

Create

Click Create new group. Enter a group name, select an Endpoint Manager, a policy, and optionally type in a note for this group. Click OK to confirm and save the new group.

To add a new subgroup, point to a group name and click the Create new group icon (a folder with a plus sign).

‘NEM’, ‘Lost and Found’, and ‘Deleted’, or any translated versions of the two latter names, are restricted and cannot be used as top level group names. They can, however, be used as subgroup names.

Delete

To delete a group, point to a group name and click the delete group icon (a folder with a trash can). You are prompted to confirm the deletion. If you delete a group, any members or sub-groups are automatically moved to the Lost and found group.

For a new client to be discovered and maintained in the client view, an IP or MAC address or a DNS name must be given.


Client states

A client can take on several states in the client view, like online, stale, or offline, and it can be managed or unmanaged. Icons indicate what type of network device the client is, and are set to either a question mark (unknown) or a screen (workstation) upon installation. An administrator can edit the type in the client details window and in this way change the icon. The device type icon is a management aid for administrators and does not indicate any of the following status situations.

Online

A client is online, with a green computer icon, when it has been seen or heard from within the time period defined as the stale delay, which by default is 1 hour for managed and 2 hours for unmanaged clients. Any device in the network is regarded as a client regardless of whether it has Endpoint Protection installed.

Stale

A client is stale, with a gray computer icon, when it has not been heard from within the time period mentioned above. When a client is marked stale, it means that the management console will try to establish contact with the client a set number of times with a set time interval. This differs from the normal situation, where clients are reported as online when they submit status information or are seen by other clients.

Offline

A client is offline, with a gray computer and red mark-out icon, when it has not been reported by anyone and the attempts to contact it have failed. The client will remain offline until it reports itself to the management console, or it has been seen by another client that reports the network topology.

Managed

A client is managed when it has Endpoint Protection installed and is a member of the realm that the Endpoint Manager has established. The client becomes managed as soon as Endpoint Protection is installed and the client reports its platform and status information to the management console. A client with an online icon and a green ball next to it is online, managed and without errors or warnings. It can be managed or unmanaged regardless of its online status.

Unmanaged

Any device that is not managed is unmanaged. An administrator can choose to keep the unmanaged devices visible in the network topology map, or drag those devices into the pre-defined Unmanaged group to keep them out of sight.

Transitions between states

Clients will change states automatically between Online, Stale, and Offline. Managed clients will automatically show up with a green ball, indicating that they are managed. If a client is uninstalled, the green ball will go away after a period of time. It is normally not necessary for the administrator to take any action to maintain the network status picture. If, however, the administrator decides to force any kind of action in the network, a set of action buttons are available in the client windows or in the group overviews.
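The Online, Stale and Offline transitions described under “About status” and “Client states” above, as an added example that is not Norman’s own code. It models the defaults the guide gives (stale delay of 1 hour for managed and 2 hours for unmanaged clients, 5 supervisor attempts one hour apart, immediate return to Online on any sighting); the client names and the hourly timeline are constructed, and the contact-attempt callback stands in for the supervisor process.

```python
"""Online / Stale / Offline model: an added example, not Norman's own code.

It follows the behaviour the guide describes:
  - a device stays Online while it was seen within the stale delay
    (defaults: 1 hour for managed, 2 hours for unmanaged clients);
  - after that it is Stale, and the supervisor process actively contacts it
    a set number of times (default 5) with a set delay (default 1 hour);
  - when every attempt fails and passive discovery reports nothing, it is Offline;
  - any event from or about the device, in any state, makes it Online at once.
The thresholds are parameters; the timeline at the bottom is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, List, Optional, Tuple


class State(Enum):
    ONLINE = "Online"
    STALE = "Stale"
    OFFLINE = "Offline"


@dataclass
class Thresholds:
    stale_delay_managed: timedelta = timedelta(hours=1)
    stale_delay_unmanaged: timedelta = timedelta(hours=2)
    contact_attempts: int = 5                      # supervisor attempts while Stale
    attempt_interval: timedelta = timedelta(hours=1)


@dataclass
class Client:
    name: str
    managed: bool
    last_seen: datetime
    state: State = State.ONLINE
    attempts_made: int = 0
    next_attempt_at: Optional[datetime] = None

    def stale_delay(self, t: Thresholds) -> timedelta:
        return t.stale_delay_managed if self.managed else t.stale_delay_unmanaged


def record_sighting(client: Client, now: datetime) -> State:
    """Any status report or passive-discovery sighting refreshes the last-seen
    timestamp and marks the device Online immediately, whatever its state was."""
    client.last_seen = now
    client.state = State.ONLINE
    client.attempts_made = 0
    client.next_attempt_at = None
    return client.state


def tick(client: Client, now: datetime, t: Thresholds,
         contact_ok: Callable[[Client], bool]) -> State:
    """Advance the model to `now`. `contact_ok` stands in for the supervisor's
    active contact attempt and returns True when the client answers."""
    if client.state is State.ONLINE and now - client.last_seen > client.stale_delay(t):
        client.state = State.STALE
        client.attempts_made = 0
        client.next_attempt_at = now          # first attempt is made right away
    if client.state is State.STALE:
        while client.next_attempt_at is not None and now >= client.next_attempt_at:
            if contact_ok(client):
                return record_sighting(client, now)
            client.attempts_made += 1
            if client.attempts_made >= t.contact_attempts:
                client.state = State.OFFLINE  # all attempts failed, nothing reported
                client.next_attempt_at = None
            else:
                client.next_attempt_at += t.attempt_interval
    return client.state


def run_timeline(managed: bool, reachable: bool) -> List[Tuple[int, str]]:
    """Constructed scenario: a client last seen at 08:00 goes silent, and the
    console evaluates it once an hour. Returns (hours since 08:00, state)."""
    t = Thresholds()
    start = datetime(2015, 1, 1, 8, 0)
    client = Client("ws-01", managed, last_seen=start)
    timeline = []
    for hour in range(1, 10):
        state = tick(client, start + timedelta(hours=hour), t, lambda _c: reachable)
        timeline.append((hour, state.value))
    return timeline


def recovery_after_offline() -> Tuple[str, str]:
    """Constructed check: an Offline client that reports in becomes Online at once."""
    t = Thresholds()
    start = datetime(2015, 1, 1, 8, 0)
    client = Client("ws-02", managed=True, last_seen=start)
    for hour in range(1, 7):                  # silent for 6 hours: ends Offline
        tick(client, start + timedelta(hours=hour), t, lambda _c: False)
    before = client.state.value
    after = record_sighting(client, start + timedelta(hours=7)).value
    return before, after


if __name__ == "__main__":
    for managed in (True, False):
        print("managed" if managed else "unmanaged", run_timeline(managed, reachable=False))
    print(recovery_after_offline())
```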


Action buttons

Select a client from Clients, or open the details window for a specific client, to view the Action buttons. Depending on the client status, one or more of the buttons may be disabled.

Edit client

Click Edit client or double-click a client to open the client details window. You can change the type (icon) of the client, edit its alias name, move it to another group, and/or enter notes about the client.

Update client

Click Update client to tell a managed client to check for updates and to replicate its policy immediately. Normally, the client will check for updates every hour and check for policy changes every 10 minutes. See also “Appendix A: The Update Mechanism” on page 64.

Promote or Demote client

This button toggles between Promote client and Demote client. Completing the operation to promote or demote a client may take 3-5 minutes.

Click Promote client to promote an online, managed client into a Midlevel Manager. See also “Promoting clients” on page 7.

Click Demote client to reverse a promotion and demote a management console into a managed client. Other management consoles reporting to it must be removed first.

Request status

Click Request status to force a managed client to submit its status information. This is normally done when the client checks for policy changes.

Rediscover client
Click Rediscover client to initiate manual rediscovery of any device, regardless of its status and whether or not it is managed. When a client is stale, the management console will actively attempt to discover the client.

Repair client
Click Repair client to tell the client’s program manager to re-install all products if a managed client experiences persistent problems. The entire client software will then be re-installed.

The action to repair a client is quite drastic and should only be used as a last resort.

Restart client
Click Restart client to force a restart of a managed client, for example after it has been updated.


Remote command
Click Remote command to help a client user with a specific issue, or to perform actions that are not covered by the action buttons.

You can only execute software that is located below the Norman root. An administrator can issue a console command directly to any Norman program component on a managed client.

Before issuing a remote command, keep in mind what the state of the remote client might be (no user logged on, several users logged on, etc.).

The remote process will run with system privileges in the context of the njeeves2.exe process. However, if the process requires a graphical user interface, it may not show up on the remote client unless the administrator is logged on and has the desktop open (for example on a Vista client).

Delete client
Click Delete client to remove a client and move it to the Unmanaged group. Alternatively, you can drag it there. The client will no longer be updated or discovered by the management console.


Policies
A policy is a set of product configurations that governs the client behavior in a group, and it holds information about which products to install on the member clients. Clients always use the policy assigned to their group.

A default policy should always be present in the local database, and it will provide default configuration values for all licensed products. The predefined Default policy is automatically assigned to all groups. You can choose another default policy, like the Midlevel Manager policy or the Toplevel Manager policy. The administrator can edit the default policies, but not delete them.

The Default policy is mandatory. This is the policy that is assigned to all new groups by default. It is good practice to leave it unchanged or to only make small changes to it.

You are not allowed to delete a policy containing clients. Before you delete a policy you must remove the clients or assign them to another policy. If there are clients assigned to the policy an error message will occur when you try to delete it.

The users’ access to edit the various configuration values locally at their workstation is governed by the administrator through the policy. These access rights are granted on a per product basis, and can be either write access or read-only.

Click a Policy name to view or change settings for that policy.

When you click a digit in the Subscribing groups column, a dialog with the subscribing groups for this policy appears. Click any of the listed groups to view more details about group members, etc.

Access type states whether users can install/uninstall products under this policy, or if it is read-only.

The default update frequency for policies from the store is every 10 minutes.


Create a policy
1. From Policies click New policy.

2. Enter a mandatory Policy name and an optional note for this policy.

3. Click Create to save the new policy name and to enter the configuration for this policy.

Configure policies
When you have created a policy, it appears on the Policies list and the configuration dialog for the new policy is opened.

Allow users to (un)install products
We do not recommend that you allow users to uninstall products. Select this option only if you have good reasons to do so. Leaving this check box empty will give the policy access type read-only.


Install/uninstall
Select one or more products and/or components to install for this policy’s subscribers. Available products are licensed products. By default, all products are selected. Products which are mandatory or not eligible for install/uninstall are grayed out.

Configure
Click the configure icon to modify the configuration for this particular product within this policy. All managed clients assigned to this policy will apply the configuration changes that you make. Clients that belong to other policies will not be affected.

Allow user to configure product
Allowing users to configure a product includes all sub-products or components that belong to the product. Such changes are implemented locally on the individual client and will not affect the policy itself or other subscribers. If you leave this check box empty, the policy configuration will overwrite the local user’s settings.


Antivirus & Antispyware
Click a policy name that you want to configure the antivirus product for, and then click the Antivirus & Antispyware configure icon.

Real-time Scanner
The Real-time Scanner works in the background and offers automatic protection of your system.

This is an essential antivirus component and should be enabled at all times.

Enable Real-time Scanner
The Real-time scanner is enabled by default. Selecting/deselecting this option starts and stops the real-time scanner. Real-time scanning is an ongoing process that monitors critical activities on your system. This involves file access and copy/move to other drives or directories. Whenever a file is accessed in a read/write operation or a program is executed, the real-time scanner is notified and scans the file on the fly. If you disable the real-time scanner, a warning appears in the system tray.

Scan for potentially unwanted programs
A potentially unwanted program is software that generally is not malicious, but still can be considered unwanted by the user. The potentially unwanted properties can include certain features that resemble malicious and/or privacy-invasive software such as spyware, adware, and content hijacking programs.

Cleaning options
An infected file is sent to quarantine, and from this option you can select how to handle the quarantined files. Access to an infected file is denied if repair fails.

A file is deleted altogether if it contains nothing but malware.

Quarantine and clean infected files
Select this option to move an infected file to quarantine and clean it automatically. A copy of the infected file will be sent to quarantine, while a cleaned version is kept in its original location.


Move infected files to quarantine
Select this option to move an infected file to quarantine without attempting to clean it. The infected file will be removed from its original location.

Block access to infected files
Select this option to copy an infected file to quarantine and block access to the original version of the file.

Exclude paths or extensions from scanning
Paths and extensions on the exclude list are not scanned. Since excluding items is a decision made at the expense of security, we recommend that you schedule and run regular scans of the items on the exclude list.

For security reasons the exclude list for the real-time scanner is limited to 50 entries. In addition to the risk the exclude list represents, it also increases the use of system resources. The more entries in the list, the more resources will be used by the real-time scanner.

Use the exclude list
Select this option to exclude items you enter on the exclude list.

Network drives
Excluding files on network drives from scanning is selected by default. Deselect this option if you want to scan shares that you have access to on remote computers.

The Real-time Scanner’s behavior will depend on the user rights of the logged on user when scanning files on network drives. When the Real-time Scanner sees a file that is opened from a network drive, it will scan the file as usual. However, it will not be able to repair or remove an infected file, unless the logged on user has write access to the directory/file in question. Still, access to the infected file will be denied.

Real-time scanning in networks is intended for a situation where servers do not run antivirus software, simply to avoid the same files being scanned twice—once on the server and then again when they are opened on the client. The consequence of such double scanning could be that network logons and backups become slower. However, the system administrator must make the final decision, where security on the one hand and network operation on the other are the two major factors to consider.

When the Real-time Scanner detects viruses or other malware on network drives, it will display the locations as UNC paths (e.g. \\Server\Share\InfectedFile) and not as mapped network drives (e.g. X:\Infected file).

Exclude List
Specify paths or extensions that you do not want the antivirus application to scan. The exclude list supports different types of patterns.

Path
Example: C:\Folder\Joker\
This pattern will match any files in or below the path.

Extension
Example: *.db
This pattern will match any file with the specified file extension. Note that the asterisk (*) must be used as wildcard.

Enter a path, a file extension, drive letter or an environment variable and click Add to list.
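The following is an added example, not part of this guide or the product: a reference matcher in PowerShell for the exclude-list entry types described above (path, extension, drive letter, environment variable), together with the 50-entry limit from the real-time scanner section. Treating an expanded environment variable as a path prefix is an assumption.

```powershell
# Added example: how exclude-list entries are interpreted when deciding whether a
# file is skipped. Entry shapes and the 50-entry cap are from the guide; the
# environment-variable handling is an assumption.
function Resolve-ExcludeEntry {
    param([string]$Entry)
    # Environment variables such as %SystemRoot% are expanded before matching.
    [System.Environment]::ExpandEnvironmentVariables($Entry.Trim())
}

function Test-ExcludeListMatch {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string[]]$ExcludeList
    )
    # The real-time scanner accepts at most 50 entries; fail loudly rather than
    # silently dropping the tail of the list.
    if ($ExcludeList.Count -gt 50) {
        throw "Exclude list has $($ExcludeList.Count) entries; the limit is 50."
    }
    $file = Resolve-ExcludeEntry $FilePath
    foreach ($raw in $ExcludeList) {
        $entry = Resolve-ExcludeEntry $raw
        if ($entry -match '^\.[^\\/*]+$') {
            # ".db" without the asterisk is not a valid extension pattern.
            Write-Warning "Entry '$raw' lacks the required asterisk; use '*$raw'."
            continue
        }
        if ($entry.StartsWith('*.')) {
            # Extension pattern, e.g. *.db: compare the file's extension only.
            if ([System.IO.Path]::GetExtension($file) -ieq $entry.Substring(1)) {
                return $true
            }
            continue
        }
        # Drive letter (D:) or path (C:\Folder\Joker\): the entry matches the
        # path itself and anything below it, case-insensitively as on Windows.
        $prefix = $entry.TrimEnd('\')
        if ($file -ieq $prefix -or
            $file.StartsWith("$prefix\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed sample list and paths for illustration.
$excludeList = @('C:\Folder\Joker\', '*.db', 'D:', '%SystemRoot%\Temp')
$paths = @(
    'C:\Folder\Joker\sub\report.docx',  # below an excluded path
    'C:\Folder\Jokers\report.docx',     # sibling folder, must not match
    'E:\data\index.DB',                 # extension match, case-insensitive
    'D:\anything\at\all.exe'            # whole drive excluded
)
foreach ($p in $paths) {
    $excluded = Test-ExcludeListMatch -FilePath $p -ExcludeList $excludeList
    Write-Host ("{0,-36} excluded: {1}" -f $p, $excluded)
}
```

Running the sample shows why a bare drive letter deserves scrutiny: it excludes every file on that drive, not just a folder.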


Recommendations
• Make sure that your antivirus installation is up-to-date. This is the best protection against virus attacks—to stop viruses before they enter the system.

• Install antivirus software on email servers and gateways.

• Restrict user rights on shares as much as possible, for example by setting the read-only attribute where applicable on files that are not frequently changed.

• Back up your files regularly.

Exclude lists should be handled with great care, as they represent a potential security risk. We recommend that you scan the exclude list manually on a regular basis and include these paths or extensions in scheduled scans.

Manual scanner
You can use the manual scanner to perform periodic scans of selected areas of your computer. Use the Task Editor to schedule a scan (see “Task editor” on page 35).

Scan archives
Antivirus is configured to always scan archives. If an infected file is detected within an archive, Antivirus will try to repair first. If repair is not possible, the infected file is deleted from the archive, and the original file is quarantined. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.


Scan for potentially unwanted programs
See the Real-time Scanner and “Scan for potentially unwanted programs” on page 32.

Cleaning options
If you enabled the option to automatically remove detected viruses, an infected file will automatically be sent to quarantine. From the cleaning options you can select how to handle the files that the antivirus application detects as infected.

During cleaning, a file is deleted altogether if it contains nothing but malware.

Quarantine and clean infected files
Select this option to move an infected file to quarantine and clean it automatically. A copy of the infected file will be sent to quarantine, while a cleaned version is kept in its original location.

Move infected files to quarantine
Select this option to move an infected file to quarantine without attempting to clean it. The infected file will be removed from its original location.

Do nothing
Select this option to do nothing about files that the antivirus application detects as infected. This also means that the files will not be sent to quarantine.

Logging

Create log file
Creates a log file whenever you run a manual scan. If you deselect this option, no log file is generated for manual scans.

Detailed logging
Extensive logging that generates a very detailed report, specifying each file that was scanned, scanning time per file, status, etc.

Exclude paths or extensions from scanning
Refer to the Real-time Scanner and “Exclude paths or extensions from scanning” on page 33.

Task editor
Create task files and view or modify scheduled events. Administrators can create task files and distribute them to all workstations in the network to ensure consistent checking of areas that require special attention. Allow some 10 minutes for a task file to be replicated to all clients.

Create a task
Click New from the Task Editor dialog and enter a task name. Make your selections and click Create to confirm and save your task.

Tasks are displayed as a list in the Task Editor dialog. Click a task name to edit, or click the trash can at the end of the task line to delete that task.


Enable
By default, the task is set to enabled. Remove the check mark to disable it.

Scan entire computer
Select this option if you simply want to scan the entire computer.

Custom scan
Select this option if you want to customize the area to scan.

The options Select files and folders, Scan boot sectors, Scan archives and Scan memory are only available when Custom scan is selected.

Select files and folders
Enter a path and/or a filename and click Add to list. The wildcard asterisk (*) is supported.

Examples

• C:\

• D:\*.pdf

• E:\foldername

Scan boot sectors
When you select this option, Antivirus will check the boot sector of the area(s) that are being scanned.


Scan archives
Select this option to include archived files in the scan. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

Scan memory
When you scan the memory area, the antivirus application looks for resident viruses. You should always make sure that no viruses exist in memory.

Start
Select the date and time to run the scan. The suggested date and time is the current one (according to your system information).

Schedule
Select a schedule for when to run the scan: daily, weekly or monthly.


Product Manager
Click a policy name that you want to configure the product manager for, and then click the Product Manager configure icon.

Product language

Select language from the drop-down list. The list is subject to change as new language versions may be added. A change from English (default) to another language will take effect after the next update. You can also run a manual update for the changes to take effect immediately.

Select update method

See also “Appendix A: The Update Mechanism” on page 64.


LAN product update frequency
This option defines how often a client should check for updates from LAN, i.e. the management console installation. The management console downloads all files for all products, platforms and languages selected on the Products page in the management console GUI. See “Products” on page 47. The default update frequency is 1 hour.

The LAN product update frequency setting should always be set to Never for the Toplevel Manager policy as the management console should always update from the Internet. Selecting another setting may result in your installation never being updated.

A LAN update uses the HTTP protocol and port 2868 to connect to the management console machine.

Internet Update
This option defines when and how often a client should connect to Internet servers in order to check for necessary updates. Time before using Internet update defines how long a client can operate without management console contact - and consequently without being updated - before it is permitted to check for updates on the Internet. Update intervals defines how often a client should then check for updates via the net. See also “Appendix A: The Update Mechanism” on page 64.

Alternate update path
This is an important feature in installations where the console manages several hundred machines and setting up multilevel managers is not affordable (contact local support for help if necessary). It uses the CIFS protocol (Windows sharing) to allow clients to connect to shares where they can retrieve updated files. It is important to set up a synchronization between the \distrib\download\ folder on the management console machine and the alternative share folder in order to copy all new files downloaded by the management console to the alternative share folder.

One solution is to create a script that copies all files from \distrib\download on the management console server to \\servername\<share_folder>\distrib\download.

If this software is installed at the alternate distribution point, any \distrib\download folder is automatically updated.

distrib\download is a mandatory part of the path and cannot be changed.

Set up a scheduled task that runs the script once every hour.

The script must be run with the necessary user privileges to access the share, so that it can run even if no users are logged on. It may be wise to check the option to kill the process if it has run for more than two hours.

The script needs to handle the following situations:

• Verify that Internet Update is not currently running.

• Copy all files from \distrib\download on the management console server to \\servername\<share_folder>\distrib\download.

• If a sharing violation occurs during file copy, wait a short while and try again.

Refer to our support pages for a complete procedure and a script you can download, edit and run. See also “Networks with a large number of clients” on page 10.
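As an added example (not the script from the support pages), the following PowerShell script implements the three requirements listed above for the hourly scheduled task. The management console install root, the share name and the process name that indicates a running Internet Update are assumptions, marked as such in the code.

```powershell
# Added example: mirror the console's \distrib\download folder to the alternate
# update share. Checks that Internet Update is not running, copies every file,
# and retries on sharing violations.
param(
    # Assumed install root of the management console; distrib\download sits below it.
    [string]$ConsoleRoot = 'C:\Program Files\Norman',
    # Assumed server and share that clients use as their alternate update path.
    [string]$Share = '\\servername\share_folder',
    # Assumed placeholder: process name that shows Internet Update is running.
    [string]$UpdateProcessName = 'PLACEHOLDER_internet_update_process',
    [int]$MaxRetries = 5,
    [int]$RetrySeconds = 10
)

$ErrorActionPreference = 'Stop'
# distrib\download is mandatory on both sides and cannot be changed.
$source      = Join-Path $ConsoleRoot 'distrib\download'
$destination = Join-Path $Share 'distrib\download'

# 1. Do not copy while Internet Update may still be writing into the source folder.
if (Get-Process -Name $UpdateProcessName -ErrorAction SilentlyContinue) {
    Write-Host 'Internet Update appears to be running; skipping this run.'
    exit 0
}

if (-not (Test-Path -LiteralPath $destination)) {
    New-Item -ItemType Directory -Path $destination | Out-Null
}

function Copy-WithRetry {
    param([string]$From, [string]$To)
    for ($attempt = 1; $attempt -le $MaxRetries; $attempt++) {
        try {
            Copy-Item -LiteralPath $From -Destination $To -Force
            return $true
        } catch [System.IO.IOException] {
            # 3. ERROR_SHARING_VIOLATION (Win32 error 32): another process still
            #    holds the file open. Wait a short while and try again.
            $win32 = $_.Exception.HResult -band 0xFFFF
            if ($win32 -eq 32 -and $attempt -lt $MaxRetries) {
                Write-Host "Sharing violation on $From, retry $attempt of $MaxRetries"
                Start-Sleep -Seconds $RetrySeconds
            } else {
                throw
            }
        }
    }
    return $false
}

# 2. Copy every file, preserving the folder layout below distrib\download.
$copied = 0
Get-ChildItem -LiteralPath $source -Recurse -File | ForEach-Object {
    $relative  = $_.FullName.Substring($source.Length).TrimStart('\')
    $target    = Join-Path $destination $relative
    $targetDir = Split-Path -Parent $target
    if (-not (Test-Path -LiteralPath $targetDir)) {
        New-Item -ItemType Directory -Path $targetDir | Out-Null
    }
    # Skip files whose size and timestamp already match, so hourly runs stay cheap.
    $existing = Get-Item -LiteralPath $target -ErrorAction SilentlyContinue
    if ($existing -and $existing.Length -eq $_.Length -and
        $existing.LastWriteTimeUtc -eq $_.LastWriteTimeUtc) { return }
    if (Copy-WithRetry -From $_.FullName -To $target) { $copied++ }
}
Write-Host "Copied $copied file(s) to $destination"
```

Run it from a scheduled task under an account that has write access to the share and does not require an interactive logon, as the text above requires.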


Proxy settings
Proxy servers may require user authentication. If you use the proxy server options in this dialog, you must enter the same information for proxy server log on and authentication as configured on the proxy.

Use proxy server
Enter the Proxy address and Proxy port for the firewall’s HTTP proxy. If you have specified information for HTTP proxy in your browser, you should enter exactly the same values here.

Authentication

Log on to proxy server
This option is only relevant if your proxy server requires authentication.

User name
Enter a valid user name.

Password
Enter the password.

Domain
Enter the domain name. If the field is left blank, the machine name is used. This field is not intended for proxy servers using basic authentication. The two prevalent authentication schemes are basic and Windows NT challenge/response, also known as NTLM.


Popup settings

Configure popups
From the drop-down menu you can decide if the clients should or should not display popup messages, for example, from a malware detection.

Your choice affects all clients that are assigned the selected policy. If the policy allows local user configuration (see “Policies” on page 29), it is possible to edit the individual client to make exceptions from the established policy settings.

Display common popups
Select this option to allow display of notification popups.

Suppress all errors and warnings
Select this option to prevent notification popups from the system or software, including popups concerning computer restart.

Even though the popups are blocked, the management console continues to receive information from the clients.


Intrusion Guard
Click a policy name that you want to configure the Intrusion Guard product for, and then click the Intrusion Guard configure icon.

This product is a host-based intrusion prevention system (HIPS) that can stop malicious applications from taking control of your machine. The application offers a powerful reporting tool and protects processes, drivers, browsers and the hosts file. It is a platform for proactive threat protection intended for experienced users. High risk events that are rarely used by legitimate applications are blocked by default.

Drivers & Memory
Drivers are computer programs that operate on a low level, the kernel level. Drivers are typically written to access and control hardware, such as your display monitor, keyboard, printer and network card. In order to access hardware connected to your computer, the drivers need full system access. For this reason the same techniques are used when writing malicious applications. You can modify the driver installation configuration to control which applications should be allowed to install drivers on your computer.

There are two malicious techniques to achieve the same privileges as drivers get. Both of these techniques circumvent the security mechanisms of the operating system. It is highly recommended to keep the settings for both as Deny.

Prompt
You will be asked each time an attempt is made.

Allow
Attempts will only be logged.

Deny
No application, legitimate or malicious, will be able to install kernel level drivers.


Processes
When an application, legitimate or malicious, is installed on your computer, it will most often want to start automatically each time your computer is started. A program that wants to start automatically can instruct the operating system to auto-start itself with the same privileges as the current user, or it can install a background service that will run with elevated privileges. The intrusion prevention application can stop attempts of this nature.

Prompt
You will be asked each time an attempt is made.

Allow
You will never be prompted.

Deny
No application, legitimate or malicious, will be able to install itself to automatically start when the computer is started.

A program can also inject code into other processes running on your machine, and it can hijack processes by other means. This is common behavior for malicious applications, but some legitimate programs also use such techniques, for example to extend the user’s desktop, or to offer other advanced features to the operating system or third party applications. You can configure the application to deny or prompt each time an attempt like this is made.


Network
By adding filters to network modules in your operating system, malicious applications can steal personal data, such as social security numbers, credit card details, and passwords. Adware can modify network data sent through those filters. It can change results in search engines and show unwanted advertisements on your desktop and embedded in web pages you visit.

Plugin Prevention (Internet Explorer only)
A BHO (Browser Helper Object) is an extension to Microsoft’s Internet Explorer. This and other Internet Explorer plug-ins, like toolbars, have full control over network traffic to and from Internet Explorer, and they can interact with the user interface.

Prompt
You will be asked each time an event occurs.

Allow
You will never be prompted.

Deny
Stops all attempts to modify your system or install a BHO.

LSP Prevention
An LSP (Layered Service Provider) is a generic filter in the network stack in Windows. It has full control over all network traffic on your computer.

Prompt
You will be asked each time an event occurs.

Allow
You will never be prompted.

Deny
Stops all attempts to modify your system or install an LSP.


Hosts file protection
When you access a website through its name (web address), the name is translated into an IP address. Then the data is sent to and from the remote server. Your computer will first look for the name in your hosts file. This means that hosts file entries override any IP address that the name would otherwise resolve to. Malicious applications may change your hosts file and thus redirect the network traffic to a malicious website (so-called pharming).

Prompt
You will be asked each time an event occurs.

Allow
You will never be prompted.

Deny
Stops all attempts to modify your system or hosts file.
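As an added example, not part of Intrusion Guard or this guide, the following PowerShell script audits a hosts file for the kind of entries the Hosts file protection setting above guards against: every name-to-address mapping other than the stock localhost lines overrides what DNS would have returned. It runs against a constructed sample file so it can be tried offline; point it at the real file to audit a client.

```powershell
# Added example: list hosts-file entries that override name resolution.
function Get-HostsFileEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -LiteralPath $Path | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()        # strip comments
        if (-not $line) { return }                   # skip blank lines
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }          # address with no names
        # One hosts line can map several names to the same address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; HostName = $name }
        }
    }
}

function Get-HostsFileOverrides {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $loopback = @('127.0.0.1', '::1', '0.0.0.0')
    Get-HostsFileEntries -Path $Path | ForEach-Object {
        # localhost -> loopback is the documented default; anything else takes
        # precedence over DNS for that name and deserves a look.
        if ($_.HostName -ieq 'localhost' -and $_.Address -in $loopback) { return }
        $effect = 'redirected to a fixed address'
        if ($_.Address -in $loopback) { $effect = 'sinkholed to loopback' }
        [pscustomobject]@{ HostName = $_.HostName; Address = $_.Address; Effect = $effect }
    }
}

# Constructed sample hosts file (198.51.100.0/24 is a documentation range).
$sample = Join-Path $env:TEMP 'hosts.sample'
@'
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
198.51.100.7    login.example.com www.example.com   # constructed override
0.0.0.0         ads.example.net
'@ | Set-Content -LiteralPath $sample

Get-HostsFileOverrides -Path $sample | Format-Table -AutoSize
```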


Assign a policy to a group
1. From the realm overview on the left-hand side click the group you wish to assign the policy to.

2. From the Clients page click the Policy: field and select a policy from the drop-down menu.

3. Click the Save icon next to the policy name to confirm your changes.


Products
All licensed products that the management console administers in the realm are listed on this page. These are the products available on the machine where the management console is installed—the distribution point. When a product within a policy or on a client is configured for scheduled updates, it fetches the update from this distribution point. The clients are updated in accordance with their policy.

See “Configure policies” on page 30 on how to configure a product.

Licenses

In use
An approximate number of managed clients with this product installed.

Seats
The number of seats that your license covers for this product. If In use is larger than Seats, this is an indication that you should check whether your license covers your actual needs.

Expires
The date when the license for the product expires. The date format is YYYYMMDD.


Scheduled update
Select this option if you want to schedule updates for a product. For each product, you may select/deselect the Scheduled update option. When the scheduler initiates an update, only products with this option selected will be updated. Products not selected will not receive updates.

Save fewer definition file versions...
This option enables saving fewer definition file versions to keep the download size at a minimum. It will increase the traffic between the BDmirror machine and the endpoints updating from it, while reducing the traffic from the BDmirror machine to the Internet. We recommend that you select this option if you have Internet bandwidth or traffic constraints. See also Appendix A about “BDmirror” on page 64.

Update selected products
To update manually, select one or more products and click Update selected products.

Languages
A number of different product languages are available, and new language versions are added at irregular intervals. The default language is English and cannot be deselected. You can choose to download one or more language versions if they are covered by your license. These languages will be available to the clients in the managed network.

The download packages may be large, so in order to reduce bandwidth use, you should be selec-tive when you pick language versions.

PlatformsA wide range of platforms are supported, including most Windows and NetWare versions. Please refer to “System requirements” on page 5 for details.

Select the platforms which are represented in your network and click Save. The selections are valid for both manual and automatic update via Internet Update.

Reports

History

Select History for a report that includes incidents covering the entire period since the realm was created. There are several ways of filtering the report.

Use the drop-down menus to select how you wish to filter the messages: Component (Internet Update, Product Manager, etc.), Message type (alarms, warnings, errors, etc.), Year, Month, and Group. The report’s content and available filtering options depend on factors like how many different operating systems are installed on the clients in the network, when the realm was created, and the types of messages reported in the entire period. For example, you cannot filter on Operating System if all clients run on the same platform, on Year if the realm was created in the current year, or on Message type if only one or two message types have been reported.

There is a limitation of 1,000 messages per report. Therefore it is important that you specify relevant and precise search criteria in the Search field, from where you can search through all messages generated since the realm was established. You can, for example, search for machine names, IP addresses, or virus names to avoid irrelevant messages with the risk of exceeding the 1,000 limit.

Reports

The management console maintains statistics for the realm around the clock. The reports cover the topology status and incidents. As a supplement to the graphical representation of statistics on the home page, you can generate your own, detailed reports that identify all clients in the network.

Generated reports are based on all discovered devices in the network, including those that are not managed. However, devices that have been moved to the Unmanaged group are not included. You may filter which clients to include in the report by their online status and/or whether a status flag has been set.

Select the details and the machines you want to include in the report and click Generate. You can filter machines by selecting clients with only one or two particular status types, or select all types to include all clients (default). The default setting for the report details is also all. Choose between commas or semicolons as the CSV (comma separated value) separator, depending on the report format you prefer.

The report is generated as a CSV file to be opened in most spreadsheet applications and saved as any other file.

Settings

These pages contain configuration options as well as maintenance tasks that are performed regularly, such as administrator management. Settings and parameters that do not require frequent attention, or that are likely to be set just once, are also located on these pages.

Realm administrators

This option applies to the Toplevel Manager only. For more information about the realm owner and realm administrators, please refer to “Installation” on page 13.

The realm owner credentials should only be used when a management console is being restored from a backup. When first running the Endpoint Manager after it has been installed, it is an essential task to complete the creation of one or more realm administrators.

All users with administrator privileges in the realm are listed on this page, with information about access type etc.

Click an administrator’s name link to view more information about the administrator.

To add a new administrative user, click Create administrator.

Backup and restore

This option applies to the Toplevel Manager only. The management console and the network realm rely on certain basic data stored in the local database, also referred to as the store. It is strongly recommended that you back up these data systematically. The backup includes vital information like network topology, realm credentials and operation center settings.

Backup

When a managed realm is set up, we recommend that you back it up on an external storage device.

The most recent backup file is named NEM_backup_00000.nbk. With each new backup, the numbers of the existing files are incremented until the selected Max number is reached. Hence, the backup file with the highest number is the oldest one.

The file cannot be opened or viewed by any application, since the sole purpose of the backup is to make it possible to restore a managed network realm on a management console in the case of hardware loss etc. Without a backup, the loss of the management console would require new credentials to be distributed throughout the network. The logical network structure would also have to be recreated. The backup/restore functionality is also used if you want to upgrade or replace a functioning management console. First, back up the existing management console to external media, then restore the backup file as part of the install wizard procedure on the new management console. The size of the file depends on your network—the bigger it is, the bigger the backup file.

Destination

Enter a path for the backup file directory where NEM_backup_0000x.nbk will be stored. The default location is C:\Program Files\Norman\backups\noc. Alternatively, click Browse to select a location from the Windows Explorer view.

Max number of backups

Enter the maximum number of backup files to keep before the management console starts deleting the oldest of the existing files. Since businesses, networks and routines are diverse, we have no recommended number. However, you should keep this number high enough to maintain a usable backup history, and at the same time limit it to avoid consuming more disk space than necessary. If you reduce the number at a later point, old backups will not be deleted unless you do it manually.
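The numbering scheme described above, and what happens when Max number of backups is lowered, can be followed in this small model. It is an added example and not the product’s own code; it assumes that on each new backup every existing file is renumbered one step up, that the file which would receive the number equal to Max number is deleted, and that files already above that number (left over from an earlier, larger setting) stay on disk until removed manually.

```python
import re

# Added example code modelling the NEM_backup_NNNNN.nbk rotation; not part of
# Norman Endpoint Manager. The rotation rule below is an assumption, see the
# lead-in text.
BACKUP_NAME = re.compile(r"^NEM_backup_(\d{5})\.nbk$")
NEWEST = "NEM_backup_00000.nbk"


def backup_number(name):
    """Sequence number of a backup file, or None if the name does not follow
    the NEM_backup_NNNNN.nbk pattern (other files in the folder are ignored)."""
    m = BACKUP_NAME.match(name)
    return int(m.group(1)) if m else None


def sorted_backups(names):
    """Backup files sorted newest (00000) to oldest (highest number)."""
    return sorted((n for n in names if backup_number(n) is not None), key=backup_number)


def rotate_on_new_backup(existing, max_number):
    """File names in the destination directory after one more backup runs."""
    if max_number < 1:
        raise ValueError("Max number of backups must be at least 1")
    kept = []
    for name in sorted_backups(existing):
        shifted = backup_number(name) + 1
        if shifted == max_number:
            continue  # the oldest slot inside the configured window falls off
        kept.append(f"NEM_backup_{shifted:05d}.nbk")
    kept.append(NEWEST)  # the fresh backup always takes number 00000
    return sorted_backups(kept)


def oldest_backup(names):
    """The file with the highest number is the oldest one."""
    files = sorted_backups(names)
    return files[-1] if files else None


def orphaned_backups(names, max_number):
    """Files numbered at or above the current Max number. They only exist when
    the setting was lowered after backups were taken, keep consuming disk space,
    and are the candidates for manual clean-up."""
    return [n for n in sorted_backups(names) if backup_number(n) >= max_number]
```

Running the rotation with three existing files and Max number lowered from 3 to 2 leaves NEM_backup_00003.nbk behind; orphaned_backups() lists exactly that file, which is the check to run after reducing the setting.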

Enable scheduled backups

When you select this option, the Start time fields are enabled for specifying the time the backup should run.

Select days of the week below

Starting with Monday, each weekday is listed and selected by default.

Start time

Enter the hour and minute when you want the backup to start. The backup will start at the specified time on all selected weekdays.

Backup now

Click Backup now for an immediate backup of the management console database, or Save to store your settings. If the management console is down when a backup should be performed, the backup is executed as soon as the management console becomes operational again.

Restore

In the current version, the management console’s DNS name cannot be changed. Therefore a backup of a realm must be restored on a machine that resolves to the same DNS name that was used during the realm creation.

Alternatively, you can create a new realm and, after finishing all processes and updates from the Internet, generate new MSI installers from the management console. Copy the file mig2nss7.nts, created in the same destination folder, into the \norman\config folders of the existing clients. Please keep in mind that by doing this you are using a new, blank topology tree, and the clients will be assigned automatically to the Lost and found group. You should consider creating policies, groups, and topology filters, and/or moving clients manually to specific groups, before you copy that file onto the clients.

It is important that you run an Internet Update before restoring a backup.

Restore from

Enter the path for the backup file directory where NEM_backup_0000x.nbk is stored. The default location is c:\Program Files\Norman\backups\noc. Alternatively, click Browse to select a location from the Windows Explorer view.

Restore strategy

Select what parts of the backup to restore. The settings part of the database contains the realm credentials and settings. The topology part is a map of known machines in the network, as presented in the Clients view, including the group names and assigned policies.

Keep most recent values

Selecting this option will keep the most recent values during restoration of a backup when a value exists both in the backup and in the current database.

Keeping the most recent value may in some cases result in duplicate topology entries if you have chosen to restore the topology.

Generate installers

The management console provides creation and distribution of an MSI package (Windows Installer file .msi) for rapid deployment of software on client machines.

This is a trouble-free method for installing on a client, as the administrator only needs to initiate and distribute the MSI installer to clients. Once started, the installation of the MSI package will open up port 2868 on the client machine and complete the full installation of Endpoint Protection. The clients then retrieve their policies, as described in previous steps.

The MSI package and Endpoint Protection automatically open port 2868 on Norman’s and Windows’ firewalls only. If you are using another firewall, you must manually open this port.

Distribution of the MSI package can be performed in different ways, for example:

• using a startup script

• sending the package via email to the clients

• copying the package using a USB stick or a similar medium

• employing a 3rd party tool

• distributing via Active Directory

1. Enter a valid path, and a name that you want the MSI file name to start with. You do not need to enter a file extension (e.g. .msi) since the system will add this for you automatically.

Syntax: [drive]:\[path]\[name]

Alternatively, you can Browse to select a folder where you want to save the file, but you will still have to write a name after the selected path.

2. Click Generate (or press Enter). The management console generates the following installer files:

• [drive]:\[path]\[name]_x64.msi (64-bit version)

• [drive]:\[path]\[name]_x86.msi (32-bit version)

• [drive]:\[path]\mig2nss7.nts * (For manual migration)

The mig2nss7.nts file name is entirely system-generated and you cannot add to this file name.

3. The MSI installer files should now be saved to the location you specified.

Example

C:\Distribution\Clients\Installer

This example path and name will generate the following installer files:

• C:\Distribution\Clients\Installer_x64.msi

• C:\Distribution\Clients\Installer_x86.msi

• C:\Distribution\Clients\mig2nss7.nts

The generated files hold information about the location of the relevant management console and the credentials to access it. You can use these files to install the security software on eligible clients, auto-run them on a domain, or distribute them through email, USB stick or in any other suitable way.

Keep in mind that all new clients will be placed in the Lost and Found group, unless they were previously discovered and assigned to a group. The default policy will apply for those. You can create topology filters (see “Topology filters” on page 60) that will move clients to certain groups as they are discovered. Those clients will then use the policy for that particular group rather than the default policy.

We recommend that you generate new MSI installers when adding clients at a later stage if the existing installers are older than one month, and always if there have been any software updates in the meantime. This is because the installer may have been updated with new files since the last time you generated an MSI installer, and a new installer will avoid unnecessary restarting of clients.

It is a good idea to test the MSI package on a couple of clients before rolling it out in your network, in order to identify any problem with the given management console’s DNS name or credentials.

Remote access

The management console can be accessed remotely. By default, remote access is not permitted. Remote access is only permitted from the locations specified below. You can remove and/or add access to the management console from a remote location.

Remote locations currently permitted to access the management console are listed in the upper part of the screen, identified by IP address, Netmask and Description (optional).

Type in the IP address, Netmask and Description when you set up permissions for remote access in the management console. A blank netmask is not allowed. Enter 255.255.255.255 as Netmask to allow remote access for a specific IP address only.

You should be careful admitting remote browsers access to the management console, as there are some obvious security issues. To enable remote access, you must select Allow remote access. In addition, you have to specify the IP addresses that should be allowed to log on to the management console. You may grant access either to a specific IP address or to a whole subnet, depending on the netmask.

Example

Address 172.17.0.0 with netmask 255.255.0.0 will give access to clients from the entire 172.17 segment. Again—remote access should in general be limited to as few clients as possible.
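The following model shows how the IP address and Netmask columns of the Remote access table decide who gets in, and gives a quick way to review how many hosts a table actually admits before enabling Allow remote access. It is an added example, not the console’s own code; the table rows are constructed for illustration and the console’s real matching logic is assumed to be ordinary IPv4 network membership.

```python
import ipaddress

# Constructed sample of the Remote access table (IP address, Netmask,
# Description). Added example code, not part of the product.
SAMPLE_ACL = [
    ("172.17.0.0", "255.255.0.0", "entire 172.17 segment"),
    ("10.1.2.3", "255.255.255.255", "one admin workstation"),
]


def acl_entry_to_network(address, netmask):
    """Turn one table row into an IPv4 network.

    A blank netmask is rejected, as the console does. 255.255.255.255 gives a
    single-host network; strict=False tolerates host bits set in the address.
    A non-contiguous mask raises ValueError from the ipaddress module.
    """
    if not netmask.strip():
        raise ValueError("a blank netmask is not allowed")
    return ipaddress.IPv4Network((address, netmask), strict=False)


def entry_is_valid(address, netmask):
    """True if the row would be accepted, False for a blank or malformed mask."""
    try:
        acl_entry_to_network(address, netmask)
        return True
    except ValueError:
        return False


def compile_acl(rows):
    return [(acl_entry_to_network(addr, mask), desc) for addr, mask, desc in rows]


def is_remote_access_permitted(remote_ip, allow_remote_access, rows):
    """Default deny: with Allow remote access off, nothing remote gets in;
    otherwise the browser's address must fall inside one permitted entry."""
    if not allow_remote_access:
        return False
    addr = ipaddress.IPv4Address(remote_ip)
    return any(addr in net for net, _ in compile_acl(rows))


def permitted_host_count(rows):
    """How many addresses the table admits in total, a quick check that a wide
    netmask has not opened the console to far more hosts than intended."""
    return sum(net.num_addresses for net, _ in compile_acl(rows))


def widest_entry(rows):
    """The entry admitting the most hosts, i.e. the one to review first."""
    net, desc = max(compile_acl(rows), key=lambda e: e[0].num_addresses)
    return desc, str(net)
```

With the sample table, the 255.255.0.0 entry alone admits 65,536 addresses while the 255.255.255.255 entry admits exactly one, which is why the page recommends the host mask whenever a single administrator workstation is all that needs access.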

Event management

This option applies to the Toplevel Manager only. The event management system is used to create messages based on the situation in your managed realm. The system is connected to the status indicators in the far left column, triggering a notification event when a preset threshold is reached. The system triggers on the number of alarms, errors and warnings in a network. You can set threshold values for the absolute percentage of reported alarms, errors and warnings. Delta threshold values are specified for the change rate of the same over a reporting period. Reports can also be made periodically or if a management console error occurs. See “Reports” on page 49.

Triggers

You can set threshold values for events, and determine whether the event should be communicated as email, SNMP trap, via syslog or the event log. Configuration for each message type is located under the related tab (Email settings, SNMP settings and Syslog settings).

When you specify one or more methods to send messages (email, SMS, etc.), do not forget to configure the selected transmission mechanism(s). Similarly, you don’t need to configure devices not selected. No messages will be sent if there are any errors in this configuration.

Alarms

If the alarms threshold is set to 3, an alarm is triggered when 3% of the network nodes trigger alarms. The alarm is passed on in one or more of the selected manners (Email, SNMP, etc.).

An alarm is an event that requires immediate action. It is issued by a product in Norman Endpoint Protection on a managed client.

Errors

If the errors threshold is set to 5, an error is triggered when 5% of the network nodes trigger errors. The error is passed on in one or more of the selected manners (Email, SNMP, etc.).

Errors are system abnormalities that require immediate attention.

Warnings

If the warnings threshold is set to 10, a warning is triggered when 10% of the network nodes trigger warnings. The warning is passed on in one or more of the selected manners (Email, SNMP, etc.).

Warnings are information about events that are suspicious and that may require administrator attention.

Alarms delta

For changes in the number of network nodes that have an alarm.

Upon completion of a topology thread walkthrough, the management console compares the results with the findings from the previous walkthrough and calculates delta values. If the delta threshold (percentage) is reached, a message is sent via all selected channels (email, SNMP etc.).

The delta threshold value is not related to the threshold value for alarms, which is based on a percentage of an absolute number of managed clients. A delta value, however, is based on the findings of the topology thread walkthrough, which runs perpetually and looks for events in the entire network of managed clients. Delta messages may therefore be sent long before an (absolute) alarm threshold is reached, if configured in that way.

For example, if the alarm delta is set to 1% and the alarm threshold to 5%, delta messages are sent when there is a 1% increase in alarm numbers, while a threshold message is only sent when a total of 5% of the network has an alarm.

See also “Supervisor process” on page 62. A walkthrough of the network takes about 15 minutes and is referred to as a management period.
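The difference between the absolute and the delta trigger, using the 1% / 5% example above, is easiest to see in code. This is an added example rather than anything from the product; it assumes that a delta is the change, in percentage points of the managed network, between two consecutive topology walkthroughs (management periods), while the absolute threshold is the share of the network currently reporting the condition.

```python
from dataclasses import dataclass

# Added example code modelling the Triggers thresholds; not console code.
# Assumption: delta = change in percentage points between two walkthroughs.
KINDS = ("alarms", "errors", "warnings")


@dataclass(frozen=True)
class Thresholds:
    """Absolute thresholds (percent of nodes) and delta thresholds (percentage
    points of change per management period), as set on the Triggers page."""
    alarms: float = 3.0
    errors: float = 5.0
    warnings: float = 10.0
    alarms_delta: float = 1.0
    errors_delta: float = 1.0
    warnings_delta: float = 1.0


def percent_of_network(count, total_nodes):
    """Share of managed nodes reporting a condition; an empty realm is 0%."""
    return 0.0 if total_nodes == 0 else 100.0 * count / total_nodes


def evaluate_walkthrough(previous, current, total_nodes, thresholds):
    """Compare two consecutive walkthroughs.

    `previous` and `current` map a kind ('alarms', 'errors', 'warnings') to the
    number of nodes reporting it. Returns {kind: (threshold_hit, delta_hit)}.
    """
    result = {}
    for kind in KINDS:
        now = percent_of_network(current.get(kind, 0), total_nodes)
        before = percent_of_network(previous.get(kind, 0), total_nodes)
        threshold_hit = now >= getattr(thresholds, kind)
        delta_hit = (now - before) >= getattr(thresholds, f"{kind}_delta")
        result[kind] = (threshold_hit, delta_hit)
    return result


def notifications(result):
    """One line per triggered condition, ready for the selected channels
    (email, SNMP trap, syslog, event log)."""
    lines = []
    for kind, (threshold_hit, delta_hit) in result.items():
        if threshold_hit:
            lines.append(f"{kind}: absolute threshold reached")
        if delta_hit:
            lines.append(f"{kind}: delta threshold reached")
    return lines
```

In a realm of 200 nodes, going from 2 to 5 alarming nodes (1% to 2.5%) fires only the delta message, because the 1-point jump exceeds the 1% delta while 2.5% is still below the 5% absolute threshold. A later walkthrough that stays at 12 alarming nodes (6%) keeps firing the absolute message every period but no delta message, since nothing changed.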

Errors delta

See Alarms delta, for changes in the number of network nodes that have an error.

Warnings delta

See Alarms delta, for changes in the number of network nodes that have a warning.

Endpoint Manager errors

Various errors related to the operation and running of the management console and its processes.

Periodic status reports

Aggregated reports on the status of the network (errors, alarms, warnings). If you want to receive status reports, select this option and specify the desired frequency.

Email settings

Enter the address that recipients of notifications can reply to under Reply-to address. In the Recipients address(es) field, enter the email addresses of notification recipients, separated by commas. There are two text fields, for Subject and Appended text (optional). Finally, you must enter an SMTP server and an IP Port number, or leave it blank for the default port 25.

SNMP settings

Enter the hostname or address of the system(s) that should receive the messages under Trap recipient(s), separated by commas. You can also specify a Subject for the message (optional). Under Community, type in an SNMP community name or leave it blank for “public”. This field is case sensitive.

A .mib (Management Information Base) file called Sec_Traps.mib is included in the Endpoint Protection installation. It’s located in [drive]:\[programroot]\NOC\Bin.

Syslog settings

Enter the name and address of the Syslog servers that you want to send events to. Comma is the only valid separator. In the optional fields Prefix and Port you can enter a short text to add to all syslog entries from the management console, and a port number if you’re not using the default 514. The Facility classification can be set to any of the locally defined values (16 through 23 in the Facility drop-down menu), or select Default for user level messages.

Display name priority

When you are looking at any list of nodes, each one is identified by a symbol (see “Client states” on page 26) and a name. You can choose how the client name is presented by rearranging the order of available names.

If you have selected an order as in the example above, Local alias will appear as the clients’ name provided that a local alias is available. If not, the next name on the list (Hostname) will be used, and so on.

Topology filters

This section is for the Toplevel Manager and describes how you can filter clients. Discovered network devices can automatically be filtered to pre-defined topology groups. Filters are handled from top to bottom. Once a computer matches a rule, no further filters are applied to it automatically.

The topology filtering does not affect Endpoint Managers. A filter condition to move a discovered device to a certain group may match an Endpoint Manager; however, the Endpoint Manager will not be moved.

Syntax: IF [attribute] EQUALS/NOT EQUAL [value] THEN move to group [groupname].

Attribute is a pull-down list of attributes identifying a device, like a name or an IP address. The operator is either EQUALS (=) or NOT EQUAL (!=). The value is a complete or partial string to match the attribute against. If partial, a wildcard character can be placed in front of or at the end of the string. The filters are applied top-down. If a client matches more than one rule, only the first rule will be applied. Click the plus sign to create rules where several conditions have to be met.

Example

IF [IP address] EQUALS [172.17*] THEN move to group [London].
IF [Name] EQUALS [*srv] THEN move to group [London].

When specifying what to test against in a rule, the value IP address reflects any of the IP addresses registered with a client. Likewise, MAC address means any of the MAC addresses associated with the network interfaces for a client.

The value Name is the common name of a client as reported by passive discovery (NetBIOS name), or the name that the client itself responds to. The value DNS name, on the other hand, is the machine name associated with the DNS entry of the client in the management console database. If the DNS entry in the client’s network differs from the one resolved by the management console, the management console entry is used.

Details about a client are displayed in this order: Alias (set by the administrator), NetBIOS name, DNS name, IP address.

The NetBIOS names are reported by the passive discovery component. If a client is only known by its IP address (as a result of an incorrect manual entry, for example), it will be displayed with its IP address until a reverse DNS lookup has been done (if enabled). At any time, a topology report containing the NetBIOS name of the client will be stored and displayed in the clients list. A managed client will also report its NetBIOS name if available, causing it to be displayed instead of the DNS name.

The DNS name is always available in the client details window.

Alternative client filtering

Apart from the topology filtering, you can sort clients automatically based on a registry key or environment variable set on the clients themselves. This can be done through existing log-in scripts or other tools already available in the network.

Group requests based on the environment variable take precedence over the topology filters. Clients that request a group will not be filtered, even if you select Reapply all filters.

Only clients (current or future) that report to a Toplevel Manager can be filtered using this registry key or environment variable mechanism.

A client can be manually moved elsewhere from the management console after it has been automatically moved to a group using this mechanism. If its environment variable is changed to another group, it will be moved again according to the new value, even if it has been manually moved in the meantime. However, if the variable is not changed, the client will never be moved back.

If a group does not already exist in the Endpoint Manager topology, it will be created. Automatically created groups will be assigned the default policy.

Use the full stop (.) delimiter if you want to use subgroups.

Example

Servers.Mail.SNMP resolves the group Servers > Mail > SNMP and moves the client to the SNMP subgroup.

Registry key

1. Create a new String Value named ’join_group’ in Registry Editor under
\\HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems\

2. Specify the group name that you want the client to be moved to in the Value data: field.

Environment variables

1. From your computer’s System Properties go to Advanced > Environment Variables. Create a new system variable with the Variable name: join_group.

2. Specify the group name that you want the client to be moved to in the Variable value: field.

On some operating system versions the client must be restarted before a new environment variable becomes available to the client.
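The two placement mechanisms described in this chapter, the top-down topology filter rules (Topology filters) and the join_group request with dotted subgroups (Alternative client filtering), can be modelled together to check what a given rule set would do to a newly discovered client before you apply it to a live realm. This is an added example and not Norman Endpoint Manager code; it assumes that a value may carry a leading or trailing * wildcard, that matching is case-insensitive, that conditions added with the plus sign must all hold, and that an unmatched client lands in Lost and found.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional

# Added example code modelling topology filters and join_group handling; it is
# not the product's own implementation. Wildcard, case and AND semantics are
# assumptions, see the lead-in text.


@dataclass
class Client:
    name: str                          # NetBIOS name or the name the client answers to
    dns_name: str
    ips: List[str]                     # all IP addresses registered with the client
    macs: List[str] = field(default_factory=list)
    is_endpoint_manager: bool = False
    join_group: Optional[str] = None   # join_group registry value / environment variable


@dataclass
class Condition:
    attribute: str   # "Name", "DNS name", "IP address" or "MAC address"
    equals: bool     # True for EQUALS (=), False for NOT EQUAL (!=)
    value: str       # complete string, or partial with a leading/trailing *


@dataclass
class Rule:
    conditions: List[Condition]   # the plus sign adds conditions; all must hold
    group: str


def attribute_values(client, attribute):
    return {
        "Name": [client.name],
        "DNS name": [client.dns_name],
        "IP address": client.ips,
        "MAC address": client.macs,
    }[attribute]


def condition_matches(client, cond):
    # EQUALS holds if any registered value matches; NOT EQUAL if none does
    hit = any(fnmatch.fnmatchcase(v.lower(), cond.value.lower())
              for v in attribute_values(client, cond.attribute))
    return hit if cond.equals else not hit


def first_matching_group(client, rules):
    """Rules are applied top-down and only the first full match is used."""
    for rule in rules:
        if all(condition_matches(client, c) for c in rule.conditions):
            return rule.group
    return None


def ensure_group_path(tree, dotted, default_policy="Default"):
    """Resolve 'Servers.Mail.SNMP' to Servers > Mail > SNMP, creating any
    missing group with the default policy, and return the leaf group."""
    node = tree
    for part in dotted.split("."):
        node = node["children"].setdefault(part, {"policy": default_policy, "children": {}})
    return node


def place_client(client, rules, tree):
    """Group a newly discovered client lands in, or None if it stays put.

    Endpoint Managers are never moved by filters; a join_group request takes
    precedence over the filters; anything unmatched goes to Lost and found."""
    if client.is_endpoint_manager:
        return None
    if client.join_group:
        ensure_group_path(tree, client.join_group)
        return client.join_group
    return first_matching_group(client, rules) or "Lost and found"


def new_tree():
    return {"policy": "Default", "children": {}}


# Constructed rule set: a two-condition rule built with the plus sign, followed
# by the two rules from the Example in the Topology filters section.
SAMPLE_RULES = [
    Rule([Condition("IP address", True, "172.17*"),
          Condition("Name", False, "*srv")], "London workstations"),
    Rule([Condition("IP address", True, "172.17*")], "London"),
    Rule([Condition("Name", True, "*srv")], "London"),
]
```

Because the filters run top-down, a London server with a 172.17 address fails the first rule on its NOT EQUAL condition and is caught by the second, while a workstation on the same segment stops at the first rule; a client carrying join_group=Servers.Mail.SNMP bypasses the rules entirely and the three nested groups are created with the default policy.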

Supervisor process

These settings are used to fine-tune the management console working threads. Normally, the default settings are adequate. However, certain local networking properties may require changes to some of the settings to ensure optimal performance. See also “About status” on page 25.

Topology thread delay

Regulates the pace of the topology picture updating thread, which walks through the entire network tree. The lower the number, the faster the speed. Increase this value if you experience peaking CPU/networking load.

Discovery thread delay

Regulates the pace of the active discovery thread dispatcher. The lower the number, the faster the speed. Increase this value if you experience peaking CPU/networking load.

Discovery attempts

Sets the maximum number of attempts to discover a Stale client before it is marked as Offline. Increasing this value will increase the stale period of offline clients, since the stale period for rediscovering stale clients is discovery attempts multiplied by the rediscovery interval.

Max. discovery threads

Sets the upper allowable limit of parallel active discovery processes. Reduce this value if you have a large network and the network load generated by the management console is too high.

Rediscovery interval

Sets the interval between active rediscovery attempts. Increasing this value will increase the stale period of offline clients, since the stale period for rediscovering stale clients is discovery attempts multiplied by the rediscovery interval.

Auto-acknowledge - errors

Sometimes the management console receives errors, alarms, and warnings. These messages are visible until they are removed manually using the edit function on the client. You can use the slider to set a period of time after which the specific messages are removed automatically. If the problem persists, the error/alarm/warning messages reappear after an auto-acknowledgement of the message(s).

Auto-acknowledge - alarms

See Auto-acknowledge - errors.

Auto-acknowledge - warnings

See Auto-acknowledge - errors.

Stale delay for managed clients

Sets the maximum time without communication from a managed client before it is marked as Stale.

Stale delay for unmanaged clients

Sets the maximum time without communication from an unmanaged client before it is marked as Stale.

Enable discovery reverse DNS

When enabled, the discovery process attempts to resolve addresses into names through reverse DNS. This option is Off by default.

Enable discovery ICMP

When enabled, the discovery process uses ICMP (ping) to actively chart lost clients. This option is Off by default.

Enable passive discovery

Devices that are discovered passively in the network are added to the database. This option is Off by default. Please refer to “Appendix B: Passive discovery” on page 66 for more information on passive discovery.

Appendix A: The Update Mechanism

ConceptThe update mechanism consists of two categories; the program update, and the engine and definition files update. All endpoints in a configuration have the update components installed. This ensures that they are updated even if the Endpoint Manager is unavailable.

Program updateThis update applies to the Internet Update component. A program update includes modifications to the software, e.g. the Real-time scanner, and the user interface. These updates are released periodically and usually about once a week.

Engine and definition files updateThis update applies to the BDmirror and Nseupdatesvc components. An engine and definition files update is released several times per day.

ComponentsInternet UpdateThis component checks for and downloads program updates via the Internet. The default frequency for this update is every second hour. Norman Internet Update uses the port 80 (http).

BDmirrorThis component checks for and downloads engine and definition files update on the Endpoint Managers only. The check for update for a Top Level Manager is done via the Internet, while the check for a Midlevel Manager is done via the parent Endpoint Manager. The default frequency for the update is every 20 minutes.

Please note that the Internet update configuration influences on the BDmirror component. This means that if the Internet update is set to update manually, it will only run when the Internet Update feature is launched manually. Bdmirror uses the port 80 (http).

BDmirror can save several generations of malware definition file updates. As a result, endpoints retrieve smaller updates in normal operation, reducing traffic between the BDmirror machine and the endpoints updating from it. On the other hand, this increases traffic between the BDmirror machine and the Internet (several hundred megabytes daily).

If you select Save fewer definition file versions... under Products in the management console, only one generation will be saved. As a result, endpoints that have not been updated for a while will retrieve more updates the first time in order to become up-to-date, increasing traffic between the BDmirror machine and the endpoints updating from it. On the other hand, this drastically reduces traffic between the BDmirror machine and the Internet.

If there are Internet bandwidth or traffic limitations in your network, we strongly recommend that you select this option in order to minimize the Internet traffic.

See also “Save fewer definition file versions...” on page 48.


Nseupdatesvc

This component checks for and downloads engine and definition files updates on all endpoints, both clients and Endpoint Managers. The check for updates is done via the immediate Endpoint Manager’s repository for endpoint clients, or via the local repository for Endpoint Managers. The default frequency for the update is every 20 minutes. Nseupdatesvc uses port 2868 (npep).

How it works

The following describes how the Internet update works in a default configuration setup.

Top level Endpoint Manager

The Endpoint Manager uses the Internet Update component to check for program updates via the Internet. You can configure Internet Update to run manually or scheduled. Once the update is completed, the BDmirror component is launched to update the local repository and make the updates available to the endpoint clients and Midlevel Managers. Once BDmirror is finished, it calls the Nseupdatesvc component to check for updates in the local repository that was just updated.

Midlevel Endpoint Managers

In a default configuration, the Midlevel Managers will check for program updates via the parent Endpoint Manager in the LAN/WAN, at a default interval of 60 minutes. The BDmirror component is scheduled to update the local repository via the parent Endpoint Manager, and will connect to the Internet if there has not been any communication with the server for a certain period of time (default 3 days). After BDmirror is finished, Nseupdatesvc will follow and update via the local repository.

Endpoint Clients

In a default configuration, the clients use the internal mechanism to fetch a program update from the parent Endpoint Manager (uses port 2868), and will use Nseupdatesvc every 20 minutes for engine and definition files updates.

In case there has been no communication with the server for a certain period of time (default 3 days), both the Internet Update and the Nseupdatesvc components will connect to the Internet to download the program and engine and definition files update.


Appendix B: Passive discovery

Technical description

Endpoint Protection (framework or client software) and Endpoint Manager (the management console) employ a mechanism to map out devices in a network and report them to the management console. This mechanism resides as a driver that is visible in the network configuration as Norman Network Security.

The Network Security driver is currently used for mapping the network topology. In the future, the driver may be involved in other network security tasks, like actively looking for malicious traffic in and out of the machine.

The management console depends on information about clients in the network to produce a useful picture of the net. Clients make their presence known through their communications with the management console. Network devices that do not have Endpoint Protection installed are discovered using the network security driver.

A management component on the client interrogates the security driver regularly to ask for network devices that have generated traffic. After polling the driver a topology list is generated and submitted to the management console. The management console will then sift through the list and update the online statuses of the network devices that it keeps track of.

The first topology report will be submitted a few minutes after client boot-up. The client will first tell the driver to listen to network traffic for a minute. Then it creates a list of devices containing their NetBIOS names, MAC addresses, and IP addresses. A MAC address will always be found, but the name and IP may or may not be included. The client will compare the discovered devices with a local cache and create a topology report that is sent to the management console.

A client will send a second report about five minutes after the first. It will then taper off and wait about 30 minutes before the third report, two hours before the fourth and so on, up to a maximum of four hours. If the client is restarted, it will start over. The reporting aggressiveness is also decreased as the reports grow larger. The reason for this is that, statistically, a network containing a high number of clients will have a higher number of clients reporting the topology.

The information reported is only basic information pulled from the Ethernet headers and the NetBIOS protocol header. No protocol content is ever collected.

The Network Security Driver is designed for:

• Windows XP 32-bit

• Windows Server 2003 32-bit

• Windows Vista 32-bit

• Windows Server 2008 32-bit

• Windows 7 32-bit

• Windows Server 2008 R2 32-bit


Appendix C: MailScan for Domino

Introduction

MailScan for Domino is an Endpoint Protection plug-in that offers virus protection. It is fully compatible with the IBM Lotus Domino Server. Scanning is performed on the Endpoint Protection server and no software is needed on the IBM Lotus Domino clients. MailScan for Domino scans incoming email attachments, guarding the main virus entry point in a Lotus Domino environment.

How it works

A folder dom is created at the Norman root folder when MailScan for Domino is installed. The MailScan for Domino path is %systemdrive%\Program Files\Norman\dom.

Files are copied into the dom directory during installation:

\bin\nvcd_install.exe      MailScan for Domino installer
\bin\zlh_dom.dll           Communicates with the Endpoint Protection client
\bin\nvcd_load.dll *       MailScan plugin loader for Domino
\bin\nvcd_oa.dll *         MailScan scanner engine for Domino
\res\dom.nts               Configuration database element
\bin\release_notes.txt     Release Notes

* These dlls are also copied to the IBM Lotus Domino server directory: %systemdrive%\Program Files\IBM\Lotus\Domino

MailScan for Domino adds the entry NVCd_load.dll to the setting EXTMGR_ADDINS in the notes.ini file to install itself. When the Domino server starts, MailScan for Domino will analyze incoming emails, and scan any file attachments for malware. You can disable MailScan for Domino manually: remove NVCd_load.dll from EXTMGR_ADDINS in notes.ini and restart the Domino server.

The MailScan for Domino plugin is configured in the standard Endpoint Protection configuration panel. It appears as a separate module in the configuration editor and gives access to MailScan for Domino specific settings, while messaging, updating etc. is configured in the common settings.

Activity log

MailScan for Domino offers a comprehensive and robust malware incident activity log on the Lotus Domino server console and optionally in the Domino server log, the Windows Event log, and in the Endpoint Protection log file:

• Malware name (if known)

• Name of attachment

• Subject

• Creation time and date

• Name and address of originator

• Name of recipient(s)

• Action taken (cleaned, removed, quarantined)

From the Endpoint Protection module’s Support Center > Message handling you can view incidents from MailScan for Domino.


System Requirements

MailScan for Domino requires that an Endpoint Protection 11.x client is installed on the IBM Lotus Domino server.

Supported versions

IBM Lotus Domino 8.0.1-8.5.3

Windows Server 2003

Windows Server 2008 and 2008 R2

Antivirus products from other vendors may be incompatible with Endpoint Protection. You should uninstall other antivirus programs before installing Endpoint Protection.

MailScan for Domino must be installed on the Windows server where the IBM Lotus Domino Server is installed.

You must be logged in to the system with administrator privileges in order to install the program.

A 64-bit operating system requires a 64-bit IBM Lotus Domino version. If one of them is 32-bit and the other 64-bit, the emails will pass through without being scanned.

Installation

You can install MailScan for Domino on the local server or from the Endpoint Manager central management console.

If you terminate the setup program during installation, the files that are already copied to your hard drive must be removed manually.

Local installation

1. Download and install Endpoint Protection 11.x on your Domino server.

The license key must include MailScan for Domino.

When the program is installed an N-icon will appear in the system tray menu.

2. Right-click the N-icon and select Endpoint Protection to open the program.

3. Go to Endpoint Protection > Install and Update.

4. From the Licensed Products list select Not installed for MailScan for Domino.

5. Click Install from the popup dialog that appears.

Please wait while the program is installed and updates are downloaded. You may be required to restart the Domino server when the installation is complete.

A MailScan for Domino entry is added to the left-hand side menu.

6. Go to MailScan for Domino.


Installing from Endpoint Manager

Endpoint Protection 11.x must already be installed and managed by an Endpoint Manager on the designated IBM Lotus Domino Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 29)

2. Create a new policy.

Enter a name and optionally a note and click Create.

The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the MailScan for Domino product.

4. If necessary, edit the newly created policy’s default configuration.

5. Create a group.

To install the product on servers you must create a group in the Endpoint Manager console.

Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

MailScan for Domino will be installed to all servers or computers in this group.

Updating

Obtaining updates frequently is critical to maintaining a secure computing environment. You should configure automatic update of your MailScan for Domino installation (unless you update from CD only). In addition to the scanner engine components, the Internet update feature provides updates to Endpoint Protection, program updates included.

MailScan for Domino updates itself dynamically. A few minutes after new virus definitions are installed, MailScan for Domino will start to scan using the updated files.

Note that if nvcd_load.dll is updated you will have to restart the Lotus Domino server software.

Automatic update

Install and update settings are by default set to automatically update every second hour. To edit the update method go to Install and Update > Settings > Select update method. Select Automatically every and the frequency from the drop-down menu. Click Save.


Getting started

Once installed, the MailScan for Domino server plug-in entry appears on the Endpoint Protection’s left-hand side menu.

The Total and Today columns display today’s numbers and the accumulated numbers since the plug-in was installed.

Configuration

Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

The following configuration options are identical to the options available from Policies in the Endpoint Manager console. See “Configure policies” on page 30.

Block/Allow

Click Block/Allow from the main menu to configure attachment blocking and email blocking/allowing for the scanner.

Block attachments

Specify file names that should be blocked. The wildcard (*) is accepted for blocking specific extensions. The wildcard is only allowed in place of the file name, i.e. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these also represent a potential risk for virus infections.


In this field you can also block specific attachments with names known to contain viruses, such as AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition files are available.

Block/Allow email

Specify email addresses that should be blocked (senders) or allowed (senders/receivers). The asterisk (*) is accepted as wildcard.

Use with caution: Attachments from email addresses in the allow list will not be scanned for malware.

Settings

Click Settings from the main menu to configure general and advanced settings for the scanner.

General

Enable MailScan for Domino

Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Malware handling

Attempt to clean infected attachments

Select this option if you want MailScan for Domino to attempt to clean infected attachments.


Quarantine infected attachments

Select this option to quarantine infected attachments.

Delete infected attachments

Select this option to delete infected attachments.

Advanced

Email server

Protect users from mass mailers

Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the virus in itself, as the email is illegitimate with the sender missing. If you select this option, the entire email is marked as DEAD, rather than only removing the infected attachment.

This feature will only work for mass-mailers that carry a flag from the scanner engine that they are mass-mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.

The Lotus Domino database MAIL.BOX containing emails marked DEAD may grow substantially with this option enabled. You may therefore need to delete the content of this database more frequently than if this option is not enabled.

Scan archives

When this option is selected, MailScan for Domino will scan recursively inside archive files for all supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

This will take more time and may consume more memory, but it’s the safest option to ensure that your server is absolutely virus free.

Log to Domino Console

In addition to logging to the Endpoint Protection messaging system, important events are also logged to the IBM Lotus Domino Server Console.


Attachment blocking

Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking affects new emails only.

Incorrect use of the blocking utility may cause loss of data.

Block all attachments

All attachments are blocked. See also the paragraph above.

Block attachments with double extensions

Many worms and email viruses apply a technique where an additional extension is added, for example <filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to only have the extension .jpg. However, this feature is not only used by viruses; nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions.

Block attachments with CLSID extensions

Some worms and email viruses apply a CLSID technique in an attempt to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legal attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives

Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the Bagle worms, which send themselves attached as encrypted archives.

Legitimate files may be sent using the same method. If you select this option, all encrypted archive formats known to the antivirus application will be blocked. Unknown archive formats will also be blocked.

The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

Unsupported archives are also blocked.

Quarantine blocked attachments

Blocked attachments will be sent to the quarantine.

Delete blocked attachments

Blocked attachments will be deleted.


Appendix D: Exchange Mailbox Scanner

Introduction

Exchange Mailbox Scanner is an Endpoint Protection plug-in that offers virus protection. It is fully compatible with the Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no software is needed on the Microsoft Exchange clients. Exchange Mailbox Scanner scans incoming email attachments, guarding the main virus entry point in an Exchange environment.

How it works

A folder msx is created at the Norman root folder when Exchange Mailbox Scanner is installed. The Exchange Mailbox Scanner path is %systemdrive%\Program Files\Norman\msx.

Exchange Mailbox Scanner uses a VSAPI 2.0/2.5/2.6 plug-in, which connects to the Exchange Information Store on the MS Exchange server for access to emails and attachments. It becomes an integrated part of MS Exchange itself and is controlled by MS Exchange.

All incoming and outgoing emails are scanned on access in both private and public information stores. Access is only granted to virus-free items or when a present virus has been removed. If scanning of an attachment fails, access to the item is denied until it is successfully scanned, so that a program error cannot let an unscanned item through.

Exchange Service Monitor (ESM)

When Exchange Mailbox Scanner is installed on your system, the Exchange Service Monitor will be configured to monitor the Information Store component of Exchange. This ensures better control over Exchange on the server and notifies the administrator if something is wrong.

The installation routine will set up ESM to monitor Exchange Information Store. If a crash occurs (either due to a crash in NEP – when a crash dialog is displayed on the server, or due to a crash inside Exchange itself – when normally no information is given to the user at all) the Exchange Service Monitor dialog is displayed.

In this case all the command buttons are enabled. However, certain components monitored by ESM will not enable the Restart Service button. The dialog contains information about which services stopped responding and which program is affected.

In addition, an error message is sent through the Program Manager to alert the administrator of such an event.

Note that if there are dependent services these will not be restarted. If ESM is activated because of a program crash in Exchange Mailbox Scanner or Exchange itself, this does not represent a problem. However, if the administrator has deliberately shut down the Information Store on the server, Exchange Mailbox Scanner will detect this and call ESM to alert that the requested service was not active. In this case services which are dependent on the Information Store are also stopped, but are not started by ESM.


System requirements

Exchange Mailbox Scanner requires that an Endpoint Protection 11.x client is installed on the Microsoft Exchange server.

Supported versions

MS Exchange 2010 SP1 and previous

Antivirus products from other vendors may be incompatible with Endpoint Protection. You should uninstall other antivirus programs before installing Endpoint Protection.

Exchange Mailbox Scanner should be installed locally on the server(s) running Exchange and must be installed on each server running Exchange separately. The Endpoint Protection installation, however, should be kept distributed as this will ensure distributed engine updates and virus definition files. This way the configuration window for Exchange Mailbox Scanner will only appear on the server(s) running Exchange.

To install Exchange Mailbox Scanner you need a license that covers the management of Exchange, i.e. a license key that allows you to install Endpoint Protection as a basis for the Exchange plug-in.

Installation

You can install Exchange Mailbox Scanner on the local server or from the Endpoint Manager central management console.

Local installation

1. Download and install Endpoint Protection 11.x on your MS Exchange server.

The license key must include Exchange Mailbox Scanner.

When the program is installed an N-icon will appear in the system tray menu.

2. Right-click the N-icon and select Endpoint Protection to open the program.

3. Go to Endpoint Protection > Install and Update.

4. From the Licensed Products list select Not installed for Exchange Mailbox Scanner.

5. Click Install from the popup dialog that appears.

Please wait while the program is installed and updates are downloaded. You may be required to restart the MS Exchange server when the installation is complete.

An Exchange Mailbox Scanner entry is added to the left-hand side menu.

6. Go to Exchange Mailbox Scanner.


Installing from Endpoint Manager

Endpoint Protection 11.x must already be installed and managed by an Endpoint Manager on the designated MS Exchange Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 29)

2. Create a new policy.

Enter a name and optionally a note and click Create.

The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the Exchange Mailbox Scanner product.

4. If necessary, edit the newly created policy’s default configuration.

5. Create a group.

To install the product on servers you must create a group in the Endpoint Manager console.

Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

Exchange Mailbox Scanner will be installed to all servers or computers in this group.

Updating

Obtaining updates frequently is critical to maintaining a secure computing environment. You should configure automatic update of your Exchange Mailbox Scanner installation (unless you update from CD only). In addition to the scanner engine components, the Internet update feature provides updates to Endpoint Protection, program updates included.

Exchange Mailbox Scanner updates itself dynamically. A few minutes after new virus definitions are installed, Exchange Mailbox Scanner will start to scan using the updated files.

Automatic update

Install and update settings are by default set to automatically update every second hour. To edit the update method go to Install and Update > Settings > Select update method. Select Automatically every and the frequency from the drop-down menu. Click Save.

The scanner will adapt its version number so that previously scanned emails will be scanned again with updated files on next access. This is provided that you have selected the option Scan mailboxes at startup/update (see “Virus scanning” on page 78).


Getting started

Configuration can be done from Endpoint Manager or on the client locally. Once installed, the Exchange Mailbox Scanner server plug-in entry appears on the Endpoint Protection’s left-hand side menu.

The Total and Today columns display today’s numbers and the accumulated numbers since the plug-in was installed.

Configuration

Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

The following configuration options are identical to the options available from the Policies page on the Endpoint Manager console. Please refer to “Configure policies” on page 30.

Settings


Virus scanning

Enable Real-time Scanner

Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Scan mailboxes at startup/update

Select this option if you want Exchange to scan all mailboxes on the server. A scan is performed each time the server is restarted or the scanner is reloaded. All emails are scanned if new virus definition files have been added since the last scan. Mailboxes on the local computers will not be scanned when this option is on, because this option applies to emails not yet downloaded from the user’s mailbox on the server.

This option is useful in the following scenarios: 1) mailboxes on the server are already infected, and 2) the administrator downloads new virus definition files each Friday after working hours. This setting will ensure that all email is scanned during the weekend with updated antivirus tools.

Note that this option may generate unnecessary workload on the server. In most cases the real-time scanner is sufficient.

Scan archive files

When this option is selected, Exchange Mailbox Scanner will scan recursively inside archive files for all supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

This will take more time and may consume more memory, but it’s the safest option to ensure that your server is absolutely virus free.

Temporarily deny access if unable to scan

If an error occurs during the scanning of an attachment, access to the email is blocked. Such errors may occur when the server is under heavy workload. The attachment will be scanned correctly the next time it’s accessed. However, this may also affect damaged files, and access to damaged attachments is blocked. If there are damaged emails and attachments on the server, you should deselect this option. Note the potential risk of letting infected files pass uncleaned.


Virus handling

These settings decide how infected emails are managed.

Remove infected attachments

All infected attachments will be removed.

Clean infected attachments

All virus infected attachments will be cleaned. When the entire file is the actual virus, like trojan horses and worms, the file is cleaned by deletion.

Remove attachment if not cleaned

If an error occurs during the cleaning of an attachment, it will be removed. If an archive file contains an infected file, and cleaning within archives of that format is not possible, the archive file will be removed.

Quarantine

In this section you decide the handling of files that Exchange Mailbox Scanner has identified as infected or in other ways suspicious. If you don’t clean or delete such files, we recommend that you isolate them in a designated area, a quarantine.

As more Norman products are added to your existing installation, they will share the quarantine function and use the same options as specified here. Thus you can maintain a consistent quarantine strategy. From the drop-down list, these options are available:

Disabled

No files are quarantined.

Quarantine infected attachments

Select this option to quarantine infected attachments.

Quarantine only if deleted

Only deleted attachments are sent to quarantine.

Delete mass mailers from server

Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the virus itself, since the email is illegitimate and has no genuine sender. If you select this option, the entire email is deleted, rather than only the infected attachment being removed.


Attachment blocking

Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking affects new emails as well as old mails already stored when these are accessed or scanned with different configuration settings.

Incorrect use of the blocking utility may cause loss of data: in addition to deleting all new, incoming attachments, old email attachments may also be deleted as a result of background or real-time scanning. A visible warning appears when you select this option, and you should be aware of the possible consequences.

Block all attachments

All attachments are blocked.

Block attachments with double extensions

Many worms and email viruses apply a technique where an additional extension is added, for example <filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to only have the extension .jpg. However, this feature is not only used by viruses: nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions.

Block attachments with CLSID extensions

Some worms and email viruses apply a CLSID technique in an attempt to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives

Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the Bagle worms, which send themselves attached as encrypted archives.

Legitimate files may be sent using the same method. If you select this option, all encrypted archive files of a format known to the antivirus application will be blocked.

The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.


Block list

Specify file names that should be blocked. The wildcard (*) is accepted for blocking specified extensions. Only a wildcard for the file name part is allowed, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider blocking extensions/file types like .exe, .com and .bat, as these also represent a potential risk for virus infections.

In this field you can also block specific attachments with names known to contain viruses, such as AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated virus definition files are available.


Appendix E: Exchange Transport Scanner

Introduction

Exchange Transport Scanner is an Endpoint Protection plug-in that offers virus protection. It is fully compatible with the Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no software is needed on the Microsoft Exchange clients. Exchange Transport Scanner scans incoming email attachments, guarding the main virus entry point in an Exchange environment.

How it works

A folder mx2 is created at the Norman root folder when Exchange Transport Scanner is installed. The Exchange Transport Scanner path is %systemdrive%\Program Files\Norman\mx2.

Files are copied into the mx2 directory during installation:

• \bin\nx2agent.dll – Transport agent that communicates with the service

• \bin\nx2installer.exe – Exchange Transport Scanner installer

• \bin\nx2svc.exe – Exchange scanner service

• \bin\release_notes.txt – Release Notes

• \res\mx2.nts – Configuration database element

Exchange Transport Scanner uses a Transport Agent on the HubTransport server to access all emails and attachments sent to and from the Exchange system. When the Exchange server starts, Exchange Transport Scanner will analyze incoming emails and scan any file attachments for malware. Attachments containing malware are removed before the email is delivered to its destination.

The Exchange Transport Scanner plugin is configured in the standard Endpoint Protection configuration panel. It appears as a separate module in the configuration editor and gives access to Exchange Transport Scanner specific settings, while messaging, updating etc. is configured in the common settings.

Activity log

Exchange Transport Scanner offers a comprehensive and robust malware incident activity log in the Windows Event log and in the Endpoint Protection log file:

• Malware name (if known)

• Name of attachment

• Subject

• Creation time and date

• Name and address of originator

• Name of recipient(s)

• Action taken (cleaned, removed, quarantined)

From the Endpoint Protection module’s Support Center > Messaging Log Viewer you can view incidents from Exchange Transport Scanner.


System Requirements

Exchange Transport Scanner requires that an Endpoint Protection 11.x client is installed on the Microsoft Exchange server.

Supported versions: MS Exchange from 2010 SP2 to 2013 CU4/SP1

Antivirus products from other vendors may be incompatible with Endpoint Protection. You should uninstall other antivirus programs before installing Endpoint Protection.

Exchange Transport Scanner must be installed on the Windows server where the MS Exchange Server is installed.

You must be logged in to the system with administrator privileges in order to install the program.

Installation

Exchange Transport Scanner must be installed on the Windows server where the HubTransport role of the Microsoft Exchange Server is installed.

If you terminate the setup program during installation, the files that are already copied to your hard drive must be removed manually.

Local installation

1. Download and install Endpoint Protection 11.x on your MS Exchange server.

The license key must include Exchange Transport Scanner.

When the program is installed an N-icon will appear in the system tray menu.

2. Right-click the N-icon and select Endpoint Protection to open the program.

3. Go to Endpoint Protection > Install and Update.

4. From the Licensed Products list select Not installed for Exchange Transport Scanner.

5. Click Install from the popup dialog that appears.

Please wait while the program is installed and updates are downloaded. You may be required to restart the MS Exchange server when the installation is complete.

An Exchange Transport Scanner entry is added to the left-hand side menu.

6. Go to Exchange Transport Scanner.


Installing from Endpoint Manager

Endpoint Protection 11.x must already be installed and managed by an Endpoint Manager on the designated MS Exchange Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 29)

2. Create a new policy.

Enter a name and optionally a note and click Create.

The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the Exchange Transport Scanner product.

4. If necessary, edit the newly created policy’s default configuration.

5. Create a group.

To install the product on servers you must create a group in the Endpoint Manager console.

Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

Exchange Transport Scanner will be installed to all servers or computers in this group.

Updating

Obtaining frequent updates is critical to maintaining a secure computing environment. You should configure automatic update of your Exchange Transport Scanner installation (unless you update from CD only). In addition to the scanner engine components, the Internet update feature provides updates to Endpoint Protection, including program updates.

Exchange Transport Scanner updates itself dynamically. A few minutes after new virus definitions are installed, Exchange Transport Scanner will start to scan using the updated files.

Automatic update

Install and update settings are by default set to automatically update every second hour. To edit the update method go to Install and Update > Settings > Select update method. Select Automatically every and a frequency from the drop-down menu. Click Save.


Getting started

Once installed, the Exchange Transport Scanner server plug-in entry appears on the Endpoint Protection’s left-hand side menu.

The entry appears with a warning triangle. This is to notify that you need to create a domain user before you can start using the program.

To start using the program you must create a unique domain user.

Create a domain user

1. Enter domain, username and password and click Create.

Only Administrators or users with Administrator privileges can create a domain user. When creating a domain user you will be prompted to log in as Administrator unless you have the privileges to create a domain user.

The Total and Today columns display today’s numbers and the accumulated numbers since the plug-in was installed.

Configuration

Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

The following configuration options are identical to the options available from Policies in the Endpoint Manager console. See “Configure policies” on page 30.


Block/Allow

Click Block/Allow from the main menu to configure attachment blocking and email blocking/allowing for the scanner.

Block attachments

Specify filenames that should be blocked. The wildcard (*) is accepted for blocking specific extensions. Only a wildcard for the filename part is allowed, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these also represent a potential risk for virus infections.

In this field you can also block specific attachments with names known to contain viruses, such as AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition files are available.

Block/Allow email

Specify email addresses that should be blocked (senders) or allowed (senders/receivers). The asterisk (*) is accepted as wildcard.

Use with caution: Attachments from email addresses in the allow list will not be scanned for malware.


Settings

Click Settings from the main menu to configure general and advanced settings for the scanner.

General

Enable Exchange Transport Scanner

Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Malware handling

Attempt to clean infected attachments

Select this option if you want Exchange Transport Scanner to attempt to clean infected attachments.

Quarantine infected attachments

Select this option to quarantine infected attachments.

Delete infected attachments

Select this option to delete infected attachments.

Domain User

This information displays the current domain and username.

Reset Domain User

To edit the domain and/or username, click Reset Domain User and enter the new information.


Advanced

Email server

Protect users from mass mailers

Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the virus itself, since the email is illegitimate and has no genuine sender. If you select this option, the entire email is deleted, rather than only the infected attachment being removed.

This feature will only work for mass-mailers that carry a flag from the scanner engine that they are mass-mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.

Scan archives

When this option is selected, Exchange Transport Scanner will scan recursively inside archive files for all supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

This will take more time and may consume more memory, but it’s the safest option to ensure that your server is absolutely virus free.

Attachment blocking

Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking affects new emails only.

Incorrect use of the blocking utility may cause loss of data.

Block all attachments

All attachments are blocked. See also the paragraph above.

Block attachments with double extensions

Many worms and email viruses apply a technique where an additional extension is added, for example <filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to only have the extension .jpg. However, this feature is not only used by viruses; nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions.


Block attachments with CLSID extensions

Some worms and email viruses apply a CLSID technique in an attempt to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives

Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the Bagle worms, which send themselves attached as encrypted archives.

Legitimate files may be sent using the same method. If you select this option, all encrypted archive formats known to the antivirus application will be blocked. Unknown archive formats will also be blocked.

The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

Unsupported archives are also blocked.

Quarantine blocked attachments

Blocked attachments will be sent to the quarantine.

Delete blocked attachments

Blocked attachments will be deleted.
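The following Python is an added example, not part of this guide or of the Norman product code. It models the attachment-blocking rules described in this Settings section and in the Block/Allow and Appendix D block list sections (block list with * wildcards, double extensions, CLSID extensions, encrypted archives), so an administrator can check which attachment names a policy would stop and see the false positives the guide warns about. The exact CLSID pattern, the block list contents and the ZIP-only encryption check are assumptions of the example.

```python
"""Attachment-blocking checks modelled on the guide's options (added example)."""
import io
import re
import struct
import zipfile
from typing import Optional

# Windows CLSID form {8-4-4-4-12 hex digits}; the guide only shows "{...}", so the
# exact shape is an assumption of this example.
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Constructed block list following the guide's suggestions, not a product default.
DEFAULT_BLOCK_LIST = ["*.vbs", "*.pif", "*.lnk", "*.exe", "*.com", "*.bat",
                      "AnnaKournikova.jpg.vbs"]

def has_double_extension(name: str) -> bool:
    """True for names with two or more extensions (photo.jpg.vbs); nexscan.hlp.zip matches too."""
    parts = name.split(".")
    return len(parts) >= 3 and all(parts)

def has_clsid_extension(name: str) -> bool:
    """True when the final extension is a brace-delimited CLSID."""
    return "." in name and bool(CLSID_RE.match(name.rsplit(".", 1)[-1]))

def matches_block_list(name: str, block_list) -> Optional[str]:
    """Case-insensitive match; '*' is the only wildcard, as in the guide."""
    for pattern in block_list:
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        if re.match(regex, name, re.I):
            return pattern
    return None

def is_encrypted_zip(data: bytes) -> bool:
    """Reads bit 0 (encryption) of the general-purpose flag in the first ZIP local
    file header. Only ZIP is handled here; the product covers many more formats."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)

def classify_attachment(name, data=b"", block_list=DEFAULT_BLOCK_LIST) -> Optional[str]:
    """Returns why an attachment would be blocked, or None if it passes."""
    hit = matches_block_list(name, block_list)
    if hit:
        return f"block list ({hit})"
    if has_clsid_extension(name):
        return "CLSID extension"
    if has_double_extension(name):
        return "double extension"
    if is_encrypted_zip(data):
        return "encrypted archive"
    return None

def sample_zip(encrypted: bool) -> bytes:
    """Constructed test data: a one-entry ZIP, optionally with the encryption bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed payload, not malware")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= 0x01  # set the encryption flag in the local file header
    return bytes(blob)
```

Feeding a mailbox's attachment names through classify_attachment before enabling a rule shows how many legitimate files (todolist 20.dec.doc and the like) the double-extension option would also stop.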


Copyright © 2015 AVG Technologies

In November 2014 Norman was acquired by AVG Technologies. We have teamed up to develop the best security software for businesses and consumers.

Norman contact details

Norman Safeground AS | PO box 43, 1324 Lysaker, Norway | Office address: Strandveien 37, Lysaker

Tel: 67109700 | E-mail: [email protected] | www.norman.com

Offices

• Norway www.norman.com

• Denmark www.norman.com/dk

• France www.norman.com/fr

• Germany www.norman.com/de

• Italy www.norman.com/it

• Netherlands www.norman.com/nl

• Norway www.norman.com/no

• Spain www.norman.com/es

• Sweden www.norman.com/sv

• Switzerland www.norman.com/ch

• United Kingdom www.norman.com/uk

