SEP 11.x vs. SAV 10.x - Differences, Migration Information, and Tips

This document is intended for SAV (Symantec AntiVirus) server administrators and highlights differences between SEP 11.x and SAV 10.x, migration information, and relevant tips. Of note, Symantec Endpoint Protection (SEP) 11.x is a suite of applications, you can choose what to install, that contains the next revision of Symantec's antivirus product. The last full release of the standalone SAV corporate product was SAV 10. The information contained below has all been gleaned from reading the first two .pdf files referenced below.

You cannot manage SAV 10.x, 9.x, etc clients from a SEP 11.x server. Nor can you manage SEP 11.x clients from a SAV 10.x or earlier version of SAV server. If you do not want to migrate all of your SAV 10.x, 9.x clients at one time to SEP 11.x, you will need to run two managed servers in parallel. One SAV 10.x server to manage your SAV 10.x, 9.x, etc clients and one SEP 11.x server to manage your SEP 11.x clients.

Detailed migration information is included in the documentation referenced below.

Tips

Chapter 7 of the "Installation Guide" walks you through a very specific set of testing and planning steps for migrating older client software. Symantec supports migrations from Symantec AntiVirus client and server 9.x and later and Symantec Client Security client and server 2.x and later. It would be wise to follow them to make sure you know what behavior to expect in your environment. Symantec's SEP 11.x FAQ is also a very good resource about the product and about migration.

- Installation Guide

- Administration Guide

- SEP 11.x FAQ (4th section is on Migration to SEP 11 - well-documented)

2. The embedded database (Sybase) is easiest to install and configure but only supports up to 5,000 clients. Please determine whether you will need to use an alternate database (such as Microsoft SQL Server, supports up to 50,000) before installing anything.

Notes:
a. "The use of Microsoft SQL Server also provides additional flexibility for installing additional Symantec Endpoint Protection Managers for failover and load balancing."

b. However, "Replication configurations are supported with both embedded and Microsoft SQL Server databases...If one database fails, you can still manage and control all clients because the other database contains the client information."

3. Symantec Endpoint Protection contains many components that you can select to install or not install. Those components include the following:

- Core files (required)
- Antivirus and Antispyware (optional) -> includes an option for AntiVirus Email Tools
- Proactive Threat Protection (optional) -> includes options for Proactive Threat Scan and Application Control and Device Control
- Network Threat Protection (optional) -> includes an option for Firewall and Intrusion Prevention

Note: "Symantec Endpoint Protection also installs Symantec Network Access Control (NAC) software, but Symantec Network Access Control is not enabled. When you update the Symantec Endpoint Protection Manager Console for Symantec Network Access Control (aka purchase licenses), the client Symantec Network Access Control feature automatically appears in the client user interface."

Licenses for Symantec's NAC software need to be purchased separately. More details about this can be found in Chapter 5 of the Installation Guide.

4. Managed Groups can contain both 32-bit clients and 64-bit clients. However, you must deploy both 32-bit packages and 64-bit packages separately to the clients.

5. The Administration Guide contains complete information about client installation packages (Section 1, Chapter 6). Please note it appears you must install Symantec Endpoint Protection Manager in order to create installation packages.

6. A nicely detailed table of ports for client and server installation and communication can be found in Chapter 3 of the Installation Guide. Other network and system requirements can also be found in that chapter.

7. The SEP 11.x client can be installed via the built-in "Push Deployment Wizard," the built-in "Find Unmanaged Computers," importing a file of IP addresses, Altiris, or various 3rd-party solutions such as (but not limited to) Microsoft Active Directory (GPO), Microsoft SMS, Tivoli, or Novell ZENworks. Details on this information are found in Chapter 5 of the Installation Guide.

8. When you install a Symantec Endpoint Protection Manager (Chapter 4 of the Installation Guide), the installation creates a file named Sylink.xml. Symantec clients read the contents of this file to know which Symantec Endpoint Protection Manager manages the client. If you do not copy this file to the installation files before you install the client software, you will create unmanaged clients.
Note: This information does not apply to packages that are exported with the Symantec Endpoint Protection Manager Console. These packages already contain sylink.xml.

9. You cannot uninstall SEP 11.x clients from the SEP 11.x Manager console. You can, however, uninstall the SEP 11.x client software with the Windows Add and Remove utility or third party solutions such as Altiris or Microsoft SMS to uninstall the client remotely.

10. As previously mentioned, Chapter 7 of the Installation Guide walks you through a very specific set of testing and planning steps for migrating older client software. Symantec supports migrations from Symantec AntiVirus client and server 9.x and later and Symantec Client Security client and server 2.x and later. Before migrating be sure to (via the Symantec System Center console) disable scheduled scans, modify Quarantine purge opitions, delete histories, disable LiveUpdate, disable roaming, unlock server groups, and disable Tamper Protection.

11. If configured properly in the Symantec Endpoint Protection Manager, SEP 11.x clients can now download product updates using LiveUpdate. Details can be found in Appendix B of the Installation Guide.

12. Recommendations for Disaster Recovery can be found in Appendix C of the Installation Guide.

13. The Administrative Guide contains very detailed information on lots of different tasks including organizational structuring, managing administrators, limiting user access, reports, logs, notifications, managing servers, managing databases, replicating data, managing tamper protection, policy management, configuring antivirus, antispyware, network threat and proactive threat protection, and configuring centralized exceptions.

14. Tamper Protection Settings are not migrated. They are part of the client general settings rather than the AntiVirus and AntiSpyware policies.

15. For those planning to migrate clients in stages, while you can install the SEP 11.x Manager console on the same computer running the Symantec System Center (management console for SAV 10.x and below), it is not recommended in order to avoid performance and communicaton problems.

16. If clients are not rebooted after upgrading to SEP 11.x, they will only be protected with the AntiVirus and AntiSpyware pieces. A reboot is required to enable the firewall features.

17. You can run reports while migrating to show progress. See the SEP 11.x FAQ linked in Step 1 (under the migration section).

18. You cannot yet manage Mac Symantec products from the SEP 11.x Manager, but a SEP 11.x client for Mac is on the map and, when released, will be managable from the SEP 11.x Manager console.

19. You can connect to the SEP 11.x Manager console from a browser. Default is http://<ip of SEP 11.x Manager>:9090.

Lastly, there is a Client Guide for your reference, but everything of note should be covered in the two guides listed at the beginning of this document. It is tailored toward configuring the client in non-managed situations, but feel free to browse it.

- Client Guide