Norman Endpoint Protection (download01.norman.no/...EndpointProtection_910.pdf)


Norman Endpoint Protection version 9.10

Administrator’s Guide

Features
• Endpoint Manager
• Antivirus and Antispyware
• Reports
• Statistics

Including the appendices
• Endpoint Protection for Linux
• MailScan for Domino
• Exchange Mailbox Scanner
• Exchange Transport Scanner


Copyright © 1990-2013 Norman Safeground AS

Administrator’s Guide: Norman Endpoint Manager | Version: 9.10

Limited Warranty

Norman Safeground guarantees that the enclosed CD/DVD-ROM and documentation do not have production flaws. If you report a flaw within 30 days of purchase, Norman Safeground will replace the defective CD/DVD-ROM and/or documentation at no charge. Proof of purchase must be enclosed with any claim.

This warranty is limited to replacement of the product. Norman Safeground is not liable for any other form of loss or damage arising from use of the software or documentation or from errors or deficiencies therein, including but not limited to loss of earnings.

With regard to defects or flaws in the CD/DVD-ROM or documentation, or this licensing agreement, this warranty supersedes any other warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, Norman Safeground will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages.

This warranty expires 30 days after purchase.

The information in this document as well as the functionality of the software is subject to change without notice. The software may be used in accordance with the terms of the license agreement. The purchaser may make one copy of the software for backup purposes. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without the explicit written permission of Norman Safeground.

Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only.

Norman Safeground documentation and software are Copyright © 1990-2013 Norman Safeground AS.

All rights reserved.

Last revised September, 2013.


Contents

About (p. 6)
  Help and support (p. 6)
System requirements (p. 7)
Introduction (p. 8)
  The concept (p. 8)
  Management console (p. 8)
  Definition of terms (p. 10)
  Primary functions (p. 11)
Installation (p. 14)
  Installing (p. 14)
  Uninstalling (p. 16)
  Installing on clients (p. 17)
    Generate and run an installer (msi) (p. 17)
    Distributing clients using an image (p. 17)
Getting started (p. 18)
  Support (p. 18)
  Risk level bar (p. 18)
  Current status (p. 18)
Home (p. 21)
Clients (p. 22)
  Organizing groups and clients (p. 23)
  Predefined groups (p. 24)
  Client/machine information (p. 25)
  About status (p. 26)
  Create a new group (p. 26)
  Delete a group (p. 26)
  Client states (p. 27)
  Transitions between states (p. 27)
  Action buttons (p. 28)
Policies (p. 30)
  Create a new policy (p. 30)
  Configure policies (p. 31)
    Antivirus & Antispyware (p. 32)
    Product Manager (p. 38)
    Intrusion Guard (p. 41)
  Assign a policy to a group (p. 44)
Products (p. 45)
  Licenses (p. 45)
  Languages (p. 46)
  Platforms (p. 46)
Reports (p. 47)
  History (p. 47)
  Reports (p. 48)
Settings (p. 49)
  Realm administrators (p. 49)
  Backup and restore (p. 49)
    Backup (p. 50)
    Restore (p. 51)
  Generate installers (p. 52)
  Remote access (p. 54)
  Event management (p. 55)
    Triggers (p. 55)
    Email settings (p. 56)
    SNMP settings (p. 57)
    Syslog settings (p. 57)
  Display name priority (p. 57)
  Topology filters (p. 58)
    Alternative client filtering (p. 59)
    Supervisor process (p. 60)
Appendix A: Passive discovery (p. 62)
  Technical description (p. 62)
Appendix B: Endpoint Protection for Linux (p. 63)
  Introduction (p. 63)
  System requirements (p. 63)
  Installation (p. 63)
    Setting up the management console (p. 63)
    Installing Endpoint Protection for Linux (p. 64)
  Updating (p. 65)
  Uninstalling (p. 65)
  Use and configuration (p. 66)
    Home (p. 66)
    Antivirus & Antispyware (p. 66)
    Install and Update (p. 68)
Appendix C: MailScan for Domino (p. 72)
  Introduction (p. 72)
    How it works (p. 72)
    Activity log (p. 72)
  System requirements (p. 73)
  Installation (p. 73)
    Local installation (p. 73)
    Installing from Endpoint Manager (p. 74)
  Updating (p. 74)
  Use and configuration (p. 75)
    Block/Allow (p. 75)
    Settings (p. 76)
Appendix D: Exchange Mailbox Scanner (p. 79)
  Introduction (p. 79)
    Exchange Service Monitor (ESM) (p. 79)
  System requirements (p. 80)
  Installation (p. 80)
  Updating (p. 80)
  Use and configuration (p. 81)
    Settings (p. 81)
    Virus scanning (p. 81)
    Attachment blocking (p. 83)
    Block list (p. 84)
Appendix E: Exchange Transport Scanner (p. 85)
  Introduction (p. 85)
    How it works (p. 85)
    Activity log (p. 85)
  System requirements (p. 86)
  Installation (p. 86)
    Installing (p. 86)
  Updating (p. 87)
  Use and configuration (p. 88)
    Create a domain user (p. 88)
    Block/Allow (p. 89)
    Settings (p. 90)


About

About this version

The current release is available in several languages. New languages are added at irregular intervals. Check Norman’s web sites for details, or contact your local dealer for more information about language versions.

About this manual

This manual presents an overview of the features and key functions in Endpoint Manager (the management console) and how they work with Endpoint Protection (the framework for Endpoint Manager installations and the name of the client security software). The guide focuses on the management console and covers the configuration options for Endpoint Protection.

About SandBox

Sandbox is the term for the technique used to check whether a file is infected by an unknown virus. The method lets untrusted, possibly viral code run in a simulated and restricted area of the computer. The sandbox is equipped with everything a virus expects to find in a real computer. It is a playground where it is safe to let a virus replicate, but where every step is carefully monitored and logged. The virus exposes itself in the sandbox, and because its actions have been recorded, the cure for the new perpetrator can be generated automatically.

Today a new e-mail worm can infect tens of thousands of workstations in a matter of seconds. Antivirus vendors are expected to find the cure, update the virus definition files and distribute them to their customers immediately. Speed is imperative, because a single piece of viral code can paralyze networks and cause serious damage to an unlimited number of computers.

Help and support

We recommend that you read this guide thoroughly and use it for reference during installation. In it you will find instructions on how to install, upgrade and use your licensed software. We provide technical support and consultancy services, both on the product and on security issues in general. Technical support also includes quality assurance of your antivirus installation, including assistance in tailoring the security software to match your exact needs. For training or technical support issues, please contact your local dealer or a Norman office. Please visit us at www.norman.com/support.


System requirements

Endpoint Protection and Endpoint Manager are designed to work in IP-based networks. Communication between the management console servers (Toplevel and Midlevel Managers) and the clients uses TCP/IP on port 2868, which Norman AS has reserved and registered. The Information Exchange (NIX) protocol is used, and both binary traffic and HTTP-based communication share this one port. Any host or network firewall between clients and their managers must therefore allow TCP 2868 from the clients to the manager.

The platforms that the Endpoint Protection framework runs on do not have to be servers, but they must be licensed to allow an unlimited number of IP connections on a given port. The management console processes make extensive use of memory caching, and the amount of available RAM directly affects system performance.

This version supports installation of Endpoint Protection and Endpoint Managers (management consoles) on the following clients and/or servers:

Windows
  XP 32-bit SP2 / 64-bit SP1 (SP3 recommended)
  Vista 32-bit/64-bit (SP1 recommended)
  7 32-bit/64-bit (SP1 recommended)
  8 32-bit/64-bit
  Server 2003 32-bit SP1 / 64-bit SP1 (SP2 recommended)
  Server 2008 32-bit/64-bit
  Server 2008 R2 64-bit
  Server 2012 64-bit

In general, we recommend that the latest available Service Pack is always installed for any platform.

Hardware requirements

Endpoint Managers
  CPU: 1.5 GHz
  RAM: 1 GB (2 GB recommended)
  Disk space: 2 GB for a network with approximately 100 clients, plus 10 MB for each additional 100 clients.

Endpoint clients
  CPU: 1.5 GHz
  RAM: 512 MB
  Disk space: 1.5 GB

Other requirements

Internet browsers
  Mozilla Firefox 4 (or later)
  Internet Explorer* 7 (or later)
  Opera 11 (or later)
  Chrome 12 (or later)

* We do not recommend this browser due to some challenges when working with Java.

In general, the Endpoint Manager makes extensive use of memory caching for its data handling. In larger networks, the Endpoint Manager will perform better with more available RAM.


Introduction

Endpoint Protection constitutes the framework for hosting a range of applications that can be installed and controlled through a common licensing and update system.

The concept

A management console installation is a node in a network where the clients’ configuration is managed. This is done by establishing policies that include product configuration. When a client contacts the management console to fetch a configuration, the settings for the relevant policy are sent back.

Information about the clients is sent to the management console through the messaging system or through a separate HTTP-wrapped protocol. A database on the management console holds information about all the IP-based devices in the network. Clients can be assigned policies and hence be managed from the management console.

A node that is designated the management console is a regular corporate node with additional administrative functionality. The management console maintains lists in its local database of manageable and unmanageable clients, and displays status information and network statistics.

One of the management console’s fundamental properties is that nodes and clients in the database are assigned to logical groups that can be configured. All clients within a group share product configuration. Clients in the network contact their assigned management console level and get the configuration defined by the policy established for their specific group. Groups are managed in the management console GUI.

The management console contains additional functionality to distribute, install, manage and control many installations within one organization. Only a few machines in such an environment fetch updates from the outside; most of the distribution takes place within the organization over the local network.

Management console

There is a limit to how many endpoints a single management console can handle. The limit is set by machine performance and/or by the size of the product updates that must be distributed to the endpoints (sometimes more than 100 MB). This has affected larger installations where thousands of managed clients all had to communicate with a single management console. To cater for such installations, software and virus definition updates were distributed to clients from Windows shares instead. Endpoints would still report status to, and receive configuration updates from, the management console, since that data is small.

Multiple managers, multilevel realm

This version supports multiple management consoles. In a multilevel realm there is one Toplevel Manager and, optionally, additional Midlevel Managers. These can be arranged in a tree-like structure with an arbitrary number of levels. Managed clients communicate with the manager they belong to, normally the one located closest to the client. Realm network traffic is thus spread over a number of managers, which provides scalability in larger networks.


The Toplevel Manager is a permanent logical entity in the managed realm. Midlevel Managers, by contrast, can be changed and moved: a managed client can be promoted to the role of Midlevel Manager, moved around within the management console hierarchy, and later demoted to an ordinary managed client. Policy updates, as well as software and definition file updates, are distributed from the Toplevel downwards through the Midlevels and finally to the clients.

TIP Establishing a realm with Midlevel Managers is optional. In smaller networks, for example, this feature may not be a practical solution.

Naming the Toplevel Manager

When creating a realm, you must enter the DNS name by which the Toplevel Manager is known. This name must be resolvable from everywhere in the realm: managed clients use it to update themselves, and in a hierarchy of Midlevel management nodes, the Midlevels use it to contact the Toplevel Manager.
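The two things the guide requires of every client, that the Toplevel Manager's name resolves and that TCP port 2868 is reachable, are worth checking on a client before an installer is rolled out. The script below is an added example and not a Norman tool; the host names in it are made up for illustration, and the resolver and connector are parameters so the check can be exercised offline (by default it uses the real socket library).

```python
"""Pre-flight check for a client joining a Norman Endpoint Protection realm.

Added example, not part of the Norman product. Verifies that the Toplevel
Manager (and any Midlevel Managers the client may be assigned to) resolves
in DNS and accepts TCP connections on the NIX port 2868.
"""
import socket

NIX_PORT = 2868  # the port the guide says Norman registered for manager/client traffic


def default_connect(host: str, port: int, timeout: float) -> bool:
    """Real TCP connect attempt; True if the port accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(toplevel_name: str, managers=(), port: int = NIX_PORT,
              resolve=socket.gethostbyname, connect=default_connect,
              timeout: float = 3.0) -> dict:
    """Return {name: {"resolves": addr or None, "port": port, "port_open": bool}}
    for the Toplevel Manager and any Midlevel Managers given."""
    results = {}
    for name in (toplevel_name, *managers):
        entry = {"resolves": None, "port": port, "port_open": False}
        try:
            entry["resolves"] = resolve(name)
        except OSError:
            results[name] = entry          # unresolvable: the client cannot find it at all
            continue
        entry["port_open"] = connect(entry["resolves"], port, timeout)
        results[name] = entry
    return results


def problems(results: dict) -> list:
    """Plain-language list of what will stop this client from being managed."""
    out = []
    for name, r in results.items():
        if r["resolves"] is None:
            out.append(f"{name}: does not resolve; the client cannot find its manager")
        elif not r["port_open"]:
            out.append(f"{name} ({r['resolves']}): TCP {r['port']} closed; "
                       "check host and network firewalls between client and manager")
    return out


if __name__ == "__main__":
    # Hypothetical names; replace with the DNS name entered when the realm was created.
    report = preflight("toplevel.example.internal", ["mid-01.example.internal"])
    for line in problems(report) or ["all managers reachable on TCP %d" % NIX_PORT]:
        print(line)
```

Run it on a few clients in each network segment before assigning them to a Midlevel Manager; a name that resolves at the Toplevel but not from a remote segment is exactly the failure the "globally resolvable" requirement is meant to prevent.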

Promoting clients

When the realm is created and the initial management console is installed, the management console displays the clients discovered throughout the network. An online managed client can be promoted to a Midlevel Manager. Once promoted, groups of clients can be assigned to it, relieving the Toplevel management console. The Toplevel console still displays the complete network topology, the Midlevel Managers, and status information from every client in the network. When promoting a client to a Midlevel Manager, pick one that is both powerful and physically close to the group of clients that will be assigned to it. A promotion may take 3 to 5 minutes to complete.


Messages

Each manager and managed client keeps data about the manager it reports to and about the Toplevel Manager of the realm. If a Midlevel Manager malfunctions, its managed clients still know the path to the Toplevel Manager, but messages from those clients will not reach the Toplevel Manager until the Midlevel Manager is up and running again. Immediate messages (alarms, errors and warnings) are passed directly to the Toplevel Manager from the Midlevel Manager that the affected client is assigned to; other Midlevel Managers do not receive this information. Less urgent messages with client information such as state, operating system and policy information, IP and MAC address are sent frequently to the client’s manager. Every tenth time, a complete update for each managed client is sent.

Actions

Action buttons (see “Action buttons” on page 28) can be applied to any managed client within the same network segment, for example by a Midlevel Manager’s administrators.

Updating

By default, all Midlevel Managers and their clients receive product and definition file updates, as well as policies containing configuration data, from the Toplevel Manager. In a multilevel realm, client groups may be assigned to any management console, from which they will then update, for load balancing or other practical reasons.
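The routing rules above (promotion and demotion of Midlevel Managers, immediate messages passed straight to the Toplevel, every tenth routine report being a full update, and a failed Midlevel Manager holding up its clients' messages) are easier to reason about as a small model. The following is an added example written for this guide, not Norman code; the class and host names are its own and it models only what the "Promoting clients" and "Messages" passages describe.

```python
"""Toy model of a multilevel Endpoint Manager realm (added example, not Norman code).

Models: one Toplevel Manager; Midlevel Managers promoted from online clients;
clients that remember both their own manager and the Toplevel; immediate
messages (alarm/error/warning) forwarded straight to the Toplevel; routine
reports to the client's own manager, every tenth one a full update; and a
failed Midlevel Manager holding up its clients' messages until it returns.
"""
from collections import deque
from dataclasses import dataclass, field

IMMEDIATE = {"alarm", "error", "warning"}


@dataclass
class Node:
    name: str
    role: str = "client"             # "client", "midlevel" or "toplevel"
    online: bool = True
    manager: "Node | None" = None    # the manager this node reports to
    toplevel: "Node | None" = None   # remembered path to the Toplevel Manager
    inbox: list = field(default_factory=list)
    pending: deque = field(default_factory=deque)  # held while the manager is down
    reports_sent: int = 0


class Realm:
    def __init__(self, toplevel_name):
        self.toplevel = Node(toplevel_name, role="toplevel")
        self.toplevel.toplevel = self.toplevel
        self.nodes = {toplevel_name: self.toplevel}

    def add_client(self, name, manager=None):
        node = Node(name, manager=manager or self.toplevel, toplevel=self.toplevel)
        self.nodes[name] = node
        return node

    def promote(self, name):
        """Only an online managed client can become a Midlevel Manager."""
        node = self.nodes[name]
        if node.role != "client" or not node.online:
            raise ValueError(f"{name}: only an online managed client can be promoted")
        node.role, node.manager = "midlevel", self.toplevel
        return node

    def demote(self, name):
        """Back to an ordinary client; its clients fall back to the Toplevel."""
        node = self.nodes[name]
        if node.role != "midlevel":
            raise ValueError(f"{name} is not a Midlevel Manager")
        for other in self.nodes.values():
            if other.manager is node:
                other.manager = self.toplevel
        node.role = "client"
        return node

    def assign(self, client_name, manager_name):
        mgr = self.nodes[manager_name]
        if mgr.role == "client":
            raise ValueError(f"{manager_name} is not a manager")
        self.nodes[client_name].manager = mgr

    def send(self, client_name, kind, body):
        """Route one message; returns 'toplevel', 'manager' or 'queued'."""
        client = self.nodes[client_name]
        mgr = client.manager
        if not mgr.online:
            # A down Midlevel Manager holds up everything from its clients,
            # immediate messages included, until it is back.
            client.pending.append((kind, body))
            return "queued"
        if kind in IMMEDIATE:
            # Passed straight on to the Toplevel; other Midlevels never see it.
            mgr.inbox.append((client_name, kind, body))
            if mgr is not self.toplevel:
                self.toplevel.inbox.append((client_name, kind, body))
            return "toplevel"
        client.reports_sent += 1
        kind = "full-update" if client.reports_sent % 10 == 0 else "status"
        mgr.inbox.append((client_name, kind, body))
        return "manager"

    def set_online(self, name, online):
        """Bring a node up or down; on recovery flush what its clients queued."""
        node = self.nodes[name]
        node.online = online
        flushed = 0
        if online:
            for client in self.nodes.values():
                while client.manager is node and client.pending:
                    self.send(client.name, *client.pending.popleft())
                    flushed += 1
        return flushed


if __name__ == "__main__":
    realm = Realm("toplevel.example.internal")      # hypothetical realm name
    realm.add_client("ws-01")
    realm.promote(realm.add_client("ws-02").name)
    realm.assign("ws-01", "ws-02")
    print(realm.send("ws-01", "alarm", "virus found"))   # toplevel
    realm.set_online("ws-02", False)
    print(realm.send("ws-01", "error", "scan failed"))   # queued
    print(realm.set_online("ws-02", True), "message(s) flushed")
```

The point the model makes concrete is the operational one: an alarm from a client behind a dead Midlevel Manager is invisible at the Toplevel until that Midlevel is back, so a Midlevel Manager that is down is itself something the Toplevel administrator needs to be alerted about.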

MoreRead more about features and news at www.norman.com.

Definition of terms

• Endpoint Manager: The management console system in the realm where the network and the security products can be configured and controlled. It includes configurable, logical groups of nodes and clients in the database that share product configuration and receive updates from their common Manager.
• Multilevel: A management console installation where several Managers can be introduced in a tree-like structure.
• Toplevel Manager: The first management console to be installed in a network. During installation, the realm credentials package is established (realm name, realm owner name, etc.). The Toplevel Manager is at the top of the hierarchy. There can only be one Toplevel Manager within a realm.
• Midlevel Manager: An additional management console that reports to the Toplevel Manager.
• Endpoint Protection: The managed client security software, and the framework for installing a management console.
• Realm: The organizational collection of clients that is controlled by a management console, similar to a domain.
• NISE (Norman Internet Server Engine): An HTTP server that serves files, local database resources or GUI content. It shares port 2868, the messaging system port.
• Credentials package: A unique data package identifying a realm. The package contains the data that allows clients in a realm to communicate with the management console, and vice versa.


Primary functions

The management console in an Endpoint Protection environment is the single point from which all relevant products are administered. It:

• Provides a view of network devices and their status
• Generates and displays event and status statistics
• Manages the Toplevel and all Midlevel Managers
• Manages incoming alarms, warnings and errors
• Manages configurations for current and future products
• Manages policies and assigns them to client groups
• Manages product installation in a network
• Manages the Internet Update configuration
• Generates and exports reports from statistical numbers in the database
• Provides redundancy for the topology and configuration database, including manual export/import
• Manages the administrators of the realm
• Creates installers for additional endpoint clients
• Serves as a distribution point for definition files and software updates

A management console node will receive system messages from clients throughout the network. Data about network devices is passively collected and qualified by the distributed clients. The topology information is then reported to the management console. From the management console network map, clients can be arranged in groups.

Theory of operation

Endpoint Manager is a product that provides management of Endpoint Protection clients. It comprises the following main components:

• A database that holds managed and unmanaged network clients and their data as well as product policies.

• Credentials data that defines the logical realm that is being managed.

• A client component that is a part of all managed clients.

• A server component that runs the management processes on the management console.

The management console was designed with scalability in mind. Emphasis has been put on keeping network traffic low. The management server and the clients communicate continuously, but in a serialized manner. This means that the network picture during normal operations is not real-time, but it is current enough as long as everything is normal. On-demand administrative actions and critical messages from the clients, however, are real-time.

Networks with a large number of clients

The management console has been tested to support 15000 clients for policy management and status reporting, but the figure will vary with the kind of platform it is hosted on. Testing was performed with no distribution of software updates, which are very bandwidth- and CPU-intensive.

In previous versions, one management console would manage all the clients within the realm. In a large network, the management network traffic to the management console could represent a considerable load. The (optional) hierarchical management structure introduced in this version alleviates this load.

An alternate update path may be a useful feature in installations where the console manages several hundred machines and setting up multilevel managers is not affordable. The alternate path points to a separate file share where the updates are placed. One sign of a server overload is that you often see ‘Nise too busy!’ messages in the elogger. Another symptom is that the management consoles become sluggish or even unresponsive. Contact local support for help if necessary. See also “Alternate update path” on page 39.


The realm

The term realm denotes the logical collection of networks and network devices that make up the infrastructure where the software is installed. A network administrator will name the realm and define who will manage it. The management console will show a map of the devices that are included in the realm. These devices may or may not be managed. An administrator can include devices into the realm, or they can be auto-discovered.

The realm consists of a set of unique data that is duplicated between the management consoles and the managed clients. The data provides a way to encode the data communications between the management consoles and the clients. They also serve as a method to identify which clients are managed or not.

Configuration is changed centrally for the realm, and the clients retrieve the updated settings. Management of the clients is accomplished through changing the clients’ configuration and by issuing tasks through the same mechanism. Additionally, some direct commands allow an administrator to ask a client for information or issue instructions to the client’s Program Manager. These commands can be used to tell a client to refresh an installation or update itself on demand. See ”Action buttons” on page 28 for details.

The management console has a built-in backup mechanism to save the realm data. This is important in case the management console is damaged. It will then be possible to install a new management station and continue the management of all the existing clients without having to reinstall them.

Events in the realm

Messages

Managed clients use the messaging system to communicate events on the clients. Events sent as messages are Alarms, Errors, and Warnings. When messages reach the management console, they are sorted and stored with the database entry of the associated client.

Messages from Midlevel to Toplevel Manager

All clients, also those within a midlevel hierarchy, send messages about events (alarms, errors, warnings) directly to the Toplevel Manager. Clients on sublevels to a Midlevel Manager report to this as well. This Midlevel Manager in turn sends the messages to the Toplevel Manager, but skips possible Midlevels located in between.

As a result, the Toplevel Manager counts and displays messages from all clients, while a Midlevel Manager counts and displays messages only from the clients it is directly responsible for. These include messages from Midlevel Managers placed under it in the hierarchy, but not their clients.

EXAMPLE Headquarter (Toplevel) - Europe (Midlevel) - Support (Midlevel) - Sales (Midlevel)

‘Europe’ (Midlevel) cannot see that there are virus outbreaks on ‘Sales’ (Midlevel). This information will only be visible for ‘Headquarter’ (Toplevel), and on the local Midlevel management console ‘Sales’.
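The visibility rule above, modelled in Python as an added example (not Norman's code): every event is counted by the Toplevel Manager and by the reporting node's own manager, and a Midlevel Manager is treated as a client of the manager above it. The hierarchy is the guide's Headquarter / Europe / Support / Sales chain; the client names and the events are constructed.

```python
"""Where event messages (alarms, errors, warnings) are counted in a
Toplevel/Midlevel hierarchy, following the guide's description.
Added example, not part of Norman Endpoint Manager."""
from collections import Counter, defaultdict
from typing import Dict, Optional, Set


class Realm:
    def __init__(self, toplevel: str) -> None:
        self.toplevel = toplevel
        # node -> the manager it reports to (None for the Toplevel itself)
        self.parent: Dict[str, Optional[str]] = {toplevel: None}
        self.managers: Set[str] = {toplevel}
        # console -> Counter of event kinds it has counted
        self.counts: Dict[str, Counter] = defaultdict(Counter)

    def add_midlevel(self, name: str, reports_to: str) -> None:
        """A Midlevel Manager is itself a client of the manager above it."""
        self.parent[name] = reports_to
        self.managers.add(name)

    def add_client(self, name: str, reports_to: str) -> None:
        self.parent[name] = reports_to

    def recipients(self, node: str) -> Set[str]:
        """Consoles that count an event raised on `node`: the Toplevel
        always (clients report to it directly, skipping any Midlevels in
        between) plus the node's own direct manager."""
        targets = {self.toplevel}
        manager = self.parent[node]
        if manager is not None:
            targets.add(manager)
        return targets

    def report(self, node: str, kind: str) -> None:
        for console in self.recipients(node):
            self.counts[console][kind] += 1

    def visible(self, console: str, kind: str) -> int:
        """Number of events of `kind` this console counts and displays."""
        return self.counts[console][kind]


def guide_example() -> Realm:
    """The guide's chain plus constructed clients and events."""
    r = Realm("Headquarter")
    r.add_midlevel("Europe", reports_to="Headquarter")
    r.add_midlevel("Support", reports_to="Europe")
    r.add_midlevel("Sales", reports_to="Support")
    r.add_client("sales-ws-01", reports_to="Sales")   # constructed
    r.add_client("eu-ws-01", reports_to="Europe")     # constructed
    r.report("sales-ws-01", "alarm")    # virus outbreak on a Sales client
    r.report("eu-ws-01", "warning")     # warning from a Europe client
    r.report("Sales", "error")          # the Sales console itself reports an error
    return r
```

The Sales alarm ends up counted only at Headquarter and Sales; Support sees the error from the Sales console because that console is its direct client, but never the Sales clients' own events.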

Platform and status messages

A special administration protocol conveys data about the general status of managed clients, the platform they originate from, and license information.

Topology messages

Managed clients in a realm will frequently collect data about network traffic and compile lists of detected devices. This is used to let the management console add network devices to its topology map using a passive method rather than active scanning. Common to all this network traffic is that online-status data for the network devices is kept up to date in the management console database.


Realm communications

Once the management console has been installed and a realm established, the client security software may be distributed throughout the network. Nodes in the realm should contact a management console (or a distribution point) to get software and configuration updates. Software updates are distributed as signed packages fetched by an internal protocol.

The same communication channel is used for configuration and management distribution. A node in the network can replicate settings from remote store resources.

Client status

Each time an event from a particular device reaches the management console, managed or not, a timestamp is updated in the management console’s database to reflect when the device was last seen. Network devices can be Online, Stale, and Offline. The status is based on the device’s visibility within a set period of time. These time thresholds can be adjusted on the management console, but the default values have proven to generate a good network status map. If a client has not been seen within this period, the status is set to Stale. Once it is Stale, a separate process within the management console will attempt to actively contact the client to update its status. Note that as long as a client is Online, no active communication is carried out from the management console to the client unless the administrator manually initiates it.

While Stale, the management console will contact the client a certain number of times with a set delay between each attempt. See “Supervisor process” on page 60. If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as Offline. As soon as any information about the client is received, it is immediately marked as Online.

See also the appendix “Appendix A: Passive discovery” on page 62.

Policies

A policy is a collection of product configurations stored on the management console. Managed clients will frequently contact the management console to get a copy of the product settings. The client does not know which policy it is getting. Rather, the management console looks up the policy for the requesting client, and hands back the settings contained in the relevant policy. The administrator can decide whether clients that belong to a policy are allowed to change their settings locally. If so, the administrator can revoke this right and enforce settings from the policy at a later time.

The management console displays a logical network map containing groups of clients. A group can be assigned a policy or keep the original default policy (see “Assign a policy to a group” on page 44). If there are groups within groups with different policies, and a group is deleted, any clients within the group and possible subgroups are moved to the Lost and found group.

Administrative realm

Once a management console has been installed and a realm established, client security software may be distributed throughout the network. The installer contains information that causes the client software to contact the management console in the realm. Nodes in the realm should contact a Toplevel or Midlevel Manager (or other distribution point) to acquire software and configuration updates. Software updates are distributed as packages and are fetched by an internal protocol and not from file shares as before.


Installation

During installation you must complete a regular InstallShield Wizard to install the Endpoint Protection framework, and then the Endpoint Manager Install Wizard to install a management console and establish a realm. When a management console is initially established, the only administrator in the realm is the realm owner. The original realm fundamentals established by the realm owner should be unaffected by alternating administrator regimes. The realm owner is not displayed on the realm administrators list.

NOTE You must create one or more realm administrators after the realm has been established. Future management sessions will be done as one of the realm administrators, and never as the realm owner. The realm owner credentials should only be used when a management console is being restored from a backup.

After the management console has been installed and administrators are added to the realm, the realm owner may create and/or import initial client groups, and set up topology filters for discovered network clients. One particularly important task is to create a client installation package (MSI) to be used for the initial roll-out of managed clients. This package is unique to the realm and will ensure that the clients establish communications with the management console and may be managed by policies.

Database auto-restore

Certain situations may result in a corrupt database, like a system power loss or reset. To ensure stability, the auto-restore system will load a previous store, namely the latest working and complete store. This backup feature is independent of the management console backup system, and it runs on an hourly basis as well as backing up immediately after setting up the realm.

NOTE If you experience situations that may result in a corrupt database, and Endpoint Protection was installed less than an hour ago, and the realm is not created yet, then the restore point is not complete. You will have to uninstall Endpoint Protection completely before you install it again.

Installing

Make sure you have the Endpoint Protection license key at hand before you start.

Step 1: Install Endpoint Protection

1. Run the Endpoint Protection installer and follow the instructions on the screen. The installer contains all supported languages.

NOTE We recommend that you select Custom rather than Complete installation, and select only the language versions that you actually need, to save bandwidth and resources.

2. When the installation is complete, you may be prompted to restart your computer.

Step 2: Install Endpoint Manager

1. When the Norman icon appears in the system tray, right-click it and select Norman Endpoint Manager. The Endpoint Manager Install Wizard is launched. Running the wizard is a mandatory part of the installation.

2. Read the information on the welcome page, select I have read and understand... and then click Continue >.

3. Select the option that applies to your network, either I am establishing a new realm or I am restoring an existing realm:


I am establishing a new realm

NOTE All fields are case sensitive.

1. Realm name
Enter a Realm name of length 2-64 characters. Valid characters are: A-Z, a-z, 0-9 and _ (underscore).

2. Realm owner username / password
Enter an owner username and password of length 5-32 characters. Valid characters are: A-Z, a-z, 0-9.

NOTE The password cannot be reset. Create a password so strong that it is impossible to guess. A password of at least 16 random characters is recommended. Write it down and keep it in a safe place. The only way to change the password is to uninstall and reinstall the Endpoint Manager, but then all management console information and client connectivity are lost too. Restoring a realm from backup also restores the current owner and password.

3. DNS name
Enter a DNS name of length 2-255 characters.

NOTE The machine you’re installing to must have a globally resolvable DNS name to ensure that all clients and midlevels in the realm use the same values. The address you enter cannot be changed later. The fields are not editable.

If you are updating from a previous realm where the Endpoint Manager server was set up as an IP address, there may be some situations where your clients cannot reach the Toplevel Manager.

4. Overview
A dialog appears, displaying the values you just specified. If you are satisfied, print this page for future reference and click Continue to proceed with the installation, or click Back to change the values.

5. Complete
A final dialog appears with a handful of important tips. Click Finish to complete the installation.

6. Log on
In the next dialog, log on to the management console with the values you just confirmed, i.e. username and password.

NOTE If you experience problems logging on to the newly created realm, you must restart your machine. Alternatively, you can access the management console with another browser than IE, for example Mozilla Firefox, using the address: http://localhost:2868/noc/index.phtml.

The management console is launched. We strongly recommend that you create a realm administrator before you do anything else. Go to Settings > Realm administrators. Then select Products and check Licenses, Languages and Platforms. Then go to Licenses > Update selected products to download the latest versions of all selected components. It is important that you select the correct platform of the Endpoint Manager machine in this dialog. You can also select other platforms that Endpoint Protection will be supporting.
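A validator for the values the new-realm wizard accepts, written in Python as an added example (not part of the Norman installer): it applies the character and length rules printed in steps 1 to 3, flags an owner password that the wizard would accept but that is shorter than the recommended 16 characters, and generates one from the allowed alphabet with the operating system's random source, since the owner password can never be reset. The function names and the sample values are the example's own.

```python
"""Checks for the 'I am establishing a new realm' dialog. Added example,
not Norman's code. Rules as printed in the guide: realm name 2-64 chars
of A-Z a-z 0-9 _; owner username and password 5-32 chars of A-Z a-z 0-9;
DNS name 2-255 chars; all fields case sensitive."""
import math
import re
import secrets
import string
from typing import List

REALM_NAME_RE = re.compile(r"[A-Za-z0-9_]{2,64}")
OWNER_CRED_RE = re.compile(r"[A-Za-z0-9]{5,32}")
OWNER_ALPHABET = string.ascii_letters + string.digits   # the 62 allowed symbols
RECOMMENDED_PASSWORD_LEN = 16                           # guide's recommendation
WIZARD_MAX_CRED_LEN = 32                                # wizard's upper limit


def valid_realm_name(name: str) -> bool:
    return REALM_NAME_RE.fullmatch(name) is not None


def valid_owner_credential(value: str) -> bool:
    """Same rule applies to the owner username and the owner password."""
    return OWNER_CRED_RE.fullmatch(value) is not None


def valid_dns_name(name: str) -> bool:
    """The wizard states only a length rule; resolvability is not checked here."""
    return 2 <= len(name) <= 255


def check_new_realm_form(realm: str, owner: str, password: str, dns: str) -> List[str]:
    """Return the problems the wizard would reject (empty list means the form
    is accepted). A too-short owner password is reported as well, because the
    wizard accepts it but it can never be changed afterwards."""
    problems: List[str] = []
    if not valid_realm_name(realm):
        problems.append("realm name: 2-64 characters from A-Z, a-z, 0-9, _")
    if not valid_owner_credential(owner):
        problems.append("owner username: 5-32 characters from A-Z, a-z, 0-9")
    if not valid_owner_credential(password):
        problems.append("owner password: 5-32 characters from A-Z, a-z, 0-9")
    elif len(password) < RECOMMENDED_PASSWORD_LEN:
        problems.append("owner password: accepted, but shorter than the recommended 16 characters")
    if not valid_dns_name(dns):
        problems.append("DNS name: 2-255 characters")
    return problems


def password_entropy_bits(length: int, alphabet_size: int = len(OWNER_ALPHABET)) -> float:
    """Entropy of a uniformly random password over an alphabet of that size."""
    return length * math.log2(alphabet_size)


def generate_owner_password(length: int = RECOMMENDED_PASSWORD_LEN) -> str:
    """Uniformly random owner password from the allowed alphabet, drawn from
    the OS CSPRNG. Kept within the recommended minimum and the wizard's maximum."""
    if not RECOMMENDED_PASSWORD_LEN <= length <= WIZARD_MAX_CRED_LEN:
        raise ValueError("length must be between 16 and 32")
    return "".join(secrets.choice(OWNER_ALPHABET) for _ in range(length))
```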


I am restoring an existing realm

NOTE Make sure that all products in the Endpoint Manager are updated before you restore from a backup. If the client security software is newer than the software on the management console, it may result in a software crash.

1. Enter the name of the backup file you want to restore, or click Browse to find it on your computer. Click Restore > and follow the instructions.

Uninstalling

To uninstall Endpoint Manager, use the standard procedures offered by your operating system, for example Start > Control Panel > Add or Remove Programs. A restart is required after uninstalling the Endpoint Manager.


Installing on clients

Generate and run an installer (msi)

The following describes how you install Endpoint Protection in a network.

1. Generate a Windows Installer file (.msi). See “Generate installers” on page 52.

2. Run the installer file on a client.

When installed on a client, the management console will retrieve, install and set up other products as defined by the group’s policy.

3. Select and drag a client to a group to assign a specific policy to the client. Hold down the Ctrl or SHIFT key to select multiple clients.

4. Click OK to confirm.

Please refer to “Client states” on page 27 and “Transitions between states” on page 27 for an explanation of available icons for groups and clients.

Distributing clients using an image

Endpoint Protection clients can be distributed as part of a client image.

1. Generate a Windows Installer file (.msi). See “Generate installers” on page 52.

2. Install the MSI on the client that will be used to create the image. Wait until the client is done updating itself and is running normally.

3. On the management console: Copy the tool noc_enable.exe from ...\norman\noc\bin.

4. On the client: Save noc_enable.exe to a temporary location. Stop the njeeves process by typing njeeves /unload from the command prompt. After that you will see a “’Jeeves’ not running” error in the system tray icon, but it will not interfere with the process and will be automatically resolved after the image has been created (when the client is restarted).

5. From the command prompt on the client, run noc_enable.exe /unid. This removes the unique client identifier from the system that will be used to create the image. The unique identifier is automatically recreated on the clients after the image has been distributed to the clients in the network.

6. Create the distribution image.


Getting started

The web-based administrative GUI consists of a fixed status and realm overview on the left-hand side and, on the right, the variable main pages: Home, Clients, Policies, Products, Reports and Settings. Clicking a tab on the topmost horizontal menu bar brings you directly to the relevant page.

Support

Clicking the support link at the right-hand top corner of the program window will open Norman’s web pages for help and support. The support pages provide information about available services, Norman offices and local dealers/distributors, and technical support issues, including Knowledge bases and Frequently Asked Questions pages.

Risk level bar

Information from the network about the realm is collected and the risk level is displayed on the bar. The green area indicates a low risk level. The risk is calculated from a weighted analysis of errors, warnings and alarms within the realm, where the number of clients is part of the evaluation. The risk level bar dynamically reflects the activity of all local processes.

NOTE The size of the network combined with the selected trigger threshold values (see “Realm administrators” on page 49) significantly affect the indicator.

EXAMPLE In a network of 10 clients where the trigger threshold is set to 5%, the risk level will be raised if a couple of clients receive a warning, alarm, or error. Just one client with one of those statuses means that 10% of all clients have that status (5% more than the trigger value).

NOTE The intention is to give a general idea about the network health, rather than an exact indication.

Current status

The current status displays the absolute numbers that the risk level bar is based on. Click the plus sign under the risk level bar to expand or collapse the status view. The plus sign toggles between + (expand) and - (collapse).


Click a status link for details about the clients (see also “Alarms” on page 19), or enter a name or address in the search field to look for specific clients, and then click a column heading to sort the entries in the dialog for that particular event. The numbers are the same as those the risk level bar and the status area are based on.

Guest nodes are clients that have Endpoint Protection installed, but do not belong to this realm. Guest services are not available in this version of the management console.

Click the realm name (for example ‘Headquarter’) to refresh the current status information, which is available from all the tabbed dialogs.

Alarms

An alarm is an event that requires immediate action, and is posted by a security product. If an incident occurs in a realm, the involved application will generate event messages that are routed to the management console. The message details are displayed on the Status page.

Type: Specifies which type of device it is (workstation, server, printer, etc.)
Client name: See “Clients” on page 22.
Alarm type: The error type message appears as descriptive text, like ‘Cannot remove detected virus’.
Alarm description: Event details as defined by the reporting application.
Detected: The date and time the error was detected (yyyy.mm.dd and 24 hour format).
Policy: Name of the client’s policy. See “Policies” on page 30.

Errors

Errors are system anomalies that may or may not require attention. They are typically generated when a client application suffers from a malfunction. Error messages that the management console receives in the realm are defined by the application reporting the event.

Type: Specifies which type of device it is (workstation, server, printer, etc.)
Client name: See “Clients” on page 22.
Error type: The error type message appears as descriptive text, like ‘Could not install’.
Error description: Event details as defined by the reporting application, also as descriptive text like ‘Access denied’.
Detected: The date and time the error was reported (yyyy.mm.dd and 24 hour format).
Policy: Name of the client’s policy. See “Policies” on page 30.

Warnings

A warning is typically sent when there is an event that is handled normally but that implies that there is unusual activity detected by the client applications. As opposed to alarms and errors, warnings do not require immediate attention.

This display informs about warning type, the name of the client issuing the warning, and the date and time when the client was last seen, i.e. the last time the management console detected network activity from this client. An example of a warning type is ‘Virus detected’.

Not updated

The Not updated message is issued by a client when the client’s program manager detects that the client software has not received relevant updates. The client will also appear as Not updated when its current policy has been changed, or when it has been assigned a new one.

Status information under this tab includes type of client, its name, when it was last seen, and when it was last updated (yyyy.mm.dd and time in 24 hour format).


The information for Not updated clients includes the name, when it was last seen, the operating system, when the policy was refreshed, and the group name.

Offline

The clients marked as Offline have not been heard from or contacted within a certain period of time. The clients may or may not be managed clients.

A Managed client employs policy settings. An Unmanaged client has no policy or no client software, or it is another type of device than a workstation, like a printer, a hub, etc.

Online

Whenever an event from a particular device, managed or not, reaches the management console, a timestamp is updated in the management console’s database to reflect when the device was last seen and to determine status based on that information. As soon as information about a client is received, it is marked as Online. The status is based on the device’s visibility within a set period of time. Time thresholds can be adjusted.

NOTE As long as a client is online, no active communication is done from the management console to the client unless the administrator manually initiates it.

Stale

When the management console is unable to establish contact with a client after repeated attempts, and it has not been seen for a longer period of time, the status is changed to Stale. A separate process will actively try to rediscover a stale client before it appears in the Offline folder, which happens after 1 or 2 hours (default for managed/unmanaged clients, respectively).

Managed

A client that has been assigned a policy is a managed client. It receives all configuration settings from the policy it fetches from the management console. Information about all the IP-based devices in the network is stored in a database on the management console. See also “Client states” on page 27.


Home

At the top of the Home page, an RSS feed may inform you about upcoming updates, restarts, and other important information.

To monitor these bulletins, add the URL to the RSS reader on your computer, cell phone, and so forth. You can also click the View message log link and follow the instructions to subscribe to this service. We use the following URL: http://www.norman.com/support/product_feeds/messages_npro.rss

The Home page also features a graphical representation of the realm’s clients. Click the Norman logo at the top of the page to reload Home from any page.


Clients

This page presents details about the entire realm with the management consoles, groups, and clients. All machines are members of a group. Each group reports to a management console (Toplevel or Midlevel).

You can filter clients by Machine type, Online state and Operating System. Click the realm name link or the Managed link from the status area at the left-hand top corner to view the filtering bar.

All newly discovered machines will automatically be assigned to the predefined Lost and found group, unless otherwise filtered. Machines can be moved between groups manually or automatically. Click a group name and the machine/client members will appear in the right-hand part of the page. Double-click a group or a client to configure it, or highlight the client/machine you wish to edit and select the relevant action from the action buttons bar (see “Action buttons” on page 28).

You can create, edit, filter, drag and drop, and view groups and clients in a Windows Explorer-like environment. On managed clients, a mouse over will display basic information like scanner engine version, definition file dates, operating system, and logged-in user.

The links Policy: and Reports to: display the client’s current policy and the manager it reports to. Click the links to select other policies and managers (on Toplevel or Midlevel).


Organizing groups and clients

Click Endpoint Managers to view the structure of the realm presented on the right-hand side of the screen. Click a Toplevel or Midlevel Manager (the levels below Endpoint Managers) to view groups and clients for that level.

Click a group name link to view the member clients.

The names of the group’s policy and the manager it reports to appear just above the action buttons (see “Action buttons” on page 28). Click the Policy or Reports to: link to select another policy or manager from the drop-down list.

NOTE If you move a group to another level, for example to a Midlevel Manager, it may take several minutes before it is visible in its new location and starts reporting to and receiving updates from the new manager.


Predefined groups

The Lost and found and the Unmanaged group are mandatory groups in the Clients view. When a realm is created, a folder for each group is created and placed in the lower left-hand part of the screen.

Lost and found

Any discovered network device is placed in the Lost and found group unless a predefined filter rule places it elsewhere. The clients in this default group are given the default policy. Typically, the administrator will look in the Lost and found group to find new clients and then drag them to other groups where they are assigned a relevant policy and represent a logical view of the managed network.

Unmanaged

The group Unmanaged is a container for network devices that cannot be managed by the console, like printers. When the administrator drags devices into the Unmanaged group, they will no longer be contacted or counted to maintain their status and statistics. It is, however, necessary to maintain a list of deleted devices, since they will still show up in the network topology reports from the clients and will be added to the Lost and found at each rediscovery. It is therefore not possible to delete devices completely from the topology database.


Client/machine information

Click a group name link to view the group’s clients/machines. Double-click a client to configure it directly. Select the relevant action from the client information dialog that appears. Alternatively, from the Clients page click to highlight the client and select the relevant icon from the action buttons bar. The action buttons become selectable only when you highlight one or more clients/machines.

Details
This tab provides information about scanner version, definition file updates, etc.

Installed Products
This tab lists the installed products and components, and their status.

Log
This tab lists information messages and reported errors, warnings, and alarms for the client, including the names of the components that reported the incidents.


About status
Every time an event from a particular device reaches the management console, managed or not, a timestamp is updated in the management console database to reflect when the device was last seen. Network devices can have three online states: Online, Stale, and Offline. When a device has been seen within a set period (default 1 hour for managed and 2 hours for unmanaged clients), its status remains Online. These time thresholds can be adjusted on the management console, but the defaults have proved to generate a good network status map. If a client has not been seen within this period, the status is changed to Stale. Once it is Stale, a separate process within the management console will attempt to actively contact the client to update its status. Note that as long as a client is Online, no active communication is done from the management console to the client unless the administrator manually initiates it.

While Stale, the management console will contact the client a set number of times with a set delay between each attempt. The default is 5 attempts once an hour, but this is adjustable. These settings can be configured from Settings > Supervisor process (see “Supervisor process” on page 60). If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as Offline. As soon as any information about the client is received, it will immediately be marked as Online.

Create a new group
Click the Create new group icon. Enter a group name, select an Endpoint Manager, a policy, and optionally type in a note for this group. Click OK to confirm and save the new group.

NOTE ‘NEM’, ‘Lost and Found’, and ‘Deleted’, or any translated versions of the two latter names, are restricted and cannot be used as top level group names. They can, however, be used as subgroup names.

Delete a group
On mouse-over you can click the Delete group icon for a group. You are prompted to confirm the delete. If you delete a group, any members or sub-groups are automatically moved to the Lost and found group.

NOTE For a new client to be discovered and maintained in the client view, an IP or MAC address or a DNS name must be given.


Client states
A client can take on several states in the client view: online, stale, or offline. Additionally, it can be managed or unmanaged. The icons themselves indicate what type of network device the client is, and are set to either a question mark (unknown) or a screen (workstation) upon installation. An administrator can change the icon by editing the client type in the client details window. The device type icon is a management aid for administrators and does not indicate any of the following status situations.

Online
A client is online with a green computer icon when it has been seen or heard from within the time period defined as stale delay, which is 1 or 2 hours by default depending on whether the client is managed or not. Any device in the network is regarded as a client regardless of whether it has Endpoint Protection installed.

Stale
A client is stale with a gray computer icon when it has not been heard from within the time period mentioned above. When a client is marked stale, it means that the management console will try to establish contact with the client a set number of times with a set time interval. This differs from the normal situation, where clients are reported as online when they submit status information or are seen by other clients.

Offline
A client is offline with a gray computer and red mark-out icon when it has not been reported by anyone and the attempts to contact it have failed. The client will remain offline until it reports itself to the management console, or it has been seen by another client that reports the network topology.

Managed
A client is managed when it has Endpoint Protection installed and is a member of the realm that the Endpoint Manager has established. The client becomes managed as soon as Endpoint Protection is installed and the client reports its platform and status information to the management console. A client with an online icon and a green ball next to it is online, managed and without errors or warnings. A client can be managed or unmanaged regardless of its online status.

Unmanaged
Any device that is not managed is unmanaged. An administrator can choose to keep the unmanaged devices visible in the network topology map, or drag those devices into the predefined Unmanaged group to keep them out of sight.

Transitions between states
Clients will change states automatically between Online, Stale, and Offline. Managed clients will automatically show up with a green ball, indicating that they are managed. If a client is uninstalled, the green ball will go away after a period of time. It is normally not necessary for the administrator to take any action to maintain the network status picture. If, however, the administrator decides to force any kind of action in the network, a set of action buttons is available in the client windows or in the group overviews.
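The Online/Stale/Offline transitions described under “About status” and “Client states” above, as an added example that is not part of the original guide: a small Python model of the supervisor process using the guide’s defaults (1 h / 2 h stale delay, 5 contact attempts one hour apart, any received event resets the device to Online). The class and function names are assumptions; the console’s real implementation is not shown in the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

ONLINE, STALE, OFFLINE = "Online", "Stale", "Offline"


@dataclass
class Device:
    """One entry in the console's topology database (constructed model)."""
    name: str
    managed: bool
    last_seen: datetime            # updated on every event about the device
    state: str = ONLINE
    attempts: int = 0              # active contact attempts made while Stale
    next_attempt: Optional[datetime] = None


@dataclass
class Supervisor:
    """Defaults from the guide: 1 h / 2 h stale delay, 5 attempts, one per hour."""
    stale_delay_managed: timedelta = timedelta(hours=1)
    stale_delay_unmanaged: timedelta = timedelta(hours=2)
    max_attempts: int = 5
    retry_interval: timedelta = timedelta(hours=1)

    def stale_delay(self, dev: Device) -> timedelta:
        return self.stale_delay_managed if dev.managed else self.stale_delay_unmanaged

    def event_received(self, dev: Device, now: datetime) -> str:
        """Any status report or topology sighting marks the device Online at once."""
        dev.last_seen = now
        dev.state = ONLINE
        dev.attempts = 0
        dev.next_attempt = None
        return dev.state

    def tick(self, dev: Device, now: datetime,
             try_contact: Callable[[Device], bool]) -> str:
        """One pass of the supervisor process; returns the resulting state."""
        if dev.state == ONLINE:
            # Online devices are never contacted actively; they are only aged.
            if now - dev.last_seen >= self.stale_delay(dev):
                dev.state = STALE
                dev.attempts = 0
                dev.next_attempt = now
        if dev.state == STALE and dev.next_attempt is not None and now >= dev.next_attempt:
            dev.attempts += 1
            if try_contact(dev):
                return self.event_received(dev, now)
            if dev.attempts >= self.max_attempts:
                dev.state = OFFLINE        # stays Offline until something reports it
                dev.next_attempt = None
            else:
                dev.next_attempt = now + self.retry_interval
        return dev.state


def simulate(dev: Device, start: datetime, hours: int,
             try_contact: Callable[[Device], bool],
             supervisor: Supervisor = Supervisor()) -> List[str]:
    """Run hourly supervisor ticks for `hours` hours; return the state after each."""
    return [supervisor.tick(dev, start + timedelta(hours=h), try_contact)
            for h in range(1, hours + 1)]


if __name__ == "__main__":
    t0 = datetime(2013, 1, 1, 8, 0)          # constructed start time
    ws = Device("workstation-1", managed=True, last_seen=t0)
    # An unreachable managed client: Stale after 1 h, Offline after 5 failed attempts
    print(simulate(ws, t0, 6, lambda d: False))
```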


Action buttons
Select a client from Clients, or open the details window for a specific client, to view the Action buttons. Depending on the client status, one or more of the buttons may be disabled.

The action buttons are: Edit, Update, Promote (Demote), Request status, Rediscover, Repair, Restart, Remote command, and Delete.

Edit client
Click Edit client or double-click a client to open the client details window. You can change the type (icon) of the client, edit its alias name, move it to another group, and/or enter notes about the client.

Update client
Click Update client to tell a managed client to check for updates and to replicate its policy immediately. Normally, the client will check for updates every hour and check for policy changes every 10 minutes.

Promote (Demote) client
This button toggles between Promote client and Demote client. Click Promote client to promote an online, managed client into a Midlevel Manager. This may take 3-5 minutes. See “Promoting clients” on page 9.

Demote client
This button toggles between Promote client and Demote client. Click Demote client to reverse a promotion and demote a management console into a managed client. Other management consoles reporting to it must be removed first. It may take 3-5 minutes to complete the operation.

Request status
Click Request status to force a managed client to submit its status information. This is normally done when the client checks for policy changes.

Rediscover client
Click Rediscover client to initiate manual rediscovery of any device, regardless of its status or whether it is managed or not. When a client is stale, the management console will actively attempt to discover the client.

Repair client
Click Repair client to tell the client’s program manager to re-install all products if a managed client experiences consistent problems. The entire client software will then be re-installed. This action is quite drastic and should only be used as a last resort.

Restart client
Click Restart client to force a restart of a managed client, for example after it has been updated.


Remote command
Click Remote command to help a client user with a specific issue, or to perform actions that are not covered by the action buttons. You can only execute software that is located below the Norman root. An administrator can issue a console command directly to any Norman program component on a managed client. Before issuing a remote command, keep in mind what the state of the remote client might be (no user logged on, several users logged on, etc.). The remote process will run with system privileges in the context of the njeeves.exe process. However, if the process requires a graphical user interface, it may not show up on the remote client unless the administrator is logged on and has the desktop open (for example on a Vista client).

Delete client
Click Delete client to remove a client and move it to the Unmanaged group. Alternatively, you can drag it there. The client will no longer be updated or discovered by the management console.


Policies
A policy is a collection of specific product configurations that governs the behavior of the clients in a group. Each policy is given a name by the administrator. The policy also holds information about which products to install at the member clients.

Clients always use the policy assigned to their group. A default policy should always be present in the local database, and it will provide default configuration values for all licensed products. The predefined Default policy is automatically assigned to all groups. You can choose another default policy, like the Midlevel Manager policy or the Toplevel Manager policy. The administrator can edit the default policies, but not delete them.

NOTE The Default policy is mandatory. This is the policy that is assigned to all new groups by default. It is good practice to leave it unchanged or to only make small changes to it.

You are not allowed to delete a policy containing clients. Unless you remove the clients before you delete a policy, an error message occurs.

The users’ access to edit the various configuration values locally at their workstation is governed by the administrator through the policy. These access rights are granted on a per product basis, and can be either write access or read-only.

Click a policy name to view or change settings for that policy. When you click a digit in the Subscribing groups column, a dialog with the subscribing groups for this policy appears. Access type states whether the policy can be edited or is read only.

The default update frequency for policies from the store is every 10 minutes.

Create a new policy
1. From Policies click New policy.
2. Enter a Policy name (mandatory) and Policy notes (optional) for this policy.
3. Click Create to save the new policy name and to enter the configuration for this policy.


Configure policies
When you have created a policy, it appears on the Policies list and the configuration dialog for the new policy is opened.

Allow users to (un)install products
We do not recommend that you allow users to uninstall products at their own discretion, so be careful not to select this option unless you have good reasons to do otherwise. Leaving this check box empty will give the policy access type read-only.

Install/uninstall
Select one or more products and/or components to install for this policy’s subscribers. Available products are licensed products. By default, all products are selected. Products which are mandatory or not eligible for install/uninstall are grayed out.

Configure
Click the configure icon to modify the configuration for this particular product within this policy. All managed clients assigned to this policy will apply the configuration changes that you make. Clients that belong to other policies will not be affected.

NOTE If you have installed one or more managed email servers, for example, these products are documented in appendixes to this manual or in separate administrator’s guides.

Allow user to configure product
You can also select Allow user to change configuration per product, which includes all sub-products/components that belong to the product. Such changes are implemented locally on the individual client and will not affect the policy itself or other subscribers. If you don’t select Allow user to change configuration, the local user’s settings are overwritten by the policy.


Antivirus & Antispyware
Click a policy name and then the Antivirus & Antispyware configure icon.

Sandbox
The Antivirus application employs the sandbox functionality to detect new, unknown viruses. The Sandbox is particularly tuned to find new email, network/peer-to-peer worms, and file viruses, and will also react to unknown security threats. Sandbox is enabled at all times.

Automatic scanner

Enable Automatic scanner
This option is on by default. Automatic scanning is an ongoing process that monitors critical activities on your system. Depending on your configuration, this can involve file access and copy/move to other drives or directories. Whenever a file is accessed in a read/write operation or a program is executed, the Automatic scanner is notified and scans the file on the fly. We don’t recommend disabling the Automatic scanner, and if you do, a warning appears in the system tray.

Automatically remove detected viruses
This option is on by default. When the scanner detects a virus, it will try to clean the infected file before it’s deleted or quarantined. Sometimes cleaning equals deletion, for example for trojans, where the entire file makes up the malware.

NOTE A copy of the deleted or blocked file is quarantined by default.

Scan for potentially unwanted programs
A potentially unwanted program is software that generally is not malicious, but still can be considered unwanted by the user. The potentially unwanted properties can include certain features that resemble malicious and/or privacy-invasive software such as spyware, adware, and content hijacking programs.

Local user
Under normal circumstances, a workstation runs in Local user mode, while a server runs in the Remote users mode. The default settings provide sufficient protection for most situations, and we do not recommend that you change them unless you are fully aware of the effect.

Local user mode covers antivirus control for a logged-on user, which includes everything that the user does on the local machine. If the user is logged off or the machine acts like a server, the Remote users mode applies.


Scan on read/execute
Instructs the Automatic scanner to scan files before they are used. For example, when a user double-clicks a .doc file, the Automatic scanner checks the file as well as the application which is being launched (in this instance, MS Word).

Scan on read/write
Instructs the Automatic scanner to also scan files that are opened for write, for example when a user downloads a file from the internet. If you selected Scan on read/execute only, it is possible to download and save an infected file to disk. However, the Automatic scanner will detect the virus when you try to open the file.

NOTE More specifically, scanning on write means that new or changed files are scanned on close. Suppose you have an unprotected client computer, which is infected with a virus that spreads across network shares. Whenever this virus infects a file on a server, where the Automatic scanner is configured to scan on both read and write, the Automatic scanner detects and removes the virus.

Remote users
Under normal circumstances, a workstation runs in Local user mode, while a server runs in the Remote users mode. The default settings provide sufficient protection for most situations, and we do not recommend that you change them unless you are fully aware of the effect.

In this component you select whether you want to scan files before they are used and/or when new files are created, or when existing files are changed. In other words, you select a strategy for the automatic scanning that takes effect when other computers write files to your computer/server. You may think of these options as ‘server’ settings.

The typical scenario is that Remote users activity takes place on the server. However, if someone physically logs on to the server, the Local user mode applies.

Scan on write
Instructs the Automatic scanner to scan files that are saved to disk, for example when a user is saving a file on a server. In this case, the Automatic scanner on the server will scan the file.

Scan on read/write
This is hopefully an option you won’t need to use. A scenario where this is a useful option is if a server has become infected, as a result of a missing scanner update, for example. Scanning on both read and write in such a situation will prevent the infection from spreading further throughout the network.

Exclude files from scanning
You may want to speed up the scanning process by excluding certain files from scanning. Note that excluding files or areas from scanning is a decision made at the expense of security.

Use the exclude list
Select this option to exclude the files you enter on the exclude list.

Network drives
This option is enabled by default, so files accessed from network drives will not be scanned. Disable this option if you want to scan shares that you have access to on remote computers. The Automatic scanner’s behavior will depend on the user rights of the logged on user when scanning files residing on network drives. When the Automatic scanner sees a file that is opened from a network drive, it will scan the file as usual. However, it will not be able to repair, remove, or quarantine an infected file unless the logged on user has write access to the directory/file in question. Still, access to the infected file will be denied.


Scanning network drives with the Automatic scanner is intended for a situation where the servers don’t run antivirus software; the exclusion is on by default simply to avoid the same files being scanned twice—once on the server and then again when they are opened on the client. The consequences of such double scanning could be that network logons and backups become slower. However, the system administrator must make the final decision, where security on the one hand and network operation on the other are the two major factors to consider.

When the Automatic scanner detects viruses or other malware on network drives, it will display the locations as UNC paths—not as mapped drives. Many users know network drives as X, Y, Z etc. The pop-up alerts from the Automatic scanner will, for example, display \\Server\Share\InfectedFile instead of X:\Infected file.

Exclude List
Specify files, directories, or entire drives that you don’t want Antivirus to scan. The exclude list supports different modes of operation, or types of patterns.

Full path and file name
This pattern will match a specific file in a specific path and nothing else. Example: C:\Program Files\Joker\foo.log

File name only
This pattern will match the file name regardless of the file’s path. Example: foo.log

Path only
This pattern will match any files in or below the path. Example: C:\Program Files\Joker\

Wildcards
Regardless of the mode of operation, the matching algorithm will look for wildcards in the pattern. A wildcard character is a special character that substitutes for other characters in the file name. Wildcards can only appear after the last path separator, i.e. in the file name. The asterisk (*) is the only supported wildcard character. It substitutes for zero or more characters (non-greedy), but it does not substitute for path separators.

Enter a file name, folder, drive letter or an environment variable and click Add to list.

EXAMPLES

C:\folder                Excludes all files in this folder, including subfolders.
*.xyz                    Excludes all files with this extension.
filename.*               Excludes all files with this name regardless of its extension.
filename.exe             Excludes the specified file regardless of its location.
C:\folder\filename.xyz   Excludes this particular file.

NOTE Do not use apostrophe (‘) or quotation mark (“), when you specify items for exclusion.

Items on the Exclude list are not scanned. The most obvious reason for not scanning certain files is that they interfere seriously with certain applications when they are scanned. At any rate, we recommend that you scan files on the exclude list regularly by running scheduled or manual scans.

For security reasons the exclude list for the Automatic scanner is limited to 50 entries. In addition to the risk the exclude list represents, it also increases the use of system resources: the more entries in the list, the more resources the Automatic scanner will use.
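The matching rules for the exclude list above (the three pattern modes, the asterisk wildcard restricted to the file name, the 50-entry limit, and the ban on apostrophes and quotation marks), as an added Python example that is not Norman’s own code. How the product tells a directory entry such as C:\folder from a full file path is not stated in the guide; the matcher below treats a non-wildcard full-path entry as covering the file itself and anything below it, which is an assumption, as are all the names used.

```python
import re
from typing import List

SEP = "\\"
MAX_ENTRIES = 50   # the guide limits the Automatic scanner's exclude list to 50 entries


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; accept either separator."""
    return path.replace("/", SEP).lower()


def _name_match(pattern: str, name: str) -> bool:
    """Match a file name against a pattern whose only wildcard is '*'.
    '*' stands for zero or more characters but never for a path separator."""
    regex = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, name) is not None


def _match(entry: str, path: str) -> bool:
    """Apply one exclude entry in the mode implied by its shape."""
    if SEP not in entry:
        # File name only: matches regardless of the file's path.
        return _name_match(entry, path.rpartition(SEP)[2])
    if entry.endswith(SEP):
        # Path only (folder or drive letter): any file in or below the path.
        return path.startswith(entry)
    head, _, tail = entry.rpartition(SEP)
    if "*" in tail:
        # Wildcard in the name part: only files directly in that directory,
        # because '*' does not cross path separators.
        phead, _, pname = path.rpartition(SEP)
        return phead == head and _name_match(tail, pname)
    # Full path and file name: that file exactly. An entry such as C:\folder
    # also covers everything below it (assumption: the product decides this
    # from whether the entry names a directory).
    return path == entry or path.startswith(entry + SEP)


class ExcludeList:
    """Exclude list with the guide's input restrictions enforced on add()."""

    def __init__(self) -> None:
        self._entries: List[str] = []

    def add(self, pattern: str) -> None:
        if len(self._entries) >= MAX_ENTRIES:
            raise ValueError(f"exclude list is limited to {MAX_ENTRIES} entries")
        if any(ch in pattern for ch in "'\"\u2018\u2019\u201c\u201d"):
            raise ValueError("apostrophes and quotation marks are not allowed")
        entry = _norm(pattern)
        if "*" in entry.rpartition(SEP)[0]:
            raise ValueError("wildcards may only appear after the last path separator")
        self._entries.append(entry)

    def is_excluded(self, path: str) -> bool:
        p = _norm(path)
        return any(_match(e, p) for e in self._entries)

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    ex = ExcludeList()
    for p in ["C:\\folder", "*.xyz", "filename.*", "filename.exe",
              "C:\\folder\\filename.xyz"]:          # the guide's own examples
        ex.add(p)
    for f in ["C:\\folder\\sub\\a.txt", "D:\\data\\report.xyz",
              "E:\\filename.dll", "F:\\other\\report.txt"]:
        print(f, "->", "excluded" if ex.is_excluded(f) else "scanned")
```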


Recommendations
• Make sure that your Antivirus installation is up-to-date. This is the best protection against virus attacks—to stop viruses before they enter the system.
• Install antivirus software on email servers and gateways.
• Restrict user rights on shares as much as possible, for example by setting the read-only attribute where applicable on files that are not frequently changed.
• Back up your files regularly.

NOTE Exclude lists should be handled with great care, as they represent a potential security risk. We recommend that you scan the Exclude list manually (using the Manual scanner) on a regular basis, and also include these files or areas in scheduled scans.


Manual scanner
You can use the Manual scanner to perform periodic scans of selected areas of your computer. If you are using the task scheduler (see “Task editor” on page 37), you need to install the Manual scanner.

Automatically remove detected viruses
Please refer to the Automatic scanner (same option).

Scan archives
Antivirus is configured to always scan archives. If an infected file is detected within an archive, Antivirus will try to repair it first. If repair is not possible, the infected file is deleted from the archive, and the original file is quarantined. The following formats are currently supported: TAR, GZ, BZIP2, ARJ, ACE, RAR, RAR3, ZIP, MAIL, SFXZIP, CAB, LZH, APPLE_SINGLE, and 7Z.

Scan for potentially unwanted programs
Please refer to the Automatic scanner (same option).

Logging

Create log file
Creates a log file whenever you run a manual scan. If you deselect this option, no log file is generated for manual scans.

Detailed logging
Extensive logging that generates a very detailed report, specifying each file that was scanned, scanning time per file, status, etc.

Exclude files from scanning
Please refer to the Automatic scanner (same option).

NOTE Exclude lists should be handled with great care, as they represent a potential security risk. We recommend that you scan the Exclude list manually (using the Manual scanner) on a regular basis, and also include these files or areas in scheduled scans.


Task editor
Create task files and view or modify scheduled events. Administrators can create task files and distribute them to all workstations in the network to ensure consistent checking of areas that require special attention. Allow a task file some 10 minutes before it is replicated to all clients.

Create a task
Click New from the Task Editor dialog. Enter a task name and make your selections. Click Create to confirm and save your task. Tasks are displayed as a list in the Task Editor dialog.

Enable
By default, the task is set to enabled. You can remove the check mark to disable it.

Scan entire computer
Select this option if you simply want to scan the entire computer.

Custom scan
Select this option if you want to customize the area to scan.

NOTE The option Select files and folders and the scan options appear only if you selected Custom scan.

Select files and folders
Enter a path and/or a filename and click Add to list. Wildcards (apostrophe ‘ or asterisk *) are supported.

EXAMPLES: C:\ or D:\*.pdf or E:\foldername

Scan boot sectors
When you select this option, Antivirus will check the boot sector of the area(s) that are being scanned.

Scan archives
Select this option to include archived files in the scan. The following formats are currently supported: ACE, ACE SFX, APPLE_SINGLE, ARJ, BZIP2, CAB, CAB SFX, CHM/ITSF, GZ, Inno Setup (Installer), LZH, MAIL/MIME, MSI, NULLSOFT (Installer), RAR2, RAR3, TAR, WISE SFX, ZIP, ZIP SFX and 7ZIP.

Scan memory
When you scan the memory area, the antivirus application looks for resident viruses. You should always make sure that no viruses exist in memory.


Start at/Schedule
Select the frequency, date and time to run the scan. The suggested date and time is the current one (according to your system clock). You can select another date and time.

System impact
Select the level for use of system resources when running this task: Normal, Reduced or Low.

Product Manager

Click a policy name and then the Product Manager’s configure icon.

Product language
Select a language from the drop-down list. The list is subject to change as new language versions may be added. A change from English (default) to another language will take effect after the next update. You can also run a manual update for the changes to take effect immediately.

Select update method

LAN product update frequency
This option defines how often a client should check for updates from the LAN, i.e. the management console installation. The management console downloads all files for all products, platforms and languages selected on the Products page in the management console GUI. See “Products” on page 45. The default update frequency is 1 hour.

NOTE This setting should always be set to Never for managed clients as the management console should always update from the Internet. The default policy takes this into consideration. Changing the default setting may result in your installation never being updated.

A LAN update uses the HTTP protocol and port 2868 to connect to the management console machine.


Internet Update
This option defines when and how often a client should connect to Internet servers in order to check for necessary updates. Time before using Internet update defines how long a client can operate without management console contact (and consequently without being updated) before it is permitted to check for updates on the Internet. Update intervals defines how often a client should then check for updates via the net.

Alternate update path
This is an important feature in installations where the console manages several hundred machines and setting up multilevel managers is not affordable (contact local support for help if necessary). It uses the CIFS protocol (Windows sharing) to allow clients to connect to shares where they can retrieve updated files. It is important to set up a synchronization between the \distrib\download\ folder on the management console machine and the alternative share folder, so that all new files downloaded by the management console are copied to the alternative share folder.

One solution is to create a script that copies all files from \distrib\download on the management console server to \\servername\<share_folder>\distrib\download. If this software is installed at the alternate distribution point, any \distrib\download folder is automatically updated.

NOTE distrib\download is a mandatory part of the path and cannot be changed.

Set up a scheduled task that runs the script once every hour.

NOTE The script must be run with the necessary user privileges to access the share, so that it can run even if no users are logged on. It may be wise to check the option to kill the process if it has run for more than two hours.

The script needs to handle the following situations:
• Verify that Internet Update is not currently running.
• Copy all files from \distrib\download on the management console server to \\servername\<share_folder>\distrib\download.
• If a sharing violation occurs during file copy, wait a short while and try again.

Refer to our support pages for a complete procedure and a script you can download, edit and run. See also “Networks with a large number of clients” on page 11.
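A Python version of the copy script outlined above, added here as an example; it is not the script from Norman’s support pages. It assumes the caller supplies the check for a running Internet Update (the guide names no process or flag to test, so the demo uses a lock file, an assumption), takes the copy routine as a parameter so the retry on sharing violations can be exercised, and is meant to be started from an hourly scheduled task with the two distrib\download paths as arguments.

```python
import errno
import shutil
import time
from pathlib import Path
from typing import Callable, List


def _is_sharing_violation(exc: OSError) -> bool:
    """A file the console is still writing: Windows reports ERROR_SHARING_VIOLATION
    (winerror 32), which Python surfaces as a PermissionError."""
    return getattr(exc, "winerror", None) == 32 or exc.errno in (errno.EACCES, errno.EBUSY)


def _needs_copy(src_file: Path, dst_file: Path) -> bool:
    """Copy only new or changed files (size or modification time differs)."""
    if not dst_file.exists():
        return True
    s, d = src_file.stat(), dst_file.stat()
    return s.st_size != d.st_size or int(s.st_mtime) > int(d.st_mtime)


def sync_download_folder(src: str, dst: str,
                         internet_update_running: Callable[[], bool],
                         copy: Callable[[Path, Path], object] = shutil.copy2,
                         retries: int = 5, delay: float = 2.0) -> List[str]:
    """Mirror new or changed files from src (the console's distrib\\download)
    to dst (the share's distrib\\download). Returns the relative paths copied,
    or an empty list without touching dst while Internet Update is running."""
    if internet_update_running():
        return []
    src_root, dst_root = Path(src), Path(dst)
    copied: List[str] = []
    for src_file in sorted(src_root.rglob("*")):
        if not src_file.is_file():
            continue
        rel = src_file.relative_to(src_root)
        dst_file = dst_root / rel
        if not _needs_copy(src_file, dst_file):
            continue
        dst_file.parent.mkdir(parents=True, exist_ok=True)
        for attempt in range(1, retries + 1):
            try:
                copy(src_file, dst_file)
                break
            except OSError as exc:
                # Only a sharing violation is worth retrying; anything else is real.
                if not _is_sharing_violation(exc) or attempt == retries:
                    raise
                time.sleep(delay)          # wait a short while and try again
        copied.append(rel.as_posix())
    return copied


if __name__ == "__main__":
    import sys
    # Usage: sync.py <console distrib\download> <share distrib\download> <lock file>
    # The lock file standing in for "Internet Update is running" is an assumption.
    src_arg, dst_arg, lock = sys.argv[1], sys.argv[2], Path(sys.argv[3])
    for name in sync_download_folder(src_arg, dst_arg, lock.exists):
        print("copied", name)
```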

Proxy settings
Proxy servers may require user authentication. If you use the proxy server options in this dialog, you must enter the same information for proxy server log on and authentication as configured on the proxy.


Use proxy server

Enter the Proxy address and Proxy port for the firewall’s HTTP proxy. If you have specified information for the HTTP proxy in your browser, you should enter exactly the same values here.

Authentication

Log on to proxy server

This option is only relevant if your proxy server requires authentication.

User name

Enter a valid user name.

Password

Enter the password.

Domain

Enter the domain name. If the field is left blank, the machine name is used. This field is not intended for proxy servers using basic authentication. The two prevalent authentication schemes are basic and Windows NT challenge/response, also known as NTLM.

Popup settings

Configure popup

From the drop-down menu you can decide which type of popup messages the clients should receive from the management console. Your choice affects all clients that are assigned the selected policy. If the policy allows local user configuration (see “Policies” on page 30), it’s possible to edit the individual client to make exceptions from the established policy settings.

Display common popup

Select this option to display all popups from the management console.

Suppress all errors and warnings

Select this option to block all popups, including popups regarding restart and the Norman splash screen. Note that even though the popups are blocked, the management console continues to receive information from the clients.

Intrusion Guard

This is a host-based intrusion prevention system (HIPS) that can stop malicious applications from taking control of your machine. The application offers a powerful reporting tool and protects processes, drivers, browsers and the hosts file. It is a platform for proactive threat protection intended for experienced users. High-risk events that are rarely used by legitimate applications are blocked by default.

Drivers & Memory

Drivers are computer programs that operate on a low level, the kernel level. Drivers are typically written to access and control hardware, such as your display monitor, keyboard, printer and network card. In order to access hardware connected to your computer, the drivers need full system access. For this reason the same techniques are used when writing malicious applications. You can modify the driver installation configuration to control which applications should be allowed to install drivers on your computer.

There are two malicious techniques to achieve the same privileges as drivers get. Both of these techniques circumvent the security mechanisms of the operating system. It is highly recommended to keep the settings for both as Deny.

• Prompt: You will be asked each time an attempt is made.

• Allow: Attempts will only be logged.

• Deny: No application, legitimate or malicious, will be able to install kernel level drivers.

Processes

When an application, legitimate or malicious, is installed on your computer, it will most often want to start automatically each time your computer is started. A program that wants to start automatically can instruct the operating system to auto-start it with the same privileges as the current user, or it can install a background service that will run with elevated privileges. The intrusion prevention application can stop attempts of this nature.

• Prompt: You will be asked each time an attempt is made.

• Allow: You will never be prompted.

• Deny: No application, legitimate or malicious, will be able to install itself to automatically start when the computer is started.

A program can also inject code into other processes running on your machine, and it can hijack processes by other means. This is common behavior for malicious applications, but some legitimate programs also use such techniques, for example to extend the user’s desktop, or to offer other advanced features to the operating system or third party applications. You can configure the application to deny or prompt each time an attempt like this is made.

Network

By adding filters to network modules in your operating system, malicious applications can steal personal data, such as social security numbers, credit card details, and passwords. Adware can modify network data sent through those filters. It can change results in search engines and show unwanted advertisements on your desktop and embedded in web pages you visit.

Plugin Prevention (Internet Explorer only)

A BHO (Browser Helper Object) is an extension to Microsoft’s Internet Explorer. This and other Internet Explorer plug-ins, like toolbars, have full control over network traffic to and from Internet Explorer, and they can interact with the user interface.

• Prompt: You will be asked each time an event occurs.

• Allow: You will never be prompted.

• Deny: Stops all attempts to modify your system or install a BHO.

LSP Prevention

An LSP (Layered Service Provider) is a generic filter in the network stack in Windows. It has full control over all network traffic on your computer.

• Prompt: You will be asked each time an event occurs.

• Allow: You will never be prompted.

• Deny: Stops all attempts to modify your system or install an LSP.

Hosts file protection

When you access a website through its name (web address), the name is translated into an IP address, and the data is then sent to and from the remote server. Your computer will first look for the name in your hosts file. This means that hosts file entries override any IP address that the name would otherwise resolve to. Malicious applications may change your hosts file and thus redirect the network traffic to a malicious website (so-called pharming).

• Prompt: You will be asked each time an event occurs.

• Allow: You will never be prompted.

• Deny: Stops all attempts to modify your system or hosts file.

Assign a policy to a group

1. From the realm overview on the left-hand side, click the group you wish to assign the policy to.
2. From the Clients page, click the Policy: field and select a policy from the drop-down menu.
3. Click the Save icon next to the policy name to confirm your changes.

Products

All licensed products that the management console administers in the realm are listed on this page. These are the products available on the machine where the management console is installed—the distribution point. When a product within a policy or on a client is configured for scheduled updates, it fetches the update from this distribution point. The clients are updated in accordance with their policy.

NOTE See “Configure policies” on page 31 on how to configure a product.

Licenses

In use

An approximate number of managed clients with this product installed.

Seats

The number of seats that your license covers, for this product. If In use is larger than Seats, this is an indication that you should check if your license covers your actual needs.

Expires

The date when the license for the product expires. The date format is YYYYMMDD.

Scheduled update

Select this option if you want to schedule updates for a product. For each product, you may select/deselect the Scheduled update option. When the scheduler initiates an update, only products with this option selected will be updated. Products not selected will not receive updates.

Update selected products

To update manually, select one or more products and click Update selected products.

Languages

A number of different product languages are available, and new language versions are added at irregular intervals. The default language is English and cannot be deselected. You can choose to download one or more language versions if they are covered by your license. These languages will be available to the clients in the managed network.

TIP The download packages may be large, so in order to reduce bandwidth use, you should be selective when you pick language versions.

Platforms

A wide range of platforms are supported, including most Windows and NetWare versions. Please refer to “System requirements” on page 7 for details.

Select the platforms which are represented in your network and click Save. The selections are valid for both manual and automatic updates via Internet Update.

Reports

History

Select History for a report that includes incidents covering the entire period since the realm was created. There are several ways of filtering the report.

Use the drop-down menus to select how you wish to filter the messages: Component (Internet Update, Product Manager, etc.), Message type (alarms, warnings, errors, etc.), Year, Month, and Group. The report’s content and available filtering options depend on factors like how many different operating systems are installed on the clients in the network, when the realm was created, and the type of messages reported in the entire period. That is, you cannot sort on Operating System if all clients run on the same platform, on year if the realm was created in the current year, or on type if only one or two message types have been reported.

There is a limitation of 1,000 messages per report. Therefore it is important that you specify relevant and precise search criteria in the Search field, from where you can search through all messages generated since the realm was established. You can, for example, search for machine names, IP addresses, or virus names to avoid irrelevant messages and the risk of exceeding the 1,000 limit.

Reports

The management console maintains statistics for the realm around the clock. The reports cover the topology status and incidents. As a supplement to the graphical representation of statistics on the home page, you can generate your own, detailed reports that identify all clients in the network.

Generated reports are based on all discovered devices in the network, also those that are not managed. However, devices that have been moved to the Unmanaged group are not included. You may filter which clients to include in the report by their online status and/or whether a status flag has been set.

Select the details and the machines you want to include in the report and click Generate. You can filter machines by selecting clients with only one or two particular status types or select all types to include all clients (default). The default setting for the report details is also all. Choose between commas or semicolons as CSV (comma separated value) separator, depending on the report format you prefer.

The report is generated as a CSV file that can be opened in most spreadsheet applications and saved as any other file.

Settings

These pages contain configuration options as well as maintenance tasks, such as administrator management, some of which are performed regularly and others only occasionally. Settings and parameters that do not require frequent attention, or are likely to be set just once, are also located on these pages.

Realm administrators

This option applies to the Toplevel Manager only. For more information about realm owner and realm administrator, please refer to “Installation” on page 14. The realm owner credentials should only be used when a management console is being restored from a backup. When first running the Endpoint Manager after it has been installed, it is an essential task to complete the creation of one or more realm administrators.

All users with administrator’s privileges in the realm are listed on this page, with information about access type etc. Click an administrator’s name link to view more information about the administrator.

To add a new administrative user, click Create administrator.

Backup and restore

This option applies to the Toplevel Manager only. The management console and the network realm rely on certain basic data stored in the local database, also referred to as the store. It is strongly recommended that you back up these data systematically. The backup will include vital information like network topology, realm credentials and operation center settings.

Backup

When a managed realm is set up, we recommend that you back it up on an external storage device. The most recent backup file is named NEM_backup_00000.nbk, and for each backup the number 00000 is incremented until the selected Max number is reached. Hence, the backup file with the highest number is the oldest one.

The file cannot be opened/viewed by any application since the sole purpose of the backup is to provide a possibility to restore a managed network realm on a management console in the case of hardware loss etc. Without a backup, the loss of the management console would require new credentials to be distributed throughout the network. The logical network structure would also have to be recreated. The backup/restore functionality is also used if you want to upgrade or replace a functioning management console. First, back up the existing management console to an external media, then restore the backup file as part of the install wizard procedure on the new management console. The size of the file depends on your network—the bigger it is, the bigger the backup file.

Destination

Enter a path for the backup file directory where NEM_backup_0000x.nbk will be stored. The default location is C:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows Explorer view.

Max number of backups

Enter the number of backup files that will represent the maximum before the management console starts to delete the oldest of the existing files. Since businesses, networks and routines are diverse we have no recommended number. However, you should keep this number high enough to maintain a usable backup history, and at the same time limit the number to avoid consuming more disk space than necessary. If you reduce the number at a later point, old backups will not be deleted unless you do it manually.

Enable scheduled backups

When you select this option, the Start time fields are enabled for specifying the time backup should run.

Select days of the week below

Starting with Monday, each weekday is listed and selected by default.

Start time

Enter hour and minute when you want the backup to start. Backup will start at the specified time for all selected weekdays.

Backup now

Click Backup now for an immediate backup of the management console database, or Save to store your settings. If the management console is down when backup should be performed, backup is executed as soon as the management console becomes operational again.

Restore

In the current version, the management console’s DNS name cannot be changed. Therefore a backup of a realm must be restored on a machine that resolves to the same DNS name that was used during the realm creation. Alternatively, you can create a new realm and, after finishing all processes and updates from the Internet, generate new MSI installers from the management console. Copy the file mig2nss7.nts created in the same destination folder into the \norman\config folders of the existing clients. Please keep in mind that by doing this you are using a new/blank topology tree, and the clients will be assigned automatically to the Lost and found group. You should consider creating policies, groups, and topology filters and/or moving clients manually to specific folders before you copy that file onto the clients. It is important that you run an Internet Update before restoring a backup.

Restore from

Enter the path for the backup file directory where NEM_backup_0000x.nbk is stored. The default location is c:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows Explorer view.

Restore strategy

Select what parts of the backup to restore. The settings part of the database contains the realm credentials and settings. The topology part is a map of known machines in the network, as presented in the Clients view, including the group names and assigned policies.

Keep most recent values

Selecting this option will keep the most recent values during restoration of a backup when a value exists both in the backup and in the current database.

NOTE Keeping the most recent value may in some cases result in duplicate topology entries if you have chosen to restore the topology.

Generate installers

The management console provides creation and distribution of an MSI package (Windows Installer file .msi) for rapid deployment of software on client machines. This is a trouble-free method for installing on a client, as the administrator only needs to initiate and distribute the MSI installer to clients. Once started, the installation of the MSI package will open up port 2868 on the client machine and complete the full installation of Endpoint Protection. The clients then retrieve their policies, as described in previous steps.

NOTE The MSI package and Endpoint Protection automatically open port 2868 in Norman’s and Windows’ firewalls only. If you are using another firewall, you must manually open this port.

Distribution of the MSI package can be performed in different ways, for example:
• by a startup script
• by emailing the package to the clients
• by copying the package using a USB stick or a similar medium
• by employing a 3rd party tool
• by distributing it via Active Directory

1. Enter a valid path, and a name that you want the MSI file name to start with. You do not need to enter a file extension (e.g. .msi) since the system will add this for you automatically.

Syntax: [drive]:\[path]\[name]

Alternatively, you can Browse to select a folder where you want to save the file, but you will still have to write a name after the selected path.

2. Click Generate (or press Enter). The management console generates the following installer files:

• [drive]:\[path]\[name]_linux_multiarch.sh (Linux version)
• [drive]:\[path]\[name]_x64.msi (64-bit version)
• [drive]:\[path]\[name]_x86.msi (32-bit version)
• [drive]:\[path]\mig2nss7.nts * (For manual migration)

* The mig2nss7.nts file name is entirely system generated; the name you entered is not added to this file.

For Linux installations, see also the appendix “Appendix B: Endpoint Protection for Linux” on page 63.

3. The MSI installer files should now be saved to the location you specified.

EXAMPLE C:\Distribution\Clients\Installer

This example path and name will generate the following installer files:
• C:\Distribution\Clients\Installer_linux_multiarch.sh
• C:\Distribution\Clients\Installer_x64.msi
• C:\Distribution\Clients\Installer_x86.msi
• C:\Distribution\Clients\mig2nss7.nts

The generated files hold information about the location of the relevant management console, and the credentials to access it. You can use these files to install the security software on eligible clients, auto-run it on a domain, or distribute it through email, USB stick or in any other suitable way.

Keep in mind that all new clients will be placed in the Lost and Found group, unless they have previously been discovered and assigned to a group. The default policy will apply for those. You can create topology filters (see “Topology filters” on page 58) that will move clients to certain groups as they are discovered. Then clients will use the policy for that particular group rather than the default policy.

We recommend that you create new MSI installers when adding clients at a later stage if the existing installers are older than one month, and always if there have been any software updates in the meantime. This is because the installer may have been updated with new files since the last time you generated an MSI installer, and a new installer will avoid unnecessary restarting of clients.

NOTE It is a good idea to test the MSI package on a couple of clients before rolling it out in your network, in order to identify any problem with the given management console’s DNS name or credentials.

Remote access

The management console can be accessed remotely. By default, remote access is not permitted. Remote access is only permitted from the locations specified below. You can remove and/or add access to the management console from a remote location.

Remote locations currently permitted to access the management console are listed in the upper part of the screen, identified by IP address, Netmask and Description (optional).

NOTE Just type in the IP address and Description when you set up permissions for remote access in the management console. A blank netmask is not allowed. Enter 255.255.255.255 as Netmask to allow remote access for a specific IP address only.

You should be careful about admitting remote browsers access to the management console, as there are some obvious security issues. To enable remote access, you must select Allow remote access. In addition, you have to specify the IP addresses that should be allowed to log on to the management console. You may grant access either to a specific IP address or to a whole subnet, depending on the netmask.

EXAMPLE Address 172.17.0.0 with netmask 255.255.0.0 will give access to clients from the entire 172.17 segment. Again—remote access should in general be limited to as few clients as possible.

Event management

This option applies to the Toplevel Manager only. The event management system is used to create messages based on the situation in your managed realm. The system is connected to the status indicators in the far left column, triggering a notification event when a preset threshold is reached. The system triggers on the number of alarms, errors and warnings in a network. You can set threshold values for the absolute percentage of reported alarms, errors and warnings. Delta threshold values are specified for the change rate of the same over a reporting period. Reports can also be made periodically or if a management console error occurs. See “Reports” on page 47.

Triggers

You can set threshold values for events, and determine if the event should be communicated as email, SNMP trap, via the syslog or event log. Configuration for each message type is located under the related tab (Email settings, SNMP settings and Syslog settings).

NOTE When you specify one or more methods to send messages (email, SMS, etc.), do not forget to configure the selected transmission mechanism(s). Similarly, you don’t need to configure devices not selected. No messages will be sent if there are any errors in this configuration.

Alarms

If the alarms threshold is set to 3, an alarm is triggered when 3% of the network nodes trigger alarms. The alarm is passed on in one or more of the selected manners (Email, SNMP, etc.).

NOTE An alarm is an event that requires immediate action. It is issued by a product in Norman Endpoint Protection on a managed client.

Errors

If the errors threshold is set to 5, an error is triggered when 5% of the network nodes trigger errors. The error is passed on in one or more of the selected manners (Email, SNMP, etc.).

NOTE Errors are system abnormalities that require immediate attention.

Warnings

If the warnings threshold is set to 10, a warning is triggered when 10% of the network nodes trigger warnings. The warning is passed on in one or more of the selected manners (Email, SNMP, etc.).

NOTE Warnings are information about events that are suspicious and that may require administrator attention.

Alarms delta

For changes in the number of network nodes that have an alarm. Upon completion of a topology thread walkthrough, the management console compares the results with the findings from the previous walkthrough and calculates delta values. If the delta threshold (percentage) is reached, a message is sent via all selected channels (email, SNMP etc.).

The delta threshold value is not related to the threshold value for alarms, which is based on a percentage of an absolute number of managed clients. A delta value change, however, is based on the findings from the topology thread walkthrough, which looks for events in the entire network of managed clients and runs perpetually. Delta messages may therefore be sent long before an (absolute) alarm threshold is reached, if configured in that way. For example, if the alarm delta is set to 1% and the alarm threshold to 5%, delta messages are sent when there is a 1% increase in alarm numbers, while a threshold message is only sent when a total of 5% of the network has an alarm. See also “Supervisor process” on page 60. A walkthrough of the network takes about 15 minutes and is referred to as a management period.

Errors delta

See Alarms delta, for changes in the number of network nodes that have an error.

Warnings delta

See Alarms delta, for changes in the number of network nodes that have a warning.
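To make the distinction between the absolute and the delta triggers concrete, here is an added example (not Norman code) that evaluates both over successive management periods. It assumes an absolute trigger fires when the share of managed nodes with an alarm, error or warning reaches the configured percentage, and a delta trigger fires when that share has grown by at least the configured number of percentage points since the previous walkthrough; the realm size and alarm counts are constructed.

```python
"""Absolute vs. delta thresholds from the Event management section (added
example, not Norman code).  One Walkthrough is the result of a management
period (about 15 minutes).  Assumptions: an absolute threshold fires when the
share of managed nodes with an alarm/error/warning reaches the configured
percentage; a delta threshold fires when that share has grown by at least the
configured number of percentage points since the previous walkthrough.  The
notification channels (email, SNMP, syslog) are represented by the strings
returned."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KINDS = ("alarms", "errors", "warnings")


@dataclass
class Thresholds:
    # Defaults are the figures used in the guide's examples (3%, 5%, 10%).
    absolute: Dict[str, float] = field(
        default_factory=lambda: {"alarms": 3.0, "errors": 5.0, "warnings": 10.0})
    # None means no delta trigger is configured for that kind.
    delta: Dict[str, Optional[float]] = field(
        default_factory=lambda: {k: None for k in KINDS})


@dataclass
class Walkthrough:
    managed_nodes: int
    affected: Dict[str, int]        # nodes with at least one alarm/error/warning


def percent(affected: int, total: int) -> float:
    """Share of managed nodes, guarding against an empty realm."""
    return 0.0 if total <= 0 else 100.0 * affected / total


class EventMonitor:
    """Keeps the previous walkthrough so delta values can be calculated."""

    def __init__(self, thresholds: Thresholds):
        self.t = thresholds
        self.previous: Optional[Walkthrough] = None

    def evaluate(self, wt: Walkthrough) -> List[str]:
        """Return the notifications raised by one completed walkthrough."""
        msgs: List[str] = []
        for kind in KINDS:
            pct = percent(wt.affected.get(kind, 0), wt.managed_nodes)
            if pct >= self.t.absolute[kind]:
                msgs.append(f"{kind} threshold reached: {pct:.1f}% of nodes")
            dt = self.t.delta.get(kind)
            if dt is not None and self.previous is not None:
                prev = percent(self.previous.affected.get(kind, 0),
                               self.previous.managed_nodes)
                change = pct - prev
                if change >= dt:
                    msgs.append(f"{kind} delta: +{change:.1f} points since last period")
        self.previous = wt
        return msgs


def simulate(periods: List[Walkthrough], thresholds: Thresholds) -> List[List[str]]:
    """Feed successive walkthroughs to one monitor; one message list per period."""
    mon = EventMonitor(thresholds)
    return [mon.evaluate(p) for p in periods]


def guide_example() -> List[List[str]]:
    """The guide's case (alarm delta 1%, alarm threshold 5%) on a constructed
    realm of 200 managed nodes whose alarm count grows 0 -> 3 -> 6 -> 12."""
    t = Thresholds(absolute={"alarms": 5.0, "errors": 5.0, "warnings": 10.0},
                   delta={"alarms": 1.0, "errors": None, "warnings": None})
    periods = [Walkthrough(200, {"alarms": n}) for n in (0, 3, 6, 12)]
    return simulate(periods, t)
```

Running `guide_example()` shows delta messages from the second period on (1.5 points per period), while the absolute alarm message only appears in the fourth period, when 6% of the nodes have an alarm.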

Endpoint Manager errors

Various errors related to the operation and running of the management console and its processes.

Periodic status reports

Aggregated reports on the status of the network (errors, alarms, warnings). If you want to receive status reports, select this option and specify the desired frequency.

Email settings

Enter the address that recipients of notifications can reply to under Reply-to address. In the Recipients address(es) field, enter the email address of notification recipients, separated by commas. There are two text fields, for Subject and Appended text (optional). Finally, you must enter an SMTP server and an IP Port number, or leave blank for default port 25.

SNMP settings

Enter the hostname or address of the system(s) that should receive the messages under Trap recipient(s), separated by commas. You can also specify a Subject for the message (optional). Under Community, type in an SNMP community name or leave blank for “public”. This field is case sensitive.

A .mib (Management Information Base) file called Sec_Traps.mib is included in the Endpoint Protection installation. It is located in [drive]:\[programroot]\NOC\Bin.

Syslog settings

Enter the name and address of the Syslog servers that you want to send events to. Comma is the only valid separator. In the optional fields Prefix and Port you can enter a short text that is added as a prefix to all syslog entries from the management console, and a port number if you are not using the default 514. Facility classification can be set to any of the locally defined values (16 through 23 in the Facility drop-down menu), or select Default for user level messages.

Display name priority

When you are looking at any list of nodes, each one is identified by a symbol (see “Client states” on page 27) and a name. You can choose how the client name is presented by rearranging the order of available names.

If you have selected an order as in the example above, Local alias will appear as the clients’ name provided that a local alias is available. If not, the next name on the list (Hostname) will be used, and so on.

Topology filters
This section applies to the Toplevel Manager and describes how you can filter clients. Discovered network devices can automatically be filtered into pre-defined topology groups. Filters are handled from top to bottom. Once a computer matches a rule, no further filters are applied to it.

NOTE: The topology filtering does not affect Endpoint Managers. A filter condition to move a discovered device to a certain group may match an Endpoint Manager; however, the Endpoint Manager will not be moved.

Syntax: IF [attribute] EQUALS/NOT EQUAL [value] THEN move to group [groupname].

Attribute is a pull-down list of attributes identifying a device, such as a name or an IP address. The operator is either EQUALS (=) or NOT EQUAL (!=). The value is a complete or partial string to match the attribute against. If partial, a wildcard character can be placed in front of or at the end of the string. The filters are applied top-down. If a client matches more than one rule, only the first rule will be applied. Click the plus sign to create rules where several conditions have to be met.

EXAMPLE
IF [IP address] EQUALS [172.17*] THEN move to group [London].
IF [Name] EQUALS [*srv] THEN move to group [London].

Because the value is matched as a string, 172.17* also matches addresses beginning with 172.170 through 172.179; use 172.17.* if you mean the 172.17.0.0/16 network.

When specifying what to test against in a rule, the value IP address reflects any of the IP addresses registered with a client. Likewise, MAC address means any of the MAC addresses associated with the network interfaces of a client.

The value Name is the common name of a client as reported by passive discovery (NetBIOS name), or the name that the client itself responds to. The value DNS name, on the other hand, is the machine name associated with the DNS entry of the client in the management console database. If the DNS entry in the client's network differs from the one resolved by the management console, the management console entry is used.

Details about a client are displayed in this order: Alias (set by the administrator), NetBIOS name, DNS name, IP address. The NetBIOS names are reported by the passive discovery component. If a client is only known by its IP address (as a result of an incorrect manual entry, for example), it will be displayed with its IP address until a reverse DNS lookup has been done (if enabled). As soon as a topology report containing the NetBIOS name of the client arrives, that name is stored and displayed in the clients list. A managed client will also report its NetBIOS name if available, causing it to be displayed instead of the DNS name.

NOTE: The DNS name is always available in the client details window.


Alternative client filtering
In addition to topology filtering, you can sort clients automatically based on a registry key or an environment variable set on the clients themselves. This can be done through existing log-in scripts or other tools already available in the network. Group requests based on the registry key or environment variable take precedence over the topology filters. Clients that request a group will not be filtered, even if you select Reapply all filters.

NOTE Only clients (current or future) that report to a Toplevel Manager can be filtered using this registry key or environment variable mechanism.

A client can be manually moved elsewhere from the management console after it has been automatically moved to a group using this mechanism. If its variable is changed to another group, it will be moved again according to the new value, even if it has been manually moved in the meantime. However, if the variable is not changed, the client will never be moved back. If a group does not already exist in the Endpoint Manager topology, it will be created. Automatically created groups are assigned the default policy. Use the full stop (.) as delimiter if you want to use subgroups.

Note that with this mechanism the client itself chooses its group: anyone with administrative rights on the client can set the value and move the computer into any group, including a newly created group that receives the default policy. Keep the default policy at least as strict as the policies of your other groups.

EXAMPLE Servers.Mail.SNMP resolves to the group Servers > Mail > SNMP and moves the client to the SNMP subgroup.

Registry key
1. In Registry Editor, create a new String Value named join_group under HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems\.
2. Specify the group name that you want the client to be moved to in the Value data: field.

Environment variable
1. Go to System Properties > Advanced > Environment Variables and create an environment variable called join_group.
2. Specify the group name that you want the client to be moved to in the Variable value: field.

EXAMPLE join_group=RnD will move this client to a group called RnD.


On some operating system versions the client must be restarted before a new environment variable becomes available to the client.
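The placement logic described in the two preceding sections (topology filter rules evaluated top-down with first match winning and "+" conditions AND-ed, and the join_group request that takes precedence and creates missing groups with the default policy), as an added Python simulation. It is not part of Norman's product or documentation. The rule set, client names and addresses are constructed; the case-insensitive comparison and the meaning of NOT EQUAL for a client with several addresses (it holds only when no address matches) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Client:
    name: str                          # common (NetBIOS) name
    dns_name: str = ""
    ips: Tuple[str, ...] = ()          # every IP address registered for the client
    macs: Tuple[str, ...] = ()         # every MAC address of its interfaces
    join_group: Optional[str] = None   # value of the join_group key/variable, if set
    is_manager: bool = False           # Endpoint Managers are never moved by filters

@dataclass
class Condition:
    attribute: str   # "Name", "DNS name", "IP address" or "MAC address"
    operator: str    # "=" (EQUALS) or "!=" (NOT EQUAL)
    value: str       # complete string, or partial with one leading or trailing "*"

@dataclass
class Rule:
    group: str                   # pre-defined topology group to move the client to
    conditions: List[Condition]  # all must hold (the "+" sign in the console)

def wildcard_match(pattern: str, text: str) -> bool:
    """Plain string match with a single '*' at the front or the end.
    The case-insensitive comparison is an assumption, not documented behaviour."""
    p, t = pattern.lower(), text.lower()
    if p.startswith("*"):
        return t.endswith(p[1:])
    if p.endswith("*"):
        return t.startswith(p[:-1])
    return p == t

def attribute_values(client: Client, attribute: str) -> List[str]:
    # "IP address" and "MAC address" mean any of the client's addresses.
    return {"Name": [client.name], "DNS name": [client.dns_name],
            "IP address": list(client.ips), "MAC address": list(client.macs)}[attribute]

def condition_holds(client: Client, cond: Condition) -> bool:
    matched = any(wildcard_match(cond.value, v)
                  for v in attribute_values(client, cond.attribute))
    if cond.operator == "=":
        return matched
    if cond.operator == "!=":
        return not matched   # assumption: NOT EQUAL holds only if no address matches
    raise ValueError(f"unknown operator {cond.operator!r}")

def apply_filters(client: Client, rules: List[Rule]) -> Optional[str]:
    """Top-down: the first rule whose conditions all hold decides, later rules
    are not applied.  Endpoint Managers are skipped.  Returns group or None."""
    if client.is_manager:
        return None
    for rule in rules:
        if all(condition_holds(client, c) for c in rule.conditions):
            return rule.group
    return None

class Topology:
    """Maps a dotted group path ('Servers.Mail.SNMP') to its policy name."""
    def __init__(self, groups: Dict[str, str], default_policy: str = "Default"):
        self.groups = dict(groups)
        self.default_policy = default_policy

    def ensure_group(self, path: str) -> str:
        # Create each missing level with the default policy; existing levels keep theirs.
        parts = path.split(".")
        for i in range(1, len(parts) + 1):
            self.groups.setdefault(".".join(parts[:i]), self.default_policy)
        return path

    def place(self, client: Client, rules: List[Rule]) -> Optional[str]:
        if client.join_group:            # group request wins; never filtered
            return self.ensure_group(client.join_group)
        group = apply_filters(client, rules)
        if group is not None and group not in self.groups:
            raise KeyError(f"filter target group {group!r} is not defined")
        return group

# Constructed sample rules and clients; all names and addresses are made up.
RULES = [
    Rule("London-Servers", [Condition("IP address", "=", "172.17.*"),
                            Condition("Name", "=", "*srv")]),
    Rule("London", [Condition("IP address", "=", "172.17.*")]),
    Rule("Servers", [Condition("Name", "=", "*srv")]),
]
CLIENTS = [
    Client("FS01SRV", ips=("172.17.4.10", "10.99.0.2")),            # rule 1
    Client("pc-22", ips=("172.17.9.3",)),                            # rule 2
    Client("dbsrv", ips=("10.1.1.5",)),                              # rule 3
    Client("laptop", ips=("10.2.3.4",)),                             # no match
    Client("mgr01", ips=("172.17.0.1",), is_manager=True),           # never moved
    Client("mx1", ips=("172.17.2.8",), join_group="Servers.Mail.SNMP"),
]

def demo() -> Tuple[Dict[str, Optional[str]], Dict[str, str]]:
    topo = Topology({"London-Servers": "London", "London": "London", "Servers": "Server"})
    placements = {c.name: topo.place(c, RULES) for c in CLIENTS}
    return placements, topo.groups
```

Rule order matters: the two-condition London-Servers rule must sit above the single-condition London rule, or a server in 172.17.0.0/16 lands in London and the server rule is never reached. The rules use 172.17.* rather than the 172.17* of the manual's example because the latter, being a plain prefix match, also catches 172.170.0.0 through 172.179.255.255.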

Supervisor process
These settings are used to fine-tune the management console working threads. Normally the default settings are adequate; however, certain local networking properties may require changes to some of the settings to ensure optimal performance. See also "About status" on page 26.

Topology thread delay
Regulates the pace of the topology picture updating thread, which walks through the entire network tree. The lower the number, the faster the speed. Increase this value if you experience peaks in CPU or network load.

Discovery thread delay
Regulates the pace of the active discovery thread dispatcher. The lower the number, the faster the speed. Increase this value if you experience peaks in CPU or network load.

Discovery attempts
Sets the maximum number of attempts to discover a Stale client before it is marked as Offline. Increasing this value increases the stale period of offline clients, since the time to rediscover a stale client is discovery attempts times rediscovery interval.

Max. discovery threads
Sets the upper limit of parallel active discovery processes. Reduce this value if you have a large network and the network load generated by the management console is too high.


Rediscovery interval
Sets the interval between active rediscovery attempts. Increasing this value increases the stale period of offline clients, since the time to rediscover a stale client is discovery attempts times rediscovery interval.

Auto-acknowledge - errors
Sometimes the management console receives errors, alarms, and warnings. These messages are visible until they are removed manually using the edit function on the client. You can use the slider to set a period of time after which the messages are removed automatically. If the problem persists, the error/alarm/warning messages reappear after the auto-acknowledgement.

Auto-acknowledge - alarms
See Auto-acknowledge - errors.

Auto-acknowledge - warnings
See Auto-acknowledge - errors.

Stale delay for managed clients
Sets the maximum time without communication from a managed client before it is marked as Stale.

Stale delay for unmanaged clients
Sets the maximum time without communication from an unmanaged client before it is marked as Stale.

Enable discovery reverse DNS
When enabled, the discovery process attempts to resolve addresses into names through reverse DNS. This option is Off by default.

Enable discovery ICMP
When enabled, the discovery process uses ICMP echo requests (ping) to actively probe clients that have gone missing. This option is Off by default.

Enable passive discovery
When enabled, devices that are discovered passively in the network are added to the database. This option is Off by default. Refer to "Appendix A: Passive discovery" on page 62 for more information on passive discovery.


Appendix A: Passive discovery

Technical description
Endpoint Protection (the framework or client software) and Endpoint Manager (the management console) employ a mechanism to map out devices in a network and report them to the management console. This mechanism resides in a driver that is visible in the network configuration as Norman Network Security. The Network Security driver is currently used for mapping the network topology. In the future, the driver may be involved in other network security tasks, like actively looking for malicious traffic into and out of the machine.

The management console depends on information about clients in the network to produce a useful picture of the net. Clients make their presence known through their communications with the management console. Network devices that do not have Endpoint Protection installed are discovered using the network security driver. A management component on the client interrogates the security driver regularly to ask for network devices that have generated traffic. After polling the driver, a topology list is generated and submitted to the management console. The management console then sifts through the list and updates the online statuses of the network devices that it keeps track of.

The first topology report is submitted a few minutes after client boot-up. The client first tells the driver to listen to network traffic for a minute. Then it creates a list of devices containing their NetBIOS names, MAC addresses, and IP addresses. A MAC address will always be found, but the name and IP may or may not be included. The client compares the discovered devices with a local cache and creates a topology report that is sent to the management console. A client sends a second report about five minutes after the first. It then tapers off and waits about 30 minutes before the third report, two hours before the fourth, and so on, up to a maximum of four hours between reports. If the client is restarted, it starts over.

The reporting aggressiveness is also decreased as the reports grow larger. The reason for this is that, statistically, a network containing a high number of clients will have a higher number of clients reporting the topology. The information reported is only basic information pulled from the Ethernet headers and the NetBIOS protocol header. No protocol content is ever collected.

The Network Security Driver is designed for:

• Windows XP 32-bit
• Windows Server 2003 32-bit
• Windows Vista 32-bit
• Windows Server 2008 32-bit
• Windows 7 32-bit
• Windows Server 2008 R2 32-bit


Appendix B: Endpoint Protection for Linux

Introduction
Norman Endpoint Protection for Linux is an antivirus program for Linux servers and workstations. The program can be run as a stand-alone client, or be managed by Endpoint Manager installed on a Windows computer.

System requirements
Operating system:
• SUSE Linux Enterprise Server 11 or higher, 32-/64-bit
• openSUSE 11.3 or higher, 32-/64-bit
• Ubuntu 10.04 or higher, 32-/64-bit
• Debian 5 or higher, 32-/64-bit
• Red Hat Enterprise Linux 6 or higher
Other distributions may be eligible; please contact support for assistance.

Endpoint Manager: refer to "System requirements" on page 7.

Hardware requirements for the computer are the same as for the Linux distribution itself.

Installation
To install Endpoint Protection on Linux you need to run a supported Linux distribution. For distribution and central management of Linux clients you will also need Endpoint Manager.

NOTE The Linux software must be installed with root privileges.

Setting up the management console
This setup applies to the computer on which you have installed Endpoint Manager. Assuming you have already installed the Endpoint Protection framework, created an Endpoint Manager realm and discovered all clients in your network, the following describes what to do next.
1. Go to the Policies view.
   a) Create a new policy, for example "Linux". See "Create a new policy" on page 30.
   b) Configure the new policy. See "Configure policies" on page 31.
2. Go to the Clients view.
   a) Create a new subgroup, for example "Linux", and select the newly created "Linux" policy for it. See "Create a new group" on page 26 and "Policies" on page 30.
   b) Add a client with Linux installed to the new subgroup. See "Clients" on page 22.
3. Go to the Products view.
   a) Select Linux 32-bit and/or Linux 64-bit from the Platforms list.
   b) Select Antivirus & Antispyware from the Licenses product list.
   c) Select Update selected products to run an Internet update.
   d) Generate an installer for the Linux client installation. See "Generate installers" on page 52.


Installing Endpoint Protection for Linux
You can download the installer from www.norman.com. Install the program using the Linux command line interface. For an Endpoint Manager administered installation you will need an installer from the Endpoint Manager; see step 3 d) above. A stand-alone installation also requires a valid license key. Depending on the type of installation (stand-alone or Endpoint Manager administered), Endpoint Protection for Linux can be installed either interactively or non-interactively. This installation applies to the computer where Linux is installed.

Interactive installation
Open the Linux command line interface and locate the installer file.
1. Run the installer provided with root privileges.

Managed
$ sh ./[name]_linux_multiarch.sh

Stand-alone
$ sh ./npro_9.1_installer-42377-20120720-FULL.bin

2. Read the license agreement and accept it to continue the installation.
3. Enter your license key (5x5 characters) in order to install the software and receive updates (stand-alone installations).
4. Enter your user credentials for remote administration: enter a username and password and confirm the password. This is the username and password used to manage your installation through a web browser.
5. Wait while the installation files are unpacked and installed.
6. Optionally, enter the proxy address and port. Leave these fields empty if you do not use a proxy.
7. Wait while the installation files are downloaded and unpacked. The installer quits, and the installation continues and finishes in the background.
8. Run the following script to open the software console (nconsole):

$ /opt/norman/npm/bin/nconsole

KDE users should use nconsole-kde instead of nconsole. Alternatively, if you do not have a graphical console, you can access the program using a web browser for remote administration (ipaddress:2868). Remote access to this interface stays disabled until you allow it from specific addresses; see "Remote access" later in this appendix.

NOTE It might take some time before the web interfaces become available.

The first time you open the program after installation is finished, it will soon start to update itself automatically. This may take a few minutes to complete. When your installation is up to date the program is ready for use.


Non-interactive installation
Open the Linux command line interface and run the installer with the parameters applicable to the installation: username and password, and, for stand-alone installations only, the license key.

-y YES          Accept the end user license agreement
-l LICENCE KEY  The license key (stand-alone installations only)
-u USERNAME     The username for remote administration
-p PASSWORD     The password for remote administration

Note that the password passed with -p is visible to other local users in the process list while the installer runs and may be recorded in the shell history.

Endpoint Manager administered installation
$ sh ./[name]_linux_multiarch.sh -u myuser -p mypassword

[name] equals any name you specified when you generated installers from the management console. See "Generate installers" on page 52.

Stand-alone
$ sh ./npro_9.1_installer-42377-20120720-FULL.bin -l xxxxx-xxxxx-xxxxx-xxxxx-xxxxx -u myuser -p mypassword

The license key is a combination of 5x5 characters, letters and numbers.

Updating
The Update Manager is developed especially for Linux; otherwise it has the same function as Internet Update on Windows systems. The Update Manager handles the updating of virus definition files, the scanner engine and the program modules of your Endpoint Protection installation. If the program does not update itself automatically after installation, you can start the update manually from the Install and Update page by clicking Update all products. When updates are available for download, the Update Manager automatically downloads and installs the necessary components. If you configure the Update Manager to download updates once a day, for example, your antivirus installation is automatically kept up to date. See also "Install and Update" on page 68.

Uninstalling
Run the uninstall script from the command line interface to uninstall Endpoint Protection for Linux. The script's location in the installation is:
# sh /opt/norman/npm/bin/uninstall.sh


Use and configuration
If the Endpoint Protection for Linux installation is under the administration of a management console, the client configuration options will be limited by the policy configuration. Opening the nconsole for the first time after installation takes you to the Home page of the program's graphical user interface. When updating is complete, you can start using the program and configure it. Scan your computer from the nconsole graphical user interface or from your command line interface.

Home
The program opens in the Home page, from where you can view status and update all products.

Antivirus & Antispyware
This is the program's antivirus and antispyware feature. Quarantine infected files, schedule scanning tasks, exclude files and folders from scanning, and configure scanner settings. Two different scanners search your computer for viruses, the Automatic scanner and the Manual scanner. In addition, the Command line scanner is an alternative to the GUI-based Manual scanner. The default location of the scanners is /opt/norman/nvc/bin/

Automatic scanner
This scanner works in the background and offers automatic protection of your system. It is an essential virus control component and should therefore be enabled at all times.

Manual scanner
Use the Manual scanner to scan selected areas of your computer and to create scheduled scans to run at specified intervals. The graphical user interface scanner (nvcod) and the Command line scanner (nvcc) are both easy to use, as you can access them directly from your command line interface.

nvcc
To start a scan, enter the location and name of the scanner at your command line interface, add applicable parameters and/or a path to scan, and press Enter:

/opt/norman/nvc/bin/nvcc parameter /path(s)/to/scan

Example (scan the entire file system):

/opt/norman/nvc/bin/nvcc --s+ /

nvcod
Enter the location and name of the scanner at your command line interface and the manual scanner dialog appears. Browse for areas to scan, select an area, and click to start scanning. The Manual scanner starts scanning the specified areas and displays the status of the scan when finished. To view more scanning details or the log, click Advanced >>.


Parameters
Help option parameters give you an overview of supported arguments to use with the scanners. You can view the parameters by entering the path to a scanner followed by --help or --?.

EXAMPLE /opt/norman/nvc/bin/nvcc --help

--?      Show this help
--net+   Enable scanning of network drives (net- to disable)
--s+     Enable scanning of subdirectories (s- to disable)
--cl+    Enable cleaning of infected files (cl- to disable)
--qtn+   Use quarantine (qtn- to disable)
--sb+    Use sandbox (sb- to disable)
--del-   Do not delete infected files, if they could not be repaired
--c+     Enable scanning inside archives (c- to disable)
--yh     Abort when infection found
--low    Scan with low priority
--sc     Only use single cpu core
--x:     Exclude files from scan (e.g x:"*.zip|*.arc")
--lf:    Specify fully qualified log file name (overrides ld and lg)
--lg:    Specify number of logfile generations
--ld:    Specify directory for log files
--l-     Do not write log file
--q      Quiet mode (No stdout output)
--v      Verbose mode
--temp:  Override environments TEMP/TMP
--bp:    Specify breakpoint file to store scan position (e.g. /bp:/tmp/lastscan.log)


Install and Update
Frequent updates are provided for the virus definitions and the program files. Updating is done via the Internet or the internal network. Once Internet Update has downloaded a package, the actual update is installed automatically. After an update, the program may prompt you to restart your computer.

Update all products
Click Update all products once to update the program.

Update your license
This option is not available if your computer is assigned to a management console policy. With this Linux-specific update feature you can check your license and update your installation. Enter your license key and click Update to validate the key and update the program. You will be notified if the license key is not valid. See also "Updating" on page 65.

Settings
The settings mode changes when configuration is locked by a management console policy. In that case you cannot edit settings; the policy manages updates and scanning of your client installation.

Select update method
You can choose between manual and automatic updating. We recommend the automatic update method, as it is of the utmost importance to keep the software updated at all times.

Update manually
Select this option if you prefer to start Internet Update manually. You can start it from the Install and Update main page (Update all products) or from the system tray menu.

NOTE This option requires a forced start of the Internet Update function. The system is NOT updated automatically. Updating manually is not a recommended method, as executing the update may be forgotten.

Automatically at every (6 hours/12 hours/24 hours)
Select this option to make the program take care of downloading and updating automatically. Select a suitable time interval. This option requires a permanent connection to the Internet.

NOTE This is the recommended update method. If Internet Update has not been run for 24 hours, the program automatically checks for updates at start-up.


Wait for dial-up connection
If you use a modem to connect to the Internet, select this option for daily checks for updates. Access the Internet as you normally do, and the program will work out whether updates are available. The update mechanism checks for updates the first time you connect and only once a day. If you connect to the Internet once a week, for example, the program will check once as soon as you are connected.

Proxy settings
A proxy server is an intermediary computer residing between the user's computer and the Internet. It can be used to log Internet usage and block access to web sites. The firewall at the proxy server may also be used to block access to certain web sites or web pages. If a firewall or proxy server protects your computer, you must enter the required proxy information.
1. Select Use proxy server and enter a proxy address and port.
2. Select Log on to proxy server and enter username, password and domain (for Windows NT Challenge/Response), if applicable.
• Windows Challenge/Response Authentication is the format used for connecting to either Windows 2000 Server or Exchange.
• The user account has the following format: [NT/2000domainname]\[accountname]

Join a realm
You can join an Endpoint Manager realm with a stand-alone Endpoint Protection client installation. This requires that you add a credentials package to your installation. The package contains all the information that the Endpoint Manager needs to recognize your computer in the network. In the following we assume that you have administrator rights to the Endpoint Manager. Treat the credentials package as a secret: it is what lets a computer enrol in your realm, so distribute it over a trusted channel and do not leave copies lying around.

On the Endpoint Manager
1. See "Setting up the management console" on page 63.
• The MSI credentials package is for Windows installations. For a Linux installation you will need the NTS format package for manual distribution.

On the Linux stand-alone computer
1. Copy the credentials package mig2nss7.nts to /opt/norman/resources/
2. The continuously running component (zelda) detects the new NTS credentials package shortly afterwards, interprets it and informs the Endpoint Manager of the computer's presence.
• All your settings may be overwritten by policies configured in Endpoint Manager.
3. Your computer will be discovered by Endpoint Manager through the network.


Remote access
The GUI can be accessed remotely. By default, remote access is not permitted. Remote access is only permitted from specified locations. You can remove and/or add access to the GUI from a remote location. Remote access should be used only on secure internal networks and only by system administrators.

NOTE If you delete the last entry on the remote access list, remote access will not be permitted anymore. Remote access to the GUI is disabled until you add a new entry to the remote access list.

NOTE If you specify 0.0.0.0 for both netmask and IP address, your computer will be accessible to anyone, which is a security risk. Prefer single-host entries (netmask 255.255.255.255) for the administrators' workstations.

See also "Remote access" on page 54.

nconfig
With nconfig you configure remote access for Endpoint Protection using a command line interface.

Commands

help           View a help message
doc            View the complete documentation
remote-status  View remote access status.
remote-list    Display a list of remote access entries.
remote-add     Add an entry in the remote access list.
remote-remove  Remove an entry from the remote access list.


Options

remote-add
  -i/--ip <ip>            The IP address from where to allow remote access (enter 0.0.0.0 to allow any)
  -n/--netmask <netmask>  The netmask from where to allow remote access (enter 0.0.0.0 to allow any)

remote-remove
  -I/--id <id>            The ID to remove. Retrieved using the command remote-list

Examples

Check remote access status         nconfig remote-status
List allowed IP/netmask pairs      nconfig remote-list
Add an IP/netmask pair             nconfig remote-add -i 192.168.10.1 -n 255.255.255.255
Remove an allowed IP/netmask pair  nconfig remote-remove -I 1
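The remote access list semantics above, as an added Python example that is not Norman's code: it evaluates a list of IP/netmask pairs as entered with nconfig remote-add against a connecting address, treats an empty list as deny-all (per the NOTE above), flags the 0.0.0.0/0.0.0.0 "allow anyone" entry and other wide ranges, and emits the nconfig commands that reproduce a list. How nconfig itself compares a pair (assumed here: classic IPv4 address-and-mask comparison) and the /24 width threshold are assumptions; the example entries are constructed.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]   # (ip, netmask) as given to: nconfig remote-add -i IP -n NETMASK

def entry_allows(entry: Entry, source: str) -> bool:
    """True if the source address falls inside the entry's ip/netmask.
    Assumption: the pair is a classic address-and-mask match (IPv4 only)."""
    ip, mask = (int(ipaddress.IPv4Address(x)) for x in entry)
    return (int(ipaddress.IPv4Address(source)) & mask) == (ip & mask)

def remote_access_allowed(entries: List[Entry], source: str) -> bool:
    # An empty list means remote access is not permitted at all (see the NOTE above).
    return any(entry_allows(e, source) for e in entries)

def audit(entries: List[Entry], min_prefix: int = 24) -> List[Tuple[str, str, str]]:
    """Flag entries that open the GUI to anyone or to a range wider than
    /min_prefix.  The /24 threshold is a local choice, not a product setting."""
    findings = []
    for ip, mask in entries:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        if net.prefixlen == 0:
            findings.append((ip, mask, "open to any address (0.0.0.0/0.0.0.0)"))
        elif net.prefixlen < min_prefix:
            findings.append((ip, mask, f"wide range: {net.with_prefixlen}"))
    return findings

def nconfig_commands(entries: List[Entry]) -> List[str]:
    """The nconfig commands that reproduce the list on the Linux client."""
    return [f"nconfig remote-add -i {ip} -n {mask}" for ip, mask in entries]

# Constructed example list: one admin workstation and one careless catch-all entry.
EXAMPLE_ENTRIES: List[Entry] = [("192.168.10.1", "255.255.255.255"), ("0.0.0.0", "0.0.0.0")]

if __name__ == "__main__":
    for finding in audit(EXAMPLE_ENTRIES):
        print("WARNING:", finding)
    for cmd in nconfig_commands(EXAMPLE_ENTRIES):
        print(cmd)
```

Run the audit against the output of nconfig remote-list before handing a host over: a single catch-all entry makes every other entry irrelevant, because the list is a union of allowed ranges.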


Appendix C: MailScan for Domino

Introduction
MailScan for Domino is a plug-in for Endpoint Protection that offers virus protection. It is fully compatible with the IBM Lotus Domino Server. Scanning is performed on the Endpoint Protection server and no software is needed on the IBM Lotus Domino clients. MailScan for Domino scans incoming email attachments, guarding the main virus entry point in a Lotus Domino environment.

How it works
A folder dom is created in the Norman root folder when MailScan for Domino is installed. The MailScan for Domino path is %systemdrive%\Program Files\Norman\dom

These files are copied into the dom directory during installation:
\bin\nvcd_install.exe    MailScan for Domino installer
\bin\zlh_dom.dll         Communicates with the Endpoint Protection client
\bin\nvcd_load.dll *     MailScan plugin loader for Domino
\bin\nvcd_oa.dll *       MailScan scanner engine for Domino
\res\dom.nts             Configuration database element
\bin\release_notes.txt   Release Notes

* This .dll is also copied to the IBM Lotus Domino server directory: %systemdrive%\Program Files\IBM\Lotus\Domino

MailScan for Domino installs itself by adding the entry NVCd_load.dll to the EXTMGR_ADDINS setting in the notes.ini file. When the Domino server starts, MailScan for Domino analyzes incoming emails and scans any file attachments for malware. You can disable MailScan for Domino manually: remove NVCd_load.dll from the EXTMGR_ADDINS setting in notes.ini and restart the Domino server. The MailScan for Domino plugin is configured in the standard Endpoint Protection configuration panel. It appears as a separate module in the configuration editor and gives access to MailScan for Domino specific settings, while messaging, updating etc. are configured in the common settings.
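The notes.ini change described above, as an added Python example that is not part of MailScan for Domino's installer: it adds NVCd_load.dll to, or removes it from, the EXTMGR_ADDINS setting idempotently, keeping any other add-ins and their order, and can rewrite the file in place with a backup copy. That EXTMGR_ADDINS is a comma-separated list, that the DLL name comparison is case-insensitive and the UTF-8 file encoding are assumptions; the sample notes.ini content is constructed.

```python
from typing import List

ADDIN = "NVCd_load.dll"     # the entry MailScan for Domino adds
KEY = "EXTMGR_ADDINS"       # Domino extension manager add-in list in notes.ini

def _addins(value: str) -> List[str]:
    # Assumption: the setting is a comma-separated list of DLL names.
    return [v.strip() for v in value.split(",") if v.strip()]

def _is_addin_key(line: str) -> bool:
    key, sep, _ = line.partition("=")
    return bool(sep) and key.strip().upper() == KEY

def addin_enabled(ini_text: str, addin: str = ADDIN) -> bool:
    """True if the add-in is listed in EXTMGR_ADDINS (case-insensitive, an assumption)."""
    for line in ini_text.splitlines():
        if _is_addin_key(line):
            return any(v.lower() == addin.lower() for v in _addins(line.partition("=")[2]))
    return False

def set_addin(ini_text: str, enable: bool, addin: str = ADDIN) -> str:
    """Return notes.ini text with the add-in added to or removed from EXTMGR_ADDINS.
    Idempotent: other add-ins and their order are kept, the setting is created when
    missing and dropped when it would become empty.  Line endings are preserved."""
    nl = "\r\n" if "\r\n" in ini_text else "\n"
    out: List[str] = []
    found = False
    for line in ini_text.splitlines():
        if not _is_addin_key(line):
            out.append(line)
            continue
        found = True
        key, _, value = line.partition("=")
        items = _addins(value)
        present = any(v.lower() == addin.lower() for v in items)
        if enable and not present:
            items.append(addin)
        elif not enable and present:
            items = [v for v in items if v.lower() != addin.lower()]
        if items:
            out.append(f"{key.strip()}={','.join(items)}")
    if enable and not found:
        out.append(f"{KEY}={addin}")
    return nl.join(out) + nl

def update_notes_ini(path: str, enable: bool) -> bool:
    """Rewrite notes.ini in place, keeping a .bak copy; returns True if it changed.
    Restart the Domino server afterwards for the change to take effect."""
    with open(path, "r", encoding="utf-8", newline="") as fh:   # encoding: assumption
        before = fh.read()
    after = set_addin(before, enable)
    if after == before:
        return False
    with open(path + ".bak", "w", encoding="utf-8", newline="") as fh:
        fh.write(before)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(after)
    return True

# Constructed sample notes.ini fragment (not taken from a real server).
SAMPLE = ("[Notes]\n"
          "Directory=C:\\Program Files\\IBM\\Lotus\\Domino\\data\n"
          "EXTMGR_ADDINS=Other.dll\n"
          "ServerTasks=Router,Replica\n")
```

Typical use is update_notes_ini(r"C:\Program Files\IBM\Lotus\Domino\notes.ini", enable=False) followed by a Domino restart; the path is the Domino server directory named above and is an assumption about where your notes.ini lives. The same function lets you verify after an Endpoint Protection upgrade or uninstall that the entry is in the state you expect.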

Activity logMailScan for Domino offers a comprehensive and robust malware incident activity log on the Lotus Domino server console and optionally in the Domino server log, the Windows Event log, and in the Endpoint Protection log file:

• Malware name (if known)
• Name of attachment
• Subject
• Creation time and date
• Name and address of originator
• Name of recipient(s)
• Action taken (cleaned, removed, quarantined)

From the Endpoint Protection module’s Support Center > Message handling you can view incidents from MailScan for Domino.


System Requirements
MailScan for Domino requires that an Endpoint Protection 9.x client is installed on the IBM Lotus Domino server.

Supported versions

IBM Lotus Domino 8.0.1-8.5.3
Windows Server 2003
Windows Server 2008 and 2008 R2

NOTE Antivirus products from other vendors may be incompatible with Endpoint Protection. You should uninstall other antivirus programs before installing Endpoint Protection.

If you terminate the setup program during installation, the files that are already copied to your hard drive must be removed manually.

MailScan for Domino must be installed on the Windows server where the IBM Lotus Domino Server is installed. You must be logged in to the system with administrator privileges in order to install the program.

Installation
You can install MailScan for Domino on the local server or from the Endpoint Manager central management console.

Local installation
1. Download and install Endpoint Protection 9.x on your Domino server.

NOTE The license key must include MailScan for Domino.

When the program is installed, an N-icon will appear in the system tray menu.
2. Right-click the N-icon and select Endpoint Protection to open the program.
3. Go to Endpoint Protection > Install and Update.
4. From the Licensed Products list select Not installed for MailScan for Domino.
5. Click Install from the popup dialog that appears.

Please wait while the program is installed and updates are downloaded. You may be required to restart the Domino server when the installation is complete. A MailScan for Domino entry is added to the left-hand side menu.

6. Go to MailScan for Domino.


Installing from Endpoint Manager

NOTE Endpoint Protection 9.x must already be installed and managed by an Endpoint Manager on the designated IBM Lotus Domino Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 30.)
2. Create a new policy.

Enter a name and optionally a note and click Create. The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the MailScan for Domino product.
4. If necessary, edit the newly created policy’s default configuration.
5. Create a group.

To install the product on servers you must create a group in the Endpoint Manager console. Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

NOTE MailScan for Domino will be installed to all servers or computers in this group.

Updating
A malware scanner is only as effective as its most recent virus definition update, so obtaining frequent updates is critical to maintaining a secure computing environment. You should configure Internet Update to update your MailScan for Domino installation automatically. In addition to the scanner engine components, the Internet Update feature provides updates to Endpoint Protection, program updates included.

If you configure Internet Update to download updates on a daily basis, for example, MailScan for Domino is automatically kept up to date. Only a few minutes after new virus definitions are installed, MailScan for Domino will start scanning using the updated files. If nvcd_load.dll is updated, you will have to restart the Lotus Domino server software.


Use and configuration
Once installed, the MailScan for Domino server plug-in appears in the Endpoint Protection’s left-hand side menu.

The Today and Total columns represent today’s numbers and the accumulated numbers since the plug-in was installed, respectively.

NOTE The following configuration options are identical to the options available from Policies in the Endpoint Manager console. Please refer to Configure policy products in the Endpoint Manager Administrator’s Guide (www.norman.com/support/user_manuals).

Block/Allow
Click Block/Allow under the MailScan for Domino menu. From here you can configure attachment blocking and email blocking/allowing for the scanner.

Block attachments

Block list
In this field you can specify filenames to be blocked. The wildcard (*) is accepted for blocking specific extensions; only a wildcard for the filename part is allowed, i.e. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these also represent a potential risk of virus infection.

You can also block specific attachments with names known to contain viruses, such as AnnaKournikova.jpg.vbs. Theoretically, you may block a virus before updated malware definition files are available.


Block/Allow email

Block allow list
Enter a specific name or use the wildcard (*) to identify email addresses to block (senders) or allow (senders/receivers).

NOTE Use with caution: Attachments from email addresses in the allow list will not be scanned for malware.

Settings
Click Settings under the MailScan for Domino menu. From here you can configure general and advanced settings for the scanner.

General

Enable MailScan for Domino
Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Malware handling

Attempt to clean infected attachments
Select this option if you want MailScan for Domino to attempt to clean infected attachments.

Quarantine infected attachments
Select this option to quarantine infected attachments.


Delete infected attachments
Select this option to delete infected attachments.

Advanced

Email server

Protect users from mass mailers
Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the virus per se, as the email is illegitimate and has no real sender. If you select this option, the entire email is marked as DEAD, rather than only the infected attachment being removed.

This feature only works for mass-mailers that Norman’s scanner engine flags as mass-mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.

NOTE The Lotus Domino database MAIL.BOX containing emails marked DEAD may grow substantially with this option enabled. You may therefore need to delete the content of this database more frequently than if this option is not enabled.

Scan archives
When this option is selected, MailScan for Domino will scan recursively inside archive files of all supported formats. The following formats are currently supported: 7Z, ACE, APPLE_SINGLE, ARJ, BZIP2, CAB, GZ, LZH, MAIL, RAR, RAR3, SFXZIP, TAR and ZIP. This will take more time and may consume more memory, but it is the safest option to ensure that your server is absolutely virus free.

Log to Domino Console
In addition to logging to the Endpoint Protection messaging system, important events are also logged to the IBM Lotus Domino Server Console.


Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking affects new emails only.

NOTE Incorrect use of the blocking utility may cause loss of data.

Block all attachments
All attachments are blocked. See also the note above.

Block attachments with double extensions
Many worms and email viruses use a technique where an additional extension is added, for example <filename>.jpg.vbs. Most email clients hide the last extension, so that the attachment appears to have only the extension .jpg. Note, however, that double extensions are not used only by viruses: nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions.

Block attachments with CLSID extensions
Some worms and email viruses use a CLSID technique in an attempt to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives
Another technique that worms use is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the Bagle worms, which send themselves attached as encrypted archives.

NOTE Legitimate files may be sent using the same method. If you select this option, all encrypted archive formats known to the antivirus application will be blocked. Unknown archive formats will also be blocked.

The application recognizes most archive formats. The following formats are currently supported: 7Z, ACE, APPLE_SINGLE, ARJ, BZIP2, CAB, GZ, LZH, MAIL, RAR, RAR3, SFXZIP, TAR and ZIP. Unsupported archives are also blocked.

Quarantine blocked attachments
Blocked attachments will be sent to the quarantine.

Delete blocked attachments
Blocked attachments will be deleted.

Sandbox
This program employs the sandbox functionality to detect new, unknown viruses. The Sandbox is particularly tuned to find new email, network and peer-to-peer worms, and file viruses, and will also react to unknown security threats. Sandbox is enabled at all times. Read more about Sandbox in the section “About SandBox” on page 6.


Appendix D: Exchange Mailbox Scanner

Introduction
Exchange Mailbox Scanner is an Endpoint Protection plug-in for the Microsoft Exchange email server. It uses a VSAPI 2.0/2.5/2.6 plug-in, which connects to the Exchange Information Store on the server for access to emails and attachments. Exchange Mailbox Scanner becomes an integrated part of Exchange itself and is controlled by MS Exchange.

All incoming and outgoing emails are scanned on access in both private and public information stores. Access is only granted to virus-free items or to items from which a virus has been removed. If scanning of an attachment fails, access to the item is denied until it has been scanned successfully, so that a program error cannot let an unscanned item through.

Exchange Service Monitor (ESM)
When Exchange Mailbox Scanner is installed on your system, the Exchange Service Monitor is configured to monitor the Information Store component of Exchange. This ensures better control over Exchange on the server and notifies the administrator if something is wrong.

The installation routine sets up ESM to monitor the Exchange Information Store. If a crash occurs (either a crash in NEP, in which case a crash dialog is displayed on the server, or a crash inside Exchange itself, in which case normally no information is given to the user at all), the Exchange Service Monitor dialog is displayed.

In this case all the command buttons are enabled. However, certain components monitored by ESM will not enable the Restart Service button. The dialog contains information about which services stopped responding and which program is affected. In addition, an error message is sent through the Program Manager to alert the administrator of such an event.

Note that dependent services will not be restarted. If ESM is activated because of a program crash in Exchange Mailbox Scanner or Exchange itself, this does not represent a problem. However, if the administrator has deliberately shut down the Information Store on the server, Exchange Mailbox Scanner will detect this and call ESM to alert that the requested service was not active. In this case services which depend on the Information Store are also stopped, but they are not started by ESM.


System requirements
Exchange Mailbox Scanner supports MS Exchange 2010 SP1 and earlier.

Installation
Exchange Mailbox Scanner should be installed locally on the server(s) running Exchange and must be installed separately on each server running Exchange. The Endpoint Protection installation, however, should be kept distributed, as this ensures distributed engine updates and virus definition files. This way the configuration window for Exchange Mailbox Scanner only appears on the server(s) running Exchange.

To install Exchange Mailbox Scanner you need a license that covers the management of Exchange, i.e. a license key that allows you to install Endpoint Protection as a basis for the Exchange plug-in.

If you have already installed the Endpoint Protection client on your Exchange server and it belongs to a policy with Exchange Mailbox Scanner, you may skip the first 6 steps in the procedure below.

Follow this procedure:
1. Create a new group (see “Create a new group” on page 26), for example “Exchange”.
2. Add a client with MS Exchange installed to the new group or subgroup.
3. Create a new policy (see “Create a new policy” on page 30), for example “Exchange”.
4. Select Exchange Mailbox Scanner from the product list.
5. Add the new policy to the “Exchange” subgroup.
6. Generate a Windows Installer file (.msi) (see “Generate installers” on page 52) and run it on the Exchange client. After the installer has finished, you must wait until the client appears in the Endpoint Protection console, approximately 10 minutes. Running the command zanda /updatenow after the installer has finished will speed up the process significantly.

7. Run the Exchange installer on the client. After a few minutes the Exchange plug-in will be installed. When the files have been copied, the components are installed and registered. This may take several minutes. During this phase your Exchange service is restarted to accommodate the new settings; you do not need to restart the service yourself.

Updating
Obtaining frequent updates is critical. You should configure Internet Update to update your installation automatically (unless you update from CD only). In addition to the scanner engine components, the Internet Update feature provides updates to Endpoint Protection, program updates included.

Exchange Mailbox Scanner updates itself dynamically and without any user interaction. A few minutes after new virus definitions are installed, Exchange Mailbox Scanner will start scanning using the updated files. It adapts its version number so that previously scanned emails are scanned again with the updated files on next access, provided that you have selected the option Scan mailboxes at startup/update (see “Virus scanning” on page 81).


Use and configuration
Configuration can be done from Endpoint Manager or locally on the client. Once installed, Exchange Mailbox Scanner will appear as a separate menu entry in the client software. Note that after changing your configuration, it will take a couple of minutes before the new settings take effect.

The numbers in the Today and Total columns represent today’s numbers and the accumulated numbers since the plug-in was installed, respectively.

NOTE The following configuration options are identical to the options available from the Policies page on the Endpoint Manager. Please refer to “Configure policies” on page 31.

Settings
Configure the virus scanning and attachment blocking options, and create a block list.

Virus scanning


Enable Automatic scanner
You must select this option if you want to use the virus scanner at all. No email scanning will take place if you do not select this option.

Scan mailboxes at startup/update
Select this option if you want Exchange to scan all mailboxes on the server. A scan is performed each time the server is restarted or the scanner is reloaded. All emails are scanned if new virus definition files have been added since the last scan. Mailboxes on the local computers are not scanned when this option is on, because the option applies to emails not yet downloaded from the user’s mailbox on the server.

This option is useful in the following scenarios: 1) mailboxes on the server are already infected, and 2) the administrator downloads new virus definition files each Friday after working hours. This setting ensures that all email is scanned during the weekend with updated antivirus tools.

Note that this option may generate unnecessary workload on the server. In most cases the automatic scanner (on-access component) is sufficient.

Scan archive files
When this option is selected, Exchange Mailbox Scanner will scan recursively inside archive files of all supported formats. The following formats are currently supported: TAR, GZ, BZIP2, ARJ, ACE, RAR, RAR3, ZIP, MAIL, SFXZIP, CAB, LZH, APPLE_SINGLE, and 7Z. This will take more time and may consume more memory, but it is the safest option to ensure that your server is absolutely virus free.

Temporarily deny access if unable to scan
If an error occurs during the scanning of an attachment, access to the email is blocked. Such errors may occur when the server is under heavy workload; the attachment will be scanned correctly the next time it is accessed. However, this also affects damaged files: access to damaged attachments is blocked. If there are damaged emails and attachments on the server, you should deselect this option. Note the potential risk of letting infected files pass uncleaned.

Sandbox
This program employs the sandbox functionality to detect new, unknown viruses. The Sandbox is particularly tuned to find new email, network and peer-to-peer worms, and file viruses, and will also react to unknown security threats. Sandbox is enabled at all times. Read more about Sandbox in the section “About SandBox” on page 6.

Virus handling
These settings decide how infected emails are managed.

Remove infected attachments
All infected attachments will be removed.

Clean infected attachments
All virus infected attachments will be cleaned. When the entire file is the actual virus, like trojan horses and worms, the file is cleaned by deletion.

Remove attachment if not cleaned
If an error occurs during the cleaning of an attachment, it will be removed. If an archive file contains an infected file, and cleaning within archives of that format is not possible, the archive file will be removed.
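The virus scanning and virus handling options above interact on every access to a stored item: whether the item is (re)scanned depends on the definition version it was last scanned with, a scan error either fails closed or fails open depending on Temporarily deny access if unable to scan, and the virus handling options decide whether an infected item ever becomes accessible. The following model of that decision is an added example, not Norman's code; the verdicts come from a constructed table that stands in for the scanner engine, and the definition "version" is a plain integer counter used only to show the rescan-on-update behaviour described under Updating.

```python
"""Model of Exchange Mailbox Scanner's on-access decision (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"          # malware found, attachment can be cleaned
    WHOLE_FILE = "whole file"      # the file itself is the virus (worm, trojan)
    CLEAN_FAILED = "clean failed"  # cleaning error, or archive format that cannot be cleaned
    ERROR = "error"                # scan failed (heavy load, damaged file)


@dataclass
class Settings:
    automatic_scanner: bool = True        # Enable Automatic scanner
    scan_at_startup_update: bool = True   # Scan mailboxes at startup/update
    deny_if_unable_to_scan: bool = True   # Temporarily deny access if unable to scan
    remove_infected: bool = False         # Remove infected attachments
    clean_infected: bool = True           # Clean infected attachments
    remove_if_not_cleaned: bool = True    # Remove attachment if not cleaned


@dataclass
class Attachment:
    name: str
    scanned_with_defs: int | None = None  # definition version stamped at the last successful scan
    cleaned: bool = False
    removed: bool = False


# Constructed verdict table standing in for the scanner engine.
VERDICTS = {
    "report.docx": Verdict.CLEAN,
    "invoice.doc": Verdict.INFECTED,
    "photo.jpg.scr": Verdict.WHOLE_FILE,
    "infected.zip": Verdict.CLEAN_FAILED,
    "damaged.zip": Verdict.ERROR,
}


def needs_scan(att: Attachment, current_defs: int, s: Settings) -> bool:
    """Unscanned items are always scanned; already scanned items are rescanned
    only when newer definitions arrived and rescanning on update is enabled."""
    if att.scanned_with_defs is None:
        return True
    return s.scan_at_startup_update and att.scanned_with_defs < current_defs


def on_access(att: Attachment, current_defs: int, s: Settings) -> str:
    """Return "allow" or "deny" for one access, applying the settings and
    recording clean/remove actions on the attachment."""
    if not s.automatic_scanner or not needs_scan(att, current_defs, s):
        return "allow"
    verdict = VERDICTS.get(att.name, Verdict.CLEAN)
    if verdict is Verdict.ERROR:
        # No version stamp is written, so the item is retried on the next access.
        return "deny" if s.deny_if_unable_to_scan else "allow"
    if verdict is Verdict.CLEAN:
        att.scanned_with_defs = current_defs
        return "allow"
    # Infected: virus handling decides whether the item becomes accessible.
    if s.remove_infected:
        att.removed = True
    elif s.clean_infected and verdict is Verdict.INFECTED:
        att.cleaned = True
    elif s.clean_infected and verdict is Verdict.WHOLE_FILE:
        att.removed = True  # "cleaned by deletion"
    elif s.clean_infected and verdict is Verdict.CLEAN_FAILED and s.remove_if_not_cleaned:
        att.removed = True
    else:
        return "deny"  # still infected: access stays denied
    att.scanned_with_defs = current_defs
    return "allow"
```

The two settings a practitioner should weigh are visible in the branches: turning off deny_if_unable_to_scan makes a damaged or unscannable item readable, and turning off remove_if_not_cleaned leaves an uncleanable archive permanently inaccessible rather than deleted.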


Quarantine
In this section you decide the handling of files that Exchange Mailbox Scanner has identified as infected or otherwise suspicious. If you do not clean or delete such files, we recommend that you isolate them in a designated area, a quarantine.

As more Norman products are added to your existing installation, they will share the quarantine function and use the same options as specified here. Thus you can maintain a consistent quarantine strategy. From the drop-down list, these options are available:

Disabled
No files are quarantined.

Quarantine infected attachments
All infected attachments are quarantined.

Quarantine only if deleted
Only deleted attachments are sent to quarantine.

Delete mass mailers from server
Mass-mailers like Netsky and Bagle distribute themselves as emails, where the email that carries the malware is the virus per se, as the email is illegitimate and has no real sender. If you select this option, the entire email is removed from the server, rather than only the infected attachment.

Attachment blocking

Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking affects new emails as well as old emails already stored, when these are accessed or scanned with changed configuration settings.

NOTE Incorrect use of the blocking utility may cause loss of data: in addition to deleting all new, incoming attachments, old email attachments may be deleted too as a result of background or automatic (on-access) scanning. A visible warning appears when you select this option, and you should be aware of the possible consequences.


Block all attachments
All attachments are blocked.

Block attachments with double extensions
Many worms and email viruses use a technique where an additional extension is added, for example <filename>.jpg.vbs. Most email clients hide the last extension, so that the attachment appears to have only the extension .jpg. Note, however, that double extensions are not used only by viruses: nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions.

Block attachments with CLSID extensions
Some worms and email viruses use a CLSID technique in an attempt to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives
Another technique that worms use is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the Bagle worms, which send themselves attached as encrypted archives. Note that legitimate files may be sent using the same method. If you select this option, all encrypted archive files of a format known to the antivirus application are blocked. The application recognizes most archive formats. The following formats are currently supported: TAR, GZ, BZIP2, ARJ, ACE, RAR, RAR3, ZIP, MAIL, SFXZIP, CAB, LZH, APPLE_SINGLE, and 7Z.

Block list
In this field you can specify file names that should be blocked. The wildcard (*) is accepted for blocking specified extensions; for obvious reasons, only a wildcard for the file name part is allowed, i.e. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider blocking extensions/file types like .exe, .com and .bat, as these also represent a potential risk of virus infection.

In this field you can also block specific attachments with names known to contain viruses, such as AnnaKournikova.jpg.vbs. Theoretically, you may block a virus before updated virus definition files are available.
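The attachment-blocking rules above (Block all attachments, double extensions, CLSID extensions, encrypted archives and the block list) are described identically for MailScan for Domino in Appendix C and for Exchange Mailbox Scanner here, so one worked model serves both. This is an added example, not Norman's code: it validates block-list entries the way the text describes (an exact file name, or a single leading wildcard such as *.vbs), flags double extensions purely by counting dot-separated suffixes (which is why the guide's nexscan.hlp.zip and todolist 20.dec.doc are caught), recognises the {CLSID} extension form, and blocks encrypted or unsupported archives following the MailScan for Domino wording under which unknown archive formats are also blocked. The attachments and their archive metadata are constructed for the example; in the product that metadata comes from the scanner engine.

```python
"""Attachment-blocking rules from the guide, as an added, runnable model."""
from __future__ import annotations
from dataclasses import dataclass
import re

SUPPORTED_ARCHIVES = {
    "7Z", "ACE", "APPLE_SINGLE", "ARJ", "BZIP2", "CAB", "GZ", "LZH",
    "MAIL", "RAR", "RAR3", "SFXZIP", "TAR", "ZIP",
}

# Windows shows "name.{CLSID}" as "name": a {8-4-4-4-12} hex GUID after the last dot.
CLSID_RE = re.compile(r"\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Policy:
    block_all: bool = False
    block_list: tuple[str, ...] = ()
    block_double_extensions: bool = True
    block_clsid_extensions: bool = True
    block_encrypted_archives: bool = False


@dataclass
class Attachment:
    name: str
    archive_format: str | None = None  # as reported by the engine; None if not an archive
    encrypted: bool = False            # constructed flag standing in for the engine's result


def parse_block_entry(entry: str) -> re.Pattern[str]:
    """Compile one block-list entry: 'name.ext' exactly, or '*.ext' with the
    wildcard standing for the whole file-name part. Anything else is rejected."""
    entry = entry.strip()
    if "*" in entry:
        if not entry.startswith("*.") or "*" in entry[1:]:
            raise ValueError(f"only a wildcard for the file name is allowed: {entry!r}")
        return re.compile(r".*" + re.escape(entry[1:]), re.IGNORECASE)
    return re.compile(re.escape(entry), re.IGNORECASE)


def is_valid_block_entry(entry: str) -> bool:
    try:
        parse_block_entry(entry)
        return True
    except ValueError:
        return False


def has_double_extension(name: str) -> bool:
    """More than one non-empty dot-separated suffix, e.g. report.jpg.vbs."""
    parts = name.split(".")
    return len(parts) >= 3 and all(parts[1:])


def evaluate(att: Attachment, policy: Policy) -> list[str]:
    """Return the rules that block the attachment; an empty list means it passes."""
    reasons: list[str] = []
    if policy.block_all:
        reasons.append("block all attachments")
    for entry in policy.block_list:
        if parse_block_entry(entry).fullmatch(att.name):
            reasons.append(f"block list: {entry}")
            break
    if policy.block_double_extensions and has_double_extension(att.name):
        reasons.append("double extension")
    if policy.block_clsid_extensions and CLSID_RE.search(att.name):
        reasons.append("CLSID extension")
    if policy.block_encrypted_archives and att.archive_format is not None:
        if att.encrypted:
            reasons.append("encrypted archive")
        elif att.archive_format.upper() not in SUPPORTED_ARCHIVES:
            reasons.append("unsupported archive format")
    return reasons
```

Running evaluate over a mailbox export with the intended policy before enabling the options on the server shows how many legitimate names the double-extension rule would catch, which is the data-loss caveat the NOTE above is about.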


Appendix E: Exchange Transport Scanner

Introduction
Exchange Transport Scanner is a plug-in for Endpoint Protection that offers virus protection. It is fully compatible with the Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no software is needed on the Microsoft Exchange clients. Exchange Transport Scanner scans incoming email attachments, guarding the main virus entry point in an Exchange environment.

How it works
A folder mx2 is created in the Norman root folder when Exchange Transport Scanner is installed. The Exchange Transport Scanner path is

• %systemdrive%\Program Files\Norman\mx2

These files are copied into the mx2 directory during installation:

\bin\nx2agent.dll        Transport agent that communicates with the service
\bin\nx2installer.exe    Exchange Transport Scanner installer
\bin\nx2svc.exe          Exchange scanner service
\bin\release_notes.txt   Release Notes
\res\mx2.nts             Configuration database element

Exchange Transport Scanner uses a Transport Agent on the Hub Transport server to access all emails and attachments sent to and from the Exchange system. When the Exchange server starts, Exchange Transport Scanner analyzes incoming emails and scans any file attachments for malware. Attachments containing malware are removed before the email is delivered to its destination.

The Exchange Transport Scanner plugin is configured in the standard Endpoint Protection configuration panel. It appears as a separate module in the configuration editor and gives access to the Exchange Transport Scanner specific settings, while messaging, updating etc. are configured in the common settings. Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

Activity log
Exchange Transport Scanner offers a comprehensive and robust malware incident activity log in the Windows Event log and in the Endpoint Protection log file. Each entry contains:

• Malware name (if known)
• Name of attachment
• Subject
• Creation time and date
• Name and address of originator
• Name of recipient(s)
• Action taken (cleaned, removed, quarantined)

From the Endpoint Protection module’s Support Center > Messaging Log Viewer you can view incidents from Exchange Transport Scanner.


System Requirements
Exchange Transport Scanner supports MS Exchange 2010 SP2. Exchange Transport Scanner requires that an Endpoint Protection 9.x client is installed on the Microsoft Exchange server.

NOTE Antivirus products from other vendors may be incompatible with Endpoint Protection. You should uninstall other antivirus programs before installing Endpoint Protection.

Exchange Transport Scanner should be installed locally on the server(s) running Exchange and must be installed separately on each server running Exchange. The Endpoint Protection installation, however, should be kept distributed, as this ensures engine updates and virus definition files on all servers. This way the configuration window for Exchange Transport Scanner only appears on the servers running Exchange.

Installation
Exchange Transport Scanner must be installed on the Windows server where the Hub Transport role of the Microsoft Exchange Server is installed. You must be logged in to the system with administrator privileges in order to install the program. If you terminate the setup program during installation, the files that are already copied to your hard drive will not be removed automatically.


Installing
1. Download and install Endpoint Protection 9.10 on your Exchange Server.

NOTE The license key must include Exchange Transport Scanner.

When the program is installed, an N-icon will appear in the system tray menu.
2. Right-click the N-icon and select Endpoint Protection to open the program.
3. Go to Endpoint Protection > Install and Update.
4. From the Licensed Products list select Not installed for Exchange Transport Scanner.
5. Click Install from the popup dialog that appears.

Please wait while the program is installed and updates are downloaded. You may be required to restart the Exchange server when the installation is complete. An Exchange Transport Scanner entry is added to the left-hand side menu.

6. Go to Exchange Transport Scanner.


Updating
Obtaining frequent updates is critical. You should configure Internet Update to update your installation automatically (unless you update from CD only). In addition to the scanner engine components, the Internet Update feature provides updates to Endpoint Protection, program updates included.

Exchange Transport Scanner updates itself dynamically and without any user interaction. A few minutes after new virus definitions are installed, Exchange Transport Scanner will start scanning using the updated files.

1. Go to Install and Update > Settings > Select update method.
2. Select Automatically every and click the drop-down menu to select the frequency.
3. Click Save.


Use and configuration

Create a domain user

Once installed, the Exchange Transport Scanner server plug-in entry appears in the Endpoint Protection left-hand side menu with a warning triangle. This notifies you that you need to create a domain user before you can start using the program.

NOTE To start using the program you must create a unique domain user.

1. Enter domain, username and password and click Create.

NOTE Only Administrators or users with Administrator privileges can create a domain user. If you do not have these privileges, you will be prompted to log in as Administrator when creating the domain user.

2. The main program page appears.

The Today column shows today's numbers and the Total column the accumulated numbers since the plug-in was installed.


Block/Allow

Click Block/Allow under the Exchange Transport Scanner menu. From here you can configure attachment blocking and email blocking/allowing for the scanner.

Block attachments

In this field you can specify filenames to be blocked. The wildcard (*) is accepted for blocking specific extensions, and it is allowed only in the filename part, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical, so blocking them costs little. You should also consider blocking extensions such as .exe, .com and .bat, as these also represent a potential risk of virus infection. You can also block specific attachments with names known to carry viruses, such as AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition files are available.

Block/Allow email

Enter a specific address or use the wildcard (*) to identify email addresses to block (senders) or allow (senders/receivers).

NOTE Use with caution: attachments from email addresses in the allow list will not be scanned for malware. Because the sender address of an email is easily forged, an allow-list entry for a sender (and especially a wildcard entry covering a whole domain) lets anyone bypass scanning by spoofing that sender. Keep the allow list as short and as specific as possible.


Settings

Click Settings under the Exchange Transport Scanner menu. From here you can configure general and advanced settings for the scanner.

General

Enable Exchange Transport Scanner
Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Malware handling

Attempt to clean infected attachments
Select this option if you want Exchange Transport Scanner to attempt to clean infected attachments.

Quarantine infected attachments
Select this option to quarantine infected attachments.

Delete infected attachments
Select this option to delete infected attachments.

Domain User
This field displays the current domain and username.

Reset Domain User
To edit the domain and/or username, click Reset Domain User and enter the new information.


Advanced

Email server

Protect users from mass mailers
Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is itself the virus: it is not a legitimate message from a real sender. If you select this option, the entire email is deleted rather than only the infected attachment. This feature only works for mass-mailers that Norman's scanner engine has flagged as mass-mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.

Scan archives
When this option is selected, Exchange Transport Scanner scans recursively inside archive files of all supported formats. The following formats are currently supported: 7Z, ACE, APPLE_SINGLE, ARJ, BZIP2, CAB, GZ, LZH, MAIL, RAR, RAR3, SFXZIP, TAR and ZIP. This takes more time and may consume more memory, but it is the safest option for keeping your server free of viruses.

Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking affects new emails only.

NOTE Incorrect use of the blocking utility may cause loss of data.

Block all attachments
All attachments are blocked. See also the note above.

Block attachments with double extensions
Many worms and email viruses use a technique where an additional extension is appended, for example <filename>.jpg.vbs. Most email clients hide the last extension, so the attachment appears to have only the extension .jpg. Note that double extensions are not only used by viruses: nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions and will be blocked by this option.


Block attachments with CLSID extensions
Some worms and email viruses use a CLSID technique in an attempt to fool email scanners and blocking software. They take advantage of a Windows feature that makes it possible to replace an .exe extension with a {...} extension (a class identifier), and thus evade blocking of .exe files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives
Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the Bagle worms, which send themselves as encrypted archive attachments.

NOTE Legitimate files may be sent using the same method. If you select this option, all encrypted archives in formats known to the antivirus application will be blocked. Archives in formats the application does not recognize are also blocked.

The application recognizes most archive formats. The following formats are currently supported: 7Z, ACE, APPLE_SINGLE, ARJ, BZIP2, CAB, GZ, LZH, MAIL, RAR, RAR3, SFXZIP, TAR and ZIP.

Quarantine blocked attachments
Blocked attachments are sent to the quarantine.

Delete blocked attachments
Blocked attachments are deleted.
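The attachment-blocking checks described above (the Block attachments field with its * wildcard, double extensions, CLSID extensions and encrypted archives) are easier to reason about when they can be run against sample filenames. The following Python script is an added illustration written for this appendix; it is not Norman's code and does not reproduce the product's implementation. It only parses ZIP local file headers to detect the encryption flag, and treats every other archive as an unrecognized format, which is also what the product does for formats it cannot open. The settings, patterns, CLSID value and attachment bodies are constructed for the demonstration.

```python
# Added example: attachment-blocking policy checks as described in this
# appendix. Not Norman's code; all inputs below are constructed samples.
import io
import re
import struct
import zipfile

# Options an administrator might tick under Settings > Advanced (constructed).
SETTINGS = {
    "block_all": False,
    "patterns": ["*.vbs", "*.pif", "*.lnk", "*.exe", "*.com", "*.bat",
                 "AnnaKournikova.jpg.vbs"],          # the Block attachments field
    "double_extensions": True,
    "clsid_extensions": True,
    "encrypted_archives": True,
}

# Extensions this illustration treats as archives (subset of the product's list).
ARCHIVE_EXTENSIONS = {"7z", "ace", "arj", "bz2", "cab", "gz", "lzh", "rar", "tar", "zip"}

# Two trailing dot-separated components: "a.jpg.vbs", but also "nexscan.hlp.zip".
DOUBLE_EXT_RE = re.compile(r"\.[^.\\/]+\.[^.\\/]+$")
# A {8-4-4-4-12} hex class identifier used as the last extension.
CLSID_EXT_RE = re.compile(r"\.\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a Block-attachments entry: only '*' is a wildcard, everything
    else is literal, and matching is case-insensitive (Windows filenames)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.I)


def has_double_extension(name: str) -> bool:
    return bool(DOUBLE_EXT_RE.search(name))


def has_clsid_extension(name: str) -> bool:
    return bool(CLSID_EXT_RE.search(name))


def zip_is_encrypted(data: bytes):
    """Walk the ZIP local file headers. True if any entry has the encryption
    flag (general-purpose bit 0) set, False if none does, None if the data is
    not a ZIP file at all."""
    if data[:4] != b"PK\x03\x04":
        return None
    off = 0
    while data[off:off + 4] == b"PK\x03\x04" and len(data) >= off + 30:
        flags, _method, _time, _date, _crc, csize, _usize, nlen, elen = \
            struct.unpack_from("<HHHHIIIHH", data, off + 6)
        if flags & 0x0001:
            return True
        if flags & 0x0008 and csize == 0:
            break  # sizes are in a trailing data descriptor; cannot walk further
        off += 30 + nlen + elen + csize
    return False


def evaluate_attachment(name: str, data: bytes, settings=SETTINGS) -> list:
    """Return the reasons this attachment is blocked; an empty list means it
    is passed on to the malware scanner instead."""
    reasons = []
    if settings["block_all"]:
        reasons.append("all attachments blocked")
    for pat in settings["patterns"]:
        if pattern_to_regex(pat).match(name):
            reasons.append(f"matches pattern {pat}")
    if settings["double_extensions"] and has_double_extension(name):
        reasons.append("double extension")
    if settings["clsid_extensions"] and has_clsid_extension(name):
        reasons.append("CLSID extension")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if settings["encrypted_archives"] and ext in ARCHIVE_EXTENSIONS:
        enc = zip_is_encrypted(data)
        if enc is None:
            reasons.append("archive format not recognised")
        elif enc:
            reasons.append("encrypted archive")
    return reasons


def clean_zip(entry: str, payload: bytes) -> bytes:
    """Constructed sample: a real, unencrypted ZIP built with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry, payload)
    return buf.getvalue()


def encrypted_zip_header(entry: str, payload: bytes) -> bytes:
    """Constructed sample: a stored ZIP local header with the encryption flag
    set. The body is not really encrypted and there is no central directory;
    it is just enough to exercise zip_is_encrypted()."""
    name = entry.encode()
    header = b"PK\x03\x04" + struct.pack(
        "<HHHHHIIIHH", 20, 0x0001, 0, 0, 0, 0, len(payload), len(payload), len(name), 0)
    return header + name + payload


if __name__ == "__main__":
    samples = [  # constructed attachments
        ("report.pdf", b"%PDF-1.4 constructed"),
        ("AnnaKournikova.jpg.vbs", b"constructed script body"),
        ("photo.jpg.{12345678-1234-1234-1234-123456789ABC}", b"constructed"),
        ("nexscan.hlp.zip", clean_zip("nexscan.hlp", b"help text")),
        ("invoice.zip", encrypted_zip_header("invoice.exe", b"MZ constructed")),
        ("backup.rar", b"Rar!\x1a\x07\x00constructed"),
    ]
    for name, data in samples:
        print(f"{name!r:55} -> {evaluate_attachment(name, data) or 'pass to scanner'}")
```

Running the script shows why the manual warns that incorrect use of blocking may cause loss of data: nexscan.hlp.zip is blocked purely because its name has two extensions, and a password-protected ZIP sent by a colleague is blocked just like a Bagle attachment. A real gateway would also need to walk all archive entries and handle nested archives, which the product's "Scan archives" option covers.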

Sandbox

This program employs the sandbox functionality to detect new, unknown viruses. The Sandbox is particularly tuned to find new email, network and peer-to-peer worms and file viruses, and will also react to unknown security threats. Sandbox is enabled at all times. Read more about Sandbox in the section "About SandBox" on page 6.


Copyright © 1990-2013 Norman Safeground AS

Norman Safeground AS is a wholly owned subsidiary of Norway’s only IT security company – Norman AS - established in 1984. Norman Safeground is a global company and has customers in more than 180 countries. Our mission is to offer businesses and home users premium protection from Internet threats through easy to use software – offering you peace of mind while we take care of your security. We strive to understand and solve our customers’ and partners’ challenges and are passionate about providing high quality personal service.

NORMAN CONTACT DETAILS

Norman Safeground AS | PO box 43, 1324 Lysaker, Norway | Office address: Strandveien 37, Lysaker

Tel: 67 10 97 00 | E-mail: [email protected] | www.norman.com

Headquarters
Norway www.norman.com/no www.norman.com/en

Offices
Denmark www.norman.com/dk
Germany www.norman.com/de
Spain www.norman.com/es
France www.norman.com/fr
Italy www.norman.com/it
Netherlands www.norman.com/nl
Sweden www.norman.com/sv
Switzerland www.norman.com/ch
United Kingdom www.norman.com/uk
United States www.norman.com/us