Posts tagged ‘Disaster Recovery’

SEPM Upgrade Travails

Last night I started upgrading Symantec Endpoint Protection 11.0.4 to 11.0.5. I’ve been doing these upgrades since 7.0.1 and they rarely go smoothly; this one did not disappoint. As with most of these debacles, the development server upgraded without an issue.
The production server looked like it installed cleanly until I went to start the SEPM service after the install. The service exited immediately after installing. I searched symantec.com/connect and symantec.com/techsupp (support forums and knowledgebase). I got some logs to check and things to verify, and I did a repair install multiple times. Ultimately I didn’t see a solution.
I initiated the disaster recovery procedures documented in the knowledgebase (and in a corporate document I wrote). First I made sure that my backed-up keys and passwords were still good. Then I uninstalled SEPM and reinstalled it. As it was approaching 3:30 AM, I decided to let the database restore run while I slept.
The next day I continued the DR procedures and found the GUI wouldn’t allow me to use what I thought the database password was. I unnecessarily went down the road of changing the password through ODBC. It turned out I was using the wrong password (which happened to use characters the GUI would not allow).
Once the database password was found, I had a new problem. I was restoring from a backup of the database. Of course the database had an old schema. I tried a couple of things to get it to upgrade. I believe it was an upgrade.cmd file that did the trick.
At that point I was able to log into SEPM, and I verified that my configuration was still there and my clients were able to report in.
The (hopefully) last little piece of this struggle was finding 11.0.5 missing under client install packages. I believe the database restore was what caused that to go missing. I found instructions to manually import it.
Symantec Steps into software as a service
I thought this article was interesting, Symantec Steps into Software as a Service.
The Cupertino, Calif.-based company said that the launch of its Online Backup Service, which provides outsourced data storage and disaster recovery services to SMB customers, is merely the first piece in a wider set of offerings it will introduce dubbed Symantec Protection Network, which will eventually include a full range of hosted security tools.
Unplanned Business Continuity Drill
As I was getting ready to leave for work this morning, I got a voicemail message from my manager indicating our corporate headquarters is closing today at 8:30 am due to an A/C failure and that I should work from home.
Normally, this wouldn’t be a problem. However, yesterday I left work at 9:15 pm and didn’t bring my laptop or my computer glasses home. I figured, I wasn’t going to do any more work that evening so why bother. We’re supposed to bring the laptop home every day for disaster recovery purposes.
SAV 10- What’s New
The SAV Installation Guide (savinst.pdf in the docs directory, or check the support site) lists what is new in this release.
Security Risk Detection and Removal
This is Symantec’s term for spyware, adware and assorted security risks. In this version Symantec can now detect spyware via Auto-Protect (real-time scanning). This is an important improvement over SAV 9, which could only scan for this stuff during manual and scheduled scans.
We also now have the ability to have exception lists. Unfortunately, rather than being able to add a single EXE to ignore, we must ignore the entire spyware detection, which means every copy of that tool anywhere in the environment is excluded, not just the sanctioned one. Usually this is OK. For example, with SAV 9 I have users who are constantly getting a virus detection for aports or Radmin. If I determine that is OK, then I would just whitelist it and never be bothered again.
Quickscan
Taking a page from the anti-spyware vendors, Symantec now has a quickscan that checks the common hooks in the operating system used by viruses and crapware to autostart.
By default, the quickscan runs at every boot. Some people are finding this uses a lot of resources at logon. You can disable this behavior with a .reg file available from the Symantec support site.
You can run a quickscan at the beginning of a full system scan also if so desired.
Kill Kill Kill
No, that’s not the voices in your head. Symantec now has the ability to kill processes or stop services. So all those times Symantec couldn’t remove a file because it was a currently running process… that’s in the past. This sounds like a huge improvement.
Tamper Protection
We’ve all seen it. When a virus slips by an antivirus product, the first thing it does is disable the antivirus. Or perhaps it wasn’t a virus, just a user deciding they didn’t need to conform to company policy, so they figure out how to disable it. Tamper Protection watches for this sort of thing.
The problem with Tamper Protection is that it cannot be used if you have any other real-time security software. There are also reports of SMS (Systems Management Server) causing many alerts.
I think the manual also says that Tamper Protection will remove the ability of non-administrative users to run LiveUpdate (assuming you allow anyone to manually run LiveUpdate in your environment).
Test it in your environment, but it sounds to me like this is not ready for prime time.
Role Based Accounts
Instead of having one password giving access to the SSC (Symantec System Center), you can now create role-based accounts to provide read-only, administrator, Central Quarantine and gateway security accounts.
These are separate accounts and cannot use Active Directory accounts.
SSL
SSL is now used to secure the communications between the management consoles (SSC), the parent server, and the clients.
This adds some complexity for disaster recovery and server migration. Make sure you read the manual on this area.
Alternate Data Streams
Now supports scanning for viruses in NTFS alternate data streams. I don’t know of any viruses using this, but the virus researchers have been agitating for vendors to add support for it.
64 bit amd support
We’ve been waiting for this. I don’t think we’ve installed it yet, so I can’t comment. I did see in the readme that updates are through LiveUpdate only, no VDTM (Virus Definition Transport Method).
IPX/SPX support is gone
Other
I notice that under server tuning, you need to check a box to support downlevel clients.
I have only installed the server. Not having installed it on the clients yet, I cannot review the product; I’m just passing on a few notes from what I’ve seen and read thus far. Looks like a solid step forward. McAfee still seems to be better about stopping web exploits, and I don’t see anything in this release that will change that.
Strong Process Controls bring Security
Gene Kim, the CTO of Tripwire, did a study of hundreds of organizations in late 2002 and early 2003. He found that many organizations were struggling with patch management and with system administrator to server ratios of 1 administrator to 5 or 6 servers. Other organizations were humming along with ratios of one administrator to a hundred servers. The 1:100 organizations had strong security. The difference he found between the organizations was the policy and controls in place.
The Tripwire website has an article that goes along with this. What is needed is a prevailing culture of change management, rigorous configuration management practices, and a heavy reliance on release management.
At work, there is an initiative to implement IT Service Management. Administrators have responded with reticence. There are fears that the sys admins job will be nothing more than updating knowledge base articles and disaster recovery plans. The feeling is that System Administration is a dark art rather than a science. From the reports of Gene Kim it sounds like there is a lot of improvement if the process can be implemented correctly.
Sorry for the delay in posting
Normally right after I apologize for a delay in posting, I follow that up by not posting for an even longer period. So I’ll try to avoid that trend this time.
Over the weekend we had a test of our disaster recovery procedures. The SAN containing our mail data, desktop backups and file server went south and we spent a bit of time recovering from that.
Here are some thoughts (not all of it had to be learned the hard way):
1. Alerting is always good. You want to find out about these things as early as possible. I had a page from Unicenter that I interpreted as being about disk size, but apparently it was trying to say “disk gone”. If I hadn’t wandered through work, I wonder how long that would have gone unnoticed.
2. You need a hard copy of your disaster recovery plan, or at least some people’s home phone numbers. It’s not good for it to be on the server that is down. (Apparently there was some concern about providing us low-level people with everyone’s home information because we might go egg their houses. We’re all in I.T. We can probably figure out where you live already.)
3. Plan for the worst case scenario. It could happen.
4. Backup software is worthless if it can’t restore the entire server.
5. In time of a disaster, everyone is needed. Sometimes even if you don’t have knowledge about specific software, you can be a sounding board, or just run out for donuts.
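The first lesson above (a page that meant “disk gone” but read as “disk getting full”) is the kind of ambiguity a monitoring check should remove at the source. The following is an added example, not code from the original post and nothing to do with Unicenter: a small Python volume check that reports a missing volume as a separate, higher-severity state from a low-space one and spells the condition out in the alert text. The list of expected mount points, the 10% low-water mark and the state names are assumptions for illustration; the probe function is injectable so the logic can be exercised with constructed results.

```python
import os
import shutil
from dataclasses import dataclass
from typing import Callable, List, Optional

# Severity ordering: a vanished volume is worse than a full one (assumed scale).
SEVERITY = {"OK": 0, "LOW_SPACE": 1, "MISSING": 2}


@dataclass
class VolumeStatus:
    path: str
    state: str                      # one of SEVERITY's keys
    free_fraction: Optional[float]  # None when the volume is not there


def probe_volume(path: str) -> Optional[float]:
    """Return the free-space fraction of a mounted volume, or None if it is gone.

    ismount() is used rather than exists(): if a mount drops, its mount-point
    directory can still be present on the parent volume, and shutil.disk_usage
    would then happily report the parent's free space.
    """
    if not os.path.ismount(path):
        return None
    usage = shutil.disk_usage(path)
    return usage.free / usage.total if usage.total else 0.0


def classify(path: str, free_fraction: Optional[float],
             low_water: float = 0.10) -> VolumeStatus:
    """Turn a probe result into an explicit state instead of a bare number."""
    if free_fraction is None:
        return VolumeStatus(path, "MISSING", None)
    if free_fraction < low_water:
        return VolumeStatus(path, "LOW_SPACE", free_fraction)
    return VolumeStatus(path, "OK", free_fraction)


def check_volumes(expected: List[str],
                  probe: Callable[[str], Optional[float]] = probe_volume,
                  low_water: float = 0.10) -> List[VolumeStatus]:
    """Check every volume the DR plan says must be present; worst state first."""
    statuses = [classify(p, probe(p), low_water) for p in expected]
    return sorted(statuses, key=lambda s: SEVERITY[s.state], reverse=True)


def format_alert(status: VolumeStatus) -> str:
    """Spell the condition out; a pager message must not need interpretation."""
    if status.state == "MISSING":
        return f"CRITICAL {status.path}: volume not present (disk gone, not full)"
    if status.state == "LOW_SPACE":
        return f"WARNING {status.path}: {status.free_fraction:.0%} free"
    return f"OK {status.path}: {status.free_fraction:.0%} free"


def worst_state(statuses: List[VolumeStatus]) -> str:
    """Overall result, usable as a single summary page or an exit code."""
    return max((s.state for s in statuses), key=SEVERITY.get, default="OK")


if __name__ == "__main__":
    # Assumed list of what the DR plan expects mounted on this host: the root
    # volume plus a deliberately absent path to show the MISSING branch.
    root = os.path.abspath(os.sep)
    EXPECTED = [root, os.path.join(root, "no-such-volume")]
    for s in check_volumes(EXPECTED):
        print(format_alert(s))
```

The point of the design is that “missing” is never collapsed into “0% free”: the probe returns None for an absent mount, the classifier gives that its own state, and the alert text says which case it is, so the person reading the page at 3 AM does not have to guess.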

