Symantec Protection Suite Enterprise Edition Hands-on Lab - Veritas


Symantec Protection Suite Enterprise Edition hands-on lab: Implementing the top areas of savings from Forrester’s Protection Suite ROI study

Hands-On Lab

Description

Forrester’s research outlined the top technical reasons Protection Suite customers can achieve 152% ROI over 3 years: reduction in security incidents with Endpoint and Messaging security, improved productivity with Workflow, and technology standardization that simplifies management and reporting. Attend this hands-on lab and learn how you can achieve these results and gain further understanding on how Symantec effectively protects your physical and virtual environments from the ever-evolving Advanced Persistent Threats, including a demonstration of some upcoming tools Symantec is introducing, presented by the Product Management team.

This lab assumes a prerequisite knowledge of basic Microsoft networking skills/experience.

At the end of this lab, you should be able to:
- Understand how Protection Center can be used to manage multiple products in the Symantec Protection Suite Enterprise Edition
- Configure products in Protection Center
- Review the Protection Center dashboard to determine the top issues affecting products in the Protection Suite
- Access integrated product consoles for products in the Protection Suite from the Protection Center user interface
- Use Protection Center reports to view cross-product information and initiate workflows for products in the Protection Suite

Notes

A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and provide you with step-by-step walkthroughs of key features. Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace. Be sure to ask your instructor any questions you may have. Thank you for coming to our lab session.

Virtual Machine Configuration

vm-SPC
  Installed software: Protection Center 2.1
  IP config: IP address: 169.254.64.100, Mask: 255.255.255.0, Gateway: 169.254.64.2, Primary DNS: 169.254.64.2
  Login: Username: SPC Admin, Password: Symc4now!

vm-SEP121-m
  Installed software: Windows Server 2003 SP2, Endpoint Protection Manager 12.1, ArGoSoft Mail Server .NET
  IP config: IP address: 169.254.64.120, Mask: 255.255.255.0, Gateway: 169.254.64.2, Primary DNS: 169.254.64.2
  Login: Username: admin, Password: Symc4now!

vm-SMG95
  Installed software: Messaging Gateway 9.5
  IP config: Eth1: 169.254.64.40, Eth2: 169.254.64.41, Mask: 255.255.255.0, Gateway: 169.254.64.2, Primary DNS: 169.254.64.2
  Login: Username: admin, Password: Symc4now!

Logging into Protection Center

For the majority of this lab we will use the vm-SEP121-m (Windows Server 2003 running SEP 12.1 Server) virtual machine.

1. If it is not turned on, power on vm-SEP121-m and log in with the following credentials:
   Username: admin
   Password: Symc4now!
2. Open Internet Explorer using the shortcut on the desktop. The browser should automatically go to x. If it does not, type that into the address bar and hit Enter.
3. Log in using the following credentials:
   Username: SPC Admin
   Password: Symc4now!

Viewing the Protection Center Dashboard

Now let’s look at the elements of the Protection Center landing page to get a better understanding of how a centralized console can help reduce the time it takes to resolve issues.

1. Note the options that are available on the Initial Setup screen. Once you are ready, click the checkbox next to Don’t show this dialog again.
2. This is the Protection Center landing page. Note the three columns within the dashboard.
   - The left column provides data gathered from the Protection Center appliance and the products that are sending data to it.
   - The right column shows information collected from Symantec, including a data feed from the Symantec Global Intelligence Network.
   - The center column is the notification feed. This is where administrators can quickly see important events and news from Symantec.

Viewing Integrated Product Management Consoles in Symantec Protection Center

1. Click the Symantec Protection Center drop-down in the upper-left side of the screen.
2. Mouse over Symantec Endpoint Protection, and then click the selection that appears (100.254.64.120).
3. The tabs will change and you will see the Symantec Endpoint Protection management console initializing. Once it finishes initializing, you will have access to the Symantec Endpoint Protection management interface.
4. Take a few moments to view the data in the console. Once you are finished there, click the Symantec Protection Center drop-down in the upper-left corner of the screen, mouse over Symantec Messaging Gateway, and select the available option (169.254.64.40).
5. You may see a screen that says the content was blocked; if so, click the yellow bar at the top of Internet Explorer and choose Display Blocked Content. Otherwise, the console will load. Take a few minutes to explore the Symantec Messaging Gateway console.

Generating data

To begin, we need to generate some data in Protection Center. The following steps will generate the data we need in order to work through various use cases with Protection Center.

1. On vm-SEP121-m, open the folder Test Files on the desktop. The files in this folder are for testing purposes only. They are not harmful to computers but are not to be used outside of this lab environment.
2. Right-click on Defanged.zip and choose Extract All. When prompted, enter pdrpass1 as the password (this is also located in the readme). Endpoint Protection’s AutoProtect should take action when the files are extracted. This is expected behavior.
3. After a few minutes, Protection Center will pull the event data from Endpoint Protection Manager.

Accessing Reports in Symantec Protection Center

1. Click the Reports tab and select the Blocked Malware Summary.
2. Now select 30 Days from View the last:
3. Click the orange data feed on the Malware Blocked by Product graph.
4. Click one of the malware names on the list to drill down to the Specific Malware report. You will not see Malware Statistics; this is expected behavior due to the nature of the test files.

Generating data for use in cross-product reports

1. On vm-SEP121-m, open the Test Messages (not Test Files) folder on the desktop and double-click Replay.exe.
2. Enter the following into Replay:
   RCPT TO: demo@example.com
   MAIL FROM: test@fake.com
   Check Append Domain and type fake.com into the text box
   Destination Host: 169.254.64.40
   Iterations: 10
   Block Size: 4096
   Check AutoSend
3. While still in Replay.exe, click File > Open and browse to C:\Documents and Settings\admin\Desktop\Test Messages (it may open Test Messages by default) and double-click suspect virus.eml.
4. Wait for Replay.exe to finish sending suspect virus.eml, then repeat the process outlined in step 6 for clean.eml.
5. Make sure Iterations is set to between 10 and 50. It may revert back to 100 whenever Replay.exe is opened.
6. Close Replay.exe and close the Test Messages folder.

Viewing cross-product reporting

1. Open Internet Explorer using the shortcut on the desktop. The browser should automatically go to x. If it does not, type that into the address bar and hit Enter.
2. Log in using the following credentials:
   Username: SPC Admin
   Password: Symc4now!
3. Click the Reports tab.
4. Click the Blocked Malware Summary. Note that we now see data from both Symantec Endpoint Protection and Symantec Messaging Gateway. This allows us to quickly see the status of our protection in the environment.

Working with automation

1. Scroll the Specific Malware report over to the right if necessary. Select one of the Affected Endpoints – in this case, they should all say “VM-SEP121-M” – and click the arrow next to Actions in the right corner.
2. Select Quarantine Using SEP from the drop-down list. This will start the automated process to quarantine the endpoint using Symantec Endpoint Protection. A new window will open.
3. Select Quarantine from SPC Group, choose Demo from the Assign to User drop-down, and click Add.
4. Click Submit. Once the task has been submitted, close this window.

You have now successfully initiated a workflow. In a production environment, this task can be assigned to other users who, on login, will be notified that an outstanding task is waiting for their input.
