
Installation of Symantec Endpoint Protection 12.1 RU1 Rev. 3 23/August/12

Introduction
The assumption is that you are going to install this package on a series of maxSTATIONs, with one of
them designated as the Endpoint Protection Manager, and the rest of the stations as its clients. In a
maxDNA system, there can be multiple endpoint protection managers, with each manager responsible for
different clients. For instance, if there are multiple generating Units, there may be a manager per Unit,
with all of the maxSTATIONs supporting a Unit assigned to that manager. Each manager would have its
own Groups and separate password.

The Manager and the Clients can be maxSTATION Version 4.x on Windows XP, or maxSTATION 6.x
on Windows 7. This Symantec product does not work with Windows 2000, so it cannot be used with
maxSTATION Version 3.x.

In maxSTATIONs, this package has been tested with Windows XP Service Packs 2 and 3, and Windows
7 x64 Service Pack 1.

NOTE: for the remainder of this document, Symantec Endpoint Protection will be referred to as SEP;
Symantec Endpoint Protection Manager will be referred to as SEPM; the manager computer will be
referred to as the Manager; and a client computer will be referred to as a Client.

Contents
Prerequisites
Obtaining a Symantec License File
Maintaining your Symantec Licenses
Consideration for the assignment of the Manager
Part I: Activities Prior to beginning Installation
Part II: Enabling Administrator Account on Windows 7 stations
Part III: Enabling Network Discovery on Windows 7 stations
Part IV: Installing the SEP Manager on one maxSTATION
Part V: Preparation of the SEP Manager
Part VI: Client Installation
Part VII: Enabling the Symantec Shield
Part VIII: Enabling Viewing of the Definitions Date
Part IX: Updating the Virus Definition files
Appendix A Allowing Network Access Sharing
Appendix B Re-enabling Windows Features
Appendix C Removal of Previously-installed Symantec Security Software
Appendix D Documenting Important Information
Appendix E SEP AntiVirus Definition Updates Performed

Copyright 2012 by Metso Automation USA Inc. All rights reserved. 1


Prerequisites
In order for this package to be used, the following items must be dealt with before installation can begin.

1. The Manager must have 4GB of RAM, minimum, must have at least a 2.5GHz processor, and
must have a DVD drive. While modern computers often meet those needs, if you are trying to
install the SEP Manager package on an older computer, it must meet those requirements. The
drive doesn't have to write DVDs, but the installation media is a DVD.

2. The Clients need at least 512MB of RAM, minimum. The package has been tested on
maxSTATION clients whose CPU is as slow as 1.7GHz, but the faster the CPU is, the better. The
Clients do not need a DVD drive, since they are installed from the Manager.

3. The Manager must have Internet Explorer version 8 installed. The clients do not have this
requirement. The Metso-supplied Symantec Endpoint Protection DVD has a copy of the Internet
Explorer 8 installation program. This is necessary only if the Manager computer runs on
Windows XP. If the Manager runs on Windows 7, IE8 is already included. On Windows XP, you
must have Service Pack 3 installed in the Manager in order to install Internet Explorer 8.

4. The Manager computer name must not contain underscores. While Microsoft's networking
software permits underscores in a computer name, the published standard for TCP networking
(RFC 952) states that only alphabetic, numeric, or the dash (hyphen) characters are permitted in a
host name. This means that, before you can install this package, you will have to make sure that
the Manager's name does not have an underscore character. The Client names can contain an
underscore. If the Manager is an existing maxSTATION in the control system, here are the
necessary steps to be followed:

a) Modify wks.ini to change the name of the Manager; you can do this with Notepad, replacing
any underscores with the dash character

b) Copy the replacement wks.ini to every maxSTATION

c) Log on as Administrator at the Manager maxSTATION to edit its name

d) Correct any customized maxSTATION name references, used by the Software Backplane, for
the Manager. Examples include:

i. StartupConfig: Other station name for maxSTORIAN backup
ii. StartupConfig: Other station name for Event Sync
iii. MCS Registry entries containing the name of a maxSTATION:
1. Annunciator Silence Station 1, 2, and 3
2. Default Logger
3. Name of Engineer Station
4. Station Name of Report Server
iv. maxSCRIPTs with a station name (example: LOGO.mn specifies display
behavior based on station name)
v. maxFileSync: maxSTATION name in FileSync.ini
vi. Mergealm.ini and EvtColl.ini that may contain a Manager maxSTATION name



5. After each maxSTATION is rebooted, it will use the new name, the new wks.ini file, and any
changes made in StartupConfig.

NOTE that performing a Security Download to DPU4Fs is not necessary, since the DPU4Fs use
the IP address, not the name, of maxSTATIONs in the security list.

6. The last step is to edit any graphic displays that include the name of the Manager maxSTATION
in them. Examples include the Network Status display; the Remote SBP display; an Alarm
Summary pointing to the Manager maxSTATION.
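
An added example (not part of the Metso procedure) for the rename described in prerequisite items 4 to 6: a PowerShell check that a proposed Manager name uses only letters, digits and hyphens, followed by a search of a folder for text files that still mention the old name. The function names, the demo folder and the sample file contents are assumptions; the MCS Registry entries and the graphic displays listed above are not covered and still have to be checked by hand.

```powershell
# Added example, not Metso or Symantec code. Function names, the demo folder and
# the file contents written below are constructed for illustration.

function Test-ManagerName {
    # Returns a list of problems; an empty list means the name is acceptable.
    param([string]$Name)
    $problems = @()
    if ($Name -match '_') {
        $problems += 'contains an underscore'
    }
    # The underscore is reported above, so it is tolerated in this second test
    # to avoid flagging the same character twice.
    if ($Name -notmatch '^[A-Za-z0-9_-]+$') {
        $problems += 'uses characters other than letters, digits and the hyphen'
    }
    if ($Name -match '^-|-$') {
        $problems += 'starts or ends with a hyphen'
    }
    if ($Name.Length -gt 15) {
        $problems += 'is longer than 15 characters (Windows computer-name limit)'
    }
    return ,$problems
}

function Find-StationNameReference {
    # Lists every line under $Root, in the given file types, that mentions $OldName.
    # The match is a case-insensitive substring match, so review each hit.
    param(
        [string]$Root,
        [string]$OldName,
        [string[]]$Include = @('*.ini', '*.mn')
    )
    Get-ChildItem -Path $Root -Recurse -Include $Include |
        Where-Object { -not $_.PSIsContainer } |
        Select-String -SimpleMatch -Pattern $OldName |
        Select-Object Path, LineNumber, Line
}

# --- Demo on constructed files ------------------------------------------------
$oldName = 'ENG_STATION_1'               # constructed example name
$newName = $oldName -replace '_', '-'    # underscores replaced with dashes

$demo = Join-Path $env:TEMP 'manager-rename-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'wks.ini')      -Value 'ENG_STATION_1', 'OPER-2'
Set-Content -Path (Join-Path $demo 'FileSync.ini') -Value 'Source=ENG_STATION_1'
Set-Content -Path (Join-Path $demo 'LOGO.mn')      -Value 'station OPER-2'

foreach ($name in $oldName, $newName) {
    $problems = Test-ManagerName $name
    if ($problems.Count -eq 0) {
        "$name : acceptable as a Manager name"
    }
    else {
        "$name : " + ($problems -join '; ')
    }
}

# Anything listed here still has to be edited before the stations are rebooted.
Find-StationNameReference -Root $demo -OldName $oldName | Format-Table -AutoSize
```

Run the search again after copying the replacement wks.ini to every maxSTATION; an empty result for the old name means the text files under that folder are clean.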



Obtaining a Symantec License File
Symantec permits product registration in two ways. The first way assumes that the Manager has Internet
access, but the Manager in this application does not, so that way cannot be used.

The second way is to download a license file from Symantec, using the information provided in the
Symantec License document that you were given. Here are the instructions for the use of that method.

Go to https://licensing.symantec.com.

You will be redirected to the following page.

Click on the button, Go to My Symantec. The page looks like this.

You have to have an account with them. If you do not, then you can create one by following the
instructions below the "Sign in with your SymAccount" box.

After you have an account, the next page appears.



If you have already registered your license, then proceed to View All licenses. If you have not, then
click on New and Renewal Purchase.

You will see the following page.

Enter your Serial Number, and press SUBMIT. The serial number that you need to enter is shown on
your Symantec license paperwork, in the left-most column.

Now you can view all licenses. The page looks like this:



Notice that, on the sample page at the bottom, there is an entry for Symantec Endpoint Protection 12.1.
On the right, click on View Details.

From this page, you can click on Download License Key File (xxxxx.slf). Once you have downloaded
the file, store it on a USB thumb drive or a CD-R in order to apply it later in the Instructions (Part V,
below).



Maintaining your Symantec Licenses
It is very important that you maintain your Symantec licenses for SEP 12. The licenses that you initially
purchased or that were supplied by Metso have an expiration date (the expiration date is shown on your
Symantec license paperwork). After that date, you are given a grace period of 30 days; after that grace
period, the Manager will no longer function properly. In addition, if the Manager computer's hard drive
fails, and you are forced into re-installing the Manager, it will not accept an expired license in order to
operate; you have to have a current, active license.

Be proactive: know when your licenses will expire, and start your purchase request for your license
renewal perhaps a month before the older license is expected to expire, so that you will be able to install
the renewal Symantec License File just before your previous license file expires.

Consideration for the assignment of the Manager


When the Manager is given an Antivirus Definition update, you should be aware of what is likely to
happen, if the Manager is a Windows XP computer. During update processing in the Manager, before
dissemination to the Clients, for up to two minutes, there may be intermittent disruption of the
maxTRANSPORT task in the Manager. Then the Clients will gradually obtain and install the definitions
without any disruption. This period of disruption may lead to display striping at the Manager as well as
loss of subscriptions both from the Manager station and from Client stations that want Software
Backplane data from the Manager.

Because of the above scenario, you should plan to assign the Manager duties to a station that is not 24x7
mission-critical; for example, the secondary maxSTORIAN, or a second engineering station.



Part I: Activities Prior to beginning Installation
Perform the following steps at the Manager and each Client before beginning the install process.

1. Before you begin the installation, you must disable automatic logon after reboot. The reason
for this: after an install is complete, it is expected that the station will be rebooted before the
installation really is complete; it is also expected that after the station is rebooted, you will
immediately log in as Administrator in order to complete the installation. If the station first logs
in as another user, such as operator, the installation will not be completed correctly. So: if
automatic login has been applied to a maxSTATION, disable it, complete all of the installation
steps below, and then re-enable auto login again.

2. Log on as Administrator; go to (Start | All Programs | MAX Administrative Tools |
StartupConfig); uncheck the entry "Run As Service" next to "Core SBP Functions" at the top of
the window; perform a Save and Exit, and confirm that you want to save the change. This will
prevent the maxDNA services from starting up during the installation.

Next, use Windows Explorer to navigate to c:\MCS\SBP\ServicesStop.exe. Double-click on that
program to run it, and confirm that you want to shut down the services. Click Exit to complete
this. NOTE that, if a station is a member of a backup pair of maxSTATIONs (maxSTORIAN,
maxLINKS), be sure that you shut down services on the inactive member of the pair first; then
shut down those of the active member.

AFTER all of the installation steps have been performed completely, log on as Administrator, run
StartupConfig again, re-check the same entry (Run As Service next to Core SBP Functions),
save and exit, then reboot again to re-enable the maxDNA services.

3. For all maxSTATIONs, it is assumed that you will install maxSTATION software prior to
performing these steps. If you have not yet installed maxSTATION, please see Appendix A,
Allowing Network Access Sharing, before continuing.

4. If any maxSTATIONs have previously had the Microsoft Windows Hardening steps performed
on them, then their Default Shares and Remote Registry have been disabled. If that is the case,
SEP cannot be installed until those features have been re-enabled. See Appendix B, Re-enabling
Windows Features, before continuing.

5. If any maxSTATIONs have previously had Symantec security software installed on them (might
be Symantec AntiVirus Corporate Edition, or a previous SEP installation), then that software
must be removed prior to performing this installation. See Appendix C, Removal of Previously-
installed Symantec Security Software, before continuing.



Part II: Enabling Administrator Account on Windows 7 stations
Before you begin, you will need to enable the Administrator account on all Windows 7 maxSTATIONs
(this is not an issue for Windows XP-based stations). SEP cannot be installed unless the maxSTATION
is logged in as user Administrator, but in Windows 7, that account is disabled by default for security
reasons.

When you enable Administrator, give that user the same password that you gave to user maxDNAAdmin.

The Windows XP Start button has been replaced by the Windows 7 Start Orb in the left side of the
toolbar. When the instructions state to go to the Start Orb, they mean to go where the Start button used to
be.

As user maxDNAAdmin, Go to Start Orb | Control Panel. You will see it set to View by: Category.
Change the view to Small icons. Now you can select Administrative Tools | Computer Management |
Local Users and groups | Users. Change the Properties of the Administrator account to enabled.
Change the password as mentioned above. Log off as user maxDNAAdmin.

Part III: Enabling Network Discovery on Windows 7 stations


If any maxSTATION is Windows 7, perform this Part; if it is Windows XP, go to Part IV.

By default, on all Windows 7 computers, Network Discovery is disabled. SEP Manager needs that
capability when it creates a list of client stations during deployment.

1. As user Administrator, open Windows Explorer. On the left, you will see four selections:
Favorites, Libraries, Computer, and Network. Click on Network.

2. You will see the message, "Network discovery and file sharing are turned off... Click to
change..." Click on that message.

3. When you "Click to change", you'll see a popup menu, "Turn on network discovery and file
sharing". Click on that entry.

4. Click on "No, make the network that I am connected to be a private network".

5. Windows will search maxNET for other computers, and display them as it finds them.

This completes Part III. Close out Windows Explorer.

Part IV: Installing the SEP Manager on one maxSTATION


Before you begin, see Appendix D, Documenting Important Information. Write down the information,
and then use that information when called for in subsequent parts of this procedure.

At the maxSTATION designated as the Manager:

1. Log in as Administrator.

2. Insert the SEP 12.1 RU1 DVD.


If the Manager is Windows 7, you will see the Autoplay window; click Run setup.exe to initiate the
program. On the screen, you'll see the SEP window. The first window looks like this:



3. Select Install Symantec Endpoint Protection.

4. Select Install Symantec Endpoint Protection Manager.



5. Click Next> to begin installation.

6. Click I accept the terms of the license agreement; then click Next>.

7. Click Next> to accept the destination folder.

8. Click Install> to begin installation. The next window is labeled Installing Symantec Endpoint
Protection Manager. It takes a while to install.

9. The screen returns to the window above, with Configure the management server in bold type. Click
Next>.



10. Leave Default configuration checked. Leave Use a recovery file unchecked. Click Next>.

11. You must provide a password (the one you created in Appendix D) and an email address, even if the
email address is fake (schmoe@schmoe.com). Click Next>.

12. You'll see a window with "The management server uses these settings..." Leave that blank. When
you are asked about sending a test email, click No. Click Next>.

13. You will be asked about Data Collection. Uncheck Yes, because this manager does not have
Internet access. Click Next>.

14. You will see a screen that looks like the following one.



15. You could print your screen if you have an attached printer, or capture the screen as a JPG file to
remember it; this is not necessary, though. Click Next>.

16. The next step includes the message, The database is being created and initialized. This step will
take a long time (tens of minutes).

17. The Management Server Configuration Wizard is completed. Leave Run the Migration Wizard
unchecked. Uncheck Launch the Symantec Endpoint Protection Manager; you are not ready to use
it, yet, because you have to set up the Clients. Click Finish.



18. This completes the installation of the Symantec Endpoint Protection Manager. Remove the DVD, and
reboot the Manager station.

Part V: Preparation of the SEP Manager


At the maxSTATION designated as the Manager:

1. Log in as Administrator.

2. Go to Start | All Programs | Symantec Endpoint Protection Manager | Symantec Endpoint
Protection Manager. Log in to SEPM with the admin user name and the password that you
created and documented in Appendix D.

You will see the following:

3. At first, you may get a warning, "Windows Security Alert".

If the Manager is Windows XP, check "Unblock"; the window will disappear.
If the Manager is Windows 7, check "Private networks..."; uncheck "Public networks...". Then
click "Allow access". The window will disappear.

4. Under License Status, click on "Activate your product". You cannot use the option, "I have a
serial number"; you must use the slf file that you downloaded from Symantec.



5. Open Windows Explorer, and put your thumb drive with your slf file in a USB port. Copy the file
to c:\Program Files\Symantec [in Win7, c:\Program Files (x86)\Symantec]. Close Windows
Explorer, and eject your USB thumb drive.

6. Click Next> in the window shown above. Click on Add File. From the Symantec Open
window, navigate to the slf file, select it, and click Open. The file is now listed in the Upload
a Symantec License file (.slf) window. Click Next>.

7. You will now see New Serial Numbers, with your file listed. Click Next>.

8. You will now see 1 new license has been successfully activated. Click Finish.

This completes the license installation.



9. From this Admin tab, on the lower left, select Install Packages.

You will see the following window:

10. At the upper left, click on Client Install Feature Set, and then click on Add Client Install
Feature Set in the middle on the left.

11. In the Name box, type in "maxDNA Basic Protection" (without the quotes).

12. In the checkboxes below:


Leave Virus, Spyware Checked
Uncheck POP3/SMTP Scanner; just acknowledge the warning
Uncheck Proactive Threat Protection
Uncheck Network Threat Protection

The reason for unchecking these options is that, with no Internet access for the Manager, the
Manager cannot get updates from Symantec for these features (only anti-virus definitions can be
downloaded and replaced manually).



Here is what the window should look like. Click OK to complete.

13. In the main Symantec Endpoint Protection Manager window, click on the Clients tab (at the
middle left).



14. Select My Company, which is a Group. Below My Company in the middle, select the
Policies tab.

15. Under Settings, on the right-middle, select Communications Settings.



16. Under the Download section, select Pull Mode. Click on OK.



17. Under Settings, select External Communications Settings.

Uncheck "Let computers automatically forward..."
Uncheck "Allow Insight lookups..." Confirm that you want that setting. Click OK.

The reason for changing these settings is that the Manager lacks Internet access.

18. You are returned to the My Company Policies tab. Under Location-specific Policies and Settings
| Location-Specific Policies:

19. Find Firewall policy [shared]. Click on Tasks on the right. Under Tasks, click on
Withdraw Policy. You will be asked for confirmation. Answer Yes. The Firewall Policy will
be deleted from the list.

20. Find Intrusion Prevention policy [shared]. Click on Tasks on the right. Click on Withdraw
Policy. You will be asked for confirmation. Answer Yes. The Intrusion Prevention policy will
be deleted from the list.

21. Find Application and Device Control policy [shared]. Click on Tasks. Click on Withdraw
Policy and click Yes to confirm. The policy will be deleted.

You will keep the three policies: Virus and Spyware Protection, Live Update Settings, and
Exceptions.

22. Next, click on Exceptions Policy [shared]. A popup, Edit Policy, comes up. Click on Edit
Shared.



23. A new window, Exceptions Policy, is displayed. Select Exceptions on the left.

24. Under Exceptions, click Add. Select Windows Exceptions. Click on Extensions.

25. For each file extension, click in the text box to the left of Add. Enter an extension as 2 or 3
characters, then click Add. The extensions to be added are:

4E 4F mxs mn mxo evt hdf hed hrf

Now click on OK to complete.

All of the policies that you just set up will be inherited by all Groups that you define that are
subgroups of My Company. Click on OK to close the Exceptions Policy window.



26. On the left in the main window, right-click on the group My Company. Select "Add a group".
For the Group Name, enter "Win XP Clients", but without the quotes.

27. Again, right-click on the group My Company. Select "Add a group". For the Group Name,
enter "Win7 Clients", but without the quotes.

This completes the preparation of Symantec Endpoint Protection Manager. At the beginning of Part VI,
you can proceed to step 3; the first two steps are listed there because you might want to go back to install
more clients after SEPM is already set up.

Part VI: Client Installation


At the maxSTATION designated as the Manager:

1. Log in as Administrator.

2. Go to Start Orb | All Programs | Symantec Endpoint Manager | Symantec Endpoint Manager. Log
in to SEPM with the admin user name and the password that you created and documented in
Appendix D. Then click on the tab on the left, Clients.

3. Click on the Clients tab under the words, My Company. Below is the view you will see.

4. Click on the Win XP Clients group on the left. On the lower left, click on Add a client.
You will see the following window.



5. New Package Deployment is already selected. Click Next>.

6. In this window,

a. The Install Packages: selection does not need to be changed; SEPM will automatically select
the correct package.

b. The Install Feature Sets: selection must be changed to maxDNA Basic Protection, the set
that you created in Part V.

c. The Install Settings: selection remains at Default Client Installation Settings.

d. Under Content Options: select Basic content.


e. Under Preferred Mode: leave the selection at Computer mode. Click Next>.

7. The next window appears. If it is not already selected, select Remote Push and click Next>.

8. Now you will need to select the computer(s) to which you will deploy SEP. The Computer
Selection window shows a Browse Network window. Expand Microsoft Windows Network to
reach your Workgroup, to show a list of all of the maxSTATIONs within the Workgroup. The
list is built by Windows Networking.



9. Use the CTRL key to select each Windows XP maxSTATION, including the Manager
computer itself. When all of the computers that you intend to deploy have been selected, push the
>> button.

10. Experience has shown that not all of the client stations may show up in the client list in the left
pane, due to a bug either in Windows or in Symantec Manager. If you know that a client is
missing from the list, you can search for it individually. To do this, press the Search Network
button. Initially, no computers will be listed.

11. Click the Find Computers button. The Find Computers window will appear.

12. The window can be used one of two ways. You can either enter an address range, such as
172.16.160.1 to 172.16.160.20, representing the IP addresses of the client computers; or you can
enter the name of the client computer that you are attempting to reach. The IP address range can
be used to force Symantec to use whichever network (maxNET A, maxNET B, or a third
network if you have one installed) you wish to use for Symantec traffic alone.

13. Below is an example. There is a maxSTATION, HIST4, at address 172.16.160.47. Pushing
OK starts the search. Searching can take a long time; thus it's a good idea to limit the range of
addresses to search.



14. When HIST4 is found, the Computer Selection screen now looks like the following:

15. After you have selected the computer(s) that will be deployed, click Next>.

16. The Credentials popup will appear.

17. Enter the Administrator password that is used by all of your maxSTATIONs, then press OK. If
any computer cannot be reached, push CANCEL, and keep going. As each computer is
contacted and credentialed, it will be added to the list, and its Operating System type, either 32-
bit or 64-bit, will be shown.



18. Click Next> to initiate install to all of the Clients on the list. You may be asked for
confirmation that you want to send client software to the list. Click Send.

19. The progress for each Client will be shown. The following window summarizes all of the Client
installs.

20. After all of the Client maxSTATIONs have been deployed, you can click Next>. You will see
the message, Client Deployment Wizard Complete. Click Finish.

21. Check the screen of each Client computer to which you deployed SEP. You will see the Live
Update Status appear. Click Close to complete the installation at each Client.

Once installation has been initiated at a client maxSTATION, it can take minutes to reach
completion. You can expect that, upon completion of the installation, you will see a notice that
the anti-virus definition files are out of date. Just click Close. You will be updating them later.
You can expect to see the SEP shield in the System Tray.

The following window may appear only on the SEP Manager, after SEP is installed in the
Manager.

22. Exit from the SEP Manager (log off, then press Exit). Then command the Manager to Restart
Now. After restart, log in as Administrator again.

23. Restart each Client maxSTATION, then log in as Administrator again.

24. If you have Windows 7 64-bit Clients, and / or the Manager is a Windows 7 computer, repeat all
of the steps above (Part VI Steps 1 to 17), but at Step 4, select the Win 7 Group, and at Step
9, select the Windows 7 clients.

25. Restart the Manager and all Clients.

Part VII: Enabling the Symantec Shield


For the Windows 7 Clients alone, the Symantec Shield does not automatically appear on the System Tray
for users that can access the Desktop. The following procedure is not needed for Windows XP clients,
only Windows 7 clients.

For each user (usually just those users that are members of the Administrators group or the Engineers
group), perform the following steps.

1. On the System Tray, click on the () symbol. This will call up a window showing all of the
hidden icons, of which one will be the Symantec shield.

2. Below the icons, you will see the entry, Customized. Select that.



3. In the list (shown above) that appears in the window, find Symantec Service Framework, and
use the pull down to select the entry Show icon and notifications.

4. Click OK. The shield will now appear on the System Tray.

This Part is completed once you have done this for each Desktop-enabled user for each Windows 7 client
station.

This completes the installation of SEP to the Manager and to the Clients. Did you remember to re-enable
auto logon if the station had it previously? Did you remember to re-enable the maxDNA services from
StartupConfig? See Part I, Activities Prior to beginning Installation, for reminders. Do this for the SEP
Manager as well as for all of the Client stations.

Part VIII: Enabling Viewing of the Definitions Date


For the Windows XP Clients alone, SEP 12.1 introduced a bug that prevents all users except for
Administrators from seeing the version of Definitions that have been installed (the other users see only
"Waiting for updates"). This is not an issue with Windows 7 Clients, so you can skip this Part if you have
no Windows XP clients.

1. Log in as Administrator.

2. Open Symantec Endpoint Protection.

3. Select Change Settings on the left.



4. Under Client Management, select Configure Settings.

5. In the Client Management Settings window, select the tab Tamper Protection.

6. At the top, uncheck "Protect Symantec security software from being tampered with...".

7. Click OK to apply and close.

8. Open Windows Explorer. Navigate to C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection.

9. Right-click the folder name, and select Properties; Select Security.

10. Add two groups: Engineers and Operators. Their rights can be the default rights.

11. Go to Advanced.

12. Check the box next to "Replace permission entries on all child objects...".

13. Click OK. An "are you sure" message box will come up. Click Yes.

14. Close out the Properties window.

15. Close out Windows Explorer.

16. Go back to Symantec Endpoint Protection, and re-enable the Tamper Protection using the same path
listed above.

17. Close out Symantec Endpoint Protection.

This completes the actions for one Windows XP client; repeat these steps for each of the XP clients.



Part IX: Updating the Virus Definition files
As was previously discussed, since a maxSTATION is not connected to the Internet, there isn't a way to
use Live Update to get the latest virus definition files. Instead, you will use the Intelligent Updater to get
the latest virus definition files. The easiest way to perform this step is to use an Internet-connected
computer to download the packed file; store the file on a thumb drive; and then load the file from the
thumb drive on to the Manager. The packed file can vary in size from 120MB to 170MB.

The assumption is that you have a thumb drive that can attach via USB to both a computer with Internet
access and to the maxSTATION that is acting as the SEP Manager. Be sure to set that up, if you have not
done so yet.

At the computer with Internet access, perform the following steps. In most of the steps, the result of the
step will be to call up a new page.

1. Point your web browser to www.symantec.com. You will see the following page, or something
similar (Symantec's opening page gets improved just when you think that you know it).

2. At the top, hover over the Security Response area. A popup will appear. On the left, underneath
STAY SECURE, you will see Updates and Virus Definitions and Security Updates. Select that
option.

3. The Virus Definitions & Security Updates page will appear.



4. The Select product default entry is Symantec Endpoint Protection 12.1. Change the entry to that
version if the default is some other version.

5. The entry below is File-Based Protection (Traditional Antivirus). Select Download: Virus
Definitions.

6. The Symantec Endpoint Protection | Symantec Corporate Edition page appears. Scroll down the
page to the entry labeled Manager Installations on Windows platforms (32-bit). Underneath that
you will find Symantec Endpoint Protection Manager installations on Windows platforms (32-bit).
The fact that it says 32-bit even when you have Windows 7 clients that are 64-bit is OK; the file
for 32-bit and 64-bit Managers and clients is the same.

7. Click on the name of the file with the jdb suffix. You want to Save it to the computer. When you
click on Save, you will be shown a Save As dialog box. Click on Save to initiate the download and to
store the file on the PC.

8. The file that you just downloaded will be called (name).zip. You have to manually rename the file to
use the suffix .jdb, because that is the correct suffix that will be recognized by the SEPM.
9. At the PC, plug in the thumb drive, copy the .jdb file to the drive, and then remove the drive.

10. At the station that is the SEP Manager, you must log in as either Administrator or Engineer. You
cannot log in as Operator, because you will not be able to access the Start Menu in order to run
Windows Explorer.

11. Plug the thumb drive into the SEP Manager.

12. Where you copy the .jdb file depends on whether the Manager is running Windows XP or Windows
7.

If the Manager is Windows XP, copy the jdb file to
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming.

If the Manager is Windows 7, copy the jdb file to
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming.

13. Remove the thumb drive from the maxSTATION. Use Appendix E's form to document the date and
the person who performed the update. Close out Windows Explorer.

The Symantec software on the Manager will automatically discover the .jdb file that you just copied there,
and process it. After the file has been processed, it will automatically be sent to all of the client
maxSTATIONs that are managed by this Manager. This entire process can take several minutes.
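
The copy in step 12 can be combined with an integrity check, so that a file altered or damaged on the thumb drive never reaches the Manager's incoming folder. The script below is an added example, not part of the Metso procedure. It assumes PowerShell 2.0 or later on the Manager (built into Windows 7, a separate install on Windows XP) and a SHA-256 digest of the .jdb file that you computed on the download PC and carried to the Manager separately from the thumb drive; the parameter and function names are hypothetical.

```powershell
# Added example, not part of the Metso procedure. Run on the Manager at step 12.
# Assumes PowerShell 2.0 or later and a SHA-256 value recorded on the download PC.
param(
    [Parameter(Mandatory=$true)][string]$JdbPath,        # file on the thumb drive
    [Parameter(Mandatory=$true)][string]$ExpectedSha256  # digest recorded at download time
)
$ErrorActionPreference = 'Stop'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

# Step 8: SEPM only recognizes the .jdb suffix.
if ([System.IO.Path]::GetExtension($JdbPath) -ne '.jdb') {
    throw "Expected a .jdb file, got: $JdbPath"
}

# Step 12: the incoming folder differs between Windows 7 and Windows XP Managers.
$incoming = @(
    'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming',
    'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming'
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $incoming) { throw 'SEPM incoming folder not found on this station.' }

# Copy off the thumb drive first and hash the local copy, so the bytes that
# were checked are exactly the bytes handed to SEPM.
$staged = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($JdbPath))
Copy-Item -LiteralPath $JdbPath -Destination $staged -Force
$actual = Get-Sha256Hex $staged
if ($actual -ne $ExpectedSha256.Trim().ToLower()) {
    Remove-Item -LiteralPath $staged -Force
    throw "SHA-256 mismatch: expected $ExpectedSha256, got $actual. File not staged."
}

# Hand the verified copy to SEPM and print a line for the Appendix E record.
Move-Item -LiteralPath $staged -Destination $incoming
"{0:yyyy-MM-dd HH:mm}  {1}  {2}  sha256={3}" -f (Get-Date), $env:USERNAME, (Split-Path $JdbPath -Leaf), $actual
```

On a mismatch nothing is placed in the incoming folder; download the file again rather than retrying the same copy.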



Appendix A Allowing Network Access Sharing
The following steps need to be performed ONLY if you have not installed maxSTATION software in a
Windows XP-based maxSTATION, yet.

In order for SEP to be installed at the client stations, you must make a security change to each client
station. Since this change is already performed during installation of maxSTATION software, this change
need be done only if you are installing SEP before you are installing maxSTATION software.

At each client station:

1. Log on as Administrator.

2. Go to Start | Control Panel | Administrative Tools.

3. Double-click on Local Security Policy.

4. Under the Local Policies section of the tree, select Security Options.

5. Scroll down to Network Access: Sharing and Security Model for local accounts.

6. Right-click on that entry, then select Properties.

7. By default, the entry will be "Guest only - local users authenticate as Guest". Change the setting
to "Classic - local users authenticate as themselves".



Appendix B Re-enabling Windows Features
The following steps need to be performed ONLY if the Windows XP-based maxSTATIONs have had the
Windows Hardening steps #4 (disabling services) and #10 (disabling default shares) performed on them
due to a previous Initial Protection procedure. SEP requires that, for installation, the Remote Registry
Service and the (hidden) default shares must be enabled at the Manager station as well as any Client
stations.

These features can be enabled via the following procedure.

Only if the maxSTATION is running Windows XP, do the following:

1. As user Administrator, navigate to Control Panel | Administrative Tools | Services. Find the
service called Remote Registry. It should have been disabled. Change it to Automatic.

2. As user Administrator, navigate to Control Panel | Administrative Tools | Services. Find the
Remote Registry Service. Set it to Automatic, and start it.

3. As user Administrator, navigate to the Cyber Security Gold Program CD's MSWindows
Hardening folder. The CD should be stored in a sleeve in the Site Security Log binder.

4. In the folder, double-click on the file called Enable_Default_Shares.reg to install the Registry
fix.

After the above steps are completed, the maxSTATION must be rebooted before the changes will take
effect.

Upon completion of this entire installation procedure, the Remote Registry Service and default shares
should be disabled again. Follow the instructions in the MS Windows Hardening document steps #4 and
#10.
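
Because the Remote Registry Service and the default shares are only meant to be open for the duration of the installation, it is worth confirming on every station that they were closed again. The script below is an added example, not part of the Metso procedure or the hardening document. It assumes PowerShell 2.0 or later is installed on the station and that hardening step #10 disables the default shares through the standard AutoShareWks registry value; this page does not show the contents of Enable_Default_Shares.reg.

```powershell
# Added example, not part of the Metso procedure. Run as Administrator after the
# station has been re-hardened and rebooted. Assumes PowerShell 2.0 or later.
$findings = @()

# Hardening step #4: the Remote Registry service should be disabled and stopped.
$svc = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
if (-not $svc) {
    $findings += 'Remote Registry service not found; check Services manually.'
} else {
    if ($svc.StartMode -ne 'Disabled') {
        $findings += "Remote Registry start mode is $($svc.StartMode), expected Disabled."
    }
    if ($svc.State -ne 'Stopped') {
        $findings += "Remote Registry is $($svc.State), expected Stopped."
    }
}

# Hardening step #10: default shares.
# Assumption: they are disabled with AutoShareWks = 0 (a missing value means enabled).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoShareWks
if ($auto -ne 0) {
    $findings += 'AutoShareWks is not set to 0; default shares return at the next reboot.'
}

# Shares that are live right now (ADMIN$, C$, D$, ...), whatever the registry says.
$live = Get-WmiObject Win32_Share | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' }
foreach ($share in $live) {
    $findings += "Default share $($share.Name) is still present."
}

if ($findings.Count -eq 0) {
    "OK: $env:COMPUTERNAME has Remote Registry and default shares disabled."
    exit 0
}
$findings | ForEach-Object { "FINDING on ${env:COMPUTERNAME}: $_" }
exit 1
```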



Appendix C Removal of Previously-installed Symantec Security Software
The following steps need to be performed ONLY if the maxSTATIONs have any other Symantec security
product currently installed in them. This step is necessary in order to install SEP correctly. You must do
this to the Manager as well as all of the Clients, regardless of the Operating System.

Obtain the CleanWipe ZIP file, CleanWipe-v12.1.1000.157.zip. It can be found on the Metso-supplied
Symantec Endpoint Protection DVD.

1. Be sure that auto-login is disabled on the computer; you must log in as Administrator each time
that CleanWipe wants to reboot, and you can't log in as another user first.

2. Log in as Administrator.

3. Run StartupConfig to disable all maxSTATION services from running while the removal of the
Symantec software is underway. You should also, before running this package, stop all of the
maxSTATION services (run c:\mcs\sbp\ServicesStop.exe).

4. Copy the CleanWipe ZIP file to c:\.

5. Open the file, and copy its contents to c:\. When this is done, there will be a file called
CleanWipeStub.exe and a folder called app in the root directory of C:\.

6. Double-click on CleanWipeStub.exe. This will start up the CleanWipe facility.

7. Every time you are asked a question, click on Yes or OK, the defaults.

8. CleanWipe will tell you that it needs to reboot the maxSTATION twice. Each time that this
happens, you should allow the reboot, and then log in as Administrator.

9. After the second reboot, CleanWipe will tell you that it has completed. The computer is now
ready for installing SEP.



Appendix D Documenting Important Information

Write down the date of installation and password assignment _____________________________.

Write down the name of the customer plant _______________________________.

Write down the Unit Number, if there is a Manager per Unit ______________________________.

Write down the name of the SEP Manager PC _______________________________.

Write down the log-in password for the Manager _______________________________.

Don't forget the password rules:

a) Password should be at least 8 characters long.

b) Password should contain alpha, numeric, and special characters (such as ! # $ % & / \ < > ).

c) Password should not spell any English word.

Passwords formed from Passphrases are easier to remember. You might substitute an occasional
vowel with a special character.

Example: MS287PMS&M is easier to remember as "My Server number 287 Protects My System
and Me".



Appendix E SEP AntiVirus Definition Updates Performed

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________


Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________

Date ______________ Name _______________________________
