Additionally, you can run LiveUpdate manually to check for the latest definitions directly from Symantec:

Image not found https://it.ucsf.edu/sites/it.ucsf.edu/themes/custom/it_new/logo.png it.ucsf.edu Published on it.ucsf.edu (https://it.ucsf.edu) Home > SEP for Windows: FAQ SEP for Windows: FAQ vgalvan on March 23, 2016 Updating Security Definitions (AV and IPS) Campus Clients UCSF SEP for Windows clients connected to the campus network will automatically receive updates to security definitions on a regular basis from the central IT SEP Management servers. Additionally, you can run LiveUpdate manually to check for the latest definitions directly from Symantec: 1. Launch the SEP client. Windows 7: double-click on the SEP icon in your taskbar at the lower-right corner of your screen Windows 8 / 8.1 : launch the SEP icon from the Windows 8 user interface formerly known as "Metro" 2. Click on the 'LiveUpdate' button in the Symantec Endpoint Protection window 3. A 'LiveUpdate' window will appear and immediately check online for any updates 4. Once the latest updates have been downloaded and installed, click the OK button to close the window Off Campus Clients Off-campus SEP for Windows clients are also scheduled to automatically receive updates via LiveUpdate on a regular pre-set schedule directly from Symantec. You can also run LiveUpdate manually, as well as, modify the LiveUpdate Schedule. To run Live Update Manually: 1. Launch the SEP client. Windows 7: double-click on the SEP icon in your taskbar at the lower-right corner of your screen Windows 8 / 8.1 : launch the SEP icon from the Windows 8 user interface formerly known as "Metro" 2. Click on the 'LiveUpdate' button in the Symantec Endpoint Protection window

3. A 'LiveUpdate' window will appear and immediately check online for any updates 4. Once the latest updates have been downloaded and installed, click the OK button to close the window To modify the LiveUpdate schedule to better suit your computing needs: 1. Open the SEP client. Windows 7: double-click on the SEP icon in your taskbar at the lower-right corner of your screen Windows 8 / 8.1 : launch the SEP icon from the Windows 8 user interface formerly known as "Metro" 2. On the left hand column, click on the 'Change Settings' button 3. To the right where it says 'Client Management', click on the 'Configure Settings' button

4. At the top of the 'Client Management Settings' window, click on the 'LiveUpdate' tab

5. Modify the 'Frequency' section to your preference Warning: Setting the 'Frequency' to "Continuously" may cause system performance issues. We high recommend against choosing this option A few things to consider: On average, Symantec releases mini-updates four times a day. Choosing an update schedule anywhere from every 8 hours to once a day is generally acceptable. The longer the frequency time, the larger the update which requires a longer time to download and more system resources during the update. Manually updating clients off-line (not connected to the Internet) If you are infected with a new virus that is not being detected properly and have taken your computer off-line (not connected to the Internet) to prevent propagating the virus on your network, you can still update your virus definitions manually. Note: You will need another computer that is connected to the Internet and a removable media device such as a thumbdrive or cd-r. To manually update your definitions off-line: 1. Go to a different machine that is free of viruses and connected to the Internet 2. Using the clean machine, go to Symantec's Download Virus Definitions [1] page 3. Under 'Download Definitions by Product', click on 'Select Product' and choose

4. 5. 6. 7. 8. 9. "'Symantec Endpoint Protection'" Under the 'File-Based Protection' section, click on "Virus Definitions" next to 'Download' Download the appropriate file for your platform onto your removable media For 32-bit Windows Clients, choose the file under the section 'Symantec Endpoint Protection Client Installation on Windows platforms (32-bit)' For 64-bit Windows Clients, choose the file under the section 'Symantec Endpoint Protection Client Installation on Windows platforms (64-bit)' Take your removable media and load it onto the computer you wish to update On the computer you wish to update, double-click on the file you downloaded You will be prompted to update your virus definitions. Click the 'Yes' button. You will be notified after the update is complete. Click the 'Ok' button to complete the process. Upgrading to the latest version What is the latest version for SEP for Windows? The latest version that has been verified for the UCSF environment can always be found at: http://software.ucsf.edu/content/endpoint-protection [2] How do I upgrade to the latest version? Just download and install the latest version by following the SEP for Windows: Install Guide [3] How do I find out what version of SEP is installed?

Launch Symantec Endpoint Protection ( Start > All Programs > Symantec Endpoint Protection > Symantec Endpoint Protection ) Click on the 'Help' button (in the upper right corner of the window) Click on 'About...' Running, Pausing, and Delaying Scans The UCSF SEP clients have settings and policies enabled to actively protect your system that require no interaction unless a threat is found. SEP clients are scheduled weekly to run a full system scan in the background and also requires no interaction. Although we try to schedule scans to have as little impact on system resources, it is still sometimes necessary to pause or delay a scan if it impedes with work productivity. If you suspect your computer may have been infected with a virus or other malware, or have had to connect to a questionable network that is prone to attacks, you may want to run a manual scan or schedule scans to occur on a more regular basis. This section covers the following topics to address these issues: Scanning a specific file/folder on-demand

Running a Manual Scan Running and Scheduling a Custom Scan Pausing or Delaying a Scan in Progress Running Scans in Safe Mode Scanning a Specific File or Folder On-Demand 1. Right-click on the file or folder you want to scan 2. In the context menu that appears, click on 'Scan for viruses...' 3. A progress window will appear to report files containing risks, type of risks, and the action it took or recommends taking 4. After the scan has completed and all actions taken, click on the 'Close' button to close the window Running a Manual Scan 1. Under Window 7, open the 'Symantec Endpoint Protection' window by double-clicking on the SEP icon in your taskbar at the bottom-right corner of your screen on Windows 8 / 8.1 double click the SEP icon found on the Windows 8 user interface formerly known as "Metro" 2. On the left side of the window, click on 'Scan for threats' 3. Click on the type of scan you want to run: 'Run Active Scan': will run a scan on commonly infected areas such as the Windows System folders and Temporary Internet Files folders. 'Run Full Scan': will run a scan on your entire computer, except for Network Drives the scan will run and give you a report of anything it finds 4. After clicking on the scan you want to run, a progress window will appear to report files containing risks, type of risks, and the action it took or recommends taking 5. After the scan has completed and all actions taken, click on the 'Close' button to close the window Running a Custom Scan 1. Open the 'Symantec Endpoint Protection' window by double-clicking on the SEP icon in your taskbar at the bottom-right corner of your screen 2. On the left side of the window, click on 'Scan for threats' 3. Click on the 'Create a New Scan' link in the middle of the window 4. Set your options for the scan, then click on the button 'Next' 5. Choose 'On demand', then click on the button 'Next' 6. Type in a name for the scan and a description for the type of scan you are creating 7. Click on the button 'Finish', the main SEP window should now list your scan under the 'Scan Name' 8. Right-click on the scan your just created, and click 'Scan Now'the scan will run and give you a report of anything it finds 9. After the scan has completed and all actions taken, click on the 'Close' button to close the window

Scheduling a Custom Scan 1. Open the 'Symantec Endpoint Protection' window by double-clicking on the SEP icon in your taskbar at the bottom-right corner of your screen 2. On the left side of the window, click on 'Scan for threats' 3. Click on the 'Create a New Scan' link in the middle of the window 4. Choose the 'Custom Scan' radio button then click on the button 'Next'

5. Set your options for the scan, then click on the button 'Next' 6. Choose 'At specified times', then click on the button 'Next'

7. Verify there is a check next to the 'Enable' checkbox 8. Choose your 'Scan Schedule', then click on the button 'Next'

9. Type in a name for the scan and a description for the type of scan you are creating

10. Click on the button 'Finish', the main SEP window should now list your scan under the 'Scan Name' Pausing and Delaying Scans Although we try to schedule scans to have as little impact on system resources, it is still sometimes necessary to pause or delay a scan if it impedes with work productivity. By default, the general UCSF SEP settings allow this functionality. If you do not see this feature on your client, please check with your department's IT support staff. To pause a scan you initiated, just click on the 'Pause Scan' button found in the scan dialogue box. When you are ready to resume the scan, just click the 'Resume Scan' button and the scan will continue where it left off. To pause a scheduled scan: 1. For Windows 7 double-click the SEP client icon, yellow shield, in the system tray (bottom right corner where the clock is). On Windws 8 / 8.1 open the SEP application from the Windows 8 user interface formerly known as "Metro" 2. In the upper right corner just to the left of the help button, there should be a link to indicate either a scan is in progress or schedule to begin soon. Click this link and follow the on-screen instructions to either pause or delay the scan.

1. If the link is absent or missing, no scan is in progress or scheduled for the next hour. Running Scans in Windows SafeMode Sometimes it is necessary to run a scan while in Windows SafeMode to prevent malware from loading that may interfere with antivirus programs. This procedure requires the use of special utility by Symantec called "SymHelp with Symantec Power Eraser". Booting into 'SafeMode

with Networking' may also be required to carry out this scan. Note: The SymHelp utility should be downloaded whenever possible while in Windows normal mode. The easiest way to accomplish this task is through the SEP client interface. If the SEP client cannot be launched, or if your computer can only boot into SafeMode, the SymHelp utility can also be downloaded at: http://www.symantec.com/business/support/index?page=content&id=tech170752 [4]. First, download and install SymHelp Utility 1. Open the SEP interface (double-click on the SEP icon in the systray) 2. On the rupper right of the window, click the Help menu and choose "Download Support Tool... 3. follow the prompts to install the SymHelp utility Then, once the application has been downloaded and installed, you can perform a scan by: 1. Run the SymHelp Utility -- Run Threat Analysis Scan 2. Check the box "Basic scan - 5 min." Remove any other check marks.

3. Click the Scan button to begin the scan of the hard drive Note: If a Rootkit is believed to be causing the problem, check the box "Include a rootkit..." to enable this feature. A reboot is required, and you will be prompted to reboot, hit the "yes" button. 4. When the scan completes, note what files were identified (some legitimate files may be identified) and select any suspicious programs you wish to remove and click Fix (this will cause the system to reboot). You may wish to select to save a copy of the log records to the desktop.

Additional instructions on how to use the SymHelp utility can be found in Symantec's Knowledge Base Article TECH203683 [5] and TECH215519 [6] Creating Scan Exceptions By default, the UCSF SEP client policies are set to give applications priority to system resources over the SEP processes. Creating exceptions (or exclusions) for processes, files, or directories can negatively hinder the security posture of your computer and is not recommended for most cases. However, there are certain applications that will recommend creating exception (or exclusion) policies to assist with system performance issues caused by the application's interaction with anti-virus/anti-malware scanners. Typically these applications deal with large data files, or lots of rapidly changing data files, with no executable code in those files. These recommendations can typically found in the "Best Practices Guide" of such applications. Before proceeding with creating a scan exception/exclusion, please consult with your IT support staff. User-Defined Exceptions There are a number of Exceptions that users are allowed to configure in the UCSF SEP client. The two types we will concentrate on are 1) File/Folder exclusions and 2) Process exclusions. Excluding Files/Folders To prevent special files or folders from being scanned, you will need to create a "Security Risk Exception" and a "SONAR Exception" 1. Double-click on SEP client Icon found in systray (bottom-right of the screen) 2. On the left side of the SEP window, click "Change Settings" 3. On the right side of the SEP window next to 'Exceptions', click on the button labeled "Configure Settings" 4. In the 'Exceptions' window, click on the button "Add..." found in the 'User-defined Exceptions' tab 5. Then select 'Security Risk Exception' and choose "Folder" (or "File") 6. Find the Folder (or File) you wish to exclude and select it by clicking on it (the folder should become highlighted and the "Folder" field will change to match your selection). 7. Under 'Exception Type:', select "Auto-Protect" For best security practice, you will still want to scan these files for malicious code during the normal weekly scheduled scans. Selecting "Auto-Protect" will prevent scanning/monitoring of this folder/file while it is being used by its application. 8. Click the button, "OK" 9. In the 'Exceptions' window, click on the button "Add..." found in the 'User-defined Exceptions' tab 10. Then select 'SONAR Exception' and choose "Folder" 11. Find the Folder you wish to exclude and select it by clicking on it (the folder should become highlighted and the "Folder" field will change to match your selection).

SONAR is the heuristic monitoring engine for SEP that prevents zero-day attacks by monitoring behaviour of processes as they interact with files/folders on the system. Creating a 'SONAR Exception' will exclude a specific folder from being examined during this process. 12. In the 'Exceptions' window, click the "Close" button Excluding Applications/Processes To prevent an application (or process) from being scanned by the SEP's auto-protect and SONAR features, you will need to create an "Application Exception". Note: Creating an Application Exception puts your computer at great risk and is not recommended for most applications! 1. Double-click on SEP client Icon found in systray (bottom-right of the screen) 2. On the left side of the SEP window, click "Change Settings" 3. On the right side of the SEP window next to 'Exceptions', click on the button labeled "Configure Settings" 4. In the 'Exceptions' window, click on the button "Add..." found in the 'User-defined Exceptions' tab 5. Then click on "Application Exception" 6. Find the Application (exe) you wish to exclude and select it by clicking on it (the application/file should become highlighted and the "File" field will change to match your selection) 7. Make sure the 'Action:' field is set to "Ignore" 8. Click the button "OK" 9. In the 'Exceptions' window, click the "Close" button System Tray Icons

Checking what version of SEP is installed There have been several versions of SEP introduced at UCSF. It is always recommended to run the latest release to ensure the most up-to-date protection for your system. The installers found at the software@ucsf site [7], can always be downloaded and installed on top of your current version to ensure that you have the latest of SEP. Alternatively, you can check the version currently installed on your system by following these steps: 1. Launch the SEP for Windows client. Windows 7: double-click on the SEP icon in your taskbar at the lower-right corner of your screen Windows 8 / 8.1 : launch the SEP icon from the Windows 8 user interface formerly known as "Metro" 2. Click on the "Help" button found in the upper right corner of the SEP window. 3. Select the "About" menu item to display the current version of the client. Uninstalling Though uninstalling SEP is not recommended, you can uninstall the UCSF SEP client at anytime. Please note that the UCSF SEP client does not require subscription renewal and should be installed on your system to be compliant with UCSF policies, as well as provide your system adequate protection against malware and other network-related risks. To uninstall SEP for Windows, please follow the appropriate set of instructions depending on your Operating System. Windows XP, 2000, 2003 1. Open 'Control Panel' 2. Select 'Add/Remove Programs' 3. Select 'Symantec Endpoint Protection', click 'Add/Remove', and follow the instructions on the screen Manual uninstall procedures for SEP 11.x can be found on Symantec's Knowledge Base Article TECH102261 [8] Manual uninstall procedures for SEP 12.x can be found on Symantec's Knowledge Base Article TECH163585 [9]

Windows Vista, 7, 2008, 2008R2 1. Open 'Control Panel' 2. Select 'Programs and Features' 3. Select 'Symantec Endpoint Protection', click 'Uninstall', and follow the instructions on the screen Manual uninstall procedures for 32-bit clients of SEP 11.x can be found on Symantec's Knowledge Base Article TECH102286 [10] Manual uninstall procedures for 64-bit clients of SEP 11.x can be found on Symantec's Knowledge Base Article TECH91038 [11] Manual uninstall procedures for SEP 12.x can be found on Symantec's Knowledge Base Article TECH161956 [12] Common Warning Messages and Client Behaviour I keep getting a warning message saying that svchost.exe has been blocked. Isn't svchost.exe a valid Windows process? Svchost.exe is used to run a number of services on newer versions of Windows, most of them are legitimate but some are not. SEP has detected malicious behavior with a particular service and has blocked it for your protection. Typically, this alert is related to remote desktop. The default UCSF SEP client firewall policies prohibits non-ucsf Internet connections from remotely controlling (via RDP, VNC, Timbuktu, etc) computers connected to the University network. If you look at the traffic logs in the SEP client (SEP -> View Logs -> Network Threat Protection -> View Logs -> Traffic Logs) you will see which firewall rule caused the block. Remote Desktop stopped working after I installed SEP, how do I connect from offcampus to my computer at UCSF with SEP installed? Remote access applications (such as MS Remote Desktop, VNC, and Timbuktu) poses unnecessary security risks to the university network and increases your computer's potential for being hacked. For increased security, the default UCSF SEP firewall policies block all remote access from non-ucsf IP addresses to your UCSF computer. If you have enabled these remote desktop services/applications, you can still connect to you computer from off-campus by securely signing into the vpn@ucsf [13] system before attempting to remotely control your machine. I keep getting messages saying a number of tmp files (DWH*.tmp) are infected and SEP keeps quarantining them. How do I fix this issue?

This was a known bug in the first version of SEP that UCSF deployed. To fix the issue: 1. Download and install the latest version of SEP for Windows, available on the software@ucsf site [2]. 2. reboot your computer 3. delete all DWH*.tmp files in your quarantine folder 4. delete all DWH*.tmp in the temp folder (Start -> Run -> "%temp%") Every time I open up a PDF file or open Acrobat, I get an error saying "Adobe Reader cannot open in Protected Mode due to a problem with your system configuration..." Adobe's site says this may be an issue with older versions of SEP. When will UCSF get the newer version that is compatible with Acrobat's Protected Mode feature? The latest version of UCSF's SEP client should now be compatible with Acrobat's Protected Mode feature. Please visit the software@ucsf [2] site to download the updater for Windows to SEP. I keep getting a lot of pop-up messages saying e-mail messages can't be sent, even when I'm not trying to send out messages. How do I fix this? The SEP client is most likely doing its job and preventing an undetected threat from turning your computer into a spam relay station. You should run a full scan to make sure your computer is not infected. More information can be found at: http://www.symantec.com/business/support/index?page=content&id=tech122425 [14] Why has the default home page of my web browser been changed to " http://www.symantec.com/security_response/[15]"? The SEP for Windows client has the ability to combat web browser hijackers [16]. When the homepage of a SEP client's browser has been redirected to an undesired site by a malicious infection, SEP will change the homepage as part of its remediation. As there is no way of determining what the computers original homepage was, a default of http://www.symantec.com/security_response/ [15] You should run a full scan to make sure your computer is not infected other malware. Please contact your Computer Support Coordinator or the IT Help Desk for further assistance. My computer is behaving weirdly, how do i determine if SEP is affecting my computer adversely? Please review the SEP for Windows Troubleshooting documentation [17]. Other Frequently Asked Questions Who can use SEP and how much does it cost?

SEP is provided free to the UCSF community and can be used on computers of Faculty, Staff, Student or Affiliate working on UCSF business; both University-owned and home (personal) systems. Can our department use the UCSF license to manage our own clients, including policies, settings, and reporting? The UCSF SEP service is managed centrally by ITS and licenses are only distributed through this service offering. ITS does offer SEP group administration through its SEP server cluster to allow groups/departments to manage their own set of clients allowing your department/group to: Centrally manage your clients Set policies specific to your group Create automated reports Without the neeed to run individual servers To request SEP group administration, please submit a ticket to the help desk with the contact information of the IT Manager and the MSO or Director of your group/department. Do I have to manually update the SEP client? As mentioned earlier, UCSF SEP for Windows clients will automatically receive security definition (anti-virus and IPS) updates from the central servers. Manual update instructions can be found in the previous section. Updates to the client itself, may also be sent from the central UCSF SEP servers if you are connected to the campus network (ethernet, ucsfwpa, or vpn@ucsf [18]). The move up-todate client versions are also available on the software@ucsf download site [2] and can always be used to update your client to the latest version. What if my computer is unable to reach the UCSF SEP server; will it still get updates? Yes, if your computer has access to the Internet but is unable to reach the central UCSF SEP server, it will receive definition updates directly from the Symantec Corporate LiveUpdate server. What ports do we need to allow in our hardware firewalls so SEP clients can get updates automatically and correctly communicate with the management servers? The UCSF SEP client uses standard http and https ports to communicate with the central SEP servers. If you restrict Port 80 or Port 443 on your network, please contact the ITS Customer Service Desk to receive a list of SEP servers to put in your firewall rules. I'm already running an anti-virus and host-based firewall program. Can I install SEP for additional protection?

Running multiple anti-virus and firewall programs will degrade your system's performance and may cause a number of issues. We highly recommend removing other anti-virus, antimalware, and host-based firewall programs before installing SEP. More information can be found in the Symantec KB Article TECH104806 [19] Do I have to disable the Windows firewall before installing SEP? No. SEP works with Microsoft Windows security components and will take care of the Windows firewall settings during its install. How do I find the quarantine and delete infected files if necessary? Launch the application by double clicking the shield icon located near the Windows clock. Alternatively it can also be launched from the icon on the Windows metro tile or found by navigating through "all programs". On the main window click on the option to "View Quarantine" from the left side of the main Symantec window. The ability to delete or restore the file if the file is known to not be malware infected can be performed from this screen. Does SEP support Windows Internet Connection Sharing (ICS)? No. More informaton can be found at http://www.symantec.com/business/support/index?page=content&id=tech199311 [20] Required Service Information Symantec Endpoint Protection (SEP) [21] Images

GET IT HELP. Contact the Service Desk online, or phone 415.514.4100 Site Login Site Index Suggest an IT Improvement UC Regents Source URL: https://it.ucsf.edu/services/symantec-endpoint-protection-sep/tutorial/sep-windows-faq Links: [1] https://www.symantec.com/security_response/definitions.jsp [2] http://software.ucsf.edu/content/endpoint-protection [3] http://it.ucsf.edu/services/symantec-endpoint-protection-sep/tutorial/sep-windows-install-guide [4] https://support.symantec.com/business/support/index?page=content&id=tech170752 [5] https://support.symantec.com/business/support/index?page=content&id=tech203683 [6] https://support.symantec.com/business/support/index?page=content&id=tech215519 [7] https://software.ucsf.edu/content/endpoint-protection [8] https://support.symantec.com/business/support/index?page=content&id=tech102261

[9] https://support.symantec.com/business/support/index?page=content&id=tech163585 [10] https://support.symantec.com/business/support/index?page=content&id=tech102286 [11] https://support.symantec.com/business/support/index?page=content&id=tech91038 [12] https://support.symantec.com/business/support/index?page=content&id=tech161956 [13] https://vpn.ucsf.edu [14] https://support.symantec.com/business/support/index?page=content&id=tech122425 [15] http://www.symantec.com/security_response/ [16] https://en.wikipedia.org/wiki/browser_hijacking [17] https://it.ucsf.edu/services/symantec-endpoint-protection-sep/tutorial/sep-windows-troubleshooting [18] mailto:vpn@ucsf [19] https://support.symantec.com/business/support/index?page=content&id=tech104806 [20] https://support.symantec.com/business/support/index?page=content&id=tech199311 [21] https://it.ucsf.edu/services/symantec-endpoint-protection-sep