Lumension Endpoint Management and Security Suite. L.E.M.S.S. AntiVirus v8.2. Migration Guide & Frequently Asked Questions




[FOR INTERNAL USE ONLY - DO NOT DISTRIBUTE] Copyright 2015, Lumension

Introduction

L.E.M.S.S. AntiVirus v8.2 introduces a new AV engine to deliver improved malware detection, reduced bandwidth utilization, and improved endpoint performance. L.E.M.S.S. AntiVirus v8.1 (and earlier) endpoints automatically migrate to the new engine when they are upgraded to L.E.M.S.S. v8.2. The upgrade process has been designed to be seamless, and the user experience is similar to upgrading any previous L.E.M.S.S. release. This Migration Guide & FAQ provides guidance to help ensure that the migration goes as smoothly as possible.

Table of Contents

Introduction
Migration Guide
  Server Upgrade
    AntiVirus Definition Distribution Delay
    Check that Excludes have been applied
  Endpoint Upgrade
    Initial rollout
    Extending to additional endpoints
Frequently Asked Questions
  When will the new L.E.M.S.S. AV solution be available?
  How much time will I have to migrate to the new L.E.M.S.S. AV solution?
  How long will Lumension continue to support the legacy L.E.M.S.S. v7.2 to v8.1 AV solution?
  What happens if I don't upgrade?
  How do I transition to the new L.E.M.S.S. AV solution?
  Do I need to switch all of my endpoints at once to the new L.E.M.S.S. AV solution?
  Will I need to reboot my endpoints as part of the migration?
  Will the new AV solution be backward compatible to work on my current L.E.M.S.S. version?
  How will the new L.E.M.S.S. AV v8.2 solution differ from the current L.E.M.S.S. AV solution?
  How will AntiVirus Management change? Will any features change?
  How will the AntiVirus policies change?
  How will end-user UI change?
  Will there be any impact on licensing or renewals?
  Will Professional Services be available to support the migration to the new AV solution?
  Why did Lumension switch to a new engine?
  Are there any new AV features?
  What changes have been made to AV definition size and frequency?
  How large is the initial endpoint download?
  What will be the process to address False Positives if these occur with the new L.E.M.S.S. AV solution and what will the turnaround time be?
  What will be the process to address suspicious files that may be malware and what will the turnaround time be?
  What operating systems will be supported? Will my XP and Windows 2003 endpoints still be supported?
Appendix A
  AntiVirus Definition Distribution Delay feature change details
    Legacy Implementation
    New Implementation

Migration Guide

Server Upgrade

L.E.M.S.S. AntiVirus v8.2 requires the Microsoft Visual C++ 2012 Update 4 Redistributable Package. Though the Lumension Installation Manager installs .NET requirements during an upgrade to Lumension AntiVirus v8.2, this specific package must be installed manually before you start the upgrade. It is available for download at: http://www.microsoft.com/enus/download/details.aspx?id=30679.

To obtain L.E.M.S.S. v8.2 from within the L.E.M.S.S. console, replicate with the Global Subscription Service (GSS). Then download the v8.2 components using the Installation Manager.

ANTIVIRUS DEFINITION DISTRIBUTION DELAY

If you currently use the AntiVirus Definition Distribution Delay feature in L.E.M.S.S. v8.1 (or earlier), you will need to set the delay for v8.2 endpoints in your agent policy sets after the L.E.M.S.S. server upgrade to v8.2 and before you upgrade your endpoints to v8.2. The feature delays the endpoint's request for a new AV definitions file from the L.E.M.S.S. Server. It can be used, for example, to test definitions before rolling them out to organizational endpoints and servers.

After upgrading the server to v8.2, edit your agent policy sets to set the delay for v8.2 endpoints. Scroll down to the AntiVirus Engine & Definition Distribution Settings. You will see that the delay setting for v7.2 to v8.1 endpoints is already populated. If you want to use this same value for v8.2 endpoints, update the agent policy set with this value and save the change. Repeat this for all other agent policy sets.

IMPORTANT: For L.E.M.S.S. v8.2 AntiVirus agents, the maximum delay that can be applied is 23 hours (compared with 72 hours for v7.2 to v8.1 endpoints). Also, the delay must be less than the AntiVirus polling frequency. To review the polling frequency, select Tools > Subscription Updates, click Configure and select the AntiVirus tab. Scroll down to review the polling frequency. For example, if the polling frequency is 6 hours, the maximum delay that can be applied for v8.2 endpoints is 5 hours.

CHECK THAT EXCLUDES HAVE BEEN APPLIED

Before proceeding to upgrade your endpoints, check that all of your existing real-time monitoring policies have the correct file and/or directory excludes applied, to minimize the performance impact on your endpoints. There are no changes to the list of recommended excludes for the new engine, so you should already have these in your existing policies, but now is a good time to review and confirm this. The list of recommended excludes is available at https://www.lumension.com/kb/775.aspx. This KB article contains the list of recommended excludes along with XML files for core system exclusions and common application exclusions. If your real-time monitoring policies do not already have these in place, you can download and import these XML files via the policy wizard. However, if they are already implemented, do not import them again, as this will result in unnecessary duplication in the policy.

Endpoint Upgrade

Once the server has been upgraded and the agent policy sets have been updated to set the AntiVirus Definition Distribution Delay for v8.2 endpoints (if this feature is used), you can proceed to upgrade your endpoints. The introduction of a new Lumension AntiVirus engine requires the installation of a new set of AV definitions (approximately 130MB to 200MB in size) on each endpoint. In addition, the new engine has different malware detection characteristics from the previous engine, which may result in some additional detections post upgrade.

INITIAL ROLLOUT

Start with a small number of endpoints and upgrade them to v8.2. Once the upgrade has completed, conduct a Scan Now of these endpoints. For this initial scan, select the option to Perform no action when a virus is detected. With this option, if the engine detects possible malware during the scan, it generates an alert but takes no further action such as quarantining files. This enables you to review any alerts and determine whether they are likely to be malicious or possibly false positives.

If you believe the endpoint is falsely detecting legitimate files as malware, submit these to Lumension Support for analysis. Pack the file(s) into a single .zip or .rar archive, protect the archive with the password "infected" and send it to support@lumension.com. While waiting for this to be addressed, you can exclude the file from being scanned by adding an exclusion in your AntiVirus policies, or you can hold off on rolling out to additional endpoints until the AV definitions have been updated to address the false positive.

If the initial scan has identified malware, you can repeat the scan with the action changed to Attempt to clean then quarantine. Alternatively, you can wait until the regular recurring scan cleans it up. The malware will also be detected, and the files quarantined, by the real-time monitoring policy if a user attempts to access these files.

EXTENDING TO ADDITIONAL ENDPOINTS

Once you are satisfied that the initial endpoint upgrades have completed successfully and the scan has not resulted in any False Positive detections, you can extend the migration to additional endpoints.

For the upgrade to v8.2, the endpoint pulls down the full antimalware database for the new AV engine from the L.E.M.S.S. server. The total size of this download is approximately 130MB to 200MB, and each endpoint needs to download the database during the upgrade process. To minimize the impact on your network bandwidth and to minimize the protection gap on the endpoints during the upgrade process, you should implement a phased upgrade of the endpoints in your network. For remote locations, upgrade a couple of endpoints at each location initially to seed the proxies at those locations. Subsequent upgrades at those locations will then retrieve the files locally from the proxy rather than each endpoint trying to pull the files across the network from the L.E.M.S.S. server, reducing the impact on your network bandwidth and the time to upgrade.

With each phase in the rollout, conduct a Scan Now using the Perform no action setting in the scan options and review the results to identify any potential False Positives. If users complain of performance impacts during this scan, reduce the CPU utilization setting to Medium or Low for subsequent phases during your migration.

By following these steps you should be able to successfully upgrade all of your v7.2 to v8.1 LAV endpoints to L.E.M.S.S. v8.2 AV. Refer to the FAQ below for additional information during the upgrade process. If you have any additional questions, please contact support@lumension.com.

Frequently Asked Questions

When will the new L.E.M.S.S. AV solution be available?
The new L.E.M.S.S. AV solution will be available with L.E.M.S.S. v8.2, which is being released on 03/March/2015.

How much time will I have to migrate to the new L.E.M.S.S. AV solution?
Legacy AV definitions for L.E.M.S.S. v7.2 to v8.1 endpoints will end on 31/July/2015. Any endpoints that are still using the legacy engine and AV definitions will stop receiving updated definition files on that date and might be vulnerable to new malware.

How long will Lumension continue to support the legacy L.E.M.S.S. v7.2 to v8.1 AV solution?
Legacy AV definitions will end on 31/July/2015.

What happens if I don't upgrade?
Any endpoints which have not migrated to the new AV solution by 31/July/2015 will no longer receive AV definition updates after that date and might be vulnerable to new malware.

How do I transition to the new L.E.M.S.S. AV solution?
The new AV solution will be available with L.E.M.S.S. v8.2. You will need to upgrade both the server and the agents to L.E.M.S.S. v8.2 to obtain the new solution.

Step one is to upgrade the server to L.E.M.S.S. v8.2. The L.E.M.S.S. v8.2 server can be used to manage both v8.2 and legacy (v7.2 to v8.1) endpoints. It will distribute the legacy AV definitions to the legacy endpoints and the new AV definitions to the v8.2 endpoints. This enables you to complete a phased rollout of the agent upgrade.

Step two is to upgrade the agents to L.E.M.S.S. v8.2. Endpoints are automatically migrated to the new AV solution following the upgrade to the L.E.M.S.S. v8.2 agent. The legacy engine and AV definitions are removed and the new engine and AV definitions installed. Existing LAV policies are applied to the new AV solution and endpoints continue to be protected. The endpoint upgrade experience to L.E.M.S.S. v8.2 will effectively be the same as with previous L.E.M.S.S. agent upgrades. New installations of L.E.M.S.S. v8.2 will simply use the new AV solution.

Do I need to switch all of my endpoints at once to the new L.E.M.S.S. AV solution?
No. The L.E.M.S.S. v8.2 server can be used to manage both new and legacy AV endpoints during the transition period. This enables you to upgrade a number of endpoints to v8.2 and conduct whatever testing is required before extending the rollout to the remaining endpoints ahead of the 31/July/2015 deadline.

Will I need to reboot my endpoints as part of the migration?
No. Endpoints will not need to be rebooted to complete the migration to the new AV solution.

Will the new AV solution be backward compatible to work on my current L.E.M.S.S. version?
No. The new solution is not backward compatible with current L.E.M.S.S. versions. Both server and endpoints must be upgraded to L.E.M.S.S. v8.2 to migrate to the new AV solution.

How will the new L.E.M.S.S. AV v8.2 solution differ from the current L.E.M.S.S. AV solution?
By switching to the new AV engine and definitions, endpoint users should experience better protection and reduced performance impact on the endpoint as compared with the legacy engine. In addition, as the AV definitions for the new engine are smaller and more frequent than the definitions for the legacy engine, the impact on network bandwidth will be significantly reduced.

How will AntiVirus Management change? Will any features change?
From a feature perspective, the goal for the initial release of the new engine is to provide feature parity with the legacy AV implementation so that the transition to the new solution is as seamless as possible. While the underlying AV engine and definitions will change, from a feature implementation perspective your experience on both the server and endpoint will be mostly unchanged.

The main exception to this is the AV definition delay feature, which requires a different implementation with the new engine. Refer to Appendix A for a more detailed overview of the changes; the key change is that a maximum delay of 23 hours can be achieved with the new engine, compared with a maximum delay of 72 hours with the legacy engine.

How will the AntiVirus policies change?
The L.E.M.S.S. Real-time Monitoring and Recurring Virus and Malware Scan policy definitions will not change. You do not need to take any action for these policies; your existing antivirus detection policies will continue to be enforced with no disruption. If you use the AV definition delay feature, you will need to update your agent policy sets to set the delay for v8.2 endpoints. Refer to the migration guide above for more information.

How will end-user UI change?
There will be one slight difference in the end-user experience. The endpoint notification which pops up when new AV definitions have been downloaded will not be used with the new AV solution, due to the increased frequency of definition updates.

Will there be any impact on licensing or renewals?
No, there will be no impact on licensing or renewals. The new AV solution will simply use the existing AV licenses.

Will Professional Services be available to support the migration to the new AV solution?
You should not require Professional Services to migrate to the new AV solution. All that is required is to upgrade your AV endpoints to L.E.M.S.S. v8.2. You can contact Support in the event that you encounter any issues during the upgrade.

Why did Lumension switch to a new engine?
The AV engine has been changed to deliver improved malware detection, reduced bandwidth utilization and improved endpoint performance.

Are there any new AV features?
There will not be any new AV features as part of the initial release of the new engine. If there are feature enhancements that you need for your AV implementation, you should submit these via the Product Feature Request Form on the Lumension Support Page (https://www.lumension.com/customers/product-feature-request.aspx).

What changes have been made to AV definition size and frequency?
The legacy engine definitions consist of a base definition file (nvcbin) and an increment file (nvcincr). The increment file starts out at 0MB but grows larger with each increment. Typically there are two increments per day. Once the increment file grows to about 15MB, it is absorbed into the base definition file, which then grows larger; the increment file is reduced again to 0MB and the cycle starts over. With the ever increasing growth in malware, the base definition file is now approaching 0.5GB and is redistributed once a month, which can have a significant impact on network bandwidth.

The new engine provides smaller definition updates more frequently. The number of updates per day varies, but the average is about 18 updates per day. The following are indicative figures for the expected size of updates per endpoint:

Single update download size: 414 bytes minimum, 854.42Kb maximum, 19.74Kb median
Once-a-day update download size: 149.21Kb minimum, 1.33Mb maximum, 333.63Kb median

While approximately 18 updates are provided per day, you can still use the AV polling frequency on the Tools > Subscription Updates page to limit the number of times that definition updates get distributed each day.

How large is the initial endpoint download?
Installing the new engine requires that the full antimalware database for the new AV engine be downloaded from the L.E.M.S.S. server. The total size of this download is approximately 130MB to 200MB (depending on operating system). Each endpoint needs to download the database during the upgrade or installation process. To minimize the impact on your network, use caching proxies for remote locations and implement a phased rollout across your environment.

Note that endpoints require 1.3GB of available disk space to support the new AV engine. This space is required for the antimalware database and database backup, for extracting files from archives during an AV scan, and for temporary storage during AV definition updates.

What will be the process to address False Positives if these occur with the new L.E.M.S.S. AV solution, and what will the turnaround time be?
The process for submitting suspected false positives to Lumension for analysis will be unchanged. You should contact Lumension Support and submit the suspect file in a password protected archive file with the password = infected. The turnaround time for analyzing and addressing false positives will also be similar. Analyzing files takes an average of 4 to 8 hours, following which AV definitions are updated to eliminate the false positive, once it has been confirmed.

What will be the process to address suspicious files that may be malware, and what will the turnaround time be?
The process for submitting suspicious files to Lumension will be unchanged. You should contact Lumension Support and submit the suspect file in a password protected archive file with password = infected. Analyzing files takes an average of 4 to 8 hours, following which an update will be provided outlining the malware details and associated remediation instructions.

What operating systems will be supported? Will my Windows XP and Server 2003 endpoints still be supported?
Both Windows XP and Server 2003 endpoints will be supported on L.E.M.S.S. v8.2. The operating systems supported for the new AV solution will be the same as for the other modules and will include the following:

Microsoft Windows 8.1
Microsoft Windows 8
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Storage Server 2012
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 2003 SP1+
Microsoft Windows XP SP2+

Appendix A

AntiVirus Definition Distribution Delay feature change details

The AntiVirus Definition Distribution Delay feature will function differently in the L.E.M.S.S. AV v8.2 implementation compared with the legacy v7.2 to v8.1 implementation, and a maximum delay of 23 hours will be possible, compared with a maximum delay of 72 hours (3 days) at present.

LEGACY IMPLEMENTATION

There are two (2) controls which determine when AV definition updates are delivered to endpoints. The first is the polling frequency, which determines how frequently, or when, the L.E.M.S.S. server checks for a definition update; it therefore determines when the latest definitions are downloaded to the L.E.M.S.S. server. The second control is Delay AV definition distribution by, which can be defined via the agent policy sets and assigned to a group of endpoints so that those endpoints will not receive the latest definitions until the delay has elapsed. The delay is in hours and can be between 0 and 72 hours from the time that the definitions are downloaded onto the server.

You could use this feature, for example, to distribute AV definitions to a test group of endpoints immediately (0 hours), to the general population after 4 hours and to critical servers after 24 hours. By using the feature in this way, you significantly reduce the risk of a false-positive incident having a widespread impact in your environment. The legacy engine issues two (2) AV definition updates per day; so, by storing six (6) definition versions on the server, support can be provided for a 72 hour (3 day) delay.

NEW IMPLEMENTATION

The same two (2) controls are still used, although the time options have changed. As there are much more frequent updates with the new engine (as frequently as once per hour), it would be impractical to store multiple sets of AV definitions on the L.E.M.S.S. server. For the new engine, only one set of definitions will be stored on the L.E.M.S.S. server at any time. The maximum polling frequency will continue to be 24 hours (as at present), but the maximum definition distribution delay that can be implemented will be 23 hours instead of 72 hours.

By combining the polling frequency with the AV definition delay you can delay the distribution of the latest set of definitions up to the time that a new set of definitions is downloaded. For example, if the polling frequency is set to 4 hours, a new set of definitions will be downloaded every 4 hours, and you then have the option of delaying the distribution of those definitions for 0, 1, 2 or 3 hours. You will need to ensure that the AV definition delay is always set to less than the polling frequency. If the definition delay is set equal to or greater than the polling frequency, the delay will be reduced to 1 hour less than the polling frequency. For example, if the polling frequency is 4 hours and you set the definition delay to 8 hours, the actual delay applied will be 3 hours.

Note that the longer the time between the availability of the latest AV definitions and these definitions being updated on an endpoint, the greater the security risk. Therefore, this feature should only be used if you have specific change control policies that are being adhered to.

End of Document
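The delay rules stated in the Migration Guide (delay must be less than the polling frequency; 23 hour cap) and in Appendix A (legacy 0 to 72 hours backed by six stored versions; v8.2 reduces an over-large delay to one hour less than the polling frequency) are small enough to encode and check before upgrading agents. The following is an added example, not Lumension code and not part of this document: it models the two implementations as plain functions and runs the Appendix A staging example (test group 0 h, general population 4 h, critical servers 24 h) through the v8.2 rules to show which legacy policy-set values would silently change. The policy-set names, the 6 hour polling frequency and the schedule helper are constructed for illustration; the constants come from the text above.

```python
"""Model of the AntiVirus Definition Distribution Delay rules as this guide
states them (added example; not Lumension code).

Legacy (v7.2 to v8.1): delay is 0..72 hours and does not depend on the polling
frequency because the server keeps six definition versions.
v8.2: one definition set is kept, so the delay is capped at 23 hours and must be
less than the polling frequency; a delay >= polling frequency is reduced to
(polling frequency - 1) hours.
"""
from typing import Dict, List, Tuple

LEGACY_MAX_DELAY_HOURS = 72   # legacy engine: stated maximum
LEGACY_UPDATES_PER_DAY = 2    # legacy engine issues two updates per day
LEGACY_VERSIONS_STORED = 6    # legacy server keeps six definition versions
V82_MAX_DELAY_HOURS = 23      # v8.2 engine: stated maximum
MAX_POLLING_HOURS = 24        # maximum AV polling frequency (both engines)


def legacy_supported_delay_hours() -> int:
    """Delay the six stored legacy versions can cover at two updates per day."""
    hours_between_updates = 24 // LEGACY_UPDATES_PER_DAY
    return LEGACY_VERSIONS_STORED * hours_between_updates   # 6 * 12 = 72


def effective_delay_legacy(requested_delay_hours: int) -> int:
    """Delay the legacy server applies: clamped to 0..72, polling-independent."""
    return max(0, min(requested_delay_hours, LEGACY_MAX_DELAY_HOURS))


def effective_delay_v82(polling_hours: int, requested_delay_hours: int) -> int:
    """Delay the v8.2 server applies for a requested agent-policy-set delay."""
    if not 1 <= polling_hours <= MAX_POLLING_HOURS:
        raise ValueError(f"polling frequency must be 1..{MAX_POLLING_HOURS} hours")
    delay = max(0, min(requested_delay_hours, V82_MAX_DELAY_HOURS))
    if delay >= polling_hours:
        # Appendix A: reduced to one hour less than the polling frequency.
        delay = polling_hours - 1
    return delay


def max_delay_v82(polling_hours: int) -> int:
    """Largest delay a v8.2 policy set can actually obtain at this polling frequency."""
    return effective_delay_v82(polling_hours, V82_MAX_DELAY_HOURS)


def check_policy_sets(polling_hours: int, legacy_delays: Dict[str, int]) -> List[str]:
    """Pre-upgrade review: legacy delay values that will not carry over unchanged.

    This is the check to run after the server upgrade, before agents move to
    v8.2, so that a staged rollout does not quietly become a shorter one.
    """
    findings = []
    for name, requested in legacy_delays.items():
        applied = effective_delay_v82(polling_hours, requested)
        if applied != requested:
            findings.append(
                f"{name}: legacy delay {requested}h, v8.2 would apply {applied}h "
                f"(polling every {polling_hours}h)"
            )
    return findings


def distribution_schedule(polling_hours: int, delay_hours: int,
                          horizon_hours: int = 24) -> List[Tuple[int, int]]:
    """(server download hour, endpoint distribution hour) pairs from hour 0.

    Hypothetical helper: it only illustrates that, under the v8.2 rule, a
    delayed set is always distributed before the next set is downloaded.
    """
    applied = effective_delay_v82(polling_hours, delay_hours)
    return [(t, t + applied) for t in range(0, horizon_hours, polling_hours)]


if __name__ == "__main__":
    # Constructed policy sets mirroring the Appendix A staging example.
    legacy_policy = {"Test endpoints": 0, "General population": 4, "Critical servers": 24}
    for line in check_policy_sets(6, legacy_policy):
        print(line)
    print("max v8.2 delay at 6h polling:", max_delay_v82(6))
    print("schedule, 4h polling, 8h requested:", distribution_schedule(4, 8, 12))
```

With a 6 hour polling frequency the check reports only the critical-servers policy set: its 24 hour legacy delay would become 5 hours on v8.2, which is exactly the kind of change the guide asks you to review in each agent policy set before upgrading endpoints. Raising the polling frequency (for example to 24 hours) allows the full 23 hour delay, at the cost of fetching definitions less often.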