Limited Warranty
Norman Safeground guarantees that the enclosed CD/DVD-ROM and documentation do not have production
flaws. If you report a flaw within 30 days of purchase, Norman Safeground will replace the defective CD/
DVD-ROM and/or documentation at no charge. Proof of purchase must be enclosed with any claim.
This warranty is limited to replacement of the product. Norman Safeground is not liable for any other form
of loss or damage arising from use of the software or documentation or from errors or deficiencies therein,
including but not limited to loss of earnings.
With regard to defects or flaws in the CD/DVD-ROM or documentation, or this licensing agreement, this
warranty supersedes any other warranties, expressed or implied, including but not limited to the implied
warranties of merchantability and fitness for a particular purpose.
In particular, and without the limitations imposed by the licensing agreement with regard to any special use or
purpose, Norman Safeground will in no event be liable for loss of profits or other commercial damage
including but not limited to incidental or consequential damages.
The information in this document as well as the functionality of the software is subject to change without
notice. The software may be used in accordance with the terms of the license agreement. The purchaser
may make one copy of the software for backup purposes. No part of this documentation may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or
information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without
the explicit written permission of Norman Safeground.
Names of products mentioned in this documentation are either trademarks or registered trademarks of their
respective owners. They are mentioned for identification purposes only.
Norman Safeground documentation and software are Copyright © 1990-2014 Norman Safeground AS.
About
We provide technical support and consultancy services covering security issues in general. Technical support
also comprises quality assurance of your antivirus installation, including assistance in tailoring the security
software to match your exact needs.
For training or technical support issues please contact your local dealer or a Norman Office.
System requirements
Endpoint Protection and Endpoint Manager are designed to work in IP-based networks. The communication
between the management console servers and the clients uses TCP/IP on port 2868, which has been
reserved and registered by Norman. The Information Exchange (NIX) protocol is used. Both binary traffic and
http-based communication use this port.
The platforms that the Endpoint Protection framework is designed to run on do not have to be servers, but
they must be licensed to allow an unlimited number of IP connections on a given port.
The Endpoint Manager makes extensive use of memory caching for its data handling, and in larger
networks, it will perform better with more available RAM.
An overview of supported platforms for installation of Endpoint Protection and Endpoint Managers
(management consoles) is available at
•• www.norman.com/business/system_requirements
Introduction
Endpoint Protection constitutes the framework for hosting a range of applications that can be installed and
controlled through a common licensing and update system.
Descriptions
•• Endpoint Protection
-- the framework for Endpoint Manager installations.
-- the name of the client security software.
•• Endpoint Manager
-- the management console, with Toplevel and Midlevel Managers.
The concept
A management console installation is a node in a network where the clients’ configuration is managed. This
is done by establishing policies which include product configuration. When a client contacts the management
console to fetch a configuration, the settings for the relevant policy are sent back.
Information about the clients is sent to the management console through the messaging system or through a
separate http-wrapped protocol. A database on the management console contains information about all the
IP-based devices in the network. Clients can be assigned policies and hence managed on the management
console.
A node that is designated the management console is a regular corporate node with additional administrative
functionality. The management console maintains lists in the local database over manageable and unman-
ageable clients and displays status information and network statistics.
One of the management console’s fundamental properties is that nodes and clients in the database are
assigned to logical groups that can be configured. All clients within a group will also share product
configurations. Clients in the network will contact their assigned management console level and get configuration
according to the policy that has been established for their specific group. Groups are managed in the
management console GUI.
The management console contains additional functionality to distribute, install, manage, and control many
installations within one organization. Only a few clients/machines fetch updates from outside the organization
in such an environment; most of the distribution takes place over the local network. Read more about updating
the software in “Appendix A: The Update Mechanism” on page 64.
Management console
There is a limit to how many endpoints a single management console can handle. Such limitations are
related to machine performance and/or the size of the product updates that need to be distributed to the
endpoints (sometimes more than 100MB). This has in turn affected bigger installations where thousands of
managed clients all had to communicate with one single management console. To cater for larger installations,
earlier versions distributed software and virus definition updates to clients from Windows shares. Endpoints
would however still report status and receive configuration updates from the management consoles, as such
data is not large.
The Toplevel Manager is a permanent logical entity in the managed realm. Additional Midlevel Managers
can be changed and moved. A managed client can be promoted to the role of a Midlevel Manager and later
demoted to an ordinary managed client. You can also move it around within the management console
hierarchy. Policy updates, as well as software and definition file updates, are distributed from the toplevel
downwards throughout midlevels and finally onto the clients.
Establishing a realm with Midlevel Managers is optional. In smaller networks, for example, this
feature may not be a practical solution.
Promoting clients
When the realm is created and the initial management console is installed, the management console will
display clients that are discovered throughout the network.
An online managed client can be promoted to become a Midlevel Manager. Once promoted,
management groups of clients can then be assigned to this Midlevel Manager, thereby relieving the Toplevel
management console. The Toplevel console will still display the complete network topology, the Midlevel
Managers, as well as status information from every client in the network.
When promoting a client to a Midlevel Manager, try to select a client that is both powerful and is physically
close to the group of clients that will be assigned to it. It may take 3-5 minutes for a promotion to complete.
Messages
Each manager or managed client keeps data about the manager they report to, and about the Toplevel
Manager of the realm.
If a Midlevel Manager malfunctions, the managed clients will still know the path to the Toplevel Manager. If
a Midlevel Manager fails, messages from its clients will not reach the Toplevel Manager until the Midlevel
Manager is up and running again.
Immediate messages (alarms, errors, and warnings) are passed on directly to the Toplevel Manager from the
Midlevel Manager that the affected client is assigned to. Other Midlevel Managers do not receive this
information.
Less urgent messages with client information like state, operating system and policy information, IP and
MAC address etc. are sent to the client’s manager frequently. Every tenth time a complete update for each
managed client is sent.
Actions
Action buttons (see “Action buttons” on page 27) can be applied to any managed client within the same
network segment, for example by Midlevel Manager’s administrators.
Updating
By default, all Midlevel Managers and their clients receive product and definition file updates and policies
containing configuration data from the Toplevel Manager. In a multilevel realm, client groups may be
assigned to any management console from which they will update, for load balancing or other practical
reasons. See also “Appendix A: The Update Mechanism” on page 64.
More
Read more about features and news at www.norman.com.
Definition of terms
•• Endpoint Manager: This is a management console system in the realm where the network and the
security products can be configured and controlled. It includes configurable logical groups of nodes
and clients in the database that share product configuration and receive updates from their common
Manager.
•• Multilevel: A management console installation where it is possible to introduce several Managers in a
tree-like structure.
•• Toplevel Manager: The first management console to be installed in a network. During install, the
realm credentials package is established (realm name, realm owner name, etc.). The Toplevel
Manager is at the top of the hierarchy. There can only be one Toplevel Manager within a realm.
•• Midlevel Manager: Additional midlevel management console that reports to the Toplevel Manager.
•• Endpoint Protection: Managed client security software, and the framework for installing a
management console.
•• Realm: The organizational collection of clients that is controlled by a management console, similar to
a domain.
•• NISE (Norman Internet Server Engine): An http server that serves either files, local database
resources, or GUI content. It shares port 2868, the messaging system port.
•• Credentials package: A unique data package identifying a realm. The package contains data that
allows clients in a realm to communicate with the management console, and vice versa.
Primary functions
The management console in an Endpoint Protection environment ultimately comprises all relevant products.
Theory of operation
Endpoint Manager is a product that provides management of Endpoint Protection clients. It is comprised of
the following main components:
•• A database that holds managed and unmanaged network clients and their data as well as
product policies.
•• Credentials data that defines the logical realm that is being managed.
•• A client component that is a part of all managed clients.
•• A server component that runs the management processes on the management console.
The management console was designed with scalability in mind. Emphasis has been put on keeping network
traffic low. The management server and the clients communicate continuously, but in a serialized
manner. This means that the network picture during normal operations is not real-time, but is current enough as
long as everything is normal. However, on-demand administrative actions as well as critical messages from
the clients are real-time.
In previous versions, one management console would manage all the clients within the realm. In a large
network, the management network traffic to the management console could represent a considerable load. The
(optional) hierarchical management structure introduced in this version alleviates this load.
An alternate update path may be a useful feature in installations where the console manages several
hundred machines and setting up multilevel managers is not affordable. The alternate path points to a separate
file share where the updates are placed. One sign of a server overload is that you often see ‘Nise too busy!’
messages in the elogger. Another symptom is that the management consoles become sluggish or even
unresponsive. Contact local support for help if necessary. See also “Alternate update path” on page 39.
The realm
The term realm denotes the logical collection of networks and network devices that make up the
infrastructure where the software is installed. A network administrator will name the realm and define who will
manage it. The management console will show a map of the devices that are included in the realm. These devices
may or may not be managed. An administrator can include devices into the realm, or they can be
auto-discovered.
The realm consists of a set of unique data that is replicated between the management consoles and the
managed clients. This data is used to encode the communications between the management consoles and
the clients, and it also identifies which clients are managed and which are not.
Configuration is changed centrally for the realm, and the clients retrieve the updated settings. Management
of the clients is accomplished through changing the clients’ configuration and by issuing tasks through the
same mechanism. Additionally, some direct commands allow an administrator to ask a client for information
or issue instructions to the client’s Program Manager. These commands can be used to tell a client to refresh
an installation or update itself on demand. See ”Action buttons” on page 27 for details.
The management console has a built-in backup mechanism to save the realm data. This is important in case
the management console is damaged. It will then be possible to install a new management station and con-
tinue the management of all the existing clients without having to reinstall them.
The Toplevel Manager counts and displays messages from all clients, while a Midlevel Manager
counts and displays messages only from the clients it is directly responsible for. These include messages
from Midlevel Managers placed under it in the hierarchy, but not from their clients.
Example
Headquarter (Toplevel)
- Europe (Midlevel)
- Support (Midlevel)
- Sales (Midlevel)
‘Europe’ (Midlevel) cannot see that there are virus outbreaks on ‘Sales’ (Midlevel). This information will only
be visible for ‘Headquarter’ (Toplevel), and on the local Midlevel management console ‘Sales’.
Topology messages
Managed clients in a realm will frequently collect data about network traffic and compile lists of detected
devices. This is used to let the management console add network devices to its topology map using a passive
method rather than active scanning.
In all cases, this traffic keeps the online status of the network devices up to date in the management
console database.
Realm communications
Once the management console has been installed and a realm established, the client security software may
be distributed throughout the network. Nodes in the realm should contact a management console (or a
distribution point) to get software and configuration updates. Software updates are distributed as signed packages
fetched by an internal protocol.
The same communication channel is used for configuration and management distribution. A node in the
network can replicate settings from remote store resources.
Client status
Each time an event from a particular device reaches the management console, managed or not, a timestamp
is updated in the management console’s database to reflect when the device was last seen. Network devices
can be Online, Stale, and Offline. The status is based on the device’s visibility within a set period of time.
These time thresholds can be adjusted on the management console, but the default values have proven to
generate a good network status map.
If a client has not been seen within this period, the status is set to Stale. Once it is Stale, a separate process
within the management console will attempt to actively contact the client to update its status. Note that as
long as a client is Online, no active communication is carried out from the management console to the client
unless the administrator manually initiates it.
While Stale, the management console will contact the client a certain number of times with a set delay
between each attempt. See “Supervisor process” on page 62. If no connection is obtained within this time
period and no data about the client is reported by the passive discovery mechanism, the client is marked as
Offline. As soon as any information about the client is received, it is immediately marked as Online.
Policies
A policy is a collection of product configurations stored on the management console. Managed clients will
frequently contact the management console to get a copy of the product settings. The client does not know
which policy it is getting. Rather, the management console looks up the policy for the requesting client, and
hands back the settings contained in the relevant policy. The administrator can decide whether clients that
belong to a policy are allowed to change their settings locally. If so, the administrator can revoke this right
and enforce settings from the policy at a later time.
The management console displays a logical network map containing groups of clients. A group can be
assigned a policy or keep the original default policy (see “Assign a policy to a group” on page 46). If there
are groups within groups with different policies, and a group is deleted, any clients within the group and
possible subgroups are moved to the Lost and found group.
Administrative realm
Once a management console has been installed and a realm established, client security software may be
distributed throughout the network. The installer contains information that causes the client software to
contact the management console in the realm. Nodes in the realm should contact a Toplevel or Midlevel
Manager (or other distribution point) to acquire software and configuration updates. Software updates are
distributed as packages and are fetched by an internal protocol and not from file shares as before. See also
“Appendix A: The Update Mechanism” on page 64.
Installation
During installation you must complete a regular InstallShield Wizard to install the Endpoint Protection
framework, and then the Endpoint Manager Install Wizard to install a management console and establish a realm.
When a management console is initially established, the only administrator in the realm is the realm owner.
The original realm fundamentals established by the realm owner should be unaffected by alternating
administrator regimes, thus you must create one or more administrators first thing after the realm is established.
The administrators you create will perform all future management sessions. The realm owner is not
displayed on the realm administrators list.
Create one or more realm administrators after the realm has been established. Future management
sessions will be done as one of the realm administrators, and never as the realm owner.
The realm owner credentials should only be used when a management console is being restored
from a backup.
After the management console has been installed and administrators are added to the realm, the realm
owner may create and/or import initial client groups, and set up topology filters for discovered network clients.
One particularly important task is to create a client installation package (MSI) to be used for the initial roll-out
of managed clients. This package is unique to the realm and will ensure that the clients establish
communications with the management console and may be managed by policies.
Database auto-restore
Certain situations may result in a corrupt database, like a system power loss or reset. To ensure stability the
auto-restore system will load a previous store, namely the latest working and complete store. This backup
feature is independent of the management console backup system, and it runs on an hourly basis as well as
backing up immediately after setting up the realm.
If you experience situations that may result in a corrupt database, and Endpoint Protection was
installed less than an hour ago, and the realm is not created yet, then the restore point is not
complete. You will have to uninstall Endpoint Protection completely before you install it again.
Installing
Make sure you have the Endpoint Protection license key at hand before you start.
We recommend that you select Custom rather than Complete installation, and select only the lan-
guage versions that you actually need, to save bandwidth and resources.
2. When the installation is complete, you may be prompted to restart your computer.
3. Read the information on the welcome page, select I have read and understand... and then click
Continue >.
4. Select the option that applies to your network, either I am establishing a new realm or
I am restoring an existing realm:
1. Realm name
Enter a Realm name of length 2-64 characters.
Valid characters are: A-Z, a-z, 0-9 and _ (underscore).
The password cannot be reset. Create a password so strong that it is impossible to guess. A pass-
word of at least 16 random characters is recommended. Write it down and keep it in a safe place.
The only way to change the password is to uninstall and reinstall the Endpoint Manager, but then
all management console information and client connectivity are lost too. Restoring a realm from
backup also restores the current owner and password.
3. DNS name
Enter a DNS name of length 2-255 characters.
The machine you’re installing to must have a globally resolvable DNS name to ensure that all cli-
ents and midlevels in the realm use the same values. The address you enter cannot be changed
later. The fields are not editable.
If you are updating from a previous realm where the Endpoint Manager server was set up as an IP
address, there may be some situations where your clients cannot reach the Toplevel Manager.
4. Overview
A dialog appears, displaying the values you just specified. If you are satisfied, print this page for future
reference and click Continue to proceed with the installation, or click Back to change the values.
Select platforms and languages.
5. Complete
A final dialog appears with a handful of important tips. Click Finish to complete the installation.
6. Log on
In the next dialog, log on the management console with the values you just confirmed, i.e. username and
password.
If you experience problems logging on to the newly created realm, you must restart your machine.
Alternatively, you can access the management console with a browser other than IE, for example
Mozilla Firefox, using the address: http://localhost:2868/noc/index.phtml.
The management console is launched. We strongly recommend that you create a realm administrator
before you do anything else. Go to Settings > Realm administrators.
Then select Products and check Licenses, Languages and Platforms.
Then go to Licenses > Update selected products to download the latest versions of all selected
components. It is important that you select the correct platform of the Endpoint Manager machine in this dialog.
You can also select other platforms that Endpoint Protection will be supporting.
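The following Python is an added example, not code from the manual or from the product. It models the input rules of the wizard steps above (realm name of 2-64 characters from A-Z, a-z, 0-9 and underscore; DNS name of 2-255 characters) and generates a realm owner password with a CSPRNG, since that password can never be reset and the manual recommends at least 16 random characters. The hostname label syntax, the password alphabet and every function name are assumptions made for the example.

```python
"""Realm-creation input checks and owner-password generation (added example).

Realm-name rule and DNS-name length come from the manual; the DNS label
syntax and the password alphabet are assumptions.
"""
import math
import re
import secrets
import string

# Manual: 2-64 characters, A-Z, a-z, 0-9 and _ (underscore).
REALM_NAME_RE = re.compile(r"[A-Za-z0-9_]{2,64}")
# Assumed standard hostname label syntax: letters, digits and hyphens,
# no leading or trailing hyphen, 1-63 characters per label.
DNS_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Assumed alphabet: letters, digits and punctuation that is unambiguous when
# typed into a wizard field and written down by hand (no quotes, backslash, space).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def valid_realm_name(name: str) -> bool:
    """True if `name` satisfies the realm-name rule from the manual."""
    return REALM_NAME_RE.fullmatch(name) is not None


def valid_dns_name(name: str) -> bool:
    """True if `name` is 2-255 characters long and every label is well formed."""
    if not 2 <= len(name) <= 255:
        return False
    return all(DNS_LABEL_RE.fullmatch(label) for label in name.split("."))


def generate_owner_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random password drawn with the `secrets` CSPRNG.

    The realm owner password cannot be reset, so it is generated, never
    chosen by hand, and the 16-character minimum from the manual is enforced.
    """
    if length < 16:
        raise ValueError("realm owner password must be at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet: str = PASSWORD_ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of `length` over `alphabet`."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    # Constructed sample values, not from any real installation.
    for realm in ("corp_realm_01", "corp-realm", "a"):
        print(f"realm {realm!r}: {'ok' if valid_realm_name(realm) else 'rejected'}")
    for host in ("nem01.corp.example.com", "-bad.example.com"):
        print(f"dns {host!r}: {'ok' if valid_dns_name(host) else 'rejected'}")
    pw = generate_owner_password()
    print(f"owner password: {pw}  ({password_entropy_bits(len(pw)):.1f} bits)")
```

Print the generated password once, write it down as the manual instructs, and keep it with the realm backup; the only other copy lives inside the realm credentials.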
Uninstalling
To uninstall Endpoint Manager, use the standard procedures offered by your operating system, for example
Start > Control Panel > Add or Remove Programs. A restart is required after uninstalling the Endpoint
Manager.
Installing on clients
The following describes how you install Endpoint Protection in a network.
3. Select and drag a client to a group to assign a specific policy to the client. Hold down the Ctrl or SHIFT
key to select multiple clients.
4. Click OK to confirm.
Please refer to “Client states” on page 26 and “Transitions between states” on page 26 for an
explanation of available icons for groups and clients.
2. Run the installer file (msi) on the client that will be used to create the image and wait until the client is
done updating itself and is running normally.
2. On the client
b) From the command prompt enter njeeves2 /unload to stop the njeeves2 process.
After that you will see a “’Jeeves’ not running” error in the system tray icon, but it will not interfere with the
process and will be automatically solved after creating the image later (when restarted).
Getting started
The web-based administrative GUI is made up from an invariable left hand side status and realm overview,
and to the right variable main pages, like Home, Clients, Policies, Products, Reports and Settings. Clicking
on either tab on the topmost horizontal menu bar brings you directly to the relevant page.
Support
Clicking the support link at the right-hand top corner of the program window will open our web pages for
help and support. The web pages provide information about support issues and support forum, manuals,
installers, system requirements, our offices and distributors, and more.
The size of the network combined with the selected trigger threshold values (see
“Realm administrators” on page 51) significantly affects the indicator.
Example
Imagine a network of 10 clients and a trigger threshold set to 5%. In this example one client amounts to
10% of the network clients with that status (5 percentage points above the trigger value). This means that if one
client receives a warning, alarm, or error it will raise the risk level.
The intention is to give a general idea about the network health, rather than an exact indication.
Current status
The current status displays the absolute numbers that the risk level bar is based on. Click the plus sign under
the risk level bar to expand or collapse the status view.
Click a status link for details about the clients (see also “Alarms” on page 18), or enter name or address in
the search field to look for specific clients, and then on a column heading to sort the entries in the dialog for
that particular event. The numbers are the same as those the risk level bar and the status area are based on.
Guest nodes are clients that have Endpoint Protection installed, but do not belong to this realm. Guest
services are not available in this version of the management console.
Click the realm name to refresh the current status information, which is available from all the tabbed dialogs.
Alarms
An alarm is an event that requires immediate action, and is posted by a security product.
If an incident occurs in a realm, the involved application will generate event messages that are routed to the
management console. The message details are displayed on the Status page.
Errors
Errors are system anomalies that may or may not require attention. They are typically generated when a
client application suffers from a malfunction.
Error messages that the management console receives in the realm are defined by the application reporting
the error.
Warnings
A warning is typically sent when there is an event that is handled normally but that implies that there is
unusual activity detected by the client applications. As opposed to alarms and errors, warnings do not require
immediate attention.
This display informs about warning type, the name of the client issuing the warning, and the date and time
when the client was last seen, i.e. the last time the management console detected network activity from this
client.
Not updated
The Not updated message is issued by a client when the client’s program manager detects that the client
software has not received relevant updates. The client will also appear as Not updated when its current
policy has been changed, or when it has been assigned a new one.
Status information under this tab includes type of client, its name, when it was last seen, and when it was last
updated (yyyy.mm.dd and time in 24 hour format).
The information for Not updated clients includes the name, when it was last seen, the operating system,
when the policy was refreshed, and the group name.
Offline
The clients marked as Offline have not been heard from or contacted within a certain period of time. The
clients may or may not be managed clients.
A Managed client employs policy settings. An Unmanaged client has no policy or no client software, or it is
another type of device than a workstation, like a printer, a hub, etc.
Online
Whenever an event from a particular device, managed or not, reaches the management console a
timestamp is updated in the management console’s database to reflect when the device was last seen and to
determine status based on that information.
As soon as information about a client is received, it is marked as Online. The status is based on the device’s
visibility within a set period of time. Time thresholds can be adjusted.
As long as a client is online, no active communication is done from the management console to
the client unless the administrator manually initiates it.
Stale
When a client has not been seen within the set period (default 1 hour for managed and 2 hours for
unmanaged clients), its status is changed to Stale. A separate process will then actively try to rediscover the
stale client. If the repeated contact attempts fail and nothing is heard about the client passively, it appears in
the Offline folder.
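The transitions described under “Client status” and in the Online, Stale and Offline sections here can be modelled in a few lines. The following Python is an added example, not code from the manual or the product: the 1-hour and 2-hour defaults are the manual’s, while the supervisor retry count and delay, the device names and the timeline are assumptions made for the example.

```python
"""Model of the Online / Stale / Offline client-status logic (added example).

A device stays Online while it has been seen within its threshold, becomes
Stale once that threshold passes, is then probed by the supervisor process a
fixed number of times with a fixed delay, and is marked Offline when every
probe fails and nothing is heard passively. Any sighting makes it Online again.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Optional


class State(Enum):
    ONLINE = "Online"
    STALE = "Stale"
    OFFLINE = "Offline"


# Defaults quoted in the manual: 1 hour for managed, 2 hours for unmanaged.
ONLINE_THRESHOLD = {True: timedelta(hours=1), False: timedelta(hours=2)}
# Assumed supervisor settings; the manual only says "a certain number of
# times with a set delay".
SUPERVISOR_RETRIES = 3
SUPERVISOR_DELAY = timedelta(minutes=10)

Probe = Callable[["Device"], bool]


@dataclass
class Device:
    name: str
    managed: bool
    last_seen: datetime
    state: State = State.ONLINE
    retries_left: int = SUPERVISOR_RETRIES
    next_retry: Optional[datetime] = None

    def seen(self, now: datetime) -> None:
        """Any event from the device (a message or a passive topology report)
        refreshes last-seen and makes it Online immediately."""
        self.last_seen = now
        self.state = State.ONLINE
        self.retries_left = SUPERVISOR_RETRIES
        self.next_retry = None

    def tick(self, now: datetime, probe: Probe) -> State:
        """Re-evaluate the status at `now`; `probe` stands in for the supervisor's
        active contact attempt and returns True if the client answered."""
        if self.state is State.ONLINE and now - self.last_seen > ONLINE_THRESHOLD[self.managed]:
            self.state = State.STALE
            self.next_retry = now  # first probe happens right away
        if self.state is State.STALE and self.next_retry is not None and now >= self.next_retry:
            if probe(self):
                self.seen(now)
            else:
                self.retries_left -= 1
                if self.retries_left <= 0:
                    self.state = State.OFFLINE
                    self.next_retry = None
                else:
                    self.next_retry = now + SUPERVISOR_DELAY
        return self.state


def simulate() -> list[tuple[str, int, str]]:
    """Constructed timeline (not from the manual): a managed workstation that
    goes silent, and an unmanaged printer that is rediscovered passively."""
    t0 = datetime(2014, 1, 1, 8, 0)

    def never_answers(_: Device) -> bool:
        return False

    ws = Device("ws01", managed=True, last_seen=t0)
    printer = Device("prn01", managed=False, last_seen=t0)
    trace = []
    for minutes in (30, 61, 71, 81):
        state = ws.tick(t0 + timedelta(minutes=minutes), never_answers)
        trace.append((ws.name, minutes, state.value))
    for minutes in (90, 121):
        state = printer.tick(t0 + timedelta(minutes=minutes), never_answers)
        trace.append((printer.name, minutes, state.value))
    printer.seen(t0 + timedelta(minutes=125))  # another client's topology report lists it
    trace.append((printer.name, 125, printer.state.value))
    return trace


if __name__ == "__main__":
    for name, minutes, state in simulate():
        print(f"{name:6} +{minutes:3d} min  {state}")
```

The point worth keeping in mind when alerting on this data: Offline is a conclusion drawn from silence plus failed probes, not a report from the client, and a single passive sighting by any other client flips the device straight back to Online.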
Managed
A client that has been assigned a policy is a managed client. It receives all configuration settings from the
policy it fetches from the management console. Information about all the IP-based devices in the network is
stored in a database on the management console.
Home
An RSS feed at the top of the Home page informs you about upcoming updates, restarts, and other
important information.
To monitor these bulletins you add the URL as a favorite RSS client on your computer, cell phone and so
forth. You can also click the View message log link and follow the instructions to subscribe to this service.
The Home page features also a graphical representation of the realm’s clients. You can click the Norman
logo at the top of the page to reload Home from any page.
Clients
This page presents details about the entire realm with the management consoles, groups, and clients. All
machines are members of a group. Each group reports to a management console (Toplevel or Midlevel).
You can filter clients by Machine type, Online state and Operating System. Click the realm name link or
the Managed link from the status area at the left-hand top corner to view the filtering bar.
All newly discovered machines will automatically be assigned to the predefined Lost and found group, un-
less otherwise filtered. Machines can be moved between groups manually or automatically.
Click a group name and the machine/client members will appear in the right-hand part of the page.
Double-click a group or a client to configure it, or highlight the client/machine you wish to edit and select the
relevant action from the action buttons bar (see “Action buttons” on page 27).
You can create, edit, filter, drag and drop, and view groups and clients in a Windows Explorer-like
environment. On managed clients, a mouse over will display basic information like scanner engine version, definition
file dates, operating system, and logged-in user.
The links Policy: and Reports to: display the client’s current policy and the manager it reports to. Click the
links to select other policies and managers (on Toplevel or Midlevel).
The names of the group’s policy and the manager it reports to appear just above the action buttons (see
“Action buttons” on page 27). Click the Policy or Reports to: link to select another policy or manager from
the drop-down list.
If you move a group to another level, for example to a Midlevel Manager, it may take several
minutes before it is visible in its new location and starts reporting to and receiving updates from the
new manager.
Predefined groups
The Lost and found and the Unmanaged group are mandatory groups in the Clients view. When a realm is created, a folder for each group is created and placed in the lower left-hand part of the screen.
Unmanaged
The group Unmanaged is a container for network devices that cannot be managed by the console, like printers. When the administrator drags devices into the Unmanaged group, they will no longer be contacted or counted to maintain their status and statistics. It is, however, necessary to maintain a list of deleted devices, since they will still show up in the network topology reports from the clients and will be added to the Lost and found at each rediscovery. It is therefore not possible to delete devices completely from the topology database.
Client/machine information
Click a group name link to view the group’s clients/machines. Double-click a client to configure it directly. Select the relevant action from the client information dialog that appears. Alternatively, from the Clients page click to highlight the client and select the relevant icon from the action buttons bar. The action buttons become selectable only when you highlight one or more clients/machines.
Details
This tab provides information about scanner version, definition file updates, etc.
Installed Products
This tab lists the installed products and components, and their status.
Log
This tab lists information messages and reported errors, warnings, and alarms for the client, including the
names of the components that reported the incidents.
About status
Every time an event from a particular device reaches the management console, managed or not, a timestamp is updated in the management console database to reflect when the device was last seen. Network devices can have three online states: Online, Stale, and Offline. When a device has been seen within a set period (default 1 hour for managed and 2 hours for unmanaged clients), its status remains Online. These time thresholds can be adjusted on the management console, but the defaults have proved to generate a good network status map.
If a client has not been seen within this period, the status is changed to Stale. Once it is Stale, a separate process within the management console will attempt to actively contact the client to update its status. Note that as long as a client is Online, no active communication is done from the management console to the client unless the administrator manually initiates it.
While Stale, the management console will contact the client a set number of times with a set delay between each attempt. The default is 5 attempts once an hour, but this is adjustable. These settings can be configured from Settings > Supervisor process (see “Supervisor process” on page 62).
If no connection is obtained within this time period and no data about the client is reported by the passive discovery mechanism, the client is marked as Offline. As soon as any information about the client is received, it will immediately be marked as Online.
Create
Click Create new group. Enter a group name, select an Endpoint Manager, a policy, and optionally type in a
note for this group. Click OK to confirm and save the new group.
To add a new subgroup, point to a group name and click the create new group icon (folder with a plus sign).
‘NEM’, ‘Lost and Found’, and ‘Deleted’, or any translated versions of the two latter names, are
restricted and cannot be used as top level group names. They can, however, be used as subgroup
names.
Delete
To delete a group, point to a group name and click the delete group icon (folder with a trash can). You are prompted to confirm the deletion. If you delete a group, any members or sub-groups are automatically moved to the Lost and found group.
For a new client to be discovered and maintained in the client view, an IP or MAC address or a
DNS name must be given.
Client states
A client can take on several states in the client view, like online, stale, or offline, and it can be managed or unmanaged. Icons indicate what type of network device the client is; upon installation the icon is set to either a question mark (unknown) or a screen (workstation). An administrator can edit the type in the client details window and in this way change the icon. The device type icon is a management aid for administrators and does not indicate any of the following status situations.
Online
A client is online, with a green computer icon, when it has been seen or heard from within the time period defined as the stale delay, which is 1 or 2 hours by default depending on whether the client is managed or not. Any device in the network is regarded as a client regardless of whether it has Endpoint Protection installed.
Stale
A client is stale with a gray computer icon when it has not been heard from within the time period mentioned
above. When a client is marked stale, it means that the management console will try to establish contact with
the client a set number of times with a set time interval. This differs from a normal situation where clients are
reported as online when they submit status information or are seen by other clients.
Offline
A client is offline with a gray computer and red mark-out icon when it has not been reported by anyone and
the attempts to contact it have failed. The client will remain offline until it reports itself to the management
console, or it has been seen by another client that reports the network topology.
Managed
A client is managed when it has Endpoint Protection installed and is a member of the realm that the Endpoint
Manager has established. The client becomes managed as soon as Endpoint Protection is installed and the
client reports its platform and status information to the management console. A client with an online icon and
a green ball next to it is online, managed and without errors or warnings. It can be managed or unmanaged
regardless of its online status.
Unmanaged
Any device that is not managed is unmanaged. An administrator can choose to keep the unmanaged devices visible in the network topology map, or drag those devices into the pre-defined Unmanaged group to keep them out of sight.
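The Online, Stale and Offline transitions described under “About status” and again under “Client states” above, as an added Python simulator. This is not code from the product or from this manual: the thresholds (1 hour for managed and 2 hours for unmanaged devices, 5 contact attempts one hour apart) are the defaults the manual states, while the data model, the function names, the constructed timeline and the exact moment at which the last failed attempt turns a Stale client Offline are my own assumptions.

```python
"""Added example: the Online / Stale / Offline logic the manual describes, as a small simulator."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Defaults quoted by the manual; both are adjustable under Settings > Supervisor process.
STALE_DELAY = {True: timedelta(hours=1), False: timedelta(hours=2)}  # managed -> 1 h, unmanaged -> 2 h
MAX_ATTEMPTS = 5                   # active contact attempts while Stale
RETRY_DELAY = timedelta(hours=1)   # delay between those attempts


@dataclass
class Client:
    name: str
    managed: bool
    last_seen: datetime                  # refreshed whenever any event from the device arrives
    state: str = "Online"
    attempts: int = 0                    # failed active contacts in the current Stale period
    last_attempt: Optional[datetime] = None


def seen(client: Client, now: datetime) -> None:
    """Any report about the device (its own status, another client's topology report,
    or an answered probe) puts it straight back to Online."""
    client.last_seen = now
    client.state = "Online"
    client.attempts = 0
    client.last_attempt = None


def supervise(client: Client, now: datetime, contact: Callable[[Client], bool]) -> str:
    """One pass of the supervisor process over one client; `contact` is the active probe."""
    if client.state == "Online":
        # While Online the console never contacts the client on its own initiative.
        if now - client.last_seen > STALE_DELAY[client.managed]:
            client.state = "Stale"
    elif client.state == "Stale":
        due = client.last_attempt is None or now - client.last_attempt >= RETRY_DELAY
        if due:
            if contact(client):
                seen(client, now)
            else:
                client.attempts += 1
                client.last_attempt = now
                # Assumption: the client is marked Offline once every attempt has failed;
                # the manual does not say at which exact moment the change happens.
                if client.attempts >= MAX_ATTEMPTS:
                    client.state = "Offline"
    # Offline: nothing is tried; only seen() brings the client back.
    return client.state


def demo() -> List[Tuple[int, str]]:
    """Constructed timeline: a managed client goes silent, fails every probe, then reports in."""
    t0 = datetime(2014, 1, 1, 8, 0)
    client = Client("ws-01", managed=True, last_seen=t0)
    trace = []
    for minutes in (30, 61, 121, 181, 241, 301, 361, 400):
        trace.append((minutes, supervise(client, t0 + timedelta(minutes=minutes), lambda c: False)))
    seen(client, t0 + timedelta(minutes=420))  # e.g. the client submits its status
    trace.append((420, client.state))
    return trace


def unmanaged_demo() -> Tuple[str, str, str]:
    """Same check for an unmanaged device, which gets the longer 2 h delay."""
    t0 = datetime(2014, 1, 1, 8, 0)
    printer = Client("printer-01", managed=False, last_seen=t0)
    return tuple(supervise(printer, t0 + timedelta(minutes=m), lambda c: False) for m in (61, 119, 121))


if __name__ == "__main__":
    for minutes, state in demo():
        print(f"t+{minutes:>3} min: {state}")
    print("unmanaged:", unmanaged_demo())
```

The point worth noticing is that a Stale client costs the console five probes spread over five hours before it is written off, and that nothing ever moves a client out of Offline except fresh data about it; when reading the status map, a long row of Offline entries therefore says more about passive discovery than about the supervisor settings.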
Action buttons
Select a client from Clients, or open the details window for a specific client, to view the Action buttons.
Depending on the client status, one or more of the buttons may be disabled.
Edit client
Click Edit client or double-click a client to open the client details window. You can change the type (icon) of the client, edit its alias name, move it to another group, and/or enter notes about the client.
Update client
Click Update client to tell a managed client to check for updates and to replicate its policy immediately. Normally, the client will check for updates every hour and check for policy changes every 10 minutes. See also “Appendix A: The Update Mechanism” on page 64.
Promote client
Click Promote client to promote an online, managed client into a Midlevel Manager. See also “Promoting clients” on page 7.
Demote client
Click Demote client to reverse a promotion and demote a management console into a managed client. Other management consoles reporting to it must be removed first.
Request status
Click Request status to force a managed client to submit its status information. This is normally
done when the client checks for policy changes.
Rediscover client
Click Rediscover client to initiate manual rediscovery of any device, regardless of status or if it is
managed or not. When a client is stale, the management console will actively attempt to discover the
client.
Repair client
Click Repair client to tell the client’s program manager to re-install all products if a managed client
experiences consistent problems. The entire client software will then be re-installed.
The action to repair a client is quite drastic and should only be used as a last resort.
Restart client
Click Restart client to force a restart of a managed client, for example after it has been updated.
Remote command
Click Remote command to help a client user with a specific issue, or to perform actions that are not
covered by the action buttons.
You can only execute software that is located below the Norman root. An administrator can issue a console
command directly to any Norman program component on a managed client.
Before issuing a remote command, keep in mind what the state of the remote client might be (no user logged
on, several users logged on, etc.).
The remote process will run with system privileges in the context of the njeeves2.exe process. However, if the process requires a graphical user interface, it may not show up on the remote client unless the administrator is logged on and has the desktop open (for example on a Vista client).
Delete client
Click Delete client to remove a client and move it to the Unmanaged group. Alternatively, you can
drag it there. The client will no longer be updated or discovered by the management console.
Policies
A policy is a set of product configurations that governs the behavior of the clients in a group, and it holds information about which products to install on the member clients. Clients always use the policy assigned to their group.
A default policy should always be present in the local database, and it will provide default configuration values for all licensed products. The predefined Default policy is automatically assigned to all groups. You can choose another default policy, like the Midlevel Manager policy or the Toplevel Manager policy. The administrator can edit the default policies, but not delete them.
The Default policy is mandatory. This is the policy that is assigned to all new groups by default. It
is good practice to leave it unchanged or to only make small changes to it.
You are not allowed to delete a policy that has clients assigned to it. Before you delete a policy you must remove the clients or assign them to another policy. If there are clients assigned to the policy, an error message is displayed when you try to delete it.
The users’ access to edit the various configuration values locally at their workstation is governed by the
administrator through the policy. These access rights are granted on a per product basis, and can be either
write access or read-only.
When you click a digit in the Subscribing groups column, a dialog with the subscribing groups for this policy appears. Click any of the listed groups to view more details about group members, etc.
Access type states whether users can install/uninstall products under this policy, or if it is read-only.
The default update frequency for policies from the store is every 10 minutes.
Create a policy
1. From Policies click New policy.
2. Enter a mandatory Policy name and an optional note for this policy.
3. Click Create to save the new policy name and to enter the configuration for this policy.
Configure policies
When you have created a policy, it appears on the Policies list and the configuration dialog for the new
policy is opened.
Install/uninstall
Select one or more products and/or components to install for this policy’s subscribers. Available products
are licensed products. By default, all products are selected. Products which are mandatory or not eligible for
install/uninstall are grayed out.
Configure
Click the configure icon to modify the configuration for this particular product within this policy. All managed
clients assigned to this policy will apply the configuration changes that you make. Clients that belong to other
policies will not be affected.
Real-time Scanner
The Real-time Scanner works in the background and offers automatic protection of your system.
Cleaning options
An infected file is sent to quarantine, and from this option you can select how to handle the quarantined files.
Access to an infected file is denied if repair fails.
For security reasons the exclude list for the real-time scanner is limited to 50 entries. In addition to the risk
the exclude list represents, it also increases the use of system resources. The more entries in the list, the
more resources will be used by the real-time scanner.
Network drives
Excluding files on network drives from scanning is selected by default. Deselect this option if you want to
scan shares that you have access to on remote computers.
The Real-time Scanner’s behavior will depend on the user rights of the logged on user when scanning files
residing on network drives. When the Real-time Scanner sees a file that is opened from a network drive, it
will scan the file as usual. However, it will not be able to repair or remove an infected file, unless the logged
on user has write access to the directory/file in question. Still, access to the infected file will be denied.
Real-time scanning in networks is intended for a situation where servers do not run antivirus software, simply to avoid the same files being scanned twice—once on the server and then again when they are opened on the client. The consequences of such double scanning could be that network logons and backups become slower. However, the system administrator must make the final decision, where security on one hand and network operation on the other are two major factors to consider.
When the Real-time Scanner detects viruses or other malware on network drives, it will display the locations
as UNC paths (e.g. \\Server\Share\InfectedFile) and not as mapped network drives (e.g. X:\Infected file).
Exclude List
Specify paths or extensions that you do not want the antivirus application to scan. The exclude list supports
different types of patterns.
Path: This pattern will match any files in or below the path, for example C:\Program Files\Joker\
Extension: This pattern will match any file with the specified file extension, for example *.db. Note that the asterisk (*) must be used as wildcard.
Enter a path, a file extension, drive letter or an environment variable and click Add to list.
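How an exclude list of this shape is evaluated, as an added Python example that is not the product’s own matching code. It compiles entries of the kinds the manual lists (a path, an extension written as *.ext, a drive letter, an environment variable) into rules, enforces the 50-entry limit stated above, and answers whether a given file would be skipped. Case-insensitive Windows path matching, the %NAME% form of environment variables and the rejection of an extension entered without the asterisk are my reading of the table above, not something the manual spells out; the sample entries and paths are constructed.

```python
"""Added example: compile and evaluate a real-time scanner exclude list of the kind the manual describes."""
import re
from typing import Dict, List, Optional, Tuple

MAX_ENTRIES = 50   # the manual's limit for the real-time scanner exclude list
Rule = Tuple[str, str]


class ExcludeListError(ValueError):
    """Raised for an entry the scanner would not accept, or for an over-long list."""


def expand_env(entry: str, env: Dict[str, str]) -> str:
    """Replace %NAME% with the value from env (variable names are case-insensitive on Windows)."""
    def lookup(match: "re.Match") -> str:
        wanted = match.group(1).upper()
        for name, value in env.items():
            if name.upper() == wanted:
                return value
        raise ExcludeListError(f"unknown environment variable in entry: {entry}")
    return re.sub(r"%([^%]+)%", lookup, entry)


def _norm(path: str) -> str:
    """Windows paths: backslash separated and case-insensitive."""
    return path.replace("/", "\\").lower()


def compile_exclude_list(entries: List[str], env: Optional[Dict[str, str]] = None) -> List[Rule]:
    """Turn raw entries into ('ext', '.db') or ('path', 'c:\\...\\') rules, rejecting bad input."""
    if len(entries) > MAX_ENTRIES:
        raise ExcludeListError(f"{len(entries)} entries; the real-time scanner allows {MAX_ENTRIES}")
    rules: List[Rule] = []
    for raw in entries:
        entry = expand_env(raw.strip(), env or {})
        if not entry:
            raise ExcludeListError("empty entry")
        if "*" in entry:
            # Extension pattern: exactly "*.ext", since the manual requires the asterisk.
            if not entry.startswith("*.") or "*" in entry[1:] or "\\" in entry:
                raise ExcludeListError(f"extension patterns must look like *.ext: {raw!r}")
            rules.append(("ext", entry[1:].lower()))
        elif entry.startswith("."):
            raise ExcludeListError(f"extension without the required asterisk: {raw!r}")
        else:
            # A bare drive letter ("D:" or "D:\") excludes the whole drive; otherwise a path prefix.
            if re.fullmatch(r"[a-z]:\\?", entry, re.IGNORECASE):
                entry = entry[:2] + "\\"
            prefix = _norm(entry)
            if not prefix.endswith("\\"):
                prefix += "\\"
            rules.append(("path", prefix))
    return rules


def is_excluded(path: str, rules: List[Rule]) -> bool:
    """True if the real-time scanner would skip this file under the compiled rules."""
    p = _norm(path)
    for kind, value in rules:
        if kind == "ext" and p.endswith(value):
            return True
        if kind == "path" and (p.startswith(value) or p == value.rstrip("\\")):
            return True
    return False


def validate(entries: List[str], env: Optional[Dict[str, str]] = None) -> str:
    """Empty string if the list is acceptable, otherwise the reason it is not."""
    try:
        compile_exclude_list(entries, env)
    except ExcludeListError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed entries and paths, purely for illustration.
    rules = compile_exclude_list(["C:\\Program Files\\Joker\\", "*.db", "%TEMP%"],
                                 env={"TEMP": "C:\\Windows\\Temp"})
    for sample in ("C:\\Program Files\\Joker\\bin\\joker.exe", "C:\\data\\users.db",
                   "C:\\Windows\\Temp\\x.tmp", "C:\\Windows\\System32\\x.dll"):
        print(f"{sample:45} excluded={is_excluded(sample, rules)}")
```

Seen this way, a single *.db entry or an excluded %TEMP% folder removes every matching file on the machine from real-time scanning, which is why the manual asks for the excluded paths and extensions to be covered by scheduled scans instead.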
Recommendations
•• Make sure that your antivirus installation is up-to-date. This is the best protection against virus attacks—to
stop viruses before they enter the system.
•• Install antivirus software on email servers and gateways.
•• Restrict user rights on shares as much as possible, for example by setting the read-only attribute where applicable on files that are not frequently changed.
•• Back up your files regularly.
Exclude lists should be handled with great care, as they represent a potential security risk. We
recommend that you scan the exclude list manually on a regular basis and include these paths or
file extensions in scheduled scans.
Manual scanner
You can use the manual scanner to perform periodic scans of selected areas of your computer. Use the Task
Editor to schedule a scan (see “Task editor” on page 35).
Scan archives
Antivirus is configured to always scan archives. If an infected file is detected within an archive, Antivirus will
try to repair first. If repair is not possible, the infected file is deleted from the archive, and the original file is
quarantined. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio,
SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers
like INNO, Installshield, NSIS, SFX, VISE and WISE.
Cleaning options
If you enabled the option to automatically remove detected viruses, an infected file will automatically be sent
to quarantine. From the cleaning options you can select how to handle the files that the antivirus application
detects as infected.
Do nothing
Select this option to do nothing about files that the antivirus application detects as infected. This also means
that the files will not be sent to quarantine.
Logging
Create log file
Creates a log file whenever you run a manual scan. If you deselect this option, no log file is generated for
manual scans.
Detailed logging
Extensive logging that generates a very detailed report, specifying each file that was scanned, scanning time
per file, status, etc.
Task editor
Create task files and view or modify scheduled events. Administrators can create task files and distribute
them to all workstations in the network to ensure consistent checking of areas that require special attention.
Allow some 10 minutes for a task file to be replicated to all clients.
Create a task
Click New from the Task Editor dialog and enter a task name. Make your selections and click Create to
confirm and save your task.
Tasks are displayed as a list in the Task Editor dialog. Click a task name to edit, or click the trash can at the
end of the task line to delete that task.
Enable
By default, the task is set to enabled. Remove the check mark to disable it.
Custom scan
Select this option if you want to customize the area to scan.
The options Select files and folders, Scan boot sectors, Scan archives and Scan memory are
only available when Custom scan is selected.
Examples
•• C:\
•• D:\*.pdf
•• E:\foldername
Scan archives
Select this option to include archived files in the scan. The following formats are currently supported: 7zip,
ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk
image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.
Scan memory
When you scan the memory area, the antivirus application looks for resident viruses. You should always
make sure that no viruses exist in memory.
Start
Select the date and time to run the scan. The suggested date and time is the current one (according to your system information).
Schedule
Select a schedule for when to run the scan, daily, weekly or monthly.
Product Manager
Click a policy name that you want to configure the product manager for, and then click the Product Manager
configure icon.
Product language
Select language from the drop-down list. The list is subject to change as new language versions may be
added. A change from English (default) to another language will take effect after the next update. You can
also run a manual update for the changes to take effect immediately.
The LAN product update frequency setting should always be set to Never for the
Toplevel Manager policy as the management console should always update from the Internet.
Selecting another setting may result in your installation never being updated.
A LAN update uses the http protocol and port 2868 to connect to the management console machine.
Internet Update
This option defines when and how often a client should connect to Internet servers in order to check for necessary updates. Time before using Internet update defines how long a client can operate without management console contact - and consequently without being updated - before it is permitted to check for updates on the Internet. Update intervals defines how often a client should then check for updates via the Internet. See also “Appendix A: The Update Mechanism” on page 64.
One solution is to create a script that copies all files from \distrib\download on the management console
server to \\servername\<share_folder>\distrib\download.
If this software is installed at the alternate distribution point, any \distrib\download folder is automatically updated.
Set up a scheduled task that runs the script once every hour.
The script must be run with the necessary user privileges to access the share, so that it can run
even if no users are logged on. It may be wise to check the option to kill the process if it has run
for more than two hours.
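The hourly copy job described above, as an added example in Python that is not part of the product or of this manual. It mirrors the management console’s \distrib\download tree to the share, copying only files that are new or whose contents have changed, so the scheduled task stays cheap and its log shows what moved. The source and destination paths in the command-line form are placeholders, and selftest() builds its own constructed tree in a temporary folder.

```python
"""Added example: mirror \\distrib\\download to an alternate distribution point, copying only changes."""
import filecmp
import logging
import shutil
import sys
import tempfile
from pathlib import Path


def mirror(src: Path, dst: Path) -> dict:
    """Copy new or changed files from src into dst, preserving the folder tree.

    Files already present with identical contents are left alone, so the hourly
    scheduled task moves only what the last Internet update actually changed.
    """
    src, dst = Path(src), Path(dst)
    if not src.is_dir():
        raise FileNotFoundError(f"source folder missing: {src}")
    stats = {"copied": 0, "unchanged": 0}
    for path in src.rglob("*"):
        if path.is_dir():
            continue
        target = dst / path.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        if target.exists() and filecmp.cmp(path, target, shallow=False):
            stats["unchanged"] += 1
            continue
        shutil.copy2(path, target)  # copy2 keeps the file timestamps
        stats["copied"] += 1
        logging.info("copied %s", target)
    return stats


def selftest() -> tuple:
    """Constructed check in a temporary folder: two runs, the second after one file changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "distrib" / "download"
        dst = Path(tmp) / "share" / "distrib" / "download"
        (src / "nvc").mkdir(parents=True)                     # constructed sample tree
        (src / "nvc" / "defs.bin").write_bytes(b"defs-v1")
        (src / "catalog.txt").write_text("v1")
        first = mirror(src, dst)
        (src / "nvc" / "defs.bin").write_bytes(b"defs-v2")   # one file changes before run two
        second = mirror(src, dst)
        mirrored = (dst / "nvc" / "defs.bin").read_bytes()
        return first["copied"], second["copied"], second["unchanged"], mirrored


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    if len(sys.argv) == 3:
        # Placeholder call shape: mirror.py <console>\distrib\download \\servername\<share_folder>\distrib\download
        print(mirror(Path(sys.argv[1]), Path(sys.argv[2])))
    else:
        print("selftest:", selftest())
```

When this runs from a scheduled task, the account it runs under needs read access to the console folder and write access to the share, as the note above says; the comparison by content rather than by timestamp is what keeps a clock skew between the two machines from forcing a full copy every hour.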
Proxy settings
Proxy servers may require user authentication. If you use the proxy server options in this dialog, you must
enter the same information for proxy server log on and authentication as configured on the proxy.
Authentication
Log on to proxy server
This option is only relevant if your proxy server requires authentication.
User name
Enter a valid user name.
Password
Enter the password.
Domain
Enter the domain name. If the field is left blank, the machine name is used. This field is not intended for
proxy servers using basic authentication. The two prevalent authentication schemes are: basic, and
Windows NT challenge/response aka NTLM.
Popup settings
Configure popups
From the drop-down menu you can decide if the clients should or should not display popup messages, for
example, from a malware detection.
Your choice affects all clients that are assigned the selected policy. If the policy allows local user configura-
tion (see “Policies” on page 29), it is possible to edit the individual client to make exceptions from the
established policy settings.
Even though the popups are blocked, the management console continues to receive information
from the clients.
Intrusion Guard
Click a policy name that you want to configure the Intrusion Guard product for, and then click the Intrusion
Guard configure icon.
This product is a host-based intrusion prevention system (HIPS) that can stop malicious applications from taking over control of your machine. The application offers a powerful reporting tool and protects processes, drivers, browsers and the hosts file. It is a platform for proactive threat protection intended for experienced users. High risk events that are rarely used by legitimate applications are blocked by default.
There are two malicious techniques to achieve the same privileges as drivers get. Both of these techniques
circumvent the security mechanisms of the operating system. It is highly recommended to keep the settings
for both as Deny.
Prompt
You will be asked each time an attempt is made.
Allow
Attempts will only be logged.
Deny
No application, legitimate or malicious, will be able to install kernel level drivers.
Processes
When an application, legitimate or malicious, is installed on your computer, it will most often want to start automatically each time your computer is started. A program that wants to start automatically can instruct the operating system to auto-start itself with the same privileges as the current user, or it can install a background service that will run with elevated privileges. The intrusion prevention application can stop attempts of this nature.
Prompt
You will be asked each time an attempt is made.
Allow
You will never be prompted.
Deny
No application, legitimate or malicious, will be able to install itself to automatically start when the computer is
started.
A program can also inject code into other processes running on your machine, and it can hijack processes
by other means. This is common behavior for malicious applications, but some legitimate programs also use
such techniques, for example to extend the user’s desktop, or to offer other advanced features to the oper-
ating system or third party applications. You can configure the application to deny or prompt each time an
attempt like this is made.
Network
By adding filters to network modules in your operating system, malicious applications can steal personal data, such as social security numbers, credit card details, and passwords. Adware can modify network data sent through those filters. It can change results in search engines and show unwanted advertisements on your desktop and embedded in web pages you visit.
Prompt
You will be asked each time an event occurs.
Allow
You will never be prompted.
Deny
Stops all attempts to modify your system or install a BHO.
LSP Prevention
An LSP (Layered Service Provider) is a generic filter in the network stack in Windows. It has full control over
all network traffic on your computer.
Prompt
You will be asked each time an event occurs.
Allow
You will never be prompted.
Deny
Stops all attempts to modify your system or install an LSP.
Prompt
You will be asked each time an event occurs.
Allow
You will never be prompted.
Deny
Stops all attempts to modify your system or hosts file.
2. From the Clients page click the Policy: field and select policy from the drop-down menu.
3. Click the Save icon next to the policy name to confirm your changes.
Products
All licensed products that the management console administers in the realm are listed on this page. These
are the products available on the machine where the management console is installed—the distribution
point. When a product within a policy or on a client is configured for scheduled updates, it fetches the update
from this distribution point. The clients are updated in accordance with their policy.
Licenses
In use
An approximate number of managed clients with this product installed.
Seats
The number of seats that your license covers, for this product. If In use is larger than Seats, this is an indication that you should check whether your license covers your actual needs.
Expires
The date when the license for the product expires. The date format is YYYYMMDD.
Scheduled update
Select this option if you want to schedule updates for a product. For each product, you may select/deselect the Scheduled update option. When the scheduler initiates an update, only products with this option selected will be updated. Products not selected will not receive updates.
Languages
A number of different product languages are available, and new language versions are added at irregular intervals. The default language is English and cannot be deselected. You can choose to download one or more language versions if they are covered by your license. These languages will be available to the clients in the managed network.
The download packages may be large, so in order to reduce bandwidth use, you should be selective when you pick language versions.
Platforms
A wide range of platforms are supported, including most Windows and NetWare versions. Please refer to
“System requirements” on page 5 for details.
Select the platforms which are represented in your network and click Save. The selections are valid for both
manual and automatic update via Internet Update.
Reports
History
Select History for a report that includes incidents covering the entire period since the realm was created. There are several ways of filtering the report.
Use the drop-down menus to select how you wish to filter the messages: Component (Internet Update,
Product Manager, etc.), Message type (alarms, warnings, errors, etc.), Year, Month, and Group. The
report’s content and available filtering options depend on factors like how many different operating systems
are installed on the clients in the network, when the realm was created, the type of messages reported in the
entire period. I.e., you cannot sort on Operating System if all clients run on the same platform, on year if the
realm was created in the current year, or on type if only one or two message types have been reported.
There is a limitation of 1,000 messages per report. Therefore it is important that you specify relevant and
precise search criteria in the Search field, from where you can search through all messages generated since
the realm was established. You can, for example, search for machine names, IP addresses, or virus names
to avoid irrelevant messages with the risk of exceeding the 1,000 limit.
Reports
The management console maintains statistics for the realm around the clock. The reports cover the topology
status and incidents. As a supplement to the graphical representation of statistics on the home page, you can
generate your own, detailed reports that identify all clients in the network.
Generated reports are based on all discovered devices in the network, also those that are not managed.
However, devices that have been moved to the Unmanaged group are not included. You may filter which
clients to include in the report by their online status and/or whether a status flag has been set.
Select the details and the machines you want to include in the report and click Generate. You can filter machines by selecting clients with only one or two particular status types or select all types to include all clients (default). The default setting for the report details is also all. Choose between commas or semicolons as CSV (comma separated value) separator, depending on the report format you prefer.
The report is generated as a CSV file to be opened in most spreadsheet applications and saved as any other
file.
Settings
These pages contain configuration options as well as maintenance tasks, which are performed regularly, like
administrator management and general occasional tasks. Certain settings and parameters of a nature that
don’t require frequent attention or are likely to be performed just once are also located on these pages.
Realm administrators
This option applies to the Toplevel Manager only. For more information about realm owner and realm administrator, please refer to “Installation” on page 13.
The realm owner credentials should only be used when a management console is being restored from a backup. When first running the Endpoint Manager after it has been installed, it is an essential task to complete the creation of one or more realm administrators.
All users with administrator’s privileges in the realm are listed on this page, with information about access
type etc.
Click an administrator’s name link to view more information about the administrator.
Backup
When a managed realm is set up, we recommend that you back it up on an external storage device.
The most recent backup file is named NEM_backup_00000.nbk, and for each backup the number 00000 is
incremented until the selected Max number is reached. Hence, the backup file with the highest number is
the oldest one.
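The backup numbering described above (NEM_backup_00000.nbk is always the newest, higher numbers are older, and the set is capped by Max number), as an added Python rotation routine that is not the product’s own backup code. It assumes that Max number means the number of files kept, so the file that would be pushed past that count is deleted; the manual does not say so explicitly. The folder contents in selftest() are constructed.

```python
"""Added example: rotating NEM_backup_NNNNN.nbk files the way the manual describes (00000 newest)."""
import re
import tempfile
from pathlib import Path

BACKUP_NAME = re.compile(r"NEM_backup_(\d{5})\.nbk$", re.IGNORECASE)


def rotate(folder: Path, max_files: int) -> Path:
    """Shift every existing backup one number up and return the free path for the new one.

    Assumption (not stated in the manual): Max number is the number of files kept,
    so the file that would become number max_files is the oldest and is deleted.
    """
    folder = Path(folder)
    numbered = {}
    for entry in folder.iterdir():
        m = BACKUP_NAME.match(entry.name)
        if m:
            numbered[int(m.group(1))] = entry
    # Highest number first, so a rename never overwrites a file that has not moved yet.
    for n in sorted(numbered, reverse=True):
        if n + 1 >= max_files:
            numbered[n].unlink()
        else:
            numbered[n].rename(folder / f"NEM_backup_{n + 1:05d}.nbk")
    return folder / "NEM_backup_00000.nbk"


def listing(folder: Path) -> list:
    """Backup file names in the folder, newest (00000) first."""
    return sorted(p.name for p in Path(folder).iterdir() if BACKUP_NAME.match(p.name))


def selftest() -> tuple:
    """Constructed run: three nightly backups into a folder that keeps at most two."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        contents = []
        for night in ("mon", "tue", "wed"):   # stand-ins for the real database dumps
            rotate(folder, max_files=2).write_text(night)
            contents.append(listing(folder))
        newest = (folder / "NEM_backup_00000.nbk").read_text()
        oldest = (folder / "NEM_backup_00001.nbk").read_text()
        return contents[-1], newest, oldest


if __name__ == "__main__":
    # Placeholder: the manual's default backup folder; run against a copy before trusting it.
    print("default folder:", Path("C:\\Program Files\\Norman\\backups\\noc"))
    print("selftest:", selftest())
```

Because the numbers are reassigned on every run, the file name alone never identifies a particular night; the modification time does, which is worth remembering when you copy the set to the external storage the manual recommends.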
The file cannot be opened/viewed by any application since the sole purpose of the backup is to provide a possibility to restore a managed network realm on a management console in the case of hardware loss etc. Without a backup, the loss of the management console would require new credentials to be distributed throughout the network. The logical network structure would also have to be recreated. The backup/restore functionality is also used if you want to upgrade or replace a functioning management console. First, back up the existing management console to an external medium, then restore the backup file as part of the install wizard procedure on the new management console. The size of the file depends on your network—the bigger it is, the bigger the backup file.
Destination
Enter a path for the backup file directory where NEM_backup_0000x.nbk will be stored. The default location
is C:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows
Explorer view.
Start time
Enter the hour and minute when you want the backup to start. Backup will start at the specified time on all selected weekdays.
Backup now
Click Backup now for an immediate backup of the management console database, or Save to store your settings. If the management console is down when the backup should be performed, the backup is executed as soon as the management console becomes operational again.
Restore
In the current version, the management console’s DNS name cannot be changed. Therefore a backup of a
realm must be restored on a machine resolved with the same DNS name that was used during the realm
creation.
Alternatively, you can create a new realm and, after finishing all processes and updates from the Internet, generate new MSI installers from the management console. Copy the file mig2nss7.nts, created in the same destination folder, into the \norman\config folders of the existing clients. Please keep in mind that by doing this you are using a new/blank topology tree, and the clients will be assigned automatically to the Lost and found group. Consider creating policies, groups, and topology filters and/or moving clients manually to specific folders before you copy that file onto the clients.
Restore from
Enter the path for the backup file directory where NEM_backup_0000x.nbk is stored. The default location
is c:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows
Explorer view.
Restore strategy
Select what parts of the backup to restore. The settings part of the database contains the realm credentials
and settings. The topology part is a map of known machines in the network, as presented in the Clients
view, including the group names and assigned policies.
Keeping the most recent value may in some cases result in duplicate topology entries if you have
chosen to restore the topology.
Generate installers
The management console provides creation and distribution of an MSI package (Windows Installer file, .msi) for rapid deployment of software on client machines.
This is a trouble-free method for installing on a client, as the administrator only needs to initiate and distribute the MSI installer to clients. Once started, the installation of the MSI package opens port 2868 on the client machine and completes the full installation of Endpoint Protection. The clients then retrieve their policies, as described in previous steps.
The MSI package and Endpoint Protection automatically open port 2868 on Norman’s and Windows’ firewalls only. If you are using another firewall, you must open this port manually.
Distribution of the MSI package can be performed in different ways, for example:
•• using a startup script
•• sending the package via email to the clients
•• copying the package using a USB stick or a similar medium
•• employing a 3rd party tool
•• distributing via Active Directory
1. Enter a valid path, and a name that you want the MSI file name to start with. You do not need to enter a
file extension (e.g. .msi) since the system will add this for you automatically.
Syntax: [drive]:\[path]\[name]
Alternatively, you can Browse to select a folder where you want to save the file, but you will still have to
write a name after the selected path.
The mig2nss7.nts file name is generated entirely by the system; the name you entered is not added to it.
3. The MSI installer files should now be saved to the location you specified.
Example
C:\Distribution\Clients\Installer
This example path and name will generate the following installer files:
•• C:\Distribution\Clients\Installer_x64.msi
•• C:\Distribution\Clients\Installer_x86.msi
•• C:\Distribution\Clients\mig2nss7.nts
The generated files hold information about the location of the relevant management console and the credentials to access it. You can use these files to install the security software on eligible clients, auto-run them on a domain, distribute them through email or on a USB stick, or deliver them in any other suitable way.
Keep in mind that all new clients will be placed in the Lost and Found group, unless they were previously discovered and assigned to a group. The default policy will apply to those. You can create topology filters (see “Topology filters” on page 60) that move clients to certain groups as they are discovered. Those clients will then use the policy for that particular group rather than the default policy.
When adding clients at a later stage, we recommend that you generate new MSI installers if the existing ones are older than one month, and always if there have been any software updates in the meantime. The installer may have been updated with new files since the last time you generated an MSI installer, and a fresh installer avoids unnecessary restarts of the clients.
It is a good idea to test the MSI package on a couple of clients before rolling it out in your network,
in order to identify any problem with the given management console’s DNS name or credentials.
Remote access
The management console can be accessed remotely. By default, remote access is not permitted. Remote access is only permitted from the locations specified below. You can add and/or remove remote locations that are allowed to access the management console.
Remote locations currently permitted to access the management console are listed in the upper part of the
screen, identified by IP address, Netmask and Description (optional).
Just type in the IP address and Description when you set up permissions for remote access in
the management console. A blank netmask is not allowed. Enter 255.255.255.255 as Netmask to
allow remote access for a specific IP address only.
You should be careful admitting remote browsers access to the management console, as there are some
obvious security issues. To enable remote access, you must select Allow remote access. In addition, you
have to specify the IP addresses that should be allowed to log on to the management console. You may
grant access either to a specific IP address or to a whole subnet, depending on the netmask.
Example
Address 172.17.0.0 with netmask 255.255.0.0 will give access to clients from the entire 172.17 segment.
Again—remote access should in general be limited to as few clients as possible.
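As an added illustration of how the address and netmask entries scope remote access (example code written for this page, not Norman’s product code; the RemoteAccessPolicy class and its entry list are a constructed model), the check below applies the manual’s rules: default deny, no blank netmask, 255.255.255.255 for a single address, and 172.17.0.0/255.255.0.0 admitting the whole 172.17 segment.

```python
import ipaddress

# Netmask that restricts an entry to one address, as the manual instructs.
HOST_MASK = "255.255.255.255"


class RemoteAccessPolicy:
    """Constructed model of the Remote access page: an 'Allow remote access'
    switch plus a list of (address, netmask, description) entries."""

    def __init__(self, allow_remote_access=False):
        # Remote access is off by default; entries mean nothing until it is on.
        self.allow_remote_access = allow_remote_access
        self.entries = []  # list of (IPv4Network, description)

    def add_entry(self, address, netmask, description=""):
        """Add a permitted remote location. A blank netmask is rejected."""
        if not netmask or not netmask.strip():
            raise ValueError(
                "netmask must not be blank; use 255.255.255.255 for one address")
        # strict=False lets the console-style 'address + mask' pair through
        # even when host bits are set (e.g. 172.17.0.0 with 255.255.0.0).
        network = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
        self.entries.append((network, description))
        return network

    def is_permitted(self, client_ip):
        """True only if remote access is enabled and some entry covers the IP."""
        if not self.allow_remote_access:
            return False
        ip = ipaddress.IPv4Address(client_ip)
        return any(ip in network for network, _ in self.entries)

    def widest_entry(self):
        """Review helper: the entry admitting the most addresses is the one
        to question first when trimming the list to as few clients as possible."""
        if not self.entries:
            return None
        network, description = max(self.entries, key=lambda e: e[0].num_addresses)
        return str(network), description, network.num_addresses


if __name__ == "__main__":
    policy = RemoteAccessPolicy(allow_remote_access=True)
    policy.add_entry("172.17.0.0", "255.255.0.0", "London segment")
    policy.add_entry("10.0.0.5", HOST_MASK, "admin workstation")
    for ip in ("172.17.200.7", "172.18.0.1", "10.0.0.5", "10.0.0.6"):
        print(ip, "permitted" if policy.is_permitted(ip) else "denied")
    print("widest entry:", policy.widest_entry())
```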
Event management
This option applies to the Toplevel Manager only. The event management system is used to create mes-
sages based on the situation in your managed realm. The system is connected to the status indicators in the
far left column, triggering a notification event when a preset threshold is reached. The system triggers on the
number of alarms, errors and warnings in a network. You can set threshold values for the absolute percent-
age of reported alarms, errors and warnings. Delta threshold values are specified for the change rate of the
same over a reporting period. Reports can also be made periodically or if a management console error oc-
curs. See “Reports” on page 49.
Triggers
You can set threshold values for events, and determine if the event should be communicated as email,
SNMP trap, via the syslog or event log. Configuration for each message type is located under the related tab
(Email settings, SNMP settings and Syslog settings).
When you specify one or more methods to send messages (email, SMS, etc.), do not forget to
configure the selected transmission mechanism(s). Similarly, you don’t need to configure devices
not selected. No messages will be sent if there are any errors in this configuration.
Alarms
If the alarms threshold is set to 3, an alarm is triggered when 3% of the network nodes trigger alarms. The
alarm is passed on in one or more of the selected manners (Email, SNMP, etc.).
An alarm is an event that requires immediate action. It is issued by a product in Norman Endpoint
Protection on a managed client.
Errors
If the errors threshold is set to 5, an error is triggered when 5% of the network nodes trigger errors. The error
is passed on in one or more of the selected manners (Email, SNMP, etc.).
Warnings
If the warnings threshold is set to 10, a warning is triggered when 10% of the network nodes trigger warnings. The warning is passed on in one or more of the selected manners (Email, SNMP, etc.).
Warnings are information about events that are suspicious and that may require administrator
attention.
Alarms delta
For changes in the number of network nodes that have an alarm.
Upon completion of a topology thread walkthrough, the management console compares the results with the
findings from the previous walkthrough and calculates delta values. If the delta threshold (percentage) is
reached, a message is sent via all selected channels (email, SNMP etc.).
The delta threshold value is not related to the threshold value for alarms, which is based on a percentage of the absolute number of managed clients. A delta value, by contrast, is based on the findings of the topology thread walkthrough, which looks for events across the entire network of managed clients and runs perpetually. Delta messages may therefore be sent long before an (absolute) alarm threshold is reached, if configured that way.
For example, if the alarm delta is set to 1% and the alarm threshold to 5%, delta messages are sent when
there is a 1% increase in alarm numbers, while a threshold message is only sent when a total of 5% of the
network has an alarm.
See also “Supervisor process” on page 62. A walkthrough of the network takes about 15 minutes and is
referred to as a management period.
Errors delta
See Alarms delta, for changes in the number of network nodes that have an error.
Warnings delta
See Alarms delta, for changes in the number of network nodes that have a warning.
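To make the difference between the absolute thresholds and the delta thresholds concrete, here is an added worked example (written for this page, not the management console’s own code). It assumes a delta is measured in percentage points of the managed network between two consecutive walkthroughs, and it honours the note that no messages go out when a selected channel is left unconfigured.

```python
from dataclasses import dataclass, field

CATEGORIES = ("alarms", "errors", "warnings")


@dataclass
class EventThresholds:
    # Absolute thresholds: percentage of managed clients reporting the event
    # (the values used in the manual's own examples: 3 / 5 / 10).
    absolute: dict = field(
        default_factory=lambda: {"alarms": 3.0, "errors": 5.0, "warnings": 10.0})
    # Delta thresholds: change between two walkthroughs, in percentage points
    # of the managed network (assumed reading of "change rate").
    delta: dict = field(
        default_factory=lambda: {"alarms": 1.0, "errors": 1.0, "warnings": 1.0})


def percentage(count, total_clients):
    """Share of managed clients reporting an event, in percent (0 for an empty realm)."""
    return 100.0 * count / total_clients if total_clients else 0.0


def channels_ready(selected, configured):
    """Messages are only sent when every selected channel has its settings in place."""
    return all(channel in configured for channel in selected)


def evaluate_walkthrough(previous, current, total_clients, thresholds):
    """Compare two walkthroughs (category -> affected client count) and list
    the triggered events as (category, 'threshold' | 'delta', value)."""
    triggered = []
    for category in CATEGORIES:
        now = percentage(current.get(category, 0), total_clients)
        before = percentage(previous.get(category, 0), total_clients)
        # Absolute threshold: judged on the current share of the network alone.
        if now >= thresholds.absolute[category]:
            triggered.append((category, "threshold", now))
        # Delta threshold: judged on the change since the previous walkthrough,
        # so it can fire long before the absolute threshold is reached.
        change = now - before
        if abs(change) >= thresholds.delta[category]:
            triggered.append((category, "delta", change))
    return triggered


def notifications(previous, current, total_clients, thresholds, selected, configured):
    """One message per triggered event per selected channel; nothing at all if
    any selected channel (email, snmp, syslog, eventlog) is unconfigured."""
    if not channels_ready(selected, configured):
        return []
    messages = []
    for category, kind, value in evaluate_walkthrough(
            previous, current, total_clients, thresholds):
        for channel in selected:
            messages.append((channel, f"{category} {kind}: {value:.1f}%"))
    return messages


if __name__ == "__main__":
    # Constructed realm of 200 managed clients; alarms rise from 2 to 5 to 8.
    thresholds = EventThresholds()
    print(evaluate_walkthrough({"alarms": 2}, {"alarms": 5}, 200, thresholds))
    print(evaluate_walkthrough({"alarms": 5}, {"alarms": 8}, 200, thresholds))
```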
Email settings
Enter the address that recipients of notifications can reply to under Reply-to address. In the
Recipients address(es) field, enter the email address of notification recipients, separated by commas.
There are two text fields, for Subject and Appended text (optional). Finally, you must enter an SMTP server
and an IP Port number, or leave blank for default port 25.
SNMP settings
Enter hostname or address of the system(s) that should receive the messages under Trap recipient(s),
separated by commas. You can also specify a Subject for the message (optional). Under Community, type
in an SNMP community name or leave blank for “public”. This field is case sensitive.
A .mib (Management Information Base) file called Sec_Traps.mib is included in the Endpoint Protection
installation. It’s located in [drive]:\[programroot]\NOC\Bin.
Syslog settings
Enter the name and address of the Syslog servers that you want to send events to. Comma is the only valid separator. In the optional fields Prefix and Port you can enter a short text that is added to all syslog entries from the management console, and a port number if you are not using the default 514. Facility classification can be set to any of the locally defined values (16 through 23 in the Facility drop-down menu), or select Default for user-level messages.
If you have selected an order as in the example above, Local alias will appear as the clients’ name provided
that a local alias is available. If not, the next name on the list (Hostname) will be used, and so on.
Topology filters
This section is for the Toplevel Manager and describes how you can filter clients. Discovered network devices can automatically be filtered into pre-defined topology groups. Filters are handled from top to bottom. Once a computer matches a rule, no further filters are applied to it.
The topology filtering does not affect Endpoint Managers. A filter condition to move a discovered
device to a certain group may match an Endpoint Manager, however, the Endpoint Manager will
not be moved.
Attribute is a pull-down list of attributes identifying a device, like a name or an IP address. The operator
is either EQUALS (=) or NOT EQUAL (!=). The value is a complete or partial string to match the attribute
against. If partial, a wildcard character can be placed in front of or at the end of the string. The filters are ap-
plied top-down. If a client matches more than one rule, only the first rule will be applied. Click the plus sign to
create rules where several conditions have to be met.
Example
IF [IP address] EQUALS [172.17*] THEN move to group [London].
IF [Name] EQUALS [*srv] THEN move to group [London].
When specifying what to test against in a rule, the value IP address reflects any of the IP addresses regis-
tered with a client. Likewise, MAC address means any of the MAC addresses associated with the network
interfaces for a client.
The value Name is the common name of a client as reported by passive discovery (NetBIOS name), or the name that the client itself responds to. The value DNS name, on the other hand, is the machine name associated with the DNS entry of the client in the management console database. If the DNS entry in the client’s network differs from the one resolved by the management console, the management console entry is used.
Details about a client are displayed in this order: Alias (set by the administrator), NetBIOS name, DNS name,
IP address.
The NetBIOS names are reported by the passive discovery component. If a client is only known by its IP
address (as a result of an incorrect manual entry, for example), it will be displayed with its IP address until a
reverse DNS lookup has been done (if enabled). At any time, a topology report containing the NetBIOS name
of the client will be stored and displayed in the clients list. A managed client will also report its NetBIOS name
if available, causing it to be displayed instead of the DNS name.
Group requests based on the environment variable take precedence over the topology filters. Clients that request a group will not be filtered, even if you select Reapply all filters.
Only clients (current or future) that report to a Toplevel Manager can be filtered using this registry
key or environment variable mechanism.
A client can be manually moved elsewhere from the management console, after it has been automatically
moved to a group using this mechanism. If its environment variable is changed to another group, it will be
moved again according to the new value, even if it has been manually moved in the meantime. However, if
the variable is not changed, the client will never be moved back.
If a group does not already exist in the Endpoint Manager topology, it will be created. Automatically created
groups will be assigned the default policy.
Use the full stop (.) delimiter if you want to use subgroups.
Example
Servers.Mail.SNMP resolves the group Servers > Mail > SNMP and moves the client to the SNMP subgroup.
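The following is an added example (written for this page, not the product’s own filter engine) that implements the rule semantics described above: attributes matched against any of a client’s addresses, EQUALS / NOT EQUAL, a wildcard at the front or the end of the value, several conditions combined with the plus sign, top-down first-match evaluation, Endpoint Managers never moved, join_group requests taking precedence, and dotted group paths created on demand with the default policy. Case-insensitive matching and the Client, Condition and Rule classes are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Client:
    name: str                        # NetBIOS name or the name the client responds to
    dns_name: str = ""
    ip_addresses: tuple = ()         # all IPs registered with the client
    mac_addresses: tuple = ()        # all MACs of its network interfaces
    is_endpoint_manager: bool = False
    join_group: str = ""             # value of the join_group registry key / env variable


@dataclass
class Condition:
    attribute: str   # "IP address", "MAC address", "Name" or "DNS name"
    operator: str    # "EQUALS" or "NOT EQUAL"
    value: str       # complete string, or partial with a leading/trailing '*'


@dataclass
class Rule:
    conditions: list  # every condition must hold (the plus sign in the console)
    group: str        # target group; '.' separates subgroups, e.g. "Servers.Mail.SNMP"


def attribute_values(client, attribute):
    """All values a client carries for an attribute (IP/MAC may be several)."""
    return {
        "IP address": list(client.ip_addresses),
        "MAC address": list(client.mac_addresses),
        "Name": [client.name],
        "DNS name": [client.dns_name],
    }[attribute]


def value_matches(actual, pattern):
    """Exact match, or partial match with '*' at the front and/or end (case-insensitive, assumed)."""
    a, p = actual.lower(), pattern.lower()
    if len(p) > 1 and p.startswith("*") and p.endswith("*"):
        return p[1:-1] in a
    if p.startswith("*"):
        return a.endswith(p[1:])
    if p.endswith("*"):
        return a.startswith(p[:-1])
    return a == p


def condition_holds(client, cond):
    hit = any(value_matches(v, cond.value) for v in attribute_values(client, cond.attribute) if v)
    if cond.operator == "EQUALS":
        return hit
    if cond.operator == "NOT EQUAL":
        return not hit
    raise ValueError(f"unknown operator {cond.operator!r}")


def assign_group(client, rules):
    """Group the client should be moved to, or None to leave it where it is."""
    if client.is_endpoint_manager:
        return None                      # filters never move an Endpoint Manager
    if client.join_group:
        return client.join_group         # registry/env request wins over all filters
    for rule in rules:                   # top-down; first matching rule only
        if all(condition_holds(client, c) for c in rule.conditions):
            return rule.group
    return None


def ensure_group_path(groups, group, default_policy="Default policy"):
    """Resolve 'Servers.Mail.SNMP' to Servers > Mail > SNMP inside a nested
    {name: {"policy": ..., "children": {...}}} tree, creating missing groups
    with the default policy. Returns (leaf node, names created)."""
    created, node, level = [], None, groups
    for part in group.split("."):
        if part not in level:
            level[part] = {"policy": default_policy, "children": {}}
            created.append(part)
        node = level[part]
        level = node["children"]
    return node, created


if __name__ == "__main__":
    rules = [
        Rule([Condition("IP address", "EQUALS", "172.17*")], "London"),
        Rule([Condition("Name", "EQUALS", "*srv")], "London"),
    ]
    print(assign_group(Client("pc42", ip_addresses=("172.17.4.2",)), rules))
    print(ensure_group_path({}, "Servers.Mail.SNMP"))
```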
Registry key
1. Create a new String Value key named ’join_group’ in Registry Editor under
\\HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems\
2. Specify the group name that you want the client to be moved to in the Value data: field.
Environment variables
1. From your computer’s System Properties go to Advanced > Environment Variables. Create a new
system variable with the Variable name: join_group.
2. Specify the group name that you want the client to be moved to in the Variable value: field.
On some operating system versions the client must be restarted before a new environment variable be-
comes available to the client.
Supervisor process
These settings are used to fine-tune the management console working threads. Normally, the default settings
are adequate. However, certain local networking properties may require changes to some of the settings to
ensure optimal performance. See also “About status” on page 25.
Discovery attempts
Sets the maximum number of attempts to discover a Stale client before it is marked as Offline. Increasing this value lengthens the stale period of offline clients, since that period is the number of discovery attempts multiplied by the rediscovery interval.
Rediscovery interval
Sets the interval between active rediscovery attempts. Increasing this value lengthens the stale period of offline clients, since that period is the number of discovery attempts multiplied by the rediscovery interval.
Auto-acknowledge - errors
Sometimes the management console receives errors, alarms, and warnings. These messages are visible
until they are removed manually using the edit function on the client. You can use the slider to set a period of
time after which the specific messages are removed automatically. If the problem persists, the error/alarm/
warning messages reappear after an auto-acknowledgement of the message(s).
Auto-acknowledge - alarms
See Auto-acknowledge - errors.
Auto-acknowledge - warnings
See Auto-acknowledge - errors.
Concept
The update mechanism consists of two categories: the program update, and the engine and definition files update. All endpoints in a configuration have the update components installed. This ensures that they are updated even if the Endpoint Manager is unavailable.
Program update
This update applies to the Internet Update component. A program update includes modifications to the
software, e.g. the Real-time scanner, and the user interface. These updates are released periodically and
usually about once a week.
Components
Internet Update
This component checks for and downloads program updates via the Internet. The default frequency for this update is every second hour. Norman Internet Update uses port 80 (HTTP).
BDmirror
This component checks for and downloads engine and definition files update on the Endpoint Managers
only. The check for update for a Top Level Manager is done via the Internet, while the check for a Midlevel
Manager is done via the parent Endpoint Manager. The default frequency for the update is every 20 minutes.
Please note that the Internet Update configuration influences the BDmirror component. This means that if Internet Update is set to update manually, BDmirror will only run when the Internet Update feature is launched manually. BDmirror uses port 80 (HTTP).
Nseupdatesvc
This component checks for and downloads engine and definition files updates on all endpoints, clients and Endpoint Managers alike. The check for updates is done via the immediate Endpoint Manager’s repository for endpoint clients, or via the local repository for Endpoint Managers. The default frequency for the update is every 20 minutes. Nseupdatesvc uses port 2868 (npep).
How it works
The following describes how the Internet update works in a default configuration setup.
Endpoint Clients
In a default configuration, the clients use the internal mechanism to fetch a program update from the parent
Endpoint Manager (uses port 2868), and will use Nseupdatesvc every 20 minutes for engine and definition
files update.
In case there has been no communication with the server for a certain period of time (default 3 days), both
the Internet Update and the Nseupdatesvc components will connect to the Internet to download the program
and engine and definition files update.
Technical description
Endpoint Protection (framework or client software) and Endpoint Manager (the management console)
employ a mechanism to map out devices in a network and report them to the management console. This
mechanism resides as a driver that is visible in the network configuration as Norman Network Security.
The Network Security driver is currently used for mapping the network topology. In the future, the driver may
be involved in other network security tasks, like actively looking for malicious traffic in and out of the ma-
chine.
The management console depends on information about clients in the network to produce a useful picture
of the net. Clients make their presence known through their communications with the management console.
Network devices that do not have Endpoint Protection installed are discovered using the network security
driver.
A management component on the client interrogates the security driver regularly to ask for network devices
that have generated traffic. After polling the driver a topology list is generated and submitted to the manage-
ment console. The management console will then sift through the list and update the online statuses of the
network devices that it keeps track of.
The first topology report will be submitted a few minutes after client boot-up. The client will first tell the driver
to listen to network traffic for a minute. Then it creates a list of devices containing their NetBIOS names,
MAC addresses, and IP addresses. A MAC address will always be found, but the name and IP may or may
not be included. The client will compare the discovered devices with a local cache and create a topology
report that is sent to the management console.
A client will send a second report about five minutes after the first. It will then taper off and wait about 30
minutes before the third report, two hours before the fourth and so on, up to a maximum of four hours. If
the client is restarted, it will start over. The reporting aggressiveness is also decreased as the reports grow
larger. The reason for this is that, statistically, a network containing a high number of clients will have a
higher number of clients reporting the topology.
The information reported is only basic information pulled from the Ethernet headers and the NetBIOS proto-
col header. No protocol content is ever collected.
•• Windows XP 32-bit
•• Windows Server 2003 32-bit
•• Windows Vista 32-bit
•• Windows Server 2008 32-bit
•• Windows 7 32-bit
•• Windows Server 2008 R2 32-bit
Introduction
MailScan for Domino is an Endpoint Protection plug-in that offers virus protection. It is fully compatible with
the IBM Lotus Domino Server. Scanning is performed on the Endpoint Protection server and no software is
needed on the IBM Lotus Domino clients. MailScan for Domino scans incoming email attachments guarding
the main virus entry point in a Lotus Domino environment.
How it works
A folder dom is created in the Norman root folder when MailScan for Domino is installed. The MailScan for Domino path is %systemdrive%\Program Files\Norman\dom.
MailScan for Domino adds the entry NVCd_load.dll to the setting EXTMGR_ADDINS in the notes.ini file to
install itself. When the Domino server starts, MailScan for Domino will analyze incoming emails, and scan
any file attachments for malware. You can disable MailScan for Domino manually. Remove NVCd_load.dll
in notes.ini and restart the Domino server.
The MailScan for Domino plugin is configured in the standard Endpoint Protection configuration panel. It
appears as a separate module in the configuration editor and gives access to MailScan for Domino specific
settings, while messaging, updating etc. is configured in the common settings.
Activity log
MailScan for Domino offers a comprehensive and robust malware incident activity log on the Lotus Domino
server console and optionally in the Domino server log, the Windows Event log, and in the Endpoint
Protection log file:
System Requirements
MailScan for Domino requires that an Endpoint Protection 11.x client is installed on the IBM Lotus Domino
server.
Antivirus products from other vendors may be incompatible with Endpoint Protection. You should
uninstall other antivirus programs before installing Endpoint Protection.
MailScan for Domino must be installed on the Windows server where the IBM Lotus Domino Server is in-
stalled.
You must be logged in to the system with administrator privileges in order to install the program.
A 64-bit operating system requires a 64-bit IBM Lotus Domino version. If one of them is 32-bit and the other 64-bit, emails will pass through without being scanned.
Installation
You can install MailScan for Domino on the local server or from the Endpoint Manager central management
console.
If you terminate the setup program during installation, the files that are already copied to your hard drive
must be removed manually.
Local installation
1. Download and install Endpoint Protection 11.x on your Domino server
When the program is installed an N-icon will appear in the system tray menu.
2. Right-click the N-icon and select Endpoint Protection to open the program.
4. From the Licensed Products list select Not installed for MailScan for Domino.
5. Create a group.
To install the product on servers you must create a group in the Endpoint Manager console.
Add the newly created policy to that group.
6. When these tasks have been completed, you can start dragging servers to this group.
MailScan for Domino will be installed to all servers or computers in this group.
Updating
Obtaining frequent updates is critical to maintaining a secure computing environment. You should configure automatic updating of your MailScan for Domino installation (unless you update from CD only). In addition to the scanner engine components, the Internet update feature provides updates to Endpoint Protection, including program updates.
MailScan for Domino updates itself dynamically. A few minutes after new virus definitions are installed,
MailScan for Domino will start to scan using the updated files.
Note that if nvcd_load.dll is updated you will have to restart the Lotus Domino server software.
Automatic update
Install and update settings are by default set to automatically update every second hour. To edit the update
method go to Install and Update > Settings > Select update method. Select Automatically every and
frequency from the drop-down menu. Click Save.
Getting started
Once installed, the MailScan for Domino server plug-in entry appears on the Endpoint Protection’s left-hand
side menu.
The Total and Today columns display, respectively, the accumulated numbers since the plug-in was installed and today’s numbers.
Configuration
Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.
The following configuration options are identical to the options available from Policies in the
Endpoint Manager console. See “Configure policies” on page 30.
Block/Allow
Click Block/Allow from the main menu to configure attachment blocking and email blocking/allowing for the
scanner.
Block attachments
Specify file names that should be blocked. The wildcard (*) is accepted for blocking specific extensions. The wildcard is only allowed in place of the file name, i.e. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these also represent a potential risk of virus infection.
In this field you can also block specific attachments with names known to contain viruses, such as
AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition
files are available.
Block/Allow email
Specify email addresses that should be blocked (senders) or allowed (senders/receivers). The asterisk (*) is
accepted as wildcard.
Settings
Click Settings from the main menu to configure general and advanced settings for the scanner.
General
Malware handling
Attempt to clean infected attachments
Select this option if you want MailScan for Domino to attempt to clean infected attachments.
Advanced
Email server
Protect users from mass mailers
Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the
virus in itself, as the email is illegitimate with the sender missing. If you select this option, the entire email is
marked as DEAD, rather than only removing the infected attachment.
This feature will only work for mass-mailers that carry a flag from the scanner engine that they are mass-
mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.
The Lotus Domino database MAIL.BOX containing emails marked DEAD may grow substantially
with this option enabled. You may therefore need to delete the content of this database more fre-
quently than if this option is not enabled.
Scan archives
When this option is selected, MailScan for Domino will scan recursively inside archive files for all sup-
ported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip,
IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO,
Installshield, NSIS, SFX, VISE and WISE.
This will take more time and may consume more memory, but it’s the safest option to ensure that your server
is absolutely virus free.
Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking af-
fects new emails only.
Legitimate files may be sent using the same method. If you select this option, all encrypted archive
formats known to the antivirus application will be blocked. Unknown archive formats will also be
blocked.
The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE,
ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk im-
age, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.
Introduction
Exchange Mailbox Scanner is an Endpoint Protection plug-in that offers virus protection. It is fully compatible
with the Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no soft-
ware is needed on the Microsoft Exchange clients. Exchange Mailbox Scanner scans incoming email attach-
ments guarding the main virus entry point in an Exchange environment.
How it works
A folder msx is created at the Norman root folder when Exchange Mailbox Scanner is installed. The
Exchange Mailbox Scanner path is %systemdrive%\Program Files\Norman\msx.
Exchange Mailbox Scanner uses a VSAPI 2.0/2.5/2.6 plug-in, which connects to the Exchange Information Store on the MS Exchange server for access to emails and attachments. It becomes an integrated part of MS Exchange itself and is controlled by MS Exchange.
All incoming and outgoing emails are scanned on access in both private and public information stores. Access is only granted to virus-free items or to items from which a virus has been removed. If scanning of an attachment fails, access to the item is denied until it has been scanned successfully, so that a program error cannot let an unscanned item through.
In addition, an error message is sent through the Program Manager to alert the administrator of such an
event.
Note that if there are dependent services these will not be restarted. If ESM is activated because of a pro-
gram crash in Exchange Mailbox Scanner or Exchange itself, this does not represent a problem. However, if
the administrator has deliberately shut down the Information Store on the server, Exchange Mailbox Scanner
will detect this and call ESM to alert that the requested service was not active. In this case services which
are dependent on the Information Store are also stopped, but are not started by ESM.
System requirements
Exchange Mailbox Scanner requires that an Endpoint Protection 11.x client is installed on the Microsoft
Exchange server.
Antivirus products from other vendors may be incompatible with Endpoint Protection. You should
uninstall other antivirus programs before installing Endpoint Protection.
Exchange Mailbox Scanner should be installed locally on the server(s) running Exchange and must be
installed on each server running Exchange separately. The Endpoint Protection installation, however, should
be kept distributed as this will ensure distributed engine updates and virus definition files. This way the con-
figuration window for Exchange Mailbox Scanner will only appear on the server(s) running Exchange.
To install Exchange Mailbox Scanner you need a license that covers the management of Exchange, i.e. a
license key that allows you to install Endpoint Protection as a basis for the Exchange plug-in.
Installation
You can install Exchange Mailbox Scanner on the local server or from the Endpoint Manager central man-
agement console.
Local installation
1. Download and install Endpoint Protection 11.x on your MS Exchange server
When the program is installed an N-icon will appear in the system tray menu.
2. Right-click the N-icon and select Endpoint Protection to open the program.
4. From the Licensed Products list select Not installed for Exchange Mailbox Scanner.
5. Create a group.
To install the product on servers you must create a group in the Endpoint Manager console.
Add the newly created policy to that group.
6. When these tasks have been completed, you can start dragging servers to this group.
Exchange Mailbox Scanner will be installed to all servers or computers in this group.
Updating
Obtaining frequent updates is critical to maintaining a secure computing environment. You should configure automatic updating of your Exchange Mailbox Scanner installation (unless you update from CD only). In addition to the scanner engine components, the Internet update feature provides updates to Endpoint Protection, including program updates.
Exchange Mailbox Scanner updates itself dynamically. A few minutes after new virus definitions are installed,
Exchange Mailbox Scanner will start to scan using the updated files.
Automatic update
Install and update settings are by default set to automatically update every second hour. To edit the update
method go to Install and Update > Settings > Select update method. Select Automatically every and
frequency from the drop-down menu. Click Save.
The scanner will adapt its version number so that previously scanned emails will be scanned
again with updated files on next access. This is provided that you have selected the option
Scan mailboxes at startup/update (see “Virus scanning” on page 78).
Getting started
Configuration can be done from Endpoint Manager or on the client locally. Once installed, the Exchange
Mailbox Scanner server plug-in entry appears on the Endpoint Protection’s left-hand side menu.
The Total and Today columns display, respectively, the accumulated numbers since the plug-in was installed and today’s numbers.
Configuration
Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.
The following configuration options are identical to the options available from the Policies page on
the Endpoint Manager console. Please refer to “Configure policies” on page 30.
Settings
Virus scanning
This option is useful in the following scenario: 1) mailboxes on the server are already infected, and 2) the
administrator downloads new virus definition files each Friday after working hours. This setting ensures that
all email is scanned during the weekend with updated antivirus tools.
Note that this option may generate unnecessary workload on the server. In most cases the real-time scanner
is sufficient.
This will take more time and may consume more memory, but it’s the safest option to ensure that your server
is absolutely virus free.
Virus handling
These settings decide how infected emails are managed.
Quarantine
In this section you decide how files that Exchange Mailbox Scanner has identified as infected or otherwise
suspicious are handled. If you do not clean or delete such files, we recommend that you isolate them in a
designated area, a quarantine.
As more Norman products are added to your existing installation, they will share the quarantine function and
use the same options as specified here. Thus you can maintain a consistent quarantine strategy. From the
drop-down list, these options are available:
Disabled
No files are quarantined.
Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking
affects new emails as well as old mails already stored when these are accessed or scanned with different
configuration settings.
Incorrect use of the blocking utility may cause loss of data: in addition to deleting all new incoming
attachments, old email attachments may be deleted too as a result of background or real-time
scanning. A visible warning appears when you select this option, and you should be aware of the
possible consequences.
Legitimate files may be sent using the same method. If you select this option, all encrypted archive
files of a format known to the antivirus application will be blocked.
The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE,
ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image,
TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.
Block list
Specify file names that should be blocked. The wildcard (*) is accepted for blocking specified extensions, but it
may only replace the file name part, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly
critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these also
represent a potential risk of virus infection.
In this field you can also block specific attachments with names known to contain viruses, such as
AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated virus definition files
are available.
Introduction
Exchange Transport Scanner is an Endpoint Protection plug-in that offers virus protection. It is fully compatible
with Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no software is
needed on the Microsoft Exchange clients. Exchange Transport Scanner scans incoming email attachments,
guarding the main virus entry point in an Exchange environment.
How it works
A folder mx2 is created at the Norman root folder when Exchange Transport Scanner is installed. The
Exchange Transport Scanner path is %systemdrive%\Program Files\Norman\mx2.
Exchange Transport Scanner uses a Transport Agent on the HubTransport server to access all emails and
attachments sent to and from the Exchange system. When the Exchange server starts, Exchange Transport
Scanner analyzes incoming emails and scans any file attachments for malware. Attachments containing
malware are removed before the email is delivered to its destination.
The Exchange Transport Scanner plug-in is configured in the standard Endpoint Protection configuration
panel. It appears as a separate module in the configuration editor and gives access to Exchange Transport
Scanner specific settings, while messaging, updating etc. are configured in the common settings.
Activity log
Exchange Transport Scanner offers a comprehensive and robust malware incident activity log in the
Windows Event log and in the Endpoint Protection log file:
System Requirements
Exchange Transport Scanner requires that an Endpoint Protection 11.x client is installed on the Microsoft
Exchange server.
Antivirus products from other vendors may be incompatible with Endpoint Protection. You should
uninstall other antivirus programs before installing Endpoint Protection.
Exchange Transport Scanner must be installed on the Windows server where the MS Exchange Server is
installed.
You must be logged in to the system with administrator privileges in order to install the program.
Installation
Exchange Transport Scanner must be installed on the Windows server where the HubTransport role of the
Microsoft Exchange Server is installed.
If you terminate the setup program during installation, the files that are already copied to your hard drive
must be removed manually.
Local installation
1. Download and install Endpoint Protection 11.x on your MS Exchange server
When the program is installed an N-icon will appear in the system tray menu.
2. Right-click the N-icon and select Endpoint Protection to open the program.
4. From the Licensed Products list select Not installed for Exchange Transport Scanner.
5. Create a group.
To install the product on servers you must create a group in the Endpoint Manager console.
Add the newly created policy to that group.
6. When these tasks have been completed, you can start dragging servers to this group.
Exchange Transport Scanner will be installed to all servers or computers in this group.
Updating
Obtaining frequent updates is critical to maintaining a secure computing environment. You should configure
automatic updates for your Exchange Transport Scanner installation (unless you update from CD only). In
addition to the scanner engine components, the Internet update feature provides updates to Endpoint
Protection itself, including program updates.
Exchange Transport Scanner updates itself dynamically. A few minutes after new virus definitions are
installed, Exchange Transport Scanner will start to scan using the updated files.
Automatic update
Install and update settings are by default set to update automatically every second hour. To edit the update
method, go to Install and Update > Settings > Select update method. Select Automatically every and choose
a frequency from the drop-down menu. Click Save.
Getting started
Once installed, the Exchange Transport Scanner server plug-in entry appears on the Endpoint Protection’s
left-hand side menu.
The entry appears with a warning triangle. This notifies you that you need to create a domain user before you
can start using the program.
To start using the program you must create a unique domain user.
Only Administrators or users with Administrator privileges can create a domain user. When creating
a domain user you will be prompted to log in as Administrator unless you already have the privileges
to create a domain user.
The Today column displays today's numbers and the Total column the accumulated numbers since the plug-in
was installed.
Configuration
Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.
The following configuration options are identical to the options available from Policies in the
Endpoint Manager console. See “Configure policies” on page 30.
Block/Allow
Click Block/Allow from the main menu to configure attachment blocking and email blocking/allowing for the
scanner.
Block attachments
Specify file names that should be blocked. The wildcard (*) is accepted for blocking specific extensions, but it
may only replace the file name part, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly
critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these also
represent a potential risk of virus infection.
In this field you can also block specific attachments with names known to contain viruses, such as
AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition
files are available.
Block/Allow email
Specify email addresses that should be blocked (senders) or allowed (senders/receivers). The asterisk (*) is
accepted as wildcard.
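The wildcard rules for Block attachments and Block/Allow email above (and for the Mailbox Scanner's Block list, which follows the same rule) can be modelled as follows. This is an added illustration, not Norman Safeground's code: the sample patterns and addresses are constructed from the manual's own examples, and treating an allow-list match as exempting a message from sender blocking is an assumption the manual does not state.

```python
"""Attachment block list and Block/Allow email matching (added illustration)."""
import fnmatch
import re

# Constructed sample policy built from the manual's own examples; not a real
# Norman configuration file.
BLOCK_LIST = ["*.vbs", "*.pif", "*.lnk", "*.exe", "*.com", "*.bat",
              "AnnaKournikova.jpg.vbs"]
BLOCKED_SENDERS = ["*@spam.example"]        # constructed sender pattern
ALLOWED_ADDRESSES = ["*@partner.example"]   # constructed allow pattern

# The only wildcard form the block list accepts: '*' in place of the file name.
_EXT_PATTERN = re.compile(r"^\*\.[^*?\\/]+$")

def validate_block_pattern(pattern: str) -> str:
    """Accept a literal file name or '*.ext'; reject any other use of '*'."""
    if "*" not in pattern or _EXT_PATTERN.match(pattern):
        return pattern.lower()
    raise ValueError(f"unsupported wildcard in block pattern: {pattern!r}")

def attachment_blocked(filename: str, block_list=BLOCK_LIST) -> bool:
    """True if the name equals a literal entry or ends with a '*.ext' entry's
    extension. Case-insensitive, as Windows file names are; a double extension
    such as AnnaKournikova.jpg.vbs is judged by its final extension."""
    name = filename.lower()
    for entry in block_list:
        pat = validate_block_pattern(entry)
        if pat.startswith("*."):
            if name.endswith(pat[1:]):      # '*.vbs' -> ends with '.vbs'
                return True
        elif name == pat:
            return True
    return False

def address_matches(address: str, patterns) -> bool:
    """Block/Allow email: '*' may stand anywhere in the address."""
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)

def evaluate_message(sender: str, recipients, attachments) -> dict:
    """Combine the checks. Assumption not stated in the manual: an allow-listed
    sender or recipient exempts the message from sender blocking only; blocked
    attachments are still reported."""
    allowed = address_matches(sender, ALLOWED_ADDRESSES) or any(
        address_matches(r, ALLOWED_ADDRESSES) for r in recipients)
    return {
        "sender_blocked": address_matches(sender, BLOCKED_SENDERS) and not allowed,
        "blocked_attachments": [a for a in attachments if attachment_blocked(a)],
    }
```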
Settings
Click Settings from the main menu to configure general and advanced settings for the scanner.
General
Malware handling
Attempt to clean infected attachments
Select this option if you want Exchange Transport Scanner to attempt to clean infected attachments.
Domain User
This information displays the current domain and username.
Advanced
Email server
Protect users from mass mailers
Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is itself
the virus; the email is illegitimate and the sender is missing. If you select this option, the entire email is
deleted rather than only the infected attachment.
This feature only works for mass-mailers that carry a flag from the scanner engine identifying them as
mass-mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.
Scan archives
When this option is selected, Exchange Transport Scanner will scan recursively inside archive files for all
supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS,
gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like
INNO, Installshield, NSIS, SFX, VISE and WISE.
This will take more time and may consume more memory, but it’s the safest option to ensure that your server
is absolutely virus free.
Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking
affects new emails only.
Legitimate files may be sent using the same method. If you select this option, all encrypted archive
formats known to the antivirus application will be blocked. Unknown archive formats will also be
blocked.
The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE,
ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image,
TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.
Offices
Denmark www.norman.com/dk
France www.norman.com/fr
Germany www.norman.com/de
Italy www.norman.com/it
Netherlands www.norman.com/nl
Norway www.norman.com/no
Spain www.norman.com/es
Sweden www.norman.com/sv
Switzerland www.norman.com/ch
United Kingdom www.norman.com/uk
International
Switzerland www.norman.com/ch
Norman Safeground AS is a wholly owned subsidiary of Norway's only IT security company, Norman AS, established in 1984.
Norman Safeground is a global company and has customers in more than 180 countries. Our mission is to offer businesses and
home users premium protection from Internet threats through easy-to-use software, offering you peace of mind while we take care
of your security. We strive to understand and solve our customers' and partners' challenges and are passionate about providing
high-quality personal service.