
Administrator’s Guide

Norman Endpoint Protection


version 11

Features

• Antivirus
• Endpoint Manager
• Reports & Statistics

Including appendices for

• Norman MailScan for Domino
• Norman Exchange Mailbox Scanner
• Norman Exchange Transport Scanner
Administrator’s Guide: Norman Endpoint Manager | Version: 11 | Limited Warranty

Limited Warranty
Norman Safeground guarantees that the enclosed CD/DVD-ROM and documentation do not have production
flaws. If you report a flaw within 30 days of purchase, Norman Safeground will replace the defective
CD/DVD-ROM and/or documentation at no charge. Proof of purchase must be enclosed with any claim.

This warranty is limited to replacement of the product. Norman Safeground is not liable for any other form
of loss or damage arising from use of the software or documentation or from errors or deficiencies therein,
including but not limited to loss of earnings.

With regard to defects or flaws in the CD/DVD-ROM or documentation, or this licensing agreement, this
warranty supersedes any other warranties, expressed or implied, including but not limited to the implied
warranties of merchantability and fitness for a particular purpose.

In particular, and without the limitations imposed by the licensing agreement with regard to any special use or
purpose, Norman Safeground will in no event be liable for loss of profits or other commercial damage
including but not limited to incidental or consequential damages.

This warranty expires 30 days after purchase.

The information in this document as well as the functionality of the software is subject to change without
notice. The software may be used in accordance with the terms of the license agreement. The purchaser
may make one copy of the software for backup purposes. No part of this documentation may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or
information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without
the explicit written permission of Norman Safeground.

Names of products mentioned in this documentation are either trademarks or registered trademarks of their
respective owners. They are mentioned for identification purposes only.

Norman Safeground documentation and software are Copyright © 1990-2014 Norman Safeground AS.

All rights reserved.

Last revised November, 2014.

ii Copyright © 1990-2014 Norman Safeground AS



Contents

Limited Warranty

About
  About this version
  About this manual
  Help and support
  System requirements

Introduction
  Descriptions
  The concept
  Management console
  Definition of terms
  Primary functions

Installation
  Installing
    Step 1: Install Endpoint Protection
    Step 2: Install Endpoint Manager
    I am establishing a new realm
    I am restoring an existing realm
  Uninstalling
  Installing on clients
    Run an installer (msi)
    Distribute clients using an image

Getting started
  Support
  Risk level bar
  Current status

Home

Clients
  Organizing groups and clients
  Predefined groups
  Client/machine information
  About status
  Create or delete a group
  Client states
    Transitions between states
  Action buttons

Policies
  Create a policy
  Configure policies
    Antivirus & Antispyware
    Product Manager
    Intrusion Guard
  Assign a policy to a group

Products
  Licenses
  Languages
  Platforms

Reports
  History
  Reports

Settings
  Realm administrators
  Backup and restore
    Backup
    Restore
  Generate installers
  Remote access
  Event management
    Triggers
    Email settings
    SNMP settings
    Syslog settings
  Display name priority
  Topology filters
    Alternative client filtering
    Supervisor process

Appendix A: The Update Mechanism
  Concept
  Components
  How it works

Appendix B: Passive discovery
  Technical description

Appendix C: MailScan for Domino
  Introduction
    How it works
    Activity log
  System Requirements
  Installation
    Local installation
    Installing from Endpoint Manager
  Updating
  Getting started
  Configuration
    Block/Allow
    Settings

Appendix D: Exchange Mailbox Scanner
  Introduction
    How it works
    Exchange Service Monitor (ESM)
  System requirements
  Installation
    Local installation
    Installing from Endpoint Manager
  Updating
  Getting started
  Configuration
    Settings

Appendix E: Exchange Transport Scanner
  Introduction
    How it works
    Activity log
  System Requirements
  Installation
    Local installation
    Installing from Endpoint Manager
  Updating
  Getting started
  Configuration
    Block/Allow
    Settings
    Advanced



About

About this version


The current release is available in several languages. New languages are added at irregular intervals. Check
Norman’s web site for details, or contact your local dealer for more information about language versions.

About this manual


This manual presents an overview of features and key functions in Endpoint Manager and how they work
with Endpoint Protection. This guide focuses on Endpoint Manager, and covers configuration options for
Endpoint Protection.

Help and support


We recommend that you read this guide thoroughly and use it for reference during installation. In this guide
you will find instructions on how to install, upgrade and use your licensed software.

We provide technical support and consultancy services, including on security issues in general. Technical support
also comprises quality assurance of your antivirus installation, including assistance in tailoring the security
software to match your exact needs.

For training or technical support issues please contact your local dealer or a Norman Office.

Please visit us at www.norman.com/support.

System requirements
Endpoint Protection and Endpoint Manager are designed to work in IP-based networks. Communication
between the management console servers and the clients uses TCP/IP on port 2868, which has been
reserved and registered by Norman. The Information Exchange (NIX) protocol is used. Both binary traffic and
http-based communication use this port.

The platforms that the Endpoint Protection framework is designed to run on do not have to be servers, but
they must be licensed to allow an unlimited number of IP connections on a given port.

The Endpoint Manager makes extensive use of memory caching for its data handling, and in larger
networks, it will perform better with more available RAM.

An overview of supported platforms for installation of Endpoint Protection and Endpoint Managers
(management consoles) is available at

• www.norman.com/business/system_requirements


Introduction
Endpoint Protection constitutes the framework for hosting a range of applications that can be installed and
controlled through a common licensing and update system.

Descriptions
• Endpoint Protection
  - the framework for Endpoint Manager installations.
  - the name of the client security software.
• Endpoint Manager
  - the management console, with Toplevel and Midlevel Managers.

The concept
A management console installation is a node in a network where the clients’ configuration is managed. This
is done by establishing policies which include product configuration. When a client contacts the management
console to fetch a configuration, the settings for the relevant policy are sent back.

Information about the clients is sent to the management console through the messaging system or through a
separate http-wrapped protocol. A database on the management console contains information about all the
IP-based devices in the network. Clients can be assigned policies and hence managed on the management
console.

A node that is designated the management console is a regular corporate node with additional administrative
functionality. The management console maintains lists in the local database of manageable and
unmanageable clients and displays status information and network statistics.

One of the management console’s fundamental properties is that nodes and clients in the database are
assigned to logical groups that can be configured. All clients within a group will also share product
configurations. Clients in the network will contact their assigned management console level and get configuration
according to the policy that has been established for their specific group. Groups are managed in the
management console GUI.

The management console contains additional functionality to distribute, install, manage, and control many
installations within one organization. Only a few clients/machines are updated in such an environment. Most
of the distribution takes place within the organization over the local network. Read more about updating the
software in “Appendix A: The Update Mechanism” on page 64.

Management console
There is a limit to how many endpoints a single management console can handle. Such limitations are
related to machine performance and/or the size of the product updates that need to be distributed to the
endpoints (sometimes more than 100MB). This has in turn affected bigger installations where thousands of
managed clients all had to communicate with one single management console. To cater for larger
installations, the software and virus definition updates were distributed to clients from Windows shares. Endpoints
would however still report status and receive configuration updates from the management consoles, as such
data is not large.


Multiple managers, multilevel realm


This version supports multiple management consoles. In a multilevel realm, there will be a Toplevel Manager
and optional additional Midlevel Managers. These can be arranged in a tree-like structure with an arbitrary
number of levels. Managed clients will communicate with the manager they belong to. This is normally the
one located closest to the client. The realm network traffic will be spread out and divided among a number of
managers, thus providing scalability in larger networks.

The Toplevel Manager is a permanent logical entity in the managed realm. Additional Midlevel Managers
can be changed and moved. A managed client can be promoted to the role of a Midlevel Manager and later
demoted to an ordinary managed client. You can also move it around within the management console
hierarchy. Policy updates, as well as software and definition file updates, are distributed from the toplevel
downwards throughout midlevels and finally onto the clients.

Establishing a realm with Midlevel Managers is optional. In smaller networks, for example, this
feature may not be a practical solution.

Naming the Toplevel Manager


When creating a realm, a DNS name with which the Toplevel Manager is known must be entered. This name
must be globally resolvable within the realm. The managed clients will use this name to update themselves.
In the case of a hierarchical structure of Midlevel management nodes, these will use the name to contact the
Toplevel manager.

Promoting clients
When the realm is created and the initial management console is installed, the management console will
display clients that are discovered throughout the network.


An online managed client can be promoted to become a Midlevel Manager. Once promoted,
management groups of clients can then be assigned to this Midlevel Manager, thereby relieving the Toplevel
management console. The Toplevel console will still display the complete network topology, the Midlevel
Managers, as well as status information from every client in the network.

When promoting a client to a Midlevel Manager, try to select a client that is both powerful and is physically
close to the group of clients that will be assigned to it. It may take 3-5 minutes for a promotion to complete.

Messages
Each manager or managed client keeps data about the manager they report to, and about the Toplevel
Manager of the realm.

If a Midlevel Manager malfunctions, the managed clients will still know the path to the Toplevel Manager. If
a Midlevel Manager fails, messages from its clients will not reach the Toplevel Manager until the Midlevel
Manager is up and running again.

Immediate messages (alarms, errors, and warnings) are passed on directly to the Toplevel Manager from the
Midlevel Manager that the affected client is assigned to. Other Midlevel Managers do not receive this
information.

Less urgent messages with client information like state, operating system and policy information, IP and
MAC address etc. are sent to the client’s manager frequently. Every tenth time a complete update for each
managed client is sent.

Actions
Action buttons (see “Action buttons” on page 27) can be applied to any managed client within the same
network segment, for example by Midlevel Manager’s administrators.

Updating
By default, all Midlevel Managers and their clients receive product and definition files updates and policies
containing configuration data from the Toplevel Manager. In a multilevel realm, client groups may be
assigned to any management console from which they will update - for load balancing or other practical
reasons. See also “Appendix A: The Update Mechanism” on page 64.

More
Read more about features and news at www.norman.com.


Definition of terms
• Endpoint Manager: This is a management console system in the realm where the network and the
  security products can be configured and controlled. It includes configurable, logical group of nodes
  and clients in the database that share product configuration and receive updates from their common
  Manager.
• Multilevel: A management console installation where it is possible to introduce several Managers in a
  tree-like structure.
• Toplevel Manager: The first management console to be installed in a network. During install, the
  realm credentials package is established (realm name, realm owner name, etc.). The Toplevel
  Manager is at the top of the hierarchy. There can only be one Toplevel Manager within a realm.
• Midlevel Manager: Additional midlevel management console that reports to the Toplevel Manager.
• Endpoint Protection: Managed client security software, and the framework for installing a
  management console.
• Realm: The organizational collection of clients that is controlled by a management console, similar to
  a domain.
• NISE (Norman Internet Server Engine): An http server that serves either files, local database
  resources, or GUI content. It shares port 2868, the messaging system port.
• Credentials package: A unique data package identifying a realm. The package contains data that
  allows clients in a realm to communicate with the management console, and vice versa.

Primary functions
The management console in an Endpoint Protection environment ultimately comprises all relevant products.

• Provides a view of network devices and their status
• Generates and displays event and status statistics
• Manages the Toplevel and all Midlevel Managers
• Manages incoming alarms, warnings, and errors
• Manages configurations for current and future products
• Manages policies and assigns them to client groups
• Manages product installation in a network
• Manages the Internet Update configuration
• Generates and exports reports from statistical numbers in the database
• Provides redundancy for the topology and configuration database, including manual export/import
• Manages the administrators of the realm
• Creates installers for additional endpoint clients
• Serves as a distribution point for definition files and software updates

A management console node will receive system messages from clients throughout the network. Data about
network devices is passively collected and qualified by the distributed clients. The topology information is
then reported to the management console. From the management console network map, clients can be
arranged in groups.


Theory of operation
Endpoint Manager is a product that provides management of Endpoint Protection clients. It is comprised of
the following main components:

• A database that holds managed and unmanaged network clients and their data as well as
  product policies.
• Credentials data that defines the logical realm that is being managed.
• A client component that is a part of all managed clients.
• A server component that runs the management processes on the management console.

The management console was designed with scalability in mind. Emphasis has been put on keeping network
traffic low. The management server and the clients are communicating continuously, but in a serialized
manner. This means that the network picture during normal operations is not real-time, but is current enough as
long as everything is normal. However, on-demand administrative actions as well as critical messages from
the clients are real-time.

Networks with a large number of clients


The management console has been tested to support 15000 clients for policy management and status
reporting, but this will vary with the kind of platform it is hosted on. Testing was performed with no distribution of
software updates, which are very bandwidth- and CPU-intensive.

In previous versions, one management console would manage all the clients within the realm. In a large
network, the management network traffic to the management console could represent a considerable load. The
(optional) hierarchical management structure introduced in this version alleviates this load.

An alternate update path may be a useful feature in installations where the console manages several
hundred machines and setting up multilevel managers is not affordable. The alternate path points to a separate
file share where the updates are placed. One sign of a server overload is that you often see ‘Nise too busy!’
messages in the elogger. Another symptom is that the management consoles become sluggish or even
unresponsive. Contact local support for help if necessary. See also “Alternate update path” on page 39.

The realm
The term realm denotes the logical collection of networks and network devices that make up the
infrastructure where the software is installed. A network administrator will name the realm and define who will manage
it. The management console will show a map of the devices that are included in the realm. These devices
may or may not be managed. An administrator can include devices into the realm, or they can be
auto-discovered.

The realm consists of a set of unique data that is duplicated between the management consoles and the
managed clients. The data provides a way to encode the data communications between the management
consoles and the clients. It also serves as a method to identify which clients are managed and which are not.

Configuration is changed centrally for the realm, and the clients retrieve the updated settings. Management
of the clients is accomplished through changing the clients’ configuration and by issuing tasks through the
same mechanism. Additionally, some direct commands allow an administrator to ask a client for information
or issue instructions to the client’s Program Manager. These commands can be used to tell a client to refresh
an installation or update itself on demand. See “Action buttons” on page 27 for details.

The management console has a built-in backup mechanism to save the realm data. This is important in case
the management console is damaged. It will then be possible to install a new management station and
continue the management of all the existing clients without having to reinstall them.


Events in the realm


Messages
Managed clients use the messaging system to communicate events on the clients. Events sent as messages
are Alarms, Errors, and Warnings. When messages reach the management console, they are sorted and
stored with the database entry of the associated client.

Messages from Midlevel to Toplevel Manager


All clients, also those within a midlevel hierarchy, send messages about events (alarms, errors, warnings)
directly to the Toplevel Manager. Clients on sublevels to a Midlevel Manager report to this as well. This
Midlevel Manager in turn sends the messages to the Toplevel Manager, but skips possible Midlevels located
in between.

As a result, the Toplevel Manager counts and displays messages from all clients, while a Midlevel Manager
counts and displays messages only from the clients it’s directly responsible for. These include messages
from Midlevel Managers placed under it in the hierarchy, but not their clients.

Example
Headquarter (Toplevel)
- Europe (Midlevel)
- Support (Midlevel)
- Sales (Midlevel)

‘Europe’ (Midlevel) cannot see that there are virus outbreaks on ‘Sales’ (Midlevel). This information will only
be visible to ‘Headquarter’ (Toplevel), and on the local Midlevel management console ‘Sales’.
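
The visibility rule above, modelled as an added Python example that is not part of Norman's guide or product code. It assumes that Support and Sales sit beneath Europe in the example realm (the listing does not show the nesting); the client names and the helper functions are invented for illustration.

```python
# Constructed realm modelled on the guide's example. That Support and Sales sit
# beneath Europe is an assumption; the client names are invented.
REPORTS_TO = {
    "Headquarter": None,         # Toplevel Manager
    "Europe": "Headquarter",     # Midlevel Manager
    "Support": "Europe",         # Midlevel Manager
    "Sales": "Europe",           # Midlevel Manager
    "hq-pc-01": "Headquarter",   # managed clients
    "eu-pc-07": "Europe",
    "support-pc-02": "Support",
    "sales-pc-03": "Sales",
}

# Constructed sample events: (node the event was raised on, message kind)
EVENTS = [
    ("sales-pc-03", "alarm"),
    ("sales-pc-03", "alarm"),
    ("eu-pc-07", "warning"),
    ("Sales", "error"),
]


def toplevel(reports_to=REPORTS_TO):
    """Return the single node that reports to nobody."""
    roots = [node for node, parent in reports_to.items() if parent is None]
    if len(roots) != 1:
        raise ValueError("a realm has exactly one Toplevel Manager")
    return roots[0]


def consoles_showing(source, reports_to=REPORTS_TO):
    """Consoles that count an alarm, error or warning raised on `source`."""
    manager = reports_to[source]
    if manager is None:                      # raised on the Toplevel itself
        return {source}
    # The direct manager and the Toplevel; Midlevels in between are skipped.
    return {manager, toplevel(reports_to)}


def subtree(manager, reports_to=REPORTS_TO):
    """Every node below `manager`, at any depth."""
    below, frontier = set(), [manager]
    while frontier:
        parent = frontier.pop()
        children = [n for n, p in reports_to.items() if p == parent]
        below.update(children)
        frontier.extend(children)
    return below


def blind_spots(manager, reports_to=REPORTS_TO):
    """Nodes under `manager` whose immediate messages its console never shows."""
    return sorted(node for node in subtree(manager, reports_to)
                  if manager not in consoles_showing(node, reports_to))


def console_counts(events, reports_to=REPORTS_TO):
    """Tally, per console, how many of the given events it displays."""
    counts = {}
    for source, _kind in events:
        for console in consoles_showing(source, reports_to):
            counts[console] = counts.get(console, 0) + 1
    return counts


if __name__ == "__main__":
    print("Europe does not see:", blind_spots("Europe"))
    print("Displayed per console:", console_counts(EVENTS))
```

An administrator who monitors only a Midlevel console should treat its alarm count as a lower bound for the branch beneath it; the Toplevel console is the only one with the complete picture.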

Platform and status messages


A special administration protocol conveys data about the general status of managed clients, the platform it
originates from, and license information.

Topology messages
Managed clients in a realm will frequently collect data about network traffic and compile lists of detected
devices. This is used to let the management console add network devices to its topology map using a passive
method rather than active scanning.

Common to all of this network traffic is that it keeps the data about the online status of the network devices
up to date in the management console database.

Realm communications
Once the management console has been installed and a realm established, the client security software may
be distributed throughout the network. Nodes in the realm should contact a management console (or a
distribution point) to get software and configuration updates. Software updates are distributed as signed packages
fetched by an internal protocol.

The same communication channel is used for configuration and management distribution. A node in the
network can replicate settings from remote store resources.

Client status
Each time an event from a particular device reaches the management console, managed or not, a timestamp
is updated in the management console’s database to reflect when the device was last seen. Network devices
can be Online, Stale, and Offline. The status is based on the device’s visibility within a set period of time.
These time thresholds can be adjusted on the management console, but the default values have proven to
generate a good network status map.


If a client has not been seen within this period, the status is set to Stale. Once it is Stale, a separate process
within the management console will attempt to actively contact the client to update its status. Note that as
long as a client is Online, no active communication is carried out from the management console to the client
unless the administrator manually initiates it.

While Stale, the management console will contact the client a certain number of times with a set delay
between each attempt. See “Supervisor process” on page 62. If no connection is obtained within this time
period and no data about the client is reported by the passive discovery mechanism, the client is marked as
Offline. As soon as any information about the client is received, it is immediately marked as Online.
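
The Online, Stale and Offline transitions described above, as an added Python example that is not part of Norman's guide or product code. The stale threshold, probe count and probe delay are assumed values (the guide says the thresholds are adjustable but gives no numbers here), and `simulate` with its device name is a hypothetical helper.

```python
from dataclasses import dataclass

# Assumed values for illustration; the guide does not state the defaults.
STALE_AFTER = 600     # seconds without any sighting before Online -> Stale
PROBE_ATTEMPTS = 3    # active contact attempts made while Stale
PROBE_DELAY = 120     # seconds between two attempts

ONLINE, STALE, OFFLINE = "Online", "Stale", "Offline"


@dataclass
class Device:
    name: str
    last_seen: float
    status: str = ONLINE
    probes_sent: int = 0
    next_probe_at: float = 0.0


def sighting(dev, now):
    """Any information about the device marks it Online immediately."""
    dev.last_seen = now
    dev.status = ONLINE
    dev.probes_sent = 0


def supervise(dev, now, probe):
    """One supervisor pass; `probe(dev)` returns True if the client answered."""
    if dev.status == ONLINE:
        if now - dev.last_seen < STALE_AFTER:
            return dev.status              # Online clients are never probed
        dev.status = STALE
        dev.probes_sent = 0
        dev.next_probe_at = now
    if dev.status == STALE and now >= dev.next_probe_at:
        if dev.probes_sent >= PROBE_ATTEMPTS:
            dev.status = OFFLINE           # every attempt failed, nothing seen
        else:
            dev.probes_sent += 1
            if probe(dev):
                sighting(dev, now)
            else:
                dev.next_probe_at = now + PROBE_DELAY
    return dev.status


def simulate(sightings, until, step=60, reachable=False):
    """Replay constructed sightings; return (status transitions, probe times)."""
    dev = Device("ws-042", last_seen=0.0)  # constructed device name
    transitions, probes = [(0, ONLINE)], []
    pending = sorted(sightings)
    for now in range(step, until + 1, step):
        before = dev.status
        while pending and pending[0] <= now:
            sighting(dev, pending.pop(0))  # message or passive discovery data

        def probe(_dev, t=now):
            probes.append(t)
            return reachable

        supervise(dev, now, probe)
        if dev.status != before:
            transitions.append((now, dev.status))
    return transitions, probes


if __name__ == "__main__":
    # A client that goes silent at t=0 and reappears at t=1500.
    print(simulate(sightings=[1500], until=1800))
```

With the assumed values, a silent and unreachable client is shown as Offline only 960 seconds after it was last seen, which is the delay to keep in mind when reading the status map during an incident.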

See also the appendix “Appendix B: Passive discovery” on page 66.

Policies
A policy is a collection of product configurations stored on the management console. Managed clients will
frequently contact the management console to get a copy of the product settings. The client does not know
which policy it is getting. Rather, the management console looks up the policy for the requesting client, and
hands back the settings contained in the relevant policy. The administrator can decide whether clients that
belong to a policy are allowed to change their settings locally. If so, the administrator can revoke this right
and enforce settings from the policy at a later time.

The management console displays a logical network map containing groups of clients. A group can be
assigned a policy or keep the original default policy (see “Assign a policy to a group” on page 46). If there
are groups within groups with different policies, and a group is deleted, any clients within the group and
possible subgroups are moved to the Lost and found group.

Administrative realm
Once a management console has been installed and a realm established, client security software may be
distributed throughout the network. The installer contains information that causes the client software to
contact the management console in the realm. Nodes in the realm should contact a Toplevel or Midlevel
Manager (or other distribution point) to acquire software and configuration updates. Software updates are
distributed as packages and are fetched by an internal protocol and not from file shares as before. See also
“Appendix A: The Update Mechanism” on page 64.


Installation
During installation you must complete a regular InstallShield Wizard to install the Endpoint Protection
framework, and then the Endpoint Manager Install Wizard to install a management console and establish a realm.

When a management console is initially established, the only administrator in the realm is the realm owner.
The original realm fundamentals established by the realm owner should be unaffected by alternating
administrator regimes, thus you must create one or more administrators first thing after the realm is established.
The administrators you create will perform all future management sessions. The realm owner is not
displayed on the realm administrators list.

Create one or more realm administrators after the realm has been established. Future
management sessions will be done as one of the realm administrators, and never as the realm owner.
The realm owner credentials should only be used when a management console is being restored
from a backup.

After the management console has been installed and administrators are added to the realm, the realm
owner may create and/or import initial client groups, and set up topology filters for discovered network clients.
One particularly important task is to create a client installation package (MSI) to be used for the initial roll-out
of managed clients. This package is unique to the realm and will ensure that the clients establish
communications with the management console and may be managed by policies.

Database auto-restore
Certain situations may result in a corrupt database, like a system power loss or reset. To ensure stability the
auto-restore system will load a previous store, namely the latest working and complete store. This backup
feature is independent of the management console backup system, and it runs on an hourly basis as well as
backing up immediately after setting up the realm.

If you experience situations that may result in a corrupt database, and Endpoint Protection was
installed less than an hour ago, and the realm is not created yet, then the restore point is not
complete. You will have to uninstall Endpoint Protection completely before you install it again.

Installing
Make sure you have the Endpoint Protection license key at hand before you start.

Step 1: Install Endpoint Protection


1. Run the Endpoint Protection installer and follow the instructions on the screen. The installer contains all
supported languages.

We recommend that you select Custom rather than Complete installation, and select only the
language versions that you actually need, to save bandwidth and resources.

2. When the installation is complete, you may be prompted to restart your computer.


Step 2: Install Endpoint Manager


1. From the system tray, right-click the Norman icon and select Norman Endpoint Manager.

2. The Endpoint Manager Install Wizard is launched.

Running the wizard is a necessary and mandatory part of the installation.

3. Read the information on the welcome page, select I have read and understand... and then click
Continue >.

4. Select the option that applies to your network, either I am establishing a new realm or
I am restoring an existing realm:

I am establishing a new realm


All fields are case sensitive.

1. Realm name
Enter a Realm name of length 2-64 characters.
Valid characters are: A-Z, a-z, 0-9 and _ (underscore).

2. Realm owner username / password


Enter an owner username and password of length 5-32 characters.
Valid characters are: A-Z, a-z, 0-9.

The password cannot be reset. Create a password so strong that it is impossible to guess. A
password of at least 16 random characters is recommended. Write it down and keep it in a safe place.
The only way to change the password is to uninstall and reinstall the Endpoint Manager, but then
all management console information and client connectivity are lost too. Restoring a realm from
backup also restores the current owner and password.

3. DNS name
Enter a DNS name of length 2-255 characters.

The machine you’re installing to must have a globally resolvable DNS name to ensure that all
clients and midlevels in the realm use the same values. The address you enter cannot be changed
later. The fields are not editable.

If you are updating from a previous realm where the Endpoint Manager server was set up as an IP
address, there may be some situations where your clients cannot reach the Toplevel Manager.

4. Overview
A dialog appears, displaying the values you just specified. If you are satisfied, print this page for future
reference and click Continue to proceed with the installation, or click Back to change the values.
Select platforms and languages.

5. Complete
A final dialog appears with a handful of important tips. Click Finish to complete the installation.


6. Log on
In the next dialog, log on to the management console with the values you just confirmed, i.e. username and
password.

If you experience problems logging on to the newly created realm, you must restart your machine.
Alternatively, you can access the management console with another browser than IE, for example
Mozilla Firefox, using the address: http://localhost:2868/noc/index.phtml.

The management console is launched. We strongly recommend that you create a realm administrator
before you do anything else. Go to Settings > Realm administrators.
Then select Products and check Licenses, Languages and Platforms.
Then go to Licenses > Update selected products to download the latest versions of all selected
components. It is important that you select the correct platform of the Endpoint Manager machine in this dialog.
You can also select other platforms that Endpoint Protection will be supporting.
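Because the realm name, owner credentials and DNS name cannot be changed after the wizard has run, it helps to check the values before typing them in. The following is an added example, not part of the Norman documentation or product: it generates an owner password from the characters the wizard accepts and checks all four fields against the rules stated above. The function names are hypothetical, and rejecting an IP address in the DNS name field and rejecting a password equal to the username are added checks, not wizard rules.

```python
import ipaddress
import math
import re
import secrets
import string

# Field rules as stated in the guide (all fields are case sensitive).
REALM_NAME = re.compile(r"[A-Za-z0-9_]{2,64}")
OWNER_FIELD = re.compile(r"[A-Za-z0-9]{5,32}")    # same rule for username and password
ALPHABET = string.ascii_letters + string.digits    # 62 characters the wizard accepts
RECOMMENDED_MIN = 16                                # "at least 16 random characters"


def generate_owner_password(length=32):
    """Return a random password using only characters the wizard accepts."""
    if not RECOMMENDED_MIN <= length <= 32:
        raise ValueError("length must be between 16 (recommended) and 32 (maximum)")
    # secrets draws from the operating system's CSPRNG, unlike the random module.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length):
    """Entropy of a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def check_realm_inputs(realm, owner, password, dns_name):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    if not REALM_NAME.fullmatch(realm):
        problems.append("realm name: 2-64 characters from A-Z, a-z, 0-9 and _")
    if not OWNER_FIELD.fullmatch(owner):
        problems.append("owner username: 5-32 characters from A-Z, a-z, 0-9")
    if not OWNER_FIELD.fullmatch(password):
        problems.append("owner password: 5-32 characters from A-Z, a-z, 0-9")
    elif len(password) < RECOMMENDED_MIN:
        problems.append("owner password: shorter than the recommended 16 characters")
    if password == owner:
        # Added check, not a wizard rule.
        problems.append("owner password: identical to the username")
    if not 2 <= len(dns_name) <= 255:
        problems.append("DNS name: 2-255 characters")
    else:
        try:
            ipaddress.ip_address(dns_name)
        except ValueError:
            pass  # not an IP literal, which is what we want
        else:
            # Added check: the guide asks for a resolvable DNS name and notes
            # that realms set up with an IP address can leave clients unable
            # to reach the Toplevel Manager.
            problems.append("DNS name: this is an IP address, not a DNS name")
    return problems


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    pw = generate_owner_password()
    print(f"{len(pw)} characters, about {entropy_bits(len(pw)):.0f} bits of entropy")
    print(check_realm_inputs("HQ_Realm", "realmowner", pw, "nem01.corp.example"))
```

Since the password cannot be reset, store the generated value before completing the wizard.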

I am restoring an existing realm


Make sure that all products in the Endpoint Manager are updated before you restore from a
backup. If the client security software is newer than the software on the management console it may
result in a software crash.
1. Enter the name of the backup file you want to restore or click Browse to find it on your computer. Click
Restore > and follow the instructions.

Uninstalling
To uninstall Endpoint Manager, use the standard procedures offered by your operating system, for example
Start > Control Panel > Add or Remove Programs. A restart is required after uninstalling the Endpoint
Manager.


Installing on clients
The following describes how you install Endpoint Protection in a network.

Run an installer (msi)


1. Generate a Windows installer file (.msi), see “Generate installers” on page 54.

2. Run the installer file (msi) on a client.


When installed on a client, the management console will retrieve, install and set up other products as
defined by the group’s policy.

3. Select and drag a client to a group to assign a specific policy to the client. Hold down the Ctrl or SHIFT
key to select multiple clients.

4. Click OK to confirm.
Please refer to “Client states” on page 26 and “Transitions between states” on page 26 for an
explanation of available icons for groups and clients.

Distribute clients using an image


1. Generate a Windows installer file (.msi), see “Generate installers” on page 54.

2. Run the installer file (msi) on the client that will be used to create the image and wait until the client is
done updating itself and is running normally.

3. On the management console

a) Copy the tool noc_enable.exe from ...\norman\noc\bin

4. On the client

a) Save noc_enable.exe to a temporary location.

b) From the command prompt enter njeeves2 /unload to stop the njeeves2 process.

After that you will see a “’Jeeves’ not running” error in the system tray icon, but it will not interfere with the
process and will be automatically solved after creating the image later (when restarted).

5. From the command prompt on the client enter noc_enable.exe /unid

This will remove the unique client identifier from the system that will be used to create the image. The
unique identifier will be automatically recreated on the clients after the image has been distributed to the
clients in the network.

6. Create the distribution image.


Getting started
The web-based administrative GUI consists of a fixed status and realm overview on the left-hand side,
and variable main pages on the right, like Home, Clients, Policies, Products, Reports and Settings. Clicking
any tab on the topmost horizontal menu bar brings you directly to the relevant page.

Support
Clicking the support link at the right-hand top corner of the program window will open our web pages for
help and support. The web pages provide information about support issues and support forum, manuals,
installers, system requirements, our offices and distributors, and more.

Risk level bar


Information from the network about the realm is collected and the risk level is displayed on the bar. The
green area indicates a low risk level. The risk is calculated from a weighted analysis of errors, warnings and
alarms within the realm, where the number of clients is part of the evaluation. The risk level bar dynamically
reflects the activity of all local processes.

The size of the network combined with the selected trigger threshold values (see
“Realm administrators” on page 51) significantly affects the indicator.

Example
Imagine a network of 10 clients and a trigger threshold set to 5%. In this example one client amounts to
10% of the network clients with that status (5% more than the trigger value). This means that if one client
receives a warning, alarm, or error it will raise the risk level.

The intention is to give a general idea about the network health, rather than an exact indication.


Current status
The current status displays the absolute numbers that the risk level bar is based on. Click the plus sign under
the risk level bar to expand or collapse the status view.

Click a status link for details about the clients (see also “Alarms” on page 18), or enter a name or address in
the search field to look for specific clients, and then click a column heading to sort the entries in the dialog for
that particular event. The numbers are the same as those the risk level bar and the status area are based on.

Guest nodes are clients that have Endpoint Protection installed, but do not belong to this realm. Guest
services are not available in this version of the management console.

Click the realm name to refresh the current status information, which is available from all the tabbed dialogs.

Alarms
An alarm is an event that requires immediate action, and is posted by a security product.

If an incident occurs in a realm, the involved application will generate event messages that are routed to the
management console. The message details are displayed on the Status page.

Type: Specifies which type of device it is (workstation, server, printer, etc.)
Client name: See “Clients” on page 22.
Alarm type: The error type message appears as descriptive text, like ‘Cannot remove detected virus’.
Alarm description: Event details as defined by the reporting application.
Detected: The date and time the error was detected (yyyy.mm.dd and 24 hour format).
Policy: Name of the client’s policy. See “Policies” on page 29.


Errors
Errors are system anomalies that may or may not require attention. They are typically generated when a
client application suffers from a malfunction.

Error messages that the management console receives in the realm are defined by the application reporting
the alarm.

Type: Specifies which type of device it is (workstation, server, printer, etc.)
Client name: See “Clients” on page 22.
Error type: The error type message appears as descriptive text, like ‘Could not install’.
Error description: Event details as defined by the reporting application, also as descriptive text like ‘Access denied’.
Detected: The date and time the error was reported (yyyy.mm.dd and 24 hour format).
Policy: Name of the client’s policy. See “Policies” on page 29.

Warnings
A warning is typically sent when there is an event that is handled normally but that implies that there is
unusual activity detected by the client applications. As opposed to alarms and errors, warnings do not require
immediate attention.

This display informs about warning type, the name of the client issuing the warning, and the date and time
when the client was last seen, i.e. the last time the management console detected network activity from this
client.

An example of a warning type is ‘Virus detected’.

Not updated
The Not updated message is issued by a client when the client’s program manager detects that the client
software has not received relevant updates. The client will also appear as Not updated when its current
policy has been changed, or when it has been assigned a new one.

Status information under this tab includes type of client, its name, when it was last seen, and when it was last
updated (yyyy.mm.dd and time in 24 hour format).

The information for Not updated clients includes the name, when it was last seen, the operating system,
when the policy was refreshed, and the group name.

Offline
The clients marked as Offline have not been heard from or contacted within a certain period of time. The
clients may or may not be managed clients.

A Managed client employs policy settings. An Unmanaged client has no policy or no client software, or it is
another type of device than a workstation, like a printer, a hub, etc.


Online
Whenever an event from a particular device, managed or not, reaches the management console a
timestamp is updated in the management console’s database to reflect when the device was last seen and to
determine status based on that information.

As soon as information about a client is received, it is marked as Online. The status is based on the device’s
visibility within a set period of time. Time thresholds can be adjusted.

As long as a client is online, no active communication is done from the management console to
the client unless the administrator manually initiates it.

Stale
When the management console is unable to establish contact with a client after repeated attempts, and it
has not been seen for a longer period of time, the status is changed to Stale. A separate process will actively
try to rediscover a stale client before it appears in the Offline folder, which happens after 1 or 2 hours (default
for managed/unmanaged clients, respectively).

Managed
A client that has been assigned a policy is a managed client. It receives all configuration settings from the
policy it fetches from the management console. Information about all the IP-based devices in the network is
stored in a database on the management console.

See also “Client states” on page 26.


Home
An RSS feed at the top of the Home page informs you about upcoming updates, restarts, and other
important information.

To monitor these bulletins, add the URL to an RSS client on your computer, cell phone and so
forth. You can also click the View message log link and follow the instructions to subscribe to this service.

We use the following URL:


http://newton.norman.com/rss_npro?v=11

The Home page also features a graphical representation of the realm’s clients. You can click the Norman
logo at the top of the page to reload Home from any page.


Clients
This page presents details about the entire realm with the management consoles, groups, and clients. All
machines are members of a group. Each group reports to a management console (Toplevel or Midlevel).

You can filter clients by Machine type, Online state and Operating System. Click the realm name link or
the Managed link from the status area at the left-hand top corner to view the filtering bar.

All newly discovered machines will automatically be assigned to the predefined Lost and found group,
unless otherwise filtered. Machines can be moved between groups manually or automatically.

Click a group name and the machine/client members will appear in the right-hand part of the page.
Double-click a group or a client to configure it, or highlight the client/machine you wish to edit and select the
relevant action from the action buttons bar (see “Action buttons” on page 27).

You can create, edit, filter, drag and drop, and view groups and clients in a Windows Explorer-like
environment. On managed clients, a mouse over will display basic information like scanner engine version, definition
file dates, operating system, and logged-in user.

The links Policy: and Reports to: display the client’s current policy and the manager it reports to. Click the
links to select other policies and managers (on Toplevel or Midlevel).


Organizing groups and clients


Click Endpoint Managers to view the structure of the realm presented on the right-hand side of the screen.
Click a Toplevel or Midlevel Manager (the levels below Endpoint Managers) to view groups and clients for
that level.

Click a group name link to view the member clients.

The names of the group’s policy and the manager it reports to appear just above the action buttons (see
“Action buttons” on page 27). Click the Policy or Reports to: link to select another policy or manager from
the drop-down list.

If you move a group to another level, for example to a Midlevel Manager, it may take several
minutes before it is visible in its new location and starts reporting to and receiving updates from the
new manager.

Predefined groups
The Lost and found and the Unmanaged group are mandatory groups in the Clients view. When a realm is
created a folder for each group is created and placed in the lower left-hand part of the screen.

Lost and found


Any discovered network device is placed in the Lost and found group unless a predefined filter rule places it
elsewhere. The clients in this default group are given the default policy. Typically, the administrator will look in
the Lost and found group to find new clients and then drag them to other groups where they are assigned a
relevant policy and represent a logical view of the managed network.

Unmanaged
The group Unmanaged is a container for network devices that cannot be managed by the console, like
printers. When the administrator drags devices into the Unmanaged group, they will no longer be contacted
or counted to maintain their status and statistics. It is, however, necessary to maintain a list of deleted
devices, since they will still show up in the network topology reports from the clients and will be added to the
Lost and found at each rediscovery. It is therefore not possible to delete devices completely from the
topology database.


Client/machine information
Click a group name link to view the group’s clients/machines. Double-click a client to configure it directly.
Select the relevant action from the client information dialog that appears. Alternatively, from the Clients page
click to highlight the client and select the relevant icon from the action buttons bar. The action buttons
become selectable only when you highlight one or more clients/machines.

Details
This tab provides information about scanner version, definition file updates, etc.

Installed Products
This tab lists the installed products and components, and their status.

Log
This tab lists information messages and reported errors, warnings, and alarms for the client, including the
names of the components that reported the incidents.


About status
Every time an event from a particular device reaches the management console, managed or not, a
timestamp is updated in the management console database to reflect when the device was last seen. Network
devices can have three online states: Online, Stale, and Offline. When a device has been seen within a set
period (default 1 hour for managed and 2 hours for unmanaged clients), its status remains Online. These
time thresholds can be adjusted on the management console, but the defaults have proved to generate a
good network status map.

If a client has not been seen within this period, the status is changed to Stale. Once it is Stale, a separate
process within the management console will attempt to actively contact the client to update its status. Note
that as long as a client is Online, no active communication is done from the management console to the
client unless the administrator manually initiates it.

While Stale, the management console will contact the client a set number of times with a set delay between
each attempt. The default is 5 attempts once an hour, but this is adjustable. These settings can be
configured from Settings > Supervisor process (see “Supervisor process” on page 62).

If no connection is obtained within this time period and no data about the client is reported by the passive
discovery mechanism, the client is marked as Offline. As soon as any information about the client is
received, it will immediately be marked as Online.
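The Online, Stale and Offline rules above can be replayed over a record of sightings and failed contact attempts to see when a client changed state and which managed clients are currently silent. The following is an added example, not code from the product: the event names "seen" and "probe_failed", the host names and the sample data are constructed, the thresholds are the defaults quoted above, and treating the fifth failed attempt as the move to Offline is an assumption drawn from the text.

```python
from datetime import datetime, timedelta

# Defaults quoted in the guide; both are adjustable on the management console.
STALE_DELAY = {True: timedelta(hours=1),    # managed clients
               False: timedelta(hours=2)}   # unmanaged clients
MAX_ATTEMPTS = 5                            # contact attempts made while Stale


def replay(last_seen, managed, events, now):
    """Replay (timestamp, kind) events and return (state_at_now, transitions).

    kind is "seen" (any information about the client arrived) or
    "probe_failed" (an active contact attempt got no answer).
    """
    delay = STALE_DELAY[managed]
    state, failed, transitions = "Online", 0, []

    def move(ts, new_state):
        nonlocal state
        if new_state != state:
            transitions.append((ts, new_state))
            state = new_state

    timeline = sorted(e for e in events if e[0] <= now) + [(now, "end")]
    for ts, kind in timeline:
        # Passive rule: not seen within the delay means Stale.
        if state == "Online" and ts - last_seen > delay:
            move(last_seen + delay, "Stale")
        if kind == "seen":
            # Any information about the client marks it Online immediately.
            last_seen, failed = ts, 0
            move(ts, "Online")
        elif kind == "probe_failed" and state == "Stale":
            failed += 1
            if failed >= MAX_ATTEMPTS:
                move(ts, "Offline")
    return state, transitions


def coverage_gaps(fleet, now):
    """Names of managed clients that are not Online at `now`."""
    return sorted(name for name, (seen, managed, events) in fleet.items()
                  if managed and replay(seen, managed, events, now)[0] != "Online")


# Constructed sample data: all clients were last seen at 08:00.
T0 = datetime(2014, 3, 3, 8, 0)
NOW = T0 + timedelta(hours=8, minutes=30)
FLEET = {
    # Silent for hours, five failed probes, then heard from again at 15:00.
    "ws-014": (T0, True,
               [(T0 + timedelta(hours=1, minutes=30) + timedelta(hours=k), "probe_failed")
                for k in range(5)] + [(T0 + timedelta(hours=7), "seen")]),
    # Reports every 30 minutes.
    "srv-02": (T0, True,
               [(T0 + timedelta(minutes=30 * k), "seen") for k in range(1, 17)]),
    # Unmanaged device with no further sightings and no recorded probes.
    "printer-3": (T0, False, []),
}

if __name__ == "__main__":
    for name, (seen, managed, events) in FLEET.items():
        state, transitions = replay(seen, managed, events, NOW)
        print(name, state, [(t.strftime("%H:%M"), s) for t, s in transitions])
    print("managed clients not Online:", coverage_gaps(FLEET, NOW))
```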

Create or delete a group

Create
Click Create new group. Enter a group name, select an Endpoint Manager, a policy, and optionally type in a
note for this group. Click OK to confirm and save the new group.

To add a new subgroup, point to a group name and click the create new group icon (folder with a plus sign).

‘NEM’, ‘Lost and Found’, and ‘Deleted’, or any translated versions of the two latter names, are
restricted and cannot be used as top level group names. They can, however, be used as subgroup
names.

Delete
To delete a group, point to a group name and click the delete group icon (folder with a trash can). You are
prompted to confirm the delete. If you delete a group, any members or sub-groups are automatically moved
to the Lost and found group.

For a new client to be discovered and maintained in the client view, an IP or MAC address or a
DNS name must be given.


Client states
A client can take on several states in the client view, like online, stale, or offline, and it can be managed or
unmanaged. An icon indicates what type of network device the client is, and is set to either a question mark
(unknown) or a screen (workstation) upon installation. An administrator can edit the type in the client details
window and in this way change the icon. The device type icon is a management aid for administrators and
does not indicate any of the following status situations.

Online
A client is online with a green computer icon when it has been seen or heard from within the time period
defined as stale delay, which is 1 or 2 hours per default depending on if the client is managed or not. Any
device in the network is regarded as a client regardless of whether it has Endpoint Protection installed.

Stale
A client is stale with a gray computer icon when it has not been heard from within the time period mentioned
above. When a client is marked stale, it means that the management console will try to establish contact with
the client a set number of times with a set time interval. This differs from a normal situation where clients are
reported as online when they submit status information or are seen by other clients.

Offline
A client is offline with a gray computer and red mark-out icon when it has not been reported by anyone and
the attempts to contact it have failed. The client will remain offline until it reports itself to the management
console, or it has been seen by another client that reports the network topology.

Managed
A client is managed when it has Endpoint Protection installed and is a member of the realm that the Endpoint
Manager has established. The client becomes managed as soon as Endpoint Protection is installed and the
client reports its platform and status information to the management console. A client with an online icon and
a green ball next to it is online, managed and without errors or warnings. It can be managed or unmanaged
regardless of its online status.

Unmanaged
Any device that is not managed, is unmanaged. An administrator can choose to keep the unmanaged
devices visible in the network topology map, or drag those devices into the pre-defined Unmanaged group to
keep them out of sight.

Transitions between states


Clients will change states automatically between Online, Stale, and Offline. Managed clients will
automatically show up with a green ball, indicating that they are managed. If a client is uninstalled, the green ball
will go away after a period of time. It is normally not necessary for the administrator to take any action to
maintain the network status picture. If, however, the administrator decides to force any kind of action in the
network, a set of action buttons are available in the client windows or in the group overviews.


Action buttons
Select a client from Clients, or open the details window for a specific client, to view the Action buttons.
Depending on the client status, one or more of the buttons may be disabled.

Edit client
Click Edit client or double-click a client, to open the client details window. You can change the type
(icon) of the client, edit its alias name, move it to another group, and/or enter notes about the client.

Update client
Click Update client to tell a managed client to check for updates and to replicate its policy
immediately. Normally, the client will check for updates every hour and check for policy changes every 10
minutes. See also “Appendix A: The Update Mechanism” on page 64.

Promote or Demote client


This button toggles between Promote client and Demote client. Completing the operation to promote or
demote a client may take 3-5 minutes.

Click Promote client to promote an online, managed client into a Midlevel Manager. See also
“Promoting clients” on page 7.

Click Demote client to reverse a promotion and demote a management console into a managed
client. Other management consoles reporting to it must be removed first.

Request status
Click Request status to force a managed client to submit its status information. This is normally
done when the client checks for policy changes.

Rediscover client
Click Rediscover client to initiate manual rediscovery of any device, regardless of status or if it is
managed or not. When a client is stale, the management console will actively attempt to discover the
client.

Repair client
Click Repair client to tell the client’s program manager to re-install all products if a managed client
experiences consistent problems. The entire client software will then be re-installed.

The action to repair a client is quite drastic and should only be used as a last resort.

Restart client
Click Restart client to force a restart of a managed client, for example after it has been updated.


Remote command
Click Remote command to help a client user with a specific issue, or to perform actions that are not
covered by the action buttons.

You can only execute software that is located below the Norman root. An administrator can issue a console
command directly to any Norman program component on a managed client.

Before issuing a remote command, keep in mind what the state of the remote client might be (no user logged
on, several users logged on, etc.).

The remote process will run with system privileges in the context of the njeeves2.exe process. However, if
the process requires a graphical user interface, it may not show up on the remote client unless the
administrator is logged on and has the desktop open (for example on a Vista client).

Delete client
Click Delete client to remove a client and move it to the Unmanaged group. Alternatively, you can
drag it there. The client will no longer be updated or discovered by the management console.


Policies
A policy is a set of product configurations that governs the client behavior in a group, and it holds information
about which products to install at the member clients. Clients always use the policy assigned to their group.

A default policy should always be present in the local database, and it will provide default configuration
values for all licensed products. The predefined Default policy is automatically assigned to all groups. You
can choose another default policy, like the Midlevel Manager policy or the Toplevel Manager policy. The
administrator can edit the default policies, but not delete them.

The Default policy is mandatory. This is the policy that is assigned to all new groups by default. It
is good practice to leave it unchanged or to only make small changes to it.

You are not allowed to delete a policy containing clients. Before you delete a policy you must remove the
clients or assign them to another policy. If there are clients assigned to the policy, an error message will appear
when you try to delete it.

The users’ access to edit the various configuration values locally at their workstation is governed by the
administrator through the policy. These access rights are granted on a per product basis, and can be either
write access or read-only.

Click a Policy name to view or change settings for that policy.

When you click a digit in the Subscribing groups column, a dialog with the subscribing groups for this policy
appears. Click any of the listed groups to view more details about group members, etc.

Access type states whether users can install/uninstall products under this policy, or if it is read-only.

The default update frequency for policies from the store is every 10 minutes.


Create a policy
1. From Policies click New policy.

2. Enter a mandatory Policy name and an optional note for this policy.

3. Click Create to save the new policy name and to enter the configuration for this policy.

Configure policies
When you have created a policy, it appears on the Policies list and the configuration dialog for the new
policy is opened.

Allow users to (un)install products


We do not recommend that you allow users to uninstall products. Select this option only if you have good
reasons to do so. Leaving this check box empty will give the policy access type read-only.


Install/uninstall
Select one or more products and/or components to install for this policy’s subscribers. Available products
are licensed products. By default, all products are selected. Products which are mandatory or not eligible for
install/uninstall are grayed out.

Configure
Click the configure icon to modify the configuration for this particular product within this policy. All managed
clients assigned to this policy will apply the configuration changes that you make. Clients that belong to other
policies will not be affected.

Allow user to configure product


Allowing users to configure products includes all sub-products or components that belong to the product.
Such changes are implemented locally on the individual client and will not affect the policy itself or other
subscribers. If you leave this check box empty the policy configuration will overwrite the local user’s settings.


Antivirus & Antispyware


Click a policy name that you want to configure the antivirus product for, and then click the Antivirus &
Antispyware configure icon.

Real-time Scanner
The Real-time Scanner works in the background and offers automatic protection of your system.

This is an essential antivirus component and should be enabled at all times.

Enable Real-time Scanner


The Real-time scanner is by default enabled. Selecting/deselecting this option starts and stops the
real-time scanner. Real-time scanning is an ongoing process that monitors critical activities on your system. This
involves file access and copy/move to other drives or directories. Whenever a file is accessed in a read/write
operation or a program is executed, the real-time scanner is notified and scans the file on the fly. If you
disable the real-time scanner, a warning appears in the system tray.

Scan for potentially unwanted programs


A potentially unwanted program is software that generally is not malicious, but still can be considered
unwanted by the user. The potentially unwanted properties can include certain features that resemble malicious
and/or privacy-invasive software such as spyware, adware, and content hijacking programs.

Cleaning options
An infected file is sent to quarantine, and from this option you can select how to handle the quarantined files.
Access to an infected file is denied if repair fails.

A file is deleted altogether if it contains nothing but malware.

Quarantine and clean infected files


Select this option to move an infected file to quarantine and clean it automatically. A copy of the infected file
will be sent to quarantine, while a cleaned version is kept in its original location.


Move infected files to quarantine


Select this option to move an infected file to quarantine without attempting to clean it. The infected file will be
removed from its original location.

Block access to infected files


Select this option to copy an infected file to quarantine and block access to the original version of the file.

Exclude paths or extensions from scanning


Paths and extensions on the exclude list are not scanned. Since excluding is a decision at the expense of
security, we recommend that you regularly schedule and run scans of items on the exclude list.

For security reasons the exclude list for the real-time scanner is limited to 50 entries. In addition to the risk
the exclude list represents, it also increases the use of system resources. The more entries in the list, the
more resources will be used by the real-time scanner.

Use the exclude list


Select this option to exclude items you enter on the exclude list.

Network drives
Excluding files on network drives from scanning is selected by default. Deselect this option if you want to
scan shares that you have access to on remote computers.

The Real-time Scanner’s behavior will depend on the user rights of the logged on user when scanning files
residing on network drives. When the Real-time Scanner sees a file that is opened from a network drive, it
will scan the file as usual. However, it will not be able to repair or remove an infected file, unless the logged
on user has write access to the directory/file in question. Still, access to the infected file will be denied.

Real-time scanning in networks is intended for a situation where servers do not run antivirus software, simply
to avoid that the same files are scanned twice—once on the server and then again when they are opened
on the client. The consequences of such double scanning could be that network logons and backup become
slower. However, the system administrator must make the final decision where security on one hand, and
network operation on the other are two major factors to consider.

When the Real-time Scanner detects viruses or other malware on network drives, it will display the locations
as UNC paths (e.g. \\Server\Share\InfectedFile) and not as mapped network drives (e.g. X:\Infected file).

Exclude List
Specify paths or extensions that you do not want the antivirus application to scan. The exclude list supports
different types of patterns.

Path: This pattern will match any files in or below the path. Example: C:\Program Files\Joker\

Extension: This pattern will match any file with the specified file extension. Note that the asterisk (*)
must be used as wildcard. Example: *.db

Enter a path, a file extension, drive letter or an environment variable and click Add to list.


Recommendations
• Make sure that your antivirus installation is up-to-date. This is the best protection against virus attacks:
stopping viruses before they enter the system.
• Install antivirus software on email servers and gateways.
• Restrict user rights on shares as much as possible, for example by setting the read-only attribute where
applicable on files that are not frequently changed.
• Back up your files regularly.

Exclude lists should be handled with great care, as they represent a potential security risk. We
recommend that you scan the exclude list manually on a regular basis and include these paths or
file extensions in scheduled scans.
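
To review what an exclude list actually hides from the Real-time Scanner, the following added example (not part of the product or of this guide) matches a file inventory against the entry types described above. It assumes that path patterns match per folder component and case-insensitively; all sample entries, files and the TEMP value are constructed.

```python
"""Audit a real-time scanner exclude list against a file inventory (added example)."""
import re
from pathlib import PureWindowsPath

MAX_REALTIME_EXCLUDES = 50          # limit the guide states for the real-time scanner
ENV_REF = re.compile(r"%([^%]+)%")  # %NAME% environment variable reference
DRIVE_ONLY = re.compile(r"^[A-Za-z]:$")

# Constructed sample data: exclude entries, a file inventory, and one variable.
SAMPLE_EXCLUDES = r"""
C:\Program Files\Joker\
*.db
%TEMP%
E:
C:\Legacy\
""".strip().splitlines()

SAMPLE_INVENTORY = r"""
C:\Program Files\Joker\bin\joker.exe
C:\Program Files\JokerX\setup.exe
c:\program files\joker\data\cache.DB
D:\data\orders.db
C:\Users\alice\AppData\Local\Temp\update_1.exe
E:\archive\old.zip
C:\Windows\notepad.exe
""".strip().splitlines()

SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}


def expand(entry, env):
    """Expand %NAME% from env (names are case-insensitive); unknown names stay as typed."""
    lookup = {name.upper(): value for name, value in env.items()}
    return ENV_REF.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), entry)


def is_excluded(file_path, entry, env):
    """True if a single exclude entry hides file_path from scanning."""
    entry = expand(entry.strip(), env)
    target = PureWindowsPath(file_path)
    if entry.startswith("*."):                  # extension pattern, e.g. *.db
        return target.name.lower().endswith(entry[1:].lower())
    if DRIVE_ONLY.match(entry):                 # bare drive letter, e.g. E:
        entry += "\\"
    root = PureWindowsPath(entry)               # path pattern: the folder and everything below it
    # Assumption: matching is per component and case-insensitive, so
    # C:\Program Files\Joker\ does not also cover C:\Program Files\JokerX\.
    return target == root or root in target.parents


def audit(exclude_list, inventory, env):
    """Summarise the blind spot an exclude list creates for a given inventory."""
    entries = [e.strip() for e in exclude_list if e.strip()]
    hidden = {e: [f for f in inventory if is_excluded(f, e, env)] for e in entries}
    return {
        "over_limit": len(entries) > MAX_REALTIME_EXCLUDES,
        "hidden": hidden,                                        # per entry
        "unscanned": sorted({f for fs in hidden.values() for f in fs}, key=str.lower),
        "dead_entries": [e for e, fs in hidden.items() if not fs],  # match nothing: removal candidates
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXCLUDES, SAMPLE_INVENTORY, SAMPLE_ENV)
    print("Over the 50-entry limit:", report["over_limit"])
    print("Files never seen by the real-time scanner (add to a scheduled scan):")
    for path in report["unscanned"]:
        print("  ", path)
    print("Entries that match nothing:", report["dead_entries"])
```

The files listed as unscanned are the ones to cover with a scheduled manual scan; entries that match nothing can usually be removed from the list.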

Manual scanner
You can use the manual scanner to perform periodic scans of selected areas of your computer. Use the Task
Editor to schedule a scan (see “Task editor” on page 35).

Scan archives
Antivirus is configured to always scan archives. If an infected file is detected within an archive, Antivirus will
try to repair first. If repair is not possible, the infected file is deleted from the archive, and the original file is
quarantined. The following formats are currently supported: 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio,
SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers
like INNO, Installshield, NSIS, SFX, VISE and WISE.


Scan for potentially unwanted programs


See the Real-time Scanner and “Scan for potentially unwanted programs” on page 32.

Cleaning options
If you enabled the option to automatically remove detected viruses, an infected file will automatically be sent
to quarantine. From the cleaning options you can select how to handle the files that the antivirus application
detects as infected.

During cleaning, a file is deleted altogether if it contains nothing but malware.

Quarantine and clean infected files


Select this option to move an infected file to quarantine and clean it automatically. A copy of the infected file
will be sent to quarantine, while a cleaned version is kept in its original location.

Move infected files to quarantine


Select this option to move an infected file to quarantine without attempting to clean it. The infected file will be
removed from its original location.

Do nothing
Select this option to do nothing about files that the antivirus application detects as infected. This also means
that the files will not be sent to quarantine.

Logging
Create log file
Creates a log file whenever you run a manual scan. If you deselect this option, no log file is generated for
manual scans.

Detailed logging
Extensive logging that generates a very detailed report, specifying each file that was scanned, scanning time
per file, status, etc.

Exclude paths or extensions from scanning


Refer to the Real-time Scanner and “Exclude paths or extensions from scanning” on page 33.

Task editor
Create task files and view or modify scheduled events. Administrators can create task files and distribute
them to all workstations in the network to ensure consistent checking of areas that require special attention.
Allow about 10 minutes for a task file to be replicated to all clients.

Create a task
Click New from the Task Editor dialog and enter a task name. Make your selections and click Create to
confirm and save your task.

Tasks are displayed as a list in the Task Editor dialog. Click a task name to edit, or click the trash can at the
end of the task line to delete that task.


Enable
By default, the task is set to enabled. Remove the check mark to disable it.

Scan entire computer


Select this option if you simply want to scan the entire computer.

Custom scan
Select this option if you want to customize the area to scan.

The options Select files and folders, Scan boot sectors, Scan archives and Scan memory are
only available when Custom scan is selected.

Select files and folders


Enter a path and/or a filename and click Add to list. The wildcard asterisk (*) is supported.

Examples
• C:\
• D:\*.pdf
• E:\foldername

Scan boot sectors


When you select this option, Antivirus will check the boot sector of the area(s) that are being scanned.


Scan archives
Select this option to include archived files in the scan. The following formats are currently supported: 7zip,
ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk
image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

Scan memory
When you scan the memory area, the antivirus application looks for resident viruses. You should always
make sure that no viruses exist in memory.

Start
Select date and time to run the scan. The suggested date and time are the current ones (according to your
system information).

Schedule
Select a schedule for when to run the scan: daily, weekly or monthly.


Product Manager
Click a policy name that you want to configure the product manager for, and then click the Product Manager
configure icon.

Product language

Select language from the drop-down list. The list is subject to change as new language versions may be
added. A change from English (default) to another language will take effect after the next update. You can
also run a manual update for the changes to take effect immediately.

Select update method

See also “Appendix A: The Update Mechanism” on page 64.


LAN product update frequency


This option defines how often a client should check for updates from LAN, i.e. the management console
installation. The management console downloads all files for all products, platforms and languages selected
on the Products page in the management console GUI. See “Products” on page 47. The default update
frequency is 1 hour.

The LAN product update frequency setting should always be set to Never for the
Toplevel Manager policy as the management console should always update from the Internet.
Selecting another setting may result in your installation never being updated.

A LAN update uses the HTTP protocol and port 2868 to connect to the management console machine.

Internet Update
This option defines when and how often a client should connect to Internet servers in order to check for
necessary updates. Time before using Internet update defines how long a client can operate without
management console contact, and consequently without being updated, before it is permitted to check for
updates on the Internet. Update intervals defines how often a client should then check for updates via the
Internet. See also “Appendix A: The Update Mechanism” on page 64.

Alternate update path


This is an important feature in installations where the console manages several hundred machines and
setting up multilevel managers is not affordable (contact local support for help if necessary). It uses the CIFS
protocol (Windows sharing) to allow clients to connect to shares where they can retrieve updated files. It is
important to set up a synchronization between the \distrib\download\ folder on the management console
machine and the alternative share folder in order to copy all new files downloaded by the management console
to the alternative share folder.

One solution is to create a script that copies all files from \distrib\download on the management console
server to \\servername\<share_folder>\distrib\download.

If this software is installed at the alternate distribution point, any \distrib\download folder is automatically
updated.

distrib\download is a mandatory part of the path and cannot be changed.

Set up a scheduled task that runs the script once every hour.

The script must be run with the necessary user privileges to access the share, so that it can run
even if no users are logged on. It may be wise to check the option to kill the process if it has run
for more than two hours.

The script needs to handle the following situations:

• Verify that Internet Update is not currently running.
• Copy all files from \distrib\download on the management console server to
\\servername\<share_folder>\distrib\download.
• If a sharing violation occurs during file copy, wait a short while and try again.

Refer to our support pages for a complete procedure and a script you can download, edit and run. See also
“Networks with a large number of clients” on page 10.
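
The three situations listed above, handled in one scheduled-task script. This is an added example, not the script from the vendor's support pages; the Internet Update image name and the source path are placeholders to fill in for your installation, and copying through a temporary ".part" name is a design choice of this example.

```python
# Added example: hourly mirror of distrib\download to an alternate update share.
import os
import shutil
import subprocess
import sys
import time

# Placeholders (not given in the guide): set these for your installation.
UPDATER_IMAGE = "INTERNET_UPDATE_IMAGE.exe"   # image name of the Internet Update process
SOURCE = r"C:\<install_dir>\distrib\download"
DEST = r"\\servername\<share_folder>\distrib\download"


def updater_running(image_name=UPDATER_IMAGE):
    """True if Windows' tasklist reports a running process with this image name."""
    listing = subprocess.run(
        ["tasklist", "/FI", f"IMAGENAME eq {image_name}", "/FO", "CSV", "/NH"],
        capture_output=True, text=True, check=True,
    ).stdout
    return image_name.lower() in listing.lower()


def unchanged(src, dst):
    """Skip files whose size and modification time already match on the share."""
    if not os.path.exists(dst):
        return False
    a, b = os.stat(src), os.stat(dst)
    return a.st_size == b.st_size and abs(a.st_mtime - b.st_mtime) < 2


def copy_with_retry(src, dst, retries=5, wait=2.0, copy=shutil.copy2, sleep=time.sleep):
    """Copy via a temporary name so clients never fetch a half-written file.

    Windows reports a sharing violation (WinError 32) as PermissionError;
    wait and retry, and give up after `retries` attempts.
    """
    tmp = dst + ".part"
    for attempt in range(1, retries + 1):
        try:
            copy(src, tmp)
            os.replace(tmp, dst)
            return attempt
        except PermissionError:
            if attempt == retries:
                if os.path.exists(tmp):
                    os.remove(tmp)
                raise
            sleep(wait)


def sync(source, dest, is_running=updater_running, **retry_opts):
    """Mirror source into dest unless Internet Update is running."""
    if is_running():
        # The download folder may be mid-update; leave it for the next hourly run.
        return {"status": "skipped", "copied": [], "failed": []}
    copied, failed = [], []
    for folder, _dirs, files in os.walk(source):
        rel = os.path.relpath(folder, source)
        target_dir = os.path.normpath(os.path.join(dest, rel))
        os.makedirs(target_dir, exist_ok=True)
        for name in files:
            src, dst = os.path.join(folder, name), os.path.join(target_dir, name)
            if unchanged(src, dst):
                continue
            label = os.path.normpath(os.path.join(rel, name))
            try:
                copy_with_retry(src, dst, **retry_opts)
                copied.append(label)
            except OSError:
                failed.append(label)
    return {"status": "incomplete" if failed else "done", "copied": copied, "failed": failed}


if __name__ == "__main__":
    result = sync(SOURCE, DEST)
    print(result["status"], len(result["copied"]), "copied,", len(result["failed"]), "failed")
    sys.exit(1 if result["status"] == "incomplete" else 0)   # non-zero exit shows up in the task history
```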


Proxy settings
Proxy servers may require user authentication. If you use the proxy server options in this dialog, you must
enter the same information for proxy server log on and authentication as configured on the proxy.

Use proxy server


Enter the Proxy address and Proxy port for the firewall’s HTTP proxy. If you have specified information for
HTTP proxy in your browser, you should enter exactly the same values here.

Authentication
Log on to proxy server
This option is only relevant if your proxy server requires authentication.

User name
Enter a valid user name.

Password
Enter the password.

Domain
Enter the domain name. If the field is left blank, the machine name is used. This field is not intended for
proxy servers using basic authentication. The two prevalent authentication schemes are: basic, and
Windows NT challenge/response aka NTLM.


Popup settings
Configure popups
From the drop-down menu you can decide if the clients should or should not display popup messages, for
example, from a malware detection.

Your choice affects all clients that are assigned the selected policy. If the policy allows local user
configuration (see “Policies” on page 29), it is possible to edit the individual client to make exceptions from the
established policy settings.

Display common popups


Select this option to allow display of notification popups.

Suppress all errors and warnings


Select this option to prevent notification popups from the system or software, including popups concerning
computer restart.

Even though the popups are blocked, the management console continues to receive information
from the clients.


Intrusion Guard
Click a policy name that you want to configure the Intrusion Guard product for, and then click the Intrusion
Guard configure icon.

This product is a host-based intrusion prevention system (HIPS) that can stop malicious applications from
taking over control of your machine. The application offers a powerful reporting tool and protects processes,
drivers, browsers and the hosts file. It is a platform for proactive threat protection intended for experienced
users. High-risk events that are rarely used by legitimate applications are blocked by default.

Drivers & Memory


Drivers are computer programs that operate on a low level; the kernel level. Drivers are typically written to
access and control hardware, such as your display monitor, keyboard, printer and network card. In order to
access hardware connected to your computer, the drivers need full system access. For this reason the same
techniques are used when writing malicious applications. You can modify the driver installation configuration
to control which applications should be allowed to install drivers on your computer.

There are two malicious techniques to achieve the same privileges as drivers get. Both of these techniques
circumvent the security mechanisms of the operating system. It is highly recommended to keep the settings
for both as Deny.

Prompt
You will be asked each time an attempt is made.

Allow
Attempts will only be logged.

Deny
No application, legitimate or malicious, will be able to install kernel level drivers.


Processes
When an application, legitimate or malicious, is installed on your computer, it will most often want to start
automatically each time your computer is started. A program that wants to start automatically can instruct
the operating system to auto-start itself with the same privileges as the current user, or it can install a
background service that will run with elevated privileges. The intrusion prevention application can stop attempts of
this nature.

Prompt
You will be asked each time an attempt is made.

Allow
You will never be prompted.

Deny
No application, legitimate or malicious, will be able to install itself to automatically start when the computer is
started.

A program can also inject code into other processes running on your machine, and it can hijack processes
by other means. This is common behavior for malicious applications, but some legitimate programs also use
such techniques, for example to extend the user’s desktop, or to offer other advanced features to the
operating system or third party applications. You can configure the application to deny or prompt each time an
attempt like this is made.


Network
By adding filters to network modules in your operating system, malicious applications can steal personal
data, such as social security numbers, credit card details, and passwords. Adware can modify network data
sent through those filters. It can change results in search engines and show unwanted advertisements on your
desktop and embedded in web pages you visit.

Plugin Prevention (Internet Explorer only)


A BHO (Browser Helper Object) is an extension to Microsoft’s Internet Explorer. This and other Internet
Explorer plug-ins, like toolbars, have full control over network traffic to and from Internet Explorer, and they
can interact with the user interface.

Prompt
You will be asked each time an event occurs.

Allow
You will never be prompted.

Deny
Stops all attempts to modify your system or install a BHO.

LSP Prevention
An LSP (Layered Service Provider) is a generic filter in the network stack in Windows. It has full control over
all network traffic on your computer.

Prompt
You will be asked each time an event occurs.

Allow
You will never be prompted.

Deny
Stops all attempts to modify your system or install an LSP.


Hosts file protection


When you access a website through its name (web address), the name is translated into an IP address. Then the
data is sent to and from the remote server. Your computer will first look for the name in your hosts file. This means
that hosts file entries override any IP address that the name resolves to. Malicious applications may change
your hosts file and thus redirect the network traffic to a malicious website (so-called pharming).

Prompt
You will be asked each time an event occurs.

Allow
You will never be prompted.

Deny
Stops all attempts to modify your system or hosts file.
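
To check a client for the hosts file changes described above, the current file can be compared against a known-good baseline. The following is an added example, not part of Intrusion Guard; both sample files are constructed and use documentation-only names and addresses.

```python
"""Compare a hosts file against a known-good baseline (added example)."""
import ipaddress

# On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
# Constructed sample data: a baseline and a later state of the same file.
SAMPLE_BASELINE = """\
# constructed baseline
127.0.0.1      localhost
::1            localhost
192.0.2.10     intranet.example   # internal wiki
"""

SAMPLE_CURRENT = """\
127.0.0.1      localhost
::1            localhost
198.51.100.7   intranet.example
203.0.113.66   www.bank.example bank.example   # two names on one line
not-an-ip      host.example
"""


def parse_hosts(text):
    """Return ({hostname: set of addresses}, [line numbers that could not be parsed])."""
    table, malformed = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not fields:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(number)
            continue
        if len(fields) < 2:                          # an address with no name is not a mapping
            malformed.append(number)
            continue
        for name in fields[1:]:                      # one line may map several names
            table.setdefault(name.lower().rstrip("."), set()).add(address)
    return table, malformed


def is_off_host(address):
    """True for addresses other than loopback or the unspecified address."""
    return not (address.is_loopback or address.is_unspecified)


def diff_hosts(baseline_text, current_text):
    """List every name whose mapping differs from the baseline."""
    old, _ = parse_hosts(baseline_text)
    new, malformed = parse_hosts(current_text)
    findings = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, set()), new.get(name, set())
        if before == after:
            continue
        kind = "added" if not before else "removed" if not after else "changed"
        findings.append({
            "name": name,
            "kind": kind,
            "before": sorted(str(a) for a in before),
            "after": sorted(str(a) for a in after),
            # New addresses that send traffic to another machine match the
            # redirection the guide describes; these deserve review first.
            "redirects_off_host": any(is_off_host(a) for a in after - before),
        })
    return findings, malformed


if __name__ == "__main__":
    findings, malformed = diff_hosts(SAMPLE_BASELINE, SAMPLE_CURRENT)
    for f in findings:
        flag = "REVIEW" if f["redirects_off_host"] else "info"
        print(f'{flag:6} {f["kind"]:8} {f["name"]}: {f["before"]} -> {f["after"]}')
    print("Unparseable lines:", malformed)
```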


Assign a policy to a group


1. From the realm overview on the left-hand side click the group you wish to assign the policy to.

2. From the Clients page click the Policy: field and select policy from the drop-down menu.

3. Click the Save icon next to the policy name to confirm your changes.


Products
All licensed products that the management console administers in the realm are listed on this page. These
are the products available on the machine where the management console is installed—the distribution
point. When a product within a policy or on a client is configured for scheduled updates, it fetches the update
from this distribution point. The clients are updated in accordance with their policy.

See “Configure policies” on page 30 on how to configure a product.

Licenses
In use
An approximate number of managed clients with this product installed.

Seats
The number of seats that your license covers for this product. If In use is larger than Seats, this is an
indication that you should check if your license covers your actual needs.

Expires
The date when the license for the product expires. The date format is YYYYMMDD.

Scheduled update
Select this option if you want to schedule updates for a product. For each product, you may select/deselect
the Scheduled update option. When the scheduler initiates an update, only products with this option
selected will be updated. Products not selected will not receive updates.

Update selected products


To update manually, select one or more products and click Update selected products.


Languages
A number of different product languages are available, and new language versions are added at irregular
intervals. The default language is English and cannot be deselected. You can choose to download one or more
language versions if they are covered by your license. These languages will be available to the clients in the
managed network.

The download packages may be large, so in order to reduce bandwidth use, you should be
selective when you pick language versions.

Platforms
A wide range of platforms are supported, including most Windows and NetWare versions. Please refer to
“System requirements” on page 5 for details.

Select the platforms which are represented in your network and click Save. The selections are valid for both
manual and automatic update via Internet Update.


Reports

History
Select History for a report that includes incidents covering the entire period since the realm was created.
There are several ways of filtering the report.

Use the drop-down menus to select how you wish to filter the messages: Component (Internet Update,
Product Manager, etc.), Message type (alarms, warnings, errors, etc.), Year, Month, and Group. The
report’s content and available filtering options depend on factors like how many different operating systems
are installed on the clients in the network, when the realm was created, and the types of messages reported in the
entire period. For example, you cannot sort on Operating System if all clients run on the same platform, on year if
the realm was created in the current year, or on type if only one or two message types have been reported.

There is a limitation of 1,000 messages per report. Therefore it is important that you specify relevant and
precise search criteria in the Search field, from where you can search through all messages generated since
the realm was established. You can, for example, search for machine names, IP addresses, or virus names
to avoid irrelevant messages with the risk of exceeding the 1,000 limit.


Reports
The management console maintains statistics for the realm around the clock. The reports cover the topology
status and incidents. As a supplement to the graphical representation of statistics on the home page, you can
generate your own, detailed reports that identify all clients in the network.

Generated reports are based on all discovered devices in the network, also those that are not managed.
However, devices that have been moved to the Unmanaged group are not included. You may filter which
clients to include in the report by their online status and/or whether a status flag has been set.

Select the details and the machines you want to include in the report and click Generate. You can filter
machines by selecting clients with only one or two particular status types or select all types to include all clients
(default). The default setting for the report details is also all. Choose between commas or semicolons as
CSV (comma separated value) separator, depending on the report format you prefer.

The report is generated as a CSV file to be opened in most spreadsheet applications and saved as any other
file.


Settings
These pages contain configuration options as well as regularly performed maintenance tasks, such as
administrator management, and general occasional tasks. Settings and parameters that do not require
frequent attention, or that are likely to be set just once, are also located on these pages.

Realm administrators
This option applies to the Toplevel Manager only. For more information about realm owner and realm
administrator, please refer to “Installation” on page 13.

The realm owner credentials should only be used when a management console is being restored from a
backup. When first running the Endpoint Manager after it has been installed, it is an essential task to
complete the creation of one or more realm administrators.

All users with administrator’s privileges in the realm are listed on this page, with information about access
type etc.

Click an administrator’s name link to view more information about the administrator.

To add a new administrative user, click Create administrator.


Backup and restore


This option applies to the Toplevel Manager only. The management console and the network realm rely on
certain basic data stored in the local database, also referred to as the store. It is strongly recommended that
you back up these data systematically. The backup will include vital information like network topology, realm
credentials and operation center settings.

Backup
When a managed realm is set up, we recommend that you back it up on an external storage device.

The most recent backup file is named NEM_backup_00000.nbk, and for each backup the number 00000 is
incremented until the selected Max number is reached. Hence, the backup file with the highest number is
the oldest one.

The file cannot be opened/viewed by any application since the sole purpose of the backup is to provide
a possibility to restore a managed network realm on a management console in the case of hardware loss
etc. Without a backup, the loss of the management console would require new credentials to be distributed
throughout the network. The logical network structure would also have to be recreated. The backup/restore
functionality is also used if you want to upgrade or replace a functioning management console. First, back up
the existing management console to external media, then restore the backup file as part of the install
wizard procedure on the new management console. The size of the file depends on your network: the bigger it
is, the bigger the backup file.

Destination
Enter a path for the backup file directory where NEM_backup_0000x.nbk will be stored. The default location
is C:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows
Explorer view.

Max number of backups


Enter the number of backup files that will represent the maximum before the management console starts
to delete the oldest of the existing files. Since businesses, networks and routines are diverse we have no
recommended number. However, you should keep this number high enough to maintain a usable backup
history, and at the same time limit the number to avoid consuming more disk space than necessary. If you
reduce the number at a later point, old backups will not be deleted unless you do it manually.


Enable scheduled backups


When you select this option, the Start time fields are enabled for specifying the time backup should run.

Select days of the week below


Starting with Monday, each weekday is listed and selected by default.

Start time
Enter hour and minute when you want the backup to start. Backup will start at the specified time for all
selected weekdays.

Backup now
Click Backup now for an immediate backup of the management console database, or Save to store your
settings. If the management console is down when backup should be performed, backup is executed as
soon as the management console becomes operational again.

Restore
In the current version, the management console’s DNS name cannot be changed. Therefore a backup of a
realm must be restored on a machine resolved with the same DNS name that was used during the realm
creation.

Alternatively, you can create a new realm and, after finishing all processes and updates from the Internet,
generate new MSI installers from the management console. Copy the file mig2nss7.nts created in the
same destination folder into the \norman\config folders of the existing clients. Please keep in mind that by
doing this you are using a new/blank topology tree, and the clients will be assigned automatically to the
Lost and found group. Consider creating policies, groups, and topology filters and/or
moving clients manually to specific folders before you copy that file onto the clients.

It is important that you run an Internet Update before restoring a backup.

Restore from
Enter the path for the backup file directory where NEM_backup_0000x.nbk is stored. The default location
is c:\Program Files\Norman\backups\noc. Alternatively click Browse to select a location from the Windows
Explorer view.

Restore strategy
Select what parts of the backup to restore. The settings part of the database contains the realm credentials
and settings. The topology part is a map of known machines in the network, as presented in the Clients
view, including the group names and assigned policies.


Keep most recent values


Selecting this option will keep the most recent values during restoration of a backup when a value exists both
in the backup and in the current database.

Keeping the most recent value may in some cases result in duplicate topology entries if you have
chosen to restore the topology.

Generate installers
The management console provides creation and distribution of an MSI package (Windows Installer file .msi)
for rapid deployment of software on client machines.

This is a trouble-free method for installing on a client, as the administrator only needs to initiate and distribute
the MSI installer to clients. Once started, the installation of the MSI package will open up port 2868 on the
client machine and complete the full installation of Endpoint Protection. The clients then retrieve their policies,
as described in previous steps.

The MSI package and Endpoint Protection automatically open port 2868 on Norman’s and
Windows’ firewalls only. If you are using another firewall, you must manually open this port.

Distribution of the MSI package can be performed in different ways, for example:
• using a startup script
• sending the package via email to the clients
• copying the package using a USB stick or a similar medium
• employing a 3rd party tool
• distributing via Active Directory

1. Enter a valid path, and a name that you want the MSI file name to start with. You do not need to enter a
file extension (e.g. .msi) since the system will add this for you automatically.
Syntax: [drive]:\[path]\[name]
Alternatively, you can Browse to select a folder where you want to save the file, but you will still have to
write a name after the selected path.


2. Click Generate (or press Enter).


The management console generates the following installer files:
•• [drive]:\[path]\[name]_x64.msi (64-bit version)
•• [drive]:\[path]\[name]_x86.msi (32-bit version)
•• [drive]:\[path]\mig2nss7.nts * (For manual migration)

The mig2nss7.nts filename is generated by the system, and you cannot add to it.

3. The MSI installer files should now be saved to the location you specified.
Example
C:\Distribution\Clients\Installer
This example path and name will generate the following installer files:
•• C:\Distribution\Clients\Installer_x64.msi
•• C:\Distribution\Clients\Installer_x86.msi
•• C:\Distribution\Clients\mig2nss7.nts

The generated files hold information about the location of the relevant management console, and the
credentials to access it. You can use these files to install the security software on eligible clients, auto-run it on a
domain, or distribute it through email, USB stick or in any other suitable way.

Keep in mind that all new clients will be placed in the Lost and Found group, unless they are previously
discovered and assigned to a group. The default policy will apply for those. You can create topology filters (see
“Topology filters” on page 60) that will move clients to certain groups as they are discovered. Then clients
will use the policy for that particular group rather than the default policy.

When adding clients at a later stage, we recommend that you create new MSI installers if the existing ones are
older than one month, and always if there have been any software updates in the meantime. This is because the
installer may have been updated with new files since the last time you generated an MSI installer, and a new
installer will avoid unnecessary restarting of clients.

It is a good idea to test the MSI package on a couple of clients before rolling it out in your network,
in order to identify any problem with the given management console’s DNS name or credentials.


Remote access
The management console can be accessed remotely. By default, remote access is not permitted. Remote
access is only permitted from the locations specified below. You can remove and/or add access to the
management console from a remote location.

Remote locations currently permitted to access the management console are listed in the upper part of the
screen, identified by IP address, Netmask and Description (optional).

Just type in the IP address and Description when you set up permissions for remote access in
the management console. A blank netmask is not allowed. Enter 255.255.255.255 as Netmask to
allow remote access for a specific IP address only.

You should be careful admitting remote browsers access to the management console, as there are some
obvious security issues. To enable remote access, you must select Allow remote access. In addition, you
have to specify the IP addresses that should be allowed to log on to the management console. You may
grant access either to a specific IP address or to a whole subnet, depending on the netmask.

Example
Address 172.17.0.0 with netmask 255.255.0.0 will give access to clients from the entire 172.17 segment.
Again—remote access should in general be limited to as few clients as possible.
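The following added example (not part of the product or of the original guide) reviews a list of remote access entries before they are typed into the console: it rejects blank or malformed netmasks and reports how many addresses each entry admits. The sample rows, the `MAX_ADDRESSES` review limit and the assumption that the console applies ordinary netmask matching are all made up for illustration.

```python
import ipaddress

# Constructed sample allow-list rows: (IP address, Netmask, Description).
SAMPLE_ENTRIES = [
    ("172.17.0.0", "255.255.0.0", "whole 172.17 segment (the guide's example)"),
    ("10.1.2.3", "255.255.255.255", "single admin workstation"),
    ("192.168.1.0", "", "blank netmask"),
    ("192.168.5.0", "0.0.0.255", "wildcard mask typed by mistake"),
]

MAX_ADDRESSES = 256  # assumption: a local review limit, not a product setting


def prefix_length(netmask):
    """Return the prefix length of a dotted netmask; reject blank or non-contiguous masks."""
    if not netmask.strip():
        raise ValueError("blank netmask is not allowed")
    value = int(ipaddress.IPv4Address(netmask.strip()))
    host_bits = value ^ 0xFFFFFFFF
    # A valid mask is a run of ones followed by zeros, so its inverse is 2**k - 1.
    if host_bits & (host_bits + 1):
        raise ValueError(f"{netmask} is not a contiguous netmask")
    return bin(value).count("1")


def to_network(address, netmask):
    """Combine an address and netmask into a network, ignoring stray host bits."""
    return ipaddress.ip_network(f"{address.strip()}/{prefix_length(netmask)}", strict=False)


def audit(entries, max_addresses=MAX_ADDRESSES):
    """Return one finding per entry: CIDR form, address count and a verdict."""
    findings = []
    for address, netmask, description in entries:
        try:
            network = to_network(address, netmask)
        except ValueError as exc:
            findings.append({"entry": address, "cidr": None, "addresses": 0,
                             "verdict": f"invalid: {exc}", "description": description})
            continue
        if network.num_addresses == 1:
            verdict = "single host"
        elif network.num_addresses > max_addresses:
            verdict = "broad"
        else:
            verdict = "subnet"
        findings.append({"entry": address, "cidr": str(network),
                         "addresses": network.num_addresses,
                         "verdict": verdict, "description": description})
    return findings


def is_permitted(source_ip, entries):
    """True if source_ip falls inside any valid entry (standard netmask matching assumed)."""
    source = ipaddress.ip_address(source_ip)
    for address, netmask, _ in entries:
        try:
            if source in to_network(address, netmask):
                return True
        except ValueError:
            continue  # invalid rows grant nothing
    return False


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(f"{finding['entry']:<14} {str(finding['cidr']):<18} "
              f"{finding['addresses']:>6}  {finding['verdict']}")
```
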


Event management
This option applies to the Toplevel Manager only. The event management system is used to create
messages based on the situation in your managed realm. The system is connected to the status indicators in the
far left column, triggering a notification event when a preset threshold is reached. The system triggers on the
number of alarms, errors and warnings in a network. You can set threshold values for the absolute
percentage of reported alarms, errors and warnings. Delta threshold values are specified for the change rate of the
same over a reporting period. Reports can also be made periodically or if a management console error
occurs. See “Reports” on page 49.

Triggers
You can set threshold values for events, and determine if the event should be communicated as email,
SNMP trap, via the syslog or event log. Configuration for each message type is located under the related tab
(Email settings, SNMP settings and Syslog settings).

When you specify one or more methods to send messages (email, SMS, etc.), do not forget to
configure the selected transmission mechanism(s). Similarly, you don’t need to configure devices
not selected. No messages will be sent if there are any errors in this configuration.

Alarms
If the alarms threshold is set to 3, an alarm is triggered when 3% of the network nodes trigger alarms. The
alarm is passed on in one or more of the selected manners (Email, SNMP, etc.).

An alarm is an event that requires immediate action. It is issued by a product in Norman Endpoint
Protection on a managed client.


Errors
If the errors threshold is set to 5, an error is triggered when 5% of the network nodes trigger errors. The error
is passed on in one or more of the selected manners (Email, SNMP, etc.).

Errors are system abnormalities that require immediate attention.

Warnings
If the warnings threshold is set to 10, a warning is triggered when 10% of the network nodes trigger
warnings. The warning is passed on in one or more of the selected manners (Email, SNMP, etc.).

Warnings are information about events that are suspicious and that may require administrator
attention.

Alarms delta
For changes in the amount of network nodes that have an alarm.

Upon completion of a topology thread walkthrough, the management console compares the results with the
findings from the previous walkthrough and calculates delta values. If the delta threshold (percentage) is
reached, a message is sent via all selected channels (email, SNMP etc.).

The delta threshold value is not related to the threshold value for alarms, which is based on a percentage of
an absolute number of managed clients. A delta value change, however, is based on the findings from the
topology thread walkthrough looking for events in the entire network of managed clients, and which is running
perpetually. Delta messages may therefore be sent long before an (absolute) alarm threshold is reached, if
configured in that way.

For example, if the alarm delta is set to 1% and the alarm threshold to 5%, delta messages are sent when
there is a 1% increase in alarm numbers, while a threshold message is only sent when a total of 5% of the
network has an alarm.

See also “Supervisor process” on page 62. A walkthrough of the network takes about 15 minutes and is
referred to as a management period.

Errors delta
See Alarms delta, for changes in the amount of network nodes that have an error.

Warnings delta
See Alarms delta, for changes in the amount of network nodes that have a warning.

Endpoint Manager errors


Various errors related to the operation and running of the management console and its processes.

Periodic status reports


Aggregated reports on the status of the network (errors, alarms, warnings). If you want to receive status
reports, select this option and specify the desired frequency.


Email settings
Enter the address that recipients of notifications can reply to under Reply-to address. In the
Recipients address(es) field, enter the email address of notification recipients, separated by commas.
There are two text fields, for Subject and Appended text (optional). Finally, you must enter an SMTP server
and an IP Port number, or leave blank for default port 25.

SNMP settings
Enter hostname or address of the system(s) that should receive the messages under Trap recipient(s),
separated by commas. You can also specify a Subject for the message (optional). Under Community, type
in an SNMP community name or leave blank for “public”. This field is case sensitive.

A .mib (Management Information Base) file called Sec_Traps.mib is included in the Endpoint Protection
installation. It’s located in [drive]:\[programroot]\NOC\Bin.

Syslog settings
Enter name and address for the Syslog servers that you want to send events to. Comma is the only valid
separator. In the optional fields Prefix and Port you can enter a short text to append all syslog entries from
the management console, and a port number if you’re not using the default 514. Facility classification can be
set to any of the locally defined values (16 through 23 in the Facility drop-down menu), or select Default for
user level messages.

Display name priority


When you are looking at any list of nodes, each one is identified by a symbol (see
“Client states” on page 26) and a name. You can choose how the client name is presented by rearranging
the order of available names.

If you have selected an order as in the example above, Local alias will appear as the clients’ name provided
that a local alias is available. If not, the next name on the list (Hostname) will be used, and so on.


Topology filters
This section is for the Toplevel Manager and describes how you can filter clients. Discovered network
devices can automatically be filtered to pre-defined topology groups. Filters are handled from top to bottom.
Once a computer matches a rule, no more filters will be automatically applied.

The topology filtering does not affect Endpoint Managers. A filter condition to move a discovered
device to a certain group may match an Endpoint Manager, however, the Endpoint Manager will
not be moved.

Syntax: IF [attribute] EQUALS/NOT EQUAL [value] THEN move to group [groupname].

Attribute is a pull-down list of attributes identifying a device, like a name or an IP address. The operator
is either EQUALS (=) or NOT EQUAL (!=). The value is a complete or partial string to match the attribute
against. If partial, a wildcard character can be placed in front of or at the end of the string. The filters are
applied top-down. If a client matches more than one rule, only the first rule will be applied. Click the plus sign to
create rules where several conditions have to be met.

Example
IF [IP address] EQUALS [172.17*] THEN move to group [London].
IF [Name] EQUALS [*srv] THEN move to group [London].

When specifying what to test against in a rule, the value IP address reflects any of the IP addresses
registered with a client. Likewise, MAC address means any of the MAC addresses associated with the network
interfaces for a client.

The value Name is the common name of a client as reported by passive discovery (NetBIOS name), or the
name that the client itself responds to. The value DNS name, on the other hand, is the machine name
associated with the DNS entry of the client in the management console database. If the DNS entry in the client’s
network differs from the one resolved by the management console, the management console entry is used.

Details about a client are displayed in this order: Alias (set by the administrator), NetBIOS name, DNS name,
IP address.

The NetBIOS names are reported by the passive discovery component. If a client is only known by its IP
address (as a result of an incorrect manual entry, for example), it will be displayed with its IP address until a
reverse DNS lookup has been done (if enabled). At any time, a topology report containing the NetBIOS name
of the client will be stored and displayed in the clients list. A managed client will also report its NetBIOS name
if available, causing it to be displayed instead of the DNS name.

The DNS name is always available in the client details window.


Alternative client filtering


Apart from the topology filtering, you can sort clients automatically based on a registry key or
environment variables being set on the clients themselves. This can be done through existing log-in scripts or other
already available tools in the network.

Group requests based on the environment variable take precedence over the topology filters. Clients that
request a group will not be filtered, even if you select Reapply all filters.

Only clients (current or future) that report to a Toplevel Manager can be filtered using this registry
key or environment variable mechanism.

A client can be manually moved elsewhere from the management console, after it has been automatically
moved to a group using this mechanism. If its environment variable is changed to another group, it will be
moved again according to the new value, even if it has been manually moved in the meantime. However, if
the variable is not changed, the client will never be moved back.

If a group does not already exist in the Endpoint Manager topology, it will be created. Automatically created
groups will be assigned the default policy.

Use the full stop (.) delimiter if you want to use subgroups.

Example
Servers.Mail.SNMP resolves the group Servers > Mail > SNMP and moves the client to the SNMP subgroup.

Registry key
1. Create a new String Value key named ’join_group’ in Registry Editor under
\\HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems\

2. Specify the group name that you want the client to be moved to in the Value data: field.

Environment variables
1. From your computer’s System Properties go to Advanced > Environment Variables. Create a new
system variable with the Variable name: join_group.

2. Specify the group name that you want the client to be moved to in the Variable value: field.

On some operating system versions the client must be restarted before a new environment variable
becomes available to the client.
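The added example below (not the product's own code) models the group assignment described under “Topology filters” and “Alternative client filtering”: a join_group request wins over the filters, filters are evaluated top-down with first match only, and Endpoint Managers are never moved by a filter. The class and function names, the sample clients, the “Servers”, “Roaming” and “Managers” groups, and case-insensitive matching are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    name: str = ""
    dns_name: str = ""
    ip_addresses: list = field(default_factory=list)
    mac_addresses: list = field(default_factory=list)
    is_endpoint_manager: bool = False
    join_group: Optional[str] = None  # value of the join_group registry key or variable


@dataclass
class Condition:
    attribute: str  # "IP address", "MAC address", "Name" or "DNS name"
    operator: str   # "EQUALS" or "NOT EQUAL"
    value: str      # complete string, or partial with * in front or at the end


@dataclass
class Rule:
    conditions: list  # all conditions must hold (the plus sign in the console)
    group: str


def wildcard_match(pattern, candidate):
    """String match with one optional wildcard at the start or the end of the pattern."""
    pattern, candidate = pattern.lower(), candidate.lower()
    if pattern.startswith("*"):
        return candidate.endswith(pattern[1:])
    if pattern.endswith("*"):
        return candidate.startswith(pattern[:-1])
    return candidate == pattern


def condition_holds(client, cond):
    values = {"IP address": client.ip_addresses, "MAC address": client.mac_addresses,
              "Name": [client.name], "DNS name": [client.dns_name]}[cond.attribute]
    # "IP address" and "MAC address" mean any of the addresses registered with the client.
    hit = any(wildcard_match(cond.value, v) for v in values if v)
    return hit if cond.operator == "EQUALS" else not hit


def resolve_group(client, rules, current="Lost and Found"):
    """Return (group, reason). The guide does not cover join_group on Endpoint Managers,
    so that combination is not modelled here."""
    if client.join_group:
        return client.join_group.replace(".", " > "), "join_group request"
    if client.is_endpoint_manager:
        return current, "Endpoint Manager, not moved by filters"
    for index, rule in enumerate(rules, start=1):
        if all(condition_holds(client, c) for c in rule.conditions):
            return rule.group, f"filter {index}"
    return current, "no filter matched"


def group_requests(clients):
    """Names of clients whose group (and therefore policy) is chosen on the client itself."""
    return [c.name for c in clients if c.join_group]


# First rule is the guide's example; the other two and all clients are constructed.
RULES = [
    Rule([Condition("IP address", "EQUALS", "172.17*")], "London"),
    Rule([Condition("Name", "EQUALS", "*srv")], "Servers"),
    Rule([Condition("Name", "EQUALS", "LT-*"),
          Condition("IP address", "NOT EQUAL", "172.17*")], "Roaming"),
]
FILESRV = Client(name="filesrv", ip_addresses=["10.0.0.8", "172.17.4.20"])
LAPTOP = Client(name="LT-042", ip_addresses=["192.168.3.9"], join_group="Servers.Mail.SNMP")
ROAMER = Client(name="LT-077", ip_addresses=["192.168.3.10"])
CONSOLE = Client(name="noc-mid", ip_addresses=["172.17.0.2"], is_endpoint_manager=True)
PRINTER = Client(name="prn1", ip_addresses=["10.9.9.9"])

if __name__ == "__main__":
    for c in (FILESRV, LAPTOP, ROAMER, CONSOLE, PRINTER):
        print(c.name, "->", resolve_group(c, RULES))
    # Because the value is matched as a string, 172.17* also matches 172.170.x.x.
    print(wildcard_match("172.17*", "172.170.1.1"), wildcard_match("172.17.*", "172.170.1.1"))
```

Since the group decides which policy a client receives, the output of `group_requests` is worth reviewing: those clients selected their own group and are skipped by the filters.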


Supervisor process
These settings are used to fine-tune the management console working threads. Normally, the default settings
are adequate. However, certain local networking properties may require changes to some of the settings to
ensure optimal performance. See also “About status” on page 25.

Topology thread delay


Regulates the pace of the topology picture updating thread, walking through the entire network tree. The
lower the number, the faster the speed. Increase this value if you experience peaking CPU/networking load.

Discovery thread delay


Regulates the pace of the active discovery thread dispatcher. The lower the number, the faster the speed.
Increase this value if you experience peaking CPU/networking load.

Discovery attempts
Sets the maximum number of attempts to discover a Stale client before it is marked as Offline. Increasing this
value will increase the stale period of offline clients, since the formula is discovery attempts times rediscovery
interval for rediscovering stale clients.

Max. discovery threads


Sets the upper allowable limit of parallel active discovery processes. Reduce this value if you have a large
network, and the network load generated by the management console is too high.

Rediscovery interval
Sets the interval between active rediscovery attempts. Increasing this value will increase the stale period
of offline clients since the formula is discovery attempts times rediscovery interval for rediscovering stale
clients.

Auto-acknowledge - errors
Sometimes the management console receives errors, alarms, and warnings. These messages are visible
until they are removed manually using the edit function on the client. You can use the slider to set a period of
time after which the specific messages are removed automatically. If the problem persists, the error/alarm/
warning messages reappear after an auto-acknowledgement of the message(s).


Auto-acknowledge - alarms
See Auto-acknowledge - errors.

Auto-acknowledge - warnings
See Auto-acknowledge - errors.

Stale delay for managed clients


Sets the maximum time without communication from a managed client before it is marked as Stale.

Stale delay for unmanaged clients


Sets the maximum time without communication from an unmanaged client before it is marked as Stale.

Enable discovery reverse DNS


The discovery process should attempt to resolve addresses into names through reverse DNS. This option is
by default Off.

Enable discovery ICMP


The discovery process should use ICMP to actively chart lost clients using ping. This option is by default Off.

Enable passive discovery


Devices that are discovered passively in the network are added to the database. This option is by default
Off. Please refer to the appendix “Appendix B: Passive discovery” on page 66 for more information on
passive discovery.


Appendix A: The Update Mechanism

Concept
The update mechanism consists of two categories: the program update, and the engine and definition files
update. All endpoints in a configuration have the update components installed. This ensures that they are
updated even if the Endpoint Manager is unavailable.

Program update
This update applies to the Internet Update component. A program update includes modifications to the
software, e.g. the Real-time scanner, and the user interface. These updates are released periodically and
usually about once a week.

Engine and definition files update


This update applies to the BDmirror and Nseupdatesvc components. An engine and definition files update is
released several times per day.

Components
Internet Update
This component checks for and downloads program updates via the Internet. The default frequency for this
update is every second hour. Norman Internet Update uses the port 80 (http).

BDmirror
This component checks for and downloads engine and definition files update on the Endpoint Managers
only. The check for update for a Top Level Manager is done via the Internet, while the check for a Midlevel
Manager is done via the parent Endpoint Manager. The default frequency for the update is every 20 minutes.

Please note that the Internet update configuration influences the BDmirror component. This means that
if the Internet update is set to update manually, it will only run when the Internet Update feature is launched
manually. BDmirror uses the port 80 (http).

Nseupdatesvc
This component checks for and downloads engine and definition files update on all the endpoints, clients
and Endpoint Managers. The check for update is done via the immediate Endpoint Manager’s repository for
endpoint clients, or via the local repository for Endpoint Managers. The default frequency for the update is
every 20 minutes. Nseupdatesvc uses the port 2868 (npep).


How it works
The following describes how the Internet update works in a default configuration setup.

Top level Endpoint Manager


The Endpoint Manager uses the Internet Update component to check for program updates via the Internet.
You can configure Internet Update to run manually or scheduled. Once the update is completed, the
BDmirror component is launched to update the local repository and make updates available for the endpoint
clients and Midlevel Managers. Once BDmirror is finished, it will call the Nseupdatesvc component to check for
updates in the local repository that was updated.

Midlevel Endpoint Managers


In a default configuration, the Midlevel Managers will check for program updates via the parent Endpoint
Manager in the LAN/WAN, at a default interval of 60 minutes. The BDmirror component is scheduled to
update the local repository via the parent Endpoint Manager, and will connect to the Internet if there has
not been any communication with the server for a certain period of time (default 3 days). After BDmirror is
finished, Nseupdatesvc will follow and update via the local repository.

Endpoint Clients
In a default configuration, the clients use the internal mechanism to fetch a program update from the parent
Endpoint Manager (uses port 2868), and will use Nseupdatesvc every 20 minutes for engine and definition
files update.

In case there has been no communication with the server for a certain period of time (default 3 days), both
the Internet Update and the Nseupdatesvc components will connect to the Internet to download the program
and engine and definition files update.


Appendix B: Passive discovery

Technical description
Endpoint Protection (framework or client software) and Endpoint Manager (the management console)
employ a mechanism to map out devices in a network and report them to the management console. This
mechanism resides as a driver that is visible in the network configuration as Norman Network Security.

The Network Security driver is currently used for mapping the network topology. In the future, the driver may
be involved in other network security tasks, like actively looking for malicious traffic in and out of the
machine.

The management console depends on information about clients in the network to produce a useful picture
of the net. Clients make their presence known through their communications with the management console.
Network devices that do not have Endpoint Protection installed are discovered using the network security
driver.

A management component on the client interrogates the security driver regularly to ask for network devices
that have generated traffic. After polling the driver a topology list is generated and submitted to the
management console. The management console will then sift through the list and update the online statuses of the
network devices that it keeps track of.

The first topology report will be submitted a few minutes after client boot-up. The client will first tell the driver
to listen to network traffic for a minute. Then it creates a list of devices containing their NetBIOS names,
MAC addresses, and IP addresses. A MAC address will always be found, but the name and IP may or may
not be included. The client will compare the discovered devices with a local cache and create a topology
report that is sent to the management console.

A client will send a second report about five minutes after the first. It will then taper off and wait about 30
minutes before the third report, two hours before the fourth and so on, up to a maximum of four hours. If
the client is restarted, it will start over. The reporting aggressiveness is also decreased as the reports grow
larger. The reason for this is that, statistically, a network containing a high number of clients will have a
higher number of clients reporting the topology.

The information reported is only basic information pulled from the Ethernet headers and the NetBIOS
protocol header. No protocol content is ever collected.

The Network Security Driver is designed for:

•• Windows XP 32-bit
•• Windows Server 2003 32-bit
•• Windows Vista 32-bit
•• Windows Server 2008 32-bit
•• Windows 7 32-bit
•• Windows Server 2008 R2 32-bit


Appendix C: MailScan for Domino

Introduction
MailScan for Domino is an Endpoint Protection plug-in that offers virus protection. It is fully compatible with
the IBM Lotus Domino Server. Scanning is performed on the Endpoint Protection server and no software is
needed on the IBM Lotus Domino clients. MailScan for Domino scans incoming email attachments guarding
the main virus entry point in a Lotus Domino environment.

How it works
A folder dom is created at the Norman root folder when MailScan for Domino is installed. The MailScan for
Domino path is %systemdrive%\Program Files\Norman\dom

Files are copied into the dom directory during installation:

File                      Description
\bin\nvcd_install.exe     MailScan for Domino installer
\bin\zlh_dom.dll          Communicates with the Endpoint Protection client
\bin\nvcd_load.dll *      MailScan plugin loader for Domino
\bin\nvcd_oa.dll *        MailScan scanner engine for Domino
\res\dom.nts              Configuration database element
\bin\release_notes.txt    Release Notes

* These dlls are also copied to the IBM Lotus Domino server directory:
%systemdrive%\Program Files\IBM\Lotus\Domino

MailScan for Domino adds the entry NVCd_load.dll to the setting EXTMGR_ADDINS in the notes.ini file to
install itself. When the Domino server starts, MailScan for Domino will analyze incoming emails, and scan
any file attachments for malware. You can disable MailScan for Domino manually. Remove NVCd_load.dll
in notes.ini and restart the Domino server.

The MailScan for Domino plugin is configured in the standard Endpoint Protection configuration panel. It
appears as a separate module in the configuration editor and gives access to MailScan for Domino specific
settings, while messaging, updating etc. is configured in the common settings.

Activity log
MailScan for Domino offers a comprehensive and robust malware incident activity log on the Lotus Domino
server console and optionally in the Domino server log, the Windows Event log, and in the Endpoint
Protection log file:

•• Malware name (if known)
•• Name of attachment
•• Subject
•• Creation time and date
•• Name and address of originator
•• Name of recipient(s)
•• Action taken (cleaned, removed, quarantined)

From the Endpoint Protection module’s Support Center > Message handling you can view incidents from
MailScan for Domino.


System Requirements
MailScan for Domino requires that an Endpoint Protection 11.x client is installed on the IBM Lotus Domino
server.

Supported versions
•• IBM Lotus Domino 8.0.1-8.5.3
•• Windows Server 2003
•• Windows Server 2008 and 2008 R2

Antivirus products from other vendors may be incompatible with Endpoint Protection. You should
uninstall other antivirus programs before installing Endpoint Protection.

MailScan for Domino must be installed on the Windows server where the IBM Lotus Domino Server is
installed.

You must be logged in to the system with administrator privileges in order to install the program.

A 64-bit operating system requires a 64-bit IBM Lotus Domino version. If one of them is 32-bit
and the other is 64-bit, the emails will pass through without being scanned.

Installation
You can install MailScan for Domino on the local server or from the Endpoint Manager central management
console.

If you terminate the setup program during installation, the files that are already copied to your hard drive
must be removed manually.

Local installation
1. Download and install Endpoint Protection 11.x on your Domino server

The license key must include MailScan for Domino.

When the program is installed an N-icon will appear in the system tray menu.

2. Right-click the N-icon and select Endpoint Protection to open the program.

3. Go to Endpoint Protection > Install and Update.

4. From the Licensed Products list select Not installed for MailScan for Domino.

5. Click Install from the popup dialog that appears.


Please wait while the program is installed and updates are downloaded. You may be required to restart
the Domino server when the installation is complete.
A MailScan for Domino entry is added to the left-hand side menu.

6. Go to MailScan for Domino.


Installing from Endpoint Manager


Endpoint Protection 11.x must already be installed and managed by an Endpoint Manager on the
designated IBM Lotus Domino Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 29)

2. Create a new policy.


Enter a name and optionally a note and click Create.
The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the MailScan for Domino product.

4. If necessary, edit the newly created policy’s default configuration.

5. Create a group.
To install the product on servers you must create a group in the Endpoint Manager console.
Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

MailScan for Domino will be installed to all servers or computers in this group.

Updating
Obtaining frequent updates is critical to maintain a secure computing environment. You should configure
automatic update of your MailScan for Domino installation (unless you update from CD only). In addition to
the scanner engine components, the Internet update feature provides updates to Endpoint Protection,
including program updates.

MailScan for Domino updates itself dynamically. A few minutes after new virus definitions are installed,
MailScan for Domino will start to scan using the updated files.

Note that if nvcd_load.dll is updated you will have to restart the Lotus Domino server software.

Automatic update
Install and update settings are by default set to automatically update every second hour. To edit the update
method go to Install and Update > Settings > Select update method. Select Automatically every and
frequency from the drop-down menu. Click Save.


Getting started
Once installed, the MailScan for Domino server plug-in entry appears on the Endpoint Protection’s left-hand
side menu.

The Today and Total columns display today’s numbers and the accumulated numbers since the plug-in was
installed.

Configuration
Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

The following configuration options are identical to the options available from Policies in the
Endpoint Manager console. See “Configure policies” on page 30.

Block/Allow
Click Block/Allow from the main menu to configure attachment blocking and email blocking/allowing for the
scanner.

Block attachments

Specify file names that should be blocked. Wildcard (*) is accepted for blocking of specific extensions. A
wildcard is only allowed in place of the file name, i.e. *.vbs. To the average user, file types like .vbs, .pif or .lnk
are hardly critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these
also represent a potential risk for virus infections.


In this field you can also block specific attachments with names known to contain viruses, such as
AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition
files are available.

Block/Allow email

Specify email addresses that should be blocked (senders) or allowed (senders/receivers). The asterisk (*) is
accepted as wildcard.

Use with caution: attachments from email addresses in the allow list will not be scanned for malware.

Settings
Click Settings from the main menu to configure general and advanced settings for the scanner.

General

Enable MailScan for Domino


Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Malware handling
Attempt to clean infected attachments
Select this option if you want MailScan for Domino to attempt to clean infected attachments.


Quarantine infected attachments


Select this option to quarantine infected attachments.

Delete infected attachments


Select this option to delete infected attachments.

Advanced

Email server
Protect users from mass mailers
Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the
virus in itself, as the email is illegitimate with the sender missing. If you select this option, the entire email is
marked as DEAD, rather than only removing the infected attachment.

This feature will only work for mass-mailers that carry a flag from the scanner engine that they are mass-
mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.

The Lotus Domino database MAIL.BOX containing emails marked DEAD may grow substantially
with this option enabled. You may therefore need to delete the content of this database more
frequently than if this option is not enabled.

Scan archives
When this option is selected, MailScan for Domino will scan recursively inside archive files for all
supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip,
IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO,
Installshield, NSIS, SFX, VISE and WISE.

This will take more time and may consume more memory, but it’s the safest option to ensure that your server
is absolutely virus free.

Log to Domino Console


In addition to logging to the Endpoint Protection messaging system, important events are also logged to the
IBM Lotus Domino Server Console.


Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking
affects new emails only.

Incorrect use of the blocking utility may cause loss of data.

Block all attachments


All attachments are blocked. See also the paragraph above.

Block attachments with double extensions


Many worms and email viruses apply a technique where an additional extension is added, for example
<filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to
only have the extension .jpg. However, this feature is not only used by viruses; nexscan.hlp.zip and
todolist 20.dec.doc are both treated as double extensions.

Block attachments with CLSID extensions


Some worms and email viruses apply a CLSID technique in an attempt to fool email scanners and blocking
software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension
with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate
attachments to use this type of extension, this behavior is blocked by default.
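
The three name-based rules described above (block list, double extensions, CLSID extensions) can be modelled in a few lines to see both what they catch and what they over-block. This Python sketch is an added example, not Norman's implementation; the regular expressions, the function names, the name normalization and the all-zero placeholder CLSID are assumptions.

```python
import re

# Block-list entries in the guide's form: "*" in place of the file name plus a
# fixed extension, or the full name of an attachment known to carry malware.
BLOCK_LIST = ["*.vbs", "*.pif", "*.lnk", "*.exe", "*.com", "*.bat",
              "AnnaKournikova.jpg.vbs"]

# Assumption: an extension is a dot followed by 1-4 letters or digits.
EXT = r"\.[A-Za-z0-9]{1,4}"
DOUBLE_EXT = re.compile(EXT + EXT + r"$")

# Assumption: a CLSID extension is a final ".{8-4-4-4-12 hex digits}" component.
CLSID_EXT = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def normalize(filename):
    """Reduce an attachment name to the part that decides how it is opened."""
    base = re.split(r"[\\/]", filename)[-1]   # drop any path component
    # Win32 path handling drops trailing dots and spaces, so "x.exe. " is
    # still opened as "x.exe"; strip them before matching.
    return base.rstrip(" .")


def wildcard_to_regex(pattern):
    """Compile a block-list entry in which "*" is the only wildcard."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)


def evaluate(filename, block_list=BLOCK_LIST):
    """Return the list of rules that would block this attachment name."""
    name = normalize(filename)
    reasons = ["block-list:" + p for p in block_list
               if wildcard_to_regex(p).fullmatch(name)]
    if DOUBLE_EXT.search(name):
        reasons.append("double-extension")
    if CLSID_EXT.search(name):
        reasons.append("clsid-extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample names; the CLSID is an all-zero placeholder.
    samples = [
        "invoice.pdf",
        "AnnaKournikova.jpg.vbs",
        "nexscan.hlp.zip",          # legitimate, still a double extension
        "todolist 20.dec.doc",      # legitimate, still a double extension
        "setup.{00000000-0000-0000-0000-000000000000}",
        "Report.EXE. ",             # case and trailing characters normalized
    ]
    for s in samples:
        print(f"{s!r:50} -> {evaluate(s) or 'allowed'}")
```

The two legitimate names from the guide are reported as double extensions, which is the over-blocking an administrator should expect when enabling that rule.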

Block encrypted archives


Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the
user into decrypting and running the file. One example is the Bagle worms, which send themselves as
encrypted archive attachments.

Legitimate files may be sent using the same method. If you select this option, all encrypted archive
formats known to the antivirus application will be blocked. Unknown archive formats will also be
blocked.

The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE,
ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk
image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

Unsupported archives are also blocked.
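
An encrypted-archive rule of this kind can be decided without decrypting anything. The Python sketch below shows it for ZIP only, where bit 0 of each member's general-purpose flag marks encryption, and treats an archive it cannot parse as blocked. It is an added example, not the product's code; the function names, the nesting limit and the constructed sample archives (including the helper that only sets the flag) are assumptions.

```python
import io
import zipfile

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3   # assumption: nesting limit for recursive archive inspection


def block_reason(blob, depth=0):
    """Return why this attachment would be blocked, or None to pass it on."""
    if not blob.startswith(ZIP_LOCAL_MAGIC):
        return None                       # not a ZIP: left to the malware scanner
    if depth >= MAX_DEPTH:
        return "nesting-too-deep"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                    return "encrypted-archive"
                # Look inside nested archives as well.
                reason = block_reason(zf.read(info), depth + 1)
                if reason:
                    return reason
    except Exception:
        # Fail closed: an archive the parser cannot read is blocked, in the
        # same spirit as the guide's blocking of unknown archive formats.
        return "unreadable-archive"
    return None


def make_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set flag bit 0 in every local and central header of a constructed ZIP.

    The content is not actually encrypted; the sample only carries the flag
    that the policy check inspects.
    """
    data = bytearray(zip_bytes)
    # (signature, offset of the general-purpose flag within that header)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_off] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    plain = make_zip({"readme.txt": b"hello"})
    flagged = mark_encrypted(plain)
    cases = {
        "plain zip": plain,
        "encrypted zip": flagged,
        "encrypted zip inside zip": make_zip({"inner.zip": flagged}),
        "truncated zip": plain[:len(plain) // 2],
        "not an archive": b"plain text body",
    }
    for label, blob in cases.items():
        print(f"{label:26} -> {block_reason(blob) or 'passed to scanner'}")
```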

Quarantine blocked attachments


Blocked attachments will be sent to the quarantine.

Delete blocked attachments


Blocked attachments will be deleted.


Appendix D: Exchange Mailbox Scanner

Introduction
Exchange Mailbox Scanner is an Endpoint Protection plug-in that offers virus protection. It is fully compatible
with the Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no
software is needed on the Microsoft Exchange clients. Exchange Mailbox Scanner scans incoming email
attachments, guarding the main virus entry point in an Exchange environment.

How it works
A folder msx is created at the Norman root folder when Exchange Mailbox Scanner is installed. The
Exchange Mailbox Scanner path is %systemdrive%\Program Files\Norman\msx.

Exchange Mailbox Scanner uses a VSAPI 2.0/2.5/2.6 plug-in, which connects to the Exchange Information
Store on the MS Exchange server for access to emails and attachments. It becomes an integrated part of
MS Exchange itself and is controlled by MS Exchange.

All incoming and outgoing emails are scanned on access in both private and public information stores.
Access is granted only to virus-free items, or once a virus that was present has been removed. If scanning
of an attachment fails, access to the item is denied until it has been scanned successfully, so that a
program error cannot let an unscanned item through.

Exchange Service Monitor (ESM)


When Exchange Mailbox Scanner is installed on your system, the Exchange Service Monitor will be
configured to monitor the Information Store component of Exchange. This ensures better control over
Exchange on the server and notifies the administrator if something is wrong.

The installation routine will set up ESM to monitor Exchange Information Store. If a crash occurs (either
due to a crash in NEP, when a crash dialog is displayed on the server, or due to a crash inside Exchange
itself, when normally no information is given to the user at all) the Exchange Service Monitor dialog is
displayed.

In this case all the command buttons are enabled. However, certain components monitored by ESM will
not enable the Restart Service button. The dialog contains information about which services stopped
responding and which program is affected.

In addition, an error message is sent through the Program Manager to alert the administrator of such an
event.

Note that if there are dependent services these will not be restarted. If ESM is activated because of a
program crash in Exchange Mailbox Scanner or Exchange itself, this does not represent a problem. However, if
the administrator has deliberately shut down the Information Store on the server, Exchange Mailbox Scanner
will detect this and call ESM to alert that the requested service was not active. In this case services which
are dependent on the Information Store are also stopped, but are not started by ESM.


System requirements
Exchange Mailbox Scanner requires that an Endpoint Protection 11.x client is installed on the Microsoft
Exchange server.

Supported versions: MS Exchange 2010 SP1 and previous

Antivirus products from other vendors may be incompatible with Endpoint Protection. You should
uninstall other antivirus programs before installing Endpoint Protection.

Exchange Mailbox Scanner should be installed locally on the server(s) running Exchange and must be
installed on each server running Exchange separately. The Endpoint Protection installation, however, should
be kept distributed as this will ensure distributed engine updates and virus definition files. This way the
configuration window for Exchange Mailbox Scanner will only appear on the server(s) running Exchange.

To install Exchange Mailbox Scanner you need a license that covers the management of Exchange, i.e. a
license key that allows you to install Endpoint Protection as a basis for the Exchange plug-in.

Installation
You can install Exchange Mailbox Scanner on the local server or from the Endpoint Manager central
management console.

Local installation
1. Download and install Endpoint Protection 11.x on your MS Exchange server

The license key must include Exchange Mailbox Scanner.

When the program is installed an N-icon will appear in the system tray menu.

2. Right-click the N-icon and select Endpoint Protection to open the program.

3. Go to Endpoint Protection > Install and Update.

4. From the Licensed Products list select Not installed for Exchange Mailbox Scanner.

5. Click Install from the popup dialog that appears.


Please wait while the program is installed and updates are downloaded. You may be required to restart
the MS Exchange server when the installation is complete.
An Exchange Mailbox Scanner entry is added to the left-hand side menu.

6. Go to Exchange Mailbox Scanner.


Installing from Endpoint Manager


Endpoint Protection 11.x must already be installed and managed by an Endpoint Manager on the
designated MS Exchange Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 29)

2. Create a new policy.


Enter a name and optionally a note and click Create.
The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the Exchange Mailbox Scanner product.

4. If necessary, edit the newly created policy’s default configuration.

5. Create a group.
To install the product on servers you must create a group in the Endpoint Manager console.
Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

Exchange Mailbox Scanner will be installed to all servers or computers in this group.

Updating
Obtaining frequent updates is critical to maintaining a secure computing environment. You should
configure automatic update of your Exchange Mailbox Scanner installation (unless you update from CD only).
In addition to the scanner engine components, the Internet update feature provides updates to Endpoint
Protection itself, including program updates.

Exchange Mailbox Scanner updates itself dynamically. A few minutes after new virus definitions are installed,
Exchange Mailbox Scanner will start to scan using the updated files.

Automatic update
Install and update settings are by default set to automatically update every second hour. To edit the update
method go to Install and Update > Settings > Select update method. Select Automatically every and
frequency from the drop-down menu. Click Save.

The scanner will adapt its version number so that previously scanned emails will be scanned
again with updated files on next access. This is provided that you have selected the option
Scan mailboxes at startup/update (see “Virus scanning” on page 78).


Getting started
Configuration can be done from Endpoint Manager or on the client locally. Once installed, the Exchange
Mailbox Scanner server plug-in entry appears on the Endpoint Protection’s left-hand side menu.

The Today and Total columns display today’s numbers and the accumulated numbers since the plug-in was
installed, respectively.

Configuration
Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

The following configuration options are identical to the options available from the Policies page on
the Endpoint Manager console. Please refer to “Configure policies” on page 30.

Settings


Virus scanning

Enable Real-time Scanner


Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Scan mailboxes at startup/update


Select this option if you want Exchange to scan all mailboxes on the server. A scan is performed each time
the server is restarted or the scanner is reloaded. All emails are scanned if new virus definition files are
added since the last scan. Mailboxes on the local computers will not be scanned when this option is on,
because this option applies to emails not yet downloaded from the user’s mailbox on the server.

This option is useful in a situation with the following scenarios: 1) Mailboxes on the server are already
infected, and 2) The administrator downloads new virus definition files each Friday after working hours. This
setting will ensure that all email is scanned during the weekend with updated antivirus tools.

Note that this option may generate unnecessary workload on the server. In most cases the real-time
scanner is sufficient.

Scan archive files


When this option is selected, Exchange Mailbox Scanner will scan recursively inside archive files for all
supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip,
IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like INNO,
Installshield, NSIS, SFX, VISE and WISE.

This will take more time and may consume more memory, but it’s the safest option to ensure that your server
is absolutely virus free.

Temporarily deny access if unable to scan


If an error occurs during the scanning of an attachment, access to the email is blocked. Such errors may
occur when the server is under heavy workload. The attachment will be scanned correctly the next time it’s
accessed. However, this may also affect damaged files, and access to damaged attachments is blocked. If
there are damaged emails and attachments on the server, you should deselect this option. Note the potential
risk of letting infected files pass uncleaned.


Virus handling
These settings decide how infected emails are managed.

Remove infected attachments


All infected attachments will be removed.

Clean infected attachments


All virus infected attachments will be cleaned. When the entire file is the actual virus, like trojan horses and
worms, the file is cleaned by deletion.

Remove attachment if not cleaned


If an error occurs during the cleaning of an attachment, it will be removed. If an archive file contains an
infected file, and cleaning within archives of that format is not possible, the archive file will be removed.

Quarantine
In this section you decide the handling of files that Exchange Mailbox Scanner has identified as infected or
in other ways suspicious. If you don’t clean or delete such files, we recommend that you isolate them in a
designated area, a quarantine.

As more Norman products are added to your existing installation, they will share the quarantine function and
use the same options as specified here. Thus you can maintain a consistent quarantine strategy. From the
drop-down list, these options are available:

Disabled
No files are quarantined.

Quarantine infected attachments


Select this option to quarantine infected attachments.

Quarantine only if deleted


Only deleted attachments are sent to quarantine.

Delete mass mailers from server


Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the
virus in itself, as the email is illegitimate with the sender missing. If you select this option, the entire email is
deleted, rather than only removing the infected attachment.


Attachment blocking

Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking
affects new emails as well as old mails already stored when these are accessed or scanned with different
configuration settings.

Incorrect use of the blocking utility may cause loss of data: in addition to deleting all new, incoming
attachments, old email attachments may be deleted too as a result of background or real-time
scanning. A visible warning appears when you select this option, and you should be aware of the
possible consequences.

Block all attachments


All attachments are blocked.

Block attachments with double extensions


Many worms and email viruses apply a technique where an additional extension is added, for example
<filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to
only have the extension .jpg. However, this feature is not only used by viruses: nexscan.hlp.zip and
todolist 20.dec.doc are both treated as double extensions.

Block attachments with CLSID extensions


Some worms and email viruses apply a CLSID technique in an attempt to fool email scanners and blocking
software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension
with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate
attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives


Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the
user into decrypting and running the file. One example is the Bagle worms, which send themselves as
encrypted archive attachments.

Legitimate files may be sent using the same method. If you select this option, all encrypted archive
files of a format known to the antivirus application will be blocked.

The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE,
ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk
image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.


Block list

Specify file names that should be blocked. The wildcard (*) is accepted for blocking specified extensions. The
wildcard may only replace the file name, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are
hardly critical. You should also consider blocking extensions/file types like .exe, .com and .bat, as these also
represent a potential risk for virus infections.

In this field you can also block specific attachments with names known to contain viruses, such as
AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated virus definition files
are available.


Appendix E: Exchange Transport Scanner

Introduction
Exchange Transport Scanner is an Endpoint Protection plug-in that offers virus protection. It is fully
compatible with the Microsoft Exchange Server. Scanning is performed on the Endpoint Protection server and no
software is needed on the Microsoft Exchange clients. Exchange Transport Scanner scans incoming email
attachments, guarding the main virus entry point in an Exchange environment.

How it works
A folder mx2 is created at the Norman root folder when Exchange Transport Scanner is installed. The
Exchange Transport Scanner path is %systemdrive%\Program Files\Norman\mx2.

The following files are copied into the mx2 directory during installation:

\bin\nx2agent.dll        Transport agent that communicates with the service
\bin\nx2installer.exe    Exchange Transport Scanner installer
\bin\nx2svc.exe          Exchange scanner service
\bin\release_notes.txt   Release Notes
\res\mx2.nts             Configuration database element

Exchange Transport Scanner uses a Transport Agent on the HubTransport server to access all emails and
attachments sent to and from the Exchange system. When the Exchange server starts, Exchange Transport
Scanner will analyze incoming emails and scan any file attachments for malware. Attachments containing
malware are removed before the email is delivered to its destination.

The Exchange Transport Scanner plugin is configured in the standard Endpoint Protection configuration
panel. It appears as a separate module in the configuration editor and gives access to Exchange Transport
Scanner specific settings, while messaging, updating etc. is configured in the common settings.

Activity log
Exchange Transport Scanner offers a comprehensive and robust malware incident activity log in the
Windows Event log and in the Endpoint Protection log file:

• Malware name (if known)
• Name of attachment
• Subject
• Creation time and date
• Name and address of originator
• Name of recipient(s)
• Action taken (cleaned, removed, quarantined)

From the Endpoint Protection module’s Support Center > Messaging Log Viewer you can view incidents
from Exchange Transport Scanner.


System Requirements
Exchange Transport Scanner requires that an Endpoint Protection 11.x client is installed on the Microsoft
Exchange server.

Supported versions: MS Exchange from 2010 SP2 to 2013 CU4/SP1

Antivirus products from other vendors may be incompatible with Endpoint Protection. You should
uninstall other antivirus programs before installing Endpoint Protection.

Exchange Transport Scanner must be installed on the Windows server where the MS Exchange Server is
installed.

You must be logged in to the system with administrator privileges in order to install the program.

Installation
Exchange Transport Scanner must be installed on the Windows server where the HubTransport role of the
Microsoft Exchange Server is installed.

If you terminate the setup program during installation, the files that are already copied to your hard drive
must be removed manually.

Local installation
1. Download and install Endpoint Protection 11.x on your MS Exchange server

The license key must include Exchange Transport Scanner.

When the program is installed an N-icon will appear in the system tray menu.

2. Right-click the N-icon and select Endpoint Protection to open the program.

3. Go to Endpoint Protection > Install and Update.

4. From the Licensed Products list select Not installed for Exchange Transport Scanner.

5. Click Install from the popup dialog that appears.


Please wait while the program is installed and updates are downloaded. You may be required to restart
the MS Exchange server when the installation is complete.
An Exchange Transport Scanner entry is added to the left-hand side menu.

6. Go to Exchange Transport Scanner.


Installing from Endpoint Manager


Endpoint Protection 11.x must already be installed and managed by an Endpoint Manager on the
designated MS Exchange Servers.

1. Go to Endpoint Manager > Policies. (See “Policies” on page 29)

2. Create a new policy.


Enter a name and optionally a note and click Create.
The policy is created and the configuration for this policy is opened.

3. Select Install/Uninstall next to the Exchange Transport Scanner product.

4. If necessary, edit the newly created policy’s default configuration.

5. Create a group.
To install the product on servers you must create a group in the Endpoint Manager console.
Add the newly created policy to that group.

6. When these tasks have been completed, you can start dragging servers to this group.

Exchange Transport Scanner will be installed to all servers or computers in this group.

Updating
Obtaining frequent updates is critical to maintaining a secure computing environment. You should configure
automatic update of your Exchange Transport Scanner installation (unless you update from CD only). In
addition to the scanner engine components, the Internet update feature provides updates to Endpoint
Protection itself, including program updates.

Exchange Transport Scanner updates itself dynamically. A few minutes after new virus definitions are
installed, Exchange Transport Scanner will start to scan using the updated files.

Automatic update
Install and update settings are by default set to automatically update every second hour. To edit the update
method go to Install and Update > Settings > Select update method. Select Automatically every and
frequency from the drop-down menu. Click Save.


Getting started
Once installed, the Exchange Transport Scanner server plug-in entry appears on the Endpoint Protection’s
left-hand side menu.

The entry appears with a warning triangle. This indicates that you need to create a domain user before you
can start using the program.

To start using the program you must create a unique domain user.

Create a domain user


1. Enter domain, username and password and click Create.

Only Administrators or users with Administrator privileges can create a domain user. When creating
a domain user you will be prompted to log in as Administrator unless you have the privileges to
create a domain user.

The Today and Total columns display today’s numbers and the accumulated numbers since the plug-in was
installed, respectively.

Configuration
Note that after changing your configuration, it will take a couple of minutes for the new settings to take effect.

The following configuration options are identical to the options available from Policies in the
Endpoint Manager console. See “Configure policies” on page 30.


Block/Allow
Click Block/Allow from the main menu to configure attachment blocking and email blocking/allowing for the
scanner.

Block attachments

Specify file names that should be blocked. The wildcard (*) is accepted for blocking specific extensions. The
wildcard may only replace the file name, e.g. *.vbs. To the average user, file types like .vbs, .pif or .lnk are
hardly critical. You should also consider blocking extensions or file types like .exe, .com and .bat, as these
also represent a potential risk for virus infections.

In this field you can also block specific attachments with names known to contain viruses, such as
AnnaKournikova.jpg.vbs. This may be useful if you need to block a virus before updated malware definition
files are available.

Block/Allow email

Specify email addresses that should be blocked (senders) or allowed (senders/receivers). The asterisk (*) is
accepted as wildcard.

Use with caution: attachments from email addresses in the allow list will not be scanned for malware.


Settings
Click Settings from the main menu to configure general and advanced settings for the scanner.

General

Enable Exchange Transport Scanner


Select this option to enable email scanning. If you disable this option, no emails will be scanned.

Malware handling
Attempt to clean infected attachments
Select this option if you want Exchange Transport Scanner to attempt to clean infected attachments.

Quarantine infected attachments


Select this option to quarantine infected attachments.

Delete infected attachments


Select this option to delete infected attachments.

Domain User
This information displays the current domain and username.

Reset Domain User


To edit the domain and/or username click Reset Domain User and enter the new information.


Advanced

Email server
Protect users from mass mailers
Mass-mailers like Netsky and Bagle distribute themselves as emails. The email carrying the malware is the
virus in itself, as the email is illegitimate with the sender missing. If you select this option, the entire email is
deleted, rather than only removing the infected attachment.

This feature will only work for mass-mailers that carry a flag from the scanner engine that they are mass-
mailers. Most mass-mailers that appeared in March 2004 and later carry this flag.

Scan archives
When this option is selected, Exchange Transport Scanner will scan recursively inside archive files for all
supported formats. Formats currently supported are 7zip, ACE, ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS,
gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk image, TNEF, UIF, Z, ZIP and installers like
INNO, Installshield, NSIS, SFX, VISE and WISE.

This will take more time and may consume more memory, but it’s the safest option to ensure that your server
is absolutely virus free.

Attachment blocking
Blocking email attachments is an effective measure to stop viruses from entering your system. Blocking
affects new emails only.

Incorrect use of the blocking utility may cause loss of data.

Block all attachments


All attachments are blocked. See also the paragraph above.

Block attachments with double extensions


Many worms and email viruses apply a technique where an additional extension is added, for example
<filename>.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to
only have the extension .jpg. However, this feature is not only used by viruses; nexscan.hlp.zip and
todolist 20.dec.doc are both treated as double extensions.


Block attachments with CLSID extensions


Some worms and email viruses apply a CLSID technique in an attempt to fool email scanners and blocking
software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension
with a {...} extension and thus evade blocking of .exe files. Since there is no reason for legitimate
attachments to use this type of extension, this behavior is blocked by default.

Block encrypted archives


Another technique that worms apply is to distribute themselves as encrypted archive files, trying to trick the
user into decrypting and running the file. One example is the Bagle worms, which send themselves as
encrypted archive attachments.

Legitimate files may be sent using the same method. If you select this option, all encrypted archive
formats known to the antivirus application will be blocked. Unknown archive formats will also be
blocked.

The application recognizes most archive formats. The following formats are currently supported: 7zip, ACE,
ALZ, ARJ, BZIP2, CAB, CHM, cpio, SIS, gzip, IMP, Instyler, ISO, LHA, MSO, RAR, rpm, TAR, Teledisk
image, TNEF, UIF, Z, ZIP and installers like INNO, Installshield, NSIS, SFX, VISE and WISE.

Unsupported archives are also blocked.

Quarantine blocked attachments


Blocked attachments will be sent to the quarantine.

Delete blocked attachments


Blocked attachments will be deleted.


Headquarter
Norway www.norman.com

Offices
Denmark www.norman.com/dk
France www.norman.com/fr
Germany www.norman.com/de
Italy www.norman.com/it
Netherlands www.norman.com/nl
Norway www.norman.com/no
Spain www.norman.com/es
Sweden www.norman.com/sv
Switzerland www.norman.com/ch
United Kingdom www.norman.com/uk

International
Switzerland www.norman.com/ch

NORMAN CONTACT DETAILS


Norman Safeground AS | PO box 43, 1324 Lysaker, Norway | Office address: Strandveien 37, Lysaker
Tel: 67 10 97 00 | E-mail: norman@norman.com | www.norman.com

Norman Safeground AS is a wholly owned subsidiary of Norway’s only IT security company – Norman AS - established in 1984.
Norman Safeground is a global company and has customers in more than 180 countries. Our mission is to offer businesses and
home users premium protection from Internet threats through easy to use software – offering you peace of mind while we take care
of your security. We strive to understand and solve our customers’ and partners’ challenges and are passionate about providing
high quality personal service.

Copyright © 1990-2014 Norman Safeground AS
