Endpoint Protection

  • 1.  Compatibility

    Posted Jul 06, 2020 11:40 AM
    Edited by Kevin Pham Jul 06, 2020 12:20 PM
    Hi Everyone, I was hoping to get some guidance about how various OS versions and SEP versions work together.

    - Our existing SEP server is v12.x running on Windows 2003
    - I installed a new SEP server v14.x running on Windows 2016
    - I began migrating clients by updating the sylink.xml (most are Windows 2012 and 2016)

    We have a few Windows 2003/2008 with SEP clients v11.x. These servers still run legacy applications and we cannot really upgrade the OS nor the SEP client. The only thing we can do with them is allowing them to run their course until their decom day.

    I'd like to only migrate these clients v11.x to the SEP 14.x server and only obtain the signature updates. Will this still work? I know they don't have compatibility. If this does work, how would I manually migrate them? They don't seem to have the usual sylink.xml file like version 12.x does.


  • 2.  RE: Compatibility

    Posted Jul 06, 2020 12:14 PM
    Edited by Kevin Pham Jul 06, 2020 12:16 PM
    I found the SyLink.xml file for Windows 2003 in a different location (same as binaries).
    But the trouble is the server won't let me update this file because it's in use.

    There's no possible way to temporarily stop the smc.
    The command exists, shows no error but does not actually stop the smc.
    Tried to kill the smcgui.exe process but it immediately starts a new one.

    Would appreciate any assistance guys :)


  • 3.  RE: Compatibility

    Broadcom Employee
    Posted Jul 07, 2020 09:52 AM
    Hi Kevin.
    Obviously I'm going to start out and recommend updating both your OS and SEP clients but I do understand that they are legacy.
    The old versions of SEP client can still communicate with the newer SEPManagers. It has been a long time since I dealt with the SAV11 clients so I do not remember the exact path to click on. But, the process you will want to do is go into the SEPM and navigate to the group that you want the legacy machine to be added to. Export a communications package for that group. This contains the sylink, certificate, and group information that the client will need to talk to the new SEPM. Copy that file to the client.
    On the client, in the Help>Troubleshooting section (forgive me if they are named differently) there should be an "Import Communications" button.  Use that and point to the communications package file that you copied over.  This may require you to disable tamper protection if you have that enabled and/or require your password to update the communication settings.  (That all depends on your configurations.)
    Once that is done, the client should now reach out to the new SEPM with the credentials in the communications package and add itself to the proper group.

    Disclaimer:
    I do not have any SAV11 clients to test this on and cannot remember the correct buttons to click on.  So you may need to adjust what to click on and/or the client may not have this option.  I can't remember if that version had that capability, for sure.  Same concept as the sylink drop tool but built in to the client.
    I strongly recommend upgrading SEP client and OS to reduce vulnerabilities and utilize the newer features.

    Let me know if this does or doesn't work for you.  There are other options to accomplish this as well but require a little more work.

    ------------------------------
    Lance Ghramm
    DSE
    Broadcom/Symantec Enterprise Division
    United States
    ------------------------------



  • 4.  RE: Compatibility

    Posted Jul 08, 2020 05:34 PM
    Hey Lance,


    Thanks for your thorough post! This is much appreciated.

    I did in fact do what you mentioned for all of our SEP12.x clients and they report to the new SEPM quite nicely. My original plan for this was:
    - smc stop
    - replace sylink.xml
    - smc start

    But your instructions actually got me through much more quickly because the file path is long. Typing/clicking through them is painful enough when I have a few hundred VMs to deal with.

    My issue still remains with the Windows 2003 clients: Clicking the import button for communications settings won't work with the error "This operation is not supported for a managed client". While the same action works with all the v12.x.

    That's why I tried to go with manually replacing the SyLink.xml file but it's always protected by an in use process. I don't have the luxury to boot the server into safe mode to get access to it. The anti tampering mechanism is preventing this I believe.
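
The stop, replace, start sequence from the post above, as an added PowerShell example (not code from the thread or from Symantec): it waits for the Smc process to exit before touching SyLink.xml, which is the failure described in post 2. The function and parameter names are hypothetical, every path must be supplied by the administrator, and `-stop` / `-start` and the process name `Smc` are assumed to be what "smc stop" / "smc start" refer to.

```powershell
# Added example; function and parameter names are hypothetical.
# $SepDir     : folder holding Smc.exe on this client (not given in the thread)
# $SylinkPath : the client's live SyLink.xml (location differs between versions)
# $NewSylink  : SyLink.xml exported from the new SEPM for the target group
function Update-SepSylink {
    param(
        [Parameter(Mandatory=$true)][string]$SepDir,
        [Parameter(Mandatory=$true)][string]$SylinkPath,
        [Parameter(Mandatory=$true)][string]$NewSylink,
        [int]$TimeoutSeconds = 60
    )
    $smc = Join-Path $SepDir 'Smc.exe'
    foreach ($p in $smc, $SylinkPath, $NewSylink) {
        if (-not (Test-Path $p)) { throw "Missing file: $p" }
    }
    # Refuse to push a file that is not well-formed XML.
    try { [void][xml](Get-Content -Path $NewSylink | Out-String) }
    catch { throw "Not well-formed XML: $NewSylink" }

    # Step 1: ask the client to stop (assumed flag form of "smc stop").
    & $smc -stop
    # The command can return without error while the client keeps running,
    # so wait for the process to exit instead of trusting the exit code.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (Get-Process -Name 'Smc' -ErrorAction SilentlyContinue) {
        if ((Get-Date) -gt $deadline) {
            throw "Smc still running after $TimeoutSeconds s; SyLink.xml left untouched."
        }
        Start-Sleep -Seconds 2
    }

    # Step 2: keep a copy of the old file, then replace it.
    $backup = "$SylinkPath.bak"
    Copy-Item -Path $SylinkPath -Destination $backup -Force
    try {
        Copy-Item -Path $NewSylink -Destination $SylinkPath -Force -ErrorAction Stop
    } catch {
        # File still locked or write blocked: restart the client on the old settings.
        & $smc -start
        throw "Could not replace SyLink.xml: $($_.Exception.Message)"
    }

    # Step 3: start the client so it checks in with the new manager.
    & $smc -start
    return $backup
}
```

If the function throws at the wait loop, the client was never stopped and nothing on disk has changed, so the next thing to check is the client's policy rather than the file.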


  • 5.  RE: Compatibility

    Broadcom Employee
    Posted Jul 08, 2020 06:21 PM
    Kevin,
    To verify if Tamper Protection is blocking it, check the logs on the client after attempting to do the import.  One of the logs should have the event.  I'm not sure which one it writes to, though.  It should mention Tamper Protection blocking the communications import.
    The easiest way to get around that would be to log into the old SEP Manager and go to the group that the 2003 clients are in.  Update the policy to remove Tamper Protection.  Should be under General or Communications setting. 
    Once the clients check in and get the new policy, it'll turn off Tamper Protection on the clients and then you'll be able to run the import for the communications package.

    ------------------------------
    Lance Ghramm
    DSE
    Broadcom/Symantec Enterprise Division
    United States
    ------------------------------