Endpoint Protection

  • 1.  NTP enabled no matter what I do

    Posted Oct 23, 2009 08:10 AM
    It seems no matter what I do, Network Threat Protection is enabled on clients. I've created a new MSI package by right-clicking the latest 32bit Client Install Package and choosing Export. There I have selected our custom Client Install Settings and custom Client Install Feature Set. The feature set is configured to include everything except Network Threat Protection and the Lotus Notes stuff. The result is an MSI that I deploy via group policy.

    However, after deploying the client and letting it reboot and settle down for half an hour or so, when I log in and double-click the icon in the systray, Network Threat Protection is enabled. I googled this and found out that I should have a look in setAid.ini. I did and the relevant parts are as follows:

    SAVMain=1
    EMailTools=1
    OutlookSnapin=1
    NotesSnapin=0
    Pop3Smtp=1
    ITPMain=0
    Firewall=0
    PTPMain=1
    COHMain=1
    DCMain=0

    As you can see, the firewall is disabled so it should get installed.

    There is a firewall policy on the server, but it isn't assigned to any groups, so it shouldn't apply. I haven't tried unchecking "Enable this policy" because it doesn't make any sense to do so since it isn't assigned to any groups.

    I don't want NTP to be installed AT ALL on any clients. Anyone?

    Cheers,
    Rickard


  • 2.  RE: NTP enabled no matter what I do

    Posted Oct 23, 2009 08:16 AM
    Is there any package assigned to your groups which contains all the features?

    Check it in SEPM - Clients - highlight the group - click on Install Packages (on the right-hand side).
    Check for all the groups.

    If there is any, remove it.


  • 3.  RE: NTP enabled no matter what I do

    Posted Oct 23, 2009 08:28 AM
    Oddly enough, there is one assigned to one of the groups (staff/desktop). However, the package I'm playing with at the moment is in the student group and that group doesn't have any packages. Are you saying removing the package from the other group could affect this?

    Edit: Oh and also. Will removing that package affect existing installed clients?

    Cheers,
    Rickard


  • 4.  RE: NTP enabled no matter what I do

    Posted Oct 23, 2009 08:32 AM
    Removing the package won't affect any clients, as the package is only assigned to upgrade the clients; once all the clients are upgraded, it is not needed.
    However, removing the package might solve your issue. There might be some policy inheritance.
    Just try it. It won't do anything bad.


  • 5.  RE: NTP enabled no matter what I do

    Posted Oct 23, 2009 08:39 AM
    Please create a new test group. Move a few affected clients into that group. Now, you can assign an install package to the test group. The attached package will have a feature set that will have only the AV/AS. Then you can check if the changes are reflected in the client or not.

    If they are reflected, you can now assign the original feature set to the package to achieve what you are looking for.

    Best,
    Aniket



  • 6.  RE: NTP enabled no matter what I do

    Posted Oct 23, 2009 09:38 AM
    I tried removing the package as per Vikram's suggestion, but unfortunately, that had no effect.

    I'm not entirely sure what you mean, Aniket. I created a new group, assigned an install package that does not contain NTP and moved my test client into that group. I will have to wait for the two hour heartbeat though before the client contacts the server again and realizes that it has been moved. I fail to see how this is different from doing a complete reinstall of the client (which is what I've been trying so far). The whole concept of assigning an install package to a group is very confusing to me. What exactly does that do? We install our clients by creating MSI packages and then deploying them via group policy. What we're after is an MSI that doesn't install the firewall component at all.

    Forgive my impatience, but I'm getting increasingly frustrated with and confused about SEP. The product is very "consultant friendly".


  • 7.  RE: NTP enabled no matter what I do
    Best Answer

    Posted Oct 23, 2009 10:14 AM
    Seems like you are not the one.

    Check this discussion and make sure you have everything in place.

    https://www-secure.symantec.com/connect/forums/gpo-msi-install-installs-additional-components

    The MSI package that you have created for GP: what happens when you manually run that MSI? Does NTP get activated? Can you try that on one single test machine?



  • 8.  RE: NTP enabled no matter what I do

    Posted Oct 23, 2009 10:47 AM
    Thank you very much for that information, Rafeeq. This is indeed the bug we are suffering from. In short, when you deploy the SEP client via group policy, any and all settings in setAid.ini are ignored (because the file doesn't get parsed) so it doesn't matter what you check/uncheck in the install feature set.

    A workaround is to either install it via a group policy startup script (not ideal) or create a custom transform for the MSI in Orca. The latter workaround isn't exactly ideal either, but I prefer it to using a startup script. Here's some info in another topic:

    https://www-secure.symantec.com/connect/forums/deploy-clients-group-policy-unable-customise

    Deployment via Group Policy is extremely common in corporate scenarios, so the fact that this is an issue is a bit scary actually.
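
The mismatch described in this thread (a package whose setAid.ini excludes a feature, yet the client ends up with it) can be caught by comparing the intended flags with what a client actually reports. The following is an added example, not part of the original posts or of Symantec's tooling; the `OBSERVED_SAMPLE` set is constructed, and how it is collected from a client is left as an assumption.

```python
# Constructed sample: the setAid.ini feature flags quoted in the first post.
SETAID_SAMPLE = """\
SAVMain=1
EMailTools=1
OutlookSnapin=1
NotesSnapin=0
Pop3Smtp=1
ITPMain=0
Firewall=0
PTPMain=1
COHMain=1
DCMain=0
"""

# Constructed sample: features a hypothetical inventory step found on a client.
OBSERVED_SAMPLE = {"SAVMain", "EMailTools", "OutlookSnapin", "Pop3Smtp",
                   "ITPMain", "Firewall", "PTPMain", "COHMain"}


def parse_feature_flags(text):
    """Return {feature: bool} for every KEY=0 / KEY=1 line in the text."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section headers.
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        value = value.strip()
        # Only 0/1 values are feature switches; other settings are ignored.
        if sep and value in ("0", "1"):
            flags[key.strip()] = value == "1"
    return flags


def feature_drift(intended, observed):
    """Compare intended flags with the set of features seen on a client."""
    unexpected = sorted(f for f in observed if not intended.get(f, False))
    missing = sorted(f for f, on in intended.items() if on and f not in observed)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    intended = parse_feature_flags(SETAID_SAMPLE)
    print(feature_drift(intended, OBSERVED_SAMPLE))
```

A non-empty `unexpected` list means the client carries features the package was configured to leave out, which is the symptom reported here.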