================================================================================

====
Symantec Endpoint Protection README.TXT Date: December 2007
Copyright (c) 2007 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, LiveUpdate, Sygate, Symantec AntiVirus, Bloodhound,
Confidence Online, Digital Immune System, Norton, and TruScan are trademarks or
registered trademarks of Symantec Corporation or its affiliates in the U.S. and
other countries. Other names may be trademarks of their respective owners.
The Licensed Software and Documentation are deemed to be commercial computer sof
tware as defined in FAR 12.212 and subject to restricted rights€as defined in FAR
Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 2
27.7202, Rights in Commercial Computer Software or Commercial Computer Software D
ocumentation , as applicable, and any successor regulations.€ Any use, modification,
reproduction release, performance, display or disclosure of the Licensed Softwa
re and Documentation by the U.S. Government shall be solely in accordance with t
he terms of this Agreement.
================================================================================
====

================================================================================
====
README FILE
Please review this document in its entirety before you install or roll out Syman
tec Endpoint Protection, or call for technical support. It contains information
that is not included in the Symantec Endpoint Protection documentation or the on
line Help.
================================================================================
====

================================================================================
====
TABLE OF CONTENTS
This document contains the following sections:

* Installation and uninstallation

* Migration
* Symantec Endpoint Protection Manager
* Symantec Endpoint Protection policy
* Symantec Endpoint Protection client
* Documentation
* Third-party
* Symantec License Agreement
================================================================================
====
================================================================================
====

================================================================================
====
INSTALLATION AND UNINSTALLATION
================================================================================
====
--------------------------------------------------------------------------------
----
BEST PRACTICE: Deploy Silent installation packages on computers that run Microso
ft Vista
--------------------------------------------------------------------------------
----
When remotely deploying Symantec client software to Windows Vista, such as with
the Push Deployment Wizard, interactive and some unattended installation types t
rigger Windows Vista user prompts. The first user prompt informs users with "A p
rogram can't display a message on your desktop" with the option to "Show me the
message." To complete the installation, users must select "Show me the message,
" click through the Symantec client installation prompts, and then automatically
log off Vista before installation completes. Upon logging on again, they click
"Show me the message" again and client installation completes.
By choosing the silent installation type for all Vista remote deployments, or by
choosing unattended installation type that does not fail a pre-installation che
ck, these Vista prompts and activity do not appear. Also, deploying unmanaged so
ftware from a client software CD installation directory, which is an interactive
installation type, does not display these prompts and acts as a silent installa
tion type.
The following conditions cause the Vista user prompts to appear:
- Using a Symantec Endpoint Protection Manager exported package marked as Intera
ctive
- Using a Symantec Endpoint Protection Manager or a Migration and Deployment Wiz
ard exported package marked as Unattended AFTER an Interactive package was attem
pted (and stopped or canceled).
- Using the console's AutoUpgrade feature and a pre-installation check failed or
a pending restart is needed.
- Using an incorrect or pre-installation checked and blocked package for the fol
lowing reasons:
-> 64-bit package on 32-bit system
-> 32-bit package on 64-bit system
-> Pending restart needed
-> Symantec Network Access Control during migration from legacy Symantec clien
t software
BEST PRACTICE: Deploy silent client installation packages to Microsoft Vista ope
rating systems.
---------------------------------------------------------------------
Remote Symantec Endpoint Protection Manager Console requires Java 1.5
---------------------------------------------------------------------
The Remote Symantec Endpoint Protection Manager Console runs on Java version 1.5
.0_12. If this version is not on the computer targeted for installation, it is i
nstalled automatically. The Installation Guide for Symantec Endpoint Protection
and Symantec Network Access Control incorrectly lists this version as 1.4.2.
--------------------------------------------------------------------------------
----
Successfully installing Symantec Endpoint Protection Manager on SQL Server 2005
64-bit edition
--------------------------------------------------------------------------------
----
If you install Symantec Endpoint Protection Manager and select to install a data
base on Microsoft SQL Server 2005 64-bit edition, the installer does not correct
ly locate the file named bcp.exe. The Management Server Configuration Wizard loo
ks for bcp.exe in the directory named %SystemDrive?=%\Program Files\Microsoft SQ
L Server\90 \Tools\Binn. This directory is correct for Microsoft SQL Server 2005
32-bit edition, but is incorrect for the 64-bit edition.
The correct directory, which you must manually type, is %SystemDrive%\Program Fi
les\Microsoft+ SQL Server\90\Tools\Binn. For example, C:\Program Files\Microsoft
+ SQL Server \90\Tools\binn.
----------------------------------------------------------------------
Symantec Endpoint Protection Manager requires TCP port 9090 by default
----------------------------------------------------------------------
Symantec Endpoint Protection Manager uses TCP 9090 to display the Symantec Endpo
int Protection Manager Console. If other software is listening on this port, you
cannot log on to the Symantec Endpoint Protection Manager Console. Note that Sy
mantec IM Manager uses TCP port 9090. If you are required to run Symantec Endpoi
nt Protection Manager Console on a computer that also requires other software th
at uses TCP port 9090, you can change the port for Symantec Endpoint Protection
Manager Console.
To change TCP port 9090, edit the following file with WordPad (Notepad does not
correctly show the XML line feeds):
\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml
Search for port=9090 and change 9090 to a different TCP port number. Save the fi
le, and then restart Symantec Endpoint Protection Manager with the Administrativ
e Tools > Services utility. You can then log on to the Symantec Endpoint Protect
ion Manager Console.
Be aware, however, that changing port 9090 partially disables the online Help sy
stem. Every time you use Help, you will have to change 9090 in the URL to the ch
anged port number to display the Help text.
-------------------------------------------------------------------------------
Clearing the file cache after updating the Symantec Endpoint Protection Manager
-------------------------------------------------------------------------------
Symantec Endpoint Protection Manager caches and uses some php files in the tempo
rary Internet files directory. If you update the Symantec Endpoint Protection Ma
nager by installing it over a previous version, these cached files are not refre
shed with potentially new php files. As a result, after the installation is comp
lete, be sure to clear the Internet Explorer Temporary Files folder before loggi
ng onto the Symantec Endpoint Protection Manager. Temporary Internet files can b
e deleted in Internet Explorer 6 by clicking Delete Files under the Temporary In
ternet files group box on the General tab of the Internet Explorer Tools > Inter
net Options menu. In Internet Explorer 7, click Delete under Browsing History.
--------------------------------------------------------------------------------
----
Updating Host Integrity templates with LiveUpdate
--------------------------------------------------------------------------------
----
After upgrading Symantec Endpoint Protection Manager for Symantec Endpoint Prote
ction with Symantec Network Access Control, LiveUpdate does not automatically up
date the Host Integrity templates. To update the templates, you must explicitly
check the Host Integrity templates check box in the Content Types to Download di
alog box in the Symantec Endpoint Protection Manager Console. You can access The
Content Types to Download dialog box from the Admin page. Click a site and then
click Site Properties, click the LiveUpdate tab, and click Change Selection in
the Content Types to Download group box.
-----------------------------------------------------------------------
Symantec Endpoint Protection compatibility with with Norton Confidential
-----------------------------------------------------------------------
Symantec Endpoint Protection does not work properly when Norton Confidential is
on the same computer. If Symantec Endpoint Protection is installed first, Norton
Confidential does not install and is blocked. If Norton Confidential is install
ed first, Symantec Endpoint Protection does install. If you install both softwar
e programs on the same computer, Symantec Endpoint Protection does not properly
process the application Whitelist. The application Whitelist contains signatures
of applications that are permitted to run on computers by Proactive Threat Prot
ection.
--------------------------------------------------------------------------------
----
Lotus Notes and Microsoft Outlook email protection are not installed by default
when using the CD
--------------------------------------------------------------------------------
----
By default, Antivirus and Antispyware email protection for Lotus Notes and Micro
soft Outlook is not installed when you install Symantec Endpoint Protection from
the CD. To install Lotus Notes or Microsoft Outlook email protection, customize
the installation and check the email program that you want to protect. Internet
Email protection is never installed on server operating systems for performance
reasons.
------------------------------------------------
Encryption key, preshared key, and shared secret
------------------------------------------------
The Installation Guide for Symantec Endpoint Protection and Symantec Network Acc
ess Control uses several words for the term encryption key. You created this enc
ryption key during installation, and it is required for disaster recovery and fo
r Enforcer connectivity. The legacy term preshared key in some instances was not
changed to encryption key, and you will also notice some instances of shared se
cret and secret key. All of these terms refer to the encryption key that was cre
ated during installation.
-------------------------------------------------
Antivirus protection installation files for Linux
-------------------------------------------------
Symantec AntiVirus protection installation files for Linux are included on the s
upplementary installation CD. The installation files are in the directory named
SAVFL, which includes installation and user documentation. Symantec AntiVirus fo
r Linux is supported in unmanaged mode only.
-------------------------------------------------------------------------
LiveUpdate Server installation to DBCS-named directories is not supported
-------------------------------------------------------------------------
LiveUpdate Server installation in directories that contain the double-byte chara
cter set (DBCS) is not supported. If you install LiveUpdate Server in a director
y that contains double byte characters, LiveUpdate Server does not work properly
. Installing LiveUpdate Server to a DBCS directory indicates a customized instal
lation path. If you install LiveUpdate Server to the default path on a DBCS oper
ating system, LiveUpdate Server works properly.
-----------------------------------------------------------------
Uninstalling Symantec Endpoint Protection Managers that replicate
-----------------------------------------------------------------
If you attempt to uninstall Symantec Endpoint Protection Manager that is set up
for replication, first disable replication. Then, restart the computer on which
you want to uninstall Symantec Endpoint Protection Manager, and perform the unin
stallation.
If you attempt to uninstall the Symantec Endpoint Protection Manager that was re
plicating and you receive a log file error, cancel the uninstallation, restart t
he computer, and then uninstall the Symantec Endpoint Protection Manager.
--------------------------------------------------------------------------------
----
Uninstalling Symantec Endpoint Protection with Remote Desktop from Vista to Vist
a is not supported
--------------------------------------------------------------------------------
----
Uninstalling Symantec Endpoint Protection with Remote Desktop from a computer th
at runs Windows Vista on a client computer that runs Windows Vista is not suppor
ted and does not work. For example, you cannot start a Remote Desktop session fr
om a computer that runs Microsoft Vista and log on to a computer that runs Micro
soft Vista and Symantec Endpoint Protection, and uninstall Symantec Endpoint Pro
tection.
If you attempt the uninstallation from a computer that runs Microsoft Vista, a M
icrosoft Vista restart prompt appears, due to a pending change. If you restart M
icrosoft Vista, and reattempt to uninstall Symantec Endpoint Protection, the Mic
rosoft Vista restart prompt appears again, due to a pending change.
You can uninstall Symantec Endpoint Protection from a computer that runs Windows
XP. For example, you can start a Remote Desktop session from a computer that ru
ns Windows XP and log on to a computer that runs Microsoft Vista and Symantec En
dpoint Protection, and then uninstall Symantec Endpoint Protection.
--------------------------------------------
Uninstalling Symantec Network Access Control
--------------------------------------------
Before you can correctly uninstall Symantec Network Access Control, you must res
tart the computer on which you installed Symantec Network Access Control at leas
t once. If you do not restart the computer, your uninstallation will fail.
If you attempted to uninstall Symantec Network Access Control without restarting
the computer, your uninstallation process partially completes. To uninstall Sym
antec Network Access Control, you must reinstall Symantec Network Access Control
, restart the computer, and then uninstall Symantec Network Access Control.
--------------------------------------------------------------------------------
----
Upgrading Symantec Endpoint Protection to Release Update 1 (11.0.1000)
--------------------------------------------------------------------------------
----
If the client packages do not install properly on some client computers, try upg
rading the Symantec Endpoint Protection Manager to Release Update 1.
--------------------------------------------------------------------------------
----
Upgrading Symantec Endpoint Protection to Release Update 1 (11.0.1000) to use th
e AutoUpgrade feature
--------------------------------------------------------------------------------
----
If you use the AutoUpgrade feature to upgrade the client installation packages,
you may want to upgrade to the Symantec Endpoint Protection Manager Release Upda
te 1 first.

================================================================================
====
MIGRATION
================================================================================
====
---------------------------------------------
Web site for the latest migration information
---------------------------------------------
You can find the latest information about migration at the following Web site:
http://www.symantec.com/endpointsecurity/migrate
--------------------------------------------------------------------------------
----
Migrating legacy Symantec AntiVirus servers to Symantec Endpoint Protection clie
nts does not unshare the VPHOME directory
--------------------------------------------------------------------------------
----
Legacy Symantec AntiVirus and Symantec Client Security servers create and use a
shared directory. The location of the shared directory is \\Program Files\SAV. T
he name of the share is VPHOME. In some instances, after migration to Symantec E
ndpoint Protection client, this directory and share is retained with read-only p
ermission.
To delete the VPHOME share:
1. Right-click the \\Program Files\SAV directory.
2. Click Properties.
3. In the SAV Properties dialog box, on the Sharing tab, click Do Not Share This
Folder, if it is enabled.
--------------------------------------------------------------------------------
----
Upgrading Symantec Network Access Control unmanaged client to Symantec Endpoint
Protection unmanaged client requires a restart
--------------------------------------------------------------------------------
----
If you install a Symantec Network Access Control unmanaged client on a computer,
and then install a Symantec Endpoint Protection client as an upgrade on the sam
e computer, you must manually restart the computer. No restart prompt appears. T
he Symantec Endpoint Protection client status is colored red until this restart
occurs.

================================================================================
====
SYMANTEC ENDPOINT PROTECTION MANAGER
================================================================================
====
------------------------------------------------------------
Uni-lingual Support for Symantec Endpoint Protection Manager
------------------------------------------------------------
The Symantec Endpoint Protection Manager server supports a uni-lingual user inte
rface. This means that a specific language operating system can only install and
run that same language on the Symantec Endpoint Protection Manager Console. The
end user must configure the user locale to be the same as the operating system
language when running the Symantec Endpoint Protection Manager Console.
- A specific language Symantec Endpoint Protection Manager server only supports
the Symantec Endpoint Protection Manager console that is in English language or
in the same specific language as the server.
- The Symantec Endpoint Protection Manager server and the Symantec Endpoint Prot
ection Manager console must both be configured to use a user locale that is the
same as the operating system language.
---------------------------
Internationalization
---------------------------
Symantec Endpoint Protection Manager internationalization (I18N) limitations inc
lude the following:
- Computer names, domain names, and work group names in non-English characters a
re supported with the following limitations.
- Network audit may not work for those names that use either a double-byte chara
cter set or a hi-Ascii character set. These names include host names, domain nam
es, and user names.
- Double-byte character set names or hi-Ascii character set names may not displa
y properly on the Symantec Endpoint Protection Manager Console or on the Symante
c Endpoint Protection Manager client user interface.
- Long double-byte or hi-Ascii character set host names cannot be longer than wh
at the NETBIOS allows. If the host name is longer than what the NETBIOS allows,
the Home, Monitors, and Reports pages do not appear on the Symantec Endpoint Pro
tection Manager Console.
- A client computer that is named with a double-byte or hi-Ascii character name
does not work as a Group Update Provider.
Use only English characters in the export path when you:
- Export a client package.
- Define the server data folder on the second page of the Symantec Endpoint Prot
ection Manager Server Configuration Wizard.
- Define the installation path for the Symantec Endpoint Protection Manager.
- Define the credentials when you deploy the client to a remote computer.
- Define a group name. You can create a client package for those groups whose na
mes contain non-English characters. However, you may not be able to deploy the c
lient package using the Push Deployment Wizard when the group name contains non-
English characters.
- Some non-English characters that are generated on the server side may not appe
ar properly on the client user interface. For example, a double-byte character s
et location name does not appear properly on non-double byte character set named
client computers.
English text usage in the User Information dialog box:
- Do not use double-byte or hi-Ascii characters when providing feedback in the U
ser Information client computer dialog after you install the exported package.
Enabling I18n support in SQL 2000
- Double-byte, hi-Ascii, or mixed language environments using a SQL 2000 databas
e are required to enable batch mode processing.
To enable I18n support in SQL 2000:
1. On the Symantec Endpoint Protection Manager, open the following file:
c:\...\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties
2. Edit the file to add the following line:
scm.log.batchmode=1
3. Restart the Symantec Endpoint Protection Manager service.
--------------------------------------------------------------------------------
----
Logging into the Symantec Endpoint Protection Manager console via Internet Brows
er fails if the name of an administrator is added by using a double-byte charact
er set
--------------------------------------------------------------------------------
----
If you add the name of an administrator by using double-byte characters in the S
ymantec Endpoint Protection Manager, then the administrator can no longer log in
to the Symantec Endpoint Protection Manager console with an Internet browser. Th
e attempt to log into the Symantec Endpoint Protection Manager console fails.
However, the administrator can still log into the Symantec Endpoint Protection M
anager Java console directly rather than using an Internet browser.
--------------------------------------------------------------------
Symantec Endpoint Protection Manager fails to log in after repairing
--------------------------------------------------------------------
If you repaired the Symantec Endpoint Protection Manager through the 'Support In
formation' window in Add or Remove Programs, you cannot log in to the Symantec E
ndpoint Protection Manager again.
To correct this:
1. Launch Add or Remove Programs, select the Symantec Endpoint Protection Manage
r, and click Change.
2. In the Symantec Endpoint Protection Manager wizard, click Next, click Repair,
 and follow the instructions.
3. When asked, enter the password you specified earlier for the MS SQL database.
4. When you complete the repair process, launch and log in to the Symantec Endpo
int Protection Manager Console.
--------------------------------------------------------------------------------
----
Internet configuration settings needed to view the reporting functions in the Sy
mantec Endpoint Protection Manager console
--------------------------------------------------------------------------------
----
To view the information on the Home page, Monitors page, and Reports page in the
Symantec Endpoint Protection Manager console when using Internet Explorer, you
must have some minimum Internet Options settings enabled. Click "Custom Level" o
n the Security tab of the Tools > Internet Options menu to find these settings.
The following settings must be enabled when using Internet Explorer 6:
- Under ActiveX controls and plug-ins: Initialize and script ActiveX controls no
t marked as safe
- Under Miscellaneous: Submit nonencrypted form data
- Under Miscellaneous: User data persistence
- Under Scripting: Active scripting
The following settings must be enabled when using Internet Explorer 7:
- Under Miscellaneous: Submit non-encrypted form data
- Under Scripting: Active Scripting
- Under Scripting: Allow status bar updates via script
----------------------------------------------------------------
Email reports sent to Microsoft Outlook may not format correctly
----------------------------------------------------------------
A scheduled email report that is generated and then sent to Microsoft Outlook ma
y not be formatted correctly. The report may contain missing line feeds behind t
he different sections.
This issue occurs only when the recipient's Microsoft Outlook software has a set
ting enabled. In the E-mail Options pane, uncheck the "Remove extra line breaks
in plain text messages" checkbox. When this option is turned off, the email mess
age that is sent with the report is formatted correctly.
The following text shows the content of an email that contains the formatting is
sue:
=============================================
Report scheduled by: admin
Report generated on: 2007-04-04 21:31:19 Report type: System Report Report
description: Test description
=============================================

The following text shows the correct formatting of the email content:
=============================================
Report scheduled by: admin
Report generated on: 2007-04- 04 21:31:19
Report type: System Report
Report description: Test description
=============================================
--------------------------------------------------------------------------------
----
The reporting-related Web pages do not load when you have a database server with
a long DBCS host name
--------------------------------------------------------------------------------
----
The Home page, Monitors page, and Reports page do not load on computers where th
e database server has a DBCS name that is too long. In this case, ODBC does not
register the database correctly, so it does not load the reporting-related pages
. If possible, keep names to 15 characters or less. If a shorter name is not pos
sible, to work around this, you can use the Start menu > Symantec Endpoint Prote
ction Manager > Management Server Configuration Wizard and use an IP address for
the database server instead of the DBCS host name.
--------------------------------------------------------------------------------
----
When logging on through a Web browser, reporting tabs may not appear if the Inte
rnet Explorer cache is full
--------------------------------------------------------------------------------
----
If the tabs across the top of the page do not appear when logged onto the Symant
ec Endpoint Protection Manager reporting functions through a Web browser, try cl
earing the Internet Explorer temporary files cache. Delete temporary Internet fi
les in Internet Explorer 6 by clicking "Delete Files" under the Temporary Intern
et files group box on the General tab of the Internet Explorer Tools> Internet O
ptions menu. In Internet Explorer 7, click Delete under Browsing History.
-----------------------------------------
Printing the background colors in reports
-----------------------------------------
If you want to print the background colors when you print a report, you must ope
n the Internet Explorer Tools > Internet Options menu and check the "Print backg
round colors and images" check box on the Advanced tab.
--------------------------------------------------------------------------------
----
Site Status report display of memory use on Windows 2000 Server SP3
--------------------------------------------------------------------------------
----
On computers that run Windows 2000 Server, Service Pack 3, the Site Status repor
t always shows 0% memory usage. This error also occurs if you access the Site S
tatus information by clicking Health Status under Site Status on the Symantec En
dpoint Protection Manager Console. When you use Symantec Endpoint Protection, t
his information is located on the Summary tab; if you use only Symantec Network
Access Control, this information is located on the Home page. The information d
isplays correctly if the computer is updated to run Service Pack 4.
--------------------------------------------------------------------------------
----
In a few instances, log entries from an existing 5.x Symantec Sygate Enterprise
Protection database may display the wrong details
--------------------------------------------------------------------------------
----
If an existing Symantec Sygate Enterprise Protection 5.x database is upgraded to
this release, in rare cases the wrong details information may display. This pr
oblem only occurs if a great many client log entries were generated in the datab
ase in a very short span of time.
----------------------------------------------------------
Changes in database maintenance options do not take effect
----------------------------------------------------------
After you configure database maintenance options from the Admin > Servers page,
on the Database tab of the Site Properties dialog box in the Symantec Endpoint P
rotection Manager Console, the new options are not picked up by the database mai
ntenance task. To have the options take effect, you can stop and start the data
base maintenance task by typing the following URLs in this order from a web brow
ser located on the Symantec Endpoint Protection Manager server:
https://localhost:8443/servlet/ConsoleServlet?ActionType=ConfigServer&action=Sto
pTask&task=AgentSweepingTask
https://localhost:8443/servlet/ConsoleServlet?ActionType=ConfigServer&action=Sta
rtTask&task=AgentSweepingTask
Alternatively, you can log out of the console and restart the Symantec Endpoint
Protection Manager service from the Task Manager.

================================================================================
====
SYMANTEC ENDPOINT PROTECTION MANAGER POLICY
================================================================================
====
--------------------------------------------------------------------------------
----
Importing policies with names longer than 255 characters results in empty policy
names on the console
--------------------------------------------------------------------------------
----
If you import a policy, provide a name that is no longer than 255 characters. Us
ing a longer name results in an empty policy name.
------------------------------------------------------------------------------
More than one LiveUpdate session is required to obtain all the content updates
------------------------------------------------------------------------------
Some content may not be downloaded to the Symantec Endpoint Protection Manager c
omputer during the first LiveUpdate session.
To download the missing content, re-run the following command: LUALL
-------------------------------------------------------------------------
Disk full message erroneously appears when downloading LiveUpdate updates
-------------------------------------------------------------------------
If your network environment already supports the proxy servers that are complian
t with the HTTP 1.1 protocol or later, you can disregard this entry.
After you have tried to download LiveUpdate for the first time, the following me
ssage may appear:
"LU1863: Insufficient free disk space
There is not enough free disk space for LiveUpdate to operate properly. Please f
ree up disk space on your computer and run
LiveUpdate again."
You may have insufficient disk space. However, it is much more probable that thi
s message appears in error because the proxy server is unable to send the correc
t Contents-Length header field.
This error message may appear on Symantec Endpoint Protection Manager, a Symante
c Endpoint Protection client, or a Symantec Network Access Control client.
You may want to verify that the disk drive to which you downloaded LiveUpdate ha
s sufficient disk space. If you verified that the disk drive has sufficient spac
e, then most likely a proxy server caused the problem.
If a proxy server receives an HTTP reply that does not include a Content-Length
header field, then the above-listed message erroneously appears. The erroneous m
essage appears on the computer on which the LiveUpdate has been downloaded.
The proxy servers that are compliant with HTTP 1.1 protocols automatically inclu
de Content-Length header-entity fields. The proxy servers that are compliant wit
h HTTP 1.0 protocols do not automatically include Content-Length header-entity f
ields.
You may want to ensure that the proxy servers in your network are compliant with
the HTTP 1.1. protocol.
See the documentation that accompanies the proxy server for more information on
how to make a proxy server compliant with HTTP 1.1 protocols.
-------------------------------------------
Replicating LiveUpdate settings
-------------------------------------------
LiveUpdate site settings are not replicated. These settings affect what Symantec
Endpoint Protection Manager downloads and then distributes to clients. These se
ttings include the following:
- Download Schedule for LiveUpdate
- Download Type Setting for LiveUpdate
- Download languages
- LiveUpdate Server Configuration
As a result, if you use replication, manually set LiveUpdate site settings so th
at they match on each replicating server.
-----------------------------------------------
Setting the retry interval in the LiveUpdate policy
-----------------------------------------------
LiveUpdate Settings policies contain a LiveUpdate Retry Interval feature that do
es not work. With a LiveUpdate Settings policy, you can schedule how often clien
ts run LiveUpdate to check for updates from LiveUpdate servers. As part of this
scheduling, you can specify a Retry Interval. If a client does not successfully
run LiveUpdate at the scheduled time, the Retry Interval tells the client to kee
p trying to run LiveUpdate for a specified amount of time. If this feature is im
portant to you, the workaround is to update the scheduled frequency with which c
lients run LiveUpdate with the LiveUpdate Settings policy.
--------------------------------------------------------------------------------
----
Disabling all managed client content update methods results in no warning to the
user of out-of-date content
--------------------------------------------------------------------------------
----
If a managed client s antivirus and antisypware definitions or Intrusion Preventio
n signatures are out-of-date and you have disabled all update methods for manage
d clients in the Symantec Endpoint Protection Manager, then the managed client d
oes not report out-of-date content to the user. Managed client users are not war
ned in any way that their content is out of date.
---------------------------------------------------------
Syntax check on custom Intrusion Prevention signatures
---------------------------------------------------------
There is no syntax check when you create custom IPS signatures in the management
console. If the syntax is incorrect, the following message generated by the cli
ent appears in the message console on the client:
"FATAL: failed to apply a new IPS Library"
The following error also appears in the client system logs:
"Failed to apply IPS policy."
When you create custom IPS signatures, make sure that you follow the syntax rule
s in the context-sensitive help. A best practice is to create the rules and then
run them in a test environment before you apply them to a production environmen
t.
------------------------------------------------------------------------------
Assignment dialog box for Intrusion Prevention includes incorrect text strings
------------------------------------------------------------------------------
In the management console, when you create a custom Intrusion Prevention signatu
re and elect to assign the signature, the Assign Intrusion Prevention Policy dia
log box appears. In that dialog box, references to "Policy" should be "signature
."
--------------------------------------------------------------------------------
----
Custom IPS variables can be deleted even if an IPS signature still uses the vari
able
--------------------------------------------------------------------------------
----
The Symantec Endpoint Protection Manager lets you delete a custom IPS variable w
ithout a warning, even if a signature still uses the variable.
Before you delete a variable, make sure you have removed it from the content of
all signatures in a signature group.
--------------------------------------------------------------------------------
----
TruScan Proactive Threat Scan Technology detects a process that runs from a netwo
rk or mapped drive but the process does not appear in the list of detected proce
sses for centralized exceptions
--------------------------------------------------------------------------------
----
When a proactive threat scan detects a process that runs from a network or a map
ped drive, the event appears in the log on the client computer. However, the man
agement server does not register this event, so the event does not appear in the
 logs in the management console. You also cannot create an exception for the pro
cess because it does not appear in the list of detected processes for centralize
d exceptions.
-----------------------------------------------------------------------
Setting exclusions for volumes that have mount points and drive letters
-----------------------------------------------------------------------
On-demand scans
---------------
If you create a security risk exception for folders and files on a Windows mount
point or drive, the on-demand scans do not exclude these folders and files when
the client scans the volume content on that mount point or drive.
For example, suppose that drive E:\ is mounted to C:\Mount and you create an exc
eption for C:\Mount\Foo\. If the client scans E:\Foo\ or C:\Mount\Foo\, the on-d
emand scan does not exclude the folder content. And if you create an exception
for E:\Foo\ and the client scans C:\Mount\Foo\, the folder content does not get
excluded. However, if the client scans E:\Foo\, the on-demand scan does exclude
the folder content.
Auto Protect scans
------------------
If you create a security risk exception for folders and files on a Windows mount
point or drive, the Auto-Protect scans do not exclude the folders and files whe
n the client browses the volume content on that mount point or drive.
For example, if drive E:\ is mounted to C:\Mount and you create an exception for
C:\Mount\Foo\, the Auto - Protect scans do not exclude the E:\Foo\ or the C:\Mo
unt\Foo\ folder content.
If an excluded folder or file is a mount point, such as C:\Mount\Foo\, you must
manually add the alternate path with the drive letter (such as E:\Foo\) to the C
entralized Exceptions policy.
Exchange Server exceptions
-------------------------------------------------------
To find the paths for Exchange Server folder and file exceptions, refer to the f
ollowing registry locations:
On a 32-bit operating system: HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endp
oint Protection\AV\Exclusions
On a 64-bit operating system: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\S
ymantec Endpoint Protection\AV\Exclusions
For more information, refer to the Knowledge Base article at the Technical Suppo
rt Web site, located at the following URL: www.symantec.com/techsupp/
--------------------------------------------------------------------------------
----
Using Regedit.exe with Application Control
--------------------------------------------------------------------------------
----
Application and Device Control policies let you create Application Control rules
. Application Control rules let you block registry keys from being created on cl
ient computers. If you create an Application Control rule that blocks all access
to HKEY_LOCAL_MACHINE (HKLM) registry entries, and if a user uses Regedit.exe t
o create a registry entry under HKLM, Redit.exe crashes. This crash happens only
on Windows Vista.
--------------------------------------------------------------------------------
----
Blocking storage volumes with Application and Device Control on 32-bit operating
systems
--------------------------------------------------------------------------------
----
The Application and Device Control Policy blocks storage volumes on Windows XP o
nly and not on the Windows 2000 or Windows Vista operating systems.
----------------------------------------------------------
Blocking PS2 devices by using the setting Human interface Device
----------------------------------------------------------
The Application and Device Control Policy does not block human interface devices
(HIDs) such as PS2 devices. This functionality is by design.
The human interface device blocking functionality works as follows:
- USB block = The USB block blocks a USB mouse. However, a USB keyboard is not b
locked.
- HID block = The HID block blocks a mouse. However, a HID keyboard is not block
ed.
- If the device has a PS2 connection, nothing is blocked.
--------------------------------------------------------------------------------
----
Blocking Virtual CD/DVD drives with Application and Device Control policies
--------------------------------------------------------------------------------
----
If you configure a rule in an Application and Device Control Policy to block CD/
DVD drives, the rule only blocks hardware CD/DVD drives. It does not block virtu
al CD/DVD drives. The policy blocks the hardware CD/DVD drives by using a GUID.
Virtual drives do not have GUIDs.
--------------------------------------------------------------------------------
-
Using Application and Device Control Policies with Microsoft Vista symlinks
--------------------------------------------------------------------------------
-
Symbolic links, junctions, or hardware links (available in Windows Vista) cannot
be blocked or triggered using Application Control and Device Control protection
. This issue affects Symantec Endpoint Protection users who try to create Applic
ation and Device Control Policies which are applied to symbolic links to files,
folders, or applications on Windows Vista 32-bit platforms. You will know if thi
s problem has occurred if your rules do not trigger.
Do not use symbolic links for clients that run on Vista. Apply Application and D
evice Control Policy rules directly to a partition or a path.

================================================================================
====
SYMANTEC ENDPOINT PROTECTION CLIENT
================================================================================
====
-------------------------------------------------
Control Log on 64-bit clients
-------------------------------------------------
Because Application and Device Control protection is not available on 64-bit com
puters, the client Control Log on 64-bit clients contains no data. If you select
the Control Log from the View menu on the client, the last log you viewed appea
rs instead of the Control Log.
--------------------------------------------------------------
Default port number may not appear correctly on the System Log
--------------------------------------------------------------
A LiveUpdate policy that is created and then assigned to a group may display the
incorrect default port number. The default port number is 2967. This default po
rt number may appear as 0 in the System Log on the client computer.
----------------------------------------------------------------
Changing the LiveUpdate schedule prior to a restart on unmanaged clients
----------------------------------------------------------------
If the schedule is changed for how often LiveUpdate runs on unmanaged clients, t
he change does not take effect until the smc process is restarted, or until the
computer is restarted. For example, if the schedule is set for LiveUpdate to run
weekly, and if the schedule is changed to run daily, you must restart the proce
ss or computer.
To restart the process:
1. Display a command prompt.
2. Use the CD command to move to the \Symantec\Symantec Endpoint Protection dire
ctory.
3. Execute smc -stop
4. Execute smc -start
-----------------------------------------------------
Setting the LiveUpdate Missed Event Option on the client
-----------------------------------------------------
The Advanced options for Scheduled Updates contain a feature called Missed Updat
e Options that does not work. The Scheduled Updates feature lets Symantec Endpoi
nt Protection users specify how often to run LiveUpdate to check for updates fro
m LiveUpdate servers. As part of the Scheduling, you can set a retry interval wi
th the Missed Event Options. If a client does not successfully run LiveUpdate at
the scheduled time, the retry interval tells the client to keep trying to run L
iveUpdate for a specified amount of time. If this feature is important to you, t
he workaround is to update the scheduled frequency with which clients run LiveUp
date. This setting is located at Change Settings > Client Management Configure S
ettings > Scheduled Updates (tab) > Advanced.

--------------------------------------------------------------------------------
----
Using the firewall with a bridged connection
--------------------------------------------------------------------------------
----
A client computer that uses two network cards and that connects to the same netw
ork switch may not be able to communicate if the network uses a bridged connecti
on. When traffic passes through the firewall, the firewall can cause a packet st
orm so that the network cannot broadcast traffic. If a client computer uses two
NIC cards, uses a bridged connection, and cannot communicate, you may need to un
bridge the connection.
--------------------------------------------------------------------------------
----
Notification does not appear on a managed client computer when a proactive threa
t scan makes a detection and uses an action of "log only"
--------------------------------------------------------------------------------
----
If you configure proactive threat scan detection notifications to appear on clie
nt computers, and if the action for a proactive threat detection is log only, wh
en the scan makes the detection, a popup notification does not appear on a manag
ed client computer. If any other action is configured for the detection, a popup
notification always appears on the client computer. In either case, the user ca
n always view the detection information in the Proactive Threat Protection log.
--------------------------------------------------------------------------------
---
TruScan proactive threat scan status appears red on the client before LiveUpdate
runs
--------------------------------------------------------------------------------
---
When you install the client, the TruScan proactive threat scans use LiveUpdate t
o get its latest content. The Proactive Threat Protection status appears green w
hile the client waits to get its content updates from LiveUpdate. If you run a p
roactive threat scan before LiveUpdate downloads the latest proactive threat sca
n content, the TruScan status appears red.
--------------------------------------------
Pop-up blocker not appearing as expected
--------------------------------------------
The pop-up blocker that notifies you of a blocked application might not always a
ppear after each occurrence of a blocked application. This absence of a pop-up m
ight occur in the following situations:
- If you run one application multiple times within a short period.
- If you run the same application multiple times.
--------------------------------------------------------------------------------
----
Debug log settings apply to Antivirus and Antispyware Protection and Proactive T
hreat Protection scans
--------------------------------------------------------------------------------
----
In the Troubleshooting dialog, the debug log settings under the heading "Symante
c Endpoint Protection" apply only to Antivirus and Antispyware Protection and Pr
oactive Threat Protection scans.
--------------------------------------------------------------------------------
----
Tamper Protection user interface setting does not reflect the default on unmanag
ed clients
--------------------------------------------------------------------------------
----
By default, on unmanaged clients, Tamper Protection is set to block tampering at
tempts. When installed on unmanaged clients, the Tamper Protection user interfac
e erroneously shows that Tamper Protection is set to Log only for tampering atte
mpts. If you want Tamper Protection to Log only, click "Change settings" and the
n beside Client Management, click "Configure Settings." On the Tamper Protection
tab, click "OK."
--------------------------------------------------------------------------------
----
If the user attempts to block a protocol driver from the View Network Activity o
r Application List dialog boxes, the firewall still allows the driver
--------------------------------------------------------------------------------
----
If the client runs a protocol driver, the driver appears in the Network Activity
dialog box and the Application List dialog box. If the user then tries to block
the driver from these dialog boxes, the firewall ignores the block action and c
ontinues to allow the driver. To work around the problem, the user can create a
firewall rule that blocks traffic from the protocol driver.
--------------------------------------------------------------------------------
----
The Windows Security Center status for Symantec Endpoint Protection Network Thre
at Protection
--------------------------------------------------------------------------------
----
If you type the smc -stop command to disable the client, the Windows Security Ce
nter (WSC) incorrectly states that "Windows detects that your computer is not cu
rrently protected by a firewall." The WSC should state that the firewall is disa
bled, or off.
--------------------------------------------------------------------------------
----
The Network Access Control-enabled Symantec Endpoint Protection client on Micros
oft Vista does not allow access the to a remote server
--------------------------------------------------------------------------------
----
If the Symantec Endpoint Protection client with Network Access Control is instal
led, the client does not allow the client access to a remote network server. The
refore, if you have Symantec Endpoint Protection clients with Network Access Con
trol that run on Microsoft Vista, you must create a firewall rule on the Symante
c Endpoint Protection Manager that allows access to remote servers.
To create the rule:
1. In the Symantec Endpoint Protection Manager Console, click Policies.
2. Under View Policies, click Firewall.
3. Choose the Firewall policy you want to edit.
4. In the Tasks pane, click Edit the Policy.
5. On the Firewall Policy page, click Rules.
6. Click Add Rule.
7. On the Add Firewall Rule Wizard page, click Next.
8. In the Select Rule Type pane, click Network Service and then click Next.
9. In the Specify Trusted Network Services pane, beside Network Neighborhood Bro
wsing, click the Enabled check box and then click Finish.
10. On the Firewall Policy page, click OK.
--------------------------------------------------------------------------------
----
If the user or a script runs the password-protected smc command and the supplied
password is incorrect, the client incorrectly returns a value of 0
--------------------------------------------------------------------------------
----
The administrator may require a password for the -stop, -importconfig, -exportco
nfig parameters for the smc command. When a user or a script runs the password-p
rotected smc command and the supplied password is wrong, the smc command incorre
ctly returns an error code of 0, which states that the password was successful.
Use a method other than the smc return value to check if the command was success
ful.
-----------------------------------------------------------------
Red "X" on Status page may indicate limited access to the product
-----------------------------------------------------------------
Restricted users cannot access all aspects of the product. Usually, those items
are grayed out, but sometimes they appear with a red X. This does not indicate a
problem, but rather limited privileges.
---------------------------------------------------
System standby does not occur after designated time
---------------------------------------------------
You can set up system standby on your computer to occur after a designated time.
However, system standby never occurs on the computer on which you installed the
client despite the setting being enabled.
See the documentation that has been shipped with your operating system for more
information on how to enable system standby.
This problem may occur on all supported platforms on which you can install the c
lient.
If you want to correct this problem on the computer on which you installed the c
lient, you need to manually enable system standby. You can manually enable Stand
by in the Shutdown Windows dialog box.
See the documentation that has been shipped with your operating system for more
information on how to manually enable Standby.
--------------------------------------------------------------------------------
----
Client can no longer communicate with the DHCP server after a client s MAC address
has been deleted from the Trusted MAC list on the Symantec Endpoint Protection
Manager
--------------------------------------------------------------------------------
----
If you delete a client s MAC address from the "Trusted MAC" list in the Symantec E
ndpoint Protection Manager, a DHCP Enforcer s lease prevents a client from connect
ing to the network.
Therefore, the client can no longer communicate with the network until the DHCP
server s lease expires or the user executes the following command:
ipconfig /renew
If you want the user to wait for a DHCP server s lease to expire, the user may hav
e to wait for a long time. Administrators may have reset the default setting for
lease expiration on a DHCP server from minutes to hours due to bandwidth issues
.

================================================================================
====
DOCUMENTATION
================================================================================
====
---------------------------------------------------------------------------
ADMINISTRATION GUIDE
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Configuring the Symantec Endpoint Protection Manager to use RSA SecurID Authenti
cation
--------------------------------------------------------------------------------
-----
If you plan to authenticate administrators who use RSA SecurID, then the softwar
e for the RSA ACE Agent must be installed on the same computer on which the Syma
ntec Endpoint Protection Manager is installed. The Symantec Endpoint Protection
Manager also referred to as the management server. You also need to configure RS
A SecurID authentication on the management server.
The following sections replace the instructions in Chapter 19, Managing RSA Serve
rs of the Administration Guide for Symantec Endpoint Protection and Symantec Netw
ork Access Control.
- The About Prerequisites section in this README supersedes the About Prerequisites
section in Chapter 19 of the Administration Guide for Symantec Endpoint Protecti
on and Symantec Network Access Control.
- The Configuring RSA SecurID Authentication on the Symantec Endpoint Protection
Manager section in this README supersedes the Configuring an RSA ACE client section
in Chapter 19 of the Administration Guide for Symantec Endpoint Protection and
Symantec Network Access Control.
- The Creating SecurID Authentication user on the Symantec Endpoint Protection Ma
nager section has been added to this README and is not included in the Administra
tion Guide for Symantec Endpoint Protection and Symantec Network Access Control.

About Prerequisites
--------------------
If you want to authenticate administrators that use the Symantec Endpoint Protec
tion Manager with RSA SecurID, you need to enable encrypted authentication by ru
nning the RSA installation wizard.
Before you run the wizard, make sure that:
- You have an RSA ACE server installed
- The computer on which you installed the Symantec Endpoint Protection Manager i
s registered as a valid host on the RSA ACE server
- Create the Node Secret file for the same host
- The sdconf.rec file on the RSA ACE server is accessible on the network
- A synchronized SecurID card or key fob has been assigned to a Symantec Endpoin
t Protection Manager account. The logon name must be activated on the RSA ACE se
rver.
- The administrator has the RSA PIN or password available
- Symantec supports the following types of RSA logons:
- RSA SecurID token (not software RSA tokens)
- RSA SecurID card
- RSA keypad card (not RSA smart cards)
To log on to the Symantec Endpoint Protection Manager with the RSA SecurID, an a
dministrator needs a logon name, the token (hardware), and a pin number.

Configuring RSA SecurID authentication on the Symantec Endpoint Protection Manag

er
--------------------------------------------------------------------------------
--
If your corporate network includes an RSA server, you need to install the softwa
re for an RSA ACE Agent on the computer on which you installed the Symantec Endp
oint Protection Manager and configure it as SecurID Authentication client
To configure RSA SecurID authentication on the Symantec Endpoint Protection Mana
ger
1. Install the software for the RSA ACE Agent on the same machine on which you i
nstalled the Symantec Endpoint Protection Manager by running the RSA ACE Agent f
or Windows.msi file for that is located on the RSA Authentication Agent CD.
2. Copy the nodesecret.rec, sdconf.rec and agent_nsload.exe files from the RSA A
CE server to the computer on which you installed the Symantec Endpoint Protectio
n Manager.
3. At the command prompt type agent_nsload f nodesecret.rec p <password for the no
desecret file> to run agent_nsload.
The nodesecret file is now loaded.
4. In the Symantec Endpoint Protection Manager console, click Admin.
5. In the Admin page, under Tasks, click Servers.
6. In the Admin page, under View Servers, select the Symantec Endpoint Protectio
n Manager to which you want to connect an RSA server.
7. In the Admin page, under Tasks, click Configure SecurID authentication.
8. In the Welcome to the Configure SecurID Authentication Wizard panel, click Ne
xt.
9. In the Qualification panel of the Configure SecurID Authentication Wizard pan
el, read the prerequisites so that you can meet all the requirements.
10. Click Next.
11. In the Upload RSA File panel of the Configure SecurID Authentication Wizard
panel, browse for the folder in which the sdconf.rec file resides.
You can also type the path name.
12. Click Next.
13. Click Test to test your configuration.
14. In the Test Configuration dialog box, type the user name and password for yo
ur SecurID, and then click Test.
It now authenticates successfully.
Creating SecurID Authentication user on the Symantec Endpoint Protection Manager
--------------------------------------------------------------------------------
To create SecurID authentication user on the Symantec Endpoint Protection Manage
r
1. Log into Symantec Endpoint Protection Manager console.
2. In the Symantec Endpoint Protection Manager console, click Admin.
3. In the Admin page, under Tasks, click Administrators.
4. In the Administrators page, under Tasks, click Add Administrator.
5. In the Add Administrator dialog box, type the name of the user that you previ
ously configured for the RSA ACE client.
6. Click Change next to Authentication Type.
7. Select Authentication Type as RSA SecurID Authentication. Click Ok.
8. Log into Symantec Endpoint Protection Manager console by using this username
and tokencode as password.

---------------------------------------------------------------------------
Enforcer documentation
---------------------------------------------------------------------------
The latest Enforcer documentation includes the following documents:
- Administration Guide for Symantec Enterprise Protection and Symantec Network A
ccess Control
This document explains how to configure the management server to work with the E
nforcers. It also provides overviews of the Enforcers and how to set up Host Int
egrity Policies that run on the client computer.
- Symantec Network Access Control Enforcer Implementation Guide
This document explains how to install and configure the Enforcer software on an
Enforcer appliance. The Enforcer appliance works with Symantec Endpoint Protecti
on and Symantec Network Access Control.
You can locate this document at the following Symantec Technical Support web sit
e:
http://www.symantec.com/enterprise/support/documentation.jsp?pid=52788
- Symantec Network Access Control Enforcer Supplement to the Administration Guid
e for Symantec Endpoint Protection and Symantec Network Access Control
This document explains how to install and configure the Enforcer software on the
Symantec Endpoint Protection Manager. In addition, this document also describes
how to install, configure, and administer the Symantec Integrated Enforcer that
is installed and configured on a Microsoft (TM) DHCP server.
You can locate this document at the following Symantec Technical Support Web sit
es:
http://www.symantec.com/enterprise/support/documentation.jsp?pid=52788
http://www.symantec.com/enterprise/support/documentation.jsp?pid=54619
---------------------------------------------------------------------------
References to Policy Manager should be Symantec Endpoint Protection Manager
---------------------------------------------------------------------------
The Administration Guide sometimes refers incorrectly to the Symantec Endpoint P
rotection Manager as the Policy Manager.

==============================================================================
THIRD-PARTY ISSUES
==============================================================================
------------------------------------------------------------------------------
Symantec Endpoint Protection or Symantec Network Access Control client and a Nor
tel VPN client both fail to start when installed at the same time with Nortel VP
N AutoConnect enabled
------------------------------------------------------------------------------
If a Nortel VPN client and a Symantec Endpoint Protection or Symantec Network Ac
cess Control client are installed at the same time and the Nortel AutoConnect fe
ature is enabled, then when the computer is restarted, neither client starts and
neither system tray icon appears.
Restarting the computer may resolve the issue. If it does not, then as a workaro
und, disabling Nortel AutoConnect allows the Symantec Endpoint Protection or Sym
antec Network Access Control client to start. Because the AutoConnect feature ca
n be enabled by the VPN server, the user may need to disable the AutoConnect fea
ture after every VPN connection.
----------------------------------------------------------
Trend Micro OfficeScan 7.3 conflicts and installation order
----------------------------------------------------------
If you want to run Trend Micro OfficeScan 7.3 with Symantec client software, you
must install Trend Micro OfficeScan first, and then install Symantec client sof
tware. Otherwise, when the Trend Micro OfficeScan installer detects LiveUpdate,
it attempts to uninstall it, fails, and exits.
------------------------------------------------------------------------
The firewall does not work with Google Web Accelerator and Internet Explorer
------------------------------------------------------------------------
The firewall does not work with Google Web Accelerator in combination with Inter
net Explorer. This issue affects any Symantec Enterprise Protection client that
has both Internet Explorer and Google Web Accelerator installed.
The issue occurs when the client computer tries to use a firewall rule to block
access to a remote Web site. All platforms are affected.
Symantec Corporation recommends that you avoid using Internet Explorer, Google W
eb Accelerator, and firewall combinations. No workaround exists for this issue.

---------------------------------------------------------------------------
INSTALLATION GUIDE
---------------------------------------------------------------------------
--------------------------------------------------------------------------------
----
Memory requirements incorrect for 64-bit Symantec Endpoint Protection and Symant
ec Network Access Control
--------------------------------------------------------------------------------
----
The Memory requirements listed in Table 3-6 Symantec Endpoint Protection and Tab
le 3-7 Symantec Network Access Control should be 256 MB instead of 256 GB for th
e 64-bit versions.

==============================================================================
SYMANTEC SOFTWARE LICENSE AGREEMENT
==============================================================================
SYMANTEC SOFTWARE LICENSE AGREEMENT
SYMANTEC CORPORATION AND/OR ITS AFFILIATES ( SYMANTEC ) IS WILLING TO LICENSE THE LI
CENSED SOFTWARE TO YOU AS THE INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT
WILL BE UTILIZING THE LICENSED SOFTWARE (REFERENCED BELOW AS YOU OR YOUR ) ONLY ON TH
E CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT ( LICENSE A
GREEMENT ). READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFO
RE USING THE LICENSED SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN
YOU AND SYMANTEC. BY OPENING THE LICENSED SOFTWARE PACKAGE, BREAKING THE LICENS
ED SOFTWARE SEAL, CLICKING THE I AGREE OR YES BUTTON, OR OTHERWISE INDICATING ASSENT
ELECTRONICALLY, OR LOADING THE LICENSED SOFTWARE OR OTHERWISE USING THE LICENSE
D SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. IF
YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE I DO NOT AGREE OR NO BUTTO
N OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE LICENSED SOFTWARE
. UNLESS OTHERWISE DEFINED HEREIN, CAPITALIZED TERMS WILL HAVE THE MEANING GIVEN
IN THE DEFINITIONS SECTION OF THIS LICENSE AGREEMENT AND SUCH CAPITALIZED TERMS M
AY BE USED IN THE SINGULAR OR IN THE PLURAL, AS THE CONTEXT REQUIRES.
1. DEFINITIONS.
Content Updates means content used by certain Symantec products which is updated f
rom time to time, including but not limited to: updated anti-spyware definitions
for anti-spyware products; updated antispam rules for antispam products; update
d virus definitions for antivirus and crimeware products; updated URL lists for
content filtering and antiphishing products; updated firewall rules for firewall
products; updated intrusion detection data for intrusion detection products; up
dated lists of authenticated web pages for website authentication products; upda
ted policy compliance rules for policy compliance products; and updated vulnerab
ility signatures for vulnerability assessment products.
Documentation means the user documentation Symantec provides with the Licensed Sof
tware.
License Instrument means one or more of the following applicable documents which f
urther defines Your license rights to the Licensed Software: a Symantec license
certificate or a similar license document issued by Symantec, or a written agree
ment between You and Symantec, that accompanies, precedes or follows this Licens
e Agreement.
Licensed Software means the Symantec software product, in object code form, accomp
anying this License Agreement, including any Documentation included in, or provi
ded for use with, such software or that accompanies this License Agreement.
Support Certificate means the certificate sent by Symantec confirming Your purchas
e of the applicable Symantec maintenance/support for the Licensed Software.
Upgrade means any version of the Licensed Software that has been released to the p
ublic and which replaces the prior version of the Licensed Software on Symantec s
price list pursuant to Symantec s then-current upgrade policies.
 Use Level means the license use meter or model (which may include operating system
, hardware system, application or machine tier limitations, if applicable) by wh
ich Symantec measures, prices and licenses the right to use the Licensed Softwar
e, in effect at the time an order is placed for such Licensed Software, as indic
ated in this License Agreement and the applicable License Instrument.
2. LICENSE GRANT. Subject to Your compliance with the terms and conditions
of this License Agreement, Symantec grants to You the following rights: (i) a no
n-exclusive, non-transferable (except as stated otherwise in Section 16.1) licen
se to use the Licensed Software solely in support of Your internal business oper
ations in the quantities and at the Use Levels described in this License Agreeme
nt and the applicable License Instrument; and (ii) the right to make a single un
installed copy of the Licensed Software for archival purposes which You may use
and install for disaster-recovery purposes (i.e. where the primary installation
of the Licensed Software becomes unavailable for use).
2.1 TERM. The term of the Licensed Software license granted under this Licen
se Agreement shall be perpetual (subject to Section 14) unless stated otherwise
in Section 17 or unless You have obtained the Licensed Software on a non-perpetu
al basis, such as, under a subscription or term-based license for the period of
time indicated on the applicable License Instrument. If You have obtained the Li
censed Software on a non-perpetual basis, Your rights to use such Licensed Softw
are shall end on the applicable end date as indicated on the applicable License
Instrument and You shall cease use of the Licensed Software as of such applicabl
e end date.
3. LICENSE RESTRICTIONS. You may not, without Symantec s prior written consen
t, conduct, cause or permit the: (i) use, copying, modification, rental, lease,
sublease, sublicense, or transfer of the Licensed Software except as expressly p
rovided in this License Agreement; (ii) creation of any derivative works based o
n the Licensed Software; (iii) reverse engineering, disassembly, or decompiling
of the Licensed Software (except that You may decompile the Licensed Software fo
r the purposes of interoperability only to the extent permitted by and subject t
o strict compliance under applicable law); (iv) use of the Licensed Software in
connection with service bureau, facility management, timeshare, service provider
or like activity whereby You operate or use the Licensed Software for the benef
it of a third party; (v) use of the Licensed Software by any party other than Yo
u; (vi) use of a later version of the Licensed Software other than the version t
hat accompanies this License Agreement unless You have separately acquired the r
ight to use such later version through a License Instrument or Support Certifica
te; nor (vii) use of the Licensed Software above the quantity and Use Level that
have been licensed to You under this License Agreement or the applicable Licens
e Instrument.
4. OWNERSHIP/TITLE. The Licensed Software is the proprietary property of Sy
mantec or its licensors and is protected by copyright law. Symantec and its lice
nsors retain any and all rights, title and interest in and to the Licensed Softw
are, including in all copies, improvements, enhancements, modifications and deri
vative works of the Licensed Software. Your rights to use the Licensed Software
shall be limited to those expressly granted in this License Agreement. All right
s not expressly granted to You are retained by Symantec and/or its licensors.
5. CONTENT UPDATES. If You purchase a Symantec maintenance/support offering
consisting of or including Content Updates, as indicated on Your Support Certif
icate, You are granted the right to use, as part of the Licensed Software, such
Content Updates as and when they are made generally available to Symantec s end us
er customers who have purchased such maintenance/support offering and for such p
eriod of time as indicated on the face of the applicable Support Certificate. Th
is License Agreement does not otherwise permit You to obtain and use Content Upd
ates.
6. UPGRADES/CROSS-GRADES. Symantec reserves the right to require that any u
pgrades (if any) of the Licensed Software may only be obtained in a quantity equ
al to the number indicated on the applicable License Instrument. An upgrade to a
n existing license shall not be deemed to increase the number of licenses which
You are authorized to use. Additionally, if You upgrade a Licensed Software lice
nse, or purchase a Licensed Software license listed on the applicable License In
strument to cross-grade an existing license (i.e. to increase its functionality,
and/or transfer it to a new operating system, hardware tier or licensing meter)
, then Symantec issues the applicable Licensed Instrument based on the understan
ding that You agree to cease using the original license. Any such license upgrad
e or cross-grade is provided under Symantec's policies in effect at the time of
order. This License Agreement does not separately license You for additional lic
enses beyond those which You have purchased, and which have been authorized by S
ymantec as indicated on the applicable License Instrument.
7. LIMITED WARRANTY.
7.1. MEDIA WARRANTY. If Symantec provides the Licensed Software to You on tan
gible media, Symantec warrants that the magnetic media upon which the Licensed S
oftware is recorded will not be defective under normal use, for a period of nine
ty (90) days from delivery. Symantec will replace any defective media returned t
o Symantec within the warranty period at no charge to You. The above warranty is
inapplicable in the event the Licensed Software media becomes defective due to
unauthorized use of the Licensed Software. THE FOREGOING IS YOUR SOLE AND EXCLUS
IVE REMEDY FOR SYMANTEC S BREACH OF THIS WARRANTY.
7.2. PERFORMANCE WARRANTY. Symantec warrants that the Licensed Software, as d
elivered by Symantec and when used in accordance with the Documentation, will su
bstantially conform to the Documentation for a period of ninety (90) days from d
elivery. If the Licensed Software does not comply with this warranty and such no
n-compliance is reported by You to Symantec within the ninety (90) day warranty
period, Symantec will do one of the following, selected at Symantec s reasonable d
iscretion: either (i) repair the Licensed Software, (ii) replace the Licensed So
ftware with software of substantially the same functionality, or (iii) terminate
this License Agreement and refund the relevant license fees paid for such non-c
ompliant Licensed Software. The above warranty specifically excludes defects res
ulting from accident, abuse, unauthorized repair, modifications or enhancements,
or misapplication. THE FOREGOING IS YOUR SOLE AND EXCLUSIVE REMEDY FOR SYMANTEC S
BREACH OF THIS WARRANTY.
8. WARRANTY DISCLAIMERS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW,
THE WARRANTIES SET FORTH IN SECTIONS 7.1 AND 7.2 ARE YOUR EXCLUSIVE WARRANTIES
AND ARE IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUAL
ITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPE
RTY RIGHTS. SYMANTEC MAKES NO WARRANTIES OR REPRESENTATIONS THAT THE LICENSED SO
FTWARE, CONTENT UPDATES OR UPGRADES WILL MEET YOUR REQUIREMENTS OR THAT OPERATIO
N OR USE OF THE LICENSED SOFTWARE, CONTENT UPDATES, AND UPGRADES WILL BE UNINTER
RUPTED OR ERROR-FREE. YOU MAY HAVE OTHER WARRANTY RIGHTS, WHICH MAY VARY FROM ST
ATE TO STATE AND COUNTRY TO COUNTRY.
9. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE L
AW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL
PURPOSE, IN NO EVENT WILL SYMANTEC OR ITS LICENSORS, RESELLERS, SUPPLIERS OR AGE
NTS BE LIABLE TO YOU FOR (i) ANY COSTS OF PROCUREMENT OF SUBSTITUTE OR REPLACEME
NT GOODS AND SERVICES, LOSS OF PROFITS, LOSS OF USE, LOSS OF OR CORRUPTION TO DA
TA, BUSINESS INTERRUPTION, LOSS OF PRODUCTION, LOSS OF REVENUES, LOSS OF CONTRAC
TS, LOSS OF GOODWILL, OR ANTICIPATED SAVINGS OR WASTED MANAGEMENT AND STAFF TIME
; OR (ii) ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES WHETHER ARI
SING DIRECTLY OR INDIRECTLY OUT OF THIS LICENSE AGREEMENT, EVEN IF SYMANTEC OR I
TS LICENSORS, RESELLERS, SUPPLIERS OR AGENTS HAS BEEN ADVISED SUCH DAMAGES MIGHT
OCCUR. IN NO CASE SHALL SYMANTEC S LIABILITY EXCEED THE FEES YOU PAID FOR THE LIC
ENSED SOFTWARE GIVING RISE TO THE CLAIM. NOTHING IN THIS AGREEMENT SHALL OPERATE
SO AS TO EXCLUDE OR LIMIT SYMANTEC S LIABILITY TO YOU FOR DEATH OR PERSONAL INJUR
Y ARISING OUT OF NEGLIGENCE OR FOR ANY OTHER LIABILITY WHICH CANNOT BE EXCLUDED
OR LIMITED BY LAW. THE DISCLAIMERS AND LIMITATIONS SET FORTH ABOVE WILL APPLY RE
GARDLESS OF WHETHER OR NOT YOU ACCEPT THE LICENSED SOFTWARE, CONTENT UPDATES OR
UPGRADES.
10. MAINTENANCE/SUPPORT. Symantec has no obligation under this Licen
se Agreement to provide maintenance/support for the Licensed Software. Any maint
enance/support purchased for the Licensed Software is subject to Symantec s then-c
urrent maintenance/support policies.
11. SOFTWARE EVALUATION. If the Licensed Software is provided to You for eva
luation purposes and You have an evaluation agreement with Symantec for the Lice
nsed Software, Your rights to evaluate the Licensed Software will be pursuant to
the terms of such evaluation agreement. If You do not have an evaluation agreem
ent with Symantec for the Licensed Software and if You are provided the Licensed
Software for evaluation purposes, the following terms and conditions shall appl
y. Symantec grants to You a nonexclusive, temporary, royalty-free, non-assignabl
e license to use the Licensed Software solely for internal non-production evalua
tion. Such evaluation license shall terminate (i) on the end date of the pre-det
ermined evaluation period, if an evaluation period is pre-determined in the Lice
nsed Software or (ii) sixty (60) days from the date of Your initial installation
of the Licensed Software, if no such evaluation period is pre-determined in the
Licensed Software ( Evaluation Period ). The Licensed Software may not be transferr
ed and is provided AS IS without warranty of any kind. You are solely responsible
to take appropriate measures to back up Your system and take other measures to p
revent any loss of files or data. The Licensed Software may contain an automatic
disabling mechanism that prevents its use after a certain period of time. Upon
expiration of the Licensed Software Evaluation Period, You will cease use of the
Licensed Software and destroy all copies of the Licensed Software. All other te
rms and conditions of this License Agreement shall otherwise apply to Your evalu
ation of the Licensed Software as permitted herein.
12. U.S. GOVERNMENT RESTRICTED RIGHTS. The Licensed Software is deemed to be
commercial computer software as defined in FAR 12.212 and subject to restricted
rights as defined in FAR Section 52.227-19 "Commercial Computer Licensed Softwa
re - Restricted Rights" and DFARS 227.7202, Rights in Commercial Computer License
d Software or Commercial Computer Licensed Software Documentation , as applicable,
and any successor regulations. Any use, modification, reproduction release, per
formance, display or disclosure of the Licensed Software by the U.S. Government
shall be solely in accordance with the terms of this License Agreement.
13. EXPORT REGULATION. You acknowledge that the Licensed Software and relate
d technical data and services (collectively "Controlled Technology") are subject
to the import and export laws of the United States, specifically the U.S. Expor
t Administration Regulations (EAR), and the laws of any country where Controlled
Technology is imported or re-exported. You agree to comply with all relevant la
ws and will not to export any Controlled Technology in contravention to U.S. law
nor to any prohibited country, entity, or person for which an export license or
other governmental approval is required. All Symantec products, including the C
ontrolled Technology are prohibited for export or re-export to Cuba, North Korea
, Iran, Syria and Sudan and to any country subject to relevant trade sanctions.
You hereby agree that You will not export or sell any Controlled Technology for
use in connection with chemical, biological, or nuclear weapons, or missiles, dr
ones or space launch vehicles capable of delivering such weapons.
14. TERMINATION. This License Agreement shall terminate upon Your breach of
any term contained herein. Upon termination, You shall immediately stop using an
d destroy all copies of the Licensed Software.
15. SURVIVAL. The following provisions of this License Agreement survive ter
mination of this License Agreement: Definitions, License Restrictions and any ot
her restrictions on use of intellectual property, Ownership/Title, Warranty Disc
laimers, Limitation of Liability, U.S. Government Restricted Rights, Export Regu
lation, Survival, and General.
16. GENERAL.
16.1. ASSIGNMENT. You may not assign the rights granted hereunder or this Lice
nse Agreement, in whole or in part and whether by operation of contract, law or
otherwise, without Symantec s prior express written consent.
16.2. COMPLIANCE WITH APPLICABLE LAW. You are solely responsible for Your comp
liance with, and You agree to comply with, all applicable laws, rules, and regul
ations in connection with Your use of the Licensed Software.
16.3. AUDIT. An auditor, selected by Symantec and reasonably acceptable to You
, may, upon reasonable notice and during normal business hours, but not more oft
en than once each year, inspect Your records and deployment in order to confirm
that Your use of the Licensed Software complies with this License Agreement and
the applicable License Instrument. Symantec shall bear the costs of any such aud
it, except where the audit demonstrates that the Manufacturer s Suggested Reseller
Price (MSRP) value of Your non-compliant usage exceeds five percent (5%) of the
MSRP value of Your compliant deployments. In such case, in addition to purchasi
ng appropriate licenses for any over-deployed Licensed Software, You shall reimb
urse Symantec for the auditor s reasonable actual fees for such audit.
16.4. GOVERNING LAW; SEVERABILITY; WAIVER. If You are located in North America
or Latin America, this License Agreement will be governed by the laws of the St
ate of California, United States of America. If you are located in China, this L
icense Agreement will be governed by the laws of the Peoples Republic of China.
Otherwise, this License Agreement will be governed by the laws of England. Such
governing laws are exclusive of any provisions of the United Nations Convention
on Contracts for Sale of Goods, including any amendments thereto, and without re
gard to principles of conflicts of law. If any provision of this License Agreeme
nt is found partly or wholly illegal or unenforceable, such provision shall be e
nforced to the maximum extent permissible, and remaining provisions of this Lice
nse Agreement shall remain in full force and effect. A waiver of any breach or d
efault under this License Agreement shall not constitute a waiver of any other s
ubsequent breach or default.
16.5. THIRD PARTY PROGRAMS. This Licensed Software may contain third party sof
tware programs ( Third Party Programs ) that are available under open source or free
software licenses. This License Agreement does not alter any rights or obligati
ons You may have under those open source or free software licenses. Notwithstand
ing anything to the contrary contained in such licenses, the disclaimer of warra
nties and the limitation of liability provisions in this License Agreement shall
apply to such Third Party Programs.
16.6. CUSTOMER SERVICE. Should You have any questions concerning this License
Agreement, or if You desire to contact Symantec for any reason, please write to:
(i) Symantec Enterprise Customer Care, 555 International Way, Springfield, Oreg
on 97477, U.S.A., (ii) Symantec Enterprise Customer Care Center, PO BOX 5689, Du
blin 15, Ireland, or (iii) Symantec Enterprise Customer Care, 1 Julius Ave, Nort
h Ryde, NSW 2113, Australia.
16.7. ENTIRE AGREEMENT. This License Agreement and any related License Instrum
ent are the complete and exclusive agreement between You and Symantec relating t
o the Licensed Software and supersede any previous or contemporaneous oral or wr
itten communications, proposals, and representations with respect to its subject
matter. This License Agreement prevails over any conflicting or additional term
s of any purchase order, ordering document, acknowledgement or confirmation or o
ther document issued by You, even if signed and returned. This License Agreement
may only be modified by a License Instrument that accompanies or follows this L
icense Agreement.
17. ADDITIONAL TERMS AND CONDITIONS. Your use of the Licensed Software is su
bject to the terms and conditions below in addition to those stated above.
17.1. You may use the Licensed Software for the number of licensed User(s) and
at the Use Levels as have been licensed to You by Symantec herein and as indica
ted in the applicable License Instrument. Your License Instrument shall constitu
te proof of Your right to make and use such copies. For purposes of this License
Agreement, User(s) means an individual person and/or device authorized by You to
use and/or benefits from the use of the Licensed Software, or is the person and/
or device who actually uses any portion of the Licensed Software.
17.2. Notwithstanding anything to the contrary contained in this License Agree
ment, if the Licensed Software is Symantec Endpoint Protection, each running ins
tance (physical and/or virtual) of such Software must be licensed. You create an
instance of software by executing the software s setup or install procedure. You al
so create an instance of software by duplicating an existing instance. References
to software include instances of the software. You run an instance of software by lo
ading it into memory and executing one or more of its instructions. Once running
, an instance is considered to be running (whether or not its instructions conti
nue to execute) until it is removed from memory.
17.3. Privacy; Data Protection. From time to time, the Licensed Software may c
ollect certain information from the device on which it is installed, which may i
nclude:
(i) Information regarding installation of the Licensed Software. This infor
mation indicates to Symantec whether installation of the Licensed Software was s
uccessfully completed and is collected by Symantec for the purpose of evaluating
and improving Symantec s product installation success rate. This information wil
l not be correlated with any personally identifiable information.
(ii) Information on potential security risks as well as URLs of websites visi
ted that the Licensed Software deems potentially fraudulent. This information i
s collected by Symantec for the purpose of evaluating and improving the ability
of Symantec s products to detect malicious behavior, potentially fraudulent websit
es and other Internet security risks. This information will not be correlated w
ith any personally identifiable information.
(iii) Portable executable files that are identified as malware. These files a
re submitted to Symantec using the Licensed Software s automatic submission functi
on. The collected files could contain personally identifiable information that
has been obtained by the malware without your permission. Files of this type ar
e being collected by Symantec only for the purpose of improving the ability of S
ymantec s products to detect malicious behavior. Symantec will not correlate thes
e files with any personally identifiable information. Such automatic submission
function may be deactivated after installation by following the instructions in
the Documentation for applicable products.
(iv) The name given during initial setup to the device on which the Licensed
Software is being installed. If collected, the name will be used by Symantec as
 an account name for such device under which you may elect to receive additional
services and/or under which you may use certain features of the Licensed Softwa
re. You may change the account name at any time after installation of the Licen
sed Software (recommended).
(v) The International Mobile Equipment Identity (IMEI) and International Mob
ile Subscriber Identity (IMSI) for the mobile telecommunications device used wit
h the Licensed Software. This information is being collected for the purpose of
being able to identify the telecommunications device eligible to receive Conten
t Updates for the Licensed Software. This information will not be correlated wi
th any other personally identifiable information.
(vi) Other information used for purposes of analyzing and improving the funct
ionality of Symantec s products. This information will not be correlated with any
personally identifiable information.
The collected information as set out above is necessary for the purpose of optim
izing the functionality of Symantec s products and may be transferred to the Syman
tec group in the United States or other countries that may have less protective
data protection standards than the region in which You are situated (including t
he European Union), but Symantec has taken steps so that the collected informati
on, if transferred, receives an adequate level of protection. Symantec may discl
ose the collected information if asked to do so by a law enforcement official as
required or permitted by law or in response to a subpoena or other legal proces
s. In order to promote awareness, detection and prevention of Internet security
risks, Symantec may share certain information with research organizations and o
ther security software vendors. Symantec may also use statistics derived from t
he information to track and publish reports on security risk trends. By using th
e Licensed Software, you acknowledge and agree that Symantec may collect, transm
it, store, disclose and analyze such information for these purposes.
================================================================================
====
END OF FILE
================================================================================
====