VIPRE Enterprise Best Practice Guide



Use of this software is subject to the End User License Agreement found in the product directory (C:\Program Files\Sunbelt Software\SBEAgent\eula.rtf). By installing the software, you agree to accept the terms of the License Agreement. VIPRE® Enterprise (VPE) Copyright © 2009 Sunbelt Software, Inc. All rights reserved. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any language without the prior written permission of Sunbelt Software, Inc.

The guide that follows is a collection of the best installation and configuration practices compiled by Sunbelt Software for use with the VIPRE® Enterprise (VPE) software as of product series 3.1.x. This guide is in no way meant to be all-inclusive for every installation environment; it is meant to serve as a general overview of our best suggestions for deployment, configuration and use of VIPRE Enterprise within the scope of our customers' unique and diverse I.T. environments. Last Updated: 6/29/2009

VIPRE® Enterprise Best Practices Guide Copyright © 2009 Sunbelt Software, Inc. All rights reserved.


http://www.sunbeltsoftware.com/support support@sunbeltsoftware.com


Table of Contents
- Pre-Installation Checklist
  - Follow all installation requirements and install any necessary updates
  - Configure the Agent workstations and VPE server for effective communication
- VPE Server and Console Setup
  - Configure the VPE console for database reporting
  - Optimize the configuration of the VPE server
  - Optimize the configuration of agents
- Suggestions for Agent Policies
- Proper Agent Deployment
- Special Agent Deployments
- Frequently Asked Questions
- Sunbelt Software Technical Support
  - Creating Agent and Server Logs for Sunbelt Software Support
  - Generating Agent Logs
  - Generating Server Logs



Pre-Installation Checklist

Follow all installation requirements and install any necessary updates
- VIPRE Enterprise (VPE) installs best in a Windows domain environment.
- Verify that the planned VPE server meets or exceeds the hardware and software requirements. See the Requirements tab on the VIPRE Enterprise website.
- VPE requires the installation of Microsoft .Net Framework 2.0. See the Microsoft .Net website to download this version. Note: A reboot is required after each .Net install.

Configure the Agent workstations and VPE server for effective communication
- VPE server capacity: Capacity largely depends on server size and configuration. Each VPE server can typically handle around 10,000 agents. Some clients report having over 12,000 deployed without any issue. Larger enterprises may require the installation of additional VPE servers. There is no limit to the number of VPE servers that can be installed; licensing is controlled by the number of agents deployed.
- Agent workstation firewall configurations: In the Windows Firewall, or any other 3rd party firewall solution, create pass-through exceptions for the following ports:
  - Outbound TCP connections on port 18082 to allow agent heartbeat to the VPE server.
  - Inbound TCP connections on port 18082 to allow agent updates from the VPE server.
  - Inbound TCP connections on port 18086 to allow notifications of updates from the VPE server.
  - Inbound and outbound TCP connections on ports 135 and 445 for WMI updates. Note: Auto Deploy will NOT work if the WMI ports are not added to the firewall exclusions list.
- Server firewall configurations: In the Windows Firewall, or any other 3rd party firewall solution, create pass-through exceptions for the following ports:
  - Inbound TCP connections on port 18082 to allow agent heartbeat to the VPE server.
  - Inbound TCP connections on port 18087 to allow a remote management console to connect to the VPE server (if a remote console is installed).
  - Outbound TCP connections on port 18086 to allow the VPE server to distribute agent updates.
- File sharing: Verify that the C$ admin share is accessible on the computers that VPE agents will be deployed to. Disabling simple file sharing via group policy is recommended. If installing VPE in a domain environment, simple file sharing should have been disabled by default. However, some Windows service packs or updates will re-enable simple file sharing. If agent deployment or communication issues are encountered, check to ensure that simple file sharing is still disabled. See Knowledge Base Article 1861: How to Disable Simple File Sharing Via Group Policy.



VPE Server and Console Setup

Configure the VPE console for database reporting
Database reporting changes can be made from the “Report Database Settings” tab of the “Configuration” sub-menu.
- MS Access database: The MS Access database is intended for use during the VPE trial, NOT for deployment over your network. The Access database has a 2 GB size limit; if the limit is reached, the performance of VPE could be negatively impacted. You can use the Access database if your enterprise can work within the size limit.
- MS SQL database: The MS SQL database allows for faster database reporting. VPE is compatible with any version of SQL Server, SQL Express, or MSDE. If database migration is needed, see Sunbelt Software Support KB Article 1814: Migrating VIPRE from Access to SQL.
  - Create a SQL user that is the only owner of the VPE database and use this account for SQL authentication. The SA account should NOT be used as the database authentication account. Note: The SA account is the default SQL administrator account. Use of this account opens potential security vulnerabilities. For more information, see the Microsoft MSDN article on working with SQL administrator logins.
  - Create a separate Windows service account. Note: this account does NOT need domain admin rights. Although it is possible to authenticate with regular administrative credentials, this is not recommended, as an error in reporting will occur at the next password change.
  - Create a separate SQL database for each VPE policy server if installing in an environment that will use more than one VPE server. This simplifies upgrading VPE.

Optimize the configuration of the VPE server
The following changes can be made to the VPE server on the “Advanced Settings” tab of the “Configuration” sub-menu.
- Set the server logging level to “Verbose.” When troubleshooting issues with Sunbelt Software Support, logging on the VPE server will need to be set to “Verbose.” This can be done from the Configuration tab by clicking on Advanced, then Logger Management Level, and changing the drop-down to “Verbose.” Once this is changed, the issues will need to be reproduced and the Support Info Tool will need to be run again. Verbose logging ensures that Sunbelt Support has the log information required to troubleshoot issues.
- Enable automatic updates from Sunbelt Software with an interval of 4 hours (default).
- If using a proxy server, use the Fully Qualified Domain Name of the proxy server. The proxy settings will not work properly with an IP address; always use the FQDN of the proxy server.
- When configuring Email Server Settings, use a “From:” address within your domain so that VPE notification emails appear as internal email.



- Do not decrease the Memory Management settings below their default values. A decrease may cause high CPU usage and prevent agents from updating.
- Enable both Report Database Management options to prevent the VPE database from growing indefinitely:
  - “Delete data older than”
  - “Delete data from non-existent agents every 24 hours”
- Disable the “Archive agent event files” setting. Use care when enabling this setting, as it should be used for troubleshooting purposes only. If left enabled, it can fill the available disk space on the VPE server, causing performance issues once the disk is full. It is strongly recommended to uncheck this option when troubleshooting is complete.
- “Mark agents as inactive after no contact of” should be set to three times the highest agent heartbeat interval. Heartbeat intervals are configured per policy.

Optimize the configuration of agents
- Agents should always be assigned to a policy. Remove agents from the catalog if they are no longer in use.
- After all policies are configured, use Auto Deploy for a more efficient way of deploying agents.



Suggestions for Agent Policies
The following changes can be made to the VPE agents from the “Policies” menu by selecting either the default policy or any custom-created policy and making your changes within that policy.
- Default policy: Configure this policy as a “template” from which additional policies are created. The Default policy is not linked to the policies you create from it, so you can go back to the Default policy and make further changes on which to base additional policies.
- Set the Agent logging level to “Verbose.” When troubleshooting issues with Sunbelt Software Support, logging on the affected agents will need to be set to “Verbose” in the agent policy, the issues reproduced, and the log snapshot utility run again. Verbose logging ensures that Sunbelt Support has the log information required to troubleshoot issues.
- Agent Active Protection™ (AP): AP can scan files when they are opened, copied or executed, or when certain areas of the system are accessed.
  - The “Check files when they are opened or changed” and “Check ALL files…” options: For typical use, these options should be disabled. They should only be checked in the event that a malware outbreak is suspected or has occurred. Selecting these options may result in slower system performance. These options extend AP protection to every file on the agent workstation: when enabled, files are scanned when they are copied onto the computer or touched. “Touching” a file can include highlighting it in Windows Explorer, copying it with a backup program, or having it inspected during start-up by the Windows desktop or a firewall, among other means.

  - The AP threat monitor level should generally be left at “Default” unless otherwise directed by Sunbelt Software Support. Moving Active Protection Security Monitors into “Aggressive” or “Paranoid” mode, or changing any of the default threat actions to “Prompt,” can be risky for the following reasons:
    - Microsoft’s Windows updates are released to the public at the same time they are released to Microsoft’s partners. Therefore Sunbelt’s threat definitions may not have been updated and deployed to the Agent machines before those Agent machines receive the MS update.
    - Inexperienced or inattentive users may click “Block” when prompted, blocking vital OS files from running. Therefore, greater care must be taken not to block necessary programs and files.

  - Server recommendations:
    - Enable AP on a server.
    - Disable “Check files when they are opened or changed,” since the amount of server traffic can be extremely high and enabling this feature could slow down the machine due to the volume of traffic.
    - Scheduling daily quick and/or deep scans, when feasible, is also recommended for servers to ensure that any dormant threats not automatically detected by AP are discovered.



    - In the event that Active Protection needs to be turned off on a server, scheduling more scans is recommended. Quick scans are fast, covering only the critical areas, and can be run throughout the day. Schedule a deep scan during off-hours to scan the entire disk.
- Configure Agents for Windows Security Center: These changes can be made within the Agent Settings tab of each policy.
  - Allow “Integrate into Windows Security Center.”
  - Disabling Windows Defender will reduce the resource load on agents and eliminate conflicts.

- Change agent heartbeat times and reduce server load: Change “Agent status heartbeat every” using the following formula: number of agents assigned to the server / 120 = agent heartbeat time in minutes. Use a minimum of 5 minutes. Increase the value to 10 minutes if the server supports more than 2500 agents.
- Increase “Throttle updates from local server by XX milliseconds” for lower-bandwidth connections. A 60 millisecond throttle setting adds approximately one minute of delay to each full definition download.
  - 1 Mb/s network: 1000 ms
  - 10 Mb/s network: 200 ms
  - 100 Mb/s network: 50 ms
- Set “Randomize scheduled scan start times by [x] minutes” accordingly: This setting is best used in conjunction with setting your agents to check for threat definition updates before a scan starts. It spreads out the load of definition updates when agents require a threat definition update, and should take the throttling interval into account. The larger you make this value, the less impact on your network. For policies with several hundred agents or more that check for threat definition updates before starting a scan, the randomized start time should be anywhere from one-half to twice the time it takes an agent to download a threat definition update. The exact value depends on how sensitive your network is to bursts of data.
- Set “Update threat definitions every” to 3 hours (default).
- Definition downloads via the internet should only be enabled for mobile agents that will not be able to contact the server. Using this internally will place extra strain on the WAN.
- Agent scan intervals: Schedule quick scans to run at least once daily. Schedule a deep scan to run each night during non-business hours, when possible, and after nightly backups for the least possible impact. If an after-hours scan is not possible, set the deep scan to run at a low priority during working hours. Regardless, deep scans should be run daily.
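The heartbeat, throttle and scan-randomization rules of thumb above, together with the server-side “Mark agents as inactive after no contact of” rule (three times the highest heartbeat), worked through as a small calculator. This is an added example, not code from the guide or from Sunbelt Software; the function names are its own, and rounding up to whole minutes, treating the 5 and 10 minute values as floors, picking the slower tier's throttle for in-between link speeds, and adding the throttle delay to the measured download time are assumptions made here.

```python
"""Policy-tuning calculator for the VIPRE Enterprise rules of thumb above.

Added example; not code from the guide or from Sunbelt Software. Function
names are this example's own and assumptions are marked in comments.
"""
import math

# Throttle values the guide lists per link speed (Mb/s -> milliseconds).
THROTTLE_MS_BY_MBPS = {1: 1000, 10: 200, 100: 50}


def heartbeat_minutes(agents_on_server: int) -> int:
    """'Agent status heartbeat every' in minutes: agents / 120, minimum 5,
    and 10 once the server carries more than 2500 agents.
    Assumptions: round up to whole minutes; treat 5 and 10 as floors."""
    if agents_on_server < 1:
        raise ValueError("a policy server needs at least one agent")
    floor = 10 if agents_on_server > 2500 else 5
    return max(floor, math.ceil(agents_on_server / 120))


def throttle_ms(link_mbps: float) -> int:
    """'Throttle updates from local server by XX milliseconds' for a link.
    Assumption: a speed between the guide's tiers gets the slower tier's
    (larger) throttle, and anything below 1 Mb/s gets 1000 ms."""
    if link_mbps <= 0:
        raise ValueError("link speed must be positive")
    chosen = min(THROTTLE_MS_BY_MBPS)
    for tier in sorted(THROTTLE_MS_BY_MBPS):
        if link_mbps >= tier:
            chosen = tier
    return THROTTLE_MS_BY_MBPS[chosen]


def throttle_delay_minutes(throttle: int) -> float:
    """Extra delay per full definition download implied by the throttle;
    the guide says 60 ms adds about one minute, scaled linearly here."""
    return throttle / 60.0


def inactive_after_minutes(heartbeat_intervals) -> int:
    """Server setting 'Mark agents as inactive after no contact of':
    three times the highest heartbeat interval configured in any policy."""
    intervals = list(heartbeat_intervals)
    if not intervals:
        raise ValueError("need at least one policy heartbeat interval")
    return 3 * max(intervals)


def scan_randomize_window(definition_download_minutes: float) -> tuple:
    """Range for 'Randomize scheduled scan start times by [x] minutes' when
    agents fetch definitions before scanning: half to twice the download time."""
    return (math.ceil(definition_download_minutes / 2),
            math.ceil(definition_download_minutes * 2))


def policy_plan(agents_on_server: int, link_mbps: float,
                definition_download_minutes: float) -> dict:
    """Settings for one policy. The guide says the randomization window should
    take the throttle into account; adding the throttle delay to the measured
    download time before sizing the window is this example's assumption."""
    hb = heartbeat_minutes(agents_on_server)
    th = throttle_ms(link_mbps)
    delay = throttle_delay_minutes(th)
    return {
        "heartbeat_minutes": hb,
        "throttle_ms": th,
        "throttle_delay_minutes": round(delay, 1),
        "randomize_scan_minutes": scan_randomize_window(
            definition_download_minutes + delay),
    }


if __name__ == "__main__":
    # Constructed sample: one server with 2250 agents split over three
    # policies; each tuple is (agents on server, link Mb/s, measured minutes
    # for a full definition download on that link).
    policies = {
        "HQ workstations": (2250, 100, 2.0),
        "Branch office": (2250, 1, 10.0),
        "Mobile users": (2250, 10, 4.0),
    }
    plans = {name: policy_plan(*args) for name, args in policies.items()}
    for name, plan in plans.items():
        print(f"{name}: {plan}")
    # The server-side timeout uses the highest heartbeat across all policies.
    print("Mark inactive after (min):",
          inactive_after_minutes(p["heartbeat_minutes"] for p in plans.values()))
```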



Proper Agent Deployment
- Create a policy for each organizational unit or group of organizational units. This allows VPE to deploy agents based on AD queries.
- Create one or more separate policies for laptop/remote users. See Support KB Article 1750 for detailed information on how to better deploy agents across the internet. Set laptop/remote agents to check for updates over the internet. Increase the heartbeat-after-failure time to up to 360 days, or to however long remote users may be unable to contact the VPE policy server.
- Deploy test agents for each policy and perform a deep scan. Keep the initial scan actions set to “Report Only.” Add any needed exclusions for business software. Make sure to change threat actions back to “Quarantine” after completion of the initial scan.
- Configure Auto Deployment for each policy. Use Active Directory queries to quickly populate the agent list in the catalog. Set Auto Deployment to run at off-peak hours to avoid disturbing end users. Enable Auto Deploy in policies only when ready to deploy to those specific groups.
- Enable scheduled deployment to run daily. This is configured from the Auto Deploy Settings tab of the Configuration sub-menu. Agents will be deployed as new machines are added to the catalog. For large deployments and initial agent roll-outs, consider deployment during off-peak hours.
- Add “Admin defined good” file exclusions to each policy before deploying agents. All file exclusions listed in Microsoft KB Article 822158 should be added to the “Admin defined good” tab. In VPE v4.0 these will be included automatically.
- Other exclusions: VPE’s Threat Action is set to “Report Only” by default so that an initial scan of agent machines can be run to determine what is reported back as possible threats. After the initial scan, the administrator can decide how to handle software reported as a possible risk that may have legitimate uses within certain organizations. For example: software such as VNC is used by many companies for legitimate purposes; however, VNC has also been used maliciously and is listed in the VIPRE threat database as a low-risk threat. Based on information from the initial deep scan report, companies that use VNC would know to add it to the “Admin defined good” list.



Special Agent Deployments
- Domain Controllers: Create a separate policy for agent deployment and management of domain controllers. Add “Admin defined good” exclusions for the items listed in Microsoft KB Article 822158.
- Email Servers: Create a separate policy for agent deployment and management. Disable Email Scanning on the email server agents. Add “Admin defined good” folder exclusions for the Exchange Store and Temp folders to prevent Active Protection from scanning them; failure to do so will drastically affect resources on the email server. Add “Admin defined good” exclusions for anything listed in Microsoft KB Article 245822. Agents deployed to email servers are designed to protect the server, not to provide active email scanning. Use NINJA Email Security for an email scanning solution to protect all mail within an enterprise environment.
- Terminal Servers such as CITRIX or VMware: Create a separate policy for agent deployment and management. Do not attempt to “Auto Deploy” to servers of this type using a push/pull method. Create a separate MSI package and install it on the Terminal Server using “Add/Remove Programs.” This causes the VPE Agent to protect any sessions running on that server and not just the Terminal Server itself. Initial deployment of VPE Agents to all sessions should be done with the CITRIX terminal server in install mode. For further information on CITRIX installs, see the CITRIX install guide from Methodology in a Box.
- Low bandwidth agents: Create a separate policy for management of agents at a location which experiences low bandwidth, or which is physically far from the central VPE management server. Change the definition update timeout value. This change is made on the VPE server within the “Advanced Settings” tab of the “Configuration” sub-menu by changing the value of “Mark agents as inactive after no contact of: XX minutes.” Set this value between 5 and 7 minutes. Set agents to pull updates from the internet, similar to laptop users, or create a local update server in geographic proximity to the agents. See Support KB Article 1859: Remote Updates Server Setup Instructions for complete directions on how to create a remote updates server.
- SQL Database Servers: Create a separate policy for agent deployment and management. Add “Admin defined good” folder exclusions for the SQL database folder, such as “C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS”. See Microsoft KB Article 309422 for more information on SQL exceptions.
- Microsoft SharePoint Servers: Create a separate policy for agent deployment and management. Add “Admin defined good” folder exclusions for the items listed in Microsoft KB Article 952167.



Frequently Asked Questions
- How do I submit threats and false positives to Sunbelt Software? Threats and false positives can be emailed to response@sunbeltsoftware.com. Please zip the file(s) and use the password “infected.” Sunbelt Software needs new false positive files to continue to improve its detection abilities as viruses and malware become increasingly complex.
- Can I use another AV or antispyware program alongside VPE? It is highly recommended that VPE NOT be run alongside another AV or antispyware product. This can cause conflicts between AV products, resulting in poor performance or system instability. It is recommended that all other AV or antispyware products be FULLY uninstalled using an uninstall wizard such as those found on the Sunbelt AV Agent Uninstallers page. This ensures full removal of any residual .dll files or registry entries. Should the decision be made to run more than one AV or antispyware solution, it is highly recommended to have on-access scanning enabled in only ONE program.
- Is there a problem with Dell Embassy Trust Suite? Many Dell computers and laptops come with a preloaded encryption program called “Embassy Trust Suite” which contains a program flaw that interferes with VPE agents. VPE will be modified in an upcoming version to prevent interference from this flaw. If Embassy Trust Suite is not specifically needed, Sunbelt Support highly recommends uninstalling it. Please see the Embassy Trust Suite Uninstall Guide.
- What if I run backup software on agent machines? If Active Protection is turned on and “Check files when they are opened or changed” is enabled, running backup software will result in slowdowns, as AP inspects every file during the backup process. Some files, such as archives and large files, may take more time to scan. Sunbelt Software Support recommends one of the following: do not enable “Check files when they are opened or changed” on the server, or add a rule to stop the SBAMSvc.exe service right before the backup starts and another rule to start the service again after the backup has completed. This could be done through a backup script.
- What about virtualization software and VPE? VPE is not able to scan drives without a logical drive letter, as is often encountered in VMware or other virtualization suites. Sunbelt Software is looking to provide support for this functionality in a future version of VPE.
- What about updates on laptops running VPE agents? The default settings for laptops running the VPE Agent require that the laptop be powered by AC power (not battery) in order for the VPE Agent to properly receive updates. This feature is incorporated to ensure the agent software can complete the update cycle, which could otherwise be interrupted by an unexpected loss of power from a depleted laptop battery. Sunbelt Support recommends that Power Saving Mode be turned off in the laptop agent policy during the initial deployment of an agent to a laptop. Re-enable Power Saving Mode once the VPE agent is set up and configured properly on the laptop.



- What are good update start and interval times? The default start time for updates is when the computer first boots up. For example, if the computer boots up at 7:43 am and checks for updates every 4 hours, it will check at 11:43 am, 3:43 pm, 7:43 pm, 11:43 pm, and so on.
- Any suggestions on quick and deep scan times? If computers are always powered on, the scheduled scans should be run as follows:
  - Quick scans 6 days per week during non-business hours.
  - A deep scan each night during non-business hours, when possible, and after nightly backups for the least possible impact.

  For environments where computers can only be scanned during working hours, the scheduled scans should be run as follows:
  - Quick scans daily during lunch time.
  - A deep scan during lunch time on one or more days when scanning least impacts employee productivity. Set the deep scan to run at a low priority during working hours.

One Final Suggestion:

Register and post to the Sunbelt Software Support Discussion Forums to communicate with other systems administrators running VPE. Since Sunbelt Software Support also monitors these forums daily, they will provide assistance to customers as needed. Note: These forums are open to postings by the general public; please consider these forums like first level triage for issues.



Sunbelt Software Technical Support
Sunbelt Software offers a range of support options for VPE.

Global Technical Support Contact Information
- Web: http://www.sunbeltsoftware.com/Support/
- Email: Technical Support: support@sunbeltsoftware.com; International Sales: Intlsales@sunbeltsoftware.com
- Phone: Toll Free: +1 877-673-1153; Worldwide: +1 727-562-0101
- Address: Sunbelt Software, Inc., 33 North Garden Avenue, Suite 1200, Clearwater, Florida 33755, USA

While working with Sunbelt Software Support, it may become necessary to use the special tools discussed in the next two sections.

Creating Agent and Server Logs for Sunbelt Software Support
The agent and server log collection utilities allow the administrator to work with Sunbelt Software Technical Support to create the error log files needed to resolve certain issues. VPE does not log any personal usage information; it only logs application diagnostic information, with the one exception being registration information. These logs are maintained within the "All Users" directory of the computer where VPE is installed (for example, C:\Documents and Settings\All Users\Application Data\Sunbelt\AntiMalware\Logs). This information exists for troubleshooting purposes only. Note: For more information, see Sunbelt Software's privacy policy at sunbeltsoftware.com.

Generating Agent Logs
The SBAgent Diagnostic Tool allows the administrator to work with Sunbelt Software Technical Support to create the diagnostic files needed to resolve certain issues with VPE Agents. Note: It is recommended that the SBAgent Diagnostic Tool be run after contacting Sunbelt Software Technical Support, as a Support Ticket Number will be requested by the utility.

1. Go to an agent machine having the issue and run C:\Program Files\Sunbelt Software\SBEAgent\SBAgentDiagnosticTool.exe.
2. Enter the Sunbelt Software Support ticket number.
3. Enter 'Y' to send the results to Sunbelt Software Support.



Generating Server Logs
The Support Info Tool dialog box allows the administrator to work with Sunbelt Software Technical Support to create the diagnostic files needed to resolve certain issues with the VPE Server and console. Note: It is recommended that the Support Info Tool be run after contacting Sunbelt Software Technical Support, as a Support Ticket Number will be requested by the utility.

1. Select Start Menu > All Programs > Sunbelt Software > Enterprise > Support Info Tool. If unable to locate this menu option, navigate to the VIPRE install directory (typically \Program Files\Sunbelt Software\SVE\) and double-click the file called “InfoServer.”
2. Fill out the required information, starting with the Sunbelt Software Support ticket number.
3. On Upload to Sunbelt FTP, choose Yes.
4. Select all four boxes to send all additional data to Sunbelt Software Support.
5. Click Send, and then Exit.


