 Welcome, everyone. Welcome to our webinar, Getting the Most Out of Symantec Endpoint Protection. You are in luck today. We've got a wonderful speaker, Sheri Nichols from Symantec Corporation. And I am Susan Hope Bard. I'll be the host and facilitator today. And we also have another co-facilitator, Alicia Kidd. We'll be taking you through this hour-long webinar. I want to familiarize you with the ReadyTalk platform. So bear with me for a few minutes. On the left side of your window you should see a bar, and that is the chat box. So the chat box is used for you to ask questions. You can ask questions at any point in time during the presentation. You do not need to raise your hand. Simply chat your question in. And Alicia and I will queue up your questions for answering at the end of the event. So please be patient. We will queue all those up, and we will get to them towards the end of the event. Your line has been muted. This is so that we can get a clear recording of this event. If you lose your Internet connection, you can simply use the email that was sent to you for confirmation or reminder and reconnect. You can also go to our website where you can see other webinars, and we will chat that link out to you so you can check out some upcoming webinars. In a few hours after the event today, probably no later than 5 p.m. our time on the West Coast, we will be sending you an email. The email will have a link to this recording for this entire event. It will also have the PowerPoint presentation and all of the links that we will both chat out and that Sherry will talk to you about. So don't worry about taking copious notes or trying to remember all of the URLs. We will send all of those to you. If you want to follow us on Twitter, you can do that at TechSoup or use hashtag TSWebinars. And I love the fact that folks are already chatting in questions. Excellent. Keep them coming. A couple of other things, audio does play through your computer speakers. 
So if you have any challenges with the audio coming through your computer, Alicia is chatting out the number that you can use to call in so that you could be on your phone but still view the screen. A little bit about TechSoup. TechSoup is a 501c3 nonprofit. And our headquarters is here in San Francisco, California. I'd love to know where you are joining us from. So take a minute to say what city and state you are joining us from as I talk a little bit about our presenters and hosts. I see folks chatting in. Thank you. So Sherry Nichols will be our primary presenter from Symantec and she is a very savvy and knowledgeable trainer. She does a lot of in-person trainings. I will allow her to introduce herself as she gets started. Alicia Kidd is our online learning specialist here at TechSoup. She joined us fairly recently. She had been in the healthcare industry conducting trainings and webinars as well. And I'm Susan Hope Bard. I'm the Training and Education Manager. So you can always reach out to us if you have any suggestions about events or upcoming webinars. Before I turn it over to Sherry, I do want to take a minute to ask a few questions. We'd like to know a little bit more about you. And this also gives you the opportunity to use our polling tool. And I see folks are here. Some of you are here from California and Georgia, Maine, Virginia, and Arizona. I bet it's pretty hot there right now. So take Yo and Yuma too. Thank you. So we'd like to know what is your role? Are you an SEP administrator? Are you a manager or a director? Do you have another IT role? Or are you just interested in this topic altogether? Are you an interested observer? And I will give you another 5 seconds to answer this poll. 5, 4, you guys are pretty fast. 3, 2, 1. Okay, I'm going to close the poll and show you the results. Wow Sherry, lots of people here are the admins. That's great. It looks like half and half, managers, directors, and SEP administrators. Thank you so much. 
Thank you so much for that feedback. One more question, and then we will go ahead and turn it over. So let's see. This is a question about what you're currently using. So are you currently using SEP, which is version 12.1? Oh, you guys are already so fast. Wow, 14.0 or a mix of those two? No, but you're planning to install it soon, or no, that you want to learn more. Thanks so much for chatting in if you can't click on the poll in your screen. So I'm going to give you 5, 4, 3, 2, 1. Take a look. So Sherry, it looks again. It's a close tie, very close tie. Looks like a lot of you are on 14.0. Okay, well thank you so much for giving us that information. That will actually help Sherry as she begins to deliver this information. Sherry, I will turn it over to you now and take it away. Thank you Susan, and welcome everyone. Thank you so much for joining us today, and thanks for filling out those polls. It looks like the audience is exactly who I was hoping would be here today. So yay! I'm hoping to share with you some tips and tricks and some ideas that may make your, well, definitely will make your SEP experience more interesting, more enjoyable. You might not know, cybersecurity can be enjoyable, but I hope to share with you some tips and tricks to make your busy lives a little bit easier. I know many of you also wear many hats. So those of you that identified yourself as SEP administrators, I imagine you also perform other functions for your organization. And I just want to take a moment to say I have tremendous respect for the amazing work that you all do every day. So again, my goal for you is to share some knowledge and information that might make things easier for you. I am, my official title is Technical Education Consultant at Symantec Education, which means I'm a full-time instructor. 
And I do conduct regular courses with the official Symantec Education Courseware for Symantec customers, in theory around the world, but primarily here in North America, I do have other Symantec colleagues in other regions that take care of most of those. So darn it, I can't go to Australia and teach a class next week, but I would love to. So mostly I'm teaching customers with a range of environments from a few hundred machines to a few hundred thousand machines, and everywhere in between. So I put together a custom presentation to really focus on the smaller range of clients because so much of our documentation is geared towards helping folks with larger and very complex environments. And I want to show that it's really not that complicated, or it doesn't need to be, especially in a fairly homogenous and smaller environment. So I'm looking forward to the questions, and we'll definitely make time. I want to make sure that we at least give you references, if not full, and complete answers right here today. All right. So our agenda, the topics I'd like to touch on in this brief session. First, we're going to talk about why we care, why we, in IT and just in the world in general, should care about endpoint security. Then we'll talk about how you get the widest protections with the least amount of effort. I always say work smarter, not harder. And so we'll talk about how SEP gives you a lot of those protections out of the box, automatically, and then give you some ideas of a few things that you might want to customize if it meets your organization's needs. We'll talk about keeping those endpoints up to date, and again, how much of it is taken care of for you. I'll point out some popular reports that administrators tend to find the most useful across, again, across a wide variety and range of customer sizes, implementation sizes. 
And then last, I want to make sure everyone is aware of the vast array of online training resources from Symantec Corporation that are completely free. And also I would like to do, hopefully if we have time, I'd like to demonstrate a few things in the SEP console itself. So first, why we care about endpoint security. So unfortunately the facts are that our endpoints, the computers that we use every day and we rely on for so much of the work that we do are targets. They are targets of criminals. So don't be deflected by talks of espionage and nation-state stuff. Yeah, there's a lot of that going on, but most of us, we get caught in the crossfire of that stuff. And the sad fact is a lot of criminals actually can pick up and adapt tools that were developed by nation-states to begin with and then can turn around and point them at us. So the types of things that they want to do, they want to compromise the computer to steal credentials and get access into other systems. That's why not reusing passwords across multiple platforms is so important. A lot of times folks will try to break into a particular machine in order to leapfrog into other systems on your network. A lot of times the goal is financial gain. So they can make money off your stuff basically in a lot of different ways. Stealing private data for identity theft is actually a huge problem especially in healthcare where individual healthcare records can sell for as many as $10, well actually even higher depending on who it is and how much juicy details are in there. But the credit cards go for like $1. But yeah, health records are actually worth a lot more because it's easier to impersonate somebody and steal their identity with all that data that's typically stored in healthcare records. Other motivations, you'll see criminals tampering with data or holding it for ransom. I know there was a question about does SEP help protect against ransomware and the answer is yes. 
And I will talk about briefly about a couple of examples here. And certainly we want to make sure that we are maintaining the privacy of our customer data, the donors that support our various organizations as well as of course our relationship with third parties, vendors and the like. So data breaches are horribly expensive. And it's not just the cost of cleanup and restoring any systems that were damaged although that can be quite high. But also the cost of paying for identity monitoring services for any of those, you know, your employees or anyone else whose private data was stolen. And there can be other reparations as well that ultimately might be court mandated or lawsuit mandated. Loss of reputation, damage to the brand. I mean these are all, it's just a horrifying thing to contemplate. And the sad fact is if you ask anyone in the cybersecurity community, the question isn't if there's going to be an attack, but when, and it's not even if there's going to be a breach, but when and how quickly can we stop some and really, really limit the amount of damage that they can do. And unfortunately the Internet, it is global which makes for a lot of opportunities for good of course, for good uses, but certainly can be leveraged by criminals for very, very bad reasons. And it's important that our users understand as well as ourselves in management or IT roles to understand that users don't have to be actively surfing the Internet to become a target. That their machine can be targeted simply by being on a network that is connected to the Internet. And that certainly should be of concern to home users that routinely have high speed Internet connections that they leave on 24-7. And not understanding that that leaves you, basically it's like leaving the front door of your house pretty much open to say, hey come on in and see what I've got and take what you want. 
So things like SEP, Symantec Endpoint Protection are really important to put protections and barriers and response capabilities between us and those cyber criminals. One thing, I was on a plane coming back from an in-person training last month and I sat next to a very interesting individual who is a technical person, an IT administrator, but who doesn't work in security and a very smart guy. But he said to me with a straight face, antivirus isn't really necessary. People will only get infected if they go to bad websites. So I took the next, at least half hour to just kind of gently open his eyes to the fact that that is not true. And in fact Symantec is constantly surveying and looking for vulnerabilities in public-facing web servers. And sadly there are many. And that's just the vulnerabilities that we know about. And so perfectly legitimate websites can be compromised through unpatched vulnerabilities. And that will lead the users of those websites to infections through what's called drive-by downloads. No click needed. The user doesn't even know usually that something bad has just tried to launch on their machine. So of course the reason I mentioned it is because you need SEP. You need SEP in there, paying attention and stopping that in its tracks. Also another kind of scary statistic, Bluecoat found 95%, I think it was 95.4% to be exact, of PowerShell scripts were actually malicious. So with malicious intent they were going to do something bad to compromise the system. And this is particularly frightening if you realize that a simple Word document can launch PowerShell automatically or an Excel spreadsheet. So again we have protections in place in SEP. You certainly want to have protections at your web gateway and your email gateway. Those are very, very important portals basically to keep a vigilant eye. But ultimately it's the endpoint where the last stand can be made against attackers. So I do see, oh wonderful, thank you for sharing those web links out. 
We'll be sharing this presentation, a copy of the presentation with the attendees and I have included quite a bit more information along the notes area for each of these slides. So, oops, I just went backwards. So thankfully with Symantec Endpoint Protection you do receive the widest protection with the least amount of effort. What a lot of folks don't realize is that the SEP product is actually very, very, very similar to the consumer product which is branded Symantec Norton Security. And what's very interesting is we have won the very prestigious Best Protection Award from AV Institute, AV Test Institute, two years running for both the business side and the consumer side. And I won't lie, I've been a fan of Norton for years long before I became a Symantec employee. And it is absolutely wonderful for anyone to use at home. Anytime you don't need centralized management of that technology, just install it and let it run and protect those systems, Norton's your friend. So the business side has those similar capacity, obviously very similar protection features that we'll be talking about here in the next couple slides. But it also gives you that central reporting capability so you as administrators can see the health of your organization in very painless, very easy ways and also can customize the protections if necessary. That's more common to need to do in a business environment. But yeah, we keep winning awards because our products are absolutely industry-leading. So I was so excited to see that so many of you have SEP currently installed and SEP 12.1 continues to be an excellent version of the product, but 14 is of course even better. That is our latest and greatest version of this protection. So if you have installed SEP of either version with the full protection for clients, that's a feature setting that is selected by default. So I imagine that most of you have installed it with that. 
Then your endpoints or the computers that you protect have automatic protection against network-based attacks where the attacks come across the network, try to target things on the vulnerabilities in browsers or plugins, and the attacks can take place directly in memory or attack the registry without using actual executable files. Certainly you've got automatic protection against file-based attacks that include things like worms that self-propagate, viruses that need some sort of host file, and other types of file-based threats. With 12 you have some protection, but with 14 you have greatly expanded protection against when legitimate programs get hijacked into doing bad things. So there are a number of vulnerability protections that you have in 14 that we just didn't have in 12.1. So I do, Symantec does recommend upgrading as soon as you can to really leverage those new features. You have built-in protections against drive-by-downloads, and you have built-in protections against infected emails, messages, and attachments. Now in addition to that, the full protection feature set for clients includes some optional capabilities. For your Windows clients you can use application control to prevent unwanted applications from running, or preventing users from doing things like accessing system files or changing important configuration files. You can also prevent users from connecting external drives. Those are of course a very popular way of propagating certain kinds of worms and other sorts of nasty infections. I'll see the ability to modify how those drives can be accessed and make them read-only and not allowed to execute or write to them. That capability in 14 has been added for Mac, and we've had it all along for Windows clients. You also have a built-in ability to set up, again these are additional features that require some extra configuration so they're not in there by default. 
The features are there, but they're basically just waiting for orders is what it comes down to. So you could do things like prevent a machine from getting on your internal network if the virus definitions are too old, or maybe the user has disabled the network threat protection components of SEP, and just not let them on the network until the situation has been remedied. That's our host integrity feature. So just again to give you that quick rundown of what's already built-in, you've got a firewall and intrusion prevention. These are two features that are part of our network threat protection, and that will stop malware as it travels across the network and tries to take up residence on the system. It will stop purely network-based attacks. We have protection against exploits that try to take advantage of unpatched vulnerabilities on the local system. So that's where, with the vulnerability signatures, all of you with 12.1 and later already had protection against WannaCry and the Petya recent, not really ransomware, it's actually turning out to be a wiper, but there's any of those exploits that take advantage of vulnerabilities that allow things like remote code execution, and I'm not expecting you all to memorize these terms or anything, but any of those vulnerabilities that allow attackers to take advantage of the system remotely, Symantec security analysts look at those vulnerabilities and they build signatures that come out through Live Update automatically, which we'll talk about next, and automatically updates those clients so they put protections in place before they're even accessed, before an attacker even comes up with a specific attack. We know what the target is, and we can defend the target without having to know the exact shape of the attack. 
And then we have our reputation and cloud lookup capabilities that we started with in 12.1, and we've expanded in 14, and that gives excellent protection against things like zero-day threats and emerging malware, not just cutting edge, but you could say bleeding edge, the very latest and worst of the new malware that's coming on the scene. We also have behavioral heuristics built in, so if an executable walks like a duck and quacks like a duck, it's probably a duck, so if we don't want any ducks on our systems because they're malicious, then someone will convict them and quarantine them for us. So it's very, very good at finding malware based on malicious and suspicious behavior. And then, of course, we have our traditional signature-based scanning, but we also now in 14 have what's called the Advanced Machine Learning Engine, and it is so incredibly smart. It's a little creepy. I feel like we're in the future, but each of your SEP clients is actually learning about executables that are good versus executables that are bad, and so it's able to make judgments against brand new malware from new malware families that have never been seen before. And some of the Symantec researchers have done, like I like to call them time travel tests, where they took models that were around six months before a new threat family was even invented, and they threw the new threat, examples of the new threat at the SEP client with the older model set, and gosh, it's just amazing. The Advanced Machine Learning Agent caught the new malware each and every time. So anyway, it's predictive. And all this is to say, you've got a lot of protections just automatically built in out of the box. You do have those additional capabilities, as I mentioned, some optional capabilities. So above and beyond the default protection features, you have the ability to do more aggressive repairs. 
You can do that straight from the SEP Management Console and initiate a Power Eraser scan against any machine that seems to have a persistent infection, or indications that there may be a rootkit. Power Eraser is a way of scanning much more deeply and getting to some of those more deeply rooted malware infections. And then with our compliance options, you can add, again, some controls around the applications that users are allowed to even run, much less what kinds of files they can change and things like that. And with our host integrity, we can put compliance requirements so that, again, a system isn't even allowed on the network if it's not meeting those basic security requirements. So those compliance options are the type of thing that you really do want to take advanced training on before using. But there are some pre-built policies that you can use relatively easily. Again, we'll make sure by the end that you've got access to a lot of training recordings and resources to educate yourselves on these extra functions and options if you're interested in having that kind of time. So the endpoints do need to be kept up to date. Aside from those advanced machine learning models, which don't have to change very often because the agent itself is actually essentially a living thing. It's that you've got a little artificial intelligence on that endpoint there. So it's learning on its own, just with the models that it's got. Those models, by the way, caught WannaCry for those Symantec customers that they weren't using IPS. Everybody that was running IPS, though, the intrusion prevention engine had protection. Again, they just did not have any issues from WannaCry and Petya if IPS was running. Again, those protections don't need to be updated very rarely. Vulnerability signatures are added, of course, when there are new vulnerabilities that are published that, of course, indicate potential misuse from remote attackers. 
But there are more frequent updates that you need to be aware of. Virus and spyware definitions, which basically are like America's most wanted, newest, and most virulent threats, those signatures, those definitions, or ways of identifying and blocking that malware, those are updated about three times a day. And then for IPS attack signatures, which are specific types of malicious activity that occur across the network, you'll usually see about three updates on that about three a week. And then our SONAR heuristics and rule sets that can catch malicious programs by how they behave, those updates are more like three per quarter. So again, there are many technologies that will protect without any type of update, but it's still important to have all of these features. We talk about security being important to do in layers. And definitely the more you keep your client up to date, the more up to date those defenses are. So thankfully, your SEP environment will download the content updates automatically. And it's something that you normally don't have to worry about at all. Your SEP manager wants to check the Symantec Live Update web server every four hours by default to see if there's any new content, whether it's IPS signatures or virus definitions. And it will automatically download any new content and it will process it to distribute to clients. The default settings for environments of 500 clients or fewer include keeping 21 revisions of each of the types of Live Update content. And for virus and spyware protection, that's about a week's worth. If there's three a day, 21 revisions is about a week's worth. The reason that's important is we want our SEP clients to be able to download just what has changed since their last download of virus and spyware definitions or IPS signatures or what have you. 
And so they can receive just those delta files as long as they talk to their SEP manager before their local definitions are more than a week out of date because it has to do with how many revisions the SEP manager has because he won't be able to know what's changed if he doesn't have something to compare it with. And the other thing is that those endpoint clients can always get deltas from Symantec Live Update as long as the definitions are within a year. So obviously much, much bigger back-end on those public servers. And Windows machines again prefer to download their content directly from the SEP manager and they will do that automatically. The default configuration again for 500 clients or fewer means that those clients will usually get their content within 5 minutes of it being available on the SEP manager. And then your Mac clients are out of the box going to automatically know they should go to Symantec Live Update directly. So let's talk a bit about laptops. And actually do you see there's a question in the Q&A perfect because this is something that comes up quite a bit. So those roaming users, so again here's the default Live Update Settings policy. It's going to tell those Mac clients to check with Symantec Live Update every 4 hours which is perfect, no matter where they are they're going to get content. Windows clients normally get their new content from the SEP manager again within 5 minutes of it being available on the SEP manager. And Windows clients with the default settings will only check the Symantec Live Update servers if the user clicks the Live Update link in that client GUI, the client window if they open it up, double click on that shield in the system tray, or if definitions are more than 2 days out of date and the client hasn't communicated with the SEP manager for more than 8 hours. 
Now that's in there because a lot of organizations prefer their Windows clients to get their content from the SEP manager directly and not use that external link to the Internet unless it's absolutely necessary. So that is good. That is actually a very, very good configuration for your desktops and your servers and honestly for laptops that are on your internal network regularly whether physically or through a VPN. But as was brought up in Q&A, what about those folks that don't connect in very frequently? Well, my concern is those laptops are routinely going to be 2 days out of date then because they're not going to know that they're allowed to go talk to Symantec until they've been out of the office for at least 8 hours and their definitions are 2 days out of date. So my recommendation, and this is just as applicable to small environments as medium environments as large, as very large that you can uncheck. There's a setting called Idle Detection because it'll actually try to put off Live Update even though content is getting more and more out of date. If this option remains checked, which is the default, it'll wait until the machine is idle in order to do the Live Update connection and download new content. And unfortunately that's a problem for laptops because as you know laptops are rarely idle if they're actually on and not sleeping. So I always recommend uncheck that for laptops. And then you can either totally disable the Preventive Configuration, Live Update runs only if definitions are older than, just take that out of the equation, or modify the time frame to something more reasonable like 12 hours. And then either uncheck Live Update runs only if client is disconnected from the SEPM, 8 hours, and just uncheck that entirely to disable it, or modify the time frame down to something like 30 minutes. 
If you are using one policy for all of your machines, then I recommend just modifying the times, those time frames, because that's okay if you tell desktops and servers they can go to Live Update if SEPM isn't answering for 30 minutes because your default configuration is they're going to be in communication every 5 minutes so it's not a problem. And then again 12 hours, it would be very unusual for those internal clients to be 12 hours out of date with that on-network connection with the SEPM. But if you have the ability to put a completely custom policy on laptops then I would actually uncheck all three of those. So I'll show you where that is, or I hope to in a demonstration if I talk a little faster. I've got a couple more slides, but I intend to show you how to create a separate group for your laptops, how to create a custom policy, and how to assign that to that laptop's group. And oh, I just saw a comment. This is the Managed On-Prem version, yes. I actually haven't worked with the cloud-based version to be honest. So yeah, that's a very good point. Yes, this is the On-Premise version. So reports made easy. There are a number of predefined reports that are super easy to schedule and then have emailed out to yourself regularly and anyone else that you feel would be interested or has requested that kind of information, popular reports to run each day include the Administrator Daily Summary Report that is a default report that gets sent out to all Symantec Endpoint Protection system administrators. And then also really popular is the Infected and At Risk Computers Report and also the Site Status Report. The Site Status Report is especially important so that you stay on top of the health of your SEP Manager server itself. That report, I've had lots of feedback from SEP Admins over the years that that report has helped them identify an issue with failing hardware and other things of course that can happen to servers long before it became a problem. 
So nice to have that capability. So super easy to set up, super easy to run on demand, and also you can have it scheduled to send to yourself each day. Popular Weekly Reports, the Executive Weekly Summary Report that is set up by default. What I like about that is it's not just an overview of the health of your environment which is important but also helps you keep track of your licensing. So you'll be able to see pretty quickly if you're approaching the limit of the number of licenses that you have or you're getting close to when they're going to expire, any of that crucial information is in there as well in that Weekly Report. Also a lot of times Admins like to stay on top of computers that didn't run scans, and also the Comprehensive Risk Report which really gives all possible information about any risky software or actual infections that have been identified and blocked in your environment. All right, so before I go into the demonstration portion which I hope I have a few minutes, there's just one last thing again I wanted to make sure that you're aware. Symantec has a number of excellent online training resources that you can access completely for free. So Symantec Security Response, that's where you can educate yourself about the latest threats. Symantec Support has all of the product guides and lots and lots of KB articles, knowledge base articles which are of course rather technical but can give you all the details you've ever wanted to know about various features of SEP and various ways of dealing with different sorts of custom scenarios. Symantec Connect, that's our user forums and also Symantec employees and support folks also contribute articles there. We have our Symantec blogs there as well. But I like to encourage everyone who works with the product don't be afraid of going in the forums. I do recommend doing a search first to do a keyword search. In fact, I'll probably demonstrate that here in a little bit. 
But there's a lot of very useful information right there in the forums and I encourage everyone as well to ask questions. There are so many helpful people in these forums. It's a very helpful community and so you'll have peers of yours, other folks that have used SEP for years. I've been using it for nine years but I don't pretend to know everything. I haven't lived in every possible scenario but on our forums you can see representation about a lot of different situations and how people approached it. So great place to spend some time asking questions and seeing what other answers are already in there. And then the Symantec eLibrary, this is our official source for recorded trainings. And many of the courses that I teach, the full retail price, I don't even know what it is exactly, but let's say it's like $1,000 a day. I mean these are not cheap trainings and of course there's a lot of benefit of course to having a live instructor and access to a hands-on lab environment and we do have an excellent lab environment. But the amazing thing is that most of the courses, most of the materials have been recorded. So at least the presentation portion has been recorded and is accessible for free through the Symantec eLibrary. So I put the link that will direct you to information. Our eLibrary actually moved but you'll get the most information about how to access the new location by using that link there. And if you want to see a detailed description of all of the eLibrary recordings and more detailed information about the topics that are covered in each recording for SEP specifically, please check out this new web page that a dear colleague of mine put on there a few weeks ago, info 4360. And then you might not be aware but Symantec has our own channel at YouTube and you can subscribe to that and find out about the latest. We have all kinds of great recordings from amazing engineers and product managers across all of our product portfolio.
So I hope you have a chance to check that out. So that's actually the end of my official presentation. There's my contact information, sherry underscore nickels at Symantec.com. I absolutely love helping people get the very most out of their Symantec products. And I love this product. Like I said, I've been working with it for 9 years now and I'm always open for questions. I want to help any way that I can. So don't hesitate to reach out to me directly if you have a question. So would this be a good spot then to switch over? I think to the demonstration. I think I have a few minutes, maybe 5 minutes. Absolutely. So I will share my, click the right box. And again, I just think it's so important to show the relatively straightforward things like creating a new group. For those of you that haven't seen it before, this is your Symantec Endpoint Protection Manager console. That first home page gives you a nice overview of the overall health status. And what you want to see is that friendly green check mark that everything is good. And if you see anything that says it's not good, you can click View Details and find out why. What is it that's failing? Now in my very small little demo environment, I only have three endpoints. But thankfully all three of them are up-to-date and I can see the latest revision of definitions available at Symantec and then I can see that my SEPM has the latest and greatest. I also have links I can go directly to Symantec Security Response. I can go to a link for the latest security news and again, lots of great information there. So what I wanted to start out showing folks though, every Symantec customer anywhere who installs on-premise SEP has this My Company level at the top and then Default Group. And the thing about SEP clients is the configuration is completely determined by the SEP groups that they're in. And a client can only be in one group.
So this means that all three of my clients currently have identical configurations because they're in that same Default Group. And if I want to see what the configurations are, I can simply click on that Policies tab on the right side. And I can see the names of the Virus and Spyware Protection policy which is the balanced policy, the spiral policy and so on. And all of these are the actual default policies that are installed automatically out of the box. I wanted to show you this because you can go in to individual policies by clicking on the name and looking at them. And you'll see things like the schedule options that I talked about, idle detection is set, and live update which means going and contacting the Symantec live update server on the Internet. Again, that's restricted from running until the client is disconnected from SEPM for more than eight hours and so on. Well, you'll notice I can't edit the policy on this page. And there's two reasons for that. One is that this group is inheriting its configuration from the level above it which in this case is My Company. So if I wanted to customize the configuration, I would have to first uncheck the box. Normally though we leave the default group with those vanilla default policies. So if we wanted to, like I said, let's say my Client Workstation 1 is a laptop, notice I could change the view and see more information about the machines. So client system information, that's where I can see operating system. So let's say my, this Workstation 1 is a laptop and I want to give it a different configuration. So today even when it's sitting in the coffee shop, I can add a new group. I'm going to call it Laptops. Honestly, make those names as useful as possible. And notice that it has the exact same configuration. And so I've created a new group. There's no clients in it yet. It's really smart to do your configuration before you move the clients into the group. So the thing I want to customize is a policy.
I'm going to do that from the policies page. And I'm going to select the Live Update Policy Type. And there's one in there. Now from here we could change it. We could edit it for everyone. And if you're not sure who's going to be affected, click the View tab. And I'll show you a trick here. I really like the List View. For me this is easier to read and understand than that Tree View for some reason. Maybe that's just me. But I really like that List View. So any changes I make to this policy will affect everyone in the default group and the Laptops group because this policy is assigned to both. So I don't actually want to do that. What I want to do is copy this and use this as my starting point. And I did that by right-clicking and selecting Copy. But you also can use the task. And I could right-click and say Paste, or I can use the task Paste a Policy. And now notice on the right-hand side, Location Use 0. It's not assigned to anybody yet. I can double-click or right-click Edit. And I can modify it now. And so this one is the policy I intend to assign to my Laptops. And so it's a really smart idea to add that information in the description field and/or make sure that the policy name is really clear. And then I'll leave the server settings where they are. The default settings are great. But under Scheduling, I'm going to uncheck that idle detection, because Laptops are not idle usually, otherwise they are sleeping or hibernating. And then the options for skipping live update, I'm actually going to change this. So it's not going to wait regarding how out of date the definitions are. But I will have it wait and only run if the client has been disconnected from the SEPM for let's say 30 minutes. And that will be enough to, there we go. That will be enough to make sure that Laptops that happen to be on the VPN or actually at the office won't use the Internet. They can just pull directly from their SEP Manager.
But after 30 minutes of being off the internal network, then they'll know they're able to go out to live update. And by default, they're going to go at this top, the frequency here, they're going to go out every 4 hours. So that's what you want. That's what you want your Laptop users to be able to do. So now we just need to assign it. And I recommend assigning policies actually from the Clients page. There's two ways to do it. From the Policies page, I could highlight that policy and I could say assign it. And then I get this tree and I could try checking on things. But you'll notice I try to check on Laptops. It won't let me. That's because there's this box, inherit policies from My Company. And that means that everything here is locked to the same settings as My Company. I could change the stuff at My Company, but that would change it for everybody. So it's better to uncheck this box. Now you can customize. Nothing has changed actually except now I have the ability to change a setting if I want to. And the one thing that I want to change for sure is I want to replace the LiveUpdateSettings policy here. And I want to use the Laptops policy instead. So I just say replace, select from the dropdown, the policy that I just created, and I say okay. So step 3 then is I got to make sure that the clients know that they're supposed to enforce the laptop configuration now. So I'll find them, whatever method you use. Sometimes it's a naming convention, sometimes it's other things. But you can actually just right-click the client and say move, select the new group, and say okay. And then within 5 minutes by default in these smaller environments, 500 clients and fewer, within 5 minutes this client will receive the information that his configuration has changed. And so it will no longer be in danger of being 2 days out of date for no good reason. Great. I just want to give you another minute to wrap this up because we have got a lot of questions, folks are so engaged. Excellent.
I'll give you another minute to wrap that up. That's good. I was just going to say this is where I could leave the demonstration window open or should I just go back and so I can read the chat. Let me see what would be the best way to answer questions. I'm just wondering if some of the answers might be faster in the demo. So Sherry, I'm actually going to look through the chat for the questions. Thank you for that amazing presentation. So now I'm going to go through the questions. We only probably have time for about three or so questions. So the first question that is proposed in the chat states, will Symantec protect against ransomware? Yes. Yes, absolutely. Now there are numerous kinds of threats and criminals are getting sneakier all the time. But we have a lot of different technologies that work against ransomware. And again those links to get details about the protection against the WannaCry ransomware attack and the Petya attacks, I think we're distributing those links and people can read up more about it. We even have a white paper about protecting against ransomware on our white paper site. Okay, great. The next question is, this is a little bit of a complex question. It states, does the AV authenticate the AV license from the manager or directly from the web? So for example, in a case of a subscription renews, how does the client know? Okay, yep. So the license, let me show that in the interface. So on the admin page, you select the Licenses blade at the bottom there. That's where you can see where your official licensing is. Like in my demo environment, I'm just using a trial license and there's this warning it's going to expire at 9.22. And part of that weekly executive status report will let people know are they running out of time? Are they over deployed? They only have a license for 50 and they're trying to install 51 or 52, two more clients.
So what happens is the client receives what's called a client authentication token when it talks with the SEPM. And when the licenses expire for enterprise like this in SEP, you actually do have a grace period. So those clients will still be able to get live update content. But if you over deploy, those clients won't. They won't get their content updates. So they won't receive that client authentication token. So what you can do is you can, and if it's a trial license like this, they will just stop. They won't go beyond the expiration date. So what you can do is just click on Activate License and then use a serial number if you have that from your rep or a Symantec license file and you can import that. And that will activate the licenses again for a certain license count and a certain licensing period. And then the clients will, when they check in with SEPM, they'll receive a refreshed client authentication token to update themselves. Okay, great. Another question that I have here in the chat is, it states, is there an easy way to export the list of protected computers? Oh yes, that's a great question. On the Reports page, under Quick Reports, there is, let me see if I can remember, sometimes I have to poke around too. So I think that one's under Computer Status. It's something like client list. It might be client inventory details. Let's take a look at it. Create Report. Yep, that's your list. Computer Name, Health, Version, Definition Date. Okay, great. Thank you for that excellent demo. The next question I have is, what is PowerShell Scripts? Oh, PowerShell Scripts, great question. So it's one of those things. They're frequently used for legitimate administrative work for IT administration, but they're built into Windows operating systems is what it comes down to. And they're very, very powerful.
PowerShell is a really powerful scripting language that can be used, again, for beneficial reasons by legitimate users like IT administrators that can also be used by cyber criminals to steal things and infect computers. And the Blue Coat Sandbox, you're probably aware Symantec and Blue Coat merged last year, actually almost exactly this time last year. And they found in their ProxySG and probably actually additional products now that they think about it, the Blue Coat Sandbox, they found that 95% of the scripts that were trying to execute PowerShell across the network were actually malicious. So again, it's kind of like the Command Prompt if you remember that, like the DOS prompt. PowerShell is actually slated to replace that Command Window entirely in the next couple of years from what I've read. Okay, well I have time for one more question. The last question is, how are your laptops connecting to SEPM? Okay, so the laptops, again, for the on-prem installation, meaning that the SEP Manager is on your internal network, those laptops are only going to connect to the SEPM when they actually connect to your network. So the user has to sign in with VPN or actually be in the office and plug in that Ethernet connection, that RJ45 cable into a port in the wall, or use Wi-Fi to be on the internal network. That's usually when those laptops check in with our on-prem. That's one of the benefits actually to our SEP Cloud is that it gives more visibility to those laptops that don't come onto the internal network very often because they can check in with SEPM on the Internet. Great. I guess we do have time for more questions. Also, here's another question. Can I monitor remote computers that are not normally connected to the corporate LAN, LAN? Yeah, so I do get that question quite a bit, not directly. So I actually also work with the Altiris product line, IT Management Suite, powered by Altiris, which has been a Symantec product for 10 years now.
And we do have with that, we do have cloud monitoring, cloud connection capabilities, so we can monitor endpoints through that. But SEP itself doesn't have that with those on-prem installations. So again, that's where a hybrid kind of install where you use SEP Cloud can help you monitor those endpoints that just don't check in with your internal server very often. Great. And the questions just keep rolling in. The next question is, and it's a statement and a question, all I see in LiveUpdate policy for Windows is schedule, no server settings or advanced. Okay. So let's just open up that default policy. So under Windows Settings, you just see schedule, no server settings or advanced. That's a new one on me. I'll be honest. I don't know what would cause that actually. And if it's in the SEP Manager console, if you have the ability to look at the policy, you should have the ability to see all those pages. So yeah, that's a puzzle. That's a puzzle to me. I don't have an answer for that. And we'll take that offline if we need to figure out more information for that customer. So the final question is SEP or SEP, what now people call machine learning antivirus? Yes, with 14 we do have machine learning built into the client as well as all kinds of amazing machine learning techniques that have been used by Symantec Labs actually for years in the cloud. So we have both ends. We've had the massive analysis of big data from something like 175 million endpoints around the globe send their data feeds to Symantec and it all gets analyzed. So we have it on the cloud side and also now with 14 advanced machine learning capabilities on the endpoint itself directly. So it can identify completely new malware that's never been invented before based on its characteristics and attributes.
And it's hard to explain, but I like to, real quick explanation, I like to think of it as you're teaching the robot in your house, you're teaching the robot how to distinguish a skunk from the cats and dogs that are supposed to be in there because we want to remove that skunk before it can do any harm or spray things and make things bad, smell bad and everything else. So advanced machine learning has lots and lots of examples of legitimate cats and dogs as well as lots of examples of skunks and it actually teaches itself over time. So even if there's a new breed of skunk it's going to find it and give it the boot. Great, thanks so much. And thank you so much for having me. This has been fun. I hope it's been helpful for everyone. And the other thing is we still have a few more questions and I'm going to chat out your email for folks to connect with you directly so that if they have questions that we haven't been able to answer that you would be able to receive those. And we have about exactly 60 seconds left so very quickly. There's a lot I learned, first of all, how to "SEPM," you know, or "SEP." That's amazing. Now I will say I'm knowledgeable when I use that term, so thanks for that. And everyone else, chat in one thing that you learned or that you're going to share as I go through our end slides. Because I can tell you I could probably fill up that chat box with things I learned today. Amazing. We do have courses and lots of things that you can look at. We have some free courses online at our TechSoup courses. We will chat out that link to you so you can check out those courses. Also, we've got lots of upcoming events. We do want to let you know we have a special library event from Archive-It. And it's about saving our site. There's a special grant, an IMLS grant that they're going to be talking about. We'll also have a TechSoup tour and also Excel for the very beginner. So join us back in August. We hope you do. And I also wanted to say, Sherry, amazing job.
Like I said, I learned so much in addition to being able to pronounce all of these things properly. And I really think this is a great start. And we would of course love to hear more. You've been amazing to work with. And thank you so much for your time in preparing this presentation and dedicating the time today. Also a huge thanks to Alicia on the back end for chatting out things and also queuing the questions for Sherry to answer. Allison, thanks so much for being on the back end to answer TechSoup product questions. And most importantly, I want to thank everyone that's on this call. You've spent an hour with us. We know how valuable your time is in nonprofit and library land. So Sherry, thank you so much. We hope that we can host you again on another event. Everyone loved your voice and loved your presentation. Well, I would love to come back. So thank you so much for the invite. Great. And again, thanks to ReadyTalk for our sponsor. Have a great day, everyone.