As a prospective customer for Symantec Advanced Threat Protection (ATP) Platform, you seek to raise a test environment before you receive a POC visit from Symantec Sales or a Symantec partner.
What is an ATP Endpoint only test environment?
In early stages of developing ATP, ATP Endpoint was originally a separate codebase and had a separate beta program from ATP:Network. Starting with ATP Platform 2.0, ATP Endpoint and ATP Network are integrated as ATP Platform. To implement ATP Platform with only ATP Endpoint functions, deploy ATP Platform in its "Management Server" role. As an ATP Endpoint only implementation, ATP Platform can...
- permit an administrator to practice associating the linkage between ATP Platform 3.2.0 and SEPM 14.2, including handling certificates and deployment of the Log Collection Platform onto the SEPM machine.
- function as an Insight Proxy or Insight Shared Cache for Symantec Endpoint Protection (SEP) 14.2 clients. This feature permits ATP to whitelist or blacklist SHA-256 hashes when SEP clients send Insight queries to ATP Management Server or ATP AllInOne.
- blacklist files by MD5 hashes through sending a blacklist command to Symantec Endpoint Protection Manager (SEPM), which relays the blacklist entry to SEP clients.
- request a suspicious file from a SEP endpoint via SEPM, then submit the suspicious file to the third party VirusTotal site for a quick crosscheck, to the Cynic sandbox service for execution on physical hardware, or to a local CAS/MA appliance for sandbox analysis.
- isolate SEP clients from the network by sending an isolate command to the client via SEPM. The Isolate feature requires Host Integrity policy within SEPM, and IPS enabled on the target SEP client.
- correlate SEP client detection events. Correlating events typically requires configuring one or more connections to SEPM databases. In a full-scale POC or test environment, enabling the EDR 2.0 feature to permit ATP to collect detailed event data directly from SEP clients requires adding an additional virtual drive with 1.0-2.0 TB of free space.
What are the steps for implementing ATP Platform as an ATP Endpoint only configuration?
- Download the ATP Platform 2.0 software from the ATP trial ware site as both OVA and ISO. You'll need the ISO later once you progress past the POC stage and implement on actual hardware. The trial ware location for downloading ATP Platform is here: https://www4.symantec.com/Vrt/offer?a_id=196760
- When you receive the Trial ware license via email, save the archive containing the Trial ware license to a local filesystem
- Extract the Trial ware license from the archive.
- Confirm integrity of the downloaded OVA and ISO file by checking the file attributes (filename, MD5 hash, and file size in bytes).
- Within vSphere client (aka the vic), deploy the OVA as a guest machine.
- Start the ATP guest virtual machine.
- Open the virtual console for the ATP guest virtual machine.
- At the virtual console of the ATP guest machine, login with admin / symantec credentials and set a new password for the admin account.
- Complete the initial bootstrap process by selecting the "Management server" role and specifying networking information appropriate to your dev environment.
- With a web browser client, navigate to the user interface of ATP and login with the setup / symantec credentials.
- When inserting the license, remember to use the extracted Trial ware license and not the .zip container you received it in via email.
- Complete the initial setup wizard.
- Login with admin credentials.
- Create another ATP account with administrator credentials.
- In the Global settings of the ATP UI, enable Synapse correlation for SEPM.
- Configure a SEPM Database source. (See "About integrating ATP with Symantec Endpoint Protection" in the ATP 3.2 Administration Guide, here)
- Configure a SEPM Controller.
- (OPTIONAL) Apply certificates. (See HOWTO124427 for steps)
- Point one or more SEP clients to the ATP Management Server as a Shared Insight cache. (See HOWTO81121 for steps)
- Test by navigating to http://test.symantecatp.com using an internet browser client on one of the SEP clients and downloading one or more sample files. Note that the hash for cloudcar.exe changes each time you download it, permitting test of Cynic submission process.
What issues are commonly encountered during a setup of this type?
- Issue: ATP rejects the Trial ware license when inserting the .zip file
Solution: Extract it first
- Issue: After deploying ATP VE, bootstrap fails to raise the management interface
Solution: Download the Trial ware OVA again and confirm the file attributes of the file received.
- Issue: While deploying the OVA, ESX reports that all three interfaces are on the same network
Solution: Place the management interface on a network that can communicate with both the internet and the SEPM server. Place the other interfaces on a network with no other connectivity. Continue to deploy, ignoring further warnings from ESX that the other two interfaces are on the same network.
What other Frequently Asked Questions (FAQs) have occurred with this sort of setup?