The Administrator Software Development Kit (ASDK) is a set of application programming interfaces (APIs) that access the functionality of Notification Server (NS), Task Server and various NS solutions. 

Connect Product page: Altiris Software Development Kit (ASDK)

• Support

Articles

8.5

• SMP - ASDK - 8.5
• SMP - ASDK - 8.5 RU2

• SMP - ASDK - Time Critical Management
• SMP - Patch Management - Disable Bulletins

8.1

• SMP - ASDK - Web Service - Update Resource Target

Earlier

• Workflow - SMP - ASDK - Asset Ownership

Help

[Install Drive]:\Program Files\Altiris\Altiris ASDK\Help

• ASDK##.chm
  • Where ## is the version number i.e. 8.5

To keep track of updates you can compare Web Service Methods using a tool I've written

• https://protirus.github.io/SMPWebServiceDiff/

Documentation

IT Management Suite (ITMS) 8.5 Documentation
https://support.symantec.com/en_US/article.DOC11076.html
DOC11076

Symantec™ IT Management Suite 8.5 RU1 Release Notes
https://support.symantec.com/en_US/article.DOC11313.html
DOC11313

Symantec™ IT Management Suite 8.5 RU2 Release Notes
https://support.symantec.com/en_US/article.DOC11423.html
DOC11423

 What’s New in this release?

• Microsoft Azure Sentinel (Log Anaytics) Forwarder
  
  • Business Value:  Enables customers to forward their events to Microsoft's cloud based SIEM for storage and analytics
• Symantec Threat Hunting Center (Anomali Enterprise) Forwarder
  
  • Business Value:   Forwards observable's  to Symantec Threat Hunting Center  that  is used for  threat hunting in real-time and retrospective
• Installer improvements
• Internal diagnostics tool improved

Download Instructions

https://support.symantec.com/en_US/article.TECH253299.html

We are in the planning stages for our next Dallas Security User Group Meeting!

We are looking for anyone who would be willing to be a Customer Speaker and talk about their own implementation of Symantec Products or Integrations or Tips & Tricks of what you have learned about your experience with Symantec products.  No prior speaking experience required and we do have perks for speakers!

Comment below or reach out directly to me, Kristen Krepich

We are in the planning stages for our next New York DLP User Group Meeting!

We would love to hear your feedback on discussion and speaker topics, please comment below or take our poll HERE

We are also looking for anyone who would be willing to be a Customer Speaker and talk about their own implementation of DLP or Tips & Tricks of what you have learned about your experience with DLP.  No prior speaking experience required and we do have perks for speakers!

Comment below or reach out directly to me, Kristen Krepich

Did you know Symantec has refreshed their Support page https://support.symantec.com ?

It’s cleaner. It’s sleeker looking. It’s simple on your eyes. And, get this, it has its own Enterprise Support Virtual Agent! You ask questions and it will find the answers & resources for you. How cool is this?!

On the front page, you will have instant access to the Current Issue page, where it lists oany known issue with the Symantec products that may impact you.

Then you also have the How-To and Getting Started Guides if you have recently installed a new product and you needed some help/further details.

Underneath these boxes, you also have access to other pages as well, like Documentation, MySymantec, Symantec Status, Contact Support and much more.

Let’s check it out at https://support.symantec.com !

What do you think of the new support pages?

There's times you wish to get data from the SMP but don't have access to the DB.

Instead you could create a Report that contains this data then use the Report Management Web Services to retrieve this data.

One extra option to make the Report more useful is to add parameters so you can pre-filter the data.

I've created a simple report that returns the UserGuid based on a username search.

SELECT 
  [Guid] AS [UserGuid] 
FROM 
  [vUser]
WHERE 
  Name LIKE '%' + '%UserName%' + '%'

We can use the ReportManagement WebService to achieve this.

• http://localhost/altiris/asdk.ns/ReportManagementService.asmx?op=RunRepo...

You can see the SOAP request on the webpage

POST /altiris/asdk.ns/ReportManagementService.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://Altiris.ASDK.NS.com/RunReportWithParameters"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RunReportWithParameters xmlns="http://Altiris.ASDK.NS.com">
      <reportItemGuid>string</reportItemGuid>
      <nameValuePairs>string</nameValuePairs>
    </RunReportWithParameters>
  </soap:Body>
</soap:Envelope>

Response

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RunReportWithParametersResponse xmlns="http://Altiris.ASDK.NS.com">
      <RunReportWithParametersResult>xml</RunReportWithParametersResult>
    </RunReportWithParametersResponse>
  </soap:Body>
</soap:Envelope>

If you are on the  SMP server you can test it out.

Get the ReportGuid from your  Report.

Then we need a "Name Value Pair" of our input:

UserName=Alex.Hedley

Output

<?xml version="1.0" encoding="UTF-8"?>
<NewDataSet>
    <xs:schema xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" 
        xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns="" id="NewDataSet">
        <xs:element msdata:UseCurrentLocale="true" msdata:IsDataSet="true" name="NewDataSet">
            <xs:complexType>-                <xs:choice maxOccurs="unbounded" minOccurs="0">
                    <xs:element name="Table">
                        <xs:complexType>
                            <xs:sequence>
                                <xs:element name="UserGuid" minOccurs="0" type="xs:string" msdata:DataType="System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                            </xs:sequence>
                        </xs:complexType>
                    </xs:element>
                </xs:choice>
            </xs:complexType>
        </xs:element>
    </xs:schema>
    <Table>
        <UserGuid>23f904fe-a273-47e1-a48f-2cf08aa6bbc3</UserGuid>
    </Table>
</NewDataSet>

As you can see we get a Table that contains the Rows brought back from the SQL we wrote above.

<Table>
    <UserGuid>23f904fe-a273-47e1-a48f-2cf08aa6bbc3</UserGuid>
</Table>

Now create a script to get this data remotely, lets use PowerShell

Replace the ## with the values you'd need.

$smpServer = "#SERVERNAME#"
$UserName = "#USERNAME#"

$reportItemGuid = '#00000000-0000-0000-0000-000000000000#' #UserInfo
$params = "UserName=$UserName"

$where = "http://$smpServer/altiris/asdk.ns/ReportManagementService.asmx"
            
$ws = New-WebServiceProxy -uri $where -UseDefaultCredential

$wsResult = $ws.RunReportWithParameters($reportItemGuid, $params)
if ($wsResult.Errors.length -gt 0){
    $result = $wsResult.Errors[0]
}
else
{     
    $result = $wsResult.Table
}
$result

And then the output

UserGuid                            
--------                            
00000000-0000-0000-0000-000000000000

And now we have a way to get data from Altiris with any inputs we need.

Aka

How Sales & Marketing Supports IT & Cloud Security

Hello again! This is another episode breakout from our hit whitepaper, How to Implement a Cloud Center of Excellence (or CCoE). Somewhere between requesting a Shadow IT Assessment and running a full-time CCoE there’s a moment where the CASB Administrator or IT/Security Manager needs to sit down and educate the stakeholders – which means assigning cloud application owners outside of IT, Dev, Engineering, etc. Today we’ll look at Marketing.

Let’s say I’m the Chief Marketing Officer of my enterprise, a global security company. I own a budget and manage multiple teams and their managers, including Direct Marketing, Field Marketing, Events teams, and Product Marketing Management. Each one of those teams has their own technology stack, and can include use of central CRM tools, ticketing tools, storage repositories, document sharing and collaboration, project tracking, and more. During my tenure, I’ve let each marketing director determine the tools and cloud services their team needs to do the best job possible – and I’ve never imposed rules or guidelines on which to use because I’ve relied on them to pick the best tools for their teams.

Many enterprises don’t realize how large their marketing stack is – or maybe the first inkling of the stack size and content was when the legal team sat down and worked with marketing for GDPR compliance, and reviewed contracts for each vendor to determine which could hold EU customer data. Sometimes this, too, can be delegated to the managers underneath the CMO. But marketing has been summoned to be part of the CCoE for our organization, and to represent as owners for Marketing cloud apps and services. That’s why I’m a stakeholder in the CCoE.

The two primary concerns I usually have are budget (can I consolidate and reduce cost by eliminating redundancy?) and business continuity (can my people still perform their jobs effectively?) in support of building pipeline and sales enablement. I’m therefore interested in looking at categories of tools found by my cloud access security broker’s Shadow IT report.

In the RACI matrix of responsibilities, I am the Functional Manager for Marketing. This means I will be consulted on reviews and policies, and responsible for our marketing stack ownership and responses. Exhibit A here for where Functional Managers sit:

According to the Shadow IT report I have been shown (in this hypothetical exercise), my team uses the following Project Management tools:

I can see right away that this needs attention and a decision – this could be a prime time to migrate all of my teams to the same project management tool to save money. (Especially if we have licensed multiple versions in different parts of my organization.) Or, if there are necessary features missing in the tool with the highest business readiness rating (BRR), I will still ask the CASB Administrator to mark Sanctioned vs Unsanctioned/Provisionally Approved. I can also request a list of users and assign their manager the task of determining which alternatives are going to be our official tool. Or, better yet, investigate other online project tools.

If the teams start a trial with a new project management service/app, I’ll get that vendor’s BRR in next month’s meeting to determine if it’s a more secure option along with a report on features and usefulness by the entire marketing department.

For the next category "File Sharing" which my team uses, there is a shorter list from our CloudSOC Shadow IT Audit report:

Citrix is the clear winner for BRR security scoring, and the most-used app on my team. I ask the CASB Administrator about who is using the other two services. They tell me that these are not being used by my team at all, and haven't been used recently by engineering, either.

I’ll tell the CASB Admin to go ahead and block the other two options in 3 weeks – after I send out my next team communication and add a note to the All Hands communication our executives are planning. It’s always important to give at least two-weeks’ warning before shutting off access to any service. That gives the team time to pull their files down and migrate to a better system – just in case they were using the apps in coordination with another part of the organization.

Communication is the key here.

In terms of time, I’ll attend the CCoE meeting once a month to get started, moving to once a quarter after the first six months; an hour is not too much time to dedicate to shutting down services we are not using, possibly saving money that can go back into my budget. In the end, if someone on the marketing team causes a breach, it will come back to my doorstep. Participation on the CCoE keeps me informed and aware of what IT and Security messages need to come back to my part of the organization.

Your turn!

Many Corporate environments have a security setup on the local network. One of the frequently used deployment scenarios includes Proxy Server on the way to the internet to control, or monitor, outbound traffic.

Traffic secured by Secure Access Cloud has no essential reason to pass through SWGs or Proxy Servers, since the auditing done by Secure Access Cloud itself. Consequently, passing this data through the organizational proxy will not gain additional security value but will increase the resource requirements on the proxy server itself.

An additional reason to avoid passing Secure Access Cloud traffic through a Proxy is certificate-based trust. In order to keep the commination secured the SWGs or Proxy Servers will have to be authenticated with their own certificate. This will prevent Secure Access Cloud to authenticate connectors placed behind the Proxy with its unique certificate to guarantee the connector identification.

Getting a more detailed look on a topology, it would be recommended to allow connectors a direct outbound connection to Secure Access Cloud Front End URLs specified below by defining relevant Firewall rules:

• US tenants: https://download.us-west-2.luminatesec.com/public-ips
• EU tenants: https://download.eu-west-1.luminatesec.com/public-ips

Note: In some cases, the IP addresses of the Secure Access Cloud may change, hence its recommended to use URLs for the firewall rules.

However, due to the different constraints & considerations (such as the inability to configure Firewall exclusions), some organizations prefer to keep the Proxy Server for the whole organization’s traffic.

The example in the picture below describes the scenario where one application (app1.tenant.com) secured by Secure Access Cloud & Firewall is assumed to provide connectivity from the Proxy Server only:

Symantec Secure Access Cloud fully supports this topology, by setting Proxy parameters as part of the Site Provisioning process.

Configuration steps for Proxy Use Case

Proxy Server configurations placed on a Site level and applied to all Site connectors once saved.

1. As a first step switch the “Use a Proxy Server for outbound connection” toggle button to “On” state
2. Proxy Server URI should be set
3. Set Proxy username and password (if needed)

Note 1:

The Proxy configuration support requires 2.6.3 connector version and up. Please upgrade your connector appropriately to allow the functionality.

Note 2:

Proxy configuration takes effect as part of connectors provisioning process only. Such in case any Proxy configuration (including on/off) need to be changed, you will be asked to re-deploy connectors, while you can keep the other Site configurations

When you have connectors, which weren’t deployed with the new configuration, you will have the following indicative warning:

    Advanced threat protection levels represent a fundamental role in securing the volume of information in companies in such a competitive market businesses are constantly looking to improve security by implementing New strategies which are just and necessary even if the goal is to be aware of cyber attacks that are recorded daily with new malicious elements. It is more than clear that one of the most sought after targets for threats are the endpoints that somehow or other keep these remote attacks as best as possible or neutralizes momentarily.

    The objective of this article has the technical and specific purpose of explaining how Symantec Endpoint Detection and response should be used to avoid activating the blocking of new threats and neutralising them in real time.

    ¿Is it possible to stop the attack of these threats? Symantec's advanced threat protection products are the solution to increase the control status of all suspicious activities to stop them on time and in this way to ensure success, these are the procedures that must be achieved to obtain the expected result.

                                                                                  Procedures

1. Start the search for threats, alerts, in a pane of more visibility after the automated responses a diagnosis begins and as a result a report to evaluate the situation and together a decision to treat the threat.
2. Revision and control of all the devices in search of additional threats that are part of a weak point and cause of the data leakage so it will be allowed to give a value more accurate to the weaknesses or vulnerablilidades with which the volume data are committed.
3. Continuous supervision of how the application maintains its behavior or if it generates some unexpected alteration outside the established parameters.
4. Each suspicious activity diagnosis must be carried out separately with the objective of elaborating a concrete report of the threats of each affected sector and then totaling a percentage of threats to the system by reinforcing security with extra tools that allow an immediate response to the problem.

    After having successfully performed the visualization, supervision, revision and control of all the devices that may be being infected by the thre ats is proceed to run SymantecEndPoint Detection, it is important to have the latest version because the upgrades have a higher response capacity and 3 times higher throughput.

                                                   It is advisable to run the attacks from the following order:

1. Elimination of threats in the cloud, here is the most information of the company therefore it is essential to execute the attack from the cloud.
2. Elimination of threats in devices, emails, and all vulnerable and infected areas.
3. Elimination of gaps that are the cause of infections as other endpoints and devices related to the problem.
4. Apply debugging throughout the system especially in the affected areas.

    The threats always are to the order of the day in indefinite hours so it is advisable to create a unit of backup of all the data of the different areas of the company and to replenish the loss of information that could have been cause of leakage or infection In addition to carry out a daily analysis after having executed the elimination of threats this will allow to make a more accurate forecast for the implementation of more Symantec tools that allow to make the process easier in the next threats and the Advanced Symantec Threat Protection system stands firm in eliminating all kinds of threats that put information and devices at risk.

Enhanced Console Views

The name has changed over time, initially being called the “Activity Center”. For ease of use I will refer to the Silverlight interface as ECV (Enhanced Console Views). This interface provides a fast, easy to use console that is reminiscent of Outlook®. It allows a user to quickly jump between common areas in the console, such as Policies, Computer lists, Software lists, Tasks and Jobs, etc. Due to the Silverlight technology, these sections are cached locally and take virtually no time to switch between after the initial load.

This console can be accessed via the following methods:

• Manage > Computers
• Manage > Software
• Manage > Jobs and Tasks
• Manage > Policies

There is one other method, but it will also open the Software Catalog interface within the Activity Center:

• Manage > Software Catalog

The following screenshot shows the layout, with the section Software selected:

Each of the sections highlighted above are also targeted using the Manage tab, but once you have the ECV loaded it is quicker to switch using the large buttons, and will keep each session active once loaded.

Each of the sections has its own features and options in the 3 main panes within the activity center. As this guide covers Software Management, I will focus on the Software section as shown in the above screenshot.

Software Categories

In the left-most pane a tree is split into categories. This allows ease of management and quick filtering. When a category is expanded on the left and a filter selected, the middle pane will list the applicable software. You can further filter the results using the search field at the top. Beyond that you see additional information or actions in the right pane, depending on what category on the left is chosen.

The following example shows a flow using this interface to interact with software that is configured to be rolled out via Software Management.

1. In the Symantec Management Console go to Manage > Software, or, if already in the ECV, click on the Software link in the lower left.
2. In the left pane select All Software Releases. This contains all deliverable software resources that are not of the types Update or Service Pack.
3. In the middle pane type “inventory plug-in for windows”. This should bring up the Inventory software component.
4. Now click on the Software Releases category. The difference is these will only display releases that a user has created, and not components provided out of box.
5. After clicking on one of your created software releases there are several items of details you can review from the right pane.
   1. Basic details – This provides you basic details about the software. Note that this is a flip-book pane and you can switch to other details, such as Packages and Command Lines.
   2. Computers with software installed – This lists all computers that have reported this software either through the Software Discovery process (Windows Add Remove Programs options shown in any Inventory Policy), or a Targeted Software Inventory Policy.

Where is my software?

There is a catch-all view to see all software components, regardless of state. This is under the All Software folder, listed as All Software Components. This should show all components, regardless of state, source, or any other filterable criteria.

Software Catalog

One area to view many of your Software Components is the Software Catalog. This can be accessed by going to Manage > Software Catalog. This opens an inset pane over the main Activity Center interface, as shown in this screenshot:

The left-hand side does not show all software. It shows software that is not either part of as Product listed on the right, or has not been manually assigned to the Unmanaged Software section. Software components will not be placed in Unmanaged Software except by manual steps completed by a user.

Drag and Drop

The Activity Center gives the option to use drag and drop. This works well for quick one-off deployments, enabling an administrator to drag a particular Software Component to a single computer. This also works dragging software to a predefined filter. The filters must show under User Created Resources within the All Computer Views section under Computers. There are some caveats to be aware of when using drag and drop with Software Management. Also there are some methods suggested when rolling out software in this manner.

The following walkthrough takes you through the process:

1. In the Symantec Management Console browse under Manage > Computers.
2. In the All Computers view, use the Search field to filter out until you have the computer desired.
3. Now click on the Software section to switch over to the Software section.
4. Highlight the Software Releases section in the left pane so all software that is deliverable is shown.
5. Use the search field to filter down until you select the software desired.
6. Once the software is highlighted, left-click and hold down on the icon to the left of the name.
7. The last computer view you had selected under the Computers section will fly out, as shown in this screenshot:
   
8. When you let go of the selected Software on top of the desired computer, you will get prompted for how you want to deliver the software, as shown:
   
9. The first option will deliver the software via a Managed Software Delivery Policy, while the second option will use a Quick Delivery Task.
10. As an alternative, if you wish to target a filter, instead of dragging the option to the computer list, drag the icon down to the section header for Software. Holding the pointer over this section will expand it, then allowing you to navigate through the User Created Resources. Hovering allows you to open subsections, etc.
11. Drop the software on the desired filter to complete the process.

NOTE! When you use this method a single Managed Software Delivery Policy is generated, along with a target for that one system. If this method is used a lot, the system will begin to be flooded with these one-off policy requests. This issue will be addressed in 7.1 SP2 where it will look for an already existing Managed Delivery Policy to service the request to avoid excessive duplicates.

Troubleshooting

This section covers troubleshooting for the Activity Center and functions surrounding it.

Cannot find Software

For this issue you can work around any filtering the activity center is doing by browsing to the following target in the console.

1. Load the Symantec Management Console under Manage > Software.
2. Browse under All Software > and select All Software Components.
3. Now use the search field to find the component you are looking for.

You can also use the Resources view that shows the organizational groups used by the Notification Server.

1. Load the Symantec Management Console under Manage > All Resources.
2. Browse under Default > All Resources > and select Software Component.
3. The search function can be used here to find the resource you want.

If the Software Component section doesn’t show up, click on the Default node and use the Edit function to add it to the list. This can be done for any organizational group that is filtered out of this view by default.

Managing Software Products

The emphasis on Software Components in 7.0 created some logistical or management nightmares when it came to tracking what software was out in the environment. By taking a step back to the Product level, most of these issues have been made moot. Software Components, whether captured during Inventory or created manually by an administrator, will now by manually or dynamically assigned to a Product. This removes any need to reconcile duplicate resources as the Product rules will automatically assign them to the correct Product.

Reviewing known Products

You can view Products under the Resources screens. The following provides the full steps of how to review Software Products:

1. 1. To view what Products are available, in the Symantec Management Console browse under Manage > All Resources > and select the “Default” node. The following steps will add the category if it is not already available in the tree list.
   2. In the right pane click the Filter… button.
   3. In the list, find the entry for Software Product and ensure it is checked, as shown in this screenshot:
      
2. 1. Click OK to add the category.
   2. In the resulting left-hand tree, browse under Default > All Resources > and select Software Product.
   3. You can now search through what Software Products are available.

Note that you cannot edit Products from this location. You can open Resource Manager, which will give you additional information than what is displayed in the grid. Products can be created and managed through Asset Management, or through the Software Catalog. Since not everyone will necessarily have Asset, I will focus on the Software Catalog.

To access the Software Catalog, in the Symantec Management Console browse under Manage > and select the Software Catalog. This will load the Catalog interface as a pop up window. Note that all active Products will be shown in the upper right pane, as shown in this screenshot:

From here you can assign, create, or edit Software Products using a simple UI provided by the Software Management Framework.

First, you can search for existing Software Products using the search field.

You will notice that not all Software Products are shown in this list. Only manageable Software Products will show. For a Product to be managed it needs to be associated with a Software Component.

Creating Software Products \ Identify Inventory

The Identify Inventory section provides you the filtering and parameters of what software will be included in the product. Each field will limit what is shown, so you must work through the values reported by inventory to find the optimized parameters. For example by putting 10.5, you will not include versions 10.4 or 10.6, only 10.5. If you want all 10 versions to be in the filter, only put version 10 in. The same goes for the Name and Company, so as you go through the steps below, be aware of the limiting function of any values put into the fields.

To create a Software Product, follow these steps. These steps can also be observed when editing a Software Product.

1. In the Symantec Management Console browse under Manage > and select Software Catalog.
2. When the Manage Software Catalog window appears, click on the Add Product button.
3. The top section of the dialog is for labeling and identification purposes. It will not be used when calculating or auto-assigning Software Components to the Product. Provide your Product’s details, as shown for an example in this screenshot:
   
4. Provide one or more values in the provided three fields. This will automatically search for Software Components that match the criteria, as shown in this example:
   
5. Note that it found one match based off the criteria I provided.
6. Check the box “Include components associated with other products” to ensure you are not missing components based on previous associations (whether made manually or automatically).
7. You should fine-tune the values so it includes, and excludes, the software resources you want. Review these examples:
   1. In the above example, if I only wanted the ActiveX components and not the actual flash player, I could change the Software name to: Adobe Flash Player 10 ActiveX.
   2. If I only wanted the 10.2 versions of the ActiveX to be associated here, I would change the Version value to 10.2, thus excluding any other 10.x versions.
   3. If Adobe had a release of this software that had a misspelling in the Company name (i.e. Addobe) I could remove the Company designation altogether, if I trust the other two criteria/values.
8. Click OK to make the change.
9. Note that the associations will be made immediately for the software that shows up in the lower list. When new software comes in that matches the criteria, the association is made during the following Scheduled Task:
   1. NS.Nightly schedule to associate Software components to software product…
10. Done!

Software "Identify Inventory" Filter.

Additional information on using the Identify Inventory filter fields:

Quotation marks limit your search to an exact match.

"Adobe Acrobat" =  EXACTMATCHAdobe Acrobat.

Omitting quotation marks allows for matching search text anywhere in a string.

Adobe Acrobat = LIKE Adobe Acrobat anywhere in the name.
You can use the following search operators to express various arguments:

OR
Use the Pipe ( | ) sign
This operator does not require leading spaces.
Adobe|Microsoft= software manufacturer LIKE Adobe ORLIKE Microsoft

AND
Use the Plus ( + ) sign
This operator requires a leading space.
Adobe+Microsoft= software manufacturer LIKE Adobe AND Microsoft

NOT
Use the Minus ( - ) sign
This operator requires a leading space.
-Adobe -Microsoft = software manufacturer NOT LIKE Adobe and NOT LIKE Microsoft

Once you have made the associations you are done as far as assigning Products go.

NOTE: It has been noted that only certain Products are displayed in this user interface. If a Product does not show up, it can only be modified if Asset is installed. If it doesn’t show in the list, it does not have enough criteria and a new one should be generated.

Software Inventory

In the Software Catalog Add Product interface the default tab is Identify inventory. The Inventory that this ties into is the Software Discovery module. This is captured during the Software Inventory Policies. The specific option within the Inventory Policy interface is shown in the screenshot below, namely Software – Windows Add/Remove Programs and UNIX/Linux/Mac software packages:

This is the process that provides the Inventory needed to make the associations between Software Components and Products.

Application Metering, Usage

The second tab in the Product field is for Application Metering or product usage. Follow these steps to enable this tracking based on the Inventory done:

Enable usage tracking option for the managed software product installed with an MSI-based installer

1. On the Meter / track usage tab, you can see that the Inventory Solution has already performed its 2-step software identification process. At least one software component in the software product has the association with a proper key program file under Programs. You need only to check Turn on metering / usage tracking for this software product.
   
2.  In the Count software as used if run in the last ... days box, type the number of days that meets your needs. Standard monitoring is for 90 days.
3. Click OK.

Enable usage tracking option for the managed software product at the component/version level

1. On the Meter / track usage tab, locate the software component that you want to meter and click Add Program.
   
2. In the Add Program dialog box, perform the following steps:
   1. Under Available programs, type in the name of the program file to filter the results.
   2. Select the correctprogram file and versionfrom the Available programs list.
   3. Click the arrow to move the selected program file to the Associated programs list.
   4. Click OK.
      
3. On the Meter / track usage tab, check Turn on metering / usage tracking for this software product.
   
4. In the Count software as used if run in the last ... days box, type the number of days that meets your needs. Standard monitoring is for 90 days.
5. Click OK.

Enable usage tracking option for the managed software product at the product level

1. On the Meter / track usage tab, locate the software component that you want to meter and click Add Program.
   
2. On the resulting window, locate the executable which is associated with this software component. In the Add Program dialog box, perform the following steps:
   1. Under Available programs, type in the name of the program file to filter the results.
   2. View all available program files that can be associated with the software component.
      
3. Because in this method we track usage at the product level, select all correct program files with all versions that you want to associate with the product version. In this case, all 9.x.x versions should be selected and associated as the product has version 9 in the Software Catalog. Use the arrow to move each selected program file to the Associated programs list. Click OK.
   
4. On the Meter / track usage tab, you can see that only one component has associations with program files.
   
5. This method lets you track usage of all the software components that are associated with the software product as long as at least one component has associations with all the correct versions of program files for the product version.
   
6. In the Count software as used if run in the last ... days box, type the number of days that meets your needs. Standard monitoring is for 90 days.
7. Click OK.

Troubleshooting

This section covers troubleshooting for the Software Products and functions surrounding it.

Software Components Missing

In the Inventory tab known software components are not showing in the list when they should be. The criteria matches for them to be included, but they do not show up.

Possible resolutions:

1. Check the box “Include components associated with other products” to ensure you are not missing components based on previous associations (whether made manually or automatically).
   
2. The component is considered “Hidden”.
   1. We key off of the following registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{053ACA98-6B07-4DD0-9DB3-F51E3EB1780C} (GUID will differ based on MSI Product code)
      VALUE: SystemComponent = anything not 0. Typically Windows will reserve this for OS related updates, and we filter these by default.
   2. Our value where we pick this up is in the dataclass:
      Inv_AddRemoveProgram – Column Hidden = 1.
   3. A background task will look for this and set the Inv_Software_Component_State column IsManaged to 0. This filters the software from the view.
   4. The best solution is to find out why the install is setting that key, and if it has been repackaged, change it so it does not set the SystemComponent registry key to anything other than 0.
3. The component does not contain Inventory. Any component that does not have inventory from at least one computer will not show up in the list. This includes components that once had inventory but no longer do. Also software releases created by Admins to roll software out may not have inventory relating to it, and may have a separate inventory-based component that the clients are reporting to.

Application Metering Finding the Right EXE

MSI based imports of Software Resources, and the inventory from MSI based installs are the easiest for us to automatically make EXE references for Application Metering to use. If this is not an option, it is best to include as many of the EXEs that we know about. Use this process to implement:

1. Edit the Software Resource (double-click or right-click, Actions > Edit Software Resource).
2. Under the file Inventory tab, click the Add button.
3. Click the Add dropdown button and select Server File…
   
4. Search for the file name. Use multi-select to select all of them. Note that these files are files that have been captured by Inventory, so should include all files of that name in your environment, at least from managed systems.
5. In this view you cannot select a version, but after you add all the files and click OK, you can see the size, as shown here:
   
6. If in doubt, add them all. We will be able to select which ones to use later.
7. Click OK to save the changes to the Software Resource.
8. Now go into the Software Product you wish to use (that contains the Software Component you edited). This can be done under Managed > Software Catalog.
9. Under the Metering tab, click on the Add Program link. The resulting window will show you the files you added, including the version (if applicable).
   
10. Add the files you need and click OK. These files will now be tracked as part of Usage Tracking.

General Configuration

For effective use of Software Management, it’s important to set all the general settings as needed for your environment. Though some of these settings won’t be known until later, I’ll cover all general settings for reference.

Software Library

The Software Library is a location where all Packages are stored (when Software Library is selected as the Package Source). The Software Library has two requirements before it can be used successfully. One is a one-time only setting, and the other is required on any system that needs to run the Console in conjunction with the Software Library.

1. Software Library Location – This should be a location that has a lot of storage, or at least sufficient storage for all packages to be managed within the infrastructure. To set the location, follow these steps:
   1. At the desired location where you wish to store the packages within the Software Library create a base folder. When packages are added they will be added to this folder as subfolders.
   2. The folder requires a share that the Application Identity can access (preferably all administrators on the system should have access). It is recommended to keep the share name short for ease of configuration.
   3. In the Symantec Management Console, browse under Settings > All Settings > Software > Software Catalog and Software Library Settings > Software Library Configuration, as shown below:
      
   4. Set the location as a UNC path to the desired location.
   5. Click Validate to ensure the path is set correctly. Reasons it may fail are:
      1. The Altiris Application ID, or the Account associated with NS, may not have rights to the UNC specified
      2. The UNC is not a valid share
      3. The UNC cannot be reached (DNS or other related network issues)

   6. Click Save changes to commit the settings once validated.

Note the timeout value set here. For very large packages we have seen instances where this value should be increased beyond the default 600. Also note that very large files can also reach the timeout value when importing into the library.

If your Software Library resides on the same disk as a Package Source, the files will be duplicated into the Software Library share, taking twice the necessary disk space. If the package is local to the Software Library, you can use a UNC Package Source as the source instead of the Software Library, or mount the package in another location to use as a source. The benefit for having a separate source outside of the library is for package integrity.

1. Importing many files and folders – The file picker does not allow to import more than one file at a time. To handle the import of many files and folders, compress the contents of the package into a single archive ZIP file. When importing into the Software Library, select the ZIP file and it will extract the contents into the Software Library.
2. Permissions – By default, we use the Application Identity credentials to access and manage the location of the Software Library. However, if the setting to use the Agent Connectivity Credentials is set, we will then use that account. The setting is found at Settings > Agents/Plug-ins > Symantec Management Agent > Settings > and select Global Agent Settings. Under the Authentication tab you can set a different user. This is the user that will be used by the SMP and agents to access package locations, including managing the Software Library. This account needs FULL access to the share that is the Software Library.

Software Management Plug-ins

There are four Plug-ins for Software Management. The first and second ones are automatically installed as part of the Symantec Management Agent. The first is called the Software Management Framework Plug-in (SMFAgent.dll). This one is used closely with the second plug-in, which is the base Software Management Agent. This allows all Solutions and the NS itself to make use of the Software deployment and management capabilities for the distribution of packages, policies, and certain task types.

To extend the functionality for use within the Software Management Solution, the Software Management Solution Plug-in needs to be installed. The last “Plug-in” is the configuration of the Software Portal interface.

The following procedure walks through configuring and pushing out the Software Management Solution Plug-in and the Software Portal Plug-in Policy:

1. In the Symantec Management Console, go to Settings > All Settings > Software > Software Portal Settings > and select Software Portal Settings.
2. You can change the background of the Portal, and change the logo used under the UI Settings.
3. Under the Publishing Settings, you have the option to disable the ability for users to request unlisted software. Many companies do not have someone review these, so disabling the option makes sense.
4. NOTE: The option “Allow software publishing across the following trusted domains:” is an essential option to use properly to avoid long portal load times. It is recommended to check the option and select the radial “Specific trusted domains”. Add a list of domains separated by commas, such as: Symantec, Altiris.
   
5. Under Delivery Settings, set a task timeout. This will be used for software that is directly published to the portal (not via a policy). Typically the timeout won’t have to be used, but just in case…
6. Use the E-mail notifications settings as needed.
7. In the Symantec Management Console, go to Settings > Agents and Plug-ins > All Agents and Plug-ins > Software > Software Management > Windows > and select Software Management Solution Agent for Windows – Install.
8. Normally the default filter suffices, but this can be changed at this time if required, as well as the schedule.
9. This Policy controls the rollout to ALL platforms, including Windows, Mac, Linux, and UNIX. If you wish to control the Plug-in rollout separately, the Filter needs to be changed to reflect which platform to target. You can clone the Policy and configure for another platform, etc.
   1. NOTE: It is not recommended to try and edit the existing filter, since that filter is used in other places. If you wish something different, create your own filter and add that as the target.
10. Enable the Policy and Save changes.
11. In the same folder, now select the Software Portal Client Access. This screenshot shows the policy:
    
12. Select the options for where you want the link for the Software Portal to appear. Options to consider are:
    1. If your Symantec Management Agent tray icon is hidden, uncheck the option for “Show link for Software Portal in Symantec Management Agent’s context menu”.
    2. The Start Menu is a popular choice as it’s out of the way but easily understood by typical end-users.
13. It is recommended to keep the current target as that enables the Software Portal on all Managed Systems.
14. Done! The Agent will now be deployed as the target computers check in for a new Configuration. As this is policy based it may take a number of hours for all machines to run the policy and install the Plug-in.

Licensing

Protection against unauthorized use is required for any Software Company. Licensing ensures that only authorized organizations (AKA those who have purchased) can use the software, and that they only use it within the scope of their license. While required in some form or another, it is not desired that licensing get in the way of successfully using the software if properly licensed. For the Software Management Framework, no license is required. For the Software Management Solution, a valid license must be installed in order to use it.

Software Management Solution counts licenses by the number of computers that have the Software Management Solution Plug-in installed. The count is figured off of the table Inv_AeX_AC_Client_Agent which Basic Inventory populates. The count is based off of the Agent Name: Software Management Solution Agent and the corresponding Agent Count column.

Keep a tab on how many computers have the Software Management Solution Plug-in installed. Visit SIM in the Licensing section, and ensure you don’t roll the Plug-in out to too many systems. If you need more licenses ensure you receive them and install them before you roll additional Plug-ins out. Note that licenses need to be combined as only one can be applied at any given time.

If your Software Management Solution license has been exceeded, the following action can be taken to free up licenses.

1. In the Symantec Management Console, go to Manage > Filters > Software Filters > Agent and Plug-in Filters > and select All Windows Computers with Software Management Solution Agent Installed.
2. Click Update membership to ensure the Filter is up to date.
3. In the list of computers, find those computers you wish to remove a Software Management License from. Make a list of these computers
   NOTE: If you wish to make a dynamic filter, then it is unnecessary to create a list.
4. In the Symantec Management Console, go to Settings > All Settings > Agents/Plug-ins > All Agents/Plug-ins > Software > Software Management > Windows > Software Management Solution Agent for Windows – Uninstall.
5. Under the Applied to section remove the default Filter by selecting it and clicking the red X delete button.
6. Now add the filter of the systems you wish to remove the Plug-in from. If it is a dynamic filter you’ve created, even better.
7. If you wish to use the list you acquired in step 3, follow these steps:
   1. Click Apply to > Targets.
   2. Click New > Target.
   3. Click Add Rule.
   4. Change Then to Exclude computers not in, and the next field to Computer List.
   5. Click the ellipses <…> at the end of the row to open the computer selection dialog.
   6. From the left-hand pane select the computers to remove the Plug-in from. Note that you can use the filter to find systems if you have a large list.
8. Add your selects by clicking the > button (or if you have filtered down to the list you wish, use the >> button). See this screenshot for a sample:
   
9. Click OK to apply the new filter.
10. Enable the policy, aka turn the policy to the ON status.
11. Click Save changes to save the application of the new filter.
12. Done!

13. As the targeted computers update their configuration, they will receive the new uninstall policy and remove the Plug-in. It then requires those targets to send an updated Basic Inventory. To finalize the process, the License Refresh must occur. The entire process can take time to propagate to all targeted systems.

Software Catalog

There are a number of other settings/configurations that can be utilized by the Software Catalog. The following items are available and can be used as desired. For most general use they do not necessarily require configuration beyond the defaults. To locate these items, in the Symantec Management Console go to Settings > All Settings > Software > Software Catalog and Software Library Settings.

Clean up File Resources – This is an automatic process that reconciles data captured from multiple computers to synchronize file resources, if needed.

Best Practices!: The results of Software Discovery, called Add Remove Programs data or Installed Software, may show incomplete data after machines have reported Inventory. If this occurs, manually run the Clean File Resources task to correct the problem.

Installation Error Code Descriptions – There is a large default list (600+ entries). Only if you wish to clarify specific errors or add your own should you use this feature. It can be nice is large environments where the IT professionals working on issues may benefit from more verbose error messages.

Known As – This allows catalog information to be correlated from Company Name to a corresponding resource. This also allows multiple versions of a company’s name to map to the same resource. For example:

• Microsoft > Microsoft
• Microsoft Inc. > Microsoft
• Microsoft Corp > Microsoft
• Microsoft Corporation > Microsoft

Also note that there is a Wildcard section to catch potential exceptions. Use “Microsoft” in the search field to see a list of those items already mapped.

Software Discovery – Software Discovery is executed by the Software Management Framework Agent (SMFAgent.dll), but is executed by Inventory Solution. Please see the Inventory Solution section of this document for more information. As a general rule, this built-in policy should be left disabled.

Troubleshooting

This section covers troubleshooting for the General Configuration Items and functions surrounding it.

Software Library Move

There may be a time when you need to move your Software Library. There are two ways to do this. The first is the built-in, easy way.

1. In the Symantec Management Console, browse under Settings > All Settings > Software > Software Catalog and Software Library Settings > Software Library Configuration.
2. In the field for the share, type in the new location you wish to move the Software Library to. Note that this share should have the same rights assignment as the existing one.
3. Click OK. You will receive a prompt on how you’d like to proceed.
   
4. Choose to Migrate existing packages. It is recommended not to select the option “Automatically delete old package files after migration” so that you have a backup should anything go amiss. You can delete the packages after you’ve manually inspected the move.
5. Click OK to begin the process:
   
6. When finished it will return to the main section with the message: Migration process completed successfully.

The second option is to manually move the packages to the new location (keeping the same folder structure as the previous share). Instead of choosing the top option, choose to “Change existing packages”. All packages from the previous location need to exist in the new location before this is done to ensure the process completes successfully.

Software Management Plug-in not upgrading

This is generally caused by the upgrading having run before, whether it was successful or not. You can solve this with one of the following ways:

• Add a repeating schedule (daily) to the upgrade policy. Clients who successfully upgrade will not try to rerun the policy as they will drop out of the filter and target, but this ensures if anyone ends up needing the upgrade again it will run.
• Clone the plug-in upgrade policy and target the systems that are not upgrading. If there is a target problem this will resolve it.

Component or Association missing

An issue after an install or upgrade appears when agents are not installing or upgrading their Inventory Plugins. This happens due to a condition where a configuration item gets dropped during the install / upgrade process. This might be the entire package configuration, or an association to it. In the logs the following error or one similar will appear when clients request their configuration:

"2/25/2011 11:01:16 AM","Unable to generate policy XML for item: 8592325b-1b4a-4cf4-8c46-c17a0ba564a2 **CEDUrlStart** :http://entced.symantec.com/entt?product=SMP&version=7.1.6797.0&language=en&module=qlub65YMYgWeGGssRthgvN1WHJjANnIAgZtUStOHQto=&error=862971658&build=**CEDUrlEnd** ( Exception Details: Altiris.NS.Exceptions.AeXException: Unable to build the client configuration XML for advertisement with guid {8592325b-1b4a-4cf4-8c46-c17a0ba564a2}. Reason: Did not get a row for Software Delivery Advertisement ""Inventory Plug-in - Install"", Guid = {8592325b-1b4a-4cf4-8c46-c17a0ba564a2} from the SWD tables. ---> Altiris.NS.Exceptions.AeXException: Did not get a row for Software Delivery Advertisement ""Inventory Plug-in - Install"", Guid = {8592325b-1b4a-4cf4-8c46-c17a0ba564a2} from the SWD tables. at Altiris.NS.StandardItems.SoftwareDelivery.AdvertisementItem.OnBuildClientConfigXml2(Guid workstationGuid, XmlNode requestDocumentElement, XmlTextWriter xmlBuilder) --- End of inner exception stack trace --- at Altiris.NS.StandardItems.SoftwareDelivery.AdvertisementItem.OnBuildClientConfigXml2(Guid workstationGuid, XmlNode requestDocumentElement, XmlTextWriter xmlBuilder) at Altiris.NS.StandardItems.Policies.ClientConfigPolicy.GetConfigXml(Guid resourceGuid, String requestXml) at Altiris.NS.AgentManagement.PolicyRequest.<>c__DisplayClass4.<LoadItemPolicy>b__0(IDatabaseContext ctx) at Altiris.Database.DatabaseContext`1.PerformWithDeadlockRetryHelper(Int32 retries, Boolean inTransaction, Getter`1 getContext, Action`1 action, Action`1 retry) at Altiris.Database.DatabaseContext`1.PerformWithDeadlockRetry(Int32 retries, Boolean startNewTransaction, IsolationLevel isolationLevel, Boolean independentContext, Action`1 action, Action`1 retry) at Altiris.Database.DatabaseContext`1.PerformWithDeadlockRetry(Int32 retries, Boolean startNewTransaction, Action`1 action, Action`1 retry) at Altiris.NS.ContextManagement.DatabaseContext.PerformWithDeadlockRetry(Int32 retries, Action`1 action, Action`1 retry) at Altiris.NS.AgentManagement.PolicyRequest.LoadItemPolicy(String request, Guid requestGuid, Guid resourceGuid, Guid hostGuid, Guid policyGuid, String& policy, String& policyHash, Guid& category, Int32& priority, Boolean& canCache, ISet`1& requiredPermissions, ISet`1& filterCollections) ) ( Exception logged from: at Altiris.Diagnostics.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception) at Altiris.NS.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception) at Altiris.NS.AgentManagement.PolicyRequest.LoadItemPolicy(String request, Guid requestGuid, Guid resourceGuid, Guid hostGuid, Guid policyGuid, String& policy, String& policyHash, Guid& category, Int32& priority, Boolean& canCache, ISet`1& requiredPermissions, ISet`1& filterCollections) at Altiris.NS.AgentManagement.PolicyRequest.LoadItemPolicies(String request, String configVers, Guid hostGuid, List`1 idents, SortedDictionary`2& policies, SortedDictionary`2& hashes) at Altiris.NS.AgentManagement.PolicyRequest.GetPolicies(String request) at Altiris.Web.NS.Agent.GetClientPolicies.ProcessRequest(String& request, Byte[]& clientConfigData, String& clientConfigXml, Boolean& compress) at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks) at System.Delegate.DynamicInvokeImpl(Object[] args) at Altiris.Common.Threading.LocalThreadPool.InvokeCallback(Object state) at Altiris.Common.Threading.LocalThreadPool.ExecuteUserWorkItem(UserWorkItem workItem)

at Altiris.NS.Threading.NSThreadPool.ExecuteUserWorkItem(UserWorkItem workItem) at System.Threading.ExecutionContext.runTryCode(Object userData) at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at Altiris.Common.Threading.LocalThreadPool.ExecuteUserWorkItemInContext(UserWorkItem workItem) at Altiris.Common.Threading.LocalThreadPool.ThreadPoolProc(Object threadStartParameter) at System.Threading.ThreadHelper.ThreadStart(Object obj) ) ( Extra Details: Type=Altiris.NS.Exceptions.AeXException Src=Altiris.NS.StandardItems Inner Extra Details: Type=Altiris.NS.Exceptions.AeXException Src=Altiris.NS.StandardItems )","Altiris.NS.AgentManagement.PolicyRequest.LoadItemPolicy","w3wp","37"

There are 3 ways to resolve this issue. Each subsequent method involves more work, so it is recommended to go through the easiest first, and only proceed if it does not work.

First Method

This method requires a working environment. Support can supply a working package to complete these steps.

1. In the Symantec Management Console browse under Manage > All Resources.
2. Browse in the right-hand pane under Default > All Resources > Package > Software Package.
3. In the search field in the right-pane, found in the upper right, type: Software Management
4. Find the Software Management Plug-in for Windows Package, right-click, and choose Export.
5. Save the file, and transport it to the Notification Server that is having the issue.
6. At the same location above, right-click on Software Package and select Import.
7. Browse to the file that was copied over in step 5.
8. Done! In many cases this resolves the issue.

Second Method

The second method does not require a working environment, but requires additional steps. It is recommended to take a backup for your database before using the second or third methods to resolve this issue. This is only a precaution, and I have not had issues with these methods in the past.

1. In the Symantec Management Console, browse under Settings > Console > Views.
2. In the left-hand pane browse under Software and select the Software Catalog.
3. In the search field in the right pane, located in the upper right, type Software Management
4. In this list, locate all versions for the Software Management Plug-in for Windows.
5. For any entry that shows a disk for the icon (seen in the screenshot for step 10) right-click and choose Delete.
6. Right-click on the resource that contain packages, shown as a different icon, and choose Properties.
7. Copy out the GUID listed for this resource.
8. Run the following query against the database, using the GUID found from step 7.
   UPDATE RM_ResourceSoftware_Release

SET Attributes = '0'

WHERE [Guid] = '80328534-9d5c-4343-bcad-bda7ecf9621f'

1. Reload the Symantec Management Console and browse back to the Software Catalog, using the search filter.
2. Right-click on the Software Resource for the Software Management Plug-in for Windows and choose Delete.
3. Make sure no Inventory (disk) or Release (computer with disk) plug-in items remain.
4. Open a command window (right-click, Run ad Administrator).
5. Browse to the following location where the platform is installed: \Program Files\Notification Server\Bin\
6. Now run the following command-line, NOTE that locations will need to be set to your install directories: C:\Program Files\Notification Server\Bin\AeXConfig.exe /configure “C:\Program Files\Altiris\SoftwareManagementSolution\Config\SoftwareManagementSolution.config”
7. To review the progress, open Log View and filter on “AeXConfig”. This will allow you to see the entries as the reconfigure is occurring.
8. Done! If this does not resolve the issue, the logs gathered during the reconfiguration are vital.

Third Method

The third method uses a more messy, dramatic approach. It also requires the steps used in the previous approach.

1. Walk through steps 1 through 11 of the Second method.
2. From the logs gathered during steps 12 through 16 of the second method, you’ll find an import error. This will include reference to the GUID found in step 8 of the second method. The key to this error is finding the other GUID in the error that causes the import to fail. Once that GUID is found, proceed. Message will state: “Unable to import resource (ref), a duplicate resource (ref) already exists”
3. Open the following URL, which is a search query to use: www.symantec.com/docs/HowTo1191
4. Paste the query into SQL Enterprise Manager. Change the GUID to the one found in the message to the location marked
   /* Enter Search Guid here */ /*

Last Revision: 3 August 2012

*/

set transaction isolation level read uncommitted

/* Declare variables */

declare @strSql nvarchar(max),

@searchguid uniqueidentifier,

@lowrow smallint,

@SrchEvtTables bit,

@SrchCharTypes bit,

@SrchTextTypes bit,

@CharTypeColName varchar(200)

/* Enter Search Guid here */

set @searchguid = ltrim(rtrim('3e71856b-aadb-48d8-8264-0b36d1aac224'))

/* Search Event Tables: If you wish to disable searching the event tables then set

@SrchEvtTables to 0. This option was added since the event tables can get quite large

and many of the guid columns in them are not indexed. Disabling this will speed up the

query in such cases (at the cost of not searching those tables).

(Enabled: 1, Disabled: 0) */

set @SrchEvtTables = 1

/* Search Character Type Columns: There are some columns in the database that hold GUIDs,

but the column is not a uniqueidentifier type (they have the GUID as a character string

instead). If you want to search character column types (char, nchar, varchar, and nvarchar) then you must set the @SrchCharTypes value to 1.

1. The results may take a minute or longer to complete. The last column contains Select statements. Select the entire column by clicking on the column header, and copy the data.
2. Paste the data into a new query window.
3. Hit Ctrl + H to bring up the find and replace window.
4. Search for: SELECT *
5. Replace with: DELETE
6. Once done, run the query to delete this object from the database’s tables.
7. Now run through steps 12 through 15 of the second method.
8. Done!

If the problem persists, please contact Symantec Support for assistance.

In the Security Analytics Central Manager, you can use Labels as a great way to tag, organize, and create useful groups of Security Analytics sensors for easier management and investigation.

Here’s an example. A multi-national company with multiple sensors around the world wants to group their Security Analytics sensors by geographic location. They have 10 sensors in Asia, 15 in the US, and 7 in Europe. With minimal work, Asia, US, and Europe labels can be added to the appropriate sensors to simplify management. By filtering on those labels, reporting, threat hunting, and sensor management is a breeze. Here are some quick steps to set it up:

1. From the Central Management Console (CMC), go to the Sensors tab and use the Actions menu.

2. Add one or more labels to any number of sensors. This allows easy and arbitrary groupings.

3. Once labeled, sensors can be filtered from the CMC menu or from the Advanced Filter

Additional documentation on CMC Labels is found under View Multiple Sensors.

https://origin-symwisedownload.symantec.com/resources/webguides/security_analytics/ENG/80/Content/_CMC/multiple-sensor_environment.htm#View_Multiple_Sensors

All labels can be accessed via the API as well. This allows for quick labeling of many sensors.

https://origin-symwisedownload.symantec.com/resources/webguides/security_analytics/ENG/80/Content/_Reference/api/apis/central-mgr-api.htm

Security Analytics systems are constantly monitoring for possible hardware problems. There is a daemon which provides an interface between the software side of the application and the hardware. When the hardware experiences a problem, the ‘hald’ daemon receives the message and passes it along to syslog. Syslog records it to /var/log/messages as well as sends the notification out to any

subscriptions that have been made, like communication to email or a syslog server. Be sure those notifications get to the right place because you want to know as quickly as possible if there is a hardware problem so it can be corrected.

One of those subscribers is our application, which updates the user interface with a short message in a pink banner at the top of the screen. The more recent releases of Security Analytics have a link in that pink banner to gather the pertinent logs and current software and hardware configuration so we may quickly diagnose the problem and get the right parts out to your site. As part of that dialogue, there is a chance to include the best shipping address. Please include the name of the company receiving the part and the best address, along with a contact name and phone number. Most data centers do not have a name on the outside of the building or do not match your company name. The contact name and number help get the part to the right person. The more accurate the information, the higher the success rate of getting the part to you in a timely fashion. Also, be sure to let us know if you desire to have a field technician replace the part, if included with your support contract. Most parts can be swapped while the hardware is up and running without interrupting your packet capture.

After installing Symantec Information Centric Analytics, there are several configuration settings that should be set to allow the product to perform optimally. Follow the best practices below just after you install the platform, and before you begin configuring integrations, to ensure you get the most out of Information Centric Analytics.

Analysis Services Database Configuration

There are some additional SQL Server Analysis Services setting that may help improve the performance of ICA.  Below are recommended configuration modifications:

1. Log in to Microsoft SQL Server Management Studio and connect to the Analysis Services database and ensure the following settings are configured within the General Settings properties (make sure that the Show Advanced option is selected in order to see all options listed below):

SQL Server Settings

There are some additional SQL Server settings that may help improve the performance of ICA.  Below are recommended configuration modifications:

Remote Server Connections

1. Open SQL Management Studio

2. Connect to the ICA database server using SQL Management Studio

3. Right-click on the SQL server on SQL Management Studio and select Properties

4. Select the Connections page

5. Check Allow remote connections to this server and set the Remote query timeout value to 0 (no timeout)

6. Click OK to save changes

Server Memory Options

The minimum and maximum server memory is used to configure the amount of memory, in megabytes to establish upper and lower limits of memory used by the buffer pool on the Microsoft SQL Server. SQL Server Engine starts with only the memory required to initialize. As the workload increases, it keeps acquiring the memory required to support the workload, and never acquires more than the level specified in max server memory. The default setting for min server memory is 0, and the default setting for max server memory is 2147483647 MB.  A general rule of thumb is to leave the operating system 20% of the memory. 

1. Open SQL Management Studio

2. Connect to the ICA database server using SQL Management Studio

3. Right-click on the SQL server on SQL Management Studio and select Properties

4. Select the Memory page

5. Enter the appropriate memory size under Maximum server memory (in MB)

6. Click OK to save changes

Increasing SQL Server Agent Job History Retention

By Default, the history retention for the SQL Server Agent Jobs is only a few days or the last few runs of ALL SQL Server Jobs on the SQL Server.  Depending on server setup, there could be multiple jobs setup.  Each job will be “fighting” for a part of the job history log.  The SQL Agent Job History retention settings are for the SQL Server instance and not specific to any one job. By default, SQL Server Agent Job History is setup to purge all SQL Agent History records once the history log reaches a certain number of rows. Use the following steps to disable the size limit specified by the SQL Server Agent Properties.

1. Open an instance of SQL Server Management Studio (SSMS)

2. Connect to the ICA database server

3. In Object Explorer, expand the database server

4. Right Click on the SQL Server Agent and click on Properties

5. In the SQL Server Agent Properties window, select History

You have the following options:

1. (Not recommended) Limit size of job history log:

• Maximum job history rows per job: specifies how my rows are retained for each job
• Maximum job history log size (in rows): specifies how many rows are retained in the history log

2. (Recommended) Remove Agent History, Older than: specifies a cap on how long the SQL Server Agent Job History is retained.

For more best practice articles on Symantec Information Centric Analytics see the following posts:

• Information Centric Analytics Best Practices - Enabling Email Alerts
• Information Centric Analytics Best Practices - Configuring Organizational Information
• Information Centric Analytics Best Practices - Risk Vectors
• Information Centric Analytics Best Practices - Using the Integration Wizard
• Information Centric Analytics Best Practices - Integration Wizard Troubleshooting
• Information Centric Analytics Best Practices - Risk Optimization

It is recommended that the Symantec Information Centric Analytics Administrator(s) be notified proactively of job failures. Using the default functionality within SQL Server Management Studio, email notifications can be enabled, and an email sent out in the event of any job failures, instead of manually checking the job status (es) daily. Note that Database Mail must be functional in order to enable email notifications.

1. On the SQL Database Server, open SQL Server Management Studio

2. Connect to the Database Engine that hosts ICA

3. Expand SQL Server Agent, Operators

4. Right Click and select New Operator

5. Define Operator Name and Email Name, ensure the Operator is enabled and click OK

6. Expand the Jobs folder, right click on the job to be monitored and select Properties

7. Click Notifications

8. Place a checkmark in E-mail, Select the RF Operator from the first dropdown list, and When the job fails from the second dropdown list, click OK

10. An alert will be received when the job fails.

For more best practice articles on Symantec Information Centric Analytics see the following posts:

• Information Centric Analytics Best Practices - Post Configuration Tasks
• Information Centric Analytics Best Practices - Configuring Organizational Information
• Information Centric Analytics Best Practices - Risk Vectors
• Information Centric Analytics Best Practices - Using the Integration Wizard
• Information Centric Analytics Best Practices - Integration Wizard Troubleshooting
• Information Centric Analytics Best Practices - Risk Optimization

Once Symantec Information Centric Analytics (ICA) is installed and integrated with the various data sources within the environment, there are some additional configurations which should be completed to maximize the capabilities of the tool. While most features in Symantec ICA will be functional automatically simply by importing data, as highlighted in the previous sections, every customer will have different environments and processes that should be accounted for to ensure a successful implementation. This starts with ensuring the organizational data in ICA is updated and accurately reflects the organization hierarchy for the business.

Creating Organizations, Countries, Regions Manually

Once ICA has been installed, you can leverage the same user interface to begin defining the Countries, Regions and Users that you will be used in your implementation.  Alternatively, you can use SQL to populate organizations (see the optional configuration section at the end of this document).

1. Navigate to Admin -> Settings -> Organizations & Regions to review the data stored for Organizations, Regions and Countries. 

2. The region Other cannot be removed via the user interface as the Other region is used to associate Countries that do not have a defined region. 

3. To create a new organization, click on the button New Organization. 

4. When creating a new Organization, you will be required to provide a value for Organization, Abbreviation and Sub Organization.  In this scenario for Organization we provided the value Human Resources, for Abbreviation provide the value for HR and for Sub Organization we provide the value for Payroll. 

5. Once the top-level organization is defined, sub Organizations can be added by right-clicking on the organization and selecting the option Add Sub Organization. 

6. When adding a Sub Organization to an Organization all that is required is to provide a value for Sub Organization.  The Sub Organization will inherent the abbreviation defined for the top-level organization. 

7. After adding Organizations to ICA, the next step in the process will be to create Regions and associate Countries to these Regions.  Click on the New Region button to define a region,

8. When defining a Region, the Region Name and the Abbreviation are required.  In this case we will provide the value North America for the Region creating an abbreviation entitled NAMER to represent North America. 

9. When adding a country to a region, right click on the region and select the option Add Country. 

10. When adding the country, you will be required to provide the country name and abbreviation.  In this case the country will be United States of America and the Abbreviation is USA. 

Creating and Associating Organizations, Countries, Regions through the Integration Wizard

After creating organization and country information via the ICA user interface this information can now be associated to the other entities like Computer Endpoints and Users.  When associating a country to entity you will be required to provide the Country Abbreviation.  Providing the country abbreviation to the entity enables ICA to create and associate Countries to the record being loaded via the Integration Wizard.  

Conversely to associate an Organization to an entity you will need to provide an OrganizationName and OrganizationSubOrgName to the record when loading the data.  Providing this information via the integration wizard will effectively create a relationship between an organization and the entity being loaded via the Integration Wizard.  

There are corner cases where there is a requirement to load bulk Organizations, Regions and Countries.  This can be done via the Integration Wizard

Using the Integration Wizard to Load Organizations, Countries, and Regions

We will now focus our attention loading Organization information via the Integration Wizard using the Organization Entity.  To do this we will need to create a new data source, data source query and an integration mapping to properly configure the Integration Wizard.  This document will guide you through this process.

1. Launch the ICA user interface and Navigate to the Admin menu, under the Admin menu select the Integration Application.

2. After the Integration Application loads, you will need to navigate to the Data Sources tab to create a new data source.  This can be done by clicking on the Create Data Source tab and then selecting the Create Data Source button. 

3. In this scenario we will create a new data source that will establish a connection between the ICA application and the ICA database through the Integration Wizard.  The ICA database was chosen due to the fact that we have staged the Organization, Country and Region information within this database to load this information.    After clicking save you will be re-directed back to the Data Sources tab.

4. After creating the Data Source, right click on the data source and select Create Query.  This will allow you to create and associate the query to the data source created in the previous step.  The Integration Wizard will support the ability to associate many data source queries to a data source.  In order to create the data source query, right click on the data source and select the Create Query option.

5. After defining the data source, you will need to define the data source query to load Organizations.  When defining the data source query, you will need to provide a Query Name, Query Description, the Query Statement and the Table Name.  Note that the table name in this case will be the staging table where the data will be staged prior to moving it into the Organizations table.  Copy the SQL statement into the query statement section of the application. 

• The SQL Statement in this section can be used as an example to load organization information into ICA.  Cast statements are being used to ensure that the data being selected from the staging table is of data type NVARCHAR and aligns with the size of the target column defined within the ICA database.  The cast statement will prevent any data sizing issues within the integration by truncating characters from the string that exceed the character limitation of the source column.  The column name is also aliased to align with the name of the column within the integration mapping, so ICA will automatically map the columns to the correct entity when it is associated to the query. 

SELECT    CAST(Abbreviation AS NVARCHAR(10)) AS OrganizationAbbreviation,

                 CAST(Name AS NVARCHAR(10)) AS OrganizationName,

                 CAST(SubOrgName AS NVARCHAR(10)) AS OrganizationsubOrgName

FROM Stg_Organizations;

• Optionally, after defining the query for the data source query, you can click on the “Test Query” button to test the integrity of the query you have just created.  When clicking “Run” button, the query will be executed, you should see sample results returned from the query to ensure that the query will return results as expected. 

• Once you have the Organization information defined, click on the Watermarking / Scheduling tab.  In this scenario you are not required to define a watermark column or watermark value.  When a Watermark is not defined for an integration, the Integration Wizard will truncate and rebuild the staging table on a nightly basis.  Set the initial Run Date to a date in the past and set the query to run Daily with a value of 1. 

6. Once the query has been created and tested via the user interface, an Integration Wizard Integration Pack will need to be created to associate Import Rules to the Integration.  Once the Import Rules are defined, they will be associated to Import Rule Mappings which effectively defines where the data will reside within ICA.  To create an Integration pack within the Integration Wizard, click the button Create Integration Pack. 

• After clicking the Create Integration Pack button, you will have the opportunity to create the definition of the Integration Pack.  In this case you will need to provide a name and a description for the Integration Pack.  In this case the name will be ‘Foundation Data’ and the Description will be Set as ‘Integration pack created to load Organizations, Regions and Countries’.

7. After creating the Foundation Data Integration pack, we will now define the Import Rule for Organizations.  To create the Import Rule for Organizations, right-click on the ‘Foundation Data’ Integration Pack and click on ‘Create Import Rule’. 

• To define the Import Rule, you will need to provide a name and a description the name description are free-form text fields that can be used define the Import Rule.  In this scenario, the name is defined as ‘Organizations’ and the Description is ‘Import Rule that will be used to load organization data’.  Multiple import rules can be associated to an Integration Pack. 

• To create an Import Rule Mapping, right-click on the Import Rule created in the previous step and Select the option ‘Create Import Rule Mapping. 

• After clicking on the import rule mapping record, you will be required to define the Import Rule Mapping record for the integration.  The key columns here will be Mapping Name, Data Source, Organizations and Entity Type.  The Mapping Name and Description are free-form text fields that are used to describe the import mapping.  When selecting a data source, select the data source ICA or the data source configured in Step 7.   The Entity Type for this mapping will be ‘Organizations’ as the intent is to create Organizations within ICA.  Notice that since we provided alias names that align with the corresponding entity column, ICA will automatically map the query column names to the entity column. 

8. The next step in the process is to create a data source query to load region information.  To do this right click on the Data Source ICA and select Create Query. 

• After selecting the Create Query option, define the query name as ‘Region’, the query description as ‘This query will load Region information into ICA’ and use the query in section B to server as the Query Statement.  It is recommended to define the table name as opposed to allowing ICA to generate this value.  Allowing ICA to randomly assign the table name will make it a little more challenging when it comes to troubleshooting. 

• ​​​​​​​The SQL Statement in this section can be used as an example to load region information into ICA.  Cast statements are being used to ensure that the data being selected from the staging table is of data type NVARCHAR and aligns with the size of the target column defined within the ICA database.  The cast statement will prevent any data sizing issues within the integration by truncating characters from the string that exceed the character limitation of the source column.  The column name is also aliased to align with the name of the column within the integration mapping, so ICA will automatically map the columns to the correct entity when it is associated to the query. 

SELECT DISTINCT

CAST(RegionAbbreviation AS NVARCHAR(10)) AS RegionAbbreviation,

CAST(RegionName AS NVARCHAR(255)) AS RegionName

FROM Stg_CountriesRegions

• Optionally, after defining the query for the data source query, you can click on the “Test Query” button to test the integrity of the query you have just created.  When clicking “Run” button, the query will be executed, you should see sample results returned from the query to ensure that the query will return results as expected. 

• ​​​​​​​Once you have the data source query for Regions defined, click on the Watermarking / Scheduling tab.  In this scenario you are not required to define a watermark column or watermark value.  When a Watermark is not defined for an integration, the Integration Wizard will truncate and rebuild the staging table on a nightly basis.  Set the initial Run Date to a date in the past and set the query to run Daily with a value of 1. 

9. The next step in the process is to add an import rule for Regions to the Foundation Data Integration pack.  This can be done by right-clicking on the Foundation Data integration pack and selecting ‘Create Import Rule’. 

• ​​​​​​​To define the Import Rule, you will need to provide a name and a description the name description are free-form text fields that can be used define the Import Rule.  In this scenario, the name is defined as ‘Regions’ and the Description is ‘This Integration Rule will be used to load Regions into ICA’.  Multiple import rules can be associated to an Integration Pack. 

• ​​​​​​​To create an Import Rule Mapping, right-click on the Import Rule created in the previous step and Select the option ‘Create Import Rule Mapping. 

• ​​​​​​​After clicking on the create import rule mapping record, you will be required to define the Import Rule Mapping record for the integration.  The key columns here will be Mapping Name, Data Source, Query and Entity Type.  The Mapping Name and Description are free-form text fields that are used to describe the import mapping.  When selecting a data source, select the data source ICA.   The Entity Type for this mapping will be ‘Region’ as the intent is to create Regions within ICA.  Notice that since we provided alias names that align with the corresponding entity column, ICA will automatically map the query column names to the entity column. 

10. The next step in the process is to create a data source query to load region information.  To do this right click on the Data Source ICA and select Create Query. 

• After selecting the Create Query option, define the query name as ‘Countries’, the query description as ‘This query will load Country information into ICA’ and use the query in section B to server as the Query Statement.  It is recommended to define the table name as opposed to allowing ICA to generate this value.  Allowing ICA to randomly assign the table name will make it a little more challenging when it comes to troubleshooting. 

• ​​​​​​​The SQL Statement in this section can be used as an example to load region information into ICA.  Cast statements are being used to ensure that the data being selected from the staging table is of data type NVARCHAR and aligns with the size of the target column defined within the ICA database.  The cast statement will prevent any data sizing issues within the integration by truncating characters from the string that exceed the character limitation of the source column.  The column name is also aliased to align with the name of the column within the integration mapping, so ICA will automatically map the columns to the correct entity when it is associated to the query.  ​​​​​​​

Select                  CAST(CountryAbbreviation AS NVARCHAR(10)) AS CountryAbbreviation,

                                CAST(CountryName AS NVARCHAR(255)) AS CountryName,

                                CAST(RegionAbbreviation AS NVARCHAR(10)) AS RegionAbbreviation,

                                CAST(RegionName AS NVARCHAR(255)) AS RegionName

from Stg_CountriesRegions;

• ​​​​​​​Once you have the data source query for Regions defined, click on the Watermarking / Scheduling tab.  In this scenario you are not required to define a watermark column or watermark value.  When a Watermark is not defined for an integration, the Integration Wizard will truncate and rebuild the staging table on a nightly basis.  Set the initial Run Date to a date in the past and set the query to run Daily with a value of 1. 

11. Now that the data source query has been created and defined it is time to begin the process of creating an import rule to load the country data into ICA.  To do this, navigate to the Data Integrations tab, right click on Foundation Data and select Create Import Rule. 

• ​​​​​​​After creating the Import Rule within ICA for Countries, define the name and the description attributes for the integration.  The Name and Description are free-form text fields, in this case for Name use the value ‘Countries’ and for Description, enter the text ‘This Import Rule can be used to load Countries’.

• ​​​​​​​After clicking on the create import rule mapping record, you will be required to define the Import Rule Mapping record for the integration.  The key columns here will be Mapping Name, Data Source, Query and Entity Type.  The Mapping Name and Description are free-form text fields that are used to describe the import mapping.  When selecting a data source, select the data source ICA.   The Entity Type for this mapping will be ‘Countries’ as the intent is to create Countries within ICA.  Notice that since we provided alias names that align with the corresponding entity column, ICA will automatically map the query column names to the entity column. 

12. Now that the configuration is in place to bring in Countries, Regions and Organizations, the ICA nightly processing task will be leveraged to move the data into the ICA tables where the information will reside moving forward.  

For more best practice articles on Symantec Information Centric Analytics see the following posts:

• Information Centric Analytics Best Practices - Post Configuration Tasks
• Information Centric Analytics Best Practices - Enabling Email Alerts
• Information Centric Analytics Best Practices - Risk Vectors
• Information Centric Analytics Best Practices - Using the Integration Wizard
• Information Centric Analytics Best Practices - Integration Wizard Troubleshooting
• Information Centric Analytics Best Practices - Risk Optimization