avast Enterprise Administrator (AEA) managing the avast Endpoint Protection Suite Plus

 


The AEA console is the desired platform when managing 200+ systems. This Enterprise console is one of the most powerful anti-virus management tools in the industry, and does NOT have to be loaded on a server. Supported operating systems include Server 2003, 2008, and 2012 R2, as well as Windows XP, 7, and 8.1. During installation, you are prompted to choose between SQL 2008 R2 Express (to be installed with AEA) and an existing installation of SQL. If you have SQL 2005, 2008 or 2012 on your target system, you can use the same SQL by creating a new instance named “avast”.

NOTE: IT IS PREFERRED TO HAVE SQL FULLY INSTALLED PRIOR TO INSTALLING THE AVAST! ENTERPRISE ADMINISTRATOR (AEA).

If any other version of avast! or another anti-virus is present, these products will need to be removed prior to an avast! deployment. The Endpoint client will require a reboot after installation, so be prepared for this. The avast! AEA console can support tens of thousands of clients. This is achieved through support of multiple avast! Enterprise Administration Servers (AEAS). The AEAS is a mirror of an avast! update server, and each AEAS can manage up to 4000 systems. The AEA console can then manage many AEAS. However, full SQL is required for the “Replication Service” to support multiple AEAS (to support 4000+ clients).

avast! Enterprise Administration console (AEA) installation Guide – http://www.advantage77.com/Files/avast_Quick_Guide_AEA.pdf

Enterprise Administration Console + Client – http://files.avast.com/iavs5x/setup_enterprise_epsp.exe

Enterprise Administration Console User Manual – http://files.avast.com/files/documentation/enterprise-administration-user-guide.pdf

Endpoint Protection Plus Stand Alone Client – http://files.avast.com/iavs5x/setup_av_epsp.exe

1) The very first step is to install and configure the Microsoft SQL Server (SQL 2005, 2008, 2012 or Express). This is one of the “gotchas” when AEA is installed prior to SQL. AEA will install SQL, but will NOT always make the correct settings to validate your SQL, leaving your installation non-functional. So installing SQL prior to installing AEA is preferred.

2) Please make sure the ports listed below are opened in the network on both the client and server side (you can use the GPO to dispatch on all machines, and make sure to reboot the machines for the changes to be applied). Other prerequisites include File & Printer sharing, plus Network Discovery to be enabled. The avast! Enterprise Administration Console uses the following ports:

Service: Port Numbers
Mirror: 16135
Client communication port: 16136
Client communication port, push requests: 16139
SSL communication port console: 16138
UDP information port: 16133
Standard RPC, NETBIOS and SMB TCP ports for remote deployment: 135, 139, 445
Standard NETBIOS UDP ports for remote deployment: 137, 138

When installing the Enterprise Administration Console please make sure to have SQL pre-installed, and do not rely on the auto installer in the AEA console installer. Later, in your “CUSTOM” installation, you can select and connect the AEA to your SQL (best practice).

3) Do a discovery task to find all the machines
4) Create the avast! default configuration for the domain
5) Create and modify user groups for best practice defaults:
Under “File System” Shield settings, choose Sensitivity: set the “Heuristics sensitivity” to high, and enable “Scan for potentially unwanted programs”.
Under “Mail” Shield settings, choose Sensitivity: set the “Heuristics sensitivity” to high, and enable “Scan for potentially unwanted programs”.
Under “Web” Shield settings, choose Sensitivity: set the “Heuristics sensitivity” to high, and enable “Scan for potentially unwanted programs”.
Cloud services should be enabled for the best protection.
6) Create a deployment package for each type of system deployment: Desktop, Server, Sharepoint, Exchange, Terminal Server, etc.

File Servers

For servers, I recommend modifying the components of the deployment package (create a light installation package for server OSes) so that it consists of the File System Shield only. This is usually the only real protection required for file servers and this is an industry standard best practice. This assumes that the File Server is not being used as a workstation. NOTE: DO NOT use the Network Shield on servers.

SharePoint servers should add the SharePoint shield in addition to the File System Shield. Add the email server protection (Exchange plug-in) if you want to have avast! anti-virus protect the Exchange server Mail store. Each server type will require its own server group, separate from the managed client group. If the server will go online, then it is best to include the File System Shield, as well as the Web Shield, Behavioral Shield, and Script Shield.

Terminal Server protection is best tailored to the function of the clients. At one site, the users remotely access the SQL server, so here only the File System Shield would be required. However, I have a site that uses thin clients. All email and browsing are performed through the Terminal Server. Proper protection will now include File System Shield, Mail Shield, Web Shield, Behavioral Shield, and Script Shield.

avast! anti-spam plug-ins

I prefer the anti-spam at the Outlook level instead of the Exchange server level (both are included). End users are truly the only ones that know what is solicited and unsolicited email (spam). This way users can see for themselves what they are not receiving, by the contents of their Junk Mail folder, and can adjust accordingly. Please see the article below on “How to properly use the avast! Anti-Spam Filter for Outlook”.

http://www.advantage77.com/2012/12/06/how-to-properly-use-the-avast-antispam-filter-for-outlook/  

Workstations

For desktop installation, I recommend removing all the server protection modules from the deployment components, so they are not installed on the client. Note: When creating an installation package please be sure to select the server name / address in the installation package for the clients to communicate with the console after deployment. It is best to have the system hosting the AEA console use a fixed IP rather than a DNS name. This will eliminate DNS issues during deployment (there are always DNS issues).

7) Start deploying in groups of 10-20 machines at a time, and make sure to enable the “Reboot the machine” option in the deployment task settings. **Important** – Before sending out an installation please be sure the mirror is up to date, which you can check by going to the View tab in the console and checking the mirror status. Once it’s up to date you can send out the installation.
8) After you send out an installation you may receive an error code 0x00000005, which usually means access denied. This can occur when clients haven’t been rebooted after the initial installation. Reboot the clients and then refresh the Console. Also be sure to use the network administrative password or a password with full administrative rights to push the client through the network.
9) If you find that when you deploy, some of your clients’ licenses change or remain in trial mode, please check to be sure you’re not over your license count, in which case you will have a “KEY” icon over the PC. Please note the total sum of your license count is Computers with Agent + Computers without Agent = License Count. If you have ghost clients in the Active Directory, they will need to be deleted from the Active Directory. If you find that you have more Active Directory listings than your current license, please contact J.R. @ 520-290-0595 for a remedy.
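
A reachability check for the TCP ports listed in step 2, to run before pushing a batch in step 7. This is an added example, not part of the original guide or of any avast tooling; the function names `Test-TcpPort` and `Test-AeaPorts`, the placeholder addresses, and the assumption about which side listens on each port are hypothetical.

```powershell
# Added example (not from the original guide or avast tooling).
# Ports come from step 2; addresses are constructed placeholders (TEST-NET-1).
# Assumptions: ports not marked UDP in step 2 are TCP; the AEA service ports
# listen on the console host; RPC/NETBIOS/SMB listen on the clients.
$PortSets = @{
    Server = @(
        @{ Port = 16135; Purpose = 'Mirror' },
        @{ Port = 16136; Purpose = 'Client communication' },
        @{ Port = 16139; Purpose = 'Client communication, push requests' },
        @{ Port = 16138; Purpose = 'SSL communication, console' }
    )
    Client = @(
        @{ Port = 135; Purpose = 'RPC' },
        @{ Port = 139; Purpose = 'NETBIOS' },
        @{ Port = 445; Purpose = 'SMB' }
    )
}
# UDP 16133, 137 and 138 are not probed: UDP is connectionless, so a connect
# test cannot confirm them. Review those in the firewall policy itself.

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-AeaPorts {
    param([string]$Target, [ValidateSet('Server', 'Client')][string]$PortSet)
    foreach ($entry in $PortSets[$PortSet]) {
        New-Object PSObject -Property @{
            Target = $Target; Port = $entry.Port; Purpose = $entry.Purpose
            Open   = (Test-TcpPort $Target $entry.Port)
        }
    }
}

# On a client, check the console host:  Test-AeaPorts -Target '192.0.2.10' -PortSet Server
# On the console host, check each machine in the next deployment batch:
$batch = @('192.0.2.21', '192.0.2.22')
$batch | ForEach-Object { Test-AeaPorts -Target $_ -PortSet Client } |
    Select-Object Target, Port, Purpose, Open | Format-Table -AutoSize
```

A port reported as closed can mean either a firewall block or that the listening service is not running, so check both before retrying the deployment.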

The DEFAULT PASSWORD for the EA Console is ADMIN. This of course can be changed after installing.

WORKGROUP VS DOMAIN (ACTIVE DIRECTORY).

A. If using Active Directory you can easily create an installation package to push the client remotely through the network with the network administrator password and in the Deploying Group.

B. If using a Workgroup you can only deploy remotely with the EA Console to one computer at a time. You will need to use the local administrative password to have rights to push the deployment. We recommend creating the installation package manually and sending it via email to each client, or installing it separately via USB flash disk (manually installing it on each client). Only once the client has been installed will it be detected in the Enterprise Console.

NOTE: It is a requirement to reboot all systems after Deployment, to finalize installation / protection. I have seen systems reboot on their own even when selecting the option to reboot later, so plan accordingly!

Sincerely,
J.R.  Guthrie
President
Advantage Micro Corporation
520-290-0595
jr@advantage77.com
“At this point in time, the Internet should be regarded as an Enemy Weapons System!”      

 
