Knowledge Base Article

Symantec Endpoint Protection Installation Procedure on DeltaV Workstations

Article ID: AP-0800-0025

Publish Date: 04 May 2017
Article Status: Approved
Article Type: General Product Technical Information
Required Action: Information Only

Recent Article Revision History:

Revision/Publish Description of Revision
04 May 2017 Reflected the installation procedure for SEP v14.0 and retained installation procedure for
SEP v12.1 on a PDF file.
(See end of article for a complete revision history listing.)

Affected Products:
Product Line Category Device Version
DeltaV Upgrade Offline Upgrade
DeltaV Upgrade Online Upgrade
DeltaV Workstation Software VE210x DeltaV Workstation v9.3.1,
v10.3.x,
v11.3.x
v12.3.x,
v13.3.x
This Knowledge Base Article, AP-0800-0025, documents the procedure for installing the SEP client on a DeltaV
workstation in UNMANAGED mode. A custom installation is required to remove certain SEP features that have been
found to interfere with DeltaV communications.
Symantec Endpoint Protection (SEP) 14.0 supersedes Symantec Endpoint Protection (SEP) 12.1. Emerson Automation
Solutions has tested SEP 14.0 with DeltaV v11.3, v11.3.1, v12.3, v12.3.1, v13.3, and v13.3.1 in UNMANAGED mode.
It has also been tested in MANAGED mode with DeltaV v11.3, v11.3.1, v12.3, v12.3.1, v13.3, and v13.3.1. MANAGED
mode deployment of Symantec Endpoint Protection is not part of the standard Foundation/Guardian Support. Customers
who would like to implement Patch Management should contact their Emerson local business partner for consultation.

Note: As per XPHelp.chm (Windows XP and Server 2003 Installation Instructions for DeltaV), install the
antivirus software on the computer before connecting it to the network . With only the operating system
installed, the computer will be vulnerable to viruses and k nown security issues.
Any Microsoft security updates that are approved at the time of release are installed as part of the DeltaV
installation. New Microsoft security updates are evaluated and, if approved, posted as an Emerson
Knowledge Base Article.

For information on compatibility and known issues between Symantec Antivirus and DeltaV, refer to KBA AP-0400-0004:
Recommended Antivirus and Installation Procedure for DeltaV Work stations .

Note: Emerson recommends installing the latest DeltaV compatible Symantec Antivirus version with active
Symantec lifecycle support status and updated virus definition to ensure continuous protection against
malware and virus threats. Contact Symantec for product lifecycle status information.

1 Installation Procedure
To install SEP v14.0 UNMANAGED mode client on a DeltaV workstation, perform the following steps:
Installation procedure for SEP v12.1 in Unmanaged mode is available at the bottom of this document.

Warning: Attempting to install and use SEP without following this ins tallation procedure will block critical
DeltaV communications on which your process control network and application software may be dependent.

1. Insert the SEP v14.0 installation CD.

2. Navigate through the installation disc folders, and then select the appropriate folder.
 Use the SEP folder for 32-bit operating systems.
 Use the SEPx64 folder for 64-bit operating systems.
3. Launch Setup.exe to open the autorun application.
4. Click Next on the Welcome page.
5. Accept the license agreement, and then click Next.
6. Select Custom for the Setup Type. Click Next.

Note: Selecting Typical setup mode will cause SEP to break DeltaV communications.

Note: In later releases of Symantec v14.0, the Installation Type page may appear. Select Dark network
client for the Installation Type, and then click Next.
7. Disable the program features and sub-features on the Custom Setup page.
a. Click on the small arrow to the left of the following:
 Advanced Download Protection
 Outlook Scanner
 Notes Scanner
 Proactive Threat Protection
 Network and Host Exploit Mitigation
b. Choose not to install these features. You should see an X beside these items. Click Next.
 Note: Installing on Windows 7 and Windows 10 will present the additional option POP3/SMTP Scanner. Do
not install this feature. You should see an X beside it as well.

8. In the Protection Options page, clear Run LiveUpdate, and then click Next to continue.
 Note: Installing on Windows 7 will present the option “Disable Windows Defender”. Leave its default setting
selected.

9. Clear the File Reputation Data Submission option. Click Next.

10. Make sure the check box for Data Collection – Installation Options is not selected.
Click Install and wait for the installation to finish.
11. Click Finish to close the wizard.
12. Open Symantec Endpoint Protection from Start | Programs. Click Change settings on the left pane.

13. Click the Configure Settings button for Virus and Spyware Protection.
14. Click the Auto-Protect tab.
 Set the following:
a. Click the Actions button. It is recommended that the First action be left at the default setting of “Clean risk”
followed by “Quarantine risk” (also the default) if the first action fails.
b. Click the Notifications button. It is recommended to display a notification message when a security risk is
detected.
c. Click the Advanced button. In the Scan files when section, click the radio button Scan when a file is
modified.

Important: Scheduled scans, if configured, should be set to not run when the DeltaV work station is being
used to control a live process. It is recommended that DeltaV applications, such as DeltaV Operate, be
closed before the scheduled scan starts.

The following recommendations should be taken into account for a Remote Client Server running Remote
Desktop Services (RDS) or Terminal Services in Windows Server 2008 and earlier:
 AntiVirus and AntiSpyware Protection
Configure Auto-Protect to:
o Scan when a file is modified
o Disable network scanning
  Centralized Exceptions
o Exclude the pagefile
o Exclude the print spooler folder
o If the server is a license server, exclude the license server folder and databases
 Scheduled Scans
o If a scheduled scan is required, then it should be run during low-usage hours in order to minimize
user impact.
o In addition, ActiveScans of new definitions and startup scans should not be scheduled during high-
usage hours as they could place an unnecessary load on the terminal server.
For detailed instructions, please refer to:
https://gsuds.emersonprocess.com/pickup/PSG/symantec_ts.pdf: (Size: 418 KB)
Checksum: 6E6A273FB09B7195E654F820FFA00B 738D448800C2BB35089C73396C2F78E 2BF
For the latest version of this document, go to Symantec article
https://support.symantec.com/en_US/article.TECH91070.html.
15. Go back to the Change Settings page, and then click the Configure Settings button for Client Management.
16. Go to the LiveUpdate tab. Clear the box for Enable automatic updates.
17. Go to the Submissions tab. Clear the boxes for Send anonymous data to Symantec to receive enhanced
threat protection intelligence. Click OK.
18. Install the latest virus definition. Virus definitions are updated regularly and can be downloaded from Symantec’s
website.
 If running on a 32-bit operating system, download the v5i32 executable file found under “Symantec
Endpoint Protection Client Installations on Windows Platforms (32-bit)”.
 If running on a 64-bit operating system, download the v5i64 executable file found under “Symantec
Endpoint Protection Client Installations on Windows Platforms (64-bit)”.
19. After DeltaV has been installed, perform this step on configuring SEP “Centralized Exceptions”.
Certain DeltaV files are updated frequently and could become very large. It is recommended that DeltaV folders
be excluded from being scanned to prevent SEP from consuming too much workstation resources.
These folders include:
 C:\DeltaV
 D:\DeltaV
 D:\DeltaVHistory
 D:\DVBatchHistory
 D:\DeltaVHistorianData
 PI folder (when applicable)
To make this change:
a. Go to the Change Settings page, and then click the Configure Settings button for Exceptions.
b. From the new page, click Add… | Security Risk Exception | Folder. Browse for the DeltaV folders listed
above to include these in the exception list.
For the installation procedure of SEP v12.1 in UNMANAGED mode, download the pdf file from the following link:
https://gsuds.emersonprocess.com/pickup/PSG/SEP_v12_Installation_Procedure_05022017.pdf (Size: 438 KB)

Contact Information
Services are delivered through our global services network. To contact your Emerson local service provider, click Contact
Us. To contact the Global Service Center, click Technical Support.

Download the Sigcheck tool: Click This Link

To get information on how to use the Sigcheck tool: Click This Link

Complete Article Revision History:

Revision/Publish Description of Revision
04 May 2017 Reflected the installation procedure for SEP v14.0 and retained installation procedure for
SEP v12.1 on a PDF file.
29 Mar 2017 Included DeltaV v13.3.1 in the list of supported versions.
05 Dec 2016 Reviewed and determined applicable for DeltaV v13.3.1.
07 Apr 2016 Minor modifications to installation procedure
27 Jan 2016 Minor modifications for compatibility to later versions of Symantec.
08 Sep 2015 Added checksum code.
02 Sep 2015 Updated the installation procedure to be applicable with Symantec 12.1 (RU6 MP1a).
Included DeltaV v13.3 in the list of supported versions. Included screenshots from a
Windows 7 installation.
02 Mar 2015 Reflected the installation procedure for SEP v12.1 only
16 May 2014 Included DeltaV v12.3.1 in the list of supported versions.
27 Sep 2013 Added DeltaV version 12.3
18 Jan 2013 Added configuration needed for terminal servers and revised Symantec versions affected.
23 Jan 2012 Added information about Symantec Endpoint Protection 12.1 and its installation procedure.
18 Nov 2011 Added information about RU6 MP2 and RU6 MP3 on step 8, and additional snapshot on step
11 when installing RU6a, RU6 MP1, RU6 MP2 and RU6 MP3.
11 May 2011 Added v11.3.1 in the versions where SEP was tested in Managed mode.
14 Apr 2011 Added v11.3.1 in the tested DeltaV versions.
13 Jan 2011 Added Note obtained from XPHelp.chm; added link to KBA AP-0400-0004; added
screenshot for step 4; modified steps 7, 8, 11, and 14; and added steps 10, 11.b, and 12
12 Nov 2010 Updated the introductory paragraphs to include support for managed mode on DeltaV
v9.3.1, v10.3.1, and v11.3 only.
20 Jul 2010 Included DeltaV v11.3 in the list of supported versions.
20 Nov 2009 Added D:\DeltaVHistorianData to the list of folders to be excluded from the virus scan.
06 Apr 2009 Added additional SEP features to be disabled during installation, and added steps to
configure "Centralized Exceptions" and "File System Auto-Protect" options.
29 Dec 2008 Updated the navigation instructions to locate the latest virus definition for SEP from
Symantec's website.
19 Dec 2008 Added a step to select 'Unmanaged client' as the Client Type after step 3.
20 Oct 2008 Included DeltaV v10.3 in the list of supported versions.
03 Jul 2008 Included DeltaV v9.3.1 in the list of supported versions.
26 Mar 2008 Original release of article

©Emerson Automation Solutions 2009-2017. All rights reserved. For Emerson Automation Solutions trademarks and service marks, click this link to
see trademarks. All other marks are properties of their respective owners. The contents of this publication are presented for informational p urposes
only, and while every effort has been made to ensure their accuracy, they are not to be construed as warrantees or guarantees, express or implied,
regarding the products or services described herein or their use or applicability. All sales are governed by our terms and co nditions, which are
available on request. We reserve the right to modify or improve the design or specification of such products at any time without notice.
View Emerson Products and Services: Click This Link