Knowledge Base Articles
Symantec Endpoint Protection Installation Procedure on DeltaV Workstations
Article ID: AP-0800-0025
Publish Date: 26 Aug 2022
Article Status: Approved
Article Type: General Product Technical Information
Required Action: Information Only
Recent Article Revision History:
Revision/Publish Description of Revision
26 Aug 2022 Reviewed and determined applicable to DeltaV v13.3.2 and v14.FP3. Updated document
format.
(See end of article for a complete revision history listing.)
Affected Products:
Product Line   Category               Device                      Version
DeltaV         Upgrade                Offline Upgrade Service
DeltaV         Upgrade                Online Upgrade Service
DeltaV         Workstation Software   VE210x DeltaV Workstation   v9.3.1, v10.3.x, v11.3.x, v12.3.x, v13.3.x, v14.x
1 Introduction
This Knowledge Base Article, AP-0800-0025, documents the procedure for installing the Symantec Endpoint Protection
(SEP) client on a DeltaV workstation in UNMANAGED mode. A custom installation is required to remove certain SEP
features that have been found to interfere with DeltaV communications.
SEP v14.3 supersedes SEP 12.1, 4.0, 14.2 MP1, 14.2 RU1 MP1, 14.2 RU2, and 14.2 RU2 MP1. Emerson Automation
Solutions has tested SEP v14.3 with DeltaV v13.3.1 and v14.x in UNMANAGED mode.
SEP v14.3 has also been tested in MANAGED mode with DeltaV v13.3.1 and v14.x. MANAGED mode deployment of
Symantec Endpoint Protection is not part of the standard Foundation/Guardian Support. Inquiries related to Symantec
Endpoint Protection Manager (SEPM), Symantec Live Update Administrator (LUA), Updated SEPM Policies, and other
SEP MANAGED mode implementation components are covered through Automated Patch Management Services
engineered solutions which may include customized evaluation, detailed design, and implementation services.
Customers who would like to avail of Automated Patch Management services should contact their Emerson Impact
Partner/FSO for consultation.
Note: As per XPHelp.chm (Windows XP and Server 2003 Installation Instructions for DeltaV), install the
antivirus software on the computer before connecting it to the network. With only the operating system
installed, the computer will be vulnerable to viruses and known security issues.
Any Microsoft security updates that are approved at the time of release are installed as part of the DeltaV
installation. New Microsoft security updates are evaluated and, if approved, posted as an Emerson
Knowledge Base Article.
For information on compatibility and known issues between Symantec Antivirus and DeltaV, refer to KBA AP-0400-0004:
Recommended Symantec Antivirus for DeltaV Workstations.
Note: Emerson recommends installing the latest DeltaV compatible Symantec Antivirus version with active
Symantec lifecycle support status and updated virus definition to ensure continuous protection against
malware and virus threats. Contact Symantec for product lifecycle status information.
2 Installation Procedure
The installation procedure for SEP v12.1 in UNMANAGED mode is available at the bottom of this document.
Warning: Attempting to install and use SEP without following this installation procedure will block critical
DeltaV communications on which your process control network and application software may be dependent.
To install the SEP v14.x UNMANAGED mode client on a DeltaV workstation, perform the following steps:
1. Insert the SEP v14.x installation CD.
2. Navigate through the installation disc folders, and then select the appropriate folder.
• Use the SEP folder for 32-bit operating systems.
• Use the SEPx64 folder for 64-bit operating systems.
3. Launch Setup.exe to open the autorun application.
4. Click Next on the Welcome page.
5. Accept the license agreement, and then click Next.
6. Select Custom for the Setup Type. Click Next.
Note: Selecting Typical setup mode will cause SEP to break DeltaV communications.
Figure 2-1: Custom Setup Type
Note: In later releases of Symantec v14.x, the Installation Type page may appear. Select Dark network
client for the Installation Type, and then click Next.
Figure 2-2: Dark Network Client Installation Type
7. Disable program features and sub-features on the Custom Setup page.
a. Click the down arrow on the icon to the left of each feature and choose not to install the features and
sub-features as noted below:
   • Core Files (Install this feature)
      ▪ Virus, Spyware, and Basic Download (Install this feature)
         o Advanced Download Protection (Do not install this sub-feature)
         o Outlook Scanner (Do not install this sub-feature)
         o Notes Scanner (Do not install this sub-feature)
         o POP3/SMTP Scanner (Do not install this sub-feature which may be available when installing later releases of Symantec v14.x)
      ▪ Proactive Threat Protection (Do not install this feature)
      ▪ Network and Host Exploit Mitigation (Do not install this feature)
      ▪ Application Hardening (Do not install this feature which may be available when installing later releases of Symantec v14.x)
      ▪ Threat Defense for Active Directory (Do not install this feature which may be available when installing later releases of Symantec v14.x)
b. An X should appear beside the icon of each feature and sub-feature that is not to be installed. Click Next.
8. In the Protection Options page, clear Run LiveUpdate, and then click Next to continue.
Figure 2-3: Run LiveUpdate cleared in Protection Options
Note: Installation may present the option “Disable Windows Defender”. Leave its default setting selected.
Figure 2-4: Disable Windows Defender selected
Note: Installing SEP v14.0 RU1 on Windows 7 and Windows 10 will not display the Protection Options page.
9. Clear the File Reputation Data Submission option. Click Next.
10. Make sure the check box for Data Collection – Installation Options is not selected.
Click Install and wait for the installation to finish.
11. Click Finish to close the wizard.
12. Open Symantec Endpoint Protection from Start | Programs. Click Change settings on the left pane.
Figure 2-5: Change Settings
13. Click the Configure Settings button for Virus and Spyware Protection.
14. Click the Auto-Protect tab.
Figure 2-6: Auto-Protect Tab
Set the following:
a. Click the Actions button. It is recommended that the First action be left at the default setting of “Clean risk”
followed by “Quarantine risk” (also the default) if the first action fails.
b. Click the Notifications button. It is recommended to display a notification message when a security risk is
detected.
c. Click the Advanced button. In the Scan files when section, click the radio button Scan when a file is
modified.
Important: Scheduled scans, if configured, should be set to not run when the DeltaV workstation is being
used to control a live process. It is recommended that DeltaV applications, such as DeltaV Operate, be
closed before the scheduled scan starts.
The following recommendations should be taken into account for a Remote Client Server running Remote
Desktop Services (RDS) or Terminal Services in Windows Server 2008 and earlier:
• AntiVirus and AntiSpyware Protection
   Configure Auto-Protect to:
   o Scan when a file is modified
   o Disable network scanning
• Centralized Exceptions
   o Exclude the pagefile
   o Exclude the print spooler folder
   o If the server is a license server, exclude the license server folder and databases
• Scheduled Scans
   o If a scheduled scan is required, then it should be run during low-usage hours in order to minimize user impact.
   o In addition, ActiveScans of new definitions and startup scans should not be scheduled during high-usage hours as they could place an unnecessary load on the terminal server.
For detailed instructions, please refer to:
https://gsuds.emerson.com/pickup/PSG/symantec_ts.pdf (Size: 418 KB)
Checksum: 6E6A273FB09B7195E654F820FFA00B738D448800C2BB35089C73396C2F78E2BF
For the latest version of this document, go to the Symantec article.
15. Go back to the Change Settings page, and then click the Configure Settings button for Client Management.
16. Go to the LiveUpdate tab. Clear the box for Enable automatic updates.
17. Go to the Submissions tab. Clear the boxes for Send anonymous data to Symantec to receive enhanced
threat protection intelligence. Click OK.
18. Install the latest virus definitions. Virus definitions are updated regularly and can be downloaded from the Virus
Definitions website.
• If running on a 32-bit operating system, download the executable file found under “Symantec Endpoint
Protection Client Installations on Windows Platforms (32-bit) (SEP 14.0 and later Dark-Network Client only)”
• If running on a 64-bit operating system, download the executable file found under “Symantec Endpoint
Protection Client Installations on Windows Platforms (64-bit) (SEP 14.0 to 14.2 RU2 MP1 Dark-Network Client
only)”
19. After DeltaV has been installed, perform this step to configure the SEP “Centralized Exceptions”.
Certain DeltaV files are updated frequently and could become very large. It is recommended that DeltaV folders
be excluded from being scanned to prevent SEP from consuming too many workstation resources.
These folders include:
• C:\DeltaV
• D:\DeltaV
• D:\DeltaVHistory
• D:\DVBatchHistory
• D:\DeltaVHistorianData
• C:\MSSQL2K
• D:\MSSQL2K
• PI folder (when applicable)
The following files should also be excluded in Symantec v12.1.1 and earlier:
• C:\pagefile.sys
• D:\pagefile.sys
Note: An error “You specified a file that does not exist” may be encountered when adding the pagefile.sys
in the SEP “Centralized Exceptions” in Symantec v12.1.3 and later. Symantec Knowledge Base Article
TECH100183 indicates Symantec AntiVirus does not scan the Windows pagefile for viruses. The
pagefile.sys files are protected operating system files. To view these files, go to the Folder Options in
Windows File Explorer and temporarily deselect ‘Hide protected operating system files
(Recommended)’.
For DeltaV v14.x, it is also recommended that the following DeltaV folders be excluded in addition to the above:
• ProgramData
   o Default: %ProgramData%\Emerson (typically C:\ProgramData\Emerson)
   o If DVData is not in default (C:) location, the ProgramData directory is located alongside DVData: e.g. D:\DVData --> D:\ProgramData\Emerson
• C:\Program Files (x86)\Emerson\DeltaV
If Complementary Software is installed, add the following directories to be excluded from being scanned:
Complementary Software / Directory

AMS
   AMS Server Plus and Client SC
   ▪ C:\AMS
   ▪ D:\AMS

System Health Monitoring (SHM)
   SHM Server and Client
   ▪ C:\azeti
   ▪ D:\azeti

Backup and Recovery
   Acronis Management Server (non-DeltaV)
   ▪ SQL Server databases
      Either
      o acronis_cms_cards.mdf
      o acronis_cms_cards.ldf
      o acronis_cms_logs.mdf
      o acronis_cms_logs.ldf
      OR (entire default directory)
      o C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Data
   ▪ SQLite Databases
      Either
      o dml_objects.db3
      OR
      o C:\ProgramData\Acronis\AMS
   ▪ Storage Node SQLite database
      Either
      o asn_dml_objects.db3
      OR
      o C:\ProgramData\Acronis\BackupAndRecovery\ASN\DmlDatabase
   ▪ Vaults
      o Root level of vault on local hard disk (host local storage)
   Acronis Client machine
   ▪ Agent Local SQLite database … name varies with machine’s Acronis ID/GUID so directory level exclusion more practical
      Either
      o C:\ProgramData\Acronis\BackupAndRecovery\ASN\DmlDatabase
      OR
      o Exclude only *.db3 files in directory above

Patch Management
   Patch Management WSUS Server (non-DeltaV)
   ▪ C:\WSUS
   ▪ D:\WSUS
Table 2-1: Installed Complementary Software Directories added
To make this change:
a. Go to the Change Settings page, and then click the Configure Settings button for Exceptions.
b. From the new page, click Add… | Security Risk Exception | Folder. Browse for the folders listed above to
include them in the exception list.
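The folder list from step 19 as a read-only check, added here as an example and not part of the Emerson article: it reports which of the listed folders exist on the workstation, so that only those are browsed to in the Exceptions dialog, and applies the v14.x rule for locating ProgramData\Emerson. The function name and the DVDataPath parameter are assumptions; the PI folder and the complementary software directories are site-specific and are not included.

```powershell
# Added example, not Emerson or Symantec code.
# Read-only: it tests whether folders exist and never touches SEP settings.
function Get-DeltaVExclusionCandidate {
    param(
        # Assumed parameter: where DVData lives on this workstation.
        [string]$DVDataPath = 'C:\DVData',
        # Set this switch on DeltaV v14.x workstations.
        [switch]$DeltaV14
    )

    # Folders listed in step 19 for all DeltaV versions.
    $folders = @(
        'C:\DeltaV', 'D:\DeltaV', 'D:\DeltaVHistory', 'D:\DVBatchHistory',
        'D:\DeltaVHistorianData', 'C:\MSSQL2K', 'D:\MSSQL2K'
    )

    if ($DeltaV14) {
        $dvData = $DVDataPath.TrimEnd('\')
        if ([System.IO.Path]::GetPathRoot($dvData) -ieq 'C:\') {
            # Default location: %ProgramData%\Emerson
            $folders += [System.IO.Path]::Combine($env:ProgramData, 'Emerson')
        } else {
            # Non-default: ProgramData sits alongside DVData
            # (D:\DVData --> D:\ProgramData\Emerson)
            $parent = [System.IO.Path]::GetDirectoryName($dvData)
            $folders += [System.IO.Path]::Combine($parent, 'ProgramData\Emerson')
        }
        $folders += 'C:\Program Files (x86)\Emerson\DeltaV'
    }

    foreach ($folder in $folders) {
        [pscustomobject]@{
            Folder = $folder
            Exists = Test-Path -LiteralPath $folder -PathType Container
        }
    }
}

# Example call: v14.x workstation with DVData on D:
Get-DeltaVExclusionCandidate -DVDataPath 'D:\DVData' -DeltaV14 |
    Sort-Object Exists -Descending |
    Format-Table -AutoSize
```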
For the installation procedure of SEP v12.1 in UNMANAGED mode, download the PDF file from the following link:
https://gsuds.emerson.com/pickup/PSG/SEP_v12_Installation_Procedure_05022017.pdf (Size: 438 KB)
Contact Information
Services are delivered through the Emerson global services network. To contact your Emerson local service provider,
click Contact Us. To contact the Global Service Center (GSC), click Technical Support.
Related products and services: DeltaV DCS | Lifecycle Services
Complete Article Revision History:
Revision/Publish Description of Revision
26 Aug 2022 Reviewed and determined applicable to DeltaV v13.3.2 and v14.FP3. Updated document
format.
27 Sep 2021 Updated Section 1 about information on inquiries regarding SEP Managed mode
implementation components.
21 Sep 2021 Reviewed and determined applicable for DeltaV v14.FP2
17 Nov 2020 Indicated the Dark-Network Client definitions on Section 2-18
14 Sep 2020 Reviewed and determined applicable to DeltaV v14.FP1
26 Jun 2020 Updated to reflect SEP 14.3 as the latest tested version. Determined installation instruction
is the same.
01 Oct 2019 Reviewed and determined applicable for DeltaV v14.3.1
18 Sep 2019 Updated Step 7.
21 Jan 2019 Updated the content to indicate that SEP v14.2 MP1 supersedes SEP 12.1 and 14.0 and
added compatibility with DeltaV v11.3.2
24 Sep 2018 Updated the link for latest virus definition
14 Sep 2018 Updated notes regarding the latest SEP version compatible with DeltaV v11.3.1, v12.3.1, and
v13.3.1
19 Jun 2018 Added complementary software directories to be added in SEP “Centralized Exceptions” in
Step 19. Reviewed and determined applicable for DeltaV v14.3
11 Apr 2018 Removed AppData directories in SEP “Centralized Exceptions” in Step 19.
19 Mar 2018 Added additional directories in v14.3 to be excluded from being scanned in Step 19.
15 Dec 2017 Updated notes regarding screenshot changes when installing SEP v14.0 RU1.
22 Aug 2017 Corrected the link to the Symantec website for the latest virus definitions for SEP v14, and
corrected the link to the Symantec website in the PDF file for SEP v12.1.
04 May 2017 Reflected the installation procedure for SEP v14.0 and retained installation procedure for
SEP v12.1 on a PDF file.
29 Mar 2017 Included DeltaV v13.3.1 in the list of supported versions.
05 Dec 2016 Reviewed and determined applicable for DeltaV v13.3.1.
07 Apr 2016 Minor modifications to installation procedure
27 Jan 2016 Minor modifications for compatibility to later versions of Symantec.
08 Sep 2015 Added checksum code.
02 Sep 2015 Updated the installation procedure to be applicable with Symantec 12.1 (RU6 MP1a).
Included DeltaV v13.3 in the list of supported versions. Included screenshots from a
Windows 7 installation.
02 Mar 2015 Reflected the installation procedure for SEP v12.1 only
16 May 2014 Included DeltaV v12.3.1 in the list of supported versions.
27 Sep 2013 Added DeltaV version 12.3
18 Jan 2013 Added configuration needed for terminal servers and revised Symantec versions affected.
23 Jan 2012 Added information about Symantec Endpoint Protection 12.1 and its installation procedure.
18 Nov 2011 Added information about RU6 MP2 and RU6 MP3 on step 8, and additional snapshot on step
11 when installing RU6a, RU6 MP1, RU6 MP2 and RU6 MP3.
11 May 2011 Added v11.3.1 in the versions where SEP was tested in Managed mode.
14 Apr 2011 Added v11.3.1 in the tested DeltaV versions.
13 Jan 2011 Added Note obtained from XPHelp.chm; added link to KBA AP-0400-0004; added
screenshot for step 4; modified steps 7, 8, 11, and 14; and added steps 10, 11.b, and 12
12 Nov 2010 Updated the introductory paragraphs to include support for managed mode on DeltaV
v9.3.1, v10.3.1, and v11.3 only.
20 Jul 2010 Included DeltaV v11.3 in the list of supported versions.
20 Nov 2009 Added D:\DeltaVHistorianData to the list of folders to be excluded from the virus scan.
06 Apr 2009 Added additional SEP features to be disabled during installation, and added steps to
configure "Centralized Exceptions" and "File System Auto-Protect" options.
29 Dec 2008 Updated the navigation instructions to locate the latest virus definition for SEP from
Symantec's website.
19 Dec 2008 Added a step to select 'Unmanaged client' as the Client Type after step 3.
20 Oct 2008 Included DeltaV v10.3 in the list of supported versions.
03 Jul 2008 Included DeltaV v9.3.1 in the list of supported versions.
26 Mar 2008 Original release of article
©Emerson Automation Solutions 2009-2022. All rights reserved. For Emerson Automation Solutions trademarks and service marks, click this link to
see trademarks. All other marks are properties of their respective owners. The contents of this publication are presented for informational purposes
only, and while diligent effort has been made to ensure their accuracy, they are not to be construed as warrantees or guarantees, express or implied,
regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are
available on request. We reserve the right to modify or improve the design or specification of such products at any time without notice.