Installation and Administration Guide SEP12.1.5
Symantec Endpoint Protection 12.1.5 Installation and Administration Guide

Symantec Endpoint Protection Installation and Administration Guide
Product version 12.1.5
Documentation version: 1
This document was last updated on: September 26, 2014
Legal Notice
Copyright 2014 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo, Altiris, LiveUpdate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec's support offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our website at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes

Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
[email protected]  Asia-Pacific and Japan
[email protected]  Europe, Middle-East, and Africa
[email protected]  North America and Latin America
Contents

Technical Support .......... 4

Chapter 1 Introducing Symantec Endpoint Protection .......... 29
  What is Symantec Endpoint Protection? .......... 29
  What's new in Symantec Endpoint Protection 12.1.5 .......... 30
  How Symantec Endpoint Protection uses layers to protect computers .......... 34
  How does Symantec Endpoint Protection enforce compliance? .......... 37

Section 1 Installing Symantec Endpoint Protection .......... 39

Chapter 2 Planning the installation .......... 40
  Getting up and running on Symantec Endpoint Protection for the first time .......... 40
  Components of Symantec Endpoint Protection .......... 48
  Optional components for Symantec Endpoint Protection .......... 49
  .......... 50
    System requirements for Symantec Endpoint Protection Manager .......... 51
    System requirements for the Symantec Endpoint Protection client for Windows .......... 52
    System requirements for the Symantec Endpoint Protection client for Mac .......... 54
    System requirements for the Symantec Endpoint Protection client for Linux .......... 54
    Internationalization requirements .......... 56
  Product license requirements .......... 57
  Supported virtual installations and virtualization products .......... 59
  About Symantec Endpoint Protection Manager compatibility with other products .......... 61
  Network architecture considerations .......... 61
  About choosing a database type .......... 62
  About basic management server settings .......... 63
  Management server ports .......... 65
  About SQL Server configuration settings .......... 66
  About SQL Server database authentication modes .......... 70

Chapter 3 Installing Symantec Endpoint Protection Manager .......... 72
  Installing Symantec Endpoint Protection Manager .......... 72
  Configuring Symantec Endpoint Protection Manager during installation .......... 74
  Uninstalling Symantec Endpoint Protection Manager .......... 75
  Logging on to the Symantec Endpoint Protection Manager console .......... 76
    About accepting the self-signed server certificate for Symantec Endpoint Protection Manager .......... 78
    Displaying a message for administrators to see before logging on to the Symantec Endpoint Protection Manager console .......... 79
    Allowing administrators to save logon credentials .......... 79
    Granting or blocking access to remote Symantec Endpoint Protection Manager consoles .......... 80
    Unlocking an administrator's account after too many logon attempts .......... 82
    Changing the time period for staying logged on to the console .......... 82
  What you can do from the console .......... 83
  What do I do after I install the management server? .......... 85

Chapter 4 Managing product licenses .......... 88
  Licensing Symantec Endpoint Protection .......... 88
  About the trial license .......... 90
  About purchasing licenses .......... 91
  Activating or importing your Symantec Endpoint Protection 12.1.x product license .......... 92
    Required licensing contact information .......... 95
    About the Symantec Licensing Portal .......... 96
  About product upgrades and licenses .......... 96
  About renewing your Symantec Endpoint Protection license .......... 97
  Checking the license status in Symantec Endpoint Protection Manager .......... 97
  About the licensing enforcement rules .......... 98
  Backing up your license files .......... 99
  Recovering a deleted license .......... 99
  Purging obsolete clients from the database to make more licenses available .......... 100
  About multi-year licenses .......... 101
  Licensing an unmanaged Windows client .......... 101

Chapter 5 Installing the Symantec Endpoint Protection client .......... 103
  Preparing for client installation .......... 104
    Preparing Windows and Mac computers for remote deployment .......... 106
    About the communication ports that Symantec Endpoint Protection uses .......... 108
  About client installation methods .......... 110
    Which features should you install on the client? .......... 111
    Installing clients with Web Link and Email .......... 112
    Installing clients with Remote Push .......... 115
    Installing clients with Save Package .......... 117
  Exporting client installation packages .......... 119
  About the Windows client installation settings .......... 120
  Configuring Windows client installation feature sets .......... 121
  Configuring client packages to uninstall existing third-party security software .......... 122
  Restarting the client computers from Symantec Endpoint Protection Manager .......... 124
  Installing the Symantec Endpoint Protection client for Mac .......... 126
  Installing the Symantec Endpoint Protection client for Linux .......... 128
  About managed and unmanaged clients .......... 129
    Obtaining an unmanaged Symantec Endpoint Protection client installation package .......... 130
  Installing an unmanaged Windows client .......... 131
  Uninstalling the Symantec Endpoint Protection client for Windows .......... 132
  Uninstalling the Symantec Endpoint Protection client for Mac .......... 133
  Uninstalling the Symantec Endpoint Protection client for Linux .......... 134
  Managing client installation packages .......... 135
  Adding client installation package updates .......... 137

Chapter 6 Upgrading Symantec Endpoint Protection .......... 139
  Upgrading to a new release .......... 140
  Upgrade resources for Symantec Endpoint Protection 12.1.x .......... 142
  Feature mapping between 11.0 and 12.1 clients .......... 143
  Supported upgrade paths for Symantec Endpoint Protection .......... 146
  Increasing Symantec Endpoint Protection Manager available disk space before upgrading to version 12.1.x .......... 148
  Upgrading a management server .......... 150
  Upgrading an environment that uses multiple embedded databases and management servers .......... 150
  Turning off replication before an upgrade from Symantec Endpoint Protection 11.0 .......... 151
  Turning on replication after an upgrade from Symantec Endpoint Protection 11.0 .......... 152
  Stopping and starting the management server service .......... 153
  About upgrading client software .......... 154
  Upgrading Windows clients by using AutoUpgrade in Symantec Endpoint Protection .......... 155
  Updating client software with a LiveUpdate Settings policy .......... 156
  Upgrading Group Update Providers .......... 157

Chapter 7 Managing sites and replication .......... 159
  Setting up sites and replication .......... 159
  Deciding whether or not to set up multiple sites and replication .......... 161
  About determining how many sites you need .......... 163
  How replication works .......... 165
    How to resolve data conflicts between sites during replication .......... 166
  Replicating data on demand .......... 167
  Changing the automatic replication schedule .......... 168
  Specifying which data to replicate .......... 169
  Deleting replication partners .......... 169
  Re-adding a replication partner that you previously deleted .......... 170

Chapter 8 Integrating Symantec Endpoint Protection with Protection Center .......... 172
  About Symantec Endpoint Protection and Protection Center .......... 172
  Integrating Symantec Endpoint Protection Manager with Protection Center .......... 173
  About setting up multiple Symantec Endpoint Protection domains in Protection Center .......... 174
  Configuring communication between Symantec Endpoint Protection Manager and Protection Center .......... 175
Section 2 Managing groups, clients, and administrators .......... 177

Chapter 9 Managing groups of client computers .......... 178
  Managing groups of clients .......... 178
  How you can structure groups .......... 180
  Adding a group .......... 181
  Importing existing groups and computers from an Active Directory or an LDAP server .......... 182
    About importing organizational units from the directory server .......... 183
    Connecting Symantec Endpoint Protection Manager to a directory server .......... 184
    Connecting to a directory server on a replicated site .......... 185
    Importing organizational units from a directory server .......... 186
    Searching for and importing specific accounts from a directory server .......... 187
  Assigning clients to groups before you install the client software .......... 188
  Disabling and enabling a group's inheritance .......... 189
  Blocking client computers from being added to groups .......... 190
  Moving a client computer to another group .......... 190

Chapter 10 Managing clients .......... 192
  Managing client computers .......... 193
  How to determine whether the client is connected in the console .......... 195
  Viewing the protection status of clients and client computers .......... 197
  Displaying which clients do not have the client software installed .......... 198
  Searching for information about client computers .......... 199
  About enabling and disabling protection when you need to troubleshoot problems .......... 200
  About commands that you can run on client computers .......... 202
  Running commands on the client computer from the console .......... 204
  Ensuring that a client does not restart .......... 205
  Switching a Windows client between user mode and computer mode .......... 205
  Configuring a client to detect unmanaged devices .......... 207
  About access to the client interface on Windows clients .......... 208
  Locking and unlocking settings by changing the user control level .......... 209
  Unlocking user interface settings on the client .......... 212
  Collecting user information .......... 214
  Password-protecting the client .......... 215
Chapter 11 Managing remote clients .......... 216
  Managing remote clients .......... 216
  Managing locations for remote clients .......... 218
  Enabling location awareness for a client .......... 220
  Adding a location to a group .......... 221
  Changing a default location .......... 222
  Setting up Scenario One location awareness conditions .......... 223
  Setting up Scenario Two location awareness conditions .......... 225
  Configuring communication settings for a location .......... 228
  About strengthening your security policies for remote clients .......... 229
    Best practices for Firewall policy settings .......... 229
    About best practices for LiveUpdate policy settings .......... 230
  About turning on notifications for remote clients .......... 231
  About customizing log management settings for remote clients .......... 231
  About monitoring remote clients .......... 232

Chapter 12 Managing domains .......... 234
  About domains .......... 234
  Adding a domain .......... 236
  Switching to the current domain .......... 236

Chapter 13 Managing administrator accounts and passwords .......... 238
  Managing administrator accounts .......... 238
  About administrator account roles and access rights .......... 241
  Adding an administrator account .......... 243
  Configuring the access rights for a limited administrator .......... 243
  Changing the authentication method for administrator accounts .......... 244
    Configuring the management server to authenticate administrators who use RSA SecurID to log on .......... 246
    Authenticating administrators who use RSA SecurID to log on to the management server .......... 247
  Best practices for testing whether a directory server authenticates an administrator account .......... 247
  Changing the password for an administrator account .......... 252
  Allowing administrators to reset forgotten passwords .......... 253
  Sending a temporary password to an administrator .......... 253
  Displaying the Remember my user name and Remember my password check boxes on the logon screen .......... 255
Section 3 Managing security policies .......... 256

Chapter 14 Using policies to manage security .......... 257
  Performing the tasks that are common to all policies .......... 258
  The types of security policies .......... 261
  About shared and non-shared policies .......... 263
  Adding a policy .......... 264
  Editing a policy .......... 264
  Copying and pasting a policy on the Policies page .......... 265
  Copying and pasting a policy on the Clients page .......... 266
  Locking and unlocking Virus and Spyware Protection policy settings .......... 267
  Assigning a policy to a group .......... 267
  Replacing a policy .......... 269
  Exporting and importing individual policies .......... 270
  Converting a shared policy to a non-shared policy .......... 271
  Withdrawing a policy from a group .......... 272
  How the client computers get policy updates .......... 274
  Configuring push mode or pull mode to update client policies and content .......... 275
  Using the policy serial number to check client-server communication .......... 276
  Manually updating policies on the client .......... 277
  Monitoring the applications and services that run on client computers .......... 278
    Configuring the management server to collect information about the applications that the client computers run .......... 279
  Searching for information about the applications that the computers run .......... 280

Chapter 15 Managing Virus and Spyware Protection .......... 283
  Preventing and handling virus and spyware attacks on client computers .......... 284
  Remediating risks on the computers in your network .......... 286
    Identifying the infected and at-risk computers .......... 288
    Checking the scan action and rescanning the identified computers .......... 289
  Managing scans on client computers .......... 290
    About the types of scans and real-time protection .......... 293
    About the types of Auto-Protect .......... 295
    About virus and security risks .......... 297
    About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans .......... 299
    About the default Virus and Spyware Protection policy scan settings .......... 302
    How Symantec Endpoint Protection handles detections of viruses and security risks .......... 306
    How Symantec Endpoint Protection handles detections on Windows 8 computers .......... 307
  Setting up scheduled scans that run on Windows computers .......... 307
  Setting up scheduled scans that run on Mac computers .......... 309
  Setting up scheduled scans that run on Linux computers .......... 310
  Running on-demand scans on client computers .......... 311
  Adjusting scans to improve computer performance .......... 312
  Adjusting scans to increase protection on your client computers .......... 315
  Managing Download Insight detections .......... 317
  How Symantec Endpoint Protection uses reputation data to make decisions about files .......... 321
  How Symantec Endpoint Protection policy features work together on Windows computers .......... 322
  About submitting information about detections to Symantec Security Response .......... 324
  About submissions throttling .......... 325
  Enabling or disabling client submissions to Symantec Security Response .......... 326
  Specifying a proxy server for client submissions and other external communications .......... 328
  Managing the Quarantine .......... 329
    Specifying a local Quarantine folder .......... 330
    Specifying when repaired files, backup files, and quarantined files are automatically deleted .......... 331
    Configuring clients to submit quarantined items to a Central Quarantine Server or Symantec Security Response .......... 332
    Configuring how the Quarantine handles the rescanning of files after new definitions arrive .......... 332
    Using the Risk log to delete quarantined files on your client computers .......... 333
  Managing the virus and spyware notifications that appear on client computers .......... 334
  About the pop-up notifications that appear on Windows 8 clients .......... 336
  Enabling or disabling Symantec Endpoint Protection pop-up notifications that appear on Windows 8 clients .......... 337
  Managing early launch anti-malware (ELAM) detections .......... 337
        Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options .......... 339
    Configuring a site to use a private Insight server for reputation queries .......... 340

Chapter 16 Customizing scans .......... 342
    Customizing the virus and spyware scans that run on Windows computers .......... 343
    Customizing the virus and spyware scans that run on Mac computers .......... 344
    Customizing the virus and spyware scans that run on Linux computers .......... 345
    Customizing Auto-Protect for Windows clients .......... 346
    Customizing Auto-Protect for Mac clients .......... 347
    Customizing Auto-Protect for Linux clients .......... 348
    Customizing Auto-Protect for email scans on Windows computers .......... 350
    Customizing administrator-defined scans for clients that run on Windows computers .......... 351
    Customizing administrator-defined scans for clients that run on Mac computers .......... 352
    Customizing administrator-defined scans for clients that run on Linux computers .......... 354
    Randomizing scans to improve computer performance in virtualized environments on Windows clients .......... 355
    Modifying global scan settings for Windows clients .......... 356
    Modifying miscellaneous settings for Virus and Spyware Protection on Windows computers .......... 357
    Modifying miscellaneous settings for Virus and Spyware Protection on Linux computers .......... 358
    Customizing Download Insight settings .......... 359
    Changing the action that Symantec Endpoint Protection takes when it makes a detection .......... 360
    Allowing users to view scan progress and interact with scans on Windows computers .......... 362
    How Symantec Endpoint Protection interacts with Windows Security Center .......... 364

Chapter 17 Managing SONAR .......... 366
    About SONAR .......... 366
    Managing SONAR .......... 367
    Handling and preventing SONAR false positive detections .......... 371
    Adjusting SONAR settings on your client computers .......... 372
    Monitoring SONAR detection results to check for false positives .......... 373
    Managing TruScan proactive threat scans for legacy clients .......... 375
        About adjusting TruScan settings for 11.0 clients .......... 376
        Configuring TruScan proactive threat scan settings for 11.0 clients .......... 377

Chapter 18 Managing Tamper Protection .......... 380
    About Tamper Protection .......... 380
    Changing Tamper Protection settings .......... 381

Chapter 19 Managing intrusion prevention .......... 382
    Managing intrusion prevention on your client computers .......... 382
    How intrusion prevention works .......... 385
    About Symantec IPS signatures .......... 386
    About custom IPS signatures .......... 387
    Enabling or disabling network intrusion prevention or browser intrusion prevention .......... 388
    Creating exceptions for IPS signatures .......... 388
    Setting up a list of excluded computers .......... 390
    Configuring client intrusion prevention notifications .......... 391
    Managing custom intrusion prevention signatures .......... 392
        Creating a custom IPS library .......... 393
        Adding signatures to a custom IPS library .......... 394
        Assigning multiple custom IPS libraries to a group .......... 396
        Changing the order of custom IPS signatures .......... 396
        Defining variables for custom IPS signatures .......... 397
        Testing custom IPS signatures .......... 398

Chapter 20 Managing exceptions .......... 399
    Managing exceptions in Symantec Endpoint Protection .......... 399
    About exceptions in Symantec Endpoint Protection to Virus and Spyware scans .......... 401
    Creating exceptions for Virus and Spyware scans .......... 402
        Excluding a file or a folder from scans .......... 407
        Excluding known risks from virus and spyware scans on Windows clients .......... 409
        Excluding file extensions from virus and spyware scans on Windows clients and Linux clients .......... 410
        Monitoring an application to create an exception for the application on Windows clients .......... 411
        Specifying how Symantec Endpoint Protection handles monitored applications on Windows clients .......... 411
        Excluding a trusted Web domain from scans on Windows clients .......... 412
        Creating a Tamper Protection exception on Windows clients .......... 413
        Creating an exception for an application that makes a DNS or host file change .......... 414
    Restricting the types of exceptions that users can configure on client computers .......... 415
    Creating exceptions from log events in Symantec Endpoint Protection Manager .......... 415

Chapter 21 Managing content updates .......... 418
    Managing content updates .......... 419
        About the types of content that LiveUpdate can provide .......... 422
        How client computers receive content updates .......... 427
    Configuring a site to download content updates .......... 432
    Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager .......... 435
    Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager .......... 436
    Checking LiveUpdate server activity .......... 437
    Configuring Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet and download content from Symantec LiveUpdate .......... 437
    Specifying a proxy server that clients use to communicate to Symantec LiveUpdate or an internal LiveUpdate server .......... 438
    Configuring the types of content used to update client computers .......... 439
    Configuring the LiveUpdate download schedule for client computers .......... 440
    Configuring the amount of control that users have over LiveUpdate .......... 441
    Configuring the content revisions that clients use .......... 442
    About randomization of simultaneous content downloads .......... 443
    Randomizing content downloads from the default management server or a Group Update Provider .......... 444
    Randomizing content downloads from a LiveUpdate server .......... 445
    Configuring client updates to run when client computers are idle .......... 446
    Configuring client updates to run when definitions are old or the computer has been disconnected .......... 447
    Setting up an external LiveUpdate server for Symantec Endpoint Protection clients .......... 448
    Setting up an internal LiveUpdate server for Symantec Endpoint Protection clients .......... 449
    Using Group Update Providers to distribute content to clients .......... 452
        About the types of Group Update Providers .......... 454
        About the effects of configuring more than one type of Group Update Provider in your network .......... 458
        About configuring rules for multiple Group Update Providers .......... 460
        Configuring Group Update Providers .......... 461
        Searching for the clients that act as Group Update Providers .......... 464
    Using Intelligent Updater files to update content on Windows computers .......... 465
    Using third-party distribution tools to update client computers .......... 466
        Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients .......... 467
        Preparing unmanaged clients to receive updates from third-party distribution tools .......... 469
        Distributing the content using third-party distribution tools .......... 470

Chapter 22 Testing security policies .......... 474
    Testing Symantec Endpoint Protection Manager policies .......... 474
    Testing a Virus and Spyware Protection policy .......... 475
    Blocking a process from starting on client computers .......... 475
    Preventing users from writing to the registry on client computers .......... 476
    Preventing users from writing to a particular file .......... 478
    Adding and testing a rule that blocks a DLL .......... 479
    Adding and testing a rule that terminates a process .......... 480

Section 4 Enforcing policies and meeting compliance requirements .......... 482

Chapter 23 Managing firewall protection .......... 483
    Managing firewall protection .......... 483
        How a firewall works .......... 484
        About the Symantec Endpoint Protection firewall .......... 485
    Creating a firewall policy .......... 486
        Enabling and disabling a firewall policy .......... 489
        Automatically allowing communications for essential network services .......... 490
        Configuring firewall settings for mixed control .......... 491
        Automatically blocking connections to an attacking computer .......... 492
        Detecting potential attacks and spoofing attempts .......... 492
        Preventing stealth detection .......... 493
        Disabling the Windows firewall .......... 494
    Managing firewall rules .......... 495
        About firewall server rules and client rules .......... 496
        About the firewall rule, firewall setting, and intrusion prevention processing order .......... 497
        About inherited firewall rules .......... 498
        Changing the order of firewall rules .......... 500
        How the firewall uses stateful inspection .......... 500
        About firewall rule application triggers .......... 501
        About firewall rule host triggers .......... 505
        About firewall rule network services triggers .......... 509
        About firewall rule network adapter triggers .......... 510
    Setting up firewall rules .......... 512
        Adding a new firewall rule .......... 513
        Importing and exporting firewall rules .......... 514
        Copying and pasting firewall rules .......... 515
        Customizing firewall rules .......... 515

Chapter 24 Managing application control, device control, and system lockdown .......... 526
    About application and device control .......... 526
    About Application and Device Control policies .......... 528
    About the structure of an Application and Device Control policy .......... 528
    Setting up application and device control .......... 529
    Enabling a default application control rule set .......... 531
    Creating custom application control rules .......... 532
        About best practices for creating application control rules .......... 534
        Typical application control rules .......... 536
        Creating a custom rule set and adding rules .......... 538
        Copying application rule sets or rules between Application and Device Control policies .......... 539
        Applying a rule to specific applications and excluding applications from a rule .......... 540
        Adding conditions and actions to a custom application control rule .......... 542
        Testing application control rule sets .......... 543
    Configuring system lockdown .......... 544
        Making the blacklist mode for system lockdown appear in Symantec Endpoint Protection Manager .......... 550
        Creating a file fingerprint list with checksum.exe .......... 551
        Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager .......... 553
        Manually updating a file fingerprint list in Symantec Endpoint Protection Manager .......... 554
        Creating an application name list to import into the system lockdown configuration .......... 555
        Automatically updating whitelists or blacklists for system lockdown .......... 556
        Setting up and testing the system lockdown configuration before you enable system lockdown .......... 561
        Enabling system lockdown to run in whitelist mode .......... 563
        Enabling system lockdown to run in blacklist mode .......... 565
        Testing selected items before you add or remove them when system lockdown is already enabled .......... 566
    Managing device control .......... 568
        About the hardware devices list .......... 569
        Obtaining a class ID or device ID .......... 570
        Adding a hardware device to the Hardware Devices list .......... 571
        Configuring device control .......... 571

Chapter 25 Managing Host Integrity to enforce security policies .......... 573
    How Host Integrity works .......... 574
    Setting up Host Integrity .......... 575
    About Host Integrity requirements .......... 577
    Adding predefined requirements to a Host Integrity policy .......... 578
        Enabling and disabling Host Integrity requirements .......... 579
    Setting up remediation for a predefined Host Integrity requirement .......... 579
        Allowing users to delay or cancel Host Integrity remediation .......... 580
    Configuring the frequency of Host Integrity check settings .......... 582
    Allowing the Host Integrity check to pass if a requirement fails .......... 582
    Configuring notifications for Host Integrity checks .......... 583
    Creating a Quarantine policy for a failed Host Integrity check .......... 584
    Configuring peer-to-peer authentication for Host Integrity enforcement .......... 585
    Adding a custom requirement from a template .......... 586
    Writing a customized requirement script .......... 587
        About registry conditions .......... 589
        Writing a custom requirement to run a script on the client .......... 590
        Writing a custom requirement to set the timestamp of a file .......... 591
        Writing a custom requirement to increment a registry DWORD value .......... 592
    Creating a test Host Integrity policy with a custom requirement script .......... 592

Section 5 Monitoring and reporting .......... 595

Chapter 26 Monitoring protection with reports and logs .......... 596
    Monitoring endpoint protection .......... 596
        Viewing a daily or weekly status report .......... 601
        Viewing system protection .......... 601
        Finding offline computers .......... 602
        Finding unscanned computers .......... 602
        Viewing risks .......... 603
        Viewing the status of deployed client computers .......... 604
        Viewing attack targets and sources .......... 605
        Generating a list of the Symantec Endpoint Protection versions installed on the clients and servers in your network .......... 606
    Configuring reporting preferences .......... 606
    Logging on to reporting from a stand-alone Web browser .......... 607
    About the types of reports .......... 608
    Running and customizing quick reports .......... 610
    Saving and deleting custom reports .......... 612
    Creating scheduled reports .......... 613
    Editing the filter used for a scheduled report .......... 615
    Printing and saving a copy of a report .......... 616
    Viewing logs .......... 617
        What you can do from the logs .......... 618
        Saving and deleting custom logs by using filters .......... 621
        Viewing logs from other sites .......... 622
    Running commands from the computer status log .......... 623

Chapter 27 Managing notifications .......... 626
    Managing notifications .......... 626
        How notifications work .......... 627
        What are the types of notifications and when are they sent? .......... 628
        About partner notifications .......... 633
    Establishing communication between the management server and email servers .......... 633
    Viewing and acknowledging notifications .......... 634
    Saving and deleting administrative notification filters .......... 635
    Setting up administrator notifications .......... 636
    How upgrades from another version affect notification conditions .......... 637

Section 6 Managing protection in virtual environments .......... 640

Chapter 28 Overview of Symantec Endpoint Protection and virtual infrastructures .......... 641
    Using Symantec Endpoint Protection in virtual infrastructures .......... 641
    About Shared Insight Cache .......... 643
    About the Virtual Image Exception tool .......... 643

Chapter 29 Installing and using a network-based Shared Insight Cache .......... 645
    What do I need to do to use a network-based Shared Insight Cache? .......... 645
    System requirements for implementing a network-based Shared Insight Cache .......... 646
    Installing and uninstalling a network-based Shared Insight Cache .......... 647
    Enabling or disabling the use of a network-based Shared Insight Cache .......... 648
    Customizing network-based Shared Insight Cache configuration settings .......... 650
    About stopping and starting the network-based Shared Insight Cache service .......... 654
    Viewing network-based Shared Insight Cache log events .......... 654
    Monitoring network-based Shared Insight Cache performance counters .......... 656
    Troubleshooting issues with Shared Insight Cache .......... 657

Chapter 30 Installing a Security Virtual Appliance and using a vShield-enabled Shared Insight Cache .......... 658
    What do I need to do to use a vShield-enabled Shared Insight Cache? .......... 659
    What do I need to do to install a Security Virtual Appliance? .......... 660
    About the Symantec Endpoint Protection Security Virtual Appliance .......... 661
    VMware software requirements to install a Symantec Security Virtual Appliance .......... 663
    VMware software requirements for the Guest Virtual Machines .......... 664
    Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file .......... 664
    Installing a Symantec Endpoint Protection Security Virtual Appliance .......... 667
    Enabling Symantec Endpoint Protection clients to use a vShield-enabled Shared Insight Cache .......... 670
    Stopping and starting the vShield-enabled Shared Insight Cache service .......... 670
    Service commands for the vShield-enabled Shared Insight Cache .......... 671
    Configuration file settings for a vShield-enabled Shared Insight Cache .......... 671
    About vShield-enabled Shared Insight Cache event logging .......... 674
    Uninstalling a Symantec Endpoint Protection Security Virtual Appliance .......... 675

Chapter 31 Using Virtual Image Exception .......... 676
    Using the Virtual Image Exception tool on a base image .......... 676
    System requirements for the Virtual Image Exception tool .......... 677
    Running the Virtual Image Exception tool .......... 678
    Configuring Symantec Endpoint Protection to bypass the scanning of base image files .......... 678

Chapter 32 Non-persistent virtual desktop infrastructures .......... 680
    Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures .......... 680
    Setting up the base image for non-persistent guest virtual machines in virtual desktop infrastructures .......... 681
    Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients .......... 682
    Configuring a separate purge interval for offline non-persistent VDI clients .......... 682
Section 7 Configuring and managing the management server .......... 684

Chapter 33 Managing the connection between the management server and the client computers .......... 685
    Managing the client-server connection .......... 686
    How to determine whether the client computer is connected and protected .......... 687
    Why do I need to replace the client-server communications file on the client computer? .......... 688
    How do I replace the client-server communications file on the client computer? .......... 689
    Restoring client-server communications with Communication Update Package Deployment .......... 690
    Exporting the client-server communications file (Sylink.xml) manually .......... 691
    Importing client-server communication settings into the Windows client .......... 693
    Importing client-server communication settings into the Linux client .......... 694
    Configuring SSL between Symantec Endpoint Protection Manager and the clients .......... 695
        Verifying port availability .......... 695
        Changing the SSL port assignment in Symantec Endpoint Protection Manager .......... 696
        Enabling SSL for the Apache web server for client communication .......... 698
    Improving client and server performance .......... 699
    About server certificates .......... 701
    Best practices for updating server certificates and maintaining the client-server connection .......... 702
        Disabling or enabling secure communications between the server and the client .......... 704
        Updating or restoring a server certificate .......... 705

Chapter 34 Configuring the management server .......... 707
    Managing Symantec Endpoint Protection Manager servers and third-party servers .......... 707
    About the types of Symantec Endpoint Protection servers .......... 710
    Exporting and importing server settings .......... 710
    Enabling or disabling Symantec Endpoint Protection Manager web services .......... 711

Chapter 35 Managing databases .......... 713
    Maintaining the database .......... 713
    Scheduling automatic database backups .......... 717
    Scheduling automatic database maintenance tasks .......... 718
        Increasing the Microsoft SQL Server database file size .......... 719
    Exporting data to a Syslog server .......... 720
    Exporting log data to a text file .......... 721
    Exporting log data to a comma-delimited text file .......... 722
    Specifying client log size and which logs to upload to the management server .......... 723
    Specifying how long to keep log entries in the database .......... 724
    About increasing the disk space on the server for client log data .......... 724
    Clearing log data from the database manually .......... 725

Chapter 36 Managing failover and load balancing .......... 727
    Setting up failover and load balancing .......... 727
    About failover and load balancing .......... 728
    Configuring a management server list .......... 730
    Assigning a management server list to a group and location .......... 731

Chapter 37 Preparing for disaster recovery .......... 733
    Preparing for disaster recovery .......... 733
    Backing up the database and logs .......... 734
    Backing up a server certificate .......... 736

Section 8 Troubleshooting Symantec Endpoint Protection Manager .......... 737

Chapter 38 Performing disaster recovery .......... 738
    Performing disaster recovery .......... 738
    Reinstalling or reconfiguring Symantec Endpoint Protection Manager .......... 739
    Generating a new server certificate .......... 740
    Restoring the database .......... 741
Chapter 39 Troubleshooting installation and communication problems .......... 743
    Troubleshooting Symantec Endpoint Protection .......... 743
    Troubleshooting computer issues with the Symantec Help support tool .......... 745
    Identifying the point of failure of an installation .......... 745
    Troubleshooting communication problems between the management server and the client .......... 746
        Checking the connection to the management server on the client computer .......... 748
        Investigating protection problems using the troubleshooting file on the client .......... 748
        Enabling and viewing the Access log to check whether the client connects to the management server .......... 749
        Stopping and starting the Apache Web server .......... 750
        Using the ping command to test the connectivity to the management server .......... 751
        Using a browser to test the connectivity to Symantec Endpoint Protection Manager on the Symantec Endpoint Protection client .......... 751
        Checking the debug log on the client computer .......... 752
        Checking the inbox logs on the management server .......... 752
        Restoring client-server communication settings by using the SylinkDrop tool .......... 753
    Troubleshooting communication problems between the management server and the console or the database .......... 755
        Verifying the connection with the database .......... 756
    Client and server communication files .......... 758

Chapter 40 Troubleshooting reporting issues .......... 759
    Troubleshooting reporting issues .......... 759
    Changing timeout parameters for reviewing reports and logs .......... 761
    Accessing reporting pages when the use of loopback addresses is disabled .......... 763
    About recovering a corrupted client System Log on 64-bit computers .......... 764
Chapter 41 Using Power Eraser to troubleshoot difficult and persistent threats ...... 765
What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console ...... 765
Tasks to perform when you need to run Power Eraser from the Symantec Endpoint Protection Manager console ...... 768
Starting Power Eraser analysis from Symantec Endpoint Protection Manager ...... 772
Responding to Power Eraser detections ...... 774
Appendix A Reference: Client feature comparison tables ...... 777
Client protection features based on platform ...... 777
Management features based on platform ...... 778
Virus and Spyware Protection policy settings based on platform ...... 782
Intrusion prevention policy settings based on platform ...... 786
LiveUpdate policy settings based on platform ...... 787
Exceptions policy settings based on platform ...... 788
Appendix B Customizing and deploying the Windows client installation by using third-party tools ...... 790
Installing Windows client software using third-party tools ...... 791
About client installation features and properties ...... 792
About configuring MSI command strings ...... 793
About configuring Setaid.ini ...... 793
Symantec Endpoint Protection command-line client installation properties ...... 794
Symantec Endpoint Protection command-line client features ...... 795
Windows Installer parameters ...... 797
Windows Security Center properties ...... 799
Command-line examples for installing the Windows client ...... 800
About installing and deploying Windows client software with the Symantec Management Agent ...... 800
Installing Windows clients with Microsoft SCCM/SMS ...... 801
Installing Windows clients with an Active Directory Group Policy Object (GPO) ...... 802
Creating a GPO software distribution ...... 803
Adding computers to an organizational unit to install software ...... 805
Copying a Sylink.xml file to make a managed installation package ...... 806
Uninstalling client software with an Active Directory Group Policy Object ...... 807
Appendix C Command-line options for the Windows client ...... 809
Running the Windows client using the smc command-line interface ...... 809
smc command error codes ...... 813
Appendix D Command-line options for the Virtual Image Exception tool ...... 815
vietool ...... 816
Appendix E Syntax for custom intrusion prevention signatures and application control rules ...... 818
Regular expressions in Symantec Endpoint Protection Manager ...... 819
About signature syntax and conventions ...... 821
Protocol type arguments ...... 822
TCP protocol arguments ...... 822
UDP protocol arguments ...... 824
ICMP protocol arguments ...... 825
IP protocol arguments ...... 826
Msg arguments ...... 829
Content arguments ...... 830
Optional content arguments ...... 830
Case-sensitivity ...... 831
HTTP decoding ...... 831
Offset and depth ...... 831
Streamdepth arguments ...... 832
Supported operators ...... 833
Sample custom IPS signature syntax ...... 833
Index ...... 836
Chapter 1 Introducing Symantec Endpoint Protection
This chapter includes the following topics:
What is Symantec Endpoint Protection?
What's new in Symantec Endpoint Protection 12.1.5
How Symantec Endpoint Protection uses layers to protect computers
How does Symantec Endpoint Protection enforce compliance?
What is Symantec Endpoint Protection?

Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, and servers in your network against malware, risks, and vulnerabilities. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your client computers against known and unknown threats, such as viruses, worms, Trojan horses, and adware. Symantec Endpoint Protection provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.

Providing low maintenance and high power, Symantec Endpoint Protection communicates over your network to automatically safeguard both physical systems and virtual systems against attacks. Symantec Endpoint Protection provides management solutions that are efficient and easy to deploy and use.

Symantec Endpoint Protection protects your network by accomplishing the following key tasks:

Protects your endpoints from malware and maximizes system uptime.
See How Symantec Endpoint Protection uses layers to protect computers on page 34.

Enforces protection policies and compliance on the endpoint.
See How does Symantec Endpoint Protection enforce compliance? on page 37.

Responds to threats and incidents effectively by quickly quarantining and removing malware from endpoints.
See Managing the Quarantine on page 329.

Monitors and tracks risk exposure across platforms, devices, remote locations, and in physical, virtual or hybrid environments.
See Monitoring endpoint protection on page 596.

See Components of Symantec Endpoint Protection on page 48.
What's new in Symantec Endpoint Protection 12.1.5
Note: Symantec Endpoint Protection 12.1.5 is the last release update to support Symantec Protection Center 2.0.

In addition, LiveUpdate Administration Utility 1.x reaches end of life on January 5, 2015. If you use this utility in your environment, you should migrate to LiveUpdate Administrator 2.3.x. To get the latest version of LiveUpdate Administrator, see Downloading LiveUpdate Administrator.

Table 1-1 describes the new features in the latest version of Symantec Endpoint Protection.

Table 1-1 New features in Symantec Endpoint Protection 12.1.5
Columns: Feature, Description
Feature: OpenSSL 1.0.1h for Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager now uses OpenSSL 1.0.1h. The update to OpenSSL addresses several security vulnerabilities, including the one known as Heartbleed, which the OpenSSL Security Advisory for CVE-2014-0160 describes. Earlier versions of OpenSSL can reveal sensitive information from the computer's memory to a remote attacker.
You can read the full text of the OpenSSL Security Advisory at the following link:
OpenSSL Security Advisory for CVE-2014-0160
Feature: System requirements
Symantec Endpoint Protection 12.1.5 adds the following operating system support:
Windows 8.1 Update 2
Windows Server 2012 Update 2
Mac OS X 10.10
You can now access Symantec Endpoint Protection Manager from the following browsers:
Microsoft Internet Explorer 10.2, 11
Mozilla Firefox 5.x through 31.0
Google Chrome through 37.0.2062.94
For the complete list of system requirements:
See on page 50.
Feature: Windows client protection features
The Windows client provides the following new protection enhancements:

Virus and Spyware Protection:

Power Eraser can now be run from the Symantec Endpoint Protection Manager console. Power Eraser provides aggressive scanning and analysis to help resolve issues with heavily infected Windows computers. You should only run Power Eraser in emergency situations, such as when a repair fails or a computer is unstable. Note that when you run Power Eraser from the management console, Power Eraser does not scan and analyze user-specific locations. Use Power Eraser in the SymHelp tool directly on the client computer to examine user-specific locations.
See What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console on page 765.

Download Insight and SONAR can now scan Office 2013 applications.
See Managing scans on client computers on page 290.

The client no longer scans and deletes backed up files on a server where the Symantec Endpoint Protection client and either Symantec Backup Exec or Symantec NetBackup is installed.

Network Threat Protection:

For firewall rules, you can now define a host group with an IPv6 IP address. Intrusion Prevention policies do not support host names with IPv6 addresses.
See Adding host groups on page 507.
The default firewall policy includes a default Allow ICMPv6 firewall rule that contains ICMPv6 types of 1-4,128-132,141-143,148,149,151-153. You can also add a rule with ICMPv6 as a protocol in the network service list.
See Adding network services to the default network services list on page 509.
See Adding a new firewall rule on page 513.
See Creating a file fingerprint list with checksum.exe on page 551.
See Configuring system lockdown on page 544.

IPS audit signatures monitor the network traffic of certain applications on Windows computers. For example, you can use these signatures to detect Yahoo IM logons. You can enable logging, review the Network Threat Protection traffic logs, and then decide whether or not to take action on the traffic.
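The ICMPv6 type list quoted above for the default Allow ICMPv6 rule, expanded and checked by an added example that is not Symantec's code. The type names come from RFC 4443 and the related neighbor discovery, MLD, SEND and multicast router discovery RFCs; the sample lookups are constructed for illustration.

```python
"""Expand the ICMPv6 type list of the default 'Allow ICMPv6' rule and
report which message types it covers. Added example, not Symantec code."""
from typing import FrozenSet, List

# Type list exactly as the guide quotes it for the default firewall rule.
DEFAULT_ALLOW_ICMPV6_TYPES = "1-4,128-132,141-143,148,149,151-153"

# IANA-assigned ICMPv6 type names (RFC 4443, RFC 4861, RFC 3810, RFC 3971,
# RFC 4286), used only to make the audit output readable.
ICMPV6_TYPE_NAMES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query", 131: "Multicast Listener Report",
    132: "Multicast Listener Done", 133: "Router Solicitation",
    134: "Router Advertisement", 135: "Neighbor Solicitation",
    136: "Neighbor Advertisement", 137: "Redirect",
    141: "Inverse ND Solicitation", 142: "Inverse ND Advertisement",
    143: "Multicast Listener Report v2",
    148: "Certification Path Solicitation",
    149: "Certification Path Advertisement",
    151: "Multicast Router Advertisement",
    152: "Multicast Router Solicitation", 153: "Multicast Router Termination",
}


def parse_type_list(spec: str) -> FrozenSet[int]:
    """Expand "1-4,128,151-153" into the set of ICMPv6 type numbers.

    Malformed tokens, descending ranges and values outside the 8-bit
    type field are rejected instead of being silently dropped."""
    types = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            raise ValueError("empty token in ICMPv6 type list")
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range {token!r}")
        else:
            lo = hi = int(token)
        if not (0 <= lo <= 255 and 0 <= hi <= 255):
            raise ValueError(f"ICMPv6 type out of range in {token!r}")
        types.update(range(lo, hi + 1))
    return frozenset(types)


def is_allowed(icmp_type: int, spec: str = DEFAULT_ALLOW_ICMPV6_TYPES) -> bool:
    """True if the rule's type list matches this ICMPv6 type."""
    return icmp_type in parse_type_list(spec)


def describe(icmp_type: int, spec: str = DEFAULT_ALLOW_ICMPV6_TYPES) -> str:
    """One audit line, e.g. '135 Neighbor Solicitation: not in rule'."""
    name = ICMPV6_TYPE_NAMES.get(icmp_type, "unassigned/other")
    verdict = "allowed by rule" if is_allowed(icmp_type, spec) else "not in rule"
    return f"{icmp_type} {name}: {verdict}"


def uncovered_named_types(spec: str = DEFAULT_ALLOW_ICMPV6_TYPES) -> List[int]:
    """Named ICMPv6 types that the rule's list does not mention at all."""
    allowed = parse_type_list(spec)
    return sorted(t for t in ICMPV6_TYPE_NAMES if t not in allowed)


if __name__ == "__main__":
    for t in (2, 128, 135, 200):          # constructed sample lookups
        print(describe(t))
    # Neighbor Discovery types 133-137 are the named ones outside the list.
    print("not covered:", uncovered_named_types())
```

The uncovered list is a reading of the quoted type list only; whether other rules in the default policy handle those types is not stated on this page.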
Feature: Linux management
The Symantec Endpoint Protection for Linux client replaces the Symantec AntiVirus for Linux client. You can now provide Virus and Spyware Protection on the clients that run Linux. Symantec Endpoint Protection Manager provides client policy management, reporting, monitoring, logging, and licensing in a single client package for Linux.
See Customizing the virus and spyware scans that run on Linux computers on page 345.
Feature: Policy enforcement
The Host Integrity policy is now included with Symantec Endpoint Protection. The Host Integrity policy evaluates the client computers and ensures that they meet the security policies you have downloaded to those client computers.
See How Host Integrity works on page 574.
See Setting up Host Integrity on page 575.
Feature: Management server updates
You can now remotely deploy the Mac client installation package in addition to deploying it with a third-party installation tool.
See Installing clients with Remote Push on page 115.

See About Symantec Endpoint Protection and Protection Center on page 172.

You can configure the installation package to remove from the client computer over 300 third-party software products from more than 60 vendors. For more information, see: Third-party security software removal support in Symantec Endpoint Protection

Client password settings dialog box
See Password-protecting the client on page 215.

You can no longer set the console timeout to Never. For security reasons, the maximum timeout period is one hour.
See Changing the time period for staying logged on to the console on page 82.

After an administrator's failed logon attempts trigger an account lockout, the lockout interval now doubles with each subsequent lockout. Symantec Endpoint Protection Manager reverts to the original lockout interval after a successful logon, or after 24 hours since the first lockout.
See Unlocking an administrator's account after too many logon attempts on page 82.
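The lockout schedule described above (interval doubling per lockout, reset on successful logon or 24 hours after the first lockout), modelled as an added example that is not Symantec's code. The 15-minute base interval and the event timeline are constructed, since the page does not state the base value.

```python
"""Model of the administrator lockout schedule: the interval doubles with
each subsequent lockout, and the series resets after a successful logon or
24 hours after the first lockout. Added example, not Symantec code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SERIES_RESET_AFTER = timedelta(hours=24)   # stated on the page


@dataclass
class AdminLockout:
    base_interval: timedelta = timedelta(minutes=15)   # assumed base value
    lockouts_in_series: int = 0
    first_lockout_at: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    log: List[str] = field(default_factory=list)

    def _reset(self, why: str) -> None:
        self.lockouts_in_series = 0
        self.first_lockout_at = None
        self.locked_until = None
        self.log.append(f"series reset ({why})")

    def next_interval(self) -> timedelta:
        """Interval the next lockout will use: base, 2x base, 4x base, ..."""
        return self.base_interval * (2 ** self.lockouts_in_series)

    def record_lockout(self, now: datetime) -> timedelta:
        """Failed logons have locked the account at `now`; return its duration."""
        if self.first_lockout_at is not None and \
                now - self.first_lockout_at >= SERIES_RESET_AFTER:
            self._reset("24 hours since first lockout")
        if self.first_lockout_at is None:
            self.first_lockout_at = now
        interval = self.next_interval()
        self.lockouts_in_series += 1
        self.locked_until = now + interval
        self.log.append(f"{now:%Y-%m-%d %H:%M} lockout #{self.lockouts_in_series} for {interval}")
        return interval

    def record_successful_logon(self, now: datetime) -> None:
        self._reset(f"successful logon at {now:%Y-%m-%d %H:%M}")

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


def simulate(events: List[Tuple[datetime, str]]) -> List[int]:
    """Replay (time, 'lockout'|'logon') events; return each lockout's minutes."""
    state = AdminLockout()
    minutes: List[int] = []
    for when, kind in events:
        if kind == "lockout":
            minutes.append(int(state.record_lockout(when).total_seconds() // 60))
        elif kind == "logon":
            state.record_successful_logon(when)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return minutes


# Constructed timeline: three lockouts in a row, a successful logon, two more
# lockouts, then another one a full day after that second series began.
D1 = datetime(2014, 9, 26)
SAMPLE_EVENTS = [
    (D1.replace(hour=9, minute=0), "lockout"),
    (D1.replace(hour=9, minute=20), "lockout"),
    (D1.replace(hour=9, minute=50), "lockout"),
    (D1.replace(hour=11, minute=0), "logon"),
    (D1.replace(hour=11, minute=30), "lockout"),
    (D1.replace(hour=12, minute=0), "lockout"),
    (D1.replace(hour=11, minute=30) + timedelta(hours=24), "lockout"),
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))   # [15, 30, 60, 15, 30, 15]
```

A steadily doubling interval in the management server's own logs is the signature of one account being hammered by repeated failed logons; the timeline here shows how a reset hides that pattern.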
Feature: Management server integration with network security technology
Web services on the management server now support integration with Symantec Managed Security Services. Together, Symantec Managed Security Services and Symantec Endpoint Protection Manager provide advanced threat monitoring and targeted remediation options.
The following new web services are also available for use by third-party remote monitoring and management solutions:
You can run the new Power Eraser commands.
You can place clients into Quarantine.
You can run an Evidence of Compromise command on the client.
Documentation and other tools for remote monitoring and management support appear in the web services SDK. The SDK is located in the Tools installation file in the following folder:
/Integration/SEPM_WebService_SDK

Feature: Management server integration with advanced reporting
/ITAnalytics
Feature: Management server and client performance
The management server and the client include the following performance improvements:

Bandwidth control for client communication
The management server now includes an Apache module that you can configure to control network bandwidth. The module reduces the network load between Symantec Endpoint Protection Manager and the client computers, especially when the clients download content definitions or client installation packages.

To reduce hard disk space, Symantec Endpoint Protection Manager now stores only the most recent full set of virus definitions, plus the deltas for previous versions. Storing the deltas reduces delivery time and network bandwidth, and improves disk storage requirements on the management server by 65% to 80%.
See Increasing Symantec Endpoint Protection Manager available disk space before upgrading to version 12.1.x on page 148.
See Configuring a site to download content updates on page 432.

The client startup time has improved by more than 10%.

The client service needs fewer processes to run.

Enhancements to the scan throttling logic for the Windows client improve scan performance. These enhancements also minimize the effect on computers with solid-state drives (SSDs) or that run in a virtualized or Terminal Services environment.

If Symantec Endpoint Protection and Critical System Protection are both installed on the same client computer, these applications now share Symantec components.
Feature: Documentation
Symantec Endpoint Protection provides the following documentation changes:
The Symantec Endpoint Protection Installation and Administration Guide no longer includes Network Access Control topics. A new Symantec Network Access Control Installation and Administration Guide includes the Network Access Control topics.
How Symantec Endpoint Protection uses layers to protect computers

Symantec's core protection against known and unknown threats uses a layered approach to defense. The layered approach protects the network before, during, and after an attack. Symantec Endpoint Protection reduces your risk of exposure by providing tools to increase your security posture ahead of any attack.

Table 1-2 describes the types of protection that Symantec Endpoint Protection Manager uses to protect your network.
Table 1-2 The layers of protection that are integrated into Symantec Endpoint Protection
Columns: Layer, Type of protection, Description, Symantec Endpoint Protection technology name
Layer 1: Network-based protection
Technology: Network Threat Protection (Firewall; Protocol-aware IPS); Virus and Spyware Protection (Browser protection)
The firewall and the intrusion prevention system block over 60% of malware as it travels over the network and before it arrives at the computer.
This primary defense protects against drive-by downloads, social engineering, fake antivirus programs, individual system vulnerabilities, rootkits, botnets, and more. Stopping malware before it reaches your computer is definitely preferred to identifying a vulnerability that has already been exploited.
See Managing firewall protection on page 483.
See Managing intrusion prevention on your client computers on page 382.
See Modifying miscellaneous settings for Virus and Spyware Protection on Windows computers on page 357.
Layer 2: File-based protection
Technology: Virus and Spyware Protection (Antivirus engine; Auto-Protect; Bloodhound)
This traditional signature-based antivirus protection looks for and eradicates the malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans.
Unfortunately, many companies leave themselves exposed through the belief that antivirus alone keeps their systems protected.
See Managing scans on client computers on page 290.
Layer 3: Reputation-based protection
Technology: Virus and Spyware Protection (Domain reputation score; File reputation (Insight))
Insight establishes information about entities, such as websites, files, and IP addresses to be used in effective security.
Download Insight determines the safety of files and websites by using the wisdom of the community. Sophisticated threats require leveraging the collective wisdom of over 200 million systems to identify new and mutating malware. Symantec's Insight gives companies access to the largest global intelligence network available to allow them to filter every file on the internet based on reputation.
See Managing Download Insight detections on page 317.
Layer 4: Behavioral-based protection
Technology: Proactive Threat Protection (Virus and Spyware Protection policy): SONAR
SONAR looks at processes as they execute and uses malicious behaviors to indicate the presence of malware.
SONAR watches programs as they run, and blocks suspicious behaviors. SONAR catches targeted and unknown threats by aggressively monitoring file processes as they execute and identifying malicious behavior. SONAR uses artificial intelligence, behavior signatures, and policy lockdown to monitor nearly 1,400 file behaviors as they execute in real time. When SONAR is combined with Insight, this technology is able to aggressively stop zero-day threats without increasing false-positives.
See Managing SONAR on page 367.
Layer 5: Repair and remediation tools
Technology: Power Eraser (Boot to clean operating system; Power Eraser uses aggressive heuristics; Threat-specific tools)
When malware does get through, Power Eraser scrubs hard-to-remove infections and gets your system back online as quickly as possible. Power Eraser uses aggressive remediation on hard-to-remove infections.
See What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console on page 765.
Symantec Endpoint Protection extends and enhances security with the following additional technologies:

System Lockdown
System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved. System Lockdown is useful for kiosks where you want to run a single application only.
See Configuring system lockdown on page 544.

Application control
Application control monitors and controls an application's behavior. Application control protects against unauthorized access and attack by controlling what applications can run. Application control blocks or terminates processes, limits file and folder access, protects the Windows registry, and controls module and DLL loading. Application control includes predefined templates t