Installation and Administration Guide SEP12.1.5


Symantec Endpoint Protection 12.1.5 Installation and Administration Guide

Symantec Endpoint Protection Installation and Administration Guide

Product version 12.1.5

Documentation version: 1

This document was last updated on: September 26, 2014

Legal Notice

Copyright 2014 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo, Altiris, LiveUpdate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

  • A range of support options that give you the flexibility to select the right amount of service for any size organization
  • Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
  • Upgrade assurance that delivers software upgrades
  • Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
  • Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our website at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

  • Product release level
  • Hardware information
  • Available memory, disk space, and NIC information
  • Operating system
  • Version and patch level
  • Network topology
  • Router, gateway, and IP address information
  • Problem description:
    • Error messages and log files
    • Troubleshooting that was performed before contacting Symantec
    • Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

  • Questions regarding product licensing or serialization
  • Product registration updates, such as address or name changes
  • General product information (features, language availability, local dealers)
  • Latest information about product updates and upgrades
  • Information about upgrade assurance and support contracts
  • Information about the Symantec Buying Programs
  • Advice about Symantec's technical support options
  • Nontechnical presales questions
  • Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

  • [email protected] and Japan
  • [email protected], Middle-East, and Africa
  • [email protected] America and Latin America

  • Technical Support ............................................................................................... 4

    Chapter 1 Introducing Symantec Endpoint Protection .................. 29What is Symantec Endpoint Protection? ............................................ 29What's new in Symantec Endpoint Protection 12.1.5 ............................ 30How Symantec Endpoint Protection uses layers to protect

    computers ............................................................................. 34How does Symantec Endpoint Protection enforce compliance? .............. 37

    Section 1 Installing Symantec EndpointProtection ................................................................... 39

    Chapter 2 Planning the installation ................................................... 40Getting up and running on Symantec Endpoint Protection for the first

    time ..................................................................................... 40Components of Symantec Endpoint Protection ................................... 48Optional components for Symantec Endpoint Protection ....................... 49................................................................................................. 50

    System requirements for Symantec Endpoint ProtectionManager ......................................................................... 51

    System requirements for the Symantec Endpoint Protection clientfor Windows .................................................................... 52

    System requirements for the Symantec Endpoint Protection clientfor Mac ........................................................................... 54

    System requirements for the Symantec Endpoint Protection clientfor Linux ......................................................................... 54

    Internationalization requirements ............................................... 56Product license requirements .......................................................... 57Supported virtual installations and virtualization products ...................... 59About Symantec Endpoint Protection Manager compatibility with other

    products ............................................................................... 61Network architecture considerations ................................................. 61About choosing a database type ...................................................... 62About basic management server settings .......................................... 63

    Contents

  • Management server ports .............................................................. 65About SQL Server configuration settings ........................................... 66About SQL Server database authentication modes .............................. 70

    Chapter 3 Installing Symantec Endpoint ProtectionManager .......................................................................... 72

    Installing Symantec Endpoint Protection Manager ............................... 72Configuring Symantec Endpoint Protection Manager during

    installation ............................................................................ 74Uninstalling Symantec Endpoint Protection Manager ........................... 75Logging on to the Symantec Endpoint Protection Manager

    console ................................................................................ 76About accepting the self-signed server certificate for Symantec

    Endpoint Protection Manager .............................................. 78Displaying a message for administrators to see before logging on

    to the Symantec Endpoint Protection Manager console ............ 79Allowing administrators to save logon credentials .......................... 79Granting or blocking access to remote Symantec Endpoint

    Protection Manager consoles .............................................. 80Unlocking an administrator's account after too many logon

    attempts ......................................................................... 82Changing the time period for staying logged on to the

    console .......................................................................... 82What you can do from the console ................................................... 83What do I do after I install the management server? ............................ 85

    Chapter 4 Managing product licenses ............................................... 88Licensing Symantec Endpoint Protection ........................................... 88About the trial license .................................................................... 90About purchasing licenses ............................................................. 91Activating or importing your Symantec Endpoint Protection 12.1.x

    product license ...................................................................... 92Required licensing contact information ........................................ 95About the Symantec Licensing Portal ......................................... 96

    About product upgrades and licenses ............................................... 96About renewing your Symantec Endpoint Protection license .................. 97Checking the license status in Symantec Endpoint Protection

    Manager ............................................................................... 97About the licensing enforcement rules .............................................. 98Backing up your license files ........................................................... 99Recovering a deleted license .......................................................... 99

    8Contents

  • Purging obsolete clients from the database to make more licensesavailable ............................................................................. 100

    About multi-year licenses ............................................................. 101Licensing an unmanaged Windows client ........................................ 101

    Chapter 5 Installing the Symantec Endpoint Protectionclient .............................................................................. 103

    Preparing for client installation ....................................................... 104Preparing Windows and Mac computers for remote

    deployment ................................................................... 106About the communication ports that Symantec Endpoint Protection

    uses ............................................................................ 108About client installation methods .................................................... 110

    Which features should you install on the client? .......................... 111Installing clients with Web Link and Email .................................. 112Installing clients with Remote Push ........................................... 115Installing clients with Save Package ......................................... 117

    Exporting client installation packages .............................................. 119About the Windows client installation settings ................................... 120Configuring Windows client installation feature sets ........................... 121Configuring client packages to uninstall existing third-party security

    software .............................................................................. 122Restarting the client computers from Symantec Endpoint Protection

    Manager ............................................................................. 124Installing the Symantec Endpoint Protection client for Mac .................. 126Installing the Symantec Endpoint Protection client for Linux ................. 128About managed and unmanaged clients .......................................... 129

    Obtaining an unmanaged Symantec Endpoint Protection clientinstallation package ........................................................ 130

    Installing an unmanaged Windows client ......................................... 131Uninstalling the Symantec Endpoint Protection client for

    Windows ............................................................................. 132Uninstalling the Symantec Endpoint Protection client for Mac .............. 133Uninstalling the Symantec Endpoint Protection client for Linux ............. 134Managing client installation packages ............................................. 135Adding client installation package updates ....................................... 137

    Chapter 6 Upgrading Symantec Endpoint Protection .................. 139Upgrading to a new release .......................................................... 140Upgrade resources for Symantec Endpoint Protection 12.1.x ............... 142Feature mapping between 11.0 and 12.1 clients ................................ 143Supported upgrade paths for Symantec Endpoint Protection ................ 146

    9Contents

  • Increasing Symantec Endpoint Protection Manager available diskspace before upgrading to version 12.1.x .................................. 148

    Upgrading a management server ................................................... 150Upgrading an environment that uses multiple embedded databases

    and management servers ....................................................... 150Turning off replication before an upgrade from Symantec Endpoint

    Protection 11.0 ..................................................................... 151Turning on replication after an upgrade from Symantec Endpoint

    Protection 11.0 ..................................................................... 152Stopping and starting the management server service ........................ 153About upgrading client software ..................................................... 154Upgrading Windows clients by using AutoUpgrade in Symantec

    Endpoint Protection ............................................................... 155Updating client software with a LiveUpdate Settings policy .................. 156Upgrading Group Update Providers ................................................ 157

    Chapter 7 Managing sites and replication ...................................... 159Setting up sites and replication ...................................................... 159Deciding whether or not to set up multiple sites and replication ............ 161About determining how many sites you need .................................... 163How replication works .................................................................. 165

    How to resolve data conflicts between sites duringreplication ..................................................................... 166

    Replicating data on demand ......................................................... 167Changing the automatic replication schedule .................................... 168Specifying which data to replicate .................................................. 169Deleting replication partners .......................................................... 169Re-adding a replication partner that you previously deleted ................. 170

    Chapter 8 Integrating Symantec Endpoint Protection withProtection Center ........................................................ 172

    About Symantec Endpoint Protection and Protection Center ................ 172Integrating Symantec Endpoint Protection Manager with Protection

    Center ................................................................................ 173About setting up multiple Symantec Endpoint Protection domains in

    Protection Center .................................................................. 174Configuring communication between Symantec Endpoint Protection

    Manager and Protection Center ............................................... 175

    10Contents

  • Section 2 Managing groups, clients, andadministrators ....................................................... 177

    Chapter 9 Managing groups of client computers .......................... 178Managing groups of clients ........................................................... 178How you can structure groups ....................................................... 180Adding a group .......................................................................... 181Importing existing groups and computers from an Active Directory or

    an LDAP server .................................................................... 182About importing organizational units from the directory

    server ........................................................................... 183Connecting Symantec Endpoint Protection Manager to a directory

    server ........................................................................... 184Connecting to a directory server on a replicated site .................... 185Importing organizational units from a directory server ................... 186Searching for and importing specific accounts from a directory

    server ........................................................................... 187Assigning clients to groups before you install the client software ........... 188Disabling and enabling a group's inheritance .................................... 189Blocking client computers from being added to groups ....................... 190Moving a client computer to another group ....................................... 190

    Chapter 10 Managing clients ............................................................... 192Managing client computers ........................................................... 193How to determine whether the client is connected in the console .......... 195Viewing the protection status of clients and client computers ............... 197Displaying which clients do not have the client software installed .......... 198Searching for information about client computers .............................. 199About enabling and disabling protection when you need to troubleshoot

    problems ............................................................................ 200About commands that you can run on client computers ...................... 202Running commands on the client computer from the console ............... 204Ensuring that a client does not restart ............................................. 205Switching a Windows client between user mode and computer

    mode ................................................................................. 205Configuring a client to detect unmanaged devices ............................. 207About access to the client interface on Windows clients ...................... 208Locking and unlocking settings by changing the user control level ........ 209Unlocking user interface settings on the client ................................... 212Collecting user information ........................................................... 214Password-protecting the client ....................................................... 215

    11Contents

  • Chapter 11 Managing remote clients ................................................. 216Managing remote clients .............................................................. 216Managing locations for remote clients ............................................. 218Enabling location awareness for a client .......................................... 220Adding a location to a group .......................................................... 221Changing a default location .......................................................... 222Setting up Scenario One location awareness conditions ..................... 223Setting up Scenario Two location awareness conditions ...................... 225Configuring communication settings for a location ............................. 228About strengthening your security policies for remote clients ................ 229

    Best practices for Firewall policy settings ................................... 229About best practices for LiveUpdate policy settings ...................... 230

    About turning on notifications for remote clients ................................ 231About customizing log management settings for remote clients ............ 231About monitoring remote clients ..................................................... 232

    Chapter 12 Managing domains ............................................................ 234About domains ........................................................................... 234Adding a domain ........................................................................ 236Switching to the current domain ..................................................... 236

    Chapter 13 Managing administrator accounts andpasswords ..................................................................... 238

    Managing administrator accounts ................................................... 238About administrator account roles and access rights .......................... 241Adding an administrator account .................................................... 243Configuring the access rights for a limited administrator ...................... 243Changing the authentication method for administrator accounts ........... 244

    Configuring the management server to authenticate administratorswho use RSA SecurID to log on ......................................... 246

    Authenticating administrators who use RSA SecurID to log on tothe management server ................................................... 247

    Best practices for testing whether a directory server authenticates anadministrator account ............................................................ 247

    Changing the password for an administrator account ......................... 252Allowing administrators to reset forgotten passwords ......................... 253Sending a temporary password to an administrator ............................ 253Displaying the Remember my user name and Remember my password

    check boxes on the logon screen ............................................. 255

    12Contents

  • Section 3 Managing security policies .................................. 256

    Chapter 14 Using policies to manage security ................................. 257Performing the tasks that are common to all policies .......................... 258The types of security policies ........................................................ 261About shared and non-shared policies ............................................ 263Adding a policy ........................................................................... 264Editing a policy ........................................................................... 264Copying and pasting a policy on the Policies page ............................. 265Copying and pasting a policy on the Clients page .............................. 266Locking and unlocking Virus and Spyware Protection policy

    settings ............................................................................... 267Assigning a policy to a group ......................................................... 267Replacing a policy ...................................................................... 269Exporting and importing individual policies ....................................... 270Converting a shared policy to a non-shared policy ............................ 271Withdrawing a policy from a group .................................................. 272How the client computers get policy updates .................................... 274Configuring push mode or pull mode to update client policies and

    content ............................................................................... 275Using the policy serial number to check client-server

    communication ..................................................................... 276Manually updating policies on the client ........................................... 277Monitoring the applications and services that run on client

    computers ........................................................................... 278Configuring the management server to collect information about

    the applications that the client computers run ....................... 279Searching for information about the applications that the computers

    run .................................................................................... 280

    Chapter 15 Managing Virus and Spyware Protection ..................... 283Preventing and handling virus and spyware attacks on client

    computers ........................................................................... 284Remediating risks on the computers in your network .......................... 286

    Identifying the infected and at-risk computers ............................. 288Checking the scan action and rescanning the identified

    computers ..................................................................... 289Managing scans on client computers .............................................. 290

    About the types of scans and real-time protection ........................ 293About the types of Auto-Protect ............................................... 295About virus and security risks .................................................. 297

    13Contents

  • About the files and folders that Symantec Endpoint Protectionexcludes from virus and spyware scans ............................... 299

    About the default Virus and Spyware Protection policy scansettings ......................................................................... 302

    How Symantec Endpoint Protection handles detections of virusesand security risks ............................................................ 306

    How Symantec Endpoint Protection handles detections onWindows 8 computers ..................................................... 307

    Setting up scheduled scans that run on Windows computers ............... 307Setting up scheduled scans that run on Mac computers ...................... 309Setting up scheduled scans that run on Linux computers .................... 310Running on-demand scans on client computers ................................ 311Adjusting scans to improve computer performance ............................ 312Adjusting scans to increase protection on your client computers ........... 315Managing Download Insight detections ........................................... 317How Symantec Endpoint Protection uses reputation data to make

    decisions about files .............................................................. 321How Symantec Endpoint Protection policy features work together on

    Windows computers .............................................................. 322About submitting information about detections to Symantec Security

    Response ........................................................................... 324About submissions throttling ......................................................... 325Enabling or disabling client submissions to Symantec Security

    Response ........................................................................... 326Specifying a proxy server for client submissions and other external

    communications ................................................................... 328Managing the Quarantine ............................................................. 329

    Specifying a local Quarantine folder .......................................... 330Specifying when repaired files, backup files, and quarantined files

    are automatically deleted .................................................. 331Configuring clients to submit quarantined items to a Central

    Quarantine Server or Symantec Security Response ............... 332Configuring how the Quarantine handles the rescanning of files

    after new definitions arrive ................................................ 332Using the Risk log to delete quarantined files on your client

    computers ..................................................................... 333Managing the virus and spyware notifications that appear on client

    computers ........................................................................... 334About the pop-up notifications that appear on Windows 8 clients .......... 336Enabling or disabling Symantec Endpoint Protection pop-up

    notifications that appear on Windows 8 clients ............................ 337Managing early launch anti-malware (ELAM) detections ..................... 337

    14Contents

            Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options ..... 339
        Configuring a site to use a private Insight server for reputation queries ..... 340

    Chapter 16 Customizing scans ..... 342
        Customizing the virus and spyware scans that run on Windows computers ..... 343
        Customizing the virus and spyware scans that run on Mac computers ..... 344
        Customizing the virus and spyware scans that run on Linux computers ..... 345
        Customizing Auto-Protect for Windows clients ..... 346
        Customizing Auto-Protect for Mac clients ..... 347
        Customizing Auto-Protect for Linux clients ..... 348
        Customizing Auto-Protect for email scans on Windows computers ..... 350
        Customizing administrator-defined scans for clients that run on Windows computers ..... 351
        Customizing administrator-defined scans for clients that run on Mac computers ..... 352
        Customizing administrator-defined scans for clients that run on Linux computers ..... 354
        Randomizing scans to improve computer performance in virtualized environments on Windows clients ..... 355
        Modifying global scan settings for Windows clients ..... 356
        Modifying miscellaneous settings for Virus and Spyware Protection on Windows computers ..... 357
        Modifying miscellaneous settings for Virus and Spyware Protection on Linux computers ..... 358
        Customizing Download Insight settings ..... 359
        Changing the action that Symantec Endpoint Protection takes when it makes a detection ..... 360
        Allowing users to view scan progress and interact with scans on Windows computers ..... 362
        How Symantec Endpoint Protection interacts with Windows Security Center ..... 364

    Chapter 17 Managing SONAR ..... 366
        About SONAR ..... 366
        Managing SONAR ..... 367
        Handling and preventing SONAR false positive detections ..... 371


        Adjusting SONAR settings on your client computers ..... 372
        Monitoring SONAR detection results to check for false positives ..... 373
        Managing TruScan proactive threat scans for legacy clients ..... 375
            About adjusting TruScan settings for 11.0 clients ..... 376
            Configuring TruScan proactive threat scan settings for 11.0 clients ..... 377

    Chapter 18 Managing Tamper Protection ..... 380
        About Tamper Protection ..... 380
        Changing Tamper Protection settings ..... 381

    Chapter 19 Managing intrusion prevention ..... 382
        Managing intrusion prevention on your client computers ..... 382
        How intrusion prevention works ..... 385
        About Symantec IPS signatures ..... 386
        About custom IPS signatures ..... 387
        Enabling or disabling network intrusion prevention or browser intrusion prevention ..... 388
        Creating exceptions for IPS signatures ..... 388
        Setting up a list of excluded computers ..... 390
        Configuring client intrusion prevention notifications ..... 391
        Managing custom intrusion prevention signatures ..... 392
            Creating a custom IPS library ..... 393
            Adding signatures to a custom IPS library ..... 394
            Assigning multiple custom IPS libraries to a group ..... 396
            Changing the order of custom IPS signatures ..... 396
            Defining variables for custom IPS signatures ..... 397
            Testing custom IPS signatures ..... 398

    Chapter 20 Managing exceptions ..... 399
        Managing exceptions in Symantec Endpoint Protection ..... 399
        About exceptions in Symantec Endpoint Protection to Virus and Spyware scans ..... 401
        Creating exceptions for Virus and Spyware scans ..... 402
            Excluding a file or a folder from scans ..... 407
            Excluding known risks from virus and spyware scans on Windows clients ..... 409
            Excluding file extensions from virus and spyware scans on Windows clients and Linux clients ..... 410
            Monitoring an application to create an exception for the application on Windows clients ..... 411


            Specifying how Symantec Endpoint Protection handles monitored applications on Windows clients ..... 411
            Excluding a trusted Web domain from scans on Windows clients ..... 412
            Creating a Tamper Protection exception on Windows clients ..... 413
            Creating an exception for an application that makes a DNS or host file change ..... 414
        Restricting the types of exceptions that users can configure on client computers ..... 415
        Creating exceptions from log events in Symantec Endpoint Protection Manager ..... 415

    Chapter 21 Managing content updates ..... 418
        Managing content updates ..... 419
            About the types of content that LiveUpdate can provide ..... 422
            How client computers receive content updates ..... 427
        Configuring a site to download content updates ..... 432
        Configuring the LiveUpdate download schedule for Symantec Endpoint Protection Manager ..... 435
        Downloading LiveUpdate content manually to Symantec Endpoint Protection Manager ..... 436
        Checking LiveUpdate server activity ..... 437
        Configuring Symantec Endpoint Protection Manager to connect to a proxy server to access the Internet and download content from Symantec LiveUpdate ..... 437
        Specifying a proxy server that clients use to communicate to Symantec LiveUpdate or an internal LiveUpdate server ..... 438
        Configuring the types of content used to update client computers ..... 439
        Configuring the LiveUpdate download schedule for client computers ..... 440
        Configuring the amount of control that users have over LiveUpdate ..... 441
        Configuring the content revisions that clients use ..... 442
        About randomization of simultaneous content downloads ..... 443
        Randomizing content downloads from the default management server or a Group Update Provider ..... 444
        Randomizing content downloads from a LiveUpdate server ..... 445
        Configuring client updates to run when client computers are idle ..... 446
        Configuring client updates to run when definitions are old or the computer has been disconnected ..... 447
        Setting up an external LiveUpdate server for Symantec Endpoint Protection clients ..... 448


        Setting up an internal LiveUpdate server for Symantec Endpoint Protection clients ..... 449
        Using Group Update Providers to distribute content to clients ..... 452
            About the types of Group Update Providers ..... 454
            About the effects of configuring more than one type of Group Update Provider in your network ..... 458
            About configuring rules for multiple Group Update Providers ..... 460
            Configuring Group Update Providers ..... 461
            Searching for the clients that act as Group Update Providers ..... 464
        Using Intelligent Updater files to update content on Windows computers ..... 465
        Using third-party distribution tools to update client computers ..... 466
            Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients ..... 467
            Preparing unmanaged clients to receive updates from third-party distribution tools ..... 469
            Distributing the content using third-party distribution tools ..... 470

    Chapter 22 Testing security policies ..... 474
        Testing Symantec Endpoint Protection Manager policies ..... 474
        Testing a Virus and Spyware Protection policy ..... 475
        Blocking a process from starting on client computers ..... 475
        Preventing users from writing to the registry on client computers ..... 476
        Preventing users from writing to a particular file ..... 478
        Adding and testing a rule that blocks a DLL ..... 479
        Adding and testing a rule that terminates a process ..... 480

    Section 4 Enforcing policies and meeting compliance requirements ..... 482

    Chapter 23 Managing firewall protection ..... 483
        Managing firewall protection ..... 483
            How a firewall works ..... 484
            About the Symantec Endpoint Protection firewall ..... 485
        Creating a firewall policy ..... 486
            Enabling and disabling a firewall policy ..... 489
            Automatically allowing communications for essential network services ..... 490
            Configuring firewall settings for mixed control ..... 491
            Automatically blocking connections to an attacking computer ..... 492
            Detecting potential attacks and spoofing attempts ..... 492


            Preventing stealth detection ..... 493
            Disabling the Windows firewall ..... 494
        Managing firewall rules ..... 495
            About firewall server rules and client rules ..... 496
            About the firewall rule, firewall setting, and intrusion prevention processing order ..... 497
            About inherited firewall rules ..... 498
            Changing the order of firewall rules ..... 500
            How the firewall uses stateful inspection ..... 500
            About firewall rule application triggers ..... 501
            About firewall rule host triggers ..... 505
            About firewall rule network services triggers ..... 509
            About firewall rule network adapter triggers ..... 510
        Setting up firewall rules ..... 512
            Adding a new firewall rule ..... 513
            Importing and exporting firewall rules ..... 514
            Copying and pasting firewall rules ..... 515
            Customizing firewall rules ..... 515

    Chapter 24 Managing application control, device control, and system lockdown ..... 526
        About application and device control ..... 526
        About Application and Device Control policies ..... 528
        About the structure of an Application and Device Control policy ..... 528
        Setting up application and device control ..... 529
        Enabling a default application control rule set ..... 531
        Creating custom application control rules ..... 532
            About best practices for creating application control rules ..... 534
            Typical application control rules ..... 536
            Creating a custom rule set and adding rules ..... 538
            Copying application rule sets or rules between Application and Device Control policies ..... 539
            Applying a rule to specific applications and excluding applications from a rule ..... 540
            Adding conditions and actions to a custom application control rule ..... 542
            Testing application control rule sets ..... 543
        Configuring system lockdown ..... 544
            Making the blacklist mode for system lockdown appear in Symantec Endpoint Protection Manager ..... 550
            Creating a file fingerprint list with checksum.exe ..... 551


            Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager ..... 553
            Manually updating a file fingerprint list in Symantec Endpoint Protection Manager ..... 554
            Creating an application name list to import into the system lockdown configuration ..... 555
            Automatically updating whitelists or blacklists for system lockdown ..... 556
            Setting up and testing the system lockdown configuration before you enable system lockdown ..... 561
            Enabling system lockdown to run in whitelist mode ..... 563
            Enabling system lockdown to run in blacklist mode ..... 565
            Testing selected items before you add or remove them when system lockdown is already enabled ..... 566
        Managing device control ..... 568
            About the hardware devices list ..... 569
            Obtaining a class ID or device ID ..... 570
            Adding a hardware device to the Hardware Devices list ..... 571
            Configuring device control ..... 571

    Chapter 25 Managing Host Integrity to enforce security policies ..... 573
        How Host Integrity works ..... 574
        Setting up Host Integrity ..... 575
        About Host Integrity requirements ..... 577
        Adding predefined requirements to a Host Integrity policy ..... 578
            Enabling and disabling Host Integrity requirements ..... 579
        Setting up remediation for a predefined Host Integrity requirement ..... 579
            Allowing users to delay or cancel Host Integrity remediation ..... 580
        Configuring the frequency of Host Integrity check settings ..... 582
        Allowing the Host Integrity check to pass if a requirement fails ..... 582
        Configuring notifications for Host Integrity checks ..... 583
        Creating a Quarantine policy for a failed Host Integrity check ..... 584
        Configuring peer-to-peer authentication for Host Integrity enforcement ..... 585
        Adding a custom requirement from a template ..... 586
        Writing a customized requirement script ..... 587
            About registry conditions ..... 589
            Writing a custom requirement to run a script on the client ..... 590
            Writing a custom requirement to set the timestamp of a file ..... 591


            Writing a custom requirement to increment a registry DWORD value ..... 592
        Creating a test Host Integrity policy with a custom requirement script ..... 592

    Section 5 Monitoring and reporting ..... 595

    Chapter 26 Monitoring protection with reports and logs ..... 596
        Monitoring endpoint protection ..... 596
            Viewing a daily or weekly status report ..... 601
            Viewing system protection ..... 601
            Finding offline computers ..... 602
            Finding unscanned computers ..... 602
            Viewing risks ..... 603
            Viewing the status of deployed client computers ..... 604
            Viewing attack targets and sources ..... 605
            Generating a list of the Symantec Endpoint Protection versions installed on the clients and servers in your network ..... 606
        Configuring reporting preferences ..... 606
        Logging on to reporting from a stand-alone Web browser ..... 607
        About the types of reports ..... 608
        Running and customizing quick reports ..... 610
        Saving and deleting custom reports ..... 612
        Creating scheduled reports ..... 613
        Editing the filter used for a scheduled report ..... 615
        Printing and saving a copy of a report ..... 616
        Viewing logs ..... 617
            What you can do from the logs ..... 618
            Saving and deleting custom logs by using filters ..... 621
            Viewing logs from other sites ..... 622
        Running commands from the computer status log ..... 623

    Chapter 27 Managing notifications ..... 626
        Managing notifications ..... 626
            How notifications work ..... 627
            What are the types of notifications and when are they sent? ..... 628
            About partner notifications ..... 633
        Establishing communication between the management server and email servers ..... 633
        Viewing and acknowledging notifications ..... 634
        Saving and deleting administrative notification filters ..... 635


        Setting up administrator notifications ..... 636
        How upgrades from another version affect notification conditions ..... 637

    Section 6 Managing protection in virtual environments ..... 640

    Chapter 28 Overview of Symantec Endpoint Protection and virtual infrastructures ..... 641
        Using Symantec Endpoint Protection in virtual infrastructures ..... 641
        About Shared Insight Cache ..... 643
        About the Virtual Image Exception tool ..... 643

    Chapter 29 Installing and using a network-based Shared Insight Cache ..... 645
        What do I need to do to use a network-based Shared Insight Cache? ..... 645
        System requirements for implementing a network-based Shared Insight Cache ..... 646
        Installing and uninstalling a network-based Shared Insight Cache ..... 647
        Enabling or disabling the use of a network-based Shared Insight Cache ..... 648
        Customizing network-based Shared Insight Cache configuration settings ..... 650
        About stopping and starting the network-based Shared Insight Cache service ..... 654
        Viewing network-based Shared Insight Cache log events ..... 654
        Monitoring network-based Shared Insight Cache performance counters ..... 656
        Troubleshooting issues with Shared Insight Cache ..... 657

    Chapter 30 Installing a Security Virtual Appliance and using a vShield-enabled Shared Insight Cache ..... 658
        What do I need to do to use a vShield-enabled Shared Insight Cache? ..... 659
        What do I need to do to install a Security Virtual Appliance? ..... 660
        About the Symantec Endpoint Protection Security Virtual Appliance ..... 661
        VMware software requirements to install a Symantec Security Virtual Appliance ..... 663
        VMware software requirements for the Guest Virtual Machines ..... 664


        Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file ..... 664
        Installing a Symantec Endpoint Protection Security Virtual Appliance ..... 667
        Enabling Symantec Endpoint Protection clients to use a vShield-enabled Shared Insight Cache ..... 670
        Stopping and starting the vShield-enabled Shared Insight Cache service ..... 670
        Service commands for the vShield-enabled Shared Insight Cache ..... 671
        Configuration file settings for a vShield-enabled Shared Insight Cache ..... 671
        About vShield-enabled Shared Insight Cache event logging ..... 674
        Uninstalling a Symantec Endpoint Protection Security Virtual Appliance ..... 675

    Chapter 31 Using Virtual Image Exception ..... 676
        Using the Virtual Image Exception tool on a base image ..... 676
        System requirements for the Virtual Image Exception tool ..... 677
        Running the Virtual Image Exception tool ..... 678
        Configuring Symantec Endpoint Protection to bypass the scanning of base image files ..... 678

    Chapter 32 Non-persistent virtual desktop infrastructures ..... 680
        Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures ..... 680
        Setting up the base image for non-persistent guest virtual machines in virtual desktop infrastructures ..... 681
        Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients ..... 682
        Configuring a separate purge interval for offline non-persistent VDI clients ..... 682


    Section 7 Configuring and managing the management server ..... 684

    Chapter 33 Managing the connection between the management server and the client computers ..... 685
        Managing the client-server connection ..... 686
        How to determine whether the client computer is connected and protected ..... 687
        Why do I need to replace the client-server communications file on the client computer? ..... 688
        How do I replace the client-server communications file on the client computer? ..... 689
        Restoring client-server communications with Communication Update Package Deployment ..... 690
        Exporting the client-server communications file (Sylink.xml) manually ..... 691
        Importing client-server communication settings into the Windows client ..... 693
        Importing client-server communication settings into the Linux client ..... 694
        Configuring SSL between Symantec Endpoint Protection Manager and the clients ..... 695
            Verifying port availability ..... 695
            Changing the SSL port assignment in Symantec Endpoint Protection Manager ..... 696
            Enabling SSL for the Apache web server for client communication ..... 698
        Improving client and server performance ..... 699
        About server certificates ..... 701
        Best practices for updating server certificates and maintaining the client-server connection ..... 702
            Disabling or enabling secure communications between the server and the client ..... 704
            Updating or restoring a server certificate ..... 705

    Chapter 34 Configuring the management server ..... 707
        Managing Symantec Endpoint Protection Manager servers and third-party servers ..... 707
        About the types of Symantec Endpoint Protection servers ..... 710
        Exporting and importing server settings ..... 710


        Enabling or disabling Symantec Endpoint Protection Manager web services ..... 711

    Chapter 35 Managing databases ..... 713
        Maintaining the database ..... 713
        Scheduling automatic database backups ..... 717
        Scheduling automatic database maintenance tasks ..... 718
            Increasing the Microsoft SQL Server database file size ..... 719
        Exporting data to a Syslog server ..... 720
        Exporting log data to a text file ..... 721
        Exporting log data to a comma-delimited text file ..... 722
        Specifying client log size and which logs to upload to the management server ..... 723
        Specifying how long to keep log entries in the database ..... 724
        About increasing the disk space on the server for client log data ..... 724
        Clearing log data from the database manually ..... 725

    Chapter 36 Managing failover and load balancing ..... 727
        Setting up failover and load balancing ..... 727
        About failover and load balancing ..... 728
        Configuring a management server list ..... 730
        Assigning a management server list to a group and location ..... 731

    Chapter 37 Preparing for disaster recovery ..... 733
        Preparing for disaster recovery ..... 733
        Backing up the database and logs ..... 734
        Backing up a server certificate ..... 736

    Section 8 Troubleshooting Symantec Endpoint Protection Manager ..... 737

    Chapter 38 Performing disaster recovery ..... 738
        Performing disaster recovery ..... 738
        Reinstalling or reconfiguring Symantec Endpoint Protection Manager ..... 739
        Generating a new server certificate ..... 740
        Restoring the database ..... 741


    Chapter 39 Troubleshooting installation and communication problems .......... 743
        Troubleshooting Symantec Endpoint Protection .......... 743
        Troubleshooting computer issues with the Symantec Help support tool .......... 745
        Identifying the point of failure of an installation .......... 745
        Troubleshooting communication problems between the management server and the client .......... 746
            Checking the connection to the management server on the client computer .......... 748
            Investigating protection problems using the troubleshooting file on the client .......... 748
            Enabling and viewing the Access log to check whether the client connects to the management server .......... 749
            Stopping and starting the Apache Web server .......... 750
            Using the ping command to test the connectivity to the management server .......... 751
            Using a browser to test the connectivity to Symantec Endpoint Protection Manager on the Symantec Endpoint Protection client .......... 751
            Checking the debug log on the client computer .......... 752
            Checking the inbox logs on the management server .......... 752
            Restoring client-server communication settings by using the SylinkDrop tool .......... 753
        Troubleshooting communication problems between the management server and the console or the database .......... 755
            Verifying the connection with the database .......... 756
        Client and server communication files .......... 758

    Chapter 40 Troubleshooting reporting issues .......... 759
        Troubleshooting reporting issues .......... 759
        Changing timeout parameters for reviewing reports and logs .......... 761
        Accessing reporting pages when the use of loopback addresses is disabled .......... 763
        About recovering a corrupted client System Log on 64-bit computers .......... 764


    Chapter 41 Using Power Eraser to troubleshoot difficult and persistent threats .......... 765
        What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console .......... 765
        Tasks to perform when you need to run Power Eraser from the Symantec Endpoint Protection Manager console .......... 768
        Starting Power Eraser analysis from Symantec Endpoint Protection Manager .......... 772
        Responding to Power Eraser detections .......... 774

    Appendix A Reference: Client feature comparison tables .......... 777
        Client protection features based on platform .......... 777
        Management features based on platform .......... 778
        Virus and Spyware Protection policy settings based on platform .......... 782
        Intrusion prevention policy settings based on platform .......... 786
        LiveUpdate policy settings based on platform .......... 787
        Exceptions policy settings based on platform .......... 788

    Appendix B Customizing and deploying the Windows client installation by using third-party tools .......... 790
        Installing Windows client software using third-party tools .......... 791
        About client installation features and properties .......... 792
            About configuring MSI command strings .......... 793
            About configuring Setaid.ini .......... 793
        Symantec Endpoint Protection command-line client installation properties .......... 794
        Symantec Endpoint Protection command-line client features .......... 795
        Windows Installer parameters .......... 797
        Windows Security Center properties .......... 799
        Command-line examples for installing the Windows client .......... 800
        About installing and deploying Windows client software with the Symantec Management Agent .......... 800
        Installing Windows clients with Microsoft SCCM/SMS .......... 801
        Installing Windows clients with an Active Directory Group Policy Object (GPO) .......... 802
            Creating a GPO software distribution .......... 803
            Adding computers to an organizational unit to install software .......... 805
            Copying a Sylink.xml file to make a managed installation package .......... 806


        Uninstalling client software with an Active Directory Group Policy Object .......... 807

    Appendix C Command-line options for the Windows client .......... 809
        Running the Windows client using the smc command-line interface .......... 809
        smc command error codes .......... 813

    Appendix D Command-line options for the Virtual Image Exception tool .......... 815
        vietool .......... 816

    Appendix E Syntax for custom intrusion prevention signatures and application control rules .......... 818
        Regular expressions in Symantec Endpoint Protection Manager .......... 819
        About signature syntax and conventions .......... 821
        Protocol type arguments .......... 822
        TCP protocol arguments .......... 822
        UDP protocol arguments .......... 824
        ICMP protocol arguments .......... 825
        IP protocol arguments .......... 826
        Msg arguments .......... 829
        Content arguments .......... 830
        Optional content arguments .......... 830
        Case-sensitivity .......... 831
        HTTP decoding .......... 831
        Offset and depth .......... 831
        Streamdepth arguments .......... 832
        Supported operators .......... 833
        Sample custom IPS signature syntax .......... 833

    Index .......... 836


    Chapter 1 Introducing Symantec Endpoint Protection

    This chapter includes the following topics:

    What is Symantec Endpoint Protection?

    What's new in Symantec Endpoint Protection 12.1.5

    How Symantec Endpoint Protection uses layers to protect computers

    How does Symantec Endpoint Protection enforce compliance?

    What is Symantec Endpoint Protection?

    Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, and servers in your network against malware, risks, and vulnerabilities. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your client computers against known and unknown threats, such as viruses, worms, Trojan horses, and adware. Symantec Endpoint Protection provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.

    Providing low maintenance and high power, Symantec Endpoint Protection communicates over your network to automatically safeguard both physical systems and virtual systems against attacks. Symantec Endpoint Protection provides management solutions that are efficient and easy to deploy and use.

    Symantec Endpoint Protection protects your network by accomplishing the following key tasks:

        Protects your endpoints from malware and maximizes system uptime.
        See How Symantec Endpoint Protection uses layers to protect computers on page 34.

        Enforces protection policies and compliance on the endpoint.
        See How does Symantec Endpoint Protection enforce compliance? on page 37.

        Responds to threats and incidents effectively by quickly quarantining and removing malware from endpoints.
        See Managing the Quarantine on page 329.

        Monitors and tracks risk exposure across platforms, devices, remote locations, and in physical, virtual or hybrid environments.
        See Monitoring endpoint protection on page 596.

    See Components of Symantec Endpoint Protection on page 48.

    What's new in Symantec Endpoint Protection 12.1.5

    Note: Symantec Endpoint Protection 12.1.5 is the last release update to support Symantec Protection Center 2.0.

    In addition, LiveUpdate Administration Utility 1.x reaches end of life on January 5, 2015. If you use this utility in your environment, you should migrate to LiveUpdate Administrator 2.3.x. To get the latest version of LiveUpdate Administrator, see Downloading LiveUpdate Administrator.

    Table 1-1 describes the new features in the latest version of Symantec Endpoint Protection.

    Table 1-1 New features in Symantec Endpoint Protection 12.1.5

    Feature: OpenSSL 1.0.1h for Symantec Endpoint Protection Manager
    Description: Symantec Endpoint Protection Manager now uses OpenSSL 1.0.1h. The update to OpenSSL addresses several security vulnerabilities, including the one known as Heartbleed, which the OpenSSL Security Advisory for CVE-2014-0160 describes. Earlier versions of OpenSSL can reveal sensitive information from the computer's memory to a remote attacker.

    You can read the full text of the OpenSSL Security Advisory at the following link:

    OpenSSL Security Advisory for CVE-2014-0160

    Feature: System requirements
    Description: Symantec Endpoint Protection 12.1.5 adds the following operating system support:

        Windows 8.1 Update 2
        Windows Server 2012 Update 2
        Mac OS X 10.10

    You can now access Symantec Endpoint Protection Manager from the following browsers:

        Microsoft Internet Explorer 10.2, 11
        Mozilla Firefox 5.x through 31.0
        Google Chrome through 37.0.2062.94

    For the complete list of system requirements:

    See on page 50.

    Feature: Windows client protection features
    Description: The Windows client provides the following new protection enhancements:

    Virus and Spyware Protection:

        Power Eraser can now be run from the Symantec Endpoint Protection Manager console. Power Eraser provides aggressive scanning and analysis to help resolve issues with heavily infected Windows computers. You should only run Power Eraser in emergency situations, such as when a repair fails or a computer is unstable. Note that when you run Power Eraser from the management console, Power Eraser does not scan and analyze user-specific locations. Use Power Eraser in the SymHelp tool directly on the client computer to examine user-specific locations.
        See What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console on page 765.

        Download Insight and SONAR can now scan Office 2013 applications.
        See Managing scans on client computers on page 290.

        The client no longer scans and deletes backed up files on a server where the Symantec Endpoint Protection client and either Symantec Backup Exec or Symantec NetBackup is installed.

    Network Threat Protection:

        For firewall rules, you can now define a host group with an IPv6 IP address. Intrusion Prevention policies do not support host names with IPv6 addresses.
        See Adding host groups on page 507.

        The default firewall policy includes a default Allow ICMPv6 firewall rule that contains ICMPv6 types of 1-4, 128-132, 141-143, 148, 149, 151-153. You can also add a rule with ICMPv6 as a protocol in the network service list.
        See Adding network services to the default network services list on page 509.
        See Adding a new firewall rule on page 513.

        See Creating a file fingerprint list with checksum.exe on page 551.
        See Configuring system lockdown on page 544.

        IPS audit signatures monitor the network traffic of certain applications on Windows computers. For example, you can use these signatures to detect Yahoo IM logons. You can enable logging, review the Network Threat Protection traffic logs, and then decide whether or not to take action on the traffic.

    Feature: Linux management
    Description: The Symantec Endpoint Protection for Linux client replaces the Symantec AntiVirus for Linux client. You can now provide Virus and Spyware Protection on the clients that run Linux. Symantec Endpoint Protection Manager provides client policy management, reporting, monitoring, logging, and licensing in a single client package for Linux.

    See Customizing the virus and spyware scans that run on Linux computers on page 345.

    Feature: Policy enforcement
    Description: The Host Integrity policy is now included with Symantec Endpoint Protection. The Host Integrity policy evaluates the client computers and ensures that they meet the security policies you have downloaded to those client computers.

    See How Host Integrity works on page 574.

    See Setting up Host Integrity on page 575.

    Feature: Management server updates
    Description:

        You can now remotely deploy the Mac client installation package in addition to deploying it with a third-party installation tool.
        See Installing clients with Remote Push on page 115.

        See About Symantec Endpoint Protection and Protection Center on page 172.

        You can configure the installation package to remove from the client computer over 300 third-party software products from more than 60 vendors. For more information, see: Third-party security software removal support in Symantec Endpoint Protection

        Client password settings dialog box
        See Password-protecting the client on page 215.

        You can no longer set the console timeout to Never. For security reasons, the maximum timeout period is one hour.
        See Changing the time period for staying logged on to the console on page 82.

        After an administrator's failed logon attempts trigger an account lockout, the lockout interval now doubles with each subsequent lockout. Symantec Endpoint Protection Manager reverts to the original lockout interval after a successful logon, or after 24 hours since the first lockout.
        See Unlocking an administrator's account after too many logon attempts on page 82.
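    As an added illustration (not Symantec's code), the following Python models the escalating lockout behavior described above: the interval doubles with each consecutive lockout and reverts to the base interval after a successful logon or 24 hours after the first lockout. The failed-attempt threshold and the base interval are assumed values; this page does not state them.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed values: the page does not state the attempt threshold or the base
# lockout interval, so these are placeholders for the model.
FAILED_ATTEMPT_THRESHOLD = 5
BASE_LOCKOUT_SECONDS = 15 * 60
# From the page: the interval reverts 24 hours after the first lockout.
REVERT_AFTER_SECONDS = 24 * 60 * 60


def lockout_interval(consecutive_lockouts: int) -> int:
    """Interval for the Nth lockout in a row: base, 2x base, 4x base, ..."""
    if consecutive_lockouts < 1:
        raise ValueError("no lockout in progress")
    return BASE_LOCKOUT_SECONDS * 2 ** (consecutive_lockouts - 1)


@dataclass
class AdminAccount:
    failures: int = 0                     # failed logons since last lockout/success
    lockouts: int = 0                     # lockouts since the interval was last reset
    locked_until: Optional[float] = None  # seconds; None when not locked
    first_lockout_at: Optional[float] = None


def attempt_logon(acct: AdminAccount, password_ok: bool, now: float) -> str:
    """Apply one logon attempt at time `now`; returns 'locked', 'failed' or 'success'."""
    # Revert to the original interval 24 hours after the first lockout.
    if acct.first_lockout_at is not None and now - acct.first_lockout_at >= REVERT_AFTER_SECONDS:
        acct.lockouts = 0
        acct.first_lockout_at = None
    # A locked account rejects every attempt, even with the right password,
    # and the rejected attempt does not count as another failure.
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None
    if password_ok:
        # A successful logon also reverts the doubling.
        acct.failures = 0
        acct.lockouts = 0
        acct.first_lockout_at = None
        return "success"
    acct.failures += 1
    if acct.failures < FAILED_ATTEMPT_THRESHOLD:
        return "failed"
    # Threshold reached: lock the account for the current (doubled) interval.
    acct.failures = 0
    acct.lockouts += 1
    if acct.first_lockout_at is None:
        acct.first_lockout_at = now
    acct.locked_until = now + lockout_interval(acct.lockouts)
    return "locked"


if __name__ == "__main__":
    acct = AdminAccount()
    # Constructed timeline: three bursts of bad passwords, then a good one.
    for t in (0.0, 1000.0, 3000.0):
        for _ in range(FAILED_ATTEMPT_THRESHOLD):
            attempt_logon(acct, False, t)
        print(f"t={t:>6.0f}s lockout #{acct.lockouts} until t={acct.locked_until:.0f}s")
    print("good password at t=7000:", attempt_logon(acct, True, 7000.0))
```

    Because the 24-hour revert is measured from the first lockout, not the most recent one, an attacker who keeps retrying every time the lock expires still sees the interval grow until a full day has passed.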

    Feature: Management server integration with network security technology
    Description: Web services on the management server now support integration with Symantec Managed Security Services. Together, Symantec Managed Security Services and Symantec Endpoint Protection Manager provide advanced threat monitoring and targeted remediation options.

    The following new web services are also available for use by third-party remote monitoring and management solutions:

        You can run the new Power Eraser commands.

        You can place clients into Quarantine.

        You can run an Evidence of Compromise command on the client.

    Documentation and other tools for remote monitoring and management support appear in the web services SDK. The SDK is located in the Tools installation file in the following folder:

    /Integration/SEPM_WebService_SDK

    Feature: Management server integration with advanced reporting
    /ITAnalytics

    Feature: Management server and client performance
    Description: The management server and the client include the following performance improvements:

        Bandwidth control for client communication
        The management server now includes an Apache module that you can configure to control network bandwidth. The module reduces the network load between Symantec Endpoint Protection Manager and the client computers, especially when the clients download content definitions or client installation packages.

        To reduce hard disk space, Symantec Endpoint Protection Manager now stores only the most recent full set of virus definitions, plus the deltas for previous versions. Storing the deltas reduces delivery time and network bandwidth, and improves disk storage requirements on the management server by 65% to 80%.
        See Increasing Symantec Endpoint Protection Manager available disk space before upgrading to version 12.1.x on page 148.
        See Configuring a site to download content updates on page 432.

        The client startup time has improved by more than 10%.

        The client service needs fewer processes to run.

        Enhancements to the scan throttling logic for the Windows client improve scan performance. These enhancements also minimize the effect on computers with solid-state drives (SSDs) or that run in a virtualized or Terminal Services environment.

        If Symantec Endpoint Protection and Critical System Protection are both installed on the same client computer, these applications now share Symantec components.

    Feature: Documentation
    Description: Symantec Endpoint Protection provides the following documentation changes:

        The Symantec Endpoint Protection Installation and Administration Guide no longer includes Network Access Control topics. A new Symantec Network Access Control Installation and Administration Guide includes the Network Access Control topics.

    How Symantec Endpoint Protection uses layers to protect computers

    Symantec's core protection against known and unknown threats uses a layered approach to defense. The layered approach protects the network before, during, and after an attack. Symantec Endpoint Protection reduces your risk of exposure by providing tools to increase your security posture ahead of any attack.

    Table 1-2 describes the types of protection that Symantec Endpoint Protection Manager uses to protect your network.

    Table 1-2 The layers of protection that are integrated into Symantec Endpoint Protection

    Layer 1: Network-based protection
    Technology name:
        Network Threat Protection: Firewall; Protocol-aware IPS
        Virus and Spyware Protection: Browser protection
        See Managing firewall protection on page 483.
        See Managing intrusion prevention on your client computers on page 382.
        See Modifying miscellaneous settings for Virus and Spyware Protection on Windows computers on page 357.
    Description: The firewall and the intrusion prevention system block over 60% of malware as it travels over the network and before it arrives at the computer.
    This primary defense protects against drive-by downloads, social engineering, fake antivirus programs, individual system vulnerabilities, rootkits, botnets, and more. Stopping malware before it reaches your computer is definitely preferred to identifying a vulnerability that has already been exploited.

    Layer 2: File-based protection
    Technology name:
        Virus and Spyware Protection: Antivirus engine; Auto-Protect; Bloodhound
        See Managing scans on client computers on page 290.
    Description: This traditional signature-based antivirus protection looks for and eradicates the malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans.
    Unfortunately, many companies leave themselves exposed through the belief that antivirus alone keeps their systems protected.

    Layer 3: Reputation-based protection
    Technology name:
        Virus and Spyware Protection: Domain reputation score; File reputation (Insight)
        See Managing Download Insight detections on page 317.
    Description: Insight establishes information about entities, such as websites, files, and IP addresses, to be used in effective security.
    Download Insight determines the safety of files and websites by using the wisdom of the community. Sophisticated threats require leveraging the collective wisdom of over 200 million systems to identify new and mutating malware. Symantec's Insight gives companies access to the largest global intelligence network available to allow them to filter every file on the internet based on reputation.

    Layer 4: Behavioral-based protection
    Technology name:
        Proactive Threat Protection (Virus and Spyware Protection policy): SONAR
        See Managing SONAR on page 367.
    Description: SONAR looks at processes as they execute and uses malicious behaviors to indicate the presence of malware.
    SONAR watches programs as they run, and blocks suspicious behaviors. SONAR catches targeted and unknown threats by aggressively monitoring file processes as they execute and identifying malicious behavior. SONAR uses artificial intelligence, behavior signatures, and policy lockdown to monitor nearly 1,400 file behaviors as they execute in real time. When SONAR is combined with Insight, this technology is able to aggressively stop zero-day threats without increasing false-positives.

    Layer 5: Repair and remediation tools
    Technology name:
        Power Eraser: Boot to clean operating system; Power Eraser uses aggressive heuristics; Threat-specific tools
        See What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console on page 765.
    Description: When malware does get through, Power Eraser scrubs hard-to-remove infections and gets your system back online as quickly as possible. Power Eraser uses aggressive remediation on hard-to-remove infections.

    Symantec Endpoint Protection extends and enhances security with the following additional technologies:

    System Lockdown
    System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved. System Lockdown is useful for kiosks where you want to run a single application only.
    See Configuring system lockdown on page 544.

    Application control
    Application control monitors and controls an application's behavior. Application control protects against unauthorized access and attack by controlling what applications can run. Application control blocks or terminates processes, limits file and folder access, protects the Windows registry, and controls module and DLL loading. Application control includes predefined templates t