Submitting
Symantec Endpoint Protection
telemetry to improve your security

Introduction

Telemetry, also known as submissions or data collection, collects information to improve the security posture of your network and improve the product experience. Telemetry broadly collects the following types of information:
  • System environment, including hardware and software details
  • Product errors and related events
  • Effectiveness of the product configuration
The collected data is sent to Symantec.
The data that Symantec telemetry collects may include pseudonymous elements that are not directly identifiable. Symantec neither needs nor seeks to use telemetry data to identify any individual user.

Purpose

Symantec uses the information to analyze and improve product experience for customers.
  • Symantec Support uses telemetry.
  • Symantec uses telemetry for insights into the threat landscape and as part of the Risk Insight program.

Enabling telemetry collection

Symantec collects telemetry data from both the management server and the
Symantec Endpoint Protection
client.
You might need to disable telemetry submissions, however, in response to network bandwidth issues or restrictions on data leaving the client. You can check the Client Activity log to view submissions activity and monitor your bandwidth usage.
To enable or disable management server telemetry collection
  1. Enable or disable the
    Send pseudonymous data to Symantec to receive enhanced threat protection intelligence
    option for server data collection.
    • In the management console, go to
      Admin > Servers > Local Site > Site Properties > Data Collection
      and change the option.
    During the installation of the
    Symantec Endpoint Protection Manager
    , you can also change the server data collection option.
To enable or disable client telemetry submissions
  1. Enable or disable the
    Send pseudonymous data to Symantec to receive enhanced threat protection intelligence
    option for client submissions. You can change the option at the group level in the management console, or for a single client in the client user interface.
    • In the management console, go to
      Clients > Policies
      tab. In the
      Settings
      pane, select
      External Communications Settings > Submissions
      .
    • In the client user interface, go to
      Change Settings > Client Management > Configure Settings > Submissions.
Each client in the enterprise belongs to a group. A group has its own policy. In some cases, a group is configured to inherit the policy from its parent group. Since the client submissions are a group-wide setting, make sure that you apply the setting as necessary to all groups.
If you disable submissions and lock the setting, the user cannot configure clients in the group to send submissions. If you enable the option, select submission types and lock the setting, the user cannot disable submissions. If you do not lock the setting, the user can change the configuration, including the submission types in
More Options
.
Symantec recommends that you submit threat information to help Symantec provide the best threat protection.

Frequently Asked Questions about telemetry

What types of information does
Symantec Endpoint Protection
collect?
For more information, see:
The following table describes the type of information that
Symantec Endpoint Protection
collects.
More details about the types of information that
Symantec Endpoint Protection
collects
Type
More Details
Software configuration, product details and installation status
Includes information about Virus and Spyware Protection policies:
  • Bloodhound settings
    Whether or not Bloodhound is enabled or disabled, and whether the level is automatic or aggressive. (
    Virus and Spyware Protection policy > Global Scan Options
    )
  • Download Insight settings
    Whether Download Insight is enabled or disabled, and what the Download Insight settings are, including the sensitivity level and prevalence threshold. (
    Virus and Spyware Protection policy > Download Protection
    )
  • Auto-Protect settings
    What overrides are configured for malware or security risks. (
    Virus and Spyware Protection policy > Auto-Protect
    )
Includes information about the top 20 groups with the most number of clients. For each group, the first location, typically the default location, is selected to send the information.
Typically, the information includes:
  • Client mode: Whether the client uses server control, client control, mixed mode, or no data found
  • Push/pull mode: Whether the client gets or requests policies from the server
  • Application learning on or off
  • Heartbeat interval in minutes
  • Upload of critical events on or off
  • Download randomization on or off; randomization window in minutes
  • Whether the client uses last-used group settings or last-used group mode
  • Whether the client sends detection submissions and what type, such as antivirus detections, file reputation, or SONAR
  • Whether Host Integrity is enabled on the client
  • The number of domains.
  • The total number of groups in all domains, that is shown in approximations such as
    <1500
    . More than 3,000 is sent as
    >/= 3000
  • The maximum depth of group among all domains
  • The count of the total number of clients
  • The number of clients in computer mode
  • The number of clients in user mode
  • The number of clients in organizational unit (OU) groups
License status, license entitlement information, license ID and license usage
N/A
Device name, type, OS version, language, location, browser type and version, IP address and ID
N/A
Device hardware, software and application inventory
The server database sends the aggregate information about the client hardware. The information includes CPU, RAM, and free disk space on the
Symantec Endpoint Protection
installation disk.
Application and database access configurations, policy requirements and policy compliance status, and application exception and workflow failure logs
Includes the number of rules for System Administrative log entries. Also sends the number of log entries as well as the number of days until the log entries expire for the following database logs:
  • System Administrative log
  • Client-Server Activity log
  • Audit log
  • System Server Activity log
Includes any server replication failure events, such as replication failure or database versions that do not match.
Information associated with possible threats including: client security event information, IP address, User ID, path, device information such as device name and status, files downloaded, file actions
N/A
File and application reputation information including file downloads, actions and executing application information, and malware submissions
File reputation data is information about the files that are detected based on their reputation.
  • These submissions contribute to the Symantec Insight reputation database and helps protect your computers from new and emerging risks.
    The information includes file hash, client IP hash, IP address from where the file was downloaded, file size, and reputation score of the file.
Application exception and workflow failure logs
N/A
Personal information provided during configuration of the Service or any other subsequent service call
N/A
Licensing information such as name, version, language and licensing entitlement data
N/A
Usage of protection technologies included in SEP
Includes information about the top 20 groups with the most number of clients. For each group, the first location, typically the default location, is selected to send the information.
The information includes:
  • The number of clients that have a particular protection technology enabled or disabled.
  • The number of and type (such as
    Quarantine
    ,
    Log only
    ,
    Clean
    , etc.) of the first and second actions for detections by the protection technologies that are enabled.
Symantec Endpoint Protection Manager
sends the number of shared policies of each type in its database, which is equal to the number of default policies plus the number of custom policies. The information includes:
  • The number of domains
  • The number of each of the following shared policies:
    • Virus and Spyware Protection policies
    • Firewall policies
    • Intrusion Prevention policies
    • Application and Device Control policies
    • LiveUpdate policies
    • Host Integrity policies
  • The number of custom intrusion prevention signatures
Information that describes the configuration of SEP, such as operating system information, server hardware and software configuration specifics, CPU name, memory size, software version and features for installed packages
Includes server information such as:
  • Number of replication partners
  • Whether log data is replicated
  • Whether content data is replicated
Includes the Linux operating system type and kernel versions, plus a count of the number of clients with this configuration.
Includes the aggregation information in the
Symantec Endpoint Protection Manager
database about
Symantec Endpoint Protection
client operational state, including counts of the following:
  • Total clients
  • Reduced-size clients
  • Standard-size clients
  • EWF-enabled clients
  • FBWF-enabled clients
  • UWF-enabled clients
  • Microsoft hypervisor clients
  • VMware hypervisor clients
  • Citrix hypervisor clients
  • Unknown hypervisor clients
Sends the approximate number of LiveUpdate revisions, for example
<30
.
Information on potential security risks, portable executable files and files with executable content that are identified as malware which may contain personal information, including information on the actions taken by such files at the time of installation
Includes the following:
  • Antivirus detections (Windows and Mac only)
    Information about virus and spyware scan detections. The type of information that clients submit includes file hash, client IP hash, antivirus signatures, attacker URL, etc.
  • Antivirus advanced heuristic detections (Windows only)
    Information about the potential threats that Bloodhound and other virus and spyware scan heuristics detect. These detections are silent and do not appear in the Risk log. Information about these detections is used for statistical analysis.
  • SONAR detections (Windows only)
    Information about the threats that SONAR detects, which include high or low risk detections, system change events, and suspicious behavior from trusted applications.
Also includes process data such as:
  • SONAR heuristic detections (Windows only) are silent and do not appear in the Risk log. This information is used for statistical analysis. The type of information that clients submit typically includes attributes of the detection such as the following:
    • Hidden processes
    • Small footprint processes
    • Keystroke logging or screen capture behavior
    • Disabling of security product behavior
    • Date and timestamps of detection
Information related to network activity including URLs accessed and aggregate information on network connections (e.g., hostname, IP addresses and statistical info on a network connection)
Includes the following:
  • Network detection events (Windows and Mac only)
    Information about detections by the IPS engine (intrusion prevention). The information that clients submit includes client IP hash, attacker URL, detection timestamp, attacker IP address, IPS signature, etc.
  • Browser detection events (Windows only)
    All URLs typed in the browser address bar, clicked on, or connected to for downloading.
    Clients also send metadata about the following:
    • Each network connection, including IP addresses, port numbers, host names, applications initiating connections, protocols, connection time, number of bytes per connection.
    • All file transfer activities between devices, including device identification, time of the transfer, protocol, file attributes (type, name, path, size), and SHA-256 of the content.
Status information regarding installation and operation of SEP, which may contain personal information only if such information is included in the name or file folder encountered by SEP at the time of installation or error, and indicates to Symantec whether installation of SEP was successfully completed, as well as whether SEP has encountered an error
N/A
Pseudonymous general, statistical and status information
N/A
How do I know that my
Symantec Endpoint Protection
clients are sending telemetry submissions?
Check the Client Activity log to view submissions events. If the log does not contain current submission events, check the following:
  • Make sure that client submissions are enabled.
  • If you use a proxy server, check the proxy exceptions. See:
  • Check connectivity to Symantec servers. See the knowledge base article:
  • Check to make sure that clients have current LiveUpdate content.
    Symantec Endpoint Protection uses a Submission Control Data (SCD) file. Symantec publishes the SCD file and includes it as part of a LiveUpdate package. Each Symantec product has its own SCD file. The SCD file controls the following settings:
    • How many submissions a client can submit in one day
    • How long to wait before the client software retries submissions
    • How many times to retry failed submissions
    • Which IP address of the Symantec Security Response server receives the submissions
If the SCD file becomes out-of-date, then the clients stop sending submissions. Symantec considers the SCD file out-of-date when client computers have not retrieved LiveUpdate content in 7 days. The client stops sending submissions after 14 days.
If clients stop the transmission of the submissions, the client software does not collect the submission information and send it later. When clients start to transmit submissions again, they only send the information about the events that occur after the transmission restart.
Can I opt out of telemetry submission?
Yes, you can opt out. You can modify the server data collection or client submissions options in the client and the server user interfaces. However, Symantec recommends that you enable as much telemetry as possible to improve the security of your network.

Performance, sizing, and deployment

How much bandwidth does telemetry consume?
Symantec Endpoint Protection throttles client computer submissions to minimize any effect on your network. Symantec Endpoint Protection throttles submissions in the following ways:
  • Client computers only send samples when the computer is idle. Idle submission helps randomize the submissions traffic across the network.
  • Client computers send samples for unique files only. If Symantec has already seen the file, the client computer does not send the information.
The data size of these submissions is very negligible. For instance, antivirus submissions do not typically exceed 4 KB and similarly IPS submissions are about 32 KB in size.
Can I specify a proxy server for client submissions?
You can configure the
Symantec Endpoint Protection Manager
to use a proxy server for submissions and other external communications that your Windows clients use. If your client computers use a proxy with authentication, you might need to specify exceptions for Symantec URLs in your proxy server configuration. The exceptions let your client computers communicate with Symantec Insight and other important Symantec sites.
For more details about the proxy, see:
To learn more about the exceptions for Symantec URLs, see: