What's new for Symantec Endpoint Protection (SEP) 14.0.1 (14 RU1)

Protection features
  • Cloud-based management using the Symantec Endpoint Protection cloud portal:
    Symantec Endpoint Protection 14.1 includes a cloud portal that provides cloud-based management that extends Symantec Endpoint Protection's abilities to detect and remediate emerging threats in your environment. The cloud portal increases the visibility you have into your network security posture with the dashboard views that provide insight into suspicious files across your devices. Symantec Endpoint Protection Manager seamlessly connects to the cloud through an internal bridge. You can also access the interface to the cloud portal directly.
    You access the cloud portal Help for these features in the cloud portal.
    • Discover and block suspicious detections with an Intensive Protection policy:
      The Intensive Protection policy settings tune multiple engines to improve detections. You can choose to log detections at a higher intensity so that you can see what files would be detected and blocked at that level. What-if logging helps you proactively whitelist any false positives before you decide to block the detections. When you apply this policy, some settings in Symantec Endpoint Protection Manager are ignored. For example, the Intensive Protection policy ignores the Bloodhound setting in the Virus and Spyware Protection policy.
    • Stronger support for low-bandwidth environments:
      The cloud portal controls whether or not Symantec Endpoint Protection 14.0.1 clients receive updates less frequently for the clients that are on slower networks. In low-bandwidth mode, you can use the Intensive Protection policy to tune the security on your endpoints even more. These updates include virus, SONAR, and IPS definitions. The low-bandwidth improvements also include an automatic reduction of telemetry submissions data. Low bandwidth is off by default.
    • Integrated false positive management:
      You can allow (whitelist) or block (blacklist) files from multiple views.
  • Additional Memory Exploit Mitigation features:
    Memory Exploit Mitigation hardens the operating system to stop the attack on zero day regardless of the flaw, bug, or vulnerability in the software. Instead of waiting for a patch from the vendor and then scheduling time to apply the patch, Memory Exploit Mitigation handles the exploits immediately. Version 14.0.1 includes the following changes:
    • Generic Exploit Mitigation is renamed to Memory Exploit Mitigation.
    • The Memory Exploit Mitigation is a separate policy from the Intrusion Prevention policy.
    • Memory Exploit Mitigation includes more fine-tuned control to let you test and troubleshoot to mitigate false positives.
    • Memory Exploit Mitigation several new mitigation techniques
    • The command to remotely enable or disable Memory Exploit Mitigation on the Windows client changed from smc -enable -gem and smc -disable -gem to smc -enable -mem and smc -disable -mem.
  • Exceptions policy can exclude detections based on a file's certificate (Windows):
    You can add exceptions for individual certificates to prevent the Window client from scanning and detecting the signed files as suspicious. For example, a tool that your company developed internally may use a self-signed certificate. Excluding this certificate from scans prevents Auto-Protect, Download Insight, SONAR, or other scans from detecting the files that it signs as suspicious.
  • Updated EDR integration with Symantec Advanced Threat Protection:
    Endpoint Symantec Advanced Threat Protection: Endpoint (ATP) is an on-premises virtual appliance that detects advanced threats on endpoints in your network. ATP: Endpoint delivers actionable data so that you can quickly analyze and respond to the threats. The ATP module provides Endpoint Detection and Response (EDR), which allows for direct communication with registered client computers. EDR greatly improves the time for client computers to receive commands for evidence of compromise (EOC) searches and file remediation. A new version of the EDR component allows for collection of events on a client computer. EDR includes information on files, processes, registries, and network connections. This data is submitted to the ATP: Endpoint console. The newest version of EDR requires the ATP: Endpoint 3.0 product, and is not licensed in Symantec Endpoint Protection itself. You can download the latest EDR content through LiveUpdate.
  • Symantec Endpoint Protection Deception:
    Deception is used to detect adversary activity at the endpoint using "deceptors." The underlying assumption with this approach is that the attacker has already breached the primary defenses of the network and performs reconnaissance in the environment. The attacker looks to find critical assets, like a domain controller or database credentials. With Deception, you can more quickly detect infiltration attempts. You can download a sample deceptor through FileConnect, either in the Tools directory on the full installation file or as a standalone download.
  • Advanced Machine Learning (AML) for Mac clients:
    The AML engine now works with the Symantec real-time cloud-based threat intelligence on Mac clients. AML enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
Management server features
  • The option to enable notifications on the Symantec Endpoint Protection Manager and the Windows client has changed from Display Intrusion Prevention notifications to Display Intrusion Prevention and Memory Exploit Mitigation notifications. In versions 12.1.6.x and earlier, this option works for IPS notifications only.
  • In the Computer Status logs and quick reports, Network and Host Exploit Mitigation Protection off changed to Firewall off and Proactive Threat Protection off changed to SONAR off. To access the log, click
    Monitors > Logs tab > Computer Status log type > Additional Settings > Compliance options
    . To access the quick reports, click
    Reports > Quick Reports tab > Computer Status report type > Additional Settings > Compliance
  • Enable/Disable Network and Host Exploit Mitigation
    mixed mode setting has been renamed to
    Enable/Disable Network Threat Protection
    . In 14 MPx versions, in the Client/Server Control Settings tab for mixed mode, the
    Enable/Disable Network and Host Exploit Mitigation
    command is not correctly named. This command is for the firewall and the intrusion prevention system only (Network Threat Protection), and not Memory Exploit Mitigation.
System requirements
Symantec Endpoint Protection 14.0.1 adds support for:
  • SQL Server 2016 SP1 for use with Symantec Endpoint Protection Manager
  • macOS 10.13 (High Sierra)
  • Windows 10 Fall Creators Update (2017) (32-bit, 64-bit)
  • Browser support: Mozilla Firefox 5.x through 56.x, Google Chrome 61.0.x
Client installation
  • The Client Deployment Wizard includes host name and IP address column labels:
    To install new clients using remote push, you search for available computers in your network. Previously, the list of the available computers had appeared in a random order. Now, you can sort the computers by alphabetical or numerical order using new host name and IP address columns. You can then find the computers you want to install the clients on quicker. The labels appear in the Client Deployment Wizard. On the Computer Selection panel, click Search Network, and then click Find Computers.
  • Password required to uninstall the Mac client:
    You can now require that the user enter a password to uninstall the Mac client.
  • Symantec Endpoint Protection kernel authorization required as of macOS 10.13:
    MacOS 10.13 adds a security requirement that kernel extensions be authorized. Symantec Endpoint Protection 14.0.1 adds support for macOS 10.13. If the kernel extension needs to be authorized, you are prompted during the installation of the Mac client. If you do not authorize the kernel extension, the Mac client cannot properly function. To authorize the kernel extension, click Allow in the Security & Privacy system preference. You do not need to provide administrator credentials. You only need to authorize the kernel extension once. If you uninstall and reinstall the client, or upgrade your operating system to 10.13 with version 14 installed, you do not need to reauthorise. Kernel authorization is required even when you use Remote Push. You must take this additional step after using Remote Push to deploy Symantec Endpoint Protection.
  • Option for Add Client Install Package renamed:
    In version 14, the option for Include latest content in the client installation package was incorrectly changed to Include virus definitions in the client installation package. To more accurately describe this option, this option is changed to Include new content types in the client installation package.
REST API commands
  • The Symantec Endpoint Protection Manager REST APIs enable programmatic interaction with Symantec Endpoint Protection. This set of REST APIs connect to and perform Symantec Endpoint Protection Manager operations from Symantec Advanced Threat Protection: Endpoint (ATP) and Symantec Web Gateway (SWG). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. Note: If Symantec Endpoint Protection Manager is enrolled with the cloud portal, using REST API commands to manage what that the cloud portal manages is not supported.
  • The documentation is located on the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server: https://SEPM-IP:8446/sepm/restapidocs.html
Removed or unsupported features
  • End of Life announced for Endpoint Protection 12.1.x:
    On April 3, 2017, Symantec announced the End of Life for Endpoint Protection 12.1.x. The End of Life date starts the process that leads to the end of support for all released versions of 12.1. These released versions include release updates and maintenance patches.
  • Removed option to manually submit quarantined threats to Symantec Security Response:
    In version 14 and earlier, you can submit threats in the quarantine manually from Windows clients to the Security Response team. As of version 14.0.1, you can submit these samples automatically only to a Central Quarantine Server.
  • In Symantec Endpoint Protection Manager, the
    Allow client computers to manually submit quarantined items to Symantec Security Response
    option was in the
    Virus and Spyware Protection policy > Quarantine > General
  • On the Windows client, click
    View Quarantine
    . The
    option and the right-click
    menu item were removed.
  • Removed support for Mac OS X 10.9
  • Host Integrity policy options for Mac:
    Host Integrity policies for Mac required the installation of the Symantec Network Access Control On-Demand client for Mac. Symantec Network Access Control has reached End of Life, and is not supported for use with Symantec Endpoint Protection 14.x. While the Mac options are still in the user interface, they are not supported.