What's new in Symantec Endpoint Protection (SEP) 14
- Intelligent Threat Cloud Service for client installation packages (Windows): Version 14 includes three new sizes of client installation packages, based on which set of virus definitions they include:
- Standard client: Designed for typical installations where clients have access to the cloud or the clients are version 12.1.6 and earlier. The standard client is 80% to 90% smaller than a dark network client installation package and includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
- Embedded client or VDI client: The embedded client replaces the reduced-size client that was introduced in version 12.1.6. The embedded client is smaller than the standard client and also includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
- Dark network client: Installs a full set of virus definitions and keeps the definitions locally rather than accessing them from the cloud. Use this client installation package if the client computers are in networks with no access to the cloud.
- Generic Exploit Mitigation (Windows): Prevents common vulnerability attacks in typical software applications. Generic Exploit Mitigation installs with intrusion prevention and includes the following types of protection: Java exploit prevention, heap spray mitigation, and structured exception handling overwrite protection (SEHOP). The protections apply to the specific applications that are listed in the Intrusion Prevention policy. Symantec Endpoint Protection downloads the application list as part of its LiveUpdate content. To see the list of applications, open an Intrusion Prevention policy and then click Generic Exploit Mitigation.
- Enable Suspicious Behavior Detection option (Windows): You can enable or disable suspicious behavior detection if SONAR is disabled. Therefore, you can have behavior policy enforcement protection of applications on while SONAR scoring is off.
- Scan files on remote computers option (Windows, Linux): You can disable the option for SONAR or Auto-Protect to scan files on computers on other networks. Disabling this option increases performance. However, you should keep this option enabled, as SONAR looks for worms such as Sality, which infects network drives. If Auto-Protect scanning all files reduces the client computer's performance, you can enable the Only when files are executed option. To access these options, click Policies > Virus and Spyware Protection policy > SONAR or Auto-Protect.
- Virus scan logic moved to Auto-Protect user mode: Auto-Protect user mode reduces kernel memory usage and provides greater system health. In rare cases of crashes, the computer does not blue screen and is recoverable.
- Emulator for packed malware: For Auto-Protect and virus scans, a new emulator improves scan performance and effectiveness by at least 10 percent. This anti-evasion technique addresses packed malware obfuscation techniques and detects the malware that is hidden inside custom packers.
- Advanced Machine Learning (AML) on the endpoint for improved static detections: This new endpoint-based machine learning engine can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown. The AML engine works with the Symantec real-time cloud-based threat intelligence to provide best-in-class protection with low false positives.
- Insight Lookup (Windows):
- You can still enable or disable Insight Lookup for version 14 and legacy 12.1.x clients, but you cannot set the sensitivity level or action settings. Instead, Insight Lookup uses internal settings to optimize the scan because Download Insight detections are now completely handled by real-time protection. The new Enable Insight Lookup option on the Scan Details tab replaces the Insight Lookup tab in version 12.1.x. Click the Virus and Spyware Protection policy > Administrator-Defined Scans, choose either scheduled scans or on-demand scans, and then click Scan Details.
- On standard and embedded/VDI clients, Insight Lookup now allows Auto-Protect, scheduled scans, and manual scans to look up both file reputation information and definitions in the cloud. However, the dark network clients include the full set of definitions and do not use Insight Lookup. You enable Insight Lookup in the Clients > Policies tab > External Communications > Submissions tab.
- Scheduled and on-demand scans support the %systemdrive% and %userprofile% variables (Windows): These scans let you select specific folders to be scanned rather than scanning all the files on the Windows client computer. The %systemdrive% variable indicates the location where the Windows operating system is installed. The %userprofile% variable corresponds to the user profile folders for the users who are logged on. You can also exclude these folders from being scanned by using an Exceptions policy.
- Reports display an application's hash value you can use to block applications: You can use the hash value instead of an application's name to add to the policies that block applications. The hash value is unique whereas an application name may not be. To find the hash value, look in the Hash Type / Application Hash column in the following reports:
- Risk reports: Infected and At Risk Computers; Download Risk Distributions; SONAR Detection Results; SONAR Threat Distribution; Symantec Endpoint Protection Daily Status Report; and Symantec Endpoint Protection Weekly Status Report. To view the Risk reports, click Reports > Quick Reports > Risk.
- Home page > Activity Summary link
- Client submissions and server data collection: You can enable Symantec Endpoint Protection to send information about detected threats and your network configuration to Symantec. Symantec uses this information for additional analysis and to improve the security features in the product.
- Version 14 has several new types of client submissions that you can enable. You access these options by clicking Clients > Policies tab > External Communications > Submissions tab > More options.
- The previously existing submission types are automatically submitted with the Send anonymous data to Symantec to receive enhanced threat protection intelligence option. In 12.1.6.x and earlier, this option was labeled Let computers automatically forward selected anonymous security information to Symantec.
- You use the new Send client-identifiable data to Symantec for custom analysis option if you participate in a Symantec-sponsored program to get recommendations specific to your security network.
- For server data collection, the Yes, I would like to help optimize Symantec's endpoint security solutions by submitting anonymous system and usage information to Symantec option is now labeled Send anonymous data to Symantec to receive enhanced threat protection intelligence. You access this option on the Admin > Servers > Edit Site Properties > Data Collection tab.
- LiveUpdate downloads new types of content: Symantec Endpoint Protection Manager downloads additional types of content from LiveUpdate servers:
- Client security patches
- Endpoint Detection and Response: Definitions that the Endpoint Detection and Response (EDR) component uses to detect and investigate suspicious activities and issues on hosts and endpoints.
- Common Network Transport Library and Configuration: Definitions that the entire product uses to achieve network transportation and telemetry.
SQL Server 2014 SP2
For the Symantec Endpoint Protection Manager web console and Help:
Symantec Endpoint Protection Manager installation
The DVD installation screen is simpler with fewer screens:
- You can install Symantec Endpoint Protection Manager from the first screen rather than a later screen.
- You can link to the Quick Start Guide, which describes how to deploy 500 or fewer clients with the default installation.
Management Server Installation Wizard
- The installation wizard now displays the available hard drive space for local drives, but not the hard disk space for USB thumb drives or disc drives. The wizard does not let you install the management server unless the computer meets the minimum system requirements. The installation proceeds if the computer meets the recommended system requirements. The recommended minimum hard drive space the management server needs on a system drive is 40 GB. On an alternative drive, the management server needs 15 GB (system drive) and 25 GB (installation drive).
- Symantec Endpoint Protection Manager installs with the HTTPS protocol: When you install Symantec Endpoint Protection Manager for the first time, it uses the HTTPS protocol by default to communicate between the management server and the clients. If you upgrade from an earlier version, Symantec Endpoint Protection Manager retains the protocol from the earlier version. For the upgrades that use HTTP, you can create a new management server list that uses HTTPS and switch to the list in the Communications Settings dialog box.
Symantec Endpoint Protection Manager configuration
Management Server Configuration Wizard
- Changed the default installation from 100 clients or fewer to 500 clients or fewer.
- Merged the administrator's email address and test email screens into one screen, and improved the workflow for testing the administrator's email address.
- Includes an option to support TLS communication with the mail server, Prepare the server to use a secure connection. You also configure TLS communication in the Server Properties dialog box. In earlier versions, only SSL is available. In addition, you can test the mail server connection at any time instead of during installation only.
- The Run LiveUpdate screen and partner information are merged into one screen.
- Removed the default configuration settings confirmation page. These details are now written in the SEPMConfigurationSettings.txt file that is located in the <SEPM installation folder>\tomcat\etc folder. When you upgrade from previous releases, Symantec Endpoint Protection Manager creates this text file.
- While you wait for the installation wizard to create the embedded database, a progress bar shows how far the installation has progressed.
Reset the embedded database password: If you forget or want to change the embedded database password, run the Management Server Configuration Wizard and reconfigure the management server. On the Windows Start menu, click All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Management Server Configuration Wizard.
Symantec Endpoint Protection Manager console
- New user interface: Symantec Endpoint Protection Manager now has an updated cloud look and feel with new icons and fonts. For example:
- The client status icons changed.
- Inherited firewall rules are italicized instead of shaded purple.
- The name of the Welcome page changed to the Getting Started page.
- The Getting Started page displays a list of required tasks to perform before you install for the first time or upgrade:
- Run LiveUpdate now: LiveUpdate has run on Symantec Endpoint Protection Manager and downloaded at least one set of valid virus definitions. Or, LiveUpdate has connected to a Symantec Endpoint Protection client and downloaded at least one set of valid virus definitions.
- Activate your product: The license needs to be valid and cannot be either over-deployed, a trial version, upgrade, invalid, or expired.
- Install the client software on your computers: At least one Symantec Endpoint Protection client needs to be connected to the management server. The Home page > Security Status pane also indicates whether or not a minimum of one client is installed. The Getting Started page reappears until all the required tasks are completed. Then a Do not show this page again check box appears at the bottom of the screen. You can redisplay the Getting Started page in the Help menu.
- The Client Deployment Wizard has the following upgrades to make it easier to install the clients:
- The command to open the Client Deployment Wizard has changed from Add a client to Install a client. You access the wizard by clicking either the Clients pane > Tasks, or by clicking the Help menu > Getting Started > Required tasks > Install the client software on your computers.
- The Client Install Settings dialog box has the following new options:
- Remove existing Symantec Endpoint Protection client software that cannot be uninstalled uninstalls an existing Symantec Endpoint Protection client when other installation methods do not work. Only use this feature to remove corrupted or malfunctioning installations of the Symantec Endpoint Protection client.
- Do not uninstall existing security software is the default setting, which you use if you do not need to uninstall any security software from the client computer.
- The wizard uninstalls more third-party security products. See Third-party security software removal in Endpoint Protection. You access these options either through the Client Deployment Wizard or through the Admin > Install Packages > Client Install Settings dialog box.
- In the Select Group and Install Feature Sets pane of the wizard, the Include all content in the client installation package option has changed to Include virus definitions in the client installation package. The meaning of the check box is clearer. This option is in the Admin > Install Packages > Export a Client Install Package dialog box. This option replaced the Select option.
- Preferred mode options removed: The preferred mode options have been removed because the wizard installs the clients in computer mode by default. You can change the mode to user mode, but Symantec recommends that you continue to use computer mode.
Management server features
- Custom replication schedule: You can now run replication multiple times a day, which improves effective reporting while preventing deadlocks on Symantec Endpoint Protection Manager. Previously, the replication schedule only ran either once an hour or once a day, which was either too often or too infrequent. For some companies, security requirements and customer reporting requirements mean that daily replication is not enough. For companies with large network environments, hourly replication between dedicated management servers might be too often and might not complete before the next replication period starts. See How to install a second site and configure it for replication.
- Subnet mask for explicit Group Update Providers: In the LiveUpdate Settings policy, you can now reduce the number of explicit Group Update Provider entries by adding a client subnet mask. The subnet mask lets you add a larger subnet which can encompass multiple subnets, reducing the number of explicit entries from thousands to a few. In previous releases, you had to manually add the IP address for each client to be sure that the explicit GUP entry was applied to that client. For example, rather than having to enter both the 192.168.1.0 and 192.168.2.0 subnet, you can add the 192.168.0.0 subnet and the 255.255.0.0 subnet mask. See Configuring clients to download content from Group Update Providers. See About the types of Group Update Providers.
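As an added illustration of the subnet-mask consolidation described above (example code written for this page, not part of the Symantec product or its documentation), the following Python computes the smallest single subnet and mask that covers a list of explicit GUP client entries, applies the usual (ip & mask) == (subnet & mask) comparison to confirm each entry still matches, and lists the extra /24 subnets a broader entry would also match. The entry addresses are constructed samples; the 255.255.0.0 mask from the text is a wider choice than the minimal one this code derives.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample entries (not from any real deployment): explicit GUP
# client subnets an administrator would have added one by one before
# version 14 introduced the subnet mask field.
EXPLICIT_ENTRIES = ["192.168.1.0", "192.168.2.0", "192.168.7.0"]


def covering_network(entries: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single IPv4 network that contains every entry.

    Starting from the first entry as a /32, the prefix is shortened one bit
    at a time until every entry falls inside the resulting network.
    """
    addrs = [ipaddress.IPv4Address(e) for e in entries]
    if not addrs:
        raise ValueError("at least one entry is required")
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((addrs[0], prefix), strict=False)
        if all(a in net for a in addrs):
            return net
    raise AssertionError("unreachable: a /0 network contains every address")


def to_policy_entry(net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """Express a network as the (subnet, subnet mask) pair typed into the policy."""
    return str(net.network_address), str(net.netmask)


def matches_entry(client_ip: str, subnet: str, mask: str) -> bool:
    """Subnet-mask test: the client matches when (ip & mask) == (subnet & mask)."""
    ip = int(ipaddress.IPv4Address(client_ip))
    net = int(ipaddress.IPv4Address(subnet))
    m = int(ipaddress.IPv4Address(mask))
    return (ip & m) == (net & m)


def extra_subnets(entries: Iterable[str], net: ipaddress.IPv4Network,
                  prefix: int = 24) -> List[str]:
    """List the /prefix subnets inside net that hold none of the explicit entries.

    These are the ranges the consolidated entry matches in addition to the
    original entries, which is the trade-off to review before consolidating.
    """
    if net.prefixlen > prefix:
        return []
    addrs = [ipaddress.IPv4Address(e) for e in entries]
    return [str(s) for s in net.subnets(new_prefix=prefix)
            if not any(a in s for a in addrs)]


if __name__ == "__main__":
    net = covering_network(EXPLICIT_ENTRIES)
    subnet, mask = to_policy_entry(net)
    print(f"one entry covers all {len(EXPLICIT_ENTRIES)}: {subnet} / {mask}")
    for entry in EXPLICIT_ENTRIES:
        assert matches_entry(entry, subnet, mask)
    print("also matched:", ", ".join(extra_subnets(EXPLICIT_ENTRIES, net)))
```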
- In-product notifications: You can read the latest news about Symantec Endpoint Protection by clicking the Latest News link on any main console page, which opens the Endpoint Protection Notifications webpage. A bell icon appears whenever there is new news or alerts on the webpage. After you open the webpage, the bell icon disappears. In previous versions you had to manually and repeatedly check the Symantec Endpoint Protection Support page for information.
- TLS 1.2 communication: The communication between management server to management server and management server to client migrated away from SSL and earlier versions of TLS to TLS 1.2.
- Administrator accounts: The overview page for an administrator account displays the following options: Password Verification Attempt Threshold displays the number of logon attempts administrators can make with an invalid password before Symantec Endpoint Protection Manager locks them out. Failed Password Verification Attempts displays the number of failed logon attempts an administrator made.
- The Test Account option on the Authentication tab has changed to Check Account. This option checks whether the administrator account name exists in the connected Active Directory server or the LDAP server.
- The Advanced Settings link has changed to Additional Settings on the Monitors page > Logs tab and Reports page > Quick Reports tab.
- Device control (Mac): You can now configure a Device Control policy for Mac clients. Device control controls the use of removable devices, such as USBs and FireWire. The policy supports permissions for reading, writing, and executing, and supports devices based on the type, make, model, or serial number.
- AutoUpgrade (Mac): You can automatically update the Mac client from Symantec Endpoint Protection Manager.
- Security patches for the client (Windows): You can now download and install security fixes for Windows clients using LiveUpdate, a Group Update Provider, or the management server. This option lets customers receive security fixes as easily as they receive virus definition updates. To download the security fixes to a management server, make sure that the option is enabled for the site. To download the security fixes to the clients, use the Download security patches to fix the vulnerabilities in the latest version of the Symantec Endpoint Protection client option in a LiveUpdate Settings policy.
- Troubleshooting client crashes (Windows): If the client crashes or behaves abnormally, a new component collects information about the client and reports it to a Symantec server. Symantec can use this information to better understand the cause of the crash, and improve the product. To enable this option, click Admin > Servers > Edit Site Properties > Data Collection tab, and make sure that Let clients send troubleshooting information to Symantec to resolve product issues faster is checked.
- Symantec Endpoint Protection client drivers for the Windows 10 Device Guard (Windows): Windows 10 includes a new feature that is called Device Guard that lets you lock down devices against new and unknown malware variants as well as advanced persistent threats (APTs). Device Guard uses hardware technology and virtualization to isolate hypervisor-related functions from the rest of the Windows operating system.
- Symantec Endpoint Protection Manager includes a set of REST APIs that connect to and perform Symantec Endpoint Protection Manager operations from Symantec Advanced Threat Protection (ATP). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. The documentation is located in the following places:
- On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server: https://SEPM-IP:8446/sepm/restapidocs.html
- The API for remote monitoring and management (RMM) includes a new command, assignQuarantinePolicy. This command assigns a policy to one or more of the group's Quarantine locations. In addition, the RMM API documentation folder was renamed from Tools\Integration to Tools\WebServicesDocumentation.
- The semapisrv service listens for API commands for the Symantec Endpoint Protection Manager.
The tools in this list are located in the installation file that you download from FileConnect in the \Tools folder, unless otherwise noted.
- DeviceInfo (Mac): The DeviceInfo tool lets you obtain the device vendor, model, or serial number for a specific device on the Mac client to use in Device Control policies. The tool is located in the \Tools\DeviceInfo folder.
- TLS to Microsoft SQL Server database support: Symantec Endpoint Protection Manager communicates with the SQL Server over an encrypted channel by default. The SetSQLServerTLSEncryption.bat tool lets you disable or enable TLS encryption between the management server and the Microsoft SQL Server communication. As of version 14, it can be used with the management server installations that are configured to use the Microsoft SQL Server database. You access the tool from <installation directory>\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
- SymDiag replaces SymHelp: The SymHelp tool was renamed as the Symantec Diagnostic (SymDiag) tool. SymDiag is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
- Content Distribution Monitor: The Content Distribution Monitor tool monitors management servers, clients, and GUPs in your environment. The tool shows a graphical display of the health and content distribution status, site throughput, and database table records. A new Site Information tab displays the throughput data that is collected after the last heartbeat between this site's management servers and the client computers. The tool is located in the \Tools\ContentDistributionMonitor folder. In previous versions, this tool was not supported. The tool was also called SEPMMonitor.
- SEPPrep tool was removed: The unsupported SEPPrep tool was used in previous releases to remove third-party competitors' security software and Symantec software remotely or by using a script. The Client Deployment Wizard includes options in the Client Install Settings dialog box to uninstall both third-party products and Symantec products. To uninstall Symantec Endpoint Protection remotely, you can also download the CleanWipe tool from the Tools\Cleanwipe folder.
- The Quarantine Server and Quarantine Console folder was removed: The Central Quarantine Server and Quarantine Console have been removed from the Symantec Endpoint Protection installation screen and the Tools\CentralQ folder. You can still use the Central Quarantine tool, but you can only download it from a previous version of Symantec Endpoint Protection.
Removed or unsupported features
- Symantec Endpoint Protection Manager no longer supports:
- An installation on Windows Server 2003, any desktop operating system, or any 32-bit operating system.
- SQL Server 2005, SQL Server 2008 SP3 and earlier, and SQL Server 2008 R2 SP2 and earlier.
- Migration from Symantec Endpoint Protection Manager 11.x or 12.0 to 14. You must first upgrade to the latest version of 12.1, or uninstall the older Symantec Endpoint Protection Manager. Symantec Endpoint Protection Manager displays a warning for 11.x or 12.0 to 14 migrations.
- The ability to import a client installation package for 11.x.
- The Symantec Endpoint Protection Manager web console no longer supports Internet Explorer 8, 9, or 10.
- The Symantec Endpoint Protection client no longer supports:
- An installation on any version of Windows XP / Server 2003.
- An installation on any version of Windows Embedded that is based on Windows XP, such as Windows Embedded Standard 2009.
- Mac OS X 10.8.
- Updates for 11.x or 12.0 clients. Symantec Endpoint Protection 11.x clients can no longer get updated content from Symantec Endpoint Protection Manager. To continue to protect and get the best security possible for 11.x client computers, you should upgrade your clients from version 11.x to 14. You can also run a report that displays which computers still have Symantec Endpoint Protection Manager 11.x or 12.0 installed. Click the Monitors > Notifications tab to add a notification to display a list of computers with the unsupported 11.x and 12.0 versions installed.
- Symantec Network Access Control reaches end-of-life support between September and November 2017. Version 14 does not support Symantec Network Access Control. If you want to use Symantec Network Access Control, you should use version 12.1.5 or earlier. In addition, the Symantec Endpoint Protection Manager Help no longer includes the documentation on Symantec Network Access Control features.
- The vShield-enabled Shared Insight Cache (VSIC) and Security Virtual Appliance (SVA) are no longer supported. In the Virus and Spyware Protection policy, the Windows Settings > Miscellaneous > Shared Insight Cache tab no longer has the Enable Shared Insight Cache or Shared Insight Cache using VMware vShield options. Instead, you check or uncheck Shared Insight Cache using Network. Symantec Endpoint Protection still provides the Shared Insight Cache and Virtual Image Exception features for virtual infrastructures. You can also run Symantec Data Center Security: Server and Symantec Endpoint Protection together.
- The Home page > Common tasks menu was removed. The Common tasks menu was previously a list of the required tasks. To view the list of both common tasks and required tasks, click Help > Getting Started page. The Getting Started page also appears when you upgrade or when any one of the required tasks has not been completed.
- The Require standard HTTP headers for LiveUpdate connection option in the LiveUpdate Settings policy > Advanced Settings tab was removed. In 12.1.6, you enabled this option to require standard HTTP headers for the LiveUpdate connection if the connection used nonstandard headers that your non-Symantec Endpoint Protection firewall might block. By default, Windows, Mac, and Linux clients are required to use standard HTTP headers, so the option is no longer necessary.
- The options for limited administrators being able to run reports for the clients and the servers that run Symantec AntiVirus 10.x and earlier were removed. Symantec Endpoint Protection does not support or update the content for Symantec AntiVirus clients.
- The Applies To column for an Exceptions policy > Windows Application Exception was removed. The Applies To column was used for 11.0.x clients and 12.1.x and later clients. Because 11.0.x clients are no longer supported, this information is not needed.
- You can review a new Quick Start Guide, which describes how to get Symantec Endpoint Protection installed and running immediately. Use this method if you have fewer than 500 clients with a default installation.
- Version 14 does not include a Getting Started Guide. Instead, see the Getting Started chapter of the Symantec Endpoint Protection Installation and Administration Guide for a customizable installation. This chapter includes the same topics that used to be in the Getting Started Guide.