What's new in Symantec Endpoint Protection (SEP) 14

Protection features
  • Intelligent Threat Cloud Service for client installation packages (Windows):
    Version 14 includes three new sizes of client installation packages, based on which set of virus definitions they include:
    • Standard client: Designed for typical installations where clients have access to the cloud or the clients are version 12.1.6 and earlier. The standard client is 80% to 90% smaller than a dark network client installation package and includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
    • Embedded client or VDI client: The embedded client replaces the reduced-size client that was introduced in version 12.1.6. The embedded client is smaller than the standard client and also includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
    • Dark network client: Installs a full set of virus definitions and keeps the definitions locally rather than accessing them from the cloud. Use this client installation package if the client computers are in networks with no access to the cloud.
  • Generic Exploit Mitigation (Windows):
    prevents common vulnerability attacks in typical software applications. Generic Exploit Mitigation installs with intrusion prevention and includes the following types of protection: Java exploit prevention, heap spray mitigation, and structured exception handling overwrite protection (SEHOP). The protections apply to the specific applications that are listed in the Intrusion Prevention policy. Symantec Endpoint Protection downloads the application list as part of its LiveUpdate content. To see the list of applications, open an Intrusion Prevention policy and then click
    Generic Exploit Mitigation
  • SONAR/Auto-Protect:
    • Enable Suspicious Behavior Detection
      option (Windows): You can enable or disable suspicious behavior detection if SONAR is disabled. Therefore, you can have behavior policy enforcement protection of applications on while SONAR scoring is off.
    • Scan files on remote computers
      option (Windows, Linux): You can disable the option for SONAR or Auto-Protect to scan files on computers on other networks. Disabling this option increases performance. However, you should keep this option enabled as SONAR looks for worms such as Sality, which infects network drives. For Auto-Protect scans all files reduces and reduces the client computer's performance, you can enable the
      Only when files are executed
      option. To access these options, click
      Policies > Virus and Spyware Protection policy > SONAR
  • Virus scan logic moved to Auto-Protect user mode:
    Auto-Protect user mode reduces kernel memory usage and provides greater system health. In rare cases of crashes, the computer does not blue screen and is recoverable.
  • Emulator for packed malware:
    For Auto-Protect and virus scans, a new emulator improves scan performance and effectiveness by at least 10 percent. This anti-evasion technique addresses packed malware obfuscation techniques and detects the malware that is hidden inside custom packers.
  • Advanced Machine Learning (AML) on the endpoint for improved static detections:
    This new endpoint-based machine learning engine can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown. The AML engine works with the Symantec real-time cloud-based threat intelligence to provide best-in-class protection with low false positives.
  • Insight Lookup
    • You can still enable or disable Insight Lookup for version 14 and legacy 12.1.x clients, but you cannot set the sensitivity level or action settings. Instead, Insight Lookup uses internal settings to optimize the scan because Download Insight detections are now completely handled by real-time protection. The new
      Enable Insight Lookup
      option on the
      Scan Details
      tab replaces the
      Insight Lookup
      tab in version 12.1.x. Click the
      Virus and Spyware Protection policy > Administrator-Defined Scans
      , choose either scheduled scans or on-demand scans, and then click
      Scan Details
    • On standard and embedded/VDI clients, Insight Lookup now allows Auto-Protect, scheduled scans, and manual scans to look up both file reputation information and definitions in the cloud. However, the dark network clients include the full set of definitions and do not use Insight Lookup. You enable Insight Lookup in the
      Clients > Policies tab > External Communications > Submissions
  • Scheduled and on-demand scans support the %systemdrive% and %userprofile% variables
    (Windows): These scans let you select specific folders to be scanned rather than scanning all the files on the Windows client computer. The %systemdrive% variable indicates the location where the Windows operating system is installed. The %userprofile% variable corresponds to the user profile folders for the users who are logged on. You can also exclude these folders from being scanned by using an Exceptions policy.
  • Reports display an application's hash value you can use to block applications:
    You can use the hash value instead of an application's name to add to the policies that block applications. The hash value is unique whereas an application name may not be. To find the hash value, look in the
    Hash Type / Application Hash
    column in the following reports:
    • Risk
      reports: Infected and At Risk Computers; Download Risk Distributions; SONAR Detection Results; SONAR Threat Distribution; Symantec Endpoint Protection Daily Status Report; and Symantec Endpoint Protection Weekly Status Report, To view the Risk reports, click
      Reports > Quick Reports > Risk
    • Home page > Activity Summary
  • Client submissions and server data collection:
    You can enable Symantec Endpoint Protection to send information about detected threats and your network configuration to Symantec. Symantec uses this information for additional analysis and to improve the security features in the product.
    • Version 14 has several new types of client submissions that you can enable. You access these options by clicking
      Clients > Policies tab > External Communications > Submissions tab > More options
    • The previously existing submission types are automatically submitted with the
      Send anonymous data to Symantec to receive enhanced threat protection intelligence
      option. In 12.1.6.x and earlier, this option was labeled
      Let computers automatically forward selected anonymous security information to Symantec
    • You use the new
      Send client-identifiable data to Symantec for custom analysis
      option if you participate in a Symantec-sponsored program to get recommendations specific to your security network.
    • For server data collection, the
      Yes, I would like to help optimize Symantec's endpoint security solutions by submitting anonymous system and usage information to Symantec
      option is now labeled
      Send anonymous data to Symantec to receive enhanced threat protection intelligence
      . You access this option on the
      Admin > Servers > Edit Site Properties > Data Collection
  • LiveUpdate downloads new types of content:
    Symantec Endpoint Protection Manager downloads additional types of content from LiveUpdate servers:
    • Client security patches
    • Endpoint Detection and Response: Definitions that the Endpoint Detection and Response (EDR) component uses to detect and investigate suspicious activities and issues on hosts and endpoints.
    • Common Network Transport Library and Configuration: Definitions that the entire product uses to achieve network transportation and telemetry.
System requirements
Operating system
  • Symantec Endpoint Protection Manager:
    • Windows Server 2016
  • Linux client:
    • Red Hat Enterprise Linux (RHEL) 7.1 and 7.2 (precompiled binary support)
    • Oracle Linux (OEL) 6U5
  • Mac client:
    • MacOS 10.12 (Sierra)
SQL Server 2014 SP2
Web browser
For the Symantec Endpoint Protection Manager web console and Help:
  • Microsoft Edge
  • Mozilla Firefox 5.x through 49.0.1
  • Google Chrome through 54.0.x
  • net-tools or iproute2 (Linux client communication)
  • LiveUpdate on the Linux client no longer requires the installation of Java.
Symantec Endpoint Protection Manager installation
The DVD installation screen
is simpler with fewer screens:
  • You can install Symantec Endpoint Protection Manager from the first screen rather than a later screen.
  • You can link to the
    Quick Start Guide
    , which describes how to deploy 500 or fewer clients with the default installation.
Management Server Installation Wizard
  • The installation wizard now displays the available hard drive space for local drives, but not the hard disk space for USB thumb drives or disc drives. The wizard does not let you install the management server unless the computer meets the minimum system requirements. The installation proceeds if the computer meets the recommended system requirements. The recommended minimum hard drive space the management server needs on a system drive is 40 GB. On an alternative drive, the management server needs 15 GB (system drive) and 25 GB (installation drive).
  • Symantec Endpoint Protection Manager installs with the HTTPS protocol:
    When you install Symantec Endpoint Protection Manager for the first time, it uses the HTTPS protocol by default to communicate between the management server and the clients. If you upgrade from an earlier version, Symantec Endpoint Protection Manager retains the protocol from the earlier version. For the upgrades that use HTTP, you can create a new management server list that uses HTTPS and switch to the list in the
    Communications Settings
    dialog box.
Symantec Endpoint Protection Manager configuration
Management Server Configuration Wizard
  • Changed the default installation from 100 clients or fewer to 500 clients or fewer.
  • Merged the administrator's email address and test email screens into one screen, and improved the workflow for testing the administrator's email address.
  • Includes an option to support TLS communication with the mail server,
    Prepare the server to use a secure connection
    . You also configure TLS communication in the
    Server Properties
    dialog box. In earlier versions, only SSL is available. In addition, you can test the mail server connection at any time instead of during installation only.
  • The
    Run LiveUpdate
    screen and partner information is merged into one screen.
  • Removed the default configuration settings confirmation page. These details are now written in the
    file that is located in the
    <SEPM installation folder>\tomcat\etc folder
    . When you upgrade from previous releases, Symantec Endpoint Protection Manager creates this text file.
  • While you wait for the installation wizard to create the embedded database, a progress bar shows how far the installation has progressed.
Reset the embedded database password:
If you forget or want to change the embedded database password, run the Management Server Configuration Wizard and reconfigure the management server. On the Windows Start menu, click
All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Management Server Configuration Wizard
Symantec Endpoint Protection Manager console
  • New user interface:
    Symantec Endpoint Protection Manager now has an updated cloud look and feel with new icons and fonts. For example:
    • The client status icons changed.
    • Inherited firewall rules are italicized instead of shaded purple.
  • The name of the
    page changed to the
    Getting Started
  • The
    Getting Started
    page displays a list of required tasks to perform before you install for the first time or upgrade:
    • Run LiveUpdate now:
      LiveUpdate has run on Symantec Endpoint Protection Manager and downloaded at least one set of valid virus definitions. Or, LiveUpdate has connected to a Symantec Endpoint Protection client and downloaded at least one set of valid virus definitions.
    • Activate your product:
      The license needs to be valid and cannot be either over-deployed, a trial version, upgrade, invalid, or expired.
    • Install the client software on your computers:
      At least one Symantec Endpoint Protection client needs to be connected to the management server. The
      Home page > Security Status
      pane also indicates whether or not a minimum of one client is installed. The
      Getting Started
      page reappears until all the required tasks are completed. Then a
      Do not show this page again
      check box appears at the bottom of the screen. You can redisplay the
      Getting Started
      page in the
Client installation
  • The
    Client Deployment Wizard
    has the following upgrades to make it easier to install the clients:
    • The command to open the Client Deployment Wizard has changed from Add a client to Install a client. You access the wizard by clicking either the
      Clients pane > Tasks
      , or by clicking the
      Help menu > Getting Started > Required tasks > Install the client software on your computers
    • The
      Client Install Settings
      dialog box has the following new options:
      • Remove existing Symantec Endpoint Protection client software that cannot be uninstalled
        uninstalls an existing Symantec Endpoint Protection client when other installation methods do not work. Only use this feature to remove corrupted or malfunctioning installations of the Symantec Endpoint Protection client.
      • Do not uninstall existing security software
        is the default setting, which you use if you do not need to uninstall any security software from the client computer.
      • The wizard uninstalls more third-party security products. See Third-party security software removal in Endpoint Protection. You access these options either through the Client Deployment Wizard or through the
        Admin > Install Packages > Client Install Settings
        dialog box.
  • In the
    Select Group and Install Feature Sets
    pane of the wizard, the
    Include all content in the client installation package
    option has changed to
    Include virus definitions in the client installation package
    . The meaning of the check box is clearer. This option is in the
    Admin > Install Packages > Export a Client Install Package
    dialog box. This option replaced the
  • Preferred mode options removed:
    The preferred mode options have been removed because the wizard installs the clients in computer mode by default. You can change the mode to user mode, but Symantec recommends that you continue to use computer mode.
Management server features
  • Custom replication schedule:
    You can now run replication multiple times a day, which improves effective reporting while preventing deadlocks on Symantec Endpoint Protection Manager. Previously, the replication schedule only ran either once an hour or once a day, which was either too often or too infrequently. For some companies, security requirements and customer reporting requirements means that daily replication is not enough. For companies with large network environments, hourly replication between dedicated management servers might be too often and might not complete before the next replication period starts. See How to install a second site and configure it for replication.
  • Subnet mask for explicit Group Update Providers:
    In the LiveUpdate Settings policy, you can now reduce the number of explicit Group Update Provider entries by adding a client subnet mask. The subnet mask lets you add a larger subnet which can encompass multiple subnets, reducing the number of explicit entries from thousands to a few. In previous releases, you had to manually add the IP address for each client to be sure that the explicit GUP entry was applied to that client. For example, rather than having to enter both the and subnet, you can add the subnet and the subnet mask. See Configuring clients to download content from Group Update Providers. See About the types of Group Update Providers.
  • In-product notifications:
    You can read the latest news about Symantec Endpoint Protection by clicking the
    Latest News
    link on any main console page, which opens the
    Endpoint Protection Notifications
    webpage. A bell icon appears whenever there is new news or alerts on the webpage. After you open the webpage, the bell icon disappears. In previous versions you had to manually and repeatedly check the Symantec Endpoint Protection Support page for information.
  • TLS 1.2 communication:
    The communication between management server to management server and management server to client migrated away from SSL and earlier versions of TLS to TLS 1.2.
  • Administrator accounts:
    The overview page for an administrator account displays the following options:
    Password Verification Attempt Threshold
    displays the number of logon attempts administrators can make with an invalid password before Symantec Endpoint Protection Manager locks them out.
    Failed Password Verification Attempts
    displays the number of failed logon attempts an administrator made.
  • The
    Test Account
    option on the
    tab has changed to
    Check Account
    . This option checks whether the administrator account name exists in the connected Active Directory server or the LDAP server.
  • The
    Advanced Settings
    link has changed to
    Additional Settings
    on the
    page >
    tab and
    page >
    Quick Reports
Client features
  • Device control
    (Mac): You can now configure a Device Control policy for Mac clients. Device control controls the use of removable devices, such as USBs and FireWire. The policy supports permissions for reading, writing, and executing, and supports devices based on the type, make, model, or serial number.
  • AutoUpgrade
    (Mac): You can automatically update the Mac client from Symantec Endpoint Protection Manager.
  • Security patches for the client
    (Windows): You can now download and install security fixes for Windows clients using LiveUpdate, a Group Update Provider, or the management server. This option lets customers receive security fixes as easily as they receive virus definition updates. To download the security fixes to a management server, make sure that the option is enabled for the site. To download the security fixes to the clients, use the
    Download security patches to fix the vulnerabilities in the latest version of the Symantec Endpoint Protection client
    option in a LiveUpdate Settings policy.
  • Troubleshooting client crashes
    (Windows): If the client crashes or behaves abnormally, a new component collects information about the client and reports it to a Symantec server. Symantec can use this information to better understand the cause of the crash, and improve the product. To enable this option, click
    Admin > Servers > Edit Site Properties > Data Collection
    tab, and make sure that
    Let clients send troubleshooting information to Symantec to resolve product issues faster
    is checked.
  • Symantec Endpoint Protection client drivers for the Windows 10 Device Guard
    (Windows): Windows 10 includes a new feature that is called Device Guard that lets you lock down devices against new and unknown malware variants as well as advanced persistent threats (APTs). Device Guard uses hardware technology and virtualization to isolate hypervisor-related functions from the rest of the Windows operating system.
API references
  • Symantec Endpoint Protection Manager includes a set of REST APIs that connect to and perform Symantec Endpoint Protection Manager operations from Symantec Advanced Threat Protection (ATP). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. The documentation is located in the following places:
    • On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server: https://SEPM-IP:8446/sepm/restapidocs.html
  • The API for remote monitoring and management (RMM) includes a new command,
    . This command assigns a policy to one or more of the group's Quarantine locations. In addition, the RMM API documentation folder was renamed from
    Tools\Integration to Tools\WebServicesDocumentation
  • The
    service listens for API commands for the Symantec Endpoint Protection Manager.
The tools in this list are located in the installation file that you download from FileConnect in the \Tools folder, unless otherwise noted.
  • DeviceInfo (Mac):
    The DeviceInfo tool lets you obtain the device vendor, model, or serial number for a specific device on the Mac client to use in Device Control policies. The tool is located in the
  • TLS to Microsoft SQL Server database support:
    Symantec Endpoint Protection Manager communicates with the SQL Server over an encrypted channel by default. The SetSQLServerTLSEncryption.bat tool lets you disable or enable TLS encryption between the management server and the Microsoft SQL Server communication. As of version 14, it can be used with the management server installations that are configured to use the Microsoft SQL Server database. You access the tool from
    <installation directory>\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
  • SymDiag replaces SymHelp:
    The SymHelp tool was renamed as the Symantec Diagnostic (SymDiag) tool. SymDiag is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
  • Content Distribution Monitor:
    The Content Distribution Monitor tool monitors management servers, clients, and GUPs in your environment. The tool shows a graphical display of the health and content distribution status, site throughput, and database table records. A new Site Information tab displays the throughput data that is collected after the last heartbeat between this site's management servers and the client computers. The tool is located in the
    folder. In previous versions, this tool was not supported. The tool was also called
  • SEPPrep tool was removed:
    The unsupported SEPPrep tool was used in previous releases to remove third-party competitor's security software and Symantec software remotely or by using a script. The Client Deployment Wizard includes options in the Client Install Settings dialog box to uninstall both third-party products and Symantec products. To uninstall Symantec Endpoint Protection remotely, you can also download the CleanWipe tool from the
  • The Quarantine Server and Quarantine Console folder was removed:
    The Central Quarantine Server and Quarantine Console has been removed from the Symantec Endpoint Protection installation screen and the
    folder. You can still use the Central Quarantine tool, but you can only download it from a previous version of Symantec Endpoint Protection.
Removed or unsupported features
  • Symantec Endpoint Protection Manager no longer supports:
    • An installation on Windows Server 2003, any desktop operating system, or any 32-bit operating system.
    • SQL Server 2005, SQL Server 2008 SP3 and earlier, and SQL Server 2008 R2 SP2 and earlier.
    • Migration from Symantec Endpoint Protection Manager 11.x or 12.0 to 14. You must first upgrade to the latest version of 12.1, or uninstall the older Symantec Endpoint Protection Manager. Symantec Endpoint Protection Manager displays a warning for 11.x or 12.0 to 14 migrations.
    • The ability to import a client installation package for 11.x.
  • The Symantec Endpoint Protection Manager web console no longer supports Internet Explorer 8, 9, or 10.
  • The Symantec Endpoint Protection client no longer supports:
    • An installation on any version of Windows XP / Server 2003.
    • An installation on any version of Windows Embedded that is based on Windows XP, such as Windows Embedded Standard 2009.
    • Mac OS X 10.8.
    • Updates for 11.x or 12.0 clients. Symantec Endpoint Protection 11.x clients can no longer get updated content from Symantec Endpoint Protection Manager. To continue to protect and get the best security possible for 11.x client computers, you should upgrade your clients from version 11.x to 14. You can also run a report that displays which computers still have Symantec Endpoint Protection Manager 11.x or 12.0 installed. Click the
      Monitors > Notifications
      tab to add a notification to display a list of computers with the unsupported 11.x and 12.0 versions installed.
  • Symantec Network Access Control
    reaches end-of-life support between September and November 2017. Version 14 does not support Symantec Network Access Control. If you want to use Symantec Network Access Control, you should use version 12.1.5 or earlier. In addition, the Symantec Endpoint Protection Manager Help no longer includes the documentation on Symantec Network Access Control features.
  • The vShield-enabled Shared Insight Cache (VSIC) and Security Virtual Appliance (SVA) are no longer supported. In the Virus and Spyware Protection policy, the
    Windows Settings > Miscellaneous > Shared Insight Cache
    tab no longer has the
    Enable Shared Insight Cache
    Shared Insight Cache using VMware vShield
    options. Instead, you check or uncheck
    Shared Insight Cache using Network
    . Symantec Endpoint Protection still provides the Shared Insight Cache and Virtual Image Exception features for virtual infrastructures. You can also run Symantec Data Center Security: Server and Symantec Endpoint Protection together.
  • The
    Home page > Common tasks
    menu was removed. The
    Common tasks
    menu was previously a list of the required tasks. To view the list of both common tasks and required tasks, click
    Help > Getting Started page
    . The Getting Started page also appears when you upgrade or when any one of the required tasks have not been completed.
  • The
    Require standard HTTP headers for LiveUpdate connection
    option in the
    LiveUpdate Settings policy > Advanced Settings
    tab was removed. In 12.1.6, you enable this option to require standard HTTP headers for the LiveUpdate connection if the connection used nonstandard headers that your non-Symantec Endpoint Protection firewall might block. By default, Windows, Mac, and Linux clients are required to use standard HTTP headers, so the option is no longer necessary.
  • The options for limited administrators being able to run reports for the clients and the servers that run Symantec AntiVirus 10.x and earlier was removed. Symantec Endpoint Protection does not support or update the content for Symantec AntiVirus clients.
  • The
    Applies To
    column for an
    Exceptions policy > Windows Application Exception
    was removed. The
    Applies To
    column was used for 11.0.x clients and 12.1.x and later clients. Because 11.0.x clients are no longer supported, this information is not needed.
  • You can review a new
    Quick Start Guide
    , which describes how to get Symantec Endpoint Protection installed and running immediately. Use this method if you have fewer than 500 clients with a default installation.
  • Version 14 does not include a
    Getting Started Guide
    . Instead, see the Getting Started chapter of the
    Symantec Endpoint Protection Installation and Administration Guide
    for a customizable installation. This chapter includes the same topics that used to be in the
    Getting Started Guide