Symantec Endpoint Protection
feature dependencies for Windows clients

Some policy features require each other to provide complete protection on Windows client computers.
Symantec recommends that you do not disable Insight lookups.
Dependencies of protection features
Interoperability Notes
Download Protection
Download Protection is part of Auto-Protect and gives
Symantec Endpoint Protection
the ability to track URLs. The URL tracking is required for several policy features.
If you install
Symantec Endpoint Protection
without Download Protection, Download Insight has limited capability. Browser Intrusion Prevention and SONAR require Download Protection.
Automatically trust any file downloaded from an intranet website
option also requires Download Protection.
Download Insight
Download Insight has the following dependencies:
  • Auto-Protect must be enabled
    If you disable Auto-Protect, Download Insight cannot function even if Download Insight is enabled.
  • Insight lookups must be enabled
    Symantec recommends that you keep the Insight lookups option enabled. If you disable the option, you disable Download Insight completely.
If basic Download Protection is not installed, Download Insight runs on the client at level 1. Any level that you set in the policy is not applied. The user also cannot adjust the sensitivity level.
Even if you disable Download Insight, the
Automatically trust any file downloaded from an intranet website
option continues to function.
If you disable Download Insight, you disable portal detections. This means that Auto-Protect and scheduled and on-demand scans evaluate all files as non-portal files and use a sensitivity level that is determined by Symantec.
Insight Lookup (12.1.x clients) and cloud protection
Insight Lookup uses the Symantec Insight reputation database in the cloud to make decisions about files that were downloaded from a supported portal.
Starting in 14:
  • The Insight Lookup functionality runs automatically as part of Auto-Protect, scheduled scans, and on-demand scans on standard and embedded/VDI clients. The standard and embedded/VDI clients support cloud-enabled content.
  • You can enable or disable Insight Lookup in the scan settings for any 12.1.x clients you have, but you can no longer configure a specific sensitivity level for Insight Lookup. Legacy Insight Lookup now uses the sensitivity level that is set in the Download Insight policy.
Cloud scans and 12.1.x Insight Lookup have the following feature dependencies:
  • Insight lookups must be enabled. Otherwise, cloud scans and Insight Lookup cannot function.
  • Download Insight must be enabled so that files can be marked as portal files.
  • If Download Insight is disabled, cloud scans and Insight Lookup continue to function. They use a sensitivity level that is automatically set by Symantec that detects only the most malicious files.
(12.1.x clients only) Cloud lookups do not apply to right-click scans of folders or drives on your client computers. However, cloud lookups do apply to right-click scans of selected portal files.
SONAR has the following dependencies:
  • Download Protection must be installed.
  • Auto-Protect must be enabled.
    If Auto-Protect is disabled, SONAR loses some detection functionality and appears to malfunction on the client. SONAR can detect heuristic threats, however, even if Auto-Protect is disabled.
  • Insight lookups must be enabled.
    Without Insight lookups, SONAR can run but cannot make detections. In some rare cases, SONAR can make detections without Insight lookups. If
    Symantec Endpoint Protection
    has previously cached reputation information about particular files, SONAR might use the cached information.
Browser Intrusion Prevention
Download Protection must be installed. Download Insight can be enabled or disabled.
Trusted Web Domain exception
The exception is only applied if Download Protection is installed.
Custom IPS signatures
Power Eraser
Uses Insight lookups.
Power Eraser uses reputation information to examine files. Power Eraser has a default reputation sensitivity setting that you cannot modify. If you disable the option
Allow Insight lookups for threat detection
, Power Eraser cannot use reputation information from Symantec Insight. Without Insight, Power Eraser makes fewer detections, and the detections are more likely to be false positives.
Power Eraser uses its own reputation thresholds that are not configurable in
Symantec Endpoint Protection Manager
. Power Eraser does not use the Download Insight settings.
Memory Exploit Mitigation
(Generic Exploit Mitigation in version 14)
Intrusion prevention must be installed. Intrusion prevention can be enabled or disabled.