Tools that are included with Symantec Endpoint Protection

This article describes the tools that are included with
Symantec Endpoint Protection
and what you use the tools for.

Tools that are located on the installation file

The following tools and documentation are located in the \Tools folder of the
Symantec Endpoint Protection
installation file that you download from the Broadcom Download Management page.
You can find many of the Help files for these tools in the tools zip file at:
This tool sets up the Apache webserver in Symantec Endpoint Protection Manager to allow Mac clients and Linux clients to download LiveUpdate content through the web server. The Apache webserver works with the
Symantec Endpoint Protection Manager
to download and cache the LiveUpdate content for Mac and Linux clients locally whenever new content is published.
This tool is appropriate for networks with a smaller number of clients.
CleanWipe uninstalls the
Symantec Endpoint Protection
product. Only use CleanWipe as a last resort after you have unsuccessfully tried other uninstallation methods, such as the Windows Control Panel. See:
You can also find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
ContentDistributionMonitor (SEPMMonitor)
The Content Distribution Monitor helps monitor Group Update Provider (GUP) health and status as well as general content deployment. This tool is a lightweight, standalone tool designed to be run directly on the Symantec Endpoint Protection Manager (SEPM) server, and should return a graphical display of the content distribution status.
Deception is used to detect adversary activity at the endpoint using "deceptors." The underlying assumption with this approach is that the attacker has already breached the primary defenses of the network and performs reconnaissance in the environment. The attacker looks to find critical assets, like a domain controller or database credentials.
DeviceInfo, DevViewer
DeviceInfo (for Mac; as of version 14) and DevViewer (for Windows) obtains the device vendor, model, or serial number for a specific device. You add this information to the
Hardware Devices
list. You can then add the device ID to a Device Control policy to allow or block a device on client computers.
Download DevViewer from the Attachments section at:
For more information, see:
The IT Analytics software expands the built-in reporting that
Symantec Endpoint Protection
offers by enabling you to create custom reports and custom queries. It brings multi-dimensional analysis and graphical reporting features from the data that is contained within the
Symantec Endpoint Protection Manager
databases. This functionality allows you to explore data on your own, without advanced knowledge of databases or third-party reporting tools.
The JAWS screen reader program and a set of scripts make it easier to read the
Symantec Endpoint Protection
menus and dialogs. JAWS is an assistive technology that provides compliance with Section 508 product accessibility.
LiveUpdate Administrator
Symantec LiveUpdate Administrator is a standalone web application that is separate from
Symantec Endpoint Protection
. LiveUpdate Administrator mirrors the content of the public LiveUpdate servers and then offers the content to Symantec products internally through a built-in web server.
LiveUpdate Administrator is an optional component for
Symantec Endpoint Protection
and is not required to update the
Symantec Endpoint Protection
clients. By default, the
Symantec Endpoint Protection Manager
uses the LiveUpdate technology rather than LiveUpdate Administrator to download contents directly from the Symantec public LiveUpdate servers.
You may want to use LiveUpdate Administrator in some circumstances. For example, you may need to download content to a large number of non-Windows clients or to clients if
Symantec Endpoint Protection Manager
cannot download the content. Therefore, you can install a LiveUpdate Administrator server and then configure the
Symantec Endpoint Protection Manager
to download from it. See:
To download LiveUpdate Administrator and the documentation, see:
No Support > MoveClient
is a Visual Basic script that moves clients from one
Symantec Endpoint Protection Manager
group to another group based on the client's host name, user name, IP address, or operating system. It also can switch clients from user mode to computer mode and vice versa. See:
No Support > Qextract
extracts and restores files from the client's local quarantine. You might need this tool if the client quarantines a file that you determine is a false positive.
You use the Push Deployment Wizard to deploy the
Symantec Endpoint Protection
client installation package to target computers. Push Deployment Wizard is the same as the Client Deployment Wizard in
Symantec Endpoint Protection Manager
. You typically use it to deploy to smaller groups of computers or remote computers. See:
The Sylink.xml file includes communication settings between the Windows client or Mac client and a Symantec Endpoint Protection Manager. If the clients have lost the communication with
Symantec Endpoint Protection Manager
, use the SylinkDrop tool to automatically replace the existing Sylink.xml file with a new Sylink.xml file on the client computer.
Replacing the Sylink.xml file does the following tasks:
  • Converts an unmanaged client to a managed client.
  • Migrates or moves clients to a new domain or management server.
  • Restores the communication breakages to the client that cannot be corrected on the management server.
  • Moves a client from one server to another server that is not a replication partner.
  • Moves a client from one domain to another.
You can also use this tool for Windows clients only; the tool is located in the following location (64-bit):
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
For more information, see:
SymDiag (SymHelp)
As of version 14, the SymHelp tool was renamed as Symantec Diagnostic (SymDiag).
is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
also provides licensing and maintenance status for some Symantec products as well as the Threat Analysis Scan, which helps to find potential malware.
The virtualization tools improve scan performance for the clients that are installed in virtual desktop infrastructure (VDI) environments.
  • SharedInsightCache
    The Shared Insight Cache tool improves scan performance in virtualized environments by not scanning the files that a
    Symantec Endpoint Protection
    client has determined are clean. When the client scans a file for threats and determines it is clean, the client submits information about the file to Shared Insight Cache.
    When another client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache.
    Shared Insight Cache is a web service that runs independently of the client. However,
    Symantec Endpoint Protection
    must be configured to specify the location of Shared Insight Cache so that the clients can communicate with it. Shared Insight Cache communicates with the clients through HTTP or HTTPS. The client's HTTP connection is maintained until the scan is finished. See:
  • Virtual Image Exception
    To increase performance and security in a VDI environment, a common practice is to leverage base images to build virtual machine sessions as needed. The Symantec Virtual Image Exception tool lets
    Symantec Endpoint Protection
    clients bypass scanning base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in a VDI environment. See:
Symantec Endpoint Protection
includes a set of public APIs in the form of web services to provide support for remote monitoring and management (RMM) applications. The web services provide functions on the client and on the management server. All calls to
Symantec Endpoint Protection
web services are authenticated using
and allow access only by authorized
Symantec Endpoint Protection
administrators. Developers use these APIs to integrate their company's third-party network security solution with the
Symantec Endpoint Protection
management server and client.
Provides the support for remote management and remote monitoring. Remote management is provided by means of public APIs in the form of web services that let you integrate your third-party solution or custom console with basic client and management server functionality. Remote monitoring is provided by means of publicly supported registry keys and Windows event logging.
Web services for remote management can do the following tasks:
  • Reports the license status and content status on the management server by web service calls, in addition to reporting the license status to the Windows Event Log.
  • Issues commands to the client, such as Update, Update and Scan, and Restart.
  • Manages the policies that are delivered to the client. Policies can be imported from another management server, and they can be assigned to groups or locations at another management server.

Tools that are installed with Symantec Endpoint Protection Manager

The following tools are installed with the
Symantec Endpoint Protection Manager
in the following default location:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
CollectLog.cmd places the
Symantec Endpoint Protection Manager
logs in a compressed .zip file. You send the .zip file to Symantec Support or another administrator for troubleshooting purposes.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Database Validator
You use dbvalidator.bat to help Support diagnose a problem with the database that
Symantec Endpoint Protection Manager
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager
communicates with the Microsoft SQL Server over an encrypted channel by default. This tool lets you disable or enable TLS encryption between the management server and the Microsoft SQL Server communication. As of version 14, it can be used with the management server installations that are configured to use the Microsoft SQL Server database.
This tool is installed with Symantec Endpoint Protection Manager in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager
API reference
Symantec Endpoint Protection Manager
includes a set of REST APIs that connect to and perform
Symantec Endpoint Protection Manager
operations from Endpoint Detection and Response (EDR). You use the APIs if you do not have access to
Symantec Endpoint Protection Manager
. The documentation is located in the following places:
  • On the
    Symantec Endpoint Protection Manager
    server at the following address, where
    is the IP address of the
    Symantec Endpoint Protection Manager
    IP address includes IPv4 and IPv6. You must enclose the IPv6 address with square brackets:
    port number