What are the tools included with Symantec Endpoint Protection?

This article describes the tools that are included with Symantec Endpoint Protection and what you use the tools for.
Tools that are located on the installation file
The following tools and documentation are located in the \Tools folder of the Symantec Endpoint Protection installation file that you download from the Broadcom Download Management page.
ApacheReverseProxy (12.1.4 and later)
This tool sets up the Apache webserver in Symantec Endpoint Protection Manager to allow Mac clients and Linux clients to download LiveUpdate content through the web server. The Apache webserver works with the Symantec Endpoint Protection Manager to download and cache the LiveUpdate content for Mac and Linux clients locally whenever new content is published.
This tool is appropriate for networks with a smaller number of clients.
CentralQ (12.1.6 and earlier)
Symantec Endpoint Protection can automatically forward the quarantine packages that contain the infected files and related side effects from a local quarantine to the Central Quarantine. You can gather forensic information more easily by using Central Quarantine. This tool lets you retrieve a sample from an infected computer without having to directly access that computer.
Use the Quarantine Server in a Symantec Endpoint Protection environment in the following cases:
  • To receive suspected threat samples from Symantec Endpoint Protection clients.
  • To submit these samples to Security Response automatically.
  • To download the rapid release definitions that are specific to the suspected threats that have been submitted only to the Quarantine Server. These definitions are not pushed to the Symantec Endpoint Protection clients where the threat originated from.
CleanWipe
CleanWipe uninstalls the Symantec Endpoint Protection product. Only use CleanWipe as a last resort after you have unsuccessfully tried other uninstallation methods, such as the Windows Control Panel.
You can also find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
ContentDistributionMonitor (SEPMMonitor)
The ContentDistributionMonitor tool helps you manage and monitor multiple Group Update Providers (GUPs) in your environment. The tool presents a graphical display of the GUPs' health and content distribution status.
In 12.1.6 and earlier, ContentDistributionMonitor was named SEPMMonitor. In 12.1.5 and earlier, ContentDistributionMonitor was in the NoSupport folder.
Deception (14.0.1)
Deception is used to detect adversary activity at the endpoint using "deceptors." The underlying assumption with this approach is that the attacker has already breached the primary defenses of the network and performs reconnaissance in the environment. The attacker looks to find critical assets, like a domain controller or database credentials.
DeviceInfo (14), DevViewer
DeviceInfo (for Mac; as of version 14) and DevViewer (for Windows) obtain the device vendor, model, or serial number for a specific device. You add this information to the Hardware Devices list. You can then add the device ID to a Device Control policy to allow or block a device on client computers.
Integration (WebServicesDocumentation)
As of version 14, the Integration folder was renamed to WebServicesDocumentation.
ITAnalytics
The IT Analytics software expands the built-in reporting that Symantec Endpoint Protection offers by enabling you to create custom reports and custom queries. It brings multi-dimensional analysis and graphical reporting features from the data that is contained within the Symantec Endpoint Protection Manager databases. This functionality allows you to explore data on your own, without advanced knowledge of databases or third-party reporting tools.
JAWS
The JAWS screen reader program and a set of scripts make it easier to read the Symantec Endpoint Protection menus and dialogs. JAWS is an assistive technology that provides compliance with Section 508 product accessibility.
LiveUpdate Administrator (12.1.4 and earlier)
Symantec LiveUpdate Administrator is a standalone web application that is separate from Symantec Endpoint Protection. LiveUpdate Administrator mirrors the content of the public LiveUpdate servers and then offers the content to Symantec products internally through a built-in web server.
LiveUpdate Administrator is an optional component for Symantec Endpoint Protection and is not required to update the Symantec Endpoint Protection clients. By default, the Symantec Endpoint Protection Manager uses the LiveUpdate technology rather than LiveUpdate Administrator to download content directly from the Symantec public LiveUpdate servers.
You may want to use LiveUpdate Administrator in some circumstances. For example, you may need to download content to a large number of non-Windows clients, or to clients if Symantec Endpoint Protection Manager cannot download the content. In that case, you can install a LiveUpdate Administrator server and then configure the Symantec Endpoint Protection Manager to download from it.
To download LiveUpdate Administrator and the documentation, see: Download LiveUpdate Administrator (LUA)
No Support > MoveClient
MoveClient is a Visual Basic script that moves clients from one Symantec Endpoint Protection Manager group to another group based on the client's host name, user name, IP address, or operating system. It can also switch clients from user mode to computer mode and vice versa.
No Support > Qextract
Qextract extracts and restores files from the client's local quarantine. You might need this tool if the client quarantines a file that you determine is a false positive.
No Support > SEPprep (12.1.6 and earlier)
SEPprep is an unsupported tool that uninstalls competitors' antivirus products automatically. SEPprep also uninstalls Symantec Norton products if you want to migrate from Norton to Symantec Endpoint Protection.
You can package SEPprep in a script that uninstalls the competitor's product and then launches the Symantec Endpoint Protection installer automatically and silently.
Instead of SEPprep, use the Client Deployment Wizard to uninstall competitors' products. On the Client Install Settings tab in the wizard, click Automatically uninstall existing third-party security software.
For a list of products that the Client Deployment Wizard uninstalls, see:
SEPprep does not uninstall any Symantec products. However, as of version 14, CleanWipe is built into the Client Deployment Wizard to remove other Symantec products, including the Symantec Endpoint Protection client.
OfflineImageScanner (12.1.6 and earlier)
This tool scans and detects threats in offline VMware virtual disks (.vmdk files).
PushDeploymentWizard
You use the Push Deployment Wizard to deploy the Symantec Endpoint Protection client installation package to target computers. Push Deployment Wizard is the same as the Client Deployment Wizard in Symantec Endpoint Protection Manager. You typically use it to deploy to smaller groups of computers or remote computers.
SEPIntegrationComponent (12.1.5 and earlier)
The Symantec Endpoint Integration Component (SEPIC) combines Symantec Endpoint Protection with other Symantec Management Platform solutions using a single, web-based Symantec Management Console. You use SEPIC to inventory computers, update patches, deliver software, and deploy new computers. You can also back up and restore your systems and data, manage DLP agents, and manage Symantec Endpoint Protection clients.
SylinkDrop
The Sylink.xml file includes communication settings between the Windows client or Mac client and a Symantec Endpoint Protection Manager. If the clients have lost communication with Symantec Endpoint Protection Manager, use the SylinkDrop tool to automatically replace the existing Sylink.xml file with a new Sylink.xml file on the client computer.
Replacing the Sylink.xml file does the following tasks:
  • Converts an unmanaged client to a managed client.
  • Migrates or moves clients to a new domain or management server.
  • Restores the communication breakages to the client that cannot be corrected on the management server.
  • Moves a client from one server to another server that is not a replication partner.
  • Moves a client from one domain to another.
For Windows clients only, you can also use the copy of this tool that is installed in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
SymDiag (SymHelp)
As of version 14, the SymHelp tool was renamed Symantec Diagnostic (SymDiag).
SymDiag is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
SymDiag also provides licensing and maintenance status for some Symantec products, as well as the Threat Analysis Scan, which helps to find potential malware.
Virtualization
The virtualization tools improve scan performance for the clients that are installed in virtual desktop infrastructure (VDI) environments.
  • SecurityVirtualAppliance (12.1.6 and earlier)
    The Symantec Security Virtual Appliance contains the vShield-enabled Shared Insight Cache for VMware vShield infrastructures.
  • SharedInsightCache
    The Shared Insight Cache tool improves scan performance in virtualized environments by not scanning the files that a Symantec Endpoint Protection client has determined are clean. When the client scans a file for threats and determines it is clean, the client submits information about the file to Shared Insight Cache.
    When another client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache.
    Shared Insight Cache is a web service that runs independently of the client. However, Symantec Endpoint Protection must be configured to specify the location of Shared Insight Cache so that the clients can communicate with it. Shared Insight Cache communicates with the clients through HTTP or HTTPS. The client's HTTP connection is maintained until the scan is finished.
  • Virtual Image Exception
    To increase performance and security in a VDI environment, a common practice is to leverage base images to build virtual machine sessions as needed. The Symantec Virtual Image Exception tool lets Symantec Endpoint Protection clients bypass scanning base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in a VDI environment.
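The query-then-scan flow described for Shared Insight Cache, as a small Python model added here to show the mechanism. This is not Symantec's code or wire protocol: the SHA-256 keying, the in-memory verdict dictionary and the stand-in scanner are all assumptions made for the example, and the sample file contents are constructed.

```python
import hashlib

CLEAN = "clean"
INFECTED = "infected"


class SharedInsightCache:
    """Toy stand-in for the cache web service: verdicts keyed by file hash.
    Assumption: the real service is a separate HTTP(S) service; this dict
    only models the query/submit behaviour the description gives."""

    def __init__(self):
        self._verdicts = {}

    def query(self, digest):
        # None means no client has reported this file yet.
        return self._verdicts.get(digest)

    def submit(self, digest, verdict):
        self._verdicts[digest] = verdict


def file_digest(data):
    # Keying by content hash means any change to the file yields a new key,
    # so a modified file is rescanned instead of being served a stale verdict.
    return hashlib.sha256(data).hexdigest()


def scan_with_cache(data, cache, scanner):
    """Return (verdict, scanned). scanned is False only when a cached clean
    verdict let this client skip its local scan entirely."""
    digest = file_digest(data)
    if cache.query(digest) == CLEAN:
        return CLEAN, False
    verdict = scanner(data)          # unknown or not-clean files are scanned locally
    cache.submit(digest, verdict)    # share the result with the other clients
    return verdict, True


def demo_scanner(data):
    # Constructed stand-in for the client's real scan engine.
    return INFECTED if b"MALICIOUS-MARKER" in data else CLEAN


def demo():
    cache = SharedInsightCache()
    clean = b"MZ\x90\x00 constructed clean sample"
    bad = b"constructed MALICIOUS-MARKER sample"
    first = scan_with_cache(clean, cache, demo_scanner)          # scanned, then cached
    second = scan_with_cache(clean, cache, demo_scanner)         # cache hit, scan skipped
    third = scan_with_cache(bad, cache, demo_scanner)            # scanned, result shared
    fourth = scan_with_cache(bad, cache, demo_scanner)           # not clean: scanned again
    changed = scan_with_cache(clean + b"!", cache, demo_scanner)  # new hash: scanned again
    return first, second, third, fourth, changed


if __name__ == "__main__":
    print(demo())
```

Only a clean verdict short-circuits the scan; a not-clean verdict is cached for sharing but still triggers a local scan, which matches the behaviour the description gives.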
WebServicesDocumentation (Integration)
In 12.1.6 and earlier, this tool is located in the \Tools\Integration folder.
Symantec Endpoint Protection includes a set of public APIs in the form of web services to provide support for remote monitoring and management (RMM) applications. The web services provide functions on the client and on the management server. All calls to Symantec Endpoint Protection web services are authenticated using OAuth and allow access only by authorized Symantec Endpoint Protection administrators. Developers use these APIs to integrate their company's third-party network security solution with the Symantec Endpoint Protection management server and client.
These web services provide the support for remote management and remote monitoring. Remote management is provided by means of public APIs in the form of web services that let you integrate your third-party solution or custom console with basic client and management server functionality. Remote monitoring is provided by means of publicly supported registry keys and Windows event logging.
Web services for remote management can do the following tasks:
  • Report the license status and content status on the management server by web service calls, in addition to reporting the license status to the Windows Event Log.
  • Issue commands to the client, such as Update, Update and Scan, and Restart.
  • Manage the policies that are delivered to the client. Policies can be imported from another management server, and they can be assigned to groups or locations at another management server.
Tools that are installed with Symantec Endpoint Protection Manager
The following tools are installed with the Symantec Endpoint Protection Manager in the following default location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
CollectLog
CollectLog.cmd places the Symantec Endpoint Protection Manager logs in a compressed .zip file. You send the .zip file to Symantec Support or another administrator for troubleshooting purposes.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Database Validator
You use dbvalidator.bat to help Support diagnose a problem with the database that Symantec Endpoint Protection Manager runs.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
SetSQLServerTLSEncryption (14)
Symantec Endpoint Protection Manager communicates with the Microsoft SQL Server over an encrypted channel by default. This tool lets you disable or enable TLS encryption for the communication between the management server and the Microsoft SQL Server. As of version 14, it can be used with the management server installations that are configured to use the Microsoft SQL Server database.
This tool is installed with Symantec Endpoint Protection Manager in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager API reference (14)
Symantec Endpoint Protection Manager includes a set of REST APIs that connect to and perform Symantec Endpoint Protection Manager operations from Endpoint Detection and Response (EDR). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. The documentation is located in the following places:
  • On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server:
    https://SEPM-IP:8446/sepm/restapidocs.html
    IP address includes IPv4 and IPv6. You must enclose the IPv6 address with square brackets:
    http://[SEPMServer]:port number
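The IPv6 bracketing rule above, applied in a few lines of Python added here as an example (not Symantec's code). The builder accepts a hostname, an IPv4 literal or an IPv6 literal and brackets only the last; the parser shows why the brackets matter, since an unbracketed IPv6 literal cannot be separated from the port. The port 8446 and the restapidocs.html path come from the page; the sample addresses and hostname are documentation values, not real servers.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORT = 8446   # port of the REST API documentation page named above


def restapidocs_url(host, port=DEFAULT_PORT, scheme="https"):
    """Build the REST API documentation URL for a hostname or IP literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        netloc_host = host                      # not an IP literal: treat as a hostname
    else:
        if addr.version == 6:
            netloc_host = f"[{addr.compressed}]"  # IPv6 literals must be bracketed
        else:
            netloc_host = str(addr)
    return f"{scheme}://{netloc_host}:{port}/sepm/restapidocs.html"


def host_and_port(url):
    """Parse a URL back into (hostname, port), or None when the host and port
    cannot be told apart (the unbracketed-IPv6 mistake)."""
    try:
        parts = urlsplit(url)
        return parts.hostname, parts.port
    except ValueError:
        return None


if __name__ == "__main__":
    for host in ("192.0.2.10", "2001:db8::1", "sepm.example.test"):
        url = restapidocs_url(host)
        print(url, "->", host_and_port(url))
    # The unbracketed form cannot be parsed back into host and port:
    print(host_and_port("https://2001:db8::1:8446/sepm/restapidocs.html"))
```

Uncompressed IPv6 input is normalised to its compressed form before bracketing, so two spellings of the same address produce the same URL.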