What are the tools included with Symantec Endpoint Protection?
This article describes the tools that are included with Symantec Endpoint Protection and what you use the tools for.
Tools that are located on the installation file
The following tools and documentation are located in the \Tools folder of the Symantec Endpoint Protection installation file that you download from the Broadcom Download Management page.
ApacheReverseProxy (12.1.4 and later)
This tool sets up the Apache web server in Symantec Endpoint Protection Manager to allow Mac clients and Linux clients to download LiveUpdate content through the web server. The Apache web server works with the Symantec Endpoint Protection Manager to download and cache the LiveUpdate content for Mac and Linux clients locally whenever new content is published.
This tool is appropriate for networks with a smaller number of clients.
CentralQ (12.1.6 and earlier)
Symantec Endpoint Protection can automatically forward the quarantine packages that contain the infected files and related side effects from a local quarantine to the Central Quarantine. You can gather forensic information more easily by using Central Quarantine. This tool lets you retrieve a sample from an infected computer without having to directly access that computer.
Use the Quarantine Server in a Symantec Endpoint Protection environment in the following cases:
- To receive suspected threat samples from Symantec Endpoint Protection clients.
- To submit these samples to Security Response automatically.
- To download the rapid release definitions that are specific to the suspected threats that have been submitted only to the Quarantine Server. These definitions are not pushed to the Symantec Endpoint Protection clients where the threat originated.
For more information, see: Best Practices for using Quarantine Server in a Symantec Endpoint Protection environment
CleanWipe
CleanWipe uninstalls the Symantec Endpoint Protection product. Only use CleanWipe as a last resort after you have unsuccessfully tried other uninstallation methods, such as the Windows Control Panel.
You can also find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
ContentDistributionMonitor
The ContentDistributionMonitor tool helps you manage and monitor multiple Group Update Providers (GUPs) in your environment. The tool presents a graphical display of the GUPs' health and content distribution status.
In 12.1.6 and earlier, this tool was called SEPMMonitor. In 12.1.5 and earlier, ContentDistributionMonitor was in the
Deception
Deception is used to detect adversary activity at the endpoint using "deceptors." The underlying assumption with this approach is that the attacker has already breached the primary defenses of the network and performs reconnaissance in the environment. The attacker looks to find critical assets, like a domain controller or database credentials.
DeviceInfo (14), DevViewer
DeviceInfo (for Mac; as of version 14) and DevViewer (for Windows) obtain the device vendor, model, or serial number for a specific device. You add this information to the Hardware Devices list. You can then add the device ID to a Device Control policy to allow or block a device on client computers.
As of version 14, the Integration folder was renamed to
IT Analytics
The IT Analytics software expands the built-in reporting that Symantec Endpoint Protection offers by enabling you to create custom reports and custom queries. It brings multi-dimensional analysis and graphical reporting features to the data that is contained within the Symantec Endpoint Protection Manager databases. This functionality allows you to explore data on your own, without advanced knowledge of databases or third-party reporting tools.
JAWS
The JAWS screen reader program and a set of scripts make it easier to read the Symantec Endpoint Protection menus and dialogs. JAWS is an assistive technology that provides compliance with Section 508 product accessibility.
LiveUpdate Administrator (12.1.4 and earlier)
Symantec LiveUpdate Administrator is a standalone web application that is separate from Symantec Endpoint Protection. LiveUpdate Administrator mirrors the content of the public LiveUpdate servers and then offers the content to Symantec products internally through a built-in web server.
LiveUpdate Administrator is an optional component for Symantec Endpoint Protection and is not required to update the Symantec Endpoint Protection clients. By default, the Symantec Endpoint Protection Manager uses the LiveUpdate technology rather than LiveUpdate Administrator to download content directly from the Symantec public LiveUpdate servers.
You may want to use LiveUpdate Administrator in some circumstances. For example, you may need to download content to a large number of non-Windows clients, or to clients if Symantec Endpoint Protection Manager cannot download the content. In that case, you can install a LiveUpdate Administrator server and then configure the Symantec Endpoint Protection Manager to download from it.
To download LiveUpdate Administrator and the documentation, see: Download LiveUpdate Administrator (LUA)
No Support > MoveClient
MoveClient is a Visual Basic script that moves clients from one Symantec Endpoint Protection Manager group to another group based on the client's host name, user name, IP address, or operating system. It can also switch clients from user mode to computer mode and vice versa.
No Support > Qextract
Qextract extracts and restores files from the client's local quarantine. You might need this tool if the client quarantines a file that you determine is a false positive.
No Support > SEPprep (12.1.6 and earlier)
SEPprep is an unsupported tool that uninstalls competitors' antivirus products automatically. SEPprep also uninstalls Symantec Norton™ products if you want to migrate from Norton to Symantec Endpoint Protection.
You can package SEPprep in a script that uninstalls the competitor's product and then launches the Symantec Endpoint Protection installer automatically and silently.
Instead of SEPprep, use the Client Deployment Wizard to uninstall competitors' products. On the Client Install Settings tab in the wizard, click Automatically uninstall existing third-party security software.
For a list of products that the Client Deployment Wizard uninstalls, see:
SEPprep does not uninstall any Symantec products. However, as of version 14, CleanWipe is built into the Client Deployment Wizard to remove other Symantec products, including the Symantec Endpoint Protection client.
OfflineImageScanner (12.1.6 and earlier)
This tool scans and detects threats in offline VMware virtual disks (.vmdk files).
Push Deployment Wizard
You use the Push Deployment Wizard to deploy the Symantec Endpoint Protection client installation package to target computers. The Push Deployment Wizard is the same as the Client Deployment Wizard in Symantec Endpoint Protection Manager. You typically use it to deploy to smaller groups of computers or to remote computers.
For more information, see: Overview of the Push Deployment Wizard in Symantec Endpoint Protection
SEPIntegrationComponent (12.1.5 and earlier)
The Symantec Endpoint Integration Component (SEPIC) combines Symantec Endpoint Protection with other Symantec Management Platform solutions using a single, web-based Symantec Management Console. You use SEPIC to inventory computers, update patches, deliver software, and deploy new computers. You can also back up and restore your systems and data, manage DLP agents, and manage Symantec Endpoint Protection clients.
SylinkDrop
The Sylink.xml file includes the communication settings between the Windows client or Mac client and a Symantec Endpoint Protection Manager. If the clients have lost communication with Symantec Endpoint Protection Manager, use the SylinkDrop tool to automatically replace the existing Sylink.xml file with a new Sylink.xml file on the client computer.
Replacing the Sylink.xml file does the following tasks:
- Converts an unmanaged client to a managed client.
- Migrates or moves clients to a new domain or management server.
- Restores communication breakages on the client that cannot be corrected on the management server.
- Moves a client from one server to another server that is not a replication partner.
- Moves a client from one domain to another.
This tool is for Windows clients only. You can also find the tool in the following location (64-bit):
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
SymDiag
As of version 14, the SymHelp tool was renamed Symantec Diagnostic (SymDiag).
SymDiag is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
SymDiag also provides licensing and maintenance status for some Symantec products, as well as the Threat Analysis Scan, which helps to find potential malware.
Virtualization tools
The virtualization tools improve scan performance for the clients that are installed in virtual desktop infrastructure (VDI) environments.
- SecurityVirtualAppliance (12.1.6 and earlier): The Symantec Security Virtual Appliance contains the vShield-enabled Shared Insight Cache for VMware vShield infrastructures.
- SharedInsightCache: The Shared Insight Cache tool improves scan performance in virtualized environments by not scanning the files that a Symantec Endpoint Protection client has determined are clean. When the client scans a file for threats and determines it is clean, the client submits information about the file to Shared Insight Cache. When another client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache. Shared Insight Cache is a web service that runs independently of the client. However, Symantec Endpoint Protection must be configured to specify the location of Shared Insight Cache so that the clients can communicate with it. Shared Insight Cache communicates with the clients through HTTP or HTTPS. The client's HTTP connection is maintained until the scan is finished.
- Virtual Image Exception: To increase performance and security in a VDI environment, a common practice is to leverage base images to build virtual machine sessions as needed. The Symantec Virtual Image Exception tool lets Symantec Endpoint Protection clients bypass scanning base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in a VDI environment.
In 12.1.6 and earlier, this tool is located in the \Tools\Integration folder.
Symantec Endpoint Protection includes a set of public APIs in the form of web services to provide support for remote monitoring and management (RMM) applications. The web services provide functions on the client and on the management server. All calls to Symantec Endpoint Protection web services are authenticated using OAuth and allow access only by authorized Symantec Endpoint Protection administrators. Developers use these APIs to integrate their company's third-party network security solution with the Symantec Endpoint Protection management server and client.
The web services provide support for remote management and remote monitoring. Remote management is provided by means of public APIs in the form of web services that let you integrate your third-party solution or custom console with basic client and management server functionality. Remote monitoring is provided by means of publicly supported registry keys and Windows event logging.
Web services for remote management can do the following tasks:
- Report the license status and content status on the management server by web service calls, in addition to reporting the license status to the Windows Event Log.
- Issue commands to the client, such as Update, Update and Scan, and Restart.
- Manage the policies that are delivered to the client. Policies can be imported from another management server, and they can be assigned to groups or locations at another management server.
Tools that are installed with Symantec Endpoint Protection Manager
The following tools are installed with the Symantec Endpoint Protection Manager in the following default location:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
CollectLog.cmd
CollectLog.cmd places the Symantec Endpoint Protection Manager logs in a compressed .zip file. You send the .zip file to Symantec Support or another administrator for troubleshooting purposes.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
dbvalidator.bat
You use dbvalidator.bat to help Support diagnose a problem with the database that Symantec Endpoint Protection Manager runs.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager communicates with the Microsoft SQL Server over an encrypted channel by default. This tool lets you disable or enable TLS encryption for communication between the management server and the Microsoft SQL Server. As of version 14, it can be used with management server installations that are configured to use the Microsoft SQL Server database.
This tool is installed with Symantec Endpoint Protection Manager in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager API reference (14)
Symantec Endpoint Protection Manager includes a set of REST APIs that connect to and perform Symantec Endpoint Protection Manager operations from Endpoint Detection and Response (EDR). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. The documentation is located in the following places:
- On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server: https://SEPM-IP:8446/sepm/restapidocs.html. The IP address can be IPv4 or IPv6. You must enclose an IPv6 address in square brackets: http://[SEPMServer]:port number
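As an added example (not code from the Broadcom article), the following Python builds the REST API documentation URL from a server address, applying the IPv6 square-bracket rule described above, and flags common mistakes in a hand-typed URL. The port 8446 and the /sepm/restapidocs.html path come from the text; the checker logic and the sample addresses are my own.

```python
import ipaddress
from urllib.parse import urlsplit

SEPM_REST_PORT = 8446                      # port stated in the article
RESTAPIDOCS_PATH = "/sepm/restapidocs.html"  # path stated in the article


def format_host(address):
    """Return the host part of a URL. IPv6 literals must be bracketed,
    IPv4 literals are used as-is, and anything else is treated as a DNS name."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return address            # not an IP literal: assume a host name
    return f"[{ip.compressed}]" if ip.version == 6 else str(ip)


def restapidocs_url(address, port=SEPM_REST_PORT):
    """Build the https URL of the SEPM REST API documentation page."""
    return f"https://{format_host(address)}:{port}{RESTAPIDOCS_PATH}"


def check_url(url):
    """Return a list of problems found in a manually typed docs URL
    (empty list means the URL matches the documented form)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme should be https")
    netloc = parts.netloc
    # More than one ':' in an unbracketed netloc means a raw IPv6 literal;
    # the port and path cannot be parsed reliably from it, so stop here.
    if netloc.count(":") > 1 and not netloc.startswith("["):
        problems.append("IPv6 address must be enclosed in square brackets")
        return problems
    try:
        port = parts.port
    except ValueError:            # non-numeric port text
        port = None
    if port != SEPM_REST_PORT:
        problems.append(f"port should be {SEPM_REST_PORT}")
    if parts.path != RESTAPIDOCS_PATH:
        problems.append(f"path should be {RESTAPIDOCS_PATH}")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges, not real servers).
    for addr in ("192.0.2.10", "2001:db8::1"):
        print(restapidocs_url(addr))
```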