What's new for Symantec Endpoint Protection 14.3 RU1?

This section describes the new features in this release.
Protection Features
  • Includes the new Symantec Mac Agent and the Symantec Linux Agent that can be installed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager cloud console.
  • Prevents new and unknown threats on macOS by monitoring file behaviors in real time. The new Mac Agent includes behavioral protection (SONAR), which uses artificial intelligence and advanced machine learning to stop new, zero-day threats.
  • Blocks untrusted non-portable executable (non-PE) files such as PDF files and scripts (PowerShell, JavaScript, and VBScript) that are not yet identified as a threat. In the Exceptions policy, click Windows Exceptions > File Access.
  • Prevents web threats based on the reputation score of a web page. The Intrusion Prevention policy includes URL reputation filtering, which blocks web pages with reputation scores below a specific threshold. Reputation scores range from -10 (bad) to +10 (good). The Enable URL Reputation option is enabled by default.
  • You can force Symantec Endpoint Protection to learn an application based on the application's hash value. In the Exceptions policy, click Windows Exceptions > Application > Add an Application by Fingerprint.
  • Protects endpoints and users from web-based attacks on malicious sites using the Network Traffic Redirection feature. Network Traffic Redirection redirects all network traffic (any port) or just web-based traffic (ports 80 and 443) to the Symantec Web Security Service, which allows or blocks network traffic and SaaS application access based on the enterprise policy. The Network Traffic Redirection policy has a new redirection method called the tunnel method. The tunnel method automatically redirects all Internet traffic to the Symantec WSS, where the traffic is allowed or blocked based on the Symantec Web Security Service policies. The tunnel method is considered a beta feature. You should perform thorough testing with your applications against your WSS policies. Broadcom has a beta website that offers a testing guide and a place to leave feedback on your experience. Log on to the following website using your Broadcom credentials: Validate.broadcom.com.
  • The Integrations policy was renamed to the Network Traffic Redirection policy.
  • Provides support for MITRE-enriched events in Symantec EDR. The MITRE ATT&CK framework provides context on what is happening in your environment.
  • Provides support for the following Symantec EDR events, which expose more visibility into the endpoints:
    • AMSI events provide visibility into threat actor methods that can evade traditional command-line interrogation.
    • ETW events provide visibility into events happening on managed Windows endpoints.
  • Includes the ability to run both Windows Defender and Symantec Endpoint Protection on the same computer. The Auto-Protect scan runs after Windows Defender and can detect any threats that Windows Defender misses. The Coexist with Windows Defender option ensures that Auto-Protect runs in case Microsoft Defender is disabled. To disable the option, click the Virus and Spyware Protection policy > Miscellaneous > Miscellaneous tab.
  • Attack chain mitigation is now supported for hybrid-managed clients.
Symantec Endpoint Protection Manager
  • The embedded database was updated to Microsoft SQL Server Express. The SQL Server Express database stores policies and security events more efficiently than the previous embedded database and is installed automatically with the Symantec Endpoint Protection Manager.
  • During the installation or upgrade of the Symantec Endpoint Protection Manager, the Management Server Configuration wizard:
    • Automatically installs LiveUpdate content.
    • Provides an option to use a TLS certificate for secure communication between SQL Server and the Symantec Endpoint Protection Manager.
  • LiveUpdate uses a new engine in Symantec Endpoint Protection Manager, which is optimized to run on the cloud console. The new engine no longer supports the FTP method or the LAN method for specifying an internal LiveUpdate server from which to download content to the Symantec Endpoint Protection Manager.
  • The Automatically uninstall existing third-party security software option that was not available in 14.3 MP1 is available again in 14.3 RU1 in an updated version. This option is used to uninstall third-party security software. To access this option, click Admin page > Packages > Client Install Settings.
  • The Client Deployment Wizard that is used to deploy client packages must have its credentials verified and must be able to connect to the Symantec Endpoint Protection Manager. If the verification process fails, the client deployment process stops to keep Active Directory user accounts from being locked.
  • The Computer Status logs and reports now let you select a range for the Client version and IPS version fields. The Product version filter was renamed to Client version.
  • The Disable the notification area icon option is available for clients that run on a terminal server and that cause high CPU usage and memory usage. You can now disable the notification area icon, also known as the system tray icon, to prevent multiple instances of user session processes (such as SmcGui.exe and ccSvcHost.exe) from running. For clients that run on a terminal server, the Disable the notification area icon option overrides the registry key setting in HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\LaunchSMCGui. Instead of manually changing this key, you now manage it through policy. As a best practice, move clients that are on a terminal server into the same group before you upgrade. For clients that do not run on a terminal server, keep this setting disabled. This option takes effect only after the client smc service is restarted. You enable this option on the Clients > Policies tab > General > General Settings tab.
  • Updated the whitelist and blacklist modes to reflect the allow and block functionality. On the Clients page > Policies tab > System Lockdown dialog box, the application file list modes changed from Whitelist Mode and Blacklist Mode to Allow Mode and Deny Mode.
  • On the Admin page > Servers tab > Configure External Logging > General tab, the Master Logging Server option changed to Primary Logging Server.
  • The System log type > Administrative log and the Audit log now list the computer name.
  • Client firewall logs are collected so that you get fewer notifications on the cloud console.
  • Replaced Oracle Java SE with OpenJDK.
  • Updated the third-party component jQuery to a newer version.
Client and platform updates
  • The Windows client supports Windows 10 20H2 (Windows 10 version 2009).
  • The Mac client supports macOS 11 (Big Sur) on an Intel Core i5 processor or later.
  • Moved the legacy Mac client installation packages to the AdditionalPackages folder.
Features Removed
  • The Risk severity and Risk Distribution by Severity options were removed from notifications and reports.
  • The CASMA tab and Analyze command were removed, as this functionality was deprecated in 14.3.
  • The Mac client no longer supports macOS 10.13 or 10.14.x.
  • You can no longer view exclusions in the registry. For 14.3 RU1 and earlier, to view exclusions, see: Verify if an Endpoint Client has Automatically Excluded an Application or Directory
Documentation
The Symantec Endpoint Protection Manager Help is now online and located at: Symantec Endpoint Protection Installation and Administration Guide
Database schema
The database schema has the following changes, listed by table (or group of tables) and then by column change.
ALERTS
  • Added the ENRICHED_DATA column.
AGENT_BEHAVIOR_LOG1
AGENT_BEHAVIOR_LOG2
AGENT_PACKET_LOG_1
AGENT_PACKET_LOG_2
AGENT_SECURITY_LOG_1
AGENT_SECURITY_LOG_2
AGENT_SYSTEM_LOG_1
AGENT_SYSTEM_LOG_2
AGENT_TRAFFIC_LOG_1
AGENT_TRAFFIC_LOG_2
BASIC_METADATA
COMMAND
COMPUTER_APPLICATION
ENFORCER_CLIENT_LOG_1
ENFORCER_CLIENT_LOG_2
ENFORCER_SYSTEM_LOG_1
ENFORCER_SYSTEM_LOG_2
ENFORCER_TRAFFIC_LOG_1
ENFORCER_TRAFFIC_LOG_2
IDENTITY_MAP
LAN_DEVICE_DETECTED
LAN_DEVICE_EXCLUDED
LEGACY_AGENT
LOCAL_METADATA
LOG_CONFIG
REPORTS
SEM_APPLICATION
SEM_CLIENT
SEM_COMPUTER
SEM_JOB
SEM_SVA_CLIENT
SEM_SVA_COMPUTER
SERVER_ADMIN_LOG_1
SERVER_ADMIN_LOG_2
SERVER_CLIENT_LOG_1
SERVER_CLIENT_LOG_2
SERVER_ENFORCER_LOG_1
SERVER_ENFORCER_LOG_2
SERVER_POLICY_LOG_1
SERVER_POLICY_LOG_2
SERVER_SYSTEM_LOG_1
SERVER_SYSTEM_LOG_2
SYSTEM_STATE
V_AGENT_BEHAVIOR_LOG
V_AGENT_PACKET_LOG
V_AGENT_SECURITY_LOG
V_AGENT_SYSTEM_LOG
V_AGENT_TRAFFIC_LOG
V_DOMAINS
V_ENFORCER_CLIENT_LOG
V_ENFORCER_SYSTEM_LOG
V_ENFORCER_TRAFFIC_LOG
V_GROUPS
V_LAN_DEVICE_DETECTED
V_LAN_DEVICE_EXCLUDED
V_SEM_COMPUTER
V_SERVER_ADMIN_LOG
V_SERVER_CLIENT_LOG
V_SERVER_ENFORCER_LOG
V_SERVER_SYSTEM_LOG
V_SERVERS
  • Removed the following columns from each of the tables and views listed above:
    • RESERVED_INT1
    • RESERVED_INT2
    • RESERVED_BIGINT1
    • RESERVED_BIGINT2
    • RESERVED_CHAR1
    • RESERVED_CHAR2
    • RESERVED_VARCHAR1
    • RESERVED_BINARY
BINARY_FILE
SERVER_POLICY_LOG_1
SERVER_POLICY_LOG_2
V_SERVER_POLICY_LOG
  • The CONTENT column changed its type from image to varbinary.
  • Added a FILESTREAM_ID indexed column.
  • Added a FILESTREAM_ID index.
  • Removed the following columns:
    • RESERVED_INT1
    • RESERVED_INT2
    • RESERVED_BIGINT1
    • RESERVED_BIGINT2
    • RESERVED_CHAR1
    • RESERVED_CHAR2
    • RESERVED_VARCHAR1
    • RESERVED_BINARY
INVENTORYREPORT
Added the following columns:
  • PRODUCTVERSIONFROM
  • PRODUCTVERSIONTO
  • IDS_VERSIONFROM
  • IDS_VERSIONTO
SEM_AGENT
  • Added the NTR_MESSAGE column.
  • Removed the following columns:
    • RESERVED_INT1
    • RESERVED_INT2
    • RESERVED_BIGINT1
    • RESERVED_BIGINT2
    • RESERVED_CHAR1
    • RESERVED_CHAR2
    • RESERVED_VARCHAR1
    • RESERVED_BINARY
SEM_AGENT_VERSION
Added the following columns:
  • VERSION
  • FORMATTED_VERSION
  • REFRESH_USN
  • AGENT_VERSION_FORMAT_REFRESH
  • VERSION1
  • VERSION2
  • VERSION3
  • VERSION4
SEM_SVA
Removed the following columns:
  • RESERVED_INT1
  • RESERVED_INT2
  • RESERVED_BIGINT1
  • RESERVED_BIGINT2
  • RESERVED_CHAR1
  • RESERVED_CHAR2
  • RESERVED_VARCHAR1
V_ALERTS
Added the ENRICHED_DATA column.
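The following T-SQL is an added example, not part of these release notes or of the product: it checks a Symantec Endpoint Protection Manager database after the upgrade against the schema changes listed above. Only the table and column names come from the list; the choice of checks, the sample of tables in the IN lists, and the use of sys.sql_modules to find custom report SQL that still references dropped columns are assumptions.

```sql
-- Added example, not from the release notes: post-upgrade checks for the
-- 14.3 RU1 schema changes listed above, run against the Symantec Endpoint
-- Protection Manager database on the SQL Server Express instance.
-- Only the table and column names come from the notes; the rest is assumed.

-- 1. Columns the notes say were added: anything reported MISSING means the
--    schema upgrade did not complete on that table or view.
SELECT expected.table_name, expected.column_name,
       CASE WHEN c.COLUMN_NAME IS NULL THEN 'MISSING' ELSE 'present' END AS status
FROM (VALUES ('ALERTS',            'ENRICHED_DATA'),
             ('V_ALERTS',          'ENRICHED_DATA'),
             ('SEM_AGENT',         'NTR_MESSAGE'),
             ('INVENTORYREPORT',   'PRODUCTVERSIONFROM'),
             ('INVENTORYREPORT',   'IDS_VERSIONTO'),
             ('SEM_AGENT_VERSION', 'FORMATTED_VERSION'),
             ('BINARY_FILE',       'FILESTREAM_ID')) AS expected(table_name, column_name)
LEFT JOIN INFORMATION_SCHEMA.COLUMNS AS c
       ON c.TABLE_NAME = expected.table_name AND c.COLUMN_NAME = expected.column_name
ORDER BY status, expected.table_name;

-- 2. The CONTENT column changed from image to varbinary; any row that still
--    shows 'image' is a table the upgrade left behind.
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME = 'CONTENT'
  AND TABLE_NAME IN ('BINARY_FILE', 'SERVER_POLICY_LOG_1', 'SERVER_POLICY_LOG_2');

-- 3. RESERVED_* columns that should have been dropped. Extend the IN list with
--    the remaining tables from the list above; [_] keeps the underscore literal.
SELECT TABLE_NAME, COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE 'RESERVED[_]%'
  AND TABLE_NAME IN ('SEM_AGENT', 'SEM_SVA', 'SEM_CLIENT', 'SEM_COMPUTER',
                     'BINARY_FILE', 'SERVER_POLICY_LOG_1', 'SERVER_POLICY_LOG_2')
ORDER BY TABLE_NAME, COLUMN_NAME;

-- 4. Custom reporting objects (views, procedures, functions) whose definition
--    still names a dropped RESERVED_* column. These break after the upgrade and
--    are the first thing to fix before re-enabling scheduled reports.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS object_name,
       o.type_desc
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition LIKE '%RESERVED[_]%'
  AND o.is_ms_shipped = 0
ORDER BY schema_name, object_name;
```

Run the four statements with a read-only login; an empty result from checks 2 (no 'image' rows), 3 and 4, and no MISSING rows in check 1, means the schema matches the list above.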