What's new for Symantec Endpoint Protection 14.3 RU1?
This section describes the new features in this release.
Protection Features
- Includes the new Symantec Mac Agent and the Symantec Linux Agent that can be installed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager cloud console.
- Prevents new and unknown threats on macOS by monitoring file behaviors in real time. The new Mac Agent includes this behavioral protection capability. Behavioral protection, or SONAR, uses artificial intelligence and advanced machine learning for zero-day protection to effectively stop new threats.
- Blocks untrusted non-portable executable (non-PE) files, such as PDF files and scripts, that are not yet identified as a threat. In the Exceptions policy, click Windows Exceptions > File Access.
- Prevents web threats based on the reputation score of a web page. The Intrusion Prevention policy includes URL reputation filtering, which blocks web pages with reputation scores below a specific threshold. Reputation scores range from -10 (bad) to +10 (good). The Enable URL Reputation option is enabled by default.
- You can force Symantec Endpoint Protection to learn an application based on the application's hash value. In the Exceptions policy, click Windows Exceptions > Application > Add an Application by Fingerprint.
- Protects endpoints and users from web-based attacks on malicious sites using the Network Traffic Redirection feature. Network Traffic Redirection redirects all network traffic (any port) or just web-based traffic (ports 80 and 443) to the Symantec Web Security Service, which allows or blocks network traffic and SaaS application access based on the enterprise policy. The Network Traffic Redirection policy has a new redirection method called the tunnel method. The tunnel method automatically redirects all Internet traffic to the Symantec WSS, where the traffic is allowed or blocked based on the Symantec Web Security Service policies. The tunnel method is considered a beta feature. You should perform thorough testing with your applications against your WSS policies. Broadcom has a beta website that offers a testing guide and a place to leave feedback on your experience. Log on to the following website using your Broadcom credentials: Validate.broadcom.com.
- The Integrations policy was renamed to the Network Traffic Redirection policy.
- Provides support for MITRE-enriched events in Symantec EDR. Leverage the MITRE ATT&CK framework to provide context into what is happening in your environment.
- Provides support for the following Symantec EDR events, which expose more visibility into the endpoints:
  - AMSI events provide visibility of threat actor methods that can evade traditional command-line interrogation methods.
  - ETW events provide visibility into events happening on managed Windows endpoints.
- Includes the ability to run both Windows Defender and Symantec Endpoint Protection on the same computer. The Auto-Protect scan runs after Windows Defender and can detect any threats that Windows Defender misses. The Coexist with Windows Defender option ensures that Auto-Protect runs in case Microsoft Defender is disabled. To disable the option, click the Virus and Spyware Protection policy > Miscellaneous > Miscellaneous tab.
- Attack chain mitigation is now supported for hybrid-managed clients.
Symantec Endpoint Protection Manager
- The embedded database was updated to the Microsoft SQL Express database. The SQL Server Express database stores policies and security events more efficiently than the default embedded database and is installed automatically with the Symantec Endpoint Protection Manager.
- During the installation or upgrade of the Symantec Endpoint Protection Manager, the Management Server Configuration wizard:
  - Automatically installs LiveUpdate content.
  - Provides an option to use a TLS certificate for secure communication between SQL Server and the Symantec Endpoint Protection Manager.
- LiveUpdate uses a new engine in Symantec Endpoint Protection Manager, which is optimized to run on the cloud console. The new engine no longer supports the FTP method or LAN method to specify an internal LiveUpdate server to download content to the Symantec Endpoint Protection Manager.
- The Automatically uninstall existing third-party security software option that was not available in 14.3 MP1 is available again in 14.3 RU1 with an updated version. This option is used to uninstall third-party security software. To access this option, click Admin page > Packages > Client Install Settings.
- The Client Deployment Wizard that is used to deploy client packages must have its credentials verified and be able to connect to the Symantec Endpoint Protection Manager. If the verification process fails, the client deployment process stops to keep Active Directory user accounts from being locked.
- The Computer Status logs and reports now let you select a range for the Client version and IPS version fields. The Product version filter was renamed to Client version.
- The Disable the notification tray icon option is available for clients that run on a terminal server and that cause high CPU usage and memory usage. You can now disable the notification area icon, also known as the system tray icon, to prevent multiple instances of user session processes (like SmcGui.exe and ccSvcHost.exe) from running. For clients that run on a terminal server, the Disable the notification area icon option overrides the registry key setting in HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\LaunchSMCGui. Instead of manually changing this key, it is now managed via policy. As a best practice, move clients that are on a terminal server into the same group before you upgrade. For clients that do not run on a terminal server, keep this setting disabled. This option takes effect only after the client smc service is restarted. You enable this option on the Clients > Policies tab > General > General Settings tab.
- Updated the whitelist and blacklist mode to reflect the allow and block functionality. On the Clients page > Policies tab > System Lockdown dialog box, the application file lists changed from Whitelist Mode and Blacklist Mode to Allow Mode and Deny Mode.
- On the Admin page > Servers tab > Configure External Logging > General tab, the Master Logging Server option changed to Primary Logging Server.
- The System log type > Administrative log and the Audit log list the computer name.
- Client firewall logs are collected so that you get fewer notifications on the cloud console.
- Replaced Oracle Java SE with OpenJDK.
- Updated the third-party component jQuery to a newer version.
Client and platform updates
- The Windows client supports Windows 10 20H2 (Windows 10 version 2009).
- Moved the legacy Mac client installation packages to the AdditionalPackages folder.
Features Removed
- The Risk severity and Risk Distribution by Severity options were removed from notifications and reports.
- The CASMA tab and Analyze command were removed, as this functionality was deprecated in 14.3.
- The Mac client no longer supports macOS 10.13 or 10.14.x.
- You can no longer view exclusions in the registry. For 14.3 RU1 and earlier, to view exclusions, see: Verify if an Endpoint Client has Automatically Excluded an Application or Directory
Documentation
The Symantec Endpoint Protection Manager Help is now online and located at: Symantec Endpoint Protection Installation and Administration Guide
Database schema
The database schema has the following changes.
Table | Column change
---|---
ALERTS | Added the ENRICHED_DATA column.
AGENT_BEHAVIOR_LOG1, AGENT_BEHAVIOR_LOG2, AGENT_PACKET_LOG_1, AGENT_PACKET_LOG_2, AGENT_SECURITY_LOG_1, AGENT_SECURITY_LOG_2, AGENT_SYSTEM_LOG_1, AGENT_SYSTEM_LOG_2, AGENT_TRAFFIC_LOG_1, AGENT_TRAFFIC_LOG_2, BASIC_METADATA, COMMAND, COMPUTER_APPLICATION, ENFORCER_CLIENT_LOG_1, ENFORCER_CLIENT_LOG_2, ENFORCER_SYSTEM_LOG_1, ENFORCER_SYSTEM_LOG_2, ENFORCER_TRAFFIC_LOG_1, ENFORCER_TRAFFIC_LOG_2, IDENTITY_MAP, LAN_DEVICE_DETECTED, LAN_DEVICE_EXCLUDED, LEGACY_AGENT, LOCAL_METADATA, LOG_CONFIG, REPORTS, SEM_APPLICATION, SEM_CLIENT, SEM_COMPUTER, SEM_JOB, SEM_SVA_CLIENT, SEM_SVA_COMPUTER, SERVER_ADMIN_LOG_1, SERVER_ADMIN_LOG_2, SERVER_CLIENT_LOG_1, SERVER_CLIENT_LOG_2, SERVER_ENFORCER_LOG_1, SERVER_ENFORCER_LOG_2, SERVER_POLICY_LOG_1, SERVER_POLICY_LOG_2, SERVER_SYSTEM_LOG_1, SERVER_SYSTEM_LOG_2, SYSTEM_STATE, V_AGENT_BEHAVIOR_LOG, V_AGENT_PACKET_LOG, V_AGENT_SECURITY_LOG, V_AGENT_SYSTEM_LOG, V_AGENT_TRAFFIC_LOG, V_DOMAINS, V_ENFORCER_CLIENT_LOG, V_ENFORCER_SYSTEM_LOG, V_ENFORCER_TRAFFIC_LOG, V_GROUPS, V_LAN_DEVICE_DETECTED, V_LAN_DEVICE_EXCLUDED, V_SEM_COMPUTER, V_SERVER_ADMIN_LOG, V_SERVER_CLIENT_LOG, V_SERVER_ENFORCER_LOG, V_SERVER_SYSTEM_LOG, V_SERVERS | Removed the following columns from each table: RESERVED_INT1, RESERVED_INT2, RESERVED_BIGINT1, RESERVED_BIGINT2, RESERVED_CHAR1, RESERVED_CHAR2, RESERVED_VARCHAR1, RESERVED_BINARY
BINARY_FILE, SERVER_POLICY_LOG_1, SERVER_POLICY_LOG_2, V_SERVER_POLICY_LOG |
INVENTORYREPORT | Added the following columns:
SEM_AGENT |
SEM_AGENT_VERSION | Added the following columns:
SEM_SVA | Removed the following columns:
V_ALERTS | Added the ENRICHED_DATA column.
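Because the RESERVED_* columns listed above are dropped by the upgrade, any custom views, stored procedures or functions that an administrator added to the Symantec Endpoint Protection Manager database and that read those columns will fail afterwards. The following T-SQL check is an added example, not part of the release notes or the product: run it in the SEPM database on the SQL Server instance before upgrading. It assumes only the standard SQL Server catalog views; the column names come from the table above.

```sql
-- Added example (not Symantec's code). Run in the SEPM database before the
-- 14.3 RU1 upgrade. Assumes the standard SQL Server catalog views only.

-- Columns that 14.3 RU1 removes, as listed in the schema change table.
DECLARE @removed TABLE (col sysname NOT NULL);
INSERT INTO @removed (col) VALUES
    ('RESERVED_INT1'),    ('RESERVED_INT2'),
    ('RESERVED_BIGINT1'), ('RESERVED_BIGINT2'),
    ('RESERVED_CHAR1'),   ('RESERVED_CHAR2'),
    ('RESERVED_VARCHAR1'), ('RESERVED_BINARY');

-- 1. Where the columns still exist in the current (pre-upgrade) schema.
--    Useful as an inventory of what the upgrade is about to change.
SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN @removed AS r ON r.col = c.COLUMN_NAME
ORDER BY c.TABLE_NAME, c.COLUMN_NAME;

-- 2. SQL modules (views, procedures, functions, triggers) whose definition
--    text mentions one of the removed columns. Review every hit that is
--    not a product-supplied object: those are the custom reports that
--    need to be rewritten once the columns are gone.
SELECT s.name AS schema_name,
       o.name AS object_name,
       o.type_desc,
       r.col  AS referenced_column
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
JOIN @removed   AS r ON m.definition LIKE '%' + r.col + '%'
ORDER BY o.name, r.col;
```

A module that references a removed column only by position (SELECT *) is not caught by the text search, so also test custom reports against a copy of the upgraded database.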