What's new for Symantec Endpoint Protection 14.3 RU2?
This section describes the new features in this release.
- Runtime protection against fileless threats, such as malicious Excel 4.0 macros (XLM) and payloads that use Windows Management Instrumentation (WMI), through expanded integration with the Antimalware Scan Interface (AMSI).
- Enhanced behavioral detection and prevention protects against ransomware families such as Ryuk and Netwalker, including the malicious modification or deletion of user files.
- Enhancements to the emulator in the Symantec Endpoint Protection client improve detection of cryptocurrency mining malware families such as LemonDuck.
- A browser extension provides better protection for both HTTP and HTTPS traffic to and from the Google Chrome web browser. The Symantec Endpoint Protection client blocks users from accessing malicious sites and redirects them to a default landing page. The browser extension depends on IPS; therefore, the IPS policy must be enabled and assigned to the group. The browser extension is downloaded from LiveUpdate by default if the computer has joined an Active Directory domain; otherwise, it is downloaded from the Chrome Web Store. You enable or disable this content by clicking Admin > Servers > Edit Site Properties > LiveUpdate tab > Content Types to Download > Browser Extension. By default, the Symantec Endpoint Protection installer installs the Google Chrome browser extension. However, if you use an Active Directory Group Policy Object to manage your Chrome extensions, you must add the browser extension to your list. See: Installing the Endpoint Protection Chrome Browser Extension using Group Policy Object
- Administrators can retrieve quarantined files from remote SEP clients through the Symantec Endpoint Protection Manager console, for further investigation and sandboxing. To upload quarantined files, check the Admin > Domains > Edit Domain Properties > General tab > Upload quarantined files from the clients option. This option automatically uploads all quarantined files from the clients. You can then select and retrieve individual files from the Risk log with the Download file that the client quarantined command. The management server no longer supports old versions of the Central Quarantine Server, so the Virus and Spyware Protection policy > Quarantine > Quarantined Items options were removed.
- Intrusion Prevention (IPS) content has been optimized considerably to reduce content size and improve network throughput. This improvement is available to all supported Symantec Endpoint Protection versions.
- Network Traffic Redirection is renamed Web and Cloud Access Protection in the Symantec Endpoint Protection Manager, the Windows client, and the Mac client. In the client, users can click a Reconnect button in the Web and Cloud Access Protection > Options menu. Client users should use this option if the client does not detect that the connection to the Symantec WSS has been broken.
Symantec Endpoint Protection Manager
- Includes automatic LiveUpdate for critical fixes and security updates. Starting with SEP 14.3 RU2, critical patches and security fixes are delivered automatically to clients via LiveUpdate to reduce the administrative burden of managing agent updates. These patches include critical fixes only; new features are delivered separately in Release Updates (RUs). To make sure that client patches and client product updates are downloaded from a LiveUpdate server to the Symantec Endpoint Protection Manager, go to Site Properties and select Client patches and Client product updates. Both options are enabled by default.
- To deliver client patches from the Symantec Endpoint Protection Manager to the clients, in the LiveUpdate Settings policy, click Advanced Settings > Download client patches. The LiveUpdate policy downloads the client patch to the client like any other content; the client patch is an incremental delta file.
- To download product updates, select Download delta content from a LiveUpdate server when available. Use this option if you do not want to enable client patches; it makes patch builds available through AutoUpgrade instead. LiveUpdate downloads a full client installation package to the management server, where the package appears in the Admin > Install Packages > Client Install Package table and in the AutoUpgrade wizard. The client version does not change, only the build number. With this option the client also fetches smaller delta content directly from LiveUpdate when the management server has only full content. This option is enabled by default.
- In earlier releases, these options were named Download client security patches and Download client patches smaller content from a LiveUpdate server when available. The Site Properties > LiveUpdate tab > Content Types to Download > Client patches option was named Client security patches.
- The Management Server Configuration Wizard no longer prompts you for credentials to check whether SQL Server FILESTREAM is enabled. Upgrades from an embedded database (14.3 and earlier) enable FILESTREAM automatically. Upgrades from 14.3 RU1/RU1 MP1 keep the existing FILESTREAM setting. The wizard prompts for credentials only if FILESTREAM is not already enabled on the SQL Server Express database.
- Both the Symantec Endpoint Protection clients and the Symantec Endpoint Protection Manager are localized in five languages only: English, French, Spanish, Portuguese, and Japanese. If you use one of these languages, no action is required; upgrade as usual. For clients in any other language, you can choose to upgrade them to English; if you do not, clients with an unsupported language are not upgraded. This option is off by default. To enable it, on the Clients page click Install Packages, then Add a Client Install Package > Upgrade to English if unsupported language is unavailable. This option applies to the Windows client only.
- Location awareness has four new criteria: the computer's host name, user and group name, operating system, and whether a particular file runs on the client.
- Added additional permission levels for accessing the SEPM REST APIs. Previously, only system administrators could perform any POST operations. Now domain administrators and limited administrators can monitor the health of their computers through the API, and SOC analysts can integrate third-party tools with it. The following APIs have been updated to support role-based access:
| HTTP method | Path | Description | Minimum role |
|---|---|---|---|
| POST | /api/v1/identity/authenticate | Authenticates and returns an access token for a valid user. | Limited Administrator |
| POST | /api/v1/identity/logout | Logs off the user that is associated with a specified token. | Limited Administrator |
| GET | /api/v1/licenses | Retrieves all license-related information. | System Administrator |
| GET | /api/v1/replication/is_replicated | Checks whether a site has a replication partner. | Limited Administrator |
| POST | /api/v1/replication/replicatenow | Initiates replication for the specified replication partner. | Administrator |
| GET | /api/v1/replication/status | Gets the replication status. | Limited Administrator |
| POST | /api/v1/reporting/authenticate | Authenticates and returns a PHP session token for a valid user. | Limited Administrator |
| GET | /api/v1/sessions/currentuser | Gets the current user token object. | Limited Administrator |
| GET | /api/v1/version | Gets the current version of Symantec Endpoint Protection Manager. | Limited Administrator |
- On the Admin page > Administrators > Access Rights tab, the Do not allow editing of shared policies option was renamed Allow editing of shared policies. The new checkbox is not selected by default, so administrators now explicitly grant this permission rather than explicitly deny it.
- The following third-party components were upgraded or added: Apache Commons FileUpload, jQuery, PHP with zip extensions enabled, Microsoft Drivers for PHP for Microsoft SQL Server, and OpenSSL.
- The DevViewer tool is no longer installed with Symantec Endpoint Protection Manager in the Tools\DevViewer folder. Instead, download DevViewer to the client computer from the Attachments section at: Use DevViewer to find hardware device IDs for Device Blocking in Endpoint Protection. You use DevViewer to obtain the vendor, model, or serial number of a specific device so that you can allow or block the device in the Device Control policy.
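The REST API table above gives the minimum role per endpoint but not how an integration should honour it. The following Python client is an added example, not code from the release notes or from Symantec: it gates every call on the role of the account it runs as, so a SOC tool logged in as Limited Administrator never sends a request the server would reject, and it always logs the token out when done. Beyond what the page states, it assumes a REST base URL of https://<sepm>:8446/sepm, a JSON login body of username/password/domain that returns {"token": ...}, Bearer-token authorization on later calls, a logout body carrying the token, and the privilege ordering Limited Administrator < Administrator < System Administrator. The fake_transport responses are constructed so the example runs offline.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Minimum role per endpoint, transcribed from the table above.
MIN_ROLE = {
    ("POST", "/api/v1/identity/authenticate"): "Limited Administrator",
    ("POST", "/api/v1/identity/logout"): "Limited Administrator",
    ("GET", "/api/v1/licenses"): "System Administrator",
    ("GET", "/api/v1/replication/is_replicated"): "Limited Administrator",
    ("POST", "/api/v1/replication/replicatenow"): "Administrator",
    ("GET", "/api/v1/replication/status"): "Limited Administrator",
    ("POST", "/api/v1/reporting/authenticate"): "Limited Administrator",
    ("GET", "/api/v1/sessions/currentuser"): "Limited Administrator",
    ("GET", "/api/v1/version"): "Limited Administrator",
}
# Assumed privilege ordering, least to most privileged (not stated on the page).
ROLE_RANK = {"Limited Administrator": 0, "Administrator": 1, "System Administrator": 2}


def allowed(role, method, path):
    """True if `role` meets the table's minimum for (method, path).
    Fails closed: unknown roles and endpoints outside the table are denied."""
    needed = MIN_ROLE.get((method, path))
    if needed is None or role not in ROLE_RANK:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[needed]


def https_transport(method, url, headers, body, cafile=None):
    """Real transport: TLS-verified HTTPS via urllib. Pass the SEPM certificate
    (or its issuing CA) as `cafile`; never disable verification for a console."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def fake_transport(method, url, headers, body):
    """Constructed offline stand-in for a SEPM: canned responses, no network."""
    path = urlparse(url).path
    if path.startswith("/sepm"):
        path = path[len("/sepm"):]
    if (method, path) == ("POST", "/api/v1/identity/authenticate"):
        return 200, {"token": "0123456789abcdef"}  # constructed token
    if headers.get("Authorization") != "Bearer 0123456789abcdef":
        return 401, {}  # every other call needs the bearer token
    if (method, path) == ("GET", "/api/v1/version"):
        return 200, {"version": "14.3.5413.3000"}  # constructed value
    if (method, path) == ("POST", "/api/v1/identity/logout"):
        return 200, {}
    return 404, {}


class SepmClient:
    def __init__(self, base_url, role, transport=https_transport):
        self.base_url = base_url.rstrip("/")  # assumed: https://<sepm>:8446/sepm
        self.role = role                      # role of the account used to log in
        self.transport = transport
        self.token = None

    def _call(self, method, path, body=None):
        # Client-side gate: refuse calls the account's role cannot make.
        if not allowed(self.role, method, path):
            raise PermissionError(f"{self.role} may not {method} {path}")
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        status, payload = self.transport(method, self.base_url + path, headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return payload

    def login(self, username, password, domain=""):
        payload = self._call("POST", "/api/v1/identity/authenticate",
                             {"username": username, "password": password, "domain": domain})
        self.token = payload["token"]
        return self.token

    def version(self):
        return self._call("GET", "/api/v1/version")

    def licenses(self):
        return self._call("GET", "/api/v1/licenses")

    def logout(self):
        # Invalidate the token server-side when the job finishes.
        self._call("POST", "/api/v1/identity/logout", {"token": self.token})
        self.token = None


if __name__ == "__main__":
    # Offline demo against the constructed stand-in; use https_transport for a live SEPM.
    c = SepmClient("https://sepm.example.com:8446/sepm", "Limited Administrator", fake_transport)
    c.login("soc-readonly", "example-password")
    print(c.version())
    c.logout()
```

Run the account used for monitoring as a Limited Administrator and only escalate to Administrator where the table requires it (replicatenow) or System Administrator (licenses); the client-side gate then documents exactly which privilege each integration needs.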
Client and platform updates
- The Symantec Endpoint Protection client for Windows supports Citrix Studio version 2009.0.0, Nutanix AOS 5.15 (LTS), and VMware ESXi 7.0 Update 2.
- Symantec Endpoint Protection Manager 14.3 RU2 ships with the most recent release of the Symantec Endpoint Protection client for Mac, 14.3 RU1 MP1. When the Mac client 14.3 RU2 becomes available, LiveUpdate downloads the Mac client installation package to the Symantec Endpoint Protection Manager Admin > Install Packages > Client Install Package page. If you add a New software package notification on the Monitors page, you receive a notification when the installation package is ready. This lets you upgrade to the latest Symantec Endpoint Protection Manager sooner. The Symantec Endpoint Protection client for Mac release is planned for June 2021.
- When the Mac client is available, it will include the following features:
- Supported on devices with the Apple M1 chip.
- AppleScript integration with the Mac client lets you create and run AppleScript scripts to query or control your Mac client.
- The Mac client installation package contains a tool that lets you remove the NLOK build of the Mac client (version 14.3 and earlier) from your Mac device and silently upgrade to a later version of Mac client.
- Performance improvements on the Mac client include substantially higher network throughput, a smaller client installer, and optimized CPU and memory usage.
- Support for the Evidence of Compromise search and the Quarantine File command for remediation. These features are supported on the clients that are managed by the Symantec Endpoint Security cloud console or by the Symantec EDR as of version 4.6.5.
- The Symantec Endpoint Protection client for Linux supports Debian 9 and Debian 10.
- The Symantec Endpoint Protection client for Linux command line tool (sav) lets you control and check on your Linux client.
- Extended Support Life for 12.1.x ended on April 3rd 2021.
- The management server no longer supports old versions of the Central Quarantine Server. The options on the Virus and Spyware Protection policy > Quarantine > Quarantined Items page were removed.
- The Coexist with Windows Defender option on the Virus and Spyware Protection policy > Miscellaneous page was removed.
- The Windows client Help files were converted to HTML5 files, which display an updated format and the Broadcom colors.
- You can download PDF files of the release notes for every release on the following page:
The database schema has the following changes.
Added the NONPE column.
Added a new table, REQUESTED_FILES.
Added the following columns: