What's new for Symantec Endpoint Protection 14.3 RU2?

This section describes the new features in this release.
Protection Features
  • Includes runtime protection against fileless threats such as malicious Excel 4.0 macros (XLM) and payloads that use Windows Management Instrumentation (WMI), through expanded integration with the Antimalware Scan Interface (AMSI).
  • Enhanced behavior detection and prevention protects against ransomware families such as Ryuk and Netwalker by detecting and blocking malicious modification or removal of user files.
  • The emulator in the Symantec Endpoint Protection client has been enhanced to increase detection of cryptocurrency mining malware families such as LemonDuck.
  • A browser extension provides better protection for both HTTP and HTTPS traffic to and from the Google Chrome web browser. The Symantec Endpoint Protection client blocks users from accessing malicious sites and redirects them to a default landing page. The browser extension depends on IPS, so the IPS policy must be enabled and assigned to the group; without it the extension has nothing to enforce. If the computer has joined an Active Directory domain, the browser extension is downloaded from LiveUpdate by default; otherwise it is downloaded from the Chrome Web Store. You enable or disable this content under Admin > Servers > Edit Site Properties > LiveUpdate tab > Content Types to Download > Browser Extension.
    By default, the Symantec Endpoint Protection installer installs the Google Chrome browser extension. However, if you use an Active Directory Group Policy Object to manage your Chrome extensions, you must add the browser extension to the extension list in that GPO. See: Installing the Endpoint Protection Chrome Browser Extension using Group Policy Object
  • Administrators can retrieve quarantined files from remote SEP clients through the Symantec Endpoint Protection Manager console, so that the malicious files can be investigated further and sandboxed. To upload the quarantined files, check the Admin > Domains > Edit Domain Properties > General tab > Upload quarantined files from the clients option. This option automatically uploads all quarantined files from the clients in the domain; you can then select and retrieve individual files from the Risk log using the Download file that the client quarantined command. Treat the retrieved files as live malware and handle them only in an isolated analysis environment. The management server no longer supports old versions of the Central Quarantine Server, so the Virus and Spyware Protection policy > Quarantine > Quarantined Items options were removed.
  • Intrusion Prevention (IPS) content has been optimized considerably to reduce content size and improve network throughput. This improvement is available to all supported Symantec Endpoint Protection versions.
  • Network Traffic Redirection is renamed to Web and Cloud Access Protection in the Symantec Endpoint Protection Manager, the Windows client, and the Mac client. In the client, users can click a Reconnect button in the Web and Cloud Access Protection > Options menu. Client users should use this option if the client does not detect that its connection with the Symantec Web Security Service (WSS) has been broken.
Symantec Endpoint Protection Manager
  • Includes automatic LiveUpdate for critical fixes and security updates. Starting with SEP 14.3 RU2, critical patches and security fixes are delivered automatically to clients via LiveUpdate to reduce the administrative burden of managing agent updates. These patches include critical fixes only; new features are delivered separately via Release Updates (RUs). To make sure that client patches and client product updates are downloaded from a LiveUpdate server to the Symantec Endpoint Protection Manager, go to Site Properties > LiveUpdate tab > Content Types to Download and select Client patches and Client product updates. Both options are enabled by default.
    • To download client patches from the Symantec Endpoint Protection Manager to the clients, in the LiveUpdate Settings policy, click Advanced Settings > Download client patches. The LiveUpdate policy delivers the client patch to the client like any other content; the client patch is an incremental delta file.
    • To download product updates, select Download delta content from a LiveUpdate server when available. Use this option if you do not want to enable client patches; it ensures that patch builds are available in AutoUpgrade. LiveUpdate downloads a full client installation package to the management server, where the package appears in the Admin > Install Packages > Client Install Package table and in the AutoUpgrade wizard. This option is enabled by default. The version of the client does not change, only the build number. With this option, the client fetches the smaller delta content from LiveUpdate when the management server only has the full content.
    • In earlier releases, these options were Download client security patches and Download client patches smaller content from a LiveUpdate server when available. The Site Properties > LiveUpdate tab > Content Types to Download > Client patches option was Client security patches.
  • The Management Server Configuration Wizard no longer prompts you for credentials to check whether the SQL Server FILESTREAM feature is enabled. Upgrades from an embedded database (14.3 and earlier) automatically enable FILESTREAM. Upgrades from 14.3 RU1/RU1 MP1 keep the existing FILESTREAM setting. The wizard prompts for credentials only if FILESTREAM is not already enabled on the SQL Server Express database.
  • Both the Symantec Endpoint Protection clients and the Symantec Endpoint Protection Manager are localized in the following five languages only: English, French, Spanish, Portuguese, and Japanese. If you use one of the five supported languages, no action is required; you can upgrade as usual. You can automatically upgrade clients to English if their previous language is no longer available. If you do not choose English, clients with an unsupported language are not upgraded. This option is off by default. To enable it, on the Clients page > Install Packages page, click Add a Client Install Package > Upgrade to English if unsupported language is unavailable. This option applies to the Windows client only.
  • Location awareness has four new criteria: the computer's host name, user and group name, operating system, and whether a particular file runs on the client.
  • Added additional permission levels for accessing the SEPM REST APIs. Previously, only system administrators could perform any POST operation. Now, domain administrators and limited administrators can monitor the health of their computers using the API, and SOC analysts can integrate third-party tools with the API under a lower-privileged account instead of a system administrator account. The following APIs were updated to support role-based access:

    HTTP method  Path                                Description                                                        Minimum role
    POST         /api/v1/identity/authenticate       Authenticates and returns an access token for a valid user.        Limited Administrator
    POST         /api/v1/identity/logout             Logs off the user that is associated with a specified token.       Limited Administrator
    GET          /api/v1/licenses                    Retrieves all license-related information.                         System Administrator
    GET          /api/v1/replication/is_replicated   Checks whether a site has a replication partner.                   Limited Administrator
    POST         /api/v1/replication/replicatenow    Initiates replication for the specified replication partner.       Administrator
    GET          /api/v1/replication/status          Gets the replication status.                                       Limited Administrator
    POST         /api/v1/reporting/authenticate      Authenticates and returns a PHP session token for a valid user.    Limited Administrator
    GET          /api/v1/sessions/currentuser        Gets the current user token object.                                Limited Administrator
    GET          /api/v1/version                     Gets the current version of Symantec Endpoint Protection Manager.  Limited Administrator
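The following is an added example, not Symantec or Broadcom code, of how a SOC integration might use the role table above: a small Python client that logs in with a least-privileged account, sends the token on later calls, and refuses locally any call whose minimum role is above the account's role rather than letting the server reject it. It assumes details that this page does not state and that you should confirm against the SEPM REST API documentation: the API base URL https://<sepm-host>:8446/sepm (so the table's paths become /sepm/api/v1/...), a JSON login body with "username", "password" and "domain", a "token" field in the login response, and an "Authorization: Bearer <token>" header on subsequent requests. The host name and credentials in the usage example are placeholders.

```python
"""Role-aware client for the SEPM REST API endpoints listed in the table above.

Added example, not Symantec/Broadcom code. Assumptions not stated on the page:
  * the API is served under https://<sepm-host>:8446/sepm;
  * POST /api/v1/identity/authenticate accepts {"username","password","domain"}
    and returns JSON containing a "token";
  * later calls send "Authorization: Bearer <token>".
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Roles from the page's table, least privileged first.
ROLE_RANK = {"Limited Administrator": 0, "Administrator": 1, "System Administrator": 2}

# Minimum role per endpoint, transcribed from the table in this section.
MIN_ROLE = {
    ("POST", "/api/v1/identity/authenticate"): "Limited Administrator",
    ("POST", "/api/v1/identity/logout"): "Limited Administrator",
    ("GET", "/api/v1/licenses"): "System Administrator",
    ("GET", "/api/v1/replication/is_replicated"): "Limited Administrator",
    ("POST", "/api/v1/replication/replicatenow"): "Administrator",
    ("GET", "/api/v1/replication/status"): "Limited Administrator",
    ("POST", "/api/v1/reporting/authenticate"): "Limited Administrator",
    ("GET", "/api/v1/sessions/currentuser"): "Limited Administrator",
    ("GET", "/api/v1/version"): "Limited Administrator",
}

Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def role_allows(role: str, method: str, path: str) -> bool:
    """True if `role` meets the table's minimum for the call.
    Endpoints the table does not list are passed through (the table says nothing about them)."""
    needed = MIN_ROLE.get((method.upper(), path))
    return needed is None or ROLE_RANK[role] >= ROLE_RANK[needed]


class SepmApiError(RuntimeError):
    pass


class SepmClient:
    def __init__(self, host: str, role: str, transport: Optional[Transport] = None,
                 cafile: Optional[str] = None):
        self.base = f"https://{host}:8446/sepm"  # assumed base path, see lead-in
        self.role = role                        # the role of the account you log in with
        self.token: Optional[str] = None
        self.transport = transport or self._urllib_transport
        # Keep certificate verification on; pass cafile for a private SEPM CA.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _urllib_transport(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:
            return e.code, e.read()

    def call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        # Least-privilege pre-check: fail locally instead of sending a call the
        # table says this role cannot make (and logging a 403 on the server).
        if not role_allows(self.role, method, path):
            raise PermissionError(f"{self.role} is below the minimum role for {method} {path}")
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base + path, headers, body)
        if status in (401, 403):
            raise SepmApiError(f"{method} {path} rejected with HTTP {status}: bad or expired token, or insufficient role")
        if status != 200:
            raise SepmApiError(f"{method} {path} failed with HTTP {status}")
        return json.loads(raw) if raw else {}

    def login(self, username: str, password: str, domain: str = "") -> str:
        data = self.call("POST", "/api/v1/identity/authenticate",
                         {"username": username, "password": password, "domain": domain})
        self.token = data["token"]
        return self.token

    def logout(self) -> None:
        self.call("POST", "/api/v1/identity/logout")
        self.token = None

    def version(self) -> dict:
        return self.call("GET", "/api/v1/version")


if __name__ == "__main__":
    # Placeholder host and credentials; a Limited Administrator is enough for /version.
    c = SepmClient("sepm.example.internal", "Limited Administrator")
    c.login("soc-readonly", "change-me", "Default")
    print(c.version())
    c.logout()
```

The transport is injectable so the client can be exercised offline against canned responses; in production the default urllib transport is used with certificate verification left on. Unknown endpoints are not blocked by the pre-check, because the page's table only covers the nine listed calls.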
  • On the Admin page > Administrators > Access Rights tab, the Do not allow editing of shared policies checkbox was renamed Allow editing of shared policies. The old checkbox was not selected by default, so administrators had to explicitly deny the permission; with the new checkbox, administrators explicitly grant it instead. After you upgrade, review the Access Rights of existing administrator accounts to confirm that the setting still matches your intent.
  • The following third-party components were upgraded or added: Apache Commons FileUpload, jQuery, PHP with zip extensions enabled, Microsoft Drivers for PHP for Microsoft SQL Server, and OpenSSL.
  • The DevViewer tool is no longer installed with Symantec Endpoint Protection Manager in the Tools\DevViewer folder. Instead, download DevViewer to the client computer from the Attachments section at: Use DevViewer to find hardware device IDs for Device Blocking in Endpoint Protection. You use DevViewer to obtain the vendor, model, or serial number of a specific device so that you can allow or block the device in the Device Control policy.
Client and platform updates
Windows client:
  • The Symantec Endpoint Protection client for Windows supports Citrix Studio version 2009.0.0, Nutanix AOS 5.15 (LTS), and VMware ESXi 7.0 Update 2.
Mac client:
  • Symantec Endpoint Protection Manager 14.3 RU2 ships with the last release of the Symantec Endpoint Protection client for Mac, 14.3 RU1 MP1. When the Mac client 14.3 RU2 is available, LiveUpdate downloads the Mac client installation package to the Symantec Endpoint Protection Manager Admin > Install Packages > Client Install Package page. If you add a New software package notification on the Monitors page, you receive a notification when the installation package is ready. This feature lets you upgrade to the latest Symantec Endpoint Protection Manager sooner, without waiting for the Mac client.
    The Symantec Endpoint Protection client for Mac release is planned for June 2021.
  • When the Mac client is available, it will include the following features:
    • Support for devices with the Apple M1 chip.
    • AppleScript integration with the Mac client lets you create and run AppleScript scripts to query or control your Mac client.
    • The Mac client installation package contains a tool that removes the NLOK build of the Mac client (version 14.3 and earlier) from your Mac device and silently upgrades to a later version of the Mac client.
    • Performance improvements on the Mac client include much higher network throughput, a smaller client installer, and optimized CPU and memory usage.
    • Support for the Evidence of Compromise search and the Quarantine File command for remediation. These features are supported on clients that are managed by the Symantec Endpoint Security cloud console or by Symantec EDR 4.6.5 and later.
Linux client:
Features Removed
  • Extended Support Life for 12.1.x ended on April 3, 2021.
  • The management server no longer supports old versions of the Central Quarantine Server. The options on the Virus and Spyware Protection policy > Quarantine > Quarantined Items page were removed.
  • The Coexist with Windows Defender option on the Virus and Spyware Protection policy > Miscellaneous page was removed.
Documentation
  • The Windows client Help files were converted to HTML5 files, which display an updated format and the Broadcom colors.
  • You can download PDF files of the release notes for every release on the following page:
Database schema
The database schema has the following changes.
Table            Column change
HPP_APPLICATION  Added the NONPE column.
REQUESTED_FILES  New table, with the following columns:
  • ID
  • APP_HASH
  • COMMAND_ID
  • BINARY_FILE_ID
  • TIME_STAMP
  • USN
  • RETRY_COUNT
  • DELETED