What's new for all releases of Symantec Endpoint Protection (SEP) 14.x

You can view a list of the changes for all versions of Symantec Endpoint Protection 14. This list includes the added operating system support, added browser support, and the new feature changes.
The changes for the Windows clients also apply to those managed by the Integrated Cyber Defense Manager (ICDm) cloud console. The cloud-managed clients (also called Symantec Agents) are the same as the on-premises managed clients.
  • You can manage client version (14.2 RU1) 14.2.3332.1000 or later with Symantec Endpoint Protection Manager 14.2 RU1 or later, or fully in the cloud.
  • You can manage fully in the cloud as of client version (14.2 RU1 (cloud-managed only)) 14.2.2486.1000.
  • You can manage client version (14.0.1 / 14.1) 14.0.3752.1000 with Symantec Endpoint Protection Manager 14 RU1 or later, or partially in the cloud.
Version 14.3 MP1 (refresh)
Added support with Google Cloud Platform for cloud-enrolled Symantec Endpoint Protection Managers and cloud-managed Symantec Agents. You do not need to upgrade if you continue to use the on-premises Symantec Endpoint Protection Manager to entirely manage your clients. See: FAQ: Migration of Symantec Endpoint Protection to Google Cloud Platform
Version 14.3 MP1
  • A REST API enhancement lets you copy over settings in the General Settings policy to other groups.
  • External Logging adds a new Syslog entry containing PII filtered policy changes. This change adds a second log line containing the policy payload when a policy change is made and recorded in the Audit log.
  • External Logging forwards information about the type of scan to Syslog servers. This information includes whether the scan was a full scan or active scan and a manual or scheduled scan. This change adds a new SCAN_TYPE column in External Logging for scan events. You can use this information to track regularly scheduled scans on your client computers.
  • The Symantec Endpoint Protection Manager Administrative Log displays the administrator's user name and the source and destination group names after a client moves from one group to another.
  • Added command-line scan support for the Windows Subsystem for Linux (WSL) processes. Dependent on SDS 1.12 or later.
  • The database schema includes table changes in SEM_AGENT and SERVER_POLICY_LOG_1 and 2.
Version 14.3
  • Integration with Antimalware Scan Interface (AMSI).
  • Enhanced support for web applications with WSS PAC file redirection allows administrators to customize the proxy auto configuration file hosted by WSS Local Proxy Service.
  • Symantec Endpoint Protection Manager and remote console now support Java 11.
  • External logging failover.
  • Support for Windows 10 version 2004 and SQL Server 2019.
  • Linux agents now support Ubuntu 18.04, RHEL 8, and CentOS 8.
Version 14.2 RU2 MP1 (refresh)
Version 14.2 RU2 MP1
  • The Integrations policy includes a new option, Allow direct traffic when WSS protection is not available. You use this option to give users access to the web if user authentication with the WSS cloud proxy (ProxySG) fails. This situation occurs if the administrator sets up WSS Traffic Redirection, but not the WSS roaming users.
  • A REST API enhancement lets you query the Location Awareness policy assigned to clients.
  • The Syslog logs for Splunk differentiate whether a scan is a full system scan, quick scan, a manual scan, or a scheduled scan. The logs also show a new "Location" column in External Logging for SONAR protection events.
  • Support was added for email addresses and distribution lists with special characters for Symantec Endpoint Protection Manager notifications.
  • Added the following operating system support for the Linux client: Red Hat Enterprise Linux Server (RHEL) 8 and 8.1, CentOS 8 with Kernel 4.18
  • Upgraded Jackson-databind and SQLite third-party components.
Version 14.2 RU2
  • Support for:
    • Windows 10 19H2 (version 1909)
    • macOS 10.15 (Catalina)
  • Upgraded multiple third-party components to newer versions.
Version 14.2 RU1 MP1 (refresh)
Release date: 24 Sept 19
No new features or enhancements.
Version 14.2 RU1 MP1
Release date: 4 August 2019
  • Made improvements for cloud-managed clients:
    • Added the Vulnerability Remediation plug-in.
      This feature identifies missing critical Windows updates, and lets the administrator apply those updates through Windows Update from the cloud console.
      Support for this feature in the cloud console is slated for a future refresh.
    • Support for the Power Eraser command.
      Support for this command in the cloud console is slated for a future refresh.
    • Improved AutoUpgrade error reporting.
  • Upgraded these third-party components to the following versions:
    • AppRemover 4.3.31.1
    • PHP 7.1.29
    • JDBC 7.2 (for Symantec Endpoint Protection Manager)
    • JRE 1.8u212
    • OpenGC 0.19.0.0
  • Removed support for Mac OS X 10.10.
  • Removed the full list of system requirements from the release notes PDF. They are now only published on the online page in the knowledge base.
Version 14.2 RU1 MP1 (cloud-managed only)
Version 14.2 RU1 (refresh)
No new fixes specific to this refresh. Otherwise, refer to: New fixes and component versions in Endpoint Protection 14.2 RU1
Version 14.2 RU1
Symantec Endpoint Threat Defense for Active Directory integration
  • Symantec Endpoint Protection delivers a single agent that Endpoint Threat Defense for Active Directory uses when you introduce it into your environment. Product guides for Symantec Endpoint Threat Defense for Active Directory.
  • Performance improvements for intrusion prevention on servers: Use a new signature subset for servers to provide a protection profile that is optimized for servers. In addition, Symantec Endpoint Protection introduces a new operational mode option for Intrusion Prevention: Out-of-band scanning. This mode changes the processing model for networking traffic. Symantec recommends that you test out-of-band scanning before you deploy it to your production environment, as performance characteristics vary depending on the workload.
  • Simplify deployment of Symantec Endpoint Protection through the addition of support for NT LAN Manager (NTLM) proxy authentication.
  • Improved cloud onboarding: The links within the Cloud tab of Symantec Endpoint Protection Manager now point directly to the cloud console.
  • Support added for Windows 10 May 2019 Update.
  • Symantec Advanced Threat Protection (ATP) is now Symantec Endpoint Detection and Response (Symantec EDR).
  • All software downloads and licensing details are now available through MySymantec.
  • Removed Lotus Notes and Internet Email protection in the Virus and Spyware Protection policy. You can still configure legacy client installation packages with these features through Symantec Endpoint Protection Manager.
Version 14.2 RU1 (cloud-managed only)
Version 14.2 MP1 (refresh)
  • Improvements to Symantec Endpoint Protection Hardening - Application Control and Application Isolation
Version 14.2 MP1 (refresh)
  • Support for compatibility with Symantec Endpoint Protection Hardening - Application Control
  • REST API enhancements for Symantec Advanced Threat Protection: Endpoint
  • Support for the following operating systems:
    • Windows Server 2019
    • Windows 10 October 2018 Update (version 1809), including support for case-sensitivity
    • macOS 10.14 (Mojave)
    • Red Hat Enterprise Linux Server (RHEL) 7U5 (7.5)
    • Support for Linux inode64 and XFS
    • Support for Windows Server 2016 Hyper-V
Version 14.2 MP1
  • Support for compatibility with Symantec Endpoint Protection Hardening
  • Added support for the following operating systems:
    • Windows Server 2019
    • Windows 10 October 2018 Update (version 1809), including support for case-sensitivity
    • macOS 10.14 (Mojave)
    • Red Hat Enterprise Linux Server (RHEL) 7U5 (7.5)
  • Support for Linux inode64 and XFS
  • Support for Windows Server 2016 Hyper-V
  • Removed support for Windows Server 2008 (RTM) for Symantec Endpoint Protection Manager.
  • REST API enhancements for Symantec Endpoint Detection and Response
Version 14.2
Cloud-based features
  • By default, groups and devices are managed by the Symantec Endpoint Protection Manager rather than by the cloud portal:
    After you enroll a domain, the Symantec Endpoint Protection Manager manages groups and devices by default. In version 14.1, the cloud portal was the default.
  • Automatically upgrading clients with Symantec Endpoint Protection Hardening:
    Symantec Endpoint Protection Hardening was introduced between the 14.0 and the 14.2 releases. As a result, you could not upgrade 14.0.x clients with Symantec Endpoint Protection (SEP) Hardening automatically.
    • In 14.2, you can install Symantec Endpoint Protection Hardening on Windows clients using AutoUpgrade even if the feature was not previously installed. In the client installation package, even if Maintain existing client features when updating is checked, you can still install Hardening. You must also make sure that Application Hardening is selected in the custom feature set (enabled by default), or else Symantec Endpoint Protection Hardening does not install.
    • 14.2 supports Symantec Endpoint Protection Hardening on both 32-bit and 64-bit Windows desktop operating systems. Earlier clients only support 64-bit Windows desktop operating systems. Symantec Endpoint Protection Hardening is not supported on server operating systems.
  • Support for roaming clients:
    Roaming clients intermittently connect to the management server. In 14.2, when the clients cannot connect to the management server, roaming clients automatically send critical events to the cloud portal. After the client reconnects to the management server, the clients send any new critical events to the management server.
  • Integration with the Symantec Content Analysis System:
    The Symantec Content Analysis System (CAS) determines how malicious a file is based on its cloud-based file reputation classification service that identifies known files. The service uses reputation scores, numbers (1-10), to indicate whether files are known to be trusted or malicious. High scores are more likely to be malicious. You can integrate the Symantec Endpoint Protection Manager with the Content Analysis System so that you can submit a file for analysis from the cloud portal to the CAS. After the CAS returns the reputation score, you can take an action on the file, such as blocking it or whitelisting it. To integrate the Symantec Endpoint Protection Manager with the CAS, click the Admin > Servers > Edit Site Properties > Content Analysis System tab. To submit files for analysis, go to the cloud portal.
  • Replication for multiple sites available for a management server enrolled in cloud portal:
    You can now enroll sites that replicate with partner sites into the cloud portal. The partner site is not enrolled in the cloud portal, but continues to replicate data with the first site.
  • Data collection and submissions options automatically enabled:
    After the Symantec Endpoint Protection Manager is enrolled in the cloud portal, the settings for data collection and submissions become automatically enabled. This occurs regardless of whether or not these settings were disabled beforehand. Symantec recommends that you keep these settings enabled so that the clients take advantage of the cloud's AML features.
Protection features
  • Support for IPv6:
    IPv6 support is added for the following items:
    • Communication between Windows, Mac, and Linux clients and the Symantec Endpoint Protection Manager.
    • Communication between the console and the management server, such as logging on locally or remotely to Symantec Endpoint Protection Manager.
    • Communication between management servers and internal LiveUpdate servers that run LiveUpdate Administrator.
    • IPv6-based criteria for many policies, such as custom IPS signatures, location awareness, Group Update Providers, and exceptions.
  • The Symantec Endpoint Protection firewall for Mac provides the firewall protection that fully integrates into Symantec Endpoint Protection, which includes events, policies, and commands. You manage and configure the firewall rules and some settings in the same Symantec Endpoint Protection Manager firewall policy as for Windows. The Symantec Endpoint Protection firewall is only available for managed clients.
  • WSS Traffic Redirection for Mac:
    WSS Traffic Redirection (WTR) directs web traffic with a Proxy Auto Configuration file URL to Symantec Web Security Service. This traffic redirection secures the web traffic for the client computer. This Symantec Endpoint Protection version extends WSS Traffic Redirection functionality to Macs.
  • WSS Traffic Redirection enhancements for Windows:
    This Symantec Endpoint Protection version adds enhanced client authentication for Symantec Web Security Services (WSS). It enables a more granular level of security management for WSS Traffic Redirection. Additionally, you can configure it to forward additional header data that identifies the user that initiated the traffic. This additional header data lets you create per-user traffic rules. To access this setting, click Policies > Integrations, open the policy, and click WSS Traffic Redirection.
  • Scans quickly handle a large number of threats on heavily infected computers:
    When manual scans and Auto-Protect scans detect a large number of threats on a client computer, the scans can quickly process the threats. This aggressive mode starts when the computer has a minimum of 100 viruses. The default action for these detections is Delete. This aggressive mode does not process spyware. You do not configure this feature; it runs automatically.
Management server features
  • Symantec VIP two-factor authentication and smart card authentication for Symantec Endpoint Protection Manager:
    You can now use two additional types of authentication for Symantec Endpoint Protection Manager administrator accounts:
    • Two-factor authentication (2FA) with Symantec VIP:
      When two-factor authentication is enabled, you must provide a unique, one-time verification code as well as a password when you log on to Symantec Endpoint Protection Manager. You can receive the code by voice, text, or with the free Symantec VIP Access application.
    • Smart card authentication:
      You can configure Symantec Endpoint Protection Manager to log on administrators who use a Personal Identity Verification (PIV) card or a Common Access Card (CAC). Smart cards are used for administrators who work for US Federal Agencies or a US military agency. With PIV/CAC authentication, you insert the card into the reader and provide a PIN number.
  • New communications module:
    A new communications module replaces the existing protocol. Both modules still use sylink.xml to establish a management connection between Symantec Endpoint Protection Manager and the client. The new communications module works with both IPv6 and IPv4 addresses, and communicates with Windows, Mac, and Linux clients.
  • Password requirements are stronger:
    When you install the management server or configure the management server, you must set a strong password for the system administrator account. The password must contain at least 8 characters and fewer than 16 characters. It must include at least one lowercase letter [a-z], one uppercase letter [A-Z], one numeric character [0-9], and one special character ["/ \ [ ] : ; | = , + * ? < >].
  • Updates for FIPS 140-2 compliance:
    Symantec Endpoint Protection 14.2 updates third-party components and validated modules to ensure continued compliance for data encryption with Federal Information Processing Standardization (FIPS) 140-2. Symantec Endpoint Protection 14.2 lets FIPS 140-2-compliant environments access cloud features.
  • LiveUpdate downloads content for the Application Control engine:
    To patch problems with an operating system such as Windows 10, LiveUpdate now downloads content for the Application Control engine for 14.2 Windows clients. To access the Application Control content, click Admin > Edit Site Properties > LiveUpdate tab > Content Types to Download. You should always keep this option enabled.
  • Additional vendors and products are added to the third-party security software removal feature.
System requirements
The Symantec Endpoint Protection Manager web console and Help add the following browser support: Mozilla Firefox 5.x through 60.x; Google Chrome 66.x
Removed, unsupported, or modified features
  • Removed the Host Integrity for Mac option:
    Host Integrity policies for Mac required the installation of the Symantec Network Access Control On-Demand client for Mac. Symantec Network Access Control reached End of Life in November 2017, and is not supported for use with Symantec Endpoint Protection 14.x. The Mac option to add a predefined requirement for the Mac client was still in the user interface until 14.2.
  • Removed the Failed Network Compliance Status report:
    This report was a Compliance report type that was used for Symantec Network Access Control. You could access the report in the following places:
    • Reports page > Quick Reports tab > Compliance report type
    • Monitors page > Summary tab > Summary type drop-down list
    • Home page > Favorite Reports section
  • Changes to the third-party security software removal feature:
    Changes to the third-party security software removal for version 14.2 mean that you cannot enable it for installation packages for earlier versions. For example, you cannot enable third-party security software removal for version 14.0.1 client packages if you create them with and deploy them from Symantec Endpoint Protection Manager version 14.2.
Documentation changes
The following options on the Admin > Administrator page were changed to be clearer:
  • Attempt Threshold was changed to Number of Incorrect Logon Attempts Allowed.
  • Password Verification Attempt Threshold was changed to Number of Change Current Password Attempts Allowed. In addition, this option was described incorrectly. This option displays the number of times you try to change the password on another administrator account, but type the wrong current password.
  • Failed Password Verification Attempts was changed to Failed Change Current Password Attempts.
Version 14.0.1 MP2
What's new in this version
  • Support for Windows 10 April 2018 Update (version 1803)
    (This support is backward-compatible to 14.0.1.)
  • Customer defects
  • Customer experience
    • Support for Microsoft Storage Spaces
    • Support for Microsoft OneDrive
    • Support for SQL Server databases that are hosted on Amazon RDS
  • Third-party component updates
Version 14.0.1 MP1
Cloud-based features
  • Symantec Endpoint Protection Hardening:
    Symantec Endpoint Protection provides application isolation. Application isolation protects users from malicious macros in Microsoft Office, malicious PDF files, and browser plug-ins with vulnerabilities. Application isolation protects applications from overwrites by other applications if both applications use the same resource. For example, an infected tab of a browser may end up sharing the same memory with another tab. One infected tab may infect the tabs on other browsers. Symantec Endpoint Protection Hardening provides a set of policies that you can use to isolate applications so that they operate in a protected environment.
Protection features
  • WSS Traffic Redirection:
    Symantec Endpoint Protection provides web security to remote users by connecting the client to Web Security Services (WSS) when a route through a corporate network is not possible or practical. WSS Traffic Redirection (WTR) directs traffic from the endpoint to WSS/CASB Services, eliminating the need to install a separate client. You deploy them once and manage them centrally, which lowers the cost of management and eliminates conflict between the agents. This functionality allows Symantec Endpoint Protection to rapidly enable connectivity to cloud services with minimal interruption to users.
  • Ability to test new engine content and definitions before they are released:
    Symantec Endpoint Protection contains several content engines that carry out parts of its functionality. Symantec provides a special server that lets you download and test the engine content before you roll out the content to your production environment. Engine updates are released to the EAS for 2 weeks before their phased release on the public LiveUpdate server. Symantec provides the engine updates using your regular LiveUpdate configuration. You can find the option Use a Symantec LiveUpdate early release server in the LiveUpdate Settings policy.
  • Option to lock engine version:
    The LiveUpdate Content policy now has the option to revert to an older version of the engine but continue to receive the latest content that corresponds with that engine. In the LiveUpdate Content policy under Windows Settings, click Security Definitions > Select an engine version > Edit. Clients that are locked to a specific engine version only receive LiveUpdate content that corresponds to that engine version.
Management server features
On the Symantec Endpoint Protection Manager Home page banner, the Latest News link changed to Latest Alerts. The associated bell-shaped icon now displays a red dot to indicate new messages. Click Latest Alerts to read the news or alerts about Symantec Endpoint Protection.
System requirements
Added the following support:
  • Third-party component upgrades, including Java SE Development Kit 8, zlib, and Commons-Jelly.
  • Symantec Endpoint Protection Manager web console: Mozilla Firefox 5.x through 57.x, Google Chrome 63.0.x
REST API commands
The documentation for the Symantec Endpoint Protection Manager REST APIs is now available in the following locations:
  • http://apidocs.symantec.com/home/saep/ - You can access this location from the cloud portal Help by clicking the last icon at the bottom of the dashboard. Note: If Symantec Endpoint Protection Manager is enrolled with the cloud portal, using REST API commands to manage what the cloud portal manages is not supported.
  • On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server: https://SEPM-IP:8446/sepm/restapidocs.html
Removed or unsupported features
  • End-of-Support for Network Access Control:
    Symantec discontinued technical support and content updates for customers with current Basic Maintenance Support or Essential Support on November 5, 2017 for Symantec Network Access Control, Symantec Network Access Control Starter Edition, and Symantec Network Access Control Enforcer with 6100 Series Appliance. Host Integrity has already been integrated in Symantec Endpoint Protection.
Version 14.0.1 / 14.1
Version 14.0.1 refers to the client; version 14.1 refers to Symantec Endpoint Protection Manager.
What is the difference between the Symantec Endpoint Protection 14.0.1 and 14.1 releases?
Symantec Endpoint Protection 14.0.1 is the next release after version 14 MP2 and includes improvements for both the Symantec Endpoint Protection Manager and the Symantec Endpoint Protection clients. 14.0.1 also includes components to connect to and manage Symantec Endpoint Protection Manager from a new cloud portal that is part of the subsequent release, version 14.1. Version 14.1 releases about the same time as 14.0.1. Symantec Endpoint Protection 14.1 includes the cloud portal, a 14.0.1 Symantec Endpoint Protection Manager, and 14.0.1 clients. The functionality for Symantec Endpoint Protection Manager and the clients does not change, and the user interface for both components is still labeled as 14.0.1. You do not need to upgrade to a new 14.1 management server or new 14.1 clients. The 14.1 cloud portal lets you manage Symantec Endpoint Protection Manager clients and includes some additional functionality that Symantec Endpoint Protection Manager does not have. If you do not enroll in the cloud portal, you continue to manage your client computers entirely from Symantec Endpoint Protection Manager. To connect to the cloud portal, you enroll a 14.0.1 Symantec Endpoint Protection Manager domain in the 14.1 cloud portal.
For an overview of the new cloud-based features available as of this release, see:
Version 14 MP2
  • Third-party component upgrades
Version 14 MP1
If you run 14 MP1 (14.0.2332.0100), DO NOT upgrade to the 14 MP1 Refresh Build (14.0.2349.0100). Both versions are considered current. Upgrading from 14 MP1 to 14 MP1 Refresh Build (14.0.2349.0100) is NOT supported. The code change in 14 MP1 Refresh Build, which addresses the following issue, is slated for inclusion in a future release of version 14:
  • Support for Red Hat Enterprise Linux (RHEL) 7.3.
  • Third-party components updates, including PHP, Java, and Apache Tomcat.
  • Corrected style and formatting issues within the Symantec Endpoint Protection Manager user interface.
Version 14
  • Improved protection:
    • Virus definitions in the cloud (Intelligent Threat Cloud Service)
    • Advanced Machine Learning (AML) on the endpoint for improved static detections
    • OS hardening (Generic Exploit Mitigation)
    • Emulator for packed malware
    • Security patches for Windows clients that download using LiveUpdate
  • Usability and scale:
    • New user interface
    • Custom replication schedule
    • Subnet mask for explicit Group Update Providers
    • In-product notifications
    • REST API references
  • Cross-platform support:
    • Device control (Mac client)
    • AutoUpgrade (Mac client)
System requirements
For the full list of system requirements, see System requirements for Symantec Endpoint Protection 14.
  • Symantec Endpoint Protection Manager:
    • Support added for Windows Server 2016
  • Windows client:
    • Support added for Windows 10 Anniversary Update
  • Linux client:
    • Support added for Red Hat Enterprise Linux (RHEL) 7.1 and 7.2 (precompiled binary support)
    • Support added for Oracle Linux (OEL) 6U5
  • Mac client:
    • Support added for macOS 10.12 (Sierra)
  • Database:
    • Support added for SQL Server 2014 SP2
  • Browser support for the Symantec Endpoint Protection Manager web console and Help:
    • Microsoft Edge
    • Mozilla Firefox 5.x through 49.0.1
    • Google Chrome through 54.0.x