Antimalware policy - Advanced Settings

The Symantec Endpoint Security Antimalware policy includes advanced settings for Auto-Protect and other antimalware features.

Antimalware Advanced Settings
Enable Auto-Protect
Enables or disables Auto-Protect for the file system. By default, Auto-Protect is enabled.
Enable behavioral analysis
Enables or disables behavior analysis.
Behavior analysis (also known as SONAR) is the real-time protection that detects potentially malicious applications when they run on your computers. Behavior analysis uses heuristics as well as reputation data to detect emerging and unknown threats. Behavior analysis provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
Enable Symantec early launch antimalware
Early launch antimalware (ELAM) protects your devices from any threats that load at startup. Endpoint Security includes an early launch antimalware driver that works with the Microsoft early launch antimalware driver to provide the protection. The settings are supported on Microsoft Windows 8 and Windows Server 2012.
The early launch antimalware driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the Endpoint Security driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Endpoint Security driver then passes the information to Windows to decide whether to allow or block the detected driver.
The Endpoint Security settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. By default, Windows allows unknown drivers to load. You might want to select the override option if you get any false positive detections that block an important driver. If you block an important driver, you might prevent devices from starting up.
The Windows early launch antimalware driver must be enabled for the Endpoint Security settings to take effect. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
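As an added illustration (not Symantec or Microsoft code), the following Python model walks a set of constructed startup drivers through the flow above: the Endpoint Security verdict, the optional "treat bad and bad critical drivers as unknown" override, and the Windows boot-start driver policy level that makes the final allow or block decision. The policy level names are assumed to mirror the Windows Group Policy options, and the driver names are made up.

```python
# Added model of the ELAM decision flow; not Symantec or Microsoft code.
# Verdict names follow the page. The Windows policy levels model the
# Boot-Start Driver Initialization Policy options (assumed names).
from dataclasses import dataclass

GOOD, UNKNOWN, BAD_CRITICAL, BAD = "good", "unknown", "bad_critical", "bad"

# Which classifications each Windows policy level lets load.
WINDOWS_POLICY = {
    "good_only": {GOOD},
    "good_and_unknown": {GOOD, UNKNOWN},
    "good_unknown_bad_critical": {GOOD, UNKNOWN, BAD_CRITICAL},  # Windows default
    "all": {GOOD, UNKNOWN, BAD_CRITICAL, BAD},
}


@dataclass(frozen=True)
class StartupDriver:
    name: str
    verdict: str          # good, bad or unknown, as reported by the ELAM driver
    boot_critical: bool   # required for the computer to start


def effective_class(d: StartupDriver, treat_bad_as_unknown: bool) -> str:
    """Classification handed to Windows after the Endpoint Security override."""
    cls = d.verdict
    if cls == BAD and d.boot_critical:
        cls = BAD_CRITICAL            # malware, but needed to boot
    if treat_bad_as_unknown and cls in (BAD, BAD_CRITICAL):
        cls = UNKNOWN                 # the false-positive override
    return cls


def evaluate_boot(drivers, windows_policy: str, treat_bad_as_unknown: bool):
    """Return {driver: 'allow'|'block'} and whether a boot-critical driver is blocked."""
    allowed = WINDOWS_POLICY[windows_policy]
    decisions, boot_at_risk = {}, False
    for d in drivers:
        loads = effective_class(d, treat_bad_as_unknown) in allowed
        decisions[d.name] = "allow" if loads else "block"
        boot_at_risk = boot_at_risk or ((not loads) and d.boot_critical)
    return decisions, boot_at_risk


if __name__ == "__main__":
    # Constructed sample: a false positive on a VPN driver and a bad boot driver.
    drivers = [StartupDriver("vpn.sys", BAD, False), StartupDriver("disk.sys", BAD, True),
               StartupDriver("fs.sys", GOOD, True), StartupDriver("new.sys", UNKNOWN, False)]
    for policy in WINDOWS_POLICY:
        for override in (False, True):
            print(policy, override, *evaluate_boot(drivers, policy, override))
```

Running it shows why the override exists: under the Windows default the falsely flagged non-critical driver is blocked, while a stricter policy that blocks a bad critical driver leaves the device unable to start.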
Enable Microsoft Outlook Auto-Protect
Enables or disables Auto-Protect for Microsoft Exchange email clients (Outlook).
Auto-Protect advanced options
Load Auto-Protect when computer starts
Loads Auto-Protect when the computer’s operating system starts and unloads it when the computer shuts down. This option can help protect against some viruses. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine folder. Auto-Protect then detects the virus on startup and creates an alert notification.
If you disable Auto-Protect on a device that has this option enabled, Auto-Protect still functions after each device restart for a brief time. When the main client service starts, it disables Auto-Protect.
Enable file cache
For more information, see the Auto-Protect file cache options below.
Enable Risk Tracer
For more information, see the Auto-Protect Risk Tracer options below.
Scan when a file is accessed
Scans the files when they are written, opened, moved, copied, or run.
Use this option for more complete file system protection. This option might affect performance because Auto-Protect scans files during all types of file operations.
Scan when a file is modified
Scans the files when they are written, modified, or copied.
Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied.
Scan when a file is backed up
Scans a file during backup if another process tries to write to the file during the backup. The backup process only reads the files during backup, so the backup process itself does not initiate the scan.
If you disable this option, Auto-Protect does not scan any file during a backup. The client scans the files that it restores from a backup, however, regardless of this setting.
Do not scan when trusted processes access the file
Skips the files that are accessed by the Windows Search indexer and other processes that Endpoint Security determines are safe.
Enable Custom List lets you enable or disable a list of trusted processes that you know are safe. The list is used in addition to the processes that Symantec already trusts as safe. Use the Add Custom Process option to add processes. Add the process name without a path name, for example, foo.exe.
Always delete newly created infected files
Enable this option to delete a newly created file that is infected, regardless of the action that is configured for the type of risk. This setting does not apply to Auto-Protect detections of existing files that contain viruses. Auto-Protect does not delete infected files that already exist on the device unless the configured action is Delete.
Always delete newly created security risks
This option is only available when Always delete newly created infected files is enabled. Enable this option to delete a newly created file that contains a security risk, regardless of the action that is configured for the type of risk. This setting does not apply to Auto-Protect detections of existing files that contain security risks. Auto-Protect does not delete security risks that already exist on the client computer unless the configured action is Delete.
Coexist with Windows Defender
You can enable the option to allow Windows Defender to run before Auto-Protect runs. This option is off by default.
Specify network options for scanning files on remote computers
Options for Auto-Protect scans on remote computers:
  • Scan files on remote computers
    Enables or disables scanning on network drives. If you disable this option, you might improve device performance.
    When scanning is enabled on network drives, Auto-Protect scans files when a device accesses them from a server.
  • Only when files are executed
    By default, Auto-Protect scans files on remote computers only when files are executed. You can disable this option to scan all files on remote computers, but you might affect your device performance.
  • Network cache
    Enables or disables a record of the files that Auto-Protect has already scanned from a network server.
    This option prevents Auto-Protect from scanning the same file more than one time and may improve system performance.
  • Keep <number> entries
    Sets the number of files (entries) that Auto-Protect scans and remembers.
  • Delete entries after <number> seconds
    Sets the timeout before the files are removed from the cache. After the timeout expires, Auto-Protect scans the network files again if the device requests them from the network server.
Auto-Protect file cache options
Enable file cache
Auto-Protect uses a file cache so that it remembers the clean files from the last scan. The file cache persists across startups. If the device shuts down and restarts, Auto-Protect remembers the clean files and does not scan them.
File caching decreases Auto-Protect’s memory usage and can help improve Auto-Protect scan performance.
Auto-Protect rescans the files in the following situations:
  • The device downloads new definitions.
  • Auto-Protect detects that the files might have changed when Auto-Protect was not running.
You can disable the file cache if you always want Auto-Protect to scan every file. If you disable the file cache, you might affect the performance of your devices.
You can disable this option for troubleshooting. If you disable this option, when the device restarts, Auto-Protect rescans all files.
File cache size
You can specify the number of custom file cache entries to include. This option is useful for file servers or web servers on which you want to cache a large number of files.
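The network cache options above and the file cache options in this section describe the same mechanism from two angles: a bounded record of files already found clean, expired by a timeout (network cache) and invalidated by new definitions or by a file that changed while Auto-Protect was not running (file cache). The following Python model is added here to show those rules working together; it is not Symantec code, and the class, method and sample file names are assumptions.

```python
# Added model of the scan-cache rules above; not Symantec code. The class
# names, tuple layout and sample paths are assumptions for illustration.
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileState:
    path: str
    mtime: float   # last-modified time reported by the file system
    size: int


class ScanCache:
    """Remembers files already found clean so Auto-Protect need not rescan them."""

    def __init__(self, max_entries: int, ttl_seconds: Optional[float], definitions_version: str):
        self.max_entries = max_entries      # "Keep <number> entries"
        self.ttl = ttl_seconds              # "Delete entries after <number> seconds"; None = no timeout
        self.defs = definitions_version
        self._entries = OrderedDict()       # path -> (mtime, size, scanned_at), oldest first

    def new_definitions(self, version: str) -> None:
        """New definitions arrive: every cached verdict is stale, so drop them all."""
        if version != self.defs:
            self.defs = version
            self._entries.clear()

    def needs_scan(self, f: FileState, now: float) -> bool:
        """True when the file must be scanned again before it is allowed."""
        entry = self._entries.get(f.path)
        if entry is None:
            return True
        mtime, size, scanned_at = entry
        if (mtime, size) != (f.mtime, f.size):            # changed while we were not looking
            del self._entries[f.path]
            return True
        if self.ttl is not None and now - scanned_at > self.ttl:   # network cache timeout
            del self._entries[f.path]
            return True
        return False

    def record_clean(self, f: FileState, now: float) -> None:
        """Remember a clean verdict; evict the oldest entry beyond max_entries."""
        self._entries[f.path] = (f.mtime, f.size, now)
        self._entries.move_to_end(f.path)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)

    def __len__(self) -> int:
        return len(self._entries)
```

Passing `ttl_seconds=None` models the persistent file cache, which only invalidates on new definitions or a changed file; a numeric timeout models the network cache.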
Auto-Protect Risk Tracer options
Enable Risk Tracer
Risk Tracer identifies the source of network share-based virus infections on your devices. Risk Tracer does not block any attacking IP addresses. The option to automatically block IP addresses is enabled by default in the Firewall policy.
Resolve the source computer IP address
If this option is disabled, Risk Tracer looks up and records only the computer’s NetBIOS name. If this option is enabled, Risk Tracer tries to get an IP address for the known NetBIOS name.
If the infection came from a remote computer, Risk Tracer can do the following actions:
  • Look up and record the computer's NetBIOS computer name and its IP address.
  • Look up and record who was logged on to the computer at delivery time.
Poll for network sessions every <number> milliseconds
Enables or disables polling for network sessions.
Lower values use greater amounts of CPU and memory. Lower values also increase the possibility that Risk Tracer can record the network session information before the threat can turn off network shares.
Higher values decrease system overhead, but also decrease Risk Tracer’s ability to detect the source of the infections.
Risk Tracer polls at the specified interval for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Risk Tracer can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer.
Behavior analysis advanced options
DNS change detected and Host file change detected
Configures the action that behavior analysis takes when it detects a DNS change or a host file change.
Behavior analysis does not take any action when a process tries to open or access a host file. Behavior analysis takes action when a process modifies a host file.
The DNS or host file change settings do not exempt an application from detection by behavior analysis. Behavior analysis always detects an application if it exhibits suspicious behavior.
You can configure the following actions:
  • Ignore
    Ignores the detection. This action is the default action. Any action other than Ignore might result in many log events in the console and email notifications to administrators.
  • Block
    Blocks the change.
    If you set the action to Block, you might block important applications on your devices.
    For example, if you set the action to Block for DNS change detected, you might block VPN clients. If you set the action to Block for Host file change detected, you might block your applications that need to access the host file.
  • Log Only
    Allows the change but creates a log entry for the event. This action might result in large log files.
Scan files on remote computers
Enables or disables behavior analysis scans on network drives.
Enable this option when you need to scan the file operations that target network drives. Disable this option to increase the device performance. Behavior analysis looks for worms such as Sality, which infects network drives. Sality is a type of malware that infects files on Microsoft Windows systems and spreads through removable drives and network shares.