Antimalware policy - Advanced Settings
Symantec Endpoint Security Antimalware policy includes advanced settings for Auto-Protect and other antimalware features. See:
Enables or disables Auto-Protect for the file system. By default, Auto-Protect is enabled. See:
Enable behavioral analysis
Enables or disables behavior analysis.
Behavior analysis (also known as SONAR) is the real-time protection that detects potentially malicious applications when they run on your computers. Behavior analysis uses heuristics as well as reputation data to detect emerging and unknown threats. Behavior analysis provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats. See:
Enable Symantec early launch antimalware
Early launch antimalware (ELAM) protects your devices from any threats that load at startup.
Endpoint Security includes an early launch antimalware driver that works with the Microsoft early launch antimalware driver to provide the protection. The settings are supported on Microsoft Windows 8 and Windows Server 2012.
The early launch antimalware driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the Endpoint Security driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Endpoint Security driver then passes the information to Windows, which decides whether to allow or block the detected driver.
Endpoint Security settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. By default, Windows allows unknown drivers to load. You might want to select the override option if you get any false positive detections that block an important driver. If you block an important driver, you might prevent devices from starting up.
The Windows early launch anti-malware driver must be enabled for the Endpoint Security settings to take effect. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
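As an added check (example script, not part of this documentation or of the Symantec product), the following PowerShell reads the Windows ELAM Boot-Start Driver Initialization Policy from the registry value Microsoft documents for it and shows how each Endpoint Security ELAM verdict would be handled with and without the override option. The verdict labels and the function name are assumptions chosen for the example.

```powershell
# Added example, not Symantec's or Microsoft's code. Reads the Windows ELAM
# "Boot-Start Driver Initialization Policy" from the registry and shows how a
# verdict from the Endpoint Security ELAM driver would be handled under it.
# Registry path, value name and value meanings are the ones Microsoft documents.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$valueName = 'DriverLoadPolicy'

# 0 = Good only, 1 = Good and unknown, 3 = Good, unknown and bad but critical, 7 = All.
# When the value is not configured, Windows behaves as 3, which is why unknown
# drivers load by default.
$policyNames = @{ 0 = 'Good only'; 1 = 'Good and unknown'
                  3 = 'Good, unknown and bad but critical'; 7 = 'All' }
$policy = 3
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $item) { $policy = [int]$item.$valueName }
"Windows ELAM DriverLoadPolicy = $policy ($($policyNames[$policy]))"

function Get-ElamDecision {
    # $Verdict is the ELAM driver's classification of a boot-start driver
    # (assumed labels: good, unknown, bad-critical, bad).
    # $TreatBadAsUnknown models the Endpoint Security override option.
    param([int]$Policy, [string]$Verdict, [switch]$TreatBadAsUnknown)
    $effective = $Verdict
    if ($TreatBadAsUnknown -and $Verdict -in 'bad', 'bad-critical') { $effective = 'unknown' }
    $loads = switch ($effective) {
        'good'         { $true }
        'unknown'      { $Policy -in 1, 3, 7 }
        'bad-critical' { $Policy -in 3, 7 }
        'bad'          { $Policy -eq 7 }
        default        { $false }
    }
    [pscustomobject]@{ Verdict = $Verdict; Effective = $effective; Loads = $loads }
}

# Compare the outcome with and without the override for every verdict the driver can give.
# With the Windows default (3) and the override on, a "bad" driver is reported as
# unknown and therefore loads: the false-positive trade-off described above.
foreach ($override in $false, $true) {
    "`nTreat bad drivers as unknown: $override"
    foreach ($verdict in 'good', 'unknown', 'bad-critical', 'bad') {
        Get-ElamDecision -Policy $policy -Verdict $verdict -TreatBadAsUnknown:$override
    }
}
```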
Enable Microsoft Outlook Auto-Protect
Enables or disables Auto-Protect for Microsoft Exchange email clients (Outlook).
Auto-Protect advanced options
Load Auto-Protect when computer starts
Loads Auto-Protect when the computer’s operating system starts and unloads it when the computer shuts down. This option can help protect against some viruses. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine folder. Auto-Protect then detects the virus on startup and creates an alert notification.
If you disable Auto-Protect on a device that has this option enabled, Auto-Protect still functions after each device restart for a brief time. When the main client service starts, it disables Auto-Protect.
Enable file cache
For more information, see:
Enable Risk Tracer
For more information, see:
Scan when a file is accessed
Scans the files when they are written, opened, moved, copied, or run.
Use this option for more complete file system protection. This option might affect performance because Auto-Protect scans files during all types of file operations.
Scan when a file is modified
Scans the files when they are written, modified, or copied.
Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied.
Scan when a file is backed up
Scans a file during backup if another process tries to write to the file during the backup. The backup process only reads the files during backup, so the backup process itself does not initiate the scan.
If you disable this option, Auto-Protect does not scan any file during a backup. The client scans the files that it restores from a backup, however, regardless of this setting.
Do not scan when trusted processes access the file
Skips the files that are accessed by Windows Search indexer and other processes that Endpoint Security determines are safe.
Enable Custom List lets you enable or disable a list of trusted processes that you know are safe. The list is used in addition to processes that Symantec already trusts as safe. Use the Add Custom Process option to add processes. Add the process name without a path name, for example, foo.exe.
Always delete newly created infected files
Enable this option to delete a new file that is infected regardless of the action that is configured for the type of risk. This setting does not apply to Auto-Protect detections of any existing files that contain viruses. Auto-Protect does not delete infected files that already exist on the device unless the configured action is
Always delete newly created security risks
This option is only available when Always delete newly created infected files is enabled. Enable this option to delete a newly created file that contains a security risk regardless of the action that is configured for the type of risk. This setting does not apply to Auto-Protect detections of existing files that contain security risks. Auto-Protect does not delete security risks that already exist on the client computer unless the configured action is
Specify network options for scanning files on remote computers
Options for Auto-Protect scans on remote computers:
Auto-Protect file cache options
Enable file cache
Auto-Protect uses a file cache so that it remembers the clean files from the last scan. The file cache persists across startups. If the device shuts down and restarts, Auto-Protect remembers the clean files and does not scan them.
File caching decreases Auto-Protect’s memory usage and can help improve Auto-Protect scan performance.
Auto-Protect rescans the files in the following situations:
You can disable the file cache if you always want Auto-Protect to scan every file. If you disable the file cache, you might affect the performance of your devices.
You can disable this option for troubleshooting. If you disable this option, when the device restarts, Auto-Protect rescans all files.
File cache size
You can specify the number of custom file cache entries to include. This option is useful for file servers or web servers on which you want to cache a large number of files.
Auto-Protect Risk Tracer options
Enable Risk Tracer
Risk Tracer identifies the source of network share-based virus infections on your devices. Risk Tracer does not block any attacking IP addresses. The option to automatically block IP addresses is enabled by default in the Firewall policy.
Resolve the source computer IP address
If this option is disabled, Risk Tracer looks up and records only the computer’s NetBIOS name. If this option is enabled, Risk Tracer tries to get an IP address for the known NetBIOS name.
If the infection came from a remote computer, Risk Tracer can do the following actions:
Poll for network sessions every <number> milliseconds
Enables or disables polling for network sessions.
Lower values use greater amounts of CPU and memory. Lower values also increase the possibility that Risk Tracer can record the network session information before the threat can turn off network shares.
Higher values decrease system overhead, but also decrease Risk Tracer’s ability to detect the source of the infections.
Risk Tracer polls at the specified interval for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Risk Tracer can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer.
Behavior analysis advanced options
DNS change detected and Host file change detected
Configures the action that behavior analysis takes when it detects a DNS change or a host file change.
Behavior analysis does not take any action when a process tries to open or access a host file. Behavior analysis takes action when a process modifies a host file.
The DNS or host file change settings do not exempt an application from detection by behavior analysis. Behavior analysis always detects an application if it exhibits suspicious behavior.
You can configure the following actions:
Scan files on remote computers
Enables or disables behavior analysis scans on network drives.
Enable this option when you need to scan the file operations that target network drives. Disable this option to increase the device performance. Behavior analysis looks for worms such as Sality, which infects network drives. Sality is a type of malware that infects files on Microsoft Windows systems and spreads through removable drives and network shares.