Using Intensive Protection settings
Intensive Protection settings provide the aggressive detection technology that leverages advanced machine learning techniques. Symantec classifies files based on their reputation, behavior, prevalence, and other factors.
For completely cloud-managed devices that are directly enrolled in the cloud, Intensive Protection is provided as part of the Default Antimalware policy settings.
For Symantec Endpoint Protection Manager domain-enrolled devices, a Default Intensive Protection policy replaces some options in your existing Virus and Spyware Protection policy in Symantec Endpoint Protection Manager. The Download Insight, Bloodhound, and some SONAR settings in the Virus and Spyware Protection policy are ignored. Virus and spyware action settings in Symantec Endpoint Protection Manager are also ignored. Devices continue to use the Virus and Spyware Protection policy in SEPM for other antimalware options.
Intensive Protection settings are available in the following policies:
- Default Intensive Protection policy: Use only for devices that are enrolled in the cloud through domain enrollment. These devices also communicate with Symantec Endpoint Protection Manager.
- Default Antimalware policy: Use only for devices that are directly enrolled and communicate only with the cloud console.
To modify the Intensive Protection settings:
- Go to Policies.
- On the Policies tab, select the Default Antimalware policy or Default Intensive Protection policy.
- In the policy, move the sliders to the level that should trigger a detection action (block or log). The false positive rate goes up the higher you move the slider. You can also create exclusions for files and applications that you know are safe.
  - Level 1: The least restrictive setting. Blocks or logs known malware and known bad files. Results in a lower number of false positives.
  - Level 2: Blocks or logs files that are most certainly bad or potentially bad. Results in a comparable number of false positives and false negatives.
  - Level 3: Blocks or logs files that appear suspicious. Results in fewer false negatives.
  - Level 4: Blocks or logs files that are unknown or have a very low prevalence, to ensure that only well-known good files are allowed to run.
  - Level 5: The most restrictive setting. Blocks or logs anything that seems even slightly suspicious. Provides the highest security but might result in a higher number of false positives.
  - Blocking Level: Determines the threshold for blocking detections. This setting is applicable and configurable for Windows, Linux, and Android.
  - Monitoring Level: Lets you control logging. Use logging to find out what types of detections the policy makes at a certain level before you start to block at that level. For mobile devices, this setting is not configurable.
- Change the options in General Settings as needed.
  - Detect files as malicious based on their use in the Symantec Community: Sets additional requirements for downloaded files whose reputations are higher than the configured threshold setting. These files are considered unproven and are detected as malicious if they meet the additional requirements. The additional requirements consider file usage in the Symantec Community: files that are used by fewer users might be more harmful, and files that have only recently appeared in the Symantec Community also might be more harmful. The following options are available:
    - Files with x or fewer users: Specifies the maximum number of users who use the file. The client detects any downloaded file that is used by fewer than the specified number of users.
    - Files known by users for x or fewer days: Specifies the maximum number of days that the file has been known in the Symantec community. The client detects any downloaded file that has been known by Symantec for less than the specified number of days.
  - Trusted sites: Automatically trust any file downloaded from Internet or intranet site. By default, Intensive Protection does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab. When this option is enabled, Intensive Protection allows any file that a user downloads from one of the trusted sites. After the file is downloaded, other protection features can still detect and take action on the file if necessary. Intensive Protection checks for updates to the list when you re-enable Automatically trust any file downloaded from Internet or intranet site after it has been disabled. Intensive Protection also checks for updates to the Internet Options trusted sites list at user logon and every four hours. You can create exceptions for specific trusted Web domains. Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Intensive Protection does not recognize 10.*.*.* as a trusted site. Intensive Protection also does not support the sites that the Internet Options > Security > Automatically detect intranet network option discovers.
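To make the interplay of these settings concrete, the following is an added Python model of how a blocking level, a monitoring level, the community-usage requirements and the trusted-site option combine for one downloaded file. It is not Symantec's code: the 1-to-5 risk tier assigned to a file, the field names, the inclusive comparisons and the order in which the checks run are all assumptions made for illustration. It also models the documented limit that a wildcard pattern describing a non-routable IP range, such as 10.*.*.*, is not honoured as a trusted site.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address


@dataclass
class FileEvidence:
    """Constructed evidence about one downloaded file (field names are assumed)."""
    risk_tier: int      # 1 = known malware, 2 = most certainly/potentially bad,
                        # 3 = suspicious, 4 = unknown/low prevalence, 5 = slightly suspicious
    user_count: int     # Symantec Community users known to use the file
    days_known: int     # days the file has been known in the community
    source: str         # host name or IP address the file was downloaded from


@dataclass
class IntensivePolicy:
    """Assumed representation of the settings described on this page."""
    blocking_level: int = 2        # slider: block files whose tier is <= this level
    monitoring_level: int = 4      # slider: log files whose tier is <= this level
    community_check: bool = True   # "Detect files as malicious based on their use ..."
    max_users: int = 5             # "Files with x or fewer users"
    max_days: int = 2              # "Files known by users for x or fewer days"
    trust_internet_sites: bool = True
    trusted_sites: tuple = ()      # wildcard patterns taken from the trusted-sites list


def trusted_pattern_supported(pattern: str) -> bool:
    """A pattern that describes a non-routable IP range is not honoured.
    Modelled by substituting 0 for each wildcard and testing the result."""
    probe = pattern.replace("*", "0")
    try:
        return not ip_address(probe).is_private
    except ValueError:
        return True   # not an IP literal, so it is a host-name pattern


def from_trusted_site(policy: IntensivePolicy, source: str) -> bool:
    """True when the option is on and some supported pattern matches the source."""
    if not policy.trust_internet_sites:
        return False
    src = source.lower()
    return any(trusted_pattern_supported(p) and fnmatchcase(src, p.lower())
               for p in policy.trusted_sites)


def evaluate(policy: IntensivePolicy, f: FileEvidence) -> tuple:
    """Return (action, reason) for one file. The check order is an assumption."""
    if from_trusted_site(policy, f.source):
        return ("allow", "trusted site; other protection features may still act later")
    if f.risk_tier <= policy.blocking_level:
        return ("block", f"tier {f.risk_tier} is within blocking level {policy.blocking_level}")
    if policy.community_check and (f.user_count <= policy.max_users
                                   or f.days_known <= policy.max_days):
        # Unproven file: assumed here to receive the blocking action.
        return ("block", "unproven: too few users or too recently seen in the community")
    if f.risk_tier <= policy.monitoring_level:
        return ("log", f"tier {f.risk_tier} is within monitoring level {policy.monitoring_level}")
    return ("allow", "above both thresholds and established in the community")


if __name__ == "__main__":
    policy = IntensivePolicy(trusted_sites=("*.corp.example", "10.*.*.*"))
    # Constructed sample files covering each branch of the decision flow.
    samples = [
        FileEvidence(1, 1, 0, "evil.example"),          # known malware -> block
        FileEvidence(3, 100, 400, "cdn.example"),       # suspicious only -> log
        FileEvidence(5, 100, 400, "cdn.example"),       # well established -> allow
        FileEvidence(5, 2, 400, "cdn.example"),         # too few users -> block
        FileEvidence(1, 1, 0, "files.corp.example"),    # trusted site -> allow
        FileEvidence(1, 1, 0, "10.1.2.3"),              # 10.*.*.* is ignored -> block
    ]
    for s in samples:
        action, reason = evaluate(policy, s)
        print(f"{s.source:20} tier={s.risk_tier} -> {action:5} ({reason})")
```

Running the model with a block level of 2 and a monitor level of 4 shows the workflow the page recommends: tiers 3 and 4 are only logged, so you can review what a higher blocking level would catch before raising the blocking slider to it. It also shows why the trusted-site option deserves care, since a match bypasses the thresholds entirely for that download.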