Using Intensive Protection settings

Intensive Protection settings provide aggressive detection technology that leverages advanced machine learning techniques. Symantec classifies files based on their reputation, behavior, prevalence, and other factors.
For completely cloud-managed devices that are directly enrolled in the cloud, Intensive Protection is provided as part of the Default Antimalware policy settings.
For Symantec Endpoint Protection Manager domain-enrolled devices, a Default Intensive Protection policy replaces some options in your existing Virus and Spyware Protection policy in Symantec Endpoint Protection Manager. The Download Insight, Bloodhound, and some SONAR settings in the Virus and Spyware Protection policy are ignored. Virus and spyware action settings in Symantec Endpoint Protection Manager are also ignored. Devices continue to use the Virus and Spyware Protection policy in SEPM for other antimalware options.
Intensive Protection settings are available in the following policies:
  • Default Intensive Protection policy
    Use only for devices that are enrolled in the cloud through domain enrollment. These devices also communicate with Symantec Endpoint Protection Manager.
  • Default Antimalware policy
    Use only for devices that are directly enrolled and communicate only with the cloud console.
  To modify the Intensive Protection settings:
  1. Go to Policies.
  2. On the Policies tab, select the Default Antimalware policy or Default Intensive Protection policy.
  3. In the policy, move the sliders to the level that should trigger a detection action (block or log).
    • Blocking Level
      Determines the threshold for blocking detections. This setting is applicable and configurable for Windows, Linux, and Android.
    • Monitoring Level
      Lets you control logging. Use logging to find out what types of detections the policy makes at a certain level before you start to block at that level. For mobile devices, this setting is not configurable.
    The false positive rate goes up the higher you move the slider. You can also create exclusions for files and applications that you know are safe.
    Level 1: The least restrictive setting. Blocks or logs known malware and known bad files. Results in a lower number of false positives.
    Level 2: Blocks or logs files that are certainly bad or potentially bad. Results in a comparable number of false positives and false negatives.
    Level 3: Blocks or logs files that appear suspicious. Results in fewer false negatives.
    Level 4: Blocks or logs files that are unknown or have a very low prevalence, so that only well-known good files are allowed to run.
    Level 5: The most restrictive setting. Blocks or logs anything that seems even slightly suspicious. Provides the highest security but might result in a higher number of false positives.
  4. Change the options in General Settings as needed.
    Detect files as malicious based on their use in the Symantec Community
    Sets additional requirements for downloaded files whose reputation is higher than the configured threshold setting. Such files are considered unproven, and are detected as malicious if they meet the additional requirements.
    The additional requirements consider file usage in the Symantec Community. Files that are used by fewer users might be more harmful. Files that have recently appeared in the Symantec Community might also be more harmful.
    The following options are available:
    • Files with x or fewer users
      Specifies the maximum number of users who use the file. The client detects any downloaded file that is used by fewer than the specified number of users.
    • Files known by users for x or fewer days
      Specifies the maximum number of days that the file has been known in the Symantec Community. The client detects any downloaded file that has been known to Symantec for less than the specified number of days.
    Trusted sites
    Automatically trust any file downloaded from Internet or intranet site
    By default, Intensive Protection does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab.
    When this option is enabled, Intensive Protection allows any file that a user downloads from one of the trusted sites. After the file is downloaded, other protection features can still detect and take action on the file if necessary.
    Intensive Protection checks for updates to the list when you re-enable Automatically trust any file downloaded from Internet or intranet site after it has been disabled. Intensive Protection also checks for updates to the Internet Options trusted sites list at user logon and every four hours.
    You can create exceptions for specific trusted Web domains.
    Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Intensive Protection does not recognize 10.*.*.* as a trusted site. Intensive Protection also does not support the sites that the Internet Options > Security > Automatically detect intranet network option discovers.
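As an added example (not Symantec's code), a small Python model of the decision flow the settings above describe: the Blocking and Monitoring Level sliders, the two community usage requirements, and the trusted-site exemption with its wildcard rule and the unsupported non-routable IP ranges. The class, function and field names, the level-to-file mapping, the inclusive "x or fewer" comparison, and the private-range check are all assumptions of this model, not documented product behaviour.

```python
import fnmatch
import re
from dataclasses import dataclass

@dataclass
class DownloadedFile:
    name: str
    min_level: int      # lowest slider level (1-5) that flags this file; 1 = known bad, 4 = unknown/rare
    users: int          # Symantec Community users seen with the file (constructed value)
    days_known: int     # days the file has been known in the community (constructed value)
    source_host: str    # host the file was downloaded from

@dataclass
class Policy:
    blocking_level: int = 2       # "Blocking Level" slider
    monitoring_level: int = 3     # "Monitoring Level" slider
    max_users: int = 5            # "Files with x or fewer users"
    max_days: int = 2             # "Files known by users for x or fewer days"
    trust_ie_sites: bool = True   # "Automatically trust any file downloaded from Internet or intranet site"
    trusted_sites: tuple = ()     # patterns from Internet Options > Security (wildcards allowed)

_IP_PATTERN = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")

def usable_trusted_site(pattern: str) -> bool:
    """Wildcard host patterns are honoured; non-routable IP ranges such as 10.*.*.* are ignored."""
    if not _IP_PATTERN.match(pattern):
        return True
    octets = pattern.split(".")
    if octets[0] == "10" or octets[:2] == ["192", "168"]:
        return False
    return not (octets[0] == "172" and octets[1].isdigit() and 16 <= int(octets[1]) <= 31)

def is_trusted_source(host: str, policy: Policy) -> bool:
    return policy.trust_ie_sites and any(
        fnmatch.fnmatch(host, p) for p in policy.trusted_sites if usable_trusted_site(p))

def evaluate(f: DownloadedFile, policy: Policy) -> str:
    """Return 'allow', 'log' or 'block' for one downloaded file under the policy."""
    if is_trusted_source(f.source_host, policy):
        return "allow"   # trusted site: Intensive Protection does not examine the file
    if f.min_level <= policy.blocking_level:
        return "block"
    # Reputation is above the blocking threshold, so the file is "unproven"; the community
    # usage requirements can still detect it (modelled here as "x or fewer", per the option names).
    if f.users <= policy.max_users or f.days_known <= policy.max_days:
        return "block"
    if f.min_level <= policy.monitoring_level:
        return "log"
    return "allow"
```

Running the model with the Monitoring Level one step above the Blocking Level shows which files would be logged rather than blocked, which is the comparison the documentation recommends before raising the blocking slider.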