Comparison between an on-premises Symantec Endpoint Protection 14.x and Symantec Endpoint Security Complete

Access all features in Symantec Endpoint Security from the Endpoint tab in Integrated Cyber Defense Manager.
In October 2019, Symantec Endpoint Protection 15 was renamed to Symantec Endpoint Security.
Policy Types
Policies (Overview)
Some policy settings and security settings in Symantec Endpoint Security (Endpoint Security) do not appear in the user interface, but they are enabled by default. In this case, there is no setting for you to disable or configure.
Policies (general)
On-premises Symantec Endpoint Protection
Symantec Endpoint Security
Virus and Spyware Protection
  • Replaced by the Antimalware policy on fully cloud-managed agents version 14.2 MP2 and later.
  • Replaced by the Intensive Protection policy on hybrid-managed 14.1 and later agents only: Combines Download Insight, Bloodhound, and some SONAR settings.
Network and Host Exploit Mitigation
  • Network Threat Protection (intrusion prevention and firewall)
  • Memory Exploit Mitigation (replaced Generic Exploit Mitigation in 14)
In the cloud console, the Network and Host Exploit Mitigation term is no longer used and is replaced by the following policy names:
  • Firewall policy
  • Intrusion Prevention policy
  • Exploit Protection policy (Memory Exploit Mitigation)
The term Network and Host Exploit Mitigation is still used on the client.
Proactive Threat Protection (up through 14.2)
  • Application and Device Control
  • SONAR
In the cloud console, the term Proactive Threat Protection is no longer used and is replaced by the following policies/features:
  • Application Control policy
  • Device Control policy
  • Behavior Analysis (new name for SONAR)
  • (14.2 RU1 and later) PTP is still used in the Symantec Endpoint Protection Manager / Symantec Endpoint Protection client.
Exceptions policy
Allow List policy (14.1 and later); Deny List for HASH exception (14.1 and later)
Host Integrity
Host Integrity policy coming soon
  • System lockdown
  • Application learning (Clients > Policies tab > Settings > General Settings)
  • System lockdown - Replaced by the Deny List policy and Application Control (Symantec Endpoint Security Complete)
  • Application learning - Replaced by Discovered Items; Replaced by the Deny List policy and Application Control
Tamper Protection (Clients > Policies tab > Settings > General Settings)
Actions to take if an application attempts to tamper with or shut down Symantec security software
  • Block and do not log
  • Block and log
  • Log only
Moved to System policy; labeled as Protect Symantec security software from being tampered with or shut down (On/Off)
  • Block and do not log
  • Block and log
  • Log only
Location awareness
Renamed Policy Targeting (14.3 agents). You target a policy to a device where a certain user is logged in (Policies page > Policy Target Rules tab)
Network application monitoring (Clients page > Policies tab)
Deprecated
Deception
On-premises only.
Active Directory Threat Defense
On-premises only.
Application Control
Application Control is included with Symantec Endpoint Security Complete. (Application Isolation is also available to legacy customers.)
Behavioral Isolation policy provides attack surface mitigation for Symantec Endpoint Security Enterprise and Symantec Endpoint Security Complete.
Power Eraser
Available soon
Endpoint Detection and Response enablement (renamed from ATP)
Endpoint Detection and Response (EDR) is included with Symantec Endpoint Security Complete.
Padlocks or mixed/server/client control:
You prevent users from disabling protection on the client computer by setting the user control level or by locking the policy options. Some policies use a padlock. Other policies use the user control level.
Unlock on some policies lets client users override the policy's settings on the device.
Policies (Actions)
Policies (actions)
On-premises SEP
Symantec Endpoint Security
Policies
  • Policy templates
  • Policy types
  • Policy status - Published/Draft - Deprecated in December 2019
Add
Create
Edit
Right-click the vertical ellipsis (Action menu)
To update the policy:
  • Select and open the policy, and select Save Policy.
  • The Policies > Versions tab displays previous versions of the policy.
    A new version of a policy is created whenever you change a policy setting and apply the policy to a device or a device group.
Copy
Duplicate
Assign (to a group or location)
Apply (to a device group)
Replace
N/A (Use Apply instead)
Withdraw from assigned groups or locations before deleting
Remove
Delete
Delete
Import/Export
  • Import supported policies from version 12.1.6.x to 14.2 MP1 and later.
  • Export policies (Policies > Policies tab > Actions menu > Export Policy)
Application Control and Application Isolation
The Application Control policy in Symantec Endpoint Protection Manager can be replaced with Application Control in the cloud. Application Isolation is only available in the cloud.
Application Control
On-premises SEP
Symantec Endpoint Security
Test/Production mode
  • Test (log only)
  • Production
SEPM has no override equivalent (Client users cannot override).
General Settings
Turn on Run in monitor mode to test the policy. Turn off Run in monitor mode to enforce the policy.
Enforcement Mode (for production)
  • Enforce with Overrides (dynamic devices)
    Override options: (Configures the type of applications that client users can override)
    • Allow overrides if applications are signed and have good reputation
    • Allow overrides if applications are unsigned but have good reputation
    • Allow overrides if the applications are signed but have gray reputation
    • Allow overrides if the applications are unsigned and have gray reputation
  • Strict Enforcement (fixed-function devices)
Add custom rules / Conditions:
  • Registry Access Attempts
  • File and Folder Access Attempts
  • Launch Process Attempts
  • Terminate Process Attempts
  • Load DLL Attempts
Properties:
  • Rule name and Description
  • Enable this rule
  • Apply/Do not apply this rule to the following processes
Sub-processes inherit conditions
Add custom rules / Conditions
  • Application Name
  • File Name
  • Custom rule:
    • Publisher
    • Reputation
    • Path
    • Hash
Actions:
Read Attempt/Create, Delete, or Write Attempt
  • Continue processing other rules
  • Allow access
  • Block access
  • Terminate process
  • Enable logging
  • Send Email Alert
  • Notify user
Default rules:
  • Block applications from running [AC1]
  • Block programs from running from removable drives [AC2]
  • Make all removable drives read-only [AC3]
  • [AC4-1.1] Block writing to USB drives
  • [AC5-1.1] Log writing to USB drives
  • Block modifications to hosts file
  • Block access to scripts
  • Stop software installers [AC8]
  • Block access to Autorun.inf [AC9]
  • Block Password Reset Tool [AC10]
  • Block File Shares [AC11]
  • Prevent changes to Windows shell load points (HIPS) [AC12]
  • Prevent changes to system using browser and office products (HIPS) [AC13]
  • Prevent modification of system files (HIPS) [AC14]
  • Prevent registration of new Browser Helper Objects (HIPS) [AC15]
  • Prevent registration of new Toolbars (HIPS) [AC16]
  • Prevent vulnerable Windows processes from writing code [AC17]
  • Prevent Windows Services from using UNC paths [AC-23]
  • Block access to lnk and pif files [AC-24]
  • Block applications from running out of the recycle bin [AC-25]
None: You make a custom rule in Application Control in the cloud.
Client > Policies > Location-specific Settings > Allow user to enable and disable the application device control
No - Deprecated
Application Isolation
On-premises SEP
Symantec Endpoint Security
Not available
  • Browser Isolation policy
  • Office Isolation policy
  • PDF Renderer Isolation policy
  • Platform Isolation policy
  • Trusted Updater policy
Device Control policy
Support for Mac devices is available soon.
Policies (Device Control)
On-premises SEP
Symantec Endpoint Security
  • Hardware Device Control Lists
    • Blocked Devices
    • Devices Excluded From Blocking
  • Log detected devices
  • Notify users when devices are blocked or unblocked (Specify Message Text)
Policies > Policy Components > External Devices
  • List of external devices (hardware)
Policies > Default Device Control policy
  • Blocked External Devices
    • Log detected external devices
    • Notify users when external devices are allowed
  • Allowed External Devices (devices are excluded from blocking, an exception to a blocking rule)
    • Log detected external devices
    • Notify users when external devices are allowed
Device control works based only on Class ID (GUID) and Device ID.
Device control performs wildcard matches on Class ID or Device ID with the star character or asterisk (*).
Information available soon
The Hardware Device list includes many common device types by default.
Policies > Policy Components > External Devices
  • Contains Windows devices
  • System (default)
  • Custom (added manually by user)
  • Discovered
You can add additional custom devices to the Hardware Device list by Class ID or Device ID.
Policies > Policy Components > External Devices
  • Add External Device (one at a time)
  • Edit or Remove item from list (action menu, one at a time)
Applies to external devices on Windows.
Devices to block (or to exclude from blocking) are derived only from the Hardware Device list. The list includes those default common device types, as well as custom devices you may have added.
The picklist of devices comes from the global list. You can select which device(s) you want to block or exclude from blocking, and add them directly to the policy.
You can add more than one device type at a time.
Policies > Policy Components > External Devices
  • Add External Device (each device is added one at a time)
Policies > Device Control policy
  • Blocked External Devices
    • Add for Windows (can select multiple at once; can filter the list)
    • Remove (individually, from action menu for individual items)
  • Allowed External Devices:
    • Add for Windows (can select multiple at once)
    • Remove (individually, from action menu for individual items)
  • Control access for USB Mass Storage Devices:
    • Add (can select multiple at once; can filter the list)
    • Remove (can select multiple at once in the policy, then click Remove)
The actions to take are to block, or to exclude from blocking (allow).
You can block or allow external devices.
Customize the client notifications
You can enable and customize client notification for block and allow.
Endpoint Detection and Response (EDR)
Endpoint Detection and Response
On-premises SEP
Symantec Endpoint Security
SEP provides threat detections to EDR for further analysis. However, SEP itself has no built-in EDR functionality.
  • Customers now have a single view of endpoint activity recorder, Advanced Attack Technique events, and SEP events.
  • New and improved search tools provide unified, advanced search across all events. Search tools include:
    • Time-based filtering on relative ranges (e.g., "Last Week") and absolute ranges (start-end dates and times).
    • Pre-defined "quick filters" that filter for key items like MITRE tactics, detection technology, dual-use tools and many more.
    • User-specified custom filters built from any event data fields.
    • Ad-hoc, text-based filter creation using industry-standard Lucene Parser Syntax.
    • The ability to save queries.
  • A new Incidents tab under Alerts and Events in the left navigation bar. The tab provides a list of all incidents that a security analyst should investigate further, along with a description that explains the detection, the priority, and the number of impacted endpoints. Incidents are generated based on SEP, TAA, AAT and FDR events.
  • Detailed views of individual incidents, events, and involved entities (endpoints, files, domains, etc.).
  • Graphical representation of incidents that show the relationships between the elements of the incident.
  • The ability to comment on incidents by multiple investigators, and to close the commenting upon incident resolution.
  • Policy-based endpoint data recording configuration that includes:
    • Ability to assign the policy to specific device groups.
    • Scheduling when data is sent to EDR.
    • The types of data sent to EDR.
  • Streamlined EDR provisioning and on-boarding using the same device groups you've created for other endpoint security solutions.
Investigate Search - Event results grid enhancements
  • You want to quickly narrow search results to those that either match a specific field value, or exclude results that don't match a specific field.
    This release adds the ability to easily filter for a value, or filter out a value. When you expand a row on the results grid, hover over an event field to display a + icon and a - icon. Click the + icon to filter for a value; click the - icon to filter out a value.
  • You want to see at a glance which fields have null or empty values.
    Fields with null or empty values are now displayed with a long dash (—).
  • You want to see all dates in the fields as your local dates.
    Dates for all fields now show the local date.
  • Expanded event rows no longer show duplicate values.
Investigate Search - Filter
  • You want to be able to use special characters such as [ ] " . ! { } ~ ( ) \ : and ^ in a free-form search.
    With this release, you can now perform a word search (surround the word in double quotes) for words that contain special characters.
  • Boolean values are no longer case-sensitive.
  • You can now specify a Windows file path within a Regex query.
Incidents Page
  • You want to see the non-HTTP network events for IPS Incidents in the Incident Graph.
    The Incident Graph now shows IPS incident > non-HTTP network events.
  • The Incident first_seen value is now updated during Incident Update.
  • The AVE Incident Rule now excludes blocked events.
  • Only relevant incidents are now created by App Isolation block events on CDM.
  • Null incidents no longer appear for firewall block events on CDM.
Exceptions policy
Exceptions policy
On-premises SEP
Symantec Endpoint Security
Server-based exceptions:
  • Applications
    • (View) Watched Applications
    • Unwatched applications
    • Actions: Ignore, Log only, Quarantine, Terminate, Remove
  • Applications to monitor
    • Auto-Protect
    • Scheduled and on-demand scans
  • Extensions
  • Files
    • Prefix variables
  • Folders
  • Known risks
  • Trusted Web domain
  • Tamper Protection exceptions
  • DNS or Host File Change Exception
  • Certificate (new in 14.1)
Supported:
  • Certificate
  • Filename (File > Security Risk/SONAR)
    • Auto Protect
    • Scheduled and On-Demand scans
    • Behavioral Analysis
    • Tamper Protection
  • Web domain exception (Trusted web domain)
  • Hash (Application) Supports SHA-256 values only.
  • Path (Folder > Security Risk/SONAR)
    • Auto Protect
    • Scheduled and On-Demand scans
    • Behavioral Analysis
  • Extension (new; 14.2 RU1)
    • Auto-Protect
    • Scheduled and On-Demand scans
  • IPS Host (moved from IPS policy)
    • Host type - IP4/IP6 Address, Subnet, Range
Not supported:
  • Application to Monitor (Symantec Endpoint Security Complete)
  • File - Moved to Application Control
  • Folder - Application Control (Deprecated)
  • Known Risks (Deprecated. Don't do risk-based)
  • Tamper Protection (Available soon)
  • DNS or Host File Change Exception
  • Mac or Linux exceptions (Available soon)
Client-based exceptions/restrictions:
(Controls which exceptions end users can add on the client computer)
14 and earlier:
  • Application
  • Extension
  • File
  • Folder
    • Security Risk
    • SONAR
  • Known risks
  • Trusted web domain
  • DNS or Host File Change
  • Certificate - Use third-party content management*
14.1 to 14.2 MP1:
If Symantec Endpoint Protection Manager is enrolled in the cloud console, SEPM does not display the following client restrictions:
  • Application Exception
  • File Exception
  • Folder Exceptions > Security risk Exception/SONAR Exception
  • Trusted Web Domain Exception
  • Certificate Exception
In addition, on Windows clients that a cloud-based exceptions policy controls, these exceptions do not appear in the client user interface.
SEPM does display the following client restrictions, whether or not SEPM is enrolled.
  • DNS or Host File Change Exception
  • Extension Exception
  • Known Risks Exception
Client users cannot add their own exceptions. (Available soon)
Client exceptions
(How the client displays these exceptions)
  • Security Risks:
    • Known Risks
    • File
    • Folder
    • Extension
    • Web domain
  • SONAR > Folder
  • DNS Host File Change > Application
  • Application
There are no client-based exceptions for a cloud-controlled client.
Firewall policy
The Firewall policy is currently not available on Mac devices.
Firewall policy
On-premises SEP
Symantec Endpoint Security
Enable this policy
Firewall (On/Off toggle)
Default rules:
  • 13 rules
  • Inherit Firewall Rules from Parent Group
  • Enable rules
  • Move Up/Move Down
Default rules:
  • 13 rules
  • Inherit Firewall Rules from Parent Group - Deprecated. The cloud uses implied inheritance.
  • Enabled rules check box (On/Off toggle)
  • Cut/Paste (instead of Move Up/Move Down)
  • Export policies
Custom rules:
  • Add Rule wizard
  • Add Blank Rule
  • Delete Rule
  • Add
  • Delete
Add Blank Rule - Deprecated
Built-in rules:
Allowed Traffic Protocols
  • Enable Smart DHCP
  • Enable Smart DNS
  • Enable Smart WNS
  • Allow token ring traffic
Other:
  • Enable NetBIOS protection
  • Enable reverse DNS lookup
Allowed Traffic Protocols: No longer supported. Administrators can get these in the REST API.
Supported:
  • Enable Smart DHCP
  • Enable Smart DNS
  • Enable Smart WNS
  • Allow token ring traffic
Advanced Settings > Built-in Rules:
  • Enable NetBIOS protection
  • Enable reverse DNS lookup
The Block UPnP Discovery firewall rule is configured to not log events, to minimize the number of events that the client sends to the cloud.
Protection Settings:
  • Enable port scan detection
  • Enable denial of service detection
  • Enable anti-MAC spoofing
  • Automatically block an attacker's IP address
Stealth Settings:
  • Enable stealth mode Web browsing
  • Enable TCP resequencing
  • Enable OS fingerprint masquerading
Advanced Settings > Protection Settings:
  • Enable port scan detection
  • Enable denial of service detection
  • Enable anti-MAC spoofing
  • Automatically block an attacker's IP address
    • Number of seconds during which to block the IP address
Stealth Settings:
  • Enable stealth mode Web browsing
  • Enable TCP resequencing
  • Enable OS fingerprint masquerading
Windows Integration:
  • Disable Windows Firewall
    • No Action
    • Disable Once Only
    • Disable Always
    • Restore if Disabled
  • Windows Firewall Disable Message (Enable/Disable)
  • Disable Windows Firewall
    • No Action
    • Disable Once
    • Disable Always
    • Restore if Disabled
  • Enable Windows Firewall Disable Message (On/Off)
Peer-to-Peer Authentication Settings:
  • Maximum number of authentication attempts per session
  • Time between authentication attempts (seconds)
  • Time interval after which the remote computer can be reauthenticated (seconds)
  • Time that the rejected remote computer is blocked (seconds)
  • Time interval of inactivity between the authenticated computer and the client after which the session ends (seconds)
Exclude hosts from authentication
Planned for a future release
Security Settings
Clients > Policies tab > General > Security Settings tab
  • Block all traffic until the firewall starts and after the firewall stops
    • Allow initial DHCP and NetBIOS traffic
    • Enable secure communications between the management server and clients by using digital certificates for authentication
Advanced Settings > Security Settings
  • Block all traffic until the firewall starts and after the firewall stops
    • Allow initial DHCP and NetBIOS traffic
    • Enable secure communications: Deprecated
Client control user settings
Client-user server mode settings (Clients > Policies tab > Location-specific Settings > Server mode)
  • Allow users to perform security test
  • Amount of time before re-enabling Network Threat Protection
  • Number of times users are permitted to disable Network Threat Protection
  • Allow the following users to enable and disable the firewall
    • Windows Administrators only
    • All users
    • When the firewall is disabled:
      • Allow all traffic
      • Allow outbound traffic only
  • Block all traffic menu command
  • Configure unmatched IP traffic settings
    • Allow IP traffic
    • Allow only application traffic
      • Prompt users before allowing application traffic
Available now:
  • Allow users to perform security test (moved to User Interaction Settings)
  • Amount of time before re-enabling Network Threat Protection (Deprecated)
  • Number of times users are permitted to disable Network Threat Protection (Deprecated)
  • Allow the following users to enable and disable the firewall (moved to User Interaction Settings)
    • Windows Administrators only
    • All users
    • When the firewall is disabled:
      • Allow all traffic
      • Allow outbound traffic only
Not available yet:
  • Block all traffic menu command
  • Configure unmatched IP traffic settings
    • Allow IP traffic
    • Allow only application traffic
      • Prompt users before allowing application traffic
Notifications/Logging
Available soon:
  • Notification settings
  • End user notifications
  • Logging viewer and packet viewer
  • Host groups (Firewall and Intrusion Prevention policies)
  • Network service groups
  • Network adapter groups
  • Host groups (Firewall policy only) (Settings > Host groups)
  • Network service groups (available soon)
  • Network adapter groups (available soon)
Network Traffic Redirection policy
Not available yet.
Network Traffic Redirection policy (called Integrations in 14.3 MP1 and earlier)
On-premises SEP
Symantec Endpoint Security
Network Traffic Redirection (as of 14.3 RU1); called Web Security Services (WSS) Traffic Redirection (WTR) in earlier versions
Secure Connection
Local Proxy Service (part of WSS as of 14.2)
Available soon
Install the Symantec Web Security Service root certificate on clients to facilitate the protection of encrypted traffic
Available soon
Intrusion Prevention policy
You can enable/disable the IPS on Mac devices.
Intrusion Prevention policy
On-premises SEP
Symantec Endpoint Security
Support on both Windows and Mac devices
Can configure for Windows devices
Can enable/disable for Mac devices, and configure some options.
  • Enable Network Intrusion Prevention
    • Enable excluded hosts
  • Enable Browser Intrusion Prevention for Windows
    • Log detections but do not block
    • Log-only mode
Server Performance Tuning (as of 14.2 RU1)
  • Signature subset for servers
  • Out-of-band scanning
  • Audit Signatures: Add > Log, Enable, Disable
    Supports Windows devices only.
    You can configure one or more signature exceptions before you select Submit.
  • Signature action exceptions: Add > Log, Enable, Disable
    Supports Windows and Mac devices.
    You can configure one or more signature exceptions before you select Submit.
  • Advanced Settings
    • Intrusion Prevention - On or Off
    • Browser Protection - Enable, Disable, Log
      (New name for Browser Intrusion Prevention)
      Browser Protection not available for Mac.
    • Server Performance Tuning: includes out-of-band scanning and signature subset for servers.
    • Excluded hosts moved to Allow List policy.
Exceptions:
  • Show category
    • All
    • Browser Protection (335 signatures)
      Note: Custom exceptions are not supported for Browser Protection signatures.
    • Intrusion Prevention signatures
  • Show severity (All, High, Medium, Low)
  • Handled in policy under Signature Action Exceptions.
  • You can also add exclusions through Alerts and Events > Event type: IPS. When you view the details of the event, you can add exclusions, and edit the policy.
Show or hide user notifications
You can enable or disable notifications for Windows and Mac devices. Notifications are only sent for enabled signatures.
Show Advanced lets you customize the notification message for Windows devices.
Custom IPS signatures
Available soon
Downloading the latest IPS signatures: The LiveUpdate Content policy
No LiveUpdate Content policy exists in Endpoint Security. LiveUpdate downloads the IPS signatures automatically through the System policy. You cannot configure the client to not get signatures.
Client package includes IPS
The advanced settings under Settings > Installation Package include an option that is selected by default, Server-optimized installation, which does not include IPS. However, desktop operating systems ignore this setting and IPS is always installed. You cannot disable IPS on the client.
User interaction on the client
The settings for Intrusion Prevention and Memory Exploit Mitigation are found under the Client User Interface Settings. You find these controls in Symantec Endpoint Protection Manager under Clients > Group Name > Policies > Location-specific Policies and Settings > Location-specific Settings.
  • Display Intrusion Prevention and Memory Exploit Mitigation notifications
    • Use sound when notifying user
    • Additional text for notifications
Notifications are enabled by default for Windows and Mac devices in the Intrusion Prevention policy. You can enable or disable the notifications, which are only sent for enabled signatures.
For Windows devices, you can customize the notification message under Show Advanced.
Sound: Deprecated
Host Integrity policy
Not available on Windows or Mac devices.
Host Integrity policy
On-premises SEP
Symantec Endpoint Security
When should Host Integrity checks be run on the client?
  • Always do Host Integrity checking
  • Only do Host Integrity checking when connected to the management server
  • Never do Host Integrity checking
Host Integrity Requirements
  • Antivirus requirement
  • Antispyware requirement
  • Firewall requirement
  • Patch requirement
  • Service pack requirement
  • Custom requirement
Available soon
Advanced Settings
Host Integrity Checking Options
  • Check Host Integrity every: minutes/hours/days
  • Keep results of check for: minutes/hours/days
  • Continue to check requirements after one fails
Remediation Dialog Options
  • Allow the user to cancel remediation for:
    - Minimum and Maximum times: 2 minutes to 4 weeks
  • Number of times the user is allowed to cancel remediation
Notifications
  • Show verbose Host Integrity Logging
  • Display a notification message when a Host Integrity check fails
  • Display a notification message when a Host Integrity check passes after previously failing
Available soon
LiveUpdate Settings policy (System policy)
In Endpoint Security, the System policy replaces the LiveUpdate Settings policy.
LiveUpdate Settings policy
On-premises SEP
Symantec Endpoint Security
Use the default management server
Deprecated - not needed
Use a LiveUpdate server (internal or external)
  • Use the default Symantec LiveUpdate server
  • Use the Symantec LiveUpdate server for prereleased content (Early Adopter server)
  • Use a specified internal LiveUpdate server
  • Use the default internal LiveUpdate server
  • Use the Symantec LiveUpdate server for prereleased content
  • Use a specified internal LiveUpdate server
FTP server mode (active or passive)
Deprecated - not needed
Use a Group Update Provider
  • Multiple GUPs
  • Explicit GUPs
  • Single GUPs
    - Maximum time that clients try to download updates from a GUP before trying the default management server
GUP settings
  • Default port
  • Maximum disk cache size allowed for downloading updates
  • Delete content updates if unused
  • Maximum number of simultaneous downloads to clients
  • Max bandwidth allowed for GUP downloads from the management server
  • Max bandwidth allowed for client downloads from GUP
Available soon: The GUP will work differently
Enable third party content management
Use third-party content management
HTTP/HTTPS proxy server
  • I do not want to use a proxy server for HTTP/HTTPS
  • I want to use my Windows Internet Options proxy settings
  • I want to customize my HTTP or HTTPS settings
  • Host proxy
  • HTTP/HTTPS port
  • Authentication required
  • User name/password
  • NT LAN Manager Authentication
FTP proxy server
  • I do not want to use a proxy server for FTP
  • Use the proxy server by the client browser (default)
  • I want to customize my FTP settings
  • Server address
  • Port
HTTP/HTTPS proxy server
  • Do not use a proxy server for HTTP/HTTPS
  • Use my Windows Internet Options proxy settings
  • Use custom HTTP or HTTPS settings
  • Host proxy/HTTP/HTTPS port
  • Select Authentication required
  • Basic Authentication (User name/password)
  • NT LAN Manager Authentication - Deprecated
FTP proxy server
  • Do not use a proxy server for FTP
  • Use the proxy server by the client browser (default)
  • Use custom FTP settings
  • Server address
  • Port
LiveUpdate proxy configuration for client to management server communication (Clients page > Policies tab > External Communications)
Deprecated. This functionality is not needed for the cloud. However, for client-to-cloud communication or for cloud enrollment, this functionality is combined with the proxy configuration settings in the new System policy. The System policy covers cloud-client communication.
Run Intelligent Updater to update content
  • Virus and spyware definitions
  • SONAR
  • IPS definitions
Not needed at this time.
LiveUpdate Schedule
  • Enable LiveUpdate Scheduling
  • Frequency
  • Retry window
  • Download randomization
  • Delay scheduled LiveUpdate until the computer is idle
  • Options for skipping LiveUpdate
    • LiveUpdate runs only if Virus and Spyware definitions are older than x
    • LiveUpdate runs only if the client is disconnected from SEPM for more than x
  • Enable LiveUpdate Scheduling
  • Frequency
  • Retry window
  • Download randomization
  • Idle detection
  • Options for skipping LiveUpdate - Deprecated
Advanced Settings:
  • Allow the user to manually launch LiveUpdate (No current plans)
    • Allow the user to modify the LiveUpdate schedule
    • Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate
  • Download security patches to fix the vulnerabilities in the latest version of the agent
  • Download smaller client installation packages from a LiveUpdate server
Planned for a future release:
  • Allow the user to manually launch LiveUpdate
No future plans:
  • Allow the user to modify the LiveUpdate schedule
  • Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate
Deprecated:
  • Download security patches to fix the vulnerabilities in the latest version of the agent
    - By default, this occurs when the client autoupgrades. No need for the admin to control this.
  • Download smaller agent installation packages from a LiveUpdate server
    - By default, this occurs when the agent autoupgrades. No need for the admin to control this.
Use standard HTTP headers
Deprecated
LiveUpdate Content policy (System policy)
In Symantec Endpoint Security, the content is downloaded automatically and you do not have the ability to configure which content you want to download to clients.
LiveUpdate Content policy
On-premises SEP
Symantec Endpoint Security
Security definitions
  • Virus and Spyware definitions
  • SONAR heuristic signatures
  • Intrusion Prevention signatures
  • Submission Control signatures
  • Reputation settings
  • Endpoint Detection and Response
  • Common Network Transport Library and Configuration
  • Advanced Machine Learning
  • WSS Traffic Redirection
Host Integrity Requirements
  • Antivirus requirement
  • Antispyware requirement
  • Firewall requirement
  • Patch requirement
  • Service pack requirement
  • Custom requirement
Available now:
  • These same definitions are downloaded to the client by default, except for:
    • WSS Traffic Redirection
    • Endpoint Detection and Response
  • The content is not a one-for-one match in the cloud.
Available soon:
  • You have the ability to control which definitions are downloaded:
    WSS Traffic Redirection
Locking on a specific set of definitions
  • Use latest version
  • Select a revision
  • Select an engine version
Moved to System policy with the following changes:
  • Previous release
    - New. This is the release before the current/latest release and is the most stable.
  • Latest release
    - Same as the Symantec Endpoint Protection Manager, but not as stable as the Previous release
  • Select a revision
    - Deprecated
  • Prerelease
    - Changed (engine version). This is the beta version of the release and is the least stable.
Download content from LiveUpdate Administrator to Symantec Endpoint Protection Manager
  • Client product updates
  • Client security patches
  • Virus and Spyware definitions
  • SONAR heuristic signatures
  • Intrusion Prevention signatures
  • Host Integrity content
  • Submission Control signatures
  • Reputation Settings
  • Extended File Attributes and Signatures
  • Common Network Transport Library and Configuration
  • Endpoint Detection and Response
  • Advanced Machine Learning
  • WSS Traffic Redirection
  • Application Control content
Deprecated. LiveUpdate Administrator downloads the content directly to the cloud console.
Disk Space Management: Number of content revisions to keep
Uses the default setting.
Available soon: The ability for you to control this setting
Download Schedule
Deprecated; not needed.
Platforms to Download (Mac, Windows 32-bit, 64-bit)
Uses the default setting.
Available soon: The ability for you to control this setting
Languages to Download
Uses the default setting.
Available soon: The ability for you to control this setting
Memory Exploit Protection (MEM) policy
Mac devices are currently not supported.
Memory Exploit Mitigation first shipped in 14 as Generic Exploit Mitigation and was renamed in 14 MP1. If you run 14.1 to 14.2 MP1 clients, you can use a MEM policy from either Symantec Endpoint Protection Manager or from the cloud. Endpoint Security calls the policy type Exploit Protection.
Memory Exploit Protection policy
On-premises SEP
Symantec Endpoint Security
Enable Memory Exploit Mitigation
You cannot modify a MEM policy in SEPM while a cloud-based policy is in use.
Memory Exploit Mitigation protection toggle (On/Off)
General Settings:
  • Set the protection action for all applications to log only
  • Choose a protection action for all applications in this list (Default/Yes/No/Log Only)
General Settings:
  • Run in monitor mode
  • Enable Java Protection (Off/On/Log)
Custom applications (No)
Custom applications - Protection for Admin Selected Application. You can add them directly in Endpoint Security or from Application Isolation.
Choose a mitigation technique
Mitigation techniques:
  • DllLoad
  • EnhASLR
  • ForceASLR
  • ForceDEP
  • HeapSpray
  • NullProt
  • RopCall
  • RopHeap
  • SEHOP
  • StackNX
  • StackPvt
Global override for mitigation techniques protection (Off/On/Log/Default (On))
Mitigation techniques: Same as the 14.x version
Application Rules (Protected check box)
Protection for Symantec Recommended Application Coverage (Enabled/Disabled)
Virus and Spyware Protection policy (Antimalware)
The cloud console has a single default Antimalware policy, which aligns most closely with the default Virus and Spyware Protection policy - Balanced in Symantec Endpoint Protection Manager. There are no plans to add a default High Performance or High Security policy.
The 14.1/14.2 cloud console supports Auto-Protect only.
*Supported on Mac devices.
Policies: Virus and Spyware Protection/Antimalware
On-premises SEP (Virus and Spyware)
Symantec Endpoint Security
(Antimalware)
Administrator-defined scans:
  • Scheduled scans (Active, Full, Custom)
  • On-demand scans
  • Startup scans
  • Triggered scans
  • Scheduled scan templates
Available now:
  • *Scheduled scans (Active, Full)
Available soon:
  • Custom scan
  • On-demand scans
  • Triggered scans
  • Startup scans
  • Scheduled scan templates (TBD)
Scan Details:
  • Scan all types
  • Scan only selected extensions
  • Enhance the scan by checking (Memory (Custom), Common infection locations (Custom), Well-known virus and security risk locations)
Advanced Scanning Options:
  • Compressed files
  • Storage migration options
  • Tuning options
Enable Insight Lookup
Uses default settings (the ability to configure these settings is deprecated):
  • Scan all types
  • Enhance the scan by checking (Well-known virus and security risk locations)
    • Not available - Memory (Custom), Common infection locations (Custom)
  • Advanced Scanning
    • Tuning options
Insight Lookup is part of Intensity Level setting
Scheduled scans (Schedule):
  • Daily, weekly, monthly
  • Scan duration (until finished, up to x hours, randomized)
  • Missed scheduled scans (retry the scan within x hours)
Daily, weekly, monthly
Uses default settings (the ability to configure these settings is deprecated):
  • Randomized scheduled scans
  • Retry missed scheduled scans
Actions:
  • Detections (types of risk that detections take an action on):
    • Malware (Virus)
    • Security Risks:
      • Adware
      • Cookie
      • Dialer
      • Hack Tool
      • Joke Program
      • Misleading Application
      • Parental Control
      • Remote Access
      • Security Assessment Tool
      • Security Risk
      • Spyware
      • Trackware
  • Remediation (first and second actions for detections)
    • Clean risk (applies to malware only)
    • Quarantine risk
    • Delete risk
    • Leave alone (log only)
    The actions apply to categories of malware and security risks that Symantec periodically updates.
  • Remediation (other):
    • Back up files before attempting to repair them
    • Terminate processes automatically
    • Stop services automatically
Remediation actions: Deprecated. The cloud determines the best course of action.
Remediation (other):
  • Back up files before attempting to repair them - On by default, you cannot disable it.
  • Terminate processes automatically - Deprecated
  • Stop services automatically - On by default, you cannot disable it.
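The on-premises Actions settings above define a first and a second remediation action per risk category, with Clean restricted to malware and an optional backup before repair. The Python below is an added example that simulates that fallback order; it is not SEPM's or the agent's code. The `Detection.repairable` flag stands in for the engine's repair verdict, and the defaults in `default_policy()` are assumed for the illustration rather than Symantec's shipped defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Categories taken from the on-premises Actions list above.
MALWARE = "Malware"
SECURITY_RISKS = {
    "Adware", "Cookie", "Dialer", "Hack Tool", "Joke Program", "Misleading Application",
    "Parental Control", "Remote Access", "Security Assessment Tool", "Security Risk",
    "Spyware", "Trackware",
}

# Remediation actions from the list above.
CLEAN = "Clean risk"
QUARANTINE = "Quarantine risk"
DELETE = "Delete risk"
LEAVE_ALONE = "Leave alone (log only)"


@dataclass
class Detection:
    path: str
    category: str
    repairable: bool   # constructed stand-in for the engine's verdict on whether Clean can succeed


@dataclass
class Outcome:
    action_taken: str
    log: List[str]


def default_policy() -> Dict[str, Tuple[str, str]]:
    """(first action, second action) per category; assumed defaults, not SEPM's shipped values."""
    policy = {MALWARE: (CLEAN, QUARANTINE)}
    for risk in SECURITY_RISKS:
        policy[risk] = (QUARANTINE, LEAVE_ALONE)
    return policy


def apply_action(action: str, det: Detection, backups: List[str]) -> bool:
    """Simulate one action and report whether it succeeded."""
    if action == CLEAN:
        if det.category != MALWARE:
            return False                      # Clean applies to malware only
        backups.append(det.path)              # "Back up files before attempting to repair them"
        return det.repairable
    if action in (QUARANTINE, DELETE, LEAVE_ALONE):
        return True                           # always possible in this simulation
    raise ValueError(f"unknown action {action!r}")


def remediate(det: Detection, policy: Dict[str, Tuple[str, str]], backups: List[str]) -> Outcome:
    """Try the first action, fall back to the second, and log only if both fail."""
    if det.category != MALWARE and det.category not in SECURITY_RISKS:
        raise ValueError(f"unknown category {det.category!r}")
    log: List[str] = []
    for action in policy[det.category]:
        ok = apply_action(action, det, backups)
        log.append(f"{det.path}: {action} -> {'ok' if ok else 'failed'}")
        if ok:
            return Outcome(action, log)
    log.append(f"{det.path}: no configured action succeeded, logged only")
    return Outcome(LEAVE_ALONE, log)
```

The cloud column removes this configuration entirely ("the cloud determines the best course of action"), so the migration question is whether any of your on-premises policies rely on a non-default first/second pair; those pairs have no direct counterpart in the Antimalware policy.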
Actions to take while a scan is running:
  • Stop the scan
  • Pause a scan
  • Snooze a scan
  • Scan only when the computer is idle
Planned for a future release
Auto-Protect:
  • Enable Auto-Protect
  • Scan all files
  • Scan only selected extensions
  • Determine file types by examining file contents
  • Scan for security risks
  • Scan files on remote computers
  • Scan when files are accessed, modified, or backed up
  • Scan floppies for boot viruses, with the option to delete the boot virus or log it only
  • Always delete newly created infected files or security risks
  • Preserve file times
  • Tune scan performance for scan speed or application speed
  • Emulator for packed malware
*Auto-Protect:
  • Enable Auto-Protect
  • Load Auto-Protect when computer starts (new in Endpoint Security)
  • Enable file cache
    • File cache size 30000 files
  • Enable Risk Tracer
    • Resolve the source computer IP address
    • Poll for network sessions every 1000 milliseconds
  • Scan when files are accessed, modified, or backed up
  • Do not scan files when trusted processes access the file
  • Always delete newly created infected files
  • Specify network options for scanning files on remote computers
    • Scan files on remote computers (from Global Scan options)
      • Only when files are executed
    • Network cache
      • Keep 30 entries
      • Delete entries after 600 seconds
Not available:
  • Scan floppies for boot viruses, with the option to delete the boot virus or log it only - Deprecated
  • Always delete newly created infected files or security risks - TBD
  • Preserve file times - On by default; but you cannot disable it.
  • Tune scan performance for scan speed or application speed - Planned for a future release
  • Emulator for packed malware - On by default, but you cannot disable it
Email scans:
  • Microsoft Outlook Auto-Protect
    • Enable Microsoft Outlook Auto-Protect; Scan all files; Scan only selected extensions; Scan files inside compressed files
  • Internet Email Auto-Protect (deprecated as of 14.2 RU1; still available for legacy installation packages)
  • Lotus Notes Auto-Protect (deprecated as of 14.2 RU1; still available for legacy installation packages)
  • *Microsoft Outlook Auto-Protect (On/Off only)
  • Internet Email Auto-Protect - Deprecated
  • Lotus Notes Auto-Protect - Deprecated
Intensive Protection (the on-premises features that the Intensity Level setting replaces):
  • Download Insight
  • Bloodhound
  • Insight lookups
  • SONAR
The Intensity Level setting includes:
  • Virus and Spyware Protection policy detection actions
  • Bloodhound settings
  • Download Insight Sensitivity setting
  • Download Insight prevalence, first-seen, and intranet options
  • SONAR heuristic detection, SONAR aggressive mode, and SONAR suspicious behavior settings
The default Intensive Protection blocking level is less aggressive than the most aggressive Bloodhound setting in a Virus and Spyware Protection policy. If your current policies specify Bloodhound at its highest level, you might need to increase the Intensive Protection level.
SONAR:
Scan Details:
  • High risk/Low risk detection (Log, Remove, Quarantine, Disabled)
  • Enable aggressive mode
  • When detection found:
    • Show alert upon detection
    • Prompt before terminating a process
    • Prompt before stopping a service
System Change Events:
  • DNS change detected (Ignore, Prompt, Block, Log)
  • Host file change detected (Ignore, Prompt, Block, Log)
Suspicious Behavior Detection
  • Enable Suspicious Behavior Detection
  • High risk/Low risk detection (Ignore, Prompt, Block, Log)
Network Settings:
  • Scan files on remote computers
Renamed as Behavioral analysis*
  • Enable behavioral analysis
  • DNS change detected (Ignore, Log Only, Block)
  • Host file change detected (Ignore, Log Only, Block)
  • Scan files on remote computers
Other
  • Show alert upon detection (In User Notifications Settings)
  • Prompt before terminating a process - Deprecated; disabled by default
  • Prompt before stopping a service - Deprecated; disabled by default
  • Suspicious Behavior Detection (included in Intensity Level setting)
Early Launch Anti-Malware Driver
  • When a potentially malicious driver is detected
*Enable Symantec early launch antimalware
  • When a potentially malicious driver is detected - Deprecated
Notifications
Administrator-defined scan:
  • Display a notification message on the infected computer
Auto-Protect:
  • Display a notification message on the infected computer
  • Display the Auto-Protect results dialog on the infected computer
Microsoft Outlook Auto-Protect:
  • Display a notification message on the infected computer
Download Protection:
  • Display a notification message on the infected computer
Miscellaneous:
  • When definitions are outdated
  • When the agent is running without virus definitions
  • Display error messages with a URL to a solution
Notifications from the various Virus and Spyware features are consolidated into one place in the Antimalware policy > User Notifications Settings:
  • Show antimalware scan results on the infected device
    • Set scheduled and manual scan results to show (All detections, Only medium and high, Always (scan progress))
    • Display a notification message to the user on infected computer
    • Display notifications about detections when the user logs on
  • When definitions are outdated (part of Download Insight)
  • When the agent is running without virus definitions - Moved to the Devices page; shows the device At Risk.
  • Custom messages - Deprecated
  • Display error messages with a URL to a solution - Deprecated
Quarantine
General tab:
  • Actions for when new virus definitions arrive
  • Local quarantine options (default or custom folder)/Allow client computers to automatically submit quarantined items to a Quarantine Server
Cleanup tab:
  • Enable automatic deleting of repaired files
  • Enable automatic deleting of backup files
  • Enable automatic deleting of quarantined files that could not be repaired
  • Actions for when new definitions arrive - Uses the default setting and is part of Intensity Level setting
  • Quarantine Server support - Deprecated
  • Cleanup options - On by default; you cannot disable them.
Quarantine a device command (Devices > Managed Devices tab > Actions menu > Quarantine command).
Global Scan Options
  • Enable Insight for (Symantec and Community trusted, Symantec trusted)
  • Enable Bloodhound detection to scan files for suspicious behavior (Automatic, Aggressive)
  • Ask for a password before scanning a mapped network drive
  • Display notifications about detections and remediations when the user logs on
  • Insight - Part of Advanced Intensity Settings. You cannot disable the setting.
  • Bloodhound - Part of Intensity Level setting. You cannot disable the setting.
  • Ask for password before scanning mapped network drive - Deprecated
  • Display notifications about detections - Part of User Notifications Settings.
Miscellaneous
  • Disable Windows Security Center
  • Internet Browser Protection
  • Log handling options
  • Virtual Image Exception
  • Shared Insight Cache
  • Disable Windows Security Center - TBD
  • Internet Browser Protection - in IPS policy (Enable/Disable, Log)
  • Log handling options - Enabled by default. You cannot disable them.
Planned for a future release:
  • Virtual Image Exception
  • Shared Insight Cache
Policy Components
In the cloud console, you find these components in Policies > Policy Components.
On-premises SEP
Symantec Endpoint Security
Scheduled Scan Templates
No plans for templates. You can use scheduled scan only.
Management Server Lists
Deprecated - There are no Symantec Endpoint Protection Managers.
Host Groups
Yes:
Policies > Policy Components > Host Groups
Network Services
Available soon
Network Adapters
Available soon
Hardware Devices
Yes: Policies > Policy Components > External Devices
Client Features
  • The Symantec Endpoint Protection client in SEP is called the Symantec Agent in SES. They are the same client.
  • Client computers in SEP are called devices in SES.
Client installation/Device discovery
You access most client installation features by selecting:
  • Symantec Endpoint Protection Manager: Admin > Install Packages > Client Install Settings
  • Symantec Endpoint Security: Settings > Installation Package
The endpoint software is called the Symantec Endpoint Protection client in Symantec Endpoint Protection and the Symantec Agent in Symantec Endpoint Security.
Client installation packages
On-premises SEP
Symantec Endpoint Security
Deploy client installation package from
Symantec Endpoint Protection Manager
:
  • Save package
  • Remote push
  • Web link and email
The Symantec Agent replaces the Symantec Endpoint Protection client.
Deploy the Symantec Agent from Symantec Endpoint Security:
  • Installation package creator (Creates a package that either installs directly or that you can deploy for installation - similar to Save package)
    Installation package creator is not available for Linux.
  • Direct installation package (Downloads package components that install directly to the device; new to Endpoint Security)
  • Invite users (Web link and email)
  • Push enrollment (Remote push)
    Push enrollment is not available for Mac and Linux.
Installation type includes: Interactive, Silent, and Show progress bar only
Installation type includes: Interactive, Silent, and Show progress bar only. Not available for Mac and Linux; by default, the installation is Silent.
Customizable installation folder (Client Install Settings)
Installation folder specification:
(Show More > Advanced Options)
  • Install to the default installation folder
  • Install to a custom installation folder
Not available for Mac and Linux.
Custom feature sets (Client Install Feature Set):
  • Full Protection for Clients
  • Full Protection for Servers
  • Basic Protection for Servers
Symantec Agent protection features available for Windows workstations depend on activated products:
  • Malware Protection
  • Behavioral Analysis
  • Device Control
  • Intrusion Prevention
  • Exploit Protection
  • Firewall
  • Microsoft Outlook Auto-Protect
  • Application Control and Application Isolation
  • Active Directory Defense
  • Endpoint Detection and Response
  • Secure Connection
The Protection settings for Windows servers option is intentionally limited to servers only. Workstations ignore this setting. There is no plan for the granular settings that Symantec Endpoint Protection Manager has.
Full installation (Same as Full Protection for Servers) includes:
  • Malware Protection
  • Behavioral Analysis
  • Device Control
  • Intrusion Prevention
  • Exploit Protection
  • Firewall
Server-optimized installation (Same as Basic Protection for Servers) includes:
  • Malware Protection
Protection features available for Mac:
  • Malware Protection
  • Device Control
  • Intrusion Prevention
  • Firewall
Protection features available for Linux:
  • Malware Protection
Option to include virus definitions in installation package: Client Deployment Wizard > New package > Content Options
Virus definitions in the deployment package is implemented but not supported.
Not available for Mac and Linux.
Set restart type for clients:
  • Forced
  • Delayed
  • No restart
  • Custom restart
Depending on selection this can be:
  • Immediately
  • At this time (or up to this time), on the next occurrence of this day, with time randomization
Restart type:
(Show More > Advanced Options)
  • No Restart
  • Immediate Restart (Forced)
  • Delayed (scheduled, up to this time, on the next occurrence of this day, with time randomization)
Not available for Mac and Linux.
Restart settings for forced, delayed, and custom:
  • No prompt
  • Prompt with a countdown, X minutes
  • Prompt and allow snooze until X (not always available)
Other options, depending on restart type:
  • Hard restart
  • Restart immediately if the user is not logged in
Restart settings:
(Show More > Advanced Options)
  • No prompt
  • Prompt with a countdown of X minutes
  • Prompt and allow user to delay restart until X
    - Restart message
Other:
  • Hard restart
  • Restart immediately if the user is not logged in
Not available for Mac and Linux.
Client software removal options
  • Do not uninstall existing security software
  • Automatically uninstall existing third-party security software
  • Remove existing Symantec Endpoint Protection client software that cannot be uninstalled (Cleanwipe) (14)
Software removal settings
(Show More):
  • Do not uninstall existing security software
  • Automatically uninstall existing third-party security software
  • Remove existing Symantec Agent software that cannot be uninstalled (Cleanwipe) (14)
Not available for Mac and Linux.
Reduced-size definitions
Deprecated
Upgrade client software (AutoUpgrade)
AutoUpgrade is not available on Mac and Linux devices. To upgrade the client software on Mac or Linux device, you must reinstall a new client installation package.
System policy (AutoUpgrade options)
On-premises SEP
Symantec Endpoint Security
Automatically upgrade the client (Upgrade Clients with Package wizard)
  • Maintain existing client features when updating
  • Select features (Full Protection for Clients, Full Protection for Servers, Basic Protection for Servers)
  • Install Settings (Default Standard client installation settings, Embedded or VDI, Dark Network)
  • Include new content types in the client installation package
  • Upgrade schedule (From - to, Distribute upgrades over x days)
  • Notifications
    • Notify users before an upgrade
    • Notification message (use Default)
  • Allow users to postpone the upgrade process (maximum and minimum time)
  • Maintain existing client features when updating - Deprecated
    (Not needed- The client doesn't change features when updating. Instead, LiveUpdate downloads the feature difference.)
  • Select features - Deprecated
    Not needed. The upgraded package uses the same features as in the client installation package.
  • Install Settings - Only standard-size package is supported. There are no current plans for dark, embedded.
  • Include new content types - No. The cloud always uses LiveUpdate and no other method.
  • Upgrade schedule - The upgrade options are the same.
  • Notifications - Includes a standard but customizable message.
  • Allow users to postpone the upgrade process - Uses the Restart Type and Settings
Choose a server to download package from
  • Download from the management server
  • Download from the following URL
Uses LiveUpdate only, as the management server is not involved. The admin configures this in the System policy > LiveUpdate Server & Schedule section.
Restart options:
  • The upgrade completes in Client Install Settings
  • Virus definitions are installed on the client
Includes an option to not restart the Windows client computer.
Restart type:
  • Immediate restart
  • No Restart
  • Scheduled Restart
Restart Settings:
  • No prompt
  • Prompt with a countdown of x minutes
  • Prompt and allow user to delay restart until x
Upgrades from an earlier version:
You can upgrade to the latest version of Symantec Endpoint Protection from any earlier version, based on the supported upgrade path.
Release channel (Client Upgrade Settings): Moved to System policy with the following changes:
  • Previous release
    - This is the release before the current/latest release and is the most stable.
  • Latest release
    - Same as in the Symantec Endpoint Protection Manager, but not as stable as the Previous release.
  • Select a revision
    - Removed.
  • Prerelease
    - Changed (engine version). This is the beta version of the release and is the least stable.
Client management and general protection
Not yet available on Mac or Linux devices.
Client management and general protection
On-premises SEP
Symantec Endpoint Security
Run commands on clients from the management server:
  • Scan
  • Update content
  • Update content and scan
  • Start Power Eraser analysis
  • Restart client computers
  • Enable Auto-Protect
  • Enable/Disable Network Threat Protection
  • Enable/Disable Download Insight
  • Collect File Fingerprint List
  • Delete from Quarantine**
  • Cancel all scans**
Run commands on devices from the cloud console:
  • Scan
  • Update content
  • Restart
Server control, client control, mixed control
  • Mixed control - Deprecated.
  • Server control/Client control - The settings on these pages have mostly been removed; they are enabled by default and not visible to the user. A few settings are visible to the client user if the admin makes them visible. In each policy, these types of settings are under User Interaction Settings.
Low bandwidth mode (new in 14.1)
System policy > General settings:
  • Run in low Bandwidth Mode
  • Allow the user to request an exception for a blocked event (only available if you have Application Control enabled)
Password protecting the client
(Clients > Policies tab)
  • Require a password to open the client user interface
  • Require a password to stop the client service
  • Require a password to uninstall the client
  • Require a password to import or export a policy and to import client communication settings
  • Apply password settings to non-inherited subgroups
  • Password/Confirm Password
Symantec Endpoint Security:
  • Require a password to open the client user interface
  • Require a password to stop the client service
  • Require a password to uninstall the client
  • Require a password to import or export a policy and to import client communication settings
  • Apply password settings to non-inherited subgroups - Deprecated. Not needed; groups use natural inheritance from cloud.
  • Password/Confirm Password
  • Move clients to a different management server by running the SylinkDrop tool
  • Move clients to a different management server by redeploying a client package with the Communication update package deployment option
The cloud does not have management servers, but it does have domains. In both cases, use one of the following methods:
  • You move the client to another domain or a custom domain (rare case).
  • Use the FSD package by redeploying the client package or enrolling in a new domain.
Configure client submissions of pseudonymous security information to Symantec
Enabled by default. You can't disable it; however, the ability to control this may be available later.
Configure clients to securely submit pseudonymous system and usage information
Not available
Manage the external communication between the management server and the clients
  • Management server lists
  • Communication mode (push or pull)
  • Set heartbeat interval
  • Upload learned applications
  • Upload critical events immediately
  • Set download randomization
  • Set reconnection preferences
No - Deprecated because the management server isn't used.
Upload critical events immediately runs by default.
Configure clients to use private servers
  • Advanced Threat Protection server for Insight lookups and submissions
  • Private Insight server for Insight lookups
Note: ATP is renamed to Endpoint Detection and Response (EDR).
No - Deprecated
Proxy support
Proxy server used for client installation and enrollment. Used for LiveUpdate Server as well.
Unmanaged detector
Partial support - Endpoint Security includes on-demand detection of unmanaged devices, where the cloud looks for and finds unmanaged devices continuously. This feature is more advanced but not automatic. See Devices > Unmanaged Devices.
Set User Information Collection
Deprecated
Mac Agent features
Mac Agent features
Option
Symantec Endpoint Security
Installation
  • Installation package creator: Creates a package that either installs directly or that you can deploy for installation - similar to Save package
  • Direct installation package: By default, installation is Silent. Customization is not available on Mac.
  • Customizable installation folder (Client Install Settings): Only for restart and upgrade. You cannot customize the installation folder. Installation logging always writes to /tmp/sepinstall.log.
Policies
Available now:
Antimalware:
  • Scheduled scans (quick and full)
  • Turn on/off AutoProtect
  • Turn on/off behavioral analysis
  • Turn on/off Symantec early launch antimalware
  • Turn on/off Microsoft Outlook Auto-Protect
Intrusion Prevention:
  • Turn on/off Intrusion Prevention
  • Signature action exceptions
  • Turn on/off user notifications
Available soon:
  • Device Control
  • Firewall
  • Allow List
  • Deny List
Device commands (such as Run LiveUpdate, Scan Now, Quarantine)
Linux Agent features
Linux Agent features
Option
Symantec Endpoint Security
Installation
Installation package creator: Creates a package that either installs directly or that you can deploy for installation - similar to Save package
Policies
Antimalware:
  • Intensity Level
  • Scheduled scans (quick and full)
  • Turn on/off AutoProtect
  • Turn on/off behavioral analysis
  • Turn on/off Symantec early launch antimalware
  • Turn on/off Microsoft Outlook Auto-Protect
Intrusion Prevention:
  • Turn on/off Intrusion Prevention
  • Signature action exceptions
  • Turn on/off user notifications
Log settings for clients
Client log settings
On-premises SEP
Symantec Endpoint Security
Log settings on
Symantec Endpoint Protection Manager
for the clients
Set size and retention options for logs that are maintained on the client computers:
Client Activity, System, Security and risk, Security, Traffic, Packet, Control
Not available yet.
Risk log settings:
  • Delete acknowledge notifications after 30 days
  • Delete risk events after 60 days
  • Delete scan events after 30 days
  • Compress risk events after 7 days
  • Delete unacknowledged notifications after 30 days
  • Delete commands after 30 days
  • Delete EICAR events
No plans
Management Features
Symantec Endpoint Security replaces the management server (Symantec Endpoint Protection Manager) with a global cloud console, Integrated Cyber Defense Manager (ICDm).
An upgrade wizard is available to migrate Symantec Endpoint Protection Manager policies to Symantec Endpoint Security.
Management console
Console
On-premises SEP
Symantec Endpoint Security
Symantec Endpoint Protection Manager
(SEPM)
Integrated Cyber Defense Manager (ICDm).
  • My Tasks > Tasks page - Collects actions and displays them based on their status, severity, and which feature they belong to. When the admin completes a task, it moves from the pending to the completed category.
  • My Tasks > Playbooks - Runs preconfigured workflows on demand on multiple devices.
Management server
Installation, domains, sites, replication, servers, licenses
On-premises SEP
Symantec Endpoint Security
Installing Symantec Endpoint Protection Manager
Deprecated. You install an agent, but not the management server.
Domains:
Add, remove, edit a domain
For hybrid management, you enroll a SEPM domain in Integration > Enrollment (14.0.1 and later).
For cloud-only management you can use the following domains:
  • Default (production) domain (paid subscription): Create, rename, or delete (Settings > Domain Management or the Domain drop-down menu).
  • Testpad (trial subscription) - A trial version of the software is only available through your account representative.
  • Launchpad (for prereleased features) - Deprecated in January 2020. Existing customers should contact Support.
You can add, remove, or edit a domain
Sites
Deprecated - no need
Replication
Deprecated - no need
Databases
Deprecated - no need
Servers
Deprecated - no need
Licenses
  • Activate license
  • Edit Partner Information
  • Purchase additional licenses
Trial license is 90 days
Yes - Subscriptions
  • Cloud console - Endpoint tab > Settings > Subscriptions or Endpoint tab > Home > Activate Subscription
  • Client - Troubleshooting > Licensing entitlement (14.2 RU1) The licensing is similar to SEPM.
The SEPM licenses (through Oracle) are automatically uploaded and extended to the cloud console and appear in the cloud (through the Try Now option).
The trial subscription is hidden but converts to a paid subscription.
Symantec Endpoint Security-enabled devices that have been offline for more than 30 days are automatically deleted from the cloud.
APIs (Integration)
APIs
On-premises SEP
Symantec Endpoint Security
Administrators
Administrators
On-premises SEP
Symantec Endpoint Security
General:
  • Add, rename, edit, and delete an administrator
  • Change admin password
  • Lock the account after the specified number of unsuccessful logon attempts
  • Lock the account for the specified number of minutes
  • Send an alert to the administrator when the account is locked
  • Add, rename, edit, and delete an administrator
  • Change admin password
Access Rights:
  • System Administrator
  • Administrator (Domain)
  • Limited Administrator
    • View reports
    • Manage groups (Remotely run commands > Run commands on read-only groups)
    • Site rights
    • Manage installation packages
    • Manage policies > Do not allow editing of shared policies
Renamed to Roles (Settings > Administrator & Roles page):
  • Endpoint Console Super Administrator (create, edit, delete for all domains)
  • Endpoint Console Domain Administrator (create, edit, delete for 1 domain)
  • Limited Administrator (create, edit for all domains)
    • Yes, but no assets
    • No commands
    • No policies
  • Viewer (read-only for all domains)
Authentication for Symantec Endpoint Protection Manager logon:
  • Symantec Endpoint Protection Manager authentication
  • Directory authentication
  • Two-factor authentication (new in 14.2)
  • RSA authentication
  • Smart card (PIV/CAC) authentication (new in 14.2)
Applies to all products in the cloud console, and can be found under Settings > Access and Authentication.
Identity Provider:
  • Symantec Security Cloud sign-on
  • Microsoft Azure
  • SAML 2.0-based identity provider
Two-factor authentication
Home page
Home page
On-premises SEP
Symantec Endpoint Security
Home page commands
Replaced by Dashboard > Security Controls. Goes through My Tasks.
Some actions are available through the allow list and deny list.
You can create a custom dashboard that becomes the default dashboard when you sign on.
Preferences
Not available
VDI (Virtualization)
Virtualization
On-premises SEP
Symantec Endpoint Security
VDI
No
Shared Insight Cache
Deprecated
vShield-enabled (12.1.6 and earlier)
TBD
Reports, Logs, Notifications
Reports and Templates
Reports
On-premises SEP
Symantec Endpoint Security
Audit
Policies Used
Not available
Application and Device Control
  • Top Groups With Most Alerted Application Control Logs
  • Top Targets Blocked
  • Top Devices Blocked
Application Control:
  • Application Control
Device Control:
  • Top 5 Unique Blocked External Devices
  • Device Control Security Control
  • KPI: Total Devices with Blocked External Devices; Total Unique External Devices Blocked
Compliance
  • Host Integrity Status
  • Clients by Compliance Failure Summary
  • Compliance Failure Details
  • Non-compliant Clients by Location
Available soon
Computer Status
  • Virus Definitions Distribution
  • Computer Not Recently Updated
  • Symantec Endpoint Protection Product Versions
  • Intrusion Prevention Signature Distribution
  • Download Protection Signature Distribution
  • SONAR Signature Distribution
  • Low Bandwidth Content Distribution
  • Client Inventory
  • Compliance Status Distribution
  • Client Online Status
  • Clients With Latest Policy
  • Client Count by Group
  • Security Status Summary
  • Protection Content Versions
  • Symantec Endpoint Protection Licensing Status
  • Client Inventory Details
  • Deployment Report
  • Device Integrity Comprehensive Report
  • Device Integrity Computer Status Report: Includes cloud-managed and on-premises clients
Application Isolation/Application Control:
  • Blocked Apps Report
  • Isolated Applications and Files Report
Deception (new as of 14.1)
Available soon.
Network and Host Exploit Mitigation
  • Top Targets Attacked
  • Top Sources of Attack
  • Top Types of Attack
  • Top Blocked Applications
  • Attacks Over Time
  • Security Events by Severity
  • Blocked Applications Over Time
  • Traffic Notifications Over Time
  • Top Traffic Notifications
  • Memory Exploit Mitigation Detections
  • Full Report
  • Intrusion Prevention Report
  • Firewall Report
Separated into 3 Security Controls/KPIs:
Intrusion Prevention:
  • Threats Blocked
  • Total Infection Actors
  • Top Intrusion Prevention Detections
  • Top Sources for Intrusion Prevention Events
  • Top Infection Actors
  • Default Intrusion Prevention Report
Risk
  • Infected and At Risk Computers
  • Action List
  • Risk Detections Count
  • New Risks Detected in the Network
  • Top Risks Detections Correlation
  • Download Risk Distributions
  • Risk Distribution Summary
  • Risk Distribution Over Time
  • Risk Distribution by Protection Technology
  • SONAR Detection Results
  • SONAR Threat Distribution
  • SONAR Threat Detection Over Time
  • Action Summary for Top Risks
  • Number of Notifications
  • Number of Notifications Over Time
  • Weekly Outbreaks
  • Comprehensive Risk Report
  • Symantec Endpoint Protection Daily Status
  • Symantec Endpoint Protection Weekly Status
Antimalware Security Control
Quick Links:
  • Suspicious Detections
  • Recent Antimalware Activity
  • Suspicious Detections by Intensity Level
  • Risk Distribution Over Time
Scan
  • Scan Statistics Histogram
  • Computer by Last Scan Time
  • Computers Not Scanned
  • SES Daily Report
  • SES Weekly Report
  • SES Comprehensive Report
System:
  • Top Clients That Generate Errors
  • Top Servers That Generate Errors
  • Database Replication Failures Over Time
  • Site Status
  • WSS Integration Token Usage
Format: HTML
PDF, HTML, CSV
Logs (Events), Notifications (Alerts), Commands
In Symantec Endpoint Security, logs are called Events, and notifications are called Alerts.
Notifications/Commands
On-premises SEP
Symantec Endpoint Security
Logs
  • Host Integrity status: All, Fail, Success, Pending, Disabled, Ignored
  • Host Integrity reason:
    • All
    • Pass
    • Antivirus version is out-of-date
    • Antivirus is not running
    • Script failed
    • Check is incomplete
    • Check is disabled
    • Location changed
  • Filters:
    • Infected only
    • Tamper Protection off
    • Auto-Protect off
    • Trusted Platform Module installed
    • Memory Exploit Mitigation off
    • Download Insight off
    • SONAR off
    • Firewall off
    • Intrusion Prevention off
    • Antivirus engine off
    • Restart required
No commands on events
Events (Severity)
On-premises SEP:
  • Informational
  • Minor
  • Major
  • Critical
Symantec Endpoint Security:
  • Informational
  • Warning
  • Minor
  • Major
  • Critical
  • Fatal
Commands
  • Analyze
  • Evidence of Compromise Scan/Cancel Evidence of Compromise Scan
  • Scan/Cancel Scan
  • Collect File Fingerprint List
  • Delete from Quarantine
  • Disable/Enable Download Insight
  • Disable/Enable Network Threat Protection
  • Enable Auto-Protect
  • Power Eraser
  • Restart Client Computers
  • Update Content
  • Update Content and Scan
With status:
  • Not received
  • Received
  • In progress
  • Completed
  • Rejected
  • Cancelled
  • Error
Devices:
  • Evidence of Compromise Scan (Available soon)
  • Power Eraser (Available soon)
  • Restart Client Computers
  • Run Scan
  • Run LiveUpdate
Policies: TBD
Notifications
  • Authentication failure
  • Client list changed
  • Client security alert
  • Download Protection content out-of-date
  • File reputation lookup alert
  • Forced application detected
  • IPS signature out-of-date
  • Licensing issue
  • Low-bandwidth AML content out-of-date
  • Memory Exploit Mitigation detection
  • Network load alert: requests for virus and spyware full definitions
  • New learned application
  • New risk detected
  • New software package
  • New user-allowed download
  • Power Eraser recommended
  • Risk outbreak
  • Server health
  • Single risk event
  • SONAR definitions out-of-date
  • System event
  • Unmanaged computers
  • Virus definitions out-of-date
  • What should happen when this notification is triggered?
    • Log the notification
    • Run the batch or executable file
    • Send email to system administrators
    • Send email to (comma or semicolon separated)
Alerts:
  • Suspicious Threats
  • License
  • Unknown reputation
  • Compromised device
  • LiveUpdate failed
Available soon: Customizable notifications
Dashboard and Security Controls (Monitors > Summary)
Each policy has a quick setup to show you a short video and the default policy.
Security Controls
On-premises SEP
Symantec Endpoint Security
Dashboard
  • Device Security Status
  • Recent Security Events
  • Recent Devices With Unresolved Threats
  • Device License Status
Antimalware
  • Risk Distribution Over Time
  • Suspicious Detections by Intensity Level
Firewall
  • Key Performance Indicators: Blocked Events, Allowed Events
Intrusion Prevention
  • Key Performance Indicators: Threats Blocked, Total Infection Actors
  • Top Intrusion Prevention Detections
  • Top Sources for Intrusion Prevention Events
  • Top Infection Actors
Device Control
  • Key Performance Indicators: Total Devices with Blocked External Devices, Total Unique External Devices Blocked
  • Total Devices with Blocked External Devices
  • Total Unique External Devices Blocked
Device Integrity
Exploit Mitigation
  • Key Performance Indicators: Exploits Prevented