Replaced by the Antimalware policy on fully cloud-managed agents version 14.2 MP2 and later.

Replaced by the Intensive Protection policy on hybrid-managed 14.1 and later agents only: Combines Download Insight, Bloodhound, and some SONAR settings.

Network Threat Protection (intrusion prevention and firewall)

Memory Exploit Mitigation (replaced Generic Exploit Mitigation in 14)

Firewall policy

Intrusion Prevention policy

Exploit Protection policy (Memory Exploit Mitigation)

Application and Device Control

SONAR

Application Control policy

Device Control policy

Behavior Analysis (new name for SONAR)

(14.2 RU1 and later) PTP is still used in the

Symantec Endpoint Protection Manager

/

Symantec Endpoint Protection

client.

System lockdown

Application learning (Clients > Policies tab > Settings > General Settings)

System lockdown - Replaced by the Deny List policy and Application Control (

Symantec Endpoint Security

Complete)

Application learning - Replaced by Discovered Items; Replaced by the Deny List policy and Application Control

Block and do not log

Block and log

Log only

Block and do not log

Block and log

Log only

Policy templates

Policy types

Policy status - Published/Draft - Deprecated in December 2019

Select and open the policy, and select

Save Policy

.

The

Policies

>

Versions

tab displays previous versions of the policy.

Import supported policies from version 12.1.6.x to 14.2 MP1 and later.

Export policies (Policies > Policies tab > Actions menu > Export Policy)

Test (log only)

Production

Enforce with Overrides (dynamic devices)

Allow overrides if applications are signed and have good reputation
Allow overrides if applications are unsigned but have good reputation
Allow overrides if the applications are signed but have gray reputation
Allow overrides if the applications are unsigned and have gray reputation

Strict Enforcement (fixed-function devices)

Registry Access Attempts

File and Folder Access Attempts

Launch Process Attempts

Terminate Process Attempts

Load DLL Attempts

Rule name and Description

Enable this rule

Apply/Do not apply this rule to the following processes

Application Name

File Name

Custom rule:

Publisher
Reputation
Path
Hash

Continue processing other rules

Allow access

Block access

Terminate process

Enable logging

Send Email Alert

Notify user

Block applications from running [AC1]

Block programs from running from removable drives [AC2]

Make all removable drives read-only [AC3]

[AC4-1.1] Block writing to USB drives

[AC5-1.1] Log writing to USB drives

Block modifications to hosts file

Block access to scripts

Stop software installers [AC8]

Block access to Autorun.inf [AC9]

Block Password Reset Tool [AC10]

Block File Shares [AC11]

Prevent changes to Windows shell load points (HIPS) [AC12]

Prevent changes to system using browser and office products (HIPS) [AC13]

Prevent modification of system files (HIPS) [AC14]

Prevent registration of new Browser Helper Objects (HIPS) [AC15]

Prevent registration of new Toolbars (HIPS) [AC16]

Prevent vulnerable Windows processes from writing code [AC17]

Prevent Windows Services from using UNC paths [AC-23]

Block access to lnk and pif files [AC-24]

Block applications from running out of the recycle bin [AC-25]

Browser Isolation policy

Office Isolation policy

PDF Renderer Isolation policy

Platform Isolation policy

Trusted Updater policy

Hardware Device Control Lists

Blocked Devices
Devices Excluded From Blocking

Log detected devices

Notify users when devices are blocked or unblocked (Specify Message Text)

List of external devices (hardware)

Blocked External Devices

Log detected external devices
Notify users when external devices are allowed

Allowed External Devices (devices are excluded from blocking, an exception to a blocking rule)

Log detected external devices
Notify users when external devices are allowed

Contains Windows devices

System (default)

Custom (added manually by user)

Discovered

Add External Device (one at a time)

Edit or Remove item from list (action menu, one at a time)

Add External Device (each device is added one at a time)

Blocked External Devices

Add for Windows (can select multiple at once; can filter the list)
Remove (individually, from action menu for individual items)

Allowed External Devices:

Add for Windows (can select multiple at once)
Remove (individually, from action menu for individual items)

Control access for USB Mass Storage Devices:

Add (can select multiple at once; can filter the list)
Remove (can select multiple at once in the policy, then click Remove)

Customers now have a single view of endpoint activity recorder, Advanced Attack Technique events, and SEP events.

New and improved search tools provide unified, advanced search across all events. Search tools include:

Time-based filtering on relative ranges (e.g., "Last Week," and absolute ranges (start-end dates and times).
Pre-defined "quick filters" that filter for key items like MITRE tactics, detection technology, dual-use tools and many more.
User-specified custom filters built from any event data fields.
Ad-hoc, text-based filter creation using industry-standard Lucene Parser Syntax.
The ability to save queries.

A new

Incidents

tab under

Alerts and Events

in the left navigation bar. The tab provides a list of all incidents that a security analyst should investigate further along with a description that explains the detection, the priority, and the number of impacted endpoints. Incidents are generated based on SEP, TAA, AAT and FDR events

Detailed views of individual incidents, events, and involved entities (endpoints, files, domains, etc.).

Graphical representation of incidents that show the relationships between the elements of the incident.

The ability to comment on incidents by multiple investigators, and to close the commenting upon incident resolution.

Policy-based endpoint data recording configuration that includes:

Ability to assign the policy to specific device groups.
Scheduling when data is sent to EDR.
The types of data sent to EDR.

Streamlined EDR provisioning and on-boarding using the same device groups you've created for other endpoint security solutions.

You want to quickly narrow search results to those that either match a specific field value, or exclude results that don't match a specific field.

You want to see at a glance which fields have null or empty values.

You want to see all dates in the fields as your local dates.

Expanded event rows no longer show duplicate values.

You want to be able to use special characters such as [ ] " . ! { } ~ ( ) \ : and ^ in a free-form search.

Boolean values are no longer case-sensitive.

You can now specify a Windows file path within a Regex query.

You want to see the non-HTTP network events for IPS Incidents in the Incident Graph.

The Incident

first_seen

value is now updated during Incident Update.

The AVE Incident Rule now excludes blocked events.

Only relevant incidents are now created by App Isolation block events on CDM.

Null incidents no longer appear for firewall block events on CDM.

Applications

(View) Watched Applications
Unwatched applications
Actions: Ignore, Log only, Quarantine, Terminate, Remove

Applications to monitor

Auto-Protect
Scheduled and on-demand scans

Extensions

Files

Prefix variables

Folders

Known risks

Trusted Web domain

Tamper Protection exceptions

DNS or Host File Change Exception

Certificate (new in 14.1)

Certificate

Filename (File > Security Risk/SONAR)

Auto Protect
Scheduled and On-Demand scans
Behavioral Analysis
Tamper Protection

Web domain exception (Trusted web domain)

Hash (Application) Supports SHA-256 values only.

Path (Folder > Security Risk/SONAR)

Auto Protect
Scheduled and On-Demand scans
Behavioral Analysis

Extension (new; 14.2 RU1)

Auto-Protect
Scheduled and On-Demand scans

IPS Host (moved from IPS policy)

Host type - IP4/IP6 Address, Subnet, Range

Application to Monitor (

Symantec Endpoint Security

Complete)

File - Moved to Application Control

Folder - Application Control (Deprecated)

Known Risks (Deprecated. Don't do risk-based)

Tamper Protection (Available soon)

DNS or Host File Change Exception

Mac or Linux exceptions (Available soon)

Application

Extension

File

Folder

Security Risk
SONAR

Known risks

Trusted web domain

DNS or Host File Change

Certificate - Use third-party content management*

Application Exception

File Exception

Folder Exceptions > Security risk Exception/SONAR Exception

Trusted Web Domain Exception

Certificate Exception

DNS or Host File Change Exception

Extension Exception

Known Risks Exception

Security Risks:

Known Risks
File
Folder
Extension
Web domain

SONAR > Folder

DNS Host File Change > Application

Application

13 rules

Inherit Firewall Rules from Parent Group

Enable rules

Move Up/Move Down

13 rules

Inherit Firewall Rules from Parent Group - Deprecated. The cloud uses implied inheritance.

Enabled rules check box (On/Off toggle)

Cut/Paste (instead of Move Up/Move Down)

Export policies

Add Rule wizard

Add Blank Rule

Delete Rule

Add

Delete

Enable Smart DHCP

Enable Smart DNS

Enable Smart WNS

Allow token ring traffic

Enable NetBIOS protection

Enable reverse DNS lookup

Enable Smart DHCP

Enable Smart DNS

Enable Smart WNS

Allow token ring traffic

Enable NetBIOS protection

Enable reverse DNS lookup

Enable port scan detection

Enable denial of service detection

Enable anti-MAC spoofing

Automatically block an attacker's IP address

Enable stealth mode Web browsing

Enable TCP resequencing

Enable OS fingerprint masquerading

Enable port scan detection

Enable denial of service detection

Enable anti-MAC spoofing

Automatically block an attacker's IP address

Number of seconds during which to block the IP address

Enable stealth mode Web browsing

Enable TCP resequencing

Enable OS fingerprint masquerading

Disable Windows Firewall

No Action
Disable Once Only
Disable Always
Restore if Disabled

Windows Firewall Disable Message (Enable/Disable)

Disable Windows Firewall

No Action
Disable Once
Disable Always
Restore if Disabled

Enable Windows Firewall Disable Message (On/Off)

Maximum number of authentication attempts per session

Time between authentication attempts (seconds)

Time interval after which the remote computer can be reauthenticated (seconds)

Time that the rejected remote computer is block (seconds)

Time interval of inactivity between the authenticated computer and the client after which the session ends (seconds)

Block all traffic until the firewall starts and after the firewall stops

Allow initial DHCP and NetBIOS traffic
Enable secure communications between the management server and clients by using digital certificates for authentication

Block all traffic until the firewall starts and after the firewall stops

Allow initial DHCP and NetBIOS traffic
Enable secure communications: Deprecated

Allow users to perform security test

Amount of time before re-enabling Network Threat Protection

Number of times users are permitted to disable Network Threat Protection

Allow the following users to enable and disable the firewall

Windows Administrators only
All users
When the firewall is disabled:
Allow all traffic
Allow outbound traffic only

Block all traffic menu command

Configure unmatched IP traffic settings

Allow IP traffic
Allow only application traffic
Prompt users before allowing application traffic

Allow users to perform security test (moved to User Interaction Settings)

Amount of time before re-enabling Network Threat Protection (Deprecated)

Number of times users are permitted to disable Network Threat Protection (Deprecated)

Allow the following users to enable and disable the firewall (moved to User Interaction Settings)

Windows Administrators only
All users
When the firewall is disabled:
Allow all traffic
Allow outbound traffic only

Block all traffic menu command

Configure unmatched IP traffic settings

Allow IP traffic
Allow only application traffic
Prompt users before allowing application traffic

Notification settings

End user notifications

Logging viewer and packet viewer

Host groups (Firewall and Intrusion Prevention policies)

Network service groups

Network adapter groups

Host groups (Firewall policy only) (Settings > Host groups)

Network service groups (available soon)

Network adapter groups (available soon)

Enable Network Intrusion Prevention

Enable excluded hosts

Enable Browser Intrusion Prevention for Windows

Log detections but do not block
Log-only mode

Signature subset for servers

Out-of-band scanning

Audit Signatures: Add > Log, Enable, Disable

Signature action exceptions: Add > Log, Enable, Disable

Advanced Settings

Intrusion Prevention - On or Off
Browser Protection - Enable, Disable, Log
(New name for Browser Intrusion Prevention)
Browser Protection not available for Mac.
Server Performance Tuning: includes out-of-band scanning and signature subset for servers.
Excluded hosts moved to Allow List policy.

Show category

All
Browser Protection (335 signatures)
Note
: Custom exceptions are not supported for Browser Protection signatures.
Intrusion Prevention signatures

Show severity (All, High, Medium, Low)

Handled in policy under Signature Action Exceptions.

You can also add exclusions through

Alerts and Events

>

Event type

:

IPS

. When you view the details of the event, you can add exclusions, and edit the policy.

Display Intrusion Prevention and Memory Exploit Mitigation notifications

Use sound when notifying user
Additional text for notifications

Always do Host Integrity checking

Only do Host Integrity checking when connected to the management server

Never do Host Integrity checking

Antivirus requirement

Antispyware requirement

Firewall requirement

Patch requirement

Service pack requirement

Custom requirement

Check Host Integrity every: minutes/hours/days

Keep results of check for: minutes/hours/days

Continue to check requirements after one fails

Allow the user to cancel remediation for:

Number of times the user is allowed to cancel remediation

Show verbose Host Integrity Logging

Display a notification message when a Host Integrity check fails

Display a notification message when a Host Integrity check passes after previously failing

Use the default Symantec LiveUpdate server

Use the Symantec LiveUpdate server for prereleased content (Early Adopter server)

Use a specified internal LiveUpdate server

Use the default internal LiveUpdate server

Use the Symantec LiveUpdate server for prereleased content

Use a specified internal LiveUpdate server

Multiple GUPs

Explicit GUPs

Single GUPs

Default port

Maximum disk cache size allowed for downloading updates

Delete content updates if unused

Maximum number of simultaneous downloads to clients

Max bandwidth allowed for GUP downloads from the management.server

Max bandwidth allowed for client downloads from GUP

I do not want to use a proxy server for HTTP/HTTPS

I want to use my Windows Internet Options proxy settings

I want to customize my HTTP or HTTPS settings

Host proxy

HTTP/HTTPS port

Authentication required

User name/password

NT LAN Manager Authentication

I do not want to use a proxy server for FTP

Use the proxy server by the client browser (default)

I want to customize my FTP settings

Server address

Port

Do not use a proxy server for HTTP/HTTPS

Use my Windows Internet Options proxy settings

Use a customize my HTTP or HTTPS settings

Host proxy/HTTP/HTTPS port

Select Authentication required

Basic Authentication (User name/password)

NT LAN Manager Authentication - Deprecated

Do not use a proxy server for FTP

Use the proxy server by the client browser (default)

Use custom FTP settings

Server address

Port

Virus and spyware definitions

SONAR

IPS definitions

Enable LiveUpdate Scheduling

Frequency

Retry window

Download randomization

Delay scheduled LiveUpdate until the computer is idle

Options for skipping LiveUpdate

LiveUpdate runs only if Virus and Spyware definitions are older than x
LiveUpdate runs only if the client is disconnected from SEPM for more than x

Enable LiveUpdate Scheduling

Frequency

Retry window

Download randomization

Idle detection

Options for skipping LiveUpdate - Deprecated

Allow the user to manually launch LiveUpdate (No current plans)

Allow the user to modify the LiveUpdate schedule
Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate

Download security patches to fix the vulnerabilities in the latest version of the agent

Download smaller client installation packages from a LiveUpdate server

Allow the user to manually launch LiveUpdate

Allow the user to modify the LiveUpdate schedule

Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate

Download security patches to fix the vulnerabilities in the latest version of the agent

Download smaller agent installation packages from a LiveUpdate server

Virus and Spyware definitions

SONAR heuristic signatures

Intrusion Prevention signatures

Submission Control signatures

Reputation settings

Endpoint Detection and Response

Common Network Transport Library and Configuration

Advanced Machine Learning

WSS Traffic Redirection

Antivirus requirement

Antispyware requirement

Firewall requirement

Patch requirement

Service pack requirement

Custom requirement

These same definitions are downloaded to the client by default, except for:

WSS Traffic Redirection
Endpoint Detection and Response

The content is not a one-for-one match in the cloud.

You have the ability to control which definitions are downloaded:

Use latest version

Select a revision

Select an engine version

Previous release

- New. This is the release before the current/latest release and is the most stable.

Latest release

- Same as the

Symantec Endpoint Protection Manager

, but not as stable as the Previous release

Select a revision

- Deprecated

Prerelease

- Changed (engine version). This is the beta version of the release and is the least stable.

Client product updates

Client security patches

Virus and Spyware definitions

SONAR heuristic signatures

Intrusion Prevention signatures

Host Integrity content

Submission Control signatures

Reputation Settings

Extended File Attributes and Signatures

Common Network Transport Library and Configuration

Endpoint Detection and Response

Advanced Machine Learning

WSS Traffic Redirection

Application Control content

Set the protection action for all applications to log only

Choose a protection action for all applications in this list (Default/Yes/No/Log Only)

Run in monitor mode

Enable Java Protection (Off/On/Log)

DllLoad

EnhASLR

ForceASLR

ForceDEP

HeapSpray

NullProt

RopCall

RopHeap

SEHOP

StackNX

StackPvt

Scheduled scans (Active, Full, Custom)

On-demand scans

Startup scans

Triggered scans

Scheduled scan templates

*Scheduled scans (Active, Full)

Custom scan

On-demand scans

Triggered scans

Startup scans

Scheduled scan templates (TBD)

Scan all types

Scan only selected extensions

Enhance the scan by checking (Memory (Custom), Common infection locations (Custom), Well-known virus and security risk locations)

Compressed files

Storage migration options

Tuning options

Scan all types

Enhance the scan by checking (Well-known virus and security risk locations)

Not available - Memory (Custom), Common infection locations (Custom)

Advanced Scanning

Tuning options

Daily, weekly, monthly

Scan duration (until finished, up to x hours, randomized) )

Missed schedule scans (retry the scan within x hours)

Randomized scheduled scans

Retry missed scheduled scans

Detections

(Types of risk that detections take an action on):

Malware (Virus)
Security Risks:
Adware
Cookie
Dialer
Hack Tool
Joke Program
Misleading Application
Parental Control
Remote Access
Security Assessment Tool
Security Risk
Spyware
Trackware

Remediation (first and second actions for detections)

Clean risk (applies to malware only)
Quarantine risk
Delete risk
Leave alone (log only)

Remediation (other)

:

Back up files before attempting to repair them
Terminate processes automatically
Stop services automatically

Back up files before attempting to repair them - On by default, you cannot disable it.

Terminate processes automatically - Deprecated

Stop services automatically - On by default, you cannot disable it.

Stop the scan

Pause a scan

Snooze a scan

Scan only when the computer is idle

Enable Auto-Protect

Scan all files

Scan only selected extensions

Determine file types by examining file contents

Scan for security risks

Scan files on remote computers

Scan when files are accessed, modified, or backed up

Scan floppies for boot viruses, with the option to delete the boot virus or log it only

Always delete newly created infected files or security risks

Preserve file times

Tune scan performance for scan speed or application speed

Emulator for packed malware

Enable Auto-Protect

Load Auto-Protect when computer starts (new in

Endpoint Security

)

Enable file cache

File cache size 30000 files

Enable Risk Tracer

Resolve the source computer IP address
Poll for network sessions every 1000 milliseconds

Scan when files are accessed, modified, or backed up

Do not scan files when trusted processes access the file

Always delete newly created infected files

Specify network options for scanning files on remote computers

Scan files on remote computers (from Global Scan options)
Only when files are executed
Network cache
Keep 30 entries
Delete entries after 600 seconds

Scan floppies for boot viruses, with the option to delete the boot virus or log it only - Deprecated

Always delete newly created infected files or security risks - TBD

Preserve file times - On by default; but you cannot disable it.

Tune scan performance for scan speed or application speed - Planned for a future release

Emulator for packed malware - On by default, but you cannot disable it

Microsoft Outlook Auto-Protect

Enable Microsoft Outlook Auto-Protect; Scan all files; Scan only selected extensions; Scan files inside compressed files

Internet Email Auto-Protect (deprecated as of 14.2 RU1; still available for legacy installation packages)

Lotus Notes Auto-Protect (deprecated as of 14.2 RU1; still available for legacy installation packages)

*Microsoft Outlook Auto-Protect (On/Off only)

Internet Email Auto-Protect - Deprecated

Lotus Notes Auto-Protect - Deprecated

Download Insight

Bloodhound

Insight lookups

SONAR

Virus and Spyware Protection policy detection actions

Bloodhound settings

Download Insight Sensitivity setting

Download Insight prevalence, first-seen, and intranet options

SONAR heuristic detection, SONAR aggressive mode, and SONAR suspicious behavior settings

High risk/Low risk detection (Log, Remove, Quarantine, Disabled)

Enable aggressive mode

When detection found:

Show alert upon detection
Prompt before terminating a process
Prompt before stopping a service

DNS change detected (Ignore Prompt, Block, Log)

Host file change detected (Ignore, Prompt, Block, Log)

Enable Suspicious Behavior Detection

High risk/Low risk detection (Ignore, Prompt, Block Log)

Scan files on remote computers

Enable behavioral analysis

DNS change detected (Ignore, Log Only, Block)

Host file change detected (Ignore, Log Only, Block)

Scan files on remote computers

Show alert upon detection (In User Notifications Settings)

Prompt before terminating a process - Deprecated; disabled by default

Prompt before stopping a service - Deprecated; disabled by default

Suspicious Behavior Detection (included in Intensity Level setting)

When a potentially malicious driver is detected

When a potentially malicious driver is detected - Deprecated

Display a notification message on the infected computer

Display a notification message on the infected computer

Display the Auto-Protect results dialog on the infected computer

Display a notification message on the infected computer

Display a notification message on the infected computer

When definitions are outdated

When the agent is running without virus definitions

Display error messages with a URL to a solution

Show antimalware scan results on the infected device

Set scheduled and manual scan results to show (All detections, Only medium and high. Always (Scan Progress))
Display a notification message to the user on infected computer
Display notifications about detections when the user logs on

When definitions are outdated (part of Download Insight)

When the agent is running without virus definitions - Moved to the Devices page; shows the device At Risk.

Custom messages - Deprecated

Display error messages with a URL to a solution - Deprecated

Actions for when new virus definitions arrive

Local quarantine options (default or custom folder)/Allow client computers to automatically submit quarantined items to a Quarantine Server

Enable automatic deleting of repaired files

Enable automatic deleting of backup files

Enable automatic deleting of quarantined files that could not be repaired

Actions for when new definitions arrive - Uses the default setting and is part of Intensity Level setting

Quarantine Server support - Deprecated

Cleanup options - On by default; you cannot disable them.

Enable Insight for (Symantec and Community trusted, Symantec trusted)

Enable Bloodhound detection to scan files for suspicious behavior (Automatic, Aggressive)

Ask for a password before scanning a mapped network drive

Display notifications about detections and remediations when the user logs on

Insight - Part of Advanced Intensity Settings. You cannot disable the setting.

Bloodhound - Part of Intensity Level setting. You cannot disable the setting.

Ask for password before scanning mapped network drive - Deprecated

Display notifications about detections - Part of User Notifications Settings.

Disable Windows Security Center

Internet Browser Protection

Log handling options

Virtual Image Exception

Shared Insight Cache

Disable Windows Security Center - TBD

Internet Browser Protection - in IPS policy (Enable/Disable, Log)

Log handling options - Enabled by default. You cannot disable them.

Virtual Image Exception

Shared Insight Cache

Save package

Remote push

Web link and email

Installation package creator (Creates a package that either installs directly or that you can deploy for installation - similar to Save package)

Direct installation package (Downloads package components that installs directly to the device (new to

Endpoint Security

)

Invite users (Web link and email)

Push enrollment (Remote push)

Install to the default installation folder

Install to a custom installation folder

Full Protection for Clients

Full Protection for Servers

Basic Protection for Servers

Malware Protection

Behavioral Analysis

Device Control

Intrusion Prevention

Exploit Protection

Firewall

Microsoft Outlook Auto-Protect

Application Control and Application Isolation

Active Directory Defense

Endpoint Detection and Response

Secure Connection

Malware Protection

Behavioral Analysis

Device Control

Intrusion Prevention

Exploit Protection

Firewall

Malware Protection

Malware Protection

Device Control

Intrusion Prevention

Firewall

Malware Protection

Forced

Delayed

No restart

Custom restart

Immediately

At this time (or up to this time), on the next occurrence of this day, with time randomization

No Restart

Immediate Restart (Forced)

Delayed (scheduled, up to this time, on the next occurrence of this day, with time randomization)

No prompt

Prompt with a countdown, X minutes

Prompt and allow snooze until X (not always available)

Hard restart

Restart immediately if the user is not logged in

No prompt

Prompt with a countdown of X minutes

Prompt and allow user to delay restart until X

Hard restart

Restart immediately if the user is not logged in

Do not uninstall existing security software

Automatically uninstall existing third-party security software

Remove existing

Symantec Endpoint Protection

client software that cannot be uninstalled (Cleanwipe) (14)

Do not uninstall existing security software

Automatically uninstall existing third-party security software

Remove existing Symantec Agent software that cannot be uninstalled (Cleanwipe) (14)

Maintain existing client features when updating

Select features (Full Protection for Clients, Full Protection for Servers, Basic Protection for Servers)

Install Settings (Default Standard client installation settings, Embedded or VDI, Dark Network)

Include new content types in the client installation package

Upgrade schedule (From - to, Distribute upgrades over x days)

Notifications

Notify users before an upgrade
Notification message, use Default)

Allow users to postpone the upgrade process, max and minimum time)

Maintain existing client features when updating - Deprecated

Select features - Deprecated

Install Settings - Only standard-size package is supported. There are no current plans for dark, embedded.

Include new content types .... No- the cloud always uses LiveUpdate and no other method.

Upgrade schedule - The upgrade options are the same.

Notifications - Includes a standard but customizable message.

Allow users to postpone the upgrade process - Uses the Restart Type and Settings

Download from the management server

Download from the following URL

The upgrade completes in Client Install Settings

Virus definitions are installed on the client

Immediate restart

No Restart

Scheduled Restart

No prompt

Prompt with a countdown of x minutes

Prompt and allow user to delay restart until x

Previous release

- This is the release before the current/latest release and is the most stable.

Latest release

- Same as in the

Symantec Endpoint Protection Manager

, but not as stable as the

Previous release

.

Select a revision

- Removed.

Prerelease

- Changed (engine version). This is the beta version of the release and is the least stable.

Scan

Update content

Update content and scan

Start Power Eraser analysis

Restart client computers

Enable Auto-Protect

Enable/Disable Network Threat Protection

Enable/Disable Download Insight

Collect File Fingerprint List

Delete from Quarantine**

Cancel all scans**

Scan

Update content

Restart

Mixed control - Deprecated.

Server control/Client control - The settings on these pages have mostly been removed and are enabled by default and not visible to the user. A few settings are visible to the client user if the admin makes them visible. In each policy, these types of settings should be in

User Interaction Settings

.

Run in low Bandwidth Mode

Allow the user to request an exception for a blocked event (only available if you have Application Control enabled)

Require a password to open the client user interface

Require a password to stop the client service

Require a password to uninstall the client

Require a password to import or export a policy and to import client communication settings

Apply password settings to non-inherited subgroups

Password/Confirm Password

Require a password to open the client user interface

Require a password to stop the client service

Require a password to uninstall the client

Require a password to import or export a policy and to import client communication settings

Apply password settings to non-inherited subgroups - Deprecated. Not needed; groups use natural inheritance from cloud.

Password/Confirm Password

Move clients to a different management server by running the SylinkDrop tool

Move clients to a different management server by redeploying a client package with the Communication update package deployment option

You move the client to another domain or a custom domain (rare case).

Use the FSD package by redeploying the client package or enrolling in a new domain.

Management server lists

Communication mode (push or pull)

Set heartbeat interval

Upload learned applications

Upload critical events immediately

Set download randomization

Set reconnection preferences

Advanced Threat Protection server for Insight lookups and submissions

Private Insight server for Insight lookups

Installation package creator: Creates a package that either installs directly or that you can deploy for installation - similar to Save package

Direct installation package: By default, installation is Silent. Customization is not available on Mac.

Customizable installation folder (Client Install Settings): Only for restart and upgrade. You cannot customize the installation folder. Installation logging always writes to /tmp/sepinstall.log.

Scheduled scans (quick and full)

Turn on/off AutoProtect

Turn on/off behavioral analysis

Turn on/off Symantec early launch antimalware

Turn on/off Microsoft Outlook Auto-Protect

Turn on/off Intrusion Prevention

Signature action exceptions

Turn on/off user notifications

Device Control

Firewall

Allow List

Deny List

Intensity Level

Scheduled scans (quick and full)

Turn on/off AutoProtect

Turn on/off behavioral analysis

Turn on/off Symantec early launch antimalware

Turn on/off Microsoft Outlook Auto-Protect

Turn on/off Intrusion Prevention

Signature action exceptions

Turn on/off user notifications

Delete acknowledge notifications after 30 days

Delete risk events after 60 days

Delete scan events after 30 days

Compress risk events after 7 days

Delete unacknowledged notifications after 30 days

Delete commands after 30 days

Delete EICAR events

My Tasks

>

Tasks

page - Collects actions and displays them based on their status, severity, and which feature they belong to. When the admin completes a task, it moves from the pending to the completed category.

Default (production) domain (paid subscription): Create, rename, or delete. (

Settings

>

Domain Management

or the Domain drop-down menu).

Testpad (trial subscription) - A trial version of the software is only available through your account representative.

Launchpad (for prereleased features) - Deprecated in January 2020. Existing customers should contact Support.

Activate license

Edit Partner Information

Purchase additional licenses

Cloud console - Endpoint tab > Settings > Subscriptions or Endpoint tab > Home > Activate Subscription

Client - Troubleshooting > Licensing entitlement (14.2 RU1) The licensing is similar to SEPM.

Add, rename, edit, and delete an administrator

Change admin password

Lock the account after the specified number of unsuccessful logon attempts

Lock the account for the specified number of minutes

Send an alert to the administrator when the account is locked

Add, rename, edit, and delete an administrator

Change admin password

System Administrator

Administrator (Domain)

Limited Administrator

View reports
Manage groups (Remotely run commands > Run commands on read-only groups)
Site rights
Manage installation packages
Manage policies > Do not allow editing of shared policies

Endpoint Console Super Administrator (create, edit, delete for all domains)

Endpoint Console Domain Administrator (create, edit, delete for 1 domain)

Limited Administrator (create, edit for all domains)

Yes, but no assets
No commands
No policies

Viewer (read-only for all domains)

Symantec Endpoint Protection Manager

authentication

Directory authentication

Two-factor authentication (new in 14.2)

RSA authentication

Smart card (PIV/CAC) authentication (new in 14.2)

Symantec Security Cloud sign-on

Microsoft Azure

SAML 2.0-based identity provider

Top Groups With Most Alerted Application Control Logs

Top Targets Blocked

Top Devices Blocked

Application Control

Top 5 Unique Blocked External Devices

Device Control Security Control

KPI

:

Host Integrity Status

Clients by Compliance Failure Summary

Compliance Failure Details

Non-compliant Clients by Location

Virus Definitions Distribution

Computer Not Recently Updated

Symantec Endpoint Protection Product Versions

Intrusion Prevention Signature Distribution

Download Protection Signature Distribution

SONAR Signature Distribution

Low Bandwidth Content Distribution

Client Inventory

Compliance Status Distribution

Client Online Status

Clients With Latest Policy

Client Count by Group

Security Status Summary

Protection Content Versions

Symantec Endpoint Protection Licensing Status

Client Inventory Details

Deployment Report

Device Integrity Comprehensive Report

Device Integrity Computer Status Report: Includes cloud-managed and on-premises clients

Blocked Apps Report

Isolated Applications and Files Report

Top Targets Attacked

Top Sources of Attack

Top Types of Attack

Top Blocked Applications

Attacks Over Time

Security Events by Severity

Blocked Applications Over Time

Traffic Notifications Over Time

Top Traffic Notifications

Memory Exploit Mitigation Detections

Full Report

Intrusion Prevention Report

Firewall Report

Threats Blocked

Total Infection Actors

Top Intrusion Prevention Detections

Top Sources for Intrusion Prevention Events

Top Infection Actors

Default Intrusion Prevention Report

Infected and At Risk Computers

Action List

Risk Detections Count

New Risks Detected in the Network

Top Risks Detections Correlation

Download Risk Distributions

Risk Distribution Summary

Risk Distribution Over Time

Risk Distribution by Protection Technology

SONAR Detection Results

SONAR Threat Distribution

SONAR Threat Detection Over Time

Action Summary for Top Risks

Number of Notifications

Number of Notifications Over Time

Weekly Outbreaks

Comprehensive Risk Report

Symantec Endpoint Protection Daily Status

Symantec Endpoint Protection Weekly Status

Suspicious Detections

Recent Antimalware Activity

Suspicious Detections by Intensity Level

Risk Distribution Over Time

Scan Statistics Histogram

Computer by Last Scan Time

Computers Not Scanned

SES Daily Report

SES Weekly Report

SES Comprehensive Report

Top Clients That Generate Errors

Top Servers That Generate Errors

Database Replication Failures Over Time

Site Status

WSS Integration Token Usage

Host Integrity status:

All, Fail, Success, Pending, Disabled, Ignored

Host Integrity reason:

All
Pass
Antivirus version is out-of-date
Antivirus is not running
Script failed
Check is incomplete
Check is disabled
Location changed

Filters:

Infected only
Tamper Protection off
Auto-Protect off
Trusted Platform Module installed
Memory Exploit Mitigation off
Download Insight off
SONAR off
Firewall off
Intrusion Prevention off
Antivirus engine off
Restart required

Informational

Minor

Major

Critical

Informational

Warning

Minor

Major

Critical

Fatal

Analyze

Evidence of Compromise Scan/Cancel Evidence of Compromise Scan

Scan/Cancel Scan

Collect File Fingerprint List

Delete from Quarantine

Disable/Enable Download Insight

Disable/Enable Network Threat Protection

Enable Auto-Protect

Power Eraser

Restart Client Computers

Update Content

Update Content and Scan

Not received

Received

In progress

Completed

Rejected

Cancelled

Error

Evidence of Compromise Scan (Available soon)

Power Eraser (Available soon)

Restart Client Computers

Run Scan

Run LiveUpdate

Authentication failure

Client list changed

Client security alert

Download Protection content out-of-date

File reputation lookup alert

Forced application detected

IPS signature out-of-date

Licensing issue

Low-bandwidth AML content out-of-date

Memory Exploit Mitigation detection

Network load alert: requests for virus and spyware full definitions

New learned application

New risk detected

New software package

New user-allowed download

Power Eraser recommended

Risk outbreak

Server health

Single risk event

SONAR definitions out-of-date

System event

Unmanaged computers

Virus definitions out-of-date

Log the notification

Run the batch or executable file

Send email to system administrators

Send email to (comma or semicolon separated)

Suspicious Threats

License

Unknown reputation

Compromised device

LiveUpdate failed

Device Security Status

Recent Security Events

Recent Devices With Unresolved Threats

Device License Status

Risk Distribution Over Time

Suspicious Detections by Intensity Level

Key Performance Indicators: Blocked Events, Allowed Events

Key Performance Indicators: Threats Blocked, Total Infection Actors

Top Intrusion Prevention Detections

Top Sources for Intrusion Prevention Events

Top Infection Actors

Key Performance Indicators: Total Devices with Blocked External Devices, Total Unique External Devices Blocked

Total Devices with Blocked External Devices

Total Unique External Devices Blocked

Key Performance Indicators: Devices with Out-of-Date Definitions, Devices with LiveUpdate Failures

Client Version Distribution

Key Performance Indicators: Exploits Prevented