Comparison between an on-premises Symantec Endpoint Protection 14.x and Symantec Endpoint Security Complete
Access all features in Symantec Endpoint Security from the Endpoint tab in Integrated Cyber Defense Manager.
In October 2019, Symantec Endpoint Protection 15 was renamed to Symantec Endpoint Security.
Policy Types
Policies (Overview)
Some policy settings and security settings in Symantec Endpoint Security (Endpoint Security) do not appear in the user interface, but they are enabled by default. In this case, there is no setting for you to disable or configure.
On-premises Symantec Endpoint Protection | Symantec Endpoint Security |
---|---|
Virus and Spyware Protection |
|
Network and Host Exploit Mitigation
| In the cloud console, the Network and Host Exploit Mitigation term is no longer used and is replaced by the following policy names:
The term Network and Host Exploit Mitigation is still used on the client. |
Proactive Threat Protection (up through 14.2)
| In the cloud console, the term Proactive Threat Protection is no longer used and is replaced by the following policies/features:
|
Exceptions policy | Allow List policy (14.1 and later); Deny List for HASH exception (14.1 and later) |
Host Integrity | Host Integrity policy coming soon |
|
|
Tamper Protection (Clients > Policies tab > Settings > General Settings): Actions to take if an application attempts to tamper with or shut down Symantec security software | Moved to System policy; labeled as Protect Symantec security software from being tampered with or shut down (On/Off) |
Location awareness | Renamed Policy Targeting (14.3 agents). You target a policy to a device where a certain user is logged in (Policies page > Policy Target Rules tab) |
Network application monitoring ( Clients page > Policies tab) | Deprecated
|
Deception |
On-premises only. |
Active Directory Threat Defense | On-premises only. |
Application Control | Application Control is included with Symantec Endpoint Security Complete. (Application Isolation is also available to legacy customers.) Behavioral Isolation policy provides attack surface mitigation for Symantec Endpoint Security Enterprise and Symantec Endpoint Security Complete. |
Power Eraser | Available soon |
Endpoint Detection and Response enablement (renamed from ATP) | Endpoint Detection and Response (EDR) is included with Symantec Endpoint Security Complete. |
Padlocks or mixed/server/client control: You prevent users from disabling protection on the client computer by setting the user control level or by locking the policy options. Some policies use a padlock. Other policies use the user control level. | Unlock on some policies lets client users override the policy’s settings on the device. |
Policies (Actions)
On-premises SEP | Symantec Endpoint Security |
---|---|
Policies |
|
Add | Create |
Edit | Right-click the vertical ellipsis (Action menu). To update the policy:
|
Copy | Duplicate |
Assign (to a group or location) | Apply (to a device group) |
Replace | N/A (Use Apply instead) |
Withdraw from assigned groups or locations before deleting | Remove |
Delete | Delete |
Import/Export |
|
Application Control and Application Isolation
The Application Control policy in Symantec Endpoint Protection Manager can be replaced with Application Control in the cloud. Application Isolation is only available in the cloud.
On-premises SEP | Symantec Endpoint Security |
---|---|
Test/Production mode
SEPM has no override equivalent (Client users cannot override). | General Settings Turn on Run in monitor mode to test the policy. Turn off Run in monitor mode to enforce the policy. Enforcement Mode (for production)
|
Add custom rules /Conditions :
Properties:
Sub-processes inherit conditions | Add custom rules /Conditions
|
Actions: Read Attempt/Create, Delete, or Write Attempt
| |
Default rules:
| None: You make a custom rule in Application Control in the cloud.
|
Client > Policies > Location-specific Settings > Allow user to enable and disable the application device control | No - Deprecated |
On-premises SEP | Symantec Endpoint Security |
---|---|
Not available |
|
Device Control policy
Support for Mac devices is available soon.
On-premises SEP | Symantec Endpoint Security |
---|---|
| Policies > Policy Components > External Devices
Policies > Default Device Control policy
|
Device control works based only on Class ID (GUID) and Device ID. | Device control works based only on Class ID (GUID) and Device ID.
|
Device control performs wildcard matches on Class ID or Device ID with the star character or asterisk (*). | Information available soon
|
The Hardware Device list includes many common device types by default. | Policies > Policy Components > External Devices
|
You can add additional custom devices to the Hardware Device list by Class ID or Device ID. | Policies > Policy Components > External Devices
Applies to external devices on Windows. |
Devices to block (or to exclude from blocking) are derived only from the Hardware Device list. The list includes those default common device types, as well as custom devices you may have added. | The picklist of devices comes from the global list. You can select which device(s) you want to block or exclude from blocking, and add it directly to the policy. |
You can add more than one device type at a time. | Policies > Policy Components > External Devices
Policies > Device Control policy
|
The actions to take are to block, or to exclude from blocking (allow). | You can block or allow external devices. |
Customize the client notifications | You can enable and customize client notification for block and allow. |
Endpoint Detection and Response (EDR)
On-premises SEP | Symantec Endpoint Security |
---|---|
SEP provides threat detections to EDR for further analysis. However, SEP itself has no built-in EDR functionality. |
Investigate Search - Event results grid enhancements
Investigate Search - Filter
Incidents Page
|
Exceptions policy
On-premises SEP | Symantec Endpoint Security |
---|---|
Server-based exceptions:
| Supported:
Not supported:
|
Client-based exceptions/restrictions: (Controls which exceptions end users can add on the client computer) 14 and earlier:
14.1 to 14.2 MP1: If Symantec Endpoint Protection Manager is enrolled in the cloud console, SEPM does not display the following client restrictions:
In addition, on Windows clients that a cloud-based exceptions policy controls, these exceptions do not appear in the client user interface. SEPM does display the following client restrictions, whether or not SEPM is enrolled.
| Client users cannot add their own exceptions. (Available soon)
|
Client exceptions (How the client displays these exceptions)
| There are no client-based exceptions for a cloud-controlled client.
|
Firewall policy
The Firewall policy is currently not available on Mac devices.
On-premises SEP | Symantec Endpoint Security |
---|---|
Enable this policy | Firewall (On/Off toggle) |
Default rules:
| Default rules:
|
Custom rules:
|
Add Blank Rule - Deprecated |
Built-in rules: Allowed Traffic Protocols
Other:
| Allowed Traffic Protocols: No longer supported. Administrators can get these in the REST API. Supported:
Advanced Settings > Built-in Rules:
The Block UPnP Discovery firewall rule is configured to not log events to minimize the number of events that the client sends to the cloud. |
Protection Settings:
Stealth Settings:
| Advanced Settings > Protection Settings:
Stealth Settings:
|
Windows Integration:
|
|
Peer-to-Peer Authentication Settings:
Exclude hosts from authentication | Planned for a feature release |
Security Settings Clients > Policies tab > General > Security Settings tab
| Advanced Settings > Security Settings
|
Client control user settings Client-user server mode settings ( Clients > Policies tab > Location-specific Settings > Server mode )
| Available now:
Not available yet:
|
Notifications/Logging | Available soon:
|
|
|
Network Traffic Redirection policy
Not available yet.
On-premises SEP | Symantec Endpoint Security |
---|---|
Network Traffic Redirection (as of 14.3 RU1); called Web Security Services (WSS) Traffic Redirection (WTR) in earlier versions | Secure Connection |
Local Proxy Service (part of WSS as of 14.2) | Available soon |
Install the Symantec Web Security Service root certificate on clients to facilitate the protection of encrypted traffic | Available soon |
Intrusion Prevention policy
You can enable/disable the IPS on Mac devices.
On-premises SEP | Symantec Endpoint Security |
---|---|
Support on both Windows and Mac devices | Can configure for Windows devices. Can enable/disable for Mac devices, and configure some options. |
Server Performance Tuning (as of 14.2 RU1)
|
|
Exceptions:
|
|
Show or hide user notifications | You can enable or disable notifications for Windows and Mac devices. Notifications are only sent for enabled signatures. Show Advanced lets you customize the notification message for Windows devices.
|
Custom IPS signatures | Available soon |
Downloading the latest IPS signatures: The LiveUpdate Content policy | No LiveUpdate Content policy exists in Endpoint Security. LiveUpdate downloads the IPS signatures automatically through the System policy. You cannot configure the client to not get signatures. |
Client package includes IPS | The advanced settings under Settings > Installation Package include an option that is selected by default, Server-optimized installation, which does not include IPS. However, desktop operating systems ignore this setting and IPS is always installed. You cannot disable IPS on the client. |
User interaction on the client: The settings for Intrusion Prevention and Memory Exploit Mitigation are found under the Client User Interface Settings. You find these controls in Symantec Endpoint Protection Manager under Clients > Group Name > Policies > Location-specific Policies and Settings > Location-specific Settings | Notifications are enabled by default for Windows and Mac devices in the Intrusion Prevention policy. You can enable or disable the notifications, which are only sent for enabled signatures. For Windows devices, you can customize the notification message under Show Advanced. Sound: Deprecated |
Host Integrity policy
Not available on Windows or Mac devices.
On-premises SEP | Symantec Endpoint Security |
---|---|
When should Host Integrity checks be run on the client?
Host Integrity Requirements
| Available soon |
Advanced Settings Host Integrity Checking Options
Remediation Dialog Options
Notifications
| Available soon |
LiveUpdate Settings policy (System policy)
In Endpoint Security, the System policy replaces the LiveUpdate Settings policy.
On-premises SEP | Symantec Endpoint Security |
---|---|
Use the default management server | Deprecated - not needed |
Use a LiveUpdate server (internal or external)
|
|
FTP server mode (active or passive) | Deprecated - not needed |
Use a Group Update Provider
- Maximum time that clients try to download updates from a GUP before trying the default management server GUP settings
| Available soon: The GUP will work differently
|
Enable third party content management | Use third-party content management |
HTTP/HTTPS proxy server
FTP proxy server
| HTTP/HTTPS proxy server
FTP proxy server
|
LiveUpdate proxy configuration for client to management server communication Clients page > Policies tab > External Communications | Deprecated. This functionality is not needed for the cloud. However, for client-to-cloud communication or for cloud enrollment, this functionality is combined with the proxy configuration settings in the new System policy. The System policy covers cloud-client communication. |
Run Intelligent Updater to update content
| Not needed at this time.
|
LiveUpdate Schedule
|
|
Advanced Settings:
| Planned for a future release:
No future plans:
Deprecated:
|
Use standard HTTP headers | Deprecated |
LiveUpdate Content policy (System policy)
In Symantec Endpoint Security, the content is downloaded automatically and you do not have the ability to configure which content you want to download to clients.
On-premises SEP | Symantec Endpoint Security |
---|---|
Security definitions
Host Integrity Requirements
| Available now:
Available soon:
|
Locking on a specific set of definitions
| Moved to System policy with the following changes:
|
Download content from LiveUpdate Administrator to Symantec Endpoint Protection Manager
| Deprecated. LiveUpdate Administrator downloads the content directly to the cloud console. |
Disk Space Management: Number of content revisions to keep | Uses the default setting. Available soon: The ability for you to control this setting |
Download Schedule | Deprecated; not needed. |
Platforms to Download (Mac, Windows 32-bit, 64-bit) | Uses the default setting. Available soon: The ability for you to control this setting |
Languages to Download | Uses the default setting. Available soon: The ability for you to control this setting |
Memory Exploit Protection (MEM) policy
Mac devices are currently not supported.
Memory Exploit Mitigation was introduced in 14 MP1 as Generic Exploit Mitigation. If you run 14.1 to 14.2 MP1 clients, you can use a MEM policy from either Symantec Endpoint Protection Manager or from the cloud. Endpoint Security calls the policy type Exploit Protection.
On-premises SEP | Symantec Endpoint Security |
---|---|
Enable Memory Exploit Mitigation You cannot modify a MEM policy in SEPM while a cloud-based policy is in use. | Memory Exploit Mitigation protection toggle (On/Off) |
General Settings:
| General Settings:
|
Custom applications (No) | Custom applications - Protection for Admin Selected Application. You can add them directly in Endpoint Security or from Application Isolation. |
Choose a mitigation technique Mitigation techniques:
| Global override for mitigation techniques protection (Off/On/Log/Default (On)) Mitigation techniques: (Same as 14.x version) |
Application Rules (Protected check box) | Protection for Symantec Recommended Application Coverage (Enabled/Disabled) |
Virus and Spyware Protection policy (Antimalware)
The cloud console has a single default Antimalware policy, which aligns most closely with the default Virus and Spyware Protection policy - Balanced in Symantec Endpoint Protection Manager. There are no plans to add a default High Performance or High Security policy.
The 14.1/14.2 cloud console supports Auto-Protect only.
*Supported on Mac devices.
On-premises SEP (Virus and Spyware) | Symantec Endpoint Security (Antimalware) |
---|---|
Administrator-defined scans:
| Available now:
Available soon:
|
Scan Details:
Advanced Scanning Options:
Enable Insight Lookup | Uses default settings (the ability to configure these settings is deprecated):
Insight Lookup is part of Intensity Level setting |
Scheduled scans (Schedule) :
| Daily, weekly, monthly Uses default settings (the ability to configure these settings is deprecated):
|
Actions:
| Remediation actions: Deprecated. The cloud determines the best course of action.
Remediation (other):
|
Actions to take while a scan is running:
| Planned for a future release
|
Auto-Protect:
| *Auto-Protect:
Not available:
|
Email scans:
|
|
| The Intensity Level setting includes:
The default Intensive Protection blocking level is less aggressive than the most aggressive Bloodhound setting in a Virus and Spyware Protection policy. If your current policies specify Bloodhound at its highest level, you might need to increase the Intensive Protection level. |
SONAR: Scan Details:
System Change Events:
Suspicious Behavior Detection
Network Settings:
| Renamed as Behavioral analysis *
Other
|
Early Launch Anti-Malware Driver
| *Enable Symantec early launch antimalware
|
Notifications Administrator-defined scan:
Auto-Protect:
Microsoft Outlook Auto-Protect:
Download Protection:
Miscellaneous:
| Notifications from the various Virus and Spyware features are consolidated into one place in the Antimalware policy > User Notifications Settings:
|
Quarantine General tab:
Cleanup tab:
|
Quarantine a device command (Devices > Managed Devices tab > Actions menu > Quarantine command).
|
Global Scan Options
|
|
Miscellaneous
|
Planned for a future release:
|
Policy Components
In the cloud console, you find these components in Policies > Policy Components.
On-premises SEP | Symantec Endpoint Security |
---|---|
Scheduled Scan Templates | No plans for templates. You can use scheduled scan only. |
Management Server Lists | Deprecated - There are no Symantec Endpoint Protection Managers. |
Host Groups | Yes: Policies > Policy Components > Host Groups |
Network Services | Available soon |
Network Adapters | Available soon |
Hardware Devices | Yes: Policies > Policy Components > External Devices |
Client Features
- The Symantec Endpoint Protection client in SEP is called the Symantec Agent in SES. They are the same client.
- Client computers in SEP are called devices in SES.
Client installation/Device discovery
You access most client installation features by selecting:
- Symantec Endpoint Protection Manager: Admin > Install Packages > Client Install Settings
- Symantec Endpoint Security: Settings > Installation Package
The endpoint software is called the Symantec Endpoint Protection client in Symantec Endpoint Protection and the Symantec Agent in Symantec Endpoint Security.
On-premises SEP | Symantec Endpoint Security |
---|---|
Deploy client installation package from Symantec Endpoint Protection Manager:
| The Symantec Agent replaces the Symantec Endpoint Protection client. Deploy the Symantec Agent from Symantec Endpoint Security:
|
Installation type includes: Interactive, Silent, and Show progress bar only | Installation type includes: Interactive, Silent, and Show progress bar only. Not available for Mac and Linux. By default, the installation is Silent. |
Customizable installation folder (Client Install Settings) | Installation folder specification: (Show More > Advanced Options)
Not available for Mac and Linux. |
Custom feature sets (Client Install Feature Set):
| Symantec Agent protection features available for Windows workstations depend on activated products:
The Protection settings for Windows servers option is limited intentionally for servers only. Workstations ignore this setting. There is no plan for the granular settings that Symantec Endpoint Protection Manager has. Full installation (Same as Full Protection for Servers) includes:
Server-optimized installation (Same as Basic Protection for Servers) includes:
Protection features available for Mac:
Protection features available for Linux:
|
Option to include virus definitions in installation package: Client Deployment Wizard > New package > Content Options | Virus definitions in the deployment package is implemented but not supported.
Not available for Mac and Linux. |
Set restart type for clients:
Depending on selection this can be:
| Restart type: (Show More > Advanced Options)
Not available for Mac and Linux. |
Restart settings for forced, delayed, and custom:
Other options, depending on restart type:
| Restart settings: (Show More > Advanced Options)
Other:
Not available for Mac and Linux. |
Client software removal options
| Software removal settings (Show More):
Not available for Mac and Linux. |
Reduced-size definitions | Deprecated |
Upgrade client software (AutoUpgrade)
AutoUpgrade is not available on Mac and Linux devices. To upgrade the client software on a Mac or Linux device, you must reinstall a new client installation package.
On-premises SEP | Symantec Endpoint Security |
---|---|
Automatically upgrade the client (Upgrade Clients with Package wizard)
| No plans for templates. You can use scheduled scan only.
|
Choose a server to download package from
| Uses LiveUpdate only, as the management server is not involved. Admin configures this in the System policy > LiveUpdate Server & Schedule section. |
Restart options:
Includes an option to not restart the Windows client computer. | Restart type:
Restart Settings:
|
Upgrades from an earlier version: You can upgrade to the latest version of Symantec Endpoint Protection from any earlier version, based on the supported upgrade path. | Release channel (Client Upgrade Settings) Moved to System policy with the following changes:
|
Client management and general protection
Not yet available on Mac or Linux devices.
On-premises SEP | Symantec Endpoint Security |
---|---|
Run commands on clients from the management server:
|
|
Server control, client control, mixed control |
|
Low bandwidth mode (new in 14.1) | System policy > General settings:
|
Password protecting the client (Clients > Policies tab)
|
|
| The cloud does not have management servers, but it does have domains. In both cases, use one of the following methods:
|
Configure client submissions of pseudonymous security information to Symantec | Enabled by default. You can't disable it; however, the ability to control this may be available later. |
Configure clients to securely submit pseudonymous system and usage information | Not available |
Manage the external communication between the management server and the clients
| No - Deprecated because the management server isn't used. Upload critical events immediately runs by default
|
Configure clients to use private servers
Note: ATP is renamed to Endpoint Detection and Response (EDR) | No - Deprecated |
Proxy support | Proxy server used for client installation and enrollment. Used for LiveUpdate Server as well.
|
Unmanaged detector | Partial support - Endpoint Security includes on-demand detection of unmanaged devices, where the cloud looks for and finds unmanaged devices continuously.
This feature is more advanced but not automatic. Devices > Unmanaged Devices |
Set User Information Collection | Deprecated |
Mac Agent features
Option | Symantec Endpoint Security |
---|---|
Installation |
|
Policies | Available now: Antimalware:
Intrusion Prevention:
Available soon:
Device commands (such as Run LiveUpdate, Scan Now, Quarantine) |
Linux Agent features
Option | Symantec Endpoint Security |
---|---|
Installation | Installation package creator: Creates a package that either installs directly or that you can deploy for installation - similar to Save package |
Policies | Antimalware:
Intrusion Prevention:
|
Log settings for clients
On-premises SEP | Symantec Endpoint Security |
---|---|
Log settings on Symantec Endpoint Protection Manager for the clients: Set size and retention options for logs that are maintained on the client computers: Client Activity, System, Security and risk, Security, Traffic, Packet, Control | Not available yet. |
Risk log settings:
| No plans |
Management Features
Symantec Endpoint Security replaces the management server (Symantec Endpoint Protection Manager) with a global cloud console, Integrated Cyber Defense Manager (ICDm).
An upgrade wizard is available to migrate Symantec Endpoint Protection Manager policies to Symantec Endpoint Security.
Management console
On-premises SEP | Symantec Endpoint Security |
---|---|
Symantec Endpoint Protection Manager (SEPM) | Integrated Cyber Defense Manager (ICDm).
|
Management server
On-premises SEP | Symantec Endpoint Security |
---|---|
Installing Symantec Endpoint Protection Manager | Deprecated. You install an agent, but not the management server |
Domains: Add, remove, edit a domain | For hybrid management, you enroll a SEPM domain in Integration > Enrollment (14.0.1 and later). For cloud-only management you can use the following domains:
You can add, remove, or edit a domain |
Sites | Deprecated - no need |
Replication | Deprecated - no need |
Databases | Deprecated - no need |
Servers | Deprecated - no need |
Licenses
Trial license is 90 days | Yes - Subscriptions
The SEPM licenses (through Oracle) are automatically uploaded and extended to the cloud console and appear in the cloud (through the Try Now option). The trial subscription is hidden but converts to a paid subscription. Symantec Endpoint Security-enabled devices that have been offline for more than 30 days are automatically deleted from the cloud. |
APIs (Integration)
Administrators
On-premises SEP | Symantec Endpoint Security |
---|---|
General:
|
|
Access Rights:
| Renamed to Roles: (Settings > Administrator & Roles page)
|
Authentication for Symantec Endpoint Protection Manager logon:
| Applies to all products in the cloud console, and can be found under Settings > Access and Authentication. Identity Provider:
Two-factor authentication |
Home page
On-premises SEP | Symantec Endpoint Security |
---|---|
Home page commands | Replaced by Dashboard > Security Controls. Goes through My Tasks. Some actions are available through the allow list and deny list. You can create a custom dashboard that becomes the default dashboard when you sign on.
|
Preferences | Not available |
VDI (Virtualization)
On-premises SEP | Symantec Endpoint Security |
---|---|
VDI | No |
Shared Insight Cache | Deprecated |
vShield-enabled (12.1.6 and earlier) | TBD |
Reports, Logs, Notifications
Reports and Templates
On-premises SEP | Symantec Endpoint Security |
---|---|
Audit Policies Used | Not available |
Application and Device Control
| Application Control:
Device Control:
|
Compliance
| Available soon
|
Computer Status
|
Application Isolation/Application Control:
|
Deception (new as of 14.1) | Available soon. |
Network and Host Exploit Mitigation
|
Separated into 3 Security Controls/KPIs: Intrusion Prevention:
|
Risk
| Antimalware Security Control
Quick Links:
|
Scan
|
|
System:
| |
Format : HTML | PDF, HTML, CSV |
Logs (Events), Notifications (Alerts), Commands
In Symantec Endpoint Security, logs are Events, and notifications are called Alerts.
On-premises SEP | Symantec Endpoint Security |
---|---|
Logs
| No commands on events |
Events (Severity)
|
|
Commands
With status:
| Devices:
Policies: TBD |
Notifications
| Alerts:
Available soon: Customizable notifications |
Dashboard and Security Controls (Monitors > Summary)
Each policy has a quick setup to show you a short video and the default policy.
On-premises SEP | Symantec Endpoint Security |
---|---|
Dashboard |
|
Antimalware |
|
Firewall |
|
Intrusion Prevention |
|
Device Control |
|
Device Integrity |
|
Exploit Mitigation |
|