Policy types

To find out more about how policy types differ between an on-premises Symantec Endpoint Protection (SEP) 14.x and Symantec Endpoint Security (SES) Complete, see the following policy topics:

General policies

Some policy settings and security settings in Symantec Endpoint Security (Endpoint Security) do not appear in the cloud console user interface, but they are enabled by default. In this case, there is no setting for you to disable or configure.
General policies: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Virus and Spyware Protection
  • Replaced by the Antimalware policy on fully cloud-managed agents version 14.2 MP2 and later.
  • Replaced by the Intensive Protection policy on hybrid-managed 14.1 and later agents only. Combines Download Insight, Bloodhound, and some SONAR settings.
Network and Host Exploit Mitigation
  • Network Threat Protection (intrusion prevention and firewall)
  • Memory Exploit Mitigation (replaced Generic Exploit Mitigation in 14)
In the cloud console, the term Network and Host Exploit Mitigation is no longer used and is replaced by the following policy names:
  • Firewall policy
  • Intrusion Prevention policy
  • Exploit Protection policy (Memory Exploit Mitigation)
The term Network and Host Exploit Mitigation is still used on the client.
Proactive Threat Protection (up through 14.2)
  • Application and Device Control
  • SONAR
In the cloud console, the term Proactive Threat Protection (PTP) is no longer used and is replaced by the following policies/features:
  • Application Control policy
  • Device Control policy
  • Behavior Analysis (new name for SONAR)
In 14.2 RU1 and later, the term PTP is still used in the Symantec Endpoint Protection Manager / Symantec Endpoint Protection client.
Exceptions
  • Allow List policy (14.1 and later)
  • Deny List for HASH exception (14.1 and later)
Host Integrity
  • Scheduling
  • Notifications
  • Custom requirements
  • System lockdown
  • Application learning: Go to Clients > Policies tab > Settings > General Settings.
  • System lockdown: Replaced by the Deny List policy and Application Control (Symantec Endpoint Security Complete).
  • Application learning: Replaced by Discovered Items. Replaced by the Deny List policy and Application Control. See:
Tamper Protection: Go to Clients > Policies tab > Settings > General Settings.
Actions to take if an application attempts to tamper with or shut down Symantec security software:
  • Block and do not log
  • Block and log
  • Log only
Moved to System policy. Labeled as Protect Symantec security software from being tampered with or shut down (On/Off).
  • Block and do not log
  • Block and log
  • Log only
Location awareness
Renamed Policy Targeting (14.3 agents).
You target a policy to a device where a certain user is logged in. Go to Policies page > Policy Target Rules tab.
Network application monitoring: Go to Clients page > Policies tab.
Deprecated
Deception
On-premises only.
Active Directory Threat Defense
On-premises only.
Application Control
Application Control is included with Symantec Endpoint Security Complete. (Application Isolation is also available to legacy customers.)
Adaptive Protection provides attack surface mitigation for Symantec Endpoint Security Complete.
Power Eraser
Available soon.
Endpoint Detection and Response enablement (renamed from ATP)
Endpoint Detection and Response (EDR) is included with Symantec Endpoint Security Complete.
Padlocks or mixed/server/client control:
You prevent users from disabling protection on the client computer by setting the user control level or by locking the policy options. Some policies use a padlock. Other policies use the user control level.
Unlock on some policies lets client users override the policy’s settings on the device.

Policies/Actions

Other policies now appear on the Actions menu in the cloud console.
Policies/Actions: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Policies
  • Policy templates
  • Policy types
For more information, see:
Add
Create
Edit
Right-click the vertical ellipsis (Actions menu).
To update the policy:
  • Select and open the policy, and select Save Policy.
  • The Policies > Versions tab displays previous versions of the policy.
    A new version of a policy is created whenever you change a policy setting and apply the policy to a device or a device group. See:
Copy
Duplicate
Assign (to a group or location)
Apply (to a device group).
Replace
N/A. Use Apply instead.
Withdraw from assigned groups or locations before deleting
Remove
Delete
Delete
Import/Export
  • Import supported policies from version 12.1.6.x to 14.2 MP1 and later.
  • Export policies: Go to Policies > Policies tab > Actions menu > Export Policy.

Application Control

The Application Control policy in Symantec Endpoint Protection can be replaced with Application Control in the cloud console.
Application Control: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Modes
Test/Production mode:
  • Test (log only)
  • Production
SEPM has no override equivalent. Client users cannot override.
General Settings:
  • Turn on Run in monitor mode to test the policy.
  • Turn off Run in monitor mode to enforce the policy.
Enforcement Mode (for production):
  • Enforce with Overrides (dynamic devices). Configure the type of applications that client users can override. Override options:
    • Allow overrides if applications are signed and have good reputation
    • Allow overrides if applications are unsigned but have good reputation
    • Allow overrides if the applications are signed but have gray reputation
    • Allow overrides if the applications are unsigned and have gray reputation
  • Strict Enforcement (fixed-function devices)
Add custom rules/conditions
  • Registry Access Attempts
  • File and Folder Access Attempts
  • Launch Process Attempts
  • Terminate Process Attempts
  • Load DLL Attempts
Properties:
  • Rule name and Description
  • Enable this rule
  • Apply/Do not apply this rule to the following processes
Sub-processes inherit conditions
  • Application Name
  • File Name
  • Custom rule:
    • Publisher
    • Reputation
    • Path
    • Hash
Actions
Read Attempt/Create, Delete, or Write Attempt
  • Continue processing other rules
  • Allow access
  • Block access
  • Terminate process
  • Enable logging
  • Send Email Alert
  • Notify user
Default rules
  • Block applications from running [AC1]
  • Block programs from running from removable drives [AC2]
  • Make all removable drives read-only [AC3]
  • Block writing to USB drives [AC4-1.1]
  • Log writing to USB drives [AC5-1.1]
  • Block modifications to hosts file
  • Block access to scripts
  • Stop software installers [AC8]
  • Block access to Autorun.inf [AC9]
  • Block Password Reset Tool [AC10]
  • Block File Shares [AC11]
  • Prevent changes to Windows shell load points (HIPS) [AC12]
  • Prevent changes to system using browser and office products (HIPS) [AC13]
  • Prevent modification of system files (HIPS) [AC14]
  • Prevent registration of new Browser Helper Objects (HIPS) [AC15]
  • Prevent registration of new Toolbars (HIPS) [AC16]
  • Prevent vulnerable Windows processes from writing code [AC17]
  • Prevent Windows Services from using UNC paths [AC-23]
  • Block access to lnk and pif files [AC-24]
  • Block applications from running out of the recycle bin [AC-25]
None. You make a custom rule in Application Control in the cloud.
Enabling/Disabling
Go to Client > Policies > Location-specific Settings > Allow user to enable and disable the application device control.
Deprecated.

Application Isolation

Application Isolation is only available in the cloud console.
Application Isolation: SES only
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Not available.
  • Browser Isolation policy
  • Office Isolation policy
  • PDF Renderer Isolation policy
  • Platform Isolation policy
  • Trusted Updater policy

Device Control

Support for Mac devices is available soon.
Device Control: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Access
  • Hardware Device Control Lists
    • Blocked Devices
    • Devices Excluded From Blocking
  • Log detected devices
  • Notify users when devices are blocked or unblocked (Specify Message Text)
Go to Policies > Policy Components > External Devices.
  • List of external devices (hardware)
Go to Policies > Default Device Control policy.
  • Blocked External Devices:
    • Log detected external devices
    • Notify users when external devices are allowed
  • Allowed External Devices (devices are excluded from blocking, an exception to a blocking rule)
    • Log detected external devices
    • Notify users when external devices are allowed
How Device Control works
Device control works based only on Class ID (GUID) and Device ID.
Device control works based only on Class ID (GUID) and Device ID.
Wildcards
Device control performs wildcard matches on Class ID or Device ID with the star character or asterisk (*).
Information available soon.
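The Class ID / Device ID matching, the asterisk wildcard, and the "allowed devices are an exception to a blocking rule" behaviour described in this table, worked through as an added Python example (not Symantec's code). It assumes things the page does not state: matching is case-insensitive, '*' is the only wildcard, and an Allowed entry takes precedence over a Blocked one; the Device IDs and serial numbers are constructed, while the two GUIDs are standard Windows setup class GUIDs.

```python
"""Added example (not Symantec code): evaluate a Device Control style policy.

Assumptions made here, not stated by the product documentation:
  - matching is case-insensitive (Windows device IDs are treated that way in practice);
  - '*' is the only wildcard and matches any run of characters, including none;
  - an Allowed (excluded from blocking) entry takes precedence over a Blocked entry,
    because the page describes allowed devices as "an exception to a blocking rule".
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Device:
    """A device as the client would see it: setup class GUID plus hardware Device ID."""
    class_id: str   # e.g. "{4D36E967-E325-11CE-BFC1-08002BE10318}" (DiskDrive class)
    device_id: str  # e.g. r"USBSTOR\DISK&VEN_...&PROD_...&REV_...\<serial>&0"


@dataclass
class DeviceRule:
    """One entry from the Hardware Device list: a Class ID or Device ID, possibly with '*'."""
    pattern: str
    kind: str       # "class_id" or "device_id"
    name: str = ""  # display name shown in the decision


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a '*'-only wildcard pattern into an anchored, case-insensitive regex.

    Everything except '*' is escaped, so the '\\', '&', '{' and '.' that occur in
    real device IDs and class GUIDs are matched literally.
    """
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule: DeviceRule, device: Device) -> bool:
    """Match the rule against the Class ID or the Device ID, whichever the rule names."""
    value = device.class_id if rule.kind == "class_id" else device.device_id
    return wildcard_to_regex(rule.pattern).match(value) is not None


@dataclass
class DeviceControlPolicy:
    blocked: List[DeviceRule] = field(default_factory=list)
    allowed: List[DeviceRule] = field(default_factory=list)  # exceptions to blocking

    def evaluate(self, device: Device) -> dict:
        """Return the outcome and the rules that produced it.

        'allowed'  - no Blocked rule matched
        'excluded' - a Blocked rule matched, but an Allowed exception matched too
        'blocked'  - a Blocked rule matched and no exception applies
        """
        block_hits = [r for r in self.blocked if rule_matches(r, device)]
        if not block_hits:
            return {"outcome": "allowed", "blocked_by": [], "allowed_by": []}
        allow_hits = [r for r in self.allowed if rule_matches(r, device)]
        return {"outcome": "excluded" if allow_hits else "blocked",
                "blocked_by": [r.name or r.pattern for r in block_hits],
                "allowed_by": [r.name or r.pattern for r in allow_hits]}


def decide(policy: DeviceControlPolicy, device: Device) -> str:
    """Convenience wrapper returning only the outcome string."""
    return policy.evaluate(device)["outcome"]


# Constructed sample policy. DISK_CLASS and KEYBOARD_CLASS are the standard Windows
# setup class GUIDs; every Device ID and serial below is made up for this example.
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
KEYBOARD_CLASS = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"

SAMPLE_POLICY = DeviceControlPolicy(
    blocked=[DeviceRule(r"USBSTOR\DISK*", "device_id", "All USB mass storage")],
    allowed=[
        # Exception: one specific issued drive; '*' skips the firmware revision field.
        DeviceRule(r"USBSTOR\DISK&VEN_CORP&PROD_SECUREKEY*\CORP00042&0",
                   "device_id", "Issued encrypted drive"),
    ],
)

if __name__ == "__main__":
    samples = [
        Device(DISK_CLASS, r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_1.00\0123456789&0"),
        Device(DISK_CLASS, r"USBSTOR\DISK&VEN_CORP&PROD_SECUREKEY&REV_2.10\CORP00042&0"),
        Device(KEYBOARD_CLASS, r"USB\VID_046D&PID_C31C\6&1A2B3C4D&0&2"),
    ]
    for dev in samples:
        print(dev.device_id, "->", SAMPLE_POLICY.evaluate(dev))
```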
Default external devices
The Hardware Device list includes many common device types by default.
Go to Policies > Policy Components > External Devices.
  • Contains Windows devices
  • System (default)
  • Custom (added manually by user)
  • Discovered
Adding custom devices
You can add additional custom devices to the Hardware Device list by Class ID or Device ID.
Go to Policies > Policy Components > External Devices.
  • Add External Device (one at a time)
  • Edit or Remove item from list (action menu, one at a time)
Applies to external devices on Windows.
Blocking devices
Devices to block (or to exclude from blocking) are derived only from the Hardware Device list. The list includes those default common device types, as well as custom devices you may have added.
The picklist of devices comes from the global list. You can select which device(s) you want to block or exclude from blocking, and add it directly to the policy.
Adding device types
You can add more than one device type at a time.
Go to Policies > Policy Components > External Devices.
  • Add External Device (each device is added one at a time)
Go to Policies > Device Control policy.
  • Blocked External Devices
    • Add for Windows (can select multiple at once; can filter the list)
    • Remove (individually, from action menu for individual items)
  • Allowed External Devices:
    • Add for Windows (can select multiple at once)
    • Remove (individually, from action menu for individual items)
  • Control access for USB Mass Storage Devices:
    • Add (can select multiple at once; can filter the list)
    • Remove (can select multiple at once in the policy, then click Remove)
Block and allow actions
The actions to take are to block, or to exclude from blocking (allow).
You can block or allow external devices.
Notifications
Customize the client notifications
You can enable and customize client notifications for block and allow.

Endpoint Detection and Response (EDR)

While Symantec Endpoint Protection provides threat detections to EDR for further analysis, it has no built-in EDR functionality. The cloud console provides this functionality.
Endpoint Detection and Response (EDR): SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
No built-in EDR functionality.
  • Customers now have a single view of endpoint activity recorder, Advanced Attack Technique events, and SEP events.
  • New and improved search tools provide unified, advanced search across all events. Search tools include:
    • Time-based filtering on relative ranges (e.g., "Last Week") and absolute ranges (start-end dates and times).
    • Pre-defined "quick filters" that filter for key items like MITRE tactics, detection technology, dual-use tools and many more.
    • User-specified custom filters built from any event data fields.
    • Ad-hoc, text-based filter creation using industry-standard Lucene Parser Syntax.
    • The ability to save queries.
  • A new Incidents tab under Alerts and Events in the left navigation bar. The tab provides a list of all incidents that a security analyst should investigate further, along with a description that explains the detection, the priority, and the number of impacted endpoints. Incidents are generated based on SEP, TAA, AAT and FDR events.
  • Detailed views of individual incidents, events, and involved entities (endpoints, files, domains, etc.).
  • Graphical representation of incidents that show the relationships between the elements of the incident.
  • The ability to comment on incidents by multiple investigators, and to close the commenting upon incident resolution.
  • Policy-based endpoint data recording configuration that includes:
    • Ability to assign the policy to specific device groups.
    • Scheduling when data is sent to EDR.
    • The types of data sent to EDR.
  • Streamlined EDR provisioning and on-boarding using the same device groups you've created for other endpoint security solutions.
Investigate Search - Event results grid enhancements:
  • You want to quickly narrow search results to those that match a specific field value, or exclude results that match a specific field value.
    This release adds the ability to easily filter for a value, or filter out a value. When you expand a row on the results grid, hover over an event field to display a + icon and a - icon. Click the + icon to filter for a value; click the - icon to filter out a value.
  • You want to see at a glance which fields have null or empty values.
    Fields with null or empty values are now displayed with a long dash (—).
  • You want to see all dates in the fields as your local dates.
    Dates for all fields now show the local date.
  • Expanded event rows no longer show duplicate values.
Investigate Search - Filter:
  • You want to be able to use special characters such as [ ] " . ! { } ~ ( ) \ : and ^ in a free-form search.
    With this release, you can now perform a word search (surround the word in double quotes) for words that contain special characters.
  • Boolean values are no longer case-sensitive.
  • You can now specify a Windows file path within a Regex query.
Incidents Page:
  • You want to see the non-HTTP network events for IPS Incidents in the Incident Graph.
    The Incident Graph now shows IPS incident > non-HTTP network events.
  • The Incident first_seen value is now updated during Incident Update.
  • The AVE Incident Rule now excludes blocked events.
  • Only relevant incidents are now created by App Isolation block events on CDM.
  • Null incidents no longer appear for firewall block events on CDM.

Exceptions

The main difference is that there are currently no client-based exceptions for a cloud-controlled client.
Exceptions: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Server-based exceptions
  • Applications
    • (View) Watched Applications
    • Unwatched applications
    • Actions: Ignore, Log only, Quarantine, Terminate, Remove
  • Applications to monitor
    • Auto-Protect
    • Scheduled and on-demand scans
  • Extensions
  • Files
    • Prefix variables
  • Folders
  • Known risks
  • Trusted Web domain
  • Tamper Protection exceptions
  • DNS or Host File Change Exception
  • Certificate (new in 14.1)
Supported:
  • Certificate
  • Filename (File > Security Risk/SONAR)
    • Auto Protect
    • Scheduled and On-Demand scans
    • Behavioral Analysis
    • Tamper Protection
  • Web domain exception (Trusted web domain)
  • Hash (Application) Supports SHA-256 values only.
  • Path (Folder > Security Risk/SONAR)
    • Auto Protect
    • Scheduled and On-Demand scans
    • Behavioral Analysis
  • Extension (new; 14.2 RU1)
    • Auto-Protect
    • Scheduled and On-Demand scans
  • IPS Host (moved from IPS policy)
    • Host type - IP4/IP6 Address, Subnet, Range
Not supported:
  • Application to Monitor (Symantec Endpoint Security Complete)
  • File - Moved to Application Control
  • Folder - Application Control (Deprecated)
  • Known Risks (Deprecated. Don't do risk-based)
  • Tamper Protection (Available soon)
  • DNS or Host File Change Exception
  • Mac or Linux exceptions (Available soon)
Client-based exceptions/restriction
Controls which exceptions end users can add on the client computer.
14 and earlier:
  • Application
  • Extension
  • File
  • Folder
    • Security Risk
    • SONAR
  • Known risks
  • Trusted web domain
  • DNS or Host File Change
  • Certificate - Use third-party content management*
14.1 to 14.2 MP1:
If Symantec Endpoint Protection Manager is enrolled in the cloud console, SEPM does not display the following client restrictions:
  • Application Exception
  • File Exception
  • Folder Exceptions > Security risk Exception/SONAR Exception
  • Trusted Web Domain Exception
  • Certificate Exception
In addition, on Windows clients that a cloud-based exceptions policy controls, these exceptions do not appear in the client user interface.
SEPM does display the following client restrictions, whether or not SEPM is enrolled:
  • DNS or Host File Change Exception
  • Extension Exception
  • Known Risks Exception
Client users cannot add their own exceptions. Available soon.
Client exceptions
Control how the client displays these exceptions.
  • Security Risks:
    • Known Risks
    • File
    • Folder
    • Extension
    • Web domain
  • SONAR > Folder
  • DNS Host File Change > Application
  • Application
There are no client-based exceptions for a cloud-controlled client.

Firewall

The Firewall policy is currently not available on Mac devices.
Firewall: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Enabling
Enable this policy.
Use the Firewall (On/Off toggle).
Default rules
  • 13 rules
  • Inherit Firewall Rules from Parent Group
  • Enable rules
  • Move Up/Move Down
  • 13 rules
  • Inherit Firewall Rules from Parent Group - Deprecated. The cloud uses implied inheritance.
  • Enabled rules check box (On/Off toggle)
  • Cut/Paste (instead of Move Up/Move Down)
  • Export policies
Custom rules
  • Add Rule wizard
  • Add Blank Rule
  • Delete Rule
  • Add
  • Delete
Add Blank Rule: Deprecated
Built-in rules
Allowed Traffic Protocols:
  • Enable Smart DHCP
  • Enable Smart DNS
  • Enable Smart WNS
  • Allow token ring traffic
Other:
  • Enable NetBIOS protection
  • Enable reverse DNS lookup
Allowed Traffic Protocols:
No longer supported. Administrators can get these in the REST API.
Supported:
  • Enable Smart DHCP
  • Enable Smart DNS
  • Enable Smart WNS
  • Allow token ring traffic
Advanced Settings > Built-in Rules:
  • Enable NetBIOS protection
  • Enable reverse DNS lookup
The Block UPnP Discovery firewall rule is configured to not log events, to minimize the number of events that the client sends to the cloud.
Protection Settings
  • Enable port scan detection
  • Enable denial of service detection
  • Enable anti-MAC spoofing
  • Automatically block an attacker's IP address
Go to Advanced Settings > Protection Settings.
  • Enable port scan detection
  • Enable denial of service detection
  • Enable anti-MAC spoofing
  • Automatically block an attacker's IP address
    • Number of seconds during which to block the IP address
Stealth Settings
  • Enable stealth mode Web browsing
  • Enable TCP resequencing
  • Enable OS fingerprint masquerading
  • Enable stealth mode Web browsing
  • Enable TCP resequencing
  • Enable OS fingerprint masquerading
Windows Integration
  • Disable Windows Firewall:
    • No Action
    • Disable Once Only
    • Disable Always
    • Restore if Disabled
  • Windows Firewall Disable Message (Enable/Disable)
  • Disable Windows Firewall:
    • No Action
    • Disable Once
    • Disable Always
    • Restore if Disabled
  • Enable Windows Firewall Disable Message (On/Off)
Peer-to-Peer Authentication settings
  • Maximum number of authentication attempts per session
  • Time between authentication attempts (seconds)
  • Time interval after which the remote computer can be reauthenticated (seconds)
  • Time that the rejected remote computer is blocked (seconds)
  • Time interval of inactivity between the authenticated computer and the client after which the session ends (seconds)
Exclude hosts from authentication
Planned for a feature release.
Security Settings
Go to Clients > Policies tab > General > Security Settings tab.
  • Block all traffic until the firewall starts and after the firewall stops
    • Allow initial DHCP and NetBIOS traffic
    • Enable secure communications between the management server and clients by using digital certificates for authentication
Go to Advanced Settings > Security Settings.
  • Block all traffic until the firewall starts and after the firewall stops
    • Allow initial DHCP and NetBIOS traffic
    • Enable secure communications: Deprecated
Client-user server mode settings
Go to Clients > Policies tab > Location-specific Settings > Server mode.
  • Allow users to perform security test
  • Amount of time before re-enabling Network Threat Protection
  • Number of times users are permitted to disable Network Threat Protection
  • Allow the following users to enable and disable the firewall
    • Windows Administrators only
    • All users
    • When the firewall is disabled:
      • Allow all traffic
      • Allow outbound traffic only
  • Block all traffic menu command
  • Configure unmatched IP traffic settings
    • Allow IP traffic
    • Allow only application traffic
      • Prompt users before allowing application traffic
Available now:
  • Allow users to perform security test (moved to User Interaction Settings)
  • Amount of time before re-enabling Network Threat Protection (Deprecated)
  • Number of times users are permitted to disable Network Threat Protection (Deprecated)
  • Allow the following users to enable and disable the firewall (moved to User Interaction Settings)
    • Windows Administrators only
    • All users
    • When the firewall is disabled:
      • Allow all traffic
      • Allow outbound traffic only
Not available yet:
  • Block all traffic menu command
  • Configure unmatched IP traffic settings
    • Allow IP traffic
    • Allow only application traffic
      • Prompt users before allowing application traffic
Notifications/Logging
Supported.
Available soon:
  • Notification settings
  • End user notifications
  • Logging viewer and packet viewer
Groups
  • Host groups (Firewall and Intrusion Prevention policies)
  • Network service groups
  • Network adapter groups
  • Host groups (Firewall policy only): Go to Settings > Host groups.
  • Network service groups (available soon)
  • Network adapter groups (available soon)

Network Traffic Redirection

The Network Traffic Redirection policy was called Integrations in SEP 14.3 MP1 and earlier.
Network Traffic Redirection: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Network Traffic Redirection (as of 14.3 RU1). Called Web Security Services (WSS) Traffic Redirection (WTR) in earlier versions.
Secure Connection.
Local Proxy Service (part of WSS as of 14.2).
Available soon.
Install the Symantec Web Security Service root certificate on clients to facilitate the protection of encrypted traffic.
Available soon.

Intrusion Prevention

You can enable/disable the IPS policy on Mac devices.
Intrusion Prevention: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Platforms
Support on both Windows and Mac devices
Can configure for Windows devices.
Can enable/disable for Mac devices, and configure some options.
Settings
  • Enable Network Intrusion Prevention
    • Enable excluded hosts
  • Enable Browser Intrusion Prevention for Windows
    • Log detections but do not block
    • Log-only mode
Server Performance Tuning (as of 14.2 RU1)
  • Signature subset for servers
  • Out-of-band scanning
  • Audit Signatures: Add > Log, Enable, Disable
    Supports Windows devices only.
    You can configure one or more signature exceptions before you select Submit.
  • Signature action exceptions: Add > Log, Enable, Disable
    Supports Windows and Mac devices.
    You can configure one or more signature exceptions before you select Submit.
  • Advanced Settings:
    • Intrusion Prevention - On or Off
    • Browser Protection - Enable, Disable, Log
      (New name for Browser Intrusion Prevention)
      Browser Protection not available for Mac.
    • Server Performance Tuning: includes out-of-band scanning and signature subset for servers.
    • Excluded hosts moved to Allow List policy.
For more information, see:
Exceptions
  • Show category
    • All
    • Browser Protection (335 signatures)
      Note: Custom exceptions are not supported for Browser Protection signatures.
    • Intrusion Prevention signatures
  • Show severity (All, High, Medium, Low)
  • Handled in policy under Signature Action Exceptions.
  • You can also add exclusions through Alerts and Events > Event type: IPS. When you view the details of the event, you can add exclusions and edit the policy.
For more information, see:
Notifications
Show or hide user notifications.
You can enable or disable notifications for Windows and Mac devices. Notifications are only sent for enabled signatures.
Show Advanced lets you customize the notification message for Windows devices.
Signatures
Custom IPS signatures.
Available soon.
LiveUpdate Content
The LiveUpdate Content policy downloads the latest IPS signatures.
No LiveUpdate Content policy exists in Endpoint Security. LiveUpdate downloads the IPS signatures automatically through the System policy. You cannot configure the client to not get signatures.
Client package
Client package includes IPS.
The advanced settings under Settings > Installation Package include an option that is selected by default, Server-optimized installation, which does not include IPS. However, desktop operating systems ignore this setting and IPS is always installed. You cannot disable IPS on the client. See:
User interaction on the client
The settings for Intrusion Prevention and Memory Exploit Mitigation are found under the Client User Interface Settings. You find these controls in Symantec Endpoint Protection Manager under Clients > Group Name > Policies > Location-specific Policies and Settings > Location-specific Settings.
  • Display Intrusion Prevention and Memory Exploit Mitigation notifications
    • Use sound when notifying user
    • Additional text for notifications
Notifications are enabled by default for Windows and Mac devices in the Intrusion Prevention policy. You can enable or disable the notifications, which are only sent for enabled signatures.
For Windows devices, you can customize the notification message under Show Advanced.
Sound: Deprecated

Host Integrity

This policy is not available on Mac devices or Linux devices.
Host Integrity: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
General settings
When should Host Integrity checks be run on the client?
  • Always do Host Integrity checking
  • Only do Host Integrity checking when connected to the management server
  • Never do Host Integrity checking
Host Integrity Requirements
  • Antivirus requirement
  • Antispyware requirement
  • Firewall requirement
  • Patch requirement
  • Service pack requirement
  • Custom requirement
Scheduling
  • Always run the Host Integrity check
  • Only run the Host Integrity check when connected to the cloud
  • Never run the Host Integrity check
Requirements
  • Custom requirement
Advanced Settings
Host Integrity Checking Options:
  • Check Host Integrity every: minutes/hours/days
  • Keep results of check for: minutes/hours/days
  • Continue to check requirements after one fails
Remediation Dialog Options:
  • Allow the user to cancel remediation for:
    Minimum and Maximum times: 2 minutes to 4 weeks
  • Number of times the user is allowed to cancel remediation
Notifications:
  • Show verbose Host Integrity Logging
  • Display a notification message when a Host Integrity check fails
  • Display a notification message when a Host Integrity check passes after previously failing
Advanced Scheduling > Host Integrity Checking Options
  • Check Host Integrity every: minutes/hours/days
  • Keep results of check for: minutes/hours/days
  • Continue the check even if a requirement fails
Remediation
  • Allow the user to cancel remediation for:
    Minimum and Maximum times: 2 minutes to 4 weeks
  • Number of times the user is allowed to cancel remediation
Notifications
  • Show verbose results of the Host Integrity check in the Security log
  • Display a message when the Host Integrity check fails
  • Display a notification when a Host Integrity check passes after it previously failed

LiveUpdate Settings

In the cloud console, the LiveUpdate Settings policy is under the System policy.
LiveUpdate Settings: SEP vs. SES
On-premises Symantec Endpoint Protection
Symantec Endpoint Security cloud console
Management server
Use the default management server.
Deprecated. Not needed.
LiveUpdate server (internal or external)
  • Use the default Symantec LiveUpdate server.
  • Use the Symantec LiveUpdate server for prereleased content (Early Adopter server).
  • Use a specified internal LiveUpdate server.
  • Use the default internal LiveUpdate server.
  • Use the Symantec LiveUpdate server for prereleased content.
  • Use a specified internal LiveUpdate server.

FTP server mode
Supported (active or passive).
Deprecated. Not needed.
Group Update Provider (GUP)
  • Multiple GUPs
  • Explicit GUPs
  • Single GUPs
Set the maximum time that the client tries to download updates from a GUP before trying the default management server.
GUP settings:
  • Default port
  • Maximum disk cache size allowed for downloading updates
  • Delete content updates if unused
  • Maximum number of simultaneous downloads to clients
  • Max bandwidth allowed for GUP downloads from the management server
  • Max bandwidth allowed for client downloads from GUP
Not yet available.
Third-party content management
Enable third-party content management.
Use third-party content management.
HTTP/HTTPS proxy server
  • I do not want to use a proxy server for HTTP/HTTPS
  • I want to use my Windows Internet Options proxy settings
  • I want to customize my HTTP or HTTPS settings
  • Host proxy
  • HTTP/HTTPS port
  • Authentication required
  • User name/password
  • NT LAN Manager Authentication
  • Do not use a proxy server for HTTP/HTTPS
  • Use my Windows Internet Options proxy settings
  • Use custom HTTP or HTTPS settings
  • Host proxy/HTTP/HTTPS port
  • Select Authentication required
  • Basic Authentication (User name/password)
  • NT LAN Manager Authentication - Deprecated
FTP proxy server
  • I do not want to use a proxy server for FTP
  • Use the proxy server by the client browser (default)
  • I want to customize my FTP settings
  • Server address
  • Port
  • Do not use a proxy server for FTP
  • Use the proxy server by the client browser (default)
  • Use custom FTP settings
  • Server address
  • Port
LiveUpdate proxy
Set up LiveUpdate proxy configuration for client to management server communication.
Go to Clients page > Policies tab > External Communications.
Deprecated. This functionality is not needed for the cloud. However, for client-to-cloud communication or for cloud enrollment, this functionality is combined with the proxy configuration settings in the new System policy. The System policy covers cloud-client communication.
Intelligent Updater
Run Intelligent Updater to update content.
  • Virus and spyware definitions
  • SONAR
  • IPS definitions
Not needed at this time.
LiveUpdate Schedule
  • Enable LiveUpdate Scheduling
  • Frequency
  • Retry window
  • Download randomization
  • Delay scheduled LiveUpdate until the computer is idle
  • Options for skipping LiveUpdate
    • LiveUpdate runs only if Virus and Spyware definitions are older than x
    • LiveUpdate runs only if the client is disconnected from SEPM for more than x
  • Enable LiveUpdate Scheduling
  • Frequency
  • Retry window
  • Download randomization
  • Idle detection
  • Options for skipping LiveUpdate - Deprecated
Advanced Settings
  • Allow the user to manually launch LiveUpdate (No current plans)
    • Allow the user to modify the LiveUpdate schedule
    • Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate
  • Download security patches to fix the vulnerabilities in the latest version of the agent
  • Download smaller client installation packages from a LiveUpdate server
Planned for a future release:
  • Allow the user to manually launch LiveUpdate
No future plans:
  • Allow the user to modify the LiveUpdate schedule
  • Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate
Deprecated:
  • Download security patches to fix the vulnerabilities in the latest version of the agent
    By default, this occurs when the client autoupgrades. No need for the admin to control this.
  • Download smaller agent installation packages from a LiveUpdate server
    By default, this occurs when the agent autoupgrades. No need for the admin to control this.
HTTP headers
Use standard HTTP headers.
Deprecated.

LiveUpdate Content

In the cloud console, the LiveUpdate Content policy is under the System policy. Additionally, the content is downloaded automatically and you do not have the ability to configure which content you want to download to clients.
LiveUpdate Content: SEP vs. SES
On-premises
Symantec Endpoint Protection
Symantec Endpoint Security
cloud console
Security definitions:
  • Virus and Spyware definitions
  • SONAR heuristic signatures
  • Intrusion Prevention signatures
  • Submission Control signatures
  • Reputation settings
  • Endpoint Detection and Response
  • Common Network Transport Library and Configuration
  • Advanced Machine Learning
  • WSS Traffic Redirection
Host Integrity Requirements:
  • Antivirus requirement
  • Antispyware requirement
  • Firewall requirement
  • Patch requirement
  • Service pack requirement
  • Custom requirement
Available now:
  • These same definitions are downloaded to the client by default, except for:
    • WSS Traffic Redirection
    • Endpoint Detection and Response
  • The content is not a one-for-one match in the cloud.
Not yet available:
  • You have the ability to control which definitions are downloaded:
    • WSS Traffic Redirection
Locking on a specific set of definitions
  • Use latest version
  • Select a revision
  • Select an engine version
Moved to System policy with the following changes:
  • Previous release: New. This is the release before the current/latest release and is the most stable.
  • Latest release: Same as the Symantec Endpoint Protection Manager, but not as stable as the Previous release.
  • Select a revision: Deprecated.
  • Prerelease: Changed (engine version). This is the beta version of the release and is the least stable.
Download content from LiveUpdate Administrator to Symantec Endpoint Protection Manager
  • Client product updates
  • Client security patches
  • Virus and Spyware definitions
  • SONAR heuristic signatures
  • Intrusion Prevention signatures
  • Host Integrity content
  • Submission Control signatures
  • Reputation Settings
  • Extended File Attributes and Signatures
  • Common Network Transport Library and Configuration
  • Endpoint Detection and Response
  • Advanced Machine Learning
  • WSS Traffic Redirection
  • Application Control content
Deprecated. LiveUpdate Administrator downloads the content directly to the cloud console.
Disk Space Management: Number of content revisions to keep
Uses the default setting.
Available soon: The ability for you to control this setting
Download Schedule
Deprecated; not needed.
Platforms to Download (Mac, Windows 32-bit, 64-bit)
Uses the default setting.
Available soon: The ability for you to control this setting
Languages to Download
Uses the default setting.
Available soon: The ability for you to control this setting

Memory Exploit Protection

Mac devices are currently not supported.
Memory Exploit Mitigation (MEM) was introduced in 14 MP1 as Generic Exploit Mitigation. If you run 14.1 to 14.2 MP1 clients, you can use a MEM policy from either Symantec Endpoint Protection Manager or from the cloud. Endpoint Security calls the policy type Exploit Protection.
Memory Exploit Protection: SEP vs. SES
On-premises
Symantec Endpoint Protection
Symantec Endpoint Security
cloud console
Policy
Enable Memory Exploit Mitigation
You cannot modify a MEM policy in SEPM while a cloud-based policy is in use.
Memory Exploit Mitigation protection toggle (On/Off)
General settings
  • Set the protection action for all applications to log only
  • Choose a protection action for all applications in this list (Default/Yes/No/Log Only)
  • Run in monitor mode
  • Enable Java Protection (Off/On/Log)
Custom applications
Not supported. Protection for Admin Selected Application. You can add them directly in Endpoint Security or from Application Isolation.
Mitigation techniques
Choose a mitigation technique
  • DllLoad
  • EnhASLR
  • ForceASLR
  • ForceDEP
  • HeapSpray
  • NullProt
  • RopCall
  • RopHeap
  • SEHOP
  • StackNX
  • StackPvt
Global override for mitigation techniques protection (Off/On/Log/Default (On))
Mitigation techniques: Same as 14.x version.
Applications
Application Rules: Protected check box.
Protection for Symantec Recommended Application Coverage (Enabled/Disabled)

Virus and Spyware Protection/Antimalware

The cloud console has a single default Antimalware policy, which aligns most closely with the default Virus and Spyware Protection policy - Balanced in Symantec Endpoint Protection Manager. There are no plans to add a default High Performance or High Security policy.
The 14.1/14.2 cloud console supports Auto-Protect only.
Virus and Spyware Protection/Antimalware: SEP vs. SES
On-premises Symantec Endpoint Protection: Virus and Spyware Protection
Symantec Endpoint Security cloud console: Antimalware
Scans
  • Administrator-defined scans
  • Scheduled scans:
    • Active
    • Full
    • Custom
  • On-demand scans
  • Startup scans
  • Administrator-defined scans
  • Scheduled scans:
    • Active
    • Full
    • Custom
  • On-demand scans
  • Startup scans
Scan Details
  • Scan all types
  • Scan only selected extensions
  • Enhance the scan by checking (Memory (Custom), Common infection locations (Custom), Well-known virus and security risk locations)
Advanced Scanning Options:
  • Compressed files
  • Storage migration options
  • Tuning options
Enable Insight Lookups
  • Scan all types
  • Scan only selected extensions
Compression options
Tuning options
Insight Lookup is part of Intensity Level setting
Scheduled scans (Schedule)
  • Daily, weekly, monthly
  • Scan duration (until finished, up to x hours, randomized)
  • Missed scheduled scans
  • Daily, weekly, monthly
  • Scan duration (including randomization)
  • Missed scheduled scans
Actions
  • Detections (types of risk that detections take an action on):
    • Malware (Virus)
    • Security Risks:
      • Adware
      • Cookie
      • Dialer
      • Hack Tool
      • Joke Program
      • Misleading Application
      • Parental Control
      • Remote Access
      • Security Assessment Tool
      • Security Risk
      • Spyware
      • Trackware
  • Remediation (first and second actions for detections):
    • Clean risk (applies to malware only)
    • Quarantine risk
    • Delete risk
    • Leave alone (log only)
    The actions apply to categories of malware and security risks that Symantec periodically updates.
  • Remediation (other):
    • Back up files before attempting to repair them
    • Terminate processes automatically
    • Stop services automatically
Remediation actions: Deprecated. The cloud determines the best course of action.
Remediation (other):
  • Back up files before attempting to repair them - On by default, you cannot disable it.
  • Terminate processes automatically - Deprecated
  • Stop services automatically - On by default, you cannot disable it.
Actions to take while a scan is running
  • Stop the scan
  • Pause a scan
  • Snooze a scan
  • Scan only when the computer is idle
Planned for a future release.
Auto-Protect
  • Enable Auto-Protect
  • Scan all files
  • Scan only selected extensions
  • Determine file types by examining file contents
  • Scan for security risks
  • Scan files on remote computers
  • Scan when files are accessed, modified, or backed up
  • Scan floppies for boot viruses, with the option to delete the boot virus or log it only
  • Always delete newly created infected files or security risks
  • Preserve file times
  • Tune scan performance for scan speed or application speed
  • Emulator for packed malware
Auto-Protect is supported on Mac devices.
  • Enable Auto-Protect
  • Load Auto-Protect when computer starts (new in Endpoint Security)
  • Enable file cache:
    • File cache size 30000 files
  • Enable Risk Tracer:
    • Resolve the source computer IP address
    • Poll for network sessions every 1000 milliseconds
  • Scan when files are accessed, modified, or backed up
  • Do not scan files when trusted processes access the file
  • Always delete newly created infected files
  • Specify network options for scanning files on remote computers:
    • Scan files on remote computers (from Global Scan options):
      • Only when files are executed
    • Network cache:
      • Keep 30 entries
      • Delete entries after 600 seconds
Not available:
  • Scan floppies for boot viruses, with the option to delete the boot virus or log it only: Deprecated.
  • Always delete newly created infected files or security risks: TBD
  • Preserve file times: On by default; but you cannot disable it.
  • Tune scan performance for scan speed or application speed: Planned for a future release.
  • Emulator for packed malware: On by default, but you cannot disable it.
Email scans
  • Microsoft Outlook Auto-Protect:
    • Enable Microsoft Outlook Auto-Protect
    • Scan all files
    • Scan only selected extensions
    • Scan files inside compressed files
  • Internet Email Auto-Protect: Deprecated as of 14.2 RU1; still available for legacy installation packages.
  • Lotus Notes Auto-Protect: Deprecated as of 14.2 RU1; still available for legacy installation packages.
  • Microsoft Outlook Auto-Protect (On/Off only): Supported on Mac devices.
  • Internet Email Auto-Protect - Deprecated
  • Lotus Notes Auto-Protect - Deprecated
Intensity settings
  • Download Insight
  • Bloodhound
  • Insight lookups
  • SONAR
The Intensity Level setting includes:
  • Virus and Spyware Protection policy detection actions
  • Bloodhound settings
  • Download Insight Sensitivity setting
  • Download Insight prevalence, first-seen, and intranet options
  • SONAR heuristic detection, SONAR aggressive mode, and SONAR suspicious behavior settings
The default Intensive Protection blocking level is less aggressive than the most aggressive Bloodhound setting in a Virus and Spyware Protection policy. If your current policies specify Bloodhound at its highest level, you might need to increase the Intensive Protection level.
SONAR
Behavioral analysis:
Scan Details:
  • High risk/Low risk detection (Log, Remove, Quarantine, Disabled)
  • Enable aggressive mode
  • When detection found:
    • Show alert upon detection
    • Prompt before terminating a process
    • Prompt before stopping a service
System Change Events:
  • DNS change detected (Ignore, Prompt, Block, Log)
  • Host file change detected (Ignore, Prompt, Block, Log)
Suspicious Behavior Detection:
  • Enable Suspicious Behavior Detection
  • High risk/Low risk detection (Ignore, Prompt, Block, Log)
Network Settings:
  • Scan files on remote computers
Renamed as Behavioral analysis. Supported on Mac devices.
  • Enable behavioral analysis
  • DNS change detected (Ignore, Log Only, Block)
  • Host file change detected (Ignore, Log Only, Block)
  • Scan files on remote computers
Other:
  • Show alert upon detection (In User Notifications Settings)
  • Prompt before terminating a process - Deprecated; disabled by default
  • Prompt before stopping a service - Deprecated; disabled by default
  • Suspicious Behavior Detection (included in Intensity Level setting)
Early launch antimalware
Early Launch Antimalware Driver:
  • When a potentially malicious driver is detected
Enable Symantec early launch antimalware:
  • When a potentially malicious driver is detected: Deprecated.
Supported on Mac devices.
Notifications
Administrator-defined scan:
  • Display a notification message on the infected computer
Auto-Protect:
  • Display a notification message on the infected computer
  • Display the Auto-Protect results dialog on the infected computer
Microsoft Outlook Auto-Protect:
  • Display a notification message on the infected computer
Download Protection:
  • Display a notification message on the infected computer
Miscellaneous:
  • When definitions are outdated
  • When the agent is running without virus definitions
  • Display error messages with a URL to a solution
Notifications from the various Virus and Spyware features are consolidated into one place in the Antimalware policy > User Notifications Settings:
  • Show antimalware scan results on the infected device:
    • Set scheduled and manual scan results to show (All detections, Only medium and high, Always (Scan Progress))
    • Display a notification message to the user on infected computer
    • Display notifications about detections when the user logs on
  • When definitions are outdated (part of Download Insight)
  • When the agent is running without virus definitions: Moved to the Devices page; shows the device At Risk.
  • Custom messages: Deprecated.
  • Display error messages with a URL to a solution: Deprecated.
Quarantine
General tab:
  • Actions for when new virus definitions arrive
  • Local quarantine options (default or custom folder)/Allow client computers to automatically submit quarantined items to a Quarantine Server
Cleanup tab:
  • Enable automatic deleting of repaired files
  • Enable automatic deleting of backup files
  • Enable automatic deleting of quarantined files that could not be repaired
  • Actions for when new definitions arrive: Uses the default setting and is part of Intensity Level setting.
  • Quarantine Server support: Deprecated.
  • Cleanup options: On by default. You cannot disable them.
Quarantine a device command: Go to Devices > Managed Devices tab > Actions menu > Quarantine command.
Global Scan Options
  • Enable Insight for (Symantec and Community trusted, Symantec trusted)
  • Enable Bloodhound detection to scan files for suspicious behavior (Automatic, Aggressive)
  • Ask for a password before scanning a mapped network drive
  • Display notifications about detections and remediations when the user logs on
  • Insight: Part of Advanced Intensity Settings. You cannot disable the setting.
  • Bloodhound: Part of Intensity Level setting. You cannot disable the setting.
  • Ask for password before scanning mapped network drive: Deprecated.
  • Display notifications about detections: Part of User Notifications Settings.
Miscellaneous
  • Disable Windows Security Center
  • Internet Browser Protection
  • Log handling options
  • Virtual Image Exception
  • Shared Insight Cache
Currently supported:
  • Disable Windows Security Center: TBD
  • Internet Browser Protection: In IPS policy (Enable/Disable, Log)
  • Log handling options: Enabled by default. You cannot disable them.
Planned for a future release:
  • Virtual Image Exception
  • Shared Insight Cache

Policy Components

In the cloud console, you find these components in Policies > Policy Components.
Policy Components: SEP vs. SES
On-premises
Symantec Endpoint Protection
Symantec Endpoint Security
cloud console
Scheduled Scan Templates
Supported.
There are no plans for templates. You can use scheduled scan only.
Management Server Lists
Supported.
Deprecated. There are no Symantec Endpoint Protection Managers.
Host Groups
Supported.
Yes. Go to Policies > Policy Components > Host Groups.
Network Services
Supported.
Available soon.
Network Adapters
Supported.
Available soon.
Hardware Devices
Supported.
Yes. Go to Policies > Policy Components > External Devices.