Install Symantec Endpoint Protection 14. Stricter password requirements

Symantec Endpoint Protection 12 is designed to protect workstations and servers running Windows, Mac OS X, and Linux (both 32-bit and 64-bit editions). Computers running these operating systems make up the overwhelming majority of the machines on enterprise local networks.

The main documentation for Symantec Endpoint Protection 12 has been translated into Russian, and the translation is of sufficient quality. The main document, the Implementation Guide for Symantec Endpoint Protection and Symantec Network Access Control, is 1,167 pages long. However, it is well structured, and an anti-virus network administrator can find in it answers to most of the questions that arise during the deployment and operation of Symantec Endpoint Protection 12. For novice administrators there is the document "Getting Started with Symantec Endpoint Protection", which is 32 pages long and provides the basic information you need to get started with Symantec Endpoint Protection 12. Some documents related to working with Symantec Endpoint Protection 12 clients are available in English only. This applies, for example, to the documentation for the antivirus package for Linux systems.

The client interface for Windows is fully localized into Russian. The installation package for Mac OS X is partially localized (some windows are in English), and the client's interface is available only in English. The client for protecting computers running Linux is available only in English, which, in general, should not be an obstacle for Linux system administrators.

This overview of the Symantec Endpoint Protection 12 clients covers the installation of local clients that are not connected to an anti-virus server (so-called "unmanaged clients"). In this mode, the user can fully manage the anti-virus protection on their own computer, which makes it possible to describe all the options for managing the protection of Symantec Endpoint Protection 12 clients. Managing clients from the Administrator Console will be described in the second part of the overview.

The distributions of Symantec Endpoint Protection 12 are also close to record size: the Russian-language distribution of Symantec Endpoint Protection 12.1 is 1.45 GB, and a package with documentation and utilities totaling 397 MB is also offered for it. Nevertheless, corporate software distributions of this size are no longer surprising, and downloading them is unlikely to be inconvenient over an average enterprise Internet connection. So this parameter can hardly be considered a disadvantage today.

System requirements

The system requirements for Symantec Endpoint Protection 12 clients are taken from the document "Symantec Endpoint Protection 12.1. Specification: Endpoint Security".

Symantec Endpoint Protection client for Windows

Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, Windows Small Business Server 2003, Windows Small Business Server 2008, Windows Essential Business Server 2008, or Windows Small Business Server 2011 (32-bit and 64-bit editions of Windows are supported);

32-bit processor: Intel Pentium III 1 GHz or equivalent (Intel Pentium 4 or equivalent processor recommended);

64-bit processor: Pentium 4 2 GHz or equivalent (Itanium processors are not supported);

700 MB of disk space.

Symantec Endpoint Protection client for Mac

PowerPC-based Mac with Mac OS X 10.4-10.5x

Intel-based Mac with Mac OS X 10.4-10.6 (32-bit and 64-bit editions of Mac OS X are supported);

500 MB of free disk space for installation;

Note. Support for the current Mac OS X 10.7 Lion was added in SEP 12.1.1000 (RU1 - Release Update 1). SEP 12.1 RU1 became available on November 16.

Symantec AntiVirus client for Linux

Debian 6.0 Squeeze, 5.0 Lenny, 4.0 Etch;

Fedora 15, 13, 12, 10;

Novell - Linux Desktop 9 (NLD9);

OES2 SP1, SP2, SP3 / OES11;

Red Hat version 6.0 ES, 5.0 ES, 4.0 ES, 3.0 ES;

Red Hat version 5.0 AS, 4.0 AS;

Red Hat version 4.0 Desktop;

Red Hat Enterprise Linux 4.0 ES, 3.0 ES;

Red Hat Linux AS 3;

SuSE Linux Enterprise Desktop 11, 10;

SuSE Linux Enterprise Server 11, 10, 9;

Ubuntu 11.04, 10.04, 9.10, 8.04.

Installing Symantec Endpoint Protection 12 client for Windows

Let's describe the installation of Symantec Endpoint Protection 12 clients for Windows using Windows 7 SP1 (32-bit edition) as an example. Windows servers use the same Symantec Endpoint Protection 12 clients as Windows workstations, but it is suggested not to install components that make no sense on a specific server. For example, the component responsible for scanning mail traffic can be left out. For this review, installation of the Symantec Endpoint Protection 12 client was also tested on Windows Server 2008 R2; it was likewise successful and looked identical to the installation on Windows 7.

The installation traditionally begins with a welcome screen, which is replaced by a window with the text of the license agreement, which must be accepted. After that, you need to select the client's mode of operation. In our case, it will be an unmanaged client.

Figure 1: Selecting the type of client in Symantec Endpoint Protection 12

After that, you need to choose between normal and custom installation. Components such as Outlook Scanner and Notes Scanner are not installed by default. In a custom installation, you can activate them if you want to integrate protection more closely with your Microsoft Outlook email client or if you want to scan traffic generated by the IBM Lotus Notes client.

Figure 2: Installed client components in Symantec Endpoint Protection 12

On the next screen, the Windows client installation package offers to enable automatic (real-time) protection and automatic LiveUpdate and, to avoid conflicts with the Symantec Endpoint Protection 12 client, to disable Windows Defender.

Figure 3: Client security components in Symantec Endpoint Protection 12

The next two installation screens are for asking the user for permission to send file reputation information to Symantec, as well as information about the installation progress of the Symantec Endpoint Protection 12 client for Windows.

Figure 4: Completing client installation in Symantec Endpoint Protection 12

After clicking the "Install" button, the installation program performs the necessary manipulations that do not require user intervention, after which it will only be necessary to click the "Finish" button to complete the installation. If the installation was performed with the default settings, then upon completion of the installation, the LiveUpdate component is automatically launched, which updates the Symantec Endpoint Protection 12 client for Windows components and virus definitions to the latest state.

Figure 5: The Symantec Endpoint Protection 12 update component, LiveUpdate

In order for all installed components to work in normal mode, a computer restart is required. Until the moment of reboot, the firewall components are inactive, the rest of the components work in full.

Symantec Endpoint Protection 12 client for Windows components

The main window of the Symantec Endpoint Protection 12 client for Windows interface displays up-to-date information about the protection status. Also, for each component, using the Parameters button, you can go to the corresponding settings or to the logs of their work.

Figure 6: The main window of the interface in the Symantec Endpoint Protection 12 client for Windows

The "Scan" menu item of the main interface window displays the periodic scan tasks. Links are also available to launch an active scan or a scan of the entire system. During an active scan, only those Windows file system objects in which malware is most commonly found are scanned. By clicking the corresponding link, you can configure the global scan settings.

Figure 7: Menu item "Scan" in the Symantec Endpoint Protection 12 interface for Windows

When you start an on-demand scan, a scanner window opens, which displays the progress and results of the scan, as well as actions performed with malicious objects, the degree of risk and the type of threats detected.

Figure 8: Scanner interface of the Symantec Endpoint Protection 12 client for Windows

The Change Settings menu item in the main client window contains settings for all Symantec Endpoint Protection 12 for Windows protection components. You can access them using the Configure Settings button, which is displayed to the right of the name of each protection component.

Figure 9: Menu "Change parameters" in the Symantec Endpoint Protection 12 interface for Windows

The window with settings for the Virus and Spyware Protection component is divided into four tabs:

Global settings;

Automatic protection;

Download Insight;

Automatic protection of Internet mail.

On the Global Settings tab, you can enable or disable the use of Insight and Bloodhound technologies. For Insight, you can also choose which information it relies on: only information verified by Symantec specialists, or also information from the community of product users. The options differ in the level of confidence in the reputation of the files. In the first case, the level of confidence is maximum, but information exists about fewer files. In the second case, there is a very small probability of error, but the number of files about which there is information is maximum.

Figure 10: The tab "Global settings" of the settings of the component "Protection against viruses and spyware"

Reputational Insight technology allows known safe files to be skipped during scans.

Bloodhound is a proactive technology that isolates certain areas of files in order to detect a significant number of unknown malicious programs. If programs attempt to reach beyond the isolated perimeter, their actions are analyzed and a decision is made about how dangerous these programs are.

The Auto-Protect tab is dedicated to enabling and disabling scanning for various types of threats. Also on this tab, you can configure actions that are applied to detected malicious files, configure notifications, configure floppy disk check settings, and configure scan settings collected in the Advanced Auto-Protect Settings window.

Figure 11: Additional Auto-Protect options in Symantec Endpoint Protection 12 for Windows

On the Download Insight tab, you can configure how Insight works when downloading files from the Internet. In particular, you can set the sensitivity of this technology on a 9-point scale, as well as the minimum number of users or the minimum period of "popularity" of the file for the Insight technology before making a decision.

On the "Automatic protection of Internet mail" tab, you can configure the settings for scanning mail traffic on the protected computer. In particular, you can configure actions for messages containing malicious objects and configure the corresponding notifications. Experienced users can fine-tune the operation of this component. But the settings also have limitations. In particular, some hosting providers ask customers to use a non-standard SMTP port, while the user's other mailboxes may send over the standard SMTP port. In the settings for scanned mail traffic in Symantec Endpoint Protection 12, you can specify only one SMTP port. Keep in mind, however, that this is less critical for clients of a corporate anti-virus product than for home users.

Figure 12: Advanced Internet mail options in Symantec Endpoint Protection 12 for Windows

The settings for Proactive Threat Protection are divided into 3 tabs:

Detection of suspicious behavior;

System change detection.

The first tab is devoted to the settings for SONAR 3 technology. This behavioral analysis technology works in real time and detects potentially harmful applications when they are launched or while they are running. To identify them, it uses both classical heuristic technologies and reputation technologies, the latter relying on a global cloud service.

This cloud-based reputational technology, called Insight, is designed to detect new and unknown threats that cannot be detected by other means, and at the same time save the computing resources of the system (using this technology, according to the vendor, can reduce the load on the system by 70% during its scanning). At the moment, the system contains anonymous data on the distribution of more than 3 billion files on more than 175 million client computers.

Figure 13: Proactive protection parameters in Symantec Endpoint Protection 12 for Windows

The next two tabs are also dedicated to the settings for how the SONAR technology works. The first is responsible for responding to threats of high and low levels and the second is responsible for configuring how SONAR reacts to changes in system settings, such as changing DNS and the hosts file.

The settings for the Network Threat Protection component are divided into five tabs. The "Firewall" tab contains many parameters that allow you to perform basic configuration of the firewall.

Figure 14: Firewall settings in Symantec Endpoint Protection 12 for Windows

On the Intrusion Prevention tab, you can enable or disable Network Protection and Browser Intrusion Protection. On the "Microsoft Windows Networking" tab, you can specify a particular adapter or select all available adapters for traffic control, as well as block outside access to some system or user network resources. On the "Notifications" tab, you can enable the display of notifications, as well as sound alerts. Finally, the Logs tab defines, for each log type, its maximum size and how long records are kept in it.

The exclusion parameters are implemented as a single window in which you can specify known threats by the name of detection, files, folders, extensions, web domains, as well as excluding objects from scanning by SONAR technology. You can also exclude applications from scanning entirely.

Figure 15: Exception settings in Symantec Endpoint Protection 12 for Windows

The last group of settings is united under the heading "Client Management", and these settings are divided into 4 tabs. The General tab covers Symantec Endpoint Protection 12 client interface display options, proxy settings, restart options for different situations, and application and device management. The "Protection against changes" tab is essentially devoted to the anti-virus self-defense settings. The LiveUpdate tab contains settings that determine the options for automatic product updates. The final Submit tab contains checkboxes that indicate whether you want to submit a particular type of information to the Symantec cloud to help counteract intruders and help develop future SEP releases.

Figure 16: Client management options in Symantec Endpoint Protection 12 for Windows

The Quarantine menu item in the main interface window for Symantec Endpoint Protection 12 for Windows has a fairly standard interface. Files in it can be restored, deleted, rescanned and exported. You can also add any suspicious file to quarantine, or send it to Symantec for analysis. Cleaning parameters are divided into three tabs: "Objects in quarantine", "Copies of infected files" and "Fixed files". For each of the types of objects, you can configure the time of their storage in quarantine, as well as the maximum storage size.

Figure 17: Quarantine interface of the Symantec Endpoint Protection 12 client for Windows

The Show Logs menu item in the main window of the Symantec Endpoint Protection 12 for Windows client interface contains buttons that display the logs associated with each anti-virus protection component.

Figure 18: List of components whose logs can be displayed in Symantec Endpoint Protection 12 for Windows

These logs contain detailed information about the operation of each component of Symantec Endpoint Protection 12 for Windows and, if the anti-virus client misbehaves, let you quickly pinpoint the problem. As an example, here is an image of the "System Log".

Figure 19: System log in the Symantec Endpoint Protection 12 client for Windows

The Symantec Endpoint Protection 12 client for Windows also has a Help button on the main window, which you can click to select, among other things, "Troubleshoot." At the same time, a window with detailed information about the system settings and the anti-virus client is displayed. This information can be very useful, for example, when contacting technical support.

Figure 20: The "Troubleshooting" window in the Symantec Endpoint Protection 12 client for Windows

In general, the Symantec Endpoint Protection 12 client for Windows is comparable in functionality to the company's home antivirus products for Windows. Unfortunately, not all manufacturers can boast of reputation and HIPS technologies in products intended for production use. Such use is often hindered by the excessive "talkativeness" or unreliability of these components, which rules them out in "silent" mode or in production environments where the stability of the software is important. Symantec's antivirus client for Windows therefore deserves credit: it is one of the best products in its class.

But modern enterprise local area networks do not live by Windows alone. Let's take a look at the Symantec Endpoint Protection anti-virus clients for the operating systems that are rapidly gaining ground in the corporate segment: Apple's and Unix systems.

Symantec Endpoint Protection Client 12 for Mac OS X

For this review, the client was installed and configured on Mac OS X 10.6 Snow Leopard, the most recent supported version of Mac OS X.

Installation of the Symantec Endpoint Protection 12 client for Mac OS X traditionally begins with a welcome screen followed by the text of the license agreement. After accepting it, you must choose whether the client will be managed or unmanaged. In this first part of the Symantec Endpoint Protection 12 review, we agreed to install all clients in unmanaged mode. After that, you must select the disk on which to install Symantec Endpoint Protection 12 for Mac OS X.

Figure 21: Choosing a location during installation of Symantec Endpoint Protection 12 for Mac OS X

On the next window, you can specify the location of the installation files, after which the installation process itself begins, which does not require additional actions from the user. The installation process ends with a window about its successful completion.

After that, the LiveUpdate component automatically starts and updates the components and virus databases of the Symantec Endpoint Protection 12 client for Mac OS X to the latest state.

Figure 22: LiveUpdate as part of the Symantec Endpoint Protection 12 client for Mac OS X

The main window of the Symantec Endpoint Protection 12 client for Mac OS X is very concise. It shows the exact client version and the date of the latest malware definitions, and contains the Live Update button, which manually starts the update process, and the Scan... button, which launches the on-demand scanner.

Figure 23: Main window of the Symantec Endpoint Protection 12 client for Mac OS X

The scanner interface for Mac OS X is fairly standard and contains current information about the file being scanned, as well as general information about the entire scanning session.

Figure 24: Scanner interface of Symantec Endpoint Protection 12 for Mac OS X

The main LiveUpdate window contains three buttons. The button "Customize this Update Session" allows you to select those components from the currently available for updating that the user wants to update. The Update Everything Now button immediately launches a scan of all components available for update.

Figure 25: Main interface of LiveUpdate for Mac OS X

The last button, Symantec Scheduler, launches a scheduler that allows you to set the time period for update tasks and scan sessions.

Figure 26: Scheduler interface of Symantec Endpoint Protection 12 for Mac OS X

The following figure shows the interface for setting up a new periodic scan job.

Figure 27: Configuring job parameters for periodic scanning in Symantec Endpoint Protection 12 for Mac OS X

The Symantec Endpoint Protection 12 for Mac OS X active (real-time) protection settings window is divided into three tabs. The General tab contains settings for automatic recovery, sending files to quarantine and scanning archives. The SafeZones tab contains a list of zones to be monitored, or a list of zones that will be excluded from scanning. Finally, the Mount Scan tab is used to select scan settings for removable drives (music / video discs, data discs, iPods and other types of discs).

Figure 28: Automatic protection settings in Symantec Endpoint Protection 12 for Mac OS X

To conclude the description of the antivirus client for Mac OS X, it should be said that at the moment this component is capable of repelling the existing threats to these systems. The only thing it lacks is virus database updates as frequent as those of the Windows client, because the number of threats per unit of time for Mac OS X is constantly growing exponentially.

Symantec AntiVirus client for Linux

For this overview, the Symantec AntiVirus (SAV) client for Linux was installed on SUSE Linux Enterprise Server 9 (32-bit edition).

There is no full SEP client for Linux systems. For these systems, it is suggested to use a regular antivirus. At the same time, the user can configure the client to receive updates from a locally installed update server, thereby reducing the load on the enterprise's Internet connection.

Installation packages for SAV Linux are presented in both rpm and deb format, with support for 32-bit and 64-bit Linux versions.

To use components that include a graphical interface, you must first install Java JRE version 1.4 or higher.

In our case, to install SAV on SLES 9, we first installed the sav-*.rpm package and then the rest of the packages.

The Symantec Endpoint Protection 12 client for Linux, like the client for Mac OS X, includes a file monitor, an updater, and an on-demand scanner. However, unlike the clients described above, the Symantec Endpoint Protection 12 client for Linux does not have a scanner with a graphical interface, i.e. you need to run it with the appropriate command from the terminal.

All client settings for Linux must be entered directly into the configuration file. To simplify this task, however, there is the SAVCorp Configuration Editor utility, which is designed to run on Windows.

Figure 29: Utility for editing the configuration file of Symantec Endpoint Protection 12 for Linux

The main window of the Symantec Endpoint Protection 12 client for Linux contains only information about the current versions of the client and the scan engine, as well as a button that launches the LiveUpdate update utility.

Figure 30: Main window of the Symantec Endpoint Protection 12 client for Linux

The LiveUpdate update utility for Linux also has a fairly standard interface. The first window displays a list of components that require updating, and the subsequent ones show the progress of the update and its result.

Figure 31: Interface of the LiveUpdate update utility in the Symantec Endpoint Protection 12 client for Linux

Conclusions

In the first part of our review of Symantec Endpoint Protection 12, we took a close look at the clients of this antivirus product designed to run on Windows, Mac OS X, and Linux.

The client for Windows systems deserves the most praise. The current version of this corporate product contains such modern technologies as Insight, Bloodhound and SONAR, which bring the protection of this OS line to a qualitatively new level. At the same time, each of the protection components can be fine-tuned to find the best balance between the quality of protection, the required hardware resources, and the number of false positives.

SONAR technology deserves a more detailed mention. The 12th version of the corporate antivirus product from Symantec includes the third generation of this hybrid technology, which uses both elements of reputation assessment of scanned objects and elements of behavioral analysis. In modern conditions, when the number of new malicious objects is tens and hundreds of thousands per day, technologies such as SONAR make it possible to maintain high-quality protection of Windows systems.

In addition to the antivirus component, Symantec Endpoint Protection 12 for Windows clients are equipped with components that allow you to control the applications launched by the user and plug-in removable devices. This client is optimized for use in virtual environments. This product also includes a function to prevent exploitation of browser vulnerabilities. After all, browsers today are involved in the vast majority of system infection schemes. And all these technologies together make Symantec Endpoint Protection 12 a reliable, coherent defense against modern threats.

Clients for Mac OS X and Linux are not that advanced at this time. The set of components in them is actually limited to the file monitor, scanner and update module.

Symantec Endpoint Protection 12 does not currently support Mac OS X 10.7 Lion as a client OS. But at the same time, support for this version of Mac OS will appear in the coming weeks. Currently, the development of this version is at the release candidate stage.

The virus databases in Symantec Endpoint Protection 12 for Mac OS X and Linux are updated once a day, unlike the Windows client. Also, these clients do not use mechanisms for determining the reputation of scanned objects. This would be useful for identifying Windows malware on these platforms.

In general, judging by the set of available antivirus clients, Symantec Endpoint Protection 12 can be recommended for enterprise local networks in which the majority of computers run Windows and there are also several Linux servers and Mac OS X workstations.

The licensing of Symantec Endpoint Protection 12 deserves a separate mention. While many manufacturers offer protection for server OS versions at a separate, higher price (and the number of protection components in the server version of anti-virus agents may be less than in the client for workstations), Symantec offers protection for server systems at the same price as protection for workstations. At the same time, all the functionality intended for workstations is available on the server versions of the systems.

This concludes our tour of the Symantec Endpoint Protection 12 clients. Part 2 of the overview covers the Symantec Endpoint Protection Manager management component and the Symantec Network Access Control client management component. In the course of describing the functionality of these components, it will cover various methods of automatic deployment of an anti-virus network, as well as the possibilities for centralized management of protected objects in the local network of the enterprise.

Symantec Endpoint Protection is a corporate product that provides anti-virus protection, protection against spyware and protection against network attacks, and also includes an intrusion prevention system and a firewall.


The solution consists of a management server and clients. Clients are not only Windows servers and workstations (32-bit and 64-bit), but also workstations based on Mac OS.

Consider deploying protection to Windows workstations.

1. Open the Symantec Endpoint Protection Manager console. Go to the "Clients" tab and, on the taskbar, click "Add a client" (Fig. 1).

2. The "Client Deployment Wizard" window opens. Choose "New Package Deployment" and click "Next" (Fig. 2).

3. In the "Install Packages" field, choose the client for Windows. In the "Group" field, select the group you need (Fig. 3).

4. In the "Install Feature Sets" field, choose one of three installation options: "Full Protection for Clients" (installs all protection modules on client PCs), "Full Protection for Servers" (installs all protection modules on the server) and "Basic Protection for Servers" (basic protection for file servers). When deploying client protection, two types of installation are available: Computer Mode and User Mode. This parameter determines which entity the protection policies are applied to, users or computers. Select the option you need and click Next (Fig. 4).

5. On the next page, select a method for installing the protection client. There are three options: "Web Link and Email" creates an installation package and e-mails the user a link to it with instructions; "Remote Push" transfers the installation files over the network and then installs them; "Save Package" saves the installation package for later manual installation. Choose "Remote Push" and click Next (Fig. 5).

6. In the "Computer Selection" window, go to the "Search Network" tab and click the "Find Computers" button. Select a range of IP addresses and click OK. Find the computer you need, add it to the "Install Protection Client on" column and click Next (Fig. 6).

7. In the next window, click Next and send the installation package to the client (Fig. 7).

At the end of 2016, Symantec released a new version of the product, Symantec Endpoint Protection 14. Over the past five years, the product has gained many new security features, a redesigned configuration program, simpler deployment, and support for more operating systems.

The trend of recent years is a change in the concept of endpoint protection: products are becoming more complex, the number of protective mechanisms united under common management is growing, and the focus is shifting to signatureless protection against unknown threats and zero-day vulnerabilities. To formalize the classification of endpoint protections, analysts and journalists have coined the term Next Generation Endpoint Protection (NGEP). We observed a similar process in the field of network protection with the transition from UTM solutions to NGFW. The world's major vendors strive to keep up with the times and update their products to meet the challenges of today's security. The goal of the release of version 14 of Symantec Endpoint Protection was to move into the NGEP class. Since then, Symantec has acquired the assets of Blue Coat, one of the leaders in network devices for data caching and DPI, which has allowed the introduction of new technologies throughout the Symantec line, such as transparent analysis of encrypted SSL traffic, and has increased the total volume of reputation databases for network resources and applications.

Symantec Endpoint Protection version 14 introduces new protection mechanisms against the exploitation of zero-day vulnerabilities and unknown threats. These include Generic Exploit Mitigation, an updated version of SONAR's real-time application behavior analyzer, and Advanced Machine Learning for static analysis of executable files.

System requirements

Symantec Endpoint Protection Manager system requirements (includes a management server and a configuration program):

  • Intel Pentium Dual-Core processor or equivalent, from 8 cores.
  • At least 2 GB of RAM, 8 GB or more recommended.
  • A minimum of 40 GB of free hard disk space.

Symantec Endpoint Protection Manager software requirements:

  • OS:
    • Windows Server 2008 (64-bit)
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
  • Supported browsers (for the web version of the management interface):
    • Microsoft Edge (64-bit)
    • Microsoft Internet Explorer 11
    • Mozilla Firefox 5.x and later
    • Google Chrome 54.0.x and later
  • External database (optional, not required for deploying up to 5000 protected computers):
    • Microsoft SQL Server 2008, SP4
    • Microsoft SQL Server 2008 R2, SP3
    • Microsoft SQL Server 2012, RTM - SP3
    • Microsoft SQL Server 2014, RTM - SP2
    • Microsoft SQL Server 2016

System requirements for a security client for Windows:

  • Intel Pentium III processor (for 32-bit systems) or Intel Pentium 4 or higher.
  • Minimum 512 MB of RAM, 1 GB or more recommended.
  • From 250 to 500 MB of free hard disk space, depending on the type of client.
  • Supported operating systems:
    • Windows Vista
    • Windows 7
    • Windows 8 / 8.1
    • Windows 10
    • Windows Server 2008 SP1 / SP2 / 2008 R2
    • Windows Server 2012 / 2012 R2
    • Windows Server 2016

System requirements for a security client for macOS:

  • Intel Core 2 Duo processor or higher.
  • At least 2 GB of RAM.
  • 500 MB of free hard disk space.
  • Supported operating systems:
    • macOS X 10.9
    • macOS X 10.10
    • macOS X 10.11
    • macOS 10.12

System requirements for a security client for Linux:

  • Intel Pentium 4 processor (2 GHz) or higher.
  • At least 1 GB of RAM.
  • 7 GB of free hard disk space.
  • Supported distributions:
    • CentOS 6U4 / 6U5
    • Debian 6.0.5 / 8
    • Fedora 16/17
    • Oracle Linux 6U2 / 6U4 / 6U5 / 7
    • Red Hat Enterprise Linux Server 6U2 - 6U8 / 7 / 7.1 / 7.2
    • SUSE Linux Enterprise Server 11 SP1 - 11 SP3 / 12
    • SUSE Linux Enterprise Desktop 11 SP1 - 11 SP3
    • Ubuntu 12.04 / 14.04 / 16.04

Supported virtualization environments for protecting the guest operating system:

  • Windows Azure, Amazon WorkSpaces
  • VMware WS 5.0 and later
  • VMware GSX version 3.2 and later
  • VMware ESX 2.5 and later
  • VMware ESXi 4.1 - 5.5 / 6.0
  • Microsoft Virtual Server 2005
  • Windows Server Hyper-V 2008/2012/2012 R2
  • Citrix XenServer version 5.6 and later
  • VirtualBox

Symantec Endpoint Protection 14 functionality

The functionality can be divided into two main categories - protection mechanisms and centralized control capabilities.

Protective functions:

  • Network firewall - a classic personal firewall with customizable traffic flow rules. Firewall rules include the following parameters:
    • Title and Description
    • Action (allow, deny, issue a request to the user)
    • Application
    • Sender and recipient host
    • Service / port (protocols TCP, UDP, ICMP, IP, Ethernet)
    • Audit (logging, e-mail notification)
    • Flag of the severity of the rule for ranking threats
    • Network adapter (by type or specific board)
    • Time of action

Additionally, the system has built-in smart rules for DHCP, DNS, WINS and Token Ring. The network firewall also includes functions for authenticating "point-to-point" network connections, with the ability to configure an exclusion list.

  • Preventing network attacks - static and heuristic network traffic analyzer. Supports detection and blocking of port scans and denial of service attacks, protection against ARP attacks, masking of the type and version of the operating system. Signature and heuristic analyzers help protect a host from various network attacks on the system and web browser, and also detect network actions of malicious applications.
  • Application control - the ability to create various rules for granular control of application access to files and registry entries, as well as starting and ending processes and loading libraries. Each deny rule can be provided with a description that is displayed to the user when access is denied. When entering paths to files and registry objects, regular expressions and flexible path selection settings are supported. Works on Windows clients only.
  • Device control - white and black lists of devices, which allow you to restrict device connections to the computer. For Windows clients, it is possible to specify only the device type (for example, all printers or all USB devices); for macOS, the device vendor, model and serial number can be specified additionally. Device control in macOS appeared only in this version of the product; previously this function was only available under Windows. Device control for Linux is under development and has not yet been implemented in the product.
  • Protection against exploitation of vulnerabilities (Generic Exploit Mitigation) - a Windows memory control mechanism that provides protection against exploitation of zero-day vulnerabilities in various software and operating systems. This mechanism works before SONAR and other security components start analyzing executable files, which raises the overall level of system security and allows you to protect against attacks on the protection tool itself.
  • Reputation analysis - part of the SONAR engine that takes into account the reputation of processes running on the system using the Symantec global cloud or a customer-deployed private cloud. It is used to block unknown malicious programs that are not detected by anti-virus mechanisms. Works on Windows clients only. Reputation analysis is also used in the Download Insight technology, which checks the reputation of files downloaded from the network and prevents threats even at the download stage.
  • Machine learning - an advanced mechanism for detecting malicious files by static methods by analyzing the contents of executable files and scripts. The base for machine learning has billions of samples of "good" and "bad" microcode, which is compared with the code of the analyzed files. This mechanism is similar in principle to a signature analyzer, but provides protection against as yet unknown threats. Works on Windows clients only.
  • Emulator - an updated and optimized engine for analyzing executable files in a lightweight sandbox to recognize polymorphic and packed viruses. Changes made to this module have increased its speed and performance, as well as the percentage of successful detection of malicious executable files. Works on Windows clients only.
  • Antivirus - classic antivirus solution with signature and heuristic analyzers. An early-launch driver, which is loaded first in the system, provides additional protection by detecting and neutralizing malware implemented as a driver. Antivirus has all the standard features - real-time protection, on-demand scanning, context scanning, quarantine, email protection, and so on.
  • Integrity check (protection control) - a mechanism for checking for and correcting violations of corporate security policies; it can determine whether antivirus and a firewall are present and whether software and operating system updates are installed. If inconsistencies are detected, it can install the necessary protection measures or apply certain settings. Works on Windows clients only.
  • LiveUpdate - a mechanism for checking for updates to the product, signature databases and other elements of the protection system. In version 14, this mechanism was supplemented with the ability to install bug fixes for the binary modules of the product.
  • Integration with Symantec Advanced Threat Protection - Symantec Endpoint Protection 14 client applications include agent functions for Symantec Advanced Threat Protection, which transfer network traffic metrics and application performance data to the Anti-APT cloud for event correlation and detection of targeted attacks.

Control functions:

  • Centralized product management using a Windows client program or a web interface (Java applet).
  • Centralized deployment - preparing installation packages to automatically connect the client being installed to the server. Supports provisioning a package for self-installation, linking to a package on a web server, or remote deployment by providing administrator account credentials to remote computers.
  • Centralized monitoring with security status dashboard, event monitors, security logs, e-mail notifications and more.
  • System for generating reports on the security status of network nodes and information security events.
  • Centralized management of security policies with the ability to create various policies and assign them to groups of protected computers.
  • Support for integration with Active Directory and LDAP directories.
  • Availability of REST API, a special set of service functions for integration and interaction with other Symantec products, third-party security tools, custom-built modules and management systems.

The Symantec Endpoint Protection 14 client for Windows supports three deployment types: standard, dark network, and embedded / VDI. The standard client for Windows provides all the product's functions and is designed to work on protected computers within an organization's local area network. Dark network is a client version for remote computers that do not have a permanent connection to the private or global Symantec cloud and the management server. In this type of client, checks related to the analysis of potentially unsafe files in the cloud are disabled, while other functions work as in the standard client, including reputation databases. Embedded / VDI is a reduced-size distribution that relies more heavily on cloud capabilities than the other clients and is intended for use in embedded systems and virtual desktop infrastructure.

Installing Symantec Endpoint Protection 14

Product installation has not changed much compared to version 12. The security client can be deployed either in unmanaged mode without centralized management or in a network structure with a shared server. As before, the built-in database is used when protecting up to 5000 computers; larger infrastructures use the Microsoft SQL DBMS to store information.

Figure 1. Selecting a Symantec Endpoint Protection 14 management server configuration

During the installation of the management server, you select a deployment scheme, specify your e-mail settings, create an administrator account, and configure other settings. The final stage of the installation is downloading updates through the LiveUpdate utility.

Figure 2. Updating Symantec Endpoint Protection 14 product during installation

Working with Symantec Endpoint Protection 14

In version 14, the appearance of Symantec Endpoint Protection Manager, the product's management program, has changed. The program received a new modern design while maintaining the overall layout of the interfaces. The control console can be accessed through a Windows application or in a web browser; the appearance of the interface is the same in both, since a common Java applet is used for its implementation.

The Symantec Endpoint Protection 14 Manager interface is navigated using the side menu, which includes the following sections:

  • "Main" - a dashboard for the overall state of the protection system, on which there is a block displaying the need to take any action to correct the level of infrastructure protection.
  • "Monitors" - a dashboard panel that displays graphs of events, system statistics and audit logs.
  • "Reports" - a system for generating reports on work statistics and audit events.
  • "Policies" - the interface for managing product security policies.
  • "Clients" - managing the list of protected computers, including the system of deployment and assignment of security policies.
  • "Admin" - the administrative section for managing privileged user accounts and Symantec Endpoint Protection 14 management server settings.

Figure 4. The main screen of the Symantec Endpoint Protection 14 management system accessed through a web browser

Monitoring of the state of the protection system and of information security events is carried out from the "Monitors" section. This section has four tabs: Overview, Logs, Command Status, and Notifications. The overview screen shows graphs reflecting the state of various aspects of system operation; the "Summary type" switch changes the set of data displayed. All statistics reflect the situation at the time the screen was loaded; you can refresh the data using the "Update" link in the upper right corner of the interface.

Figure 5. Monitor Panel in Symantec Endpoint Protection 14

The Logs section displays the latest audit events. Events can be filtered by various fields: log type, time interval, product and policy versions, domain, computer groups, IP addresses and many others. Customized filters can be saved for future use. The log is displayed page by page, and a detailed description is available for each event. Export of events in CSV format is supported.

Figure 6. Audit logs in Symantec Endpoint Protection 14

The "Command status" tab displays the status and result of execution of various commands, primarily anti-virus scan tasks and commands for enabling and disabling individual protective functions.

In the "Notifications" section, you can configure the parameters and conditions for sending e-mail messages when various events occur in the system.

Figure 7. Configuring e-mail notifications in Symantec Endpoint Protection 14

The Symantec Endpoint Protection 14 reporting system is generally similar in function to the logs: you can specify the type of audit to be displayed in a report and filter events by various parameters. A report is an extract from the audit trail in a form ready for printing and export (in HTML format). Reports can be built on a schedule; scheduled reports are sent by e-mail.

The Policies section is divided into seven main functional groups:

  • Virus and Spyware Protection - Antivirus policies and settings include on-demand scan options, Auto-Protect settings, operating system boot protection management, SONAR subsystems for heuristic and reputation detection, and email scan policies. Separate groups of settings allow you to manage the policies of the anti-virus in macOS and Linux.

Figure 8. Virus and Spyware Protection Policies in Symantec Endpoint Protection 14

  • Firewall - Manage personal firewall rules. Rules are displayed as a flat table listing all the available parameters. Additionally, it supports configuring notifications, managing built-in rules, configuring protection against network attacks, masking and hiding data about a host, as well as options for integrating with Windows and authentication parameters between computers.

Figure 9. Firewall policies in Symantec Endpoint Protection 14

  • Intrusion Prevention - Set up exploit protection for popular office applications and other application software, manage network attack protection, and set up exclusions to make it easier to respond to false positives.
  • Application and device control - policies to control application access to devices and computer objects, as well as configure policies to allow and deny working with devices.

Figure 10. Application Control Policy Settings in Symantec Endpoint Protection 14

  • Host Integrity - Manage the integrity and protection requirements of protected computers.
  • LiveUpdate - settings for accessing LiveUpdate servers, including local or global server selection and proxy server settings, as well as managing the update schedule. Additionally, the LiveUpdate content for download is configured.
  • Exceptions is a global exclusion policy to which you can add a variety of objects to be excluded from all applicable security policies. Files, directories, devices, network nodes, applications and much more are supported as objects.

Each group supports multiple policies, which can be added, removed, replaced, copied, exported and imported from a file. Policies are applied to individual protected computers or to groups of computers.

Figure 11. Managing security policies in Symantec Endpoint Protection 14

In the "Clients" section, you manage, add and remove protected computers and send them operational commands. Additional tabs are used to assign security policies to network nodes and manage installation packages.

Figure 12. Managing protected computers in Symantec Endpoint Protection 14

There are five sections in the "Admin" section:

  • Administrators - manage administrator accounts.
  • Domains - synchronization with Active Directory and work with network domains.
  • Servers — Manage Symantec Endpoint Protection servers, configure management servers, databases, and other settings.
  • Installation packages - Manage client distributions and their distribution to target systems.
  • Licenses — Configure product licenses.

Figure 13. Managing Administrator Accounts in Symantec Endpoint Protection 14

The interfaces of the client applications for Windows, Linux and macOS have hardly changed overall: the design style, the menu layout and the functionality available to ordinary users are practically unchanged compared to version 12.

Figure 14. Symantec Endpoint Protection 14 protection agent interface for Windows

Conclusions

The developers of Symantec Endpoint Protection 14 have done a great job of strengthening the ways and means of protection against unknown malware and vulnerabilities since the 12th version of the product. The addition of Generic Exploit Mitigation protection modules, SONAR technology updates and the introduction of Advanced Machine Learning technology significantly strengthened Symantec's position in the endpoint protection market and allowed Endpoint Protection to remain the leader in its segment.

The acquisition of Blue Coat and the use of its technologies in the product also significantly affected the quality of network attack detection and the overall level of endpoint security with Symantec Endpoint Protection. Significant improvements in security capabilities and product quality are taking Symantec Endpoint Protection to the next level. The new version of this solution can be considered a full-fledged product of the Next Generation Endpoint Protection class. An additional plus is the integration with Symantec Advanced Threat Protection, which allows you to integrate an NGEP product into the infrastructure of protection against targeted attacks.

While Symantec has focused on improving and enhancing security features, the product's design and interface have not been forgotten. The new look and feel of the Symantec Endpoint Protection Manager console improves the product's ease of management and configuration. The manager's interface looks modern, the usability of the product has improved significantly, and the overall user experience is pleasant.

Advantages:

  • A wide range of features to protect against malware and vulnerabilities - machine learning, an emulator of executable files, voluminous reputation databases, early loading, analysis of files downloaded over the network and many others. Flexibility and ease of management of security policies.
  • Support for various types of client applications under Windows for protecting various devices: computers in a local network, remote workstations, virtual environments and virtual desktops (VDI).
  • Built-in system for working with logs, reports and the ability to configure flexible filters for prompt notification of threats by e-mail.
  • A system for automatically downloading and applying updates, which completely solves all issues related to updating the databases and executable modules of the product.
  • No need to deploy a database for companies with a small number of protected computers.
  • Integration with Active Directory and LDAP directories, REST API support for third-party integration with the product.

Flaws:

  • General slowness of the control interface and shortcomings in its localization - the use of inappropriate abbreviations, inconsistent phrases, the use of English terms.
  • Reduced functionality in macOS and Linux clients; protection of Windows XP relies on the agent of the previous version, 12.1.
  • No FSTEC of Russia certificate (expected in 2017).

Cloud components

By default, groups and devices are managed by the Symantec Endpoint Protection Manager, not the cloud portal

After you register a domain, Symantec Endpoint Protection Manager manages groups and devices by default. In version 14.1, the cloud portal was used by default.

Automatic client updates with Symantec Endpoint Protection hardening

Symantec Endpoint Protection hardening was introduced between versions 14.0 and 14.2. As a result, you cannot automatically update 14.0.x clients with Symantec Endpoint Protection (SEP) hardening.

  • In 14.2, you can install Symantec Endpoint Protection hardening on Windows clients using Automatic Updates, even if you have not previously installed it. In a client installation package, even if the Keep existing client components on upgrade check box is selected, you can install hardening. Ensure that Application Protection Hardening is selected in the Custom Feature Set (enabled by default), or Symantec Endpoint Protection Hardening will not install.
  • 14.2 supports Symantec Endpoint Protection hardening on 32-bit and 64-bit Windows desktop operating systems. Earlier clients only support 64-bit Windows desktop operating systems. Symantec Endpoint Protection hardening is not supported on server operating systems.

Roaming client support

Roaming clients connect to the management server from time to time. In version 14.2, roaming clients automatically send critical events to the cloud portal when they cannot connect to the management server. After a client reconnects to the management server, it sends any new critical events to the management server.

Symantec Content Analytics Integration

The Content Analytics System (CAS) determines the severity of a file using a cloud-based file reputation classification service that identifies known files. The service uses reputation scores (1-10) to indicate whether files are trusted or malicious. Files with a high score are more likely to be malicious. You can integrate Symantec Endpoint Protection Manager with Content Analytics to submit files for analysis from the cloud portal to the CAS. When the CAS returns a reputation score, you can take action on the file, such as block or whitelist it.

To integrate Symantec Endpoint Protection Manager with the CAS, go to Admin > Servers > Edit Site Properties > Content Analytics. To submit files for analysis, go to the cloud portal.

Multi-site replication is available for the management server registered in the cloud portal

You can now register sites that are replicated with partner sites in the cloud portal. The partner site is not registered with the cloud portal, but continues to replicate data from the first site.

Data collection and submission options are automatically enabled

Once the Symantec Endpoint Protection Manager is registered with the cloud portal, the collection and submission options are automatically enabled. This happens regardless of whether these settings were previously disabled. Symantec recommends enabling these options so that customers can take advantage of AML in the cloud.

Protection components

IPv6 support

IPv6 support has been added for the following items:

  • Communication between Windows, Mac and Linux clients and Symantec Endpoint Protection Manager.
  • Communication between the console and the management server, such as logging in locally or remotely to Symantec Endpoint Protection Manager.
  • Communication between management servers and back-end LiveUpdate servers running LiveUpdate Administrator.
  • IPv6-based criteria for many policies such as custom IPS signatures, location service, group update providers, and exceptions.

Firewall on the Symantec Endpoint Protection client for Mac

Symantec Endpoint Protection Firewall for Mac provides firewall protection that is fully integrated with Symantec Endpoint Protection, including events, policies, and commands. Rules and some firewall settings are managed and configured in the same Symantec Endpoint Protection Manager firewall policy as for Windows.

Symantec Endpoint Protection Firewall is available only for managed clients.

WSS traffic redirection for Mac

WSS Traffic Forwarding (WTR) routes web traffic with the URL of the proxy autoconfiguration file to the Symantec Web Security Service. This traffic redirection protects the web traffic of the client computer. This version of Symantec Endpoint Protection extends WSS traffic redirection for Mac computers.

WSS Traffic Redirection Extensions for Windows

This release of Symantec Endpoint Protection adds extended client authentication for Symantec Web Security Services (WSS). This provides more granular security controls for redirecting WSS traffic. In addition, you can configure the forwarding of additional header data to identify the user who initiated the traffic. This additional header data allows you to create traffic rules for each user. To access this setting, click Policies > Integrations, open a policy, and click WSS Traffic Redirection.

Scans quickly process a large number of threats on highly infected computers

When manual scans and Auto-Protect scans detect a large number of threats on a client computer, the scans can process those threats quickly. This aggressive mode starts when at least 100 viruses are found on the computer. The default action for these detections is Delete. This aggressive mode does not handle spyware. This component does not need to be configured; it starts automatically.

Management Server Components

Symantec VIP Two-Factor and Smart Card Authentication for Symantec Endpoint Protection Manager

You can now use two additional types of authentication for Symantec Endpoint Protection Manager administrator accounts.

  • Two-factor authentication (2FA) with Symantec VIP. When two-factor authentication is enabled, you must provide a unique one-time confirmation code when you log into Symantec Endpoint Protection Manager, in addition to the password you use. This code can be obtained by voice mail, SMS, or through the free Symantec VIP Access app.
  • Smart card authentication. You can configure the Symantec Endpoint Protection Manager to log in administrators who use a Personal Identity Verification (PIV) card or a Common Access Card (CAC). Smart cards are used among administrators who work for the US Federal Agencies or the US Army. With PIV / CAC authentication, you insert the card into the reader and enter the PIN.

New communication module

The new communication module replaces the existing protocol. Both modules still use sylink.xml to establish an administrative connection between the Symantec Endpoint Protection Manager and the client. The new communication module works with both IPv6 and IPv4 addresses and communicates with Windows, Mac and Linux clients.

Stricter password requirements

When installing or configuring the management server, you must set a strong password for the system administrator account. The password must be between 8 and 15 characters long. It must contain at least one lowercase letter, one uppercase letter, one numeric character, and one special character ["/ \:; | =, + *?].
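A checker and generator for the administrator password rule above, as an added example that is not Symantec's code. It assumes ASCII letters and digits and reads the bracketed list as the allowed special characters, with the spaces and outer brackets as separators; `compliant_count` goes one step further and counts how many strings of a given length satisfy the composition rule.

```python
import secrets
import string
from itertools import combinations

MIN_LEN, MAX_LEN = 8, 15

# Special characters as listed on the page: ["/ \:; | =, + *?]
# Assumption: the outer brackets and the spaces are separators, not members.
SPECIALS = '"/\\:;|=,+*?'

# Assumption: "letter" and "numeric character" mean ASCII letters and digits.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": SPECIALS,
}


def policy_violations(password):
    """Return the names of the rules the password breaks (empty list = OK)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append(name)
    return problems


def generate_password(length=MAX_LEN):
    """Generate a random password that satisfies the policy."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    # One character from each required class guarantees compliance.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    pool = "".join(CLASSES.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the required characters are not
    # always in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def compliant_count(length):
    """Count strings of this length, drawn from the four classes, that
    contain at least one character of every class (inclusion-exclusion)."""
    sizes = [len(alphabet) for alphabet in CLASSES.values()]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("Adm1n/Console", "Passw0rd!", "short"):
        print(candidate, policy_violations(candidate) or "OK")
    print("generated:", generate_password())
    share = compliant_count(MAX_LEN) / len("".join(CLASSES.values())) ** MAX_LEN
    print(f"share of 15-character strings that comply: {share:.1%}")
```

A password such as `Passw0rd!` fails here because `!` is not in the list the page gives, which is the usual surprise when a generic password manager preset is used for this account.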

FIPS 140-2 Compliance Updates

Symantec Endpoint Protection 14.2 updates third-party components and validated modules to ensure continued compliance with Federal Information Processing Standards (FIPS) 140-2 data encryption requirements. Symantec Endpoint Protection 14.2 enables FIPS 140-2 compliant environments to access cloud components.

LiveUpdate downloads content for the application control module

To fix issues with operating systems such as Windows 10, LiveUpdate now downloads content for the App Control Module for Windows clients running version 14.2. To access Application Management content, click Admin > Edit Site Properties > LiveUpdate tab > Downloadable Content Types. This parameter should always be enabled.

Based on materials from Symantec:

  • Symantec Endpoint Protection 14.2 available (off.site, English)
  • Release notes (off.site, English + Russian)

Symantec™ Endpoint Protection and Symantec Network Access Control Client Guide

The software described in this book is supplied under a license agreement and may be used only in accordance with the terms of that agreement.

Documentation version: 11.00.02.01.00

Legal information



© 2008 Symantec Corporation. All rights reserved.

Symantec, the Symantec logo, LiveUpdate, Sygate, Symantec AntiVirus, Bloodhound, Confidence Online, Digital Immune System, Norton, and TruScan are trademarks or registered trademarks of Symantec Corporation or its subsidiaries in the United States and other countries. Other names are trademarks of their respective owners.

This Symantec product may contain third party software modules for which Symantec is required to provide attribution ("Third Party Programs"). Certain Third Party Programs are distributed as freeware or open source software (covered by the GPL license). The license agreement accompanying this software does not in any way affect the rights and obligations of the user specified in the licenses for free or open source software. For more information about Third Party Programs, see the Third Party Legal Appendix to this documentation or the TPIP ReadMe file that accompanies this Symantec product.

The product described in this document is distributed under a license restricting its use, copying, distribution, and decompilation / obtaining of source code. Reproduction of any portion of this document is prohibited without the written consent of Symantec Corporation and its licensors (if any).

THE DOCUMENTATION IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, PROVIDED THAT SUCH DISCLAIMER IS NOT CONTRARY TO THE LAW. SYMANTEC CORPORATION IS NOT RESPONSIBLE FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGE RELATED TO THE PROVISION OR USE OF THIS DOCUMENTATION. INFORMATION CONTAINED IN THE DOCUMENTATION MAY BE CHANGED WITHOUT PRIOR NOTICE.

The Licensed Software and Documentation are considered commercial computer software as defined in FAR 12.212 and are subject to the limited rights set forth in FAR Commercial Computer Software - Restricted Rights Parts 52.227-19 and 227.7202 DFARS, "Rights in Commercial Computer Software or Commercial Computer Software Documentation," and subsequent regulations.

Any use, modification, reproduction, performance, demonstration and disclosure of the Licensed software and Documentation shall be made by the US government solely under the terms of this Agreement.

Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014

Chapter 2 Responding to Client Messages

Customer Interaction Details

Actions on an infected file

About the dangers of viruses

About Notifications and Alerts

Reacting to app-related notifications

What to do when you receive a security alert

Reacting to network access control notifications

Chapter 3 Client Management

About LiveUpdate

Running LiveUpdate on a Schedule

Launching LiveUpdate manually

Computer protection check

Location information

Change protection information

Enabling, disabling and configuring Tamper Protection

Chapter 5 Understanding Symantec Endpoint Protection

Email Scanning and Auto-Protect

Disable Email Auto-Protect for Encrypted Data Connections

Viewing Auto-Protect Inspection Statistics

Viewing the list of threats

Configuring file type recognition in Auto-Protect

Disabling and enabling the search and blocking of security threats in Auto-Protect

Configuring network scan settings

Working with Virus and Spyware Protection scans

Virus and Security Risk Detection in Symantec Endpoint Protection Client

Description file information

About scanning compressed files

Run inspections on demand

Configuring antivirus and antispyware scans

Creating a scheduled inspection

Creating On-Demand and Startup Scans

Modifying and Deleting Startup Scans, Custom Scans, and Scheduled Scans

Interpretation of inspection results

Working with the results of inspection or automatic protection

Submitting virus and spyware scans to Symantec Security Response

Configuring actions for processing viruses and security risks

Tips for choosing second actions for viruses

Tips for choosing second actions for security threats

Assessment of the level of influence of threats

Configuring Notifications for Virus and Security Risks

Configuring Global Exclusions for Virus and Spyware Protection Scans

Quarantine Information

Information about infected files in the Quarantine

Information about working with infected files in the Quarantine

Section 3 Symantec Network Access Control

Chapter 9 Symantec Network Access Control Product Basics

About Symantec Network Access Control

How Symantec Network Access Control Works

Host Integrity Policy Update Information

Performing a Host Integrity Check

Fixing your computer

Viewing Symantec Network Access Logs

Verification details

Configuring the Client for Authentication

Re-identify your computer

Section 4 Monitoring and Logging

Chapter 10 Working with and Managing Logs

General information about logs

Viewing logs and information from logs

Filtering events in logs

Client Information

Symantec provides two endpoint security products that can be used together or separately: Symantec Endpoint Protection and Symantec Network Access Control.

An administrator installed one or both of these Symantec products on this computer. If the client was installed by an administrator, then the administrator specified which products should be enabled.

Note: If the administrator has installed only one of these products on the computer, its name is shown in the title bar. If both products are installed, the title bar displays Symantec Endpoint Protection.

Symantec Endpoint Protection protects your computer against Internet and security threats.

It can perform the following operations:


About the notification area icon

The client icon in the notification area shows the client's status (online or offline) and the protection level of the client computer. Right-click on it to open a list of frequently used commands. The icon is in the lower right corner of your desktop.

Note: On managed clients, this icon will not appear if your administrator has turned it off.

Symantec Endpoint Protection client status icons are shown in Table 1-1.

Hiding and showing the notification area icon

You can hide the notification area icon if necessary.

For example, this can be done if there is not enough space on the Windows taskbar.

Note: On managed clients, the notification area icon cannot be hidden if this is restricted by the administrator.

To hide the notification area icon

1 From the sidebar of the main window, click Change settings.

3 In the Client Management Options window, General tab, under Display Options, turn off Show Symantec Security Icon In Notification Area.

4 Click OK.

To show the icon in the notification area

1 On the sidebar of the main window, click Change settings.

2 On the Edit Settings page, in the Client Management group, click Configure Settings.

3 In the Client Management Options window, General tab, under Display Options, select the Show Symantec security icon in the notification area check box.

4 Click OK.

How computer protection is updated

Symantec employees monitor outbreaks of computer viruses to identify new types of viruses. They also watch out for complex threats, spyware and vulnerabilities that can be exploited when the computer is connected to the Internet.

When a threat is detected, Symantec employees create a signature (a collection of information about the threat) and store it in a descriptor file. A descriptor file is essential for finding, eliminating, and fixing threats and side effects. During a scan, Symantec Endpoint Protection searches for known signatures.

In addition to the descriptions, the client must update the allowed and denied lists of processes and attack signatures. The list of processes helps

removing threats. The encyclopedia is located on the Symantec Security Response website at:

http://securityresponse.symantec.com

How the protection of managed clients is updated

How virus and security risk definitions are updated is up to the administrator. Typically, the user does not need to take any action to get new definitions.

An administrator can configure Symantec Endpoint Protection's LiveUpdate feature to keep virus and security risk defenses up to date. LiveUpdate connects to the update computer, checks if a client update is required, and downloads the necessary files. Updates can be stored on the Symantec Endpoint Protection Manager server on the organization's intranet. It can also be a Web-accessible Symantec LiveUpdate server.

How security is updated for unmanaged clients

Administrators do not update security on unmanaged clients. LiveUpdate allows you to update programs and definition files. If the default LiveUpdate settings are applied on the unmanaged client, the client checks the Symantec server for updates once a week.

The user can change the frequency of checking for updates using LiveUpdate. In addition, LiveUpdate can be manually launched when there is an outbreak of viruses or other threats.

See “About LiveUpdate” on page 33.

About security policies

A security policy is a collection of security settings that a managed client administrator configures and deploys to clients. Security policies define client properties, including a set of settings that the user is allowed to view and change.

Managed clients connect to the management server and automatically receive updated security policies. If you have network access

Client Interaction Details

The client runs in the background, protecting the computer from malicious actions. Sometimes the client needs to notify the user about some action or get an answer to a question.

If Symantec Endpoint Protection is enabled on the client, the following client interactions are possible:


Auto-Protect shows a window of results when a threat is detected. During the inspection, a window with its results is displayed on the screen. On managed clients, the administrator can turn off these types of notifications.

If these types of notifications are sent, then in some cases it may be necessary to perform an action on the infected file.

By default, the automatic protection function and other types of scans, when an infected file is detected, try to remove the virus from it.

If the client is unable to fix the file, it will log the error and move the infected file to the Quarantine. The Local Quarantine is a special location for storing infected files and system objects that have been altered by side effects.

When it detects security threats, the client isolates the infected files and removes or repairs their side effects. If the file cannot be repaired, the client logs the threat.

Note: In the Quarantine, the virus loses its ability to spread.

A file placed in the Quarantine is not available to users.

If Symantec Endpoint Protection has successfully repaired a virus-infected file, then the user does not need to take additional action.

If, after isolating a file infected with a threat, the client is able to remove the threat and fix the file, then the user does not need to take any action either.

However, even in cases where the file does not need to be processed manually, a number of additional steps can be performed for it. For example, a file cleaned of a virus can be deleted if you have a copy of it.

Notifications allow you to process files immediately. Files can also be processed later from the log or the Quarantine.

See “Interpreting Inspection Results” on page 85.

See “Isolating Risks and Threats from the Risk Log and Threat Log” on page 175.

See “About the Quarantine” on page 100.

How to process an infected file

1 Do one of the following:

In the dialog box with information about the scan status, select the required files after the scan is completed.

In the scan results window, select the required files.

Responding to Application Notifications

The client may display a notification asking whether to allow the application or service to start.

Such notifications appear for one of the following reasons:

The application has requested access to a network connection.

When an application or service tries to access the network from the local computer, a message with the following content may appear:

Internet Explorer (IEXPLORE.EXE) tries to connect to www.symantec.ru via remote port 80 (HTTP - World Wide Web).

Allow this program to access the network?

Table 2-1 shows the options for answering the question of whether to allow or block the application.

"Symantec Endpoint Protection could not open the user interface. If you are using Windows XP Fast User Switching, make sure other users are logged out of Windows, then log out and log back in. The user interface is not supported when running through Terminal Services."

or

"Symantec Endpoint Protection was not running but will start. However, Symantec Endpoint Protection cannot open the user interface. If you are using Windows XP Fast User Switching, make sure other users are logged out of Windows, then log out and log back in. The user interface is not supported when running through Terminal Services."

Fast User Switching is a Windows feature that allows you to quickly switch between accounts without leaving your computer session. Several users can work with the computer at the same time and switch sessions without closing running applications.

When switching users using this function, one of the messages described above appears.

Follow the instructions shown in the message to reply to the message.

Responding to automatic update notifications

After an automatic update of the client program, the following notification may appear:

Symantec Endpoint Protection has detected a new version of Symantec Endpoint Protection Manager.

Download it now?

To respond to an automatic update notification

1 Do one of the following:

To download the program immediately, click the Download Now button.

If you want to be reminded of the update after a while, click the Remind me later button.

2 If a message appears after installing the updated software, click OK.

How to respond to network access control notifications

1 Follow the directions shown in the message box.

2 In the message box, click OK.

About LiveUpdate

LiveUpdate downloads software and security updates over an Internet connection.

Software updates are used to make minor changes and improvements to installed products. Updating should not be confused with installing a new version of the product. Typically, software updates are applied to improve operating system and hardware compatibility, improve performance, or fix bugs.

Software updates are generated as needed.

Note: Some software updates require you to restart your computer after installing.

Manually running LiveUpdate

LiveUpdate allows you to update programs and definition files.

It automatically finds new definition files on the Symantec site and then replaces the old files with them. In order for Symantec products to protect your computer from all new types of attacks, they must be provided with the latest information on a regular basis. Symantec provides this information through LiveUpdate.

How to get updates using LiveUpdate

In the client sidebar, select LiveUpdate.

LiveUpdate connects to the Symantec server, checks for updates, and then automatically downloads and installs them.

Checking the protection of your computer

You can check the effectiveness of your computer's protection against external threats by scanning the computer. This scan is an important step in ensuring that your computer is securely protected from possible intrusion.

The scan results help you correctly configure the client's attack protection settings.

To check the protection of your computer

1 On the client sidebar, select Status.

2 Under Network Threat Protection, click Options > Show network activity.

3 Select Tools > Check Network Protection.

4 On the Symantec Security Check website, do one of the following:

To check if your computer is protected from Internet threats, select Security Scan (Inspection of the protection system).

Note: Depending on the configured security policies, a user may be granted access to multiple locations. In some cases, clicking a location does not navigate to that location. This means that the current network configuration does not match this location. For example, the Office location can only be accessed when the computer is connected to a local area network (LAN). If the client is not on this network, you cannot switch to the "Office" location.

To change the location

1 In the client sidebar, click Change Settings.

2 On the Edit Settings page, in the Client Management group, click Configure Settings.

3 On the General tab, under Location Options, select the location you want to switch to.

4 Click OK.

About Tamper Protection

Tamper Protection provides constant protection for Symantec applications. It stops attacks from malware such as worms, Trojans, viruses, and security threats.

Tamper Protection can be configured to do one of the following:

Block modification attempts and log the events

Log modification attempts, but not block them

By default, Tamper Protection is enabled on both managed and unmanaged clients (unless the administrator has changed the default settings). By default, when an attempt to change is detected, Tamper Protection records an event in its log. It can be configured to show a notification about this event.

You can set the displayed message yourself. Tamper Protection does not notify you of attempted changes until you manually enable Tamper Protection.

On an unmanaged client, you can change Tamper Protection settings. On a managed client, settings can only be changed if allowed by the administrator.

To configure tamper protection

1 On the sidebar of the main window, click Change settings.

2 Under Client Management, click Change Settings.

3 On the Tamper Protection tab, under Action if an application tries to modify or close Symantec security software, select Block and Log Event or Log Only.

4 To receive notifications of suspicious activity detected by Tamper Protection, select the Show message when change is detected check box.

When notifications are enabled, messages about both Windows processes and Symantec processes are displayed.

5 To customize the message displayed, update the text in the message field.

6 Click OK.

About Symantec Endpoint Protection

Symantec Endpoint Protection can run as a stand-alone program or under the control of an administrator. When it runs as a stand-alone program, Symantec Endpoint Protection is not managed by an administrator; that is, it operates as a stand-alone client.

If you manage your own computer, it must be one of the following types of computer:

A stand-alone computer that is not connected to a network, such as a home computer or laptop. You must have Symantec Endpoint Protection installed on your computer with the default settings or the settings predefined by your administrator.

A remote computer used to connect to a corporate network. The connection will be allowed if the computer meets the security requirements.

Symantec Endpoint Protection default settings provide network threat protection, proactive protection, and antivirus and spyware protection. You can change these settings to suit your organization's needs, to improve system performance, or to disable unnecessary settings.

About Network Threat Protection

The Symantec Endpoint Protection client includes a configurable firewall to protect your computer from intrusions and unauthorized use (both accidental and malicious). It detects many known types of attacks, including port scanning. The firewall selectively allows and blocks various network services, applications, ports and components. Several types of firewall rules and security settings are provided to help protect client computers from dangerous network traffic.

Network Threat Protection provides firewall and intrusion prevention signatures to block intrusions and malicious data. The firewall blocks or allows traffic based on various criteria.

The decision to block or allow inbound or outbound applications and services that try to connect to a computer over a network connection is based on firewall rules. Firewall rules allow or block inbound or outbound applications and traffic with specific source and destination IP addresses and ports. Security settings allow you to identify standard types of attacks, send email notifications of attacks, display a custom message, and perform other security tasks.

Understanding Proactive Threat Protection

Proactive Threat Scan uses TruScan scanning technology to ensure that your computer is protected in time from threats of unknown types. Using heuristic scanning methods, it analyzes the structure of the program, its behavior and other characteristics, comparing them with the characteristics of viruses. This feature blocks most threats such as mass-mailing worms and macro viruses.

Understanding viruses and security threats

The Symantec Endpoint Protection client is capable of detecting both viruses and other security threats such as spyware and adware. Such threats can put not only your computer at risk, but your entire network. Antivirus and antispyware scans also identify rootkit threats at the OS kernel level. A rootkit is a program that tries to hide itself from the computer's operating system and can perform malicious actions.

By default, all types of virus and spyware scans, including Auto-Protect scans,

Display programs: Individual or attached programs that secretly collect user information through Internet advertisements and send it to another computer.

Such programs can track the user's browsing habits in order to select the most appropriate advertising. They are also used to send advertisements.

Dialing programs: Programs that, without the knowledge or permission of the user, use a computer to dial toll numbers and register on FTP servers. As a rule, such programs use paid services.

Other: Any other security threat that does not match the exact definition of a virus, Trojan horse, worm or other category of threat.

Remote access programs: Programs that provide access over the Internet from other computers, allowing them to collect information, attack or modify your computer.

Some remote access programs may be required to work. A process can install such a program without your knowledge. The program can be harmful, in particular, by modifying the original remote access program.

How the client responds to detection of viruses and security threats

The client protects the computer from viruses and security threats from all sources. These sources include hard drives, floppy disks, and networks. It also protects computers from viruses and other threats that spread through e-mail attachments and some other means. For example, a security risk can be installed on a computer without your knowledge while browsing the Internet.

Turning Virus and Spyware Protection On or Off

By default, Automatic Protection against Viruses and other security risks is loaded at system startup. Auto-Protect scans programs for viruses and security threats when they start. In addition, it logs any activity that might indicate the presence of a virus or security threat. When a virus, virus-like activity (events that may result from the presence of a virus) or a security threat is detected, the automatic protection function warns the user about this.

You can enable or disable the automatic protection of files and processes as you like. In addition, you can independently enable or disable Auto-Protect for Internet Mail and Workgroup Mail. In a controlled environment, the corresponding settings can be locked by the administrator.

When you might want to turn off Auto-Protect

In some cases, Auto-Protect may warn you of actions that indicate a virus is present, although these actions are known not to be caused by a virus. For example, when installing new programs, a warning message may appear. To avoid displaying warnings, you can temporarily disable automatic protection before installing other programs. Be sure to turn on automatic protection immediately after the task is completed to keep your computer protected from viruses.

Even if Auto-Protect is disabled, all other types of scans that you or your administrator have scheduled (scheduled or at startup) will run as usual.

The administrator can prohibit disabling automatic protection. It can also specify that after a temporary shutdown, the automatic protection should automatically recover after a specified period of time.

About Auto-Protect and the status of antivirus and antispyware protection

The Auto-Protect settings affect the antivirus and antispyware protection status shown in the client interface and in the Windows notification area.

If the protection is allowed to be turned off, then it can be turned on again at any time. The administrator has the right to turn protection on and off at any time, including overriding the protection state set by the user.

See “About managing network threat protection” on page 121.

Using the client with Windows Security Center

Symantec Endpoint Protection is installed with a full set of protection components: Enabled (marked in green)

Symantec Endpoint Protection is installed, but virus and threat definitions are out of date: Outdated (marked in red)

Symantec Endpoint Protection is installed, but automatic file system protection is disabled: Disabled (marked in red)

Symantec Endpoint Protection is installed, but automatic file system protection is disabled and virus and threat definitions are out of date: Disabled (marked in red)

Symantec Endpoint Protection is installed, but the Rtvscan feature was manually disabled: Disabled (marked in red)

Figure 5-3 lists the state of the Symantec Endpoint Protection firewall that can be displayed in the WSC.

Symantec Firewall is not installed, or disabled, or Enabled (marked in green when installed and enabled)

Note: Symantec Endpoint Protection turns off Windows Firewall by default.

To pause an inspection

1 While an inspection is in progress, click the Pause icon in the inspection window.

An inspection started by the user will be stopped immediately and the inspection window will remain open for re-launch.

If the scan was started by the administrator, the Pause Scheduled Scan window will appear.

2 In the Pause Scheduled Scan window, select Pause.

The inspections scheduled by the administrator stop immediately; the inspection window remains open to restart the inspection.

3 To continue scanning, click on the "Run" icon in the inspection window.

Working with Virus & Spyware scans

Configuring Virus & Spyware scans

Sending information about virus and spyware scans to Symantec Security Response

Configuring virus and security risk actions

Configuring notifications for viruses and security threats

Configuring global exclusions for Virus and Spyware scans

Symantec generally does not recommend excluding files from scanning. However, if the Inbox file is excluded, the client retains the ability to detect any viruses when mail messages are opened. If a virus is detected when the mail message is opened, the client safely isolates or deletes the message.

To exclude a file, configure a global exclusion.

About scanning files with specific extensions

A client can only scan files with specific extensions on the computer.

You can choose one of the following types of file extensions:

Programs: Includes dynamically linked libraries (.dll), batch files (.com), executable files (.exe) and other program files. The client checks program files for program viruses.

To add file exclusions to the list of files scanned by Auto-Protect

1 On the client sidebar, click Change Settings.

3 In the Antivirus and Spyware Protection Settings window, click the File System Auto-Protect tab, then find the File Types section and select Selected.

4 Click the Extensions button.

5 Enter the extension in the text box and click Add.

6 Repeat step 5 as many times as necessary and click OK.

7 Click OK.


The corporate security policy may allow the use of a program that is recognized by the client as a threat. In this case, exclude the folders of this program.

To exclude objects from scans, global exclusions are configured. These exclusions apply to all Virus and Spyware Protection scans. Some exceptions can be configured by the administrator. These exceptions take precedence over user-defined exceptions.

See “Configuring global exclusions for antivirus and antispyware scans” on page 89.

Warning! Exceptions should be chosen carefully. If you exclude a file from scanning, its virus infection will remain unnoticed by the client. This will pose a security risk to the system.

Symantec Endpoint Protection client actions when a virus or security risk is detected

The client's actions when it detects an infected file depend on the type of threat. First, the client tries to perform the first action configured for the corresponding threat type, and if it fails, the second action.

Scanning for security threats can be turned off in the automatic protection settings.

See "Disable or enable Auto-Protect scanning and blocking of security risks" on page 64.

If a process is detected that is constantly downloading a security risk to your computer, Auto-Protect displays a notification and logs information about the detected threat. (Auto-Protect must be configured to send notifications.) If the process continues to download the same security risk, multiple identical notifications and log entries will be generated. To avoid unnecessary repeated notifications and log entries, Auto-Protect sends a maximum of three notifications for a single threat. Likewise, Auto-Protect records a maximum of three log entries for a single threat.

In some cases, Auto-Protect does not stop sending notifications and logging events.

This happens in the following cases:

On client computers, the user or administrator has disabled Blocking Security Risk Installation (this option is enabled by default).

The security threat that the process is loading is configured with a Do Not Remediate action.

Disabling automatic mail protection for encrypted data connections

E-mail can be transmitted over a secure connection. By default, Internet Mail Auto-Protect supports encrypted passwords and mail sent over POP3 and SMTP connections. When POP3 or SMTP is used in conjunction with SSL, the client recognizes secure connections but does not examine encrypted messages.

Although Auto-Protect does not scan email messages sent over secure connections, it continues to protect your computer from threats from attachments. It examines email attachments as they are saved to your hard drive.

Note: Due to possible performance degradation, Internet Mail Auto-Protect is not supported for POP3 on server operating systems.

If necessary, you can turn off support for encrypted mail messages. In this case, Auto-Protect examines incoming and outgoing unencrypted messages and blocks all encrypted mail. In order to be able to send encrypted mail again, it is necessary not only to activate the corresponding automatic protection settings, but also to restart the mail client.

Note: Disabling support for encrypted connections in Auto-Protect settings does not take effect until you log on to Windows again. Log back in for the change to take effect immediately.


Typically, viruses only infect certain types of files. However, selecting only some of the extensions for Auto-Protect scanning weakens your computer's protection. The default list of extensions includes files that are most likely to be infected by viruses.

Auto-Protect examines all executable files as well as all .exe and .doc files. It correctly detects the file type even if the file extension has been changed by a virus. For example, it will examine .doc files even if their extension has been changed by a virus.

To provide the best protection for your computer against viruses and security threats, Auto-Protect should scan all file types.

To configure Auto-Protect file type recognition

1 On the client sidebar, click Change Settings.

2 Under Virus and Spyware Protection, click Change Settings.

3 Click the Auto-Protect tab and do one of the following under File Types:

Select All types to scan all files.


4 If you checked Selected, select or deselect the Detect file types by content option.

5 Click OK.


Configuring Network Scan Settings

In the network scan configuration, you can set the following parameters:

Whether to store information about network files that Auto-Protect checked in the cache.

By default, Auto-Protect scans files when a file is written to a remote computer. In addition, it inspects files uploaded to the local computer from remote computers.

However, Auto-Protect does not always scan when a file is read on a remote computer. By default, Auto-Protect trusts remote versions of Auto-Protect. If the trust setting is enabled on both computers, the local Auto-Protect function checks the Auto-Protect settings on the remote computer. If these settings are at least as secure as the local settings, the local Auto-Protect trusts the remote Auto-Protect. In this case, the local Auto-Protect feature does not scan files read from the remote computer. It assumes that the remote Auto-Protect function has already examined the files.

Note: Local Auto-Protect always examines files copied from a remote computer.

By default, the trust setting is enabled. Disabling this feature may result in slower network speeds.

To deny trust to remote versions of Auto-Protect

1 On the client sidebar, click Change Settings.

2 Under Virus and Spyware Protection, click Change Settings.

3 On the File System Auto-Protect tab, click Advanced.


Working with Virus and Spyware Protection scans

Auto-Protect is the most powerful weapon against viruses and security threats. However, in addition to Auto-Protect, Virus and Spyware Protection includes a number of other types of scans to help keep your computer even more secure.

The available scan types are described in Table 6-1.

Custom: Scans a specified set of files at any time.

If Auto-Protect is enabled, you can perform an active scan daily and perform a scheduled scan of all files on a weekly basis to ensure a high level of security. If your computer is frequently attacked by viruses, then it is recommended to add a full scan at startup or a daily scheduled scan.

Additionally, you can configure the frequency of the scan, which looks for suspicious activity rather than known threats.

See “Configuring how often TruScan proactive threat scans run” on page 112.


About Definition Files

Viruses contain snippets of code that, once extracted, can be used as patterns. These patterns can be traced in infected files. Patterns are sometimes referred to as signatures. Similar signatures are recognized in security threats such as adware and spyware.

Definition files contain a list of known virus signatures, which do not include the malicious code itself, and known security threat signatures. The scan engine searches files stored on your computer for the known signatures from the definition files. A file is considered infected if a match with a virus pattern is found. Using the definition files, the client identifies the virus that infected the file and how to eliminate its side effects. When a security threat is detected, the client uses the definition files to isolate the threat and eliminate its side effects.

New viruses and threats regularly appear in the computer environment. Therefore, it is very important that the current definition files are installed on the computer. This will allow the client to find and remove even those viruses and threats that have appeared quite recently.
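Signature matching and the effect of outdated definitions can be illustrated with a minimal scanner. This is an added example, not the product's scan engine: the signature names, the byte patterns, and the sample buffer are constructed and harmless, and real definition files use a proprietary format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # detection name reported to the user
    pattern: bytes  # byte pattern searched for in the file
    kind: str       # "virus" or "security-risk" (adware, spyware)


# Constructed definition sets: DEFS_NEW models an updated definition file.
DEFS_OLD = [Signature("Demo.Virus.A", b"\xde\xad\xbe\xef\x01", "virus")]
DEFS_NEW = DEFS_OLD + [
    Signature("Demo.Virus.B", b"\xca\xfe\xf0\x0d\x02", "virus"),
    Signature("Demo.Adware.C", b"SHOW-AD-BANNER", "security-risk"),
]


def scan(data: bytes, definitions) -> list:
    """Return (name, kind, offset) for every signature found, ordered by offset."""
    hits = []
    for sig in definitions:
        offset = data.find(sig.pattern)
        if offset != -1:
            hits.append((sig.name, sig.kind, offset))
    return sorted(hits, key=lambda hit: hit[2])


def verdict(data: bytes, definitions) -> str:
    """A virus match marks the file infected; other matches are security risks."""
    hits = scan(data, definitions)
    if any(kind == "virus" for _, kind, _ in hits):
        return "infected"
    return "security-risk" if hits else "clean"


# Constructed sample buffer containing two of the demo patterns.
SAMPLE = bytes(16) + b"\xca\xfe\xf0\x0d\x02" + b"padding" + b"SHOW-AD-BANNER"

if __name__ == "__main__":
    print("old definitions:", verdict(SAMPLE, DEFS_OLD), scan(SAMPLE, DEFS_OLD))
    print("new definitions:", verdict(SAMPLE, DEFS_NEW), scan(SAMPLE, DEFS_NEW))
```

The same buffer is reported clean with the older definition set and infected with the updated one, which is why current definitions matter.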


Configuring antivirus and antispyware scans

You can configure different types of scans to help protect your computer from viruses and security threats.

Creating a Scheduled Scan

Scheduled scans are an important component of protection against security threats.

In order for your computer to be reliably protected from viruses and security threats, a scheduled scan should be performed at least once a week.

The scans created are shown in the Scan for Threats window.

Note: If the scheduled scan was created by the administrator, then it will be shown in the list of scans in the "Scan for threats" window.

Selective: Scans specific areas of the computer for viruses and security threats.


Performance Options

Migration Options Between Memory Types

11 In the Dialog Box section, expand the drop-down list, select Show Scan Progress, and click OK.

12 In the scan parameters window, you can additionally change the following parameters:


14 In the When to Inspect window, select At the specified time and click Next.

15 In the scheduling window, specify the frequency and time of the scan.

16 Click the Advanced button.

17 In the advanced schedule settings window, do the following:

Select Retry missed scans, then enter a value in the Maximum number of days to wait before repeating scans field.

For example, you can allow weekly scans to run within three days of the scheduled time.

Select or clear the Perform inspection even if no user is logged in check box.

If a user is logged on at the time for which the scan is scheduled, the scan is performed in any case, regardless of the value of this setting.
