Name: Symantec Endpoint Protection
Mac Platform: Intel
OS Version: OS X 10.9 or later
Web Site: http://www.symantec.com/
Symantec Endpoint Protection – Proactively detect and block today’s most advanced threats with an endpoint protection solution that goes beyond antivirus. Unrivaled Security – Stop advanced threats with intelligent security!
Intelligent Endpoint Workshop
- About the importance and function of each of the protection engines in Symantec Endpoint Protection
- The top 10 misconceptions about deploying advanced features in Symantec Endpoint Protection and strategies for implementing them successfully
- How Symantec Endpoint Protection forms a solid foundation for advanced threat protection across multiple control points, including the endpoint, network, and email
- How to gain more value from your existing Symantec Endpoint Protection implementation
Stop advanced threats with intelligent security
Last year, we saw 317 million new malware variants, with targeted attacks and zero-day threats at an all-time high. Organizations are struggling to keep up with the rapidly evolving threats. Symantec Endpoint Protection is designed to protect against advanced threats with powerful, layered protection backed by industry-leading security intelligence.
- Network Threat Protection stops most threats before they can take up residence on the machine
- Insight reputation scoring accurately detects rapidly mutating malware and zero-day threats
- SONAR™ behavioral analysis stops malicious files designed to appear legitimate
- Strong antivirus, antispyware and firewall protection eradicate known mass malware
Granular Control – Get extended protection, flexibility, and scalability
If you have multiple user groups or you have users across different locations, you need the flexibility to set different security policies. You can proactively secure your ecosystem by using policy-based system lockdown and application control. These features will allow you to have tighter controls for employees handling confidential data.
- Application Control monitors and controls application behavior, including automated system lockdown and advanced whitelisting and blacklisting capabilities
- External media control restricts or enables access to hardware devices, both to protect data and to preserve productivity
- Host Integrity detects unauthorized change, conducts damage assessment and ensures endpoints are protected and compliant
Smarter Management – Single management across physical and virtual
Managing endpoint protection should be easy. Symantec provides multiple layers of protection through a single high-powered client and management console across both physical and virtual machines. We make it easy to deploy, update and manage your endpoint security across various locations, user groups, and operating systems.
- One solution protects Windows, Mac, Linux, virtual machines and embedded systems
- Optimized for performance across physical, virtual and embedded machines
- Single console provides a one-stop shop for reporting, alerts, configuration and management
- Enabled for remote deployment and client management
What’s New in Version 14: Protection features
Intelligent Threat Cloud Service for client installation packages (Windows)
Version 14 includes three new sizes of client installation packages, based on which set of virus definitions they include:
- Standard client: Designed for typical installations where clients have access to the cloud or the clients are version 12.1.6 and earlier. The standard client is 80% to 90% smaller than a dark network client installation package and includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
- Embedded client or VDI client: The embedded client replaces the reduced-size client that was introduced in version 12.1.6. The embedded client is smaller than the standard client and also includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
- Dark network client: Installs a full set of virus definitions and keeps the definitions locally rather than accessing them from the cloud. Use this client installation package if the client computers are in networks with no access to the cloud.
Generic Exploit Mitigation (Windows)
Generic Exploit Mitigation prevents common vulnerability attacks in typical software applications. Generic Exploit Mitigation installs with intrusion prevention and includes the following types of protection: Java exploit prevention, heap spray mitigation, and structured exception handling overwrite protection (SEHOP). The protections apply to the specific applications that are listed in the Intrusion Prevention policy. Symantec Endpoint Protection downloads the application list as part of its LiveUpdate content. To see the list of applications, open an Intrusion Prevention policy and then click Generic Exploit Mitigation.
Enable Suspicious Behavior Detection option (Windows)
You can enable or disable suspicious behavior detection even when SONAR is disabled, so behavior policy enforcement for applications can stay on while SONAR scoring is off.
Scan files on remote computers option (Windows, Linux)
You can disable the option for SONAR or Auto-Protect to scan files on computers on other networks. Disabling this option improves performance; however, you should keep it enabled, because SONAR looks for worms such as Sality, which infects network drives. If Auto-Protect scanning of all remote files reduces the client computer’s performance, you can enable the Only when files are executed option instead. To access these options, click Policies > Virus and Spyware Protection policy > SONAR or Auto-Protect.
Virus scan logic moved to Auto-Protect user mode
Auto-Protect user mode reduces kernel memory usage and provides greater system health. In rare cases of crashes, the computer does not blue screen and is recoverable.
Emulator for packed malware
For Auto-Protect and virus scans, a new emulator improves scan performance and effectiveness by at least 10 percent. This anti-evasion technique addresses packed malware obfuscation techniques and detects the malware that is hidden inside custom packers.
Advanced Machine Learning (AML) on the endpoint for improved static detections
This new endpoint-based machine learning engine can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown. The AML engine works with the Symantec real-time cloud-based threat intelligence to provide best-in-class protection with low false positives.
Insight Lookup (Windows)
- You can still enable or disable Insight Lookup for version 14 and legacy 12.1.x clients, but you cannot set the sensitivity level or action settings. Instead, Insight Lookup uses internal settings to optimize the scan, because Download Insight detections are now handled completely by real-time protection. The new Enable Insight Lookup option on the Scan Details tab replaces the Insight Lookup tab in version 12.1.x. Open a Virus and Spyware Protection policy > Administrator-Defined Scans, choose either scheduled scans or on-demand scans, and then click Scan Details.
- On standard and embedded/VDI clients, Insight Lookup now allows Auto-Protect, scheduled scans, and manual scans to look up both file reputation information and definitions in the cloud. However, the dark network clients include the full set of definitions and do not use Insight Lookup. You enable Insight Lookup in the Clients > Policies tab > External Communications > Submissions tab.
Scheduled and on-demand scans support the %systemdrive% and %userprofile% variables (Windows)
These scans let you select specific folders to be scanned rather than scanning all the files on the Windows client computer. The %systemdrive% variable indicates the location where the Windows operating system is installed. The %userprofile% variable corresponds to the user profile folders for the users who are logged on. You can also exclude these folders from being scanned by using an Exceptions policy.
Reports display an application’s hash value that you can use to block applications
You can use the hash value instead of an application’s name to add to the policies that block applications. The hash value is unique whereas an application name may not be. To find the hash value, look in the Hash Type / Application Hash column in the following reports:
- Risk reports: Infected and At Risk Computers; Download Risk Distributions; SONAR Detection Results; SONAR Threat Distribution; Symantec Endpoint Protection Daily Status Report; and Symantec Endpoint Protection Weekly Status Report
- To view the Risk reports, click Reports > Quick Reports > Risk.
- Home page > Activity Summary link
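The point above, that a hash identifies one specific file while a name does not, shown as an added Python example that is not part of this listing or of Symantec’s product. It assumes SHA-256 as the hash type (the report’s Hash Type column tells you which algorithm a given entry actually uses) and compares a name-based block rule with a hash-based one over constructed sample files; the blocklist hash is computed from those samples here, not taken from any real report.

```python
"""
Added example (not Symantec's code): name-based versus hash-based blocking.
All file names and contents below are constructed for illustration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the form an 'Application Hash' column shows.
    SHA-256 is an assumption here; check the report's Hash Type column."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_path(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_blocked_by_name(filename: str, name_blocklist) -> bool:
    """A name rule matches whatever the file happens to be called."""
    return filename.lower() in name_blocklist


def is_blocked_by_hash(data: bytes, hash_blocklist) -> bool:
    """A hash rule matches the file's contents regardless of its name."""
    return sha256_hex(data) in hash_blocklist


# Constructed sample "applications": byte strings standing in for executables.
KNOWN_BAD = b"constructed sample: unwanted tool, build 1"
LEGIT_SAME_NAME = b"constructed sample: legitimate vendor updater"

# (file name, contents) as they might appear on three different endpoints.
SAMPLES = [
    ("updater.exe", KNOWN_BAD),        # the file a report flagged
    ("notes.exe", KNOWN_BAD),          # the same file, copied under another name
    ("updater.exe", LEGIT_SAME_NAME),  # an unrelated legitimate file with a colliding name
]

NAME_BLOCKLIST = {"updater.exe"}
HASH_BLOCKLIST = {sha256_hex(KNOWN_BAD)}  # derived from the constructed sample above


def evaluate(samples=SAMPLES):
    """Return (name, blocked_by_name, blocked_by_hash) for each sample.

    The name rule misses the renamed copy and wrongly blocks the legitimate
    file; the hash rule blocks exactly the one file that was reported.
    """
    return [
        (name,
         is_blocked_by_name(name, NAME_BLOCKLIST),
         is_blocked_by_hash(data, HASH_BLOCKLIST))
        for name, data in samples
    ]


if __name__ == "__main__":
    for name, by_name, by_hash in evaluate():
        print(f"{name:<12} name rule blocks: {str(by_name):<5} hash rule blocks: {by_hash}")
```

Running the block prints one line per sample; the second and third lines are the two cases the text warns about, a renamed copy slipping past a name rule and a legitimately named file being caught by it. To apply the same check to real files, pass a path to `sha256_of_path` and compare the result with the hash the report lists.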
Client submissions and server data collection
You can enable Symantec Endpoint Protection to send information about detected threats and your network configuration to Symantec. Symantec uses this information for additional analysis and to improve the security features in the product.
- Version 14 has several new types of client submissions that you can enable. You access these options by clicking Clients > Policies tab > External Communications > Submissions tab > More options.
- The previously existing submission types are automatically submitted with the Send anonymous data to Symantec to receive enhanced threat protection intelligence option. In 12.1.6.x and earlier, this option was labeled Let computers automatically forward selected anonymous security information to Symantec.
- You use the new Send client-identifiable data to Symantec for custom analysis option if you participate in a Symantec-sponsored program to get recommendations specific to your security network.
- For server data collection, the Yes, I would like to help optimize Symantec’s endpoint security solutions by submitting anonymous system and usage information to Symantec option is now labeled Send anonymous data to Symantec to receive enhanced threat protection intelligence. You access this option on the Admin > Servers > Edit Site Properties > Data Collection tab.
LiveUpdate downloads new types of content
Symantec Endpoint Protection Manager downloads additional types of content from LiveUpdate servers:
- Client security patches
- Endpoint Detection and Response: Definitions that the Endpoint Detection and Response (EDR) component uses to detect and investigate suspicious activities and issues on hosts and endpoints.
- Common Network Transport Library and Configuration: Definitions that the entire product uses to achieve network transportation and telemetry.
What’s New in Symantec Endpoint Protection 14.0.3929.1200
- Release notes not available at the time of this post.