How to block a user's ability to disable Symantec Endpoint Protection on Clients

Article:TECH102822  |  Created: 2007-01-05  |  Updated: 2014-01-06  |  Article URL http://www.symantec.com/docs/TECH102822
Article Type
Technical Solution

Product(s)

Environment

Issue



You want to prevent users from disabling the Symantec Endpoint Protection (SEP) client by right-clicking on the client system tray icon and selecting "Disable Symantec Endpoint Protection", or block a user's ability to disable Symantec Endpoint Protection on Clients.


Solution



To prevent users from disabling Symantec Endpoint Protection (SEP) on their client:

Step 1: Remove the right to disable Network Threat Protection:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click Clients.
  3. Select the group that contains the clients you want to be affected.
  4. Click Policies.
  5. Expand Location-specific Settings.
  6. Click Tasks to the right of "Client User Interface Control Settings", then click Edit Settings.
  7. Select Server control or Mixed control if it is not already set to one of these.
  8. Click Customize.
    • If Server control is enabled this will open the Client User Interface Settings dialog.
    • If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.
  9. Uncheck Allow users to enable and disable Network Threat Protection.
  10. Uncheck Allow the following users to enable or disable the firewall.
  11. Click OK> OK.



Step 2: Remove the right to disable Threat detection:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click Clients.
  3. Select the group that contains the clients you want to be affected.
  4. Click Policies.
  5. Expand Location-specific Policies
  6. Click Antivirus and Antispyware policy.
  7. Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
  8. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
  9. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
  10. Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
  11. Click TruScan Proactive Threat Scans, then lock this feature by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
  12. Click OK.

 

For Symantec Endpoint Protection 12.1 or for SEP 11 clients managed by SEPM running 12.1 versions, additional policies must be locked. 

  1. In the Virus & Spyware Protection policy, click Sonar, then lock this feature by clicking the lock symbol next to Enable Sonar.  
  2. In the Instrusion Prevention policy, click Settings, then lock both lock symbols next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.  

 

Step 3: Clients update policy:

Clients will receive the policy according to their Communication Settings (they will be prompted to check in within a few seconds if in Push Mode; they will check in on their next scheduled heartbeat in Pull Mode).

You can prompt the heartbeat on the client:

  1. Right-click the Symantec Endpoint Protection system tray icon.
  2. Click Update Policy. The client will request the new policy from the manager


Once the policy has been updated the user will not be able to disable the Antivirus/Antispyware or the Network Threat Protection features. 


References:
This document is available in the following languages:




Legacy ID



2007110514540148


Article URL http://www.symantec.com/docs/TECH102822


Terms of use for this information are found in Legal Notices