Symantec Endpoint Protection Manager - Antivirus and Antispyware - Policies explained

Article:TECH104430  |  Created: 2008-01-20  |  Updated: 2010-12-21  |  Article URL http://www.symantec.com/docs/TECH104430
Article Type: Technical Solution


Issue

You need more details about the options in the policies of the Symantec Endpoint Protection Manager (SEPM).

Cause

Antivirus and Antispyware Policy

Solution



Administrator-defined Scans: Scans

You can use the Scans tab to add a scheduled scan to an Antivirus and Antispyware Policy or to specify settings for on-demand scans. Administrators define scheduled scans to run on client computers at configurable intervals. Administrators can predefine a specific set of scan settings for running on-demand scans on clients from the management console. On-demand scans are manual scans run on a client at the administrator's request.

Table: Scheduled scan options

Add
    Specifies to add a new scheduled scan to this policy.

Edit
    Specifies an existing scheduled scan that you want to change.

Delete
    Specifies an existing scheduled scan that you want to delete.

Table: On-demand scan options

Edit
    Specifies that you want to change the on-demand scan settings.

Administrator-defined Scans: Advanced

Use this tab to set options for scheduled, startup and triggered scans, and for users on the computers that run these scans.

Table: Scheduled scan advanced options

Delay scheduled scans when running on batteries
    Specifies that scheduled scans be delayed when a computer is running on batteries.

    This option is enabled by default. You can disable this option to allow scheduled scans to run as scheduled, even when a computer is running on batteries.

Allow user-defined scheduled scans to run when the scan author is not logged on
    Specifies that user-defined scheduled scans run as scheduled when the scan author is not logged on.

    By default, user-defined scheduled scans always run at the scheduled time. This option can be particularly useful in the case of unmanaged client computers that do not use administrator-defined scheduled scans.

    You can disable this option to prevent user-defined scheduled scans from running when the user who created the scan is not logged on. You may want to disable this option for multiuser computers.

    Note: If this option is enabled and the user is logged off when the scan begins, the scan progress dialog box does not display. You can check scan status in this instance by looking in the System log.

    On multiuser workstations, when this option is enabled, scan progress is displayed as follows:
    · If no users are logged in, the scan progress dialog box does not appear, even if a user logs in during a scan.
    · For the first user to log in, the scan progress dialog box does not appear during a scheduled scan that another user defined.
    · For the first user to log in, the scan progress dialog box appears during a scheduled scan that this user defined. The scan progress dialog box does not appear if the user has not configured the scan to allow it.
    · If an administrator-defined scheduled scan runs when no user is logged in, the scan progress dialog box does not appear. When a user logs in, the scan progress dialog box appears.

    Users who are not logged in when their scan runs must look at the Scan Log to see the scan results.

Table: Startup and triggered scan advanced options

Run startup scans when users log on
    Specifies that startup scans run when a user logs in.

    You can disable startup scans on a global basis only. If you disable this option, you disable all startup scans, including any custom startup scans that users have configured.

Allow users to modify startup scans
    Determines whether users can modify startup scans.

    This option is enabled by default. This option is only available when the Run startup scans when users log on parameter is enabled.

Run an Active Scan when new definitions arrive
    Starts an Active Scan when new definitions arrive to check for any risks that the new definitions can detect.

    By default, an Active Scan is run when new definitions arrive. If you disable this option, you weaken the protection available to your client computers. You should only disable this option if you have special configuration or exclusion needs that conflict with this automatically triggered scan.

Table: Advanced user options

Scan progress
    Specifies what users see on their computers when a scan is running. Select one of the following:
    · Do not show scan progress
    · Show scan progress
    · Show scan progress if risk detected

Close the scan progress window when done
    Specifies that the scan progress window closes automatically when the scan is finished. This option becomes available when you select Show scan progress.

Allow the user to stop the scan
    Allows users to stop scans that start on their computers. This option becomes available when you select Show scan progress.

Allow the user to pause or delay a scan
    Allows users to pause or snooze the scans that start on their computers. This option to delay a scan becomes available when you select Show scan progress.

File System Auto-Protect: Scan Details

Use the Scan Details tab to configure scanning and drive type options for Auto-Protect scans of files and processes.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Use centralized exceptions to specify exclusions for files or directories.

Table: Auto-Protect scan detail options

Enable File System Auto-Protect
    Enables or disables Auto-Protect. By default, Auto-Protect is enabled.

File types
    You can scan all file types or only files with selected extensions. The following options are available:
    · Scan all files: Scans all files on the computer, regardless of type.
    · Scan only selected extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.
    · Determine file types by examining file contents: Scans a specific, configurable group of the file extensions that contain executable code, and all .exe and .doc files. The Symantec Endpoint Protection client reads each file's header to determine its file type. It scans .exe and .doc files even if a virus changes the file extensions for the .exe and the .doc files. This option is disabled by default.

Extensions
    Specifies that only certain file extensions should be included in the scan. You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. The client does not scan any files that have extensions that are not in the list.

    Note: If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

Additional options
    Additional options include the following:
    · Scan for security risks: This option is enabled by default.

      Note: This option has no effect on the computers that run earlier versions of the client.

    · Block security risks from being installed: If Auto-Protect determines that it would not be harmful to a computer to block a security risk, then it blocks the risk.

Network Settings
    Network settings provide the following options:
    · Network: Enables or disables scanning on network drives.
    · Network Settings: When scanning is enabled on network drives, Auto-Protect scans files when a client computer or a server accesses them from a server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache.
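The difference between the Scan only selected extensions option and the Determine file types by examining file contents option can be seen in a short script. The following is an added example, not Symantec code: it classifies constructed sample files by their leading bytes (the well-known MZ signature of Windows executables and the OLE2 signature of legacy .doc files) and compares an extension-only decision with one that also examines the header, so a renamed executable or an extension-less Word document is still selected for scanning. The extension list, the file names and the sample contents are assumptions made for this example, not the product's defaults.

```python
"""Header-based file type detection versus extension-based selection.

Added example, not Symantec code. The magic bytes are the well-known
PE and OLE2 signatures; the extension list and sample files are
constructed for the example.
"""

# Magic bytes checked at the start of a file (well-known values).
PE_MAGIC = b"MZ"                                 # DOS/PE executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document (.doc/.xls)

# Extension list an extension-only policy might hold (assumed sample list).
SELECTED_EXTENSIONS = {"exe", "dll", "doc", "xls"}


def type_from_header(data: bytes) -> str:
    """Classify a file from its leading bytes, ignoring its name."""
    if data.startswith(PE_MAGIC):
        return "exe"
    if data.startswith(OLE_MAGIC):
        return "doc"
    return "unknown"


def type_from_extension(name: str) -> str:
    """Classify a file from its extension only ('' when it has none)."""
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def should_scan(name: str, data: bytes, examine_contents: bool) -> bool:
    """Decide whether the policy selects this file for scanning.

    examine_contents=False models "Scan only selected extensions" alone;
    examine_contents=True additionally applies the header check, so a
    renamed .exe or .doc is still scanned.
    """
    if type_from_extension(name) in SELECTED_EXTENSIONS:
        return True
    if examine_contents and type_from_header(data) in ("exe", "doc"):
        return True
    return False


# Constructed sample files: only the header bytes matter to this check.
SAMPLES = {
    "report.doc": OLE_MAGIC + b"\x00" * 8,
    "tool.exe": PE_MAGIC + b"\x90" * 14,
    "notes.txt": b"just text",
    "invoice.txt": PE_MAGIC + b"\x90" * 14,   # executable renamed as text
    "letter": OLE_MAGIC + b"\x00" * 8,        # .doc saved with no extension
}


def scan_decisions(examine_contents: bool) -> dict:
    """Return {filename: selected for scanning?} for every sample file."""
    return {n: should_scan(n, d, examine_contents) for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"examine_contents={mode}")
        for name, scanned in scan_decisions(mode).items():
            print(f"  {name:12s} {'scanned' if scanned else 'skipped'}")
```

Run stand-alone, the script prints both decision tables; the two rows that flip between them (invoice.txt and letter) are exactly the cases the article describes, which is why the extension-only mode is the weaker choice on its own.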


Actions

You can configure action and remediation options for scans.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Action options

Macro virus, Non-macro virus
    You can configure a first action to take and a second action to take if the first action fails. Actions for viruses include the following:
    · Clean risk (default first action): Tries to clean the infected file when a virus is found.
    · Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
    · Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin. If the client cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
    · Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how the client handles a virus. You can specify an action for the risk in the Risk log.

Security risks (Adware, Dialers, Hack Tools, Joke Programs, Other, Remote Access, Spyware, Trackware)
    Other covers programs that might pose a security risk but do not fit into the other security risk categories.

    You can configure security risk actions as follows:
    · Configure the same actions to take for all security risks.
    · Configure the same actions for a whole category of security risks.
    · Configure individual security risk exceptions to the actions that you set for specific categories.

    You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:
    · Quarantine risk (default first action): Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. The client removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
    · Delete risk: Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin. Use this action with caution. The deletion of security risks can cause applications to lose functionality. If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.
    · Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how the client handles a security risk. You can specify an action for the risk in the Risk log.

    You can also lock exceptions so that users cannot create their own security risk exceptions for antivirus and antispyware scans.

    Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default the client blocks the risk. If the block action might make the computer unstable, the client waits after the application installation. The client then performs the configured action on the security risk.

Table: Remediation options

Back up the file before attempting to repair
    Backs up the infected file before repairing it. By default, this option is enabled. The original virus-infected file is encrypted and then copied into the Quarantine directory. If you need to, you can use this unrepaired backup file to return the file to its original, but infected, state.

    Note: If you disable this option, files that contain viruses are not backed up before repairs are tried.

    This setting applies only to virus-infected files. For security risks, if the action you have configured is Delete risk, no backup files are created. If the action that you configure is Quarantine risk, the security risk files are always backed up, regardless of this setting.

Terminate processes automatically
    Enables or disables notifications on infected computers when the client must terminate a process to remove or repair a risk. If this option is enabled, the client automatically takes the necessary action without notifying users.

    Note: Users are always notified when a restart is required. They are allowed to save data and close open applications or to opt out of the restart.

Stop services automatically
    Enables or disables notifications on infected computers when the client must stop a service to remove or repair a risk. If this option is enabled, the client automatically takes the necessary action without notifying users.

    Note: Users are always notified when a restart is required. They are allowed to save data and close open applications or to opt out of the restart.
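The Action options table and the Remediation options table together define a small decision procedure: the configured action for a detection is resolved from the most specific setting (an individual risk exception, then its category, then the setting for all security risks), the first action is tried, the second is tried only if the first fails, and whether a backup copy exists depends on the detection type and the action taken. The script below is an added example, not Symantec code, that models those rules on constructed detection records. The policy layout, the risk names, and the notion of an action "failing" on a client are assumptions made for the example; the backup rules follow the text above, with the interpretation that a virus backup is taken whenever a clean is attempted.

```python
"""Model of first/second action fallback and backup rules for detections.

Added example, not Symantec code. POLICY, the risk names and the
simulated action failures are constructed for the example.
"""
from dataclasses import dataclass

VIRUS = "virus"
SECURITY_RISK = "security risk"

# Constructed policy: one setting for all security risks, a category-wide
# override for Adware, and an individual exception for one adware program.
POLICY = {
    VIRUS: {"first": "clean", "second": "quarantine"},
    "security risk:*": {"first": "quarantine", "second": "leave alone"},
    "security risk:Adware": {"first": "quarantine", "second": "delete"},
    "security risk:Adware:SampleAdToolbar": {"first": "leave alone", "second": "leave alone"},
    "backup_before_repair": True,   # "Back up the file before attempting to repair"
}


@dataclass
class Detection:
    name: str
    kind: str                                  # VIRUS or SECURITY_RISK
    category: str = ""                         # e.g. "Adware" for security risks
    failing_actions: frozenset = frozenset()   # actions that fail on this client (assumed)


def resolve_actions(policy: dict, d: Detection) -> dict:
    """Most specific configured entry wins: risk name, then category, then all risks."""
    if d.kind == VIRUS:
        return policy[VIRUS]
    for key in (f"{SECURITY_RISK}:{d.category}:{d.name}",
                f"{SECURITY_RISK}:{d.category}",
                f"{SECURITY_RISK}:*"):
        if key in policy:
            return policy[key]
    raise KeyError(f"no action configured for {d.name}")


def remediate(policy: dict, d: Detection) -> dict:
    """Try the first action; on failure try the second. Report what happened.

    Backup rules from the Remediation table:
      viruses        - backed up before a repair (clean) is attempted, if enabled
      security risks - always backed up on quarantine, never on delete
    """
    actions = resolve_actions(policy, d)
    attempted = []
    final = "failed"
    for step in ("first", "second"):
        action = actions[step]
        attempted.append(action)
        # "Leave alone" only logs, so it cannot fail.
        if action == "leave alone" or action not in d.failing_actions:
            final = action
            break
    if d.kind == VIRUS:
        backup = policy["backup_before_repair"] and "clean" in attempted
    else:
        backup = final == "quarantine"
    return {"final": final, "attempted": attempted, "backup": backup}


if __name__ == "__main__":
    samples = [
        Detection("W32.Sample", VIRUS, failing_actions=frozenset({"clean"})),
        Detection("SampleAdToolbar", SECURITY_RISK, "Adware"),
        Detection("OtherAdware", SECURITY_RISK, "Adware", frozenset({"quarantine"})),
        Detection("SomeSpyware", SECURITY_RISK, "Spyware"),
    ]
    for d in samples:
        print(d.name, remediate(POLICY, d))
```

The cases worth checking against the tables are the ones where the two settings interact: a virus whose clean fails still has a backup (the copy was made before the repair attempt), an adware program that falls through to Delete risk has none, and a quarantined security risk has one even when the backup option is turned off.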


File System Auto-Protect: Notifications

You can set notification options for File System Auto-Protect.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Notification options

Display a notification message on the infected computer
    Enables or disables displaying notifications on infected computers when Auto-Protect finds a virus or a security risk. You can modify the type of information that you want to appear in the notification.

Display the Auto-Protect results dialog on the infected computer
    Enables or disables displaying results on infected computers.

Table: Notification message fields

SecurityRiskName
    The name of the virus or security risk that was found.

ActionTaken
    The action that was taken in response to detecting the virus or security risk. This action can be either the first action or the second action that was configured.

Status
    The state of the file: Infected, Not Infected, or Deleted. This message variable is not used by default. To display this information, manually add this variable to the message.

Filename
    The name of the file that the virus or the security risk has infected.

PathAndFilename
    The complete path and name of the file that the virus or the security risk has infected.

Location
    The drive on the computer on which the virus or security risk was located.

Computer
    The name of the computer on which the virus or security risk was found.

User
    The name of the user who was logged on when the virus or security risk occurred.

Event
    The type of event, such as "Risk Found."

LoggedBy
    The type of scan (on-demand, scheduled, and so on) that detected the virus or security risk.

DateFound
    The date on which the virus or security risk was found.

StorageName
    The affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect.

ActionDescription
    A full description of the actions that were taken in response to detecting the virus or security risk.

File System Auto-Protect: Advanced

You can configure advanced options for File System Auto-Protect.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Advanced options for File System Auto-Protect

Startup and Shutdown
    The following options are available:
    · Computer starts: Loads Auto-Protect when the computer's operating system starts and unloads it when the computer shuts down. This option can help protect against some viruses, such as Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification.

      Note: If you disable Auto-Protect on a computer that has this option enabled, Auto-Protect still functions after each computer restart for a brief time. When the main Symantec Endpoint Protection client service starts, it disables Auto-Protect.

    · Symantec Endpoint Protection starts: Loads Auto-Protect when the client starts.
    · Check floppies when the computer shuts down: Configures the client to scan floppies when the computer shuts down.

Auto-Protect Reloading and Enablement
    The following options are available:
    · Wait until the computer is restarted: Stops and reloads Auto-Protect when the computer restarts.
    · Stop and reload Auto-Protect: Stops and reloads Auto-Protect immediately.
    · When Auto-Protect is disabled: You can re-enable Auto-Protect automatically after the number of minutes that you specify. Valid values range from 3 to 60. This option is useful if users need to disable Auto-Protect on occasion.

Additional Options
    Sets the options for the file cache and Risk Tracer.

Internet Email Auto-Protect: Scan Details

You can configure details for Auto-Protect scans of Internet email.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Use centralized exceptions to specify exclusions for files or directories.

Table: Scan Details options

Enable Internet Email Auto-Protect
    Enables or disables Auto-Protect for Internet email.

File types
    Scans all file types or only files with selected extensions. The following options are available:
    · Scan all files: Scans all files on the computer, regardless of type.
    · Scan only selected extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.

Selected Extensions
    Specifies that only certain file extensions should be included in the scan. You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. Auto-Protect does not scan files with unlisted extensions.

    Note: If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

Compressed files
    Specifies whether or not to scan files inside compressed files and how many levels to include. The following options are available:
    · Scan files inside compressed files: Scans the files that act as containers for a file or group of files.
    · Number of levels to expand if there are compressed files within compressed files: When a file archive (such as Files.zip) is scanned, the individual files of the archive are also scanned. If the archive itself contains compressed files, you can specify how many levels deep you want the compressed files to be scanned. The default setting is three levels deep in a compressed file.

    These types of compressed files may be included in virus scans:
    · .ARJ archive files created by the ARJ* file compression software
    · .ZIP files created by PKZip* and WinZip* file compression software
    · .LZH files compressed by Haruyasu Yoshizaki's Lharc* software
    · .EXE files created as self-extracting archives
    · Compressed files without an extension

Auto-Protect for Internet Email, Microsoft Exchange, or Lotus Notes: Actions

You can configure action and remediation options for Auto-Protect scans of Internet email, Microsoft Exchange, or Lotus Notes.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Action options

Macro virus, Non-macro virus
    You can configure a first action to take and a second action to take if the first action fails. Actions for viruses include the following:
    · Clean risk (default first action): Tries to clean the infected file when a virus is found.
    · Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
    · Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin. If Auto-Protect cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
    · Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how Auto-Protect handles a virus. When you are notified of a virus, open the Risk log, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

Security risks (Adware, Dialers, Hack Tools, Joke Programs, Other, Remote Access, Spyware, Trackware)
    Other covers programs that might pose a security risk but do not fit into the other security risk categories.

    You can configure the following security risk actions:
    · Configure the same actions to take for all security risks.
    · Configure the same actions for a whole category of security risks.
    · Configure individual security risk exceptions to the actions that you set for specific categories.

    You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:
    · Quarantine risk (default first action): Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Auto-Protect removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
    · Delete risk: Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin. Use this action with caution. The deletion of security risks can cause applications to lose functionality. If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.
    · Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how Auto-Protect handles a security risk. You can use the logs in the management console to specify the action for the logged risk. Users on client computers can use the logs to specify the action as well.

    You can also lock exceptions so that users cannot create their own security risk exceptions for all antivirus and antispyware scans.

    Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default Auto-Protect blocks the risk. If the computer might enter an unstable state when Auto-Protect blocks the risk, Auto-Protect waits until the application installation is complete. Then Auto-Protect performs the configured action on the security risk.

Internet Email Auto-Protect: Notifications

You can configure notifications options for Auto-Protect scans of Internet email. You can configure the information that you want to include in notifications and whether or not progress indicators are available on client computers.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Notifications options

Notifications
    Enables or disables the display of notification messages on infected computers. The following option is available:
    · Display a notification message on the infected computer: When this option is enabled, you can modify the information that should appear when Auto-Protect finds a virus or a security risk.

Email Notifications
    Enables or disables the notifications about infected email. The following options are available:
    · Insert a warning into the email message: Adds an email warning to infected messages. Click Warning to change the text.
    · Send email to the sender: Notifies the senders of infected messages in Internet email applications. You can click Sender to change the default text.
    · Send email to others: Notifies the specified recipients of infected messages in email applications. You can click Others to change the default text.

Progress Notifications
    Enables or disables the display of a progress message and an icon on client computers during email scans. The following options are available:
    · Display a progress indicator when email is being sent
    · Display notification area icon

Table: Notification message fields

SecurityRiskName
    The name of the virus or security risk that was found.

ActionTaken
    The action that was taken in response to detecting the virus or security risk. This action can be either the first action or the second action that was configured.

Status
    The state of the file: Infected, Not Infected, or Deleted. This message variable is not used by default. To display this information, manually add this variable to the message.

Filename
    The name of the file that the virus or the security risk has infected.

PathAndFilename
    The complete path and name of the file that the virus or the security risk has infected.

Location
    The drive on the computer on which the virus or security risk was located.

Computer
    The name of the computer on which the virus or security risk was found.

User
    The name of the user who was logged on when the virus or security risk occurred.

Event
    The type of event, such as "Risk Found."

LoggedBy
    The type of scan that detected the virus or security risk.

DateFound
    The date on which the virus or security risk was found.

StorageName
    The affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect.

ActionDescription
    A full description of the actions that were taken in response to detecting the virus or security risk.

Internet Email Auto-Protect: Advanced

You can configure connection settings for Auto-Protect scans of Internet email.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Advanced options for Auto-Protect scans of Internet email

Connection Settings
    The following options are available:
    · Incoming mail server (POP3): Auto-Protect scanning for Internet email uses the standard POP3 email ports by default. If you configure your network to use a different port, you must change the port setting here to match the port that you selected.
    · Outgoing mail server (SMTP): Auto-Protect scanning for Internet email uses the standard SMTP email ports by default. If you configure your network to use a different port, you must change the port setting here to match the port that you selected.
    · Use Defaults: Returns the Incoming mail server (POP3) and Outgoing mail server (SMTP) port settings to their defaults.

Encrypted Connections
    The following options are available:
    · Allow encrypted POP3 connections: Use this option to enable or disable POP3 messages that use encrypted connections. Auto-Protect does not scan any email that uses POP3 over the Secure Sockets Layer (SSL). Auto-Protect continues to protect computers from viruses and security risks in attachments.
    · Allow encrypted SMTP connections: Use this option to enable or disable the SMTP messages that use encrypted connections. Auto-Protect does not scan any email that uses SMTP over the Secure Sockets Layer (SSL). Auto-Protect continues to protect computers from viruses and security risks in attachments.

Mass Mailing Worm Heuristics
    The following options are available:
    · Outbound worm heuristics: Use this option to scan outgoing messages for suspicious behavior.
    · First action: Select an action to take when the scan detects suspicious behavior. You can choose to quarantine the threat, delete the threat, or to log the detection but take no action on the threat.
    · If first action fails: Select an action to take when the scan cannot perform the first action on the detected threat. You can choose to delete the threat or to log the detection but take no action on the threat.

      Note: If you set the First action to Leave alone (log only), then this option is not available.

Microsoft Outlook Auto-Protect: Scan Details

You can configure details for Auto-Protect scans of Microsoft Exchange email clients.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Use centralized exceptions to specify exclusions for files or directories.

Table: Scan Details options

Enable Auto-Protect for Microsoft Exchange
    Enables or disables Auto-Protect for Microsoft Exchange email clients.

File types
    Scans all file types or only files with selected extensions. The following options are available:
    · Scan all files: Scans all files on the computer, regardless of type.
    · Scan only selected extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.

Selected Extensions
    Specifies that only certain file extensions should be included in the scan. You can add or remove file extensions to scan. Only the file extensions that you specify are scanned; Auto-Protect does not scan files with unlisted extensions.
    Note: If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

Compressed files
    Specifies whether or not to scan files inside compressed files and how many levels to include. The following options are available:
    · Scan files inside compressed files: Scans the files that act as containers for a file or group of files.
    · Number of levels to expand if there are compressed files within compressed files: When a file archive (such as Files.zip) is scanned, the individual files of the archive are also scanned. If the archive itself contains compressed files, you can specify how many levels deep you want the compressed files to be scanned. The default setting is three levels deep in a compressed file.
    These types of compressed files may be included in virus scans:
    · .ARJ archive files created by the ARJ* file compression software
    · .ZIP files created by PKZip* and WinZip* file compression software
    · .LZH files compressed by Haruyasu Yoshizaki's Lharc* software
    · .EXE files created as self-extracting archives
    · Compressed files without an extension
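Added example (not from the Symantec article): a Python walk over a constructed four-level nested zip that applies the three-level default from the table above, identifies nested archives by content rather than by extension (so an archive without an extension is still found), and also caps total decompressed bytes, a guard the article does not describe. How the product counts levels is not stated on the page; the code assumes the outer archive is level 1 and an archive found at level k is opened only when k is below the limit. All function and class names are the example's own.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Constructed example, not Symantec code. Level counting is an assumption:
# the outer archive is level 1 and an archive found at level k is opened
# only when k < max_levels, so max_levels=3 opens three archive layers.


@dataclass
class ScanReport:
    scanned: list[str] = field(default_factory=list)   # members whose content was inspected
    skipped: list[str] = field(default_factory=list)   # nested archives left unexpanded
    bytes_expanded: int = 0                             # total decompressed bytes read


class ExpansionBudgetExceeded(Exception):
    """Raised when decompressed output exceeds the byte budget (nested-archive bomb guard)."""


def scan_archive(data: bytes, max_levels: int = 3, byte_budget: int = 50 * 1024 * 1024,
                 path: str = "outer.zip", level: int = 1,
                 report: ScanReport | None = None) -> ScanReport:
    """Walk a zip archive, expanding nested zips down to max_levels archive layers."""
    if report is None:
        report = ScanReport()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}!{info.filename}"
            # Check the declared uncompressed size before reading so a single
            # oversized member cannot exhaust the budget on its own.
            if report.bytes_expanded + info.file_size > byte_budget:
                raise ExpansionBudgetExceeded(member)
            payload = zf.read(info)
            report.bytes_expanded += len(payload)
            # Sniff the content: a nested archive need not carry a .zip extension.
            if zipfile.is_zipfile(io.BytesIO(payload)):
                if level < max_levels:
                    scan_archive(payload, max_levels, byte_budget, member, level + 1, report)
                else:
                    report.skipped.append(member)   # beyond the configured level limit
            else:
                report.scanned.append(member)
    return report


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: four archives nested inside each other.
    The innermost archive is stored under a name with no extension."""
    level4 = make_zip({"deep.txt": b"level 4 payload"})
    level3 = make_zip({"three.txt": b"level 3", "level4-noext": level4})
    level2 = make_zip({"two.txt": b"level 2", "level3.zip": level3})
    return make_zip({"one.txt": b"level 1", "level2.zip": level2})


if __name__ == "__main__":
    for levels in (3, 4):
        rep = scan_archive(build_sample(), max_levels=levels)
        print(f"max_levels={levels}: scanned={rep.scanned} skipped={rep.skipped}")
```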


 

Auto-Protect for Internet Email, Microsoft Exchange, or Lotus Notes: Actions

You can configure action and remediation options for Auto-Protect scans of Internet email, Microsoft Exchange, or Lotus Notes.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Action options

Macro virus, Non-macro virus
    You can configure a first action to take and a second action to take if the first action fails. Actions for viruses include the following:
    · Clean risk (default first action): Tries to clean the infected file when a virus is found.
    · Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
    · Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin. If Auto-Protect cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
    · Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how Auto-Protect handles a virus. When you are notified of a virus, open the Risk log, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

Security risks
    This detection type covers the following categories:
    · Adware
    · Dialers
    · Hack Tools
    · Joke Programs
    · Other (programs that might pose a security risk but do not fit into other security risk categories)
    · Remote Access
    · Spyware
    · Trackware
    You can configure the following security risk actions:
    · Configure the same actions to take for all security risks.
    · Configure the same actions for a whole category of security risks.
    · Configure individual security risk exceptions to the actions that you set for specific categories.
    You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:
    · Quarantine risk (default first action): Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Auto-Protect removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
    · Delete risk: Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin. Use this action with caution: the deletion of security risks can cause applications to lose functionality. If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.
    · Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how Auto-Protect handles a security risk. You can use the logs in the management console to specify the action for the logged risk. Users on client computers can use the logs to specify the action as well.
    You can also lock exceptions so that users cannot create their own security risk exceptions for all antivirus and antispyware scans.
    Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default Auto-Protect blocks the risk. If the computer might enter an unstable state when Auto-Protect blocks the risk, Auto-Protect waits until the application installation is complete. Then Auto-Protect performs the configured action on the security risk.


 

Microsoft Outlook or Lotus Notes Auto-Protect: Notifications

You can configure notification options for Auto-Protect scans of Microsoft Outlook or Lotus Notes, including the information that appears in notifications.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.

Table: Notifications options

Notifications: Display a notification message on the infected computer
    Enables or disables the display of a notification message on an infected computer when Auto-Protect finds a security risk. When this option is enabled, you can modify the type of information that you want to appear on the affected computer.

Email Notifications
    The following options are available:
    · Insert a warning into the email message: Adds an email warning to an infected message. You can click Warning to change the default text.
    · Send email to sender: Notifies the senders of infected messages in Internet email applications. You can click Sender to change the default text.
    · Send email to others: Notifies the specified recipients of infected messages in email applications. You can click Others to change the default text and to specify recipients.

Table: Message variables

SecurityRiskName
    The name of the virus or security risk that was found.
ActionTaken
    The action that was taken in response to detecting the virus or security risk. This action can be either the first action or the second action that was configured.
Status
    The state of the file: Infected, Not Infected, or Deleted. This message variable is not used by default. To display this information, manually add this variable to the message.
Filename
    The name of the file that the virus or the security risk has infected.
PathAndFilename
    The complete path and name of the file that the virus or the security risk has infected.
Location
    The drive on the computer on which the virus or security risk was located.
Computer
    The name of the computer on which the virus or security risk was found.
User
    The name of the user who was logged on when the virus or security risk occurred.
Event
    The type of event, such as "Risk Found."
LoggedBy
    The type of scan that detected the virus or security risk.
DateFound
    The date on which the virus or security risk was found.
StorageName
    The affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect.
ActionDescription
    A full description of the actions that were taken in response to detecting the virus or security risk.

 

Lotus Notes Auto-Protect: Scan Details

You can configure details for Auto-Protect scans of Lotus Notes email.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Use centralized exceptions to specify exclusions for files or directories.

Table: Scan Details options

Enable Lotus Notes Auto-Protect
    Enables or disables Auto-Protect for Lotus Notes.

File types
    Scans all file types or only files with selected extensions. The following options are available:
    · Scan all files: Scans all files on the computer, regardless of type.
    · Scan only selected extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.

Selected Extensions
    Specifies that only certain file extensions should be included in the scan. You can add or remove file extensions to scan. Only the file extensions that you specify are scanned; Auto-Protect does not scan files with unlisted extensions.
    Note: If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

Compressed files
    Specifies whether or not to scan files inside compressed files and how many levels to include. The following options are available:
    · Scan files inside compressed files: Scans the files that act as containers for a file or group of files.
    · Number of levels to expand if there are compressed files within compressed files: When a file archive (such as Files.zip) is scanned, the individual files of the archive are also scanned. If the archive itself contains compressed files, you can specify how many levels deep you want the compressed files to be scanned. The default setting is three levels deep in a compressed file.
    These types of compressed files may be included in virus scans:
    · .ARJ archive files created by the ARJ* file compression software
    · .ZIP files created by PKZip* and WinZip* file compression software
    · .LZH files compressed by Haruyasu Yoshizaki's Lharc* software
    · .EXE files created as self-extracting archives
    · Compressed files without an extension


 


 

TruScan: Scan Details

You can configure what types of risks proactive threat scans detect. You can also configure what actions the client takes when proactive threat scans detect commercial applications. Commercial applications are keylogger and remote control applications that could be used for malicious purposes.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Both the Scan for trojans and worms and the Scan for keyloggers options must be enabled for client computers to show a Proactive Threat Protection status of On.

Table: Scan details options

Scan for trojans and worms
    Not supported on the client computers that run Windows server operating systems or Windows XP 64-bit operating systems.
    Specifies whether or not proactive threat scans detect processes that behave like Trojan horses and worms (default is enabled). When this option is enabled, the following options are available:
    · Use defaults defined by Symantec: Symantec recommends using this option to minimize false positive detections. When proactive threat scans detect Trojan horses or worms, the scan engine determines the action that the client takes on the process. If the Symantec Endpoint Protection client suspects that the Trojan horse or worm is malicious, the process is quarantined. If not, the client only logs an event.
    · When a trojan or worm is detected within the sensitivity threshold: If you uncheck Use defaults defined by Symantec, you can specify the type of action the client takes when a Trojan horse or worm is detected: Log, Quarantine, or Terminate. This action is applied every time a proactive threat scan detects a Trojan horse or worm.
    · Sensitivity: Symantec determines the default sensitivity. If you uncheck Use defaults defined by Symantec, you can move the slider to increase or decrease the sensitivity.

Scan for keyloggers
    Not supported on the client computers that run Windows server operating systems or Windows XP 64-bit operating systems.
    Specifies whether or not proactive threat scans detect processes that behave like key loggers (default is enabled). When this option is enabled, the following options are available:
    · Use defaults defined by Symantec: Symantec recommends using this option to minimize false positive detections. When proactive threat scans detect key loggers, the scan engine determines the type of action the client takes on the process. If the client software suspects the keylogger is malicious, the client quarantines the process. If not, the client only logs an event.
    · When a keylogger is detected within the sensitivity threshold: If you uncheck Use defaults defined by Symantec, you can specify the type of action that the client takes when it detects a key logger: Log, Quarantine, or Terminate. The client applies this action every time a proactive threat scan detects a key logger.
    · Sensitivity: Symantec determines the default sensitivity. If you uncheck Use defaults defined by Symantec, you can select Low or High.

Detecting Commercial Applications
    Specifies the type of action that the client takes when proactive threat scans detect certain types of commercial applications (default is Log). The following options are available:
    · When a commercial keylogger is detected
    · When a commercial remote control is detected
    You can specify the type of action taken: Log, Quarantine, Terminate, or Ignore.

Table: Actions for proactive threat scan detections

Log
    Logs the detection and leaves the process alone. If notifications are enabled, the user can right-click the name of the risk and select one of the following actions: Terminate or Move To Quarantine.
    Note: If Use defaults defined by Symantec is enabled, detections with this action only appear in a notification message if the scan engine recommends remediating the risk.
    The user can also use the entry in the proactive threat log to specify the type of remediation action to take on each individual detection.

Quarantine
    Tries to move any of the files associated with the process to the Quarantine on the infected computer. The client removes or repairs any side effects of the process. The repairs might include any of the following:
    · Delete registry keys that were added.
    · Revert registry keys that were changed.
    · Delete additions to .ini or .bat files.
    · Delete entries in hosts files.
    · Repair a Layered Service Provider (LSP) system driver.
    · Repair the effects of a rootkit.
    Users can use the proactive threat log or the notification message to restore quarantined items. If you restore a process, the process does not automatically restart. You must manually restart it.

Terminate
    Tries to terminate the process. Use this action with caution, because in some cases terminating processes can cause applications to lose functionality. If the client cannot terminate a process, detailed information about the termination attempt appears in the notification message and the proactive threat log. Users can use the proactive threat log or the notification message to move terminated items to the Quarantine.

Ignore
    Ignores the process. This action is only available for commercial application detections. When the client applies this action, it does not log the detection.


 

TruScan: Notifications

You can configure whether or not notifications should appear on client computers to show the results of proactive threat scans.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: TruScan notifications options

Display a message when there is a detection
    Displays the results on a client computer when a proactive threat scan makes a detection (default is enabled). When the detections dialog box appears on the client computer, the user can specify additional remediation actions for the detections.

Prompt before terminating a process
    Prompts the user before the client terminates a process that a proactive threat scan detects (default is enabled). When the prompt appears on the client computer, the user can decide whether or not to terminate the process.

Prompt before stopping a service
    Prompts the user before the client stops a service that a proactive threat scan detects (default is enabled). When the prompt appears on the client computer, the user can decide whether or not to stop the service.


 

TruScan: Scan Frequency

You can configure how often the proactive threat scan should run.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Proactive threat scan frequency options

At the default scanning frequency
    Runs the proactive threat scans on a Symantec-determined frequency (1 hour). By default, this option is enabled.

At a custom scanning frequency
    Runs the proactive threat scans immediately or on a manually set frequency. When this option is enabled, the following options are available:
    · Scan new processes immediately: Scans new processes soon after the client detects them. When the client detects a new process, it initiates a proactive threat scan of all running processes.
    · Scan protected processes every: Scans all processes at the specified frequency. The default is 1 hour.


 

Quarantine: General

You can use this tab to set the options for the local Quarantine.

Table: Quarantine options

When New Virus Definitions Arrive
    Specifies what happens when a computer receives new virus and security risk definitions. Select one of the following options:
    · Automatically repair and restore files in Quarantine silently: If the new definitions include repairs for quarantined files, the Symantec Endpoint Protection client repairs the files. The client also restores the files to their previous location without notifying the user.
    · Repair files in Quarantine silently without restoring: If the new definitions include a repair for quarantined files, the client repairs the files but does not restore them to their previous location.
    · Prompt user: The user is prompted to decide whether or not to try to repair quarantined files.
    · Do nothing: The client does not try to repair quarantined files.

Local Quarantine Options
    Specifies the folder where files are quarantined. You can select the default folder or browse to any other folder that you want to use.


 

Quarantine: Clean-up Options

You can use this option to enable the automatic deletion of repaired, backup, and quarantined files from the computer. You can delete the files based on file age, folder size, or both. If you set both types of limits, then all files older than the time you have set are deleted first. If the size of the folder still exceeds the limit, then the oldest files are deleted until the folder size falls below the limit. By default, these options are enabled.

Table: Clean-up options

Enable automatic deleting of <repaired files | backup files | quarantined files that could not be repaired>
    Enables the automatic deletion of any files that cannot be repaired.

Delete after
    Specifies the number of days to keep the files. The maximum is 30 days.

Delete oldest files to fit folder size limit (MB)
    Specifies the maximum size the directory can reach. The default is 50 MB.
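Added example (not Symantec code) that models the clean-up order described above: files past the age limit are deleted first, then the oldest remaining files are deleted until the folder fits the size limit. The file names, ages and sizes are constructed, a folder exactly at the size limit is assumed to be within it, and the lower bound of 1 day on the age setting is an assumption (the article states only the 30-day maximum).

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not Symantec code. Models the clean-up order the article
# describes: age-based deletion first, then oldest-first deletion until the
# folder size is within the limit. A folder exactly at the limit is treated
# as within it (assumption).

MAX_ALLOWED_AGE_DAYS = 30   # the article states 30 days as the maximum setting


@dataclass(frozen=True)
class QuarantinedFile:
    name: str
    age_days: int
    size_mb: float


def plan_cleanup(files: list[QuarantinedFile], delete_after_days: int | None = 30,
                 folder_limit_mb: float | None = 50.0) -> tuple[list[str], list[str]]:
    """Return (deleted, kept) file names. Either limit may be None, meaning disabled."""
    # Lower bound of 1 day is an assumption; the page states only the maximum.
    if delete_after_days is not None and not 1 <= delete_after_days <= MAX_ALLOWED_AGE_DAYS:
        raise ValueError(f"Delete after must be between 1 and {MAX_ALLOWED_AGE_DAYS} days")
    deleted: list[str] = []
    remaining = list(files)
    # Step 1: everything older than the age limit is deleted first.
    if delete_after_days is not None:
        expired = [f for f in remaining if f.age_days > delete_after_days]
        deleted.extend(f.name for f in expired)
        remaining = [f for f in remaining if f.age_days <= delete_after_days]
    # Step 2: if the folder still exceeds the size limit, drop the oldest files until it fits.
    if folder_limit_mb is not None:
        remaining.sort(key=lambda f: f.age_days, reverse=True)   # oldest first
        total = sum(f.size_mb for f in remaining)
        while remaining and total > folder_limit_mb:
            victim = remaining.pop(0)
            total -= victim.size_mb
            deleted.append(victim.name)
    return deleted, [f.name for f in remaining]


# Constructed sample folder: 70 MB in total, one file older than 30 days.
SAMPLE_FILES = [
    QuarantinedFile("file-a", age_days=45, size_mb=10.0),
    QuarantinedFile("file-b", age_days=20, size_mb=30.0),
    QuarantinedFile("file-c", age_days=10, size_mb=25.0),
    QuarantinedFile("file-d", age_days=2, size_mb=5.0),
]

if __name__ == "__main__":
    deleted, kept = plan_cleanup(SAMPLE_FILES)
    print("deleted:", deleted)   # file-a by age, then file-b to get under 50 MB
    print("kept:", kept)
```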


 

Submissions

You can configure whether or not client computers submit information to Symantec Security Response and how quarantined items are submitted to Symantec Security Response.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.
Table: Submissions options

TruScan Proactive Threat Scans
    The following options are available:
    · Allow client computers to submit processes detected by TruScan proactive threat scans (default is enabled): Specifies whether or not client computers submit information about processes detected by proactive threat scans. This information may help Symantec address new threats.
    · Percentage of client computers allowed to submit (default is 100): The percentage of the computers that are allowed to submit information about processes to Symantec.

Detection Rates
    The following options are available:
    · Allow client computers to submit threat detection rates (default is enabled): Specifies whether or not client computers submit information about detection rates to Symantec. Detection rates for Auto-Protect and manual scans can help Symantec Security Response determine what virus definitions are no longer needed.
    · Percentage of client computers allowed to submit (default is 100): The percentage of the computers that are allowed to submit information about detection rates to Symantec.

Quarantined Items
    The following options are available:
    · Allow client computers to manually submit quarantined items to Symantec Security Response (default is enabled): Specifies whether or not users of client computers can manually submit quarantined items to Symantec Security Response.
    · Allow client computers to automatically submit quarantined items to a Quarantine Server (default is disabled): Specifies whether or not client computers automatically submit quarantined items to a central Quarantine Server. When this option is enabled, you can configure the following information for the Quarantine Server:
      · Server name: The server name should match the server name that is configured for the Central Quarantine Server.
      · Port: The port number should match the port number that is configured for the Central Quarantine Server. By default, this option is 33.
      · Retry: By default, this option is 600 seconds.


 

Miscellaneous

You can use this tab to set miscellaneous Antivirus and Antispyware Policy options.

Table: Antivirus and Antispyware Policy miscellaneous options

Disable Windows Security Center
    Specifies whether to use Windows Security Center (WSC) on the clients. Select one of the following:
    · Never: Never disable WSC. Leave it completely alone. This setting is the default value.
    · Once: Disable WSC only one time. If a user re-enables it, the client does not disable it again.
    · Always: Always disable WSC. If a user re-enables it, it is disabled again immediately.
    · Restore if disabled: Re-enable WSC only if the client disabled it.
    Note: Symantec product status is always available in Symantec Endpoint Protection, regardless of whether WSC is enabled or disabled.

Display antivirus alerts within Windows Security Center
    Specifies when WSC displays antivirus alerts. Select one of the following:
    · Enable: WSC displays these alerts in the notification area.
    · Disable: WSC does not display these alerts in the notification area.
    · Use existing setting: WSC uses the existing setting for displaying these alerts.

Display Windows Security Center message when definitions are outdated. Warn after
    Sets the time period after which WSC considers definitions files to be out of date and displays a message about it. Specifies the number of days that definitions are allowed to be out of date. The value must be in the range from 1 to 30. The default value is 29 days.
    The client checks every 15 minutes to compare the out-of-date time, the date of the definitions, and the current date. Typically, no out-of-date status is reported to WSC because definitions are usually updated automatically. If you update definitions manually, you might wait up to 15 minutes to view an accurate status.

Internet Browser Protection
    Specifies a URL to use as the home page when a security risk hijacks a client computer's home page. The client uses this URL when it repairs the risk. You can click the lock icon to prevent users from changing the home page to be used when repairing side effects after a browser hijacking.

Ask for a password before scanning a mapped network drive
    Specifies whether or not clients prompt users for a password when the client scans network drives. The default password is symantec. You can change the password by clicking Change Password and setting the password.


 

Miscellaneous: Log handling

You can use this tab to set the options that are related to antivirus logs.

Table: Antivirus log handling options

Option
    Description

Show
    Specifies the category of events you want to display. The following categories are included:
    · All antivirus and antispyware events
    · Scanning and infection events
    · Virus definition events
    · Management and configuration events
    · Startup and shutdown events
    · Licensing events
    · Security related events

Delete logs older than
    Specifies the number of days you want to keep antivirus-related events in the logs.

    The option does not affect any events that the clients send to the management console. You can use the option to reduce the actual log size on the client computers.

Send aggregated events every
    Specifies the number of minutes that should pass before clients send aggregated antivirus-related events to the System log.

    Antivirus-related events are aggregated before they are sent to the event log to keep the number of events manageable. After the events are sent, aggregation starts again.
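To make the "Send aggregated events every" behaviour concrete, here is an added example, not Symantec code, that groups a constructed stream of antivirus-related events into fixed windows, emits one aggregated record per window, and restarts aggregation afterwards. The event texts and timestamps are constructed; starting a new window with the first event after a send is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Added example, not Symantec code: models how a client batches antivirus-related
# events for the "Send aggregated events every" option. Sample events are constructed.
Event = Tuple[str, str]  # (ISO timestamp, event text)

SAMPLE_EVENTS: List[Event] = [
    ("2010-12-21T09:00:00", "Risk found: EXAMPLE.RISK (quarantined)"),
    ("2010-12-21T09:03:10", "Risk found: EXAMPLE.RISK (quarantined)"),
    ("2010-12-21T09:07:45", "Scan completed"),
    ("2010-12-21T09:12:00", "Risk found: EXAMPLE.RISK (quarantined)"),
    ("2010-12-21T09:20:30", "Definitions updated"),
]


def aggregate_events(events: List[Event], every_minutes: int) -> List[Dict]:
    """Group events into windows of every_minutes; each window is sent as one
    aggregated record (count per distinct event text), then aggregation restarts.
    Assumption: a new window starts with the first event after the previous send."""
    if every_minutes < 1:
        raise ValueError("interval must be at least one minute")
    window = timedelta(minutes=every_minutes)
    batches: List[Dict] = []
    counts: Counter = Counter()
    window_start: Optional[datetime] = None
    for stamp, text in sorted(events):
        when = datetime.fromisoformat(stamp)
        if window_start is None:
            window_start = when
        elif when - window_start >= window:
            batches.append({"window_start": window_start.isoformat(), "counts": dict(counts)})
            counts = Counter()
            window_start = when
        counts[text] += 1
    if counts:  # flush the final, possibly partial, window
        batches.append({"window_start": window_start.isoformat(), "counts": dict(counts)})
    return batches


def total_events(batches: List[Dict]) -> int:
    """Sanity check: aggregation must not lose events, only group them."""
    return sum(sum(b["counts"].values()) for b in batches)


if __name__ == "__main__":
    for batch in aggregate_events(SAMPLE_EVENTS, every_minutes=10):
        print(batch["window_start"], batch["counts"])
```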


 

Miscellaneous: Notifications

You can configure notifications to appear on client computers when virus definitions are out-of-date or missing. You can also determine the URL and text to include in the error messages that appear on client computers.

Table: General notification options

Option
    Description

Display warning when definitions are outdated
    Displays a message on client computers when definitions are out of date.

    You can specify the number of days. The notification message appears when definitions are out of date by more than the specified number of days.

Display warning when Symantec Endpoint Protection is running without virus definitions
    Displays a message on client computers when the Symantec Endpoint Protection client is running without definitions.

    You can specify the number of attempts to update definitions, and then customize the warning message that appears on the client computer.

Display error messages with a URL to a solution
    Enables or disables the error messages that appear on client computers and in the System log.

    The error messages appear when users encounter errors that are related to the system, licensing, installation, and Antivirus and Antispyware Protection. In client control mode, error messages do not appear.

    You can include the following types of URLs (uniform resource locators) in the error messages:
    · Display the URL to a Symantec Technical Support Knowledge Base article
      Displays a link that redirects users to a Knowledge Base article about the specific error that they see. If no article exists, a prompt appears that lets users send an email message to online technical support or phone support.
    · Display a custom URL
      Displays a link to a customized Web site with alternative text and support information for the specific error that users see.

Custom Error Message
    Opens a dialog box in which you can edit the default error message that appears on client computers and in the System log.



References
Online Help - SEPM

Technical Information

Overview - Policies www.symantec.com/docs/TECH104436
Antivirus and Antispyware www.symantec.com/docs/TECH104430
Application and Device Control www.symantec.com/docs/TECH104431
Centralized Exceptions www.symantec.com/docs/TECH104432
Firewall www.symantec.com/docs/TECH104433
Intrusion Prevention www.symantec.com/docs/TECH104434
LiveUpdate www.symantec.com/docs/TECH104435

Legacy ID
2008032010461048
