Security Response recommendations for Symantec Endpoint Protection settings

Article:TECH122943  |  Created: 2010-01-03  |  Updated: 2014-01-03  |  Article URL http://www.symantec.com/docs/TECH122943
Article Type
Technical Solution


Environment

Issue



You would like to know what settings Security Response recommends for Symantec Endpoint Protection 11 (SEP 11) and how to set those settings using the Symantec Endpoint Protection Manager (SEPM).

 


Cause



By default, Symantec Endpoint Protection does not use all of the protection it offers. Its settings can be modified to scan more aggressively and to take stronger action when a detection occurs. This document explains how to modify the relevant settings.


Solution





Security Response recommends the following Scan Settings

 

| Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
|---|---|---|---|
| Lock settings | Some | Some | All |
| Remediation: terminate processes | No | No | Yes |
| Remediation: terminate services | No | No | Yes |
| Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
| Network Auto-Protect | Disabled | Enabled | Enabled |
| Bloodhound Level | Default (2) | Default (2) | Default (3) |
| SEP Startup | System Start | System Start | System Start |
| Auto-Protect Scan | Modify and access | Modify and access | Modify and access |



To make changes to these settings, do the following:

  1. Navigate to the Policies tab in the Symantec Endpoint Protection Manager.
  2. Select the policy you would like to modify.
  3. Right click that policy and choose the Edit option.
  4. Once in the Antivirus and Antispyware policy, select "File System Auto-Protect" from the list on the left.
  5. Select the "Scan Details" tab.
  6. Lock all options. Any option not locked is configurable at the client.
  7. Enable network scanning by clicking on the box next to the "Network Settings" until it shows a check mark.
  8. Click on the "Advanced Scanning and Monitoring" button.
  9. Lock all options.
  10. Click on the box next to "Enable Bloodhound(TM) heuristic virus detection" so that it shows a check mark.
  11. Select the drop down next to "Level of protection to use". Select "Maximum".
  12. Click the button labeled "OK".
  13. Select the "Actions" tab.
  14. Lock all options.
  15. Select "Security Risks" under the Detection heading.
  16. Select the drop down for First Action and change it to "Quarantine risk".
  17. Select the drop down for If first action fails and change it to "Delete Risk".
  18. Click on the box next to "Terminate processes automatically" so that it shows a check mark.
  19. Click on the box next to "Stop services automatically" so that it shows a check mark.
  20. Click "OK" to save your changes.



Security Response recommends the following setting changes to TruScan for best protection

 

| TruScan | Default Setting | Security Response Recommendation |
|---|---|---|
| Scan Sensitivity | 9/Low | 100 |
| Action on Detection | Log | Terminate |
| Scan Frequency | 1:00 | 00:15 |



To make the recommended changes, do the following:

  1. Navigate to the Policies tab in the Symantec Endpoint Protection Manager.
  2. Select the policy you would like to modify.
  3. Right click that policy and choose the Edit option.
  4. Once in the Antivirus and Antispyware policy, select TruScan Proactive Threat Scans from the list on the left.
  5. Select the Scan Details tab.
  6. Lock the following options by clicking the lock icon so that the icon shows a closed lock: "Scan for trojans and worms", "Use defaults defined by Symantec", "When a trojan or worm is detected within the sensitivity threshold", "Sensitivity".
  7. Click on the check box for "Use defaults defined by Symantec" so that the box is empty.
  8. Select the dropdown for "When a trojan or worm is detected" and click Terminate to change it from its default of Log.
  9. Slide the sensitivity slider to the far right to set it to 100.
  10. Select the Scan Frequency tab.
  11. Lock all three options by clicking the lock icon so that the icon shows a closed lock.
  12. Reduce the "Scan processes every" value to 15 minutes.


Symantec recommends testing any changes before deploying them to production machines, as many of the changes suggested in this document have the potential to affect machine and network performance.



 

 




Legacy ID



2010020308592948

