Security Response recommendations for Symantec Endpoint Protection settings
Article: TECH122943 | Created: 2010-01-03 | Updated: 2014-01-03 | Article URL: http://www.symantec.com/docs/TECH122943
You would like to know what settings Security Response recommends for Symantec Endpoint Protection 11 (SEP 11) and how to set those settings using the Symantec Endpoint Protection Manager (SEPM).
The default configuration of Symantec Endpoint Protection does not fully use the protection the product offers; it can be modified so that the client scans more aggressively and responds more forcefully when a detection occurs. This document explains how to modify the relevant settings.
Security Response recommends the following scan settings:
| Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
| Remediation: terminate processes | No | No | Yes |
| Remediation: terminate services | No | No | Yes |
| Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
| Bloodhound Level | Default (2) | Default (2) | Default (3) |
| SEP Startup | System Start | System Start | System Start |
| Auto-Protect Scan | Modify and access | Modify and access | Modify and access |
To make changes to these settings, do the following:
- Navigate to the Policies tab in the Symantec Endpoint Protection Manager.
- Select the policy you would like to modify.
- Right-click that policy and choose the Edit option.
- Once in the Antivirus and Antispyware policy, select "File System Auto-Protect" from the list on the left.
- Select the "Scan Details" tab.
- Lock all options. Any option not locked is configurable at the client.
- Enable network scanning by clicking the box next to "Network Settings" until it shows a check mark.
- Click the "Advanced Scanning and Monitoring" button.
- Lock all options.
- Click the box next to "Enable Bloodhound(TM) heuristic virus detection" so that it shows a check mark.
- Open the drop-down next to "Level of protection to use" and select "Maximum".
- Click the button labeled "OK".
- Select the "Actions" tab.
- Lock all options.
- Select "Security Risks" under the Detection heading.
- Open the drop-down for "First action" and change it to "Quarantine risk".
- Open the drop-down for "If first action fails" and change it to "Delete risk".
- Click the box next to "Terminate processes automatically" so that it shows a check mark.
- Click the box next to "Stop services automatically" so that it shows a check mark.
- Click "OK" to save your changes.
Security Response recommends the following setting changes to TruScan for best protection:
| TruScan | Default Setting | Security Response Recommendation |
| Action on Detection | Log | Terminate |
To make the recommended changes:
- Navigate to the Policies tab in the Symantec Endpoint Protection Manager.
- Select the policy you would like to modify.
- Right-click that policy and choose the Edit option.
- Once in the Antivirus and Antispyware policy, select "TruScan Proactive Threat Scans" from the list on the left.
- Select the "Scan Details" tab.
- Lock the following options by clicking the lock icon so that it shows a closed lock: "Scan for trojans and worms", "Use defaults defined by Symantec", "When a trojan or worm is detected" (within the sensitivity threshold), and "Sensitivity".
- Click the check box for "Use defaults defined by Symantec" so that the box is empty, as shown in the screenshot.
- Open the drop-down for "When a trojan or worm is detected" and click "Terminate" to change it from its default of "Log", as shown in the screenshot above.
- Slide the sensitivity slider to the far right to set it to 100, as shown in the screenshot above.
- Select the "Scan Frequency" tab.
- Lock all three options by clicking the lock icon so that it shows a closed lock.
- Reduce the "Scan processes every" value to 15 minutes.
Symantec recommends testing any changes before deploying them to production machines, because many of the settings suggested in this document have the potential to affect machine and network performance.