Recommended settings for Endpoint Protection 11

Article:TECH122943  |  Created: 2010-01-03  |  Updated: 2014-11-21  |  Article URL http://www.symantec.com/docs/TECH122943
Article Type
Technical Solution


Issue



This article describes the recommended settings for Symantec Endpoint Protection (SEP) 11, and how to set them using Symantec Endpoint Protection Manager (SEPM).

 


Cause



The default settings for Symantec Endpoint Protection do not make full use of the protection the product offers. They can be modified to scan more aggressively and to take stronger action when a detection occurs. This document explains how to modify the relevant settings.


Solution



Recommended scan settings

| Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
|---|---|---|---|
| Lock settings | Some | Some | All |
| Remediation: terminate processes | No | No | Yes |
| Remediation: terminate services | No | No | Yes |
| Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
| Network Auto-Protect | Disabled | Enabled | Enabled |
| Bloodhound Level | Default (2) | Default (2) | Default (3) |
| SEP Startup | System Start | System Start | System Start |
| Auto-Protect Scan | Modify and access | Modify and access | Modify and access |

To implement the recommended settings:

  1. In the Symantec Endpoint Protection Manager, click the Policies tab.
  2. Right-click the policy you want to modify, and click Edit.
  3. Once in the Antivirus and Antispyware policy, select File System Auto-Protect from the list on the left.
  4. Click the Scan Details tab.
  5. Lock all options. Any option not locked is configurable at the client.
  6. Check Network Settings to enable network scanning.
  7. Click Advanced Scanning and Monitoring.
  8. Lock all options.
  9. Check Enable Bloodhound(TM) heuristic virus detection.
  10. Click the Level of protection to use drop-down, and select Maximum.
  11. Click OK.
  12. Click the Actions tab.
  13. Lock all options.
  14. Under Detection, select Security Risks.
  15. Click the First Action drop-down, and select Quarantine risk.
  16. Click the If first action fails drop-down, and select Delete risk.
  17. Check Terminate processes automatically.
  18. Check Stop services automatically.
  19. Click OK.

Recommended TruScan settings

| TruScan | Default Setting | Security Response Recommendation |
|---|---|---|
| Scan Sensitivity | 9/Low | 100 |
| Action on Detection | Log | Terminate |
| Scan Frequency | 1:00 | 00:15 |

To implement the recommended settings:

  1. In the Symantec Endpoint Protection Manager, click the Policies tab.
  2. Right-click the policy you want to modify, and click Edit.
  3. Once in the Antivirus and Antispyware policy, select TruScan Proactive Threat Scans from the list on the left.
  4. Click the Scan Details tab.
  5. Lock the following options by clicking the lock icon so that it shows a closed lock: Scan for trojans and worms, Use defaults defined by Symantec, When a trojan or worm is detected within the sensitivity threshold, Sensitivity.
  6. Uncheck Use defaults defined by Symantec.
  7. Click the When a trojan or worm is detected drop-down, and select Terminate (instead of the default of Log).
  8. Slide the sensitivity slider to the far right. This sets it to 100.
  9. Lock all three options by clicking the lock icon so that the icon shows a closed lock.
  10. Reduce the Scan processes every value to 15 minutes.

Symantec recommends testing any changes before deploying them to production machines, because many of the changes suggested in this document can affect machine and network performance.




Legacy ID



2010020308592948

