Security Response recommendations for Symantec Endpoint Protection 12.1 settings

Article:TECH173752  |  Created: 2011-11-07  |  Updated: 2014-03-18  |  Article URL http://www.symantec.com/docs/TECH173752
Article Type: Technical Solution

Issue

What settings does Security Response recommend for Symantec Endpoint Protection (SEP), and how do I configure those settings using the Symantec Endpoint Protection Manager (SEPM)?

Solution

The Symantec Security Technology and Response (STAR) and the Symantec Endpoint Protection teams have worked together to incorporate Symantec's recommended security posture into Symantec Endpoint Protection Manager as the High Security Virus and Spyware Protection policy.

Although the High Security settings are the recommended choice, they are not the default. Customer environments cover a wide and varied range, and one recommendation does not fit all. The Symantec Endpoint Protection Manager comes with the following preconfigured Virus and Spyware Protection policies:

  • High Security
  • High Performance
  • Balanced

The Balanced policy is the default that applies to client groups. You can customize these preconfigured policies, or use them as examples in the creation of new policies. Symantec encourages you to explore and test the differences, and to choose a policy that best fits your needs.

To view and edit Virus and Spyware Protection policy settings in the Symantec Endpoint Protection Manager console, click Policies, then Virus and Spyware Protection. The existing policies appear in the right pane. To create a new policy, click Add a Virus and Spyware Protection policy under Tasks. To copy an existing policy, right-click the policy you want to copy and click Copy; then right-click in the right pane and click Paste. Double-click any policy to view or edit its settings.

When you create a new Virus and Spyware protection policy (instead of copying or editing an existing policy), the policy populates with the default Balanced settings. You should copy and paste one of the preconfigured policies and edit a copy rather than changing the original.

For these and other instructions (how to assign policies to Endpoint Protection clients), see the installation and administration guide pertaining to your version of Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, or Symantec Network Access Control.
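Assigning a policy in the console does not by itself prove that a client enforces it. The script below is an added example, not part of this article and not a Symantec tool: it reads the state a SEP 12.1 client exposes locally (Auto-Protect on/off, definition date, the two core services) and cross-checks it against what Windows Security Center reports, then triggers a policy refresh with Smc.exe -updateconfig so the check can be repeated. The registry paths, value names, the PatternFileDate byte layout and the service names are assumptions about the 12.1 client layout; confirm them against your own build before relying on the output.

```powershell
# Added example, not part of the Symantec article: audit a SEP 12.1 client's
# effective protection state after a Virus and Spyware Protection policy has
# been assigned from SEPM. Registry paths, value names, the PatternFileDate
# encoding and service names are assumptions about the 12.1 client layout;
# confirm them against your own build before relying on the output.

$ErrorActionPreference = 'Stop'

# SEP client state is assumed to live under this key (Wow6432Node on 64-bit Windows).
$sepRoot = @(
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $sepRoot) { throw 'SEP client registry root not found; is the client installed?' }

function Get-RegValue([string]$Key, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Key -Name $Name).$Name } catch { $null }
}

# Auto-Protect: High Security locks this to Yes; on the client it is assumed to
# appear as OnOff=1 under the RealTimeScan storage key.
$apOn = Get-RegValue (Join-Path $sepRoot 'AV\Storages\Filesystem\RealTimeScan') 'OnOff'

# Definition date: AV\PatternFileDate, assumed to be three bytes
# (years since 1970, zero-based month, day of month).
$pfd = Get-RegValue (Join-Path $sepRoot 'AV') 'PatternFileDate'
$defDate = $null
if ($pfd -and $pfd.Length -ge 3) {
    $defDate = New-Object DateTime -ArgumentList (1970 + $pfd[0]), ($pfd[1] + 1), [int]$pfd[2]
}
$defAge = if ($defDate) { [int]((Get-Date) - $defDate).TotalDays } else { $null }

# Core services (names assumed for 12.1): SepMasterService runs the scanning
# engine, SmcService downloads and enforces policy from SEPM.
$services = Get-Service -Name SepMasterService, SmcService -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Name)=$($_.Status)" }

# Cross-check with Windows Security Center (workstation editions only). In
# productState the 0x10 bit of the second byte means real-time protection is
# on; the 0x10 bit of the low byte means definitions are out of date.
$wsc = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -like 'Symantec*' } | Select-Object -First 1
$wscRealtime = $null
$wscStale    = $null
if ($wsc) {
    $state       = [int]$wsc.productState
    $wscRealtime = ((($state -shr 8) -band 0xFF) -band 0x10) -ne 0
    $wscStale    = (($state -band 0xFF) -band 0x10) -ne 0
}

[pscustomobject]@{
    AutoProtectEnabled  = ($apOn -eq 1)
    DefinitionDate      = $defDate
    DefinitionAgeDays   = $defAge
    Services            = ($services -join ', ')
    WscRealtimeOn       = $wscRealtime
    WscDefinitionsStale = $wscStale
} | Format-List

# If the result does not match the assigned policy, force a policy refresh and
# re-run. Smc.exe is found through the SmcService image path so the versioned
# install folder does not have to be hardcoded.
$smc = (Get-CimInstance -ClassName Win32_Service -Filter "Name='SmcService'").PathName
if ($smc) {
    $smc = $smc.Trim('"')
    if (Test-Path -LiteralPath $smc) { & $smc -updateconfig }
}
```

Run it from an elevated PowerShell prompt on the client. A High Security client should report AutoProtectEnabled True with both services Running; if Auto-Protect reads as off on a client that should have the locked High Security policy, the client has not received the policy (check its group assignment and heartbeat in SEPM) or a local administrator has stopped the service, which the lock does not prevent.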

The following table compares the settings of the three preconfigured Virus and Spyware Protection policies. Where a setting has a lock, the lock state appears in parentheses after the value: (LOCKED) means the setting is locked, (unlocked) means it is not. A Symantec Endpoint Protection Manager administrator can modify all of these settings, but a user on a Symantec Endpoint Protection client computer can modify only unlocked settings, even if that user is also the Symantec Endpoint Protection Manager administrator. In the Balanced and High Performance policies the only locked setting is Block security risks from being installed; High Security locks almost every Auto-Protect, Download Protection, SONAR and Email Auto-Protect setting. Compare the three columns of each row to see where a policy differs.

Administrator-Defined Scans | Balanced | High Performance | High Security
Daily Scheduled Scan | Enabled, every day at 12:30AM | Enabled, every day at 12:30AM | Enabled, every day at 12:30AM
Scan Type | Active Scan | Active Scan | Active Scan
File types | Scan all files | Scan all files | Scan all files
Enhance scan by checking: Memory... | Yes | Yes | Yes
...common infection locations | Yes | Yes | Yes
...well-known virus and security risk locations | Yes | Yes | Yes
Scan Compressed Files | Yes, 3 levels deep | Yes, 3 levels deep | Yes, 3 levels deep
Storage Migration... | Skip offline and sparse files | Skip offline and sparse files | Skip offline and sparse files
...open files with backup semantics | No | No | No
Tuning | Best Application Performance | Best Application Performance | Best Application Performance
Enable Insight Lookup | Yes | Yes | Yes
Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical)
Insight reputation detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Schedule | Daily at 12:30AM | Daily at 12:30AM | Daily at 12:30AM
Scan Duration | Scan up to 2 hours | Scan up to 2 hours | Scan up to 2 hours
Randomize start time | Yes | Yes | Yes
Retry scan | Yes, within 72 hours | Yes, within 264 hours | Yes, within 72 hours
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine | Clean / Quarantine | Clean / Quarantine
Virus: Override actions configured for malware? | No | No | No
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Adware: Override actions configured for security risks? | No | No | No
Dialer? | No | No | No
Hack Tool? | No | No | No
Joke Program? | No | No | No
Misleading Application? | No | No | No
Parental Control? | No | No | No
Remote Access? | No | No | No
Security Assessment Tool? | No | No | No
Security Risk? | No | No | No
Spyware? | No | No | No
Trackware? | No | No | No
Backup files before attempting repair | Yes | Yes | Yes
Terminate processes automatically | Yes | Yes | Yes
Stop services automatically | Yes | Yes | Yes
Display notification on infected computer | No | No | No

Administrator On-demand Scan Settings | Balanced | High Performance | High Security
Scan the following folders | All Folders | All Folders | All Folders
File types | Scan all files | Scan all files | Scan all files
Enhance scan by checking: Memory... | Yes | Yes | Yes
...common infection locations | Yes | Yes | Yes
...well-known virus and security risk locations | Yes | Yes | Yes
Scan Compressed Files | Yes, 3 levels deep | Yes, 3 levels deep | Yes, 3 levels deep
Storage Migration... | Skip offline and sparse files | Skip offline and sparse files | Skip offline and sparse files
...open files with backup semantics | No | No | No
Tuning | Best Application Performance | Best Application Performance | Best Application Performance
Insight Lookup | Enabled | Enabled | Enabled
Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical)
Insight detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine | Clean / Quarantine | Clean / Quarantine
Virus: Override actions configured for malware? | No | No | No
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Adware: Override actions configured for security risks? | No | No | No
Dialer? | No | No | No
Hack Tool? | No | No | No
Joke Program? | No | No | No
Misleading Application? | No | No | No
Parental Control? | No | No | No
Remote Access? | No | No | No
Security Assessment Tool? | No | No | No
Security Risk? | No | No | No
Spyware? | No | No | No
Trackware? | No | No | No
Backup files before attempting repair | Yes | Yes | Yes
Terminate processes automatically | Yes | Yes | Yes
Stop services automatically | Yes | Yes | Yes
Display notification on infected computer | No | No | No

Administrator-Defined Scans, Advanced Tab | Balanced | High Performance | High Security
Delay scheduled scans when running on batteries | Yes | Yes | Yes
Allow user-defined scans to run when user is not logged on | Yes | Yes | Yes
Display notifications about detections when user logs on | Yes | Yes | Yes
Allow startup scans to run when user logs on | No | No | No
Run an active scan when new definitions arrive | Yes | Yes | Yes
Show scan progress | No | No | No
Auto-Protect | Balanced | High Performance | High Security

Auto-Protect Scan Details
Enabled | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
File types to scan | Scan all files (unlocked) | Scan only selected extensions (common programs and documents) (unlocked) | Scan all files (LOCKED)
Scan for security risks | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Block security risks from being installed | Yes (LOCKED) | Yes (LOCKED) | Yes (LOCKED)
Scan files on remote computers... | Yes (unlocked) | No (unlocked) | Yes (LOCKED)
...scan remote files only when files are executed | Yes (unlocked) | N/A | Yes (LOCKED)
Trust files on remote computers running Auto-Protect | Yes (unlocked) | N/A | Yes (LOCKED)
Enable network cache | Yes; keep up to 30 entries, delete entries after 600 seconds (unlocked) | N/A | Yes; keep up to 30 entries, delete entries after 600 seconds (LOCKED)
Activities that trigger Auto-Protect scan | File is accessed or modified (unlocked) | File is accessed or modified (unlocked) | File is accessed or modified (LOCKED)
Scan when a file is backed up | Yes (unlocked) | No (unlocked) | Yes (LOCKED)
Do not scan files when trusted processes access the files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Check floppies for boot virus when accessed | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Action to take when floppy boot virus is found | Leave alone (log only) (unlocked) | Leave alone (log only) (unlocked) | Leave alone (log only) (LOCKED)
Even if action is 'Leave alone (log only)': delete newly created viruses? | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
...delete newly created security risks? | No (unlocked) | No (unlocked) | No (LOCKED)
Preserve file times | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine (unlocked) | Clean / Quarantine (unlocked) | Clean / Quarantine (LOCKED)
Virus: Override actions configured for malware? | No (unlocked) | No (unlocked) | No (unlocked)
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Delete (unlocked) | Quarantine / Leave alone (unlocked) | Quarantine / Delete (LOCKED)
Adware: Override actions configured for security risks? | No (unlocked) | No (unlocked) | No (LOCKED)
Dialer? | No (unlocked) | No (unlocked) | No (LOCKED)
Hack Tool? | No (unlocked) | No (unlocked) | No (LOCKED)
Joke Program? | No (unlocked) | No (unlocked) | No (LOCKED)
Misleading Application? | No (unlocked) | No (unlocked) | No (unlocked)
Parental Control? | No (unlocked) | No (unlocked) | No (unlocked)
Remote Access? | No (unlocked) | No (unlocked) | No (LOCKED)
Security Assessment Tool? | No (unlocked) | No (unlocked) | No (unlocked)
Security Risk? | No (unlocked) | No (unlocked) | No (unlocked)
Spyware? | No (unlocked) | No (unlocked) | No (LOCKED)
Trackware? | No (unlocked) | No (unlocked) | No (LOCKED)
Backup files before attempting to repair them | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Terminate processes automatically | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Stop services automatically | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Display notification on infected computer | No (unlocked) | No (unlocked) | Yes (LOCKED)
Display the Auto-Protect results dialog on the infected computer | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Load Auto-Protect when | When computer starts (unlocked) | When SEP starts (unlocked) | When computer starts (LOCKED)
Check floppies when computer shuts down | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
When Auto-Protect must be reloaded | Stop and reload Auto-Protect (unlocked) | Stop and reload Auto-Protect (unlocked) | Stop and reload Auto-Protect (LOCKED)
When Auto-Protect is disabled, enable after X minutes | Yes, 5 minutes (unlocked) | Yes, 5 minutes (unlocked) | Yes, 5 minutes (LOCKED)
Enable file cache... | Yes, use default cache size (unlocked) | Yes, use default cache size (unlocked) | Yes, use default cache size (LOCKED)
...rescan cache when new definitions arrive | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Enable Risk Tracer... | No (unlocked) | No (unlocked) | Yes (LOCKED)
...resolve the source computer IP address | N/A | N/A | Yes (LOCKED)
...poll for network sessions every X milliseconds | N/A | N/A | Yes, every 1000 msec (LOCKED)
Download Protection | Balanced | High Performance | High Security
Enable Download Insight | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Malicious file sensitivity | Level 5 (Typical) (unlocked) | Level 1 (Minimum) (unlocked) | Level 5 (Typical) (LOCKED)
...also detect files with X or fewer users | No (unlocked) | No (unlocked) | No (LOCKED)
...also detect files known by users for X or fewer days | No (unlocked) | No (unlocked) | No (LOCKED)
Automatically trust any file downloaded from an intranet site | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Malicious download detection: first action... | Quarantine (unlocked) | Quarantine (unlocked) | Quarantine (LOCKED)
...if first action fails | Leave alone (log only) (unlocked) | Leave alone (log only) (unlocked) | Leave alone (log only) (LOCKED)
Action for unproven files | Prompt (unlocked) | Prompt (unlocked) | Prompt (LOCKED)
Display Download Insight notifications on infected computer | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
SONAR | Balanced | High Performance | High Security
Enable SONAR | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
High risk detection action | Quarantine (unlocked) | Quarantine (unlocked) | Quarantine (LOCKED)
Low risk detection action | Log (unlocked) | Log (unlocked) | Log (LOCKED)
Enable aggressive mode | No (unlocked) | No (unlocked) | No (LOCKED)
Show alert upon detection | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Prompt before terminating a process | No (unlocked) | No (unlocked) | No (LOCKED)
Prompt before stopping a service | No (unlocked) | No (unlocked) | No (LOCKED)
Action to take when DNS change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED)
Action to take when hosts file change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED)
Suspicious behavior high risk detection action | Block (unlocked) | Ignore (unlocked) | Block (LOCKED)
Suspicious behavior low risk detection action | Ignore (unlocked) | Ignore (unlocked) | Ignore (LOCKED)

TruScan Legacy Client Settings | Balanced | High Performance | High Security
Scan for trojans and worms... | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
...use trojan/worm sensitivity defaults defined by Symantec | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Scan for keyloggers... | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
...use keylogger sensitivity defaults defined by Symantec | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
When a commercial keylogger is detected | Log (unlocked) | Log (unlocked) | Log (LOCKED)
When a commercial remote control application is detected | Log (unlocked) | Log (unlocked) | Log (LOCKED)
How often should TruScan run | At the default frequency (unlocked) | At a custom scanning frequency: scan processes every 6 hours, do not scan new processes (unlocked) | At a custom scanning frequency: scan processes every 15 minutes, scan new processes immediately (LOCKED)
Internet, MS Outlook, and Lotus Notes Email Auto-Protect | Balanced | High Performance | High Security
(Email Auto-Protect is disabled in the High Performance policy, so the remaining settings in this section do not apply to it.)
Enable Email Auto-Protect | Yes (unlocked) | No (unlocked) | Yes (LOCKED)
File types to scan | Scan all files (unlocked) | N/A | Scan all files (LOCKED)
Scan inside compressed files | Yes, 3 levels deep (unlocked) | N/A | Yes, 3 levels deep (LOCKED)
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine (unlocked) | N/A | Clean / Quarantine (unlocked)
Virus: Override actions configured for malware? | No (unlocked) | N/A | No (unlocked)
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (unlocked) | N/A | Quarantine / Leave alone (LOCKED)
Adware: Override actions configured for security risks? | No (unlocked) | N/A | No (LOCKED)
Dialer? | No (unlocked) | N/A | No (LOCKED)
Hack Tool? | No (unlocked) | N/A | No (LOCKED)
Joke Program? | No (unlocked) | N/A | No (LOCKED)
Misleading Application? | No (unlocked) | N/A | No (unlocked)
Parental Control? | No (unlocked) | N/A | No (unlocked)
Remote Access? | No (unlocked) | N/A | No (LOCKED)
Security Assessment Tool? | No (unlocked) | N/A | No (unlocked)
Security Risk? | No (unlocked) | N/A | No (unlocked)
Spyware? | No (unlocked) | N/A | No (LOCKED)
Trackware? | No (unlocked) | N/A | No (LOCKED)
Display a notification on the infected computer | Yes (unlocked) | N/A | Yes (LOCKED)
Insert warning into email message | Yes (unlocked) | N/A | Yes (LOCKED)
Send email to the sender | No (unlocked) | N/A | No (LOCKED)
Send email to others | No (unlocked) | N/A | No (LOCKED)

The following settings apply only to Internet Email Auto-Protect | Balanced | High Performance | High Security
Display progress indicator when email is being sent | No (unlocked) | N/A | No (LOCKED)
Display a notification area icon | No (unlocked) | N/A | No (LOCKED)
Incoming mail server (POP3) port | 110 (unlocked) | N/A | 110 (LOCKED)
Outgoing mail server (SMTP) port | 25 (unlocked) | N/A | 25 (LOCKED)
Allow encrypted POP3 connections | Yes (unlocked) | N/A | Yes (LOCKED)
Allow encrypted SMTP connections | Yes (unlocked) | N/A | Yes (LOCKED)
Use outbound worm heuristics | Yes (unlocked) | N/A | Yes (LOCKED)
Outbound worm detection, first action | Quarantine (unlocked) | N/A | Quarantine (LOCKED)
Outbound worm detection, second action if first fails | Delete (unlocked) | N/A | Delete (LOCKED)
Global Scan Options | Balanced | High Performance | High Security
Enable Insight | Yes: Symantec Trusted (unlocked) | Yes: Symantec Trusted (unlocked) | Yes: Symantec Trusted (LOCKED)
Enable Bloodhound | Yes, automatic (unlocked) | Yes, automatic (unlocked) | Yes, aggressive (LOCKED)
Ask for password before scanning mapped network drive | No | No | No
Enable Shared Insight Cache | No | No | No
Quarantine | Balanced | High Performance | High Security
When new definitions arrive, take automatic action on quarantine items | Silent repair and restore | Silent repair and restore | Silent repair and restore
Quarantine folder location | Use the default | Use the default | Use the default
Allow client computers to manually submit to Security Response | Yes | Yes | Yes
Allow client computers to manually submit to Quarantine Server | No | No | No
Enable automatic deleting of repaired files... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days
...delete oldest repaired files to limit folder size to X MB | No | No | No
Enable automatic deleting of backup files... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days
...delete oldest backup files to limit folder size to X MB | No | No | No
Enable automatic deleting of files that could not be repaired... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days
...delete oldest non-repairable files to limit folder size to X MB | No | No | No
Miscellaneous | Balanced | High Performance | High Security
Disable Windows Security Center | Never | Never | Never
Display antivirus alerts within Windows Security Center | Enable | Enable | Enable
Display WSC message when definitions are outdated by X days | Warn after 29 days | Warn after 29 days | Warn after 29 days
Address to use as browser home page if a security risk changes it | Symantec Security Response | Symantec Security Response | Symantec Security Response
Selected events sent from client to management server | Scan aborted, started, stopped; Security risk side effect repair failed; Client running without virus definitions; Virus definition rollback; Antivirus installed; Uninstall, uninstall rolled back; Error loading services | Same as Balanced | Same as Balanced
Delete logs older than X days | 14 days (unlocked) | 14 days (unlocked) | 14 days (unlocked)
Send aggregate events every X minutes | 5 minutes | 5 minutes | 5 minutes
Days before a warning appears in SEP client for outdated definitions... | 14 days (unlocked) | 14 days (unlocked) | 14 days (unlocked)
...display a notification message on the client computer | No | No | No
Remediation attempts before warning appears on a client running without definitions... | 2 | 2 | 2
...display a notification message on the client computer | No | No | No
Display error messages with a URL to a solution | Yes, display URL to Symantec KB article | Yes, display URL to Symantec KB article | Yes, display URL to Symantec KB article
Enable Virtual Image Exception for Auto-Protect | No | No | No
Enable Virtual Image Exception for Administrator-Defined Scans | No | No | No
Macintosh Settings | Balanced | High Performance | High Security

Scheduled Scan
Daily Scheduled Scan | Enabled, every day at 8:00PM | Enabled, every day at 8:00PM | Enabled, every day at 8:00PM
Scan Drives or Folders | Folders, Library folder only | Folders, Library folder only | Folders, Library folder only
Priority | Low | Low | Medium

Administrator On-demand Scan Settings
Scan Drives or Folders in on-demand scans | Drives only, hard drives and removable | Drives only, hard drives and removable | Drives only, hard drives and removable
Scan compressed files in on-demand scans | Yes | No | Yes
Automatically repair files | Yes | Yes | Yes
Quarantine files that cannot be repaired | Yes | Yes | Yes
On-demand scan infection notification on client | No | No | No

Administrator-Defined Scans, Common Settings
Display a notification message on the infected computer | No | No | No
Scan Compressed Files | Yes | No | Yes
Allow scan snooze | No | No | No
Allow scan cancel | No | No | No
Automatically repair files | Yes | Yes | Yes
Quarantine files that cannot be repaired | Yes | Yes | Yes
Show alerts | Only when infected files are found | Only when infected files are found | Only when infected files are found

Macintosh Auto-Protect Settings
Lock Auto-Protect Settings | No | No | No
Enable Auto-Protect | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Automatically repair files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Quarantine files that cannot be repaired | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Scan Compressed Files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
What files are scanned by Auto-Protect | Scan everywhere | Scan everywhere | Scan everywhere
Scan disks when they are mounted | Yes | Yes | Yes
Show progress during mount scans | Yes | Yes | Yes
Scan the following disks or devices when mounted (All, or any of: Music or video disks, iPod, Data disks, All other disks) | iPods, Data disks, All other disks | iPods, Data disks, All other disks | iPods, Data disks, All other disks
Display notification on infected computer for Auto-Protect detection | Yes | Yes | Yes
Display warning on client when definitions are outdated by X days | Yes, 30 days | Yes, 30 days | Yes, 30 days

Attachments

Microsoft Excel 97/2000/XP format spreadsheet used for policy settings table
table.xls (36 kBytes)

Terms of use for this information are found in Legal Notices