Security Response recommendations for Symantec Endpoint Protection 12.1 settings
Article: TECH173752 | Created: 2011-11-07 | Updated: 2011-11-21 | Article URL: http://www.symantec.com/docs/TECH173752
Problem
What settings does Security Response recommend for Symantec Endpoint Protection, and how are those settings configured using the Symantec Endpoint Protection Manager?
Solution
The Symantec Technology and Response (STAR) and the Symantec Endpoint Protection teams have worked together to incorporate Symantec's recommended security posture in Symantec Endpoint Protection Manager as the "High Security" Virus and Spyware Protection policy.
Although the "High Security" settings are the recommended choice, they are not the default. Customer environments cover a wide and varied range, and one recommendation will not fit all. The Symantec Endpoint Protection Manager comes with three pre-configured Virus and Spyware Protection policies: "High Security", "High Performance", and "Balanced". The Balanced policy is the default applied to client groups. These pre-configured policies can be customized or used as examples in the creation of new policies. Customers are encouraged to explore and test the differences, and to choose the policy that best fits their needs.
To view and edit Virus and Spyware Protection policy settings in the Symantec Endpoint Protection Manager console, click on the Policies tab at far left in the console and choose "Virus and Spyware Protection" under Policies at the top of the console; a Tasks column will appear below and your existing policies will be listed to the right. A new policy can be created by right-clicking anywhere in the policy listing and choosing the Add command. An existing policy can be copied/pasted as the basis of a new policy with a right-click->Copy and right-click->Paste. Right-click->Edit or double-click on any of the policies to view and/or edit the settings. These and other commands are also available under the Tasks column.
When creating a new Virus and Spyware Protection policy (instead of copying or editing an existing policy), the policy is populated with the default "Balanced" settings. It is recommended to copy and paste one of the pre-configured policies and edit the copy rather than changing the original.
For these and other instructions (for example, how to assign policies to Endpoint Protection clients), see the Symantec Endpoint Implementation Guide (Section 2: Managing protection on Symantec Endpoint Protection, Chapter 13: Using policies to manage security, Assigning a policy to a group).
Settings from the three pre-configured Virus and Spyware Protection policies are compared below. Where applicable, settings that are locked are listed in red and marked (LOCKED), and those that are unlocked are listed in green and marked (unlocked). All of these settings are configurable by an administrator on the Endpoint Protection Manager, but only settings that are unlocked can be changed by a user (even an administrator) on an Endpoint Protection client. Settings that differ for a particular policy are underlined in bold.
| Administrator-Defined Scans | Balanced | High Performance | High Security |
| Daily Scheduled Scan | Enabled, every day at 12:30AM | Enabled, every day at 12:30AM | Enabled, every day at 12:30AM |
| Scan Type | Active Scan | Active Scan | Active Scan |
| File types | Scan all files | Scan all files | Scan all files |
| Enhance scan by checking: Memory... | Yes | Yes | Yes |
| ...common infection locations | Yes | Yes | Yes |
| ...well-known virus and security risk locations | Yes | Yes | Yes |
| Scan Compressed Files | Yes, 3 levels deep | Yes, 3 levels deep | Yes, 3 levels deep |
| Storage Migration... | Skip offline and sparse files | Skip offline and sparse files | Skip offline and sparse files |
| ...open files with backup semantics | No | No | No |
| Tuning | Best Application Performance | Best Application Performance | Best Application Performance |
| Enable Insight Lookup | Yes | Yes | Yes |
| Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical) |
| Insight reputation detections: 1st action / 2nd action if first fails | Quarantine/Leave alone (log only) | Quarantine/Leave alone (log only) | Quarantine/Leave alone (log only) |
| Schedule | Daily at 12:30AM | Daily at 12:30AM | Daily at 12:30AM |
| Scan Duration | Scan up to 2 hours | Scan up to 2 hours | Scan up to 2 hours |
| Randomize start time | Yes | Yes | Yes |
| Retry scan | Yes, within 72 hours | Yes, within 264 hours | Yes, within 72 hours |
| Malware detections: 1st action / and 2nd action if first fails | Clean/Quarantine | Clean/Quarantine | Clean/Quarantine |
| Virus: Override actions configured for malware? | No | No | No |
| Security Risk detections: 1st action / and 2nd action if first fails | Quarantine/Leave alone—log only | Quarantine/Leave alone—log only | Quarantine/Leave alone—log only |
| Adware: Override actions configured for security risks? | No | No | No |
| Dialer? | No | No | No |
| Hack Tool? | No | No | No |
| Joke Program? | No | No | No |
| Misleading Application? | No | No | No |
| Parental Control? | No | No | No |
| Remote Access? | No | No | No |
| Security Assessment Tool? | No | No | No |
| Security Risk? | No | No | No |
| Spyware? | No | No | No |
| Trackware? | No | No | No |
| Backup files before attempting repair | Yes | Yes | Yes |
| Terminate processes automatically | Yes | Yes | Yes |
| Stop services automatically | Yes | Yes | Yes |
| Display notification on infected computer | No | No | No |
| Administrator On-demand Scan Settings | |||
| Scan the following folders | All Folders | All Folders | All Folders |
| File types | Scan all files | Scan all files | Scan all files |
| Enhance scan by checking: Memory... | Yes | Yes | Yes |
| ...common infection locations | Yes | Yes | Yes |
| ...well-known virus and security risk locations | Yes | Yes | Yes |
| Scan Compressed Files | Yes, 3 levels deep | Yes, 3 levels deep | Yes, 3 levels deep |
| Storage Migration... | Skip offline and sparse files | Skip offline and sparse files | Skip offline and sparse files |
| ...open files with backup semantics | No | No | No |
| Tuning | Best Application Performance | Best Application Performance | Best Application Performance |
| Insight Lookup | Enabled | Enabled | Enabled |
| Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical) |
| Insight detections: 1st action / and 2nd action if first fails | Quarantine/Leave alone—log only | Quarantine/Leave alone—log only | Quarantine/Leave alone—log only |
| Malware detections: 1st action / and 2nd action if first fails | Clean/Quarantine | Clean/Quarantine | Clean/Quarantine |
| Virus: Override actions configured for malware? | No | No | No |
| Security Risk detections: 1st action / and 2nd action if first fails | Quarantine/Leave alone—log only | Quarantine/Leave alone—log only | Quarantine/Leave alone—log only |
| Adware: Override actions configured for security risks? | No | No | No |
| Dialer? | No | No | No |
| Hack Tool? | No | No | No |
| Joke Program? | No | No | No |
| Misleading Application? | No | No | No |
| Parental Control? | No | No | No |
| Remote Access? | No | No | No |
| Security Assessment Tool? | No | No | No |
| Security Risk? | No | No | No |
| Spyware? | No | No | No |
| Trackware? | No | No | No |
| Backup files before attempting repair | Yes | Yes | Yes |
| Terminate processes automatically | Yes | Yes | Yes |
| Stop services automatically | Yes | Yes | Yes |
| Display notification on infected computer | No | No | No |
| Administrator-Defined Scans, Advanced Tab | |||
| Delay scheduled scans when running on batteries | Yes | Yes | Yes |
| Allow user-defined scans to run when user is not logged on | Yes | Yes | Yes |
| Display notifications about detections when user logs on | Yes | Yes | Yes |
| Allow startup scans to run when user logs on | No | No | No |
| Run an active scan when new definitions arrive | Yes | Yes | Yes |
| Show scan progress | No | No | No |
| Auto-Protect | Balanced | High Performance | High Security |
| Auto-Protect Scan Details | |||
| Enabled | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| File types to scan | Scan all files (unlocked) | Scan only selected extensions (common programs and documents) (unlocked) | Scan all files (LOCKED) |
| Scan for security risks | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Block security risks from being installed | Yes (LOCKED) | Yes (LOCKED) | Yes (LOCKED) |
| Scan files on remote computers... | Yes (unlocked) | No (unlocked) | Yes (LOCKED) |
| ...scan remote files only when files are executed | Yes (unlocked) | N/A | Yes (LOCKED) |
| Trust files on remote computers running Auto-Protect | Yes (unlocked) | N/A | Yes (LOCKED) |
| Enable network cache | Yes; keep up to 30 entries, delete entries after 600 seconds (unlocked) | N/A | Yes; keep up to 30 entries, delete entries after 600 seconds (LOCKED) |
| Activities that trigger Auto-Protect scan | File is accessed or modified (unlocked) | File is accessed or modified (unlocked) | File is accessed or modified (LOCKED) |
| Scan when a file is backed up | Yes (unlocked) | No (unlocked) | Yes (LOCKED) |
| Do not scan files when trusted processes access the files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked) |
| Check floppies for boot virus when accessed | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Action to take when floppy boot virus is found | Leave alone (log only) (unlocked) | Leave alone (log only) (unlocked) | Leave alone (log only) (LOCKED) |
| Even if action is 'Leave alone (log only)': delete newly created viruses? | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| ...delete newly created security risks? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Preserve file times | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Malware detections: 1st action / and 2nd action if first fails | Clean/Quarantine (unlocked) | Clean/Quarantine (unlocked) | Clean/Quarantine (LOCKED) |
| Virus: Override actions configured for malware? | No (unlocked) | No (unlocked) | No (unlocked) |
| Security Risk detections: 1st action / and 2nd action if first fails | Quarantine/delete (unlocked) | Quarantine/leave alone (unlocked) | Quarantine/delete (LOCKED) |
| Adware: Override actions configured for security risks? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Dialer? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Hack Tool? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Joke Program? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Misleading Application? | No (unlocked) | No (unlocked) | No (unlocked) |
| Parental Control? | No (unlocked) | No (unlocked) | No (unlocked) |
| Remote Access? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Security Assessment Tool? | No (unlocked) | No (unlocked) | No (unlocked) |
| Security Risk? | No (unlocked) | No (unlocked) | No (unlocked) |
| Spyware? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Trackware? | No (unlocked) | No (unlocked) | No (LOCKED) |
| Backup files before attempting to repair them | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Terminate processes automatically | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Stop services automatically | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Display notification on infected computer | No (unlocked) | No (unlocked) | Yes (LOCKED) |
| Display the Auto-Protect results dialog on the infected computer | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Load auto-protect when | When computer starts (unlocked) | When SEP starts (unlocked) | When computer starts (LOCKED) |
| Check floppies when computer shuts down | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| When Auto-Protect must be reloaded | Stop and reload Auto-Protect (unlocked) | Stop and reload Auto-Protect (unlocked) | Stop and reload Auto-Protect (LOCKED) |
| When Auto-Protect is disabled, enable after X minutes | Yes, 5 minutes (unlocked) | Yes, 5 minutes (unlocked) | Yes, 5 minutes (LOCKED) |
| Enable file cache... | Yes, use default cache size (unlocked) | Yes, use default cache size (unlocked) | Yes, use default cache size (LOCKED) |
| ...rescan cache when new definitions arrive | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Enable Risk Tracer... | No (unlocked) | No (unlocked) | Yes (LOCKED) |
| ...resolve the source computer IP address | N/A | N/A | Yes (LOCKED) |
| ...poll for network sessions every X milliseconds | N/A | N/A | Yes, every 1000 msec (LOCKED) |
| Download Protection | Balanced | High Performance | High Security |
| Enable Download Insight | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Malicious file sensitivity | 5 (Typical) (unlocked) | Level 1 (Minimum) (unlocked) | 5 (Typical) (LOCKED) |
| ...also detect files with X or fewer users | No (unlocked) | No (unlocked) | No (LOCKED) |
| ...also detect files known by users X or fewer days | No (unlocked) | No (unlocked) | No (LOCKED) |
| Automatically trust any file downloaded from an intranet site | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Malicious download detection: first action... | Quarantine (unlocked) | Quarantine (unlocked) | Quarantine (LOCKED) |
| ...if first action fails | Leave alone—log only (unlocked) | Leave alone—log only (unlocked) | Leave alone—log only (LOCKED) |
| Action for unproven files | Prompt (unlocked) | Prompt (unlocked) | Prompt (LOCKED) |
| Display Download Insight notifications on infected computer | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| SONAR | Balanced | High Performance | High Security |
| Enable SONAR | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| High risk detection action | Quarantine (unlocked) | Quarantine (unlocked) | Quarantine (LOCKED) |
| Low risk detection action | Log (unlocked) | Log (unlocked) | Log (LOCKED) |
| Enable aggressive mode | No (unlocked) | No (unlocked) | No (LOCKED) |
| Show alert upon detection | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Prompt before terminating a process | No (unlocked) | No (unlocked) | No (LOCKED) |
| Prompt before stopping a service | No (unlocked) | No (unlocked) | No (LOCKED) |
| Action to take when DNS change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED) |
| Action to take when hosts file change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED) |
| Suspicious behavior high risk detection action | Block (unlocked) | Ignore (unlocked) | Block (LOCKED) |
| Suspicious behavior low risk detection action | Ignore (unlocked) | Ignore (unlocked) | Ignore (LOCKED) |
| TruScan Legacy Client Settings | |||
| Scan for trojans and worms... | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| ...use trojan/worm sensitivity defaults defined by Symantec | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| Scan for keyloggers... | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| ...use keylogger sensitivity defaults defined by Symantec | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| When a commercial keylogger is detected | Log (unlocked) | Log (unlocked) | Log (LOCKED) |
| When a commercial remote control application is detected | Log (unlocked) | Log (unlocked) | Log (LOCKED) |
| How often should TruScan run | At the default frequency (unlocked) | At a custom scanning frequency; scan processes every 6 hours, do not scan new processes (unlocked) | At a custom scanning frequency; scan processes every 15 minutes, scan new processes immediately (LOCKED) |
| Internet, MS Outlook, and Lotus Notes Email Auto-Protect | Balanced | High Performance | High Security |
| Enable Email Auto-Protect | Yes (unlocked) | No (unlocked) | Yes (LOCKED) |
| File types to scan | Scan all files (unlocked) | N/A | Scan all files (LOCKED) |
| Scan inside compressed files | Yes, 3 levels deep (unlocked) | “ | Yes, 3 levels deep (LOCKED) |
| Malware detections: 1st action / and 2nd action if first fails | Clean/Quarantine (unlocked) | “ | Clean/Quarantine (unlocked) |
| Virus: Override actions configured for malware? | No (unlocked) | “ | No (unlocked) |
| Security Risk detections: 1st action / and 2nd action if first fails | Quarantine/Leave alone (unlocked) | “ | Quarantine/Leave alone (LOCKED) |
| Adware: Override actions configured for security risks? | No (unlocked) | “ | No (LOCKED) |
| Dialer? | No (unlocked) | “ | No (LOCKED) |
| Hack Tool? | No (unlocked) | “ | No (LOCKED) |
| Joke Program? | No (unlocked) | “ | No (LOCKED) |
| Misleading Application? | No (unlocked) | “ | No (unlocked) |
| Parental Control? | No (unlocked) | “ | No (unlocked) |
| Remote Access? | No (unlocked) | “ | No (LOCKED) |
| Security Assessment Tool? | No (unlocked) | “ | No (unlocked) |
| Security Risk? | No (unlocked) | “ | No (unlocked) |
| Spyware? | No (unlocked) | “ | No (LOCKED) |
| Trackware? | No (unlocked) | “ | No (LOCKED) |
| Display a notification on the infected computer | Yes (unlocked) | “ | Yes (LOCKED) |
| Insert warning into email message | Yes (unlocked) | “ | Yes (LOCKED) |
| Send email to the sender | No (unlocked) | “ | No (LOCKED) |
| Send email to others | No (unlocked) | “ | No (LOCKED) |
| The following settings apply only to Internet Email Auto-Protect | |||
| Display progress indicator when email is being sent | No (unlocked) | “ | No (LOCKED) |
| Display a notification area icon | No (unlocked) | “ | No (LOCKED) |
| Incoming mail server (POP3) port | 110 (unlocked) | “ | 110 (LOCKED) |
| Outgoing mail server (SMTP) port | 25 (unlocked) | “ | 25 (LOCKED) |
| Allow encrypted POP3 connections | Yes (unlocked) | “ | Yes (LOCKED) |
| Allow encrypted SMTP connections | Yes (unlocked) | “ | Yes (LOCKED) |
| Use outbound worm heuristics | Yes (unlocked) | “ | Yes (LOCKED) |
| Outbound worm detection, first action | Quarantine (unlocked) | “ | Quarantine (LOCKED) |
| Outbound worm detection, second action if first fails | Delete (unlocked) | “ | Delete (LOCKED) |
| Global Scan Options | Balanced | High Performance | High Security |
| Enable Insight | Yes: Symantec Trusted (unlocked) | Yes: Symantec Trusted (unlocked) | Yes: Symantec Trusted (LOCKED) |
| Enable Bloodhound | Yes, automatic (unlocked) | Yes, automatic (unlocked) | Yes, aggressive (LOCKED) |
| Ask for password before scanning mapped network drive | No | No | No |
| Enable Shared Insight Cache | No | No | No |
| Quarantine | Balanced | High Performance | High Security |
| When new definitions arrive, take automatic action on quarantine items | Silent repair and restore | Silent repair and restore | Silent repair and restore |
| Quarantine folder location | Use the default | Use the default | Use the default |
| Allow client computers to manually submit to Security Response | Yes | Yes | Yes |
| Allow client computers to manually submit to Quarantine Server | No | No | No |
| Enable automatic deleting of repaired files... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days |
| ...delete oldest repaired files to limit folder size to X MB | No | No | No |
| Enable automatic deleting of backup files... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days |
| ...delete oldest backup files to limit folder size to X MB | No | No | No |
| Enable automatic deleting of files that could not be repaired... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days |
| ...delete oldest non-repairable files to limit folder size to X MB | No | No | No |
| Miscellaneous | Balanced | High Performance | High Security |
| Disable Windows Security Center | Never | Never | Never |
| Display antivirus alerts within Windows Security Center | Enable | Enable | Enable |
| Display WSC message when definitions are outdated by X days | Warn after 29 days | Warn after 29 days | Warn after 29 days |
| Address to use as browser home page if a security risk changes it | Symantec Security Response | Symantec Security Response | Symantec Security Response |
| Selected events sent from client to management server | Scan aborted, started, stopped; Security risk side effect repair failed; Client running without virus definitions; Virus definition rollback; Antivirus installed; Uninstall, uninstall rolled back; Error loading services | Scan aborted, started, stopped; Security risk side effect repair failed; Client running without virus definitions; Virus definition rollback; Antivirus installed; Uninstall, uninstall rolled back; Error loading services | Scan aborted, started, stopped; Security risk side effect repair failed; Client running without virus definitions; Virus definition rollback; Antivirus installed; Uninstall, uninstall rolled back; Error loading services |
| Delete logs older than X days | 14 days (unlocked) | 14 days (unlocked) | 14 days (unlocked) |
| Send aggregate events every X minutes | 5 minutes | 5 minutes | 5 minutes |
| Days before a warning appears in SEP client for outdated definitions... | 14 days (unlocked) | 14 days (unlocked) | 14 days (unlocked) |
| ...display a notification message on the client computer | No | No | No |
| Remediation attempts before warning appears on a client running without definitions... | 2 | 2 | 2 |
| ...display a notification message on the client computer | No | No | No |
| Display error messages with a URL to a solution | Yes, display URL to Symantec KB article | Yes, display URL to Symantec KB article | Yes, display URL to Symantec KB article |
| Enable Virtual Image Exception for Auto-Protect | No | No | No |
| Enable Virtual Image Exception for Administrator-Defined Scans | No | No | No |
| Macintosh Settings | Balanced | High Performance | High Security |
| Scheduled Scan | |||
| Daily Scheduled Scan | Enabled, every day at 8:00PM | Enabled, every day at 8:00PM | Enabled, every day at 8:00PM |
| Scan Drives or Folders | Folders, Library folder only | Folders, Library folder only | Folders, Library folder only |
| Priority | Low | Low | Medium |
| Administrator On-demand Scan Settings | |||
| Scan Drives or Folders in on-demand Scans | Drives only, Hard drives and removable | Drives only, Hard drives and removable | Drives only, Hard drives and removable |
| Scan compressed files in on-demand scans | Yes | No | Yes |
| Automatically repair files | Yes | Yes | Yes |
| Quarantine files that cannot be repaired | Yes | Yes | Yes |
| On-demand scan infection notification on client | No | No | No |
| Administrator-Defined Scans, Common Settings | |||
| Display a notification message on the infected computer | No | No | No |
| Scan Compressed Files | Yes | No | Yes |
| Allow scan snooze | No | No | No |
| Allow scan cancel | No | No | No |
| Automatically repair files | Yes | Yes | Yes |
| Quarantine files that cannot be repaired | Yes | Yes | Yes |
| Show alerts | ...only when infected files are found | ...only when infected files are found | ...only when infected files are found |
| Macintosh Auto-Protect Settings | |||
| Lock Auto-Protect Settings | No | No | No |
| Enable Auto-Protect | Yes (unlocked) | Yes (unlocked) | Yes (unlocked) |
| Automatically repair files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked) |
| Quarantine files that cannot be repaired | Yes (unlocked) | Yes (unlocked) | Yes (unlocked) |
| Scan Compressed Files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked) |
| What files are scanned by Auto-Protect | Scan everywhere | Scan everywhere | Scan everywhere |
| Scan disks when they are mounted | Yes | Yes | Yes |
| Show progress during mount scans | Yes | Yes | Yes |
| Scan the following disks or devices when mounted (“All”, or select from “Music or video disks”, “iPod”, “Data disks”, “All other disks”) | “iPods”, “Data disks”, “All other disks” | “iPods”, “Data disks”, “All other disks” | “iPods”, “Data disks”, “All other disks” |
| Display notification on infected computer for Auto-Protect detection | Yes | Yes | Yes |
| Display warning on client when definitions are outdated by X days | Yes, 30 days | Yes, 30 days | Yes, 30 days |
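As an added example (not part of this article and not a Symantec tool), the script below parses rows in the pipe-delimited form used by the comparison tables above and reports, for a chosen policy, which settings deviate from the High Security recommendation and which remain unlocked, so that a user on the client could change them. The embedded rows are a constructed sample copied from the tables; the function names are assumptions.

```python
"""Audit a SEP 12.1 Virus and Spyware Protection policy against the
High Security recommendation, using rows in the pipe-delimited form of
this article's comparison tables (constructed sample below)."""
import re

POLICIES = ("Balanced", "High Performance", "High Security")
BASELINE = "High Security"
# "(unlocked)" / "(LOCKED)" suffix as used in the article's tables
LOCK_RE = re.compile(r"\s*\((unlocked|LOCKED)\)\s*$")

# Constructed sample: a few rows copied from the article's tables.
SAMPLE_ROWS = """\
| Auto-Protect | Balanced | High Performance | High Security |
| Auto-Protect Scan Details | |||
| Enabled | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED) |
| File types to scan | Scan all files (unlocked) | Scan only selected extensions (common programs and documents) (unlocked) | Scan all files (LOCKED) |
| Scan files on remote computers... | Yes (unlocked) | No (unlocked) | Yes (LOCKED) |
| Enable Risk Tracer... | No (unlocked) | No (unlocked) | Yes (LOCKED) |
| SONAR | Balanced | High Performance | High Security |
| Action to take when DNS change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED) |
| Suspicious behavior high risk detection action | Block (unlocked) | Ignore (unlocked) | Block (LOCKED) |
| Global Scan Options | Balanced | High Performance | High Security |
| Enable Bloodhound | Yes, automatic (unlocked) | Yes, automatic (unlocked) | Yes, aggressive (LOCKED) |
| Ask for password before scanning mapped network drive | No | No | No |
"""


def split_cell(cell):
    """Split 'Yes (LOCKED)' into ('Yes', 'LOCKED'); lock is None if absent."""
    m = LOCK_RE.search(cell)
    if m is None:
        return cell.strip(), None
    return cell[: m.start()].strip(), m.group(1)


def parse_rows(text):
    """Yield (section, setting, {policy: (value, lock)}) for each data row."""
    section = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip blank lines and sub-headers such as '| Auto-Protect Scan Details | |||'
        if len(cells) != 4 or not any(cells[1:]):
            continue
        if tuple(cells[1:]) == POLICIES:
            section = cells[0]  # a header row names the section that follows
            continue
        yield section, cells[0], dict(zip(POLICIES, map(split_cell, cells[1:])))


def audit(text, policy):
    """Return settings where `policy` deviates from the baseline, and settings
    left unlocked (changeable by a user on the client)."""
    deviations, unlocked = [], []
    for section, setting, values in parse_rows(text):
        value, lock = values[policy]
        baseline_value, _ = values[BASELINE]
        if value != baseline_value:
            deviations.append((section, setting, value, baseline_value))
        if lock == "unlocked":
            unlocked.append((section, setting))
    return {"deviations": deviations, "unlocked": unlocked}


if __name__ == "__main__":
    for policy in POLICIES:
        result = audit(SAMPLE_ROWS, policy)
        print(f"{policy}: {len(result['deviations'])} deviation(s) from "
              f"{BASELINE}, {len(result['unlocked'])} user-changeable setting(s)")
        for section, setting, have, want in result["deviations"]:
            print(f"  [{section}] {setting}: {have} (recommended: {want})")
```

To audit a real comparison, paste the rows exported from the console into the same pipe format in place of the sample.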