Symantec Endpoint Protection 12.1 Policy - Virus and Spyware Protection

Article:TECH190753  |  Created: 2012-06-11  |  Updated: 2014-09-25  |  Article URL http://www.symantec.com/docs/TECH190753
Article Type
Technical Solution

Product(s)

Issue



You need more details about the Options in the Policies of the Symantec Endpoint Protection Manager (SEPM)


Cause



Virus and Spyware Protection Policy


Solution



Overview: Use the Overview page to provide an overview for each policy. If required, you can assign this policy to specific locations in a group.

Table: Policy overview options

Tab Description
Policy Name

Provides the name and description for each policy.

The following options are available:

  • Policy name: Name of the policy. When you create a new policy, this text box is mandatory.
  • Description: Description of the policy.
  • Enable this policy: Enables a policy and assigns it to a location or group.

Disable the policy if you want to set up the policy and download the settings to the client at a later time. Policies are enabled by default.

Note: You cannot disable a Virus and Spyware policy or a LiveUpdate policy.

  • Created: The policy creator.
  • Last modified: Date of the last policy modification.
After you click OK, the new policy name and description appear in the policy list in each policy's main window.
Used By

Identifies the groups and locations to which this policy is applied.

Note: This tab appears when you edit a policy, not when you initially create one. After you assign the policy, the tab appears with the groups and locations. You can change the tree view to a list view.

 

More Information: Performing tasks that are common to all security policies

 

 

Scheduled Scans:

 

Administrator- defined Scans: Scans

Use the Scans tab to add or edit a scheduled scan to a policy, or to specify settings for on-demand scans. On-demand scans are the manual scans that run on a client at the administrator's request.

Administrators define scheduled scans to run on client computers at configurable intervals. Administrators can predefine a specific set of scan settings for running on-demand scans on clients from the console.

Under Administrator On-demand Scan, click Edit to specify the type of scan that occurs when an administrator activates a scan from the console.

More Information

About the types of scans and real-time protection

Setting up scheduled scans that run on Windows computers

 

 

Administrator-defined Scans: Advanced 

Use this tab to set options for scheduled scans and startup and triggered scans, and for users on the computers that run these scans.

Table: Scheduled scans advanced options

Option

Description

Scheduled Scans

Specified options for scheduled scans.

Delay scheduled scans when running on batteries

Specifies that scheduled scans be delayed when a computer is running on batteries.

This option is enabled by default. You can disable this option to allow scheduled scans to run as scheduled, even when a computer is running on batteries.

Allow user-defined scheduled scans to run when the scan author is not logged on

Specifies that user-defined scheduled scans run as scheduled when the scan author is not logged on.

By default, user-defined scheduled scans always run at the scheduled time. This option can be particularly useful in the case of unmanaged client computers that do not use administrator-defined scheduled scans.

You can disable this option to prevent user-defined scheduled scans from running when the user who created the scan is not logged on. You may want to disable this option for multiuser computers.

NOTE: If this option is enabled and the user is logged off when the scan begins, the scan progress dialog box does not display. You can check scan status in this instance by looking in the System log.

 

On multiuser workstations, when this option is enabled, scan progress is displayed as follows:

  • If no users are logged on, the scan progress dialog box does not appear, even if a user logs on during a scan.

  • For the first user to log on, the scan progress dialog box does not appear during a scheduled scan that another user defined.

  • For the first user to log on, the scan progress dialog box appears during a scheduled scan that this user defined. The scan progress dialog box does not appear if the user has not configured the scan to allow it.

  • If an administrator-defined scheduled scan runs when no user is logged on, the scan progress dialog box does not appear. When a user logs on, the scan progress dialog box appears.

Users who are not logged on when their scan runs must look at the Scan Log to see the scan results.

 

Display notifications about detections when the user logs on

Displays notifications when a user logs on and scans have been running in the background. The option is enabled by default. The administrator can disable this option to have a completely silent application, with no notifications displayed to the user.

 

Table: Startup and triggered scan advanced options

Option

Description

Allow startup scans to run when users log on

Allows startup scans to run when a user logs on.

This option applies to all startup scans. If you disable this option, startup scans do not run when users log on.

Allow users to modify startup scans

Determines whether users can modify startup scans.

This option is enabled by default. You can change this option only when the Run startup scans when users log on parameter is enabled.

Run an Active Scan when new definitions arrive

Starts an Active Scan when new definitions arrive to check for any risks that the new definitions can detect

By default, an Active Scan is run when new definitions arrive. If you disable this option, you weaken the protection available to your client computers. You should only disable this option if you have special configuration or exclusion needs that conflict with this automatically triggered scan.

If you set the tuning option for an Active Scan to Best Application Performance, the active scan might wait to start up to 15 minutes if the computer is not idle.

 

Table: Scan progress options

Option

Description

Select scan progress options

Specifies what users see on their computers when a scan is running.

Select one of the following:

  • Do not show scan progress

  • Show scan progress

  • Show scan progress if risk detected

  • Show scan progress if medium or higher risk impact detected

When you allow users to view scan progress, the following options appear in the main pages of the client UI:

  • When a scan runs, the message link scan in progress appears.

    The user can click the link to display the scan progress.

  • A link to reschedule the next scheduled scan also appears.

Close the scan progress window when done

Specifies that the scan progress window closes automatically when the scan is finished.

This option is available when you select either Show scan progress or Show scan progress if risk detected. This option is enabled by default.

Allow the user to stop the scan

Allows users to stop the scans that start on their computers.

This option is available when you select either Show scan progress or Show scan progress if risk detected. This option is disabled by default.

Allow the user to pause or snooze a scan

Allows the users to pause or snooze the scans that start on their computers.

This option is available when you select either Show scan progress or Show scan progress if risk detected. This option is enabled by default. When this option is enabled, click Pause Options to specify pause and snooze options.

 

 

 

 

Protection Technology:

 

Auto-Protect: Scan Details

Use the Scan Details tab to configure scanning and drive type options for Auto-Protect scans of files and processes.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.

Use an Exceptions policy to specify scan exclusions for files or folders.

Table: Auto-Protect scan detail options

 

Option Description

Enable Auto-Protect

 Enables or disables Auto-Protect for the file system.

By default, Auto-Protect is enabled.

If you disable Auto-Protect, you automatically make the following changes to the protection on your client computers:

  • Download Insight does not function even if Download Insight is enabled.
  • SONAR does not detect heuristic threats. SONAR detection of system changes or host file changes, however, continues to function.
Scanning

You can scan all file types or only files with selected extensions.

File types

The following options are available:

  • Scan all files: Scans all files on the computer, regardless of type.
  • Scan only selected extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents, if you have files that use the extensions that are not already in the list. You can also reset this option to its default value.
  • Determine file types by examining file contents: Scans a specific, configurable group of the file extensions that contain executable code, and all .exe and .doc files. The Symantec Endpoint Protection client reads each file's header to determine its file type. It scans .exe and .doc files even if a virus changes the file extensions for the .exe and the .doc files. This option is disabled by default.
  • Select Extensions: Specifies that only certain file extensions should be included in the scan

          You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. The client does not scan any files that have extensions that are not in the list.

Note: If you want to exclude files or folders from scans, create an exception.

Additional options

Additional options include the following:

  • Scan for security risks: This option is enabled by default. Note: This option has no effect on the computers that run earlier versions of the client.
  • Block security risks from being installed: If Auto-Protect determines that it would not be harmful to a computer to block a security risk, then it blocks the risk. This option is enabled by default.
  • Advanced Scanning and Monitoring: Provides options for triggering automatic scans and other advanced options.

 

Network Settings

Network settings provides the following options for scanning files on remote computers:

  • Scan files on remote computers: Enables or disables scanning on network drives. If you disable this option, you might improve client computer performance.
  • Only when files are executed: By default, Auto-Protect scans files on remote computers only when file are executed. You can disable this option to scan all files on remote computers, but you might impact your client computer performance.
  • Network Settings: When scanning is enabled on network drives, Auto-Protect scans files when a client computer or a server accesses them from a server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache. 

 More Information: About exceptions to Symantec Endpoint Protection

Actions

You can configure actions for virus and spyware detections.

Note: You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.

Table: Actions options

Detection type

Action options

Malware

You can configure a first action to take and a second action to take if the first action fails.

Actions for viruses include the following actions:

  • Clean risk (default first action): Tries to clean the infected file when a virus is found.
  • Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
  • Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin. 

          If the client cannot delete the file, detailed information about the action appears in the Notifications window and the System log.

  • Leave alone (log only): Denies the access to the file, displays a notification, and logs the event. Use this option to take manual control of how the client handles a virus.

          When you select this action, by default Symantec Endpoint Protection automatically deletes newly created or saved infected files.

          When you are notified of a virus, open the Risk log, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

          You can also specify an action for the risk in the Risk log.

See Risk logs and reports

Security Risks

You can configure security risk actions as follows:

  • Configure the same actions to take for all security risks.
  • Configure the same actions for a whole category of security risks.
  • Configure individual security risk exceptions to the actions that you set for specific categories. The Override actions configured for Security Risks option is disabled by default. 

You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following: 

  • Quarantine risk (default first action): Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. The client removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
  • Delete risk: Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin.

         Use this action with caution. The deletion of security risks can cause applications to lose functionality.

         If the client cannot delete files, detailed information about the actions appears in the Notifications window and the System log.

  • Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how the client handles a security risk.

          When you select this action, by default Symantec Endpoint Protection automatically deletes the newly created or saved files that are security risks.

          You can use the Risk log in the console to specify the action for the logged risk. Users on client computers can use the logs to specify the action as well.

You can also lock exceptions so that users cannot create their own security risk exceptions for scans. 

Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default the client blocks the risk. If the block action might make the computer unstable, the client waits after the application installation. The client then performs the configured action on the security risk.

 

Table: Remediation options

Option

Description

Back up files before attempting to repair them

Backs up the infected file before repairing it

When this option is enabled, the original virus-infected file is encrypted and then copied into the Quarantine folder. If you need, you can use this unrepaired backup file to return the file to its original, but infected state.

Note: If you disable this option, files that contain viruses are not backed up before repairs are tried.

 

This setting applies only to virus-infected files. For security risks, if the action you have configured is Delete risk, no backup files are created. If the action that you configure is Quarantine risk, the security risk files are always backed up, regardless of this setting.

 

Terminate processes automatically

Enables or disables notifications on infected computers when the client must terminate a process to remove or repair a risk.

When this option is enabled, the client automatically takes the necessary action without notifying users.

Note: Users are always notified when a restart is required. They are allowed to save data and close open applications or to opt out of the restart.

Stop services automatically

Enables or disables notifications on infected computers when the client must stop a service to remove or repair a risk.

When this option is enabled, the client automatically takes the necessary action without notifying users.

Note: Users are always notified when a restart is required. They are allowed to save data and close open applications or to opt out of the restart.

 




Article URL http://www.symantec.com/docs/TECH190753


Terms of use for this information are found in Legal Notices