Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Block a user's ability to disable Symantec Endpoint Protection on Clients

Created: 22 Feb 2010 | 26 comments

Hi, I am using the SEPM 11.0 RU5 and not able to Block a User's ability to disable SEP on Client.

The process is given in

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110514540148

But it won't work

Anybody has any idea?

Comments 26 CommentsJump to latest comment

AravindKM's picture

Whether non of the settings are working or some of them. Also assure that clients got latest policy.This you can find with the help of policy sl. no. 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

anil4urhelp's picture

Policy is properly implemented on clients. But "Disable SEPM is not grey out" any other suggestion.

One Man Army! One Man Show!

AravindKM's picture

"Disable SEPM is not grey out" do you mean "Disable Symantec Endpoint Protection not grayed-out".
Try by restarting the client. 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Rafeeq's picture

you need to close the lock symbol as per this document
follow these steps top to bottom,

Step 2: Remove the right to disable Threat detection:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click Clients.
  3. Select the group that contains the clients you want to be affected.
  4. Click Policies.
  5. Expand Location-specific Policies
  6. Click Antivirus and Antispyware policy.
  7. Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
  8. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
  9. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
  10. Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
  11. Click TruScan Proactive Threat Scans, then lock this feature by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
  12. Click OK.
anil4urhelp's picture

NO Luck !!! even i done all the things mentioned in Step 2. Even now user is able to Disable the SEP.

One Man Army! One Man Show!

AravindKM's picture

Keep the Client User Interface Control Settings as Server control and try.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

anil4urhelp's picture

How could i Keep the Client User Interface Control Settings as Server Control?

But i think my Client User under Location -> Edit - > Server Control , Mixed Control. Server Control is selected.

One Man Army! One Man Show!

deepak.vasudevan's picture

I see this in my box too. The helpdesk person says I can not disable. But the options are readily available.

Rafeeq's picture

check the policy use count of your antivirus and antispyware, make sure you have applied to all the groups, and you are indeed checking on the system which has the policy applied :)) 

sprewell's picture

Hi Rafeeq i think what user want to know is how can he prevent the user not to disable the symantec endpoint protection. Hi if  you have a (AD) active directory in your location just remove the domain admin and administrator rights of the user just leave the domain user and it will automatically grey out the disable symantec endpoint protection. But if your client or organization needs the domain admin and administrator rights there still a work around left same as my current settings open your symantec endpoint protection manager open clients policies location specific settings edit client user interface click on server control in general uncheck the display the client then applied ok.  Then after that if you want to take effect immediately run the command on group. The endpoint protection in the taskbar will not be visible. Hope this will help.

Tabgw's picture

Sorry, i have the same issue, and this is happening to admins and non admins. I have tried almost everything mentioned in this thread and still unable to make the "disable symantec endpoint protection" gray out.

AravindKM's picture

In SEPM go to  Clients -------> <the group which the client resides> ----->policies (right side)--->General settings----->Security settings Here you put some password for opening the client GUI and see whether it is getting effective..

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Tabgw's picture

I have applied a password so users are unable. but problem is when they right click on the systray, disabling the client protection is enabled

Ajit Jha's picture

Probably the policy might have not being recieved by the clients, because i face the same issue at a Customer's end but when i dployed the settings it didn't work but the very next morning it was applied.
Might be a delay in policy inheritance

Regard's

Ajit Jha

Technical Consultant

ASC & STS

Ronnieml's picture

Click on the image of the podlock to lock and unlock it not the words itself.

ajkreddy's picture

Go to Antivirus and Antispyware policy and select truscan proactive threat scans and in scan details, LOCK scan for keyloggers. Now it will disable user to disable SEP. In case of emergency, if administrator wants to disable protection, he needs to run command smc -stop. Make sure you start it back smc -start. ALONG WITH THESE STEPS, YOU NEED TO FOLLOW SYMANTEC STEPS IN THE LINK BELOW.

http://service1.symantec.com/support/ent-security.nsf/docid/2007110514540148?Open&seg=ent

Regards,
Jeevan Reddy

Shajee's picture

Hi,

I'm am usingSymantec Endpoint Protection version 11.0.6005.562 , like other Administrators above I'd like to disable users ability to disable the symantec clients. So I tried the Instruction mentioned in http://service1.symantec.com/support/ent-security.nsf/docid/2007110514540148?Open&seg=ent but the problem is there is no lock option next to enable client .

Rafeeq's picture

its not on the client; its on the policy in the SEPM; where you will see a small lock option...

Shajee's picture

Yes, for example, I opened the Antivirus and Antispyware policy> File System Auto-Protect>Scan Details. There is a tick button for "Enable System Auto-Protect" but the option to lock this button is not there that's why i cant lock it down.Unlike previous version there is a button beside with the podlock icon that you can toggle to lock or unlock the enable option.

Tabgw's picture

We the same issue as you Shajee! I wonder if there is an available update to this current version?

Sprechen Sie SEP's picture

I had this issue as well.  I did some poking around in the settings.  In SEP Manager go to Clients and select  your client group.  Click the Policies tab.  Toward the bottom of the Location-specific Policies and Settings you should see Location-specific Settings.  Expand that and click the link for Server Control.  Click the Customize button that appears next to Server Control.  Uncheck "Allow users to enable and disable Network Threat Protection".  You should be good to go.

mon_raralio's picture

Everybody is partially right here. :D

What the previous posts says is to lock the settings, but each suggestion is for one component only. End users can still be able to click on the "Disable.." option, but only the unlocked components will be disabled. I've previously setup for a client to allow the endusers to disable NTP but AV will still run. The client will PC has the "Disable..." option clickable but only the NTP component is stopped. Checking on task manager shows that the AV component is still up.

“Your most unhappy customers are your greatest source of learning.”