Video Screencast Help

Difference between Scan Engines of 11.x and 12.x SEP

Created: 12 Jun 2012 | 6 comments

Hi all,

Does Symantec 12.1 Endpoint Protection scans faster than 11.x?

Whats the difference between there Engines?

Comments 6 CommentsJump to latest comment

Mithun Sanghavi's picture


The Scan Engines for 11.x and 12.x SEP are lot different. The scan engine in 12.1 is much better.

A Quick Check on these Articles:

What is new in the 12.1 product.

Difference between SEP 11 & SEP 12

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Simpson Homer's picture

There are many differences between SEP 11.x and SEP 12.1 a few are listed below.

SEP 11.x can create package with only two options i.e. reboot is required or not

Reboot Manager is a new feature it manages reboot at the endpoints.

Ability to schedule reboots.

Gives more power to the SEPM admin(s) to manage reboot at the endpoints

SEP 11.x have only resetpass.bat to reset password

•   Configurable Password Recovery options

•    Passwords can be recovered via Email

SEP 11.X is paper license product, no software license needed to activate product

SEP 12.1 is license product.

•    Advantage: Expired license cannot submit suspicious files to Symantec site.Only a registered and paid customer can submit files to the Insight database to avoid poisoning from malware authors.

•    Customers and partners can keep track of license usage.

•      Symantec License Format, SLF, (like other Symantec software) is used.

In SEP 11.x there are no any predefined notifications.

In SEP 12.1 there are predefine reports like AV definitions out of date, license expire, over deployed clients.  It will help you to monitor SEPM status.

SEP 11.x can support up to 50,000 clients per server

SEP 12.1 can support up to 80,000 clients per server

SEP 11.x you will have to break SEPM’S replication before performing upgrade

SEP 12.1 onwards there is no need to break replication before product upgrade.

Starting in SEP 12.1, replication performs version checking

Eliminates cross version replication corruption.

SEP 11.x firewall have limited support for IPV6--can only Allow All or Block All IPV6 traffic.

SEP 12.1 firewall supports IPV6 and NDIS5/NDIS6.

-Decoupled FW Dependencies with AV/DC/IDS

-Improved Windows Firewall Integration

-Improved IDS Reporting and Error Handling
Main Features:
-FW rule for TCP/UDP is now effective for both ipv4 and ipv6 traffic.

-All FW rule columns are applied for both ipv4 and ipv6 traffic.

-Traffic, Packet, Security Logs can display ipv4/ipv6 addresses.
-The FW rule does not allow user to specify ipv6-only address, i.e. must use "All hosts" for the Hosts column--this means all ipv4 and ipv6 addresses.
-No support yet for IPv6 tunneling (ISATAP, Teredo, etc).

SEP 11.x doesn’t support application and device control policy on 64 bit OS

SEP 12.1 does support application and device control policy on 64 bit OS

with few limitations

Features supported on 64 bit OS         


Proactive threat Scan (a.k.a truscan or Sonar)     



Tamper Protection                                            

Internet email scanning

Device Control



Application learning

Host Integrity (SNAC)

IIS is mandatory in SEP 11.X. Reporting issues are commonly observed due to IIS issue.

SEP 12.1 has replaced IIS with Apache, dependency is removed from IIS.

Database maintenance was concern with SEP 11.x with day to day increase in Size.

Improve database efficiency through automatic maintenance

SEP 11.x is using third party software’s with old engines

SEP 12.1 is using third party software with latest engines.

•          Tomcat Upgrade From v4.1.25 To v6.0.29

•          Embedded Sybase DB Upgrade from v9x to v11.0.1.2472

•          JRE Upgrade to v1.6u21

•          PHP Upgrade to v5.3.3

SEP 11.x are not supporting with latest operating systems

SEP 12.1 now support latest market operating systems, it does support now Small business Server 2008, 2011.

SEP 11.x will stop support around 2014

SEP 12.1 will have more life span compare to SEP 11.x

SEP 11.x policies are not updated to latest threat

Upgraded Default Polices Tuned for Today’s Threat Landscape

New ICMP Trigger for Location Awareness

Improved Tamper Protection

When you export package through SEP 11.x, it contains old definitions when SEPM was installed first time or upgraded last time

SEP 12.1 export package with latest definitions.

SEP 11.x shows succeeded (if package copied successfully) status even though SEP clients is not installed successfully

Clients register in console as soon as installation starts, enables rich detail on install status

Reports now show




-Unsupported Operating systems

-Reboot required

SEP 11.x upgrade failure may cause client to not protect system, SEP client may become inactive

SEP 12.1 uses an MSI based, Side-by-Side, Replace on Reboot installation system.

This method never leaves the client without protection, even in case of upgrade failure.

PTP feature is not supported on Server operating systems

PTP feature is supported on server operating systems.

Scan performance is low

Scan performance is significantly improved in SEP 12.1

SEPM can’t be install on windows 7

SEPM can be install on windows 7

SEP 11.x cannot manage Mac OS through console

SEP 12.1 can manage Mac OS through console

SEP 11.x have 15 firewall rules

SEP 12.1 have 26 built in default firewall rules

SEP 11.x administrator have limitation while providing access to other administrator

By default, administrators have access to all features in a single domain. That is, the administrator can view and run reports, manage groups, remotely run commands, manage installation packages, and manage policies for that domain. The administrator can also run reports on all groups in the domain, except for any groups that migrated from Symantec Antivirus 10.x. You must explicitly configure reporting rights to these migrated groups.

Also, you can grant site rights to administrators to authorize them to fully manage a site, which includes managing the database and servers. When you create a new administrator, the administrator is not authorized to manage sites. You must explicitly grant site privileges to allow the administrator to fully manage sites in a single domain.

Live update is slower compare to SEP 12.1

Live update is faster than sep 11.x, using latest live update engine, luall.exe will download update for SEP only. luall.exe will work on SEPM only, it won't work on SEP client in SEP 12.1

Chetan Savade's picture


There is scan performance improvement if we compared with SEP 11.

Especially you will observe it with Virtual Machines, SEP 12.1 has introuduced feature i.e. Shared Insight cache.

Shared Insight Cache (SIC) is a server application which caches known clean files in order to optimize scan performances.SIC server is mainly designed for virtual environment but usage on physical system is supported given that network latency is kept at an absolute low.SIC server keeps a record in memory (ram) of files which are voted clean by system performing scans 

First SEP client needs to scan a file.  Queries SIC and finds no record.  SEP scans the file and sends the results to the SIC.

Subsequent SEP clients need to scan the same file.  They query the cache server and find the file has already been scanned with the same version of defs and the file is clean.  SEP client skips scanning the file.

When a second client run the scan it goes though the same process and since the file is cached on the SIC therefore will skip the scan. 

Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans. 

Symantec has tried to upgrade built in engines as well as third party engines.

SEP 12.1 is using third party software with latest engines.

•  Tomcat Upgrade From v4.1.25 To v6.0.29

•  Embedded Sybase DB Upgrade from v9x to v11.0.1.2472

•  JRE Upgrade to v1.6u21

•  PHP Upgrade to v5.3.3

In SEP 12.1 RU1 MP1 few engines are upgraded again.

Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

Viewing Shared Insight Cache events in the Cache Server log
How Shared Insight Cache works

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Mick2009's picture

"Thumbs up" to the advice, above. 

Especially if you are using SEP 12.1's reputation features, SEP 12.1's manual and scheduled scans will be much faster.  (Not only faster, but better too!)

Here are some articles that explain the various components in more detail.....

How Symantec Endpoint Protection uses reputation data to make decisions about files
Article: HOWTO55275   |  Created: 2011-06-29   |  Updated: 2011-12-17   | 
Article URL

About the types of threat protection that Symantec Endpoint Protection provides
Article: HOWTO55272   |  Created: 2011-06-29   |  Updated: 2011-12-17   | 
Article URL 

About the types of scans and real-time protection
Article: HOWTO55226   |  Created: 2011-06-29   |  Updated: 2011-12-17   | 
Article URL 

Hope this helps!  &: )

With thanks and best regards,


Mick2009's picture

How Symantec Endpoint Protection protection features work together
Article: HOWTO55268   |  Created: 2011-06-29   |  Updated: 2011-12-17   | 
Article URL 

With thanks and best regards,


John Santana's picture

thanks man !

Kind regards,

John Santana
IT Professional


Please be nice to me as I'm newbie in this forum.