Endpoint Protection

  • 1.  Disabling SEP using smc command

    Posted May 05, 2016 09:48 PM

    Hi,

    I need help. We have 250 SEP clients installed, and whenever we want to troubleshoot something that we think this AV is preventing us from running, we usually use smc -stop and smc -start to stop and start the service. I use the EICAR AV test to test if the SEP is already stopped, but it still quarantines the test file. BTW, the "disable the Symantec Endpoint protection" option is already greyed out.

    What is the best way to disable the SEP client for troubleshooting purposes? We don't want to uninstall then install it just for the sake of testing an application.



  • 2.  RE: Disabling SEP using smc command

    Posted May 05, 2016 09:58 PM

    That's because doing an 'smc -stop' does not stop the auto-protection function.

    What functions of the Symantec Endpoint Protection client are disabled by the smc -stop command?

    Issuing the smc -stop command stops the Symantec Management Client (SMC.exe) and the Symantec Endpoint Protection service (ccsvchst.exe).

    Stopping SMC disables the following features:

    • Client-Server communications
    • Automatic content updates
    • Client notifications
    • The Network Threat Protection (NTP) Firewall
    • The Client Intrusion Detection System (CIDS)
    • Application Control
    • Device Control
    • Host Integrity

    In your AV policy you need to either uncheck the box for auto-protect or open the lock so it can be disabled at the client end. Opening the locks for the various components will allow you to right-click the icon and 'Disable SEP'.

    When troubleshooting, you're best off creating a group in SEPM that allows you to disable components. When you're ready to troubleshoot just move the client into the custom group. When done then you can move it back to its regular group.