Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Disabling User Access to Disable Symantec Endpoint Protection

Created: 10 Jan 2008 • Updated: 21 May 2010 | 8 comments
I have the lastest SEP realease 11.0.1000.1375 installed.  I would like to remove the ability for the user to right-click on the SEP icon and disable Symantec Endpoint Protection.  I am running into the following issue however.....
 
No matter how many features I lock I cannot get the Network Threat Protection to remove it's disable feature.  All other services have been locked and their disable feature is not available (as expected), but since the Network Threat Protection freature is not disabling this is causing the client to still have the ability to right-click and disable protection.  It's true that it is only disabling the Network Threat Protection, but it is really annoying that it is there at all. 
 
For the life of me I cannot find an option to get rid of this.  At this point I've even got all the controls unlocked, and I cannot even change settings on the Network Threat Protection....  It tells me that I have locked this feature.
 
I also have noticed that in my firewall rules policy config the "Inherit Firewall Rules from Parent Group" check box is disabled and not checked. 
 
Any help on getting this Feature to work would be appreciated.  At this point I am lost.  Please help.
 
 

Comments 8 CommentsJump to latest comment

ecshop's picture
In your Antivirus/Antispyware Policy, you will need to click and lock the little lock icon in all the Auto Protect options. They are under Scan Details tab, next to "Enable File System Auto-Protect", "Enable Internet Email Auto-Protect", etc.
 
 
mtdSEP's picture
thanks for the reply ecshop...
 
I've locked every little lock in the whole program and it still doesn't disable that feature.  I've even unlocked all the little locks causing the applications to again be disabled, but at that point I still cannot change settings on the Network Threat Protection.  Everything else is able to be changed but that.  During the previous installation release of SEP I had this all working as you stated by locking all the little locks, but this go around the Network Threat Protection option is not playing nice.
 
One thing that has me bothered now is that the Symantec Network Access Control service (SNAC.exe) is not being started when the system loads.  The service is set to Manual and if I attempt to change it to Automatic and reboot it gets set back to Manual and is not started. 
 
I'll try locking all the little locks again, but I think something else is wrong.  Everything is working great this time around except that.  This is getting frustrating.
 
 
JohnL's picture
Hello,
 
To remove the ability to disable Network Threat Protection, perform the following.
 
1. Go to Clients, then the client group you want to remove this ability from.
2. Click the Policies tab on the right, then expand 'Location-specific Settings'.
3. Click on 'Server Control', then Customize.
4. In the Network Threat Protection section, uncheck 'Allow users to enable and disable Network Threat Protection'.
 
Repeat these steps for any other locations you want to enforce this to.
 
As for SNAC, that is a separately licensed feature of SEP. The service will remain set to Manual and not start until you install SNAC on your SEPM server. After that, as your clients check in, SNAC will be set to Automatic and will start. You will see the Host Integrity policy show up in SEPM as well, which needs to be configured if you intend on using SNAC.
 
Hope this helps.
mtdSEP's picture
Thank You John!!!
 
Wonder why is that in such an obscure location compared to the other locking controls??  Oh well.... it's in the setup instructions now.
 
Thanks for the info about SNAC also. 
Justin_Smith's picture

Im having the same problem. Ive unchecked the box but when I update the policy via the client or the server it does not disable this feature? 

Hericksen's picture

Hi!! 

 

We have choosen not to allow users to stop sep client too using SEP manager interface, but because a lot of them have administrators rights, they still can stop it through windows services panel, so we have determined to secure them through GPO.

 

We think that assigning privileges as shown is sufficient (we are not using Network access control). All the startups/shutdowns shown into the logs are done by System account.

 

Service:                                       Startup Type           Rights

 

Symantec Auto-upgrade Agent         Manual                System/ Domain Admins/IT Support

Symantec Endpoint Protection          Automatic            System/ Domain Admins/IT Support

Symantec Event Manager                Automatic            System/ Domain Admins/IT Support

Symantec Management Client           Automatic            System/ Domain Admins/IT Support

Symantec Network Access Control     Manual                System/ Domain Admins/ITSupport

Symantec Settings Manager             Automatic            System/ Domain Admins/IT Support

Message Edited by Hericksen on 07-22-2008 01:32 AM
ch1221 2's picture

I have tried to lock down the services as described but  now my clients are reporting into the console with their "Antivirus Engine Off" even though the clients are running fine.  Any ideas?

Dr. Watson's picture

Check if this helps:

 

How to block user's ability to disable Symantec Endpoint Protection on Clients

 

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110514540148

 

I followed this document word by word ... Helped me in my case .... :smileyhappy: