This occurs, if the users have admin rights on their local machine... they can deactivate SEP, kill the process... they even can stop the services so that they are absolutely unprotected.
To remove the ability to disable Network Threat Protection, perform the following.
1. Go to Clients, then the client group you want to remove this ability from. 2. Click the Policies tab on the right, then expand 'Location-specific Settings'. 3. Click on 'Server Control', then Customize. 4. In the Network Threat Protection section, uncheck 'Allow users to enable and disable Network Threat Protection'.
Repeat these steps for any other locations you want to enforce this to.
As for SNAC, that is a separately licensed feature of SEP. The service will remain set to Manual and not start until you install SNAC on your SEPM server. After that, as your clients check in, SNAC will be set to Automatic and will start. You will see the Host Integrity policy show up in SEPM as well, which needs to be configured if you intend on using SNAC.
I tried this... but my users are still able to deactivate the Protection... who can help me please?
This is how we are doing it, i lost the link this is from but its on Symantec's site,
How to block user's ability to disable Symantec Endpoint Protection (SEP) on Clients
Step 1: Remove the right to disable Network Threat Protection:
1. Open the Symantec Endpoint Protection Manager.
2. Click Clients.
3. Choose the group that contains the clients you want to be affected.
4. Click Policies.
5. Expand Location-specific settings.
6. Click Tasks to the right of Client User Interface Control Settings, then click Edit.
7. Choose Server control or Mixed control if it is not already set to one of these.
8. Click Customize.
- If Server control is enabled this will open the Client User Interface Settings dialog. - If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog. 9. Uncheck Allow users to enable or disable Network Threat protection. 10. Click OK, then click OK again.
Step 2: Remove the right to disable Threat detection:
1. Open the Symantec Endpoint Protection Manager.
2. Click Clients.
3. Choose the group that contains the clients you want to be affected.
4. Click Policies.
5. Expand Location-Specific Policies
6. Click Antivirus and Antispyware Policy.
7. Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
8. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
9. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
10. Click Lotus Notes Auto-Protect, then lock thisfeature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
11. Click Proactive Threat Scan, then lock this feature by clicking the lock symbol next to Scan for trojansand worms and Scan for keyloggers.
Is there a way to password protect the "Disable Symantec Endpoint Protection" option rather than disabling it altogether? It would simplify the process of individual software installs and updates.because we could avoid opening the SEPM, waiting, logging in, waiting, clicking policy, waiting, change policy, waiting, clicking clients, waiting, selecting the client, waiting, pushing new policy, ..., then all the steps to undo these changes!
The admin should be prompted how long to keep SEP disabled.
Clixck on the Clients icon, then highlight the GLOBAL root option in the left pane. This should bring up a tabbed interface on the right with the tabs: Clients, Policies, Details, etc.
Under the Policies tab there is a General Settings link (located under the Settings box). Clicking on that will take you to another tabbed interface. Click on the security settings. Here is where I set a password that keeps users completely out of the SEPM client, unless they know the password. That was a big help for me. Will that accomplish what you are looking for?
Comments
To remove the ability to disable Network Threat Protection, perform the following.
1. Go to Clients, then the client group you want to remove this ability from.
2. Click the Policies tab on the right, then expand 'Location-specific Settings'.
3. Click on 'Server Control', then Customize.
4. In the Network Threat Protection section, uncheck 'Allow users to enable and disable Network Threat Protection'.
Repeat these steps for any other locations you want to enforce this to.
As for SNAC, that is a separately licensed feature of SEP. The service will remain set to Manual and not start until you install SNAC on your SEPM server. After that, as your clients check in, SNAC will be set to Automatic and will start. You will see the Host Integrity policy show up in SEPM as well, which needs to be configured if you intend on using SNAC.
hi
in SEPM:
policies-> Sntivirus and antispyware policy-> File System autoprotect - > lock the Enable File system autoprotect
How to block user's ability to disable Symantec Endpoint Protection (SEP) on Clients
Step 1: Remove the right to disable Network Threat Protection:
1. Open the Symantec Endpoint Protection Manager.
2. Click Clients.
3. Choose the group that contains the clients you want to be affected.
4. Click Policies.
5. Expand Location-specific settings.
6. Click Tasks to the right of Client User Interface Control Settings, then click Edit.
7. Choose Server control or Mixed control if it is not already set to one of these.
8. Click Customize.
- If Server control is enabled this will open the Client User Interface Settings dialog.
- If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.
9. Uncheck Allow users to enable or disable Network Threat protection.
10. Click OK, then click OK again.
Step 2: Remove the right to disable Threat detection:
1. Open the Symantec Endpoint Protection Manager.
2. Click Clients.
3. Choose the group that contains the clients you want to be affected.
4. Click Policies.
5. Expand Location-Specific Policies
6. Click Antivirus and Antispyware Policy.
7. Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
8. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
9. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
10. Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
11. Click Proactive Threat Scan, then lock this feature by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
12. Click OK.
Is there a way to password protect the "Disable Symantec Endpoint Protection" option rather than disabling it altogether? It would simplify the process of individual software installs and updates.because we could avoid opening the SEPM, waiting, logging in, waiting, clicking policy, waiting, change policy, waiting, clicking clients, waiting, selecting the client, waiting, pushing new policy, ..., then all the steps to undo these changes!
The admin should be prompted how long to keep SEP disabled.
Unless I missed this feature.
Message Edited by Mike T on 02-29-2008 12:16 PM
Would you like to reply?
Login or Register to post your comment.