Video Screencast Help

How to block user's ability to disable Symantec Endpoint Protection on Clients

Created: 14 May 2009 • Updated: 21 May 2010 | 14 comments

Hi Team,

I had used the directions below to block the user's ability to disable Symantec but the users could still disable Symantec.
Just to add, we are using MR4MP1a and the users profiles are not admin accounts.
Please kindly advice additional Procedures not written below.

Best Regards,

Nel Ramos

********************
Procedures used:
********************

How to block user's ability to disable Symantec Endpoint Protection on Clients
Question/Issue:
How to prevent users from disabling Symantec Endpoint Protection by right-clicking on the client system tray icon and selecting "Disable Symantec Endpoint Protection"?

Solution:
To prevent users from disabling Symantec Endpoint Protection on their client:

Step 1: Remove the right to disable Network Threat Protection:

Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-specific settings.
Click Tasks to the right of "Client User Interface Control Settings", then click Edit.
Select Server control or Mixed control if it is not already set to one of these.
Click Customize.
If Server control is enabled this will open the Client User Interface Settings dialog.
If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.

Uncheck Allow users to enable or disable Network Threat protection.
Click OK> OK.

Step 2: Remove the right to disable Threat detection:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-Specific Policies
Click Antivirus and Antispyware Policy.
Click File System Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable File System Auto-Protect.
Click Internet Email Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Internet Email Auto-Protect.
Click Microsoft Outlook Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
Click Lotus Notes Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
Click Proactive Threat Scan, then "lock this feature" by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
Click OK.

Step 3: Force clients to update policy:
This step is not necessary as clients will receive the policy during their normal check-in

From the manager:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Run Command on Group.
Click Update Content.
The client will receive a prompt to heartbeat and update its policy. Once the policy has been updated the option to Disable Symantec Endpoint Protection will be grayed-out when users right-click the Symantec Endpoint Protection system tray icon.

On the client:

Right-click the Symantec Endpoint Protection system tray icon.
Click Update Policy
The client will request the new policy from the manager. Once the policy has been updated the option to Disable Symantec Endpoint Protection will be grayed-out.
 

Comments 14 CommentsJump to latest comment

Thomas K's picture

You need to configure the settings "require a password to stop the client service" or "require a password to uninstall the client" in General Settings -> Security Settings; without these, the end user still has a means to disable SEP.

If you are logon with a local admin account, the changes made on SEPM console will not take place. You need to log off and then log back in as a normal User to see the option "Disable Symantec Endpoint Protection" grayed out

Thomas

Ooyala - Check us out!

mon_raralio's picture

@Cycletech: Do you mean to say that local admins can still disable the SEP?

“Your most unhappy customers are your greatest source of learning.”

Nel Ramos's picture

would there be a work around for this.. since some users might have admin accounts that must not have powers to disable symantec...

thanks...  

Nel Ramos

mon_raralio's picture

Administrator accounts take precedence over all applications. If they have the ability to install applications, then logically, there's nothing stopping them from disabling or uninstalling them.

Best you can do is to demote this admins to powerusers.

“Your most unhappy customers are your greatest source of learning.”

Nel Ramos's picture

@mon_raralio: well since ours is a big company..
I shall visit our AD admin on this...
just very sad to see that the powerful policy that we made was only turned off using services.msc...
be giving you feedback for laters..

thanks..

Nel Ramos

Nel Ramos's picture

regular users (agents) could not disable it but there are some contractors that has the ability to disable thru services after I hide the symantec sheild in the system tray.

Nel Ramos

runi0221's picture

Some admin accounts tends to brake the rules of the organization.
Its depressing that we have to secure the network from them.

 
SameerU's picture

Solution:
To prevent users from disabling Symantec Endpoint Protection on their client:

Step 1: Remove the right to disable Network Threat Protection:

Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-specific settings.
Click Tasks to the right of "Client User Interface Control Settings", then click Edit.
Select Server control or Mixed control if it is not already set to one of these.
Click Customize.
If Server control is enabled this will open the Client User Interface Settings dialog.
If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.

Uncheck Allow users to enable or disable Network Threat protection.
Click OK> OK.

Step 2: Remove the right to disable Threat detection:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-Specific Policies
Click Antivirus and Antispyware Policy.
Click File System Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable File System Auto-Protect.
Click Internet Email Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Internet Email Auto-Protect.
Click Microsoft Outlook Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
Click Lotus Notes Auto-Protect, then "lock this feature" by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
Click Proactive Threat Scan, then "lock this feature" by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
Click OK.

Step 3: Force clients to update policy:
This step is not necessary as clients will receive the policy during their normal check-in

From the manager:
Open the "Symantec Endpoint Protection Manager."
Click Clients.
Select the group that contains the clients you want to be affected.
Click Run Command on Group.
Click Update Content.
The client will receive a prompt to heartbeat and update its policy. Once the policy has been updated the option to Disable Symantec Endpoint Protection will be grayed-out when users right-click the Symantec Endpoint Protection system tray icon.

On the client:
Right-click the Symantec Endpoint Protection system tray icon.
Click Update Policy
The client will request the new policy from the manager. Once the policy has been updated the option to Disable Symantec Endpoint Protection will be grayed-out.

Nel Ramos's picture

@SameerU: thanks for the additional advice.
We had demoted the people that habitually breaks the rules from admins to just power users...
They were not very happy about that.

Nel Ramos

mon_raralio's picture

They have no right to complain as it's not their personal property anyways.
People tend to forget that company PCs belong to the company and its contents - OS, Apps, even files  -belong to the company.

“Your most unhappy customers are your greatest source of learning.”