Endpoint Protection

SEP A/V How to do scheduled scan only - no other activity

  • 1.  SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 12:09 PM

    Hello...

    In our enterprise environment, we use a different A/V product that is conflicting w/ a particular application.

    We are testing SEP v12.1.6 on one mission critical server.  I want to configure SEP to run a scheduled scan once a day, and eliminate or minimize any other A/V or SEP activity outside of that scan window.  I have created a scheduled scan (2:00AM) but we are still seeing the application crashing outside of the scheduled scan (only when the product is installed).

    My questions

    1) There are many features of the product, I don't fully understand them as we just began to test & evaluate. I want to eliminate all Symantec product activity (if possible) except during the scheduled scan.  Any suggestions on features I can disable or turn off such that we only get AV activity during the scheduled window - I would greatly appreciate.

    2) Alternatively, ideally really, I'd like to have no A/V software on this machine and run the A/V scan from a different server. Is SEP capable of that, while still providing a similar level of protection?

    thanks for any assistance.

     

    (ps I am not looking to investigate the cause of the crash in this forum - just how to constrain all SEP activity to the scan window.)



  • 2.  RE: SEP A/V How to do scheduled scan only - no other activity

    Broadcom Employee
    Posted Aug 06, 2015 12:13 PM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    1) There are many features of the product, I don't fully understand them as we just began to test & evaluate. I want to eliminate all Symantec product activity (if possible) except during the scheduled scan.  Any suggestions on features I can disable or turn off such that we only get AV activity during the scheduled window - I would greatly appreciate.

    --> Apart from scan windows, SEP will connect to the SEPM server to get the latest definitions as per heartbeat intervals.

    2) Alternatively, ideally really, I'd like to have no A/V software on this machine and run the A/V scan from a different server. Is SEP capable of that, while still providing a similar level of protection?

    --> Yes, it's possible. You can map the drive to scan it remotely.

    This article can be of interest: Does a Full Scan scan Mapped Network Drives?

    http://www.symantec.com/docs/TECH96284



  • 3.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 12:13 PM
    It's not possible to turn off features on schedule. You'd have to manually shut them off. You could map a drive to that machine then create a custom scan to scan it.


  • 4.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 12:22 PM

    Chetan,

    thanks for the quick response.

    Is it logged when the product contacts the SEPM server for updates - I'd like to see if that corresponds to crashes (guessing no)?

    More importantly, I'm not clear about disabling real time scanning or other processes.  For example, if I have my scheduled scan configured, then, from the main Virus and Spyware Protection Settings dialog - what is the effect of unchecking (disabling) the following:

    "Enable Insight for",
    "Enable Bloodhound heuristics"
    "Enable File System Auto-Protect"

    Will this be OK, given my objective?  What actions will my scheduled scan take - is it only a file scan at that point? Which would be fine.

    (also tks for responding ᗺrian)



  • 5.  RE: SEP A/V How to do scheduled scan only - no other activity

    Broadcom Employee
    Posted Aug 06, 2015 12:29 PM

    Yes, that can be a possibility. Also if you disabled Insight, bloodhound heuristics or auto protect it's as good as scanning machine without or less protection.

    Not recommended to disable those features unless it's really required.

    By looking at your requirement it's not possible to restrict SEP activities only during scan windows. Either you will have to disable SEP during rest of the time or map the drives.

    I am curious to know why you want to restrict SEP activities.



  • 6.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 12:34 PM

    In this case it is required, but we can't leave the machine completely unprotected.

    I wasn't clear on this: " if you disabled Insight, bloodhound heuristics or auto protect it's as good as scanning machine without or less protection".  Are you saying this has a negative impact on the scheduled scan - that the actual scheduled scan will be less effective w/ those disabled, or just that it is not recommended b/c the machine will be unprotected except for what it might catch during the scan window?

    -if that  makes sense ;-\

    (sorry for the double post before)



  • 7.  RE: SEP A/V How to do scheduled scan only - no other activity

    Broadcom Employee
    Posted Aug 06, 2015 12:40 PM

    Yes, it will have a negative impact on the scan. Those features access Symantec's global database to keep the SEP client database updated.

    For example, during a scan, if SEP finds any suspicious file on your machine & is unable to determine it with the existing database, it will make a call to the global database to decide the next action.

    & I have deleted your duplicate posts. :)
     



  • 8.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 01:26 PM

    If you want to make this easy, simply configure the scheduled scan to run. You can disable the Insight lookup option from within the scheduled scan.

    The other options you mention above are real-time protection features and won't come into play for the scheduled scan.

    If all you're wanting is a scheduled scan then you just need to configure that.

    Easiest way is to map a drive to the machine and configure a custom scan as I already mentioned.



  • 9.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 02:51 PM

    ᗺrian - I like your suggestion of an external scan to a mapped drive, might be our best bet. I'm going to look into that, although there are aspects to this environment that may make that impractical (so I still need to clarify what Chetan is advising in case the external scan is not possible for us).



  • 10.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 02:52 PM

    During the scheduled scan window, the product can do whatever it wants w/o impact to our app, I just want to prevent any scanning or detection outside the scan window.

    With that in mind…if I leave insight and heuristics enabled, but Disable File System Auto Protect - in this state, will SEP do any scanning or detection outside the scheduled window? (Updating its database probably OK, don’t think that’s part of the issue).

    thanks also…



  • 11.  RE: SEP A/V How to do scheduled scan only - no other activity

    Broadcom Employee
    Posted Aug 06, 2015 03:12 PM

    You should get familiar with SEP technologies. Here they are:

    Auto Protect:

    Auto-Protect is the first line of defense against threats by providing real-time protection for your computer. Whenever you access, copy, save, move, open or close a file, Auto-Protect scans the file to ensure that a threat has not attached itself. By default, it loads when you start your computer to guard against threats and security risks. It also monitors your computer for any activity that might indicate the presence of a threat or security risk. Auto-Protect can determine a file's type even when a threat changes the file's extension.

    Reference: http://www.symantec.com/docs/TECH94990

    If you disable Auto-Protect, it will by default disable Download Insight and SONAR. It's as good as NO AV.

    Download Insight:

    Advanced Download Protection (Download Insight) is a new advanced protection feature included with the SEP 12.1 client. This feature allows the SEP client to leverage Symantec's Cloud-based reputation database when files are downloaded or executed directly from popular Web browsers.

    Reference: http://www.symantec.com/docs/TECH171776

    SONAR:

    SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

    SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, and firewall protection.

    Reference: http://www.symantec.com/docs/HOWTO55254

    Check this article as well: How the Insight Lookup process works

    http://www.symantec.com/docs/TECH169282

    Best bet can be to uninstall SEP from mission critical server drives & map them to perform full scan because you can't restrict SEP services to a specific time stamp.



  • 12.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 06, 2015 04:12 PM

    Insight would scan any time a file is downloaded. Heuristics would scan any time a new process is started. So yes, in theory it could start outside the scan window.



  • 13.  RE: SEP A/V How to do scheduled scan only - no other activity

    Posted Aug 07, 2015 01:23 AM

    Have you thought about excluding the files and folders of your "Application" from all scans of SEP? This will help prevent the application from crashing with all the features still enabled on the SEP client. This will be a better option (than disabling all the protection features at all times) as the server will stay protected all the time and also SEP will leave your application alone.

    Excluding the application's files/folder from all types of Scans will prevent them from being scanned by all scan technologies of SEP (including auto-protect, scheduled scan, manual scan, on demand scan, application control and SONAR/Heuristics).

    If you have not tried this before, please try it once before you decide to completely remove SEP client from the server. Check the link below to know about how to add exclusions (in centralized exceptions policy).

    http://www.symantec.com/docs/TECH183201