
Alerts for Disabled Endpoint Components

Created: 07 May 2012 | 4 comments
SUPPORT-2-SUPPORT's picture

Hi,

We can define the number of occurrences for virus outbreaks to get a notification from SEPM if any attack is found.

Is it possible to get a notification or alert from SEPM for the number of endpoints where their components (Autoprotect, Tamper Protection, Scan Engine and others) are disabled for any reason?

The alerts will help us to take immediate action on those systems to prevent virus or any attacks.

 

Regards,

S2S


Tibo's picture

I agree.

There should be a possibility to create a notification to send a mail with a list of clients that have some components disabled (AV, PTP, Firewall, Download insight, NTP etc...)

There is currently a report that shows this but there is no possibility to have a notification sent by mail currently. This functionality should exist by default.

 

Thanks
Scott4122's picture

I am completely dumbfounded that Symantec offers a security application that is lax in security. In my scenario, I have a 3rd party vendor that services a few of my P.O.S. devices with SEP enabled. The vendor knows that they are the reason why I have SEP installed, and I recently found out that they are circumventing the SEP application so they can connect USB storage drives to my computers to deliver updates and fixes.

How did this slip through Symantec's fingers??????  On what world does Symantec think that its customers do not need an immediate alert anytime the service has been stopped?

I do not care about those instances where Symantec was stopped because the user turned off their computer for the day. I care about those users that are unknowingly spreading malware and viruses because they want to connect a USB memory stick and print a photo on the company color laser printer.

I mean what is the point of having the SEP application if people can disable it and SEPM not say anything?  Your entire customer base needs this fixed ASAP.

.Brian's picture

I agree with you but I'm curious to know why users are allowed to stop the SEP client?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

yaduvanshi S's picture

Hi,
To prevent users from disabling Symantec Endpoint Protection (SEP) on their client, use the steps below.

Step 1: Remove the right to disable Network Threat Protection:

Open the Symantec Endpoint Protection Manager.
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-specific Settings.
Click Tasks to the right of "Client User Interface Control Settings", then click Edit Settings.
Select Server control or Mixed control if it is not already set to one of these.
Click Customize.
If Server control is enabled this will open the Client User Interface Settings dialog.
If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.
Uncheck Allow users to enable and disable Network Threat Protection.
Uncheck Allow the following users to enable or disable the firewall.
Click OK > OK.

Step 2: Remove the right to disable Threat detection:

Open the Symantec Endpoint Protection Manager.
Click Clients.
Select the group that contains the clients you want to be affected.
Click Policies.
Expand Location-specific Policies.
Click Antivirus and Antispyware policy.
Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
Click TruScan Proactive Threat Scans, then lock this feature by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
Click OK.

For Symantec Endpoint Protection 12.1 or for SEP 11 clients managed by SEPM running 12.1 versions, additional policies must be locked.

In the Virus & Spyware Protection policy, click Sonar, then lock this feature by clicking the lock symbol next to Enable Sonar.
In the Intrusion Prevention policy, click Settings, then lock both lock symbols next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.

Step 3: Clients update policy:

Clients will receive the policy according to their Communication Settings (they will be prompted to check in within a few seconds if in Push Mode; they will check in on their next scheduled heartbeat in Pull Mode).

You can prompt the heartbeat on the client:

Right-click the Symantec Endpoint Protection system tray icon.
Click Update Policy. The client will request the new policy from the manager.

Once the policy has been updated the user will not be able to disable the Antivirus/Antispyware or the Network Threat Protection features.

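The thread notes that SEPM has a report of clients with disabled components but no mail notification for it. The following is an added example, not part of the thread and not Symantec code: it turns a CSV export of such a report into an alert body, and separates clients that are online with components disabled from clients that have stopped checking in. The column names, the sample rows and the one-hour check-in window are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column names are hypothetical, not SEPM's own.
SAMPLE_EXPORT = """computer,last_checkin,auto_protect,tamper_protection,firewall
POS-01,2012-05-07 09:58,enabled,enabled,enabled
POS-02,2012-05-07 09:55,disabled,enabled,disabled
POS-03,2012-05-04 18:02,enabled,enabled,enabled
HR-11,2012-05-07 09:40,enabled,disabled,enabled
"""
SAMPLE_NOW = datetime(2012, 5, 7, 10, 0)  # constructed "current time"
COMPONENTS = ("auto_protect", "tamper_protection", "firewall")


def triage(export_text, now, max_age=timedelta(hours=1)):
    """Split clients into (disabled, stale).

    disabled: {computer: [components]} for clients that checked in within
              max_age but report a component that is not enabled.
    stale:    computers with no check-in within max_age. This data alone
              cannot tell a powered-off machine from a stopped client, so
              they are listed separately instead of being alerted on.
    """
    disabled, stale = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        checkin = datetime.strptime(row["last_checkin"], "%Y-%m-%d %H:%M")
        if now - checkin > max_age:
            stale.append(row["computer"])
            continue
        off = [c for c in COMPONENTS if row[c].strip().lower() != "enabled"]
        if off:
            disabled[row["computer"]] = off
    return disabled, stale


def format_alert(disabled, stale):
    """Build the plain-text body of a notification mail ('' if nothing to say)."""
    lines = []
    if disabled:
        lines.append("Online clients with protection components disabled:")
        lines += [f"  {n}: {', '.join(disabled[n])}" for n in sorted(disabled)]
    if stale:
        lines.append("Clients not checking in (powered off or client stopped):")
        lines += [f"  {n}" for n in sorted(stale)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(*triage(SAMPLE_EXPORT, SAMPLE_NOW)))
```

Run on a schedule against a fresh export, the non-empty result can be handed to whatever mail or ticketing mechanism is already in place.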