截屏视频帮助
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

How can I remove ability to disable protection on SBE 12 Managed Clients?

创建时间: 04 4 月 2012 • Updated: 14 1 月 2013 | 4 条评论
此问题已解决。 请查看解决方案。

I have searched for the answer to that question but I keep finding solutions that apply to version 11. Those options do not exist in my version which is 12. I think I am at 12.0, but how do I see for sure if I am 12.0 or 12.1? I don't see that anywhere.

I have also found a way to remove the taskbar icon completely, using a registry setting, but I do not want to do that because it also removes a lot of other functionality.

I would like to know how to at least remove the client's ablility to disable Endpoint Protection, and possibly to change other settings.

Thanks!

评论 条评论跳转至最新评论

Mithun Sanghavi 的图片

Hello,

To check if you are carrying SEP 12.0 or SEP 12.1, you can open the Symantec Protection Center and on on the right hand side, top corner you can click on "Help" and then click on "About".

Again, in reference to your query, check this Article - 

How to block a user's ability to disable Symantec Endpoint Protection Small Business Edition on Clients

http://www.symantec.com/docs/TECH172434

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

解决方案
ksoszka 的图片

Hmmm, well for the record I have 12.0, thanks for telling me how to see that.

I already have the padlock in locked state, I have attached a screenshot. Still my users can disable their SEP.

SEP Policy Edit.jpg
Mithun Sanghavi 的图片

Hello,

I believe, this could not be done with SEP SBE 12.0

Check this:

https://www-secure.symantec.com/connect/forums/endpoint-protection-small-business-12-disable-auto-protect

I would recommend you to migrate SEP SBE 12.0 to SEP SBE 12.1

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Sayan 的图片

Solution

To prevent users from disabling Symantec Endpoint Protection (SEP) on their client:

Step 1: Remove the right to disable Network Threat Protection:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click Clients.
  3. Select the group that contains the clients you want to be affected.
  4. Click Policies.
  5. Expand Location-specific Settings.
  6. Click Tasks to the right of "Client User Interface Control Settings", then click Edit Settings.
  7. Select Server control or Mixed control if it is not already set to one of these.
  8. Click Customize.
    • If Server control is enabled this will open the Client User Interface Settings dialog.
    • If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.
  9. Uncheck Allow users to enable and disable Network Threat Protection.
  10. Click OKOK.

Step 2: Remove the right to disable Threat detection:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click Clients.
  3. Select the group that contains the clients you want to be affected.
  4. Click Policies.
  5. Expand Location-specific Policies
  6. Click Antivirus and Antispyware policy.
  7. Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
  8. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
  9. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
  10. Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
  11. Click TruScan Proactive Threat Scans, then lock this feature by clicking the lock symbol next to Scan for trojans and wormsand Scan for keyloggers.
  12. Click OK.

For Symantec Endpoint Protection 12.1, additional policies must be locked. 

  1. In the Virus & Spyware Protection policy, click Sonar, then lock this feature by clicking the lock symbol next to Enable Sonar.  
  2. In the Instrusion Prevention policy, click Settings, then lock both lock symbols next to Enable Network Intrusion Prevention andEnable Browser Intrusion Prevention.  

Step 3: Clients update policy: 
Clients will receive the policy according to their Communication Settings (they will be prompted to check in within a few seconds if in Push Mode; they will check in on their next scheduled heartbeat in Pull Mode).

You can prompt the heartbeat on the client:

  1. Right-click the Symantec Endpoint Protection system tray icon.
  2. Click Update Policy. The client will request the new policy from the manager

Once the policy has been updated the user will not be able to disable the Antivirus/Antispyware or the Network Threat Protection features.