Endpoint Protection

  • 1.  SEP standard client vs dark network client

    Posted Jan 23, 2020 05:14 AM

    Our servers, without a stable connection to the Internet, are installed with the SEP 14.X standard client, and get virus definition updates from our internal SEPM server.

    I did not know there is a so-called "dark network client" until recently. When I saw the difference between the 2 versions, I was pretty shocked:

    https://support.symantec.com/us/en/article.howto125352.html

    Can anyone explain to me the difference in virus definitions?

    Standard client is "download latest definition only", "use definition in the cloud";

    while the dark web client is "full set of definition".

    If our servers cannot connect to the Internet, does that mean their SEP (standard client) is not able to detect some viruses due to the lack of some definitions?!?!?!



  • 2.  RE: SEP standard client vs dark network client

    Posted Jan 23, 2020 05:24 AM

    AFAIK: Standard clients (for example, desktops) can go out to the internet and fetch only the required defs from the cloud.

    Dark (no internet access) clients will reach out to SEPM and download the full def content. If SEPM is updated with the latest, both clients will have the same set of defs.



  • 3.  RE: SEP standard client vs dark network client

    Posted Jan 23, 2020 05:37 AM

    Thanks for the quick reply.

    But in the link I posted, it says the standard client size is smaller; the reason is that it downloads/installs the latest definitions only.

    If it gets the same full set of definitions from SEPM as the dark web client, how can it be a smaller size?



  • 4.  RE: SEP standard client vs dark network client

    Posted Jan 23, 2020 07:06 AM

    Please check if this will help you to clarify this:

    https://www.symantec.com/connect/forums/sep-14-standard-client

     



  • 5.  RE: SEP standard client vs dark network client

    Posted Jan 23, 2020 09:54 PM

    Thanks S_K.

    From the Symantec support staff Matt's answer:

    The reduced size definitions remove very old threat detections that we have not had telemetry for within a certain period of time.  (I cannot share specifics around these metrics.)  Threats which have been active recently would still have signatures included in the reduced size definitions, or certainly major threats like Wannacry would have their detection included in these definitions.  For any threat where there is currently a major outbreak / concern (such as we saw with the Wannacry situation), that means we will be getting current telemetry for that threat, and therefore its signature would still be included in reduced size defs. 

    Overall I would still suggest the Darknet client for any system which cannot leverage the cloud-based definitions. 

    My understanding is,

    Standard client (SC) really has fewer virus definitions on disk. Those are old viruses that Symantec thinks are less relevant nowadays. If an SC cannot connect to the Internet, it really cannot detect those old viruses. In this case, please install the Dark network client (DNC).

    What I still don't know is, if we have an on-prem SEPM, will our SC rely on our SEPM instead of the cloud to use those old definitions?



  • 6.  RE: SEP standard client vs dark network client

    Posted Jan 24, 2020 02:10 AM

    What I still don't know is, if we have an on-prem SEPM, will our SC rely on our SEPM instead of the cloud to use those old definitions?

    It depends on how you configure your LU. If you set it to get from the internet via policy, then it's smaller; if from SEPM, then they all have the same def size.



  • 7.  RE: SEP standard client vs dark network client

    Posted Jan 24, 2020 05:06 AM

    It depends on how you configure your LU. If you set it to get from the internet via policy, then it's smaller; if from SEPM, then they all have the same def size.

    We did configure our Internet-disconnected SEP to get definitions from our on-prem SEPM. But recently SEP on 1 of our servers detected a risk, and the risk report could not show a proper file path for the risky file (the shown file path is a meaningless string). We asked Symantec support, and their advice was to change from the standard client to the dark network client.

    I don't know why showing a local file path has anything to do with standard client or dark network client. But it gave me a feeling that our current standard client, relying on SEPM, is not a fully functional SEP.