 

Symantec Endpoint Security, SEP, for Windows

 

Note added November, 2009: There is a new version of SAV in the WebStore now that supports Windows 7: Symantec Antivirus Endpoint Protection 11.0 - UIC ONLY; download Symantec for Win 7/2000/XP/Vista and for Win x64.

Note if you are using SAV with Windows XP: In a few cases, people have had their Registry trashed when they installed Windows XP SP3 while SAV was running. Be sure to turn SAV off temporarily while updating your XP. It might be a good idea to go to Windows Update and install Windows XP SP3 yourself, rather than waiting until it's installed automatically. I do not know whether upgrading to SEP fixes the problem. The documentation about the problem is vague; it says that you should turn antivirus programs off while installing XP SP3, without specifying which ones.
 
     
 
     
What is Endpoint Security?
 

Symantec Endpoint Protection is Symantec AntiVirus plus Endpoint Security. That leaves us with two questions: What are endpoints? and What is Endpoint Security?

An endpoint is an individual computer system or device that acts as a network client and serves as a workstation or personal computing device. In short, your PC or Mac. Laptops, desktops, or even PDAs. Of interest to network administrators, endpoints also include application servers.

Security, in computer terms, means controlling the access to networks and systems, controlling the purpose of the access, the conditions of the access, and the tasks permitted by the access. Security includes protection from threats to property, safety, and privacy; as well as the management and mitigation of risks due to exposure to these threats.

Endpoint Security is the sum total of the measures taken to implement security concerning endpoints. These measures include assessing risk to protect endpoints, such as with client antivirus and personal firewall, and protecting the network from the endpoints themselves, such as with quarantine and access control. Also, Endpoint Security logically extends to the management and administration of these security measures, as well as to the risk, reporting, and knowledge management of the state and results of these measures. (This latter is of interest to network administrators, not to individual "endpoint" owners, to whom this Web page is aimed.)

Adapted from What is Endpoint Security, from EndpointSecurity.org.

And that is what Symantec Endpoint Protection does.

Symantec Endpoint Protection 11.0, SEP, is Symantec AntiVirus® combined with antispyware, firewall, intrusion prevention system, application control, device control, and proactive threat scanning in a single client, all managed by a single piece of management software. The combination allows instant upgrades without deploying separate software for each security technology. It protects from both known threats and threats that have not been seen before. Symantec Endpoint Protection protects against malware such as viruses, worms, Trojan horses, spyware, and adware. It protects even against rootkits, zero-day attacks, and spyware that mutates.

Of interest to network managers, SEP also contains Symantec Network Access Control, which remains dormant until activated. Symantec Network Access Control works with SEP network servers to provide "the management and administration of these security measures, as well as to the risk, reporting, and knowledge management of the state and results of these measures" when SEP is used in a managed environment, which is not covered in this Web page.

 
     
New Features
 
Note that the firewall part of SEP comes unconfigured -- wide open -- and is difficult to configure, so the ACCC has chosen not to include it in the recommended client. Please continue to use the Windows firewall or whatever firewall you have been using.
Proactive Threat Scanning
Behavior-based protection against zero-day threats and threats not seen before. Unlike other heuristic-based technologies, Proactive Threat Scan scores both the good and the bad behavior of unknown applications, giving more accurate malware detection.
  • Accurately detects malware without the need to set up rule-based configurations.
  • Helps lower the number of false positives.
Advanced Rootkit Detection and Removal
Provides superior rootkit detection and removal using VxMS (Veritas Mapping Service, from Veritas), thereby providing access below the operating system to allow thorough analysis and repair.
  • Detects and removes the most difficult rootkits.
  • Saves the time, money, and productivity lost to re-imaging infected machines.
Device Control (For individuals and network administrators)
Controls which peripherals can be connected to a machine and how the peripherals are used. It locks down endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices.
  • Prevents sensitive and confidential data from being extracted or stolen from endpoints (data leakage).
  • Prevents endpoints from being infected by viruses spread from peripheral devices.
Application Control (For network administrators)
Allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed as suspicious or high risk.
  • Prevents malware from spreading or harming endpoints.
  • Locks down endpoints to prevent data leakage.
Single Agent and Single Console (For network administrators)
A single agent for all Symantec Endpoint Protection technologies and Symantec Network Access Control. Delivers a single integrated interface for managing all Symantec Endpoint Protection technologies and Symantec Network Access Control, with a single communication method and content delivery system across all technologies. Reduces administrative effort for managed deployments.
 
     
System Requirements:
 

Symantec Endpoint Protection Client (32-bit)

Minimum requirements

  • Windows 2000 SP3+, Windows XP, Windows Server 2003, Windows Vista (x86), Windows SBS 2003, Windows 7, and you must use an administrator account
  • Pentium III 300 MHz
  • 256MB RAM
  • 500 MB disk (plus an additional 440 MB during installation)
  • Internet Explorer 6.0 or later

Symantec Endpoint Protection Client (64-bit)

Minimum requirements

  • Windows XP (x64) SP1+, Windows Server 2003 (x64), Windows Vista (x64), Windows 7, and you must use an administrator account
  • 1 GHz with one of the following processors: Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support, AMD 64-bit Opteron, AMD 64-bit Athlon (Note: Itanium is not supported)
  • 256MB RAM
  • 500 MB disk (plus an additional 440 MB during installation)
  • Internet Explorer 6.0 or later
 
     
1. Download Symantec Endpoint Protection for Windows
 

The downloaded SEP install file is 92 MB; if you want to install it at home and you have a slow network connection, you might want to download it on campus and put it on USB flash drive to take home.

  1. Symantec Endpoint Protection can be downloaded from the University of Illinois Webstore. You will have to log in to the Webstore using Bluestem with your UIC netid (be sure to include @uic.edu) and ACCC password. SEP continues to be available to the entire UIC community, faculty, staff, and registered students, at no charge.
  2. After you log in to the Webstore, click on the FACULTY/STAFF or STUDENTS tab. Click on the Symantec Endpoint Protection link in the Featured Products boxes.
  3. This is the client that is free for everyone to use on all their Windows XP and Vista machines, both on- and off-campus. Click on Symantec Endpoint Protection.
  4. On the next window, click on Add To Cart.
  5. Click I Agree to agree to the licensing agreement.
  6. Click Check out.
  7. Enter your name and email address, click Next>>.
  8. Click on Download and then View Order Details to get to the download page.
  9. Click on Install Now beside the correct installer to download the product.
    • Symantec Endpoint Protection (without firewall)
    • Symantec Endpoint Protection (with firewall component) If you choose to install this version, make sure to first read the documentation on how to configure the firewall.
  10. You will be asked to enter your netid and ACCC password again. It will ask for your password for ad.uic.edu or your AD password; that is your ACCC common password.

Note: After a successful installation, you can safely delete the downloaded SEP file.

 
     
2. Installing Symantec Endpoint Protection for Windows
 

You must uninstall all other antivirus software before you install Symantec Endpoint Protection, except for Symantec AntiVirus Version 10. (Actually, the Symantec documentation says you can install it over SAV version 9 as well, but we haven't tried that.)

You must use an administrator account to install and set up Symantec Endpoint Protection.

  1. Double-click on the SEP-F.exe file you downloaded. (Or SEP-WF.exe)
    • If you are using Windows Vista and receive an error message about SaSetupWrapper, right-click on the SEP-F.exe file and select Run as Administrator.
  2. A dialog box will open warning you that the software publisher is unknown. Click Run.
  3. This is a quiet installation. You will see one or two status dialog boxes saying what is being done with estimates of how much longer the installation will take, but that is it.



  4. At the end, a dialog box will open saying that your Antivirus Definitions are too old. (This may not happen if you are installing over SAV 10.) Click to close this box.
  5. Check to make sure that LiveUpdate ran by default:
    1. Right-click on the SEP yellow shield icon in the system tray (or as Microsoft calls it, notification area, the end of the taskbar which is generally at the lower right-hand corner of your screen) and click Open Symantec Endpoint Protection.

    2. SEP opens with the Status tab (down the left side) selected.
      • If there is a green bar which says Your computer is protected., then your computer is protected, and by default, it will run a scan again at around 8 pm tonight. (Either don't turn your computer off or change when the default scans are run if you must turn it off.)
        [screenshot: All is Well]
      • If there is a red bar that says you have a problem or a yellow bar saying the definitions are out of date, click the yellow Fix button.

        Most likely the problem is that LiveUpdate was not run automatically and all that needs to be done is to run it. SEP will run it and that will fix the problem.
  6. LiveUpdate runs a little differently in SEP than it did in Symantec and Norton AntiVirus. By default, it runs automatically and closes itself when it finishes. So you may not see it run at all, and if you do, it might close itself before you see it finish.
    [screenshot: LiveUpdate]
 
     
The Default Configuration and Actions
 

Configurations:

The default SEP configuration is probably what you want. I only changed two things. But you might want to take a look at it anyway.

  • Click on the Options button beside Antivirus and Antispyware Protection and Proactive Threat Protection, and select Change Settings..., or
  • Click the Change Settings tab and click Configure Settings.

The default configuration is:

  • All types of scans are turned on; these are: File System Auto-Protect, Internet Email Auto-Protect
  • All scans scan all files.
  • The default scanning frequency is every hour (Configure Settings for Proactive Threat Protection, Scan Frequency tab)
  • Auto-Protect: Antivirus and Antispyware Protection Configure Settings -> File System Auto-Protect -> Advanced
    • Starts at system start
    • Runs on files when they are opened or modified
    • Turns itself back on after 30 minutes when you turn it off (say to install something)
    • Backs up files before attempting repair
    • Enables Threat Tracer
    • Turns on Heuristics -- searching for viruses and worms by their generic characteristics
  • Internet Email: Antivirus and Antispyware Protection Configure Settings -> Internet E-mail Auto-Protect -> Advanced
    • Scans files inside compressed files
    • Uses Heuristics
    • Protects incoming and outgoing email, using POP3 or SMTP protocols.
  • And turns on Tamper Protection, which protects SEP and LiveUpdate from being tampered with by unauthorized sources. (Viruses have been known to break the antivirus program; that's a wise first step for them.)

Set Internet E-Mail Auto-Protect to Scan SSL Email

There are two things that you should change:

  1. Click Configure Settings for Proactive Threat Protection, then the Scan Details tab.
    1. At the bottom, in the Commercial Applications box, select Terminate or Quarantine for When a commercial keylogger is detected: and When a commercial remote control application is detected:.
  2. Click Configure Settings for Antivirus and Antispyware Protection, then select the Internet E-Mail Auto-Protect tab.
    1. Click Enable Internet E-mail Auto-Protect if it isn't already selected.
    2. Click the Advanced button on the right. Click both Allow encrypted POP 3 connections and Allow encrypted SMTP connections.
    3. Replace the 110 for the POP3 port with 995, and replace the 25 for the SMTP port with either 587 (if you are using STARTTLS) or 465 (if you are using SSL on the alternate port). (The easiest thing may be to check your email program and see what you have set for your SMTP outgoing email port.) SEP doesn't check the IMAP port, so it cannot scan incoming IMAP email.
    4. Click OK, OK.
  3. Close SEP.
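If you are not sure which encrypted ports your mail server actually accepts (995 for POP3, and 587 with STARTTLS or 465 with SSL for SMTP), you can test them directly instead of guessing, and then enter the ports that work into SEP. The PowerShell script below is an added example written for this page; it is not code from the ACCC or from Symantec. The server names pop.example.invalid and smtp.example.invalid are placeholders to be replaced with the hosts your e-mail program is configured to use, and the function names are made up for the example. Run it from a normal PowerShell prompt; it only opens connections to your own mail server and negotiates TLS the same way a mail client would.

```powershell
# Added example (not from the ACCC page or Symantec): check which encrypted mail
# ports a server accepts, so the right numbers can be entered in SEP's
# Internet E-mail Auto-Protect settings. Server names are placeholders.
$pop3Server = 'pop.example.invalid'    # placeholder: your POP3 server
$smtpServer = 'smtp.example.invalid'   # placeholder: your SMTP server

function Test-ImplicitTls {
    # Ports 995 (POP3S) and 465 (SMTPS) expect TLS immediately after connecting.
    param([string]$Server, [int]$Port)
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)       # also validates the server certificate
        $result = "TLS OK ({0})" -f $ssl.SslProtocol
        $ssl.Close(); $client.Close()
        return $result
    } catch {
        return "failed: " + $_.Exception.Message
    }
}

function Test-SmtpStartTls {
    # Port 587 starts in clear text: read the banner, send EHLO, check that the
    # server advertises STARTTLS, send STARTTLS, then negotiate TLS on the same socket.
    param([string]$Server, [int]$Port = 587)
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $null = $reader.ReadLine()                          # "220 ..." greeting
        $writer.WriteLine("EHLO sep-port-check.local")      # hypothetical client name
        $offersStartTls = $false
        do {
            $line = $reader.ReadLine()
            if ($line -match '^250[ -]STARTTLS') { $offersStartTls = $true }
        } while ($line -match '^250-')                      # "250-" continues, "250 " ends
        if (-not $offersStartTls) { $client.Close(); return "server does not advertise STARTTLS" }
        $writer.WriteLine("STARTTLS")
        $reply = $reader.ReadLine()
        if ($reply -notmatch '^220') { $client.Close(); return "STARTTLS refused: $reply" }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($Server)
        $result = "STARTTLS OK ({0})" -f $ssl.SslProtocol
        $ssl.Close(); $client.Close()
        return $result
    } catch {
        return "failed: " + $_.Exception.Message
    }
}

"POP3  {0}:995  -> {1}" -f $pop3Server, (Test-ImplicitTls $pop3Server 995)
"SMTP  {0}:465  -> {1}" -f $smtpServer, (Test-ImplicitTls $smtpServer 465)
"SMTP  {0}:587  -> {1}" -f $smtpServer, (Test-SmtpStartTls $smtpServer)
```

A line reporting "TLS OK" or "STARTTLS OK" means that port and mode work with your server; a "failed" line with a certificate error means the TLS handshake itself was rejected, which is worth knowing before you point SEP at that port.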

Actions:

When SEP finds a virus, worm, or expanded security threat -- spyware, adware and the like -- it has two actions that it can take. The first action is intended to fix the problem. It employs the second action when the first action fails.

The default actions are the same for each type of threat for each type of scan, but you can change the actions by scan or by file if you wish:

Antivirus and Antispyware Protection -> Configure Settings ->File System Auto-Protect -> Actions

  • Worms, Viruses, and Macro Viruses:
    • First: Clean
    • Second: Quarantine
  • Expanded Security Threat - adware, dialers, hack tools, joke programs, remote access, spyware, trackware, others
    • First: Quarantine and clear any changes to the registry
    • Second: Leave alone but Log
 
     
4. Schedule Regular Full Scans and LiveUpdate
 

You don't have to do this; SEP does it for you, a daily full scan at about 8 PM. Note that LiveUpdate in SEP is set up to run and close automatically. If you want it to wait until you close it, you have to:

Start -> Settings ->Control Panel ->Symantec LiveUpdate -> Interactive Mode -> OK

 
     
4a. How to Tell if Auto-Protect Is Running
 

You can tell when Auto-Protect is running because you'll see the gold shield in the Windows system tray. (Generally the lower right corner of the Windows monitor screen.) When Auto-Protect is turned off, the gold shield will have a red circle with a line through it at its bottom.

[screenshot: SAV's gold shield]

Sometimes Auto-Protect will try to protect you from installing programs that you want to install. In this case, turn it off for a short period of time, while you install the program:

  • Right-click on the gold shield icon, and un-check Enable Auto-Protect. To turn it back on, right-click it again and check Enable Auto-Protect to select it.

  • Or in Symantec Endpoint Protection, click Change Settings, then Antivirus and Antispyware Protection Configure Settings. On the File System Auto-Protect tab, uncheck Enable Auto-Protect. Recheck it to turn it back on.

Double-clicking on the gold shield is an alternate way to open SEP.
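Besides looking for the gold shield, you can ask Windows itself whether SEP is running and whether its definitions are current. The PowerShell script below is an added example written for this page, not code from the ACCC or from Symantec. It checks the SEP Windows services and then reads what the Windows Security Center reports about installed antivirus products. The service names SepMasterService and SmcService, the Security Center WMI class and property names, and the decoding of the productState bit field are assumptions drawn from common administrative use rather than anything documented on this page; if Get-Service shows different names on your machine, change the list at the top.

```powershell
# Added example (not from the ACCC page or Symantec): report whether the SEP
# services are running and what Windows Security Center says about antivirus state.
# Service names are assumptions about SEP 11; adjust if Get-Service shows others.
$sepServiceNames = @('SepMasterService', 'SmcService')

Write-Host "== Symantec Endpoint Protection services =="
foreach ($name in $sepServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host ("{0,-18} not installed under this name" -f $name)
    } else {
        Write-Host ("{0,-18} {1}" -f $svc.Name, $svc.Status)
    }
}

Write-Host "== Windows Security Center antivirus products =="
# Vista and later register antivirus products in root\SecurityCenter2 with a packed
# productState value; Windows XP SP2/SP3 used root\SecurityCenter with plain booleans.
$products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if ($products) {
    foreach ($p in $products) {
        # Assumed layout of productState (confirm against the SEP status window):
        #   middle byte 0x10 = real-time protection on, 0x00 = off
        #   low byte    0x00 = definitions up to date, 0x10 = out of date
        $state = [int]$p.productState
        $productByte = ($state -band 0xFF00) / 256
        $signatureByte = $state -band 0xFF
        $enabled = ($productByte -eq 0x10)
        $defsStale = ($signatureByte -ne 0)
        Write-Host ("{0}: enabled={1} definitionsOutOfDate={2} (raw state 0x{3:X6})" -f `
            $p.displayName, $enabled, $defsStale, $state)
    }
} else {
    # Windows XP namespace: reports on-access scanning and definition status directly.
    $xpProducts = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($xpProducts) {
        foreach ($p in $xpProducts) {
            Write-Host ("{0}: onAccessScanningEnabled={1} productUptoDate={2}" -f `
                $p.displayName, $p.onAccessScanningEnabled, $p.productUptoDate)
        }
    } else {
        Write-Host "No antivirus product registered with Windows Security Center."
    }
}
```

If the services show as Running but Security Center reports the product as not enabled or its definitions out of date, open SEP and click Fix, or run LiveUpdate, as described above; the two views should agree once Auto-Protect is on and definitions are current.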

 
     
5. More About SEP Scans
 

After you finish setting everything up, SEP will run your first automatic scan.

To run scans manually or change the options on the scheduled scans, first you:

  1. Open Symantec Endpoint Protection: Start -> Programs -> Symantec Endpoint Protection -> Symantec Endpoint Protection.
  2. Click Scan for Threats.

To run a manual scan in SEP:

Click Active Scan or Full Scan.

To create a new scan:

Click Create a New Scan.
[screenshot: Full Scan options]

  • A Quick Scan scans system memory and all the common virus and security risk locations on your computer.
  • A Full Scan scans system memory, boot sector, and all attached drives, including network drives.
  • A custom, user-defined scan is limited to the files and folders that you specify.

You don't have to select the drives or files to search for Quick or Full Scans, though you can select files to skip. If you want to specify which files to scan, use User-defined Scan.

To change the schedule of the Daily Full Scan:

Right-click on its name and select Edit... Change the day and time on the Scan Schedule tab.

 
     
6. What to Do If SEP Finds a Virus
 

By default, SEP will try to clean the virus out of the infected file. If Auto-Protect or a manual scan finds the file and the first action fails, it will present the file to you so you can decide what to do.

If it's a scheduled scan and the first action fails, it will automatically execute the second action, which by default is to put the file into Quarantine, where you won't accidentally access it.

You can change these default settings to (1) delete the infected file when it's found, or (2) leave it alone and just log that the virus was found, which is called "log only".

(Sorry, these pictures are from an old version; I don't have any viruses. And, no, I don't want any sent to me, thanks.)

When the clean action fails:

  1. Run LiveUpdate again: In SEP, click LiveUpdate. (If there is a new virus definition file, SEP might be able to clean up your file.)

  2. If the file is in Quarantine, in the left pane, click View Quarantine.
    If it's the result of Auto-Protect or a manual scan, the worms, viruses, and security threats will be listed in a Results window (see below).


  3. Double-click on the name of the virus or right-click and select Properties to see what the virus is, where it is, what type it is, and the status of the first action.


  4. Right-click on the name of the file you want to clean, and select Clean from the right-click menu.

  5. If SEP cleans your file, you're done. Well, you'll have to move the file back where it came from, and SEP won't remember where that is.

  6. If not, then right-click again and select either Delete Permanently or Move To Quarantine. (You should be cautious about deleting files; move them to quarantine and see whether the next virus update can clean them.)

To delete a file in Quarantine, do the same as above, only click Delete.

 
     
Want to know more?
   
     
Need Additional Help?
 

If you need additional help downloading or installing the antivirus software, please contact the Client Services Office.

 


2010-3-26  ACCC Consultants