In Symantec Enterprise Protection (SEP) 5.1 MR3 the kernel drivers will be automatically disabled on the agent if there are no OS Protection or Buffer Overflow Protection policies applied to its group.
For versions prior to MR3 you can create a Host Integrity rule that disables the drivers using the following settings:
- Add a Custom Requirement to your Host Integrity rule.
- Add a "Registry: Set registry value" rule with the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysGuard", the value name "Start" and the DWORD value "4".
- Add a "Registry: Set registry value" rule with the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant", the value name "Start" and the DWORD value "4".
- Apply the new Host Integrity rule to the group containing the clients on which you wish to disable the drivers.
After the next reboot the OS Protection and Buffer Overflow Protection drivers will not be loaded.
The same method can be used with the Symantec Endpoint Protection 11.x agent for the SysPlant driver if needed.
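To confirm the result on a client, the following PowerShell check (an added example, not part of the original article or any Symantec tooling) reads the "Start" value for both services and compares it with whether the driver is currently loaded, which identifies clients that have received the rule but not yet rebooted. It assumes Windows PowerShell 3.0 or later and local read access to HKLM; the status strings are illustrative.

```powershell
# Added example: audit the two driver services named in the steps above.
# Start value meanings as defined by the Windows service control manager (4 = disabled).
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$services   = 'SysGuard', 'SysPlant'

$report = foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    if (-not (Test-Path -LiteralPath $key)) {
        # The driver service is not installed on this client.
        [pscustomobject]@{
            Service = $name; Start = $null; StartType = 'KeyMissing'
            Loaded  = $false; Status = 'Not installed'
        }
        continue
    }

    # Configured start type (takes effect at the next boot).
    $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start

    # Win32_SystemDriver reports whether the kernel driver is loaded right now.
    $drv    = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    $loaded = ($null -ne $drv) -and ($drv.State -eq 'Running')

    if ($null -eq $start) {
        $status = 'Start value missing'
    } elseif ($start -eq 4 -and $loaded) {
        $status = 'Disabled in registry, still loaded: reboot pending'
    } elseif ($start -eq 4) {
        $status = 'Disabled and not loaded'
    } elseif ($loaded) {
        $status = 'Enabled and loaded'
    } else {
        $status = 'Enabled but not loaded'
    }

    $known = ($null -ne $start) -and $startTypes.ContainsKey([int]$start)
    [pscustomobject]@{
        Service   = $name
        Start     = $start
        StartType = if ($known) { $startTypes[[int]$start] } else { 'Unknown' }
        Loaded    = $loaded
        Status    = $status
    }
}

$report | Format-Table -AutoSize
```

On a group where the drivers are expected to stay active, the same output shows any client whose "Start" value has been changed to 4.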