Recommended security settings for Endpoint Protection

Article ID: 155348

Products

Endpoint Protection

Issue/Introduction

The Symantec Security Technology and Response (STAR) and Symantec Endpoint Protection (SEP) teams have developed a recommended security posture for Endpoint Protection.

These settings are based on the High Security Virus and Spyware Protection policy, which you can configure within Symantec Endpoint Protection Manager (SEPM).

Note: Although the High Security settings are the recommended choice, they are not the default.


CAUTION: Customer environments vary widely, and these recommendations do not fit every environment. Test a policy on a pilot group before assigning it broadly.

Resolution

Policy types

The Symantec Endpoint Protection Manager comes with the following preconfigured Virus and Spyware Protection policies:

  • High Security
  • High Performance
  • Balanced

The Balanced policy is the default policy that applies to client groups. You can customize these preconfigured policies, or use them as examples in the creation of new policies.

Symantec encourages you to explore and test the differences, and to choose a policy that best fits your needs.

How to create, copy, or edit policies

To view and edit Virus and Spyware Protection policy settings in Endpoint Protection Manager

  1. Click Policies > Virus and Spyware Protection.
    The existing policies appear in the right pane.
  2. Either create a new policy or copy an existing one:
    • Create a new policy: Under Tasks, click Add a Virus and Spyware Protection policy.
    • Copy an existing policy: Right-click the policy you want to copy, then click Copy. In the right pane, right-click, then click Paste.
  3. Double-click a policy to view or edit its settings.

When you create a new Virus and Spyware Protection policy (instead of copying or editing an existing one), it is populated with the default Balanced settings, not the High Security settings. To start from the recommended posture, copy the High Security policy and edit the copy; leave the preconfigured original unchanged so you can always compare against it.

For these and other instructions (how to assign policies to Endpoint Protection clients), see the Endpoint Protection Installation and Administration Guide for your product version.


The following tables compare the settings of the three preconfigured Virus and Spyware Protection policies, one table per policy page.

Policy settings

Legend:

  • (LOCKED) marks a setting that the policy locks (red text in the original table); (unlocked) marks a setting the policy leaves open (green text in the original). Rows with no annotation carry no lock state in the source tables.
  • An Endpoint Protection Manager administrator can modify all of these settings. A user on an Endpoint Protection client can modify only unlocked settings, even if that user is also the Endpoint Protection Manager administrator. An unlocked setting is therefore only a starting value: if your security posture depends on it, lock it.
  • Where a policy differs from the others, the difference is visible in its column (the original table marks such settings in underlined bold); compare the Balanced and High Performance columns against High Security.

Administrator-defined Scans

Setting | Balanced | High Performance | High Security
Daily Scheduled Scan | Enabled, every day at 12:30 AM | Enabled, every day at 12:30 AM | Enabled, every day at 12:30 AM
Scan Type | Active Scan | Active Scan | Active Scan
File types | Scan all files | Scan all files | Scan all files
Enhance scan by checking: Memory... | Yes | Yes | Yes
...common infection locations | Yes | Yes | Yes
...well-known virus and security risk locations | Yes | Yes | Yes
Scan Compressed Files | Yes, 3 levels deep | Yes, 3 levels deep | Yes, 3 levels deep
Storage Migration... | Skip offline and sparse files | Skip offline and sparse files | Skip offline and sparse files
...open files with backup semantics | No | No | No
Tuning | Best Application Performance | Best Application Performance | Best Application Performance
Enable Insight Lookup | Yes | Yes | Yes
Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical)
Insight reputation detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Schedule | Daily at 12:30 AM | Daily at 12:30 AM | Daily at 12:30 AM
Scan Duration | Scan up to 2 hours | Scan up to 2 hours | Scan up to 2 hours
Randomize start time | Yes | Yes | Yes
Retry scan | Yes, within 72 hours | Yes, within 264 hours | Yes, within 72 hours
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine | Clean / Quarantine | Clean / Quarantine
Virus: Override actions configured for malware? | No | No | No
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Adware: Override actions configured for security risks? | No | No | No
Dialer? | No | No | No
Hack Tool? | No | No | No
Joke Program? | No | No | No
Misleading Application? | No | No | No
Parental Control? | No | No | No
Remote Access? | No | No | No
Security Assessment Tool? | No | No | No
Security Risk? | No | No | No
Spyware? | No | No | No
Trackware? | No | No | No
Backup files before attempting repair | Yes | Yes | Yes
Terminate processes automatically | Yes | Yes | Yes
Stop services automatically | Yes | Yes | Yes
Display notification on infected computer | No | No | No

Administrator On-demand Scan Settings
Scan the following folders | All Folders | All Folders | All Folders
File types | Scan all files | Scan all files | Scan all files
Enhance scan by checking: Memory... | Yes | Yes | Yes
...common infection locations | Yes | Yes | Yes
...well-known virus and security risk locations | Yes | Yes | Yes
Scan Compressed Files | Yes, 3 levels deep | Yes, 3 levels deep | Yes, 3 levels deep
Storage Migration... | Skip offline and sparse files | Skip offline and sparse files | Skip offline and sparse files
...open files with backup semantics | No | No | No
Tuning | Best Application Performance | Best Application Performance | Best Application Performance
Insight Lookup | Enabled | Enabled | Enabled
Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical)
Insight detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine | Clean / Quarantine | Clean / Quarantine
Virus: Override actions configured for malware? | No | No | No
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only) | Quarantine / Leave alone (log only)
Adware: Override actions configured for security risks? | No | No | No
Dialer? | No | No | No
Hack Tool? | No | No | No
Joke Program? | No | No | No
Misleading Application? | No | No | No
Parental Control? | No | No | No
Remote Access? | No | No | No
Security Assessment Tool? | No | No | No
Security Risk? | No | No | No
Spyware? | No | No | No
Trackware? | No | No | No
Backup files before attempting repair | Yes | Yes | Yes
Terminate processes automatically | Yes | Yes | Yes
Stop services automatically | Yes | Yes | Yes
Display notification on infected computer | No | No | No

Administrator-Defined Scans, Advanced Tab
Delay scheduled scans when running on batteries | Yes | Yes | Yes
Allow user-defined scans to run when user is not logged on | Yes | Yes | Yes
Display notifications about detections when user logs on | Yes | Yes | Yes
Allow startup scans to run when user logs on | No | No | No
Run an active scan when new definitions arrive | Yes | Yes | Yes
Show scan progress | No | No | No

Auto-Protect

Setting | Balanced | High Performance | High Security

Auto-Protect Scan Details
Enabled | Yes (LOCKED) | Yes (unlocked) | Yes (LOCKED)
File types to scan | Scan all files (unlocked) | Scan only selected extensions (common programs and documents) (unlocked) | Scan all files (LOCKED)
Scan for security risks | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Scan files on remote computers... | Yes (unlocked) | No (unlocked) | Yes (LOCKED)
...scan remote files only when files are executed | Yes (unlocked) | N/A | Yes (LOCKED)
Trust files on remote computers running Auto-Protect | Yes (unlocked) | N/A | Yes (LOCKED)
Enable network cache | Yes; keep up to 30 entries, delete entries after 600 seconds (unlocked) | N/A | Yes; keep up to 30 entries, delete entries after 600 seconds (LOCKED)
Activities that trigger Auto-Protect scan | File is accessed or modified (unlocked) | File is accessed or modified (unlocked) | File is accessed or modified (LOCKED)
Scan when a file is backed up | Yes (unlocked) | No (unlocked) | Yes (LOCKED)
Do not scan files when trusted processes access the files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Check floppies for boot virus when accessed | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Action to take when floppy boot virus is found | Leave alone (log only) (unlocked) | Leave alone (log only) (unlocked) | Leave alone (log only) (LOCKED)
Always delete newly created infected files | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
...delete newly created security risks | No (unlocked) | No (unlocked) | No (LOCKED)
Preserve file times | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine (unlocked) | Clean / Quarantine (unlocked) | Clean / Quarantine (LOCKED)
Virus: Override actions configured for malware? | No (unlocked) | No (unlocked) | No (unlocked)
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Delete (unlocked) | Quarantine / Leave alone (unlocked) | Quarantine / Delete (LOCKED)
Adware: Override actions configured for security risks? | No (unlocked) | No (unlocked) | No (LOCKED)
Dialer? | No (unlocked) | No (unlocked) | No (LOCKED)
Hack Tool? | No (unlocked) | No (unlocked) | No (LOCKED)
Joke Program? | No (unlocked) | No (unlocked) | No (LOCKED)
Misleading Application? | No (unlocked) | No (unlocked) | No (unlocked)
Parental Control? | No (unlocked) | No (unlocked) | No (unlocked)
Remote Access? | No (unlocked) | No (unlocked) | No (LOCKED)
Security Assessment Tool? | No (unlocked) | No (unlocked) | No (unlocked)
Security Risk? | No (unlocked) | No (unlocked) | No (unlocked)
Spyware? | No (unlocked) | No (unlocked) | No (LOCKED)
Trackware? | No (unlocked) | No (unlocked) | No (LOCKED)
Backup files before attempting to repair them | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Terminate processes automatically | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Stop services automatically | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Display notification on infected computer | No (unlocked) | No (unlocked) | Yes (LOCKED)
Display the Auto-Protect results dialog on the infected computer | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Load Auto-Protect when | When computer starts (unlocked) | When SEP starts (unlocked) | When computer starts (LOCKED)
Check floppies when computer shuts down | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
When Auto-Protect must be reloaded | Stop and reload Auto-Protect (unlocked) | Stop and reload Auto-Protect (unlocked) | Stop and reload Auto-Protect (LOCKED)
When Auto-Protect is disabled, enable after X minutes | Yes, 5 minutes (unlocked) | Yes, 5 minutes (unlocked) | Yes, 5 minutes (LOCKED)
Enable file cache... | Yes, use default cache size (unlocked) | Yes, use default cache size (unlocked) | Yes, use default cache size (LOCKED)
...rescan cache when new definitions arrive | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Enable Risk Tracer... | No (unlocked) | No (unlocked) | Yes (LOCKED)
...resolve the source computer IP address | N/A | N/A | Yes (LOCKED)
...poll for network sessions every X milliseconds | N/A | N/A | Yes, every 1000 msec (LOCKED)

Download Protection

Setting | Balanced | High Performance | High Security
Enable Download Insight | Yes (LOCKED) | Yes (unlocked) | Yes (LOCKED)
Malicious file sensitivity | Level 5 (Typical) (unlocked) | Level 1 (Minimum) (unlocked) | Level 5 (Typical) (LOCKED)
...also detect files with X or fewer users | No (unlocked) | No (unlocked) | No (LOCKED)
...also detect files known by users for X or fewer days | No (unlocked) | No (unlocked) | No (LOCKED)
Automatically trust any file downloaded from an intranet site | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Malicious download detection: first action... | Quarantine (unlocked) | Quarantine (unlocked) | Quarantine (LOCKED)
...if first action fails | Leave alone (log only) (unlocked) | Leave alone (log only) (unlocked) | Leave alone (log only) (LOCKED)
Action for unproven files | Prompt (unlocked) | Prompt (unlocked) | Prompt (LOCKED)
Display Download Insight notifications on infected computer | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)

SONAR

Setting | Balanced | High Performance | High Security
Enable SONAR | Yes (LOCKED) | Yes (unlocked) | Yes (LOCKED)
High risk detection action | Quarantine (unlocked) | Quarantine (unlocked) | Quarantine (LOCKED)
Low risk detection action | Log (unlocked) | Log (unlocked) | Log (LOCKED)
Enable aggressive mode | No (unlocked) | No (unlocked) | No (LOCKED)
Show alert upon detection | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Prompt before terminating a process | No (unlocked) | No (unlocked) | No (LOCKED)
Prompt before stopping a service | No (unlocked) | No (unlocked) | No (LOCKED)
Action to take when DNS change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED)
Action to take when hosts file change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED)
Suspicious behavior high risk detection action | Block (unlocked) | Ignore (unlocked) | Block (LOCKED)
Suspicious behavior low risk detection action | Ignore (unlocked) | Ignore (unlocked) | Log (LOCKED)

Note: "Log" is the recommended action for low risk suspicious behavior detections. Choose a blocking action only if you are adopting a very aggressive detection posture and can tolerate the resulting false positives.

TruScan Legacy Client Settings
Scan for trojans and worms... | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
...use trojan/worm sensitivity defaults defined by Symantec | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
Scan for keyloggers... | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
...use keylogger sensitivity defaults defined by Symantec | Yes (unlocked) | Yes (unlocked) | Yes (LOCKED)
When a commercial keylogger is detected | Log (unlocked) | Log (unlocked) | Log (LOCKED)
When a commercial remote control application is detected | Log (unlocked) | Log (unlocked) | Log (LOCKED)
How often should TruScan run | At the default frequency (unlocked) | At a custom scanning frequency: scan processes every 6 hours, do not scan new processes (unlocked) | At a custom scanning frequency: scan processes every 15 minutes, scan new processes immediately (LOCKED)

Internet, MS Outlook, and Lotus Notes Email Auto-Protect

Setting | Balanced | High Performance | High Security
Enable Email Auto-Protect | Yes (unlocked) | No (unlocked) | Yes (LOCKED)
File types to scan | Scan all files (unlocked) | N/A | Scan all files (LOCKED)
Scan inside compressed files | Yes, 3 levels deep (unlocked) | N/A | Yes, 3 levels deep (LOCKED)
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine (unlocked) | N/A | Clean / Quarantine (unlocked)
Virus: Override actions configured for malware? | No (unlocked) | N/A | No (unlocked)
Security Risk detections: 1st action / 2nd action if first fails | Quarantine / Leave alone (unlocked) | N/A | Quarantine / Leave alone (LOCKED)
Adware: Override actions configured for security risks? | No (unlocked) | N/A | No (LOCKED)
Dialer? | No (unlocked) | N/A | No (LOCKED)
Hack Tool? | No (unlocked) | N/A | No (LOCKED)
Joke Program? | No (unlocked) | N/A | No (LOCKED)
Misleading Application? | No (unlocked) | N/A | No (unlocked)
Parental Control? | No (unlocked) | N/A | No (unlocked)
Remote Access? | No (unlocked) | N/A | No (LOCKED)
Security Assessment Tool? | No (unlocked) | N/A | No (unlocked)
Security Risk? | No (unlocked) | N/A | No (unlocked)
Spyware? | No (unlocked) | N/A | No (LOCKED)
Trackware? | No (unlocked) | N/A | No (LOCKED)
Display a notification on the infected computer | Yes (unlocked) | N/A | Yes (LOCKED)
Insert warning into email message | Yes (unlocked) | N/A | Yes (LOCKED)
Send email to the sender | No (unlocked) | N/A | No (LOCKED)
Send email to others | No (unlocked) | N/A | No (LOCKED)

The following settings apply only to Internet Email Auto-Protect
Display progress indicator when email is being sent | No (unlocked) | N/A | No (LOCKED)
Display a notification area icon | No (unlocked) | N/A | No (LOCKED)
Incoming mail server (POP3) port | 110 (unlocked) | N/A | 110 (LOCKED)
Outgoing mail server (SMTP) port | 25 (unlocked) | N/A | 25 (LOCKED)
Allow encrypted POP3 connections | Yes (unlocked) | N/A | Yes (LOCKED)
Allow encrypted SMTP connections | Yes (unlocked) | N/A | Yes (LOCKED)
Use outbound worm heuristics | Yes (unlocked) | N/A | Yes (LOCKED)
Outbound worm detection, first action | Quarantine (unlocked) | N/A | Quarantine (LOCKED)
Outbound worm detection, second action if first fails | Delete (unlocked) | N/A | Delete (LOCKED)

Global Scan Options

Setting | Balanced | High Performance | High Security
Enable Insight | Yes: Symantec Trusted (LOCKED) | Yes: Symantec Trusted (unlocked) | Yes: Symantec Trusted (LOCKED)
Enable Bloodhound | Yes, automatic (unlocked) | Yes, automatic (unlocked) | Yes, aggressive (LOCKED)
Ask for password before scanning mapped network drive | No | No | No
Enable Shared Insight Cache | No | No | No

Note: the Aggressive Bloodhound setting is likely to produce more false positives. Enable it only if that is acceptable in your environment.

Exceptions

Setting | Balanced | High Performance | High Security
Application Exception | No | No | No
Extension Exception | No | No | No
File Exception | No | No | No
Folder Exception | No | No | No
Security Risk Exception | No | No | No
SONAR Exception | No | No | No
Known Risks Exception | No | No | No
Trusted Web Domain Exception | No | No | No
DNS or Host File Change Exception | No | No | No

Quarantine

Setting | Balanced | High Performance | High Security
When new definitions arrive, take automatic action on quarantine items | Silent repair and restore | Silent repair and restore | Silent repair and restore
Quarantine folder location | Use the default | Use the default | Use the default
Allow client computers to manually submit to Security Response | Yes | Yes | Yes
Allow client computers to manually submit to Quarantine Server | No | No | No
Enable automatic deleting of repaired files... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days
...delete oldest repaired files to limit folder size to X MB | No | No | No
Enable automatic deleting of backup files... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days
...delete oldest backup files to limit folder size to X MB | No | No | No
Enable automatic deleting of files that could not be repaired... | Yes, delete after 30 days | Yes, delete after 30 days | Yes, delete after 30 days
...delete oldest non-repairable files to limit folder size to X MB | No | No | No

Miscellaneous

Setting | Balanced | High Performance | High Security
Disable Windows Security Center | Never | Never | Never
Display antivirus alerts within Windows Security Center | Enable | Enable | Enable
Display WSC message when definitions are outdated by X days | Warn after 29 days | Warn after 29 days | Warn after 29 days
Address to use as browser home page if a security risk changes it | Symantec Security Response | Symantec Security Response | Symantec Security Response
Selected events sent from client to management server | See list below | See list below | See list below
Delete logs older than X days | 14 days (unlocked) | 14 days (unlocked) | 14 days (unlocked)
Send aggregate events every X minutes | 5 minutes | 5 minutes | 5 minutes
Days before a warning appears in SEP client for outdated definitions... | 14 days (unlocked) | 14 days (unlocked) | 14 days (unlocked)
...display a notification message on the client computer | No | No | No
Remediation attempts before warning appears on a client running without definitions... | 2 | 2 | 2
...display a notification message on the client computer | No | No | No
Display error messages with a URL to a solution | Yes, display URL to Symantec KB article | Yes, display URL to Symantec KB article | Yes, display URL to Symantec KB article
Enable Virtual Image Exception for Auto-Protect | No | No | No
Enable Virtual Image Exception for Administrator-Defined Scans | No | No | No

Events sent from client to management server (the same list in all three policies):

  • Scan aborted, started, stopped
  • Security risk side effect repair failed
  • Client running without virus definitions
  • Virus definition rollback
  • Antivirus installed
  • Uninstall, uninstall rolled back
  • Error loading services

macOS

Setting | Balanced | High Performance | High Security

Scheduled Scan
Daily Scheduled Scan | Enabled, every day at 8:00 PM | Enabled, every day at 8:00 PM | Enabled, every day at 8:00 PM
Scan Drives or Folders | Folders, Library folder only | Folders, Library folder only | Folders, Library folder only
Priority | Low | Low | Medium

Administrator On-demand Scan Settings
Scan Drives or Folders in on-demand scans | Drives only: hard drives and removable | Drives only: hard drives and removable | Drives only: hard drives and removable
Scan compressed files in on-demand scans | Yes | No | Yes
Automatically repair files | Yes | Yes | Yes
Quarantine files that cannot be repaired | Yes | Yes | Yes
On-demand scan infection notification on client | No | No | No

Administrator-Defined Scans, Common Settings
Display a notification message on the infected computer | No | No | No
Scan Compressed Files | Yes | No | Yes
Allow scan snooze | No | No | No
Allow scan cancel | No | No | No
Automatically repair files | Yes | Yes | Yes
Quarantine files that cannot be repaired | Yes | Yes | Yes
Show alerts | Only when infected files are found | Only when infected files are found | Only when infected files are found

Macintosh Auto-Protect Settings
Lock Auto-Protect Settings | No | No | No
Enable Auto-Protect | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Automatically repair files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Quarantine files that cannot be repaired | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Scan Compressed Files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
What files are scanned by Auto-Protect | Scan everywhere | Scan everywhere | Scan everywhere
Scan disks when they are mounted | Yes | Yes | Yes
Show progress during mount scans | Yes | Yes | Yes
Scan the following disks or devices when mounted (All, or select from Music or video disks, iPod, Data disks, All other disks) | iPods, Data disks, All other disks | iPods, Data disks, All other disks | iPods, Data disks, All other disks
Display notification on infected computer for Auto-Protect detection | Yes | Yes | Yes
Display warning on client when definitions are outdated by X days | Yes, 30 days | Yes, 30 days | Yes, 30 days
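The tables above are meant to be compared by eye, and the underlined-bold marking that the original uses for rows that differ between policies does not survive in a text copy. The script below is an added example, not part of the Symantec article and not Symantec code: it reads settings rows written as "Setting | Balanced | High Performance | High Security" (a short excerpt from the tables above is embedded as constructed sample input), reports every setting whose value departs from the High Security column, lists the settings a policy leaves unlocked (the ones a user at the client can still change), and lists the settings Balanced leaves unlocked that High Security locks. The row layout, the function names and the sample are this example's own assumptions; there is no Symantec export in this format.

```python
"""Compare the three preconfigured SEP Virus and Spyware Protection policies.

Added example (not Symantec code and not the article's own): parses settings
rows in the plain-text "Setting | Balanced | High Performance | High Security"
layout, then reports
  * settings whose value differs from the High Security column,
  * settings a policy leaves unlocked (changeable by a client user), and
  * settings unlocked in one policy but locked in another.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

POLICIES = ("Balanced", "High Performance", "High Security")

# Constructed sample input: section headings followed by settings rows,
# copied from the comparison tables on this page (an excerpt, not the full set).
SAMPLE_ROWS = """\
Administrator-defined Scans
Setting | Balanced | High Performance | High Security
Insight Level | Level 5 (Typical) | Level 1 (Minimum) | Level 5 (Typical)
Retry scan | Yes, within 72 hours | Yes, within 264 hours | Yes, within 72 hours
Auto-Protect
File types to scan | Scan all files (unlocked) | Scan only selected extensions (common programs and documents) (unlocked) | Scan all files (LOCKED)
Do not scan files when trusted processes access the files | Yes (unlocked) | Yes (unlocked) | Yes (unlocked)
Enable Risk Tracer... | No (unlocked) | No (unlocked) | Yes (LOCKED)
SONAR
Action to take when DNS change detected | Ignore (unlocked) | Ignore (unlocked) | Block (LOCKED)
Internet, MS Outlook, and Lotus Notes Email Auto-Protect
Malware detections: 1st action / 2nd action if first fails | Clean / Quarantine (unlocked) | N/A | Clean / Quarantine (unlocked)
Global Scan Options
Enable Bloodhound | Yes, automatic (unlocked) | Yes, automatic (unlocked) | Yes, aggressive (LOCKED)
Quarantine
Quarantine folder location | Use the default | Use the default | Use the default
"""

# Trailing "(LOCKED)" / "(unlocked)" annotation at the end of a cell.
LOCK_RE = re.compile(r"\s*\((LOCKED|unlocked)\)\s*$")


@dataclass(frozen=True)
class Cell:
    value: str              # setting value with the lock annotation removed
    locked: Optional[bool]  # True / False, or None if the row carries no lock state


def parse_cell(raw: str) -> Cell:
    m = LOCK_RE.search(raw)
    if m is None:
        return Cell(raw.strip(), None)
    return Cell(raw[: m.start()].strip(), m.group(1) == "LOCKED")


def parse_rows(text: str) -> dict[tuple[str, str], dict[str, Cell]]:
    """Map (section, setting) -> {policy: Cell}. A line without '|' starts a section."""
    rows: dict[tuple[str, str], dict[str, Cell]] = {}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "|" not in line:
            section = line
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 1 + len(POLICIES) or tuple(parts[1:]) == POLICIES:
            continue  # malformed row, or the column header line
        setting, *cells = parts
        rows[(section, setting)] = dict(zip(POLICIES, map(parse_cell, cells)))
    return rows


def differing_settings(rows, reference: str = "High Security"):
    """Settings where another policy's value differs from the reference policy's."""
    out = {}
    for key, cells in rows.items():
        ref = cells[reference].value
        others = {p: c.value for p, c in cells.items() if p != reference and c.value != ref}
        if others:
            out[key] = others
    return out


def unlocked_in(rows, policy: str = "High Security"):
    """Settings this policy leaves unlocked: a user on the client can change them."""
    return sorted(k for k, cells in rows.items() if cells[policy].locked is False)


def lock_tightened(rows, weaker: str = "Balanced", stronger: str = "High Security"):
    """Settings unlocked in `weaker` but locked in `stronger`."""
    return sorted(k for k, c in rows.items()
                  if c[weaker].locked is False and c[stronger].locked is True)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for (section, setting), others in differing_settings(parsed).items():
        hs = parsed[(section, setting)]["High Security"].value
        print(f"[{section}] {setting}: High Security = {hs!r}, others = {others}")
    print("Unlocked in High Security:", unlocked_in(parsed))
    print("Locked by High Security but open in Balanced:", lock_tightened(parsed))
```

To run it over the full comparison, paste the tables above (headings and rows) into SAMPLE_ROWS or read them from a file; the parser only needs the pipe-separated layout and ignores note lines without a pipe. The lock_tightened list is the practical output: it is the set of controls that stay user-editable if you keep Balanced, and therefore the ones to lock first if you harden a copy of Balanced instead of adopting High Security outright.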

Attachments

table.xls