Symantec Endpoint Security 11.0 released

I got an email from Symantec announcing the release of Endpoint Security 11.0. Did anyone here participate in the beta and what are your thoughts on it?

 

There was something on the Symantec site that the product was to be released on Sept 27, but that must have been a "soft" opening as I have not seen any announcements in the places where commercial software releases are usually announced.

I would anticipate that the underlying technology will be very similar to NIS 2008 except that the interface will be simpler, a few of the less important features will be dropped for the sake of simplicity, and the capability for remote administration will be added. It will probably wind up on about half the desktops in Corporate America, if history is any guide.

 

I haven't been keeping up with SES 11 since NIS '08 beta went public. I was going to sign up for the SES 11 beta but changed my mind halfway through the sign up process (hence I now get Enterprise emails from Symantec).

In case someone missed it Ashishtx posted some beta screenshots here. Maybe someone will post the final screenshots in the screenshot thread.

 

I've read its very low on resources, 5-7MB and that's it. Thats not that bad actually.

 

Memory usage is only one measure of resources. One should test the effect on application speed, boot and shutdown times as well. Cnet uses MP3 and Sorrenson compression as a test. If you Google for "antivirus overhead" you can find tests done by an individual. In the case of Norton 2007, it looked better on Cnet than the individual test, which probably demonstrates how difficult this area is to evaluate.

 

I have a feeling that SEP 11 is not fully baked. There is no trial until the 1 november. I read somewhere that, memory usage is around 25mb during normal pc usage(WIN XP).

 

Here are two screen shots from the final version. Please notice that the "Task Manager" shot is from a virtual machine running Windows XP SP2 with 512mb of RAM.

The product feels solid and preforms well so far.

 

I would not go with the task manager numbers. After you remove your existing firewall and AV, check your commit charge and then check it again after installing Endpoint 11. The total is going to be a lot more than the task manager suggests. Some of the memory usage appears to have been moved to drivers and is probably showing up in kernel memory.

If you run XP in a LUA, you will not like this suite. The usual tricks to temporarily elevate to administrative don't work. You must sign on as an administrator. Facilities for dealing with multiple wireless networks are meager, requiring elevated privileges and manually checking some boxes to enable or disable file sharing and network discovery. This would not work where the policy is to lock users out of administrative privileges altogether. The designers must have envisioned setting up the wired network as trusted and the wireless network as untrusted. Not very friendly.

 

Yep, you can never tell how much ram something is using in Task Manager, there's always more used somehow, probably as Diver suggests above.. I just look at total available ram before and after an app install for a better indication of what's really going on. Nowadays many of the vendors seem to use tricks to keep the Task Manager numbers low, but all you need to do is just a quick before and after on available ram to get the real picture... Sometimes it's rather shocking...

 

Update:

This suite just rocks in Vista. The entire control panel is accessible in the Vista default mode of administrative account with UAC on. It uses about 40-50 mb more than a very lite setup (Avira Premium with Pop3 not loading, Vista firewall and Windows defender turned off). BTW, Endpoint 11 turns off Windows Defender by default.

The firewall is eerie. I doubt that it has everything white listed, but stuff runs without intervention. It must use some kind of behavioral analysis to give programs access.

 

I wonder if it has incorporated some Antibot features....

 

I've read that it fully incorporates Sygate's technology.

 

Personally i going back to Avira; i don't like it maybe it's just my impression but this is just the old Symantec Corporate Edition under a new skin nothing more, and btw even the old Sygate is present, and it FAILED ALL THE TESTS from the Firewall Leak Tester site. Below i attached all the screenshots i got.

http://www.sendspace.com/file/qrf1ci

or

http://www.filelime.com/upload/files/Symantec__Endpoint.zip

 

Actually, the old corporate edition is in there, with better memory management. The proactive protection module is all new, as is the root kit detection.

If you think protecting against outbound leaks is of paramount importance, you probably need to run Comodo ZAP or Jetico 2. I prefer to not be tinkering with my firewall all day long, and the typical computer user will be clueless every time one of these "leakproof" firewalls sends up a warning.

Besides, when was the last time you heard of outbound filtering saving the day? Its more theoretical than real.

 

Hi, I suggest you ignoring the leak test, nothing more just lead the firewall develop to heavier than ever before and let your bear the more pop ups.
this new product is the replacement for SCS, not just a new skin if you will take the change to look at it.

 

That sounds like the firewall in NIS. I did have it where I had to approve everything but decided to try out the default system control instead to observe it. I have yet to see a popup asking me if a certain program can access the net and I even tried some obscure programs such as a yEnc decoder which let it pass as well.

The only popups I get is from portscans, worms, etc.

 

Have to say that I quite like this 'suite'. Good to see the old Sygate firewall incorporated. The only thing that leaves me a little cold is the complete lack of outbound notification alerts when a program wants network access. Seems anything can access whenever it wants to. Sygate alerted whenever an application asked for network access.

I think I might use this on some of my other FD-ISR snapshots but just not sure whether to use it on my main Windows setup.

Passes everything at ShieldsUp and is fully stealthed without adjusting any settings, which I suppose a good firewall should do anyway.

If worried about leak tests then a user might need to add a HIPS to tighten things up a little.

 

Yes, they completely replaced the existing firewall with the Sygate one. You can see that from some of the menu options

 

It seems the default action for the firewall is to allow outbound. Once a program is running it is possible to go into the network activity display, right click the program and tick "block". This will put the program on the application list where custom rules may be edited. Returning the program to "allow" status does not remove it from the applications list. I could not find a way to cause the firewall to default to asking for network access on all programs. Possibly this cold be done from the management console. In any event I would expect leak test results to be less than stellar, unless other components like proactive protection are allowed to run and pick up the activity as unusual in some other way. Earlier firewall designs from Symantec incorporated definition lists of trojans and also had acces to the underlying network rules. None of that is visible in the client.

Without some testing there is no way to know if the firewall is smart enough to block "suspicious" outbound activity. Are there any Sygate users out there who know about this?

As a notebook user I am concerned that there is near continuous CPU activity with this suite. The task manager almost never hits zero and bumps up in the single digit range quite a bit, long after Vista has a chance to settle down. Even without running any tests this is certain to reduce battery life. Benchmarks with super pi indicated a slight (3%) slow down as compared to Nod32 or Avira.

 

Well, i'm trialing this 'suite' for the moment, it doesn't look bad at all (the reason i'm trying it is that i have a chance to get a valid legal licence for it through some ppl, although it's not meant to be used by individual home users....knowing right ppl is awesome ). If i like it enough, maybe i'll switch from avira free and ST, although it has to be REALLY good to persuade me.
Yaeh, i also see the constant CPU usage between 3 and 7%, although it's feather-light on my computer compared to Trendmicro 2008.
And also there's that weird firewall thingy . It seems to pass ALL applications two-way internet access (both inbound and outbound) with default settings, but it stealths the ports when not used and uses the IDS to check for bad traffic. My file sharing apps continue to work without problems, open ports 'n everything. It's probably designed that way specifically for corporate customers (imagine a secretary being asked "do you want to allow hgdgyqiyw3.exe to receive connections from internet" ), and probably can be configured othervise through the administrative console.....policies and such.
So, for the time being, i quite like it (really can't belive i said that for a symantec product! whoa!), and don't mind too much the obscure 'silent' firewall since i have a router anyways. And it sure is easier to configure, update and maintain than my favourite free combo. So maybe it'll be a keeper

 

toxical,

Its not just the secretary's. This forum is mainly inhabited by computer hobbyists who like to experiment with cutting edge security technologies. A few of them forget how much more they know than everyone else from the bosses on down.

That constant CPU usage looks like it could take some serious time of battery life on a notebook. On a desktop its not going to matter except to hard core gamers and video editing types.

I wonder if there is some way to cut down on the disk thrashing.

 

Yeah, i know that most ppl in this forum are not a handsome blond secretary who doesn't give a damn about computers (i said 'most'....who knows, maybe there are a few here ). What i did say is that this weird firewall design is probably meant to be like that, so it can be configured by more experienced users (eg tech-savy ones, or IT admins), and to take the decision making off the others. Still....this leaves a lot to be desired for someone who might use it on a non managed client machine (though one should probably get NIS in that case..).
Another thing....when i deselected the IDS features for testing purposes, i got bad results in Symantec online scan/hacker related thingy, meaning my ports were just closed, and some were open. That means that in 'normal conditions' the FW leaves all of this unblocked, and blocks ports only in case of an attack/portscan. Kind like some versions of BlackIce.
And a question: should i check the 'NetBios protection' and 'anti-MAC spoofing' options, or should i leave them unchecked (default) in the firewall settings?
Cheers!

 

I ran this one for a few days, but the cpu usage at an idle was 3-10% for me, which I didn't like at all. Also seems a little heavy in general, but I'm on an older machine so perhaps it runs better on newer hardware. Excess disk i/o seems to occur on some apps like this, not sure why, but that is another factor to consider as well. Overall, the concept is good, but I went back to Avira Suite as it just runs lighter and better on my PC...

 

Online scan? You can ignore, sygate or maybe all the wel-known firewall can stealth your port, if you behind a router, you can leave the 'NetBios protection' and 'anti-MAC spoofing' options unchecked. It is a little heavier than NIS08. The CPU usage is mainly by sygate firewall and the scan when startup or after definition update, back ground SONAR scan. Maybe you can disable the sygate Dos settings, don't log, don't scan after update, don't scan back ground, disable network pool etc

 

Did you figure out how to get the firewall to ask you before allowing an application access ?