Symantec Endpoint Protection

Discussion in 'other anti-virus software' started by cruelsister, Apr 11, 2013.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    We've had some complaints from users of SEP 12.1 that are running as unmanaged clients that Windows Start had become bogged down due to a Startup scan. If one wants to disable this scan, note that it cannot be done within the SEP interface. Not that anyone here asked, but to kill it,

    1). Open SEP
    2). Click Change Settings
    3). Click Configure Settings under Client Management
    4). Click Tamper Protection Tab
    5). Untick the Protect Symantec etc box
    6). Open Regedit
    7). Go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\General
    Change the StartupScansEnabled DWORD value to 0.
    :cool:. Go back and Tick the Protect box in Tamper Protection.
     
    Last edited by a moderator: Apr 12, 2013
  3. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Thanks Cruel Sis.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    How good is web realtime protection for unmanaged client in SEP 12.1? I used SEP 11 for a few years and its realtime protection web protection sucked.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    Itman- I totally agree with you about SEP11, and for that matter earlier versions of SEP12. Lately my opinion is changing.

    Yesterday due to a client's request I did a quick-and-dirty test of SEP12, The test was run on a clone of one of the client's production machines (sadly running XP). I managed to dig up enough discrete samples of malware from our pots to establish 2 datasets- Dataset 1 contained 30 malicious URL's (via the pots) as well as 15 Email malware links (obtained via SHEILA). Dataset 2 contained 45 malware exe's for an on-demand scan. Please note that just because these malware samples showed up yesterday did not make them new (a point lost on many YouTuber's)- just Real World. I did make sure that each set had 1 sample of Ransomware- for both samples although the exe was fresh, the payload was known.

    Results:

    Dataset 1- The URL's were followed in all cases with IE8. SONAR detected all samples except the Ransomware piece. However in this case the payload was detected and quarantined.

    Dataset 2- Out of the 45 samples, an on demand scan missed 14 (~69% detection- Yikes!!). I ran the remaining 14 (including the undetected Ransomware). 12 were unable to change the system and were eventually quarantined. One sample did spew out a daughter which took up residence in App data but without a mechanism to call it forth. The Ransomware sample did hit me with a FBI screenlock after run, but surprisingly enough on reboot there was a SEP malware clean routine that occurred prior to load Windows that totally cleaned it up.

    Moral of the story- I used 90 probably not new samples (WowieZowie). But even so I couldn't criticize how SEP12 performed (even though I wanted to).

    Whenever I get a chance I will see how it performs on Windows 8 with Early Launch coming into play. But as I am so biased in favor of Win8 with regard to malware prevention I wonder if I can trust myself to do the test; but I guess that's why God created employees.
     
  6. er34

    er34 Guest

    The web/internet protection is fine. It consists of IPS system which blocks bad sites/IPs - this is may be Symatec's first defense layer. Then there is SafeWeb site reputation, then they have Download Insight - this all related about web protection in version 12 / 12.1 , etc... Let's add SONAR, signature and heuristic detection (they are not directly web-related), Microsoft technologies (SmartScreen and many others, though). Overall you should be fine.
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    SafeWeb is actually only found on Norton products, not on SEP. Also, Download Insight on SEP kicks in after SONAR has reacted to the potential threat, so it just will pop up with "only x users have downloaded this file" or some such nonsense.
     
  8. er34

    er34 Guest

    SafeWeb is also available for free for everybody who wants and can use it :)


    SONAR can react only when a file has been executed. Download Insight pops-up everythime a file is downloaded from the Internet (e.g. via a browser). So Download Insight generally pops-up first.

    You might be describing a case where you actually run a sample (without saving it first) , SONAR was fast to react and stop it and for some reason there was a delay in the Download Insight notification. This is non-typical issue and not how the software generally works.
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    Hi er- Sorry if I misunderstood, but it seemed that you wrote that SafeWeb was an intrinsic part of SEP, which it is not.

    On my SEP setup, when downloading malicious code, in all instances SONAR will pop up first (if the sample is detected) and will act on it. After that occurs DI will appear (sometimes). But the only reason this happens on my test system is that I have DI set at a very low level- necessary as the Client, a developer deals in custom code this rendering DI (for them) nothing but an annoyance. Sorry if I wasn't clear on this.
     
  10. Vladimyr

    Vladimyr Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    461
    Location:
    Australia
    Thanks. No-one has complained yet but this is definitely worth knowing.
     
  11. er34

    er34 Guest

    Hi sis,

    no problem :thumb:
     
Loading...
Thread Status:
Not open for further replies.