How Does Symantec Endpoint Protection Work?

Introduction to Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) is an extensive security solution that protects endpoints of all kinds, including physical desktops, virtual servers and laptops. SEP’s power comes not only from its deep threat intelligence, but also from the depth of features it gives IT administrators to protect their endpoints. It is true that with great power comes greater complexity; however, properly deploying Symantec Endpoint Protection reduces this vast amount of protection to five easy-to-execute steps.

During installation, Symantec Endpoint Protection deploys on every endpoint through a series of preconfigured policies which define what settings are applied at install time. Each policy contains configuration items (CIs), which are the building blocks for layering settings. In other words, a policy is a collection of CIs that describes what security should be applied on a given endpoint while complying with the standards and settings defined by the IT administrator.

Working of Symantec Endpoint Protection

The working of Symantec Endpoint Protection is built on CIs, the building blocks for layering settings. In other words, a policy is a collection of CIs that describes what security should be applied on a given endpoint while complying with the standards and settings defined by the IT administrator. For SEP 11 and higher, this process is executed when the “Default” policy is received from the Policy Manager Server (PMS).

Here we’ll go over each step:

Step 1: SEP connects to the Management Console:

During installation, SEP connects to a Symantec management console, which is primarily used for pushing out patches and software updates. If a connection cannot be made during install because of incorrect hostname/IP information or firewall rules, SEP will retry every 5 minutes until it succeeds.

Step 2: Read policy from PM Server:

After successfully connecting to the management console, SEP downloads its appropriate default policy from the Policy Manager server. The deployed policy contains all CIs needed for endpoint protection. In particular, this step executes the <Gina CA> (First boot) CIs on the endpoint, which are responsible for the immediate deployment of some initial configuration settings following the reboot after installation, and the <Gina-Settings> (Apply Gina Settings) CIs, which apply more granular configuration settings during the policy refresh interval.

Step 3: Policy Update Schedule:

The policy update schedule is the recurring interval at which SEP connects to the Symantec Management Console to retrieve new CIs for both scheduled and newly detected threats. This connection is used to download daily definition updates from the Symantec servers, scan engine updates and new metadata files containing information about new or updated viruses, spyware and potentially unwanted applications. In addition, SEP uses this connection to check for policies on a regular basis while enforcing compliance checks on endpoint computers by scanning them against one or more preconfigured policy baselines.

Define the “Policy update schedule” CI:

This CI sets the recurring interval described above, i.e. how often SEP connects to the Symantec Management Console for new CIs, definition updates, scan engine updates and metadata files, and how often it checks for policies and enforces compliance checks against the preconfigured policy baselines. The default value of this setting is 22 hours/days; however, it can be configured as desired depending upon the internal network and external patching schedule.

The policy update interval must be smaller than or equal to the policy download interval from the Symantec Management Console. If this rule is not met, a warning message is displayed on the first scheduled scan after the setting is changed; fix or reconfigure the interval accordingly.

To configure it, go to:

Policies > Compliance Settings > Updates > General tab > Definition Update Interval (Hours)

Step 4: Enforcing compliance checks on endpoint computers by scanning them against one or more preconfigured policy baselines:

Compliance Settings defines four main policies that must be checked and enforced on a daily basis. These are as follows:

File System Protection –

All anti-virus related CIs within the policy that manage file system protection (the “File System CI”) must be enabled and applied to all endpoints where SEP is deployed. This includes all active scanning, real-time monitoring, scheduled scan and archive offline scanning configurations. It also ensures that the correct registry keys for those settings exist on those same computers.

Device Control –

Controls whether or not users can move from one computer to another while still maintaining their applications and other endpoint-specific data such as bookmarks and history. This feature must be enabled and applied to all endpoints where SEP is installed.

Email Scanning –

If required, SEP can be configured to scan all incoming and outgoing email traffic on your network for viruses and other malicious code. When you enable this setting, it enables all of the relevant scanning settings within the policy, depending upon how you configure it.
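To make the two checks above concrete (the interval rule from Step 3 and the per-endpoint baseline from Step 4), here is an added, self-contained example of a baseline checker; it is not SEP's own code or policy format, and the Endpoint/Baseline structures, CI names and sample fleet are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed CI names, taken from the headings in Step 4; not SEP's real identifiers.
FILE_SYSTEM_CI = "File System Protection"
DEVICE_CONTROL_CI = "Device Control"
EMAIL_SCANNING_CI = "Email Scanning"


@dataclass
class Baseline:
    """Preconfigured policy baseline an endpoint is scanned against (assumed structure)."""
    required_cis: tuple = (FILE_SYSTEM_CI, DEVICE_CONTROL_CI)
    email_scanning_required: bool = False  # "If required" in the article, so optional here
    download_interval_hours: int = 22      # policy download interval from the console (assumed)


@dataclass
class Endpoint:
    name: str
    enabled_cis: set = field(default_factory=set)
    policy_update_hours: int = 22  # "Policy update schedule" CI; article's default


def check_update_schedule(ep: Endpoint, baseline: Baseline) -> list:
    """Step 3 rule: policy update interval must be <= the download interval."""
    if ep.policy_update_hours > baseline.download_interval_hours:
        return [f"policy update interval {ep.policy_update_hours}h exceeds "
                f"download interval {baseline.download_interval_hours}h; reconfigure"]
    return []


def check_baseline(ep: Endpoint, baseline: Baseline) -> list:
    """Step 4: every required CI must be enabled; returns a list of findings."""
    required = list(baseline.required_cis)
    if baseline.email_scanning_required:
        required.append(EMAIL_SCANNING_CI)
    findings = [f"{ci} CI not enabled" for ci in required if ci not in ep.enabled_cis]
    findings.extend(check_update_schedule(ep, baseline))
    return findings


def scan_fleet(endpoints: list, baseline: Baseline) -> dict:
    """Map endpoint name -> findings; an empty list means the endpoint is compliant."""
    return {ep.name: check_baseline(ep, baseline) for ep in endpoints}


# Constructed sample fleet: ws-01 is compliant, ws-02 has two deviations.
SAMPLE_BASELINE = Baseline(email_scanning_required=True)
SAMPLE_FLEET = [
    Endpoint("ws-01", {FILE_SYSTEM_CI, DEVICE_CONTROL_CI, EMAIL_SCANNING_CI}),
    Endpoint("ws-02", {FILE_SYSTEM_CI, EMAIL_SCANNING_CI}, policy_update_hours=24),
]
```

Running `scan_fleet(SAMPLE_FLEET, SAMPLE_BASELINE)` reports nothing for ws-01 and, for ws-02, a missing Device Control CI and an update interval that exceeds the download interval.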

Conclusion

Today, Symantec Endpoint Protection provides one of the most comprehensive suites of endpoint security and data protection capabilities on the market. However, ensuring that all functions are enabled and configured correctly must be done during the deployment planning phase as well as through ongoing management after SEP is installed on client computers. The installation itself only creates the policies and rules that will be used to protect a computer system.

Checks must also be performed regularly to ensure all settings are being enforced correctly on a daily basis. This is where proper tools for ongoing management, such as the Symantec Endpoint Protection Management Console, can help simplify these tasks, optimize performance and realize the full benefits of your investment in Symantec Endpoint Protection.