This article describes the tools that are included with Symantec Endpoint Protection and what you use the tools for.
The following tools and documentation are located in the \Tools folder of the Symantec Endpoint Protection installation file that you download from MySymantec.
This tool sets up the Apache webserver in Symantec Endpoint Protection Manager to allow Mac clients and Linux clients to download LiveUpdate content through the web server. The Apache webserver works with the Symantec Endpoint Protection Manager to download and cache the LiveUpdate content for Mac and Linux clients locally whenever new content is published.
This tool is appropriate for networks with a smaller number of clients.
Symantec Endpoint Protection can automatically forward the quarantine packages that contain the infected files and related side effects from a local quarantine to the Central Quarantine. You can gather forensic information more easily by using Central Quarantine. This tool lets you retrieve a sample from an infected computer without having to directly access that computer.
Use the Quarantine Server in a Symantec Endpoint Protection environment in the following cases:
To receive suspected threat samples from Symantec Endpoint Protection clients.
To submit these samples to Security Response automatically.
To download the rapid release definitions that are specific to the suspected threats that have been submitted only to the Quarantine Server. These definitions are not pushed to the Symantec Endpoint Protection clients from which the threat originated.
For more information, see: Best Practices for using Quarantine Server in a Symantec Endpoint Protection environment
CleanWipe uninstalls the Symantec Endpoint Protection product. Only use CleanWipe as a last resort after you have unsuccessfully tried other uninstallation methods, such as the Windows Control Panel.
You can also find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
The ContentDistributionMonitor tool helps you manage and monitor multiple Group Update Providers (GUPs) in your environment. The tool presents a graphical display of the GUPs' health and content distribution status.
In 12.1.6 and earlier, ContentDistributionMonitor was named SEPMMonitor. In 12.1.5 and earlier, ContentDistributionMonitor was in the
Deception is used to detect adversary activity at the endpoint using "deceptors." The underlying assumption with this approach is that the attacker has already breached the primary defenses of the network and performs reconnaissance in the environment. The attacker looks to find critical assets, like a domain controller or database credentials.
DeviceInfo (for Mac; as of version 14) and DevViewer (for Windows) obtain the device vendor, model, or serial number for a specific device. You add this information to the Hardware Devices list. You can then add the device ID to a Device Control policy to allow or block a device on client computers.
As of version 14, the Integration folder was renamed to
The IT Analytics software expands the built-in reporting that Symantec Endpoint Protection offers by enabling you to create custom reports and custom queries. It brings multi-dimensional analysis and graphical reporting features from the data that is contained within the Symantec Endpoint Protection Manager databases. This functionality allows you to explore data on your own, without advanced knowledge of databases or third-party reporting tools.
The JAWS screen reader program and a set of scripts make it easier to read the Symantec Endpoint Protection menus and dialogs. JAWS is an assistive technology that provides compliance with Section 508 product accessibility.
Symantec LiveUpdate Administrator is a standalone web application that is separate from Symantec Endpoint Protection. LiveUpdate Administrator mirrors the content of the public LiveUpdate servers and then offers the content to Symantec products internally through a built-in web server.
LiveUpdate Administrator is an optional component for Symantec Endpoint Protection and is not required to update the Symantec Endpoint Protection clients. By default, the Symantec Endpoint Protection Manager uses the LiveUpdate technology rather than LiveUpdate Administrator to download contents directly from the Symantec public LiveUpdate servers.
You may want to use LiveUpdate Administrator in some circumstances. For example, you may need to download content to a large number of non-Windows clients, or to clients whose Symantec Endpoint Protection Manager cannot download the content. In those cases, you can install a LiveUpdate Administrator server and then configure the Symantec Endpoint Protection Manager to download from it.
To download LiveUpdate Administrator and the documentation, see: Download LiveUpdate Administrator (LUA)
MoveClient is a Visual Basic script that moves clients from one Symantec Endpoint Protection Manager group to another group based on the client's host name, user name, IP address, or operating system. It also can switch clients from user mode to computer mode and vice versa.
Qextract extracts and restores files from the client's local quarantine. You might need this tool if the client quarantines a file that you determine is a false positive.
SEPprep is an unsupported tool that uninstalls competitors' antivirus products automatically. SEPprep also uninstalls Symantec Norton™ products if you want to migrate from Norton to Symantec Endpoint Protection.
You can package SEPprep in a script that uninstalls the competitor's product and then launches the Symantec Endpoint Protection installer automatically and silently.
Instead of SEPprep, use the Client Deployment Wizard to uninstall competitors' products. On the Client Install Settings tab in the wizard, click Automatically uninstall existing third-party security software.
For a list of products that the Client Deployment Wizard uninstalls, see:
SEPprep does not uninstall any Symantec products. However, as of version 14, CleanWipe is built into the Client Deployment Wizard to remove other Symantec products, including the Symantec Endpoint Protection client.
This tool scans and detects threats in offline VMware virtual disks (.vmdk files).
You use the Push Deployment Wizard to deploy the Symantec Endpoint Protection client installation package to target computers. Push Deployment Wizard is the same as the Client Deployment Wizard in Symantec Endpoint Protection Manager. You typically use it to deploy to smaller groups of computers or remote computers.
For more information, see: Overview of the Push Deployment Wizard in Symantec Endpoint Protection
The Symantec Endpoint Integration Component (SEPIC) combines Symantec Endpoint Protection with other Symantec Management Platform solutions using a single, web-based Symantec Management Console. You use SEPIC to inventory computers, update patches, deliver software, and deploy new computers. You can also back up and restore your systems and data, manage DLP agents, and manage Symantec Endpoint Protection clients.
The Sylink.xml file includes communication settings between the Windows client or Mac client and a Symantec Endpoint Protection Manager. If the clients have lost the communication with Symantec Endpoint Protection Manager, use the SylinkDrop tool to automatically replace the existing Sylink.xml file with a new Sylink.xml file on the client computer.
Replacing the Sylink.xml file does the following tasks:
Converts an unmanaged client to a managed client.
Migrates or moves clients to a new domain or management server.
Repairs client communication breakages that cannot be corrected on the management server.
Moves a client from one server to another server that is not a replication partner.
Moves a client from one domain to another.
This tool is also available for Windows clients only; it is located in the following location (64-bit):
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
As of version 14, the SymHelp tool was renamed to Symantec Diagnostic (SymDiag).
SymDiag is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
SymDiag also provides licensing and maintenance status for some Symantec products as well as the Threat Analysis Scan, which helps to find potential malware.
The virtualization tools improve scan performance for the clients that are installed in virtual desktop infrastructure (VDI) environments.
SecurityVirtualAppliance (12.1.6 and earlier)
The Symantec Security Virtual Appliance contains the vShield-enabled Shared Insight Cache for VMware vShield infrastructures.
The Shared Insight Cache tool improves scan performance in virtualized environments by not scanning the files that a Symantec Endpoint Protection client has determined are clean. When the client scans a file for threats and determines it is clean, the client submits information about the file to Shared Insight Cache.
When another client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache.
Shared Insight Cache is a web service that runs independently of the client. However, Symantec Endpoint Protection must be configured to specify the location of Shared Insight Cache so that the clients can communicate with it. Shared Insight Cache communicates with the clients through HTTP or HTTPS. The client's HTTP connection is maintained until the scan is finished.
Virtual Image Exception
To increase performance and security in a VDI environment, a common practice is to leverage base images to build virtual machine sessions as needed. The Symantec Virtual Image Exception tool lets Symantec Endpoint Protection clients bypass scanning base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in a VDI environment.
In 12.1.6 and earlier, this tool is located in the \Tools\Integration folder.
Symantec Endpoint Protection includes a set of public APIs in the form of web services to provide support for remote monitoring and management (RMM) applications. The web services provide functions on the client and on the management server. All calls to Symantec Endpoint Protection web services are authenticated using OAuth and allow access only by authorized Symantec Endpoint Protection administrators. Developers use these APIs to integrate their company's third-party network security solution with the Symantec Endpoint Protection management server and client.
Provides support for remote management and remote monitoring. Remote management is provided by means of public APIs in the form of web services that let you integrate your third-party solution or custom console with basic client and management server functionality. Remote monitoring is provided by means of publicly supported registry keys and Windows event logging.
Web services for remote management can do the following tasks:
Reports the license status and content status on the management server by web service calls, in addition to reporting the license status to the Windows Event Log.
Issues commands to the client, such as Update, Update and Scan, and Restart.
Manages the policies that are delivered to the client. Policies can be imported from another management server, and they can be assigned to groups or locations at another management server.
The following tools are installed with the Symantec Endpoint Protection Manager in the following default location:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
CollectLog.cmd places the Symantec Endpoint Protection Manager logs in a compressed .zip file. You send the .zip file to Symantec Support or another administrator for troubleshooting purposes.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
You use dbvalidator.bat to help Support diagnose a problem with the database that Symantec Endpoint Protection Manager uses.
You find this tool in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager communicates with the Microsoft SQL Server over an encrypted channel by default. This tool lets you disable or enable TLS encryption of the communication between the management server and the Microsoft SQL Server. As of version 14, it can be used with management server installations that are configured to use the Microsoft SQL Server database.
This tool is installed with Symantec Endpoint Protection Manager in the following location (64-bit): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
Symantec Endpoint Protection Manager includes a set of REST APIs that connect to and perform Symantec Endpoint Protection Manager operations from Endpoint Detection and Response (EDR). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. The documentation is located in the following places:
On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server:
The IP address can be IPv4 or IPv6. You must enclose an IPv6 address in square brackets: http://[SEPMServer]:port number
14.2 RU1, 14.2 MP1, 14.2, 14.0.1 MP2, 14.0.1 MP1, 14.0.1, 14.0.0 MP2, 14 MP1, 14, 12.1 RU6 MP8, 12.1 RU6 MP7, 12.1 RU6 MP6, 12.1 RU6 MP5, 12.1 RU6 MP4, 12.1 RU6 MP3, 12.1 RU6 MP2, 12.1 RU6 MP1, 12.1 RU6, 12.1 RU5, 12.1 RU4, 12.1 RU3, 12.1 RU2