For a feature tour, see: Symantec Endpoint Protection 14 Product Tour
Intelligent Threat Cloud Service for client installation packages (Windows)
Version 14 includes three new sizes of client installation packages, based on which set of virus definitions they include:
Standard client: Designed for typical installations where clients have access to the cloud or the clients are version 12.1.6 and earlier. The standard client is 80% to 90% smaller than a dark network client installation package and includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
Embedded client or VDI client: The embedded client replaces the reduced-size client that was introduced in version 12.1.6. The embedded client is smaller than the standard client and also includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
Dark network client: Installs a full set of virus definitions and keeps the definitions locally rather than accessing them from the cloud. Use this client installation package if the client computers are in networks with no access to the cloud.
Generic Exploit Mitigation (Windows)
Generic Exploit Mitigation prevents common vulnerability attacks in typical software applications. Generic Exploit Mitigation installs with intrusion prevention and includes the following types of protection: Java exploit prevention, heap spray mitigation, and structured exception handling overwrite protection (SEHOP). The protections apply to the specific applications that are listed in the Intrusion Prevention policy. Symantec Endpoint Protection downloads the application list as part of its LiveUpdate content. To see the list of applications, open an Intrusion Prevention policy and then click Generic Exploit Mitigation.
Enable Suspicious Behavior Detection option (Windows)
Suspicious behavior detection can now be enabled or disabled independently of SONAR, so behavior policy enforcement for applications can stay on while SONAR scoring is off.
Scan files on remote computers option (Windows, Linux)
You can disable the option for SONAR or Auto-Protect to scan files on computers on other networks. Disabling this option improves performance, but you should keep it enabled: SONAR looks for worms such as Sality, which infects network drives. If Auto-Protect scanning of all remote files reduces the client computer's performance, enable the Only when files are executed option instead of turning remote scanning off. To access these options, click Policies > Virus and Spyware Protection policy > SONAR or Auto-Protect.
Virus scan logic moved to Auto-Protect user mode
Auto-Protect user mode reduces kernel memory usage and improves system health. Because the scan logic no longer runs in the kernel, a crash in this component, which is rare, does not blue screen the computer, and the computer is recoverable.
Emulator for packed malware
For Auto-Protect and virus scans, a new emulator improves scan performance and effectiveness by at least 10 percent. This anti-evasion technique addresses packed malware obfuscation techniques and detects the malware that is hidden inside custom packers.
Advanced Machine Learning (AML) on the endpoint for improved static detections
This new endpoint-based machine learning engine can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown. The AML engine works with the Symantec real-time cloud-based threat intelligence to provide best-in-class protection with low false positives.
Insight Lookup (Windows)
You can still enable or disable Insight Lookup for version 14 and legacy 12.1.x clients, but you cannot set the sensitivity level or action settings. Instead, Insight Lookup uses internal settings to optimize the scan because Download Insight detections are now completely handled by real-time protection. The new Enable Insight Lookup option on the Scan Details tab replaces the Insight Lookup tab in version 12.1.x. Open a Virus and Spyware Protection policy > Administrator-Defined Scans, choose either scheduled scans or on-demand scans, and then click Scan Details.
On standard and embedded/VDI clients, Insight Lookup now allows Auto-Protect, scheduled scans, and manual scans to look up both file reputation information and definitions in the cloud. However, the dark network clients include the full set of definitions and do not use Insight Lookup. You enable Insight Lookup in the Clients > Policies tab > External Communications > Submissions tab.
Scheduled and on-demand scans support the %systemdrive% and %userprofile% variables (Windows)
These scans let you select specific folders to be scanned rather than scanning all the files on the Windows client computer. The %systemdrive% variable indicates the location where the Windows operating system is installed. The %userprofile% variable corresponds to the user profile folders for the users who are logged on. You can also exclude these folders from being scanned by using an Exceptions policy.
Reports display an application's hash value you can use to block applications
You can use the hash value instead of an application's name to add to the policies that block applications. The hash value is unique whereas an application name may not be. To find the hash value, look in the Hash Type / Application Hash column in the following reports:
Risk reports: Infected and At Risk Computers; Download Risk Distributions; SONAR Detection Results; SONAR Threat Distribution; Symantec Endpoint Protection Daily Status Report; and Symantec Endpoint Protection Weekly Status Report
To view the Risk reports, click Reports > Quick Reports > Risk.
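The report's hash value is only useful if you confirm it against the binary you intend to block. The following added example (not Symantec's code) computes digests for files under a folder and finds every file whose digest matches a value copied from the report, regardless of file name. The assumption is that the report's hash type is SHA-256 (MD5 is computed alongside for comparison); the two setup.exe files are constructed samples.

```python
"""Added example (not Symantec's code): match a hash from a report to files on disk.

The SEP 14 reports show a Hash Type / Application Hash column. The hash type is
assumed to be SHA-256 here; MD5 is computed alongside for comparison. Only the
standard library is used, so this runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_hashes(path):
    """Return {'SHA-256': hex, 'MD5': hex} for one file, streamed in 64 KiB chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"SHA-256": sha256.hexdigest(), "MD5": md5.hexdigest()}


def find_by_hash(root, report_hash, hash_type="SHA-256"):
    """Walk `root` and return every file whose digest equals the report value.

    The comparison is case-insensitive because consoles differ in hex casing.
    The file name is deliberately ignored: a name can be reused by a different
    binary, the digest cannot (short of a collision attack).
    """
    wanted = report_hash.strip().lower()
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if file_hashes(candidate)[hash_type] == wanted:
                matches.append(candidate)
    return sorted(matches)


def demo():
    """Two constructed files both named setup.exe: same name, different hashes."""
    root = Path(tempfile.mkdtemp())
    good = root / "vendor" / "setup.exe"
    bad = root / "downloads" / "setup.exe"
    good.parent.mkdir()
    bad.parent.mkdir()
    good.write_bytes(b"MZ legitimate installer (constructed sample)")
    bad.write_bytes(b"MZ lookalike dropper (constructed sample)")
    # The value as it would appear in the report (consoles often show upper-case hex).
    report_hash = file_hashes(bad)["SHA-256"].upper()
    return {
        "same_name": good.name == bad.name,
        "same_hash": file_hashes(good)["SHA-256"] == file_hashes(bad)["SHA-256"],
        "matched": [p.relative_to(root).as_posix() for p in find_by_hash(root, report_hash)],
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the folder where the detection occurred; if more than one path comes back, the same binary exists in several places, which is what a hash-based block entry is for.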
Home page > Activity Summary link
Client submissions and server data collection
You can enable Symantec Endpoint Protection to send information about detected threats and your network configuration to Symantec. Symantec uses this information for additional analysis and to improve the security features in the product.
Version 14 has several new types of client submissions that you can enable. You access these options by clicking Clients > Policies tab > External Communications > Submissions tab > More options.
The previously existing submission types are automatically submitted with the Send anonymous data to Symantec to receive enhanced threat protection intelligence option. In 12.1.6.x and earlier, this option was labeled Let computers automatically forward selected anonymous security information to Symantec.
You use the new Send client-identifiable data to Symantec for custom analysis option if you participate in a Symantec-sponsored program to get recommendations specific to your security network.
For server data collection, the Yes, I would like to help optimize Symantec's endpoint security solutions by submitting anonymous system and usage information to Symantec option is now labeled Send anonymous data to Symantec to receive enhanced threat protection intelligence. You access this option on the Admin > Servers > Edit Site Properties > Data Collection tab.
LiveUpdate downloads new types of content
Symantec Endpoint Protection Manager downloads additional types of content from LiveUpdate servers:
Client security patches
Endpoint Detection and Response: Definitions that the Endpoint Detection and Response (EDR) component uses to detect and investigate suspicious activities and issues on hosts and endpoints.
Common Network Transport Library and Configuration: Definitions that the entire product uses to achieve network transportation and telemetry.
Symantec Endpoint Protection includes the following additional support:
Table: Additional system requirements
Symantec Endpoint Protection Manager:
SQL Server 2014 SP2
For the Symantec Endpoint Protection Manager web console and Help:
For Browser Intrusion Prevention, see: Supported browsers for Browser Intrusion Prevention in Endpoint Protection
DVD installation screen
The DVD installation screen is simpler with fewer screens:
You can install Symantec Endpoint Protection Manager from the first screen rather than a later screen.
You can link to the Quick Start Guide, which describes how to deploy 500 or fewer clients with the default installation.
Management Server Installation Wizard
The installation wizard now displays the available hard drive space for local drives, but not the hard disk space for USB thumb drives or disc drives. The wizard does not let you install the management server unless the computer meets the minimum system requirements. The installation proceeds if the computer meets the recommended system requirements. The recommended minimum hard drive space the management server needs on a system drive is 40 GB. On an alternative drive, the management server needs 15 GB (system drive) and 25 GB (installation drive).
For more information on hard drive space requirements, see:
Symantec Endpoint Protection Manager installs with the HTTPS protocol
When you install Symantec Endpoint Protection Manager for the first time, it uses the HTTPS protocol by default to communicate between the management server and the clients. If you upgrade from an earlier version, Symantec Endpoint Protection Manager retains the protocol from the earlier version. For the upgrades that use HTTP, you can create a new management server list that uses HTTPS and switch to the list in the Communications Settings dialog box.
Management Server Configuration Wizard
Changed the default installation from 100 clients or fewer to 500 clients or fewer.
Merged the administrator's email address and test email screens into one screen, and improved the workflow for testing the administrator's email address.
Includes an option to support TLS communication with the mail server, Prepare the server to use a secure connection. You also configure TLS communication in the Server Properties dialog box. In earlier versions, only SSL was available. In addition, you can test the mail server connection at any time instead of during installation only.
The Run LiveUpdate screen and partner information is merged into one screen.
Removed the default configuration settings confirmation page. These details are now written to the SEPMConfigurationSettings.txt file, which is located in the <SEPM installation folder>\tomcat\etc folder. When you upgrade from previous releases, Symantec Endpoint Protection Manager creates this text file.
While you wait for the installation wizard to create the embedded database, a progress bar shows how far the installation has progressed.
Reset the embedded database password
If you forget or want to change the embedded database password, run the Management Server Configuration Wizard and reconfigure the management server. On the Windows Start menu, click All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Management Server Configuration Wizard.
New user interface
Symantec Endpoint Protection Manager now has an updated cloud look and feel with new icons and fonts. For example:
The client status icons changed.
Inherited firewall rules are italicized instead of shaded purple.
The name of the Welcome page changed to the Getting Started page.
The Getting Started page displays a list of required tasks to perform before you install for the first time or upgrade:
Run LiveUpdate now: LiveUpdate has run on Symantec Endpoint Protection Manager and downloaded at least one set of valid virus definitions. Or, LiveUpdate has connected to a Symantec Endpoint Protection client and downloaded at least one set of valid virus definitions.
Activate your product: The license needs to be valid and cannot be over-deployed, a trial or upgrade license, invalid, or expired.
Install the client software on your computers: At least one Symantec Endpoint Protection client needs to be connected to the management server. The Home page > Security Status pane also indicates whether or not a minimum of one client is installed.
The Getting Started page reappears until all the required tasks are completed. Then a Do not show this page again check box appears at the bottom of the screen. You can redisplay the Getting Started page in the Help menu.
Client Deployment Wizard
The Client Deployment Wizard has the following upgrades to make it easier to install the clients:
The command to open the Client Deployment Wizard has changed from Add a client to Install a client. You access the wizard by clicking either the Clients pane > Tasks, or by clicking the Help menu > Getting Started > Required tasks > Install the client software on your computers.
The Client Install Settings dialog box has the following new options:
Remove existing Symantec Endpoint Protection client software that cannot be uninstalled uninstalls an existing Symantec Endpoint Protection client when other installation methods do not work. Only use this feature to remove corrupted or malfunctioning installations of the Symantec Endpoint Protection client.
Do not uninstall existing security software is the default setting, which you use if you do not need to uninstall any security software from the client computer.
The wizard uninstalls more third-party security products.
You access these options either through the Client Deployment Wizard or through the Admin > Install Packages > Client Install Settings dialog box.
In the Select Group and Install Feature Sets pane of the wizard, the Include all content in the client installation package option has changed to Include virus definitions in the client installation package. The meaning of the check box is clearer. This option is in the Admin > Install Packages > Export a Client Install Package dialog box. This option replaced the Select option.
Preferred mode options removed
The preferred mode options have been removed because the wizard installs the clients in computer mode by default. You can change the mode to user mode, but Symantec recommends that you continue to use computer mode.
Custom replication schedule
You can now run replication multiple times a day, which improves the timeliness of reporting without causing deadlocks on Symantec Endpoint Protection Manager. Previously, the replication schedule ran either once an hour or once a day, which was either too often or too infrequent. For some companies, security and customer reporting requirements mean that daily replication is not enough. For companies with large network environments, hourly replication between dedicated management servers might be too often and might not complete before the next replication period starts.
Subnet mask for explicit Group Update Providers
In the LiveUpdate Settings policy, you can now reduce the number of explicit Group Update Provider entries by adding a client subnet mask. The subnet mask lets you add a larger subnet that encompasses multiple subnets, reducing the number of explicit entries from thousands to a few. In previous releases, you had to manually add the IP address for each client to be sure that the explicit GUP entry was applied to that client. For example, rather than having to enter both the 192.168.1.0 and 192.168.2.0 subnets, you can add the 192.168.0.0 subnet with the 255.255.0.0 subnet mask. Check that the wider mask does not also cover subnets you did not intend to point at that GUP.
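The following added example (not Symantec's code) models the subnet-mask matching described above so you can check, before editing the policy, which clients a summarised entry will catch. The entry layout (client subnet, mask, GUP address) and the rule "a client uses the GUPs whose entry covers its address" are assumptions for illustration; the address arithmetic is plain IPv4, and the client addresses are constructed samples.

```python
"""Added example (not Symantec's code): which explicit GUP entries apply to a client?

An explicit Group Update Provider entry is modelled as
(client subnet, subnet mask, GUP address); this layout is an assumption.
"""
import ipaddress


def entry_network(client_subnet, mask):
    """Network covered by an entry, e.g. 192.168.0.0 + 255.255.0.0 -> 192.168.0.0/16."""
    return ipaddress.ip_network(f"{client_subnet}/{mask}", strict=False)


def applicable_gups(entries, client_ip):
    """GUP addresses of every entry whose network contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [gup for subnet, mask, gup in entries if ip in entry_network(subnet, mask)]


def coverage(entries, client_ips):
    """Map each client to the GUPs that apply; an empty list means no entry matches."""
    return {ip: applicable_gups(entries, ip) for ip in client_ips}


# Constructed sample: the pre-14 way (one entry per /24) and the version-14 way (one /16).
PER_SUBNET = [
    ("192.168.1.0", "255.255.255.0", "10.0.0.5"),
    ("192.168.2.0", "255.255.255.0", "10.0.0.5"),
]
SUMMARISED = [
    ("192.168.0.0", "255.255.0.0", "10.0.0.5"),
]
CLIENTS = ["192.168.1.20", "192.168.2.200", "192.168.77.3", "192.169.1.1"]

if __name__ == "__main__":
    for label, entries in (("per-subnet", PER_SUBNET), ("summarised", SUMMARISED)):
        print(f"{label} ({len(entries)} entries): {coverage(entries, CLIENTS)}")
```

Note the side effect the output makes visible: the single 192.168.0.0/255.255.0.0 entry also matches 192.168.77.3, which the two per-subnet entries did not. A wider mask trades fewer entries for less precision, so pick the mask that covers exactly the client ranges the GUP should serve.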
You can read the latest news about Symantec Endpoint Protection by clicking the Latest News link on any main console page, which opens the Endpoint Protection Notifications webpage. A bell icon appears whenever there is new news or alerts on the webpage. After you open the webpage, the bell icon disappears. In previous versions you had to manually and repeatedly check the Symantec Endpoint Protection Support page for information.
TLS 1.2 communication
Communication between management servers, and between the management server and clients, now uses TLS 1.2 instead of SSL and earlier versions of TLS.
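Both the HTTPS default described under "Symantec Endpoint Protection Manager installs with the HTTPS protocol" and the TLS 1.2 change above are worth verifying from the outside after an upgrade. The following added example (not Symantec's code) attempts a handshake against a listener with each of TLS 1.0, 1.1 and 1.2 pinned in turn and reports a verdict. The host name and port are assumptions to replace with your own. One caveat: Python can only offer the versions its OpenSSL build still supports, so a handshake failure can come from your own side; when the probe reports an old version as "rejected", confirm with a second tool before concluding the server refused it.

```python
"""Added example (not Symantec's code): which TLS versions does a listener accept?

Host and port are assumptions. Python's ssl module can only negotiate the
versions its OpenSSL build allows; a version reported "unavailable" was not
tested, which is different from "rejected".
"""
import socket
import ssl

VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, timeout=5.0):
    """Return {'TLS1.0': 'accepted'|'rejected'|'unavailable'|'error: ...', ...}."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # we are testing the protocol, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Modern OpenSSL builds refuse old versions at the default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = "unavailable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = "accepted" if tls.version() else "rejected"
        except ssl.SSLError:
            results[name] = "rejected"
        except OSError as exc:
            results[name] = f"error: {exc.__class__.__name__}"
    return results


def verdict(results):
    """PASS only if TLS 1.2 is accepted and no older version was accepted."""
    if results.get("TLS1.2") != "accepted":
        return "FAIL: TLS 1.2 not accepted"
    old = [v for v in ("TLS1.0", "TLS1.1") if results.get(v) == "accepted"]
    if old:
        return "FAIL: legacy versions accepted: " + ", ".join(old)
    untested = [v for v in ("TLS1.0", "TLS1.1") if results.get(v) == "unavailable"]
    if untested:
        return "PASS (not tested locally: " + ", ".join(untested) + ")"
    return "PASS"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sepm.example.com"  # assumed name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443  # assumed port
    findings = probe(host, port)
    print(findings)
    print(verdict(findings))
```

Run it against the port your management server list uses for client communication and against the console port; a "FAIL: legacy versions accepted" result on an upgraded site usually means the old HTTP-era management server list is still in use and the switch described above has not been made.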
The overview page for an administrator account displays the following options:
Password Verification Attempt Threshold displays the number of logon attempts administrators can make with an invalid password before Symantec Endpoint Protection Manager locks them out.
Failed Password Verification Attempts displays the number of failed logon attempts an administrator made.
The Test Account option on the Authentication tab has changed to Check Account. This option checks whether the administrator account name exists in the connected Active Directory server or the LDAP server.
The Advanced Settings link has changed to Additional Settings on the Monitors page > Logs tab and Reports page > Quick Reports tab.
Device control (Mac)
You can now configure a Device Control policy for Mac clients. Device control controls the use of removable devices, such as USBs and FireWire. The policy supports permissions for reading, writing, and executing, and supports devices based on the type, make, model, or serial number.
You can automatically update the Mac client from Symantec Endpoint Protection Manager.
Security patches for the client (Windows)
You can now download and install security fixes for Windows clients using LiveUpdate, a Group Update Provider, or the management server. This option lets customers receive security fixes as easily as they receive virus definition updates. To download the security fixes to a management server, make sure that the option is enabled for the site. To download the security fixes to the clients, use the Download security patches to fix the vulnerabilities in the latest version of the Symantec Endpoint Protection client option in a LiveUpdate Settings policy.
Troubleshooting client crashes (Windows)
If the client crashes or behaves abnormally, a new component collects information about the client and reports it to a Symantec server. Symantec can use this information to better understand the cause of the crash, and improve the product. To enable this option, click Admin > Servers > Edit Site Properties > Data Collection tab, and make sure that Let clients send troubleshooting information to Symantec to resolve product issues faster is checked.
Symantec Endpoint Protection client drivers for the Windows 10 Device Guard (Windows)
Windows 10 includes a feature called Device Guard that lets you lock down devices against new and unknown malware variants as well as advanced persistent threats (APTs). Device Guard uses hardware virtualization to isolate security-critical functions, such as code integrity enforcement, from the rest of the Windows operating system. The version 14 client drivers are built to run on computers that have Device Guard enabled.
Symantec Endpoint Protection Manager includes a set of REST APIs that connect to and perform Symantec Endpoint Protection Manager operations from Symantec Advanced Threat Protection (ATP). You use the APIs if you do not have access to Symantec Endpoint Protection Manager. The documentation is located in the following places:
On the Symantec Endpoint Protection Manager server at the following address, where SEPM-IP is the IP address of the Symantec Endpoint Protection Manager server:
The API for remote monitoring and management (RMM) includes a new command, assignQuarantinePolicy. This command assigns a policy to one or more of the group's Quarantine locations.
In addition, the RMM API documentation folder was renamed from
The semapisrv service listens for API commands on the Symantec Endpoint Protection Manager.
The tools in this list are located in the installation file that you download from FileConnect in the
\Tools folder, unless otherwise noted.
The DeviceInfo tool lets you obtain the device vendor, model, or serial number for a specific device on the Mac client to use in Device Control policies. The tool is located in the
TLS to Microsoft SQL Server database support
Symantec Endpoint Protection Manager communicates with the SQL Server over an encrypted channel by default. The SetSQLServerTLSEncryption.bat tool lets you enable or disable TLS encryption between the management server and Microsoft SQL Server. As of version 14, it can be used with management server installations that are configured to use the Microsoft SQL Server database. Disable encryption only for troubleshooting: with a remote SQL Server, an unencrypted connection exposes the database traffic on the network. You access the tool from <installation directory>\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
SymDiag replaces SymHelp
The SymHelp tool was renamed as the Symantec Diagnostic (SymDiag) tool.
SymDiag is a multi-product diagnostic tool that identifies common issues, gathers data for support-assisted troubleshooting, and provides links to other customer self-help and support resources.
Content Distribution Monitor
The Content Distribution Monitor tool monitors management servers, clients, and GUPs in your environment. The tool shows a graphical display of the health and content distribution status, site throughput, and database table records. A new Site Information tab displays the throughput data that is collected after the last heartbeat between this site's management servers and the client computers. The tool is located in the \Tools\ContentDistributionMonitor folder. In previous versions, this tool was not supported. The tool was also called
SEPPrep tool was removed
The unsupported SEPPrep tool was used in previous releases to remove third-party competitors' security software and Symantec software remotely or by using a script. The Client Deployment Wizard now includes options in the Client Install Settings dialog box to uninstall both third-party products and Symantec products. To uninstall Symantec Endpoint Protection remotely, you can also download the CleanWipe tool from the
The Quarantine Server and Quarantine Console folder was removed
The Central Quarantine Server and Quarantine Console have been removed from the Symantec Endpoint Protection installation screen and the Tools\CentralQ folder. You can still use the Central Quarantine tool, but you can only download it from a previous version of Symantec Endpoint Protection.
Symantec Endpoint Protection Manager no longer supports:
An installation on Windows Server 2003, any desktop operating system, or any 32-bit operating system.
SQL Server 2005, SQL Server 2008 SP3 and earlier, and SQL Server 2008 R2 SP2 and earlier.
Migration from Symantec Endpoint Protection Manager 11.x or 12.0 to 14. You must first upgrade to the latest version of 12.1, or uninstall the older Symantec Endpoint Protection Manager. Symantec Endpoint Protection Manager displays a warning for 11.x or 12.0 to 14 migrations.
The ability to import a client installation package for 11.x.
The Symantec Endpoint Protection Manager web console no longer supports Internet Explorer 8, 9, or 10.
The Symantec Endpoint Protection client no longer supports:
An installation on any version of Windows XP / Server 2003.
An installation on any version of Windows Embedded that is based on Windows XP, such as Windows Embedded Standard 2009.
Mac OS X 10.8.
Updates for 11.x or 12.0 clients. Symantec Endpoint Protection 11.x clients can no longer get updated content from Symantec Endpoint Protection Manager. To keep 11.x client computers protected, upgrade them from version 11.x to 14. You can also run a report that displays which computers still have the Symantec Endpoint Protection 11.x or 12.0 client installed. Click the Monitors > Notifications tab to add a notification that displays a list of computers with the unsupported 11.x and 12.0 versions installed.
Network Access Control is not supported
Symantec Network Access Control reaches end-of-life support between September and November 2017. Version 14 does not support Symantec Network Access Control. If you want to use Symantec Network Access Control, you should use version 12.1.5 or earlier. In addition, the Symantec Endpoint Protection Manager Help no longer includes the documentation on Symantec Network Access Control features.
The vShield-enabled Shared Insight Cache (VSIC) and Security Virtual Appliance (SVA) are no longer supported. In the Virus and Spyware Protection policy, the Windows Settings > Miscellaneous > Shared Insight Cache tab no longer has the Enable Shared Insight Cache or Shared Insight Cache using VMware vShield options. Instead, you check or uncheck Shared Insight Cache using Network. Symantec Endpoint Protection still provides the Shared Insight Cache and Virtual Image Exception features for virtual infrastructures. You can also run Symantec Data Center Security: Server and Symantec Endpoint Protection together.
The Home page > Common tasks menu was removed. The Common tasks menu was previously a list of the required tasks. To view the list of both common tasks and required tasks, click Help > Getting Started page. The Getting Started page also appears when you upgrade or when any one of the required tasks have not been completed.
The Require standard HTTP headers for LiveUpdate connection option in the LiveUpdate Settings policy > Advanced Settings tab was removed. In 12.1.6, you could enable this option to force standard HTTP headers on the LiveUpdate connection when nonstandard headers might be blocked by a non-Symantec firewall. By default, Windows, Mac, and Linux clients now always use standard HTTP headers, so the option is no longer necessary.
The options for limited administrators being able to run reports for the clients and the servers that run Symantec AntiVirus 10.x and earlier was removed. Symantec Endpoint Protection does not support or update the content for Symantec AntiVirus clients.
The Applies To column for an Exceptions policy > Windows Application Exception was removed. The Applies To column was used for 11.0.x clients and 12.1.x and later clients. Because 11.0.x clients are no longer supported, this information is not needed.
You can review a new Quick Start Guide, which describes how to get Symantec Endpoint Protection installed and running immediately. Use this method if you have fewer than 500 clients with a default installation.
Version 14 does not include a Getting Started Guide. Instead, see the Getting Started chapter of the Symantec Endpoint Protection Installation and Administration Guide for a customizable installation. This chapter includes the same topics that used to be in the Getting Started Guide.