Symantec Endpoint Protection (review & explanation)

Status
Not open for further replies.

elite

Level 1
Apr 26, 2013
9
Hi @Umbra Polaris and @Nico@FMA, how can I configure SEP to ask me before any action in the whole configuration? I want to decide for every step. Thanks in advance.
edit: did you experience any issue with VMware? e.g. freezing guest, internet, etc.?

Online_Sword

Level 12
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
I find that you enabled the option "Rescan the cache when new definition loaded".
I heard that it is strongly recommended to disable this option, since it will significantly affect hard disk performance each time SEP updates.
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
I find that you enabled the option "Rescan the cache when new definition loaded".
I heard that it is strongly recommended to disable this option, since it will significantly affect hard disk performance each time SEP updates.

Rescanning the cache is great for avoiding poison attacks and other malicious network attacks.
This is a feature that is worth more than any gold on the planet; it's that good.
In regards to SEP performance in terms of resources, SEP resource usage is stellar compared to any other EP product out there.
So I am not sure what has been misconfigured within your setup. But what you are telling me about the resource problem during update and the cache rescanning is not even remotely true.
SEP uses no more than, let's say, 30/50 megs idle, and anywhere between 50/100 megs during heavy load depending on your config.

Cheers
 

Deleted member 178

Thread author
By the way, Nico, is my SEP compatible with Win10 (will it update itself to be compatible) or do I need a separate build?
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
By the way, Nico, is my SEP compatible with Win10 (will it update itself to be compatible) or do I need a separate build?

I think that Symantec will push a compatibility update through their LiveUpdate feature, the same way as they added Windows 8/8.1 to their Windows 7 package. Remember you did not need a reinstall? Just a hefty update?
However, since Windows 10 is going to be fundamentally different, I think there is a reasonable possibility that Symantec requires a newer main setup. However, I did not receive any word yet from them about it, and we run over 1100 clients on it.
So if there are changes, then I am sure I will know ahead of time.

That said, so far I honestly would not be able to tell you, for the reasons stated above.

Hope this helps.

Kind Regards, Nico
 

Enju

Level 9
Verified
Well-known
Jul 16, 2014
443
Is there any noticeable difference between the small business edition and the "standalone" version except the remote configuration and client overview?
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Is there any noticeable difference between the small business edition and the "standalone" version except the remote configuration and client overview?

Yes, there are a lot of differences between the unmanaged (standalone) version and the managed version.
One of the biggest differences is the rule set and the way the endpoint protection configuration handles requests and deals with security.
The managed version is controlled by a master server which basically takes care of every aspect of the network security based upon rule sets, policy settings and master configurations within the server itself, while the standalone version does not have a controlling server and all its rule sets are added manually.
This is a small yet big difference.
If you want more info, I suggest you read Umbra's review as it pretty much explains the difference.

Cheers

Enju

Level 9
Verified
Well-known
Jul 16, 2014
443
Yes, there are a lot of differences between the unmanaged (standalone) version and the managed version.
One of the biggest differences is the rule set and the way the endpoint protection configuration handles requests and deals with security.
The managed version is controlled by a master server which basically takes care of every aspect of the network security based upon rule sets, policy settings and master configurations within the server itself, while the standalone version does not have a controlling server and all its rule sets are added manually.
This is a small yet big difference.
If you want more info, I suggest you read Umbra's review as it pretty much explains the difference.

Cheers

Sorry, my phrasing was a bit off. I know that the master server pushes all the rules to its endpoints, provides admins an overview and statistics and so forth (basically the same way as Sophos does for their Endpoint Protection, except that Sophos doesn't really include any noteworthy features in their EP, except AV, since most of it should get dealt with by the UTM).
My question was more like: is there any engine/protection/performance difference between the managed and unmanaged version? I couldn't find any information in that regard, so I assume it's basically equal.

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Sorry, my phrasing was a bit off, I know that the master server pushes all the rules to its endpoints, provides admins a overview and statistics and so forth (basically the same way as Sophos does for their Endpoint Protection except that Sophos doesn't really include any noteworthy features in their EP, except AV, since most of it should get dealt with by the UTM).
My question was more like: Is there any engine/protection/performance difference between the managed and un-managed version? I couldn't find any information in that regard, so I assume it's basically equal.

Yes, there is a performance difference, also in terms of protection. While the engines are the same, the standalone version uses a bit more resources as the whole rule/policy set is loaded and active 24/7, hence a bigger memory and CPU footprint. In regards to protection, the standalone version is great, yet it's a mere shadow compared to the managed version.
The managed version pushes the rule/policy set over the network on a case-by-case basis.
This means that if there is no traffic or no processes running that require SEP to monitor, then all the clients become idle.
The unmanaged version has its rule/policy set permanently loaded and as such is far more active than SEPM.
And this is simple to explain: on a big company network, having SEPM run 24/7 in full active mode would make the load upon the network and its parent applications and processes bog down the system, as you are talking in some cases about hundreds if not thousands of connected endpoints, so you understand that having them all in full swing even while their host system is idle will produce a significant load on the network.
Which degrades performance.
Hence SEPM only comes into action when there is a request by a protocol or a process that requests monitoring based upon trigger rules.
The standalone version does not have that trigger system, since there is no need for it, and it basically runs like your average Internet security package.

Does this answer your question?

Kind Regards Nico
 

Enju

Level 9
Verified
Well-known
Jul 16, 2014
443
Does this answer your question?
Kind Regards Nico
Yup, thanks! It's basically what I was expecting! :)
Would have been silly to load every ruleset onto every endpoint but still, some companies act in mysterious ways :p.
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Yup, thanks! It's basically what I was expecting! :)
Would have been silly to load every ruleset onto every endpoint but still, some companies act in mysterious ways :p.

Correction from my end (sorry).
I just realized that the latest version of SEPM actually does load the zero-day ruleset across the network to its endpoints.
This is due to the fact that some zero-days do not trigger SEPM to act, and having them loaded sort of creates a trigger and makes it more able to deal with true zero-days.

Cheers.

phyniks

Level 7
Verified
Well-known
Nov 17, 2013
300
Thank you all for your information.
Regarding the virus definition database, what do you mean by different? (Norton vs SEP)
Do they receive the same definitions but there is a delay between them?
Or are they absolutely different? For example, one product will find some malware while the other one will not find the malware at all?
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
@phyniks :

They have the same components, but in some long-time video reviews SEP seems to have a little increase in detection compared to Norton Home products, which shouldn't surprise you.*

*Because threats on business range from medium to high risk, complex configuration and strong protection should be measured.

In terms of updates, well, they should act the same, plus the Pulse Updates feature is enforced to download tiny incremental footprints every time.

StriderHunterX

Level 5
Verified
Well-known
Jan 10, 2015
207
Hmmm.... I don't know if you have dealt with something like this.

I have been rolling out SEP 12.1.5 to our PCs and servers. The thing is that PCs that share printers end up completely blocked from traffic, disabling sharing features. Also, our AD servers don't authenticate if the AV is active.

Been checking those FW and rules settings, but like Nico once commented: "You need security/Symantec specialists to maximize potential."
I'm still learning.... :oops:

Deleted member 178

Thread author
Been checking those FW and rules settings, but like Nico once commented: "You need security/Symantec specialists to maximize potential."
I'm still learning.... :oops:

That's the whole point of corporate solutions.

Deleted member 178

Thread author
@Umbra

What is "emulated SEP"? Why could it work between the router and the ISP?

SEP is "supposed" to be run on machines controlled by the master server (which is a kind of "border checkpoint" for the data that bestows rules & policies); by "Emulated SEP" I meant that the data is probed & tagged by the unmanaged version with the purpose of emulating a master server.

Online_Sword

Level 12
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
probed & tagged by the unmanaged version in the purpose to emulate a master server

Sorry, but it is still difficult for me to understand.

Do you mean that, SEP FW could add a new header to the packet sent from the host (and put the original packet with the original header to the payload part)?

Since the routers, ISP, and the web server are, of course, not aware of the existence of SEP firewall, the only way that I can come up with to ensure the firewall policies are carried out outside of the host (in your schematic diagram, they are carried out between the router and the ISP) is to add a new header. Please correct me if I misunderstand here.
 

Deleted member 178

Thread author
Sorry, but it is still difficult for me to understand.

Do you mean that, SEP FW could add a new header to the packet sent from the host (and put the original packet with the original header to the payload part)?

Exactly.

Since the routers, ISP, and the web server are, of course, not aware of the existence of SEP firewall, the only way that I can come up with to ensure the firewall policies are carried out outside of the host (in your schematic diagram, they are carried out between the router and the ISP) is to add a new header. Please correct me if I misunderstand here.

If I remember well, your packets still pass via Symantec servers for cross-checking the data integrity.