
Symantec Endpoint Protection Windows Client Guide

Updated: November 2022


Table of Contents
How do I protect my Windows computer with Symantec Endpoint Protection?...........................7
About the technologies that Symantec Endpoint Protection uses to protect your computer.................................... 9
Updating definitions using LiveUpdate....................................................................................................................... 10
Types of alerts and notifications..................................................................................................... 12
About scan results.........................................................................................................................................................12
Responding to a virus or a risk detection.................................................................................................................. 13
Responding to Download Insight messages that ask you to allow or block a file that you try to download........14
Responding to messages that ask you to allow or block an application................................................................ 15
Responding to expired license messages.................................................................................................................. 15
Responding to messages to update the client software........................................................................................... 16
Managing scans on your computer.................................................................................................17
Scanning your client computer immediately.............................................................................................................. 19
Pausing and delaying scans.........................................................................................................................................20
Scheduling a user-defined scan on the client............................................................................................................ 21
Scheduling a scan to run on demand or when the computer starts up.................................................................. 23
Managing Download Insight detections on your computer...................................................................................... 23
Customizing Download Insight settings......................................................................................................................25
Customizing virus and spyware scan settings...........................................................................................................25
Configuring actions for malware and security risk detections.................................................................................27
About excluding items from scans..............................................................................................................................28
Excluding items from scans......................................................................................................................................... 29
Managing quarantined files on your computer.......................................................................................................... 31
Enabling Auto-Protect....................................................................................................................................................32
Understanding submissions to Symantec that improve protection on your computer......................................... 32
About the client and the Windows Security Center...................................................................................................33
Managing behavioral analysis (SONAR)......................................................................................................................34
Preventing false positive detections for behavioral analysis (SONAR)...................................................................35
Checking your computer's security compliance with a Host Integrity scan........................................................... 35
Remediating your computer to pass the Host Integrity check................................................................................. 36
Enabling Tamper Protection..........................................................................................................................................36
How virus and spyware scans work................................................................................................37
About viruses and security risks................................................................................................................................. 37
About the types of scans..............................................................................................................................................39
About the types of Auto-Protect.................................................................................................................................. 40
How scans respond to a virus or risk detection........................................................................................................41
How Symantec Endpoint Protection uses Symantec Insight to make decisions about files.................................... 42

Managing firewall protection............................................................................................................ 44
How a firewall works..................................................................................................................................................... 45
Managing firewall rules on the Windows client..........................................................................................................45
The elements of a firewall rule on the client............................................................................................................ 46
What is the order that the Symantec Endpoint Protection client processes firewall rules?......................................47
Adding firewall rules on the client............................................................................................................................ 48
Importing or exporting firewall rules on the client.................................................................................................... 49
Enabling firewall settings.............................................................................................................................................. 50
Enabling network file and printer sharing with the client installed........................................................................ 50
Allowing or blocking applications from accessing the network.............................................................................. 52
Allowing or blocking applications that are already running on the client...............................................................53
Blocking traffic when the screensaver is active or the firewall does not run......................................................... 54
How intrusion prevention works...................................................................................................... 55
Configuring intrusion prevention on the Windows client..........................................................................................55
Preventing attacks on vulnerable applications.......................................................................................................... 56
Allowing or blocking malicious websites with Web and Cloud Access Protection.................... 58
What is Web and Cloud Access Protection?..............................................................................................................58
Verifying that the Web and Cloud Access Protection tunnel method is enabled and connected on the Windows client..........58
Managing the Windows client.......................................................................................................... 62
Managing the Windows client.......................................................................................................................................63
Understanding the Symantec Endpoint Protection client Status page..................................................................... 64
Hiding and displaying the notification area icon on the client................................................................................. 64
About managed clients and unmanaged clients...................................................................................................... 65
Checking whether the client is managed or unmanaged......................................................................................... 66
Troubleshooting problems with a protection................................................................................ 68
Enabling protection on the client computer............................................................................................................... 69
About the logs on the Windows client........................................................................................................................ 69
Viewing the logs............................................................................................................................................................. 70
Enabling the Packet log................................................................................................................................................ 71
Dialog Help..........................................................................................................................................72
Virus and Spyware Protection...................................................................................................................................... 72
Virus and Spyware Protection Settings: Auto-Protect.............................................................................................. 72
Virus and Spyware Protection Settings: Outlook Auto-Protect.................................................................................73
Virus and Spyware Protection Settings: Download Insight...................................................................................... 73
Virus and Spyware Protection Settings: Global Settings..........................................................................................75
Scan Notification Options..........................................................................................................................................76
Download Insight Actions..........................................................................................................................................77
Download Insight Notification Options...................................................................................................................... 77

Early Launch Anti-Malware....................................................................................................................................... 78
Auto-Protect Advanced Options................................................................................................................................78
Floppy Settings..........................................................................................................................................................80
Advanced Scan Options........................................................................................................................................... 81
Network Scanning Settings.......................................................................................................................................82
Selected Extensions..................................................................................................................................................82
Insert Warning........................................................................................................................................................... 83
Send Email to recipient: Message............................................................................................................................84
Send Email to Others: Others.................................................................................................................................. 85
Send Email to recipient: Email Server......................................................................................................................85
Scan Actions............................................................................................................................................................. 85
Create a New Scan.................................................................................................................................................. 87
Create New Scan - Select Folders and Files...........................................................................................................87
Create New Scan - Scan Options............................................................................................................................ 87
Create New Scan - Scan Name...............................................................................................................................88
Create New Scan - Schedule................................................................................................................................... 88
Create New Scan - What to Scan............................................................................................................................89
Create New Scan - When To Scan.......................................................................................................................... 89
Scan Tuning Options.................................................................................................................................................90
Scan type or Symantec Endpoint Protection Detection Results.............................................................................. 90
Outlook Protection Advanced Options......................................................................................................................92
Scan Notification Options..........................................................................................................................................92
Notification options.................................................................................................................................................... 93
Proactive Threat Protection.......................................................................................................................................... 93
Behavioral Analysis................................................................................................................................................... 93
System Change Detection........................................................................................................................................ 94
Take Action................................................................................................................................................................95
Network and Host Exploit Mitigation........................................................................................................................... 95
Network Activity.........................................................................................................................................................95
View Application Settings..........................................................................................................................................96
Configure Application Settings..................................................................................................................................97
Network and Host Exploit Mitigation: Firewall.......................................................................................................... 98
Network and Host Exploit Mitigation: Notifications................................................................................................. 102
Network and Host Exploit Mitigation Settings: Microsoft Windows Networking..................................................... 102
Configure Firewall Rules.........................................................................................................................................103
Add or Edit Firewall Rule: General.........................................................................................................................103
Add or Edit Firewall Rule: Hosts............................................................................................................................ 104
Add or Edit Firewall Rule: Ports and Protocols......................................................................................................104
Add or Edit Firewall Rule: Applications.................................................................................................................. 106
Add or Edit Firewall Rule: Scheduling....................................................................................................................106

View Firewall Rules.................................................................................................................................................106
Network and Host Exploit Settings: Intrusion Prevention....................................................................................... 107
Memory Exploit Mitigation.......................................................................................................................................107
Web and Cloud Access Protection............................................................................................................................ 108
Web and Cloud Access Protection Settings........................................................................................................... 108
Exceptions.....................................................................................................................................................................108
Exceptions: User-defined Exceptions..................................................................................................................... 108
Known Security Risk Exceptions............................................................................................................................ 109
Security Risk Extension Exceptions....................................................................................................................... 110
Trusted Web Domain Exception............................................................................................................................. 110
Quarantine..................................................................................................................................................................... 111
View Quarantine...................................................................................................................................................... 111
Purge Options: Quarantine Items........................................................................................................................... 112
Purge Options: Backup Items................................................................................................................................. 112
Purge Options: Repair Items.................................................................................................................................. 112
Client Management.......................................................................................................................................................113
Client Management Settings: General....................................................................................................................113
Proxy Server Settings............................................................................................................................................. 113
Reboot Options....................................................................................................................................................... 114
Client Management Settings: Tamper Protection................................................................................................... 115
Client Management Settings: LiveUpdate.............................................................................................................. 116
Client Management Settings: LiveUpdate Proxy Server Settings: HTTP...............................................................117
Client Management Settings: LiveUpdate Proxy Server Settings: FTP................................................................. 117
Client Management Settings: Submissions............................................................................................................ 117
Troubleshooting............................................................................................................................................................118
Troubleshooting: Management/Cloud Management............................................................................................... 118
Troubleshooting: Hybrid Management.................................................................................................................... 119
Troubleshooting: Versions....................................................................................................................................... 120
Troubleshooting: Debug Logs................................................................................................................................. 120
Client Management Debug Log Settings................................................................................................................120
Troubleshooting: Windows Account........................................................................................................................121
Symantec Endpoint Protection Debug Log Settings.............................................................................................. 121
Troubleshooting: Computer..................................................................................................................................... 121
Troubleshooting: Install Settings............................................................................................................................. 122
Troubleshooting: Client Upgrade............................................................................................................................ 122
Troubleshooting: Server Connection Status or Common Cloud Connection Status.............................................. 122
Troubleshooting: Subscription Status..................................................................................................................... 123
Troubleshooting: Application Hardening................................................................................................................. 123
Troubleshooting: EDR Connection Status.............................................................................................................. 124
Troubleshooting: Web and Cloud Access Protection............................................................................................. 125

Logs............................................................................................................................................................................... 125
Troubleshooting: Logs............................................................................................................................................. 125
Virus and Spyware Protection Logs: Scan Log......................................................................................................126
Virus and Spyware Protection Logs: Risk Log....................................................................................................... 127
Virus and Spyware Protection Logs: System Log.................................................................................................. 128
Proactive Threat Protection Logs: Threat Log........................................................................................................129
Proactive Threat Protection Logs: System Log...................................................................................................... 130
Hardening Logs....................................................................................................................................................... 130
Filter System Log.................................................................................................................................................... 131
Client Management Logs: System Log.................................................................................................................. 131
Client Management Logs: Security Log................................................................................................................. 132
Tamper Protection Log............................................................................................................................................134
Network and Host Exploit Mitigation Settings: Logs...............................................................................................134
Client Management Logs: Control Log................................................................................................................... 135
Network and Host Exploit Mitigation Logs: Traffic Log...........................................................................................136
Network and Host Exploit Mitigation Logs: Packet Log......................................................................................... 138
Back Trace Information........................................................................................................................................... 139

How do I protect my Windows computer with Symantec Endpoint Protection?
Symantec Endpoint Protection for Windows Client Guide
The default settings in the client protect your computer from many types of security threats. Either the client automatically
handles the threat, or lets you choose how to handle the threat.
You can check whether your computer is infected, and perform some additional tasks if you want increased security or
better performance.
NOTE
On managed clients, some options do not appear if your administrator has configured them to be unavailable.
On unmanaged clients, most options appear.

Table 1: Frequently asked questions on how to protect your computer

How do I know that my computer is protected?
The client displays the protection status of your computer. Your computer is best protected with all protections installed and updated.
How to determine whether the client computer is protected using the Status page icons
Symantec Endpoint Protection client status icons

How can I tell if my computer is infected?
If your computer is infected, you might see any of the following types of messages:
• An Auto-Protect scan detection or manual scan detection.
These messages describe the threat and the action that was taken on the threat. You can choose one of several options to handle the threat.
Responding to a virus or a risk detection
About scan results
Pausing and delaying scans
• A Download Insight detection.
These messages describe the malicious and the unproven files that Download Insight detects when you try to download them.
Responding to Download Insight messages that ask you to allow or block a file that you try to download
Types of alerts and notifications

How do I clean my computer if it is infected?
If you see a scan window, your administrator has already set the action that your computer takes on the infection. You may be able to choose an action. If you know that a file is infected, click Clean or Quarantine.
For scheduled scans and Auto-Protect, make sure that the main action is set to Clean risk and the secondary action to Quarantine risk or Delete.
Responding to a virus or a risk detection
How virus and spyware scans work
Configuring actions for malware and security risk detections

How do I increase the security of my computer?
By default, a managed client computer is protected with the maximum amount of protection. Your administrator may have modified some settings to improve the client's performance.
If your administrator has enabled you to modify your own computer's protection settings, you can perform the following tasks:
• Schedule regular full scans, typically once a day or once a week.
Scheduling a user-defined scan on the client
• Keep virus and spyware scans, Auto-Protect, SONAR, the firewall, intrusion prevention, Memory Exploit Mitigation, and Download Insight installed, enabled, and up-to-date at all times.
Enabling protection on the client computer
Enabling Auto-Protect
Preventing attacks on vulnerable applications
On an unmanaged client, you can perform the following tasks:
• Download and install the correct virus definitions and security content by using LiveUpdate. Security Response releases virus definitions multiple times a day, and releases other security content regularly or as needed. By default, clients are scheduled to run LiveUpdate every four hours. You can also launch LiveUpdate at any time.
Updating the client content using LiveUpdate
• Run a full scan of your computer with all scan enhancements enabled. By default, a full scan runs on your computer weekly. However, you can run a scan at any time.
Scheduling a user-defined scan on the client
Scanning your client computer immediately

How do I modify my scan settings if the scan slows down my work?
If scans slow down your computer, adjust the following settings:
• Create a scheduled full scan for after hours or when you are not on the computer.
Scheduling a user-defined scan on the client
• Exclude the applications and files that you know are safe.
Excluding items from scans
• Turn off the scan of compressed files, or reduce the number of levels to expand compressed files within compressed files.
Customizing virus and spyware scan settings
• Disable the scan enhancement options for user-defined scans.
Scheduling a user-defined scan on the client
Note: You may not be able to change these settings if your administrator has locked them.

What do I do if the firewall blocks my ability to browse the Internet?
By default, the firewall does not block access to the Internet. If you cannot access the Internet, contact your administrator. Your administrator may have blocked access to certain websites or may not allow your computer to use a certain browser. You may or may not have the rights to modify the firewall rules.
On an unmanaged client, you can modify the firewall rules. However, you should not change or add a firewall rule until you understand whether or not the traffic that the firewall rule blocks is malicious. Before you modify the firewall rule, ask the following questions:
• Is the web application that accesses the Internet legitimate?
• Are the remote ports that the web application accesses correct? HTTP traffic is legitimate traffic for web applications, and HTTP traffic uses TCP ports 80 and 443. You may not be able to trust traffic on other ports.
• Is the IP address for the website that the application accesses correct or legitimate?
Adding firewall rules on the client

What actions do I take when I get a message in the notification area?
  Read the message in the notification area on the toolbar.
  The notifications tell you one of the following things:
  • Your computer might have been attacked and the client handled the threat.
    Responding to a virus or a risk detection
    Responding to messages that ask you to allow or block an application
  • Your computer automatically received a new security policy.
  You can also go to one of the logs for more information, depending on the type of threat.
  Viewing the logs

Checking whether the client is managed or unmanaged


Managing the client

About the technologies that the client uses to protect your computer
Symantec Endpoint Protection for Windows Client Guide
The client combines several layers of protection to proactively secure your computer against known and unknown threats
and network attacks.

Table 2: Types of protection

Virus and Spyware Protection
  Virus and Spyware Protection combats a wide range of threats, including spyware, worms, Trojan horses, rootkits, and adware. File System Auto-Protect continuously inspects all computer files for viruses and security risks. Microsoft Outlook Auto-Protect scans incoming and outgoing Outlook email messages.
  Managing scans on your computer
Proactive Threat Protection
  Proactive threat technology includes behavioral analysis (SONAR), which offers real-time protection against zero-day attacks. Behavioral analysis can stop attacks even before traditional signature-based definitions detect a threat. Behavioral analysis uses heuristics as well as file reputation data to make decisions about applications or files.
  Managing behavioral analysis (SONAR)
Network and Host Exploit Mitigation
  This protection includes a firewall, an intrusion prevention system, and Memory Exploit Mitigation.
  • The rules-based firewall prevents unauthorized users from accessing your computer.
  • The intrusion prevention system automatically detects and blocks network attacks.
  • Memory Exploit Mitigation stops attacks on the commonly used applications that run on your Windows computer.
  Managing firewall protection
  Configuring intrusion prevention
  Preventing attacks on vulnerable applications
Web and Cloud Access Protection
  Web and Cloud Access Protection redirects network traffic from the Symantec Endpoint Protection client to the Symantec Web Security Service, which allows or blocks the traffic based on rules that your administrator sets up.
  What is Web and Cloud Access Protection?

Your administrator manages the types of protection that the management server downloads to your client computer. The
client also downloads virus definitions, IPS definitions, and product updates to your computer. If you travel with a portable
computer, you can get virus definitions and product updates directly from LiveUpdate.
Updating the client content using LiveUpdate

Updating definitions using LiveUpdate
Symantec products depend on current information to protect your computer from newly discovered threats. Symantec
makes this information available through LiveUpdate.
Content updates are the files that keep your Symantec products current with the latest threat protection technology. The
content updates that you receive depend on which protections are installed on your computer. For example, LiveUpdate
downloads virus definition files for Virus and Spyware Protection and IPS definition files for Network Threat Protection.
Starting in 14, clients also have access to the full set of content in the cloud. Scans that run on a standard or embedded/
VDI client that is connected to the cloud get the full definitions set in the cloud.
How Windows clients receive definitions from the cloud
LiveUpdate can also provide improvements to the installed client on an as-needed basis. These improvements are usually
created to extend the operating system or hardware compatibility, adjust performance issues, or fix product errors. These
updates can come through the management server for managed clients if it is configured to do so.
LiveUpdate retrieves the new content files from a Symantec Internet site, and then replaces the old content files. A
managed client computer most commonly receives content updates from its management server. A managed or an
unmanaged client computer can receive this content directly from a LiveUpdate server. How your computer receives the
updates depends on whether your computer is managed or unmanaged, and on how your administrator has configured
updates.

Table 3: Ways to update content on your computer

Update the content on a schedule
  By default, LiveUpdate runs automatically at scheduled intervals. You can also modify the schedule. You may want to schedule LiveUpdate to run during a time that you do not use your computer.
  On managed clients, you can only configure LiveUpdate to run on a schedule or modify the existing schedule if enabled by the administrator. If the padlock icon appears and the options are grayed out, you cannot update your content on a schedule, or modify the existing schedule. On an unmanaged client, you can disable or change a LiveUpdate schedule.
  To update the content on a schedule with LiveUpdate
Update the content immediately
  Based on your security settings, you can run LiveUpdate immediately. You should run LiveUpdate manually for the following reasons:
  • The client software was installed recently.
  • It has been a long time since the last scan.
  • You suspect you have a virus or other malware problem.
  Note: Managed clients can run LiveUpdate manually only if the administrator configured the settings to allow it.
  To update the content immediately with LiveUpdate

To update the content on a schedule with LiveUpdate:
1. In the client, in the sidebar, click Change Settings.
2. Beside Client Management, click Configure Settings.
3. In the Client Management Settings dialog box, click LiveUpdate.
4. On the LiveUpdate tab, check Enable automatic updates.
5. In the Frequency and Time group box, modify the frequency of the updates, as needed.
6. Optionally enable and configure the randomization options and idle detection settings.
   These options improve the amount of time it takes LiveUpdate to update the client.
7. Click OK.
To update the content immediately with LiveUpdate:
In the client, in the sidebar, click LiveUpdate.
LiveUpdate connects to the Symantec server, checks for available updates, then downloads and installs them automatically.

Types of alerts and notifications
The client works in the background to keep your computer safe from malicious activity. Sometimes the client needs to
notify you about an activity or to prompt you for feedback.

Table 4: Types of alerts and notifications

Scan results dialog box
  If a scan detects a virus or a security risk, the scan results or Symantec Endpoint Protection Detection Results dialog box appears with details about the infection. The dialog box also displays the action that the scan performs on the risk. You usually do not need to take any further actions other than to review the activity and to close the dialog box. You can take action if necessary, however.
  If the scan is still in progress, the dialog box may display a name such as Scan name started on Date Time. If the scan is complete, the dialog box may display a name such as Symantec Endpoint Protection Detection Results.
  About scan results
Other message dialog boxes
  You may see pop-up messages for the following reasons:
  • The client automatically updates the client software.
    Responding to messages to update the client software
  • The client asks you to allow or block an application.
    Responding to messages that ask you to allow or block an application
  • The client's trial license has expired.
    Responding to expired license messages
Notification area icon messages
  Notifications that appear in the notification area icon occur in the following situations:
  • The client blocks an application:
    Traffic has been blocked from this application: Application name
    If the client is configured to block all traffic, these notifications appear frequently and generally require no action on your part. If your client is configured to allow all traffic, these notifications do not appear.
    Responding to messages that ask you to allow or block an application
  • The client terminates an application:
    Symantec Endpoint Protection: Attack: Structured Exception Handler Overwrite detected. Symantec Endpoint Protection will terminate <application name> application
    Preventing attacks on vulnerable applications
  • The client detects a network attack against your computer:
    Traffic from IP address 192.168.0.3 is blocked
    from 2/14/2010 15:37:58 to 2/14/2010 15:47:58.
    Port Scan attack is logged.
    You do not need to do anything else other than read the messages.
  • The security compliance check failed. Traffic may be blocked from going to and from your computer:
    Security compliance scan failed.
    Remediating your computer to pass the Host Integrity check
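The notification-area messages in Table 4 follow fixed text formats, so a help desk can parse them when users paste them into a ticket. The following parser is an added example and is not part of the guide or the product; it recognises only the four message formats the table lists, and the application name example_app.exe is constructed (the IP address, time window and attack name are the table's own example).

```python
"""Added example (not from the guide): parse and triage the notification-area
messages that Table 4 describes. Only the four message formats the table lists
are recognised; anything else is reported as "unknown" rather than guessed."""
import re
from datetime import datetime

# Patterns follow the message text exactly as the guide prints it.
_APP_BLOCKED = re.compile(
    r"^Traffic has been blocked from this application: (?P<app>.+)$")
_APP_TERMINATED = re.compile(
    r"^Symantec Endpoint Protection: Attack: (?P<attack>.+?) detected\. "
    r"Symantec Endpoint Protection will terminate (?P<app>.+?) application$")
_IP_BLOCKED = re.compile(
    r"^Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked "
    r"from (?P<start>\S+ \S+) to (?P<end>\S+ \S+)\. "
    r"(?P<attack>.+?) attack is logged\.$")
_COMPLIANCE_FAILED = re.compile(r"^Security compliance scan failed\.$")

# Timestamp layout used in the guide's example: 2/14/2010 15:37:58
_TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_notification(message: str) -> dict:
    """Classify one notification and extract its fields.

    user_action_required mirrors Table 4: only the Host Integrity
    (security compliance) failure asks the user to remediate; the other
    three messages are informational.
    """
    text = " ".join(message.split())  # notifications wrap across lines

    m = _APP_BLOCKED.match(text)
    if m:
        return {"category": "application_blocked", "application": m["app"],
                "user_action_required": False}

    m = _APP_TERMINATED.match(text)
    if m:
        return {"category": "application_terminated", "attack": m["attack"],
                "application": m["app"], "user_action_required": False}

    m = _IP_BLOCKED.match(text)
    if m:
        start = datetime.strptime(m["start"], _TIME_FMT)
        end = datetime.strptime(m["end"], _TIME_FMT)
        return {"category": "ip_blocked", "ip": m["ip"], "attack": m["attack"],
                "blocked_from": start.isoformat(), "blocked_to": end.isoformat(),
                "blocked_seconds": int((end - start).total_seconds()),
                "user_action_required": False}

    if _COMPLIANCE_FAILED.match(text):
        return {"category": "compliance_failed", "user_action_required": True}

    return {"category": "unknown", "user_action_required": None}


def triage(messages: list) -> dict:
    """Count notifications per category and list those needing user action."""
    counts: dict = {}
    needs_action = []
    for msg in messages:
        parsed = parse_notification(msg)
        counts[parsed["category"]] = counts.get(parsed["category"], 0) + 1
        if parsed["user_action_required"]:
            needs_action.append(" ".join(msg.split()))
    return {"counts": counts, "needs_action": needs_action}


# Constructed sample messages in the formats Table 4 shows. The IP, time window
# and attack name are the guide's own example; the application name is made up.
SAMPLE_MESSAGES = [
    "Traffic has been blocked from this application: example_app.exe",
    "Symantec Endpoint Protection: Attack: Structured Exception Handler "
    "Overwrite detected. Symantec Endpoint Protection will terminate "
    "example_app.exe application",
    "Traffic from IP address 192.168.0.3 is blocked\n"
    "from 2/14/2010 15:37:58 to 2/14/2010 15:47:58.\n"
    "Port Scan attack is logged.",
    "Security compliance scan failed.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(parse_notification(msg))
    print(triage(SAMPLE_MESSAGES))
```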

client status icons

About scan results
For managed clients, your administrator typically configures a full scan to run at least one time each week. For unmanaged clients, an automatically generated Active Scan runs when you turn on your computer. By default, Auto-Protect runs continuously on your computer.
When a scan runs, a scan dialog box appears to report progress and to show the results of the scan. When the scan is
completed, the results appear in the list. If the client detects no viruses or security risks, the list remains empty and the
status is completed.
If the client detects risks during the scan, the scan results dialog box shows results with the following information:
• The names of the viruses or security risks
• The names of the infected files
• The actions that the client performs on the risks
If the client detects a virus or security risk, you might need to act on an infected file.
NOTE
For managed clients, your administrator might choose to hide the scan results dialog box. If the client is
unmanaged, you can display or hide this dialog box.
If you or your administrator configures the client software to display a scan results dialog box, you can pause, restart, or
stop the scan.

Responding to a virus or a risk detection
When an administrator-defined scan, a user-defined scan, or Auto-Protect runs, you might see a scan results dialog box.
You can use the scan results dialog box to act on the affected file immediately. For example, you might decide to delete a
cleaned file because you want to replace it with an original file.
If the client needs to terminate a process or application or stop a service, the Remove Risks Now option is active. You might not be able to close the dialog box if risks in the dialog require you to take action.
You might need to take action on a risk but choose not to take action right now. You can use the Quarantine or the Risk
Log or Scan Log to act on the file later in the following ways:
• You can open the risk log, right-click the risk, and then take an action.
• You can run a scan to detect the risk and reopen the results dialog box.
You can also take action by right-clicking a risk in the dialog box and by selecting an action. The actions that you can take
depend on the previously configured actions for the particular type of risk that the scan detected.
To respond to a virus or risk detection in the scan results dialog box:
1. In the scan results dialog box, select the files on which you want to act.
2. Right-click the selection, and then select one of the following options:
   Clean: Removes the virus from the file. This option is only available for viruses.
   Exclude: Excludes the file from being scanned again.
   Delete Permanently: Deletes the infected file and tries to remove or repair any side effects of the infection. For security risks, use this action with caution. In some cases, if you delete security risks you might cause an application to lose functionality.
   Undo Action Taken: Reverses the action taken.
   Move To Quarantine: Places the infected files in the Quarantine. For security risks, the client also tries to remove or repair the side effects of the infection. In some cases, if the client quarantines a security risk, it might cause an application to lose functionality.
   Properties: Displays the information about the virus or security risk.
   In some cases, the action might not be available.
3. In the dialog box, click Close.
You might not be able to close the dialog box if the risks that are listed require you to take action. For example, the
client may need to terminate a process or an application, or it may need to stop a service.
If you need to take action, one of the following notifications appears:
• Remove Risk Required
Appears when a risk requires process termination. If you choose to remove the risk, you return to the results dialog
box. If a restart is also required, the information in the risk's row in the dialog box indicates that a restart is required.
• Restart Required
Appears when a risk requires a restart.
If a restart is required, the removal or repair is not complete until you restart the computer.
• Remove Risk and Restart Required
Appears when a risk requires process termination and another risk requires a restart.
4. If the Remove Risks Now dialog box appears, click one of the following options:
• Remove Risks Now (recommended)
The client removes the risk. The removal of the risk might require a restart. Information in the dialog box indicates
whether or not a restart is required.
• Do not Remove Risks
The results dialog box reminds you that you still need to take action. However, the Remove Risks Now dialog box
is suppressed until you restart your computer.
5. If the results dialog box did not close in step 3, click Close.

Responding to Download Insight messages that ask you to allow or block a file that you try to download
Download Insight notifications display information about the malicious files and the unproven files that Download Insight
detects when you try to download them.
NOTE
Regardless of whether or not notifications are enabled, you receive detection messages when the action for
unproven files is Prompt.
You or your administrator can change how sensitive Download Insight is to malicious files. Changing the sensitivity level
might change the number of notifications that you receive.
Download Insight uses Symantec's Insight technology, which evaluates and determines a file rating that is based on its
global community of millions of users.
The Download Insight notification shows the following information about the detected file:
• File reputation
The file reputation indicates the trustworthiness of a file. Malicious files are not trustworthy. Unproven files may or may
not be trustworthy.
• How common the file is in the community
The prevalence of a file is important. Files that are not common might be more likely to be threats.
• How new the file is
The newer a file is, the less information Symantec has about the file.
The information can help you to decide whether to allow or block the file.
To respond to a Download Insight detection that asks you to allow or block a file that you try to download:
In the Download Insight detection message, do one of the following actions:
• Click Remove this file from my computer.
Download Insight moves the file to the Quarantine. This option only appears for unproven files.
• Click Allow this file.
You might see a permission dialog that asks whether or not you are sure that you want to allow the file.
If you choose to allow an unproven file that was not quarantined, the file runs automatically. If you choose to allow a
quarantined file, the file does not automatically run. You can run the file from your temporary Internet folder.
Typically, the folder location is:
– Windows 7: Drive:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files
– Windows 8/8.1: Drive:\Users\username\AppData\Local\Microsoft\Windows\INetCache
On unmanaged clients, if you allow a file, the client automatically creates an exception for the file on this computer. On
managed clients, if your administrator lets you create exceptions, the client automatically creates an exception for the
file on this computer.

Responding to messages that ask you to allow or block an application
When an application on your computer tries to access the network, the client might ask you to allow or block the
application. You can choose to block an application that you think is unsafe from accessing the network.
This type of notification appears for one of the following reasons:
• The application asks to access your network connection.
• An application that has accessed your network connection has been upgraded.
• Your administrator updated the client software.
You might see the following type of message, which tells you when an application tries to access your computer:
IEXPLORE.EXE is attempting to access the network.
Do you want to allow this program to access the network?

To respond to a message that asks you to allow or block an application:
1. Optionally, to suppress the message the next time the application tries to access the network, in the dialog box, click
Remember my answer, and do not ask me again for this application.
2. Do one of the following actions:
• To allow the application to access the network, click Yes.
• To block the application from accessing the network, click No.
On unmanaged computers and on some managed computers, you can also change the action on the application
through the Status page. Next to Network and Host Exploit Mitigation, click Options, and then click View Network
Activity, or click View Application Settings.

Allowing or blocking applications that are already running on the client

Responding to expired license messages
The client uses a license to update the virus definitions for scans and to update the client software. The client may use a
trial license or a paid license. If the trial license has expired, the client does not update any content.

Table 5: Types of licenses

Trial license
  If a trial license has expired, the top of the client's Status pane is red and displays the following message:
  Trial License has expired.
  Click Details for more information.
  When you click Details, the message indicates content downloads discontinue on a specific date, and to contact your administrator to purchase a paid license. The Status pane may also display some text that indicates the content is outdated.
  You can also view the license expiration date through the client interface. Click Help > About.
Paid license
  If a paid license has expired, you should see no message regarding the expired status in the client's Status pane. The paid license expiration date does not display under Help > About.
  Content continues to update, such as Virus and Spyware definitions.

For either type of license, you must contact your administrator to update or renew the license.
Types of alerts and notifications
Viewing the logs

Responding to messages to update the client software
If there is a client software update available for you to download, you may see the following notification:
has detected that
a newer version of the software is available from
the .
Do you wish to download it now?

The client software update may also install silently in the background. When the installation completes, you may see a
message to notify you that you must restart the computer.
To respond to an update notification:
1. Do one of the following actions:
• To download the software immediately, click Download Now.
• To be reminded after the specified time, click Remind me later.
2. If a message appears after the installation process begins for the updated software, click OK.
3. If a message appears to notify you that an upgrade completed, follow the on-screen instructions to restart. The
installation completes once you restart the computer.

Managing scans on your computer
By default, the client runs an active scan every day. On a managed client, you might be able to configure your own scans,
if your administrator made these settings available. An unmanaged client includes a preset active scan that is disabled,
but you can manage your own scans.
Scans access the complete definitions set in the cloud.
How Windows clients receive definitions from the cloud

Table 6: Managing scans

Read about how scans work
  Review the types of scans and the types of viruses and security risks.
  How virus and spyware scans work
Update virus definitions
  Make sure that you have the latest virus definitions installed on your computer.
  Updating the client content using LiveUpdate
Check that Auto-Protect is enabled
  Auto-Protect is enabled by default. You should always keep Auto-Protect enabled. If you disable Auto-Protect, you also disable Download Insight and you prevent SONAR from making heuristic detections (14.3 RU4 or earlier).
  Enabling Auto-Protect
Scan your computer
  Regularly scan your computer for viruses and security risks. Ensure that scans run regularly by checking the last scan date.
  Scanning your client computer immediately
  Scheduling a user-defined scan on the client
  When scans run, you might see a scan results dialog box. You can use the scan results dialog box to perform some actions on the items that scans detect.
  Responding to a virus or a risk detection
  You can pause a scan that you started. On a managed client, your administrator determines whether you can pause an administrator-initiated scan.
  Pausing and delaying scans
  On a managed client, the administrator might initiate a Power Eraser scan from the management console. Power Eraser is a powerful scan that detects difficult threats and sometimes requires a restart to complete. The administrator manually handles the remediation for the detections.
  You cannot run Power Eraser directly from the client; however, Power Eraser is available as part of the SymDiag support tool. If you download the SymDiag tool and run a Power Eraser scan directly on the client, the logs are not sent to the management console. Do not run Power Eraser locally with the SymDiag tool while the administrator runs Power Eraser from the management console; otherwise, you might negatively affect your computer's performance.
Adjust scans to improve your computer performance
  By default, Symantec Endpoint Protection provides a high level of security while it minimizes the effect on your computer performance. You can customize settings to increase the computer performance even more. For scheduled and on-demand scans you can change the following options:
  • Scan tuning
    Set the scan tuning to Best Application Performance.
  • Compressed files
    Change the number of levels to scan compressed files.
  • Resumable scans
    You can specify a maximum time for a scan to run. The scan resumes when the computer is idle.
  • Randomized scans
    You can specify that a scan randomizes its start time within a specific time interval.
  You might also want to disable startup scans or change the schedule for your scheduled scans.
  Customizing virus and spyware scan settings
  Scheduling a user-defined scan on the client
Adjust scans to increase protection on your computer
  In most cases, the default scan settings provide adequate protection for your computer. In some cases you might want to increase the protection. If you do increase the protection, you might affect your computer performance.
  For scheduled and on-demand scans you can change the following options:
  • Scan performance
    Set the scan tuning to Best Scan Performance.
  • Scan actions
    Change the remediation actions that occur when a virus is detected.
  • Scan duration
    By default, scheduled scans run until the specified time interval expires and then resume when the client computer is idle. You can set the scan duration to Scan until finished.
  • Increase the level of Bloodhound protection.
    Bloodhound locates and isolates the logical regions of a file to detect virus-like behavior. You can change the detection level from Automatic to Aggressive to increase the protection on your computer. The Aggressive setting, however, is likely to produce more false positives.
  Customizing virus and spyware scan settings
Adjust scans to reduce false positives
  Exclude a safe file or process from being scanned.
  Excluding items from scans
Submit information about detections to Symantec
  By default, your client computer sends information about detections to Symantec Security Response. You can turn off submissions or choose which kinds of information to submit.
  Symantec recommends that you always enable submissions. The information helps Symantec address threats.
  Understanding submissions to Symantec that improve protection on your computer
Manage quarantined files
  Symantec Endpoint Protection quarantines infected files and moves them to a location where the files do not infect other files on the computer. If a quarantined file cannot be repaired, the client eventually removes it. You can also take other actions on the file.
  Managing quarantined files on your computer

The following table displays additional scan settings that you can modify if you want to increase protection, improve
performance, or reduce false positives.

Table 7: Scan settings

Modify Auto-Protect settings to improve your computer performance or increase protection
  For Auto-Protect, you might want to change the following options:
  • File cache
    Make sure that the file cache is enabled (the default is enabled). When the file cache is enabled, Auto-Protect remembers the clean files that it scanned and does not rescan them.
  • Network settings
    When Auto-Protect on remote computers is enabled, make sure that Only when files are executed is enabled.
  • You can also specify that Auto-Protect trusts files on remote computers and uses a network cache.
    By default, Auto-Protect scans files as they are written from your computer to a remote computer. Auto-Protect also scans files when they are written from a remote computer to your computer.
    A network cache stores a record of the files that Auto-Protect scanned from a remote computer. If you use a network cache, you prevent Auto-Protect from scanning the same file more than one time.
  Customizing virus and spyware scan settings
Manage Download Insight detections
  Download Insight inspects the files that you try to download through web browsers and text messaging clients and other portals. Download Insight uses information from Symantec Insight, which collects information about file reputation. Download Insight uses a file's reputation rating to allow or block a file or prompt the user to take action on the file.
  Managing Download Insight detections on your computer
Manage behavioral analysis (SONAR)
  You can adjust the settings for behavioral analysis.
  Managing behavioral analysis (SONAR)

Scanning your client computer immediately
You can manually scan for viruses and security risks at any time. You should scan your computer immediately if you
recently installed the client, or if you think you have recently received a virus or security risk.
Select anything to scan from a single file to a USB drive to your entire computer. On-demand scans include the Active
Scan and Full Scan. You can also create a custom scan to run on demand.
You can scan your computer immediately in one of the following ways:
• To scan your Windows computer immediately from the Scan for Threats page
• To scan your Windows computer immediately from the Status page
• To scan your computer immediately from Windows
To scan your Windows computer immediately from the Scan for Threats page:
1. In the client, in the sidebar, click Scan for threats.
   – Click Run Active Scan to scan the most commonly infected areas.
   – Click Run Full Scan to scan the entire computer.
   – Click Run Host Integrity Scan to check for compliance with security policies.
     NOTE
     Run Host Integrity Scan appears only if the client has a Host Integrity policy enabled.
   – In the scan list, right-click any scan, and then click Scan Now.
   The scan starts immediately.
   You can view the scan progress unless your administrator disables the option. To view scan progress, click the message link that appears for the current scan: scan in progress.
   For more information on the options on each dialog box, click Help.
   You can also pause or cancel the scan.
To scan your Windows computer immediately from the Status page:
1. In the client, on the Status page next to Virus and Spyware Protection, click Options > Run Active Scan.
To scan your computer immediately from Windows:
1. In the My Computer window or the Windows Explorer window, right-click a file, folder, or drive, and then click Scan For
Viruses.
This feature is supported on both 32-bit and 64-bit operating systems.

About scan results
Pausing and delaying scans
Scheduling a scan to run on demand or when the computer starts up
Updating the client content using LiveUpdate

Pausing and delaying scans
The pause feature lets you stop a scan at any point during the scan and resume it at another time. You can pause any
scan that you initiate.
Your administrator determines whether you can pause an administrator-initiated scan. If the Pause Scan option is not
available, your administrator disabled the pause feature. If your administrator has enabled the Snooze feature, you can
delay an administrator-scheduled scan for a set interval of time.
When a scan resumes, it starts from where the scan stopped.
NOTE
If you pause a scan while the client scans a compressed file, the client might take several minutes to respond to
the pause request.
Managing scans on your computer
To pause a scan you initiated:
1. When the scan runs, in the scan dialog box, click Pause Scan.
The scan stops where it is and the scan dialog box remains open until you start the scan again.
2. In the scan dialog box, click Resume Scan to continue the scan.
To pause or delay an administrator-initiated scan:
1. When an administrator-initiated scan runs, in the scan dialog box, click Pause Scan.
2. In the Scheduled Scan Pause dialog box, do one of the following actions:
• To pause the scan temporarily, click Pause.
• To delay the scan, click Snooze 1 hour or Snooze 3 hours.
Your administrator specifies the period of time that you are allowed to delay the scan. When the pause reaches the
limit, the scan restarts from where it began. Your administrator specifies the number of times that you can delay the
scheduled scan before this feature is disabled.
• To continue the scan without pausing, click Continue.

Scheduling a user-defined scan on the client
A scheduled scan on the client is an important component of threat and security risk protection. You should schedule a
scan to run at least one time each week to ensure that your computer remains free of viruses and security risks. When
you create a new scan, the scan appears in the scan list in the Scan for threats pane.
NOTE
If your administrator has created a scheduled scan for you, it appears in the scan list in the Scan for threats
pane.
Your computer must be turned on and Symantec Endpoint Protection Services must be loaded when the scan is
scheduled to take place. By default, Symantec Endpoint Protection Services are loaded when you start your computer.
For managed clients, the administrator may override these settings.
Scanning your client computer immediately
Managing scans on your computer
Consider the following important points when you set up a scheduled scan:

User-defined scans do not require the user to be logged in: If the user who defined a scan is not logged in, the client runs the scan anyway. You can specify that the client does not run the scan if the user is logged off.

Multiple simultaneous scans run serially: If you schedule multiple scans to occur on the same computer and the scans start at the same time, the scans run serially. After one scan finishes, another scan starts. For example, you might schedule three separate scans on your computer to occur at 1:00 P.M. Each scan scans a different drive. One scan scans drive C. Another scan scans drive D. Another scan scans drive E. In this example, a better solution is to create one scheduled scan that scans drives C, D, and E.

Missed scheduled scans might not run: If your computer misses a scheduled scan for some reason, by default the client tries to perform the scan until it starts or until a specific time interval expires. If the client cannot start the missed scan within the retry interval, it does not run the scan.

Scheduled scan time might drift: The client might not use the scheduled time if the last run of the scan occurred at a different time because of the scan duration or missed scheduled scan settings. For example, you might configure a weekly scan to run every Sunday at midnight and a retry interval of one day. If the computer misses the scan and starts up on Monday at 6am, the scan runs at 6am. The next scan is performed one week from Monday at 6am rather than the next Sunday at midnight.
If you did not restart your computer until Tuesday at 6am, which is two days late and exceeds the retry interval, the client does not retry the scan. It waits until the next Sunday at midnight to try to run the scan.
In either case, if you randomize the scan start time you might change the last run time of the scan.
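The missed-scan retry and drift rules above, as an added Python model (not Symantec's code): it assumes a weekly schedule, counts lateness in calendar days (an assumption that reproduces the guide's Monday/Tuesday example), and uses constructed power-on intervals as sample data.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WEEK = timedelta(days=7)


def ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (helper for the constructed sample data)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def days_late(scheduled: datetime, available: datetime) -> int:
    """Lateness in calendar days (assumption: the retry interval is compared in whole days)."""
    return (available.date() - scheduled.date()).days


def resolve_scan(scheduled: datetime, retry_days: int,
                 available: Optional[datetime]) -> Tuple[Optional[datetime], datetime]:
    """Decide when one scheduled scan runs and when the next one is due.

    available: earliest moment at or after `scheduled` when the computer is on
    (None if it never comes back on). Returns (actual run time or None, next scheduled time).
    """
    if available is not None and available <= scheduled:
        # Computer was on at the scheduled time: runs on time, cadence unchanged.
        return scheduled, scheduled + WEEK
    if available is not None and days_late(scheduled, available) <= retry_days:
        # Missed, but within the retry interval: run at start-up. The schedule
        # drifts, because the next scan is one week from this late run.
        return available, available + WEEK
    # Retry interval exceeded: skip this run and wait for the next scheduled time.
    return None, scheduled + WEEK


def next_power_on(uptime: List[Tuple[datetime, datetime]],
                  when: datetime) -> Optional[datetime]:
    """Earliest time >= `when` at which the computer is on, given (start, end) intervals."""
    for start, end in sorted(uptime):
        if start <= when < end:
            return when
        if start > when:
            return start
    return None


def simulate(first_scheduled: datetime, retry_days: int,
             uptime: List[Tuple[datetime, datetime]],
             weeks: int) -> List[Optional[datetime]]:
    """Walk `weeks` scheduled runs and report when each actually ran (None = skipped)."""
    runs: List[Optional[datetime]] = []
    scheduled = first_scheduled
    for _ in range(weeks):
        ran_at, scheduled = resolve_scan(scheduled, retry_days,
                                         next_power_on(uptime, scheduled))
        runs.append(ran_at)
    return runs


# Constructed sample: weekly scan due Sunday 2022-11-06 at midnight, retry interval 1 day.
SAMPLE_UPTIME = [
    (ts("2022-11-07 06:00"), ts("2022-11-07 18:00")),  # back on Monday 6am: 1 day late, runs
    (ts("2022-11-14 06:00"), ts("2022-11-14 18:00")),  # on at the drifted time (Monday 6am)
    (ts("2022-11-23 06:00"), ts("2022-11-23 18:00")),  # back on Wednesday: 2 days late, skipped
]


def example_runs() -> List[Optional[datetime]]:
    return simulate(ts("2022-11-06 00:00"), 1, SAMPLE_UPTIME, 3)


if __name__ == "__main__":
    for run in example_runs():
        print(run.isoformat() if run else "skipped")
```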

You can also create an on-demand or startup scan.


Scheduling a scan to run on demand or when the computer starts up

To schedule a user-defined scan:
1. In the client, in the sidebar, click Scan for threats.
2. Click Create a New Scan.
3. In the Create New Scan - What To Scan dialog box, select one of the following types of scans to schedule:

Active Scan: Scans the areas of the computer that viruses and security risks most commonly infect. You should run an active scan every day.
Full Scan: Scans the entire computer for viruses and security risks. You might want to run a full scan once a week or once a month. Full scans might affect your computer performance.
Custom Scan: Scans the selected areas of the computer for viruses and security risks.

4. Click Next.
5. If you selected Custom Scan, check the appropriate check boxes to specify where to scan, and then click Next.
The symbols have the following descriptions:

The file, drive, or folder is not selected. If the item is a drive or folder, the folders and files in it are also not selected.

The individual file or folder is selected.

The individual folder or drive is selected. All items within the folder or drive are also selected.

The individual folder or drive is not selected, but one or more items within the folder or drive are selected.

6. In the Create New Scan - Scan Options dialog box, you can modify any of the following options:

File Types: Change which file extensions the client scans. The default setting is to scan all files.
Actions: Change first and second actions to take when viruses and security risks are found.
Notifications: Construct a message to display when a virus or security risk is found. You can also configure whether or not you want to be notified before remediation actions occur.
Advanced: Change additional scan features, such as displaying the scan results dialog box.
Scan Enhancements: Change which computer components the client scans. The options that are available depend on what you selected in step 3.

7. Click Next.
8. In the Create New Scan - When To Scan dialog box, click At specified times, and then click Next.
9. In the Create New Scan - Schedule dialog box, under Scan Schedule, specify the frequency and when to scan, and
then click Next.
10. Under Scan Duration, you can specify a length of time during which the scan must complete. You can also randomize
the scan start time.
11. Under Missed Scheduled Scans, you can specify an interval during which a scan can be retried.
12. In the Create New Scan - Scan Name dialog box, type a name and description for the scan.
For example, call the scan: Friday morning

13. Click Finish.

Scheduling a scan to run on demand or when the computer starts up


You can supplement a scheduled scan with an automatic scan whenever you start your computer or log on. Often, a
startup scan is restricted to critical, high-risk folders, such as the Windows folder and folders that store Microsoft Word
and Excel templates.
If you regularly scan the same set of files or folders, you can create an on-demand scan that is restricted to those items.
At any time, you can quickly verify that the specified files and folders are free from viruses and security risks. You must
run on-demand scans manually.
If you create more than one startup scan, the scans run sequentially in the order in which they were created. Your
administrator may have configured the client so that you cannot create a startup scan.
Scanning your client computer immediately
To schedule a scan to run on demand or when the computer starts up:
1. In the client, in the sidebar, click Scan for threats.
2. Click Create a New Scan.
3. Specify what to scan and any scan options for the scheduled scan.
Scheduling a user-defined scan on the client
4. In the Create New Scan - When to Run dialog box, do one of the following actions:
• Click At startup.
• Click On demand.
5. Click Next.
6. In the Create New Scan - Scan Name dialog box, type a name and description for the scan.
For example, call the scan: MyScan1
7. Click Finish.

Managing Download Insight detections on your computer


Auto-Protect includes Download Insight, which examines the files that you try to download through web browsers, text
messaging clients, and other portals. Auto-Protect must be enabled for Download Insight to function.
Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Windows Live Messenger, and
Yahoo Messenger.
NOTE
In the Risk log, the risk details for a Download Insight detection show only the first portal application that
attempted the download. For example, you might use Internet Explorer to try to download a file that Download
Insight detects. If you then use Firefox to try to download the file, the Downloaded by field in the risk details
shows Internet Explorer as the portal.
NOTE
Auto-Protect can also scan the files that users receive as email attachments.

Table 8: Managing Download Insight detections on your computer

Learn how Download Insight uses reputation data to make decisions about files: Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight uses reputation information exclusively when it makes decisions about downloaded files. It does not use signatures or heuristics to make decisions. If Download Insight allows a file, Auto-Protect or behavioral analysis (SONAR) then scans the file when the user opens or runs the file.
How Symantec Endpoint Protection uses Symantec Insight to make decisions about files

Make sure that Insight lookups are enabled: Download Insight requires reputation data to make decisions about files. If you disable Insight lookups, Download Insight runs but cannot make detections. Insight lookups are enabled by default.
Understanding submissions to Symantec that improve protection on your computer

Respond to Download Insight detections: You might see notifications when Download Insight makes a detection. For managed clients, your administrator might choose to disable Download Insight detection notifications. When notifications are enabled, you see messages when Download Insight detects a malicious file or an unproven file. For unproven files, you must choose whether or not to allow the file.
Responding to Download Insight messages that ask you to allow or block a file that you try to download

Create exceptions for specific files or web domains: You can create an exception for an application that you download. You can also create an exception for a specific web domain that you believe is trustworthy.
By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. Trusted sites are configured on the Windows Control Panel > Trusted Internet Sites > Security tab. When the Automatically trust any file downloaded from an intranet site option is enabled, the client allows any file that a user downloads from one of the trusted sites. Download Insight only recognizes those trusted sites that you or your administrator have explicitly configured.
Excluding items from scans

Customize Download Insight settings: You might want to customize Download Insight settings for the following reasons:
• Increase or decrease the number of Download Insight detections.
You can adjust the malicious file sensitivity slider to increase or decrease the number of detections. At lower sensitivity levels, Download Insight detects fewer files as malicious and more files as unproven. Fewer of these detections are false positives.
At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More of these detections are false positives.
• Change the action for malicious or unproven file detections.
You can change how Download Insight handles malicious or unproven files. You might want to change the action for unproven files so that you do not receive notifications for those detections.
• Get alerts about Download Insight detections.
When Download Insight detects a file that it considers malicious, it displays a message on the client computer if the action is set to Quarantine. You can undo the quarantine action.
When Download Insight detects a file that it considers unproven, it displays a message on the client computer. The message only appears if you set the action for unproven files to Prompt or Quarantine. When the action is set to Prompt, you can allow or block the file. When the action is Quarantine, you can undo the quarantine action.
You can turn off user notifications so that you do not have a choice when Download Insight detects a file that it considers unproven. If you keep notifications enabled, you can set the action for unproven files to Ignore to always allow these detections and not notify you.
When notifications are enabled, the malicious file sensitivity setting affects the number of notifications that you receive. If you increase the sensitivity, you increase the number of user notifications because the total number of detections increases.
Customizing Download Insight settings

Control what information you submit about reputation detections to Symantec: By default, all managed clients send information about reputation detections to Symantec. Symantec recommends that you keep submissions enabled for reputation detections. The information helps Symantec address threats.
Understanding submissions to Symantec that improve protection on your computer

Customizing Download Insight settings
You might want to customize Download Insight settings to decrease false positive detections on client computers. You can
change how sensitive Download Insight is to the file reputation data that it uses to characterize malicious files. You can
also change the notification that Download Insight displays on client computers when it makes a detection.
NOTE
Auto-Protect must be enabled in order for Download Insight to function. If Auto-Protect is disabled, Download
Insight does not function even if Download Insight is enabled.
To customize Download Insight settings:
1. In the client, in the sidebar, click Change Settings.
2. Next to Virus and Spyware Protection, click Configure Settings.
3. On the Download Insight tab, make sure that Enable Download Insight to detect potential risks in downloaded
files based on file reputation is checked.
If Auto-Protect is disabled, Download Insight cannot function even if it is enabled.
4. Move the slider to change the malicious file sensitivity.
NOTE
With only basic Virus and Spyware Protection installed, the malicious file sensitivity is automatically set to
level 1, and you cannot change the setting.
If you set the level higher, Download Insight detects more files as malicious and fewer files as unproven. Higher
settings, however, return more false positives.
5. Check or uncheck the following options to use as additional criteria for examining unproven files:
• Files with: x or fewer users, where x is by default 5. You can select another value from the drop-down list.
• Files known by users for: x or fewer days, where x is by default 2. You can enter any value.
When unproven files meet these criteria, Download Insight detects the files as malicious.
6. Make sure that Automatically trust any file downloaded from an intranet website is checked.
7. Click Actions.
8. Under Malicious Files, specify a first action and a second action.
9. Under Unproven Files, specify the action.
10. Click OK.
11. Click Notifications, and specify whether or not to display a notification when Download Insight makes a detection.
You can customize the text of the warning message that appears.
12. Click OK.

Customizing virus and spyware scan settings


By default, the client gives your computer the protection against viruses and security risks that you need. If you have an
unmanaged client, you may want to configure some of the scan settings.
You can customize a user-defined scan, global scan settings, and Auto-Protect.

• To customize a user-defined scan
• To change global scan settings
• To customize Auto-Protect
To customize a user-defined scan:
1. In the client, in the sidebar, click Scan for threats.
2. In the Scan for threats page, right-click a scan and click Edit.
3. On the Scan Options tab, do any of the following tasks:
– To specify fewer file types to scan, click Selected extensions, and then click Extensions.
NOTE
User-defined scans always scan container files unless you disable the compressed file option on
the scheduled scan under Advanced Scanning Options, or you create exceptions for the container
extensions.
– To specify a first action and a second action that the client takes on an infected file, click Actions.
– To specify notification options, click Notifications.
– To configure advanced options for compressed files, backups, and tuning, click Advanced.
You can change the tuning options to improve your client computer performance.
For more information on the options on each dialog box, click Help.
4. Click OK.
To change global scan settings:
1. In the client, in the sidebar, click Change settings, and then next to Virus and Spyware Protection, click Configure
Settings.
2. On the Global Settings tab, under Scan Options, change settings for Insight or Bloodhound heuristic virus detection.
3. To view or create scan exceptions, click View List. Click Close after you view or create exceptions.
4. Under Log Retention or Internet Browser Protection, make any changes that you want.
5. Click OK.
To customize Auto-Protect:
1. In the client, in the sidebar, click Change settings.
2. Next to Virus and Spyware Protection, click Configure Settings.
3. On any Auto-Protect tab, do the following tasks:
• To specify fewer file types to scan, click Selected, and then click Extensions.
• To specify a first action and a second action that the client takes on an infected file, click Actions.
• To specify notification options, click Notifications.
For more information on the options on each dialog box, click Help.
4. On the Auto-Protect tab, click Advanced.
You can change options for the file cache as well as options for Risk Tracer and backups. You might want to change
these options to improve your computer performance.

5. Click Network to change settings for trusting files on remote computers and setting a network cache.
6. Click OK.

Configuring actions for malware and security risk detections


You can configure the actions that you want the client to take when it detects malware or a security risk. You can
configure a first action and a second action to take if the first action fails.
NOTE
If an administrator manages your computer and these options display a lock icon, you cannot change these
options because your administrator has locked them.
You configure actions for any type of scan in the same way. Each scan has its own configuration for actions. You can
configure different actions for different scans.
NOTE
You configure actions for Download Insight and behavioral analysis (SONAR) separately.
Customizing virus and spyware scan settings
Customizing Download Insight settings
Preventing false positive detections for behavioral analysis (SONAR)
To configure actions for malware and security risk detections:
1. In the client, in the sidebar, click Change settings.
2. Next to Virus and Spyware Protection, click Configure Settings, and then on any Auto-Protect tab, click Actions.
3. Click Actions.
4. In the Scan Actions dialog box, select the category Malware or Security Risks.
You can also select a subcategory. By default, each subcategory is automatically configured to use the actions that are
set for the entire category.
The categories change dynamically over time as Symantec gets new information about risks.
5. To configure actions for a subcategory only, do one of the following actions:
• Check Override actions configured for Malware, and then set the actions for that subcategory only.
NOTE
There might be a single subcategory under a category, depending on how Symantec currently classifies
risks. For example, under Malware, there might be a single subcategory called Viruses.
• Check Override actions configured for Security Risks, and then set the actions for that subcategory only.

6. For a category or a subcategory, select a first and second action from the following options:

Clean risk: Removes the virus from the infected file. This setting is the default first action for the Malware category.
Note: This setting is only available as a first action for the Malware category. This action does not apply to security risks.
This setting should always be the first action for viruses. If the client successfully cleans a virus from a file, you do not need to take any other action. Your computer is free of the detected virus and is no longer susceptible to the spread of that virus into other areas of your computer.
In some instances, however, the cleaned file might not be usable. The virus might have caused too much damage. Some infected files cannot be cleaned.
Note: The client does not clean the malware that is detected in Windows 8 style apps and files. The client deletes the detection instead.

Quarantine risk: Moves the infected file from its original location to the Quarantine. Infected files within the Quarantine cannot spread viruses.
• For malware, this action moves the infected file from its original location to the Quarantine. This setting is the default second action for malware.
• For security risks, this action moves the infected files from their original location to the Quarantine and tries to remove or repair any side effects. This setting is the default first action for security risks.
Quarantine contains a record of all the actions that were performed. You can return the computer to the state that existed before the client removed the risk.
Note: The client does not quarantine the malware that is detected in Windows 8 style apps and files. The client deletes the detection instead.

Delete risk: Deletes the infected file from your computer's hard drive. If the client cannot delete a file, information about the action that was taken appears in the Notification dialog box. The information also appears in the event log.
This setting is the default second action for security risks.
Use this action only if you can replace the file with a backup copy that is free of viruses or security risks. When the client deletes a risk, it deletes the risk permanently. The infected file cannot be recovered from the recycle bin.
Note: Use this action with caution when you configure actions for security risks. In some cases, deleting security risks can cause applications to lose functionality.

Leave alone (log only): Leaves the file as is and places an entry in the risk history to keep a record of it. Use this option to take manual control of how the client handles malware or security risks.
Note: Malware may be able to spread to other parts of your computer or to other computers on the network until you take further action.
Do not select this action when you perform large-scale, automated scans, such as scheduled scans. You might want to use this action if you intend to view the scan results and take an additional action later. An additional action might be to move the file to the Quarantine.
Your administrator might send a customized message that explains how to respond.

7. Repeat these steps for each category for which you want to set specific actions, and then click OK.
8. If you selected a security risk category, you can select custom actions for one or more specific instances of that
security risk category. You can exclude a security risk from scanning. For example, you might want to exclude a piece
of adware that you need to use in your work.
9. Click OK.

About excluding items from scans


Exceptions are files and other items that you want to exclude from scans. If you have scanned your computer and know
that certain files are safe, you can exclude them. In some cases, exceptions can reduce scan time and increase system
performance. Typically you do not need to create exceptions.
For managed clients, your administrator may have created exceptions for your scans. If you create an exception
that conflicts with an administrator-defined exception, the administrator-defined exception takes precedence. Your
administrator can also prevent you from configuring any or all types of exceptions.

Table 9: Exception types

File: Applies to scheduled scans and manual scans, Auto-Protect, behavioral analysis (SONAR), and application control. Scans ignore the file that you select.
Folder: Applies to scheduled scans and manual scans, Auto-Protect, behavioral analysis, and application control. Scans ignore the folder that you select.
Known risks: Applies to scheduled scans and manual scans, Auto-Protect, and behavioral analysis. Scans ignore any known risk that you select.
Extensions: Applies to scheduled scans and manual scans and Auto-Protect. Scans ignore any files with the specified extensions.
Web domain: Applies to Download Insight. Download Insight ignores the specified trusted web domain.
Application: Applies to scheduled scans and manual scans, Auto-Protect, behavioral analysis, and Download Insight. Scans ignore, log, quarantine, or terminate the application that you specify here.
DNS or host file change: Applies to behavioral analysis (SONAR). Scans ignore, log, or block an application or prompt the user when a specific application tries to change DNS settings or change a host file.

NOTE
If your email application stores all email in a single file, you should create a file exception to exclude the
Inbox file from scans. By default, scans quarantine viruses. If a scan detects a virus in the Inbox file, the scan
quarantines the entire Inbox. If the scan quarantines the Inbox, you cannot access your email.
Excluding items from scans

Excluding items from scans


You can exclude from scanning the applications and files that you know are safe. You can also exclude some items to
improve the computer's performance.
For managed clients, your administrator may have created exceptions for your scans. If you create an exception that
conflicts with an administrator-defined exception, the administrator-defined exception takes precedence.
You can exclude items from security risk scans, exclude folders from behavioral analysis (SONAR) scans, and exclude an
application from all scans.
NOTE
On the Server Core installation of Windows Server 2008, the appearance of the dialog boxes might differ from
the ones that are described in these procedures.
To exclude items from security risk scans:
1. In the client, in the sidebar, click Change Settings.

2. Next to Exceptions, click Configure Settings.
3. In the Exceptions dialog box, under User-defined Exceptions, click Add > Security Risk Exceptions.
4. Select one of the following exception types:
– Known Risks
– File
– Folder
– Extensions
– Web Domain
5. Do one of the following actions:
– For known risks, check the security risks that you want to exclude from scans.
To log an event when the security risk is detected and ignored, check Log when the security risk is detected.
– For files or folders, select the file or folder that you want to exclude, or enter a file or folder name.
Select the scan type (All scans, Auto-Protect, or Scheduled and on-demand) and then click OK.
If you run an application that writes many temp files to a folder, you might want to exclude the folder from Auto-
Protect. Auto-Protect scans files as they are written so you can increase computer performance by limiting the
exception to scheduled and on-demand scans.
You might want to exclude the folders that are not often used or that contain archived or packed files from
scheduled and on-demand scans. For example, scheduled or on-demand scans of deeply archived files that are not
often used might decrease computer performance. Auto-Protect still protects the folder by scanning only when any
files are accessed or written to the folder.
– For extensions, type the extension that you want to exclude.
You can only include one extension name in the text box. If you type multiple extensions, the client treats the entry
as a single extension name.
– For domains, enter a domain name or IP address that you want to exclude from Download Insight and SONAR
detection. You can specify a URL, but the exception uses only the domain name portion of a URL. If you specify a
URL, you can prefix the URL with either HTTP or HTTPS (case-insensitive), but the exception applies to both.
The exception allows you to download files from any location in the domain.
For Download Insight, wildcards are allowed, but non-routable IP address ranges are not supported. For example,
Download Insight cannot recognize 10.*.*.* as a trusted site. Download Insight also does not support the sites that
the Internet Options > Security > Automatically detect intranet network option discovers.
6. Click OK.
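The web domain exception rules in step 5, as an added Python model (not Symantec's code): the scheme is ignored, only the domain part of a URL is kept, wildcards are allowed, and wildcard ranges over non-routable addresses such as 10.*.*.* are rejected; reading "non-routable" as the RFC 1918 private ranges, and matching a download URL against the stored list with shell-style globbing, are both assumptions.

```python
import ipaddress
import re
from fnmatch import fnmatchcase
from typing import List, Optional

# Assumption: "non-routable IP address ranges" means the RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_exception(entry: str) -> str:
    """Reduce 'HTTPS://Files.Example.com:443/downloads/' to 'files.example.com'."""
    text = re.sub(r"^https?://", "", entry.strip(), flags=re.IGNORECASE)  # HTTP or HTTPS, any case
    host = re.split(r"[/?#]", text, maxsplit=1)[0]  # keep only the domain portion of a URL
    host = host.split(":", 1)[0]                     # drop a port (assumption: IPv4 and hostnames only)
    return host.lower()


def is_unsupported_private_range(pattern: str) -> bool:
    """True for wildcard IP patterns (10.*.*.*, 192.168.1.*) that fall inside a private range."""
    if "*" not in pattern or not re.fullmatch(r"[0-9.*]+", pattern):
        return False
    try:
        probe = ipaddress.ip_address(pattern.replace("*", "0"))  # lowest address of the range
    except ValueError:
        return False
    return any(probe in net for net in PRIVATE_NETS)


def exception_error(entry: str) -> Optional[str]:
    """Explain why an entry cannot be used as a Download Insight domain exception, or None."""
    host = normalize_exception(entry)
    if not host:
        return "entry contains no domain name"
    if is_unsupported_private_range(host):
        return f"{host}: non-routable IP address ranges are not supported"
    return None


def add_exception(exceptions: List[str], entry: str) -> str:
    """Validate, normalize and store an exception; returns the stored form."""
    error = exception_error(entry)
    if error:
        raise ValueError(error)
    host = normalize_exception(entry)
    if host not in exceptions:
        exceptions.append(host)
    return host


def matches_exception(exceptions: List[str], download_url: str) -> Optional[str]:
    """Return the exception that covers this download, or None.

    The download's scheme is irrelevant: an exception applies to HTTP and HTTPS alike.
    Wildcards in the stored exception are matched with fnmatch (assumption).
    """
    host = normalize_exception(download_url)
    for pattern in exceptions:
        if fnmatchcase(host, pattern):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample entries, including one the client would reject.
    allowed: List[str] = []
    for typed in ("HTTPS://Files.Example.com/downloads/", "*.updates.example.net", "10.*.*.*"):
        try:
            print("stored:", add_exception(allowed, typed))
        except ValueError as err:
            print("rejected:", err)
    print(matches_exception(allowed, "http://cdn.updates.example.net/pkg.msi"))
```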
To exclude a folder from behavioral analysis (SONAR):
1. In the client, in the sidebar, click Change Settings.
2. Next to Exceptions, click Configure Settings.
3. In the Exceptions dialog box, under User-defined Exceptions, click Add > SONAR Exception > Folder.
4. Select the folder that you want to exclude, check or uncheck Include Subfolders, and then click OK.
5. Click Close.
To exclude an application that makes a DNS or a host file change:
1. In the client, in the sidebar, click Change Settings.
2. Next to Exceptions, click Configure Settings.
3. In the Exceptions dialog box, under User-defined Exceptions, click DNS or Host File Change Exception >
Application.
4. Select the application that you want to exclude, and then click OK.

To change how all scans handle an application:
1. In the client, in the sidebar, click Change Settings.
2. Next to Exceptions, click Configure Settings.
3. In the Exceptions dialog box, under User-defined Exceptions, click Add > Application Exception.
4. Select the filename of the application.
5. In the Action drop-down box, select Ignore, Log Only, Quarantine, Terminate, or Remove.
6. Click OK.
7. Click Close.

Managing quarantined files on your computer


About quarantined files
By default, the client tries to clean a virus from an infected file when it is detected. If the file cannot be cleaned, the scan places the
file in the quarantine on your computer. When the client moves an infected file to the quarantine, it encrypts the file. Since
the file is encrypted, you do not have access to the quarantined file. A file in the quarantine cannot infect other files on
your computer or other computers in the network. However, the quarantine action does not clean the risk. The risk stays
on your computer until the client cleans the risk or deletes the file.
After your computer is updated with new virus definitions, the client automatically rescans the quarantine. The latest
definitions might clean or repair the previously quarantined files.
• Most viruses can be quarantined. Boot viruses reside in the boot sector or partition tables of a computer; these items
cannot be moved to the quarantine. Sometimes the client detects an unknown virus that cannot be eliminated with the
current set of virus definitions.
• For security risks, scans move infected files to the quarantine and repair any side effects of the security risk.
• Download Insight and behavioral analysis (SONAR) can also quarantine files.
How scans respond to a virus or risk detection
Managing files in the quarantine
Because the quarantine handles the infected files on your computer, you can leave the files in the quarantine. However,
there are some actions that you may want to perform on a file in the quarantine. For example, if a file was quarantined in
error, you can restore the file from the quarantine. Or, if you need to conserve space on your computer, you can reduce
the time before the quarantine automatically deletes its contents.
To manage files in the quarantine:
1. In the client, in the sidebar, click View Quarantine.
2. In the View Quarantine window, select the file in the list of quarantined items.
3. Click one of the options and follow any on-screen instructions.
View Quarantine

Managing scans on your computer

Enabling Auto-Protect
You should keep Auto-Protect enabled for files and processes, Internet email, and email groupware applications. When
any type of Auto-Protect is disabled, the virus and spyware status appears red on the Status page.
On a managed client, your administrator might lock Auto-Protect so that you cannot disable it. Also, your administrator
might specify that you can disable Auto-Protect temporarily, but that Auto-Protect turns on automatically after a specified
amount of time.
NOTE
If you disable Auto-Protect, you also disable Download Insight even if Download Insight is enabled. In 14.3
or earlier, behavioral analysis (SONAR) also cannot detect heuristic threats; however, behavioral analysis
continues to detect host file and system changes.
WARNING
Symantec recommends that if you need to troubleshoot Auto-Protect on the client computer, you only disable it
temporarily.
To enable Auto-Protect for the file system:
1. In the client, on the Status page, next to Virus and Spyware Protection, do one of the following actions:
– Click Options > Enable Virus and Spyware Protection.
– Click Options > Disable all Virus and Spyware Protection features.
To enable Auto-Protect for email:
1. In the client, in the sidebar, click Change Settings.
2. Next to Virus and Spyware Protection, click Configure Settings.
3. Do one of the following actions:
• On the Outlook Auto-Protect tab, check Enable Microsoft Outlook Auto-Protect.
Microsoft Outlook Auto-Protect is automatically installed on the computers that run Outlook.
• For versions earlier than 14.2 RU1, on the Internet Email Auto-Protect tab, check Enable Internet Email Auto-Protect.
Internet Email Auto-Protect is not supported on server operating systems.
• For versions earlier than 14.2 RU1, on the Notes Auto-Protect tab, check Enable Lotus Notes Auto-Protect.
4. Click OK.

About the types of Auto-Protect
How to determine whether the client computer is protected using the Status page icons

Understanding submissions to Symantec that improve protection on your computer
By default, the client periodically sends pseudonymous detection, network, and configuration information to Symantec.
Symantec uses this information to protect your client computers from new, targeted, and mutating threats. Any data you
submit improves Symantec's ability to respond to threats. Symantec recommends that you submit as much information as
possible.
Symantec makes every attempt to pseudonymize any information the client sends.

The pseudonymous information the client sends to Symantec benefits you by:
• Increasing the security of your network
• Optimizing product performance
In some cases, however, you might want to prevent the client from submitting some information. You can disable
submission of network information only rather than disabling all types of client submissions.
NOTE
Symantec recommends that you always keep client submissions enabled. Disabling submissions might
interfere with faster resolution of false positive detections on the applications that are used exclusively in your
organization. Without information about the malware in your organization, product response and Symantec
response to threats might take longer.
The data that Symantec telemetry collects may include pseudonymous elements that are not directly identifiable.
Symantec neither needs nor seeks to use telemetry data to identify any individual user.
To modify submissions to Symantec
1. Select Change Settings > Client Management.
2. On the Submissions tab, check Send pseudonymous data to Symantec to receive enhanced threat protection intelligence. This option lets the client submit information about the threats that are found on your computer as well as information about your network and configuration.
Symantec recommends that you keep this option enabled.
3. Select More options if you want to choose the types of information to submit.
4. Click OK.

You can also manually submit a file to Symantec from the Quarantine.
Managing quarantined files on your computer
For more information about privacy, see the following document:
Privacy statement

About the client and the Windows Security Center
If you use Windows Security Center (WSC) on Windows XP with Service Pack 2 or Service Pack 3, you can see status in
WSC.
The following table shows the protection status reporting in WSC.

Table 10: WSC protection status reporting

Symantec product condition: Protection status
Symantec Endpoint Protection is not installed: NOT FOUND (red)
Symantec Endpoint Protection is installed with full protection: ON (green)
Symantec Endpoint Protection is installed, and virus and security risk definitions are out of date: OUT OF DATE (red)
Symantec Endpoint Protection is installed and Auto-Protect for the file system is not enabled: OFF (red)
Symantec Endpoint Protection is installed, Auto-Protect for the file system is not enabled, and virus and security risk definitions are out of date: OFF (red)
Symantec Endpoint Protection is installed and the client service (ccSvcHst) is turned off manually: OFF (red)

The following table shows the firewall status reporting in WSC.

Table 11: WSC firewall status reporting

Symantec product condition: Firewall status
Symantec firewall is not installed: NOT FOUND (red)
Symantec firewall is installed and enabled: ON (green)
Symantec firewall is installed but not enabled: OFF (red)
Symantec firewall is not installed or enabled, but a third-party firewall is installed and enabled: ON (green)

NOTE
When Symantec Endpoint Protection is installed, the Windows Firewall is disabled by default.
If there is more than one firewall enabled, WSC reports that multiple firewalls are installed and enabled.
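The two tables above describe what WSC shows in its own user interface. The following PowerShell script is an added example, not code from the Symantec guide: it reads the same antivirus and firewall registrations from WSC and maps them onto the labels in Tables 10 and 11, so that an administrator can collect the status from a script instead of the WSC window. It assumes the root/SecurityCenter2 WMI namespace (Windows Vista and later; the Windows XP versions mentioned above use root/SecurityCenter with different columns) and the commonly documented byte layout of the productState value; neither comes from this guide. The vendor match on "Symantec" and the ccSvcHst process check are also assumptions made for the example.

```powershell
# Added example (not from the Symantec guide): read the protection and firewall
# status that Windows Security Center reports and map it onto the labels in
# Tables 10 and 11. Assumptions: the root/SecurityCenter2 namespace and the
# commonly documented productState byte layout below.

function ConvertFrom-WscProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    # productState is a 24-bit value read as three hex bytes:
    # byte 1 = product category, byte 2 = 0x10/0x11 when real-time protection
    # is on, byte 3 = 0x00 when definitions are current and 0x10 when stale.
    $hex = $ProductState.ToString('X6')
    [pscustomobject]@{
        RawState = '0x' + $hex
        Enabled  = ($hex.Substring(2, 2) -in '10', '11')
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

function Get-WscProtectionLabel {
    # Table 10 precedence: no product -> NOT FOUND; disabled -> OFF even when
    # definitions are also stale; otherwise OUT OF DATE or ON.
    param($Decoded)
    if ($null -eq $Decoded)     { return 'NOT FOUND (red)' }
    if (-not $Decoded.Enabled)  { return 'OFF (red)' }
    if (-not $Decoded.UpToDate) { return 'OUT OF DATE (red)' }
    return 'ON (green)'
}

function Get-WscStatusReport {
    param([string]$VendorPattern = 'Symantec')   # assumed display-name match
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $fw = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct  -ErrorAction SilentlyContinue

    $sepAv = $av | Where-Object displayName -match $VendorPattern | Select-Object -First 1
    $avDecoded = if ($sepAv) { ConvertFrom-WscProductState $sepAv.productState } else { $null }

    # Table 11: any enabled firewall, Symantec or third-party, counts as ON, and
    # WSC flags the case where more than one firewall is enabled.
    $enabledFw = @($fw | Where-Object { (ConvertFrom-WscProductState $_.productState).Enabled })
    $fwLabel = if (@($fw).Count -eq 0)       { 'NOT FOUND (red)' }
               elseif ($enabledFw.Count -eq 0) { 'OFF (red)' }
               else                            { 'ON (green)' }

    # Last row of Table 10: the client process (ccSvcHst) stopped by hand.
    $clientProcess = Get-Process -Name ccSvcHst -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AntiVirusProduct  = $sepAv.displayName
        ProtectionStatus  = Get-WscProtectionLabel $avDecoded
        FirewallProducts  = ($enabledFw.displayName -join ', ')
        FirewallStatus    = $fwLabel
        MultipleFirewalls = ($enabledFw.Count -gt 1)
        ccSvcHstRunning   = [bool]$clientProcess
    }
}

# Decoder check on constructed values before touching WSC:
# 0x041000 = on and current, 0x041010 = on but stale, 0x040010 = off and stale.
foreach ($state in 0x041000, 0x041010, 0x040010) {
    $d = ConvertFrom-WscProductState $state
    '{0} -> {1}' -f $d.RawState, (Get-WscProtectionLabel $d)
}
Get-WscStatusReport | Format-List
```

Run it in an elevated PowerShell session on the client; WSC only registers products that have reported to it, so an uninstalled client shows no AntiVirusProduct row at all, which is what the NOT FOUND branch covers.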

Managing behavioral analysis (SONAR)
In 14.3 RU5, SONAR was renamed to behavioral analysis.
Behavioral analysis is the real-time protection that detects potentially malicious behavior when applications run on
your computers. Behavioral analysis uses heuristics as well as reputation data to detect emerging and unknown
threats. Behavioral analysis provides "zero-day" protection because it detects malicious behavior before traditional virus
and spyware detection definitions have been created to address the threats.
You manage behavioral analysis as part of Proactive Threat Protection. On managed clients, your administrator might lock
some of the settings.
Behavioral analysis is enabled by default as long as Proactive Threat Protection is enabled.
See: Enabling protection on the client computer

Table 12: Managing behavioral analysis

Step 1: Make sure that Insight lookups are enabled (14.3 RU4 and earlier)
Behavioral analysis uses reputation data in addition to heuristics to make detections. If you disable Insight lookups (reputation queries), behavioral analysis makes detections by using heuristics only. The rate of false positives might increase, and the protection that behavioral analysis provides is limited.
Customizing Download Insight settings

Step 2: Prevent false positive detections
You can also change the detection action for some types of threats that behavioral analysis detects. You might want to change the detection action to reduce false positive detections.
Preventing false positive detections for behavioral analysis (SONAR)

Step 3: Create exceptions for applications that you know are safe
Behavioral analysis might detect the files or the applications that you want to run on your computer as potentially malicious when they are not. Also, in some cases, an application might become unstable or cannot run when behavioral analysis injects code into the application to examine it.
You can add SONAR exceptions for the files, folders, or applications from:
• The System Change Detection tab.
• SONAR Exceptions on the Exceptions > Change Settings page.
• The Quarantine.
Excluding items from scans

Step 4: Submit information about behavioral analysis detections to Symantec Security Response (optional)
Symantec recommends that you send information about detections to Symantec Security Response. The information helps Symantec address threats. Submissions are enabled by default.
Understanding submissions to Symantec that improve protection on your computer

Preventing false positive detections for behavioral analysis (SONAR)
To reduce the rate of false positive detections, you can change the actions for detections to log only temporarily while you
monitor the detections.
NOTE
On managed clients, your administrator might lock these settings.
To prevent false positive detections for behavioral analysis
1. In the client, in the sidebar, click Change Settings.
2. Next to Proactive Threat Protection, click Configure Settings.
3. On the Behavioral Analysis tab or System Change Detection tab, change the actions for high risk or low risk
detections to Log Only for a short period of time.
4. Click OK.

Managing behavioral analysis (SONAR)

Checking your computer's security compliance with a Host Integrity scan
A Host Integrity scan verifies that your computer meets certain security requirements before it connects to the network.
For example, the Host Integrity check may verify whether the operating system has the latest security patch. If your
computer does not meet a security requirement, the client may remediate your computer to make sure that it passes
the Host Integrity check. To remediate, the check automatically downloads and installs the necessary software. Your
administrator may send a message to have you remediate your computer.
The Host Integrity check runs when you start your computer and continues until the network connection ends. You can
also run a Host Integrity check manually.
Your administrator may have also configured the Host Integrity check to pass even if a specific requirement fails. You can
view the results of the Host Integrity checks in the client's Security log.

To check your computer's security compliance with a Host Integrity scan:
1. In the client, in the sidebar, click Scan for Threats.
2. In the Scan for threats dialog box, click Run Host Integrity Scan.
3. Click OK.
If a compliance failure prevents access to the network, you should regain access when you update your computer to
meet compliance requirements.
The scan results appear in the Security log.
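A Host Integrity policy is a list of requirements that the client evaluates, some of which the administrator may mark as non-blocking. The following PowerShell script is an added example, not Symantec's Host Integrity engine and not code from this guide: it runs a constructed requirement list of the kind the text describes (a patch check, an OS build check, a running client service) and applies the same rule, that the check passes as long as no required item fails. The KB number, the minimum build, and the service name SepMasterService are assumptions made for the example.

```powershell
# Added example (not from the Symantec guide): a local compliance check in the
# spirit of a Host Integrity requirement list. The KB number, minimum build and
# service name below are constructed values, not ones taken from this guide.

$Requirements = @(
    @{ Name = 'Windows build is 19045 or later'; Required = $true
       Test = { [int](Get-CimInstance Win32_OperatingSystem).BuildNumber -ge 19045 } }
    @{ Name = 'Security update KB5034763 is installed'; Required = $true
       Test = { param($hotfixes) $hotfixes -contains 'KB5034763' } }
    @{ Name = 'Endpoint protection service (SepMasterService) is running'; Required = $true
       Test = { (Get-Service -Name SepMasterService -ErrorAction SilentlyContinue).Status -eq 'Running' } }
    @{ Name = 'Optional: Windows Update service is not disabled'; Required = $false
       Test = { (Get-Service -Name wuauserv).StartType -ne 'Disabled' } }
)

function Invoke-HostIntegrityCheck {
    param([array]$Requirements)
    # Collect installed hotfix IDs once (Get-HotFix returns e.g. 'KB5034763').
    $hotfixes = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)

    $results = foreach ($req in $Requirements) {
        $passed = $false
        # A requirement whose test throws is treated as failed, never as passed.
        try { $passed = [bool](& $req.Test $hotfixes) } catch { }
        [pscustomobject]@{ Requirement = $req.Name; Required = $req.Required; Passed = $passed }
    }

    # The guide's rule: the check can pass even if a specific (optional)
    # requirement fails, so only failed required items block access.
    $blocking = @($results | Where-Object { -not $_.Passed -and $_.Required })
    [pscustomobject]@{
        Results        = $results
        Compliant      = ($blocking.Count -eq 0)
        FailedRequired = $blocking.Requirement
    }
}

$report = Invoke-HostIntegrityCheck -Requirements $Requirements
$report.Results | Format-Table -AutoSize
if ($report.Compliant) { 'Host Integrity check passed' }
else { 'Host Integrity check failed: ' + ($report.FailedRequired -join '; ') }
```

The real check also remediates (downloads and installs what is missing); this example stops at reporting, which is the part that is useful for verifying a policy's requirement list before it is enforced on the network.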

Remediating your computer to pass the Host Integrity check
If the client does not meet a Host Integrity policy requirement, it responds in one of the following ways:
• The client downloads the software update automatically.
• The client prompts you to download the required software update.
To remediate your computer:
In the dialog box that appears, do one of the following actions:
• To see which security requirements your computer failed, click Details.
• To immediately install the software, click Restore Now.
You may or may not have the option to cancel the installation after it has started.
• To postpone the software install, click Remind me later in and select a time interval in the drop-down list.
The administrator can configure the maximum number of times you can postpone the installation.

Enabling Tamper Protection
Tamper Protection provides real-time protection for Symantec applications that run on servers and clients. It prevents
threats and security risks from tampering with Symantec resources. You can enable or disable Tamper Protection.
You can also configure the action that Tamper Protection takes when it detects a tampering attempt on the Symantec
resources on your computer.
By default, Tamper Protection is set to Block and do not log.
NOTE
On a managed client, your administrator might lock the Tamper Protection settings.
To enable Tamper Protection:
1. In the client, in the sidebar, click Change settings.
2. Next to Client Management, click Configure Settings.
3. On the Tamper Protection tab, make sure that Protect Symantec security software from being tampered with or
shut down is checked.
4. In the Action to take if an application attempts to tamper with or shut down Symantec security software list
box, click Log only, Block and do not log or Block and log.
5. Click OK.

How virus and spyware scans work
Virus and spyware scans identify and neutralize or eliminate viruses and security risks on your computers. A scan
eliminates a virus or risk by using the following process:
• The scan engine searches within files and other components on the computer for viruses, Trojans, worms, and other
threats like security risks. Each threat has a recognizable pattern that is called a signature. The client uses a definition
file that contains a collection of known signature information. The scan engine compares each file or component to the
definitions file. If the scan engine finds a match, the file is infected or is malicious.
• The scan engine uses the definitions files to determine what kind of threat it is. The scan engine then takes action to
remediate. The scan engine may clean, delete, or quarantine the item that it detects as a threat. The scan engine may
also repair any side effects that result from the threat. The action it takes depends on the type of threat it detects.
How scans respond to a virus or risk detection
• On standard or embedded/VDI clients that are connected to the cloud, scans access the full set of definitions in the
cloud.
How Windows clients receive definitions from the cloud
NOTE
Symantec Endpoint Protection does not quarantine or clean any risk that is detected in Windows 8 style apps. It deletes the risk instead.
The following table describes the components that the client scans on your computer.

Table 13: Computer components that the client scans

Selected files
The client scans individual files, based on the type of scan you select, or the type of scan that an administrator schedules. You can also scan an individual file or folder from Windows. For most types of scans, you select the files that you want scanned.

Computer memory
The client scans the computer's memory. Any file virus, boot sector virus, or macro virus may be memory-resident. Viruses that are memory-resident have copied themselves into a computer's memory. In memory, a virus can hide until a trigger event occurs. Then the virus can spread to the hard drive. If a virus is in memory, the scan cannot clean it. However, you can remove a virus from memory by restarting your computer when prompted.

Boot sector
The client checks the computer's boot sector for boot viruses. Two items are checked: the partition tables and the master boot record.

Removable media
A common way for some threats to spread is through removable media, such as a USB drive. The client does not automatically scan removable media when you insert it, but you can scan it by right-clicking it from Windows.

About viruses and security risks
Symantec Endpoint Protection scans for both viruses and security risks. Security risks include spyware, adware, rootkits, and other files that can put a computer or a network at risk.
Viruses and security risks can arrive through email messages or instant messenger programs. You can unknowingly
download a risk by accepting an End User License Agreement from a software program.

Many viruses and security risks are installed as "drive-by downloads." These downloads usually occur when you visit
malicious or infected websites. The application's downloader installs through a legitimate vulnerability on your computer.

The following table lists the type of viruses and risks that can attack a computer.

Table 14: Viruses and security risks

Viruses
Programs or code that attach a copy of themselves to another computer program or file when it runs. When the infected program runs, the attached virus program activates and attaches itself to other programs and files.
The following types of threats are included in the virus category:
• Malicious Internet bots
Programs that run automated tasks over the Internet. Bots can be used to automate attacks on computers or to collect information from websites.
• Worms
Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate in memory to reduce computer performance.
• Trojan horses
Programs that hide themselves in something benign, such as a game or utility.
• Blended threats
Threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage.
• Rootkits
Programs that hide themselves from a computer's operating system.

Adware
Programs that deliver advertising content.

Cookie
Messages that web servers send to web browsers for the purpose of identifying the computer or user.

Dialers
Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site. Typically, these numbers are dialed to accrue charges.

Hacking tools
Programs that hackers use to gain unauthorized access to a user's computer. For example, one hacking tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hacking tools may also be used to create viruses.

Joke programs
Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a joke program might move the recycle bin away from the mouse when the user tries to delete an item.

Misleading applications
Applications that intentionally misrepresent the security status of a computer. These applications typically masquerade as security notifications about fake infections that must be removed.

Parental control programs
Programs that monitor or limit computer usage. The programs can run undetected and typically transmit monitoring information to another computer.

Ransomware
Malware that encrypts or otherwise sabotages documents so that they are unusable and demands payment to restore them; the computer itself typically remains accessible to the user.

Remote access programs
Programs that allow access over the Internet from another computer so that the remote party can gain information or attack or alter a user's computer.

Security assessment tools
Programs that are used to gather information for unauthorized access to a computer.

Spyware
Standalone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer.

Trackware
Standalone or appended applications that trace a user's path on the Internet and send information to the controller or hacker's system.

You can view information about specific risks in the Symantec Security Center.
The Symantec Security Response website provides the latest information about threats and security risks. The website
also contains extensive reference information, such as white papers and detailed information about viruses and security
risks.
How scans respond to a virus or risk detection

About the types of scans
Symantec Endpoint Protection includes different types of scans to provide protection against different types of viruses, threats, and risks.
By default, Symantec Endpoint Protection runs an active scan every day at 12:30 P.M. It also runs an active scan when new definitions arrive on the client computer. On unmanaged computers, it also includes a default startup scan that is disabled.
NOTE
Scans access the complete definitions set in the cloud.
How Windows clients receive definitions from the cloud
On unmanaged clients, you should make sure that you run an active scan every day on your computer. You might want to
schedule a full scan once a week or once a month if you suspect that you have an inactive threat on your computer. Full
scans consume more computer resources and might affect computer performance.

Table 15: Scan types

Auto-Protect
Auto-Protect continuously inspects files and email data as they are written to or read from a computer. Auto-Protect automatically neutralizes or eliminates detected viruses and security risks.
Auto-Protect also protects some email that you might send or receive.
On standard and embedded/VDI clients that are connected to the cloud, Auto-Protect also uses cloud definitions.
About the types of Auto-Protect

Download Insight
Download Insight boosts the security of Auto-Protect by inspecting files when users try to download them from browsers and other portals.
Download Insight uses information from Symantec Insight, which collects information from millions of users to determine the security reputations of files in the community. Download Insight uses a file's reputation rating to allow or block a file or prompt the user to take action on the file.
Download Insight functions as part of Auto-Protect and requires Auto-Protect to be enabled. If you disable Auto-Protect but enable Download Insight, Download Insight cannot function.
How Symantec Endpoint Protection uses Symantec Insight to make decisions about files

Administrator scans and user-defined scans
For managed clients, your administrator might create scheduled scans or run scans on demand. On unmanaged clients, or managed clients for which scan settings are unlocked, you can create and run your own scans.
Administrator or user-defined scans detect viruses and security risks by examining all files and processes on the client computer. These types of scans can also inspect memory and load points.
On standard and embedded/VDI clients that are connected to the cloud, these scans use cloud definitions.
The following types of administrator or user-defined scans are available:
• Scheduled scans
A scheduled scan runs on the client computers at designated times. Any concurrently scheduled scans run sequentially. If a computer is turned off during a scheduled scan, the scan does not run unless it is configured to retry missed scans. You can schedule an active, full, or custom scan.
You can save your scheduled scan settings as a template. You can use any scan that you save as a template as the basis for a different scan. The scan templates can save you time when you configure multiple policies. A scheduled scan template is included by default in the policy. The default scheduled scan scans all files and folders.
• Startup scans and triggered scans
Startup scans run when the users log on to the computers. Triggered scans run when new virus definitions are downloaded to computers.
• On-demand scans
On-demand scans are the scans that you start manually. You can run scans on demand from the Scan for Threats page.
If the client detects a large number of viruses, spyware, or high-risk threats, an aggressive scan mode engages. The scan restarts and uses Insight lookups.
How virus and spyware scans work

Behavioral analysis (SONAR)
Behavioral analysis can stop attacks even before traditional signature-based definitions are available to address the threats. Behavioral analysis uses heuristics as well as file reputation data to detect emerging and unknown threats.

About the types of Auto-Protect
Auto-Protect scans files as well as certain types of email and email attachments.
Auto-Protect works on your supported email client only. It does not protect mail servers.

NOTE
If a virus is detected as you open email, your email may take several seconds to open while Auto-Protect
completes its scan.

Table 16: Types of Auto-Protect

File System Auto-Protect
Continuously scans files as they are read from or written to your computer.
Auto-Protect is enabled by default for the file system. It loads at computer startup. It inspects all files for viruses and security risks, and blocks the security risks from being installed. It can optionally scan files by file extension, scan files on remote computers, and scan floppies for boot viruses. It can optionally back up files before it attempts to repair the files, and terminate processes and stop services.
You can configure Auto-Protect to scan only selected file extensions. When Auto-Protect scans the selected extensions, it can also determine a file's type even if a virus changes the file's extension.
Auto-Protect scans all files, even email attachments. If you do not enable Auto-Protect for email, your client computers are still protected when File System Auto-Protect is enabled. Most email applications save attachments to a temporary folder when users launch email attachments. Auto-Protect scans the file as it writes to the temporary folder and detects any virus or security risk. Auto-Protect also detects the virus if the user tries to save an infected attachment to a local drive or network drive.

Microsoft Outlook Auto-Protect
Downloads incoming Microsoft Outlook email attachments and scans for viruses and security risks when you read the message and open the attachment.
Microsoft Outlook Auto-Protect supports Microsoft Outlook 98 through Outlook 2016, for the MAPI or Internet protocols. Microsoft Outlook Auto-Protect supports 32-bit and 64-bit systems.
During installation, Symantec Endpoint Protection installs Microsoft Outlook Auto-Protect if your administrator included it in the package and Microsoft Outlook is already installed on the computer.
If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature if you regularly receive large attachments.
Note: You should not install Microsoft Outlook Auto-Protect on a Microsoft Exchange Server.

Internet Email Auto-Protect (only available for client versions earlier than 14.2 RU1)
Scans inbound Internet email body and email attachments for viruses and security risks; also performs outbound email heuristics scanning.
By default, Internet Email Auto-Protect supports encrypted passwords and email over POP3 and SMTP connections. Internet Email Auto-Protect supports 32-bit or 64-bit systems. If you use POP3 or SMTP with Secure Sockets Layer (SSL), then the client detects secure connections but does not scan encrypted messages.
Note: For performance reasons, Internet Email Auto-Protect for POP3 is not supported on server operating systems.
Email scanning does not support IMAP, AOL, or HTTP-based email such as Hotmail or Yahoo! Mail.

Lotus Notes Auto-Protect (only available for client versions earlier than 14.2 RU1)
Scans incoming Lotus Notes email attachments for viruses and security risks.
Lotus Notes Auto-Protect supports Lotus Notes 7.x or later.
During installation, Symantec Endpoint Protection installs Lotus Notes Auto-Protect if your administrator included it in the package and Lotus Notes is already installed on the computer.

How scans respond to a virus or risk detection
When viruses and security risks infect files, the client responds to the threat types in different ways. For each threat type,
the client uses a first action, and then applies a second action if the first action fails.

Table 17: How a scan responds to viruses and security risks

Virus
By default, when the client detects a virus, the client takes the following actions:
• The client tries first to clean the virus from the infected file.
• If the client cleans the file, the client completely removes the risk from your computer.
• If the client cannot clean the file, it logs the failure and moves the infected file to the Quarantine.
Managing quarantined files on your computer
Note: Symantec Endpoint Protection does not quarantine a virus that is detected in Windows 8 style apps and files. It deletes the virus instead.

Security risk
By default, when the client detects a security risk, the client takes the following actions:
• The client quarantines the infected file.
• The client tries to remove or repair any changes that the security risk made.
• If the client cannot quarantine a security risk, it logs the risk and leaves it alone.
In some instances, you might intentionally but unknowingly install an application that includes a security risk such as adware or spyware. If such a security risk is detected, the client takes the following action:
• The client quarantines the risk immediately, if this action does not harm the computer or leave it in an unstable state.
• Otherwise, the client waits until the application installation is complete before it quarantines the risk, and then repairs the risk's effects.
Note: Symantec Endpoint Protection does not quarantine a security risk that is detected in Windows 8 style apps and files. It deletes the risk instead.

For each scan type, you can change the settings for how the client handles viruses and security risks. You can set different actions for each category of risk and for individual security risks.
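"How virus and spyware scans work" describes signature matching against a definitions file, and Table 17 describes the first action and the fallback second action per threat type. The following PowerShell script is an added example, not the Symantec scan engine and not code from this guide: a toy scanner that walks a folder, matches each file's bytes against a constructed definitions list, and applies the two-step policy from Table 17 (clean a virus, quarantine if the clean fails; quarantine a security risk, log only if the quarantine fails). The byte patterns, the sample files it creates in a temporary folder, and the rule that a "clean" fails when nothing but the signature was in the file are all constructed for the example.

```powershell
# Added example (not from the Symantec guide): a toy signature scanner that
# mirrors the detection-and-response flow of the guide. The definitions are
# constructed marker strings, not real signatures; the sample files are created
# in a temporary folder by this script.

$Definitions = @(
    [pscustomobject]@{ Name = 'Test.Virus.Marker';  Type = 'Virus';        Pattern = 'CONSTRUCTED-VIRUS-MARKER' }
    [pscustomobject]@{ Name = 'Test.Adware.Marker'; Type = 'SecurityRisk'; Pattern = 'CONSTRUCTED-ADWARE-MARKER' }
)

function Find-Signature {
    # Compare a file's bytes against every definition; the first match wins.
    param([string]$Path)
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    foreach ($def in $Definitions) {
        if ($text.Contains($def.Pattern)) { return $def }
    }
    return $null
}

function Invoke-Remediation {
    # Table 17: clean a virus, quarantine if cleaning fails; quarantine a
    # security risk, leave it and log if the quarantine fails.
    param([string]$Path, $Threat, [string]$QuarantineDir)
    $dest = Join-Path $QuarantineDir (Split-Path -Leaf $Path)
    if ($Threat.Type -eq 'Virus') {
        $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
        $cleaned = $text.Replace($Threat.Pattern, '')
        # Toy clean rule: stripping the viral bytes must leave a host file
        # behind. If nothing remains, the file was wholly malicious, the clean
        # "fails" and the second action (quarantine) applies.
        if ($cleaned.Trim().Length -gt 0) {
            [IO.File]::WriteAllText($Path, $cleaned)
            return 'Cleaned'
        }
        Move-Item -LiteralPath $Path -Destination $dest
        return 'Quarantined (clean failed)'
    }
    try {
        Move-Item -LiteralPath $Path -Destination $dest -ErrorAction Stop
        return 'Quarantined'
    } catch {
        return 'Left alone, logged (quarantine failed)'
    }
}

function Invoke-ToyScan {
    param([string]$Root, [string]$QuarantineDir)
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($file in Get-ChildItem -LiteralPath $Root -File) {
        $threat = Find-Signature $file.FullName
        if ($null -eq $threat) { continue }
        [pscustomobject]@{
            File   = $file.Name
            Threat = $threat.Name
            Type   = $threat.Type
            Action = Invoke-Remediation $file.FullName $threat $QuarantineDir
        }
    }
}

# Constructed sample set: a clean file, a document carrying the virus marker,
# a file that is nothing but the marker, and an adware-marked file.
$root = Join-Path ([IO.Path]::GetTempPath()) 'toyscan'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path (Join-Path $root 'clean.txt')   -Value 'quarterly report'
Set-Content -Path (Join-Path $root 'report.txt')  -Value 'quarterly report CONSTRUCTED-VIRUS-MARKER'
Set-Content -Path (Join-Path $root 'dropper.txt') -Value 'CONSTRUCTED-VIRUS-MARKER'
Set-Content -Path (Join-Path $root 'toolbar.txt') -Value 'free toolbar CONSTRUCTED-ADWARE-MARKER'

Invoke-ToyScan -Root $root -QuarantineDir (Join-Path $root 'quarantine') | Format-Table -AutoSize
```

Expected behaviour on the constructed set: report.txt is cleaned in place, dropper.txt and toolbar.txt are moved to the quarantine folder, and clean.txt is untouched. A real engine additionally repairs side effects (registry entries, services) and consults definition metadata for the action per threat, which this toy omits.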

How Symantec Endpoint Protection uses Symantec Insight to make decisions about files
Symantec collects information about files from its global community of millions of users and its Global Intelligence
Network. The collected information is available to Symantec products in the cloud through Symantec Insight. Symantec
Insight provides a file reputation database and the latest virus and spyware definitions.
Symantec products leverage Insight to protect client computers from new, targeted, and mutating threats. The data is sometimes referred to as being in the cloud since it does not reside on the client computer. Symantec Endpoint Protection must request or query Insight for information. The queries are called reputation lookups, cloud lookups, or Insight lookups.
Insight reputation ratings
Symantec Insight determines each file's level of risk or security rating. The rating is also known as the file's reputation.
Insight determines a file's security rating by examining the following characteristics of a file and its context:
• The source of the file
• How new the file is
• How common the file is in the community
• Other security metrics, such as how the file might be associated with malware
Insight lookups
Scanning features in Symantec Endpoint Protection leverage Insight to make decisions about files and applications. Virus and Spyware Protection includes a feature that is called Download Insight. Download Insight requires reputation information to make detections. Behavioral analysis (SONAR) also uses reputation information to make detections.
To change the Insight lookups setting in Symantec Endpoint Protection Manager
• On the Clients tab, go to Policies > Settings > External Communications > Client Submissions.
To change the Insight lookups setting on the Windows client
• Go to Change Settings > Client Management > Submissions.
On standard and embedded/VDI clients, the Insight lookups option also allows Auto-Protect and scheduled and manual
scans to look up file reputation information as well as definitions in the cloud. Symantec recommends that you keep the
option enabled.
WARNING
Download Insight, behavioral analysis (SONAR), and virus and spyware scans use Insight lookups for threat
detection. Symantec recommends that you always allow Insight lookups. Disabling lookups disables Download
Insight and impairs the functionality of SONAR heuristics (14.3 RU4 and earlier only) and virus and spyware
scans.
File reputation submissions
By default, a client computer sends information about reputation detections to Symantec Security Response for analysis.
The information helps to refine Insight's reputation database and the latest definitions in the cloud. The more clients that
submit information the more useful the reputation database becomes.
Symantec recommends that you keep client submissions for reputation detections enabled.

Managing firewall protection
By default, the client provides an appropriate level of firewall protection that your computer needs. However, your
administrator may have changed some of the default firewall rules and settings.
If your administrator has given you the ability to modify your firewall protection, you can modify the firewall rules or firewall
settings.
The following table describes the firewall tasks you can perform to protect your computer. All of these tasks are optional
and can be performed in any order.

Table 18: Managing firewall protection

Read about how the firewall works
Learn how the firewall protects your computer from network attacks.
How a firewall works

Add and customize firewall rules
You can add new firewall rules or edit existing firewall rules. For example, you might want to block an application that you do not want to run on your computer, such as an adware application.
Managing firewall rules
You can also configure a firewall rule to allow applications to access the network or prevent the applications from accessing the network.
Allowing or blocking applications that are already running on the client

Configure firewall settings
In addition to creating firewall rules, you can also enable and configure firewall settings to further enhance your firewall protection.
Enabling firewall settings

View firewall logs
You can regularly check the firewall protection status on your computer to determine the following:
• The firewall rules that you created work correctly.
• The client blocked any network attacks.
• The client blocked any applications that you expected to run.
You can use the Traffic Log and the Packet Log to check the firewall protection status. By default, the Packet log is disabled on managed clients.
About the logs
Enabling the Packet log

Allow or block applications and certain types of traffic
For extra security, you can block network traffic from accessing your computer in the following situations:
• You can block traffic when your computer's screensaver is on.
• You can block traffic when the firewall does not run.
• You can block all traffic at any time.
Blocking traffic when the screensaver is active or the firewall does not run
• You can configure the client to automatically allow or block, or to ask you whether to allow or block, network access by an application that runs on your computer. You can also configure
Allowing or blocking applications from accessing the network
Allowing or blocking applications that are already running on the client

Enable or disable the firewall
You can disable Network Threat Protection temporarily for troubleshooting purposes. For example, you might need to disable it so that you can open a certain application.
Enabling protection on the client computer

How a firewall works
A firewall prevents any unauthorized users from accessing the computers and networks in your organization that connect
to the Internet.
In addition, a firewall performs the following tasks:
• Monitors the communication between your computers and other computers on the Internet
• Creates a shield that allows or blocks attempts to access the information on your computer
• Warns you of connection attempts from other computers
• Warns you of connection attempts by the applications on your computer that connect to other computers
The firewall reviews the packets of data that travel across the Internet. A packet is a discrete unit of data that is part of
the information flow between two computers. Packets are reassembled at their destination to appear as an unbroken data
stream.
Packets include the following information about the data:
• The originating computer
• The intended recipient or recipients
• How the packet data is processed
• Ports that receive the packets
Ports are the channels that divide the stream of data that comes from the Internet. Applications that run on a computer
listen to the ports. The applications accept the data that is sent to the ports.
Network attacks exploit weaknesses in vulnerable applications. Attackers use these weaknesses to send the packets that
contain malicious programming code to ports. When vulnerable applications listen to the ports, the malicious code lets the
attackers gain access to the computer.

Managing firewall rules on the Windows client


Firewall rules control how the firewall protects computers from malicious incoming traffic and applications. The firewall
checks all incoming packets and outgoing packets against the rules that you enable. It allows or blocks the packets based
on the conditions that you specify in the firewall rule.
NOTE
The client includes default firewall rules to protect your computer. However, you can modify the firewall rules for
additional protection if your administrator permits it, or if your client is unmanaged.
The following table describes what you need to know to manage firewall rules.

Table 19: Managing firewall rules

Task: Learn how firewall rules work and what makes up a firewall rule
Description: Before you modify the firewall rules, you should understand how firewall rules work:
• How to order rules to ensure that the most restrictive rules are evaluated first and the most general rules are evaluated last.
See: About the firewall rule, firewall setting, and intrusion prevention processing order
• That the client uses stateful inspection, which keeps track of the state of the network connections.
See: How the firewall uses stateful inspection
• The firewall components that make up the firewall rule.
See: The elements of a firewall rule on the client

Task: Add a new firewall rule
Description: You can:
• Add your own rules to the rules that the client installs by default.
See: Adding firewall rules on the client
• Customize a rule by changing any of the firewall rule criteria.
• Export and import firewall rules from another firewall policy.
See: Exporting or importing firewall rules on the client
• Copy and paste firewall rules.

The elements of a firewall rule on the client


When a computer attempts to connect to another computer, the firewall compares the connection type with the firewall
rules. You can use triggers such as applications, hosts, and protocols to define the firewall rules. For example, a rule can
identify a protocol in relation to a destination address. When the firewall evaluates the rule, all the triggers must be true for
a positive match to occur. If any trigger is false for the current packet, the firewall does not apply the rule.
As soon as a packet triggers a firewall rule, the firewall evaluates no further firewall rules. If the packet triggers no rule, the
firewall automatically blocks the packet and does not log the event.
A firewall rule describes the conditions in which a network connection may be allowed or blocked. For example, a rule
may allow network traffic between remote port 80 and the IP address 192.58.74.0, between 9 A.M. and 5 P.M. daily.
The following table describes the criteria that you use to define a firewall rule.

Table 20: Firewall rule criteria

Condition: Triggers
Description:
• Applications
When the application is the only trigger that you define in an allow traffic rule, the firewall allows the application to perform any network operation. The application is the significant value, not the network operations that the application performs. For example, suppose you allow Internet Explorer and define no other triggers. Users can access the remote sites that use HTTP, HTTPS, FTP, Gopher, and any other protocol that the Web browser supports. You can define additional triggers to describe the particular network protocols and hosts with which communication is allowed.
• Hosts
The local host is always the local client computer, and the remote host is always a remote computer that is positioned elsewhere on the network. This expression of the host relationship is independent of the direction of traffic. When you define host triggers, you specify the host on the remote side of the described network connection.
• Protocols
A protocol trigger identifies one or more network protocols that are significant in relation to the described traffic. The local host computer always owns the local port, and the remote computer always owns the remote port. This expression of the port relationship is independent of the direction of traffic.
• Network adapters
If you define a network adapter trigger, the rule is relevant only to the traffic that is transmitted or received by using the specified type of adapter. You can specify either any adapter or the one that is currently associated with the client computer.
You can combine the trigger criteria to form more complex rules, such as to identify a particular protocol in relation to a specific destination address. When the firewall evaluates the rule, all the triggers must be true for a positive match to occur. If any one trigger is not true in relation to the current packet, the firewall does not apply the rule.

Condition: Conditions
Description:
• Schedule and screen saver state
The conditional parameters do not describe an aspect of a network connection. Instead, they determine the active state of a rule. The conditional parameters are optional and, if not defined, not significant. You may set up a schedule or identify a screen saver state that dictates when a rule is considered to be active or inactive. The firewall does not evaluate the inactive rules when it receives packets.

Condition: Actions
Description:
• Allow or block, and log or do not log
The action parameters specify what actions the firewall takes when it successfully matches a rule. If the rule is selected in response to a received packet, the firewall performs all actions. The firewall either allows or blocks the packet and logs or does not log the packet. If the firewall allows traffic, the traffic that the rule specifies can access your network. If the firewall blocks traffic, the traffic that the rule specifies cannot access your network.

What is the order that the Symantec Endpoint Protection client processes firewall rules?
The firewall evaluates the rules in the order in which they appear in the rules list, from the top down. This process
continues until the firewall finds a match. After the firewall finds a match, the firewall takes the action that the rule
specifies. Subsequent lower priority rules are not inspected. For example, if a rule that blocks all traffic is listed first,
followed by a rule that allows all traffic, the client blocks all traffic.
You can order rules according to exclusivity. The most restrictive rules are evaluated first, and the most general rules are
evaluated last. For example, you should place the rules that block traffic near the top of the rules list. The rules that are
lower in the list might allow the traffic.

The best practices for creating a rule base include the following order of rules:
1st: Rules that block all traffic.
2nd: Rules that allow all traffic.
3rd: Rules that allow or block specific computers.
4th: Rules that allow or block specific applications, network services, and ports.

Table 21: Processing order (priority, setting)

First: Custom IPS signatures
Second: Intrusion Prevention settings, traffic settings, and stealth settings
Third: Built-in rules
Fourth: Firewall rules
Fifth: Port scan checks
Sixth: IPS signatures that are downloaded through LiveUpdate

Adding firewall rules on the client


When you add or change a firewall rule on the client, you must decide what effect you want the rule to have. For
example, you may want to allow all traffic from a particular source or block the UDP packets from a website.
Firewall rules are automatically enabled when you create them.
NOTE
You can add or change firewall rules on unmanaged clients, or if the administrator grants client control to
managed clients.
To add a firewall rule:
1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > Configure Firewall Rules.
3. In the Configure Firewall Rules dialog box, click Add to open a blank rule.
NOTE
For managed clients, this action launches the rule creation wizard. The following steps describe configuring a
blank rule.

4. On the General tab of the blank rule, type a name for the rule, and then click either Block this traffic or Allow this
traffic.
5. To define the triggers for the rule, click on each tab and configure it as needed:
• General
• Hosts
• Ports and Protocols
• Applications
• Scheduling
For example, you may want to select to which network adapters this rule applies, to which hosts this rule applies, the
time period during which the rule is active or inactive, or to log the packet traffic.
NOTE
Use caution when you write to the Packet log, because a potentially large amount of data is logged.
The elements of a firewall rule on the client
6. Click OK.
New rules are enabled automatically. A rule must be enabled for the firewall to process it.
7. To change the order of the rules click the up or down arrow.
8. Click OK.

Importing or exporting firewall rules on the client


You can share the rules with another client so that you do not have to recreate them. You can export the rules from
another computer and import them into your computer. When you import rules, they are added to the bottom of the firewall
rules list. Imported rules do not overwrite existing rules, even if an imported rule is identical to an existing rule.
The exported rules and imported rules are saved in a .sar file.
To export firewall rules on the client
1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > Configure Firewall Rules.
3. In the Configure Firewall Rules dialog box, select the rules you want to export.
4. Right-click the rules, and then click Export Selected Rules.
5. In the Export dialog box, type a file name, and then click Save.
6. Click OK.

To import firewall rules on the client


1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > Configure Firewall Rules.
3. In the Configure Firewall Rules dialog box, right-click the firewall rules list, and then click Import Rule.
4. In the Import dialog box, locate the file in .sar format that contains the rules you want to import.
5. Click Open.
6. Click OK.

Enabling firewall settings
You can enable the client's firewall settings to protect your computer against certain types of network attacks. Some of the
settings replace the firewall rules that you would otherwise need to add.
NOTE
Your administrator may not have made some of these settings available for you to configure.
The following table describes the types of firewall settings that you can configure to further customize your firewall
protection.

Table 22: Firewall settings

Category: Built-in rules for essential network services
Description: The client provides the built-in rules that allow for the normal exchange of certain essential network services. Built-in rules eliminate the need to create the firewall rules that explicitly allow those services. During processing, these built-in rules are evaluated before firewall rules, so that the packets that match an active occurrence of a built-in rule are allowed. You can define built-in rules for DHCP, DNS, and WINS services.

Category: Traffic and stealth web browsing
Description: You can enable various traffic settings and stealth web browsing settings to protect against certain types of network attacks on the client. You can enable traffic settings to detect and block the traffic that communicates through drivers, NetBIOS, and token rings. You can configure settings to detect the traffic that uses more invisible attacks. You can also control the behavior for the IP traffic that does not match any firewall rules.

Category: Network file and printer sharing
Description: You can enable the client to either share its files or to browse for shared files and printers on your local network. To prevent network-based attacks, you can disable network file and printer sharing.
See: Enabling network file and printer sharing with the client installed

Category: Attack detection and blocking
Description: When the client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client then automatically blocks all communication to and from the IP address of the attacking computer for a period of time. The IP address of the attacking computer is blocked for a single location.

Category: Inbound traffic control
Description: You can configure the client to block inbound traffic and outbound traffic in the following situations:
• When your computer's screensaver is activated.
• When the firewall does not run.
• When you want to block all inbound traffic and outbound traffic at any time.
See: Blocking traffic when the screensaver is active or the firewall does not run

To enable firewall settings:


1. In the client, click Change Settings.
2. Beside Network and Host Exploit Mitigation, click Configure Settings.
3. On the Firewall tab, check the settings that you want to enable.
Click Help for more information on the settings.
4. Click OK.

Enabling network file and printer sharing with the client installed
You can enable the client to either share its files or to browse for shared files and printers on your local network. To
prevent network-based attacks, you can disable network file and printer sharing.

Table 23: Ways to enable network file and print sharing

Task: Automatically enable the network file and printer sharing settings on the Microsoft Windows Networking tab.
Description: If a firewall rule blocks this traffic, the firewall rule takes priority over the settings.
See: To automatically enable network file and printer sharing and browsing

Task: Manually enable network file and printer sharing by adding firewall rules.
Description: You can add the firewall rules if you want more flexibility than what the settings provide. For example, when you create a rule, you can specify a particular host rather than all hosts. The firewall rules allow access to the ports to browse and share files and printers. You can create one set of firewall rules so that the client can share its files. You create a second set of firewall rules so that the client can browse for other files and printers.
See: To manually enable network file and printer sharing and browsing
See: To manually enable other computers to browse files on the client computer

To automatically enable network file and printer sharing and browsing:


1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > Change Settings.
3. On the Microsoft Windows Networking tab, click either one of the following settings:
– To browse other computers and printers in the network, click Browse files and printers on the network.
– To enable other computers to browse files on your computer, click Share my files and printers with others on the
network.
4. Click OK.
To manually enable network file and printer sharing and browsing:
1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > Change Settings > Configure Firewall Rules.
NOTE
You can only see this setting if your administrator made this setting available or if you are running an
unmanaged client.
3. In the Configure Firewall Rules dialog box, click Add.
4. On the General tab, type a name for the rule and click Allow this traffic.
5. On the Ports and Protocols tab, in the Protocol drop-down list, click TCP.
6. In the Remote ports drop-down list, type the following:
88, 135, 139, 445
7. Click OK.
8. In the Configure Firewall Rules dialog box, click Add.
9. On the General tab, type a name for the rule and click Allow this traffic.
10. On the Ports and Protocols tab, in the Protocol drop-down list, click UDP.
11. In the Remote ports drop-down list, type the following:
88
12. In the Local ports drop-down list, type the following:
137, 138
13. Click OK.

To manually enable other computers to browse files on the client computer:
1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Configure Settings.
3. In the Configure Firewall Rules dialog box, click Add.
4. On the General tab, type a name for the rule and click Allow this traffic.
5. On the Ports and Protocols tab, in the Protocol drop-down list, click TCP.
6. In the Local ports drop-down list, type the following:
88, 135, 139, 445
7. Click OK.
8. In the Configure Firewall Rules dialog box, click Add.
9. On the General tab, type a name for the rule and click Allow this traffic.
10. On the Ports and Protocols tab, in the Protocol drop-down list, click UDP.
11. In the Local ports drop-down list, type the following:
88, 137, 138
12. Click OK.

Allowing or blocking applications from accessing the network


You can configure the client to allow or block an application, or to ask you first whether to allow or block the application.
This action creates a firewall rule that specifies whether a running application on your computer may access the network.
These rules are called application-based firewall rules. For example, you can block Internet Explorer from accessing any
websites from your computer.

Table 24: Actions that the firewall takes when applications access the client or network

Action: Allow
Description: Allows the inbound traffic to access the client computer and the outbound traffic to access the network. If the client receives traffic, the icon displays a small blue dot in the lower left-hand corner. If the client sends traffic, the icon displays the dot in the lower right-hand corner.

Action: Block
Description: Blocks the inbound traffic and the outbound traffic from accessing the network or an Internet connection.

Action: Ask
Description: Asks you whether you want the application to access the network the next time you attempt to run the application.

Action: Terminate
Description: Stops the process.

To allow or block applications from accessing the network:


1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > View Network Activity.
3. In the Network Activity dialog box, right-click the running application or service, and then select the action that you
want the client to take on that application.
If you click Allow, Block, or Ask, you create a firewall rule for that application only.

Allowing or blocking applications that are already running on the client
4. Click Close.

Allowing or blocking applications that are already running on the client


You can configure the conditions for when and how applications that already run on the client computer are allowed or
blocked. For example, you can specify that a video game application can access the network only during specific hours.
Application-based firewall rules are also called application settings.
Allowing or blocking applications from accessing the network
NOTE
If there is a conflict between a firewall rule and an application-based firewall rule, the firewall rule takes
precedence. For example, a firewall rule that blocks all traffic between 1:00 A.M. and 8:00 A.M. overrides an
application-based rule that allows iexplore.exe to run at all times.
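The rule processing described in the firewall rule sections above (every trigger must match, schedule conditions decide whether a rule is active, the first match wins, and an unmatched packet is blocked without logging), together with the precedence of a firewall rule over an application-based rule from this note, modelled as an added Python example that is not Symantec's code. The field names, the order in which application-based rules are consulted, and the sample rules and packets are assumptions constructed for illustration.

```python
# Added example (not Symantec code): a model of the firewall rule processing this page describes.
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Packet:
    app: str            # local process that owns the socket, e.g. "iexplore.exe"
    protocol: str       # "TCP" or "UDP"
    remote_ip: str
    remote_port: int
    local_port: int
    at: time            # local clock time when the packet is seen


@dataclass(frozen=True)
class Rule:
    """One ordered firewall rule: triggers, conditions and actions (Table 20)."""
    name: str
    action: str                                 # "allow" or "block"
    log: bool = False                           # second action: log the packet
    apps: Optional[frozenset] = None            # trigger: None means any application
    remote_hosts: Optional[frozenset] = None    # trigger: None means any remote host
    protocol: Optional[str] = None              # trigger: None means any protocol
    remote_ports: Optional[frozenset] = None    # trigger: ports the remote computer owns
    local_ports: Optional[frozenset] = None     # trigger: ports the local computer owns
    active_from: Optional[time] = None          # condition: schedule window start
    active_to: Optional[time] = None            # condition: schedule window end

    def is_active(self, at: time) -> bool:
        """Conditions decide whether the rule is evaluated at all."""
        if self.active_from is None:
            return True
        return self.active_from <= at < self.active_to

    def matches(self, pkt: Packet) -> bool:
        """Every defined trigger must be true; an undefined trigger matches anything."""
        return all((
            self.apps is None or pkt.app in self.apps,
            self.remote_hosts is None or pkt.remote_ip in self.remote_hosts,
            self.protocol is None or pkt.protocol == self.protocol,
            self.remote_ports is None or pkt.remote_port in self.remote_ports,
            self.local_ports is None or pkt.local_port in self.local_ports,
        ))


@dataclass(frozen=True)
class Verdict:
    action: str             # "allow", "block" or "ask"
    rule: Optional[str]     # matching rule name, or None for the implicit block
    logged: bool


def evaluate(rules, app_rules, pkt: Packet) -> Verdict:
    """First active matching rule wins; no match at all is a silent block.

    app_rules maps a process name to "allow", "block" or "ask". Because a firewall
    rule takes precedence over an application-based rule, this model (an assumption)
    consults application rules only after no ordered firewall rule has matched.
    """
    for rule in rules:                          # ordered list, top to bottom
        if rule.is_active(pkt.at) and rule.matches(pkt):
            return Verdict(rule.action, rule.name, rule.log)
    if pkt.app in app_rules:
        return Verdict(app_rules[pkt.app], "app:" + pkt.app, False)
    return Verdict("block", None, False)        # default: block and do not log


# Constructed sample rule base, most restrictive rules first as the page recommends.
SAMPLE_RULES = [
    Rule("Block all traffic 1-8 AM", "block", log=True,
         active_from=time(1, 0), active_to=time(8, 0)),
    Rule("Block Telnet", "block", log=True, protocol="TCP",
         remote_ports=frozenset({23})),
    Rule("Allow file sharing to server", "allow", protocol="TCP",
         remote_hosts=frozenset({"192.0.2.10"}),
         remote_ports=frozenset({88, 135, 139, 445})),
    Rule("Allow web browser", "allow", apps=frozenset({"iexplore.exe"}),
         protocol="TCP", remote_ports=frozenset({80, 443})),
]
SAMPLE_APP_RULES = {"iexplore.exe": "allow", "game.exe": "ask"}


def demo() -> dict:
    """Run constructed packets through the sample rule base; return name -> Verdict."""
    packets = {
        "browser_day":   Packet("iexplore.exe", "TCP", "198.51.100.5", 443, 50000, time(10, 0)),
        "browser_night": Packet("iexplore.exe", "TCP", "198.51.100.5", 443, 50000, time(3, 0)),
        "smb_to_server": Packet("System", "TCP", "192.0.2.10", 445, 50001, time(10, 0)),
        "telnet":        Packet("putty.exe", "TCP", "192.0.2.20", 23, 50002, time(10, 0)),
        "game":          Packet("game.exe", "UDP", "203.0.113.7", 27015, 50003, time(10, 0)),
        "unknown":       Packet("svc.exe", "UDP", "203.0.113.9", 5353, 50004, time(10, 0)),
    }
    return {name: evaluate(SAMPLE_RULES, SAMPLE_APP_RULES, p) for name, p in packets.items()}
```

The "browser_night" packet shows the note's case: the application rule allows iexplore.exe, but the schedule-bound block rule matches first and wins.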
To allow or block applications that are already running on the client:
1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > View Application Settings.
3. In the View Application Settings dialog box, you can change the action by right-clicking the application and clicking
Allow, Ask, or Block.
4. To change other options about the application-based rule, click Configure.
5. In the Configure Application Settings dialog box, configure the restrictions or exceptions for this application.
If the action is set to Allow in step 3, any settings that you configure are restrictions to the rule. If you clicked Block,
the settings that you configure are exceptions to the rule.
For more information about these settings, click Help.
6. Click OK to accept the configuration changes.
7. To remove the rule that you put on the application, click the application name, and then click Remove. When you
remove the restrictions, the action that the client takes on the application is also erased. When the application or the
service tries to connect to the network again, you may be asked again whether to allow or block the application.
To remove all application-based firewall rules, click Remove All.

8. Click OK to close the View Application Settings dialog box.

Blocking traffic when the screensaver is active or the firewall does not run
You can configure your computer to block inbound traffic and outbound traffic in the following situations:

Situation: When your computer's screensaver is activated
Description: You can configure your computer to block all the inbound and the outbound network neighborhood traffic when your computer's screensaver is activated. As soon as the screensaver turns off, your computer returns to the previously assigned security level.
See: To block traffic when the screensaver is activated

Situation: When the firewall does not run
Description: The computer is unprotected after the computer starts and before the firewall service starts, or after the firewall service stops and before the computer turns off. This time frame is a security hole that can allow unauthorized communication.
See: To block traffic when the firewall does not run

Situation: When you want to block all inbound traffic and outbound traffic at any time
Description: You may want to block all traffic when a particularly destructive virus attacks your company's network or subnet. You would not block all traffic under normal circumstances.
Note: Your administrator may have configured this option to be unavailable. You cannot block all traffic on an unmanaged client.
See: To block all traffic at any time

You can allow all traffic by disabling Network Threat Protection.
See: Enabling protection on the client computer
To block traffic when the screensaver is activated:
1. In the client, in the sidebar, click Change Settings.
2. Beside Network and Host Exploit Mitigation, click Configure Settings.
3. On the Microsoft Windows Networking tab, click Block Microsoft Windows Networking traffic while the screen
saver runs.
4. Click OK.
To block traffic when the firewall does not run:
1. In the client, in the sidebar, click Change Settings.
2. Beside Network and Host Exploit Mitigation, click Configure Settings.
3. On the Firewall tab under Traffic Settings, click Block all traffic until the firewall starts and after the firewall
stops.
If you disable Allow initial DHCP and NetBIOS traffic, the initial traffic that enables network connectivity is blocked.
4. Click OK.
To block all traffic at any time:
1. In the client, in the sidebar, click Status.
2. Beside Network and Host Exploit Mitigation, click Options > View Network Activity.
3. Click Tools > Block All Traffic.
4. To confirm, click Yes.
5. To return to the previous firewall settings that the client uses, uncheck Tools > Block All Traffic.

Enabling firewall settings

How intrusion prevention works
Intrusion prevention automatically detects and blocks network attacks. On Windows computers, intrusion prevention also
detects and blocks browser attacks on supported browsers. Intrusion prevention is the second layer of defense after the
firewall to protect client computers. Intrusion prevention is sometimes called the intrusion prevention system (IPS).
Intrusion prevention intercepts data at the network layer. It uses signatures to scan packets or streams of packets. It
scans each packet individually by looking for the patterns that correspond to network attacks or browser attacks. Intrusion
prevention detects attacks on operating system components and the application layer.
The following IPS capabilities are also enabled by default:

Table 25: IPS functionality

Type: Network intrusion prevention
Description: Network intrusion prevention uses signatures to identify attacks on client computers. For known attacks, intrusion prevention automatically discards the packets that match the signatures.

Type: Browser intrusion prevention (Windows only)
Description: Browser intrusion prevention monitors attacks on browsers, including Internet Explorer, Firefox, and Chrome. Firefox might disable the Symantec Endpoint Protection plug-in, but you can turn it back on. Intrusion prevention uses attack signatures as well as heuristics to identify attacks on browsers. For some browser attacks, intrusion prevention requires that the client terminate the browser. A notification appears on the client computer. For the latest information about the browsers that browser intrusion prevention protects, see: Supported browser versions for browser intrusion prevention

Type: URL reputation
Description: URL reputation detections identify threats from domains and URLs, which can host malicious content such as malware, fraud, phishing, and spam. URL reputation blocks access to the web addresses that are identified as known sources of the malicious content. The information from visited URLs is sent to Broadcom to retrieve a reputation rating.

See: Configuring intrusion prevention

Configuring intrusion prevention on the Windows client


By default, intrusion prevention runs on your computer. Intrusion prevention intercepts data at the network layer. It uses
signatures to scan packets or streams of packets. It scans each packet individually by looking for the patterns that
correspond to network attacks or browser attacks. Intrusion prevention is the second layer of defense after the firewall to
protect client computers. Intrusion prevention is sometimes called the intrusion prevention system (IPS).
NOTE
Intrusion prevention and the firewall are part of Network Threat Protection. Network Threat Protection and
Memory Exploit Mitigation are part of Network and Host Exploit Mitigation.
To manage intrusion prevention:
1. Make sure that the latest IPS signatures are downloaded.
By default, the latest signatures are downloaded to the client. However you might want to download the signatures
manually immediately.
Updating the client content using LiveUpdate

2. Keep intrusion prevention enabled.
You should keep intrusion prevention enabled at all times. The client logs intrusion attempts and events in the Security log.
The client might also log intrusion events in the Packet log if your administrator configured it to do so.
Viewing the logs
Enabling the Packet log
3. If you think the detection is a false positive, notify your administrator.
Do not assume that unexpected events are false positives.
Best Practice for Responding to Suspected IPS False Positives in Symantec Endpoint Protection
NOTE
Your administrator may have configured these options to be unavailable.
Enabling intrusion prevention
Intrusion prevention includes two types:
• Network intrusion prevention
Network intrusion prevention uses signatures to identify attacks on client computers. For known attacks, intrusion
prevention automatically discards the packets that match the signatures.
• Browser intrusion prevention
Browser intrusion prevention monitors attacks on Internet Explorer and Firefox. Browser intrusion prevention is not
supported on any other browsers. For the latest information about the browsers that browser intrusion prevention
protects, see: Supported browser versions for browser intrusion prevention.
You can also enable or disable notifications when the client detects a network attack.
To enable intrusion prevention:
1. In the client, in the sidebar, click Change Settings.
2. Beside Network and Host Exploit Mitigation, click Configure Settings.
3. On the Intrusion Prevention tab, make sure that the following options are checked:
• Enable Network Intrusion Prevention
• Enable Browser Intrusion Prevention
You can also configure browser intrusion prevention to only log detections, but not block them. You should only
use this configuration on a temporary basis as it decreases your computer's protection. For example, you would
configure log-only mode while you troubleshoot blocked traffic. After you review the Security log to identify and
exclude the signatures that block traffic, you disable log-only mode.
4. (Optional) To enable intrusion prevention notifications, on the Notifications tab, make sure that Display Intrusion
Prevention and Memory Exploit Mitigation notifications is checked.
5. Click OK.

Preventing attacks on vulnerable applications


Memory Exploit Mitigation (MEM) stops attacks on the commonly used applications that run on your Windows computer.
When the client detects an exploit attempt, it displays one or both of the following messages.
• Symantec Endpoint Protection: Attack: Structured Exception Handler Overwrite detected
The client blocks the exploit without terminating the application.
• Symantec Endpoint Protection will terminate your application
The client terminates the application.

If the application keeps terminating, perform the following steps:
1. Notify your administrator.
2. Determine whether a true exploit attacked the application, or the detection was a false positive.
– If an exploit attacked the application, check whether there is a patched version or a newer release of the infected
application that fixes the current vulnerability. After you or your administrator installs the patched application, rerun it
on the client computer to see if Memory Exploit Mitigation still terminates the application.
– If the detection is a false positive, temporarily disable Memory Exploit Mitigation. Notify your administrator or
Symantec Security Response about the false detection. Keep Memory Exploit Mitigation disabled until Symantec
fixes the problem. Then reenable Memory Exploit Mitigation.
To determine whether a detection was a false positive:
1. In the Security log, check that Memory Exploit Mitigation did terminate the application.
For example, you might see the following event: Attack: Blocked Structured Exception Handler Overwrite attack against C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
See: Viewing the logs
2. Disable Memory Exploit Mitigation.
3. Rerun the application.
– If the application runs correctly, the detection was a false positive.
– If the application behavior is abnormal, such as it brings up another application, the detection was a true positive.
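Step 1 of the procedure above asks you to confirm in the Security log that Memory Exploit Mitigation actually intervened against the application before you disable the feature. The following helper is an added example and is not code from the guide or from Symantec: it parses event text of the shape the guide quotes, "Attack: Blocked <technique> attack against <path>", and summarizes, per executable, how many times MEM intervened and with which technique names, which is what you would pass to your administrator or Symantec Security Response. The sample log lines are constructed for this example; apart from the AcroRd32.exe event quoted in the guide, the technique and path values are placeholders.

```javascript
// Added example (not part of the guide): triage helper for Memory Exploit
// Mitigation (MEM) events in an exported Security log.
// Recognised event shape, as quoted in the guide:
//   Attack: Blocked <technique> attack against <executable path>
// Any other line is treated as a non-MEM entry and ignored.

const MEM_EVENT = /^Attack: Blocked (.+?) attack against (.+)$/;

// Returns { technique, path } for a MEM event, or null for any other line.
function parseMemEvent(line) {
  const m = MEM_EVENT.exec(line.trim());
  if (!m) return null;
  return { technique: m[1], path: m[2] };
}

// Groups MEM events by executable path. Windows paths are case-insensitive,
// so the lookup key is lower-cased while the first-seen spelling is kept.
function summarizeMemEvents(lines) {
  const summary = {};
  for (const line of lines) {
    const ev = parseMemEvent(line);
    if (!ev) continue;
    const key = ev.path.toLowerCase();
    if (!summary[key]) summary[key] = { path: ev.path, count: 0, techniques: [] };
    summary[key].count += 1;
    if (!summary[key].techniques.includes(ev.technique)) {
      summary[key].techniques.push(ev.technique);
    }
  }
  return summary;
}

// Returns the MEM record for one executable, or null when the log holds no
// MEM event for it; in that case MEM is not what keeps terminating the app
// and disabling it would only reduce protection.
function memRecordFor(lines, exePath) {
  return summarizeMemEvents(lines)[exePath.toLowerCase()] || null;
}

// Constructed sample log: the first and third lines reuse the event quoted in
// the guide; the others are placeholders that illustrate non-MEM and
// second-application entries.
const SAMPLE_LOG = [
  "Attack: Blocked Structured Exception Handler Overwrite attack against C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe",
  "Port scan detected from 10.0.0.5",
  "Attack: Blocked Structured Exception Handler Overwrite attack against C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe",
  "Attack: Blocked Example Technique attack against C:\\Program Files\\ExampleVendor\\example.exe",
];

console.log(JSON.stringify(summarizeMemEvents(SAMPLE_LOG), null, 2));
```

Feed the helper the lines of an exported Security log; an executable that keeps terminating but has no record in the result was not stopped by MEM, so look elsewhere before disabling the feature.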
On managed clients, your administrator may prevent you from disabling Memory Exploit Mitigation.
To disable and reenable Memory Exploit Mitigation:
1. On the Status page next to Network and Host Exploit Mitigation, click Options.
2. In the drop-down menu, do one of the following tasks:
• Click Disable Memory Exploit Mitigation or Enable Memory Exploit Mitigation.
• Click Change Settings > Memory Exploit Mitigation tab, and check or uncheck Enable Memory Exploit
Mitigation.

Allowing or blocking malicious websites with Web and Cloud Access Protection
Web and Cloud Access Protection (WCAP) protects your computer by categorizing applications and websites, and then allowing or denying access based on a WSS policy. You can enable or disable Web and Cloud Access Protection only if your administrator unlocked this setting or you are running an unmanaged client. You may need to disable the feature if you are unable to access a webpage due to a misconfigured WSS policy. Otherwise, keep WCAP enabled.
You cannot configure Web and Cloud Access Protection; you can only enable or disable it.
1. In the client, next to Web and Cloud Access Protection, click Options > Change Settings.
2. Check or uncheck Enable Web and Cloud Access Protection, and then click OK.
To check whether Web and Cloud Access Protection is running and connected, see: Verifying that the Web and Cloud Access Protection tunnel method is enabled and connected on the Windows client

What is Web and Cloud Access Protection?


Web and Cloud Access Protection redirects network traffic from the Symantec Endpoint Protection client to the Symantec
Web Security Service, which allows or blocks the traffic based on policy rules that your WSS administrator sets up.
The secure connection to the Symantec Web Security Service enables the client to perform content filtering and threat
protection for all the network communication.
NOTE
Web and Cloud Access Protection was renamed from Network Traffic Redirection in 14.3 RU2.
How does Web and Cloud Access Protection work?
Web and Cloud Access Protection uses the following redirection methods:
• The PAC file method redirects web traffic only to the WSS through a Proxy Automatic Configuration (PAC) file. The
WSS provides secure proxy settings for your web browsers. Only web traffic is redirected to the WSS. Every time you
access a website using a web browser, the browser sends all web browser traffic through the nearest cloud-hosted
WSS as defined by the PAC file. Based on the predefined configuration, the Symantec WSS proxy can allow or block
the traffic.
• The Tunnel method redirects all the network traffic to the WSS through a VPN for traffic inspection. As soon as the
Symantec Endpoint Protection client is installed, it connects to a VPN which redirects all the network traffic through
the Symantec WSS proxy. The VPN is configured to be always on and it automatically reconnects in case it gets
disconnected due to machine restart, sleep, or hibernate. This method is available on 14.3 RU1 and later clients that
run on Windows 10 and later, 64-bit Intel devices only.
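The PAC file method described above relies on a standard Proxy Auto-Configuration script: the browser calls its FindProxyForURL function for every request and sends the request wherever the returned string says. The script below is an added example and is not the PAC file that the Symantec Web Security Service serves; the proxy host name and port, and the internal domain, are placeholder assumptions. Browsers provide the helper functions isPlainHostName, dnsDomainIs and isInNet to PAC scripts, so minimal versions are included here to let the policy run offline in Node.js.

```javascript
// Added example: a PAC script of the kind the PAC redirection method uses.
// NOT the WSS PAC file; proxy address and internal domain are placeholders.

// Minimal stand-ins for the PAC built-ins a browser normally supplies.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// True when a literal IPv4 host address lies inside pattern/mask.
// (A browser's isInNet would also resolve host names; this one does not.)
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (a) =>
    a.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// Placeholder values (assumptions for this example, not WSS settings).
const CLOUD_PROXY = "PROXY proxy.example-wss.invalid:8080";
const INTERNAL_DOMAIN = ".corp.example";

// Entry point every PAC file must define. "DIRECT" means connect without a
// proxy; "PROXY host:port" sends the request through that proxy.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Local and intranet destinations are never sent to the cloud proxy.
  if (isPlainHostName(h) || h === "localhost" || h === "127.0.0.1") return "DIRECT";
  if (dnsDomainIs(h, INTERNAL_DOMAIN)) return "DIRECT";
  if (isInNet(h, "10.0.0.0", "255.0.0.0") ||
      isInNet(h, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else is web traffic for the cloud proxy. No "; DIRECT" fallback
  // is appended, so an unreachable proxy fails the request instead of
  // silently bypassing inspection.
  return CLOUD_PROXY;
}
```

Two points the script makes concrete: a PAC file only governs applications that honour the browser proxy settings, which is why the guide says the PAC method redirects web traffic only; and the domain test uses a suffix match on the full host name, so a host that merely contains the internal domain name somewhere in its name is still sent to the proxy.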

Verifying that the Web and Cloud Access Protection tunnel method is enabled and connected on the Windows client
To verify that the Web and Cloud Access Protection tunnel method is enabled and connected on the Windows client:
1. On the Symantec Endpoint Protection (SEP) client, click Help > Troubleshooting > Web and Cloud Access Protection.
If the Status field displays Connected, Web and Cloud Access Protection is enabled and connected.

If the panel does not appear, the tunnel method is disabled on the client.
– If you enabled SAML authentication on the WSS portal, then the SEP client shows a Web and Cloud Access
Protection - Login window with your company identity provider (IdP) page inside where the client users enter their
company credentials. An identity provider (IdP) is a service that stores and manages digital identities.
The following window is an example of what the client user sees. The blurred part of the window is unique to each
company where the user enters their credentials. The client user should click the Reload button if the login window
is frozen or blank.

NOTE
For the SAML authentication method to run correctly, you must download and install the Microsoft Edge WebView2 Runtime as an administrator. Download the Microsoft Edge WebView2 Runtime application, then right-click the application and click Run as administrator. For Windows 11 clients, the WebView2 Runtime application is installed by default.
To use a Host Integrity policy template to install the WebView2 application, see: Troubleshooting Web and Cloud Access Protection
2. On the client, browse to the following test URL: pod.threatpulse.com.
If Web and Cloud Access Protection is enabled, the client user should see the following message.

Managing the Windows client
By default, your client computer is protected and you should not need to configure the client. However, you may want to
modify your protection for the following reasons:
• Your computer runs an unmanaged client.
Once an unmanaged client is installed, only you have control over your computer's protection. An unmanaged client is
protected by default, but you may need to modify the computer's protection settings.
About managed clients and unmanaged clients
Checking whether the client is managed or unmanaged
• You want to enable or disable one or more protection technologies.
Enabling protection on the client computer
• You want to verify that you have the latest virus definitions and security content.
• You have heard of a recent virus or security threat and want to run a scan.

Table 26: Tasks to configure the client

Respond to alerts or notifications
Respond to messages that appear, asking you for input. For example, a scan might detect a virus or security risk and display the scan results that ask you to act on the detection.
See: Types of alerts and notifications

Check the protection status
Regularly check the Status page to determine that all the types of protections are enabled.
See: Enabling protection on the client computer
See: client status icons

Update virus definitions and security content
Check that the computer has the latest virus definitions and security content.
• Check whether you have the latest protection updates. You can check the date and number of these definitions files on the client's Status page, under each type of protection.
• Obtain the latest protection updates.
See: Updating the client content using LiveUpdate
You can perform these tasks on a managed client if your administrator allows it.

Scan your computer
Run a scan to see if the computer or your email application has any viruses. By default, the client scans the computer when you turn it on, but you can scan the computer at any time.
See: Scanning your client computer immediately

Adjust protection settings
In most cases, the default settings provide adequate protection for your computer. If necessary, you can decrease or increase the following types of protection:
• Schedule additional scans
  See: Managing scans on your computer
• Add firewall rules (unmanaged client only)
  See: Managing firewall protection

Run a compliance check
Check whether your computer is compliant with your company's security policy.
See: Checking your computer's security compliance with a Host Integrity scan

View logs for detections or attacks
Check the logs to see if your client has detected a virus or network attack.
See: Viewing the logs

Update the security policy (Managed client only)
Check that the client received the latest security policy from a management server. A security policy includes the most current protection technology settings for your client.
See: client status icons
The security policy is updated automatically. However, to ensure that you have the latest policy, you can update it manually.
See: Updating client policies

Understanding the Symantec Endpoint Protection client Status page


When you open the client, the top of the Status page displays various alert icons to indicate the protection status of the
computer. If there is further action you must take, the text that appears with the icons provides more information.

Table 28: Status page icons

[icon] Shows that each protection is enabled.

[icon] Warns you that virus definitions or security content on the client computer is out of date. To receive the most current virus definitions or security content, you can run LiveUpdate immediately, if your administrator lets you.
This status may also indicate that the client requires a restart.
A client computer with an active Host Integrity policy may also have the following issues:
• The client computer failed the Host Integrity security compliance check. To find out what you need to do to pass the check, check the Client Management Security log.
• The client computer failed to download Host Integrity content.
See: Updating the client content using LiveUpdate

[icon] Shows that one or more protections are disabled or that the client has an expired license. To enable a protection, click Fix or Fix All.
See: Enabling protection on the client computer

See: client status icons

Hiding and displaying the notification area icon on the client


You can hide the notification area icon (also called the system tray icon) if necessary. For example, you can hide it if you
need more space on the Windows taskbar.
client status icons
To hide or display the notification area icon on the client:

NOTE
On managed clients, you cannot hide the notification area icon if your administrator has restricted this
functionality.
1. In the client, click Change settings.
2. On the Change Settings page, click Configure Settings next to Client Management.
3. In the Client Management Settings dialog box, on the General tab, under Display Options, uncheck or check Show
Symantec security icon in notification area.
4. Click OK.
To hide or display the notification area icon on all clients in a group:
NOTE
You must log on as an administrator to perform these steps. These settings hide or display the notification area icon and prevent the user from changing it.
1. Click Clients.
2. Click the group for which you want to hide or display the notification area icon, and then click Policies > Location-
specific Settings.
3. Next to Client User Interface Control Settings, click Tasks > Edit Settings.
4. Next to Server Control, click Customize.
5. Under General, click to enable or disable the option Display the notification area icon, and then click OK.
6. Click OK.

NOTE
If the group is already configured to use Mixed Control, follow the previous procedure, then click Mixed
Control > Customize. Next to Show/Hide notification area icon, click Server.

About managed clients and unmanaged clients


Your administrator can install the client as either a managed client (administrator-managed installation) or an unmanaged
client (standalone installation).

Table 29: Differences between a managed client and an unmanaged client

Managed client
A managed client communicates with a management server in your network. The administrator configures the protection and the default settings. The management server notifies the client, and the client downloads the settings. Depending on the management server's communication settings, if the administrator makes a change to the protection, the client downloads the change almost immediately.
Administrators can change the level at which you interact with the client in the following ways:
• The administrator manages the client completely. You are not required to configure the client. All the settings are locked or unavailable, but you can view information about what the client does on your computer.
• The administrator manages the client, but you can change some client settings and perform some tasks. For example, you may be able to run your own scans and manually retrieve client updates and protection updates.
• The administrator manages the client, but you can change all the client settings and perform all the protection tasks.
The availability of the client settings, as well as the values of the settings themselves, can change periodically. For example, a setting might change when your administrator updates the policy that controls your client's protection.

Unmanaged client
An unmanaged client does not communicate with a management server and an administrator does not manage the client.
An unmanaged client can be one of the following types:
• A standalone computer that is not connected to a network, such as a home computer or a laptop. The computer includes a client installation that uses either the default option settings or administrator-preset settings.
• A remote computer that connects to the corporate network, which must meet security requirements before it connects. However, Host Integrity is not supported on an unmanaged client.
The client has default settings when it is first installed. After the client is installed, you can change all the client settings and perform all the protection tasks.

The following table describes the differences in the user interface between a managed and unmanaged client.

Table 30: Differences between a managed client and an unmanaged client by feature area

Virus and Spyware Protection
• Centrally managed client: The client displays a locked padlock option and the option appears dimmed for the options that you cannot configure.
• Unmanaged client: The client does not display either a locked padlock or an unlocked padlock.

Proactive Threat Protection
• Centrally managed client: The client displays a locked padlock option and the option appears dimmed for the options that you cannot configure.
• Unmanaged client: The client does not display either a locked padlock or an unlocked padlock.

Client management and Network and Host Exploit Mitigation settings
• Centrally managed client: The settings that the administrator controls do not appear.
• Unmanaged client: All the settings appear.

Checking whether the client is managed or unmanaged


To check how much control you have to configure protection on your client, you first check whether your client is managed
or unmanaged. You can configure more settings on an unmanaged client than on a managed client.
About managed clients and unmanaged clients

To check whether the client is managed or unmanaged:
1. On the Status page, click Help > Troubleshooting.
2. In the Troubleshooting dialog box, click Management.
3. In the Management panel, under General Information, next to Server, look for the following information:
• If the client is managed, the Server field displays either the management server's address or the text Offline.
The address can be an IP address, DNS name, or NetBIOS name. For example, a DNS name might be
SEPMServer1. If the client is managed but not currently connected to a management server, this field is Offline.
• If the client is unmanaged, the Server field displays Self-managed.
4. Click Close.

Troubleshooting problems with a protection
You should always keep the protection technologies enabled.
WARNING
If you do disable a protection temporarily, reenable it to ensure that the computer remains protected.
You can also run the Symantec Diagnostic tool to help solve an issue. See: Troubleshooting and checking the health of
the Windows client with SymDiag
The following table lists issues that you may have when a protection is enabled. First check with your system
administrator about a possible cause and solution.

Protection type: Auto-Protect
Problems installing an application.
Auto-Protect may cause the following issues:
• Auto-Protect might block you from opening a document. For example, if you op
• Auto-Protect may warn you about a virus-like activity that you know is not the w
warning, create an exception.
• Auto-Protect may interfere with Windows driver replacement.
• Auto-Protect might slow down the client computer.
If Auto-Protect causes a problem with an application, it is better to create an excep
See: Enabling Auto-Protect
See: Excluding items from scans

Protection type: Proactive Threat Protection
You might want to disable Proactive Threat Protection for the following reasons:
• You see too many warnings about the threats that you know are not threats.
• The client computer may slow down.

Protection type: Network and Host Exploit Mitigation
Network and Host Exploit Mitigation may cause the following issues:
• You install an application that might cause the firewall to block it.
• A firewall rule or firewall setting blocks an application due to an administrator's
• The firewall or the intrusion prevention system causes network connectivity-rela
• You cannot open an application.
• An application terminates unexpectedly.
See: Preventing attacks on vulnerable applications
If you are not sure that Network and Host Exploit Mitigation causes the problem, yo
On a managed client, your administrator might lock Network and Host Exploit Mitig
• Whether the client allows either all traffic or all outbound traffic only.
• The length of time the protection is disabled.
• How many times you can disable protection before you restart the client.
See: Enabling intrusion prevention
See: Enabling protection on the client computer

Protection type: Tamper Protection
Typically, you should keep Tamper Protection enabled.
You might want to disable Tamper Protection temporarily if you get an extensive nu
processes. If you are sure that an application is safe, you can create a Tamper Pro
See: Enabling Tamper Protection

Enabling protection on the client computer
You should keep all types of protection enabled on your computer at all times, especially Auto-Protect.
On the client, when any of the protections are disabled:
• The status bar is red at the top of the Status page.
• The client's icon appears with a universal no sign, a red circle with a diagonal slash. The client icon appears as a full
shield in the taskbar in the lower-right corner of your Windows desktop. In some configurations, the icon does not
appear.
client status icons
On a managed client, your administrator can enable or disable a protection technology at any time. If you disable a protection, your administrator may later enable the protection again. Your administrator might also lock a protection so that you cannot disable it.

To enable protection technologies from the Status page
On the client, at the top of the Status page, click Fix or Fix All.

To enable protection technologies from the taskbar
On the Windows desktop, in the notification area, right-click the client icon, and then click Enable Symantec Endpoint Protection.

To enable protection technologies from within the client
In the client, on the Status page, beside the protection type, click Options > Enable the <protection type>.

To enable the firewall
1. On the client, at the top of the Status page, next to Network and Host Exploit Mitigation, click Options > Change Settings.
2. On the Firewall tab, check Enable Firewall.
3. Click OK.

About the logs on the Windows client


Logs contain information about client configuration changes, security-related activities, and errors. These records are
called events.
Security-related activities include information about virus detections, computer status, and the traffic that enters or
exits your computer. If you use a managed client, its logs can be regularly uploaded to the management server. An
administrator can use their data to analyze the overall security status of the network.
Logs are an important method for tracking your computer’s activity and its interaction with other computers and networks.
You can use the information in the logs to track the trends that relate to viruses, security risks, and attacks on your
computer.
For more information about a log, you can press F1 to view the help for that log.

Table 31: Client logs

Control Log
Contains the information about the Windows registry keys, files, and DLLs that an application accesses, as well as the applications that your computer runs.

Debug Log
Contains the information about the client, scans, and the firewall for troubleshooting purposes. Your administrator may ask you to enable or configure the logs and then export them.

Web and Cloud Access Protection Log
Contains diagnostic information about the Symantec Web Security Service (WSS) if it has started.

Packet Log
Contains the information about the packets of data that enter or leave through the ports on your computer. By default, the packet log is disabled. On a managed client, you cannot enable the packet log unless your administrator allows it. On an unmanaged client, you can enable the packet log.
See: Enabling the Packet log

Risk Log
Contains the entries about viruses and security risks, such as adware and spyware, which have infected your computer. Security risks include a link to the Symantec Security Response webpage that provides additional information.

Scan Log
Contains the entries about the scans that have run on your computer over time.

Security Log
Contains the information about the activities that can pose a threat to your computer. For example, information might appear about such activities as denial-of-service attacks, port scans, and executable file alterations.
The Security log also displays the results of a Host Integrity check.

System Log
• Virus and Spyware Protection: Contains the information about system activities on your computer that are related to viruses and to security risks. This information includes configuration changes, errors, and definitions file information.
• Proactive Threat Protection: Contains the information about system activities on your computer that are related to behavioral analysis (SONAR).
• Client Management: Contains the information about all of the operational changes that have occurred on your computer.
The changes might include the following activities:
– A service starts or stops
– The computer detects network applications
– The software is configured

Tamper Protection Log
Contains the entries about the attempts to tamper with the Symantec applications on your computer. These entries contain information about the attempts that Tamper Protection detected or detected and thwarted.

Threat Log
Contains the information about the threats that behavioral analysis (SONAR) detects when applications that run on your computer exhibit potentially malicious behavior. SONAR detects any files that act suspiciously. Behavioral analysis also detects system changes.

Traffic Log
Contains the events that concern firewall traffic and intrusion prevention attacks. The log contains information about the connections that your computer makes through the network.
With Risk Tracer enabled, the Network and Host Exploit Mitigation logs can help you trace traffic back to its source, and troubleshoot possible network attacks. The logs can tell you when your computer has been blocked from the network and help you to determine why your access has been blocked.
For more information, see What is Risk Tracer?

Viewing the logs


You can view the logs on your computer to see the details of the events that have occurred.
To view a log:
1. In the client, in the sidebar, click View Logs.
2. Click a View Logs button, and in the drop-down menu, select the log that you want to view.
Some protection technologies might not appear, depending on your installation.

Enabling the Packet log
All Network and Host Exploit Mitigation logs and Client Management logs are enabled by default, except for the Packet
log. On unmanaged clients, you can enable and disable the Packet log.
On managed clients, your administrator might let you enable or disable the Packet log.
About the logs
To enable the Packet log:
1. In the client, on the Status page, beside Network and Host Exploit Mitigation, click Options, and then click Change
Settings.
2. Click Logs.
3. Check Enable Packet Log.
4. Click OK.

Dialog Help
Reference information about settings on the dialog boxes.
Use this section to browse through all the Help topics for the Symantec Endpoint Protection Windows Client dialog boxes.

Virus and Spyware Protection


This section includes help on the dialog boxes for the Change Settings > Virus and Spyware Protection page.

Virus and Spyware Protection Settings: Auto-Protect


Auto-Protect provides real-time protection for files on your computer. Whenever you access, copy, save, move, open, or
close a file, Auto-Protect scans it to ensure that a virus or security risk is not present. Auto-Protect is a powerful way to
guard your data against infection.
On a managed client, your administrator might lock some of these settings.
NOTE
Use exceptions if you want to exclude files or folders from scans.

Table 32: Auto-Protect file system options

Option Description

Enable File System You can enable or disable Auto-Protect for file protection.
Auto-Protect If you disable Auto-Protect, you also change the following protections:
• Download Insight does not function even if Download Insight is enabled.
• Behavioral analysis (SONAR) does not detect heuristic threats and appears to malfunction (14.3 RU4
or earlier). Detection of system changes or host file changes, however, continues to function.
File Types Specifies whether Auto-Protect should scan all file types or selected file extensions.
Note: Download Insight uses these settings as well.
File types includes the following options:
• All types: Scans all files on the computer, regardless of type.
• Selected: Select this option to scan only files with certain extensions.
• Extensions: Specifies that only certain file extensions should be included in the scan. You can add
entries for programs and the documents that use unlisted extensions. Only the file extensions that you
specify are scanned. Files with unlisted extensions are not scanned.
If you want to exclude files or folders from scans, create an exception. The exception applies to all the
scans that you run.
• Determine file types by examining file contents: Scans a specific, configurable group of the file
extensions that contain executable code, and all .exe and .doc files. The client reads each file's header
to determine its file type. It scans .exe and .doc files even if a virus changes their file extensions.
Actions Configures the actions for Auto-Protect to take when it detects viruses and security risks.
Notifications Specifies whether or not Auto-Protect should display a message when it detects a virus or security risk.
Also specifies what the contents of the message should be.

72
Option Description

Advanced Sets the advanced scan options such as startup and backup options, and file cache and Risk Tracer
options.
Options Options include the following:
• Scan for security risks
You can disable this option to stop Auto-Protect from scanning security risks.
• Scan files on remote computers
Enables or disables Auto-Protect scans for files on remote computers. By default Auto-Protect scans
files on remote computers only when files are executed.
• Only when files are executed
Disable this option to run Auto-Protect on all files on remote computers. If you disable this option,
however, you might affect your client computers' performance.
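The difference between the Selected extensions list and the Determine file types by examining file contents option is easiest to see in code. The following is an added example, not code from this guide or from the Symantec client: it identifies files by their header bytes (the widely published MZ, OLE2, ZIP and PDF signatures, not Symantec's own list) and shows that an executable renamed to .jpg is skipped by an extension-only scan but picked up when file contents are examined. All sample files are constructed byte strings.

```python
"""Added example: extension-based versus content-based file selection for a scan.
Not part of the Symantec guide; signatures and sample files are constructed."""

# Well-known header signatures (assumption: a real scanner's list is larger).
MAGIC = {
    b"MZ": "exe",                                   # DOS/PE executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",     # OLE2 compound file (legacy .doc/.xls)
    b"PK\x03\x04": "zip",                           # ZIP container (also .docx, .jar)
    b"%PDF": "pdf",
}

# Constructed sample files: name -> bytes. holiday.jpg is an executable renamed
# to look like an image, which is exactly the case content examination catches.
SAMPLE_FILES = {
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 16,
    "notes.txt": b"plain text, nothing to see",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 16,
}

# A constructed 'Selected' extension list, as set in the Extensions dialog.
SELECTED_EXTENSIONS = {"exe", "doc", "dll", "com"}


def type_from_content(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name entirely."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def extension(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def select_for_scan(files: dict, selected_exts: set, examine_contents: bool) -> list:
    """Return the names a scan would open.

    selected_exts      - the 'Selected' extension list
    examine_contents   - the 'Determine file types by examining file contents' option;
                         when on, .exe and .doc content is scanned whatever the name says
    """
    chosen = []
    for name, data in files.items():
        if extension(name) in selected_exts:
            chosen.append(name)
        elif examine_contents and type_from_content(data) in ("exe", "doc"):
            chosen.append(name)   # header says executable or OLE document
    return chosen


if __name__ == "__main__":
    print("extension only :", select_for_scan(SAMPLE_FILES, SELECTED_EXTENSIONS, False))
    print("examine content:", select_for_scan(SAMPLE_FILES, SELECTED_EXTENSIONS, True))
```

The point for a defender: an extension list is a performance optimisation, not a security boundary, because the name is under the attacker's control and the header is not.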

Virus and Spyware Protection Settings: Outlook Auto-Protect


Symantec Endpoint Protection for Windows Client Guide
Auto-Protect can scan attachments to Microsoft Outlook email.
On a managed client, your administrator might lock some of these settings.

Table 33: Auto-Protect options for Microsoft Outlook

Option Description

Enable Microsoft Outlook Auto-Protect: Enables or disables Auto-Protect for attachments to Microsoft Outlook email.
File Types Specifies whether Auto-Protect should scan all file types or selected file extensions.
File types includes the following options:
• All types: Scans all files on the computer, regardless of type.
• Selected: Select this option to scan only files with certain extensions.
• Extensions: Specifies that only certain file extensions should be included in the scan. You can add
entries for programs and the documents that use unlisted extensions. Only the file extensions that you
specify are scanned. Files with unlisted extensions are not scanned.
Actions Configures the actions for Auto-Protect to take when it detects viruses and security risks.
Notifications Specifies whether or not Auto-Protect should display a message when it detects a virus or security risk.
Also specifies what the contents of the message should be.
Advanced Sets the advanced scan options such as compression and connection settings.
Email Messages You can configure the following types of email messages:
• Insert warning into the email message: Adds an email warning to infected messages. You can
change the default text.
• Send email to the sender: Notifies the senders of infected messages. You can change the default text
of the message.
• Send email to others: Notifies any designated email addresses of infected messages. You can change
the default text of the message.

Virus and Spyware Protection Settings: Download Insight


You can enable or disable Download Insight and change how sensitive Download Insight is to potentially malicious files.
Use these settings to control the rate of false positive detections.
On a managed client, your administrator might lock some of these settings.

Table 34: Download Insight settings

Option Description

Enable Download Insight to detect potential risks based on file reputation: Enables or disables Download Insight.
Download Insight detects a malicious file or potentially malicious file when you try to download the file from a browser
or a text messaging client.
Note: Download Insight requires Auto-Protect. If Auto-Protect is disabled and Download Insight is enabled,
Download Insight cannot function. On the status page, the status details indicate the Download Insight
malfunction.

Specify download protection level: Sets the sensitivity for Download Insight detection of malicious files. You might
want to adjust the slider to change the overall number of detections as well as the number of false positive detections.
Note: If you or your administrator installed basic Virus and Spyware Protection only, Download Insight
always uses sensitivity level 1. You cannot change the setting.
Download Insight determines that a downloaded file might be a risk based on evidence about the
file's reputation. Symantec collects information about files to determine their reputation and makes the
information available to Download Insight. The slider indicates a range of reputations, from most likely to be
malicious to least likely to be malicious.
You can adjust the slider to change the reputation level at which files are considered malicious or
unproven.
When you set the sensitivity level higher, Download Insight detects more files as malicious and considers
fewer files as unproven. At higher levels, Download Insight returns more false positive detections. Only the
files with the best reputations are allowed.
At lower sensitivity levels, Download Insight detects fewer files as malicious and returns fewer false positive
detections. However, more files are considered unproven.
Note: Move the slider to view a description of each level. Each description provides information about how
the level allows or blocks files and its potential false positive rate.
Click Actions to set the action that Download Insight takes on malicious files or unproven files.
Also detect files as malicious based on their use in the Symantec Community: Sets the additional requirements for
the downloaded files that have the reputations that are higher than the configured sensitivity setting. The files are
considered unproven but are detected as malicious if they meet the additional requirements.
The additional requirements enable Download Insight to consider file usage in the Symantec Community.
Files that are used by fewer users might be potentially more harmful. Files that have recently appeared in
the Symantec Community also might be more potentially harmful.
The following options are available:
• Files with fewer than
Specifies the maximum number of users who use the file. The client detects any downloaded files that
are used by fewer than the specified number of users.
• Files known by users for less than
Specifies the maximum number of days that the file has been known in the Symantec community. The
client detects any downloaded files that are known by Symantec for less than the number of specified
days.

Automatically trust any file downloaded from an intranet website: By default, Download Insight does not examine any
files that you download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet
sites on the Windows Control Panel > Internet Options > Security tab.
When this option is enabled, the client allows any file that a user downloads from one of the trusted sites. After the
file is downloaded, other protection features can detect and take action on the file if necessary.
The client checks for updates to the Internet Options trusted sites list at user logon and every four hours. It also
checks for updates to the list when you turn on Automatically trust any file downloaded from an
intranet website after it has been disabled.
You can also create exceptions for specific Web domains.
Download Insight recognizes explicitly configured trusted sites only. Wildcards are allowed, but non-
routable IP address ranges are not supported. For example, Download Insight does not recognize 10.*.*.*
as a trusted site. Download Insight also does not support the sites that the Internet Options > Security >
Automatically detect intranet network option discovers.
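The settings in Table 34 combine into one decision per download: trusted-site bypass first, then the reputation slider, then the Symantec Community thresholds for files left unproven. The following is an added example that models that decision; it is not code from this guide or from the Symantec client. The 0 to 9 reputation scale, the way the slider maps to thresholds, and the sample downloads are constructed for illustration, since Symantec's reputation data and real thresholds are not published on this page. The trusted-site check follows the guide's stated rule: host wildcards are honoured, non-routable IP ranges such as 10.*.*.* are not.

```python
"""Added example: a model of the Download Insight decision flow. Not from the
Symantec guide; scale, thresholds and sample data are constructed."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Download:
    url_host: str     # host the file was downloaded from
    reputation: int   # constructed scale: 0 = most likely malicious ... 9 = best reputation
    users: int        # Symantec Community users known to have the file
    age_days: int     # days the file has been known to Symantec


@dataclass
class Policy:
    sensitivity: int        # slider position, constructed range 1 (lowest) .. 9 (highest)
    max_users: int          # 'Files with fewer than' N users
    max_age_days: int       # 'Files known by users for less than' N days
    trust_intranet: bool    # 'Automatically trust any file downloaded from an intranet website'
    trusted_sites: list     # Internet Options trusted-site entries; wildcards allowed


# Constructed: how far above the slider a reputation must be to count as "good".
GOOD_BAND = 3

_IP_PATTERN = re.compile(r"^[\d*]+(\.[\d*]+){3}$")


def site_recognized(entry: str) -> bool:
    """Download Insight honours explicit and wildcard host names but not
    non-routable IP address ranges (the guide's 10.*.*.* example)."""
    if not _IP_PATTERN.match(entry):
        return True                       # a host name pattern
    fixed = [octet for octet in entry.split(".") if octet != "*"]
    probe = ipaddress.ip_address(".".join(fixed + ["0"] * (4 - len(fixed))))
    return not probe.is_private


def evaluate(d: Download, p: Policy) -> str:
    """Return 'allowed', 'unproven' or 'malicious' for one download."""
    if p.trust_intranet and any(
        site_recognized(site) and fnmatch.fnmatchcase(d.url_host, site)
        for site in p.trusted_sites
    ):
        return "allowed"          # Auto-Protect and other features may still act later
    if d.reputation < p.sensitivity:
        return "malicious"        # higher slider = more files called malicious
    if d.reputation >= min(9, p.sensitivity + GOOD_BAND):
        return "allowed"          # only the best reputations pass at high sensitivity
    # Unproven band: the Symantec Community requirements can still escalate it.
    if d.users < p.max_users or d.age_days < p.max_age_days:
        return "malicious"
    return "unproven"


if __name__ == "__main__":
    policy = Policy(3, 50, 30, True, ["*.corp.example.com", "10.*.*.*"])
    for sample in (Download("files.corp.example.com", 2, 5, 1),
                   Download("10.1.2.3", 2, 5, 1),
                   Download("dl.example.net", 5, 12, 2),
                   Download("dl.example.net", 5, 10000, 400)):
        print(sample.url_host, sample.reputation, "->", evaluate(sample, policy))
```

Two things the model makes visible: a file from 10.1.2.3 is not bypassed even though 10.*.*.* is in the trusted sites list, and raising the slider from 3 to 7 moves a reputation-8 file from allowed to unproven, which is the false-positive trade-off the slider descriptions warn about.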

Virus and Spyware Protection Settings: Global Settings


You can configure global virus and spyware options for the client.
On a managed client, your administrator might lock some of these settings.

Table 35: Global settings

Option Description

Scan Options You can configure the following options to apply to both manual scans and Auto-Protect:
• Enable Insight for
Insight allows scans to skip digitally signed files and trusted files. You can configure the level of trust to
use when Insight uses reputation data to skip files. If you select Symantec and Community Trusted,
scans skip more files (less secure). If you select Symantec Trusted, scans skip fewer files (more
secure).
When scans skip files, the scan performance might improve.
• Enable Bloodhound heuristic virus detection
Bloodhound isolates and locates logical regions of a file to detect a high percentage of unknown
viruses. In addition, the client detects unknown viruses by monitoring activity on your computer for the
behaviors that viruses typically perform. When a suspicious activity is detected, the client prevents the
action from continuing.
You can set the Bloodhound sensitivity level.
– Automatic is the default and uses advanced heuristics to make detections. It also uses some
experimental heuristics if detection submissions are enabled.
– Aggressive increases the sensitivity of the automatic Bloodhound Detection. If you select this level,
you are likely to see more false positive detections. This option is recommended only for advanced
users.
• Exceptions
You can view any exceptions that you create for scans by clicking View List.
Log Retention Specifies the time period after which items are deleted from the client logs.
This option does not affect any log events that are sent to the management console. Use this parameter to
reduce the size of the logs on your computer.
Internet Browser Protection: Specifies a URL to use as the home page when a security risk hijacks your computer's
home page. The client uses this URL when it repairs the risk.

Scan Notification Options
You can configure notification and remediation options for Auto-Protect or user-defined scans.
For managed clients, your administrator may lock some of these settings.
NOTE
The remediation options apply only for Auto-Protect scans of the file system.

Table 36: Notification and remediation options

Option Description

Detection options The following options are available:
• Display a notification message when a risk is detected
Enables or disables notifications on infected computers when Auto-Protect or a user-defined scan finds
a virus or a security risk.
You can modify the type of information that you want to appear in the notification. You can use the
default text or you can delete text and type in your own text. If you right-click inside of the text box, you
can insert variable fields into the notification text. In the notification itself, the relevant text automatically
replaces the variable fields.
Message variables displays the default message variables and the variables that you can add.
• Display the Auto-Protect results dialog
Enables or disables the display of results on infected computers. This option is only available for Auto-
Protect for the file system.
Remediation options These options apply only to Auto-Protect for the file system. The client might need to terminate a process
or stop a service to remove or repair a risk.
The following options are available:
• Terminate processes automatically
If you enable this option, the client terminates processes automatically. If you disable this option, the client
prompts you before it takes action on a process.
• Stop services automatically
If you enable this option, the client stops services automatically. If you disable this option, the client
prompts you before it takes action on a service.
Note: You are always notified when a restart is required. You can then save data and close open
applications or opt out of the restart.

Table 37: Message variables

Field Description

LoggedBy The type of scan that detected the virus or security risk.
Event The type of event, such as “Risk Found.”
SecurityRiskName The name of the virus or security risk that was found.
PathAndFilename The complete path and name of the file that the virus or the security risk has infected.
Location The drive on the computer on which the virus or security risk was located.
Computer The name of the computer on which the virus or security risk was found.
User The name of the user who was logged on when the virus or security risk occurred.

ActionTaken The action that was taken in response to detecting the virus or security risk. This action can be either the
first action or second action that was configured.
DateFound The date on which the virus or security risk was found.
Status The state of the file: Infected, Not Infected, or Deleted.
Filename The name of the file that the virus or the security risk has infected.
StorageName The affected area of the application, such as File System Auto-Protect.
ActionDescription A full description of the actions that were taken in response to detecting the virus or security risk.

Download Insight Actions


You can specify how Download Insight responds to malicious file detections and unproven file detections. You can
change what level of file reputation Download Insight uses to determine if a file is malicious or unproven by adjusting the
sensitivity slider.
On a managed client, your administrator might lock some of these settings.

Table 38: Download Insight actions

Option Description

Malicious files Configures the actions for the detections that Download Insight makes based on the protection level slider
setting. You can configure a first action to take and a second action to take if the first action fails.
The options available for If first action fails are based on the current selection for First action.
You can specify the following actions:
• Quarantine risk: Tries to move the file to the Quarantine on the client computer as soon as it is
detected. If notifications are enabled, you can choose to allow the file. If you choose to allow the file,
you can run the file from your temporary Internet folder. After a file is moved to the Quarantine, you
cannot run the file. However, you can perform additional actions on the file in the Quarantine.
• Delete risk: Tries to delete the file. The file is permanently deleted and cannot be recovered.
If Download Insight cannot delete the file, detailed information about the action appears in the System
log.
• Leave alone (log only): Allows access to the file and logs the event.
Unproven files Configures an action for Download Insight to take when it detects an unproven file.
The actions for unproven files are the same as for malicious files (Quarantine risk, Delete risk, Leave
alone (log only)), with the following two additional possible actions:
• Prompt
Prompts the user to allow or block the downloaded file.
• Ignore
Allows the file on the client computer.

Download Insight Notification Options


You can configure notification options for Download Protection. The notification includes information about the security risk
detected.
On a managed client, your administrator might lock this setting.

Table 39: Download Insight notification options

Option Description

Display a notification Enables or disables the display of a notification message on an infected computer when Download Insight
message on the makes a detection.
infected computer When this option is enabled, you can modify the default message that appears when you allow a file that
Download Insight detects.

Early Launch Anti-Malware


The client provides an early launch anti-malware (ELAM) driver that works with the Microsoft ELAM driver to protect the
computers in your network when they start and before third-party drivers initialize. The settings are supported on
Microsoft Windows 8 and Windows Server 2012.

Table 40: Early launch anti-malware options

Option Description

Enable Symantec Early Launch Anti-Malware check: Enables the early launch anti-malware (ELAM) driver.
When this option is enabled, the settings take effect only when the Windows ELAM driver is enabled.
When a potentially malicious driver is detected: You can choose one of the following options:
• Log the detection as unknown so that Windows allows the driver to load
This log-only option configures the early launch anti-malware driver to report bad or bad critical drivers
as unknown drivers to Windows. The client logs the detection as a bad or bad critical driver, and then Windows
uses the action in its policy for unknown drivers. By default, Windows allows unknown drivers to load.
You might select this option if you get false positive detections that block important drivers.
• Use the default Windows action for the detection
You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your
Windows documentation for more information.

Auto-Protect Advanced Options


You can configure advanced options for Auto-Protect scans of the file system.
On a managed client, your administrator might lock some of these settings.

Table 41: Advanced options for File System Auto-Protect

Option Description

Changes requiring Auto-Protect reload: Specifies when Auto-Protect should be reloaded. The following options are
available:
• Wait until the computer is restarted
Stops and reloads Auto-Protect when the computer restarts.
• Stop and reload Auto-Protect
Stops and reloads Auto-Protect immediately.
Scan files when The following options are available:
• Scan when a file is accessed or modified
Scans the files when they are written, opened, moved, copied, or run. You can use this option for more
complete file system protection. This option might have a performance impact because Auto-Protect
scans files during all types of operations.
• Scan when a file is modified
Scans the files when they are written, modified, or copied. You can use this option for slightly faster
performance.
• Scan when a file is backed up
Scans a file during backup if another process tries to write to the file during the backup. The backup
process only reads the files during backup, so the backup process itself does not initiate the scan.
If you disable this option, Auto-Protect does not scan any file during a backup. Auto-Protect scans the
files that are restored from backup, however, regardless of this setting.
• Do not scan files when trusted processes access the files
Skips the files that are accessed by Windows Search indexer and other safe processes.
Other options The following options are available:
• Always delete newly created infected files
Enable this option to delete a new file that is infected regardless of the action that is configured for
the type of risk. This setting does not apply to the Auto-Protect detections of existing files that contain
viruses. Auto-Protect does not delete the infected files that already exist on the client computer unless
the configured action is Delete.
• Always delete newly created infected security risks
This option is only available when Always delete newly created infected files is enabled. Enable
this option to delete a newly created file that contains a security risk regardless of the action that is
configured for the type of risk. This setting does not apply to Auto-Protect detections of any existing
files that contain security risks. Auto-Protect does not delete any security risks that already exist on the
client computer unless the configured action is Delete.
File cache The following options are available:
• Enable the file cache
File caching decreases Auto-Protect’s memory usage and can help improve Auto-Protect scan
performance.
You might want to disable the file cache to troubleshoot problems.
• Rescan the cache when new definitions load
Rescans the file cache when new definitions arrive on the client computer. You might want to disable
this option to improve the computer performance.

Risk Tracer The following options are available:
• Enable Risk Tracer
Enables or disables the identification of attacking IP addresses. Risk Tracer identifies the IP addresses
but does not block them.
• Resolve the source computer IP address
If this option is enabled, Auto-Protect looks up and records only the computer’s NetBIOS name. Auto-
Protect also reports who was logged on to the computer at delivery time.
• Poll for network sessions every
Enables or disables polling for network sessions.
Automatic enablement Specifies whether or not Auto-Protect is re-enabled after a certain number of minutes
The following option is available:
• When Auto-Protect is disabled, enable after
Enables Auto-Protect if it is disabled for the specified number of minutes. This option is useful if you
want to disable Auto-Protect on occasion. Valid values for the time range are 3 minutes to 60 minutes.
Backup options The following option is available:
• Back up files before attempting to repair them
As a data safety precaution, before you try to repair a file, you should enable this option. The original
virus-infected file is encrypted and then copied into the Quarantine folder. You can use this unrepaired
backup file to return the file to its original, infected state.
Note: Uncheck this option with caution, since it means the files that contain viruses are not backed up
before repairs are tried.
This setting applies only to virus-infected files. The client always backs up the files that it quarantines
and repairs, regardless of this setting.
Additional advanced options: The following command options are available:
• Floppies: Configures the options for scans of floppy disks.
• Network: Configures the network scanning settings.

Floppy Settings
You can monitor for boot record viruses on floppy disks when they are first accessed. The safest setting is to clean the
virus from an infected floppy disk.
On a managed client, your administrator might lock these settings.

Table 42: Settings for checking floppies

Option Description

Floppy settings The following options are available:
• Check floppies for boot viruses when accessed: Enables or disables floppy disk scanning when
floppy disks are accessed for data.
• When a boot virus is found: When Auto-Protect finds a boot virus, select whether to clean a virus
from the boot record or leave it alone.
If you click Leave alone (log only), an alert is sent when a virus is detected but no action is taken.
Computer shutdown settings: The following option is available:
• Check floppies when the computer shuts down: Enables and disables scanning floppies when the
computer is turned off.

Advanced Scan Options
Use these options to customize your scan settings.

Table 43: Advanced scan options

Advanced Option Definition

Compressed files options You can set the following options:
• Scan files inside compressed files
Enables the scanning of containers, such as Files.zip, and the contents of the containers, which are the
individual compressed files.
The client scans compressed files during on-demand, email, and scheduled scans. When this option is enabled
and you use the Extensions dialog to include only specified file extensions, the client continues to scan
container files and their contents even if you do not specify the container file extensions. You can
disable the Scan files inside compressed files option or create exceptions for specific container file
extensions so that scans do not scan them.
Because of the significant processing overhead, Auto-Protect does not scan the files that are within
compressed files on Windows computers. However, the files are scanned when they are extracted from
compressed files.
Note: You cannot stop a scan that is in progress on a compressed file. If you choose to stop the scan,
the client stops the scan only after it has finished scanning the compressed file.
• Number of levels to expand if there are compressed files within compressed files
Specifies the number of levels of nesting scans should support.
Backup options Automatically backs up a file before the client tries to repair it.
Dialog options Specifies whether or not a scan progress dialog box appears. You can also specify whether or not the scan
progress dialog box closes when the scan finishes.
When you select Show scan progress or Show scan progress if risk detected, the following options
appear:
• When a scan runs, the message link scan in progress appears.
You can click the link to display the scan progress.
• A link to reschedule the next scheduled scan also appears.
Tuning options Balances the scan performance optimization and its effect on other applications.
You can select one of the following options:
• Best Scan Performance
Optimizes the performance of the scan. Scans take less time to complete, but other applications on
your computer might run more slowly during scans. For computers with four or more CPUs, use this
option for the best overall performance.
• Balanced Performance
Balances the performance of a scan against the performance of the other applications that run during
scans.
• Best Application Performance
Optimizes the performance of other applications that are running on the computer. Scans take longer to
complete, but other applications on the computer might perform better during a scan. When this option
is set, scans can start but they only run when the client computer is idle.
If you configure an Active Scan to run when new definitions arrive, the scan is delayed for up to 15
minutes if the user is using the client computer.
Storage migration Specifies the options for the files that Hierarchical Storage Management (HSM) and offline backup systems
options maintain.
Note: Consult your HSM or backup vendor to select the appropriate settings.
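The Scan files inside compressed files option and its nesting limit describe a bounded recursive walk: open a container, scan each member, and open members that are themselves containers until the configured number of levels is reached. The following is an added example of that walk, not code from this guide or from the Symantec client. The nested archive is constructed in memory, the inner archives are deliberately not named .zip so that detection has to use the PK header rather than the extension (as the guide says the client does for container files), and a per-member size cap is included as the guard a practitioner would want against decompression bombs.

```python
"""Added example: expanding nested ZIP containers up to a configured number of
levels. Not from the Symantec guide; the nested archive is constructed."""
import io
import zipfile

# Constructed guard: members whose declared size exceeds this are not expanded.
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def build_nested_archive(depth: int) -> bytes:
    """Constructed sample: a zip inside a zip (depth times) around a text payload."""
    data = b"payload: just the innermost member\n"
    name = "payload.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        name = f"inner{level}.dat"   # not .zip: the walker must look at content
    return data


def is_zip(data: bytes) -> bool:
    """Container detection by header, independent of the file name."""
    return data.startswith(b"PK\x03\x04")


def expand(data: bytes, max_levels: int, path: str = "top.zip",
           level: int = 0, scanned=None, skipped=None):
    """Walk containers. max_levels counts every container opened, the top-level
    archive included; 0 means 'do not look inside compressed files' at all.

    Returns (scanned, skipped): paths of plain members that would be scanned,
    and paths of containers or members that were not opened."""
    scanned = [] if scanned is None else scanned
    skipped = [] if skipped is None else skipped
    if not is_zip(data):
        scanned.append(path)
        return scanned, skipped
    if level >= max_levels:
        skipped.append(path)          # nesting limit reached: left unexpanded
        return scanned, skipped
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                skipped.append(member_path)   # declared size too large to inflate
                continue
            expand(zf.read(info), max_levels, member_path, level + 1, scanned, skipped)
    return scanned, skipped


if __name__ == "__main__":
    archive = build_nested_archive(3)
    for levels in (3, 2, 1, 0):
        print(levels, expand(archive, levels))
```

With three nested containers, a limit of 3 reaches the payload, while a limit of 1 opens only the top archive and records the first inner container as skipped; anything left unexpanded is still scanned later when the user extracts it, which is the behaviour the guide describes for Auto-Protect.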

Network Scanning Settings
You can configure options for Auto-Protect scans of network drives.
On a managed client, your administrator might lock these settings.

Table 44: Network scanning settings

Option Description

Trust files on remote computers running Auto-Protect: Prevents Auto-Protect from performing duplicate scans on
read-access files when network scanning is enabled.
If this option is enabled on two clients, each client checks to see that the other's Auto-Protect settings are
as secure as its own. Each client then trusts the Auto-Protect scan on the other and does not rescan any
files.
For example, when client A accesses a file on a network drive on client B, client A's Auto-Protect checks
client B's Auto-Protect settings. If client B's Auto-Protect is trustworthy, client A's Auto-Protect does not
scan the file. If client B's Auto-Protect is not trustworthy, client A's Auto-Protect scans the file.
When you read files on a remote computer, however, Auto-Protect might not scan the files. By default,
Auto-Protect tries to trust remote versions of Auto-Protect. If the trust option is enabled on both computers,
the local Auto-Protect checks the remote computer's Auto-Protect settings. If the remote Auto-Protect
settings provide at least as high a level of security as the local settings, the local Auto-Protect trusts the
remote Auto-Protect. When the local Auto-Protect trusts the remote Auto-Protect, the local Auto-Protect
does not scan the files that it reads from the remote computer. The local computer trusts that the remote
Auto-Protect already scanned the files.
Disable this setting if you want to allow duplicate scanning.
Note: This functionality applies only to read access. When client A requests write access from client B,
client A’s Auto-Protect scans the file regardless of this setting.
The local Auto-Protect always scans the files that you copy from a remote computer.
Network cache This option prevents Auto-Protect from scanning the same file more than once and may improve system
performance. You can set the number of files (entries) that Auto-Protect scans and remembers. You can
also set the timeout before the files are removed from the cache. After the timeout expires, Auto-Protect
scans the network files again if the client requests them from the network server.
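The trust rule above is a comparison on every setting, not an aggregate: the remote Auto-Protect must be at least as strict on each point, trust must be on at both ends, and write or copy access is always scanned. The following is an added example of that decision, not code from this guide or from the Symantec client; the set of settings compared and the ordering of the Scan files when choices are constructed for illustration.

```python
"""Added example: the 'trust remote Auto-Protect' decision as a per-setting
comparison. Not from the Symantec guide; settings and ranking are constructed."""
from dataclasses import dataclass

# Constructed ranking of the 'Scan files when' choices, weakest first.
SCAN_WHEN_RANK = {"modified": 0, "accessed_or_modified": 1}


@dataclass(frozen=True)
class AutoProtect:
    enabled: bool
    trust_remote: bool            # 'Trust files on remote computers running Auto-Protect'
    scan_when: str                # "modified" or "accessed_or_modified"
    scan_security_risks: bool     # Advanced option 'Scan for security risks'
    scan_remote_files: bool       # Advanced option 'Scan files on remote computers'


def at_least_as_secure(remote: AutoProtect, local: AutoProtect) -> bool:
    """True only when the remote side is at least as strict on every setting;
    one weaker setting is enough to make the local client rescan."""
    return (
        remote.enabled
        and remote.scan_security_risks >= local.scan_security_risks
        and remote.scan_remote_files >= local.scan_remote_files
        and SCAN_WHEN_RANK[remote.scan_when] >= SCAN_WHEN_RANK[local.scan_when]
    )


def local_scans(local: AutoProtect, remote: AutoProtect, access: str) -> bool:
    """Does client A (local) scan a file it touches on client B (remote)?"""
    if access in ("write", "copy"):
        return True                    # always scanned, regardless of trust
    if not (local.trust_remote and remote.trust_remote):
        return True                    # trust must be enabled on both computers
    return not at_least_as_secure(remote, local)


if __name__ == "__main__":
    strict = AutoProtect(True, True, "accessed_or_modified", True, True)
    lax = AutoProtect(True, True, "modified", False, True)
    print("strict reads from strict:", local_scans(strict, strict, "read"))
    print("strict reads from lax   :", local_scans(strict, lax, "read"))
    print("lax reads from strict   :", local_scans(lax, strict, "read"))
```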

Selected Extensions
When you configure a scan to scan only selected extensions, you can add extensions to the list or remove extensions
from the list.
Scheduled and manual scans always scan container file extensions, such as .zip, regardless of the extensions that you
select to scan. You can disable the Scan files inside compressed files option in the Advanced Scanning Options
dialog box to disable scans of container file extensions.

Table 45: Extensions options

Option Description

Use Defaults Returns the extensions list to its default state. Any extensions you added are removed, and any default
extensions you removed are added.
Add common extension types for: The following options are available:
• Programs: Selects all extensions for common programs.
• Documents: Selects all extensions for common documents.

Insert Warning
You can insert a warning into the body of an email message that is associated with an infected attachment. This warning
states that the client detected a virus in the original message. It also includes information about the infection, including the
action that the client took.
You can use this dialog box to customize the warning. You can use the default warning settings or you can delete text and
type in your own text. If you right-click inside of a text box, you can insert variable fields into the warning. In the warning
itself, the relevant text automatically replaces the variable fields.

Table 46: Warning text boxes

Option Description

Change the subject of the original message to: Enables or disables the modification of the subject of the messages
that are associated with infected file attachments.
Message body Specifies the text to include in the message body.
Infection information Specifies what infection information to include in the email message. The following
information is listed for each infected file:
• Name of the file attachment
• Name of the security risk
• Action taken (such as cleaned, moved to the Quarantine, Deleted, or left alone)
• File status (infected or not infected)
Email variable fields displays the variables you can add to a message.

Table 47: Email variable fields

Field Description

OriginalAttachmentName The name of the attachment that contains the virus or security risk.
SecurityRiskName The name of the virus or security risk that was found.
ActionTaken The action that was taken in response to detecting the virus or security risk. This action can be either the
first action or second action that was configured.
Status The state of the file: Infected, Not Infected, or Deleted.
Filename The name of the file that the virus or security risk infected.
PathAndFilename The complete path and name of the file that the virus or security risk infected.
Computer The name of the computer on which the virus or security risk was found.
User The name of the user who was logged on when the virus or security risk occurred.

DateFound The date on which the virus or security risk was found.
EmailSender The email address that sent the email with the infected attachment.
EmailRecipientList The list of addresses to which the email with the infected attachment was sent.
StorageName The affected area of the application. For example, Auto-Protect or Microsoft Outlook Auto-Protect.
EmailSubject The subject of the original message.

Send Email to recipient: Message


For supported email software, you can automatically send a message to the sender of an infected email message. This
message states that the client detected a virus in the original message. It also includes information about the infection,
including the action that the client took.
You can use this dialog box to customize the message subject and its contents. You can use the default message or
you can delete text and type in your own text. If you right-click inside of a text box, you can insert variable fields into the
message. In the message itself, the relevant text automatically replaces the variable fields.
NOTE
Not all variable fields are available in each text box.

Table 48: Email message text boxes

Option Description

Subject Specifies the subject of the notification message; it overwrites the original subject.
Message body The content of the message, which appears at the top of the message.
Infection information The following infection information is listed for each infected file:
• Name of the file attachment
• Name of the security risk
• Action taken (such as cleaned, moved to the Quarantine, deleted, or left alone)
• File status (infected or not infected)

Table 49: Email variable fields

Field Description

OriginalAttachmentName The name of the attachment that contains the virus or security risk.
SecurityRiskName The name of the virus or security risk that was found.
ActionTaken The action that was taken in response to detecting the virus or security risk. This action can be either the
first action or second action that was configured.
Status The state of the file: Infected, Not Infected, or Deleted.
Filename The name of the file that the virus or security risk infected.
PathAndFilename The complete path and name of the file that the virus or security risk infected.
Computer The name of the computer on which the virus or security risk was found.
User The name of the user who was logged on when the virus or security risk occurred.
DateFound The date on which the virus or security risk was found.
EmailSender The email address that sent the email with the infected attachment.
EmailRecipientList The list of addresses to which the email with the infected attachment was sent.
StorageName The affected area of the application. For example, Auto-Protect or Microsoft Outlook Auto-Protect.
EmailSubject The subject of the original message.

Send Email to Others: Others

You can automatically notify others about a virus or security risk infection.
Type the email addresses of the individuals who should be notified about a virus or security risk. The client sends an
email message that contains information about the virus infection to the addressees in the list. Click Add to add an email
address, or select the email addresses that you want to remove, and then click Remove.

Send Email to recipient: Email Server

To notify the sender of an infected message that was sent using Internet email, you must specify the mail server that
sends the message.

Table 50: Email server options

Option Description

Mail server Name of the mail server
Mail port Mail port to use to send the message
User name User name that is required to access the mail server and send messages
Password Password that the mail server requires
Reverse-path Reverse path information for your mail server. The reverse path is usually not necessary, but the mail
server might require it. You can insert the DNS name of the computer that should generate the message.

Scan Actions
You can configure actions when scans detect malware or security risks.
For Auto-Protect, on a managed client, your administrator might lock some settings.

Table 51: Scan action options

Detection type Action option

Malware You can configure a first action to take and a second action to take if the first action fails.
Note: By default, Auto-Protect automatically deletes newly created or saved infected files regardless of the
action options that you specify here.
Note: You can enable or disable the option in the Auto-Protect Advanced Options.
Actions for malware include the following:
• Clean risk: Tries to repair a file that is infected with a virus (first action only). This action has no effect
on Trojan horses or worms.
Note: The client does not clean any malware that is detected in Windows 8 style apps. It deletes the malware
instead.
• Quarantine risk: Tries to move the infected file to the Quarantine on the infected computer as soon as
it is detected. When a file is in the Quarantine, you cannot execute it until you move the file back to its
original location.
Note: The client does not quarantine any malware that is detected in Windows 8 style apps. It deletes the malware
instead.
• Delete risk: Tries to permanently delete the file. Use this option only if you can replace the infected
file with a virus-free backup copy. After the file is permanently deleted, you cannot recover it from the
recycle bin.
If the scan cannot delete the file, detailed information about the action appears in the Notification
dialog box and the client Risk log.
• Leave alone (log only): Denies any access to the file, displays a notification, and logs the event. Use
this option to take manual control of how the scan handles the detection. You can specify an action for
the detection in the Risk log.
Security Risks You can configure security risk actions as follows:
• Configure the same actions to take for all security risks.
• Configure the same actions for a whole category of security risks.
Click the category and then click Override actions configured for Security Risks.
• Configure individual security risk exceptions to the actions that you set for specific categories.
Note: By default, Auto-Protect automatically deletes newly created or saved security risks regardless of the
action options that you specify here.
Note: You can enable or disable the option in the Auto-Protect Advanced Options.
You can configure a first action to take and a second action to take if the first action fails.
Actions for security risks include the following:
• Quarantine risk: Tries to move any security risks to the Quarantine on the computer as soon as the
security risk is detected or completes its installation. The client tries to remove or repair any side effects of the
risk. Side effects include additional registry keys, modified registry key values, additions to .ini or .bat
files, or extra entries in hosts files. Side effects also include errors in a system driver or the effects of a
rootkit. After a security risk is moved to the Quarantine, you cannot run it. You can, however, perform
additional actions on the security risk. In some instances, you might need to restart the computer to
complete a removal or repair.
Note: The client does not quarantine the security risks that are detected in Windows 8 style apps. It deletes the
security risks instead.
• Delete risk: Tries to permanently delete the security risk. Use this option only if you can replace the
files with a clean backup copy. You cannot recover permanently deleted files.
Use this action with caution. The deletion of security risks can cause applications to lose functionality.
If the client cannot delete files, detailed information about the actions that the client takes appears in the
Notification dialog box and the Risk log.
• Leave alone (log only): The risk is left alone and its detection is logged. Use this option to take manual
control of how the client handles a security risk. You can specify an action for the security risk in the
Risk log.
Note: In some instances, you might unknowingly install an application that includes a security risk such as
adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by
default the client blocks the risk. If the block action might make the computer unstable, the client waits until after
the application installation. The client then performs the configured action on the security risk.
Create a New Scan
You can create new, custom scans for your computer that can run on demand, at a specified time, or at startup.

Table 52: Scan startup options

Startup option Description

On demand Runs the selected scan only on demand.
At specified times Runs the scan only at the specified time on the specified days.
At startup Runs the scan only when the system boots up or when a new user logs on.

Table 53: What to scan options

Scan option Description

Active Scans the memory and other common infection locations on this computer for viruses and security risks.
Full Scans the entire computer for viruses and security risks. Use this scan to look in the boot sector, in the
programs that are loaded into memory, and in all files and folders. A password may be required to scan
network drives.
Custom Scans only the specified files and folders.

Create New Scan - Select Folders and Files

For custom scans, use this window to define one or more targets for your scan. You can define an entire computer, a local
disk, one or more folders, or individual files.

Create New Scan - Scan Options

Use this dialog box to select scan options.

Table 54: Scan options

Option Description

File Types Configures whether you want to scan all file types or only selected file extensions.
Actions Configures actions for security risks when they are encountered.
Notifications Configures notification message options and remediation options for an infected computer.
Use the Client Management settings to enable or disable the popup notifications that appear on the
Windows 8 style user interface.
Advanced Sets advanced scan options such as scanning compressed files, backup options, dialog options, tuning
options, and storage migration options.
Scan Enhancements Specifies additional locations to search for viruses and security risks before scanning selected files and
folders.

Create New Scan - Scan Name
Use this window to enable, name, and describe the scan.

Table 55: General scan information

Field name Description

Scan name Type the name of the scan in this field.
Scan description Type a description of the scan in this field.
Enable the scan Check this check box to let the scan run at its scheduled time.
Note: This check box is not available for on-demand scans.

Create New Scan - Schedule

You can set scan times, randomize scan start times, and specify the retry interval if scans are missed.

Table 56: Schedule options

Option Description

Enable Enables or disables the scan schedule.
Scanning Schedule Specifies the frequency of the scan.
• Daily lets you select the time the scan runs each day. The actual time that the scan runs is based on
the last run time and the scan duration and missed scheduled scan settings.
• Weekly lets you select the time and day the scan runs each week. The actual time that the scan runs is
based on the last run time and the scan duration and missed scheduled scan settings.
• Monthly lets you select the time and day the scan runs each month. The actual time that the scan runs
is based on the last run time and the scan duration and missed scheduled scan settings.
The client might not use the configured time if the last run of the scan occurred at a different time because of the
scan duration or missed scheduled scan settings. For example, you might configure a weekly scan to run
every Sunday at midnight and a retry interval of one day. If the computer misses the scan and starts up on
Monday at 6:00 A.M., the scan runs at 6:00 A.M. The next scan is performed one week from Monday at
6:00 A.M. rather than the next Sunday at midnight.
If the computer does not start until Tuesday at 6:00 A.M., which exceeds the retry interval by two days, the
computer does not retry the scan. The computer waits until the next Sunday at midnight to try to run the
scan.
In either case, if you randomize the scan start time you might change the last run time of the scan.
You can also enable or disable Perform this scan even when no users are logged on.
Scan Duration Specifies how long a scan should run. You can specify any of the following options:
• Scan until finished
This setting is recommended in most cases to optimize scan performance.
• Scan for up to n hours
This setting lets you control scan times in environments where resources may be limited. If a scan does
not finish within the time period that is specified, the scan resumes at the next scheduled time. For
randomized scans, the scan resumes at a randomized time during the specified interval.
For example, if you configure the scan to run at 8:00 P.M. and set the duration for up to four hours,
a non-randomized scan starts or resumes at 8:00 P. M. For randomized scans, the scan starts or
resumes at a randomly selected minute between 8:00 P.M. and midnight.
If you set the frequency to Daily, the maximum scan duration is 23 hours. If you set the frequency to
Weekly, the maximum scan duration is 167 hours. If you set the frequency to Monthly, the maximum
scan duration is 671 hours.
If you choose to limit the scan time, you can also specify Randomize scan start time within this period.
Use this setting to scan virtual machines. Randomizing scans minimizes the chance of multiple scans
starting at the same time and requiring high resource use on the host computer.
Missed Scheduled Scans You can specify a time interval to retry a scan that did not start as scheduled. For example, a scan might be
missed because the computer was off. When the computer starts, the client retries the scan until the scan starts or
the retry interval expires.
Retry the scan within specifies the number of hours or days during which the client can retry a missed scan.
If you set the frequency to Daily, the maximum retry interval is 72 hours. If you set the frequency to
Weekly, the maximum retry interval is seven days. If you set the frequency to Monthly, the maximum retry
interval is 11 days. The defaults are the same as the maximums, except for weekly scans, which have a
default of three days.
Note: On unmanaged clients, the default retry interval for scans that are set to Daily is eight hours. You
might want to increase the interval to make sure that a missed scan is retried for a longer period of time.

Create New Scan - What to Scan

You can define the type of scan that you want to run.

Table 57: Scan types

Scan type Definition

Active Scan Scans the memory and other common infection locations on the computer for viruses and security risks.
You should run an active scan every day.
Full Scan Scans the entire computer for viruses and security risks, such as adware and spyware. Use this scan to
look in the boot sector, in the programs that are loaded into memory, and in all files and folders.
A password may be required to scan network drives.
You might want to run a full scan once a week or once a month. Full scans might affect your computer
performance.
Custom Scan Scans only the files and folders that you specify.

Create New Scan - When To Scan

When you create a new scan, you choose when to run the scan.

Table 58: Scan startup options

Option Definition

At specified times Runs this scan periodically on specified days and times.
At startup Runs this scan when the system boots up or when a new user logs on.
Your administrator might configure this option to be unavailable.
On demand Does not automatically run this scan. Runs this scan only when instructed.

Scan Tuning Options

Use this window to select a performance level for your scan.

Table 59: Performance levels

Performance level Definition

Best Scan Performance Optimizes the performance of the scans that run on the client computer
If you choose the top of the slider, scans take less time to complete, but other applications might run more
slowly during scans.
For computers with four or more CPUs, use this option for the best overall performance.
Balanced Performance Balances the performance of a scan against the performance of other applications
The middle of the slider balances scan performance with the performance of other applications that run
during scans.
Best Application Performance Optimizes the performance of other applications that are running on the computer
If you choose the bottom of the slider, scans take longer to complete, but other applications on the
computer might perform better during a scan.

Scan type or Symantec Endpoint Protection Detection Results

When the client does not detect any viruses in scanned files, the progress bar shows that the scan is complete.
If the client detects a virus during the scan, then the infection details appear in the results list.
NOTE
If the client for Windows detects a large number of viruses, spyware, or high-risk threats, an aggressive scan
mode engages. The scan restarts and uses Insight lookups.

Table 60: Infection details

Option Description

Icon The icon that indicates whether or not a file or risk is still a threat. A green check mark indicates that a risk
or file is no longer a threat. A red "x" indicates that a risk or file is still a threat.
Filename The name of the infected file.
Note: The language of the operating system on which you run the client might not be able to interpret
some characters in virus names. If the operating system cannot interpret the characters, the characters
appear as question marks in notifications. For example, some Unicode virus names might contain double-
byte characters. On those computers that run the client on an English operating system, these characters
appear as question marks.
Risk The name of the detected risk.
You can click on the risk name to display more information about the risk on the Symantec Security
Response website.
Action The action that the client performed on the risk, if any.
Risk Type The category of the detected risk.
Logged By The type of scan that detected the risk.
Original Location The path to the folder where the client detected the risk.
Computer The name of the computer where the client detected the risk.
User The name of the active user when the client detected the risk.
Status The state of the detected file.
Current Location The path to the folder of the infected file if it remains on the computer.
Primary Action The configured first action for the detected risk.
Secondary Action The configured second action for the detected risk.
Action Description An explanation of the action that the client performed on the detected risk, if any.
Date and Time Displays the date and time that the client detected the risk.

When a virus is detected, the client tries to complete the action that you designated. If the action fails, the client performs
the second action that was designated for that type of virus and scan.
You can right-click on the name of a detected risk to display a list of post-scan actions. Not all actions apply to every type
of risk.

Table 61: Actions

Option Description

Exclude Ensures that future scans ignore the virus or risk.
Clean Removes the virus from the infected file.
If the client successfully cleans a virus from a file, you don’t need to take any other action. Your computer is
free of viruses and is no longer susceptible to the spread of that virus into other areas of your computer.
When the client cleans a file, it removes the virus from the infected file, boot sector, or partition tables. This
removal process eliminates the ability of the virus to spread.
In some instances the cleaned file might not be usable. This unusable state is a result of the virus infection
and not a result of the clean action.
Some infected files cannot be cleaned.
Delete Permanently Deletes the infected file from your computer’s hard drive.
Use this action only if you can replace the file with a backup copy that is free of viruses or security risks.
After the file is permanently deleted, it cannot be recovered from the recycle bin.
Note: Use this action with caution when you configure actions for security risks, because deleting security
risks might cause applications to lose functionality.
Undo action taken Reverts the action that the client performed on the detected risk.
This reversal is not always possible. For example, the client cannot restore a file that it deleted.
Move to Quarantine Does one of the following:
• For viruses, moves the infected file from its original location to the Quarantine. Infected files within the
Quarantine cannot spread viruses.
• For security risks, moves the infected files from their original location to the Quarantine and tries to
remove or repair any side effects.
Quarantine contains a record of all actions that were performed. This record lets you return the
computer to the state that existed before the client removed the risk.
Properties Displays more details about the detected risk.

Outlook Protection Advanced Options

Use this dialog box to determine whether to scan the contents of compressed files that are attached to Microsoft Outlook
messages. You can also set the depth at which to scan compressed files within compressed files.

Scan Notification Options

You can configure notification options for Auto-Protect scans of Outlook email. You can enable or disable the display of a
message when Auto-Protect finds a virus or a security risk.
For managed clients, your administrator may lock these settings.

Table 62: Notification options

Option Description

Detection options Display a notification message when a risk is detected: Enables or disables notifications on infected
computers when Auto-Protect or a user-defined scan finds a virus or a security risk.
You can modify the type of information that you want to appear in the message. You can use the default
text or you can delete text and type in your own text. If you right-click inside of the text box, you can insert
variable fields into the notification text. In the message itself, the relevant text automatically replaces the
variable fields.
The Message variables table lists the default message variables and the variables that you can add.

Table 63: Message variables

Field Description

LoggedBy The type of scan that detected the virus or security risk.
Event The type of event, such as “Risk Found.”
SecurityRiskName The name of the virus or security risk that was found.
PathAndFilename The complete path and name of the file that the virus or the security risk has infected.
Location The drive on the computer on which the virus or security risk was located.
Computer The name of the computer on which the virus or security risk was found.
User The name of the user who was logged on when the virus or security risk occurred.
ActionTaken The action that was taken in response to detecting the virus or security risk. This action can be either the
first action or second action that was configured.
DateFound The date on which the virus or security risk was found.
Status The state of the file: Infected, Not Infected, or Deleted.
Filename The name of the file that the virus or the security risk has infected.
StorageName The affected area of the application, such as Microsoft Outlook Auto-Protect.
ActionDescription A full description of the actions that were taken in response to detecting the virus or security risk.
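The following Python script is an added illustration, not code from the product or from this guide; it serves both the email variable fields table earlier in this section and the message variables table above. It renders a message template by replacing variable fields with detection values and rejects any field that the chosen text box does not offer, which is the practical meaning of the note that not all variable fields are available in each text box. The square-bracket token syntax, the function names, and the sample detection values are assumptions. The script also flattens line breaks in values placed on a subject line, because those values (the original subject, the sender address) originate from the incoming message rather than from the client.

```python
"""Render detection messages from a template with variable fields, per text box."""
import re
from typing import Dict, List, Mapping, Set

# Fields offered by the email text boxes (email variable fields table) and by the notification
# text (message variables table). Not every field is available in every text box.
EMAIL_FIELDS: Set[str] = {
    "OriginalAttachmentName", "SecurityRiskName", "ActionTaken", "Status", "Filename",
    "PathAndFilename", "Computer", "User", "DateFound", "EmailSender", "EmailRecipientList",
    "StorageName", "EmailSubject",
}
NOTIFICATION_FIELDS: Set[str] = {
    "LoggedBy", "Event", "SecurityRiskName", "PathAndFilename", "Location", "Computer", "User",
    "ActionTaken", "DateFound", "Status", "Filename", "StorageName", "ActionDescription",
}
TEXT_BOXES: Dict[str, Set[str]] = {"email": EMAIL_FIELDS, "notification": NOTIFICATION_FIELDS}

# Assumed token syntax: a field name in square brackets, for example [SecurityRiskName].
TOKEN = re.compile(r"\[([A-Za-z]+)\]")


def unknown_fields(template: str, text_box: str) -> List[str]:
    """Fields used in the template that the given text box does not offer."""
    return sorted(set(TOKEN.findall(template)) - TEXT_BOXES[text_box])


def _format_value(value) -> str:
    if isinstance(value, (list, tuple)):  # for example EmailRecipientList
        return "; ".join(str(v) for v in value)
    return str(value)


def render(template: str, values: Mapping[str, object], text_box: str,
           single_line: bool = False) -> str:
    """Replace each variable field with its value.

    Unknown fields are rejected rather than left in the output. single_line flattens
    line breaks in substituted values, for text that ends up on a subject line.
    """
    bad = unknown_fields(template, text_box)
    if bad:
        raise ValueError(f"fields not available in the {text_box} text box: {bad}")

    def substitute(match) -> str:
        text = _format_value(values.get(match.group(1), ""))
        return re.sub(r"[\r\n]+", " ", text) if single_line else text

    return TOKEN.sub(substitute, template)


# Constructed detection record standing in for the values the client would fill in.
SAMPLE_DETECTION = {
    "OriginalAttachmentName": "invoice.zip",
    "SecurityRiskName": "Sample.Risk",
    "ActionTaken": "Quarantined",
    "Status": "Infected",
    "EmailSender": "sender@example.com",
    "EmailRecipientList": ["alice@example.com", "bob@example.com"],
    "EmailSubject": "Quarterly report\r\nsecond line",
    "LoggedBy": "Scheduled Scan",
    "Event": "Risk Found",
}


def sample_email() -> Dict[str, str]:
    """Subject and body for the constructed detection, using the email text box fields."""
    subject = render("Virus found in message: [EmailSubject]", SAMPLE_DETECTION, "email",
                     single_line=True)
    body = render("Attachment [OriginalAttachmentName] from [EmailSender] to [EmailRecipientList] "
                  "contains [SecurityRiskName]. Action taken: [ActionTaken]. Status: [Status].",
                  SAMPLE_DETECTION, "email")
    return {"subject": subject, "body": body}


if __name__ == "__main__":
    print(sample_email())
    print(unknown_fields("[Event] in [Filename]", "email"))  # Event is a notification-only field
```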

Notification options
Use this window to select notification and remediation options.

Table 64: Notification options

Option Description

Detection options Displays a customized message on an infected computer.
Remediation options Automatically terminates processes or stops services when a virus is found.

Proactive Threat Protection

This section includes help on the dialog boxes for behavior analysis (SONAR) on the Change Settings > Proactive
Threat Protection page.

Behavioral Analysis
You can change how behavioral analysis handles certain types of detections. You might want to change these settings to
reduce the number of false positive detections.
Behavioral analysis is formerly known as SONAR.

NOTE
If Auto-Protect is disabled and behavioral analysis is enabled, a behavioral analysis malfunction error appears
on the status page. When Auto-Protect is disabled, behavioral analysis loses some functionality but it can still
detect heuristic threats. For complete behavioral analysis protection, you should enable Auto-Protect.

Option Description

High risk detection / Low risk detection Configures the action for behavioral analysis detections of heuristic threats. Heuristic threats are
categorized as more likely to be malicious (high risk) or less likely to be malicious (low risk).
For low risk detections, you can disable any action. Behavioral analysis then only detects the applications
that are most likely malicious.
You can set the following actions:
• Remediate
Moves or tries to move the file that is associated with the detection to the local Quarantine on the
infected computer. Blocks the file and logs an event.
• Log: Allows the file and logs an event.
• Ignore: Allows the file and doesn't log an event.
When detection found Behavioral analysis can alert you when it makes a detection and the action is Quarantine or Remove. You
can select the following notifications:
• Show alert upon detection
• Prompt before terminating a process
• Prompt before stopping a service
Scan files on remote computers Enables or disables behavioral analysis scans on network drives.

System Change Detection

You can configure how behavioral analysis (SONAR) reacts when it detects DNS or host file changes.
NOTE
Behavioral analysis does not take any action when an entity tries to open or access a host file. Behavioral
analysis only takes action when an entity, such as Internet Explorer, modifies a host file.

Table 65: System change detection options

Option Description

DNS change detected / Host file change detected You can configure the following actions for behavioral analysis to take when an application tries to change
the DNS settings or a host file on the client computer:
Ignores the detection. This is the default action. This action might result in many notifications on your
client computers.
• Prompt
Prompts the user to allow or block the change. This action might result in large log files.
• Log Only
Allows the change but creates a log entry for the event.
• Block
Blocks the change.
Note: If you set the action to Block for a DNS change, you might block access to important applications
such as a VPN client. If you set the action to Block for Host file change detected, you might block your
applications that need to access the host file.
View List Click to view any user-defined exceptions for system change detections.

Take Action
You can use this dialog box to execute the desired action on detected risks. When you try to take an action on a risk
that appears in the Symantec Endpoint Protection Detection Results dialog box, the client determines if the action is
possible. If the action is possible, then the risk appears in the Take Action dialog box. If you want to execute the action,
you must click the button in the upper right corner of the dialog box. The button label depends on the desired action and
may be one of the following:
• Start Undo
• Start Clean
• Start Delete
• Quarantine
If the action does not appear for a risk, then the risk does not appear in the dialog box. You can close the dialog box to
return to the Symantec Endpoint Protection Detection Results dialog box.

Network and Host Exploit Mitigation

This section includes help on the dialog boxes for the firewall, the intrusion prevention system, and memory exploit
mitigation on the Change Settings > Network and Host Exploit Mitigation page.

Network Activity
Use the Network Activity dialog box to view the applications and the services that run on the client and that access the
network.

Table 66: Network Activity menu commands or right-click options

Option Description

Tools menu commands Displays the following menu command:
Test Network Security: Displays the Symantec Security site, where you can scan your computer for
viruses and risks.
Your administrator might have configured this menu command not to appear.
View menu commands Displays items in the Running Applications panel in several formats. You can also display the following
additional information about an application:
• Applications Details
Displays the information about the application, such as the path and the version number.
• Connection Details
Displays the information about the application's connection with the network.
You can display the following additional types of traffic:
• Show Windows Services
Displays or hides the Windows services that the client runs.
• Show Broadcast Traffic
Displays the broadcast traffic. If you uncheck Show Broadcast Traffic, it displays the unicast traffic.
Broadcast traffic is the network traffic that is sent to every computer in a particular subnet, and is not
directed specifically to your computer. Unicast traffic is the traffic that is directed specifically to your
computer.
Incoming and Outgoing graphs Displays the volume of the inbound traffic and the outbound traffic.
Incoming and Outgoing Traffic History graphs Displays real-time data about the last two minutes of the inbound traffic and the outbound traffic.
This display includes the traffic that is allowed and the traffic that is blocked. Green indicates the allowed
traffic, and red indicates the blocked traffic.
Attack History Graph Displays the number of attacks against your computer.
Running Applications panel Displays a list of the applications and services that currently access the network.
Note: Applications that are named with Unicode supplementary characters appear as two question marks.
You can right-click the panel to get the same menu commands as in the View menu.
On an unmanaged client, if you right-click an application in this list, you can also run the following
commands on the application:
• Allow
The client allows the application to access the network.
• Ask
A notification asks you whether you want the application to access the network the next time you
attempt to run the application.
• Block
The client blocks the application from accessing the network.
• Terminate
The client stops the process.
If you click either Allow or Block, the application is added to the list in the View Application Settings
dialog box.

View Application Settings

The Applications list displays the applications and services that have accessed the network connection. The application
appears in the list if the client asks the user to allow or block the application.
You can also add an application if you right-click it in the Network Activity dialog box and click either Allow or Block.
You can configure restrictions for the application, such as specifying the IP addresses and ports that an application uses.
You can remove the restrictions on the application by removing the application from the list. When that application tries to
connect to the network again, a message appears that asks you to allow or block the application.
NOTE
If there is a conflict between a firewall rule and these settings you configure for an application in this list, the
firewall rule setting has priority.

Table 67: Application-specific settings

Option Description

Application Settings Displays the file name, version number, action, and path for the application or service.
You can configure the client to take one of the following actions on the application:
• Allow
Gives an application full access to the network.
• Block
Prevents any access by an application to the computer or the network.
Configure Lets you configure additional settings for the selected application.

Configure Application Settings

You can configure the settings for a specific application or service that runs on your computer. Configuring settings
for a specific application is similar to creating a firewall rule. The difference is that it uses simpler criteria and
applies to one application only.
NOTE
If there is a conflict between a firewall rule and these settings, the firewall rule setting has priority. For example,
you might allow Internet Explorer in this dialog box but block Internet Explorer in a firewall rule. Therefore, the
client always blocks Internet Explorer.

Table 68: Configuring application-specific settings

Application name: Displays the name of the selected application or service.

Trusted IP(s) for the application: Specifies the IP address or the IP address ranges that the application can access.
You can choose IPv4 or IPv6 for the address type.
To select a range, enter the starting address, a hyphen (-), and then the ending address.
For example, for IPv6, enter:
FE80::2AA:FF:FE9A:4CA2-FE80::2AA:FF:FE9A:4CA9
Note: If you leave the Trusted IP(s) or port text fields blank, all traffic is allowed.

Remote server ports: Specifies the remote TCP or UDP ports or the ranges of remote ports that can be used for this
application.
The client blocks any unlisted ports.

Allow outgoing connections: Lets the application access the network.

Local ports: Specifies the local TCP or UDP ports or the ranges of local ports that can be used for this application.
The client blocks any unlisted ports.

Allow incoming connections: Lets the application run on the computer.

Allow ICMP traffic: Allows an outbound ICMP echo request (type:8, code:0) and an inbound ICMP echo reply (type:0,
code:0).

Allow while screen saver is activated: Allows an application to access the network when the client computer runs the
screen saver.

Enable scheduling: Specifies the time periods when the restrictions for the application are either in effect or are ignored.
• During the period below
Enables the rule only during the specified time period.
• Excluding the period below
Enables the rule at any time except for the specified time period.
• Beginning at
Specifies the month, day, hour, and minutes that the time period starts.
• Duration
Specifies the number of days, hours, and minutes that the time period lasts.
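The checks that Table 68 describes (trusted IP ranges, listed ports, the two ICMP echo types, screen saver and scheduling), as an added example that models them in Python; it is not code from the guide or from the product, and the field names, the AppSettings class and the decide() function are this example's own.

```python
# Added example (not Symantec code): a model of the per-application restrictions that Table 68 describes.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def parse_ip_ranges(spec):
    """Parse the Trusted IP(s) field: comma-separated addresses or 'start-end' ranges, IPv4 or IPv6.
    A blank field returns [], which (as the guide notes) means all addresses are allowed."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("-", 1)          # neither IPv4 nor IPv6 text contains a hyphen
        low = ipaddress.ip_address(parts[0].strip())
        high = ipaddress.ip_address(parts[1].strip()) if len(parts) == 2 else low
        if low.version != high.version or low > high:
            raise ValueError(f"invalid range: {item}")
        ranges.append((low, high))
    return ranges


def parse_ports(spec):
    """Parse a port field: comma-separated ports or 'low-high' ranges. Blank returns an empty set (all ports allowed)."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("-", 1)
        low = int(parts[0])
        high = int(parts[1]) if len(parts) == 2 else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {item}")
        ports.update(range(low, high + 1))
    return ports


@dataclass
class AppSettings:
    """Fields mirror the options in Table 68; the names are this example's own."""
    name: str
    trusted_ips: str = ""
    remote_ports: str = ""
    local_ports: str = ""
    allow_outgoing: bool = True
    allow_incoming: bool = True
    allow_icmp: bool = False
    allow_during_screen_saver: bool = True
    schedule_mode: Optional[str] = None           # None, "during" or "excluding" (the Enable scheduling choices)
    schedule_start: Optional[datetime] = None     # Beginning at
    schedule_duration: timedelta = timedelta(0)   # Duration

    def restrictions_in_effect(self, now):
        """Enable scheduling: restrictions apply inside the period ("during") or outside it ("excluding")."""
        if self.schedule_mode is None or self.schedule_start is None:
            return True
        in_period = self.schedule_start <= now < self.schedule_start + self.schedule_duration
        return in_period if self.schedule_mode == "during" else not in_period


def decide(settings, direction, remote_ip, remote_port, local_port, proto, now,
           screen_saver_on=False, icmp_type=None, icmp_code=None):
    """Return "allow" or "block" for one connection attempt; direction is "in"/"out", proto "tcp"/"udp"/"icmp"."""
    if not settings.restrictions_in_effect(now):
        return "allow"   # outside the scheduled period the application-specific restrictions are ignored
    if screen_saver_on and not settings.allow_during_screen_saver:
        return "block"
    if proto == "icmp":
        # "Allow ICMP traffic" covers only an outbound echo request (8/0) and an inbound echo reply (0/0).
        echo = (direction == "out" and (icmp_type, icmp_code) == (8, 0)) or \
               (direction == "in" and (icmp_type, icmp_code) == (0, 0))
        return "allow" if settings.allow_icmp and echo else "block"
    if direction == "out" and not settings.allow_outgoing:
        return "block"
    if direction == "in" and not settings.allow_incoming:
        return "block"
    addr = ipaddress.ip_address(remote_ip)
    trusted = parse_ip_ranges(settings.trusted_ips)
    if trusted and not any(low <= addr <= high for low, high in trusted if low.version == addr.version):
        return "block"
    remote = parse_ports(settings.remote_ports)
    if remote and remote_port not in remote:
        return "block"   # the client blocks any unlisted port
    local = parse_ports(settings.local_ports)
    if local and local_port not in local:
        return "block"
    return "allow"


# Constructed sample: the guide's IPv6 range plus one IPv4 host, HTTPS and a small port range, with the
# restrictions in effect only between 08:00 and 10:00 on a constructed date.
SAMPLE = AppSettings(
    name="example.exe",
    trusted_ips="FE80::2AA:FF:FE9A:4CA2-FE80::2AA:FF:FE9A:4CA9, 10.0.0.5",
    remote_ports="443, 8000-8010",
    allow_icmp=True,
    schedule_mode="during",
    schedule_start=datetime(2022, 11, 1, 8, 0),
    schedule_duration=timedelta(hours=2),
)
AT_NINE = datetime(2022, 11, 1, 9, 0)    # inside the period: restrictions apply
AT_NOON = datetime(2022, 11, 1, 12, 0)   # outside the period: restrictions ignored

if __name__ == "__main__":
    print(decide(SAMPLE, "out", "fe80::2aa:ff:fe9a:4ca5", 443, 50000, "tcp", AT_NINE))   # allow
    print(decide(SAMPLE, "out", "fe80::2aa:ff:fe9a:4caa", 443, 50000, "tcp", AT_NINE))   # block: past 4CA9
```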

Network and Host Exploit Mitigation: Firewall


Use this tab to enable firewall settings. These settings help detect and protect the client from the attacks that occur
through network traffic.

Table 69: Firewall settings

Enable Firewall: Enables or disables the firewall. If you disable the firewall, all traffic goes to and from the client. None
of the firewall rules or firewall settings are enabled.

Built-in Rules:
• Enable Smart DHCP
Allows only the outbound DHCP requests and inbound DHCP replies. Smart DHCP also allows DHCP renew.
Alternatively, to use DHCP, you must create a firewall rule that allows UDP traffic on remote ports 67 (bootps) and 68
(bootpc).
The Dynamic Host Configuration Protocol (DHCP) is a protocol that assigns a dynamic IP address to a device on a
network. Dynamic addresses enable a device to have a different IP address every time it connects to an enterprise
network. DHCP supports both static IP addresses and dynamic IP addresses. Dynamic addresses simplify network
administration because the software keeps track of IP addresses. Otherwise, the administrator must manually assign a
unique IP address every time a computer is added to an enterprise network. If a client moves from one subnet to
another, DHCP can make the appropriate adjustments to a client’s IP configuration.
• Enable Smart WINS
Allows the outbound WINS requests to and the corresponding inbound replies from assigned WINS servers only.
If a computer sends out a WINS request and the response comes back within five seconds, the communication is
allowed. All other WINS packets are dropped.
Alternatively, to use WINS you must create a firewall rule that allows UDP packets on remote port 137.
WINS provides a distributed database that registers and queries dynamic mappings of NetBIOS names for the
computers and the groups that a network uses. WINS maps the NetBIOS names to the IP addresses. WINS is used for
NetBIOS name resolution in the routed networks that use NetBIOS over TCP/IP. The NetBIOS names are a requirement
to establish networking services in earlier versions of Microsoft operating systems. The NetBIOS naming protocol is
compatible with network protocols other than TCP/IP, such as NetBEUI or IPX/SPX. However, WINS was designed
specifically to support NetBIOS over TCP/IP (NetBT). WINS simplifies the management of the NetBIOS namespace in
TCP/IP-based networks.
• Enable Smart DNS
Allows the outbound DNS requests to and the corresponding inbound replies from assigned DNS servers only.
If a computer sends out a DNS request and the response comes back within five seconds, the communication is
allowed. All other DNS packets are dropped.
To use DNS, you can also create a firewall rule that allows UDP traffic for remote port 53 (domain).

Traffic Settings:
• Enable NetBIOS protection
Blocks the NetBIOS traffic from an external gateway.
You can use Network Neighborhood file and printer sharing on a LAN and protect a computer from NetBIOS exploits
from any external network. This option blocks the NetBIOS packets that originate from the IP addresses that are not
part of the defined ICANN internal ranges. ICANN internal ranges include 10.x.x.x, 172.16.x.x, 192.168.x.x, and
169.254.x.x, with the exception of the 169.254.0.x and 169.254.255.x subnets. The NetBIOS packets include UDP 88,
UDP 137, UDP 138, TCP 135, TCP 139, TCP 445, and TCP 1026.
Note: NetBIOS protection can cause a problem with Microsoft Outlook if the client computer connects to a Microsoft
Exchange Server that is on a different subnet. You might want to add the IP address of the server to the list of
computers that intrusion prevention excludes. The client processes the excluded computers list before it processes the
built-in rules.
• Allow token ring traffic
Allows the client computers that connect through a token ring adapter to access the network, regardless of the firewall
rules on the client.
If you disable this setting, any traffic that comes from the computers that connect through a token ring adapter cannot
access the corporate network. The firewall does not filter token ring traffic. It either allows all token ring traffic or
blocks all token ring traffic.
• Enable anti-MAC spoofing
Allows the inbound and the outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to
that specific host. It blocks all other unexpected ARP traffic and logs it in the Security log.
Some hackers use MAC spoofing to try to hijack a communication session between two computers. Media access
control (MAC) addresses are the hardware addresses that identify the computers, the servers, the routers, and so forth.
When computer A wants to communicate with computer B, it may send an ARP packet to the computer.
Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends
an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds.
The client rejects all unsolicited ARP RESPOND messages.
• Enable network application monitoring
Allows the client to monitor changes to the network applications that run on the client computer. Network applications
send and receive traffic. The client detects whether an application's content changes.
• Block all traffic until the firewall starts and after the firewall stops
Blocks all inbound traffic to and outbound traffic from the client computer when the firewall does not run for any
reason.
The computer is not protected:
– After the client computer turns on and before the firewall service starts
– After the firewall service stops and the client computer stops
This time frame is a small security hole that can allow unauthorized communication. This setting prevents unauthorized
applications from communicating with other computers.
Note: When Network Threat Protection is disabled, the client ignores this setting.
• Allow initial DHCP and NetBIOS traffic
Allows the initial traffic that enables network connectivity. This traffic includes the initial DHCP and NetBIOS traffic that
allows the client to obtain an IP address.
• Enable denial of service detection
Denial of service detection is a type of intrusion detection. When it is enabled, the client blocks traffic if it detects a
pattern from known signatures, regardless of the port number or type of Internet protocol.
• Enable port scan detection
Monitors all incoming packets that any security rule blocks. If a rule blocks several different packets on different ports
in a short period of time, the client creates a Security log entry. Port scan detection does not block any packets. You
must create a security policy to block traffic when a port scan occurs.

Unmatched IP Traffic Settings: Controls the incoming IP traffic and outgoing IP traffic that does not match any firewall
rules. IP traffic includes the data packets that flow through IP networks and that use the TCP, UDP, and ICMP protocols.
Applications, mail exchanges, file transfers, ping programs, and Web transmissions are types of IP traffic.
You can configure the following IP traffic settings:
• Allow IP traffic
Allows any incoming traffic and outgoing traffic, unless a firewall rule states otherwise. For example, if you add a
firewall rule that blocks VPN traffic, the firewall allows all other traffic except for the VPN traffic.
• Allow only application traffic
Allows the traffic to and from applications and blocks the traffic that is not associated with any application. For
example, the firewall allows Internet Explorer but blocks VPN traffic, unless a rule states otherwise.
• Prompt before allowing application traffic
Displays a message that asks you whether to allow or block an application. For example, you may want to choose
whether or not to block media files. Or, you may want to hide broadcasts from the NTOSKRNL.DLL process. The
NTOSKRNL.DLL process can be an indication of spyware, because spyware often downloads and installs the
NTOSKRNL.DLL process.

Active Response Settings: Number of seconds to automatically block an attacker's IP address
Automatically blocks the IP address of a known intruder for a configurable number of seconds.
If the client detects a network attack, it can automatically block the connection to ensure that the client computer is
safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking
computer for a configurable period of time.
The IP address of the attacking computer is blocked for a single location.

Stealth Settings:
• Enable TCP resequencing
Prevents an intruder from forging or spoofing an individual’s IP address.
Hackers use IP spoofs to hijack a communication session between two computers, such as computer A and B. A
hacker can send a data packet that causes computer A to drop the communication. Then the hacker can pretend to be
computer A and communicate with and attack computer B. To protect the computer, TCP resequencing randomizes TCP
sequence numbers.
OS fingerprint masquerading works best when TCP resequencing is enabled.
Warning! TCP resequencing changes the TCP sequencing number when the client service runs. The sequencing
number is different when the service runs and when the service does not run. Therefore, the network connections are
terminated when you stop or start the firewall service. TCP/IP packets use a sequence of session numbers to
communicate with other computers. When the client does not run, the client computer uses the Windows number
scheme. When the client runs and TCP resequencing is enabled, the client uses a different number scheme. If the
client service suddenly stops, the number scheme reverts back to the Windows number scheme and Windows then
drops the traffic packets.
Furthermore, TCP resequencing may have a compatibility issue with certain NICs that causes the client to block all
inbound traffic and outbound traffic.
• Enable OS fingerprint masquerading
Prevents the detection of the operating system of a client computer. The client changes the TTL and identification
value of TCP/IP packets to prevent the identification of an operating system.
Note: OS fingerprint masquerading works best when TCP resequencing is enabled.
Warning! TCP resequencing may have a compatibility issue with certain NICs that causes the client to block all inbound
traffic and outbound traffic.
• Enable stealth mode Web browsing
Detects the HTTP traffic from a Web browser on any port and removes the following information: the browser name
and version number, the operating system, and the reference Web page. It stops Web sites from knowing which
operating system and browser the computer uses. It does not detect HTTPS (SSL) traffic.
Warning! Stealth mode Web browsing may cause some Web sites not to function properly. Some Web servers build a
Web page that is based on information about the Web browser. Because this option removes the browser information,
some Web pages may not appear properly or at all. Stealth mode Web browsing removes the browser signature, called
the HTTP_USER_AGENT, from the HTTP request header and replaces it with a generic signature.
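Two of the Traffic Settings in Table 69, NetBIOS protection and port scan detection, as an added example that models them in Python over a constructed list of blocked packets; this is not code from the guide or the product. The guide gives no window or threshold for port scan detection, so the 10-second window and the 5-port threshold are assumptions, as is reading the guide's "172.16.x.x" literally as a /16.

```python
# Added example (not Symantec code): a model of two Traffic Settings from Table 69, NetBIOS protection and
# port scan detection, run over a constructed list of blocked packets.
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# The NetBIOS packets the guide lists, as (protocol, port).
NETBIOS_PORTS = {("udp", 88), ("udp", 137), ("udp", 138),
                 ("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 1026)}

# "ICANN internal ranges" as the guide words them: 10.x.x.x, 172.16.x.x, 192.168.x.x and 169.254.x.x.
# Assumption: 172.16.x.x is taken literally as a /16; the full RFC 1918 block is 172.16.0.0/12.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16", "169.254.0.0/16")]
# ... with the exception of the 169.254.0.x and 169.254.255.x subnets.
EXCLUDED_SUBNETS = [ipaddress.ip_network(n) for n in ("169.254.0.0/24", "169.254.255.0/24")]


def is_internal_source(src_ip: str) -> bool:
    """True if the source falls in the internal ranges, honouring the two excluded link-local subnets."""
    addr = ipaddress.ip_address(src_ip)
    if addr.version != 4:
        return False      # assumption: the guide lists IPv4 ranges only, so anything else counts as external
    if any(addr in net for net in EXCLUDED_SUBNETS):
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def netbios_protection_blocks(src_ip: str, proto: str, dst_port: int) -> bool:
    """Enable NetBIOS protection: block a NetBIOS packet whose source is outside the internal ranges."""
    if (proto.lower(), dst_port) not in NETBIOS_PORTS:
        return False      # not a NetBIOS packet; other rules decide
    return not is_internal_source(src_ip)


class PortScanDetector:
    """Enable port scan detection: watch packets that rules blocked and log when one source hits several
    different ports in a short period. Window and threshold are this example's assumptions."""

    def __init__(self, window_seconds: float = 10.0, threshold: int = 5):
        self.window = window_seconds
        self.threshold = threshold
        self._blocked: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def record_blocked(self, ts: float, src_ip: str, dst_port: int) -> Optional[str]:
        """Call for every packet a rule blocked; returns a Security log line when the threshold is reached.
        Like the setting in the guide, it only logs; it never blocks anything itself."""
        history = self._blocked[src_ip]
        history.append((ts, dst_port))
        while history and ts - history[0][0] > self.window:
            history.popleft()                      # forget blocked packets older than the window
        distinct_ports = {port for _, port in history}
        if len(distinct_ports) >= self.threshold:
            history.clear()                        # one log entry per burst
            return f"Security log: port scan from {src_ip}, {len(distinct_ports)} ports within {self.window:g}s"
        return None


# Constructed sample of blocked inbound packets: (timestamp, source, protocol, destination port).
SAMPLE_BLOCKED = [
    (0.0, "203.0.113.9", "tcp", 21),
    (0.5, "203.0.113.9", "tcp", 22),
    (1.0, "203.0.113.9", "tcp", 23),
    (1.5, "203.0.113.9", "tcp", 25),
    (2.0, "203.0.113.9", "tcp", 80),
    (30.0, "198.51.100.4", "udp", 53),   # one host retrying one port is not a scan
    (31.0, "198.51.100.4", "udp", 53),
]


def run_sample() -> List[str]:
    """Feed the sample through the detector and return the log entries it produced."""
    detector = PortScanDetector()
    entries = []
    for ts, src, _proto, port in SAMPLE_BLOCKED:
        entry = detector.record_blocked(ts, src, port)
        if entry:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    print(netbios_protection_blocks("203.0.113.5", "tcp", 445))   # True: external source to TCP 445
    for line in run_sample():
        print(line)
```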

Network and Host Exploit Mitigation: Notifications


This dialog box enables notifications to appear in the notification area icon in the following situations:
• Every time an IPS signature detects an intrusion attempt. If the client detects a second attack while a previous
notification is displayed, you continue to see only one notification.
• Every time Memory Exploit Mitigation blocks an exploit or terminates an application from running. For example, you
may see the following notifications:
Symantec Endpoint Protection: Attack: Structured Exception Handler Overwrite detected
Symantec Endpoint Protection will terminate your application

On managed clients, your administrator might prevent you from configuring these settings.

Network and Host Exploit Mitigation Settings: Microsoft Windows Networking


Use this tab to specify the network adapter and network browsing rights.

Table 70: Microsoft Windows Networking options

Select the adapter you wish to configure: Specifies the network interface card through which the network traffic passes.

Browse files and printers on the network: Enables you to browse other computers, devices, and printers in your network.
Note: If you disable this option, you cannot copy files from network locations.

Share my files and printers with others on the network: Allows other users in your network to browse files and folders
on your computer.

Block Microsoft Windows Networking traffic while the screen saver runs: Automatically blocks all Network Neighborhood
traffic when your computer’s screen saver is activated. As soon as you use the computer again, the protection returns to
the previously assigned level.

Configure Firewall Rules


Use this dialog box to add, edit, enable, delete, and change the order of the firewall rules that you create.
The firewall automatically checks all inbound traffic and outbound traffic against these rules, and allows or blocks the
traffic accordingly. Each rule specifies the conditions that must exist for the rule to take effect as well as the effect the rule
has. These conditions include designated applications, ports and protocols, hosts, and designated time periods.
NOTE
If there is a conflict between a firewall rule and a specific application's setting that you configure in the View
Applications List dialog box, the firewall rule setting has priority. For example, if you allow Internet Explorer in
the applications list but you block it in a firewall rule, then the client always blocks Internet Explorer.

Add or Edit Firewall Rule: General


Use this dialog box to set the rule name, the rule action, the network adapter trigger, and several other general options.

Table 71: General firewall rule options

Rule name: Name of the rule.
Be specific when you name the rule. For instance, “Block After 1 AM” is a better name for a rule than “Rule1.”

Block this traffic: Blocks the traffic that is specified by the rule so that it does not access your network.

Allow this traffic: Lets the traffic that is specified by the rule access your network.

Apply this rule to the following network adapter: Applies the rule to the selected network adapter.

Apply this rule while the screen saver is: Activates the rule depending on the state of the screen saver:
• On
The rule is activated only when the screen saver is on.
• Off
The rule is activated only if the screen saver is off and all other conditions are satisfied.
• Either On or Off
The rule is unaffected by the screen saver.

Record this traffic in the Packet Log: Records the traffic that is affected by this rule in the Packet log.
You do not have to enable the Packet log for the client to record traffic.

Add or Edit Firewall Rule: Hosts


Use the host options to specify the source of the traffic that triggers the firewall rule. For example, you may want to allow
only the traffic from the computers that have an IP address range of 192.168.0.1 to 198.168.0.76.

Table 72: Host options

All hosts: Any IP address, MAC address, or subnet address and subnet mask.

MAC address: The unique hardware address that identifies computers, servers, routers, and other network devices.
The 12-character MAC address uses the hexadecimal format of xx-xx-xx-xx-xx-xx. The xx represents 0-9 and A-F or a-f.

IP addresses: IP address or IP address range.
Separate multiple IP addresses and multiple IP address ranges by using a comma (,). For example,
10.0.0.1, 192.168.0.1-198.168.0.76.

Subnet: Specifies the following information about the subnet:
• Subnet IP address
IP address of the subnet.
• Subnet mask
Network and node parts of the address. The subnet mask format is nnn.nnn.nnn.nnn. For example, you might use
255.255.255.0.

Add or Edit Firewall Rule: Ports and Protocols


You can define the network service that triggers the firewall rule. The service is based on its protocol, port, and the
direction of the traffic.

Table 73: Port and protocol options

Protocol: Applies the rule to one of the following protocols:
• All IP Protocols
Applies to any protocols on any port, for both the inbound and the outbound traffic.
• TCP
Packet filters that use TCP and UDP require you to define the originating and target port numbers of inbound and
outbound traffic. The port number identifies the application that runs over TCP and UDP. In the client, you can define
the remote ports and the local ports. Local and remote ports are commonly used to set up host-based firewalls.
• UDP
For UDP communications, the client analyzes the first UDP datagram and applies the action that is taken on the initial
datagram to all subsequent UDP datagrams for the current program session. Inbound or outbound traffic between the
same computers is considered part of the UDP connection.
If you specify either the TCP or the UDP protocol, configure the local port, remote port, and traffic direction.
– Remote ports
The ports on the computer that communicates with the client computer.
– Local ports
The ports on the client computer.
When the client computer connects to a remote desktop, the remote port is TCP port 3389. The local port is the same,
for both inbound traffic and outbound traffic.
If you do not select a port number, all ports trigger the rule. If you enter a port number for the local port, but not for
the remote port, then the specific local port you entered and all remote ports trigger the rule.
– Stateful UDP
For stateful UDP traffic, when a UDP connection is made, the inbound UDP communication is allowed, even if the
firewall rule blocks it. The firewall uses stateful inspection to track the connection information. For example, if a rule
blocks inbound UDP communications for a specific application, but you choose to allow an outbound UDP datagram,
all inbound UDP communications are allowed for the current application session. For stateless UDP, you must create a
firewall rule to allow the inbound UDP communication response. For the traffic that is initiated in one direction, you do
not have to create the rules that permit the traffic in both directions. TCP automatically includes stateful inspection.
A UDP session times out after 40 seconds if the application closes the port.
• ICMP
Controls the messages that report the errors in traffic communication, such as Echo Reply.
• Specific IP Protocol
Any type and code between 0 and 255.
• Ethernet
Ethernet protocols are the group of LANs that the IEEE 802.3 covers.

Traffic direction: Specifies the direction that the network traffic goes, in reference to your computer.
• Incoming
The traffic that goes to your computer.
• Outgoing
The traffic that comes from your computer.
• Both
The traffic that goes both to your computer and from your computer.

Add or Edit Firewall Rule: Applications
You can specify an application that triggers the firewall rule. For example, if you want to allow your computer to open
Internet Explorer and search for Web pages, you add iexplore.exe to the list. You must add the applications that are likely
to access your network connection or that you need to run regularly.

Table 74: Application options

Display selected applications only: Displays only the applications that are checked in the File Name column.
These applications trigger the rule.

Applications: Lists the file name, version number, and path and executable name of the application or service you want
to allow or block.
The File Name column includes a check box. If you check the check box for the selected application, the client either
allows or blocks the application. The firewall rule ignores applications when the check box is unchecked.

Add or Edit Firewall Rule: Scheduling


Use scheduling options to configure a time period when a rule is active or not active. For example, you may want the rule
to be inactive when you install new applications.

Table 75: Scheduling options

Enable Scheduling: Enables the scheduling feature.

During the time period below: Enables the rule to take effect during a certain time period.

Excluding the time period below: Enables the rule to take effect outside of a certain time period.

Beginning At: Specifies the month, day, hour, and minute that the schedule begins.

Duration: Specifies the number of days, hours, and minutes that a time period lasts.
For example, you may want the time period to start at 8 A.M. and end at 10 A.M. In the Beginning At group box, set the
Hour field to 08 (for 8 A.M.). In the Duration group box, set Hours to 2.

View Firewall Rules


Server rules are the rules that the administrator has configured for the client. Client rules are the rules that you create on
the client. The firewall processes server rules and client rules and settings in a particular order.
You can view the server rules, client rules, and client settings in one place. You can modify or change the order of a client
rule or client setting, but not a server rule. For server rules, you can only view whether the client blocks, allows, or asks
the user to allow or block a specified type of traffic.
You can only view this dialog box if the administrator has made that option available.

Table 76: Order that the firewall processes server rules and client rules

First: Server rules with high priority levels as assigned by your administrator
Second: Client rules
Third: Server rules with lower priority levels
Fourth: Client Network Threat Protection settings
Fifth: Client application-specific settings
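The processing order in Table 76, together with the rule in the notes above that a firewall rule always wins over an application-specific setting, as an added example that models it in Python; this is not code from the guide or the product. The fourth tier is simplified to the Unmatched IP Traffic setting, and the Rule and FirewallConfig classes, decide() and the constructed configuration are this example's own assumptions.

```python
# Added example (not Symantec code): a model of the five-tier order in Table 76 and of the rule-versus-
# application-setting precedence the guide's notes describe. First matching tier wins.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow", "block" or "ask"
    app: Optional[str] = None          # executable the rule applies to; None matches any application
    remote_port: Optional[int] = None  # None matches any remote port
    direction: str = "both"            # "in", "out" or "both"

    def matches(self, app: Optional[str], remote_port: int, direction: str) -> bool:
        if self.app is not None and (app is None or self.app.lower() != app.lower()):
            return False
        if self.remote_port is not None and self.remote_port != remote_port:
            return False
        return self.direction == "both" or self.direction == direction


@dataclass
class FirewallConfig:
    server_high: List[Rule]        # first: server rules with high priority
    client_rules: List[Rule]       # second: client rules
    server_low: List[Rule]         # third: server rules with lower priority
    unmatched_mode: str            # fourth (simplified): "allow_ip", "allow_app_only" or "prompt"
    app_settings: Dict[str, str]   # fifth: View Application Settings list, executable -> "allow"/"block"


def decide(cfg: FirewallConfig, app: Optional[str], remote_port: int, direction: str) -> Tuple[str, str]:
    """Return (action, reason). Rules are consulted before settings, so a rule always beats an
    application-specific setting, as the guide's Internet Explorer example states."""
    tiers = (("server rule (high)", cfg.server_high),
             ("client rule", cfg.client_rules),
             ("server rule (low)", cfg.server_low))
    for tier_name, rules in tiers:
        for rule in rules:
            if rule.matches(app, remote_port, direction):
                return rule.action, f"{tier_name}: {rule.name}"
    if app is None:
        # Traffic not associated with any application is allowed only by "Allow IP traffic".
        if cfg.unmatched_mode == "allow_ip":
            return "allow", "unmatched IP traffic: allow IP traffic"
        return "block", "unmatched IP traffic: not associated with an application"
    if app.lower() in cfg.app_settings:
        return cfg.app_settings[app.lower()], "application-specific setting"
    if cfg.unmatched_mode == "prompt":
        return "ask", "unmatched IP traffic: prompt before allowing application traffic"
    return "allow", "unmatched IP traffic: application traffic allowed"


# Constructed configuration that reproduces the guide's example: Internet Explorer is allowed in the
# application list but blocked by a client rule, so the client blocks it.
SAMPLE = FirewallConfig(
    server_high=[Rule("Block telnet", "block", remote_port=23)],
    client_rules=[Rule("Block Internet Explorer", "block", app="iexplore.exe"),
                  Rule("Allow RDP", "allow", remote_port=3389, direction="out")],
    server_low=[Rule("Block RDP", "block", remote_port=3389)],
    unmatched_mode="allow_app_only",
    app_settings={"iexplore.exe": "allow", "putty.exe": "allow"},
)

if __name__ == "__main__":
    print(decide(SAMPLE, "iexplore.exe", 443, "out"))   # ('block', 'client rule: Block Internet Explorer')
    print(decide(SAMPLE, "mstsc.exe", 3389, "out"))     # client rule beats the lower-priority server rule
```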

Network and Host Exploit Settings: Intrusion Prevention


Use this tab to configure intrusion prevention system settings. These settings help detect and protect the client from the
attacks that match known intrusion patterns.
On a managed client, your administrator might lock these settings.

Table 77: Intrusion prevention settings

Enable Network Intrusion Prevention: Applies network IPS signatures and exceptions to IPS signatures to inbound and
outbound traffic on the client.
Network attacks are logged in the Security log. You can configure notifications to appear if the client computer detects
an attack.
Typically, you should always enable this option. This option is enabled by default.

Enable URL Reputation: Identifies threats from domains and URLs, which can host malicious content such as malware,
fraud, phishing, and spam. The URL reputation feature blocks access to the web addresses that are identified as known
sources of the malicious content.
Available in 14.3 RU1.

Enable Browser Intrusion Prevention: Applies IPS web browser signatures to inbound and outbound browser traffic on
the client.
When this option is enabled, the client compares the browser signatures to inbound and outbound traffic from
browsers. Supported browsers include Internet Explorer and Firefox. Other browsers are not supported. For information
about specific browser versions, see:
Supported Browser versions for Browser Intrusion Prevention in Endpoint Protection
Browser attacks are logged in the Security log.
For some browser attacks, intrusion prevention requires that the client terminate the browser. A notification appears
on the client computer.
Typically, you should always enable this option. This option is enabled by default.

Log detections but do not block: You can use this option to log the detections that Browser Intrusion Prevention makes
without blocking any traffic. This option can be helpful when you troubleshoot web connectivity issues.
You should disable log-only mode after a short period of time to provide the best protection for your computer.

Memory Exploit Mitigation


Memory Exploit Mitigation stops vulnerability attacks on commonly used applications that run on your client computers.
To stop an exploit, Memory Exploit Mitigation sometimes needs to terminate an application. A message appears on your
computer to tell you that the client terminated the application.

Symantec Endpoint Protection will terminate your application

If you think that the detection is erroneous, uncheck Enable Memory Exploit Mitigation and rerun the application. Report
the false detection to your administrator, and then reenable Memory Exploit Mitigation protection.
On managed clients, your administrator might prevent you from changing this setting.

Web and Cloud Access Protection


This section includes help for Web and Cloud Access Protection on the Change Settings > Web and Cloud Access
Protection page.

Web and Cloud Access Protection Settings


Web and Cloud Access Protection redirects network traffic or web traffic only to the Symantec Web Security Service
(WSS). The rules on the WSS either allow or block the traffic on the client.

Enable Web and Cloud Access Protection: Enables or disables Web and Cloud Access Protection on the client. This
option is only available if the Symantec Endpoint Protection administrator makes it available. However, you cannot
configure the redirection method. You should keep this protection enabled unless you or the administrator need to
troubleshoot issues with the client.

Exceptions
This section includes help on dialog boxes for scan exceptions on the Change Settings > Exceptions page.

Exceptions: User-defined Exceptions


Use this tab to exclude files, folders, risks, and processes from being scanned. For example, you might want to exclude a
file that you know is safe. Excluding a file from being scanned can improve the performance of a scan.

Table 78: Exception options

Security Risk Exception: Known risks, files, folders, and extensions to exclude from virus and spyware scans. You can
also exclude a trusted Web domain.

SONAR Exception: Select a folder to exclude from SONAR. If you want to exclude a particular process, specify an
application exception instead.

Application Exception: Specifies an application to which you want to apply an action. The action overrides the default
scan action for the application. The exception applies to all scans.
You can specify any of the following actions:
• Ignore
Excludes the application from detection by future scans. This action is the default action.
• Log only
Adds an entry in the Proactive Threat Protection threat log when the application is detected.
• Quarantine
Quarantines the application when it launches.
• Terminate
Stops the application when it launches but does not remove it from the computer.
• Remove
Stops the application when it launches and removes it from the computer.
Note: The Quarantine, Terminate, and Remove actions apply when the specified application runs. The Ignore and Log
only actions apply when the client detects the application.

DNS or Host File Change Exception: Create an exception for an application to make a DNS or host file change.
Behavioral analysis (SONAR) typically prevents system changes like DNS or host file changes. You might need to make
an exception for a VPN application, for example.
Note: The DNS or host file change exception does not exempt the application from detection by behavioral analysis.
Behavioral analysis always detects the application if it exhibits potentially malicious behavior.
You can specify any of the following actions:
• Ignore
Excludes the application from detection when it makes a DNS or host file change.
• Prompt
Prompts the user to allow or block a DNS or host file change by the specified application.
• Block
Stops the application from making a DNS or host file change.
• Log only
Adds an entry in the scan logs when behavioral analysis detects a DNS or host file change that is made by the
specified application.
Note: Behavioral analysis applies the specified action when the application tries to make a host file change or modify
DNS settings. Behavioral analysis does not apply an action when the application only opens or accesses a host file or a
file that contains DNS settings.

Known Security Risk Exceptions


Use this dialog box to select the known security risks that virus and spyware scans should exclude. Higher ratings indicate
higher risk.

Table 79: Security risk exception options

Security risk table: The columns in the known security risk table display the following column headings:
• Security Risk
The names of known security risks. If you want to exclude a security risk, check the check box adjacent to its name.
• Risk Category
The type of risk, such as Misleading Application.
• Overall Rating
The general assessment of the security risk's severity. This assessment is based on the combination of the security
risk's privacy rating, its performance rating, its stealth rating, and its removal rating.
• Privacy Impact Rating
The degree to which the security risk threatens your private information.
• Performance Impact Rating
The degree to which the security risk affects your computer's performance.
• Stealth Rating
The degree to which the security risk tries to hide to prevent detection and removal.
• Removal Rating
The degree to which the security risk makes itself easy to remove.
• Dependent Program
Whether or not applications might rely on the security risk to function properly.

Log when the security risk is detected: When the scan detects a known security risk, the scan records the detection in
the Risk Log. The scan logs the detection even if the risk is excluded from the scan.

Security Risk Extension Exceptions

Use this dialog box to specify the file types that virus and spyware scans should exclude. You can add only one extension
at a time. You can include a space in an extension name.
If you want to add multiple extensions, type a single extension name and then add the extension. Repeat this step for
each extension that you want to add. Do not type multiple extensions in the Add text box. If you type multiple extensions,
the client treats the entry as a single extension name.

Table 80: Extension exceptions

Add: Adds an extension to the list of extensions that you want to exclude from the scans.
Note: Do not type the leading dot (.). For example, type exe instead of .exe.
Remove: Removes an extension from the list.

Trusted Web Domain Exception

You can exclude a Web domain from Download Insight detections and behavioral analysis (SONAR). When you exclude a
Web domain, files that you download from the Web domain are always allowed. Any allowed files, however, are scanned
by Auto-Protect and any administrator- or user-defined scans.

By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. You
configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab.
You can disable the Download Insight setting for intranet sites in the Virus and Spyware Protection settings.
You must enter a single domain or IP address when you specify a trusted Web domain exception. You can specify only
one domain at a time. Port numbers are not supported. You must specify an IP address for an FTP location.
You can specify a URL, but the exception uses only the domain name portion of the URL. If you specify a URL, you can
prepend the URL with either HTTP or HTTPS (case-insensitive), but the exception applies to both.
For example, any one of the following entries produces the same exception:
• test.domain.com
• test.domain.com/mydocs
• HTTP://test.domain.com/mydocs
• https://test.domain.com
Regardless of whether you navigate to test.domain.com through HTTP or HTTPS, Download Insight and behavioral
analysis exclude the domain. If you navigate to any location within the domain (such as mydocs), you can download files
from that location.
When you specify an IP address, the exception applies to both the specified IP address and its corresponding host name.
For example, you must specify an IP address for FTP locations. If you navigate to the FTP location through its URL, the
client resolves the host name to the IP address and applies the exception.
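As an added example (not code from the Symantec client), the following Python models the entry rules above: it reduces an entry to the domain or IP address the exception covers, rejects entries the guide says are not accepted (a port number, more than one domain, an FTP location given by name), and checks whether a download URL falls under an exception. The exact-host matching and the caller-supplied resolver that stands in for the client's host-name-to-IP lookup are assumptions of this example.

```python
"""Trusted Web Domain exception entries: which host an entry covers, and whether a URL matches it."""
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Schemes the guide mentions: HTTP/HTTPS for entries, FTP locations by IP address.
KNOWN_SCHEMES = ("http", "https", "ftp")


def _is_ip(value: str) -> bool:
    """True when value is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def _split(entry: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Split an entry or URL into (scheme, host, port).

    The scheme is optional and case-insensitive; without one, http is assumed.
    Path, query and fragment are discarded, which mirrors the guide's statement
    that only the domain name portion of a URL is used.
    """
    entry = entry.strip()
    if "://" in entry:
        scheme, rest = entry.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = "http", entry
    parts = urlsplit(f"{scheme}://{rest}")
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        raise ValueError(f"malformed port in {entry!r}") from None
    return scheme, parts.hostname, port  # hostname is already lower-cased


def normalize_trusted_domain(entry: str) -> str:
    """Return the domain or IP address that an exception entry actually covers.

    Raises ValueError for entries the guide says are not accepted: more than one
    domain, a port number, or an FTP location given by host name.
    """
    if not entry or not entry.strip():
        raise ValueError("empty entry")
    if any(ch.isspace() for ch in entry.strip()):
        raise ValueError("specify only one domain or IP address per exception")
    scheme, host, port = _split(entry)
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if not host:
        raise ValueError("entry contains no domain name or IP address")
    if port is not None:
        raise ValueError("port numbers are not supported")
    if scheme == "ftp" and not _is_ip(host):
        raise ValueError("FTP locations must be specified by IP address")
    return host


def is_valid_entry(entry: str) -> bool:
    """Convenience wrapper: would this entry be accepted as a single exception?"""
    try:
        normalize_trusted_domain(entry)
    except ValueError:
        return False
    return True


def exception_covers(exception_host: str, url: str,
                     resolve: Optional[Callable[[str], Optional[str]]] = None) -> bool:
    """Does a download from url fall under the exception for exception_host?

    Assumption of this example: matching is on the exact host only (the guide
    does not say that sub-domains are covered). When the exception is an IP
    address, the URL's host name is also tried after resolving it with the
    caller-supplied resolver, standing in for the client's own name resolution
    for FTP locations that are reached by URL.
    """
    exception_host = exception_host.strip().lower()
    try:
        _scheme, host, _port = _split(url)
    except ValueError:
        return False
    if not host:
        return False
    if host == exception_host:
        return True
    if resolve is not None and _is_ip(exception_host):
        return resolve(host) == exception_host
    return False


if __name__ == "__main__":
    # Constructed entries, not values from the guide beyond test.domain.com.
    for entry in ("test.domain.com", "HTTP://test.domain.com/mydocs",
                  "test.domain.com:8080", "ftp://files.example.com"):
        print(f"{entry!r}: valid={is_valid_entry(entry)}")
```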

Quarantine
This section includes help for the View Quarantine page.

View Quarantine
Use this window to manage the files in the quarantine.
NOTE
The language of the operating system on which you run the client might not be able to interpret some characters
in risk names. If the operating system cannot interpret the characters, the characters appear as question
marks in notifications. For example, some Unicode risk names might contain double-byte characters. On those
computers that run the client on an English operating system, these characters appear as question marks.

Table 81: Quarantine options

Restore: Restores a file to its original location and removes it from the quarantine. Restore the file if you think it was
incorrectly quarantined as a false positive. Occasionally, a clean file does not have a location to which to be returned.
For example, an infected attachment may have been stripped from an email and placed in the quarantine. You must release
the file and specify a location.
Delete: Deletes the files from the quarantine. By default, the quarantine automatically deletes files after 30 days, but
your administrator may configure a different period of time.
Rescan All: Rescans the files in the quarantine to determine if they can be cleaned, repaired, and restored. After
definitions are updated on the client, the client also rescans the files.
Export: Exports a list of files into a spreadsheet or a database for analysis.
Add: Quarantines a file so that if the file has a virus or threat, it cannot infect your computer. When a scan detects a
threat, the client might not be able to perform the predefined actions, such as cleaning the file or quarantining the file.
If the preset action cannot complete, the client logs the event. You can manually import a file into the Quarantine
through the client. You can also use the entry in the Risk Log or the Scan Log to quarantine the file later.
Submit: You can submit a potentially infected item from the Quarantine to Symantec Security Response for analysis to
make sure that it is not infected. Symantec Security Response also uses this data to protect against new or developing
threats.
The submission option is not available if your administrator disables these types of submissions.
Purge Options: Removes items from the quarantine after a specified time interval or when the folder where the items are
stored reaches a certain size. This configuration prevents the buildup of files that you may forget to remove manually.
Note: Your administrator may specify the parameters by which items are allowed to stay in the Quarantine. Items are
automatically deleted from the Quarantine after those parameters are met.

Purge Options: Quarantine Items

Use this dialog box to schedule the client to automatically purge quarantined files.

Table 82: Quarantine purge options

Length of time stored exceeds: Delete quarantined items after the specified amount of time. You can adjust the number of
days, months, or years to wait before the client deletes an item.
Total folder size exceeds: Automatically deletes quarantined items when a folder reaches its defined size limit. The client
deletes the oldest files in the folder until the size returns to its limit.

Purge Options: Backup Items

Use this dialog box to schedule the client to automatically purge backed up files.

Table 83: Backup purge options

Length of time stored exceeds: Enable this check box to delete backed up items after the specified amount of time. You can
adjust the number of days, months, or years to wait before the client deletes an item.
Total folder size exceeds: Enable this check box to automatically purge backed up items to keep the folder within its
defined size limit. When the folder exceeds its limit, the client deletes the oldest files in the folder until the size
returns to its limit.

Purge Options: Repair Items

Use this dialog box to schedule the client to automatically purge repaired files.

Table 84: Repair purge options

Length of time stored exceeds: Enable this check box to delete repaired items after the specified amount of time. You can
adjust the number of days, months, or years to wait before the client deletes an item.
Total folder size exceeds: Enable this check box to automatically purge repaired items to keep the folder within its
defined size limit. When the folder exceeds its limit, the client deletes the oldest files in the folder until the size
returns to its limit.

Client Management
This section includes help for the Client Management dialog box on the Change Settings > Client Management page.

Client Management Settings: General

You can use this tab to display the notification area icon, change your location, and update your user information.

Table 85: General options

Show Symantec security icon in notification area: Displays or hides the product icon that appears in the Windows
notification area.
Use Windows toast for critical alerts: Appears only on client computers that run Windows 8. Enables or disables pop-up
notifications that appear on the Windows 8 style user interface for detections and other critical events.
Configure Proxy Options: Lets you set up a proxy server to use for external communications. If you use a proxy server, the
client is more secure, because the client does not communicate directly with the Internet.
Configure Reboot Options: Lets you configure a schedule for restarting the computer.
Location Options: Displays a list of available locations.
You can change the location to another location that is on the list. However, if any of the conditions are met for another
location, the client automatically and immediately switches to that location.
Applies to a managed client only.
User Information: Lets you update your user information, if the administrator has enabled this option.
Applies to a managed client only.
Enable Application and Device Control: You can enable or disable Application and Device Control rules. Application control
protects your computer by controlling the behavior of applications on your client computer. Device control protects your
computer from the hardware devices that you might plug into the computer, such as USB devices. In rare cases, application
control might interfere with some safe applications that you run, and you might want to temporarily disable this option.
This option does not prevent application and device control from examining processes and applications. The option only
enables or disables the policy rules that your administrator manages.
On managed computers, your administrator might prevent you from changing this option.

Proxy Server Settings

You may want to use a proxy server for external communications. No action is needed if you plan to use the default
setting, which is to use your browser settings for a proxy server. For example, if you use Internet Explorer as your default
Web browser, then you can use your Windows Internet Options for the proxy server.
NOTE
The proxy that you configure here is used for all external communications except LiveUpdate. If you want to use
your default Windows Internet Options settings as the proxy settings for LiveUpdate, no action is needed. If you
want to set up a proxy for LiveUpdate that does not use your defaults, you must configure it from the LiveUpdate
tab.
Use the proxy server settings to indicate the following information:
• I do not use a proxy server
You do not want to use an HTTP or an HTTPS proxy server.
• I want to use the proxy server specified by my client browser (default)
You want to use your default Windows Internet Options settings for a proxy server.
• I want to use custom proxy settings
You want to customize the HTTP or HTTPS settings for the proxy server that you want to use.

Table 86: HTTP and HTTPS proxy settings

Host proxy: Enter the proxy server address, if needed.
Port: Enter the HTTP or HTTPS port on the server to use.
Authentication required: Check this option if your proxy server requires a user name and password.
User name: Enter the user name of the account to use for the proxy server.
Password: Enter the password of the account to use for the proxy server.
NT LAN Manager Authentication: Enables optional additional authentication through NT LAN Manager (NTLM). You must
include the domain name in the user name field, in the following format:
domain_name\user_name
The domain name cannot exceed 14 characters, and the user name cannot exceed 64 characters.
Note: If you select authentication for a system proxy or NT LAN Manager Authentication, any client versions earlier than
14.2 RU1 may lose communication.

Reboot Options
The following table describes the use cases to help you understand which options to use in various situations.

Table 87: Reboot options

Restart Computer:
• Immediately
Use this option when the client computer must be restarted without delay. Situations that may require an immediate
restart include malware remediation, schedule urgency, and proactive threat protection against an imminent threat.
• At this time
Use this option when an immediate restart may affect work, or the restart can be safely delayed. Be sure that you
understand the implications of delaying a restart when an active threat is present.
• Randomize start time
Use this option to avoid conflicts with other scheduled tasks. Use the Randomization hours setting to control the
behavior of this option.
• Randomization hours
Use this control to change the behavior of the Randomize start time option. You can alter the default randomization
setting within a range of 1 to 8 hours.
Restart Type:
• Do not restart
Not recommended. This option places the responsibility for restarting the computer with the user. Be sure that you
understand the implications of using this option, especially if an active threat is present.
• No prompt
This option is typically used with the At this time option to suppress the restart prompt during times when the user is
away from the computer.
• Prompt with a countdown up to
Use this option to display a prompt that informs the user that a restart is imminent. This option is especially useful
when used with the Immediately and At this time settings.
• Prompt and allow snooze up to
Use this option when the client computer must be restarted within a given period of time. This option gives the user a
chance to save data and exit programs, and ensures that the computer is restarted.
Restart Message: You can specify a message that lets the user know that the computer must be restarted.
Other Options: These options control the behavior of the client computer as it relates to other programs that may be
running at the time of the restart.
These options apply only to Windows clients. Mac clients always perform a hard restart.
• Hard restart
This option forces the client computer to restart regardless of any other activity occurring on the client computer. In
most cases, this option is used only in extreme circumstances.
• Restart immediately if the user is not logged in
If the user is not logged in when the restart request is sent, this option forces an immediate restart and overrides
other pending restart actions.

Client Management Settings: Tamper Protection

Tamper Protection provides real-time protection for the Symantec applications that run on servers and clients. It protects
Symantec processes and internal objects from the attacks that non-Symantec processes such as worms, Trojan horses,
viruses, and security risks may make. Tamper Protection can block or log the attempts to modify the Symantec processes
or the internal software objects that synchronize Symantec threads and processes.
On managed clients, your administrator might lock these settings.

Table 88: Tamper Protection options

Protect Symantec security software from being tampered with or shut down: Enables or disables Tamper Protection.
Action to take if an application attempts to tamper with or shut down Symantec security software: Specifies the action to
take if Tamper Protection detects a problem. Select from the following actions:
• Log only
This action logs the occurrence of unauthorized activity but lets the activity proceed.
• Block and do not log
This action blocks the unauthorized activity but does not log the occurrence.
• Block and log
This action blocks the unauthorized activity and logs the occurrence.

Client Management Settings: LiveUpdate

You can use this dialog box to determine when and how to update content, such as virus definitions and IPS signatures.
On managed clients, you can only schedule LiveUpdate to run if your administrator has enabled you to do so.

Table 89: Options for the LiveUpdate update schedule

Enable automatic updates: Enables the client to run LiveUpdate at scheduled intervals.
Frequency and Time: Indicates how often the client downloads protection updates and product updates.
The options that are available depend on the frequency you selected:
• Continuously: No selection is available.
• Every: You can select the number of hours between updates.
• Daily: You can select the time of day at which the update starts.
• Weekly: You can select the day of the week and the time of day to start the update.
Retry Window: If LiveUpdate fails, you can specify the time interval during which the client tries to run LiveUpdate again.
If the time interval is later than the next scheduled LiveUpdate download, LiveUpdate waits to try again until the next
scheduled time.
If LiveUpdate succeeds, LiveUpdate does not run again at the time interval that is specified here.
Randomization Options: Lets you minimize the effect of multiple clients trying to download updates at the same time. You
can configure the clients to download updates at random times. You can specify a range of time before or after the
scheduled update start during which the download occurs. The range of time can be days or hours, depending on the
frequency you selected.
Idle Detection: Delays the scheduled updates until the computer is idle. Overdue jobs eventually run unconditionally.
If this option is disabled, scheduled LiveUpdate sessions always run at the scheduled time, regardless of how busy the
computer is.
Proxy Options: Lets you set up a custom proxy server to use for LiveUpdate.

Client Management Settings: LiveUpdate Proxy Server Settings: HTTP
You may want to use a proxy server for LiveUpdate. No action is needed if you plan to use your Windows Internet Options
settings for a proxy server.
Use the proxy server settings to indicate the following information:
• You want to disable the use of an HTTP or HTTPS proxy server.
• You want to use your default Windows Internet Options settings for a proxy server.
• You want to customize the settings for the proxy server that you want to use.

Table 90: HTTP or HTTPS proxy settings

Server address: Enter the proxy server address, if needed.
HTTP Port and HTTPS Port: Depending on whether you use the HTTP protocol or the HTTPS protocol, enter the port to use
in the appropriate text box.
Authentication required: Check this option if your proxy server requires a user name and password.
Basic Authentication: This option requires you to enter the user name and password for the account that you want to use
for the proxy server.
NT LAN Manager Authentication: This option requires you to enter the user name and password for the account that you
want to use for the proxy server. You must also enter the name of the domain in which the server is located.

Client Management Settings: LiveUpdate Proxy Server Settings: FTP

You may want to use a proxy server for LiveUpdate. No action is needed if you plan to use your Windows Internet Options
settings for a proxy server.
Use the proxy server settings to indicate the following information:
• You want to disable the use of an FTP proxy server.
• You want to use your default Windows Internet Options settings for a proxy server.
• You want to customize the settings for the proxy server that you want to use.

Table 91: FTP proxy settings

FTP host proxy: Enter the address to use for the proxy server.
Port: Enter the port to use for the proxy server.

Client Management Settings: Submissions

By default, client computers send pseudonymous information to Symantec to improve threat protection and stop threats
faster.
If your organization is part of a Symantec-sponsored custom analysis program, the data you submit improves Symantec's
ability to respond to threats and customize protection for your computer.

NOTE
Symantec recommends that you allow submissions.

Table 92: Submissions options

Send pseudonymous data to Symantec to receive enhanced threat protection intelligence: Sends information to Symantec
that includes detection information as well as network and configuration information. Symantec pseudonymizes the client
submission data so that the data is not directly identified with a particular user. Symantec uses this information to
improve product security by resolving false positives and addressing malware attacks faster.
Symantec recommends that you keep this option on.
More Options: You can enable or disable specific types of submissions. The types include file reputation data, process
data, network data, and configuration data.
Allow Insight lookups for threat detection: Lets the client use Symantec's reputation database to make decisions about
threats. The reputation database is called Symantec Insight. Queries to the database are called Insight lookups.
Download Insight, virus and spyware scans, and behavioral analysis (SONAR) use Insight lookups for threat detection.
Symantec recommends that you allow Insight lookups if possible. Disabling Insight lookups disables Download Insight and
may impair the functionality of behavioral analysis and virus and spyware scans.
However, you can disable this option if you do not want to allow Symantec to query Symantec Insight. For example, your
company may require you to turn off external communications with the network so that data never leaves your computer.
This option is enabled by default.

Troubleshooting
This section includes help for the Help > Troubleshooting panels.

Troubleshooting: Management/Cloud Management

This panel displays information about the client and the client's protection.
NOTE
Use this panel only if directed to do so by your administrator or Symantec Technical Support.
• If your administrator manages this client from Symantec Endpoint Protection Manager, this panel is called Management.
• If your administrator manages this client from the cloud, this panel is called Cloud Management.
If the Symantec Endpoint Protection Manager domain is enrolled in the cloud console, the Hybrid Management panel
also appears.

Table 93: Management options

General Information:
• Server: The management server's IP address or DNS name. If the server is connected, the IP address appears. If the
client is managed but not currently connected to the server, the status appears as Offline. If the client is unmanaged,
the status appears as Self-managed.
• Group: The group to which the client belongs and from which it gets its protection.
• Last Connected: The date and time that the client last communicated with the management server.
• Host Integrity Status: If your client passed the Host Integrity check, the client accesses the network. If your client
fails the check, you may be asked to download software, or you may be redirected to a different network.
• Location Awareness/Location: Different locations can have different security policies assigned to them.
• Policy Serial Number: Serial number of the security policy that is downloaded from the management server.
Communication Settings: Lets you import a communications file (.xml). You use the communications file to convert a
managed client to an unmanaged client or an unmanaged client to a managed client. You receive the communications file
from your administrator.
Policy Profile: Lets you update, import, or export the policy file to the client. The policy file contains the settings for
protecting your computer.
Troubleshooting Data: Lets you save information about the client and the computer in a text file. The file also includes
general policy information, version numbers for definition files, and other information. You can email this file to your
administrator or Symantec Technical Support to help solve a problem you may have with the client or computer.

Table 94: Cloud management options

General Information:
• Cloud: The cloud server's address. If the server is connected, the address appears.
• Group: The group to which the client belongs and from which it gets its protection.
• Location Awareness/Location: Different locations can have different security policies assigned to them.
Policies: Lists the cloud-based policies that apply to and protect your client. This section does not display the Symantec
Endpoint Protection Manager-based policies.

Troubleshooting: Hybrid Management

This panel appears when a Symantec Endpoint Protection Manager domain is enrolled in the Symantec Endpoint Security
cloud console. This panel displays the cloud-based policies that the client receives from the cloud.

General Information: The cloud server address. If the client does not connect to the server, this field displays Not
Enrolled.
Policies: Lists the cloud-based policies that apply to the client. The policies that Symantec Endpoint Protection Manager
controls appear on the Management panel.
Policy Profile: Requests the policy from the cloud console and updates it on the client. Use this option to manually update
the policy.

Troubleshooting: Versions
You can use this panel to view the version numbers of the client's protection engines and the protection definition files.
NOTE
Use this panel only if directed to do so by an administrator or Symantec Technical Support.

Table 95: Versions information

Engines: Displays the version numbers of installed components.
Definitions: Displays the type, sequence number, and last-checked date of the currently installed virus definition files
and other definitions files.

Troubleshooting: Debug Logs

You can use this panel to configure and view the contents of the debug logs. Your administrator uses the information in
the logs to record information about the client and about the protection of your computer.
NOTE
Use this panel only if directed to do so by your administrator or by Symantec Technical Support.

Client Management Debug Log Settings

You can use this dialog box to configure a debug log to collect troubleshooting information about the following areas of the
client:
• Connection with the server
• Firewall events
• Location switching
• Host Integrity compliance
You send this information to your administrator or Symantec Technical Support. The log is a text file named
debug.log.
WARNING
If you enable this debug log, the log can increase in size very quickly. Therefore, only specify a setting if an
administrator or Symantec Technical Support tells you to.

Table 96: Client Management debug log settings

Debug On: Enables the log to start recording data.
Debug level: Records the scan events. The default value is 0 and is usually recommended for troubleshooting.
Log level: Records the firewall events. The log records information about blocked packets, including which rule is applied
and which application sent the packet. The default value is 0 and records all possible events.
Log file size (KB): Increases or decreases the size of the log file. The default log size is 256 KB. You might want to keep
the file size small to save space on the computer.

Troubleshooting: Windows Account


You can use this panel to view the profile of the current user.
NOTE
Use this panel only if directed to do so by Symantec Technical Support.

Table 97: Windows Account

User: The name, domain, and SID information of the user who is currently logged on.
Groups: A list of the names, domains, and attributes of the Active Directory groups to which the user belongs.
Privileges: A list of the names, display names, and attributes of the Active Directory privileges, or actions, that the user
can perform.

Symantec Endpoint Protection Debug Log Settings

You can use this dialog box to enable the client to collect troubleshooting information about scans. The log file name is a
text file called vpdebug.log.
WARNING
If you specify a setting, the log can increase in size very quickly. Therefore, only specify a setting if an
administrator or Symantec Technical Support tells you to.

Troubleshooting: Computer
You can use this panel to view configuration information for your computer.
NOTE
Use this panel only if directed to do so by Broadcom Technical Support.

Table 98: Computer information

Operating System: Displays the type and the version of the client operating system.
Computer: Lists the total number of processors on the client computer along with the manufacturer and the type of each
processor.
Memory: Lists the total and the available physical memory and virtual memory on the client computer.
Drive Space: Lists each drive on the client computer along with its corresponding total drive space and free drive space.

Troubleshooting: Install Settings
Use this dialog box to check the following about your client:
• Whether it has full-size definitions or reduced-size definitions. Reduced-size definitions are used on embedded or
virtual clients.
• Which protection technologies are installed on the client.

Troubleshooting: Client Upgrade

This panel displays information about the client upgrade.

Table 99: Client Upgrade options

Release Channel: Displays the release channel from which the client gets its updates. Possible values are:
• Previous release channel: Pushes the previous release build to clients.
• Latest release channel: Pushes the latest release build to clients.
Current Upgrade Sequence: Displays the LiveUpdate sequence number for the currently installed client. This value also
displays under Help > About and Help > Troubleshooting > Versions.
Chosen Upgrade Date: Displays a date for the next client upgrade when the administrator defines an upgrade date range.
Once the upgrade is available on LiveUpdate, the client selects a date from that range to upgrade the client software.

Troubleshooting: Server Connection Status or Common Cloud Connection Status

This panel displays the connection status between the client and the management server or the client and the cloud
server.
NOTE
Use this panel only if directed to do so by your administrator or Technical Support.
• If your administrator manages this client from Symantec Endpoint Protection Manager, this panel is called Connection
Status.
• If your administrator manages this client from the cloud, this panel is called Common Cloud Connection Status.
If you have trouble with client and server communication, first check to make sure that there are no network problems
before you call Technical Support.
You might need to check the communication for any of the following reasons:
• The client might not receive security policy updates.
• The client does not appear to connect to the server. The green dot does not appear in the client icon on the Windows notification area.
• Your virus definitions have not been updated in a long time.
• You want to check whether your client is managed or unmanaged. A managed client connects to the server but might
be offline. An unmanaged client never connects to a server.

Table 100: Connection status options

Status: Displays whether or not the client is currently connected to a server using the following settings:
• Connected: The client is connected to a server.
• Not Connected: The client is not currently connected to a server.
Connect Now: Tries to connect to the server. Use this option to test whether or not the client is connected.
Last Attempted Connection: Displays the day and time that the client last tried to connect to the server. For example, the client reconnects to the server each time that you restart the computer.
Last Successful Connection: Displays the day and time that the client last connected to the server successfully.
Server Name: Displays the IP address or DNS name of the management server.
Port Number: Displays the port number through which the server connects to the client. The Windows firewall might block the port number.

If the client is not connected you can find out why by clicking Error Details. You can also see when the client last tried to
connect to the server, and when the client last successfully connected. This pane also displays the server's address or
DNS name and which port the server connects through.

Table 101: Cloud console connection status options

Status: Displays whether or not the client is currently connected to the cloud server based on the following statuses:
• Connected: The client is connected to a server.
• Not Connected: The client is not currently connected to a server.
Cloud Connected: Displays the day and time that the client last tried to connect to the cloud server. For example, the client reconnects to the server each time that you restart the computer.
SPOC Connected: Displays the day and time that the client last tried to connect to the SPOC server.
Connection Details:
• Cloud: Displays the IP address or DNS name of the cloud server.
• SPOC: A cloud server that bumps clients to do certain activities, like check for a security policy update. The cloud tells SPOC to bump managed clients so that they check in.
Manual Enrollment: Connects the Symantec Endpoint Protection client (called the Symantec Agent in the cloud) to the cloud server. The agent must be enrolled to communicate with the cloud and therefore download policies from the cloud. Use this option if you know that the cloud console manages the client but does not connect.

Troubleshooting: Subscription Status


This panel displays the expiration date of your subscription for each product that is installed on this client. For example, you can have a subscription for one or three years.

Troubleshooting: Application Hardening


This panel shows whether the Application Hardening feature either protects your client device or only monitors it.

You must have a subscription for Symantec Endpoint Security and be enrolled in the cloud console for information to
appear.

Table 102: Application Hardening options

Enrollment Status: Indicates whether the client is enrolled with the cloud.
Prevention Mode:
• Prevention: Actively blocks behaviors as defined in the policy that your administrator defines.
• Monitoring: Watches and logs possible adverse actions. Does not take any action.
Pass-Through Mode:
• Enabled: Application Hardening loads its drivers, but ignores the policy and any detections. Enabling this setting means that Application Hardening ignores Prevention Mode.
• Disabled: Application Hardening loads its drivers, reads the policy, and makes detections as defined by Prevention Mode.

Troubleshooting: EDR Connection Status


Shows whether or not the client is connected to a Symantec Endpoint Detection and Response (EDR) server. Only
available when the policy specifies a Symantec EDR server.

Table 103: EDR Connection Status options

Status:
• Connected: EDR is enabled and the client is connected to the Symantec EDR server. The name of the connected Symantec EDR server appears.
• Not authenticated: Symantec EDR finished provisioning the client for enrollment and sent the logon credentials to the management server. Symantec EDR is waiting for the client to authenticate to complete the enrollment process.
• Not connected: EDR is enabled but the client is not connected to the on-premises Symantec EDR server. The connection between the client and Symantec EDR is not persistent. The client status moves from Connected to Not connected when the client configuration must update and cannot connect to the server. In most of the cases, the configuration includes FDR scheduled submissions. The Symantec EDR policy configuration may take several minutes to update. The Attempted Servers list appears. The Connect option is available.
• Disabled: EDR is disabled and the client does not connect to the Symantec EDR server.
Attempted Connection and Successful Connection: Shows the time when the client was successfully connected to a Symantec EDR server, or when the client tried to connect to a Symantec EDR server.
Attempted Servers: The list of EDR servers that appears when the EDR connection status is Not connected. The policy from the management server for this client determines the priority of the EDR servers. When the client is not connected, the list of EDR servers initially matches the priority order that appears in the management server policy. After you select Connect, the client refreshes the list to show the actual order of the Symantec EDR servers as the client attempts them. The client randomly chooses a server from the policy's first priority group, and then tries all the other servers in that group. If no servers connect, the client tries the next priority group in the same way.
Last connection attempt: Shows the date and time of the last manual attempt to connect or authenticate.
Currently connecting to server: Shows which Symantec EDR server the client is trying to connect to.
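The Attempted Servers order described above, as an added example that is not Symantec's code: the random first pick within a priority group, the rest of that group in policy order, and fall-through to the next group only when every server in the current one fails. The server names and the reachability stub are constructed; the real client's random selection is replaced by a deterministic stand-in so the order is reproducible.

```python
"""Added example, not Symantec's code: models the Attempted Servers failover
order described for the EDR Connection Status panel. Server names and the
reachability stub are constructed for illustration."""
import random
from typing import Callable, Iterable, List, Optional, Sequence, Tuple


def group_attempt_order(group: Sequence[str], rng: random.Random) -> List[str]:
    """Order in which one priority group is tried: one server picked at
    random first, then every other server in the group in policy order."""
    if not group:
        return []
    first = rng.choice(list(group))
    return [first] + [s for s in group if s != first]


def policy_order(priority_groups: Iterable[Sequence[str]]) -> List[str]:
    """The list as it first appears: priority order straight from the policy."""
    return [s for group in priority_groups for s in group]


def connect_with_failover(
    priority_groups: Sequence[Sequence[str]],
    try_connect: Callable[[str], bool],
    rng: Optional[random.Random] = None,
) -> Tuple[Optional[str], List[str]]:
    """Walk the priority groups as the panel describes: exhaust one group
    before moving to the next and stop at the first server that connects.
    Returns (connected server or None, servers attempted in order)."""
    rng = rng or random.Random()
    attempted: List[str] = []
    for group in priority_groups:
        for server in group_attempt_order(group, rng):
            attempted.append(server)
            if try_connect(server):
                return server, attempted
    return None, attempted


# Constructed policy: two priority groups of hypothetical EDR server names.
SAMPLE_POLICY = [["edr-a.example", "edr-b.example", "edr-c.example"],
                 ["edr-d.example"]]


class _PickLast(random.Random):
    """Deterministic stand-in for the client's random pick (demo only)."""

    def choice(self, seq):
        return seq[-1]


def demo(reachable) -> Tuple[Optional[str], List[str]]:
    """Run the failover against a constructed set of reachable servers."""
    return connect_with_failover(SAMPLE_POLICY, lambda s: s in reachable, _PickLast())


if __name__ == "__main__":
    print("initial list:", policy_order(SAMPLE_POLICY))
    print("only edr-d reachable:", demo({"edr-d.example"}))
    print("nothing reachable:", demo(set()))
```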

Troubleshooting: Web and Cloud Access Protection



Status: Displays the status of the Web and Cloud Access Protection component on the client:
• Enabled: Web and Cloud Access Protection is installed and enabled on the computer.
• Not Installed: Web and Cloud Access Protection is not installed on the computer.
• Disabled by policy: Web and Cloud Access Protection is installed and enabled on the computer, but the Web and Cloud Access Protection policy is not enabled.
• Malfunctioning: Web and Cloud Access Protection is not running correctly. The WSS token may be invalid.
• Tunnel Failed: Occurs when the "Based on the console user" traffic identification method is used. The WSS Agent cannot make a connection with the logged on user.
Web and Cloud Access Protection requires a license for Symantec Web Security Services.
Username: User that the status applies to.
Protocol: Lists the protocol that Web and Cloud Access Protection uses.
Datacenter: Lists the WSS datacenter that network traffic is redirected to and processed by.
Status message: Provides information about the status of the Web and Cloud Access Protection component.
Reconnect: Web and Cloud Access Protection should stay continually connected to the WSS. However, there are situations where the connection gets interrupted. The Wi-Fi may go down, an Internet connection gets disabled, or a data center fails. Regardless of what caused the outage, when service returns, the client user must reconnect to WSS. If the client does not detect that the connection has been broken, click the Reconnect option. If the client detects that the connection is broken, click the Fix button on the Status page.
View Logs: Displays diagnostic events for Web and Cloud Access Protection that are logged in the System Log and uploaded to the Symantec Endpoint Protection Manager.

Logs
This section includes help for the dialog boxes on the View Logs page.

Troubleshooting: Logs
Use this panel to view the log for each type of protection. You can expand or condense each category of logs.
NOTE
If you are logged on to a managed client, some options in some of the logs may be unavailable. The availability
of these options depends on what your administrator allows.
Options that are inappropriate for a particular entry in any log may be unavailable.

Table 104: Client logs and description

Scan Log: The scans that have run on your computer over time.
Risk Log: The viruses and security risks that have infected your computer. Security risks include a link to the Symantec Security Response Web page that provides additional information.
Virus and Spyware Protection System Log: The system activities on your computer that are related to viruses and security risks. This information includes configuration changes, errors, and definitions file information.
Threat Log: The threats that behavioral analysis (SONAR) detected on your computer. These include the commercial applications that can be used for malicious purposes. Examples are Trojan horses, worms, or keyloggers, or mass-mailing worms, viruses, and script-based threats.
Proactive Threat Protection System Log: The system activities on your computer that are related to behavioral analysis.
Tamper Protection Log: The attempts to tamper with the Symantec applications on your computer. These entries contain information about the attempts that Tamper Protection detected or detected and blocked.
Traffic Log: The connections that your computer makes through the network.
Packet Log: The packets of data that enter or leave through the ports on your computer.
Control Log: The registry keys, files, and DLLs that an application accesses, as well as the applications that your computer runs.
Security Log: The activities that were directed toward your computer that can potentially pose a threat. Activities such as denial-of-service attacks, port scans, and executable file alterations are examples.
Application Control Log: Displays the use of unwanted and unauthorized applications in your environment and what behavior the client blocks. This log appears if your system administrator manages Application Hardening policies from the cloud console.
Client Management System Log: The operational changes that have occurred on your computer. Examples include activities such as when a service starts or stops, the computer detects network applications, or software is configured.

Virus and Spyware Protection Logs: Scan Log


The Scan log uses data from the System log to provide a complete picture of the scans that have been performed on your
computer. The information shows how frequently your computer has been scanned and which types of scans are run on
your computer. Actions that are inappropriate or that your administrator does not allow are unavailable.
You can use this log to see if a scan was stopped or interrupted in some way.
You can use this information to find infection trends, which you can respond to with better detection tactics. For example,
your job might involve a lot of time on the Internet on Fridays, and you might notice that infections occur most often on
Monday morning. You can then schedule a full scan to run every Monday at 8:00 A.M.
You can perform the following tasks in the Scan log:
• View a list of the scans that have occurred on your computer over time. Scans are displayed with additional relevant
information about the scans.
• Export the data in the log to a comma-delimited text file, for use in other applications.
• Right-click an entry and view its properties.

Table 105: Scan log columns

Started On: The date and time that the scan started.
Completed: The date and time that the scan ended.
Logged By: The type of scan that was run. For example, if this scan is a Startup scan, this column says Startup.
Computer: The computer from which the scan was run. For example, if you scan a network drive from your local computer, this field contains the name of your local computer. It is not the computer on which the drive is physically located.
Status: The current status of the scan, such as Scan Complete, Scanning, or Scan Aborted.
Total Files: The total number of files that were scanned.
Infected: The number of infections or anomalies that were found.
Trusted: The number of files noted as trusted by Insight.
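The trend analysis suggested above (find the weekday on which infections cluster, then schedule a full scan for it), worked through on an exported Scan log as an added example that is not Symantec's code. The export text, its header names and its timestamp format are constructed assumptions based on the Scan log columns listed in Table 105; verify them against a real export before relying on the parser.

```python
"""Added example, not Symantec's code: tallies infections per weekday from a
Scan log export so that a full scan can be scheduled for the worst day.
Export text, header names and timestamp format are constructed assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export timestamp format

# Constructed sample export using the Scan log column names from Table 105.
SAMPLE_EXPORT = """\
Started On,Completed,Logged By,Computer,Status,Total Files,Infected,Trusted
2022-11-07 08:05:00,2022-11-07 09:10:00,Scheduled,WS-01,Scan Complete,210432,3,1500
2022-11-08 08:05:00,2022-11-08 09:12:00,Scheduled,WS-01,Scan Complete,210511,0,1500
2022-11-09 08:05:00,2022-11-09 08:20:00,Scheduled,WS-01,Scan Aborted,12000,0,200
2022-11-11 13:30:00,2022-11-11 14:40:00,Manual,WS-01,Scan Complete,211000,1,1502
2022-11-14 08:05:00,2022-11-14 09:15:00,Scheduled,WS-01,Scan Complete,211300,4,1510
2022-11-21 08:05:00,2022-11-21 09:14:00,Scheduled,WS-01,Scan Complete,211900,2,1520
"""


def parse_scan_log(text: str) -> List[Dict]:
    """Parse the comma-delimited export into typed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "started": datetime.strptime(rec["Started On"], TIMESTAMP_FORMAT),
            "logged_by": rec["Logged By"],
            "status": rec["Status"],
            "total_files": int(rec["Total Files"]),
            "infected": int(rec["Infected"]),
        })
    return rows


def interrupted_scans(rows: List[Dict]) -> List[datetime]:
    """Start times of scans that never reached Scan Complete; their file and
    infection counts are partial, so the trend tally leaves them out."""
    return [r["started"] for r in rows if r["status"] != "Scan Complete"]


def infections_by_weekday(rows: List[Dict]) -> Counter:
    """Infections found by completed scans, summed per weekday name."""
    tally: Counter = Counter()
    for r in rows:
        if r["status"] != "Scan Complete":
            continue
        tally[r["started"].strftime("%A")] += r["infected"]
    return tally


def suggest_scan_slot(rows: List[Dict]) -> Optional[Tuple[str, int]]:
    """Weekday with the most infections and the earliest hour a completed
    scan started on that day, e.g. ('Monday', 8) -> schedule Monday 08:00."""
    tally = infections_by_weekday(rows)
    if not tally or max(tally.values()) == 0:
        return None
    day = max(tally, key=tally.get)
    hours = [r["started"].hour for r in rows
             if r["status"] == "Scan Complete"
             and r["started"].strftime("%A") == day]
    return day, min(hours)


if __name__ == "__main__":
    scans = parse_scan_log(SAMPLE_EXPORT)
    print("interrupted:", interrupted_scans(scans))
    print("by weekday:", dict(infections_by_weekday(scans)))
    print("suggested slot:", suggest_scan_slot(scans))
```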

Virus and Spyware Protection Logs: Risk Log


The Risk log displays a list of the viruses and security risks that have infected your computer and additional information
about each infection. A status icon in the first column shows whether the risk is still present on the computer or has been
successfully removed. If the virus or security risk is still present, a red x appears. If a virus or security risk was removed, a
green check appears.
You can perform the following tasks in the Risk log:

Table 106: Risk log options

Export: Lets you save the log data to a comma-delimited text file that can be imported into other applications, such as a spreadsheet.
Clean: Lets you clean up the side effects of a risk that was found during a scan. This action effectively removes the risk from your computer.
Delete: Lets you delete a risk from your computer, if possible.
Undo: Lets you undo an action, if possible.
Quarantine: Lets you quarantine a risk that is found, if possible.

You can also right-click an entry to view its details.


NOTE
Risk details for a Download Insight detection show only the first portal application that attempted the download.

Table 107: Risk log columns

Filename: The name of the file involved, if applicable.
Risk: The name of the virus or security risk that was found.
Action: The action that was taken on the virus or security risk.
Risk Type: The type of threat or security risk that was found, such as virus, adware, spyware, or dialer.
Logged By: The type of scan that was responsible for logging the event, such as Auto-Protect or Startup.
Original Location: The location where the virus or security risk was found, if applicable.
Computer: The computer that logged the risk detection. For example, if you work on a local computer and Auto-Protect finds a virus in a remote file, Computer is your local computer.
User: The user that was logged onto the computer when the virus or security risk was found.
Status: The current infection status of the file. For example, the status can be infected, cleaned, or deleted. A file that is quarantined usually has a status of infected, but the file is unable to harm your computer.
Current Location: The location of the virus or security risk now. For example, the location can be In Quarantine.
Primary Action: The first action that is configured to take for this virus or security risk or its category.
Secondary Action: The second action that is configured to take for this virus or security risk or its category. The second configured action is taken if the first action is unsuccessful.
Action Description: A description of the action that was taken on the virus or security risk.
Date and Time: The date and time that the virus or security risk was logged.

Virus and Spyware Protection Logs: System Log


The System log contains daily records of the virus and security risk activities that are related to protection on your
computer. These records, called events, include configuration changes, errors, and virus and security risk definitions file
information, and are displayed with additional information. Actions that are inappropriate or that your administrator does
not allow are unavailable.
By using the information in the System log, you can track the trends that are related to the viruses and security risks on
your computer. If several people use the same computer, you might be able to identify who introduces risks and help that
person to use better precautions.
You can perform the following tasks in the System log:

Table 108: System log options

Export: Saves the data as a comma-separated value (.csv) file.
Filter: Lets you filter the display so that you see only one or a few types of events. You can check the types of events that you want to display in your view of the log. All types of events continue to be written to the System log.

You can also right-click an entry to view its properties.

Table 109: System log columns

Event: The event that occurred.
Logged by: The entity that was responsible for the logging of the event. For example, this entity can be a scheduled scan or a system event like the loading of new virus definitions.
Computer: The computer on which the event occurred.
User: The user account that reported the event.
Description: A description of the event that occurred.
Date and Time: The date and time that the event was logged.

Proactive Threat Protection Logs: Threat Log


The Threat log lists the threats that a proactive threat scan has detected and prevented on your computer, along with additional information. Actions that are inappropriate or that your administrator does not allow are unavailable.
NOTE
The action options that are active depend on the actions that are appropriate for the selected log entry.
You can perform the following tasks in the Threat log:

Table 110: Threat Log options

Export: Saves the data as a comma-separated value (.csv) file.
Terminate: Ends a program or process that has been found on your computer.
Restore: Restores the selected threat from the Quarantine. This option is only active when you select a threat that has been quarantined.
Quarantine: Moves the selected file to the Quarantine.
Add to DNS or Host File Change Exception: Allows the selected application to make a DNS or host file change. This option only appears when you right-click a detected application that tried to make a DNS or host file change.

You can also right-click an entry to view its properties.

Table 111: Threat log columns

Filename: The name of the file involved, if applicable.
Risk: The name of the threat that was found.
Action: The action that was taken on the threat.
Risk Type: The type of threat that was found.
Logged By: The type of scan that was responsible for logging the event.
Original Location: The location where the threat was found, if applicable.
Computer: The computer on which the threat occurred.
User: The user that was logged onto the computer when the threat was found.
Status: The current status of the threat. For example, the current status can be terminated or quarantined.
Current Location: The location of the threat now. For example, the location can be In Quarantine.
Primary Action: The first action that was configured to take for this threat.
Secondary Action: The second action that was configured to take for this threat.
Action Description: A description of the action that was taken on the threat.
Date and Time: The date and time that the threat was logged.

Proactive Threat Protection Logs: System Log


In the System log, you can view the system events that are related to behavioral analysis (SONAR). Actions that are
inappropriate or that your administrator does not allow are unavailable.
You can perform the following tasks in the Proactive Threat Protection System log:

Table 112: System log options

Export: Saves the data as a comma-separated value (.csv) file.
Filter: Filters the System log data. When you select this option, the Filter Events dialog box appears. You can select the items that you want to appear in the System log.

You can also right-click an entry to view its properties.

Table 113: System log columns

Event: A description of the event that occurred.
Logged by: Shows SONAR as the feature that was responsible for logging the event.
Computer: The computer that initiated or was responsible for the event.
User: The user that was logged onto the responsible computer at the time of the event.
Description: A description of the action that was taken on the threat.
Date and Time: The date and time that the event was logged.

Hardening Logs
The Application Hardening policies include Application Control and Adaptive Isolation, which your system administrator
manages from the cloud console.
Use the Application Control log to find the use of unwanted and unauthorized applications in your environment and what
behavior the client blocks. Your system administrator configures Application Hardening policies to restrict whether an
application launches and which system resources it can use. The policy uses rules and conditions that monitor for
specified files, folders, and processes.

NOTE
The Application Control and the Application Isolation events use the same log. Therefore, the Current log file
size is always identical. You view each log separately to filter the events only.

Date and Time: The date and time that the event was logged.
Action: Displays one of the following actions that the client takes on an application or process that tries to run.
• Allowed: The application or process runs. The client does not log an event.
• Blocked: The application or process does not run and the client logs an event.
• Log Only: Creates a log event when an application or process runs. Allows all applications and processes to run.
When the Application Control policy is in monitor mode, the available actions are Blocked or Log Only. Allowed applications do not log an event.
Description and Activity: Displays the behavior that the client takes on a process or file when the client detects it. Look in the ICDm schema for the definitions of these events. In the schema, look for the event ID and select it to find the activities. For example, event ID 8027 denotes process detection events (security events) that report the detection and resolution of process threats or policy violations.
• 8027: Process Launch (Application Control)
• 22: Policy Override (Application Control)
Rule Name: The rule name. This field is blank if the rule name does not exist.
Logged By: Displays which Symantec technology produced the event, Application Control.
Caller Process ID: The signature of the caller process that triggers the event.
Caller Process: The path of the caller process that triggers the event. For example, suppose a rule blocks programs from writing to a folder. If you then try to save a document to that folder, the logged event displays winword.exe as the caller process.
Target: Available soon.
Command Line: The command arguments or the whole command line for a running process.

Filter System Log


Use this dialog box to specify the types of events that you want to view in the System log for viruses and security risks.
Entry types with unchecked check boxes do not appear in the System log. This filter controls only your display of the log.
All types of events continue to be written into the log.

Client Management Logs: System Log


The System log records all operational changes, such as service start times and stop times, network application detection,
software configuration modifications, and software execution errors. It also logs communication with the server, including
connections and downloads. All the information that is provided in the System log also appears in real time in the
message area. The System log is especially useful for troubleshooting problems with the client.
You can perform the following tasks in the System log:
• View a list of the system events whenever your computer is connected to a network.
• Clear all the entries from the log.
• Export the data in the log to a tab-delimited text file, for use in other applications.
• Filter the entries, either based on a time range or based on severity.

Table 114: System log columns

Date and Time: Specifies the date and the time that the event was logged.
Severity: Specifies the following levels of severity information:
• Error: Indicates a problem with the source computer.
• Warning: Indicates a potential problem.
• Information: Provides the additional information about an event that involves the client, or provides the information about the communication with the server.
Summary: Describes the event.

Client Management Logs: Security Log


The Security log records suspicious activity, such as port scanning, virus attacks, or denial-of-service attacks. The
Security log is the most important log on the client.
You can perform the following tasks in the Security log:
• View security-related events.
• Clear all the entries from the log.
• Export the data in the log to a tab-delimited text file, for use in other applications.
• Switch between a local view and a source view. To view the columns for source ports and hosts and destinations ports
and hosts, you can select Source View from the View menu.
• Filter the entries, either based on a time range or based on severity.
• Back trace the data packets that were used in attempted attacks to locate their origin. Note that not every entry can be
back traced.
• Stop the client from blocking the attacks from other computers.

Table 115: Security log columns

Date and Time: The date and time that the event was logged.
Event Type: The type of security alert, such as a denial-of-service attack, executable file, or virus attack.
Severity: The severity level of the attack, which includes the following options:
• Critical
• Major
• Minor
• Information
Direction: The direction in which the traffic traveled relative to the client computer:
• Incoming: Most attacks are inbound because they originate on another computer.
• Outgoing: Attacks like Trojan horses are considered outbound because they have been downloaded to your computer and are already present.
• Unknown: Traffic that has been blocked or dropped from an active response or because the application executable changed.
Protocol: The type of protocol. For example, the protocol can be UDP, TCP, or ICMP.
Remote Host or Source Host: The host of the current view, which includes the following fields:
• Remote Host (Local View): IP address of the remote computer.
• Source Host (Source View): IP address of the source computer.
Remote port: The TCP port number, UDP port number, or ICMP type or code of the remote computer.
Remote MAC or Source MAC: The MAC address of the current view, which includes the following fields:
• Remote MAC (Local View): MAC address of the remote computer. If the address is outside the subnet, it is the MAC address of the router.
• Source MAC (Source View): MAC address of the source computer.
Local Host or Destination Host: The host of the current view, which includes the following fields:
• Local Host (Local View): IP address of the local computer.
• Destination Host (Source View): IP address of the destination computer.
Local Port: The TCP port number, UDP port number, or ICMP type or code of the local computer.
Local MAC or Destination MAC: The MAC address of the current view, which includes the following fields:
• Local MAC (Local View): MAC address of the local computer.
• Destination MAC (Source View): MAC address of the destination computer.
Application: The name of the application that is associated with the attack.
Signature ID: The ID of the intrusion prevention signature that the attack triggered. You can use the signature ID to look up the signature online.
Signature Sub-ID: The sub-ID of the intrusion prevention signature that the attack triggered.
Signature name: The name of the signature that the attack triggered.
Intrusion URL: The URL that is associated with a browser attack.
X-Intrusion-Payload URL: The URL to which the attack redirected the browser.
User: The user or the computer that sent or received the traffic.
User Domain: The name of the server domain where the client is logged on.
Location: The location that was in effect at the time of the attack. For example, the location can be Office, Home, or VPN.
Occurrences: The number of occurrences of the attack method.
Begin Time: The time that the attack began.
End Time: The time that the attack ended.

Tamper Protection Log


You can use this log to view information about Tamper Protection events. You can view this log to see details about
Tamper Protection detection when a tamper attempt occurs.
You can perform the following tasks in the Tamper Protection log:
• View the list of the Tamper Protection-related events.
• Export the data in the log to a comma-delimited text file, for use in other applications.
• Right-click an entry and view its properties.
Actions that are inappropriate or that your administrator does not allow are unavailable.

Table 116: Tamper Protection log columns

Computer: The computer on which the tamper attempt occurred.
User: The name of the user that was logged onto the computer at the time of the tamper attempt.
Action Taken: The action that Tamper Protection took.
Object Type: The type of object involved, if appropriate.
Event: The event that took place.
Actor: The identity of the entity that attacked, if applicable.
Target: The entity that was the target of the tamper attempt, if applicable.
Target Process: The process that was the target of the tamper attempt, if applicable.
Date and Time: The date and time that the tamper attempt was logged.

Network and Host Exploit Mitigation Settings: Logs


Use this tab to configure the Control log, Packet log, Client Management Security log, and the Traffic log. You can set the log size, specify how many days that entries are recorded in each log, and clear the logs.

Table 117: Log tab options

Maximum log file size: Specifies the maximum size for the log file, in kilobytes (KB). After you reach the maximum size, the oldest entries are removed and replaced with the most current entries. You can set the size from 64 KB to 15,000 KB (or 15 MB).
Note: It is recommended to keep the log file size as small as possible.
Save each log entry for: Specifies the number of days to keep the entries in the log before removal.
Clear Log: Clears all entries from the log.
Enable Packet Log: Records the packet information in the Packet log.

Client Management Logs: Control Log


The Control log records the results of the Application and Device Control policy that is applied to the client. The
Application and Device Control policy protects the registry and the specific files or directories. It also controls processes,
DLLs, and application execution.
The Control log records the activities specific to an application’s behavior. It records the registry keys, files, and DLLs that
an application accesses as well as the applications that it runs. If an application performs an activity that is not allowed, it
is blocked. For example, a Web server that serves Web pages should not copy files to your system folder.
NOTE
Two log entries might appear in the Control log for a single event. For example, two entries might appear if an
application reads and then tries to write a file. Two entries also appear if an application writes and then tries to
delete a file.

Table 118: Control log options

Column Description

Date and Time The date and the time that the event was logged.
Severity Level The severity of the behavior.
Action The action the client takes if the rule is not met.
When a system process tries to perform an operation on the target, the client takes one of the following
actions on the application or device:
• Block
• Allow
• Continue
The rule is triggered but the client ignores the event and logs it.
• Terminate
The client terminates the process.
Test Mode Test administrators may use this information.
Description Description of the behavior on the client.
API The name of the API that caused the logging of this behavior.
Rule Name The name of the rule that caused the logging of this behavior.
IP Address The IP address from which the application or process triggered the rule.
Caller Process ID The ID of the application or process that triggers the logging.
Caller Process The name of the application or process that sent the error.
Device Instance ID The parameters that were used in the API call.
The parameters are converted to STRING and separated by a space character.
Target The target that the process or the application acted upon.
File Size The size of the file upon which the application or process acted.
The file size might appear as 0 bytes rather than the actual file size. Typically, the file size appears as 0
bytes when the application control rule triggers before a process creates or writes a file.
User The name of the computer or the user.

135
Column Description

User Domain The name of the server domain where the client is logged on.
Location The name of the location where the application has logged on.

Network and Host Exploit Mitigation Logs: Traffic Log


Use the Traffic log to view information about firewall events, including a network attack or an intrusion attempt. The log
displays a list of the incoming traffic and the outgoing traffic whenever your computer is connected to a network.
The following table describes the tasks that you can perform by using the Traffic Log menu commands.

Table 119: Traffic Log menu commands

File: Lets you perform the following tasks:
    • Clear
      Removes all the entries from the log.
    • Export
      Saves all of the log entries to a tab-delimited text file, for use in other applications.
    • Change Settings (unmanaged client only)
      Displays the dialog box that enables you to modify the Network Threat Protection settings.
    • Options (managed client only)
    • Exit
      Closes the log.
Edit: Lets you perform the following tasks:
    • Copy
      Copies the selected log entries to the clipboard.
    • Select All
      Selects the displayed log entries. You can then copy and paste the entries to another application.
View: Lets you switch between different logs or different views by using the following commands:
    • Traffic Log or Packet Log
      Displays either log.
    • Local View and Source View
      The columns in the log change depending on whether you choose the local view or the source view.
      The local view shows the content from the perspective of the local port and the remote port. This
      perspective is more commonly used in a host-based firewall. The source view displays the content from
      the perspective of the source port and the destination port. This perspective is more commonly used in
      a network-based firewall.
      Table 120 lists the columns that appear in both Local View and Source View.
Filter: Displays the log entries that were recorded within a certain number of days or by severity.
Action: Lets you perform the following tasks:
    • BackTrace
      Locates the origin of the data packets. You might want to locate the originating host in the data packets
      that were used in attempted attacks. Note that not every entry can be back traced.
    • Stop Active Response
      Allows the traffic that the client previously blocked from the selected host.
    • Stop All Active Response

On a managed client, you might not be able to access all of these features. Actions that are inappropriate for a particular
entry are unavailable.
The following table describes the columns that appear in both the local view and the source view.

Table 120: Local view and source view

Date and Time: The date and time that the event was logged.
Action: The action that the client takes on the traffic. The client either blocks or allows traffic.
Severity: The severity level of the traffic, from 1 to 10.
Direction: The direction of the traffic, either incoming or outgoing.
Protocol: The type of protocol, either UDP, TCP, or ICMP.
Remote Host or Source Host: The computer shown in the current view, which includes the following fields:
    • Remote Host (Local View)
      Name of the remote computer.
    • Source Host (Source View)
      Name of the source computer.
Remote MAC or Source MAC: The MAC address shown in the current view, which includes the following fields:
    • Remote MAC (Local View)
      MAC address of the remote computer. If outside the subnet, it is the MAC address of the router.
    • Source MAC (Source View)
      MAC address of the source computer.
Remote Port or Source Port: The port shown in the current view, which includes the following fields:
    • Remote Port (Local View)
      Port and ICMP type on the remote computer (appears only in Local View).
    • Source Port (Source View)
      Port and ICMP type on the source computer (appears only in Source View).
Local Host or Destination Host: The host shown in the current view, which includes the following fields:
    • Local Host (Local View)
      IP address of the local computer.
    • Destination Host (Source View)
      IP address of the destination computer.
Local MAC or Destination MAC: The MAC address shown in the current view, which includes the following fields:
    • Local MAC (Local View)
      MAC address of the local computer. If outside the subnet, it is the MAC address of the router.
    • Destination MAC (Source View)
      MAC address of the destination computer.
Local Port or Destination Port: The port shown in the current view, which includes the following fields:
    • Local Port (Local View)
      Port that is used on the computer for this packet.
    • Destination Port (Source View)
      Port that is used on the destination computer for this packet.
Application: The path and name of the application that is associated with the traffic.
User: The user's logon name.
User Domain: The name of the server domain where the client is logged on.
Location: The location, such as Office, Home, or VPN, that was in effect at the time of the traffic.
Occurrences: The number of packets that the traffic sends between the start time and end time.
Begin Time: The time that the traffic starts to match the rule.
End Time: The time that the traffic no longer matches the rule.
Rule: The rule that determined whether this traffic was passed or blocked.

If entries in the Network and Host Exploit Mitigation logs and the Client Management logs have more information
available, it appears in the following locations:
• Description information appears in the lower left-hand pane of the log view.
• Data information appears in the lower right-hand pane of the log view.
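The Export command above writes the Traffic log as a tab-delimited text file, and Local View and Source View are two presentations of the same entries. The following Python script is an added example, not code from Symantec or from this guide: it parses such an export, converts Local View entries to source/destination form using the Direction column, and sums the Occurrences of blocked incoming traffic per source host. The header row names (assumed to match the Local View column names in Table 120), the sample entries, hosts, MAC addresses, users and rule names are all constructed for the example.

```python
"""Summarize blocked inbound traffic from a tab-delimited Traffic log export.

Added example; assumes the export has a header row using the Local View column
names from the guide (that heading text is an assumption, not documented here).
"""
import csv
import io
from collections import Counter

# Local View column names in the order the guide lists them (assumed header row).
COLUMNS = [
    "Date and Time", "Action", "Severity", "Direction", "Protocol",
    "Remote Host", "Remote MAC", "Remote Port", "Local Host", "Local MAC",
    "Local Port", "Application", "User", "User Domain", "Location",
    "Occurrences", "Begin Time", "End Time", "Rule",
]

# Constructed sample entries: hosts, MACs, ports, users and rule names are made up.
_SAMPLE_ROWS = [
    ("2022-11-03 09:15:02", "Blocked", "7", "Incoming", "TCP", "203.0.113.45",
     "00-11-22-33-44-55", "4455", "192.0.2.10", "AA-BB-CC-DD-EE-01", "445", "System",
     "-", "-", "Office", "12", "2022-11-03 09:15:02", "2022-11-03 09:15:20", "Block inbound SMB"),
    ("2022-11-03 09:15:04", "Blocked", "7", "Incoming", "TCP", "203.0.113.45",
     "00-11-22-33-44-55", "4456", "192.0.2.10", "AA-BB-CC-DD-EE-01", "3389", "System",
     "-", "-", "Office", "3", "2022-11-03 09:15:04", "2022-11-03 09:15:09", "Block inbound RDP"),
    ("2022-11-03 09:16:10", "Allowed", "1", "Outgoing", "TCP", "198.51.100.20",
     "00-11-22-33-44-66", "443", "192.0.2.10", "AA-BB-CC-DD-EE-01", "51522",
     "C:\\Program Files\\Browser\\browser.exe", "alice", "CORP", "Office", "40",
     "2022-11-03 09:16:10", "2022-11-03 09:18:00", "Allow web browsing"),
    ("2022-11-03 09:17:30", "Blocked", "5", "Incoming", "UDP", "203.0.113.77",
     "00-11-22-33-44-77", "53412", "192.0.2.10", "AA-BB-CC-DD-EE-01", "137", "System",
     "-", "-", "Office", "5", "2022-11-03 09:17:30", "2022-11-03 09:17:31", "Block inbound NetBIOS"),
    ("2022-11-03 09:18:00", "Blocked", "4", "Outgoing", "TCP", "192.0.2.200",
     "AA-BB-CC-DD-EE-02", "9999", "192.0.2.10", "AA-BB-CC-DD-EE-01", "51600",
     "C:\\Users\\alice\\Downloads\\updater.exe", "alice", "CORP", "Office", "2",
     "2022-11-03 09:18:00", "2022-11-03 09:18:00", "Block unknown outbound"),
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in [tuple(COLUMNS), *_SAMPLE_ROWS]) + "\n"

REQUIRED = {"Date and Time", "Action", "Severity", "Direction", "Occurrences", "Rule"}
LOCAL_VIEW = {"Remote Host", "Remote Port", "Local Host", "Local Port"}
SOURCE_VIEW = {"Source Host", "Source Port", "Destination Host", "Destination Port"}


def parse_traffic_log(text):
    """Return the export as dicts with Severity and Occurrences as ints.

    Rejects files whose header is not a Traffic log in either view (for example
    a Packet log export, whose columns differ), so a wrong file fails loudly
    instead of yielding an empty summary.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    headers = set(reader.fieldnames or [])
    if not REQUIRED <= headers or not (LOCAL_VIEW <= headers or SOURCE_VIEW <= headers):
        raise ValueError("not a Traffic log export: expected columns are missing")
    rows = []
    for row in reader:
        row["Severity"] = int(row["Severity"])
        row["Occurrences"] = int(row["Occurrences"])
        rows.append(row)
    return rows


def to_source_view(row):
    """Give one entry source/destination fields regardless of the view it came from.

    Local View names the two sides local and remote; Direction tells which side
    originated the traffic, so Incoming means the remote host is the source.
    """
    if "Source Host" in row:
        return {k: row[k] for k in sorted(SOURCE_VIEW)}
    src, dst = ("Remote", "Local") if row["Direction"] == "Incoming" else ("Local", "Remote")
    return {
        "Source Host": row[f"{src} Host"], "Source Port": row[f"{src} Port"],
        "Destination Host": row[f"{dst} Host"], "Destination Port": row[f"{dst} Port"],
    }


def blocked_inbound_by_source(rows, min_severity=1):
    """Sum Occurrences (packets between Begin Time and End Time) of blocked
    incoming traffic per source host, keeping entries at or above min_severity."""
    counts = Counter()
    for row in rows:
        if (row["Action"] == "Blocked" and row["Direction"] == "Incoming"
                and row["Severity"] >= min_severity):
            counts[to_source_view(row)["Source Host"]] += row["Occurrences"]
    return counts


if __name__ == "__main__":
    for host, packets in blocked_inbound_by_source(parse_traffic_log(SAMPLE_EXPORT)).most_common():
        print(f"{host:16} {packets:5d} blocked inbound packets")
```

Two design points follow from the guide's own descriptions. Occurrences is a packet count for the interval between Begin Time and End Time, so the summary sums it rather than counting entries; counting entries would understate a burst that the firewall collapsed into one line. The header check matters because the Packet log export uses a different column set, and a script that silently accepted it would report nothing blocked at all.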

Network and Host Exploit Mitigation Logs: Packet Log


The Packet log captures every packet of data that enters or leaves a port on your computer. The Packet log displays
intrusion attempts.
You can perform the following tasks in the Packet log:
• View a list of the incoming traffic events and the outgoing traffic events whenever your computer is connected to a
network.
• Clear all the entries from the log.
• Export the data to a tab-delimited text file, network monitor format, or NetXray format, for use in other applications.
• Switch between a local view and a source view. To view the columns for source ports and hosts and destination ports
and hosts, select Source View from the View menu.
• Filter the entries by selecting a time range.
• Back trace the data packets that were used in attempted attacks to locate their origin. Note that not every entry can be
back traced.
The log view includes information in the lower left pane about the actual data packet. The pane in the lower right corner
shows the data on the type of packet that is logged.
If you or your administrator disables the Packet log, the log stops recording information. The Packet log is disabled by
default.
On a managed client, you might not be able to access all of these features. Actions that are inappropriate for a particular
entry are unavailable.

Table 121: Packet log columns

Date and Time: The date and time that the packet was logged.
Remote Host or Source Host: The computer shown in the current view, which includes the following fields:
    • Remote Host (Local View)
      Name of the remote computer.
    • Source Host (Source View)
      Name of the source computer.
Remote Port or Source Port: The port in the current view, which includes the following fields:
    • Remote Port (Local View)
      Port on the remote host that sent or received the packet.
    • Source Port (Source View)
      Port on the source host that sent or received the packet.
Local Host or Destination Host: The IP address in the current view, which includes the following fields:
    • Local Host (Local View)
      IP address of the local computer.
    • Destination Host (Source View)
      IP address of the destination computer.
Local Port or Destination Port: The port in the current view, which includes the following fields:
    • Local Port (Local View)
      Port that is used on the computer for this packet.
    • Destination Port (Source View)
      Port that is used on the destination computer for this packet.
Direction: The direction in which the packet traveled:
    • Incoming
    • Outgoing
Action: The action that the computer took:
    • Blocked
    • Allowed
Application: The name of the application that is associated with the packet.
Rule: The information about the intrusion prevention rule or the firewall rule that was applied to this packet.

Back Trace Information


Use this dialog box to find detailed information about the IP address of the hop from which the traffic event started.
Note that the originating hop's IP address lists the owner of the router through which the traffic connected. It does not
necessarily list the true IP address.
NOTE
Your network configuration can cause the back trace feature not to work.

Table 122: Back tracing fields

Hop: Hop number.
    A hop is a transition point that a packet of data travels through from one computer to another on a network.
    A router is a common transition point.
IP Address: IP address of each computer or router through which the traffic traveled.
Name: Computer that originated the traffic event.
Time (ms): Time, in milliseconds, it took to find the hop's IP address.
Who is >>: More detailed information about the remote IP address, such as the organization name and contact
    information.