Intelligent Threat Cloud Service for client installation packages (Windows)
Version 14 includes three new sizes of client installation packages, based on which set of virus definitions they include:
Standard client: Designed for typical installations where clients have access to the cloud or the clients are version 12.1.6 and earlier. The standard client is 80% to 90% smaller than a dark network client installation package and includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
Embedded client or VDI client: The embedded client replaces the reduced-size client that was introduced in version 12.1.6. The embedded client is smaller than the standard client and also includes the most recent virus definitions only. After installation, the client accesses the full set of virus definitions from the cloud.
Dark network client: Installs a full set of virus definitions and keeps the definitions locally rather than accessing them from the cloud. Use this client installation package if the client computers are in networks with no access to the cloud.
Generic Exploit Mitigation prevents common vulnerability attacks in typical software applications. Generic Exploit Mitigation installs with intrusion prevention and includes the following types of protection: Java exploit prevention, heap spray mitigation, and structured exception handling overwrite protection (SEHOP). The protections apply to the specific applications that are listed in the Intrusion Prevention policy. Symantec Endpoint Protection downloads the application list as part of its LiveUpdate content. To see the list of applications, open an Intrusion Prevention policy and then click Generic Exploit Mitigation.
You can enable or disable suspicious behavior detection even when SONAR is disabled. You can therefore keep behavior policy enforcement protection of applications on while SONAR scoring is off.
Scan files on remote computers option (Windows, Linux)
You can disable the option for SONAR or Auto-Protect to scan files on computers on other networks. Disabling this option increases performance. However, you should keep this option enabled because SONAR looks for worms such as Sality, which infects network drives. For Auto-Protect, if scanning all files reduces the client computer's performance, you can enable the Only when files are executed option. To access these options, click Policies > Virus and Spyware Protection policy > SONAR or Auto-Protect.
Auto-Protect user mode reduces kernel memory usage and provides greater system health. In rare cases of crashes, the computer does not blue screen and is recoverable.
Emulator for packed malware
For Auto-Protect and virus scans, a new emulator improves scan performance and effectiveness by at least 10 percent. This anti-evasion technique addresses packed malware obfuscation techniques and detects the malware that is hidden inside custom packers.
Advanced Machine Learning (AML) on the endpoint for improved static detections
This new endpoint-based machine learning engine can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown. The AML engine works with the Symantec real-time cloud-based threat intelligence to provide best-in-class protection with low false positives.
Insight Lookup (Windows)
You can still enable or disable Insight Lookup for version 14 and legacy 12.1.x clients, but you cannot set the sensitivity level or action settings. Instead, Insight Lookup uses internal settings to optimize the scan because Download Insight detections are now completely handled by real-time protection. The new Enable Insight Lookup option on the Scan Details tab replaces the Insight Lookup tab in version 12.1.x. Open a Virus and Spyware Protection policy > Administrator-Defined Scans, choose either scheduled scans or on-demand scans, and then click Scan Details.
On standard and embedded/VDI clients, Insight Lookup now allows Auto-Protect, scheduled scans, and manual scans to look up both file reputation information and definitions in the cloud. However, the dark network clients include the full set of definitions and do not use Insight Lookup. You enable Insight Lookup in the Clients > Policies tab > External Communications > Submissions tab.
Scheduled and on-demand scans support the %systemdrive% and %userprofile% variables (Windows)
These scans let you select specific folders to be scanned rather than scanning all the files on the Windows client computer. The %systemdrive% variable indicates the location where the Windows operating system is installed. The %userprofile% variable corresponds to the user profile folders for the users who are logged on. You can also exclude these folders from being scanned by using an Exceptions policy.
Reports display an application's hash value you can use to block applications
In the policies that block applications, you can identify an application by its hash value instead of its name. The hash value is unique, whereas an application name may not be. To find the hash value, look in the Hash Type / Application Hash column in the following reports:
Risk reports: Infected and At Risk Computers; Download Risk Distributions; SONAR Detection Results; SONAR Threat Distribution; Symantec Endpoint Protection Daily Status Report; and Symantec Endpoint Protection Weekly Status Report
To view the Risk reports, click Reports > Quick Reports > Risk.
Home page > Activity Summary link
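The following Python script is an added example, not part of the Symantec documentation, that shows why a hash is a more reliable key than a file name for a block rule: it indexes a directory tree and reports names shared by different binaries and binaries present under several names. The function names, the constructed sample files, and the use of SHA-256 are assumptions; use the hash type shown in the Hash Type / Application Hash column.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def file_hash(path, algo="sha256"):
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root, algo="sha256"):
    """Return (name -> set of hashes, hash -> set of paths) for files under root."""
    by_name, by_hash = defaultdict(set), defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = file_hash(path, algo)
            by_name[name.lower()].add(digest)  # Windows file names ignore case
            by_hash[digest].add(path)
    return by_name, by_hash

def ambiguous_names(by_name):
    """Names shared by different binaries: a name rule cannot tell them apart."""
    return sorted(n for n, hashes in by_name.items() if len(hashes) > 1)

def renamed_copies(by_hash):
    """Hashes seen under several names: a name-based rule would miss the copies."""
    return {h: sorted(paths) for h, paths in by_hash.items()
            if len({os.path.basename(p).lower() for p in paths}) > 1}

def build_sample(root):
    """Constructed sample data: two different setup.exe files and a renamed copy."""
    samples = {("a", "setup.exe"): b"vendor installer",
               ("b", "Setup.exe"): b"unwanted tool",
               ("c", "update.exe"): b"unwanted tool"}
    for (folder, name), data in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        names, hashes = index_tree(root)
        print("names with several hashes:", ambiguous_names(names))
        for digest, paths in renamed_copies(hashes).items():
            print(digest, "->", paths)
```

In the sample data, setup.exe maps to two different hashes, while the second binary appears as both Setup.exe and update.exe under a single hash.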
Client submissions and server data collection
You can enable Symantec Endpoint Protection to send information about detected threats and your network configuration to Symantec. Symantec uses this information for additional analysis and to improve the security features in the product.
Version 14 has several new types of client submissions that you can enable. You access these options by clicking Clients > Policies tab > External Communications > Submissions tab > More options.
The previously existing submission types are automatically submitted with the Send anonymous data to Symantec to receive enhanced threat protection intelligence option. In 12.1.6.x and earlier, this option was labeled Let computers automatically forward selected anonymous security information to Symantec.
You use the new Send client-identifiable data to Symantec for custom analysis option if you participate in a Symantec-sponsored program to get recommendations specific to your security network.
For server data collection, the Yes, I would like to help optimize Symantec's endpoint security solutions by submitting anonymous system and usage information to Symantec option is now labeled Send anonymous data to Symantec to receive enhanced threat protection intelligence. You access this option on the Admin > Servers > Edit Site Properties > Data Collection tab.
The installation wizard now displays the available hard drive space for local drives, but not the hard disk space for USB thumb drives or disc drives. The wizard does not let you install the management server unless the computer meets the minimum system requirements. The installation proceeds if the computer meets the recommended system requirements. The recommended minimum hard drive space the management server needs on a system drive is 40 GB. On an alternative drive, the management server needs 15 GB (system drive) and 25 GB (installation drive).