
Configuring Symantec Endpoint Protection for Maximum Protection


The following general best practices document for configuring and managing SEP 11.0 was prepared by the Symantec product team, and provided by Eric Holst, Senior Systems Engineer, Symantec Corporation.

See the attached files for additional documents.

Here is a general outline for configuring SEP to maximize protection from today's emerging threats.
(The outline is ordered from easiest to implement to hardest.)

  1. Implement recommendations from SYMC Security Response.
  2. Validate that the SEPM and SEP clients use the latest definitions (Symantec publishes certified definitions 3 times daily).
  3. Configure "locked down" AV policies so that end users can't change settings or disable SEP.
  4. Enable TruScan (Behavioral Protection, AKA Proactive Threat Scan)
  5. Consider increasing Bloodhound heuristics to Maximum (this raises the chance of false positives; new Bloodhound signatures are initially enabled only at the Maximum level and, after the rules are fine-tuned, are later enabled at the default Bloodhound level).
  6. Enable IPS (initially deploy with an Allow/Log exception before moving to an enterprise-wide Block/Log policy).
  7. Enable Application & Device Control (always test AC/DC rules thoroughly before widespread deployment).
  8. Block Autorun.inf from removable devices
  9. Protect SEP from being disabled and/or tampering
  10. Harden Internet Explorer against "drive by downloads"
  11. Monitor/Block devices
  12. Enable the firewall (this needs careful consideration so that necessary applications are not blocked; again, test before deployment).

Attached are two additional white papers on using AC/DC.

Here are detailed Knowledge Base articles relevant to the recommendations above:

SEP Best Practices: General

SEP Best Practices: AntiVirus, Behavioral & Heuristic protection

SEP Best Practices: Network Threat Protection

SEP Best Practices: Application & Device Control
Attached is an Application Control policy file that can be imported into SEPM. These rules should be tested before widespread deployment!

Best Practices: Responding to Infections

Threat Landscape

Attached files:

20970640_GA_RPT_ISTR15_Government_04_10_v3_(2).pdf (1.99 MB)
Application and Device Control_V1.2.pdf (1.74 MB)
b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf (1.73 MB)
SEP 11 Best Practices.pdf (1.77 MB)
SEP_Protecting_SEP_Client_rev1.0.pdf (362.45 KB)
Why anti-virus is not enough.doc (48.5 KB)