Endpoint Protection

 View Only
Expand all | Collapse all

how to disable "disable symantec endpoint protection" but....

Migration User

Migration UserFeb 18, 2012 08:39 AM

Migration User

Migration UserFeb 18, 2012 08:45 AM

  • 1.  how to disable "disable symantec endpoint protection" but....

    Posted Feb 13, 2012 10:35 AM

    how to make client's "disable symantec endpoint protection" unactive but they can still do the settings such as auto protec, disable firewall, etc?



  • 2.  RE: how to disable "disable symantec endpoint protection" but....

    Broadcom Employee
    Posted Feb 13, 2012 01:00 PM

    Hi,

    To prevent user from disabling SEP features check following article

    https://www-secure.symantec.com/connect/articles/how-disable-sep-features-client-gui-sep-121

    Public KB also available 

    http://www.symantec.com/business/support/index?page=content&id=TECH168990

    I hope it will help you !!!



  • 3.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 15, 2012 06:37 AM

    But I want the user client still be able to control the auto protect, firewall, etc. If I follow the steps that you gave, I can't do that.



  • 4.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 15, 2012 07:07 AM

    Hi Jagad,

    Also close all the locks on SEPM policies...to privent user controle on sep........



  • 5.  RE: how to disable "disable symantec endpoint protection" but....

    Broadcom Employee
    Posted Feb 15, 2012 07:53 AM

    Hi jagad pramudito,

    It's not possible to inactive Disable Symantec Endpoint Protection and allow to modify other features like Auto protect, firewall.

    Disable Symantec Endpoint Protection will become unactive only after blocking all the features.



  • 6.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 15, 2012 10:12 AM

    Disable Symantec Endpoint protection option in systray is available only for Admins.

    You can lock / unlock the required option in the AV policy & client user interface utility so that the user can enable / disable AV / PTP / NTP features....

     

    Hope this helps.



  • 7.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 16, 2012 04:18 AM

    Please do the following and mark as a solution if it works:

    To prevent users from disabling Symantec Endpoint Protection (SEP) on their client:

    Step 1: Remove the right to disable Network Threat Protection:

    1. Open the Symantec Endpoint Protection Manager.
    2. Click Clients.
    3. Select the group that contains the clients you want to be affected.
    4. Click Policies.
    5. Expand Location-specific Settings.
    6. Click Tasks to the right of "Client User Interface Control Settings", then click Edit Settings.
    7. Select Server control or Mixed control if it is not already set to one of these.
    8. Click Customize.
      • If Server control is enabled this will open the Client User Interface Settings dialog.
      • If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.

         
    9. Uncheck Allow users to enable and disable Network Threat Protection.
    10. Click OK> OK.



    Step 2: Remove the right to disable Threat detection:

    1. Open the Symantec Endpoint Protection Manager.
    2. Click Clients.
    3. Select the group that contains the clients you want to be affected.
    4. Click Policies.
    5. Expand Location-specific Policies
    6. Click Antivirus and Antispyware policy.
    7. Click File System Auto-Protect, then lock this feature by clicking the lock symbol next to Enable File System Auto-Protect.
    8. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
    9. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
    10. Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
    11. Click TruScan Proactive Threat Scans, then lock this feature by clicking the lock symbol next to Scan for trojans and worms and Scan for keyloggers.
    12. Click OK.

    For Symantec Endpoint Protection 12.1, additional policies must be locked. 

    1. In the Virus & Spyware Protection policy, click Sonar, then lock this feature by clicking the lock symbol next to Enable Sonar.  
    2. In the Instrusion Prevention policy, click Settings, then lock both lock symbols next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.  


    Step 3: Clients update policy:
    Clients will receive the policy according to their Communication Settings (they will be prompted to check in within a few seconds if in Push Mode; they will check in on their next scheduled heartbeat in Pull Mode).

    You can prompt the heartbeat on the client:

    1. Right-click the Symantec Endpoint Protection system tray icon.
    2. Click Update Policy. The client will request the new policy from the manager


    Once the policy has been updated the user will not be able to disable the Antivirus/Antispyware or the Network Threat Protection features.

    Regards



  • 8.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 18, 2012 08:37 AM

    what do you mean? Can you give me specific explainations?



  • 9.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 18, 2012 08:39 AM

    the steps that u're given didn't help at all



  • 10.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 18, 2012 08:45 AM

    is there no other solutions?



  • 11.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 21, 2012 04:31 PM

    Hi,

    Does anyone know what else I would need to do for the Symantec Endpoint Protection service in the 'service.msc' to NOT be greyed out ? I'm using SEPM and SEP 12.1.

    What I've done the following so far.

    1. In SEPM > Cleints > Policies > General Settings > Tamper Protection > unlocked and removed the check mark

    2. Virus and Spyware Policies > unlocked "Auto Protect", Download and Sonar (still checked). Email Scans are all disabled. Advanced Options are locked.

    Thank you

    RK



  • 12.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Feb 21, 2012 08:33 PM

    The only way to do this in SEP 11 was through the policy.  However in SEP 12.1 we have the services greyed out function built into the client so that even if you are in the services.msc you will not be able to stop the service."

     

    This is as designed. SEP services controls have been modified for security reasons.



  • 13.  RE: how to disable "disable symantec endpoint protection" but....

    Broadcom Employee
    Posted Feb 22, 2012 03:49 AM

    Hi jagad pramudito,

    I don't understand you do you want to give an acces to disable PTP, Firewall etc .

    However at this point I don't see any other solutions for same. 



  • 14.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Mar 03, 2012 10:17 PM

    Being able to restart the services is very often the solution to many issues.

    I have added a password to allow SEP to be turned off on the client machines, although I must drill down through the command prompt to do so on a Windows 7 machine (I read that this should be capable of being done from the start menu).

    In SEP 11 the file path was short and easily accessible from the command prompt. In 12.1 it is much more cumbersom as the file path is very long.

     

    Is there a way to add a password to restart the services as well?

     

    Thanks,

    Little SEP Dude



  • 15.  RE: how to disable "disable symantec endpoint protection" but....

    Posted Mar 06, 2012 06:21 PM

    Yes, I can add a password protection feature on the SEP services.