Endpoint Protection Small Business Edition

  • 1.  Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 11, 2011 02:48 AM

    Hello,

    I just upgraded from Endpoint Protection SBE 12.0 to 12.1. But now my clients can disable Endpoint Protection. I locked all settings in the policies. But it seems only new clients where I deploy the new software are not able to switch off Antivirus.

    What can I do?

    S. Zimmer

    P.S. Sorry for the English, but I'm from Germany.



  • 2.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 11, 2011 04:43 AM

    Did you try this document?

     

    How to block a user's ability to disable Symantec Endpoint Protection on Clients

     

    http://www.symantec.com/business/support/index?page=content&id=TECH102822&locale=en_US



  • 3.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 11, 2011 05:40 AM

    I use Symantec Endpoint Protection 12.1 Small Business Edition and there is no option "Location-specific Policies". I think only the Enterprise Edition has this option.
     



  • 4.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 11, 2011 12:04 PM

    Are the users logged in as a local admin?



  • 5.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 11, 2011 12:52 PM

    There are some more locks in the policies with SEP 12.1.

    I would just double check you have locked all the "enable" options. The one that generally gets missed is the Browser Intrusion Prevention option in the IPS policy (I think you should still have that in SBE).



  • 6.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 13, 2011 06:39 AM

    The users are not admins (neither local nor domain), only local "Power User".

    But hey, why set so many locks? Can't there be an option to restrict all settings? Why should a normal user switch some of these points?

    For SONAR protection, the lock stays open. No lock is possible.



  • 7.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Jul 14, 2011 05:37 AM

    It seems that the "option" Power User is the problem. But why did this policy work before with this user option in version 12.0 SBE?
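
The post above points at membership of the local Power Users group as the difference between clients that honour the locks and clients that do not. The following PowerShell audit is an added example, not part of any post in this thread and not Symantec tooling: it lists who is in the local Administrators and Power Users groups on a client. It assumes Windows PowerShell 5.1 or later (the `Microsoft.PowerShell.LocalAccounts` module) and looks the groups up by their well-known SIDs, so it also works on localized Windows installs where the group names are translated.

```powershell
# Added example: report members of the local groups that carry elevated rights.
# Well-known SIDs are used instead of names so the check is language-independent.
$groups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}

$report = foreach ($sid in $groups.Keys) {
    try {
        $group   = Get-LocalGroup -SID $sid -ErrorAction Stop
        $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
    }
    catch {
        # Group missing, or membership unreadable (for example an orphaned SID).
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Group     = $groups[$sid]
            LocalName = $null
            Member    = "<error: $($_.Exception.Message)>"
            Class     = $null
            Source    = $null
        }
        continue
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Group     = $groups[$sid]   # canonical English name
            LocalName = $group.Name     # name as shown on this machine
            Member    = $m.Name
            Class     = $m.ObjectClass  # User or Group
            Source    = $m.PrincipalSource
        }
    }
}

# Any ordinary user account listed here is a candidate for removal from the group.
$report | Sort-Object Group, Member | Format-Table -AutoSize
```

Entries with `Class` equal to `Group` are nested domain or local groups, whose own membership has to be reviewed separately.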



  • 8.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Trusted Advisor
    Posted Aug 31, 2011 11:13 AM

     

    Hello,

    You can determine the level of interaction that you want users to have on the Symantec Endpoint Protection client. Choose which features are available for users to configure. For example, you can control the number of notifications that appear and limit users' ability to create firewall rules and virus and spyware scans. You can also give users full access to the user interface.

    The features that users can customize for the user interface are called managed settings. The user does not have access to all the client features, such as password protection.

    To determine the level of user interaction, you can customize the user interface in the following ways:

    • For virus and spyware settings, you can lock or unlock the settings.

    • For firewall settings, intrusion prevention settings, and for some client user interface settings, you can set the user control level and configure the associated settings.

    • You can password-protect the client.

     

    To password-protect the client

    1. In the console, click Clients.

    2. Under Clients, select the group for which you want to set up password protection.

    3. On the Policies tab, under Location-independent Policies and Settings, click General Settings.

    4. Click Security Settings.

    5. On the Security Settings tab, choose any of the following check boxes:

      • Require a password to open the client user interface

      • Require a password to stop the client service

      •  Require a password to import or export a policy

      • Require a password to uninstall the client

    6. In the Password text box, type the password.

      The password is limited to 15 characters or less.

    7. In the Confirm password text box, type the password again.

    8. Click OK.

     

     

     

    Check these articles, which may help you with all the information you are looking for:

    How do you lock down SEP client interface so that end users cannot disable components or modify settings.

    http://www.symantec.com/docs/TECH136678

    How to block a user's ability to disable Symantec Endpoint Protection on Clients

    http://www.symantec.com/docs/TECH102822

    How to restrict users from making configuration changes to the Symantec Endpoint Protection client.

    http://www.symantec.com/docs/TECH102370

    Hope this helps!!!



  • 9.  RE: Symantec Endpoint Protection SBE 12.1 User can disable the Client even when locked by Policy

    Posted Aug 31, 2011 08:07 PM

    Hi Paul,

    Yes, you're definitely right. The one that generally gets missed is the Browser Intrusion Prevention option in the Intrusion Prevention Policy.

    I had the same problem, but it was fixed when I locked that option.

     

    Thank you.

     

    Regards,

    Geneviere