Symantec Endpoint Protection Client


Judd Eisenhauer

Aug 3, 2024, 5:19:22 PM
to gatsitoore

@DMobley_232 You don't mention what client checks are failing exactly, but setting the "Manage Endpoint Protection client on client computers" to "No" when using a third-party anti-malware solution would probably be a good idea.

@DMobley_232 What I meant was, you didn't mention which client checks fail. The Client Status dashboard (\Monitoring\Overview\Client Status) contains a Most Frequent Client Check Errors bar graph that should give you an idea which checks are failing most frequently.

As for the "Manage Endpoint Protection client on client computers" setting: this is set to "No" by default. Before you can even set this to "Yes", you need to install the Endpoint Protection point role in the site. None of this is required if you don't want to manage the Windows Defender using ConfigMgr, and both of these require a conscious decision by and effort from an administrator, so this is something that someone enabled in your site at some point in time.

I created a new client setting policy under Administration > Client Settings that was deployed to the 15 computers with "NO" to Manage Endpoint Protection Client on client computers. Within 24 hours, 75% of the test computers successfully passed client check.

@DMobley232 This is exactly as expected. As documented in Microsoft Defender Antivirus compatibility, "If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode".

However, in your client settings you've configured Defender to be enabled. As a result, the Configuration Manager Health Evaluation task (CcmEval) will check the status of the Defender service and, if it isn't enabled and/or running, will try to enable and/or start it. Obviously this fails because a third-party antivirus solution is installed.

The aforementioned document also states that "When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint". So for that, you don't need to enable the Defender management client settings in ConfigMgr at all. My recommendation would be to disable these settings, and to uninstall the Endpoint Protection point if no longer needed.

Your detective work seems spot on! When playing nice with a 3rd party like Crowdstrike, flipping the switch to "No" on "Manage Endpoint Protection Client on Client computers" often does the trick. It lets the external AV do its thing without unnecessary clashes.
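The thread above describes the mechanism from the ConfigMgr console side; the following PowerShell is an added example (not posted by any participant) that shows what to look at on a single endpoint to confirm the same diagnosis: Defender's own running mode, the antivirus products registered with Windows Security Center, the Defender service state, and the last health-evaluation report written by CcmEval. It assumes a Windows 10/11 client with the Defender PowerShell module, a ConfigMgr client installed under `%windir%\CCM`, and that CcmEvalReport.xml uses `HealthCheck` elements (an assumption; the script prints whatever attributes it finds rather than relying on their names). The `productState` bit decoding follows the commonly documented layout and is also an assumption.

```powershell
# Added example, not code from the thread or from Microsoft.
# Purpose: show why CcmEval cannot enable Defender when a third-party AV is present.

# 1. Defender's own view. "Passive Mode" / "Not running" is the documented result of
#    a registered non-Microsoft antivirus product (see the thread above).
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode             = $mp.AMRunningMode
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
} | Format-List

# 2. Which antivirus products Windows Security Center knows about (client SKUs only).
#    Assumption: in productState, bit 0x1000 = product enabled, bit 0x10 = definitions out of date.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    ForEach-Object {
        [pscustomobject]@{
            Product     = $_.displayName
            Enabled     = [bool]($_.productState -band 0x1000)
            DefsCurrent = -not [bool]($_.productState -band 0x10)
        }
    } | Format-Table -AutoSize

# 3. The service CcmEval tries to enable/start when the client setting is "Yes".
Get-Service -Name WinDefend | Select-Object Name, Status, StartType

# 4. CcmEval's last report: the same checks that feed the Client Status dashboard.
$report = Join-Path $env:windir 'CCM\CcmEvalReport.xml'
if (Test-Path $report) {
    [xml]$xml = Get-Content -Path $report -Raw
    # Assumption: health checks are <HealthCheck ...> elements; attributes are printed as found.
    $xml.SelectNodes('//HealthCheck') | ForEach-Object {
        $row = [ordered]@{}
        foreach ($a in $_.Attributes) { $row[$a.Name] = $a.Value }
        [pscustomobject]$row
    } | Format-Table -AutoSize
}

# 5. Recent Endpoint Protection related lines from the evaluation log.
$log = Join-Path $env:windir 'CCM\Logs\CcmEval.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'Endpoint Protection' | Select-Object -Last 5
}
```

Run it in an elevated PowerShell session on one of the failing machines before and after the client-setting change: with the setting at "Yes" you should see Defender in passive or not-running mode alongside the third-party product, and the corresponding health check failing; with it at "No" the check disappears from the report.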

Symantec (Norton) Endpoint Protection antivirus software is used by the Stony Brook University community to help guard against malicious viruses taking control of University-owned and personal computers. Stony Brook has a multi-year license to use and distribute the software to members of campus free of charge.

On a Windows computer, check the list of program files to see if Symantec Endpoint Protection is installed. If there is a gold shield in the system tray (next to your clock), then the software has already been installed.

Symantec Endpoint Protection is installed on University-owned machines by either Customer Engagement & Support or a departmental support technician. If the software is not running on your computer, please call your local technician or create a service ticket to have it installed for you.

Students, faculty, and staff may obtain Symantec Endpoint Protection for their personal computers at no extra charge by downloading the un-managed version from Softweb ( ). Whenever a new version of Symantec is rolled out, Stony Brook packages the upgrade and makes it available to the campus community via Softweb.

The managed version of Symantec Endpoint Protection found on Softweb is for University-owned computers, mostly used by employees. It is not for personal computers or mobile devices used to access the WolfieNet wireless network. University-owned computers with the managed version get their virus definitions updated every 4 hours. You know you have the managed version of Symantec AntiVirus if there is a gold shield with a green dot in your system tray.

The un-managed version of Symantec Endpoint Protection is for personal computers and mobile devices. Users with the un-managed version need to run their own scans. If you have a gold shield without a green dot in your system tray, then you know you're running the un-managed version of Symantec.

SB users with the managed version of Symantec Endpoint Protection are automatically set up to have their computers scanned weekly. Users with the un-managed version need to manually scan for threats. To manually run an anti-virus scan, open Symantec Endpoint Protection from Programs (Windows) or Application (Mac) and then click Scan (for Threats).

There is an option to run one of two scans, either an Active Scan which checks the most-commonly infected areas, or a Full Scan which checks the entire computer. The full scan takes much longer, so more time is needed if you are going to do this. It is best to run an active scan first and if anything turns up, then run a full scan.

LiveUpdate keeps your virus definitions up-to-date. It obtains Symantec program and protection updates for your computer by using your Internet connection. Program updates are usually created to extend the operating system or hardware compatibility, adjust a performance issue, or fix program errors. Symantec releases program updates on an as-needed basis. LiveUpdate locates and obtains files from a website, installs them, and then deletes the remaining files from your computer. Protection updates are the files that keep your Symantec product up-to-date with the latest threat protection technology. By default, LiveUpdate runs automatically at scheduled intervals. Based on your security settings, you can run LiveUpdate manually by going into the Symantec client and clicking on the LiveUpdate link in the sidebar. You might also be able to disable LiveUpdate or change the LiveUpdate schedule.

If Symantec detects a virus on your computer, you might be alerted with a pop-up message, but not always. Sometimes the threat will automatically be sent to your quarantine. Users with the managed version of Symantec will automatically have their quarantines emptied if a virus shows up there. Un-managed users should periodically check both their logs and their quarantine for threats.

To do this, open the Symantec client and select View Logs or View Quarantine from the sidebar. When you click View Logs on the sidebar, click the "View Logs" button next to Antivirus and Antispyware Protection. Select "Risk Log" for a complete record of threats that have attempted to infiltrate your machine. You can delete any exploits that have been sent to your quarantine by highlighting those found in the quarantine and right-clicking "Delete."

If there is something in the quarantine and its status says Left alone, run a full scan and see if the full scan picks it up and removes it. If the full scan does not remove it, reboot into "Safe Mode with Networking" by restarting your machine and pressing F8 as soon as it starts back up, then choose "Safe Mode with Networking" when the menu appears. From there, open the Symantec client and try running the full scan again.

Everyone else should make sure they are running Windows Updates periodically to take care of exploits and make sure their Windows Firewall is turned on, since some viruses attempt to turn it off. To turn on your Windows Firewall, go to the Start Menu > Control Panel > Windows Firewall and make sure it is turned on.
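The checks in this FAQ (is Symantec installed, is the firewall on, are updates being applied) can be done from PowerShell instead of clicking through Control Panel. The script below is an added example, not part of the Stony Brook documentation; it assumes Windows 8 or later (for `Get-NetFirewallProfile`) and that the Symantec Endpoint Protection client registers its service under the name `SepMasterService`, which is an assumption you should verify on your own build.

```powershell
# Added example, not from the original page.
# Self-check for a personal Windows machine: SEP present, firewall on, updates current.

function Get-SepInstallState {
    # Look in both 64-bit and 32-bit uninstall hives for the SEP product entry.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $sep = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection*' } |
           Select-Object -First 1 DisplayName, DisplayVersion
    # Assumption: the SEP core service is named SepMasterService.
    $svc = Get-Service -Name SepMasterService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = [bool]$sep
        Version   = if ($sep) { $sep.DisplayVersion } else { $null }
        Service   = if ($svc) { $svc.Status } else { 'not found' }
    }
}

function Get-FirewallState {
    # One row per profile; any profile with Enabled = False is what the FAQ warns about.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Enable-AllFirewallProfiles {
    # Requires an elevated session. Turns the firewall on for Domain, Private and Public.
    Set-NetFirewallProfile -All -Enabled True
}

function Get-LastWindowsUpdate {
    # The Windows Update Agent COM object records the last successful install.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $au.Results.LastInstallationSuccessDate
}

Get-SepInstallState
Get-FirewallState
"Last successful Windows Update install: $(Get-LastWindowsUpdate)"
```

Run the first three calls as an ordinary user to get a report; call `Enable-AllFirewallProfiles` only from an elevated session if any profile shows `Enabled : False`.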

Yes. Windows users should first try to remove the software from their list of programs by going to Control Panel > Programs and Features (if using Windows 7 or 8) or Control Panel > Add or Remove Programs (if using Windows XP). Symantec Endpoint Protection and LiveUpdate will both need to be removed from the list of programs. If that does not work, use one of the removal tools found on Softweb under University Fixes & Solutions. Mac users can see the Uninstalling Your Norton Product for Mac instructions.

The SEP client combines various client security technologies under a single application. This helps protect your computer without sacrificing performance.

SEP scans local hard disks and monitors file access to detect potential threats. If SEP detects a threat, it blocks any unnecessary access until the threat has been resolved. On Windows and Mac computers, for added protection against network-related threats, SEP also provides intrusion prevention (IPS). Windows computers receive additional network protection in the form of proactive threat scanning and personal firewall capabilities.

To access installation guides for Windows, Mac and Linux clients, click on the tutorial links on the left sidebar. Frequently Asked Questions pages for each operating system are also available via the left sidebar.

The new version can be installed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager (ICDm) cloud console. This agent release includes key innovations such as:

The Symantec agent, used by SEP, SES Enterprise, and SES Complete, enhances Apple macOS security and provides enhancements such as device control, network firewall and intrusion prevention to block threats from compromising the endpoint.

Now, with the release of the Mac agent, there is greater visibility into security incidents in the ICDm console. Incident handlers can dig deeper into an individual endpoint, looking for indicators of compromise such as what process was launched, files that were created, and other possibly unauthorized events. These are key steps toward surfacing and remediating problems, particularly when devices are off-premises and outside of firewalls and VPNs.
