Symantec Endpoint Protection (SEP) 11 is getting long in the tooth. It was a huge step forward when it shipped, but I'm starting to look forward to the next release. Symantec has already released a Small Business Edition numbered 12, so I'm calling the next enterprise version SEP 12.1. That isn't official. Here's a list of what I'd like to see in it.
Full 64-Bit Feature Parity
Enough is enough. With the release of Windows 7, 64-bit Windows is being adopted by regular users, and some companies have made 64-bit the standard for their Windows 7 corporate rollout.
Symantec does not currently support Application and Device Control on 64-bit Windows. Companies don't want different levels of security for 32-bit versus 64-bit computers. We use the Device Control part of SEP to disable the wireless card when a wired connection is present, and I see that as critical functionality, so this gap is keeping us from using 64-bit laptops at all. The helpdesk, trying to hold down complexity, is also against mixing 32-bit laptops with 64-bit desktops: to avoid testing everything twice they want every computer on 32-bit or every computer on 64-bit.
I can no longer find the knowledge base article, but I recall there being less keylogger protection in 64-bit SEP 11 because of Microsoft's kernel protections on x64 (Kernel Patch Protection, better known as PatchGuard, which blocks the SSDT and kernel hooks the 32-bit product relies on). I'm not sure that one could be fixed without hooking the kernel outside of the approved APIs, which is not a good idea.
Smarter Device Control
As I mentioned, I use Application and Device Control to disable wireless cards whenever the machine has a wired connection. This is an important security control: a laptop that is bridged between the corporate LAN and a wireless interface can be attacked by someone in the parking lot while it is on our network.
The problem with the current method (besides the 64-bit issue covered in the last section) is that Symantec leaves it up to the SEPM administrator to manually add the hardware device ID of each device to be blocked. This is decidedly not cool. Each time we bring in a new laptop model I have to update the block rule with the new device ID, and it's not just wireless cards: I'd like EVDO/3G wireless modems disabled as well. Symantec should be doing this in a more automatic way, by adapter type or device class rather than by individual ID.
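Until the product does it automatically, the ID harvesting can at least be scripted. The following PowerShell is an added example, not code from the original post or from Symantec: it pulls the PnP device IDs of wireless and mobile-broadband adapters from a list of hosts over WMI (the same IDs DevViewer shows for a single machine) and reduces them to model-level IDs for the SEPM block rule. It assumes Win32_NetworkAdapter reports wireless adapters with AdapterTypeId 9 (the name-pattern match is a heuristic fallback for WWAN cards that report as Ethernet), that SEP device IDs accept a trailing * wildcard, and that the host names are constructed examples. It also includes the "wired link is up" test that the rule is meant to key on.

```powershell
# Added example, not from the original post or from Symantec.
# Requires WMI access (admin rights) on the target hosts; works on Windows 7-era
# PowerShell 2.0, which is why it uses Get-WmiObject rather than Get-PnpDevice.

function Get-RadioAdapterDeviceId {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $adapters = Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $ComputerName |
        Where-Object { $_.PNPDeviceID -and $_.PhysicalAdapter }

    foreach ($a in $adapters) {
        # Assumption: AdapterTypeId 9 is "Wireless" in the Win32_NetworkAdapter docs.
        # The name match is a heuristic for EVDO/3G/WWAN cards that enumerate as Ethernet.
        $isRadio = ($a.AdapterTypeId -eq 9) -or
                   ($a.Name -match 'Wireless|Wi-?Fi|802\.11|WLAN|WWAN|Mobile Broadband|EVDO|HSPA')
        if (-not $isRadio) { continue }

        # PNPDeviceID looks like PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\4&1234abcd&0&00E1
        # The last segment is the per-slot instance; dropping it and adding the
        # wildcard (assumed to be accepted by SEP device control) yields one ID
        # that covers every unit of that card model.
        $parts   = $a.PNPDeviceID -split '\\'
        $modelId = ($parts[0..1] -join '\') + '*'

        [PSCustomObject]@{
            ComputerName = $ComputerName
            Name         = $a.Name
            InstanceId   = $a.PNPDeviceID
            BlockRuleId  = $modelId
        }
    }
}

function Test-WiredLinkUp {
    # True when a physical Ethernet adapter (AdapterTypeId 0) reports
    # NetConnectionStatus 2 (Connected): the condition under which the
    # wireless card should be disabled.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $wired = Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $ComputerName |
        Where-Object { $_.PhysicalAdapter -and $_.AdapterTypeId -eq 0 -and $_.NetConnectionStatus -eq 2 }
    return [bool]$wired
}

# Constructed host list; replace with an export from SEPM or AD.
$hosts = @('LAPTOP01', 'LAPTOP02')

# One unique wildcard ID per card model, ready to paste into the SEPM block rule.
$hosts |
    ForEach-Object { Get-RadioAdapterDeviceId -ComputerName $_ } |
    Select-Object -ExpandProperty BlockRuleId -Unique |
    Set-Content -Path '.\wireless-device-ids.txt'

# Spot-check the trigger condition on the local machine.
"Wired link up on $env:COMPUTERNAME : $(Test-WiredLinkUp)"
```

Run it from a management workstation each time a new laptop model arrives and diff the output file against the previous run; only genuinely new model IDs need to be added to the rule. The wildcard form still has to be reviewed by hand, since a VEN/DEV pair shared between a wired and a wireless part would block both.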
IPv6 Support
Symantec Endpoint Protection 11 does not understand IPv6. With the built-in firewall you can only allow or block it as a whole at the protocol level; you cannot write rules based on IPv6 source/destination addresses or ports. Since Windows 7 enables IPv6 with a link-local address by default, allowing the protocol wholesale means every address-based rule can be sidestepped over IPv6 by anyone on the same LAN segment, and blocking it wholesale means breaking it for everyone. I don't think I need to belabor the point: IPv4 address exhaustion is months away according to some reports, and some ISPs are already running IPv6 trials with end users.
To the Cloud
Symantec did rather well in Gartner's December 2010 Endpoint Protection Magic Quadrant, and I believe in-the-cloud protection was even mentioned. The problem is that in-the-cloud reputation scoring is currently only available for home users. I believe all of Symantec's major competitors already use this sort of community scoring as an extra layer of protection, and have for some time.
With in-the-cloud protection, each file is assigned a community-based reputation score (how widely it is seen, for how long, and from where) so it can be treated appropriately: widely trusted files can be skipped, and rare, newly seen files treated with suspicion.
I understand Symantec is a big company, but it needs to innovate on protection, not lag behind while using other parts of the company (the consumer division) as test beds for new engines and techniques.
Performance
I know that Symantec Endpoint Protection was a big step up over Symantec AntiVirus 10 in terms of performance, but that was several years ago. According to some published comparison numbers, Endpoint Protection could use some speed improvements. Not near the top of my list, but worth mentioning.
Single Agent / Single Console
Those of us using GuardianEdge (now owned by Symantec) for encryption are hoping for a unified point of management: one agent to upgrade, one less thing to update, one less place to look for reports.
Some of these items are already listed at Symantec Ideas, and some, like IPv6, are already known to be in the next major release. At Symantec Connect you can use the Ideas section to suggest a new feature or functionality, and vote or comment on other people's suggestions.
I don't have a lot of complaints about SEP. I do hope that a few of these things get cleared up in the next version.