Symantec Endpoint Protection

from Wikipedia

Developer: Broadcom Inc.
Stable release: 14.3 RU9 (Build 11216), 24 June 2024[1]
Operating system: Windows, macOS and Linux
Platform: IA-32 and x86-64
Type: Anti-malware, intrusion prevention and firewall
License: Trialware
Website: www.broadcom.com/products/cyber-security/endpoint

Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers.[2]

Version history

The first release of Symantec Endpoint Protection was published in September 2007 and was called version 11.0.[3] Endpoint Protection is the result of a merger of several security software products, including Symantec Antivirus Corporate Edition 10.0, Client Security, Network Access Control, and Sygate Enterprise Edition.[3] Endpoint Protection also included new features.[3] For example, it can block data transfers to unauthorized device types, such as USB flash drives or Bluetooth devices.[3]

At the time, Symantec Antivirus Corporate Edition was widely criticized as having become bloated and unwieldy.[2] Endpoint Protection 11.0 was intended to address these criticisms.[2] The disk footprint of Symantec Corporate Edition 10.0 was almost 100 MB, whereas Endpoint Protection's was projected to be 21 MB.[2]

In 2009, Symantec introduced a managed service, whereby Symantec staff deploy and manage Symantec Endpoint Protection installations remotely.[4] A Small Business Edition with a faster installation process was released in 2010.[5] In February 2011, Symantec announced version 12.0 of Endpoint Protection.[6] Version 12 incorporated a cloud-based database of malicious files called Symantec Insight.[6] Insight was intended to combat malware that generates mutations of its files to avoid detection by signature-based anti-malware software.[6] In late 2012, Symantec released version 12.1.2, which supports VMware vShield.[7]

A cloud version of Endpoint Protection was released in September 2016.[8] This was followed by version 14 that November.[9] Version 14 incorporates machine learning technology to find patterns in digital data that may be indicative of the presence of a cyber-security threat.[9] It also incorporates memory exploit mitigation and performance improvements.[10]

Features

Symantec Endpoint Protection is a security software suite that includes intrusion prevention, firewall, and anti-malware features.[11] According to SC Magazine, Endpoint Protection also has some features typical of data loss prevention software.[12] It is typically installed on a server running Windows, Linux, or macOS.[13] As of 2018, version 14 is the only currently supported release.[14]

Endpoint Protection scans computers for security threats.[11] It is used to prevent unapproved programs from running,[11] and to apply firewall policies that block or allow network traffic.[15] It attempts to identify and block malicious traffic in a corporate network or coming from a web browser.[16] It uses aggregate information from users to identify malicious software.[12] As of 2016, Symantec claims to use data from 175 million devices that have installed Endpoint Security in 175 countries.[12]

Endpoint Protection has an administrative console that allows the IT department to modify security policies for each department,[11] such as which programs or files to exclude from antivirus scans.[12] It does not manage mobile devices directly, but treats them as peripherals when connected to a computer and protects the computer from any malicious software on the mobile devices.[12]

Vulnerabilities

In early 2012, source code for Symantec Endpoint Protection was stolen and published online.[17] A hacker group called "The Lords of Dharmaraja" claimed credit, alleging the source code was stolen from Indian military intelligence.[18] The Indian government requires vendors to submit the source code of any computer program being sold to the government, to ensure that they are not being used for espionage.[17] In July 2012, an update to Endpoint Protection caused compatibility issues, triggering a Blue Screen of Death on Windows XP machines running certain third-party file system drivers.[19] In 2014, Offensive Security discovered an exploit in Symantec Endpoint Protection during a penetration test of a financial services organization.[20] The exploit in the Application and Device Control driver allowed a logged-in user to get system access.[20] It was patched that August.[20] In 2019, security researcher Ofir Moskovitch discovered a race condition bug involving two critical Symantec Endpoint Protection client core components, Client Management and Proactive Threat Protection, which directly results in a protection mechanism failure that can lead to a self-defense bypass, known as "SEMZTPTN" (Symantec Endpoint Minimized Timed Protection).[21]

Reception

According to Gartner, Symantec Endpoint Protection 14 is one of the more comprehensive endpoint security products available and regularly scores well in independent tests.[10] However, a common criticism is that customers are "fatigued" by "near constant changes" in the product and company direction.[10] SC Magazine said Endpoint Protection 14 was the "most comprehensive tool of its type ... with superb installation and documentation."[12] The review said Endpoint Protection had a "no-brainer setup and administration," but it does have a "wart" in that support fees are "a bit steep."[12]

Forrester said version 12.1 was the most complete endpoint security software product on the market, but the different IT security functions of the software were not well-integrated.[22] The report speculated the lack of integration would be addressed in version 14.[22] Network World ranked Symantec Endpoint Protection sixth in endpoint security products, based on data from NSS Labs testing.[23]

from Grokipedia
Symantec Endpoint Protection (SEP) is a comprehensive client-server endpoint security solution developed by Symantec Corporation, a subsidiary of Broadcom Inc., designed to safeguard laptops, desktops, servers, and mobile devices against malware, ransomware, zero-day threats, and advanced persistent attacks.[1] It employs multilayered defenses, including signature-based antivirus, behavioral analysis, intrusion prevention, and machine learning-driven detection, to proactively block threats across the attack chain while minimizing performance impact on protected systems.[2] Deployable in on-premises, cloud-based, or hybrid environments, SEP integrates with a centralized management console for policy enforcement and real-time monitoring, supporting both physical and virtual endpoints.[3]

Originally launched in 2007 as version 11.0, SEP evolved from Symantec's earlier antivirus products to address the growing complexity of cyber threats, incorporating advanced features like adaptive protection and cloud intelligence over subsequent releases.[4] Following Symantec's acquisition by Broadcom in 2019, the platform has been enhanced with integrations such as mobile threat defense from the Skycure acquisition and Active Directory protection from Javelin Networks, consolidating into a single-agent architecture for unified endpoint management.[5] The current 14.x series, updated as recently as 2025, emphasizes AI-guided policy management, threat hunting, and automated response capabilities, maintaining SEP's position as an industry standard validated by independent testing for high efficacy against evolving risks.[6][7] Key components of SEP include the Endpoint Protection Manager for centralized administration, the Symantec Endpoint Agent for device-level enforcement, and ongoing security content updates delivered via Broadcom's Global Intelligence Network, which leverages global threat intelligence to ensure timely protection.[8] This integrated approach not only prevents breaches but also supports compliance with regulatory standards through features like device control, application control, and firewall management, making it suitable for enterprises of varying scales.[9]

History

Origins and Early Development

Symantec Corporation was founded in 1982 by Gary Hendrix, initially focusing on artificial intelligence and database management software. The company went public in 1989 and pivoted toward utility and security products amid growing demand for PC tools. In 1990, Symantec acquired Peter Norton Computing for its popular Norton Utilities, which propelled the company into the antivirus sector; this led to the development and 1991 launch of Norton AntiVirus, establishing Symantec as a leader in consumer malware protection.[10][11]

By the early 2000s, Symantec had extended its antivirus expertise to enterprises through products like Symantec AntiVirus Corporate Edition, but evolving threats such as zero-day exploits and network-based attacks highlighted limitations of standalone solutions. To address this, Symantec pursued strategic acquisitions, including Sygate in 2005 for firewall and access control technologies, and WholeSecurity in 2005 for behavioral-based threat detection. These moves laid the groundwork for a unified enterprise platform, shifting focus from reactive antivirus to proactive, integrated endpoint security.[12][13][14]

In July 2007, Symantec announced Symantec Endpoint Protection 11.0 as a cornerstone of its "Security 2.0" vision, which emphasized consolidated security to simplify deployment and management in enterprise environments. The product officially launched in September 2007, combining Symantec AntiVirus Corporate Edition's malware scanning, Sygate's firewall and intrusion prevention, WholeSecurity's heuristics for unknown threats, and additional client security features into a single agent. This integration represented key early milestones, including host- and network-based intrusion prevention systems (IPS), application/device control, and antispyware capabilities, all managed via a centralized console.[15][16]

The development goals centered on reducing total cost of ownership by minimizing agent sprawl and administrative complexity, while bolstering defense through behavioral analysis and Symantec's Global Intelligence Network, which monitored threats across 120 million systems worldwide. This approach established Symantec Endpoint Protection as a comprehensive suite for enterprise endpoint defense, moving beyond traditional antivirus to address multifaceted risks.[15]

Acquisitions and Ownership Changes

Symantec's development of endpoint protection solutions was bolstered by strategic acquisitions, including the purchase of Altiris in 2007 for $830 million, which integrated advanced IT management and endpoint deployment tools into its portfolio.[17][18] This acquisition enhanced Symantec's capabilities in endpoint management, allowing for more comprehensive security and administrative controls in enterprise environments.[19]

In August 2019, Broadcom announced its acquisition of Symantec's enterprise security business, including Endpoint Protection, for $10.7 billion in cash, with the deal closing on November 4, 2019.[20][21] Following the acquisition, the business operated as the Symantec Enterprise division under Broadcom, led by Art Gilliland as Senior Vice President and General Manager, marking a shift from Symantec's standalone structure to integration within Broadcom's broader software portfolio.[21]

Post-acquisition, Symantec Endpoint Protection underwent rebranding to Symantec Endpoint Security in certain contexts, reflecting alignment with Broadcom's enterprise-focused strategy.[22] The integration emphasized long-term growth over short-term revenue pressures, with enhancements in cloud-native capabilities to support scalable deployment across hybrid environments.[23] Strategically, this ownership change prioritized enterprise scalability and deeper AI integration, such as advanced incident prediction features that leverage machine learning to anticipate cyber threats, thereby strengthening resilience for large-scale operations.[24][22]

Version Timeline

Symantec Endpoint Protection version 11.0 was released in September 2007 as the initial unified endpoint security suite, combining antivirus, antispyware, and firewall capabilities into a single client.[25] This version marked Symantec's shift toward integrated protection for enterprise endpoints, with subsequent maintenance releases like MR1 in December 2007 addressing initial stability issues.[25] Support for version 11.0 ended on January 5, 2015, after which no further updates or definitions were provided.[26]

Version 12.x began with the release of 12.0 in February 2011, introducing early cloud-based management options through integration with Symantec's Insight service for enhanced threat intelligence sharing.[27] Subsequent updates, such as 12.1 RU4 in October 2013, expanded support to include mobile devices alongside traditional desktops and servers.[28] The 12.x series received ongoing rollups until 2016, but version 12.1 reached end of standard support on April 3, 2019, with extended support concluding on April 3, 2021, leading to deprecation around 2020.[29]

Version 14.0, released in November 2016, represented a major overhaul incorporating Insight Network Threat Analysis for improved network-level threat detection.[30] The series evolved through multiple updates, with version 14.3 launching in May 2020 and reaching 14.3 RU8 by August 2023.[6] Ongoing enhancements continued into 14.3 RU10 in February 2025.[6] In 2025, releases such as 14.3 RU10 Refresh in April included ERASER Engine enhancements to version 119.1.7.8 for better performance and compatibility, alongside expansions in operating system support for Windows 11 and macOS Ventura.[31][7] These updates reflect Broadcom's influence following its 2019 acquisition of Symantec's enterprise security business, prioritizing cloud-native integrations.[6]

End-of-life milestones for older versions, including the full deprecation of 12.1 in 2020, prompted migrations to the 14.x lineage to maintain compatibility with modern endpoints.[32] As of November 2025, version 14.3 remains the active branch, with support extending through at least December 31, 2025, for base 14.3.[6]

Product Overview

Under Broadcom, the platform is increasingly referred to as Symantec Endpoint Security, integrating advanced AI for real-time threat blocking. Targeted Attack Analytics (TAA) employs cloud-based AI algorithms to monitor endpoints for suspicious patterns, triggering real-time alerts, blocking, and remediation—such as automatic ransomware rollback using clean snapshots—upon detection.

Core Components

Symantec Endpoint Protection (SEP) is built around a modular architecture that includes client-side agents, management consoles, and backend services to deliver endpoint security across diverse environments. The primary components enable real-time protection, policy enforcement, and centralized oversight, forming the foundational building blocks of the suite.[33]

The agent software serves as the client-side component installed on individual endpoints, such as desktops, laptops, and servers, to provide on-device security enforcement and scanning capabilities. It communicates with management servers to receive policies and updates, ensuring consistent protection without requiring constant connectivity. This lightweight agent is designed for minimal performance impact while handling core security tasks locally.[33]

Centralized management is facilitated by the Symantec Endpoint Protection Manager (SEPM), an on-premises server application that includes a web-based console for administrators. SEPM handles policy creation, distribution, client registration, and event monitoring, often paired with an embedded database or a Microsoft SQL Server for larger deployments exceeding 5,000 endpoints. It supports remote access for multiple administrators, enabling scalable oversight in enterprise settings.[33]

For organizations preferring cloud-based or hybrid models, the Symantec Endpoint Security (SES) cloud console provides a fully managed platform as an alternative to SEPM. This web-accessible interface allows policy deployment, device management, and monitoring directly from the cloud, integrating seamlessly with on-premises components for flexible architectures. SES emphasizes a single-console approach to streamline operations across distributed environments.[2]

Backend services underpin the suite through integration with Symantec's Global Intelligence Network, which aggregates threat data from millions of endpoints worldwide to enhance collective defenses. Additional elements like LiveUpdate Administrator and Group Update Providers (GUPs) facilitate the distribution of security definitions and content updates, with GUPs acting as intermediaries to offload traffic from the primary management server and support remote clients efficiently.[33]

As of 2025, SEP maintains broad compatibility with major platforms, including Windows, macOS, and Linux operating systems, as well as virtualized environments such as VMware and Hyper-V. This cross-platform support ensures the agent and management components function consistently across physical, virtual, and cloud-hosted endpoints.[2]

Deployment and Management Models

Symantec Endpoint Protection supports multiple deployment models to accommodate diverse organizational needs, including on-premises, cloud-based, and hybrid configurations. The on-premises model utilizes the Symantec Endpoint Protection Manager (SEPM) server, providing full administrative control over endpoints in environments such as air-gapped or restricted networks where internet connectivity is limited or prohibited.[34] This approach is particularly suitable for government or high-security settings requiring extensive client configuration options without reliance on external services.[34]

In the cloud-based model, Symantec Endpoint Security Cloud enables scalable, subscription-based management through a centralized cloud console, eliminating the need for on-premises infrastructure and reducing deployment complexity.[2] This option delivers unified visibility across devices, supports remote locations, and incorporates advanced features like automated threat response, making it ideal for organizations seeking minimal server overhead and rapid scalability.[2] The single-agent architecture simplifies administration for Windows, Mac, Linux, and mobile endpoints, with protection extended via global threat intelligence.[2]

A hybrid approach combines on-premises SEPM with the Symantec Endpoint Security cloud console, allowing organizations to manage legacy or unsupported operating systems through SEPM while leveraging cloud capabilities for modern endpoints.[34] This model facilitates gradual migration to full cloud management and requires SEPM domain enrollment along with Symantec Endpoint Protection clients version 14.3 MP1 or later for compatibility.[34] Agents and select policies are handled via the cloud, while earlier clients remain under SEPM control, offering flexibility for transitional environments.[34]

Installation processes for Symantec Endpoint Protection involve deploying the management server and agents tailored to the chosen model. For the SEPM server, extraction of the installation file to a physical disk followed by running Setup.exe initiates the process, including license acceptance, folder selection, and post-installation configuration of the server and database.[35] Agent rollout supports methods such as creating redistributable installation packages for deployment via Active Directory Group Policy Objects (GPO), Symantec IT Management Suite, or direct device installation; inviting users via email links for self-installation; network discovery and push deployment for unmanaged devices (Windows only); and integration with Unified Endpoint Management (UEM) tools for importing and enrolling devices.[36] These approaches enable scalability for enterprise environments, with best practices recommending client-to-server ratios and database sizing to handle large numbers of endpoints efficiently.[37] Auto-updates can be configured post-installation to maintain agent currency without manual intervention.[36]

Policy management across models emphasizes centralized control and customization. In the on-premises SEPM, default policies are generated during installation and can be tailored to specific environments, enabling administrators to enforce security settings on client computers through various policy types.[38] For cloud and hybrid setups, Symantec Endpoint Security uses policy templates and groups to apply multiple policies simultaneously to devices or groups, with role-based access controlling tasks like creation, upgrades, and exports.[39] Version history tracks changes with comments, and automated updates from Symantec periodically refresh templates, allowing seamless upgrades to incorporate the latest protections as of 2025 releases.[39]

Features

Threat Detection and Prevention

Symantec Endpoint Protection employs a multi-layered approach to threat detection and prevention, combining traditional and proactive mechanisms to identify and block malware, network-based attacks, and unauthorized activities at the endpoint level.[3]

Signature-based detection forms the foundational layer of antivirus protection, relying on a database of virus definitions to scan files and identify known threats such as viruses, worms, Trojans, spyware, bots, adware, and rootkits. These definitions are updated frequently through LiveUpdate, typically multiple times per day, to ensure protection against the latest identified malware signatures.[3][40][41]

Heuristic and behavioral analysis complements signature-based methods by monitoring file and application behaviors in real time to detect suspicious patterns indicative of unknown or evolving threats. This includes tracking over 1,400 specific file behaviors during execution to identify anomalies, such as ransomware attempts involving file encryption or the use of double executable file names, as seen in variants like CryptoLocker.[42][3][43][44]

The Intrusion Prevention System (IPS) provides network-level defense by inspecting traffic for exploits and blocking malicious activities during the infection and data exfiltration phases. As a secondary layer after the firewall, IPS uses signature-based rules to prevent known attacks and extends protection to zero-day threats by analyzing packet payloads for anomalous patterns.[3][45][46]

Firewall integration enhances endpoint security through a host-based rules engine that controls inbound and outbound traffic based on predefined policies. Administrators can configure rules specifying allowed hosts, ports, and applications, effectively blocking unauthorized connections and social engineering attempts that could lead to ransomware infiltration.[47][3][48]

Real-time protection operates through on-access scanning, which examines files as they are opened, executed, or downloaded to prevent threats from activating. This includes immediate analysis using signature matching and behavioral checks, ensuring proactive blocking without relying solely on scheduled scans.[49][3]

Advanced Security Capabilities

Symantec Endpoint Protection incorporates AI-powered detection through advanced machine learning (AML) models that identify anomalies in files and behaviors by analyzing subtle correlations and patterns derived from global telemetry data. These models, integrated into components like the Static Data Scanner and SONAR behavioral analysis, enable predictive threat hunting by learning from Symantec's intelligence network to anticipate and block emerging threats before they execute, achieving high detection rates such as 99% for online threats when combined with cloud-based validation.[50]

Behavioral blocking in Symantec Endpoint Protection leverages Insight technology, a cloud-based reputation service that evaluates file reputations across a global network of billions of daily file interactions to provide zero-day protection against unknown threats. This system uses scoring heuristics and process execution rules to monitor and block malicious activities in real-time, correlating user, file, and network data to convict entire attack groups through lineage tracking and special signatures, thereby reducing false positives while enhancing detection of fileless and living-off-the-land attacks.[51]

The Endpoint Detection and Response (EDR) capabilities offer real-time visibility and response to advanced persistent threats (APTs) by employing machine learning and behavioral analytics to detect suspicious activities on endpoints, such as unauthorized process launches or file modifications. EDR stores event data in a distributed database for forensic analysis, prioritizing incidents based on risk and enabling rapid triage through smart alerts, which supports proactive investigation and containment of APTs across Windows and macOS environments.[52]

Device control features enforce granular restrictions on USB drives, peripherals like printers and modems, and other external hardware to prevent data exfiltration, allowing administrators to block read/write access or mounting based on device type and policy rules. These controls log detections and notify users, supporting both Windows and macOS platforms with options for allow/block lists that prioritize higher-order rules, thereby mitigating risks from unauthorized removable media without impacting approved operations.[53]

In April 2025, Broadcom introduced Incident Prediction, an industry-first capability extending Adaptive Protection in Symantec Endpoint Security Complete. Trained on a catalog of over 500,000 real-world attack chains compiled by the Symantec Threat Hunter Team, Incident Prediction leverages AI to predict an attacker's next four to five moves with up to 100% confidence in some scenarios. It identifies and disrupts living-off-the-land (LOTL) attacks by automating policy adjustments to block anomalous use of legitimate software, preventing escalation and quickly reverting systems to normal operation. This predictive approach enhances real-time threat blocking by shifting from reactive to proactive defense, allowing automated mitigation without extensive manual intervention.

Adaptive Protection, updated as of October 2025, uses machine learning to profile application behaviors against global threat telemetry, dynamically adjusting security policies to block or isolate high-risk actions (e.g., anomalous PowerShell usage) while permitting legitimate operations. It incorporates MITRE ATT&CK mappings and behavioral heat maps to reduce attack surfaces, particularly against LOTL techniques.

These AI-driven features complement existing technologies like SONAR behavioral analysis (monitoring over 1,400 file behaviors in real time) and Insight reputation scoring from the Global Intelligence Network, enabling comprehensive real-time blocking of zero-day threats, ransomware, and advanced persistent threats with high efficacy, as evidenced by perfect or near-perfect scores in independent tests such as SE Labs evaluations.

Integration and Reporting Tools

Symantec Endpoint Protection provides robust API integrations that enable seamless connectivity with security information and event management (SIEM) tools such as Splunk, allowing organizations to collect server and client activity logs for centralized monitoring and analysis.[54] The product's REST APIs and Event Stream API support real-time event streaming to SIEM systems, facilitating the export of system events and security incidents for enhanced visibility across hybrid environments.[55] Additionally, compatibility extends to security orchestration, automation, and response (SOAR) platforms, including IBM QRadar SOAR, D3 SOAR, and Cortex XSOAR, where the APIs enable automated enrichment, investigation, and remediation actions such as querying endpoints for indicators of compromise.[56][57][58]

The third-party ecosystem surrounding Symantec Endpoint Protection has been strengthened through Broadcom's integration of Symantec with Carbon Black, combining Symantec's prevention-focused tools with Carbon Black's endpoint detection and response (EDR) capabilities for extended threat detection and closed-loop analysis.[59] This partnership influences post-acquisition enhancements, enabling real-time detection, investigation, and prevention of advanced threats by leveraging Carbon Black Cloud's forensic features alongside Symantec's core protections.[60] Other integrations include compatibility with tools like Elastic and Datadog for log ingestion, further expanding the ecosystem for comprehensive security operations.[61][62]

Reporting dashboards in Symantec Endpoint Protection offer customizable interfaces for incident analysis, compliance auditing, and integration with threat intelligence feeds, accessible via the Home page in the Symantec Endpoint Security console.[63] Users can tailor widgets to display key performance indicators such as open incidents, risk distribution over time, and top infection actors, drawing from event data collected across endpoints to support auditing and threat trend visualization.[63] Predefined and user-specific views in categories like Threat Analytics and Security Operations allow for the generation of quick reports on detection types, severity levels, and MITRE ATT&CK tactics, with logs exportable in formats compatible with external intelligence sources.[64]

Automated workflows in Symantec Endpoint Protection include quarantine actions that isolate compromised devices from the network upon detecting malware or risks, configurable through policies in the management console to forward infected files centrally for analysis.[65] Rollback features support reverting virus definition updates via the Endpoint Protection Manager, allowing administrators to backdate protections in response to compatibility issues or false positives.[66] Alert notifications are generated for events like Auto-Protect detections and policy changes, with customizable options to notify users or administrators via email or the console, integrating with broader SOAR playbooks for automated responses.[67]

Forensics tools in the 2025 versions of Symantec Endpoint Protection enable incident investigation through forensic data collection, which gathers device artifacts like process lists and file details when incidents are triggered.[68] Timeline views provide a scaled histogram of events over 24-hour periods, allowing analysts to reconstruct attack sequences and correlate activities for deeper insights into threats.[69] These capabilities, enhanced by Carbon Black integration, support post-incident analysis without native packet capture, focusing instead on endpoint-centric forensics.[60]

Vulnerabilities

Historical Security Issues

Symantec Endpoint Protection encountered notable security vulnerabilities prior to 2020, centered on privilege escalations and protective mechanism bypasses in its client software and management infrastructure. These issues stemmed from flaws in tamper protection and code validation processes, potentially enabling local attackers to undermine the product's defenses.[70]

A key example is CVE-2019-12757, a local privilege escalation vulnerability that allowed attackers to bypass tamper protection and elevate access rights. This flaw affected Symantec Endpoint Protection versions prior to 14.2 RU2, requiring local access but exploitable when tamper protection was disabled. Broadcom addressed it in the November 2019 release of version 14.2 RU2, which introduced fixes to strengthen access controls.[71][70][72]

CVE-2019-12758 represented another critical bypass, where improper DLL loading from the current working directory enabled the execution of unsigned malicious payloads, circumventing self-defense features. Impacting versions prior to 14.2 RU2, this vulnerability was demonstrated by researchers to facilitate defense evasion on affected systems. It was patched alongside CVE-2019-12757 in the 14.2 RU2 update, with recommendations to enable full tamper protection.[73][70][74]

Early 2020 disclosures revealed additional flaws, including CVE-2020-5821, a DLL injection vulnerability in client versions prior to 14.3 RU1. These issues, part of a broader set affecting both clients and the Endpoint Protection Manager, were resolved through targeted Rollup Updates issued by Broadcom in March 2020.[75][76]

The scope of these pre-2020 vulnerabilities primarily involved local privilege escalations and bypasses that could extend to the management server, risking unauthorized control over endpoint fleets in enterprise environments.[70][77] In response, Broadcom, following its November 2019 acquisition of Symantec's enterprise security division, mandated immediate patching for vulnerable installations and rolled out enhanced tamper protection in subsequent updates to mitigate recurrence of such bypasses.[70][75]

Recent Vulnerabilities and Responses

In recent years, Symantec Endpoint Protection (SEP) has faced several vulnerabilities primarily affecting its Windows agent and management components, with Broadcom issuing patches and advisories to mitigate risks. These issues, starting from 2020, highlight challenges in privilege management and remote access controls, prompting enhanced remediation measures.[78] One notable vulnerability is CVE-2022-37016, a privilege escalation flaw in the SEP Windows agent that allows attackers to access unauthorized resources. This critical issue, scored at CVSS 9.8, impacts versions up to and including 14.3.5. Broadcom addressed it through updates released in late 2022, recommending immediate upgrades to patched versions.[78] In 2025, the ERASER Engine in SEP encountered an elevation of privilege vulnerability identified as CVE-2025-3599, with a CVSS score of 7.5 (High). Affecting ERASER Engine versions prior to 119.1.7.8 on Windows agents, it could enable attackers to delete protected resources via network access. Broadcom issued a security advisory on April 29, 2025; the remediation is to upgrade to ERASER Engine 119.1.7.8 or later.[79] Broadcom's response strategies emphasize proactive defenses, including enforced auto-updates via the LiveUpdate mechanism to deliver patches and definitions automatically, minimizing unpatched exposure. Additionally, integration with vulnerability scanning tools within the SEP suite allows for ongoing assessment of endpoint risks. The company recommends adopting zero-trust architecture principles, as outlined in its Symantec Zero Trust Framework, to verify access continuously and limit lateral movement in the event of exploitation.[80][81] For ongoing monitoring, Broadcom integrates SEP with its security advisories portal, providing real-time notifications and proactive patching guidance to ensure timely responses to emerging threats.[82]
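The practical defender task behind both vulnerability subsections above is the same: compare what each endpoint reports against the affected-version boundaries in the advisories and find the hosts that still need the fixed release. The script below is an added example, not Broadcom's code or any SEP API; the CVE identifiers and version boundaries are the ones the article states, while the hostnames and installed versions are constructed. It assumes that a Release Update number can be used as the third version component (so "14.2 RU2" sorts like "14.2.2"); real SEP releases also carry a build number, which the example does not model.

```python
"""Patch-status triage of a constructed SEP endpoint inventory (added example)."""
import re
from dataclasses import dataclass

# Assumption for this example: the Release Update number is the third version
# component, so "14.2 RU2" and "14.2.2" sort identically. Real SEP releases also
# carry a build number (e.g. 14.3 RU9 is Build 11216), which is not modelled here.
_RU_FORM = re.compile(r"^(\d+)\.(\d+)(?:\s*RU\s*(\d+))?$", re.IGNORECASE)
_DOTTED_FORM = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.2 RU2', '14.3.5' or '119.1.7.8' into a comparable integer tuple."""
    text = text.strip()
    m = _RU_FORM.match(text)
    if m:
        major, minor, ru = m.groups()
        return (int(major), int(minor), int(ru or 0))
    if _DOTTED_FORM.match(text):
        return tuple(int(part) for part in text.split("."))
    raise ValueError(f"unrecognised version string: {text!r}")


def _padded(a: tuple[int, ...], b: tuple[int, ...]):
    # Right-pad with zeros so that 14.2 and 14.2.0 compare equal.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    a, b = _padded(a, b)
    return a < b


def version_le(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    a, b = _padded(a, b)
    return a <= b


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str    # inventory field the boundary applies to
    threshold: str    # version boundary as stated in the advisory
    inclusive: bool   # True for "up to and including", False for "prior to"

    def affects(self, installed: str) -> bool:
        have, limit = parse_version(installed), parse_version(self.threshold)
        return version_le(have, limit) if self.inclusive else version_lt(have, limit)


# Boundaries as the article states them; "prior to X" means X is the first fixed release.
ADVISORIES = (
    Advisory("CVE-2019-12757", "product", "14.2 RU2", inclusive=False),
    Advisory("CVE-2019-12758", "product", "14.2 RU2", inclusive=False),
    Advisory("CVE-2020-5821", "product", "14.3 RU1", inclusive=False),
    Advisory("CVE-2022-37016", "product", "14.3.5", inclusive=True),
    Advisory("CVE-2025-3599", "eraser_engine", "119.1.7.8", inclusive=False),
)

# Constructed inventory: hostnames and installed versions are invented for the example.
INVENTORY = (
    {"host": "ws-01", "product": "14.2 RU1", "eraser_engine": "119.1.7.6"},
    {"host": "ws-02", "product": "14.3 RU9", "eraser_engine": "119.1.7.8"},
    {"host": "srv-03", "product": "14.3.5", "eraser_engine": "119.1.7.8"},
)


def triage(inventory=INVENTORY, advisories=ADVISORIES) -> dict[str, list[str]]:
    """Map each host to the CVEs whose affected range still contains its versions."""
    report: dict[str, list[str]] = {}
    for record in inventory:
        hits = [adv.cve for adv in advisories
                if adv.component in record and adv.affects(record[adv.component])]
        report[record["host"]] = hits
    return report


if __name__ == "__main__":
    for host, cves in triage().items():
        print(f"{host}: {'no outstanding advisories' if not cves else ', '.join(cves)}")
```

The boundary is kept separate from the comparison direction because the advisories phrase it two ways ("prior to 14.2 RU2" versus "up to and including 14.3.5"); mixing the two up is the usual way a triage script silently under-reports a fleet. Feeding the script a real export would require mapping the product's actual build numbers onto the version scheme it assumes.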

Reception

Critical Reviews and Ratings

Symantec Endpoint Protection, now part of Broadcom's portfolio, has been consistently recognized as a leader in professional analyst evaluations for endpoint protection platforms. Symantec was included as a vendor in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms. On Gartner Peer Insights, the product earns an average rating of 4.4 out of 5 from over 2,300 verified reviews, with users highlighting strong threat detection, intuitive management, and reliable performance, though some note challenges with deployment complexity in large-scale environments.[83][84] Independent testing labs have awarded high marks for detection efficacy and minimal disruptions. In AV-TEST Institute's 2025 evaluations for business Windows endpoints, Symantec Endpoint Security Complete achieved top-product status, scoring 6/6 in protection for 100% detection of known threats, alongside near-perfect usability but with minor deductions for system performance impact during intensive scans.[85][86][87] Market analyses underscore its strong position, with IDC identifying Symantec as a global leader in endpoint security market share. According to 2024 Datanyze data, it captures the second-largest share at 11.5% of the endpoint protection market, behind Trend Micro's 16.3%. Criticisms in reviews occasionally point to slower adaptation to emerging zero-day threats compared to cloud-native rivals like CrowdStrike, which prioritize real-time behavioral analysis, alongside noted complexity in configuration for non-expert administrators.[88][89][90]

User Experiences and Market Position

Users of Symantec Endpoint Protection frequently praise its reliability in threat detection, particularly for blocking ransomware through behavioral analysis and file-based protection mechanisms. On TrustRadius, reviewers highlight its effectiveness in managing large-scale deployments across enterprises, with central management tools enabling seamless policy enforcement and updates. For instance, a 2025 review noted its strong performance in restricting USB access and halting malware infections, contributing to an overall rating of 8.4 out of 10 from 175 users. Similarly, G2 users commend the software's consistent protection and lightweight background operation on modern hardware, averaging 4.4 out of 5 from over 500 reviews as of 2025.[91][92] However, common criticisms include high resource consumption on older hardware, which can lead to performance slowdowns, and a steep learning curve for customizing the management console. TrustRadius feedback points to challenges in integrating with cloud servers and occasional compatibility issues with specialized software, requiring additional configuration time. Deployment is generally straightforward for enterprises but may involve hurdles in hybrid setups, as noted in user experiences emphasizing the need for better live update processes.[91] In the market, Symantec Endpoint Protection holds a strong position as the second-largest vendor in the global endpoint security sector, capturing 11.5% share as of 2024 Datanyze data and continuing robust adoption into 2025, particularly among small and medium-sized businesses (SMBs) and large enterprises seeking comprehensive protection. Compared to Microsoft Defender for Endpoint, which excels in native Windows integration and cost efficiency for Microsoft-centric environments, Symantec offers broader multi-platform support but lags in seamless ecosystem alignment. Against SentinelOne, Symantec provides solid endpoint detection and response (EDR) capabilities, though SentinelOne is favored for faster autonomous remediation in dynamic threat scenarios.[4][93] Post-acquisition by Broadcom in 2019, adoption trends show a marked shift toward cloud-managed models, with hybrid environments experiencing significant growth in 2025 due to flexible deployment options that blend on-premises and cloud consoles. This transition supports secure workload migration and enhances scalability for organizations embracing remote and hybrid work, as evidenced by Broadcom's emphasis on cloud-based endpoint security for compliance and threat prediction.[2][94] In 2026, Symantec Endpoint Security receives mixed but generally positive feedback in enterprise contexts. On TrustRadius, it scores 8.5 out of 10, with users praising its reliable protection and compliance features, though some note management complexity. Gartner Peer Insights comparisons show Symantec Endpoint Security Complete at 4.4 stars (1,624 reviews), trailing competitors like Fortinet's FortiClient at 4.8 stars (386 reviews) in some endpoint protection platform evaluations. Independent studies, such as a 2025 ResearchGate assessment, report virus detection rates up to 98% across devices, with strong performance against phishing and intrusions, and minimal system impact. Since the 2019 Broadcom acquisition, the product line has seen integration with Carbon Black for enhanced EDR, but some users report slower innovation and pricing concerns on renewals. It remains a strong choice for large, regulated enterprises needing deep DLP and compliance tools, though it is criticized for a steeper learning curve compared to more agile alternatives.

References
