We use it to patch information systems.
Information System Security Manager at a aerospace/defense firm with 10,001+ employees
Helps us put antivirus solutions in place and prevent malware from infecting our machines
Pros and Cons
- "It helps us put antivirus solutions in place and prevent malware from getting to our machines."
- "I can only patch monthly. I don't know what the solution is there, besides being vulnerable for three weeks out of four. But there's got to be an option somehow."
What is our primary use case?
What is most valuable?
It helps us put antivirus solutions in place and prevent malware from getting to our machines. It's a pretty clear-cut solution.
What needs improvement?
Semantic is out there doing the work, identifying viruses and malware that come out weekly. That's the real-world landscape and they're pushing that stuff out as quickly as they can. But I can only patch monthly. I don't know what the solution is there, besides being vulnerable for three weeks out of four. But there's got to be an option somehow.
What do I think about the stability of the solution?
The stability is 100 percent. We've never had a problem with downloading it or accessing it. It works as advertised. It's an extremely good product.
Buyer's Guide
Symantec Endpoint Encryption
May 2025
Learn what your peers think about Symantec Endpoint Encryption. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.
What do I think about the scalability of the solution?
I can put it on anything I want. It's 100 percent scalable.
How are customer service and support?
I've never had to use technical support.
Which solution did I use previously and why did I switch?
The government requirement was to be using McAfee, and we're using Semantic and we just pushed back on it. I told them I have a solution, it's deployed, it's working. It's 100 percent. Why is the government specifying a solution for one particular vendor in an environment where there are many solutions out there? It actually got quite heated and they backed off on the requirement. I was really surprised at that. It's an argument I went into expecting to lose and they came back and said, "Okay, maybe you have a point." But it is a DoD requirement to use McAfee as the antivirus solution.
How was the initial setup?
The initial setup was straightforward. We downloaded the software, put it on a disk, sneakernetted it over to an isolated network, dropped it in the drive, initialized it, and enabled it. It was pretty easy.
What was our ROI?
It's satisfying our requirements at a very high level. That's a return on investment. I don't have a metric, but the results are very good.
Which other solutions did I evaluate?
This solution was chosen for me. I didn't make the decision.
Last year at RSA, Malwarebytes had a booth. I was talking to the vendor and he had some very interesting research. I won't go into too much here, but he had a graph on how many threats McAfee misses, how many Symantec misses, and how good Malwarebytes is, of course. He was trying to sell their software. He said Malwarebytes is a stopgap between the two. We could use it as he suggested. The problem with that is that when you have multiple antivirus engines installed on a machine, they identify each other's threats and cancel out each other's work. It doesn't really work that way.
But I have to look at the results. We haven't had a malware incident as a result of the Semantic solution that we have on 95 percent of our machines. We actually have McAfee on two machines because they are for a different customer and it was easier to do that.
What other advice do I have?
If you make the investment in tech, in updated hardware and software, there are other tools - here we are at RSA 2019, those tools are all over the place. There are other tools that are not single-point solutions. You can solve a whole lot of problems for a lot less money if you're using updated hardware and software rather than old stuff, end-of-life, where you just have one other thing that you have to take care of it. You can put an umbrella over everything with a bigger, newer, better product. But you have to have your hardware and software up to date, rather than the situation that my organization is in.
Semantic an excellent product. It's really just the timing that I mentioned earlier that doesn't work well for us.
On the other hand, we haven't had a breach. We haven't had any issues. We haven't had any incidences of malware popping up. But that's more due to the isolated aspect of our networks. We're not touching the outside, so it's really hard for anything to get in. But disks can be sneakernetted in, hard drives can be brought in, USBs can be brought in, mistakes can be made. Not everything is malicious. Sometimes there is just incompetence involved where somebody hooks up something that they're not supposed to and you have exposure. But we haven't seen any threats related to any of that kind of behavior. I can't really say that we have had a case where anything has gone bad.
In terms of security maturity, we're "mature" in the sense that we're ancient, using old equipment that has reached end-of-life. It's really from the old-age home, it's so mature. We're in dire need of tech refresh and I don't have the budget to support that. But if you unwrap that and look at it from the other side, what would we do without it?
But the real mitigator, the thing that's actually protecting us, is our isolation. We have isolated systems so nothing can get at us. If I get audited, I'd better have antivirus definitions loaded up, current ones. But it really has not affected our security maturity.
If it wasn't for the exception that I mentioned, Symantec Endpoint Encryption, would have been 100 percent successful and I would have to have given it a ten out of ten. With that exception, I have to knock it back to 90 percent, a nine out of ten because, as I said, we're exposed.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Analyst at a tech vendor with 11-50 employees
We can handle remote people very easily with it
Pros and Cons
- "The management console gives us the ability to quickly control who sees what, ensures we are on the latest version, and up-to-date."
- "I would like them to have integration with a wider range of non-Symantec products."
Buyer's Guide
Symantec Endpoint Encryption
May 2025
Learn what your peers think about Symantec Endpoint Encryption. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.
Consultant at a tech company with 10,001+ employees
Vendor
Aug 20, 2013
Master Boot Record (MBR) Corruption and PGP Whole Disk Encryption (WDE)
Today is a big deadline in work. The point when weeks of work move from development to production (via numerous sprints/releases to UAT). The culmination of the development team and my efforts over the last two months. As with most IT projects the last two weeks have been a bit fraught, testing us as we prepare to launch a new suite of Cognos reports.
Today is also the day my Thinkpad has decided to corrupt its master boot record (MBR). Preventing my laptop from loading its operating system. Thankfully Microsoft (and third parties) provide bootable utilities to repair MBRs. However…………
Master Boot Record Corrupt. FAIL!
My MBR failure is complicated by IBM (sensibly) requiring us to use Symantec’s PGP Whole Disk Encryption (WDE). PGP’s WDE protects our laptops, and any sensitive data on them, in the event laptops are lost or stolen. As a mobile worker, and someone regularly on the move, WDE is a nice saftey blanket. Yes, I know it has venerablities and yes, if someone really wants the data on my laptop they will get it. But for additional security and if the laptop is lost it provides some reassurance. It’s also company policy, there is no point in fighting it.
Update: I was wrong about PGP being crackable. Support are able to sort a forgotten password because we run a support server and since 9.7 there are backups in place to recover a forgotten password. But there is still no known published way to crack PGP WDE. E.g. If you can’t decrypt the hdd, the data is lost. On one hand this makes me feel safer about the loss of a laptop and on the other it makes me glad I have most of my data/files backup up. A reminder that I also need a better backup solution for a hdd failure.
With the entire hard disk drive (hdd) encrypted I can’t use a utility program to fix the MBR. The utilities require you to boot from them and in so doing they skip PGP’s BootGuard. BootGuard lets the OS use the encrypted hdd. Until the hdd is decrypted the utilties can’t access the MBR, it’s encrypted and the booting hdd doesn’t even appear. Thankfully, I keep my PGP up to date and the right recover CD handy. Recovery Images can be downloaded here:
https://www.symantec.com/business/support/index?page=content&id=TECH149679
Key to know which version of PGP you have. If you can boot into PGP’s BootGuard screen it’s easy to find out: Selecting ‘advance’ instead of ‘continue’ from the options will display the version and other options to assist in recovery. Since a similar failure in 2009 I keep a note of the PGP version I’ve installed (including any service packs). Just incase PGP’s BootGuard also fails to load. It’s not unheard of for both MBR and PGP BootGuard to be corrupted at the same time. Not knowing which version of PGP 9 I’d installed, combined with the bad sectors that caused the HDD to fail, resulted in my old drive being scrap.
Symantec provide a guide for how to recover from this situation here:
https://www.symantec.com/business/support/index?page=content&id=TECH149345
With the matching version of the recovery disk in place I booted off the recovery CD and tried to let Windows boot itself. In rare cases it’s possible that using the Recovery CD instead of the BootGuard installed on the machine will let Windows boot. Sadly this wasn’t the case, I still had an MBR issue. Back to the drawing board, the next step is a longer one: Rebooting off the Recovery CD, entering my password and then pressing ‘D’ to decrypt the entire hdd. We’re now at 90% having started at 9am this morning.
The laptop hdd is 250gig capacity, of which 80gig was in use. I’m hoping the first 80gig takes the longest to decrypt. Ideally the final170gig will be a lot quicker, as it’s empty disk space. I’ll leave it over night and then all being well use MS’s MBR fixer tomorrow. If anything goes wrong or the laptop gets disrupted during the decrypt, all data is lost. Not the most relaxing situation to be in but I have 90% of my data backed up. All my work is stored on IBM’s cloud and I only stand to lose several recently archived locally emails. The main loss will be time in having to rebuild my Thinkpad. As a worst case this isn’t too bad, but fingers crossed I can full decrypt the hdd and recover my current MBR.
Update: Sadly my 80gig and free space decrypting quicker theory has been proved wrong. It’s now at 38% left to go and hopefully will be sorted in the early hours of Tuesday morning (3.5 days to decrypt 250gig). Keeping everything crossed it keeps going and finishes, allowing me to fix the MBR and recover all my data / Laptop. Decryption takes a fraction of the time if the hdd is mounted as a slave on another system. Lesson learnt! From now on I’ll run two hdd and regularly clone (more on this to come in another post).
93% – Not going anywhere for a while…………..
Before starting a decrypt via the recovery CD I googled alternative options. If you have a second machine with the same version of PGP installed you can plug the hdd in as a slave (via a USB caddy) and use PGP on the local machine to decrypt the hdd. This is the fastest way, sadly I don’t have another machine with PGP installed.
Update: Plugging the hdd in via a USB caddy / as a slave in a second machine is a lot faster because the Recovery CD is limited to 16 bit processing. If in Windows / Linux or OSX the decryption process can be run at 32bit and takes a fraction of the time. With hind sight waiting for SC to get home and pinching her work laptop would have been a better bet. It’s at 83% now with a very slim chance of being finished by Sunday. At least it’s still going. No physical hdd errors, yet!
I used to backup an image of my machine but Windows 7 made this harder and since upgrading I’ve taken to using IBM’s could to backup all of my work and accepting that if I had a failure I’d need to get an additional machine from IBM and rebuild it. Having now tested this theory it doesn’t work!
The new plan
The Plan comes in two flavours: Get a smart phone and improve laptop & return to weekly disk cloning.
1. Smart Phone: 99% of my work calls are handled by VOIP but I’ve been toying with getting a smart phone for work as a backup access to my work email, calendar, instant messaging and terminal services. Four key components of my day job that I’m currently without due to my laptop decrypting (and being corrupt). As a result I’ve bitten the bullet and ordered the Asus Fonepad. It’s not the best spec but a Galaxy Note II is out of the question at the moment. I hardly make calls on my work phone thanks to VOIP. If I did have to make a call I always have my iPhone5 with free minutes to make an emergency work call while out and about. The concept of a 7inch tablet that doubles as an emergency phone (and can be used with my headset) for £180 delivered was too good to get hung up on the negatives (slower processor and you’d look like a sketch from Trigger Happy TV if you tried to make a call in public on it!). I’ll post more on this when it arrives.
2. SSD and Weekly Cloning: My boss has an SSD drive and the boot times + smoothness of operation have always appealed. I’ve been waiting since I had a reason to rebuild the laptop to get one and this is it. I’ve ordered a Kingston Value 120gig drive after reading this review:
https://www.hardocp.com/article/2013/01/28/kingston_ssdnow_v300_120gb_ssd_review/#.Uc1wrj7F1SU
The time it takes to boot my Thinkpad always frustrates me. Even since upgrading from 4 to 8 gig of RAM it’s still sometimes hangs while paging and under heavy loads. Hoping the SSD will also prove more reliable. My Thinkpads travel a lot, the one before clocked over 100k miles. Combined with being on 5 days a week, most weeks of a year, it’s no wonder hdd fails / issues like this occur. With no moving parts an SSD should prove more reliable. It also means I can keep my current drive as a spare (if it’s not beyond repair) and regularly clone the SSD as a backup. More on this to come after the SSD swap and hopeful recovery. A new backup strategy is required (feel free to suggest any ideas in comments, or to laugh at my expense).
For now the Thinkpad is slowly chugging away decrypting and I’m off out to recover and watch Knee High Perform: https://www.kneehigh.co.uk/show/tristan_yseult.php
Thanks to my teams’ efforts and with lots of phone calls the release has gone to UAT and we’ll go live first thing Monday morning. Wish me luck and for a working Thinkpad asap :) .
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Architect at a tech company with 10,001+ employees
Vendor
Aug 11, 2013
Quick comparison of disk performance before and after full disk encryption
The following measurements were taken with a Lenovo Thinkpad W500 with 8Gb ram & running Windows 7 SP1+fixes. The CPU is a 2.5 Ghz core duo.
Whilst not intending to do a thorough controlled test, I thought it would be interesting to see what the effect of Symantec PGP encryption might be on I/O performance
Here’s my SSD before encryption
And here’s the same afterwards
Write speed has roughly been quartered whilst read speed is a little over half
Given this is an SSD the overall throughput is still decent, though this came with a significant increase in CPU – in fact this is now the limiting factor it seems, with the “System” (ie kernel) showing maxed out CPU whilst previously this CPU wasn’t noticeably high
With the hard drive the before measurements were :
Pretty consistent and average for a hard drive. Now adding encryption
Nowhere near such a bad effect – less consistency, but due to the lower data rates the cpu load was lower, and not so close to being maxed out.
This was all done on an idle machine – so the biggest impact will be heavy UI when the system is busy. I expect bootup to be quite a bit slower for this reason
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Symantec Endpoint Encryption Report and get advice and tips from experienced pros
sharing their opinions.
Updated: May 2025
Product Categories
Endpoint EncryptionPopular Comparisons
Microsoft BitLocker
Digital Guardian
ESET Endpoint Encryption
McAfee Complete Data Protection
Trend Micro Endpoint Encryption
Voltage SecureData Enterprise
WinMagic SecureDoc
Sophos SafeGuard
ZENworks Suite
Buyer's Guide
Download our free Symantec Endpoint Encryption Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are the main pros and cons of the various Endpoint Encryption solutions on the market?
- How does Microsoft BitLocker compare with Symantec Endpoint Encryption?
- Which encryption solution is better: ESET Endpoint Encryption or Symantec Endpoint Encryption?
- Which full disk encryption software should we chose?
- What is the difference between "data protection in transit" vs "data protection at rest"?
- What is the best email encryption software for small enterprises using Office 365?
- When evaluating Endpoint Encryption, what aspect do you think is the most important to look for?
- What should one take into account when replacing PGP with Microsoft BitLocker?
- Why do organizations need endpoint encryption?
- What are the main pros and cons of the various Endpoint Encryption solutions on the market?
