Symantec Endpoint Security pros and cons

What I like most about Symantec is the intrusion detection module. If you are scanning the environment, it will flag a possible intruder and tell you the IP and where the attack is coming from. Traditional antivirus solutions will never flag that. If you have a traditional SIEM, you might be able to pick that up. Symantec is a holistic endpoint security solution, so when you scan an endpoint, Symantec will let you know that something is happening to it.

There is no other endpoint solution that will help you in preventing lateral-movement attacks on Active Directory. And Active Directory is one of the more critical assets within an organization.

With a single console, you get control over Mac, Windows, iOS, and Android. This control is most valuable.

I like the endpoint detection and response. That's the best feature. I also like the fact that we don't need to use a file on the computer, whereas some anti-malware solutions work with a file on the endpoint. Symantec is a very good option compared to solutions from other vendors.

The dashboard view and reporting are valuable. It is stable and easy to integrate, and it provides custom options.

We use the Symantec Global Intelligence Network (GIN), and it's an excellent feature as Symantec is a leader in security solutions. The product has all the security features we require as an organization, including intelligent features such as notification alerts and predicting future attacks. The threat intelligence and detection are excellent, and the solution provides great visuals and logs so that we can analyze any attacks on our servers. GIN is a powerful tool in terms of detection capability across endpoints, email, and web traffic, as it can scan them with its advanced threat intelligence. The product can detect threats, report them to us, and quarantine them.

The mobile application is valuable. You are able to see the reports of intrusions and the like on mobile devices. That is one of the coolest aspects.

The application and device control functionality is good. We are able to see which applications are installed using the product management dashboard.

The solution, especially in older versions, is quite stable.

If there is exposure, we need to investigate the source of the attack, e.g., whether it came from the network or externally. We view the firewall logs, and if there has been exposure, then we use the Application Isolation feature. When there is an attack with on-prem, that system will go into isolation mode, removing connectivity to other internal systems. We also restrict the WLAN part to avoid that system broadcasting to other networks.

Symantec's application security module needs some improvement. You need to create a lot of fingerprints for application security. For instance, let's say I have different brands of ATMs in my environment, like Wincor and NCR. I use GRG to deploy an application control to whitelist some applications. I have to get the exact image of the different models of ATMs. When I tested in the past, some machines would not connect to the server without that.

In a few cases, when we enable the IPS/IDS feature, there are performance-related issues on the end devices. If we run quite a few features of Symantec, especially the IPS/IDF, it consumes a lot of processing and memory capacity.

If there is a suspicious file, it is put into a sandbox where Symantec does an analysis. After the analysis, Symantec marks the file as a risk, but it doesn't blacklist or block the file. If a file is already known to be harmful, I would like them to automatically block or blacklist it to reduce the damage.

One suggestion I have for both regular and mobile would be to collect all the information about installed software, such as versions, and give that information to the manager to help with software management. That would be a huge advantage for everyone who administers these tools.

Nowadays, threats are changing, and they are moving more towards script control and zero-day attacks. So, we would like to have more control similar to an EDR solution. Symantec Endpoint Protection has certainly come a long way as a traditional antivirus, but because the threats are changing, we would like to have more EDR features so that we have a detailed view of the source from where the infection entered the environment and whether it has tried to connect any other endpoint. It should provide such a detailed view for investigation. It should protect against zero-day threats, etc. These are the key enhancements that can make it a complete solution for any enterprise. Currently, we have seen organizations going for two solutions: antivirus and EDR. With both these capabilities, it would be a complete package.

Installation of the tool on a workstation requires some technical knowledge, which could be more straightforward.

We communicate with our local partners and they give us the license key. Then, we have to go to the portal and apply it, but sometimes it doesn't work. We then have to create a new administrative account and migrate all our endpoints. That is the only major issue we have been battling with.

It would be helpful if this product provided patch management functionality.

The support needs to be better. When we upgrade, we can run into issues, and it's hard to get the help we require.

The device can be outdated. More enhancement of network and discovery would help already great features.