The encryption feature is very good.
As we're just in the testing phase, we haven't explored many other features in-depth yet.
Symantec Endpoint Encryption is the #2 ranked solution in our list of top Endpoint Encryption tools. It is most often compared to Microsoft BitLocker.
Symantec Endpoint Encryption is also known as Symantec Drive Encryption.
Updated: September 2021
When we started at that time, the engineers configured the solution only for our roaming users. Now, we have to reconfigure to SQL because we have almost 10,000 clients. We have to do this through SQL because we cannot keep a record of each client.
The agent can be improved on the solution. Right now, we have an Endpoint Protection agent as well as an encryption agent and another for the DLVs and other services. We would prefer a single agent for the entire product.
Endpoint Encryption should be the same as Endpoint Protection. However, for security purposes, we don't want to show to the client the hard drive encryption and all of those related features. If the solution could remove this visibility on the client level and keep it on the control level of the server, that would be better. We don't want to show to the user the security policies.
We haven't had any issues with the stability of the solution.
The scalability of the solution is fine.
We haven't had any issues with the solution yet, so we've never had to contact technical support.
The initial setup is not complex. It's very easy. Deployment time depends on the client and on the machine. Some machines take 24 hours, some machines take three days. Some machines even take up to a half-day. It depends on the hardware.
We had assistance with the integration.
We're using the on-premises deployment model.
I would rate the solution eight out of ten.
The primary use case is for protecting accounts.
We would like some advanced security protection features.
The stability has been good, so far.
The scalability is good.
The technical support is good.
The initial support was straightforward.
The solution has helped to increase staff productivity.
It is a good product.
The primary use case is to protect from data loss prevention in my company.
It has reduced the number of incidents related to the loss of information.
The precision that it has to identify all my assets.
I would like them to improve their support.
The stability is really good and nice. We don't have any issues with the stability, in particular.
You can get any size or use it in any size organization. So, scalability is not a problem.
It's a bit difficult to get good support. Their response times are really bad. I don't like it.
The initial setup was straightforward. It was fast, easy, and not intrusive on my company.
Symantec did the deployment.
This solution has helped to increase staff productivity.
The licensing costs yearly are $5000.
We had three vendors on our shortlist. I chose this vendor because it was a leader at that time, and it still is the leader right now.
I am happy with it and not looking to change vendors.
Try to look at many vendors. There are a lot of papers about solutions, especially this one. So, it's really nice.
I started my security program four years ago, and we now have a mature security program. We added this solution as the last part of our security program.
We use it to patch information systems.
It helps us put antivirus solutions in place and prevent malware from getting to our machines. It's a pretty clear-cut solution.
Symantec is out there doing the work, identifying viruses and malware that come out weekly. That's the real-world landscape and they're pushing that stuff out as quickly as they can. But I can only patch monthly. I don't know what the solution is there, besides being vulnerable for three weeks out of four. But there's got to be an option somehow.
The stability is 100 percent. We've never had a problem with downloading it or accessing it. It works as advertised. It's an extremely good product.
I can put it on anything I want. It's 100 percent scalable.
I've never had to use technical support.
The government requirement was to be using McAfee, and we're using Symantec and we just pushed back on it. I told them I have a solution, it's deployed, it's working. It's 100 percent. Why is the government specifying a solution for one particular vendor in an environment where there are many solutions out there? It actually got quite heated and they backed off on the requirement. I was really surprised at that. It's an argument I went into expecting to lose and they came back and said, "Okay, maybe you have a point." But it is a DoD requirement to use McAfee as the antivirus solution.
The initial setup was straightforward. We downloaded the software, put it on a disk, sneakernetted it over to an isolated network, dropped it in the drive, initialized it, and enabled it. It was pretty easy.
It's satisfying our requirements at a very high level. That's a return on investment. I don't have a metric, but the results are very good.
This solution was chosen for me. I didn't make the decision.
Last year at RSA, Malwarebytes had a booth. I was talking to the vendor and he had some very interesting research. I won't go into too much here, but he had a graph on how many threats McAfee misses, how many Symantec misses, and how good Malwarebytes is, of course. He was trying to sell their software. He said Malwarebytes is a stopgap between the two. We could use it as he suggested. The problem with that is that when you have multiple antivirus engines installed on a machine, they identify each other's threats and cancel out each other's work. It doesn't really work that way.
But I have to look at the results. We haven't had a malware incident as a result of the Symantec solution that we have on 95 percent of our machines. We actually have McAfee on two machines because they are for a different customer and it was easier to do that.
If you make the investment in tech, in updated hardware and software, there are other tools - here we are at RSA 2019, those tools are all over the place. There are other tools that are not single-point solutions. You can solve a whole lot of problems for a lot less money if you're using updated hardware and software rather than old stuff, end-of-life, where you just have one other thing that you have to take care of it. You can put an umbrella over everything with a bigger, newer, better product. But you have to have your hardware and software up to date, rather than the situation that my organization is in.
Symantec is an excellent product. It's really just the timing that I mentioned earlier that doesn't work well for us.
On the other hand, we haven't had a breach. We haven't had any issues. We haven't had any incidences of malware popping up. But that's more due to the isolated aspect of our networks. We're not touching the outside, so it's really hard for anything to get in. But disks can be sneakernetted in, hard drives can be brought in, USBs can be brought in, mistakes can be made. Not everything is malicious. Sometimes there is just incompetence involved where somebody hooks up something that they're not supposed to and you have exposure. But we haven't seen any threats related to any of that kind of behavior. I can't really say that we have had a case where anything has gone bad.
In terms of security maturity, we're "mature" in the sense that we're ancient, using old equipment that has reached end-of-life. It's really from the old-age home, it's so mature. We're in dire need of tech refresh and I don't have the budget to support that. But if you unwrap that and look at it from the other side, what would we do without it?
But the real mitigator, the thing that's actually protecting us, is our isolation. We have isolated systems so nothing can get at us. If I get audited, I'd better have antivirus definitions loaded up, current ones. But it really has not affected our security maturity.
If it wasn't for the exception that I mentioned, Symantec Endpoint Encryption would have been 100 percent successful and I would have to have given it a ten out of ten. With that exception, I have to knock it back to 90 percent, a nine out of ten because, as I said, we're exposed.
The primary use case is just endpoint protection. It is the basis of our whole infrastructure for security staff.
It ensures that we are kept on the same page of the latest version, as updates are being rolled out.
We can automate the solution. It is very simple, and we can handle remote people very easily.
The management console: Being able to quickly control who sees what, ensures we are on the latest version, and up-to-date.
We now have visibility on our metrics.
I would like them to have integration with a wider range of non-Symantec products.
It is the industry standard product with the common set of features, but we would like extra features added on.
It is pretty stable.
We are a small company. We have had no issues with the scalability nor do we anticipate issues as we grow.
The product works best with large companies, but if you will be opening multiple branches (scaling up), the product may be a fit for you.
The technical support is very good and responsive.
I don't know what they had before because I am new to this role.
At first, the initial setup was a little complex. Once I understood what I needed to do, it became straightforward. So, initially, there was a bit of a learning curve. For example, I needed to understand that I wasn't overpaying for the number of seats that we needed based on how we expected to scale up for that number of employees that we had.
We upgraded to the latest version within the last six months.
It can be expensive. However, if you plan to scale or are at a large enterprise company, this product could be what you need.
I used to work at Symantec, so the team chose the solution based on that. There wasn't a rigorous evaluation process. Though, I am sure that we also looked at Palo Alto Networks.
Give it a serious look.
Our security team is more on the immature side rather than the mature side, as we build things out. This automated solution puts us at the base level where we can get better. We went from not being happy with what we had to this product.
Today is a big deadline in work. The point when weeks of work move from development to production (via numerous sprints/releases to UAT). The culmination of the development team and my efforts over the last two months. As with most IT projects the last two weeks have been a bit fraught, testing us as we prepare to launch a new suite of Cognos reports.
Today is also the day my Thinkpad has decided to corrupt its master boot record (MBR). Preventing my laptop from loading its operating system. Thankfully Microsoft (and third parties) provide bootable utilities to repair MBRs. However…………
Master Boot Record Corrupt. FAIL!
My MBR failure is complicated by IBM (sensibly) requiring us to use Symantec’s PGP Whole Disk Encryption (WDE). PGP’s WDE protects our laptops, and any sensitive data on them, in the event laptops are lost or stolen. As a mobile worker, and someone regularly on the move, WDE is a nice safety blanket. Yes, I know it has vulnerabilities and yes, if someone really wants the data on my laptop they will get it. But for additional security and if the laptop is lost it provides some reassurance. It’s also company policy, there is no point in fighting it.
Update: I was wrong about PGP being crackable. Support are able to sort a forgotten password because we run a support server and since 9.7 there are backups in place to recover a forgotten password. But there is still no known published way to crack PGP WDE. E.g. If you can’t decrypt the hdd, the data is lost. On one hand this makes me feel safer about the loss of a laptop and on the other it makes me glad I have most of my data/files backed up. A reminder that I also need a better backup solution for a hdd failure.
With the entire hard disk drive (hdd) encrypted I can’t use a utility program to fix the MBR. The utilities require you to boot from them and in so doing they skip PGP’s BootGuard. BootGuard lets the OS use the encrypted hdd. Until the hdd is decrypted the utilities can’t access the MBR, it’s encrypted and the booting hdd doesn’t even appear. Thankfully, I keep my PGP up to date and the right recovery CD handy. Recovery Images can be downloaded here:
Key to know which version of PGP you have. If you can boot into PGP’s BootGuard screen it’s easy to find out: Selecting ‘advance’ instead of ‘continue’ from the options will display the version and other options to assist in recovery. Since a similar failure in 2009 I keep a note of the PGP version I’ve installed (including any service packs). Just in case PGP’s BootGuard also fails to load. It’s not unheard of for both MBR and PGP BootGuard to be corrupted at the same time. Not knowing which version of PGP 9 I’d installed, combined with the bad sectors that caused the HDD to fail, resulted in my old drive being scrap.
Symantec provide a guide for how to recover from this situation here:
With the matching version of the recovery disk in place I booted off the recovery CD and tried to let Windows boot itself. In rare cases it’s possible that using the Recovery CD instead of the BootGuard installed on the machine will let Windows boot. Sadly this wasn’t the case, I still had an MBR issue. Back to the drawing board, the next step is a longer one: Rebooting off the Recovery CD, entering my password and then pressing ‘D’ to decrypt the entire hdd. We’re now at 90% having started at 9am this morning.
The laptop hdd is 250gig capacity, of which 80gig was in use. I’m hoping the first 80gig takes the longest to decrypt. Ideally the final 170gig will be a lot quicker, as it’s empty disk space. I’ll leave it overnight and then all being well use MS’s MBR fixer tomorrow. If anything goes wrong or the laptop gets disrupted during the decrypt, all data is lost. Not the most relaxing situation to be in but I have 90% of my data backed up. All my work is stored on IBM’s cloud and I only stand to lose several recently archived locally emails. The main loss will be time in having to rebuild my Thinkpad. As a worst case this isn’t too bad, but fingers crossed I can fully decrypt the hdd and recover my current MBR.
Update: Sadly my 80gig and free space decrypting quicker theory has been proved wrong. It’s now at 38% left to go and hopefully will be sorted in the early hours of Tuesday morning (3.5 days to decrypt 250gig). Keeping everything crossed it keeps going and finishes, allowing me to fix the MBR and recover all my data / Laptop. Decryption takes a fraction of the time if the hdd is mounted as a slave on another system. Lesson learnt! From now on I’ll run two hdd and regularly clone (more on this to come in another post).
93% – Not going anywhere for a while…………..
Before starting a decrypt via the recovery CD I googled alternative options. If you have a second machine with the same version of PGP installed you can plug the hdd in as a slave (via a USB caddy) and use PGP on the local machine to decrypt the hdd. This is the fastest way, sadly I don’t have another machine with PGP installed.
Update: Plugging the hdd in via a USB caddy / as a slave in a second machine is a lot faster because the Recovery CD is limited to 16 bit processing. If in Windows / Linux or OSX the decryption process can be run at 32bit and takes a fraction of the time. With hindsight waiting for SC to get home and pinching her work laptop would have been a better bet. It’s at 83% now with a very slim chance of being finished by Sunday. At least it’s still going. No physical hdd errors, yet!
I used to back up an image of my machine but Windows 7 made this harder and since upgrading I’ve taken to using IBM’s cloud to back up all of my work and accepting that if I had a failure I’d need to get an additional machine from IBM and rebuild it. Having now tested this theory it doesn’t work!
The new plan
The Plan comes in two flavours: Get a smart phone and improve laptop & return to weekly disk cloning.
1. Smart Phone: 99% of my work calls are handled by VOIP but I’ve been toying with getting a smart phone for work as a backup access to my work email, calendar, instant messaging and terminal services. Four key components of my day job that I’m currently without due to my laptop decrypting (and being corrupt). As a result I’ve bitten the bullet and ordered the Asus Fonepad. It’s not the best spec but a Galaxy Note II is out of the question at the moment. I hardly make calls on my work phone thanks to VOIP. If I did have to make a call I always have my iPhone5 with free minutes to make an emergency work call while out and about. The concept of a 7inch tablet that doubles as an emergency phone (and can be used with my headset) for £180 delivered was too good to get hung up on the negatives (slower processor and you’d look like a sketch from Trigger Happy TV if you tried to make a call in public on it!). I’ll post more on this when it arrives.
2. SSD and Weekly Cloning: My boss has an SSD drive and the boot times + smoothness of operation have always appealed. I’ve been waiting since I had a reason to rebuild the laptop to get one and this is it. I’ve ordered a Kingston Value 120gig drive after reading this review:
The time it takes to boot my Thinkpad always frustrates me. Even since upgrading from 4 to 8 gig of RAM it still sometimes hangs while paging and under heavy loads. Hoping the SSD will also prove more reliable. My Thinkpads travel a lot, the one before clocked over 100k miles. Combined with being on 5 days a week, most weeks of a year, it’s no wonder hdd fails / issues like this occur. With no moving parts an SSD should prove more reliable. It also means I can keep my current drive as a spare (if it’s not beyond repair) and regularly clone the SSD as a backup. More on this to come after the SSD swap and hopeful recovery. A new backup strategy is required (feel free to suggest any ideas in comments, or to laugh at my expense).
For now the Thinkpad is slowly chugging away decrypting and I’m off out to recover and watch Knee High Perform: https://www.kneehigh.co.uk/show/tristan_yseult.php
Thanks to my teams’ efforts and with lots of phone calls the release has gone to UAT and we’ll go live first thing Monday morning. Wish me luck and for a working Thinkpad asap :) .
The following measurements were taken with a Lenovo Thinkpad W500 with 8GB RAM & running Windows 7 SP1+fixes. The CPU is a 2.5 GHz Core Duo.
Whilst not intending to do a thorough controlled test, I thought it would be interesting to see what the effect of Symantec PGP encryption might be on I/O performance
Here’s my SSD before encryption
And here’s the same afterwards
Write speed has roughly been quartered whilst read speed is a little over half
Given this is an SSD the overall throughput is still decent, though this came with a significant increase in CPU – in fact this is now the limiting factor it seems, with the “System” (i.e. kernel) showing maxed out CPU whilst previously this CPU wasn’t noticeably high.
With the hard drive the before measurements were :
Pretty consistent and average for a hard drive. Now adding encryption
Nowhere near such a bad effect – less consistency, but due to the lower data rates the cpu load was lower, and not so close to being maxed out.
This was all done on an idle machine – so the biggest impact will be heavy UI when the system is busy. I expect bootup to be quite a bit slower for this reason