Standard Symantec Endpoint Protection (SEP) is designed to block threats and manage endpoint health. It can block suspicious actions by files, but this is different from a dedicated File Integrity Monitoring (FIM) solution that audits every change (who, what, and when) to a specific file.

In the traditional on-premises version of SEP, File Integrity Monitoring is achieved through two primary mechanisms:

1. The IPS component in SEP acts as a behavior-monitoring engine. It watches system activity in real time. A typical use is preventing malware or attackers from modifying critical operating system files (like the hosts file or system32 drivers).

2. SEP’s primary mechanism for file oversight is a policy that allows administrators to monitor and restrict how files are accessed or modified. For instance, an administrator can create rules to log attempts to modify critical system files or sensitive data directories. When paired with the System Lockdown feature—which only allows approved applications to run—SEP provides a high degree of control over the file environment.

You could also schedule a daily “Custom Scan” to compute hashes of /etc/passwd and compare them to a baseline. But that is not real-time, is not automated for alerting, and would not satisfy regulatory FIM requirements.

For true FIM, you need Symantec Critical System Protection / Data Center Security or an independent third-party tool.

However, for users of the newer cloud platform, dedicated FIM features are more prominent. If you have migrated to Broadcom’s cloud-based platform, the FIM capabilities are more robust and easier to configure.

If you’re looking to implement this for a specific compliance standard or environment, let me know:
- The compliance standard you’re aiming for (e.g., PCI DSS, HIPAA)
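To make the custom-scan limitation concrete, here is an added example (not Symantec code and not from the original answer) of the hash-baseline comparison such a scheduled scan could perform. It uses a constructed stand-in for /etc/passwd in a temporary directory; note that it can report that a file changed, but nothing in the hash or file metadata tells you who changed it.

```python
"""Minimal hash-baseline check of the kind a scheduled 'Custom Scan' can do.
It detects *what* changed (content hash) and roughly *when* (mtime), but it
cannot attribute the change to a user, which a dedicated FIM agent records."""
import hashlib
import json
import os
import tempfile


def file_record(path):
    """Content hash plus the metadata available after the fact (no actor)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "mtime": st.st_mtime, "mode": st.st_mode}


def build_baseline(paths):
    """Snapshot every path that exists; missing paths are simply absent."""
    return {p: file_record(p) for p in paths if os.path.exists(p)}


def compare(baseline, paths):
    """Return {path: status}, status in {'ok', 'modified', 'added', 'removed'}."""
    current = build_baseline(paths)
    result = {}
    for p in set(baseline) | set(current):
        if p not in current:
            result[p] = "removed"
        elif p not in baseline:
            result[p] = "added"
        elif current[p]["sha256"] != baseline[p]["sha256"]:
            result[p] = "modified"
        else:
            result[p] = "ok"
    return result


def demo():
    """Constructed sample: a fake passwd file, baselined, then tampered with."""
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    baseline_file = os.path.join(d, "baseline.json")
    with open(baseline_file, "w") as f:      # persisted between scheduled runs
        json.dump(build_baseline([passwd]), f)
    with open(passwd, "a") as f:             # simulate an unauthorised UID-0 account
        f.write("evil:x:0:0::/:/bin/bash\n")
    with open(baseline_file) as f:
        return compare(json.load(f), [passwd])[passwd]
```

Running `demo()` returns `"modified"`: the scan can flag the file on its next run, but the record carries no user or process identity, which is the gap a real FIM product fills.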