Endpoint Protection

  • 1.  SEP 14 Standard client

    Posted Dec 05, 2017 08:27 AM

    Question regarding the virus definitions in the new Standard client package in SEP 14. How do you understand this?

     

    Installs only the latest virus and spyware definitions.

    The standard client is approximately 80 percent to 90 percent smaller on disk than dark network Windows clients because they download only the latest definitions.

     

    How are "the latest virus and spyware definitions" defined? For example today is Dec 5th, so will the virus definitions on the disk contain only what was added as detections in the virus defs with date Dec 4th and everything older will be on the cloud?

     

     



  • 2.  RE: SEP 14 Standard client

    Posted Dec 05, 2017 08:43 AM

    The latest rev. you see on the client is what's available on disk. Everything else is accessed in the cloud.



  • 3.  RE: SEP 14 Standard client

    Posted Dec 05, 2017 08:56 AM

    Then it means that if some particular infection was added to the virus definitions a few days ago, it will not be present on the Standard client and it is at risk (if it is, let's say, a Thin Client / Windows Embedded OS which must be installed with the Standard client, and doesn't have access to the internet), correct?



  • 4.  RE: SEP 14 Standard client

    Posted Dec 05, 2017 09:01 AM

    Clients without Internet access should have the standard client installed. They should get the dark net client, which is for clients without Internet access.



  • 5.  RE: SEP 14 Standard client

    Posted Dec 05, 2017 09:20 AM

    Actually for the Thin Clients (Windows Embedded OS) I meant Embedded/VDI client but it is the same as the Standard client in regards to the virus definitions.

    And the combination Embedded/VDI client and no internet access makes it useless for installing on Thin Clients.



  • 6.  RE: SEP 14 Standard client

    Posted Dec 05, 2017 09:41 AM

    Then you're correct. The Embedded/VDI client for 14 only states that it uses content in the cloud (so it assumes client has Internet access). I'd suggest contacting support for further clarification or wait for an employee to comment on this thread with the knowledge they have.



  • 7.  RE: SEP 14 Standard client

    Broadcom Employee
    Posted Dec 05, 2017 12:24 PM

    It's correct that the Embedded/VDI 14 client uses the same set of definitions as a Standard Client, however please note that there are some additional space savings included with this client-type beyond definitions.  (For your reference, please note that this is from product help within the SEPM under Client Install Settings:)
     

    The embedded/VDI client includes more size optimizations than the standard client:

    • The installer cache does not save after installation completes. This change means you cannot remove or modify the installation through the Control Panel unless you first copy the installation package to the client computer.

    • The embedded client employs NTFS compression on more folders than the standard client.

    In your specific situation, with Thin Clients that need the space savings of an Embedded client, but cannot leverage the cloud-based definitions, use of System Lockdown would be the most secure option:

     

    http://www.symantec.com/docs/HOWTO127360

     

    You may also wish to evaluate the disk footprint of a Dark Network client.  While this would of course not offer the space savings of the Embedded client, it would offer a complete set of definitions and is the recommended option without cloud connectivity. 



  • 8.  RE: SEP 14 Standard client

    Posted Dec 06, 2017 03:02 AM

    Hi Matt,

    As I can see, the only difference between the Embedded/VDI client in SEP 12 and SEP 14 is that 14 can use the definitions in the cloud.

    But in our case, where the Thin Clients don't have a connection to the Internet, it will make no difference between 12 and 14, and in both cases the clients are at risk at the moment. Can you just confirm, if we take as an example the WannaCry attack, since the Embedded client installs only the latest virus definitions, does it mean it will not be protected against WannaCry or other detections which were discovered a few days ago and will only contain the detections added in the latest virus defs?



  • 9.  RE: SEP 14 Standard client
    Best Answer

    Broadcom Employee
    Posted Dec 06, 2017 02:10 PM

    Hi S_K,

    The reduced size definitions remove very old threat detections that we have not had telemetry for within a certain period of time.  (I cannot share specifics around these metrics.)  Threats which have been active recently would still have signatures included in the reduced size definitions, or certainly major threats like Wannacry would have their detection included in these definitions.  For any threat where there is currently a major outbreak / concern (such as we saw with the Wannacry situation), that means we will be getting current telemetry for that threat, and therefore its signature would still be included in reduced size defs. 

    Overall I would still suggest the Darknet client for any system which cannot leverage the cloud-based definitions. 

    If your thin clients cannot accommodate a Darknet installation due to disk space, then Symantec's Critical Systems Protection (CSP) is a product you may wish to look into.  This product is designed for situations like what you have described here. 

    I sincerely hope this information is helpful.  Please let me know if you have further questions I can assist with!  Thank you.

     



  • 10.  RE: SEP 14 Standard client

    Posted Dec 07, 2017 02:08 AM

    Thanks Matt, now it is a bit more clear