NIAP: Compliant Product
Compliant Product - Symantec Endpoint Protection

Certificate Date:  2018.12.10

Validation Report Number:  CCEVS-VR-VID10926-2018

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.2

CC Testing Lab:  Acumen Security

CC Certificate [PDF]

Security Target [PDF]

Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Symantec Endpoint Protection client (hereafter referred to as the TOE or SEP) is a multifaceted endpoint threat control agent blending features of traditional antivirus, HIDS, host-based firewalls, etc., into a single software package. The SEP comprises a set of applications (.exe) and libraries (.dll), written in C++, running as native code on the operating system. It is composed of components which run in user space (the traditional “application”), as well as service providers which run in privileged mode in kernel space, essentially as drivers, to allow the software to control security-relevant functionality on the host operating system, such as blocking network traffic to malicious hosts, and shutting down host access to removable media. The platform for this evaluation will be the Windows Operating System.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Symantec Endpoint Protection Client (SEP Client) was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered and configured as identified in the AGD, satisfies all of the security functional requirements stated in the Symantec Endpoint Protection Client 14.2 Security Target. The project underwent CCEVS Validator review. The evaluation was completed on 10 December 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The TOE leverages the Windows built-in TLS v1.2 implementation. When establishing a session over TLS, the Windows built-in TLS v1.2 ensures that the identifier presented in the exchange matches the correct reference identifier before proceeding with the connection. The Windows built-in TLS v1.2 also performs validation of TLS server certificates. If for any reason the validity of a certificate cannot be established during session establishment, the Windows built-in TLS v1.2 will not accept the certificate or establish the session.

The DRBG leveraged by the TOE is provided by the underlying Windows Operating System.

User Data Protection

In the evaluated configuration, the TOE does not store sensitive data on the drive. In addition, the TOE is restricted to using only the underlying platform's network connectivity for client/server communications and content updates. These are triggered either by user action or in response to a SEP Manager request. While the TOE writes to the Windows event logs, it does not provide functionality to read the generated events.

Identification and Authentication

The TOE supports use of X.509 certificates for TLS communication between the TOE and SEP Manager. This is performed via the X509TrustManager.

Security Management

The TOE does not install with any default credentials and does not store any credentials on the system. The authentication mechanisms of the underlying platform are used to ensure only authorized users of that platform can gain access to the application and underlying platform functionality.

Configuration options are stored via native mechanisms (Windows Registry) and proprietary secure storage. Protection of these configuration options is provided using Access Control Lists (ACLs) and SymProtect (Symantec Tamper Protection). By default, the application is configured with file permissions which protect it and its data from unauthorized access.

In the evaluated configuration, the TOE does not transmit any Personally Identifiable Information (PII) over the network.

Protection of the TSF

In the evaluated configuration, the TOE does not request memory mapping to any explicit address. However, the TOE does request allocation of memory regions for write and execute permissions. This allocation is performed using PAGE_EXECUTE_READWRITE. It is important to note that the application does not provide the user with the ability to write modifiable files to directories containing executable files.

The TOE is compiled with use of the GS flag to provide protection against stack-based buffer overflow. This provides buffer security checks during compilation of code by checking for risks such as buffer overruns on return addresses and potentially vulnerable parameters.

For updates to the TOE, the SEP client implements its own functionality (LiveUpdate) to check for updates, which are distributed as MSI files on the Windows platform. TOE updates are digitally signed for image validation. Checking of the software version can be performed through the TOE's GUI as well as using the SWID tags provided with the application. Additional updates to the MSI include content updates and security updates, which can be used to update the binary code to ensure up-to-date protection. If the application is uninstalled from the platform, all traces of the application will be purged from the platform.

For the TOE to function as defined within the protection profile, Windows Defender should be disabled on the underlying platform.

Trusted Path/Channels

During operation of the TOE, transmitted data is encrypted via HTTPS and TLS v1.2. TLS communication is provided via the Windows built-in TLS v1.2. LiveUpdate, the service used to transmit security definitions, sends them via HTTPS.

Vendor Information

Symantec Corporation
Shirley Stahl