Symantec Endpoint Protection — Arm64 Work
| Metric | x64 Reference | ARM64 (emulated) | Delta |
|--------|---------------|------------------|-------|
| Boot time impact | +8 sec | +22 sec | +175% |
| On-access scan (1 GB .zip) | 4.2 sec | 11.8 sec | +181% |
| CPU usage (idle) | 0–2% | 5–9% | +250% |
| Signature update (50 MB) | 12 sec | 34 sec | +183% |

Historically, SEP relied heavily on Kernel Extensions (Kexts). These are pieces of code that load directly into the operating system kernel. This gave SEP "God mode"—it could intercept any file operation, network packet, or process execution with zero latency.
After installation, verify that the ARM64-specific components are active.
Symantec Endpoint Protection (SEP) traditionally targets x86/x64 Windows and x86 Linux. If you're working with ARM64 devices (e.g., Windows on ARM, ARM64 Linux), here’s a concise summary and practical guidance.
For shops managing Macs with SEP:

| Product | Native ARM64 | SEP Migration Path |
|---------|--------------|---------------------|
| Microsoft Defender for Endpoint | Yes | Full native |
| CrowdStrike Falcon | Yes | Sensor replacement |
| SentinelOne | Yes | Agent replacement |
| Trellix (ex-McAfee) | Yes | Partial |

Symantec Endpoint Protection (SEP) does not currently offer a native ARM64 client. Protection on Windows 11 ARM64 devices (e.g., Microsoft Surface Pro X/11, Lenovo ThinkPad X13s, MacBook Air/Pro with Apple M1/M2/M3 via Parallels/VMware) relies on the x86 emulation layer (CHPE/ARM64EC) provided by Windows. This results in functional but performance-limited endpoint protection.

| Component | ARM64 Native? | Emulation (x86) Required? | Status |
|-----------|--------------|---------------------------|--------|
| SEP Client (64-bit) | No | Yes | Runs via Windows Prism/ARM64 emulation |
| LiveUpdate | No | Yes | Works; slower signature download/unpack |
| Real-time Scanning | No | Yes | Functional; high CPU overhead |
| Firewall (NDIS Filter) | Partial | No | ARM64 NDIS driver available only in SEP 14.3 RU9+ |
| Trojans/Spyware scanning | No | Yes | Works |
| Insight (SONAR) | No | Yes | Behavioral analysis impacted by emulation latency |

Critical Limitation: SEP’s kernel-mode drivers (e.g., sysfer.sys, eeCtrl64.sys) are x64 binaries and fail to load on ARM64 systems unless explicitly signed for ARM64. Broadcom does not provide ARM64 driver signatures for most versions.
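
One way to check the point above about driver architecture, as an added example (not Symantec or Broadcom code): the Python below reads the COFF Machine field of a PE image and flags kernel drivers that are not native ARM64. The sample headers are constructed inline rather than read from a real install, and `example_arm64.sys` and `fake_pe` are hypothetical names.

```python
import struct

# COFF Machine values from the Microsoft PE/COFF specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> str:
    """Return the architecture named in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing or truncated MZ header")
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})")


def audit_drivers(images: dict, host_arch: str = "ARM64") -> dict:
    """Map each driver name to (architecture or error, matches host_arch)."""
    report = {}
    for name, data in images.items():
        try:
            arch = pe_machine(data)
        except ValueError as exc:
            report[name] = (str(exc), False)
            continue
        report[name] = (arch, arch == host_arch)
    return report


def fake_pe(machine: int) -> bytes:
    """Constructed sample: the smallest header pe_machine accepts, not a real driver."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    # Constructed inputs; on a real host, read each .sys file's bytes from disk.
    samples = {
        "sysfer.sys": fake_pe(0x8664),          # x64, as the text describes
        "example_arm64.sys": fake_pe(0xAA64),   # hypothetical native driver
        "truncated.sys": b"MZ",                 # damaged file
    }
    for name, (arch, ok) in audit_drivers(samples).items():
        print(f"{name:20} {arch:50} {'native' if ok else 'not native ARM64'}")
```

User-mode x64 binaries can run under emulation on Windows on ARM, but kernel drivers cannot, so a driver reported here as anything other than ARM64 is one to investigate.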