Standard Symantec Endpoint Protection is designed to block threats and manage endpoint health. It uses to block suspicious actions by files, but this is different from a dedicated FIM solution that audits every change (who, what, and when) to a specific file.
The IPS component in SEP acts as a behavior-monitoring engine. It watches system activity in real time.
While SEP can perform FIM, it is important to understand that it is not its primary design goal. Here is how it compares to dedicated FIM tools:
In summary, Symantec Endpoint Protection does not include a standalone, feature-complete File Integrity Monitoring module. It does, however, offer powerful and logging features that can serve a similar purpose for general security hardening. For organizations that require rigorous, hash-based integrity checking for compliance, SEP is typically viewed as a complementary tool rather than a total replacement for a dedicated FIM solution.
You could schedule a daily “Custom Scan” to compute hashes of /etc/passwd and compare to a baseline. But that’s not real-time, not automated for alerting, and would not satisfy regulatory FIM requirements.
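The baseline-and-compare approach described above, as an added example (not from the original page and not Symantec code): it records SHA-256, mode and size for a watch list and reports added, modified and removed files. The function names and the temp-directory stand-ins for /etc/passwd are constructed for illustration; like the scheduled scan, it shows what changed but not who changed it or when.

```python
import hashlib, json, os, tempfile

def fingerprint(path):
    """SHA-256 of the file contents plus basic metadata."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}

def build_baseline(paths):
    """Fingerprint every watched path that currently exists."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}

def compare(baseline, paths):
    """Return (status, path, changed_fields) for each deviation from the baseline."""
    current, findings = build_baseline(paths), []
    for p in sorted(set(baseline) | set(paths)):
        old, new = baseline.get(p), current.get(p)
        if old and not new:
            findings.append(("removed", p, ""))
        elif new and not old:
            findings.append(("added", p, ""))
        elif old and new and old != new:
            changed = sorted(k for k in new if old[k] != new[k])
            findings.append(("modified", p, ",".join(changed)))
    return findings

def demo():
    # Constructed sample files in a temp directory, standing in for /etc/passwd etc.
    with tempfile.TemporaryDirectory() as d:
        passwd, hosts, sudoers = (os.path.join(d, n) for n in ("passwd", "hosts", "sudoers"))
        for p, body in ((passwd, "root:x:0:0::/root:/bin/sh\n"), (hosts, "127.0.0.1 localhost\n")):
            with open(p, "w") as f:
                f.write(body)
        watched = [passwd, hosts, sudoers]
        baseline = json.loads(json.dumps(build_baseline(watched)))  # as if stored and reloaded
        with open(passwd, "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")  # content change after baseline
        os.remove(hosts)                                      # watched file disappears
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL) ALL\n")                   # watched file appears
        return [(s, os.path.basename(p), detail) for s, p, detail in compare(baseline, watched)]

if __name__ == "__main__":
    print(demo())
```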