Symantec Endpoint Protection Arm64 Work ((full)) -

Symantec Endpoint Protection (SEP) provides native support for ARM64 architectures across Windows, macOS, and Linux, primarily starting with version 14.3 RU7. However, management and feature availability vary significantly by platform. Windows on ARM Support

Broadcom introduced native ARM64 support for Windows in SEP 14.3 RU7.

Management Limitations: Native ARM support is currently limited to unmanaged (self-managed) or cloud-managed clients (via the Integrated Cyber Defense Manager or ICDm). There is no support for managing ARM endpoints through an on-premises Symantec Endpoint Protection Manager (SEPM).

Operating Systems: Supported on Windows 11 GA builds (21H2, 22H2).

Unsupported Features: While most protection features work, the following are not supported on Windows ARM: Custom Application Behavior Threat Defense for Active Directory (AD) Web and Cloud Access Protection Exploit Protection

Legacy Browser Protection (IE/Firefox-based) in Intrusion Prevention Policies Application Control macOS (Apple Silicon) Support

Symantec offers robust support for Apple’s M-series chips, with compatibility added incrementally by processor generation: Supported From Apple M1 SEP 14.3 RU2 Apple M2 SEP 14.3 RU5 Apple M3 SEP 14.3 RU8 Apple M4 / M5 SEP 14.3 RU9 symantec endpoint protection arm64 work

Unlike Windows ARM, the Mac agent can be managed by either on-premises SEPM or the cloud console. Linux ARM64 Support

Broadcom provides ARM64/aarch64 installers for specific Linux distributions, managed through the seplpkg (SEP Linux Packager) tool.

Supported Platforms: RHEL 8, RHEL 9, and Ubuntu (16, 18, 20) support ARM64/aarch64 architecture.

Kernel Support: SEP for Linux relies on specific kernel modules. From 14.3 RU8, cloud-managed agents use LiveUpdate to automatically upgrade these modules.

Discontinued Support: As of version 14.3 RU9, support for older distributions (RHEL 6, CentOS 6, Ubuntu 14, Debian 9, SLES 12) has been removed. Installation Notes

ARM-Specific Packages: For Windows, ARM packages are available within the "Full_Installation" download of SEP. For cloud users, you must specifically select the Windows ARM architecture when downloading the agent package from the console. Installation Steps

Prerequisites: For Windows 10/11 versions starting with 14.3 RU8, ensure Microsoft Trusted Signing (formerly Azure Code Signing) is installed for the client to function correctly.

---

Installation Steps

1. Download the correct client package:

   • Do not download the "ARM64" installer (it does not exist for Windows). Download the standard SEP_Win_64-bit_Client.exe.

2. Enable emulation on Windows:

   • Go to Settings > System > For developers.
   • Ensure "End Task" is enabled, but more importantly, verify that Windows is set to allow x86/x64 emulation (it is on by default).

3. Run the installer (Silent or Interactive):

   • Launch the EXE. Windows PRISM will transparently translate the installer.
   • Silent deployment: Use Setup.exe /s /v"/qn REBOOT=ReallySuppress" via SCCM or Intune. This works, but ensure the package runs under emulation context.

4. Post-Installation Validation:

   • Open Task Manager → Details tab.
   • Look for ccSvcHst.exe (Symantec service). Under the "Architecture" column, it will display "x86" (not ARM64).
   • Check COH32.exe (the core scanner) – also x86.
   • Verify real-time protection: Download the EICAR test file. It should be quarantined instantly. If so, SEP is "working."

Native vs. Emulated: The Performance Divide

Before diving into SEP’s status, it’s critical to understand Windows on Arm’s two operating modes: Download the correct client package:

1. Native Arm64: The application is compiled specifically for the Arm instruction set. It runs at full speed, with minimal battery drain.
2. Emulated (x86/x64): Windows on Arm includes a built-in emulator (Prism) that allows traditional Intel-compiled apps to run. Performance is acceptable for lightweight utilities but can suffer latency and CPU overhead for real-time security scanning.

Where does SEP sit? As of the latest release cycles (SEP 14.3 RU9 and later), the core antivirus and firewall components do not have a native Arm64 build. Broadcom continues to ship a 64-bit Intel (x64) package.

The Road Ahead: Native Arm64?

The pressure is mounting. With Qualcomm’s Snapdragon X Elite promising to rival Apple’s M-series chips, enterprises are beginning large-scale Arm64 deployments.

Broadcom’s official support stance (as of their latest knowledge base articles) is:

“Symantec Endpoint Protection for Windows is supported on Windows 11 Arm64 devices only when running the x64 version of the client via emulation. There is no native Arm64 client at this time.”

However, internal code sleuths and recent job postings from Symantec/Broadcom suggest that a native Arm64 port is in early development. The company cannot ignore the market shift forever, especially as Microsoft begins offering native Arm64 builds of Defender for Endpoint.

When to Use SEP on ARM64 (And When to Run Away)

macOS on Apple Silicon (M1/M2/M3)

• Native Support: Yes (partial). SEP for Mac version 14.3 RU5 and later includes a universal binary that contains both x86_64 and arm64 code.
• How it works: The installer automatically deploys the arm64 slice on Apple Silicon. Key components (system extension, network filter) run natively. However, the management console plugin may still rely on Rosetta 2 for older Java components.
• Known issues: VPN tunneling (when using SEP’s built-in VPN) historically had stability issues on M1, but RU7 resolved most.
• Verdict: Production-ready for macOS ARM64. Broadcom officially lists Apple Silicon support in the release notes.

6.2 Broadcom Roadmap (Unofficial)

• No public commitment to a native ARM64 SEP client as of April 2026.
• Focus remains on x64 and Linux ARM64 (for servers), not Windows ARM64 endpoints.
• Recommendation: For new ARM64 deployments, migrate to Microsoft Defender for Endpoint (P2) with SEP’s management via MDE integration.

1. The State of Support (SEP vs. SES)

To understand ARM64 support, you must distinguish between the legacy product and the modern product:

• Symantec Endpoint Protection (SEP) 14.3: This is the traditional, on-premises focused agent. While 14.3 introduced improved support for "Windows on ARM," it was historically limited. It often relied on emulation (x86/x64 emulation) to run the management interface and some drivers, which resulted in performance overhead.
• Symantec Endpoint Security (SES) 14.3 R2+ / SES Enterprise: This is the modern, cloud-managed (or modern on-prem management) solution. Broadcom has focused all new architecture development here. Native ARM64 support is fully realized in the SES client.

2. Compatibility Matrix (Verified)

| Component | ARM64 Native? | Emulation (x86) Required? | Status | |-----------|--------------|---------------------------|--------| | SEP Client (64-bit) | No | Yes | Runs via Windows Prism/ARM64 emulation | | LiveUpdate | No | Yes | Works; slower signature download/unpack | | Real-time Scanning | No | Yes | Functional; high CPU overhead | | Firewall (NDIS Filter) | Partial | No | ARM64 NDIS driver available only in SEP 14.3 RU9+ | | Trojans/Spyware scanning | No | Yes | Works | | Insight (SONAR) | No | Yes | Behavioral analysis impacted by emulation latency |

Critical Limitation: SEP’s kernel-mode drivers (e.g., sysfer.sys, eeCtrl64.sys) are x64 binaries and fail to load on ARM64 systems unless explicitly signed for ARM64. Broadcom does not provide ARM64 driver signatures for most versions.