Symantec Endpoint Protection on ARM64 Architecture

Installation Steps

  1. ARM64 processors use a Reduced Instruction Set Computer (RISC) architecture. Most traditional antivirus and EPP (Endpoint Protection Platform) software, including SEP, was written for the Complex Instruction Set Computer (CISC) architecture (x86/x64). Running x64 code on ARM64 requires a translation layer—in Windows, this is Microsoft’s PRISM emulator (similar to Rosetta 2 on Mac).

    B. The Components

    1. SEP Client (The UI): This is the user-facing interface. It runs natively on ARM64.
    2. Symantec Endpoint Protection Extension (The Engine):

      Known Issues in Symantec Endpoint Security - Broadcom TechDocs 25 Feb 2026 —

      : Support for ARM64 includes specialized content updates, including SONAR and Intrusion Prevention signatures tailored for these platforms. Broadcom support portal Summary Table: ARM64 Compatibility On-Premises (SEPM) Cloud (SES) Management Server Not Supported for ARM64 Windows ARM64 Agent Limited/No Direct Management Fully Supported macOS ARM64 Agent Fully Supported installation steps for a specific ARM64 device, or do you need help your on-premises manager to the cloud console?

      4.3 Policy Configuration (SMP)

      • Disable Network Threat Protection (firewall) if the ARM64 NDIS driver is missing.
      • Set Scan performance profile → "Low impact on system performance".
      • Disable Insight (SONAR) if false positives or performance degradation occurs.

      Feature Limitations: While most core protections work, certain advanced features like Custom Application Behavior, Threat Defense for AD, and Exploit Protection are currently unsupported on Windows ARM architecture. Apple Silicon (macOS ARM64)

      • File Copy Latency: On a native x64 laptop, SEP scans a folder of 1,000 files in ~2 seconds. On the same Arm64 laptop running emulated SEP, that scan took ~6-8 seconds. The emulation layer adds significant lag to every file system hook.
      • Battery Impact: Emulation consumes more power than native code. Running a constant real-time scanner via emulation can shave 10-15% off the vaunted battery life of an Arm laptop.
      • Driver Signing: Some advanced SEP features (like Early Launch Anti-Malware or specific NDIS filter drivers for firewall) require kernel-mode drivers. While emulation handles user-mode code, kernel drivers must be native. Broadcom has confirmed that some advanced network protection features are disabled or fall back to a less efficient mode on Arm64.