Secure Web Gateway - Content Analysis Policy Best Practices

Improvement
This best practices document improves upon Symantec's previous content scanning recommendations for integrating Content
Analysis appliances with the Secure Web Gateway (SWG) solution, which includes ProxySG, Advanced Secure Gateway, and
SWG virtual appliances. These best practices provide a more secure and customizable policy model for bypassing content scan-
ning to lower risk and improve user experience, as well as ways to save resources by excluding low-risk/high-volume traffic.

Previous versions of documentation include policy examples based partly on weak selectors such as Content-Type and Con-
tent-Length HTTP headers and User-Agent headers. Rules using an unconditional bypass (for example, bypassing based
on only one of these elements) create a security concern, because an attacker that owns a client or server can fake all of these
elements and then bypass content scanning. These older documents are deprecated in favour of the current recommendations.

Different deployments have different requirements for security, performance, and user experience: although scanning all or most
of the traffic is desirable from a security perspective, full scanning policy puts more load on attached Content Analysis instances
and might impact the user experience. Furthermore, some applications such as stock tickers and streaming media comprise
never-ending streams, which must be excluded from scanning to work as expected.

For reference, deprecated content scanning recommendations consist of two core documents:

l Integrating the ProxySG and ProxyAV Appliances

http://www.symantec.com/docs/DOC10027

l Integrating Content Analysis with other Blue Coat Products: ProxySG and Malware Analysis
http://www.symantec.com/docs/DOC10466

In addition, details are available in KB articles such as TECH242686, which describes slowness/latency when turning on ICAP
scanning:

l http://www.symantec.com/docs/TECH242686

Although you can refer to the previous documents in conjunction with the current recommendations, Symantec's intention
is to remove them when a more comprehensive update of ProxySG - Content Analysis Policy Best Practices Improvement
is released.

Scope of this document

The model and policy discussed in this document are intended for SWG virtual appliances, forward proxy deployments of
ProxySG, and Advanced Secure Gateway appliances. Only ICAP Response Mode scanning (inbound traffic scanning) is con-
sidered. As such, this policy should not be applied to reverse proxy or WAF deployments of ProxySG and Advanced Secure Gate-
way appliances.
In addition, the following elements are briefly covered in this document:

l "Data Trickling" on page 14

l "Deferred Scanning" on page 15
The following elements are explicitly not in scope of this document:

l Deployment guidelines and workflow.

l ICAP load balancing, ICTM, plain vs. secure ICAP processing.
l ICAP error code policy (such as permitting password protected archives or files exceeding the maximum file size).
l ICAP mirroring, which allows "detect only" without preventing malicious content to be served to the client. This policy
action serves requested content directly to a user while simultaneously scanning that content via a configured external
ICAP service. This prevents issues with some types of streaming content that would suffer from the latency introduced by
the ICAP scan, degrading users' experience as they wait for content to be completely scanned.
4 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

Common CPL Gestures for Content Scanning Policy

The following policy gestures can be used for configuring content scanning policy.

Type/Category Setting CPL Gesture/

Content Analysis Setting

Destination Destination IP/Subnet/Port url.domain

Request URL/Domain/Host/Port/Path url.host

Request URL url.path

Request URL Category url.port

Request URL Threat Risk Level url.category

Protocol Scheme url.threat_risk.level

Web Application Name client.protocol

Web Application Group request.application.name

request.application.group
HTTP Request Headers User-Agent request.header.User-Agent
HTTP Response Headers and Payload Apparent Data Type (True File Type) http.response.apparent_data_
type
Content-Type (MIME Type)
response.header.Content-Type
File Extension

Resolved Country url.extension

Content Length supplier.country
HTTP Response Version url.path.suffix

response.header.content-
length.as_number

Client Protocol Detection
Content Analysis AV Scanning Beha-
vior Settings
Protocols such as streaming, https,
http, ftp
Maximum Individual File Size
Maximum Total Uncompressed Size
Maximum total # of Files in Archive
http.response.version
streaming.client=yes
streaming.client=windows_
media, etc.
Content Analysis settings
Refer to the Content Analysis Admin-
istration Guide (2.2.x).

Maximum Archive Layers

 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 5

Exercise caution when using the following conditions, as they can be easily manipulated by an attacker. Symantec recom-
mends that you bypass only specific file extensions and MIME-Types with specific threat risk levels or those requested
from a specific URL host/domain/category.

Weak Policy Condition Example Values

Content-Type (MIME Type) video/(x-|)flv, video/(x-|)flash, application/x-stream-
ingmedia
File Extension .flv, .swf, .ismc, .f4m, .m3u8
Content Length >= 100MB
User-Agent Winamp, iTunes
 New Risk-Based Content Scanning Model
The following is a suggested model for setting different security and performance levels based on an organization's risk tolerance.

Security Level/ Basic Security Medium Security High Security Minimum Required License
Policy Condition Types SGOS Version

Performance Level High Performance Medium/High Per- Low Performance

formance
Risk Tolerance High Tolerance Medium Tolerance Low Tolerance
Safety Net (Always Scan) Security Categories, Category none/File Storage/Email, all URLs with Risk
Level >=5 1
Policy Condition Types for Content Scanning Bypass
URL Category 1 Radio/Audio Streams, Audio/Video Clips, None/Custom-Defined WebFilter license/subscription or
TV/Video Streams Intelligence Services sub-
scriptions
URL Threat Risk Level 2 Risk levels 1-2 None/Custom-Defined SGOS 6.6 Intelligence Services Advanced
Web Application Name 1 Software/Security Software/Security None/Custom-Defined WebFilter license/subscription or
Updates: Updates: Intelligence Services sub-
Microsoft, Apple, Microsoft, Apple, scriptions
Symantec Updates Symantec Updates

Low Risk/High
Volume Apps

High Volume/Low
Risk Content:
YouTube, Vimeo,
Facebook
Web Application Group 3 Custom (such as Custom None/Custom-Defined SGOS 6.7.2 CASB Audit AppFeed
“Collaboration”
apps)
True File-Type JPG, GIF, PNG, None/Custom-Defined
TIF, ICO
Streaming Client 4 windows_media, real_media, quicktime, None/Custom-Defined SGOS 6.5
ms_smooth adobe_hds, apple_hls
URL Domains Custom defined: Stock Tickers, AV Signature Update Domains
Delete on abandonment Enabled
 Security Level/ Basic Security Medium Security High Security Minimum Required License
Policy Condition Types SGOS Version

SGOS ICAP Settings
ICAP Trickling Enabled
ICAP Deferred Scanning Enabled
Content Analysis Thresholds
Maximum File Size > 100 MB > 500 MB Maximum (> 5GB)
Maximum Number of Files in 10,000 50,000 Maximum (100,000)
Archive
Maximum Total Uncompressed 1000 MB > 2048MB Maximum (> 5GB)
Size
Maximum Archive Layers 16 (default) 16 (default) Maximum (depends on engine;
40-100)

1 Rules based on URL Category and Web Application Name require a valid BCWF license or Intelligence Services Basic or Advanced Subscription, and SGOS 6.5.x.
2 Rules based on URL Threat Risk Level require an Intelligence Services Advanced Subscription and SGOS 6.6.x.
3 Rules based on URL Web Application Groups require a CASB Audit AppFeed subscription and SGOS 6.7.2.
4 Streaming Protocol Detection requires
SGOS 6.5.x and handoff enabled for the protocol used. To enable protocol handoff, edit the streaming protocol. Refer to "Limiting
Bandwidth" in the SGOS Administration Guide (6.7.x) for details.
8 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

Download the Policy Template

Symantec provides two policy templates to bypass content scanning for low risk/high volume content: a WebFilter template
and an Advanced Intelligence Services template.

These policy templates are designed to bypass content scanning for low risk/high volume content, which is determined by
various detection mechanisms such as URL Threat Risk Levels, URL Category, URL, Web Application, Application Group,
and streaming detection and file types. The templates also provide a framework to customize these predefined conditions,
allowing you to add more entries to bypass traffic from content scanning. Each template includes installable CPL policy and
documentation comments.

Some conditions in the template require specific licenses or SGOS versions. See the “Minimum SGOS Version” and
“Required License” columns in "New Risk-Based Content Scanning Model" on page 6.

Refer to the following table to determine the template that is appropriate for your deployment. Download the appropriate file
in the Download Files section at http://www.symantec.com/docs/DOC10919.

Template version Use this template if...

WebFilter You are running SGOS 6.5.x or
earlier.
This template does not support the newer URL Threat Risk Levels and Applic-
ation Group methods, or provide Risk Level-based scanning exemptions. As a OR
result, this template requires more customization for bypassing low-risk / trusted
You are running SGOS 6.6.x and later
web applications and sites.
but do not have valid Advanced Intel-
Symantec recommends upgrading from WebFilter to Advanced Intelligence Ser- ligence Services and CASB Audit
vices to fully leverage risk-based scanning. subscriptions.
Advanced Intelligence Services You are running SGOS 6.6.x and later
and have valid Advanced Intelligence
The template leverages URL Threat Risk Levels to provide more granularity and
Services and CASB Audit sub-
ease of use to bypass low-risk content regardless of the URL category or web
scriptions.
application.

If you have a CASB Audit AppFeed subscription, you can bypass scanning
based on more than 21,000 web applications and more than 200 web application
groups.

About the Policy Template

Refer to the following information about the policy template.

To view the policy correctly, open the template file with a source code editor such as Notepad ++.

Security Levels
The policy model contains three predefined security levels: Basic, Medium, and High. Each level is prefaced as follows:
 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 9

; ###########################
; # BASIC SECURITY PROFILE #
; ###########################
You can enable only one of the three security levels.

Conditions in the template are named with the convention condition-name_Level_security-level, such
as Web_Apps_No_ICAP_Level_Basic and Web_Apps_No_ICAP_Level_Medium. When customizing the tem-
plate, pay careful attention to the condition name to ensure you are modifying the correct policy.

Safety Net Feature

The policy model incorporates a "safety net” which ensures that traffic to risky or known-bad destinations is always con-
tent-scanned, regardless if the content would have been bypassed by a custom setting (for example, if a custom filetype or
custom URL is defined in policy).

By default, this feature is enabled by the Must-Scan-Destinations condition and policy action of OK. This ensures
that subsequent rules which would disable content scanning are not reached in policy evaluation.

The Must-Scan-Destinations condition includes a set of URL, URL Categories, Application Names, Application
Groups, and URL Threat Risk Levels; these are considered risky if the server URL has a high URL risk level, is cat-
egorized with a security category, or is categorized as an oft-abused web application to deliver parts of the attack kill chain
such as File Storage.
10 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

Customize the Policy Template

Before customizing the policy, make sure you have checked your licensing and SGOS requirements based on a risk-based
model and downloaded the appropriate appropriate policy template.

1. Read the README section in the policy template.

2. Enable the appropriate security level (as determined using the risk-based model).

Uncomment the policy macro CPL line pertaining to the security level you want to use, and comment out the other
two. The respective policy lines are located after the initial README section. Refer to the following example of
policy with the medium security level enabled:
<cache>
;policy.ICAP_Content_Scan_Basic_Security
policy.ICAP_Content_Scan_Medium_Security
;policy.ICAP_Content_Scan_High_Security

This CPL only bypasses scanning for the selected traffic; it does not activate ICAP response scanning.

3. Adjust the definitions and rule set for the security level you want to use.

Conditions in the template are named with the convention condition-name_Level_security-level,

such as Web_Apps_No_ICAP_Level_Basic and Web_Apps_No_ICAP_Level_Medium. Pay careful attention
to the condition name to ensure you are modifying the correct policy.

4. Customize bypass conditions as needed.

5. Save your changes to the file.
6. Ensure that recommended configuration settings outside of CPL policy are set appropriately:
a. (In the Management Console) Enable ICAP trickling. Select Content Analysis > ICAP > ICAP Feedback,
select ICAP Feedback VPM object, enable Trickle object data at end.
b. (In the Management Console) For an existing ICAP service, enable Defer scanning at threshold and set the
threshold to 80% (default) or lower.
c. (In Content Analysis) Configure scanning thresholds (for example, to enforce a maximum file size that can be
scanned). Select Services > AV Scanning Behavior and specify a connection timeout.
7. Ensure that existing policy has a rule to enable ICAP response scanning:

a. In a Web Content Layer, add a Content-Scanning object to enable ICAP response scanning:

b. Install the policy file in the local policy slot using the CLI command inline policy local. Alternatively,
install policy in a CPL Layer in the VPM.

8. Test the policy and refine it as needed. Then, deploy the policy to your production environment.
 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 11

(Recommended) Use Management Center to edit and deploy the policy. See "(Optional) Edit Policy in Management
Center" on the next page for details.

Do not configure setttings in Threat Protection > Malware Scanning. Doing so will override local policy.
12 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

(Optional) Edit Policy in Management Center

If you are running Symantec Management Center in your deployment, you can copy the policy model to Management
Center for review, and install it to managed devices. Doing so provides benefits such as:

l Support for creation and deployment of universal policies

l Ability to compare policy versions (revision control)
l Ability to back up and restore policy
l Consistency check to make sure that no policies are out of sync

In addition, the Single Pane Layout in Management Center's Policy Editor color-codes CPL and numbers lines for improved
readability. The following example of CPL in a policy object shows comments in green and layer headings in blue.

Example: Edit Policy Model in Management Center

This example describes copying the policy model into a CPL fragment for inclusion in a policy object.

For detailed information on creating and deploying policy using Management Center, refer to the Management Center Con-
figuration and Management Guide:
http://www.symantec.com/docs/DOC10660
 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 13

1. Log in to the Management Center web console.

2. Select Configuration > Shared Objects.
3. Click Add Object. Complete the wizard to add a CPL fragment.
4. Click Single Pane Layout to view the policy with line numbering and color coded sections. (By default, Modular
Layout is selected.)
5. Copy and paste the policy model from your source code editor to the CPL fragment.
6. Edit policy as needed and save it.
7. Select Configuration > Policy to create a new policy object or edit an existing one.
8. In Modular Layout, click inside the policy section where you want to include the CPL fragment.
9. Select Operations > Insert > Insert Include.
10. In the list of shared objects, select the CPL fragment you created and click OK.
11. To deploy policy to managed devices, refer to the Management Center Configuration and Management Guide for
instructions.
14 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

Appendix: Reference Information
Refer to the following topics for additional information:

l "Data Trickling" below

l "Deferred Scanning" on the facing page
l "SSL Interception Policy and Content Scanning" on page 16
l "Troubleshooting ICAP Response Mode Status via Access Logs" on page 16
l "Optional Policy Actions" on page 18

Data Trickling
Patience pages provide a solution to appease users during relatively short delays in object scans, but are less effective
when delays are longer. Scanning relatively large objects, scanning objects over a smaller bandwidth pipe, or high loads on
servers might cause connection timeouts and disrupt the user experience. To prevent such timeouts, you can allow data
trickling (data transfer at a very slow rate) to occur. The appliance begins serving server content without waiting for the
ICAP scan result. To maintain security, the full object is not delivered until the results of the content scan are complete and
the object is determined to not be infected.

The appliance supports multiple trickling modes:

l trickle at start - The appliance trickles bytes to the client at the beginning of the scan.
l trickle at end - The appliance trickles bytes to the client near the end of the scan.
l patience page -The appliance provides a patience page to the user if scanning does not complete within the specified
interval.
l no feedback - The appliance does not deliver bytes to the client until scanning completes.

Symantec recommends trickling data at end. This mode provides the best user experience and is a more secure approach
than bypassing traffic entirely from content scanning.

The policy discussed assumes that trickling at end is enabled and configured globally, as follows:

For best security, review all options carefully.

 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 15

Alternatively, use the response.icap_feedback( ) CPL gesture to configure feedback options during scanning.

For details, refer to the Content Policy Language Reference (6.7.x) and Integrating Content Analysis 2.2 with other Blue
Coat Products.

Deferred Scanning
The deferred scanning feature helps to avoid network outages due to infinite streaming. Infinite streams are connections
such as webcams or Flash media (traffic over an HTTP connection) that conceivably have no end. Characteristics of infin-
ite streams may include no content length, slow data rate, and long response time. Because the object cannot be fully
downloaded, the ICAP content scan cannot start; however, the connection between the appliance and Content Analysis
remains open, causing a wastage of finite connection resources. With deferred scanning, ICAP requests that are unne-
cessarily holding up ICAP connections are detected and deferred until the full object has been received.

Symantec recommends using the default threshold or lower.

The default setting of any newly added ICAP response mode service is to activate deferred scanning at a threshold of
80%. Use 80% or a lower value (such as 50%) if many infinite/slow downloads are seen. The policy discussed assumes
that Deferred Scanning is enabled, as follows:
16 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

For more details, refer to the Content Policy Language Reference (6.7.x) and Integrating Content Analysis 2.2 with other
Blue Coat Products.

SSL Interception Policy and Content Scanning

The SSL interception policy used has a direct impact on the amount of content-scanned traffic. Non-intercepted HTTPS
traffic is not subject to any ICAP processing, including content-scanning. For example, enabling SSL interception in a net-
work with a 50% SSL encryption rate will double the amount traffic to be scanned by Content Analysis.

Symantec recommends that you review the usage statistics of the attached Content Analysis instances before enabling
SSL interception on a proxy deployment with activated content scanning.

Troubleshooting ICAP Response Mode Status via Access Logs

Use access log token rs-icap-status to determine if a object has been scanned or not.
 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 17

To view the access log configuration, issue the following CLI:

>enable
Enable Password: password
#show access-log format bcreportermain_v3
Settings:
Format name: bcreportermain_v3
Type elff "date time time-taken c-ip cs-username cs-auth-group x-
exception-id sc-filter-result cs-categories cs(Referer)
sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host
cs-uri-port cs-uri-path cs-uri-extension s-ip sc-bytes
cs-bytes x-virus-id x-bluecoatapplication-name x-bluecoat-applic-
ation-operation cs-threat-risk x-bluecoat-transaction-uuid
x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-
Metadata) rs-icap-status"
Multiple-header-policy log-last-header
The previous command is also available in configuration mode. To enter config mode, issue the following CLI:

#configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
#(config)
To set the log format for the specified log:

#(config access-log)edit log log-name

#(config log log-name)format-name bcreportermain_v3
ok
To enable logging for ICAP to the specified log, use the following CPL:

;ICAP Troubleshooting
access_log.log-name(yes)

Examples of Log Output

This log entry indicates that content was not scanned because URL Threat Risk Level = 1:

2017-10-24 14:19:41 104 192.168.1.57 Guest_192.168.1.57 Internet_

Standard - OBSERVED "Search Engines/Portals" - 200
TCP_NC_MISS GET text/javascript;%20charset=UTF-8 https www.google.de
443/complete/search - 192.168.1.211 778 739 -
"Google Search" "none" 1 fe67d04211ad2411-0000000000091507-
0000000059ef4bfd - - ICAP_NOT_SCANNED
This log entry indicates that content was scanned, but no malware was found and no modification was needed:

2017-10-24 14:20:24 108 192.168.1.57 Guest_192.168.1.57 Internet_

Standard - OBSERVED"Computer/Information Security"
http://www.eicar.org/85-0-Download.html 200 TCP_MISS GETimage/gif
http analytics.eicar.org 80 /piwik.php php 192.168.1.211
257 855 - "none" "none" 2fe67d04211ad2411-000000000009151f-
18 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

0000000059ef4c28 - "{ %22expect_sandbox%22: false }"

ICAP_NO_MODIFICATION
This log entry shows that content that was scanned, malware was detected, and ICAP replaced content with an exception
page:

2017-10-24 14:20:18 205 192.168.1.57 Guest_192.168.1.57 Internet_Stand-

ard virus_detected DENIED"Computer/Information
Security" http://www.eicar.org/85-0-Download.html 200 TCP_DENIED GET-
text/html;%20charset=%220%22 http www.eicar.org 80
/download/eicar.com com 192.168.1.211 1328626 "Blacklisted file"
"none" "none" 2 fe67d04211ad2411-000000000009151c-
0000000059ef4c22 - "{%22file_reputation%22: 10, %22expect_sandbox%22:
false }" ICAP_REPLACED

Optional Policy Actions

The following policy actions are commented out in the policy templates, which means they are not compiled. Though not
used by default, these actions are documented to provide additional options if they are useful in your deployment

ICAP Mirroring
; Sample Policy object for ICAP Mirroring
; ICAP mirroring presents a "detect-only" possibility without pre-
venting
; malicious content to be served to the client. This policy action
serves
; requested content directly to a user while simultaneously scanning
; that content via a configured ICAP external service

; define cache policy ICAP_Content_Scan_Mirror

;<Cache>
; response.icap_mirror(yes) response.icap_service( cas1, fail-closed
)
;end

HTTP Range Header Stripping

; Strip HTTP Range Headers
; This should be enabled to protect against downloading ZIP files in
multiple chunks
; which may contain content that may not be detected if split into mul-
tiple chunks.
; Enabling this rule will delete the HTTP Request Header "Range".

; Define Action
; define action strip_range_headers
; delete(request.header.Range)
 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 19

; end

; Policy Example
; <Proxy>
; action.strip_range_headers(yes)
20 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement

Supporting Documentation
Title Overview Reference
SGOS Administration Reference information and procedures http://www.symantec.com/docs/DOC10459
Guide (6.7.x) to configure SGOS version 6.7.x. The
audience for this document is network
administrators who are responsible for
managing ProxySG appliances.
Content Policy Lan- Reference for writing CPL to specify http://www.symantec.com/docs/DOC10455
guage Reference policy rules for the ProxySG appliance.
(6.7.x)
Content Analysis Reference information and procedures http://www.symantec.com/docs/DOC10914
Administration and to configure Content Analysis 2.3.x.
Reference Guide
(2.3.x)
Integrating the Legacy documentation. http://www.symantec.com/docs/DOC10027
ProxySG and
ProxyAV Appliances
Integrating Content Ana- Legacy documentation. http://www.symantec.com/docs/DOC10466
lysis with other Blue
Coat Products:
ProxySG and Malware
Analysis
Management Center How to configure and use Symantec http://www.symantec.com/docs/DOC10660
Configuration and Man- Management Center to centrally man-
agement Guide age all of your Network Protection/ Web
(1.11.1.1) and Cloud Security/ Blue Coat devices.
 Secure Web Gateway - Content Analysis Policy Best Practices Improvement | 21

Legal Notice
Copyright © 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat,
and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners. This document is provided for informational pur-
poses only and is not intended as advertising. All warranties relating to the information in this document, either express or
implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change
without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS
DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS,
TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE
SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND
MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY
STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE
THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE
REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO
YOU.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

www.symantec.com

2/16/2018