What's new in
Symantec Endpoint Detection and Response

Symantec EDR is discontinuing support for Symantec EDR Cloud and EDR Cloud Manager.
Symantec EDR provided this cloud-managed component to support various use cases, such as heterogeneous OS coverage and roaming client visibility.
Symantec is concluding its support for Symantec EDR Cloud and EDR Cloud Manager.  The core features of the EDR Cloud console are migrated to ICDm as part of Symantec Endpoint Security Complete.  Contact your sales representative for more information.
Increased Symantec EDR appliance console logon password complexity.
This release hardens the secure access to the Symantec EDR appliance console by local account users.  Now when users create passwords, they must meet stronger, minimum requirements.
The minimum password criteria is as follows:
  • Eight characters long
  • One capital letter
  • One lowercase letter
  • One number
  • One non-alphanumeric character
Administrators can also configure passwords to expire anywhere from 1 to 365 days.  The default expiration period is 120 days.
If you upgrade from an earlier version, current passwords are accepted.  When those passwords expire and users change them, they must meet the new minimum password criteria.  Password expiration is set to 120 days when you upgrade to Symantec EDR 4.5. 
Share saved search queries.
Database > Events
searches to use again.  Share your searches and use searches others have shared.  Tag your most frequently used searches as favorites.
Block access to non-PE files.
Add the SHA256 hash value and file size for non-PE file types (that is, any non-executable file types) to the Symantec EDR deny list policy.
The deny list policy is propagated to every group that the SEPM Controller manages.  SEP blocks users and processes from reading and opening the matching non-PE file.  An attempt to open the non-PE file generates a deny list detection event.
You must be running Symantec Endpoint Protection 14.3 RU1 or later to block non-PE files.
Collection and enrichment of AntiMalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) events.
Configure Symantec EDR to collect the following events to expose more visibility into the endpoints:
  • AMSI events provide visibility of threat actor methods that can evade traditional command-line interrogation methods.  
  • ETW events provide visibility into events happening on managed Windows endpoints.
You can also forward AMSI and ETW events to a third-party console.
Create Recorder policy rues to reduce the volume of these events that you know are safe.
You must be running Symantec Endpoint Protection 14.3 RU1 or later to block non-PE files.
More MITRE event enrichment.
Symantec EDR has more MITRE-enriched events.  This enhancement lets you use the MITRE ATT&CK framework to provide context into what is happening in your environment.
MITRE enrichment enhancements now included endpoint recorder events that are pulled from full dumps.  Enrichment also includes SEP detections, STAR submissions, and the new as AMSI and ETW events.
4123: Endpoint Detection (file) event includes SHA256 hash blocking events.
As of Symantec EDR 4.5 and SEPM 14.3 RU1 and later, this event includes SHA256 hash blocking events.
New policy for Recorder rules.
Recorder policy rules specify which actors/processes are monitored, recorded on the endpoint activity recorder, sent to Symantec EDR, or not recorded at all. Or you can choose to not monitor an actor/process event at all because you know it is benign.  You can define rules at the rules event-type level, and/or specific actor /actor command line/target/target command line/action level.
Benefits of Recorder policy rules are as follows: 
  • Increase data retention periods on your endpoints for more valuable data by ignoring low-value, predicted event data.
  • Reduce network bandwidth consumption of low-value event data.
  • Make more significant events easier to find by reducing the volume of events to search through.
  • Reduce the incidents of false-positive incidents.
Your endpoints must be running Symantec Endpoint Protection14.3 RU1 to use this feature.
Record file open events.
Record anytime a user or system process attempts to read a non-executable file.
Selecting this option can result in a large volume of events being recorded.  Create Recorder rules to limit where on your file system you want these types of events detected.
Synapse Log Collector utility and Symantec EDR embedded database support changes.
Symantec Endpoint Protection Manager (SEPM) 14.3 RU1 updates its embedded database to Microsoft SQL Express. SEPM no longer supports the Sybase embedded database or the Synapse Log Collector. If SEPM detects the Sybase embedded database and Synapse Log Collector when you upgrade to SEPM 14.3 RU1, it uninstalls them.
See Important information about upgrading for important information that you should know before you upgrade to SEPM 14.3 RU1 about establishing (or re-establishing) your SEPM database connection.
If you do not use the embedded database and Synapse Log Collector before you perform the upgrade (you use the MS SQL database), no changes are required.
Renaming Blacklist and Whitelist policies.
The Blacklist policy is now referred to as the deny list policy.  The Whitelist policy is referred to as the allow list policy.  These changes appear in the EDR appliance console, the API, and in the product documentation.
Search for correlated events.
Use the new
field to view the events that are grouped based on the same attack chain according to SONAR.
Update broadcom.com in Symantec EDR Firewall Quarantine policy
Symantec Endpoint Protection firewall policy rules have been updated to include
as an allowed domain.