About SEP policies

Symantec EDR uses the following SEP policies to implement the actions and policies that you define in the EDR appliance console. 
Policy
Description
Host Integrity and Quarantine Firewall
Symantec EDR requires SEP Host Integrity and Quarantine Firewall policies to isolate and rejoin endpoints from the console. You can specify if you want Symantec EDR to create these policies and push them out to managed endpoints. Symantec EDR does not override any existing policies. If Symantec EDR does not create these policies, you must create them yourself in SEPM.
SEP Client Submissions Monitoring
Symantec EDR can alert you when no advanced analytics events are detected for three consecutive days.  Lack of detection can occur when Symantec EDR is misconfigured.  This feature ensures that you do not miss potentially important incidents. If you disable the "Send pseudonymous data to Symantec to receive enhanced threat protection intelligence" option in SEPM (preventing SEPM from forwarding important detection events to Symantec EDR), uncheck this option to stop the Symantec EDR System Health notifications.
Private Cloud
When you configure communication with your SEP clients, you can perform the following tasks through Symantec EDR:
This policy also lets you enable SEP endpoints to communicate with Symantec EDR, including performing Insight lookups, and to use Symantec public domain look-up servers when Symantec EDR is unavailable.
This feature is not available for clients running SEP 12.1.5 or earlier.
Exceptions
This SEP policy is automatically enabled by default (and cannot be disabled).  The policy applies Symantec EDR policies to SEPM exceptions policies.  When you configure communication with your SEP clients, you can perform the following tasks through Symantec EDR:
  • Allow file access based on its SHA256 hash
    The SHA256 allow list is applied on SEPM to configure exceptions for scans.
  • Deny file access based on its SHA256 hash
    The SHA256 deny list is applied on SEPM to terminate file execution or to block file access.
Since this feature pushes the deny list and allow list policies to all managed SEPMs, the amount of communication traffic might increase. To optimize traffic volume, check "Include inherited subgroups automatically" on the SEPM Group Inclusions page and select the proper stand-alone and inherited subgroups from the SEPM Group list.
This feature requires SEPM 14.3 RUI1 or later.