Important information about upgrading
Upgrading Symantec EDR 4.6 before you upgrade to SEPM 14.3 RU2
A connect token is generated immediately after you install or upgrade to Symantec EDR 4.6, and that token is pushed to SEPM 14.3 RU1 as part of the private cloud policy. However, SEPM 14.3 RU1 doesn't support the connect token, so the token is dropped. After you upgrade to SEPM 14.3 RU2, the Mac agent won't have the connect token needed to enroll with Symantec EDR.
If you install or upgrade to Symantec EDR 4.6 before you upgrade to SEPM 14.3 RU2, or if you make changes to SEPM Controller group inclusions, you must run the following command to ensure that the connection token is pushed to the SEPM private cloud settings and that Mac endpoints can enroll with Symantec EDR.
Synapse Log Collector utility and Symantec EDR embedded database changes
Symantec Endpoint Protection Manager (SEPM) 14.3 RU1 updates its embedded database to Microsoft SQL Express. SEPM no longer supports the Sybase embedded database or the Synapse Log Collector. If SEPM detects the Sybase embedded database and Synapse Log Collector when you upgrade to SEPM 14.3 RU1, it uninstalls them.
Symantec recommends that you upgrade to Symantec EDR 4.5 or later first, then upgrade to SEPM 14.3 RU1. When performed in this order, Symantec EDR automatically re-establishes the database connection to SEPM’s Microsoft SQL Express embedded database. You might see a connection error while the re-configuration to the MS SQL Express embedded database occurs. If the issue persists, you can manually configure the MS SQL Express embedded database connection.
If you upgrade to SEPM 14.3 RU1 before you upgrade to Symantec EDR 4.5 or later, SEPM uninstalls the Sybase embedded database and the Synapse Log Collector. Symantec EDR no longer receives logs from SEPM until you do either of the following tasks:
- Upgrade to Symantec EDR 4.5 or later (upon upgrade, Symantec EDR automatically configures the connection to the MS SQL Express embedded database). For the connection to be automatically re-established, you must also have a SEPM Controller connection for the same SEPM server.
- Edit the existing SEPM database connection and change the type to MS SQL. Or you can delete the existing connection to the SEPM embedded database and then configure a new connection to the MS SQL Express embedded database.
If you were not using the SEPM embedded database and instead had configured an external MS SQL Server database before you perform either upgrade, no changes are required.
If a self-signed certificate was used in the SEPM Sybase embedded database setup, the connection appears in the EDR appliance console as "Unencrypted".
Reconfigurations to the SEPM database are logged in the Symantec EDR Audit log.
If you are upgrading from Symantec EDR 4.3 or earlier and are using the Synapse Log Collector, and you are using SEPM 14.3 MP1 or earlier, you must reinstall the log collector with a new SEPMLogCollector.msi for Symantec EDR. Configure the log collector on the Settings > Global page. The new log collector enables Symantec EDR to perform enhanced correlation between Advanced Attack Technique-based incidents and SEP detections.
When you install the new log collector .msi file for Symantec EDR 4.5 or later, you receive this enhanced functionality. If you continue to use a log collector installed from a prior version of Symantec EDR, the prior functionality still exists.
Migration of endpoint activity recorder exclusions to recorder rules
The endpoint activity recorder exclusions that you created when you configured the SEPM Controller in Symantec EDR 4.4 and earlier are migrated to the Recorder policy tab. The migrated rules are designated as Disable Monitoring Rules, and there is no limit as to how many rules can be migrated. However, you cannot create any additional Disable Monitoring Rules until the count of Disable Monitoring Rules is 200 rules or less.
The Endpoint Activity Recorder Exclusions page in Symantec EDR 4.4 and earlier is renamed to Endpoint Activity Recorder Rules in Symantec EDR 4.5.
Changes to the single sign-on (SSO) feature
If you upgrade from Symantec EDR 4.3 and earlier, changes to the SSO feature require that you perform actions after migration to continue to use this feature.
- If you use Norton Secure Login (NSL): NSL is no longer supported. Upon migration, the SSO link on the EDR appliance console logon page and related settings on the Settings > Data Sharing page no longer appear. To continue using SSO, configure a new identity provider (IdP) (for example, Okta).
- If you use any IdP other than NSL:
  - In the EDR appliance console on the left navigation pane, click Settings > Data Sharing.
  - In the Single Sign-On section, click the three vertical dots to reveal edit icons for each of the SSO configuration panels.
  - Click URLs for Identity Provider.
  - Copy and paste the Symantec EDR URLs to the appropriate fields in your IdP administration console.
  - Download the Symantec EDR sso.cert and upload it to your IdP.
  - Verify that the fields in the other panels are still the proper parameters for your IdP.
Understanding the upgrade path
If you run the Symantec Advanced Threat Protection (ATP) 3.1, 3.2 or Symantec EDR 4.0 or later, you can upgrade to