What's new for Symantec Endpoint Protection 14.3 RU1?
This section describes the new features in this release.
- Includes the new Symantec Mac Agent and the Symantec Linux Agent that can be installed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager cloud console. See:
- Prevents new and unknown threats on the macOS by monitoring file behaviors in real time. The new Mac Agent includes these behavioral protection capabilities. Behavioral protection, or SONAR, uses artificial intelligence and advanced machine learning for zero-day protection to effectively stop new threats. See:
- Prevents web threats based on the reputation score of a web page. The Intrusion Prevention policy includes URL reputation filtering, which blocks web pages with reputation scores below a specific threshold. Reputation scores range from -10 (bad) to +10 (good). TheEnable URL Reputationoption is enabled by default.
- You can force Symantec Endpoint Protection to learn an application based on the application's hash value. In the Exceptions policy, clickWindows Exceptions>Application>Add an Application by Fingerprint.
- Protects endpoints and users from web-based attacks on malicious sites using the Network Traffic Redirection feature. Network Traffic Redirection redirects all network traffic (any port) or just web-based traffic (ports 80 and 443) to the Symantec Web Security Service, which allows or blocks network traffic and SaaS application access based on the enterprise policy. The Network Traffic Redirection policy has a new redirection method called the tunnel method. The tunnel method automatically redirects all Internet traffic to the Symantec WSS, where the traffic is allowed or blocked based on the Symantec Web Security Service policies. The tunnel method is considered an early adopter release feature. You should perform thorough testing with your applications against your WSS policies. See:
- The Integrations policy was renamed to the Network Traffic Redirection policy.
- Provides support for MITRE-enriched events in Symantec EDR. Leverage the MITRE ATT&CK framework to provide context into what is happening in your environment.
- Provides support for the following Symantec EDR events, which expose more visibility into the endpoints:
- AMSI events provide visibility of threat actor methods that can evade traditional command-line interrogation methods.
- ETW events provide visibility into events happening on managed Windows endpoints.
- Includes the ability to run both the Windows Defender and Symantec Endpoint Protection on the same computer. The Auto-Protect scan runs after Windows Defender and can detect any threats that Windows Defender misses. TheCoexist with Windows Defenderoption ensures that Auto-Protect runs in case Microsoft Defender is disabled. To disable the option, click the Virus and Spyware Protection policy >Miscellaneous>Miscellaneoustab.
- Attack chain mitigation is now supported for hybrid-managed clients.
Symantec Endpoint Protection Manager
- The embedded database was updated to the Microsoft SQL Express database. The SQL Server Express database stores policies and security events more efficiently than the default embedded database and is installed automatically with the Symantec Endpoint Protection Manager. See:
- During the installation or upgrade of the Symantec Endpoint Protection Manager, the Management Server Configuration wizard:
- Automatically installs LiveUpdate content.
- Provides an option to use TLS certificate for secure communication between SQL Server and the Symantec Endpoint Protection Manager.
- LiveUpdate uses a new engine inSymantec Endpoint Protection Manager, which is optimized to run on the cloud console. The new engine no longer supports the FTP method or LAN method to specify an internal LiveUpdate server to download content to the Symantec Endpoint Protection Manager. See:
- TheAutomatically uninstall existing third-party security softwareoption that was not available in 14.3 MP1 is available again in 14.3 RU1 with an updated version. This option is used to uninstall third-party security software. To access this option, clickAdminpage >Packages>Client Install Settings. See:
- The Client Deployment Wizard that is used to deploy client packages must have its credentials verified and able to connect to the Symantec Endpoint Protection Manager. If the verification process fails, the client deployment process stops to keep Active Directory user accounts from being locked. See:
- The Computer Status logs and reports now lets you select a range for theClient versionandIPS versionfields. TheProduct versionfilter was renamed toClient version.
- TheDisable the notification tray iconoption is available for clients that run on a terminal server and that cause high CPU usage and memory usage. You can now disable the notification area icon, also known as the system tray icon, to prevent multiple instances of user session processes (like SmcGui.exe and ccSvcHost.exe) from running. For clients that run on a terminal server, theDisable the notification area iconoption overrides the registry key setting in HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\LaunchSMCGui. In lieu of manually changing this key, it is now managed via policy. As a best practice, move clients that are on a terminal server in the same group before you upgrade. For clients that do not run on a terminal server, keep this setting disabled. This option takes place only after the client smc service is restarted. You enable this option on theClients>Policiestab >General>General Settingstab.
- Updated the whitelist and blacklist mode to reflect the allow and block functionality. On theClientspage >Policiestab >System Lockdowndialog box, the application file lists changed fromWhitelist ModeandBlacklist ModetoAllow ModeandDeny Mode.
- On theAdminpage >Serverstab >Configure External Logging>Generaltab, theMaster Logging Serveroption changed toPrimary Logging Server.
- TheSystemlog type >Administrativelog and theAuditlog lists the computer name.
- Client firewall logs are collected so that you get fewer notifications on the cloud console.
- Replaced the Oracle Java SE with the OpenJDK.
- Updated the third-party components JQuery to a newer version.
Client and platform updates
- The Windows client supports Windows 10 20H2 (Windows 10 version 2009).
- The Mac client supports macOS 11 (Big Sur) on an Intel Core i5 processor and later.
- Moved the legacy Mac client installation packages to the AdditionalPackages folder.
- TheRisk severityandRisk Distribution by Severityoptions were removed from notifications and reports.
- TheCASMAtab andAnalyzecommand were removed, as this functionality was deprecated in 14.3.
- The Mac client no longer supports macOS 10.13 or 10.14.x.
- You can no longer view exclusions in the registry. For 14.3 RU1 and earlier, to view exclusions, see:
The Symantec Endpoint Protection Manager Help is now online and located at:
The database schema has the following changes.
Added the ENRICHED_DATA column.
Removed the following columns from each table:
Added the following columns:
Added the following columns:
Removed the following columns:
Added the ENRICHED_DATA column.