Archive of previous release information

This topic contains information about previous releases of Symantec Endpoint Security. For information about the latest release, see What's new in Symantec Endpoint Security.
December 2020
Feature Area
What's New
ICDm
The Automatically uninstall existing third-party security software option is again available in the Advanced Options > Software removal settings for the Symantec Agent installation package.
Behavioral Isolation
The Behavioral Isolation policy is now supported on SEPM-managed 14.3 RU1 devices. If you target the policy to a SEPM-managed device that runs an older agent, the device ignores the policy.
EDR
Linux forensic support
You can now collect forensic data (processes, modules, users, groups, etc.) from Linux SEP devices.
Incidents information on Device details page
Customers can get information about open and closed incidents that are associated with any device or endpoint. This information is available on the Incidents tab of the new Device details page. If you select an individual incident, the incident details appear on the flyout panel.
Module detection event type support - 8028
The Investigator now supports module detection events (event type 8028) from the Windows agent.
Associated events support
Investigator now supports associated events. For instance, for an 8070 Compliance Scan event, the Events flyout panel provides a link to all associated 8071 events. In this case, the 8070 and 8071 events are linked by the scan_uid field.
Aggregate/composite events
Investigator now has the capability to show the composite events for firewall events.
The new Investigator workspace provides enhanced capabilities:
  • Show composite events.
  • Show attributes of composite events in flyout.
  • Provide a composite events tab, accessible through a link in expanded rows.
The activity history page from Device Details is also updated with these enhancements.
Application Control
Vulnerability logic now uses new technology to assess applications. See How Symantec Endpoint Security calculates recommendations for applications.
Vulnerability Remediation
A vulnerability remediation add-on is no longer available for purchase.
October 2020
Feature Area
What's New
ICDM
Device Control is now added to the list of technologies that administrators can choose for Allow List file exceptions.
Device purge now includes devices that are enrolled by Endpoint Protection Manager. Administrators will see decreasing device counts after these devices are offline for 30 days.
Note that devices that are managed by Endpoint Protection Manager rather than the cloud are marked for deletion when they go offline and purged in the 24 hours after the 30-day expiration.
Antimalware
The Antimalware policy now includes an option to randomize scans to avoid scan storms on devices. The administrator can choose either to scan until the scan finishes, which is recommended to optimize scan performance, or to scan for a set number of hours, with or without randomizing the start time and duration.
The Antimalware policy also includes an option to allow the retry of missed scheduled scans and to configure a retry interval.
EDR
Investigator:
Associated events support:
You can now see associated events on the Investigator event details flyout panel. For instance, in the section for a Compliance Scan event (event type 8070), you can see all of the associated Checked by the scan events (event type 8071).
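The scan_uid link between 8070 Compliance Scan events and their 8071 Checked by the scan events, described here and in the December 2020 associated-events note above, can be reproduced offline over an exported event set, which is useful when checking an export rather than clicking through the flyout panel. The following Python is an added example and not Symantec code: it assumes each event is a dict with type_id, uid and result fields (assumed names; scan_uid and the 8070/8071 type ids are the ones the release notes give), and the sample events are constructed.

```python
from collections import defaultdict

# Type ids from the release notes.
COMPLIANCE_SCAN = 8070   # parent event, one per scan run
CHECKED_BY_SCAN = 8071   # child events, one per item checked by that scan

# Constructed sample events. "uid", "type_id", "result" and "file" are assumed
# field names; only "scan_uid" and the type ids come from the release notes.
SAMPLE_EVENTS = [
    {"uid": "e1", "type_id": COMPLIANCE_SCAN, "scan_uid": "scan-A", "device": "host1"},
    {"uid": "e2", "type_id": CHECKED_BY_SCAN, "scan_uid": "scan-A", "file": r"C:\tmp\a.exe", "result": "pass"},
    {"uid": "e3", "type_id": CHECKED_BY_SCAN, "scan_uid": "scan-A", "file": r"C:\tmp\b.dll", "result": "fail"},
    {"uid": "e4", "type_id": COMPLIANCE_SCAN, "scan_uid": "scan-B", "device": "host2"},
    {"uid": "e5", "type_id": CHECKED_BY_SCAN, "scan_uid": "scan-B", "file": "/etc/passwd", "result": "pass"},
    # 8071 whose parent 8070 is not in the export (e.g. outside the time range)
    {"uid": "e6", "type_id": CHECKED_BY_SCAN, "scan_uid": "scan-Z", "file": "/opt/x", "result": "fail"},
    # unrelated event type with no scan_uid; must be ignored
    {"uid": "e7", "type_id": 8001, "scan_uid": None},
]


def associate_scan_events(events):
    """Return (associations, orphans).

    associations maps the uid of each 8070 event to the list of 8071 events
    that share its scan_uid, which is the link the Events flyout follows.
    orphans lists 8071 events whose scan_uid has no 8070 parent in the input,
    so that an incomplete export is visible instead of silently dropped.
    """
    parents = {}                 # scan_uid -> 8070 event
    children = defaultdict(list)  # scan_uid -> [8071 events], in input order
    for ev in events:
        scan_uid = ev.get("scan_uid")
        if not scan_uid:
            continue
        if ev.get("type_id") == COMPLIANCE_SCAN:
            parents[scan_uid] = ev
        elif ev.get("type_id") == CHECKED_BY_SCAN:
            children[scan_uid].append(ev)

    associations = {parent["uid"]: children.get(scan_uid, [])
                    for scan_uid, parent in parents.items()}
    orphans = [ev for scan_uid, evs in children.items()
               if scan_uid not in parents for ev in evs]
    return associations, orphans


def failed_checks(events):
    """Map each 8070 event uid to how many of its 8071 events have result == 'fail'."""
    associations, _ = associate_scan_events(events)
    return {uid: sum(1 for child in evs if child.get("result") == "fail")
            for uid, evs in associations.items()}


if __name__ == "__main__":
    assoc, orphans = associate_scan_events(SAMPLE_EVENTS)
    for parent_uid, evs in assoc.items():
        print(parent_uid, "->", [e["uid"] for e in evs])
    print("orphans:", [e["uid"] for e in orphans])
    print("failed checks per scan:", failed_checks(SAMPLE_EVENTS))
```

The orphan list is the check worth keeping: a 8071 event with no matching 8070 in the same export usually means the export window cut the scan in half, not that the agent emitted a stray event.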
Event details flyout panel:
You can now see event details and export those events with a consistent layout using the common flyout panel for all SES and SESC event grids.
Incidents:
Rules:
A new Restore default rules option is available for incident rules.
Improved "Suspected Breach" algorithm:
Incidents created from an AAT and System Infected NDC conviction are now supported.
AdWare, Audit, PUA, and similar detections are not considered.
Performance improvements:
Incident updates are faster, which in turn improves DB Servicer CPU utilization.
Roles and administrators:
Custom users with the View and Close incident permissions can now add comments and close the incident.
Export Grid:
Exported CSV files now contain translated Error codes in the Description.
Application Control
Vulnerability logic now uses new technology to assess applications. See How Symantec Endpoint Security calculates recommendations for applications.
September 2020
Feature Area
What's New
ICDm
"Whitelist" and "Blacklist" are renamed to Allow List and Deny List for new policies and tasks.
EDR
Investigator:
Single events view combines Security and Other events
  • Added support for the Apps and Events categories in Investigator > Security events.
  • Deprecated the legacy "Other events" tabs.
  • Updated Investigate KPI, timeline chart and Group by options to support new event types.
  • Added new Quick filter categories to support new event types for Application Activity and Audit events.
Device details page now supports full dump action for a device.
  • The option is disabled when multiple devices are selected.
Live Shell
  • Live Shell command is now available from the Device details page.
Incidents:
Performance improvements made to the incident update workflow.
Antimalware
The Antimalware policy now includes an option to tune scan performance, similar to scan tuning options in SEPM.
An administrator can choose one of the following options:
  • Best Scan Performance
  • Balanced Performance
  • Best Application Performance (default)
Application Control
The Application Control Configurator now includes a step to allow applications by publishers. The feature lets the administrator allow trusted certificates. All applications and files that are signed by the specified publisher are allowed to run.
August 2020
ICDm
  • Symantec Endpoint Security Enterprise is now SOC 2 Type 2 certified.
  • Symantec Endpoint Security Complete is now included in the Seat Count Usage Status widget on the Endpoint Security dashboard.
  • Report templates no longer automatically include the first administrator as an email recipient. The administrator must explicitly add recipients by modifying the report template.
  • The Security Headlines tab on the Home page now shows the daily Threat Landscape Bulletin.
Intrusion Prevention
  • IPS now also uses URL reputation. The policy option Enable URL reputation is on by default.
  • URL reputation filtering detects web threats based on the reputation score of a web page. Reputation scores range from -10 (bad) to +10 (good). Web pages with reputation scores below a specific threshold are considered threats and blocked.
EDR
Investigator:
  • Customize Columns and Toggle column (expanded row) selections now persist between sessions. This behavior applies to the Investigate, Command details, Incident details, and Sandbox result pages.
  • On the command details page, the schema (columns) of EOC and FDR events can be saved as two different sets of data.
  • The Time fields on the events page are now filterable. For example, you can filter within the Time field by adding a date range.
  • You can now filter the Severity field from the Product section of the Event fly-out panel.
Save Search Queries:
  • The save search query feature now also saves the column selection as part of the query definition.
  • Open search shows the selected columns for that specific search.
  • In Open search, if the user changes the column selection and updates the saved search query, the updated columns are saved as well.
Incidents:
AAT incidents:
  • Collect ACM events from the event store that are related to an AAT incident.
  • These are events with threat.name = 'ACM.' or 'SONAR.ACM', tracked as AAT incidents for 8 hours from the trigger time.
TAA incidents:
  • Collect ACM events from the event store that are related to a TAA incident.
  • These are ACM events that are MITRE-enriched.
We have changed the default setting for the multi-event incident rules and turned it off for all customers. Customers can enable it on their own.
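The AAT rule stated above, ACM events tracked as one incident for 8 hours from the trigger time, is a windowing rule that can be applied offline to exported events when you want to check how many incidents a run of ACM detections should have produced. The following Python is an added example and not Symantec's incident logic: it treats 'ACM.' and 'SONAR.ACM' as prefixes of threat.name (an assumption; the release note gives only the two literals), keys incidents per device (also an assumption), and the events are constructed.

```python
from datetime import datetime, timedelta

# From the release note: ACM events are tracked as one AAT incident for 8 hours
# from the trigger (first) event. Prefix matching on threat.name is an assumption.
AAT_WINDOW = timedelta(hours=8)
ACM_NAME_PREFIXES = ("ACM.", "SONAR.ACM")

# Constructed sample events; "device" and "time" are assumed field names,
# "threat.name" is the field the release note names.
SAMPLE_EVENTS = [
    {"device": "ws-01", "time": "2020-08-03T08:00:00", "threat.name": "ACM.Ps-Wscr!g1"},
    {"device": "ws-01", "time": "2020-08-03T10:30:00", "threat.name": "SONAR.ACM!g2"},
    {"device": "ws-01", "time": "2020-08-03T15:59:00", "threat.name": "ACM.Untrst-RunSys!g1"},
    # 8h01m after the trigger: falls outside the window, so it opens a new incident
    {"device": "ws-01", "time": "2020-08-03T16:01:00", "threat.name": "ACM.Ps-Wscr!g1"},
    {"device": "ws-02", "time": "2020-08-03T09:00:00", "threat.name": "SONAR.ACM!g3"},
    # not an ACM detection: ignored by the AAT rule
    {"device": "ws-02", "time": "2020-08-03T09:05:00", "threat.name": "Trojan.Gen.2"},
]


def is_acm_event(event):
    """True when threat.name starts with one of the ACM prefixes."""
    name = event.get("threat.name") or ""
    return name.startswith(ACM_NAME_PREFIXES)


def group_aat_incidents(events, window=AAT_WINDOW):
    """Group ACM events into AAT incidents, one open window per device.

    The first ACM event on a device is the trigger. Later ACM events on the
    same device join that incident while they fall within `window` of the
    trigger time; the first event at or beyond the window starts a new one.
    Returns incidents in order of (device, trigger time).
    """
    acm_events = sorted((e for e in events if is_acm_event(e)),
                        key=lambda e: (e["device"], e["time"]))
    incidents = []
    open_incident = {}  # device -> most recent incident for that device
    for event in acm_events:
        ts = datetime.fromisoformat(event["time"])
        incident = open_incident.get(event["device"])
        if incident is None or ts - incident["trigger_time"] >= window:
            incident = {"device": event["device"], "trigger_time": ts, "events": []}
            incidents.append(incident)
            open_incident[event["device"]] = incident
        incident["events"].append(event)
    return incidents


def summarize(incidents):
    """(device, trigger time, event count) per incident, for quick comparison."""
    return [(i["device"], i["trigger_time"].isoformat(), len(i["events"]))
            for i in incidents]


if __name__ == "__main__":
    for row in summarize(group_aat_incidents(SAMPLE_EVENTS)):
        print(row)
```

The boundary is the part to be deliberate about: here an event exactly 8 hours after the trigger starts a new incident, and the window is measured from the trigger, not from the most recent event, so a steady trickle of detections cannot keep one incident open indefinitely.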
Live Shell:
  • Usability improvements in Live Shell (LS): LS now shows the appropriate error message "Unable to process your request. Please try later."
  • Live Shell is now disabled for agents with versions older than 14.3.
  • Functional defect fixes.
Endpoint Search Usability Enhancements:
New fields are now visible for the following event types, so that users can fine-tune their searches.
  • 8083: File Query Event: file attributes
  • 8084: Directory Query Event: directory-related attributes
  • 8085: Registry Key Query Event: a single parameter, Registry Key Path
  • 8086: Registry Value Query Event: registry value attributes
  • 8081: Process Query Event: process-related attributes
  • 8090: Service Query Event: service-related attributes
Sandbox:
  • The maximum file size for submission to the Cynic server is capped at 20 MB. Any sandbox submission request that requires a file submission to Cynic with a file size greater than 20 MB fails with the error "File size limit has exceeded".
  • On the other hand, SESC now supports large Sandbox responses, i.e., greater than 5 MB. This was a limitation until 2020.07.
  • The Sandbox event counter appears as a hyperlink. Selecting the counter opens the Sandbox results page with filtered events.
July 2020
Policy targeting (location awareness)
Policy target rules now support all conditions that are supported on SEPM. New conditions added for this refresh are as follows:
  • DNS lookup
  • ICMP ping request
  • Gateway address
  • WINS server address
  • Cloud connection
  • Trusted platform module (any/IBM/HP)
  • DNS server address
  • Wireless SSID
  • NIC description
  • DHCP connection DNS suffix
  • Network connection type
ICDm
  • Symantec Endpoint Security Complete now appears as a single product on the Subscriptions page rather than separate subscriptions for SEP, Cloud Connect Defense, Endpoint Detection and Response, Application Isolation, Application Control, or Endpoint Threat Defense for Active Directory.
  • A Symantec Endpoint Security Complete license is always applied to the default group. If a customer account has both Symantec Endpoint Security Enterprise (SESE) and Symantec Endpoint Security Complete (SESC) licenses, then any device under the account is considered part of the SESC license if any SESC features are turned on.
  • The Integrated Cyber Defense (ICD) event schema for API use is now published on the Integrations page.
  • SES getting started flow now includes advanced options for installation package configuration.
Application Control
The Application Control Configurator now lets you close the wizard during rule generation and return later to finish policy creation. You get notified when the rule generation completes.
EDR
Incident Management:
  • Incident enrichment is updated to include the latest MITRE content.
  • The time required to enable/disable all incident rules is reduced from 12 seconds to 3-4 seconds.
  • You can now toggle all Incident rules on and off.
  • You can now perform the following remediation actions from the Incident Actions bar, Incident Graph entity node, and Incident Entities:
    • Quarantine/Un-quarantine device
    • Blacklist/Whitelist file
    • Quarantine file
Investigator:
  • You can now add exclusions for App Isolation events with type ids 8040, 8031, 8032, and 8027 (PPRC, PPST).
  • Multiple enhancements are added in the Investigator View.
    • The AND operator is now automatically inserted between multiple filters.
    • You can easily toggle operators between AND and OR (hover over the operator to show the toggle).
    • You can now negate any filter in a filter expression. Enumerated values now appear in drop-down menus for easy selection.
    • Multi-byte characters are now supported.
    • Multi-byte characters now appear when exporting results.
    • The "not equal to" (!=) operator can be used in the module normalized path field.
    • The left panel can be collapsed to provide space for additional columns in the results.
    • You can now quickly search the Quick Filters without having to expand each category.
  • Event details for endpoint search, EOC search, Full dump and Process dump results now appear in the fly-out panel.
  • Requests per endpoint for Endpoint search and FDR events are increased to a maximum of 500.
  • The Investigate page now loads in fewer than 5 seconds.
June 2020
Behavioral Isolation
The Edit Policy option for Behavioral Isolation events lets you edit the Behavioral Isolation policy that generated the event.
Application Isolation dashboard has improved performance.
Policy Targeting (location awareness)
Policy target rules now support the following condition types to improve customers' security posture:
  • Registry
  • DHCP server address
In addition, you can also now choose Host group as the address type for a Computer IP Address condition.
ICDm
  • Endpoint Security dashboard now reflects correct seats for workstations, servers, and bridged endpoints.
  • The Alert rules page is now consistent with My Tasks and Playbooks.
  • Alert rules now show the condition to provide insights into the determining factors that generate alerts.
Application Control
  • New limits to the number of Application Control policy rules:
    • Application Control policies cannot contain more than 100K rules.
    • An Application Control policy that contains more than 30K rules cannot be targeted to device groups that use Application Isolation policies.
  • Improved performance in App Control Dashboard and KPIs.
EDR
Live Shell:
The Live Shell feature lets you run a PowerShell session on the endpoints in your network directly from the ICDM console. You can execute most PowerShell commands and scripts to aid the investigation of attacks and to extract forensic data.
Investigation:
  • The ability to omit bridged clients and clients that have FDR disabled from the selection browser for EDR commands.
  • Additional attributes for Mac FDR events in the fly-out panel.
  • Enhanced investigation support:
    • List/array and Serial fields are filterable.
    • Attributes with enumerated values show allowable values when constructing custom filters.
  • You can toggle between "AND" and "OR" operators when building filters.
  • Additional improvements include:
    • Performance enhancements.
    • Fewer page reloads when navigating the UI.
    • Command events and results are displayed when switching between command types.
Sandbox submissions:
  • Submit files to the sandbox directly from the File entity page.
  • Execute Get File and Quarantine File actions directly from the Discovered items page.
  • Search endpoints directly from a Process dump.
EDR Provisioning
  • A duplicate key exception is no longer generated when provisioning a customer that already has EDR rules enabled.
Incident management
  • Incident Handler performance is improved.
  • Fixes have been applied to various features.
May 2020
Behavioral Isolation
Behavioral Isolation policy lets you configure actions to take when trusted applications such as Microsoft Word or Adobe Reader perform suspicious behaviors. The policy provides the following benefits:
  • Identifies suspicious behaviors and maps them to the MITRE ATT&CK matrix, which offers additional insight into their attack potential.
  • Provides easy management of suspicious behaviors with options to block, monitor (log), or ignore the behaviors if they are legitimate.
  • Reduces the attack surface of your environment.
Policy Targeting (location awareness)
  • Policy targeting rules are now available to allow administrators to apply policies based on a set of conditions. This feature is similar to location awareness in SEPM. Policy targeting allows a different set of security policies to be applied when a client computer is connecting to the network.
  • If the conditions match, the client computer automatically applies the associated policies based on the rule that specifies the conditions. By default, two policy target rules are available:
    • Default rule with no conditions.
    • Quarantine rule that is automatically applied to any quarantined devices. Administrators can create additional rules.
  • Currently supported conditions are user and computer IP address (IPv4/IPv6, IP subnet mask, IP range).
Attack Surface
Reduce the attack surface in your environment using the Breach Assessment tool to assess and secure Active Directory. See Securing the Active Directory through breach assessments.
ICDm
  • In My Tasks you can use filters.
    • The custom filter searches the tasks for a particular component, such as Endpoint Protection Response.
    • The quick filter lets you search on the severity, security feature, or the type of task, such as a management task or security task.
    • You can mark a task as done, or as a task you can ignore. The Tasks tab displays which tasks are pending or completed.
    • The task filters appear on the Endpoint > My Tasks > Tasks tab.
  • You can now search for playbooks using Quick Filter on the Playbooks page.
  • On the Managed Devices page, administrators can now filter devices based on Endpoint Detection and Response (EDR) feature status.
  • The ICDm tab was removed and the content moved to the Endpoint tab.
  • You can now sync devices from Azure Active Directory and view them on the Devices page.
    • Imported devices appear under Devices > Unmanaged Devices.
    • Imported groups appear under Devices > Device Groups.
  • You can now download Symantec Agent installation packages for Windows Server and Linux.
  • You can set a custom dashboard as the default dashboard.
  • ICDm licensing changes:
    • You can apply a license once for any domain and the license applies to all domains for the entire account.
    • If a specific product was not enabled in a pre-existing domain, the product is not automatically enabled. You must still apply at least one license in the domain to enable the product.
  • Subscription updates
    • Server protection is now included with a Symantec Endpoint Security subscription.
    • Customers do not have to purchase separate licenses to protect Microsoft or Linux servers.
EDR
New functionality includes the following:
  • View and drill down into the event surge on the new Event Time Line.
  • You can filter events based on 12 categories using the Group By option.
  • You can perform the following integrated remediation actions from the Action menu:
    • Get File
    • Quarantine File
    • Submit to Sandbox
  • View the Security Events in the new workspace of the Investigate menu.
  • Use new Quick Filters such as App Isolation, App Control, or Sandbox Detections to search for suspicious events.
  • Perform a Full Dump to search for all the events on an endpoint.
  • Perform an Evidence of Compromise search for events on the endpoints.
  • Quickly view the events based on the new Dashboard MITRE tactics and MITRE ATT&CK Technique widgets, and use the KPIs to view the endpoints on which Endpoint Activity Recorder is enabled or disabled.
  • Mac support improves visibility across all endpoints:
    • Endpoint Activity recorder policy now supports macOS
    • Investigator view shows all security events and FDR events from macOS
    • Incidents now support macOS
April 2020
ICDm
  • On the Device Details page, you can now review the status of protection features and the versions of protection features and content.
  • The cloud console sign in now uses Okta authentication instead of Norton Secure Login. Two-factor authentication is now required by default and cannot be turned off.
  • A new notification banner shows expiring licenses.
  • Digital hub customers now see correct information on the Subscriptions page.
  • Integration with Content Analysis (CASMA) is no longer supported. In late May, cloud-based sandbox analysis will replace CASMA.
  • Introduced Playbooks in My Tasks to execute preconfigured workflows on demand on multiple devices in your environment.
  • You can view more details of the different tasks that are generated in the My Tasks tab. View details such as the status, the security control, and the alert that triggered a task.
  • Enhanced alert rule with options to configure alert notifications and threshold as needed.
Coming soon
A Behavioral Application Isolation policy will soon be available in the console. The policy specifies whether to allow or block potentially risky behavior that is exhibited by a set of trusted applications.
March 2020
ICDm
  • Super Administrators can now add the following Command privileges to custom roles:
    • Run LiveUpdate
    • Quick Scan and Full Scan
    • Quarantine/ Unquarantine
    • Reboot
    • Lock and rollback engine
  • SEP Mobile is now accessible from the main navigation of the Endpoint tab.
February 2020
ICDm
  • A new Security Headlines tab on the Home page features links to insights and tweets from security experts.
  • Administrators now receive email notifications about the new agent version releases.
Vulnerability Remediation
  • Remediation of vulnerabilities is now supported for the additional products:
    • Google Chrome
    • Mozilla Firefox
    • Mozilla Firefox ESR
    • Mozilla Thunderbird
    • Adobe Flash
Endpoint Detection and Response (EDR)
  • FDR Search
    FDR Search facilitates querying event data directly from the endpoints in your environment.
    • You can carry out FDR Search from the Investigate menu.
    • The Search Details page now shows FDR searches and event details.
    • Search limits are set as follows:
      • You can run only 100 searches for a customer in a domain.
      • You can run an FDR search for only 10 Endpoints or Devices.
      • The maximum number of events for an endpoint is currently limited to 500.
        If the event count exceeds 500, refine the search query to get the required set of events.
  • Shared Queries
    • You can now label the existing saved queries as shared. Shared query names should be unique in a domain.
    • A user with access to the Investigate tab can use shared queries from the Shared Queries tab of the Save Query menu.
    • Only Super administrators and Domain administrators can edit or delete shared queries.
  • Dashboard
    • Added the Incidents by Detection Type and Severity widget to the Dashboard.
  • Other
    • Close Incident and Comment Incident are now separate privileges.
January 2020
Subproduct
Description
ICDm
The Symantec Agent notification service URL has changed to:
  • us.spoc.securitycloud.symantec.com
  • eu.spoc.securitycloud.symantec.com (use if you have agents in Europe)
From:
  • spoc.norton.com (Continue to allow spoc.norton.com until further notice)
You must allow these URLs if you use proxies in your environment.
The Launchpad domain is no longer created for new customers. Launchpad is a special domain for pre-release features. For existing customers, Launchpad is now hidden. Customers who had enrolled a Symantec Endpoint Protection Manager or enabled a paid license for Application Control or Application Isolation in Launchpad can recover the domain by contacting Support.
The following are new ICDm features:
EDR
EDR dashboard
You can now monitor the current status of the incidents and the number of affected endpoints on the Endpoint Detection and Response (EDR) dashboard. You can view the following:
  • Total number of open incidents and their priority (High, Medium, Low).
  • Total number of closed incidents and their priority (High, Medium, Low).
  • Top 5 Incidents by Priority and Affected Endpoints.
Role-based access to EDR actions.
You can now perform the following actions with the Security Analyst role:
  • Run Process Dump
  • Full dump
  • Incidents Comment and Close
Investigation enhancements
  • You can now run the following commands:
    • Send to VT/Query VT
    • Scan an endpoint
  • You can now add or remove columns from the event details view.
  • You can now export events (up to 10000 events) to a .csv file.
  • You can now search for Incidents based on the Incident Comments.
Performance Improvements
  • Improved timing to show search results by optimizing the TAA events query.
  • Added batch support while publishing a TAA incident.
  • Improved matching heuristics for TAA event search using actor.uid and process.uid.
File Entities Discovery
  • Data Center Security (DCS) is installed on the default group. This lets you view files and the installed apps of the managed endpoints in the ICDm console.
Fixed Issues
  • Fixed the incident rules that were creating noisy results.
December 2019
Subproduct
Description
ICDm
  • Mobile Device Management (MDM): You can now manually start or schedule automatic device synchronization. You can see scheduled sync interval, last sync status and next sync time.
  • The Policies tab and Policies Groups tab no longer include the Policy Status column or the Publish Policy and Make Draft commands.
  • You can delete and search for domains. The limit on the number of domains you can create increased from 10 to 50.
EDR
FDR Actions:
  • Process Dump:
    • On the File details page, you can now submit an FDR process dump to fetch the events related to a particular process, and add them to the events store.
    • You can now monitor the execution of Process dump commands.
    • You can cancel Process dump commands.
    • You can now search process dump results using Lucene queries.
    • The ability to export Process dump results has been added.
  • You can now trigger Quarantine, Un-quarantine, Quick Scan, Full Scan, and Process Dump actions directly from the Investigation view.
Incident Visualization:
  • High Risk nodes are color-coded red in the incident graph.
  • Incident responders can now see malicious files on chosen endpoints.
  • Incident responders can now see the endpoints related to a chosen file.
Investigation Enhancements:
  • You are now able to search Investigate results with file reputation ranges "Good\Bad\Unknown."
  • You are now able to perform token based search for text fields from the Investigate menu.
Fixes
  • Enforced the maximum number of events for an EDR incident.
  • Added double-byte support for incidents.
  • Enforced JVM heap memory settings for microservices.
November 2019
Endpoint Detection and Response enhancements
Investigate Search - Event results grid enhancements
  • You want to quickly narrow search results to those that either match a specific field value, or exclude results that don't match a specific field.
    This release adds the ability to easily filter for a value, or filter out a value. When you expand a row on the results grid, hover over an event field to display a + icon and a - icon. Click the + icon to filter for a value; click the - icon to filter out a value.
  • You want to see at a glance which fields have null or empty values.
    Fields with null or empty values are now displayed with a long dash (—).
  • You want to see all dates in the fields as your local dates.
    Dates for all fields now show the local date.
  • Expanded event rows no longer show duplicate values.
Investigate Search - Filter
  • You want to be able to use special characters such as [ ] " . ! { } ~ ( ) \ : and ^ in a free-form search.
    With this release, you can now perform a word search (surround the word in double quotes) for words that contain special characters.
  • Boolean values are no longer case-sensitive.
  • You can now specify a Windows file path within a Regex query.
Incidents Page
  • You want to see the non-HTTP network events for IPS Incidents in the Incident Graph.
    The Incident Graph now shows IPS incident > non-HTTP network events.
  • The Incident first_seen value is now updated during Incident Update.
  • The AVE Incident Rule now excludes blocked events.
  • Only relevant incidents are now created by App Isolation block events on CDM.
  • Null incidents no longer appear for firewall block events on CDM.
Symantec Endpoint Security
  • Pre-installation checks are now implemented for Symantec Agent.
    Availability of R3 URL and SPOC URL is checked before Symantec Agent installation and if these URLs are not available, the installation will fail with a proper error.
  • Vulnerability Remediation enhancements
    • Added ability to activate or deactivate remediation for multiple vulnerabilities at once.
    • Added ability to activate the remediation for a vulnerability that does not have the remediation available. If the remediation for such vulnerability is activated, the fix will be deployed as soon as it becomes available.
    • The Other Events tab shows audit events for activate and deactivate actions. You can view information about the person who performed these actions and the time when the action occurred.
    • Activate Remediation shows the number of affected devices and the number of vulnerabilities that will be fixed.
    • While viewing the details of a vulnerability, the list of other vulnerabilities is also shown on the left. You can easily select and view the details of other vulnerabilities.
    • Multiple UI improvements.
  • Application Isolation and Application Control enhancements and fixes
    • Updated operating system rules to improve policy performance.
    • Symantec rules now take precedence.
    • Multiple minor policy improvements.
October 2019
Symantec Endpoint Security
The Symantec Endpoint Protection 15 product name changed to Symantec Endpoint Security. You can purchase a subscription for any of the following solutions:
  • Symantec Endpoint Security: Core protection; Secure Connection (was Cloud Connect Defense); Mobile Security.
  • Symantec Endpoint Security Complete: Core protection; Secure Connection; Mobile Security; Application Control and Application Isolation; EDR; Threat Defense for Active Directory, and Vulnerability Remediation (requires a separate license).
The Endpoint Security core protection features, Secure Connection, Application Control, Application Isolation, EDR, and Vulnerability Remediation appear on the Endpoint tab and the ICDm tab. Other features appear on additional tabs that appear when you activate a trial or paid subscription.
  • The Cloud Connect Defense (CCD) product is now a selectable feature in the Symantec Endpoint Security and Symantec Endpoint Security Complete solutions. Cloud Connect Defense is renamed to "Rogue Wireless Network Protection, Network Integrity, and Smart VPN." The CCD client is renamed as the Symantec Agent.
Enhancements of the Symantec Agent Installation Package page include:
  • Ability to select the Secure Connection features to be installed as part of the Symantec Agent. Installation of Secure Connection features is possible with all deployment methods (i.e., installation package, email invite, push enroll).
  • Enrolling devices from the Installation Package page is now available for Windows 10 S Mode, iOS, and Android devices.
On the Managed Devices and Device Groups pages, you can:
  • Sort by all but the following fields: IPv4 address, MAC address, status reason, VM vendor and Alert.
  • Search in all but the following fields: IPv4 address, Last Updated, VM vendor and Alert.
  • Search for devices installed in virtual or physical environments.
  • Select multiple devices and enable commands on them. For example, you can quarantine or delete multiple devices, or move them to another group.
  • View the connection status and status reason for devices connected to Symantec Endpoint Protection Manager.
  • On the Unmanaged Devices page, you can now export discovered devices to a CSV file. Exporting up to 50K devices is supported.
  • You can enable or disable Mobile Device Management (MDM). Note that when you disable Mobile Device Management, all saved MDM provider settings are deleted.
Enhancements of the Vulnerabilities page:
  • If a vulnerability is associated with multiple applications that have different CVSS scores, the CVSS Score column displays the highest score.
  • Vulnerabilities are now reported for products that have no version specified.
  • Key Performance Indicator (KPI) counts are updated each time you change the filter.
  • A TITLE column is added to the vulnerabilities grid.
  • Vulnerabilities for more versions of Mozilla products are reported (Firefox: 49.0 and later, Firefox ESR: 45.4.0 and later, Thunderbird: 45.1.0 and later).
  • The Vulnerabilities by Severity report is now available. The report shows the vulnerability count by severity and the details of each vulnerability.
ICDm
  • Redesigned the welcome page to improve overall customer experience.
  • The Events page now includes the following enhancements:
    • Improved searching and filtering in events workspace.
    • Drill-down support from other work spaces to events workspace.
    • "Group by" support for additional attributes.
  • You can select the Cloud Connect Defense (CCD) product as a feature in the Symantec Endpoint Security and Symantec Endpoint Security Complete solutions. Cloud Connect Defense is renamed to "Rogue WiFi network protection, network integrity, and smart VPN." The CCD client is renamed as the Symantec Agent.
  • You can now select multiple devices and enable commands on them on the Managed Devices and Device Groups tabs. For example, you can quarantine or delete multiple devices, or move them to another group.
EDR
  • Customers now have a single view of endpoint activity recorder, Advanced Attack Technique events, and SEP events.
  • New and improved search tools provide unified, advanced search across all events. Search tools include:
    • Time-based filtering on relative ranges (for example, "Last Week") and absolute ranges (start and end dates and times).
    • Pre-defined "quick filters" that filter for key items like MITRE tactics, detection technology, dual-use tools and many more.
    • User-specified custom filters built from any event data fields.
    • Ad-hoc, text-based filter creation using industry-standard Lucene Parser Syntax.
    • The ability to save queries.
  • A new Incidents tab under Alerts and Events in the left navigation bar. The tab provides a list of all incidents that a security analyst should investigate further, along with a description that explains the detection, the priority, and the number of impacted endpoints. Incidents are generated based on SEP, TAA, AAT, and EDR events.
  • Detailed views of individual incidents, events, and involved entities (endpoints, files, domains, etc.).
  • Graphical representation of incidents that show the relationships between the elements of the incident.
  • The ability to comment on incidents by multiple investigators, and to close the commenting upon incident resolution.
  • Policy-based endpoint data recording configuration that includes:
    • Ability to assign the policy to specific device groups.
    • Scheduling when data is sent to EDR.
    • The types of data sent to EDR.
  • Streamlined EDR provisioning and on-boarding using the same device groups you've created for other endpoint security solutions.
August 2019
  • Symantec Endpoint Security-enabled devices that have been offline for more than 30 days are automatically deleted from the cloud. This allows you to enable licenses on more devices.
  • A Device type filter lets you sort devices that are either workstations or servers on the Devices page.
July 2019
  • The Endpoint Security Dashboard separates out the devices as workstations or servers.
  • A Device type filter lets you sort devices that are either workstations or servers on the Devices page.
  • The Application Control Configurator now gives you the option to save your work and resume at a later time.
  • The Application Control policy now shows rules grouped by application or file used to create each rule.
  • Symantec-signed applications and files are included by default in the Allow list and cannot be moved to the Block list.
  • Windows Deployment Image Servicing and Management (DISM.exe) is allowed to run out of temp folders in the default configuration of the platform policy.
Late June 2019
  • Significantly enhanced the Device Integrity Computer Status report with the following additional columns to support compliance reporting:
    • Antimalware content information, including the version number and time the virus definitions were last updated.
    • Scan-related information, including the most recent scan time and virus detections.
    • Device-related information, such as the operating system, version number, and IP address of the device.
    • Management-related fields, such as sign-on user name and the time the device was enrolled.
  • Added support for MD5 hashes in the Blacklist policy, so that you can import hashes from other security products that do not support SHA-256. See Managing denied items and allowed items from the central list.
  • A Policy Components tab was added to the Policies page as a central location for shared policy components. The Host Groups and Manage External Devices pages moved from the Settings page to the Policies page > Policy Components tab.
  • You can unlock certain policies so that client users can override the policy’s settings on the device.
  • The Alerts and Events page shows Tamper Protection events for 14.2 RU1 MP1 and later clients. You can filter Tamper Protection events and export them in CSV format.
  • The Device Integrity security control displays a Key Performance Indicator that shows which devices are not getting new content and which devices have a LiveUpdate failure.
  • The Block UPnP Discovery firewall rule is configured to not log events, to minimize the number of events that the client sends to the cloud.
  • The client upgrade settings in the default System policy use the Latest Release option for the Testpad and production domains and the Prerelease option for the Launchpad domain.
June 2019
  • You can specify the language for the Symantec Endpoint Security installation package. For the direct installation package or for push install, automatic detection of the target device's language is enabled by default.
  • Package names for the redistributable installation package now refer to the product-independent Symantec Agent.
  • You can generate on-demand or schedule Computer Status Data reports and Device Integrity Comprehensive reports for client count by group and the client version, which include cloud-managed and on-premises clients.
  • Use a new signature subset for servers to provide a protection profile that is optimized for servers. In addition, Symantec Endpoint Security introduces a new operational mode option for Intrusion Prevention: Out-of-band scanning. This mode changes the processing model for network traffic.
  • Importing policies from Symantec Endpoint Protection Manager 14.2 RU1 now provides additional information on the summary screen: policy type, Symantec Endpoint Protection Manager name, domain name, and site name. The same information appears during pre-import, along with the time the policy was last updated.
May 2019
  • A new policy Import Wizard is available to migrate policies from on-premises into the cloud. Upload your Symantec Endpoint Protection Manager policies and the wizard converts them into the appropriate cloud policies. The wizard is located at the end of the Endpoint Security Quick Setup and as a new task under My Tasks.
  • The Intrusion Prevention policy includes a new signature subset for servers to provide a protection profile that is optimized for servers. In addition, Endpoint Security introduces a new operational mode option for Intrusion Prevention: Out-of-band scanning. This mode changes the processing model for network traffic. Symantec recommends that you test out-of-band scanning before you deploy it to your production environment, as performance characteristics vary depending on the workload.
  • In the Firewall policy, you can create a prepopulated list of hosts that you can access from any firewall rule in any firewall policy. Use the new 'Add from Host Group' option to include the hosts in this group.
  • In the Firewall policy, you can identify an application based on the application's size or with an MD5 or an SHA-256 hashing algorithm.
  • A new Quarantine Device command removes most network access from a device. The device can continue to communicate with the cloud and receive content updates for remediation, but users cannot access network resources. Administrators use the command when a device is compromised to prevent the spread of malware. Administrators can un-quarantine the device after remediation or when the device is no longer deemed to be a threat.
  • Added a new filter for Tamper Protection security events in the Event view.