Archive of previous release information

This topic contains information about previous releases of Symantec Endpoint Security. For information about the latest release, see:
Late August 2021
Feature Area
What's New
Host Integrity
New Host Integrity policy allows customers to define custom compliance criteria for Windows devices in their environment.
The policy includes custom requirements for a Host Integrity check. Devices automatically get targeted with a Quarantine policy if they fail a Host Integrity check. Administrators can also set a schedule for the Host Integrity check and configure end user notifications.
The following options are supported for custom requirements:
  • Utility or registry functions, such as OS type or registry key
  • If...Then statements for specifying custom conditions
The minimum agent version required is SEP 14.3 RU1-MP1. See:
August 2021
Feature Area
What's New
Adaptive Protection
Made enhancements to the Adaptive Protection policy to include options from the Adaptive Protection - Behavioral Insights and Policy Tuning heatmap.
  • Quick-Tune button - Sets all application behaviors with zero prevalence to deny.
  • More Filters option - Filters the application behavior list by behavior prevalence or policy action.
  • Group by option - Shows the application behavior list by application or by behavior.
  • Bulk action to allow, monitor, or deny all application behaviors in the list. Administrators can filter the list and use the bulk action rather than individually setting actions for each application behavior.
  • Show policy on heatmap option - Opens the heatmap for the current policy.
For more information, see:
System status
New System Status and Support icon in the console top banner shows account information, links to Support resources, and a link to subscribe to maintenance and downtime notifications.
New Report Recipients tab provides a central place for administrators to manage and configure recipients across reports. Report Recipients lets administrators:
  • Add or delete report recipients in bulk.
  • View or edit report emails that a single recipient receives.
  • Easily identify non-administrator recipients. These recipients do not have console sign-in credentials and always receive a report as an attachment.
Also updated report templates as follows:
  • Added option to bulk add report recipients.
  • Report templates list shows total count of recipients shown with each report.
For more information, see:
page shows cloud console user session events (sign-in, sign-out). Sign-in events are shown for Broadcom Okta authentication and SAML authentication.
Incidents are now linked to the incident rule that created the incident. This makes it easier to disable rules that might be particularly noisy.
The timeline graph no longer displays process terminate events and only displays process start times.
July 2021
Feature Area
What's New
SES Mobile (Mobile on ICDm)
Applicable mobile OS types are now indicated for each option in the Network Integrity policy. Android and iOS icons have been added to each option that applies to these OS types.
For more information, see:
Mac agent
Mac 14.3 RU2 agent now available with support for Apple M1 chips.
Endpoint Detection and Response (EDR)
Policy Attribute Update
Reduced EDR event volume by 40 percent by not sending all process termination events.
The policy attribute Process Terminate Activity is removed.
Existing customers will be notified through a policy upgrade. New customers do not see this attribute.
Mac Agent Support in Investigate
You can now investigate the threats on Mac devices that are protected by SEP 14.3 RU2 agents.
The following functionality is supported:
  • EOC Search
    You can now Trigger/Cancel/Delete EOC searches on Mac devices having SEP version equal to or greater than 14.3. This functionality provides you with the ability to retrieve EOC search events with type ID - 8083.
  • Remediation
    Only file remediation is supported. You can trigger the Quarantine File command from all the supported paths: File Details, EOC result, and Device > Activity History
  • Cancel
    You can now cancel EOC search commands and remediation commands.
For more information, see:
Alert Updates
  • Alert for incident creation time
    Alerts when the incident creation time exceeds a threshold and indicates that there might be a problem with incident ingestion.
  • PVC alert for incident and search databases
    Captures situations where the PVC disk size has increased beyond the threshold setting.
June 2021
Feature Area
What's New
Adaptive Protection - Behavioral Insights and Policy Tuning heat map
The heat map widget is now available to all SESC customers for cloud enabled devices. The widget shows the prevalence of potentially suspicious behaviors by trusted applications in your environment. You can use the widget to monitor behaviors and make changes to your Adaptive Protection policy.
  • Heat map details include Symantec recommendations for policy actions. Details also show any adaptations (customer-specific exclusions) automatically applied.
  • The heat map appears on the Adaptive Protection dashboards and is available to add to any custom dashboard.
For more information, see:
  • Adaptive Protection automatically applies adaptations (customer-specific exclusions) to policy actions for certain trusted application behaviors.
  • Adaptations are shown in the popup details for an application behavior in the Adaptive Protection - Behavioral Insights and Policy Tuning heat map.
The Adaptive Protection policy was previously named Behavioral Isolation.
For more information, see:
Mobile Protection
The following mobile protection capabilities are now available in the cloud console:
  • Mobile device enrollment
    End users can self-enroll their iOS and Android devices.
    Administrators can deploy the SEP Mobile application using Microsoft Intune or VMware Workspace ONE. See:
    About protecting your mobile devices
  • Mobile device details
    Mobile device details are now available on the
    page. The details include device security status, which is based on configuration vulnerabilities, indicators of compromise and malicious network activity. See:
    Viewing device details
  • Policy management
    Network Integrity policy now supports VPN and SRP (Selective Resources Protection). See:
  • Events and alerts
    Mobile event details are now included on the
    page. Mobile alert details are included on the Incidents and Alerts page. See:
    Understanding incidents, events, and entities
  • Discovered Items
    Android application reputation is now included on the
    tab. See:
    Using Discovered Items
  • Quick Setup
    Enroll mobile devices on the Quick Setup > Endpoint Security page. See:
    Getting started with Symantec Endpoint Security
Antimalware policy
A new automatic Quarantine Scan runs by default when new definitions arrive.
You can edit the scan to configure the following options:
  • Whether to use the default or a custom folder.
  • The number of days to keep quarantine files or backup files.
For more information, see:
Network Integrity policy
The Network Integrity policy now includes configuration to specify domains for Selective Resources Protection (SRP). The specified domains are protected when any threat is detected on a device in the domain and a VPN tunnel cannot be established.
SRP is currently only supported for iOS devices.
For more information, see:
Endpoint Detection and Response
Usability enhancements:
  • Incidents:
    Added a quick filter for RRS logs on the
  • Cynic:
    Shows Sandbox result as Malicious for a malicious hash with no execution events. EDR also informs you when associated events are not available on the Sandbox Results tab and Sandbox Summary section of the file details page.
Investigator updates for SES Mobile:
You can search for threat indicator (IOC) events generated for SES Mobile applications (Android and iOS). This feature provides the ability to retrieve SEP mobile events with type ID 8061.
  • A new Quick Filter called Threat Indicator has been added.
  • You can also add OS Type and Device Type to the custom filter list to narrow the search.
For more information, see:
Windows Forensics support from Investigator:
Windows Forensics is now available and includes advanced information about running processes, network connections, and user accounts. You are now able to collect forensic information from endpoints and search for forensics events in the Investigator search results.
  • This feature lets you initiate FORENSICS commands similar to Full Dump and Process dump.
  • The progress of the forensics commands can be viewed on the Search Status
  • You can now retrieve forensics events with type IDs 8081 and 8090.
For more information, see:
More visibility into network activity:
Network statistic (netstat) events from the Endpoint Activity Recorder show advanced information including the protocol used and amount of data uploaded/downloaded.
  • You can visualize a summary of the entire network session.
  • By default this policy is enabled for the Netstat feature and the Protocol list. Events with ID 8007 can be searched in the Investigator view.
New file metadata visibility:
File metadata events from the Endpoint Activity Recorder show suspicious behavior and MITRE techniques used within scripts before they execute.
Incident responders can get additional context about files such as LNK files, script files, and docs with MACROS. This allows you to more accurately assess the risks of suspicious files being introduced to your environment.
  • LNK file shows the target command to be executed when launched.
  • Script files and documents with MACROS are sent when suspicious commands are observed and/or when behaviors mapped to the MITRE ATT&CK framework are observed.
For more information, see:
May 2021
Feature Area
What's New
ICDm - Device Details
Added ability to define a custom name (alias) for a managed device by editing the original name of this device. See:
Incidents and Events
The Incidents Public API now queries incident events to support incident associate events.
You can now only execute one Forensic command at any given time.
Weekly Estimation column on the Incident Rules page provides an estimated count of the number of times any single threat ID was observed in the customer environment for the last 7 days.
  • The rules are by default displayed in descending order of Weekly Estimation.
  • Weekly Estimation is only applicable for the AAT Rules, not applicable to System Rules.
  • For System Rules, a "---" will be shown for the estimation.
SEP Mobile
SEP Mobile tenants are now automatically provisioned.
April 2021
Feature Area
What's New
ICDm Home page changes
Dashboard views are consolidated and available on a single page for easy viewing. The fully customizable
page replaces the existing product, feature, and custom dashboards
Existing custom dashboards are migrated to the new design. Some widgets are no longer available.
  • The
    tab is removed.
  • Widgets now appear on the
    page and are categorized by security area rather than product feature.  You can select from several out-of-the-box default views for these categories.
    • Default
    • IT Operations
    • Attack Surface Reduction (Symantec Endpoint Security Complete only)
    • Threat Protection
    • Threat Analytics
    • Security Operations (Symantec Endpoint Security Complete only)
  • You can also create a custom view from the
    page and set it as the default.
  • KPI bars are now shown as widgets. Some journey line or quick setup content is available on the Quick Setup tab in the left navigation panel.
  • Some widgets were retired and no longer appear on default or custom views. These include Learn More or Quick Links widgets.
  • SEP 14 widgets were also removed and are no longer available:
    • Cumulative Actions Taken and Unresolved
    • Top 5 Suspicious Detections by Prevalence
    • Suspicious Detections by Risk
    • SEP 14.2 Key Performance Indicators
  • Application Isolation KPIs are no longer available, and the following Application Isolation widgets were removed:
    • Top 5 Devices without Isolation Protection
    • Top End User Feedback
    • Isolation Coverage for Vulnerable Apps
    • Isolation Coverage for Suspicious Detections
    • Top Apps Showing Isolation Violations
  • Any existing custom dashboard that includes only retired widgets is removed.
For more information, see:
ICDm - Licensing and Subscriptions
Target Limits option allocates a fixed number of seats in a particular domain to help track any overages. See:
ICDm - Discovered Items
Discovered Items > Applications tab now appears for all customers.
System policy
A new option in the System Policy is available to submit suspicious files pseudonymously to Symantec to enhance threat protection intelligence. See:
General settings for System policy
Added the following enhancements:
  • The Incidents event grid now links all actors within the same attack with an identifier, the correlation_uid. The attack chain includes Process Launches and Process Injections and will eventually handle Proxied Execution such as a process making WMI calls.
  • You can now get lineage incidents by the incident ID.
  • Range-query support is now available when searching by Priority_ID.
  • Public facing documentation for the Incident API has also been updated.
Breach Assessment
You can now directly download and use the Breach Assessment tool to generate reports on any Active Directory (AD) misconfigurations or vulnerabilities that exist in your AD environment.
The tool uses the capability of Threat Defense for Active Directory and provides a comprehensive report of the assessment findings. See:
Application Control
Application Control rules now support application versions.
March 2021
Feature Area
What's New
API Documentation portal
Users can now search for specific APIs in the API Documentation portal. See:
You can now generate an OAuth credential through Integrations > Client Application Management in the cloud console.
  • The Security Headlines tab now includes a Protection Bulletin.
Client Application Management
  • Client Application Management now includes an option to generate an OAuth Credential. You can use the credential in the API Documentation portal.
  • Added ability to configure privileges for a client application. The privileges of a client application can be edited by the owner of this client application or by the Super Administrators and Domain Administrators.
  • By default, users with
    privilege (Super Administrators, Domain Administrators) can view and manage all client applications in the current domain and users without
    privilege (all other roles) can view and manage only the client applications that they have created.
Detection and Response
New features or enhancements include the following:
  • New event source support for AMSI and ETW.
    • 8015 - ETW Activity (Monitored Source)
    • 8018 - AMSI Activity
    • Added new Investigator, Incidents, and quick filter support for these event types.
  • Granular EDR recorder rules on CDM
    • Highly repetitive and mundane events can be recorded differently from unusual or unexpected events. You can now exclude events based on event type, operation, actor, and target. Previously, only file hash and file path could be excluded.
    • You can create up to 100 custom exclusions per customer domain. You can also set exclusion priority and order.
    • You can now set the following process monitor options in the Detection and Response policy: Do not record, Record but do not submit, Record and submit, Disable Monitoring.
  • Improvements to Live Shell performance and security
    • Live Shell is scalable and more secure.
    • EDR now supports a higher number of simultaneous Live Shell sessions.
    • You can now download the complete session history in compressed format.
    • The web socket session from the console is also authenticated to provide more secure communication.
  • Improvements to EDR public APIs
    • Incidents and associated events can now be extracted.
Antimalware policy
New features or options include the following:
  • New automatic scheduled scans
    • Defwatch Scan
      Enabled by default. Runs a scan when new definitions arrive on a device.
    • Startup Scan
      Disabled by default. Runs a scan when a user logs on.
  • New scheduled scan options
    • Scan custom extensions. You can also restore deleted default and custom extensions.
    • Configure custom scheduled scans to scan custom folders.
    • Enable or disable the scanning of files inside compressed files or folders on the new
  • Auto-Protect now includes an option to exclude custom processes.
For more information, see:
February 2021
Feature Area
What's New
The API documentation portal has been redesigned to be easier to use and test APIs. See:
New Threat Intelligence API allows for real-time enrichment of files and network addresses. The API requires a subscription to Symantec Endpoint Security Complete. See:
ICDm updates include the following:
  • Improved performance and responsiveness of policy list and group pages.
  • You can now export grid data on additional pages to CSV files.
  • Product tabs were removed from the top banner of the cloud console.
  • The
    page design was updated for better user experience. The page now shows product subscription details in the same page view with separate tabs for Usage, Licenses, and Licensed Groups.
For more information, see:
Checking your subscription status
A new public API lets you retrieve incidents and their details.
The API provides the ability to fetch incidents within a specified time range.
The API also supports Lucene queries.
Antimalware policy
  • New options are available in the Antimalware policy under
    Advanced Scheduled Scan Settings.
    • Delay a scheduled scan when a device is running on batteries.
    • Run a scheduled scan when the scan author is not logged in.
  • You can now configure a scheduled scan to scan only selected file extensions.
  • Administrators can configure a scan to scan only selected folders from a list of supported folders.
  • The policy now includes a scheduled USB scan that the administrator can enable or disable.
  • Auto-Protect options now include a setting to allow Windows Defender to run before Auto-Protect runs. The option is off by default.
For more information, see:
Symantec Agent for Mac 14.3 RU1 (cloud refresh)
The Symantec Agent for Mac 14.3 RU1 (cloud refresh) includes the following enhancements:
  • Scan exclusions now supports files, folders, mapped drives, and external drives.
  • An option that requires users to specify a password before they can uninstall the Symantec Agent for Mac.
  • Smaller enhancements and fixes such as improved support for Cisco VPN and improved stability of the Symantec Agent for Mac.
  • The Symantec Agent for Mac is not supported on an ARM platform. SES blocks the installation and displays an error message.
December 2020
Feature Area
What's New
Automatically uninstall existing third-party security software option is again available in the Advanced Options > Software removal settings for the Symantec Agent installation package. See:
Behavioral Isolation
The Behavioral Isolation policy is now supported on SEPM-managed 14.3 RU1 devices. If you target the policy to a SEPM-managed device that runs an older agent, the device ignores the policy.
Linux forensic support
You can now collect forensic data (processes, modules, users, groups, etc.) from Linux SEP devices. See:
Incidents information on Device details page
Customers can get information about open and closed incidents that are associated with any device or endpoint. This information is available on the new Device details page
tab. If you select an individual incident, incident details appear on the flyout panel.
Module detection event type support - 8028
The Investigator now supports module detection type of events from the Windows agent.
Associated events support
Investigator now supports associated events. For instance, for the 8070 Compliance Scan event, the Events flyout panel provides a link to all associated 8071 events. In this case, the 8070 and 8071 events are linked by scan_uid field.
Aggregate/composite events
Investigator now has the capability to show the composite events for firewall events.
The new Investigator workspace provides enhanced capabilities:
  • Show composite events.
  • Show attributes of composite events in flyout.
  • Provide composite events tab accessible through a link in expanded rows.
The activity history page from Device Details is also updated with these enhancements.
Application Control
Vulnerability logic now uses new technology to assess applications. See:
Vulnerability Remediation
A vulnerability remediation add-on is no longer available for purchase.
October 2020
Feature Area
What's New
Device Control is now added to the list of technologies that administrators can choose for Allow List file exceptions.
Device purge now includes devices that are enrolled by Endpoint Protection Manager. Administrators will see decreasing device counts after these devices are offline for 30 days.
Note that devices that are managed by Endpoint Protection Manager rather than the cloud are marked for deletion when they go offline and purged in the 24 hours after the 30-day expiration.
The Antimalware policy now includes an option to randomize scans to avoid scan storms on devices. The administrator can choose to scan until the scan finishes, which is recommended to optimize scan performance, or to scan for a certain number of hours with or without randomizing the start time and duration.
The Antimalware policy also includes an option to allow the retry of missed scheduled scans and to configure a retry interval.
Associated events support:
You can now see associated events on the investigator event details flyout panel. For instance, on the section for Compliance Scan event (event type - 8070) you can see all of the associated Checked by the scan events (event type - 8071).
Event details flyout panel:
You can now see event details and export those events with a consistent layout using the common flyout panel for all SES and SESC event grids.
Restore default rules option is available for incident rules.
Improved "Suspected Breach" algorithm:
Incidents created from an AAT and System Infected NDC conviction are now supported.
AdWare/Audit/PUA etc. are not considered.
Performance improvements:
Incident updates are faster, which in turn improves DB Servicer CPU utilization.
Roles and administrators:
Custom users with permissions for View and Close incident can now add comments and close the incident.
Export Grid:
Exported CSV files now contain translated Error codes in the Description.
Application Control
Vulnerability logic now uses new technology to assess applications. See:
September 2020
Feature Area
What's New
"Whitelist" and "Blacklist" are renamed to Allow List and Deny List for new policies and tasks.
Single events view combines Security and Other events
  • Added support for following Apps and Events categories into Investigator -> Security events.
  • Deprecated legacy “Other events” tabs. 
  • Updated Investigate KPI, timeline chart and Group by options to support new event types.
  • Added new Quick filter categories to support new event types for Application Activity and Audit events.
Device details page now supports full dump action for a device.
  • The option is disabled when multiple devices are selected.
Live Shell
  • Live Shell command is now available from the Device details page.
Performance improvements made to the incident update workflow.
The Antimalware policy now includes an option to tune scan performance, similar to scan tuning options in SEPM.
An administrator can choose one of the following options:
  • Best Scan Performance
  • Balanced Performance
  • Best Application Performance (default)
Application Control
The Application Control Configurator now includes a step to allow applications by publishers. The feature lets the administrator allow trusted certificates. All applications and files that are signed by the specified publisher are allowed to run.
August 2020
  • Symantec Endpoint Security Enterprise is now SOC 2 Type 2 certified.
  • Symantec Endpoint Security Complete is now included in the Seat Count Usage Status widget on the Endpoint Security dashboard.
  • Report templates no longer automatically include the first administrator as an email recipient. The administrator must explicitly add recipients by modifying the report template.
  • The Security Headlines tab on the
    page now shows the daily Threat Landscape Bulletin.
Intrusion Prevention
  • IPS now also uses URL reputation. The policy option Enable URL reputation is on by default.
  • URL reputation filtering detects web threats based on the reputation score of a web page. Reputation scores range from -10 (bad) to +10 (good). Web pages with reputation scores below a specific threshold are considered threats and blocked.
For more information, see:
  • Customize Columns and Toggle column (expanded row) selections now persist between sessions. This behavior applies to the Investigate, Command details, Incident details, Sandbox result
  • On the command details page, the schema (columns) of EOC and FDR events can be saved as two different sets of data.
  • The Time fields on the events page are now filterable. For example, you can filter within the Time field by adding a date range.
  • You can now filter the
    field from the Product section of the Event fly-out panel.
Save Search Queries:
  • The save search query feature now also saves the column selection as part of the query definition.
  • Open search shows those selected columns for the specific search.
  • In Open search, if a user updates the column selection and updates the saved search query, the updated columns are also saved.
AAT incidents:
  • Collect ACM events from the event store related to an AAT incident
  • These are events with = 'ACM.' or 'SONAR.ACM' and track as AAT incidents for 8 hours from trigger time
TAA incidents:
  • Collect ACM events from event store related to a TAA incident
  • These are ACM events that are MITRE enriched
We have changed the default setting for the multi-event incident rules and turned it off for all customers. Customers have the ability to enable this on their own.
Live Shell:
  • Usability improvements in Live Shell (LS): LS now shows the appropriate error message "Unable to process your request. Please try later."
  • Live Shell is now disabled for agent versions earlier than 14.3.
  • Functional defect fixes
Endpoint Search Usability Enhancements:
New fields are now visible for the following event types. This enables users to fine-tune their searches.
  • 8083: File Query Event : File attributes
  • 8084: Directory Query Event : Directory related attributes
  • 8085: Registry Key Query Event : only one param: Registry Key Path
  • 8086: Registry Value Query Event : Registry Value attributes
  • 8081: Process Query Event: Process related attributes
  • 8090: Service Query Event : Service related attributes
  • The maximum file size for submission to the Cynic server is capped at 20 MB.
    Any sandbox submission request that requires submitting a file larger than 20 MB to Cynic fails with the error "File size limit has exceeded".
  • SESC now supports large Sandbox responses, that is, greater than 5 MB. This was a limitation until 2020.07.
  • Sandbox event counter appears in hyperlink. On selecting the counter, sandbox results page opens with filtered events.
July 2020
Policy targeting (location awareness)
Policy target rules now support all conditions that are supported on SEPM. New conditions added for this refresh are as follows:
  • DNS lookup
  • ICMP ping request
  • Gateway address
  • WINS server address
  • Cloud connection
  • Trusted platform module (any/IBM/HP)
  • DNS server address
  • Wireless SSID
  • NIC description
  • DHCP connection DNS suffix
  • Network connection type
For more information, see:
  • Symantec Endpoint Security Complete now appears as a single product on the Subscriptions page rather than separate subscriptions for SEP, Cloud Connect Defense, Endpoint Detection and Response, Application Isolation, Application Control, or Endpoint Threat Defense for Active Directory.
  • A Symantec Endpoint Security Complete license is always applied to the default group. If a customer account has both Symantec Endpoint Security Enterprise (SESE) and Symantec Endpoint Security Complete (SESC) licenses, then any device under the account is considered part of the SESC license if any SESC features are turned on.
  • Integrated Cyber Defense (ICD) event schema for API use is now published in the
  • SES getting started flow now includes advanced options for installation package configuration.
Application Control
The Application Control Configurator now lets you close the wizard during rule generation and return later to finish policy creation. You get notified when the rule generation completes. See:
Incident Management:
  • Incident enrichment is updated to include the latest MITRE content.
  • The time required to enable/disable all incident rules is reduced from 12 seconds to 3-4 seconds.
  • You can now toggle all Incident rules on and off.
  • You can now perform the following remediation actions from the Incident Actions bar, Incident Graph entity node, and Incident Entities:
    • Quarantine/Un-quarantine device
    • Blacklist/Whitelist file
    • Quarantine file
For more information, see:
  • You can now add exclusions for App Isolation events with type IDs 8040, 8031, 8032, 8027 (PPRC, PPST).
  • Multiple enhancements are added in the Investigator View.
    • The AND operator is now automatically inserted between multiple filters.
    • You can easily toggle operators between AND and OR (hover over the operator to show the toggle).
    • You can now negate any filter in a filter expression. Enumerated values now appear in drop-down menus for easy selection.
    • Multi-byte characters are now supported.
    • Multi-byte characters now appear when exporting results.
    • The "not equal to" (!=) operator can be used in the module normalized path field.
    • The left panel can be collapsed to provide space for additional columns in the results.
    • You can now quickly search the Quick Filters without having to expand each category.
  • Event details for endpoint search, EOC search, Full dump and Process dump results now appear in the fly-out panel.
  • Requests per endpoint for Endpoint search and FDR events is increased to a maximum of 500.
  • The Investigate page now loads in fewer than 5 seconds.
For more information, see:
June 2020
Behavioral Isolation
Edit Policy option for Behavioral Isolation events lets you edit the Behavioral Isolation policy that generated the event.
Application Isolation dashboard has improved performance.
Policy Targeting (location awareness)
Policy target rules now support the following condition types to improve customers' security posture:
  • Registry
  • DHCP server address
In addition, you can also now choose Host group as the address type for a Computer IP Address condition.
  • Endpoint Security dashboard now reflects correct seats for workstations, servers, and bridged endpoints.
  • Alerts rules page is now consistent with My Tasks and Playbooks.
  • Alert rules now show the condition to provide insights into the determining factors that generate alerts.
Application Control
  • New limits to the number of Application Control policy rules:
    • Application Control policies cannot contain more than 100K rules.
    • An Application Control policy that contains more than 30K rules cannot be targeted to device groups that use Application Isolation policies.
  • Improved performance in App Control Dashboard and KPIs.
Live Shell:
The Live Shell feature lets you run a PowerShell session on the endpoints in your network directly from the ICDM console. You can execute most PowerShell commands and scripts to aid the investigation of attacks and to extract forensic data.
  • The ability to omit bridged clients and clients that have FDR disabled from the selection browser for EDR commands.
  • Additional attributes for Mac FDR events in the fly-out panel.
  • Enhanced investigation support:
    • List/array and Serial fields are filterable.
    • Attributes with enumerated values show allowable values when constructing custom filters.
  • You can toggle between "AND" and "OR" operators when building filters.
  • Additional improvements include:
    • Performance enhancements.
    • Fewer page reloads when navigating the UI.
    • Command events and results are displayed when switching between command types.
Sandbox submissions:
  • Submit files to the sandbox directly from the File entity page.
  • Execute Get File and Quarantine File actions directly from the Discovered items page.
  • Search endpoints directly from a Process dump.
EDR Provisioning
  • A duplicate key exception is no longer generated when provisioning a customer that already has EDR rules enabled.
Incident management
  • Incident Handler performance is improved.
  • Fixes have been applied to various features.
May 2020
Behavioral Isolation
Behavioral Isolation policy lets you configure actions to take when trusted applications such as Microsoft Word or Adobe Reader perform suspicious behaviors. The policy provides the following benefits:
  • Identifies suspicious behaviors and maps the behaviors to the MITRE attack matrix, which offers additional insights and attack potential.
  • Provides easy management of suspicious behaviors with options to block, monitor (log), or ignore if the behaviors are legitimate.
  • Reduces the attack surface of your environment.
Policy Targeting (location awareness)
  • Policy targeting rules are now available to allow administrators to apply policies based on a set of conditions. This feature is similar to location awareness in SEPM. Policy targeting allows a different set of security policies to be applied when a client computer is connecting to the network.
  • If the conditions match, the client computer automatically applies the associated policies based on the rule that specifies the conditions. By default, two policy target rules are available:
    • Default rule with no conditions.
    • Quarantine rule that is automatically applied to any quarantined devices. Administrators can create additional rules.
  • Currently supported conditions are user and computer IP address (IPv4/IPv6, IP subnet mask, IP range).
Surface Attack
Reduce the attack surface in your environment using the Breach Assessment tool to assess and secure the Active Directory. See:
  • In My Tasks you can use filters.
    • The custom filter searches the tasks for a particular component, such as Endpoint Protection Response.
    • The quick filter lets you search on the severity, security feature, or the type of task, such as a management task or security task.
    • You can mark a task as done, or a task you can ignore. The
      tab displays which tasks are pending or completed.
    • The task filters appear on the
      My Tasks
  • You can now search for playbooks using
    Quick Filter
    on the
  • On the Managed Devices page, administrators can now filter devices based on Endpoint Detection and Response (EDR) feature status.
  • The
    tab was removed and the content moved to the
  • You can now sync devices from Azure Active Directory and view them on the
    • Imported devices appear under Devices > Unmanaged Devices
    • Imported groups appear under Devices > Device Groups
  • You can now download Symantec Agent installation packages for Windows Server and Linux.
  • You can set a custom dashboard as the default dashboard.
  • ICDm licensing changes:
    • You can apply a license once for any domain and the license applies to all domains for the entire account.
    • If a specific product was not enabled in a pre-existing domain, the product is not automatically enabled. You must still apply at least one license in the domain to enable the product.
  • Subscription updates
    • Server protection is now included with a Symantec Endpoint Security subscription.
    • Customers do not have to purchase separate licenses to protect Microsoft or Linux servers.
New functionality includes the following:
  • View and drill down the event splurge on the new
    Event Time Line
  • You can filter events based on 12 categories using the
    Group By
  • You can perform the following integrated remediation actions from
    • Get File
    • Quarantine File
    • Submit to Sandbox
  • View the Security Events in the new workspace of the Investigate menu.
  • Use new Quick Filters such as App Isolation, App Control, or Sandbox Detections to search for suspicious events.
  • Perform Full Dump to search for all the events on an endpoint.
  • Perform Evidence of Compromise search for events on the endpoints.
  • Quickly view the events based on the new Dashboard MITRE tactics and MITRE ATT&CK Technique widgets and KPIs to view the endpoints on which Endpoint Activity Recorder is enabled or disabled.
  • Mac support improves visibility across all endpoints:
    • Endpoint Activity recorder policy now supports macOS
    • Investigator view shows all security events and FDR events from macOS
    • Incidents now support macOS
April 2020
  • On the Device Details page, you can now review the status of protection features and the versions of protection features and content.
  • The cloud console sign in now uses Okta authentication instead of Norton Secure Login. Two-factor authentication is now required by default and cannot be turned off.
  • A new notification banner shows expiring licenses.
  • Digital hub customers now see correct information on the
  • Integration with Content Analysis (CASMA) is no longer supported. In late May, cloud-based sandbox analysis will replace CASMA.
  • Introduced My Tasks to execute preconfigured workflows on-demand on multiple devices in your environment. See:
  • You can view more details of different tasks that are generated in the My Tasks tab. View details such as the status, security control and the alert that triggered a task.
  • Enhanced alert rule with options to configure alert notifications and threshold as needed.
Coming soon
A Behavioral Application Isolation policy will soon be available in the console. The policy specifies whether to allow or block potentially risky behavior that is exhibited by a set of trusted applications.
March 2020
  • Super Administrators can now add the following Command privileges to custom roles:
    • Run LiveUpdate
    • Quick Scan and Full Scan
    • Quarantine/Unquarantine
    • Reboot
    • Lock and rollback engine
  • SEP Mobile is now accessible from the main navigation of the
February 2020
  • New Security Headlines tab on the Home page features links to insights and tweets from security experts.
  • Administrators now receive email notifications about the new agent version releases.
Vulnerability Remediation
  • Remediation of vulnerabilities is now supported for the following additional products:
    • Google Chrome
    • Mozilla Firefox
    • Mozilla Firefox ESR
    • Mozilla Thunderbird
    • Adobe Flash
Endpoint Detection and Response (EDR)
  • FDR Search
    FDR Search facilitates querying event data directly from the endpoints in your environment.
    • You can carry out FDR Search from the
    • The Search Details page now shows FDR searches and event details.
    • Search limits are set as follows:
      • You can run only 100 searches for a customer in a domain.
      • You can run an FDR search for only 10 Endpoints or Devices.
      • The maximum number of events for an endpoint is currently limited to 500.
        If the event count exceeds 500, refine the search query to get the required set of events.
    For more information, see:
  • Shared Queries
    • You can now label the existing saved queries as shared. The shared query names should be unique in a domain.
    • A user with access to the
      tab can use shared queries from the
      Shared Queries
      tab of the
      Save Query
    • Only Super administrators and Domain administrators can edit or delete shared queries.
    For more information, see:
  • Dashboard
    • Added the
      Incidents by Detection Type and Severity
      widget to the Dashboard. See:
  • Other
    • Close Incident and Comment Incident are now separate privileges.
January 2020
The Symantec Agent notification service URL has changed to:
  • (use if you have agents in Europe)
  • (Continue to allow until further notice)
You must allow these URLs if you use proxies in your environment. See:
The Launchpad domain is no longer created for new customers. Launchpad is a special domain for pre-release features. For existing customers, Launchpad is now hidden. Customers who had enrolled a Symantec Endpoint Protection Manager or enabled a paid license for Application Control or Application Isolation in Launchpad can recover the domain by contacting Support.
The following are new ICDm features:
  • You can rename domains. See:
  • You can delete multiple policies at the same time.
  • You can export device group data from the tree view.
EDR dashboard
You can now monitor the current status of the incidents and the number of affected endpoints on the Endpoint Detection and Response (EDR) dashboard. You can view the following:
  • Total number of open incidents and their priority (High, Medium, Low).
  • Total number of closed incidents and their priority (High, Medium, Low).
  • Top 5 Incidents by Priority and Affected Endpoints.
For more information, see:
Role-based access to EDR actions.
You can now perform the following actions with the Security Analyst role:
  • Run Process Dump
  • Full dump
  • Incidents Comment and Close
For more information, see:
Investigation enhancements
  • You can now run the following commands:
    • Send to VT/Query VT
    • Scan an endpoint
  • You can now add or remove columns from the event details view.
  • You can now export events (up to 10000 events) to a .csv file.
  • You can now search for Incidents based on the Incident Comments.
Performance Improvements
  • Improved timing to show search results by optimizing the TAA events query.
  • Added batch support while publishing a TAA incident.
  • Improved matching heuristics for TAA event search using actor.uid and process.uid.
File Entities Discovery
  • Data Center Security (DCS) is installed on the default group. This lets you view files and the installed apps of the managed endpoints in the ICDm console.
Fixed Issues
  • Fixed the incident rules that were creating noisy results.
December 2019
  • Mobile Device Management (MDM): You can now manually start or schedule automatic device synchronization. You can see scheduled sync interval, last sync status and next sync time.
  • The
    tab and
    Policies Groups
    tab no longer include the
    Policy Status
    column or the
    Publish Policy
    Make Draft
  • You can delete and search for domains. The limit on the number of domains you can create increased from 10 to 50.
FDR Actions:
  • Process Dump:
    • On the
      details page, you can now submit an FDR process dump to fetch the events related to a particular process, and add them to the events store.
    • You can now monitor the execution of Process dump commands.
    • You can cancel Process dump commands.
    • You can now search process dump results using Lucene queries.
    • The ability to export Process dump results has been added.
  • You can now trigger Quarantine, Un-quarantine, Quick Scan, Full Scan, and Process Dump actions directly from the Investigation view.
Incident Visualization:
  • High Risk nodes are color-coded red in the incident graph.
  • Incident responders can now see malicious files on chosen endpoints.
  • Incident responders can now see the endpoints related to a chosen file.
Investigation Enhancements:
  • You are now able to search Investigate results with file reputation ranges "Good\Bad\Unknown."
  • You are now able to perform token-based search for text fields from the Investigate menu.
  • Enforce maximum number of events for an EDR incident.
  • Double-byte support for incidents.
  • Enforcing JVM heap memory settings for micro services.
November 2019
Endpoint Detection and Response enhancements
Investigate Search - Event results grid enhancements
  • You want to quickly narrow search results to those that either match a specific field value, or exclude results that don't match a specific field.
    This release adds the ability to easily filter for a value, or filter out a value. When you expand a row on the results grid, hover over an event field to display a
    icon and a
    icon. Click the
    icon to filter for a value; click the
    icon to filter out a value.
  • You want to see at a glance which fields have null or empty values.
    Fields with null or empty values are now displayed with a long dash (—).
  • You want to see all dates in the fields as your local dates.
    Dates for all fields now show the local date.
  • Expanded event rows no longer show duplicate values.
Investigate Search - Filter
  • You want to be able to use special characters such as [ ] " . ! { } ~ ( ) \ : and ^ in a free-form search.
    With this release, you can now perform a word search (surround the word in double quotes) for words that contain special characters.
  • Boolean values are no longer case-sensitive.
  • You can now specify a Windows file path within a Regex query.
Incidents Page
  • You want to see the non-HTTP network events for IPS Incidents in the Incident Graph.
    The Incident Graph now shows IPS incident > non-HTTP network events.
  • The Incident
    value is now updated during Incident Update.
  • The AVE Incident Rule now excludes blocked events.
  • Only relevant incidents are now created by App Isolation block events on CDM.
  • Null incidents no longer appear for firewall block events on CDM.
Symantec Endpoint Security
  • Pre-installation checks are now implemented for Symantec Agent.
    Availability of R3 URL and SPOC URL is checked before Symantec Agent installation and if these URLs are not available, the installation will fail with a proper error.
  • Vulnerability Remediation enhancements
    • Added ability to activate or deactivate remediation for multiple vulnerabilities at once.
    • Added ability to activate the remediation for a vulnerability that does not have the remediation available. If the remediation for such vulnerability is activated, the fix will be deployed as soon as it becomes available.
    • The Other Events tab shows audit events for activate and deactivate actions. You can view information about the person who has performed these actions and the time when the action has occurred.
    • The
      Activate Remediation
      shows the number of affected devices and the number of vulnerabilities that will be fixed.
    • While viewing the details of a vulnerability, the list of other vulnerabilities is also shown on the left. You can easily select and view the details of other vulnerabilities.
    • Multiple UI improvements.
  • Application Isolation and Application Control enhancements and fixes
    • Updated operating system rules to improve policy performance.
    • Symantec rules now take precedence.
    • Multiple minor policy improvements.
October 2019
Symantec Endpoint Security
The Symantec Endpoint Protection 15 product name changed to Symantec Endpoint Security. You can purchase a subscription for any of the following solutions:
  • Symantec Endpoint Security
    Core protection; Secure Connection (was Cloud Connect Defense); Mobile Security.
  • Symantec Endpoint Security Complete
    Core protection; Secure Connection; Mobile Security; Application Control and Application Isolation; EDR; Threat Defense for Active Directory, and Vulnerability Remediation (requires a separate license).
Endpoint Security
core protection features, Secure Connection, Application Control, Application Isolation, EDR, and Vulnerability Remediation appear on the
tab and the
tab. Other features appear on additional tabs that appear when you activate a trial or paid subscription.
  • The Cloud Connect Defense (CCD) product is now a selectable feature in the Symantec Endpoint Security and Symantec Endpoint Security Complete solutions. Cloud Connect Defense is renamed to "Rogue Wireless Network Protection, Network Integrity, and Smart VPN." The CCD client is renamed as the Symantec Agent.
Enhancements of the Symantec Agent Installation Package page include:
  • Ability to select the Secure Connection features to be installed as part of the Symantec Agent. Installation of Secure Connection features is possible with all deployment methods (i.e., installation package, email invite, push enroll).
  • Enrolling devices from the Installation Package page is now available for Windows 10 S Mode, iOS, and Android devices.
On the Managed Devices and Device Groups pages, you can:
  • Sort by all but the following fields: IPv4 address, MAC address, status reason, VM vendor and Alert.
  • Search in all but the following fields: IPv4 address, Last Updated, VM vendor and Alert.
  • Search for devices installed in virtual or physical environments.
  • Select multiple devices and enable commands on them. For example, you can quarantine or delete multiple devices, or move them to another group.
  • View the connection status and status reason for devices connected to Symantec Endpoint Protection Manager.
  • On the Unmanaged Devices page, you can now export discovered devices to a CSV file. Exporting up to 50K devices is supported.
  • You can enable or disable Mobile Device Management (MDM). Note that when you disable Mobile Device Management, all saved MDM provider settings are deleted.
Enhancements of the
  • If a vulnerability is associated with multiple applications that have different CVSS scores, the CVSS Score column displays the highest score.
  • Reporting vulnerabilities for the products that have no version specified.
  • The numbers of Key Performance Indicators (KPI) are updated every time you change the filter.
    column is added to the vulnerabilities grid.
  • Vulnerabilities for more versions of Mozilla products are reported (Firefox: 49.0 and later, Firefox ESR: 45.4.0 and later, Thunderbird: 45.1.0 and later).
  • Vulnerabilities by Severity report is now available. The report shows the vulnerabilities count by severity and details of each vulnerability.
  • Redesigned the welcome page to improve overall customer experience.
  • The Events page now includes the following enhancements:
    • Improved searching and filtering in events workspace.
    • Drill-down support from other work spaces to events workspace.
    • "Group by" support for additional attributes.
  • You can select the Cloud Connect Defense (CCD) product as a feature in the Symantec Endpoint Security and Symantec Endpoint Security Complete solutions. Cloud Connect Defense is renamed to "Rogue WiFi network protection, network integrity, and smart VPN." The CCD client is renamed as the Symantec Agent.
  • You can now select multiple devices and enable commands on them on the Managed Devices and Device Groups tabs. For example, you can quarantine or delete multiple devices, or move them to another group.
  • Customers now have a single view of endpoint activity recorder, Advanced Attack Technique events, and SEP events.
  • New and improved search tools provide unified, advanced search across all events. Search tools include:
    • Time-based filtering on relative ranges (e.g., "Last Week") and absolute ranges (start-end dates and times).
    • Pre-defined "quick filters" that filter for key items like MITRE tactics, detection technology, dual-use tools and many more.
    • User-specified custom filters built from any event data fields.
    • Ad-hoc, text-based filter creation using industry-standard Lucene Parser Syntax.
    • The ability to save queries.
  • A new
    tab under
    Alerts and Events
    in the left navigation bar. The tab provides a list of all incidents that a security analyst should investigate further along with a description that explains the detection, the priority, and the number of impacted endpoints. Incidents are generated based on SEP, TAA, AAT and FDR events.
  • Detailed views of individual incidents, events, and involved entities (endpoints, files, domains, etc.).
  • Graphical representation of incidents that show the relationships between the elements of the incident.
  • The ability to comment on incidents by multiple investigators, and to close the commenting upon incident resolution.
  • Policy-based endpoint data recording configuration that includes:
    • Ability to assign the policy to specific device groups.
    • Scheduling when data is sent to EDR.
    • The types of data sent to EDR.
  • Streamlined EDR provisioning and on-boarding using the same device groups you've created for other endpoint security solutions.
August 2019
  • Symantec Endpoint Security-enabled devices that have been offline for more than 30 days are automatically deleted from the cloud. This allows you to enable licenses on more devices.
  • A Device type filter lets you sort devices that are either workstations or servers on the Devices page.
July 2019
  • The Endpoint Security Dashboard separates out the devices as workstations or servers.
  • A Device type filter lets you sort devices that are either workstations or servers on the Devices page.
  • The Application Control Configurator now gives you the option to save your work and resume at a later time.
  • The Application Control policy now shows rules grouped by application or file used to create each rule.
  • Symantec-signed applications and files are included by default in the Allow list and cannot be moved to the Block list.
  • Windows Deployment Image Servicing and Management (DISM.exe) is allowed to run out of temp folders in the default configuration of the platform policy.
Late June 2019
  • Significantly enhanced the Device Integrity Computer Status report with the following additional columns to support compliance reporting:
    • Antimalware content information, including the version number and time the virus definitions were last updated.
    • Scan-related information, including the most recent scan time and virus detections.
    • Device-related information, such as the operating system, version number, and IP address of the device.
    • Management-related fields, such as sign-on user name and the time the device was enrolled.
  • Added support for MD5 hashes in the Blacklist policy, so that you can import hashes from other security products that do not support SHA-256. See: Managing denied items and allowed items from the central list
  • A
    Policy Components
    tab was added to the
    page as a central location for shared policy components. The
    Host Groups
    Manage External Devices
    pages moved from the
    page to the
    page >
    Policy Components
    tab. See:
  • You can unlock certain policies so that client users can override the policy’s settings on the device.
  • The Alerts and Events page shows Tamper Protection events for 14.2 RU1 MP1 and later clients. You can filter Tamper Protection events and export them in the CSV format.
  • The Device Integrity security control displays a Key Performance Indicator that shows which devices are not getting new content and which devices have a LiveUpdate failure. See:
  • The Block UPnP Discovery firewall rule is configured to not log events to minimize the number of events that the client sends to the cloud.
  • The client upgrade settings in the default System policy use the
    Latest Release
    option for the Testpad and production domains and the
    option for the Launchpad domain. See:
June 2019
  • You can specify the language for the installation package for Symantec Endpoint Security. For the direct installation package or for push install, automatic detection of the target device's language is enabled by default. See:
  • Package names for the redistributable installation package now refer to the product-independent Symantec Agent.
  • You can generate on-demand or schedule Computer Status Data reports and Device Integrity Comprehensive reports for client count by group and the client version, which include cloud-managed and on-premises clients.
  • Use a new signature subset for servers to provide a protection profile that is optimized for servers. In addition, Symantec Endpoint Security introduces a new operational mode option for Intrusion Prevention: Out-of-band scanning. This mode changes the processing model for networking traffic. See:
  • Importing policies from Symantec Endpoint Protection Manager 14.2 RU1 now provides additional information on the summary screen: policy type, Symantec Endpoint Protection Manager name, domain name, and site name. The same information appears during pre-import, along with the time the policy was last updated. See:
May 2019
  • A new policy Import Wizard is available to migrate policies from on-premises into the cloud. Upload your Symantec Endpoint Protection Manager policies and the wizard converts them into the appropriate cloud policies. The wizard is located at the end of the Endpoint Security Quick Setup and as a new task under My Tasks. See:
  • The Intrusion Prevention policy includes a new signature subset for servers to provide a protection profile that is optimized for servers. In addition, Endpoint Security introduces a new operational mode option for Intrusion Prevention: Out-of-band scanning. This mode changes the processing model for networking traffic. Symantec recommends that you test out-of-band scanning before you deploy it to your production environment, as performance characteristics vary depending on the workload. See:
  • In the Firewall policy, you can create a prepopulated list of hosts that you can access from any firewall rule in any firewall policy. Use the new 'Add from Host Group' option to include the hosts in this group. See:
  • In the Firewall policy, you can identify an application based on the application's size or with an MD5 or an SHA-256 hashing algorithm.
  • A new Quarantine Device command removes most network access from a device. The device can continue to communicate with the cloud and receive content updates for remediation, but users cannot access network resources. Administrators use the command when a device is compromised to prevent the spread of malware. Administrators can un-quarantine the device after remediation or when the device is no longer deemed to be a threat.
  • Added a new filter for Tamper Protection security events in the Event view.