Adaptive Protection policy settings

An Adaptive Protection policy specifies what action to take to address certain behaviors that are associated with a particular trusted application in your environment.
For example, you might want to apply a policy to specific device groups that exhibit a behavior, and apply a different policy to the other device groups that do not exhibit the behavior. In the policy that is applied to the groups that do not exhibit the behavior, you can set the application behavior to deny without impacting any business operation. In the policy that is targeted to the device group that shows the behavior, you can set the application behavior to monitor (allow).
The Adaptive Protection policy is supported on SEPM-managed 14.3 RU1 devices. SEPM-managed devices that run an older agent ignore the policy.
The default policy is automatically applied to your root groups that are entitled to Symantec Endpoint Security Complete.
  • This includes the Default group and any Azure Active Directory root groups.
  • For enrolled Symantec Endpoint Protection Manager devices, a new policy is created and applied to the My Company group.
  • The default policy gets applied only if no previous Adaptive Protection policy is applied to these groups.
In the policy application behavior list, you can search on an application name, behavior name, or MITRE technique.
The policy includes the following options:
  • Quick-Tune
    Use this option to quickly block all zero prevalence items in the list. See:
  • Show policy on heatmap
    Opens the Adaptive Protection - Behavioral Insights and Policy Tuning heat map for this policy. See:
  • Behavior Activity Prevalence and Policy Settings
    Filters the application behavior list by a combination of the behavior prevalence and the action set in this policy for the application behavior pair.
  • More Filters
    Filters the application behavior list by Symantec recommendations or blocked behavior.
  • Group by
    Groups the application behavior list by application or behavior.
  • Global option to Allow, Monitor, or Deny
    These global actions take effect on the items shown in the filtered list. If you have not filtered the list, the action applies to all application behaviors. A warning appears before the global action is applied.
For each item in the application behavior list, you can view the following:
  • Behavior
    A description of the application performing the behavior, such as Acrobat launching cmd.exe.
  • MITRE Technique
    Shows a link to the MITRE ATT&CK technique that describes and defines the behavior. The MITRE ATT&CK database is an industry-wide standard for describing suspicious behaviors.
  • Action
    By default, all application behaviors are set to Monitor. Select any action to change the setting.
    The policy action applies to any behavior activity that matches the application behavior pair unless there is a matching adaptation. Adaptations are exclusions to the general policy action. You can see any adaptation in the Adaptive Protection heat map.
  • Prevalence
    Shows the prevalence of the application behavior on the devices to which this policy is applied. Typically, zero prevalence means that you can set this application behavior to Deny. You can get an overview of all the behavior prevalence by policy with the Adaptive Protection - Behavioral Insights and Policy Tuning heat map on the Adaptive Protection dashboard.
You cannot apply an Adaptive Protection policy to a device group that uses an Application Isolation policy.
You get alerts in the cloud console on the Alerts page, and a message in the policy, when a new or updated behavior signature is available in the policy. A new application with a list of behaviors might also be added to the policy periodically through LiveUpdate.
  • By default, application behaviors are set to Monitor.
  • Check the log events to determine whether or not to set a new application behavior to Deny. If you choose Deny, the application behavior is blocked and logged.
  • Use Allow to stop logging events for behaviors that you trust.
More information