Adaptive Protection policy settings
An Adaptive Protection policy specifies what action to take to address certain behaviors that are associated with a particular trusted application in your environment.
For example, you might want to apply one policy to the device groups that exhibit a behavior, and a different policy to the device groups that do not exhibit it. In the policy that is applied to the groups that do not exhibit the behavior, you can set the application behavior to Deny without impacting any business operation. In the policy that targets the device group that does show the behavior, you can set the application behavior to Monitor (the behavior is allowed but logged).
The Adaptive Protection policy is supported on SEPM-managed devices that run the 14.3 RU1 agent. SEPM-managed devices that run an older agent ignore the policy.
The default policy is automatically applied to your root groups that are entitled to Symantec Endpoint Security Complete.
- This includes the Default group and any Azure Active Directory root groups.
- For enrolled Symantec Endpoint Protection Manager devices, a new policy is created and applied to the My Company group.
- The default policy gets applied only if no previous Adaptive Protection policy is applied to these groups.
In the policy application behavior list, you can search on an application name, behavior name, or MITRE technique.
The policy includes the following options:
- An option to quickly set every zero-prevalence item in the list to Deny.
- Show policy on heatmap. Shows the Adaptive Protection - Behavioral Insights and Policy Tuning heat map for this policy.
- Behavior Activity Prevalence and action filter. Filters the application behavior list by a combination of the behavior prevalence and the action set in this policy for the application behavior pair.
- Recommendation filter. Filters the application behavior list by Symantec recommendations or by blocked behavior.
- Group by. Groups the application behavior list by application or by behavior.
- Global options to set the action (Monitor, Deny, or Allow). These global actions take effect on the items shown in the filtered list. If you have not filtered the list, the action applies to all application behaviors. A warning appears before the global action is applied.
For each item in the application behavior list, you can view the following:
- Behavior: A description of the application performing the behavior, such as Acrobat launching cmd.exe.
- MITRE Technique: A link to the MITRE ATT&CK technique that describes and defines the behavior. The MITRE ATT&CK knowledge base is an industry-wide standard for describing adversary behaviors.
- Action: By default, all application behaviors are set to Monitor. Select any action to change the setting. The policy action applies to any behavior activity that matches the application behavior pair unless there is a matching adaptation. Adaptations are exclusions to the general policy action. You can see any adaptation in the Adaptive Protection heat map.
- Prevalence: The number of devices, among those to which this policy is applied, on which the application behavior has been observed. Typically, zero prevalence means that you can set this application behavior to Deny without affecting any device. You can get an overview of all the behavior prevalence by policy with the Adaptive Protection - Behavioral Insights and Policy Tuning heat map on the Adaptive Protection dashboard.
You cannot apply an Adaptive Protection policy to a device group that uses an Application Isolation policy.
You get alerts in the cloud console on the Alerts page, and a message in the policy, when a new behavior signature or an update to an existing behavior signature is available in the policy. A new application with a list of behaviors might also be added to the policy periodically through LiveUpdate.
- By default, new application behaviors are set to Monitor, so they are allowed and logged.
- Check the log events to determine whether or not to set a new application behavior to Deny. If you choose Deny, the application behavior is blocked and logged.
- Use Allow to stop logging events for behaviors that you trust.
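The tuning workflow above (check the logged behavior events, read prevalence as the number of distinct devices in the targeted group that exhibit each application behavior pair, and set Deny only where prevalence is zero, with a separate policy per device group) can be scripted against an export of the events. The following is an added example, not code from the Symantec documentation or product. The event layout, the device inventory, and the policy pair list are constructed stand-ins and are not the actual Symantec Endpoint Security event schema or API.

```python
"""Prevalence triage for Adaptive Protection application-behavior pairs (illustrative)."""
from collections import defaultdict

# Constructed sample events as (device_id, device_group, application, behavior).
# This layout is an illustrative stand-in, not the SES event schema.
SAMPLE_EVENTS = [
    ("ws-001", "Finance", "Acrobat", "launching cmd.exe"),
    ("ws-001", "Finance", "Acrobat", "launching cmd.exe"),   # repeat on the same device
    ("ws-002", "Finance", "Acrobat", "launching cmd.exe"),
    ("ws-099", "Finance", "Acrobat", "launching cmd.exe"),   # device not in the policy's groups
    ("eng-07", "Engineering", "WinWord", "launching powershell.exe"),
    ("eng-08", "Engineering", "WinWord", "launching powershell.exe"),
]

# Application behavior pairs listed in the policy (constructed).
POLICY_PAIRS = [
    ("Acrobat", "launching cmd.exe"),
    ("WinWord", "launching powershell.exe"),
    ("Excel", "launching mshta.exe"),
]

# Devices per group to which a policy is applied (constructed inventory).
DEVICE_GROUPS = {
    "Finance": {"ws-001", "ws-002", "ws-003"},
    "Engineering": {"eng-07", "eng-08", "eng-09"},
}


def prevalence_by_group(events, device_groups, policy_pairs):
    """Return {group: {pair: prevalence}} where prevalence is the number of
    distinct devices in that group that exhibited the pair.

    Events are counted per device, not per event: three events from one
    device are prevalence 1. Events from devices outside the group's
    inventory are ignored, because prevalence is measured only over the
    devices to which the policy is applied."""
    seen = defaultdict(set)  # (group, pair) -> set of device ids
    for device, group, app, behavior in events:
        if group in device_groups and device in device_groups[group]:
            seen[(group, (app, behavior))].add(device)
    return {
        group: {pair: len(seen[(group, pair)]) for pair in policy_pairs}
        for group in device_groups
    }


def recommend_action(prevalence, trusted=False):
    """Map a pair's prevalence to a policy action.

    Allow  - operator has declared the behavior trusted; events stop being logged.
    Deny   - nobody in the group exhibits it, so blocking costs nothing.
    Monitor- someone exhibits it; keep logging until it is understood."""
    if trusted:
        return "Allow"
    return "Deny" if prevalence == 0 else "Monitor"


def recommend_policies(events, device_groups, policy_pairs, trusted_pairs=frozenset()):
    """Return one recommended action table per device group, i.e. the
    per-group policies the documentation suggests, as {group: {pair: action}}."""
    recommendations = {}
    for group, counts in prevalence_by_group(events, device_groups, policy_pairs).items():
        recommendations[group] = {
            pair: recommend_action(n, trusted=pair in trusted_pairs)
            for pair, n in counts.items()
        }
    return recommendations


if __name__ == "__main__":
    prevalence = prevalence_by_group(SAMPLE_EVENTS, DEVICE_GROUPS, POLICY_PAIRS)
    for group, actions in recommend_policies(SAMPLE_EVENTS, DEVICE_GROUPS, POLICY_PAIRS).items():
        print(f"Policy for group {group}:")
        for (app, behavior), action in actions.items():
            print(f"  {app} {behavior}: prevalence={prevalence[group][(app, behavior)]} -> {action}")
```

With the constructed data, Finance keeps Acrobat launching cmd.exe on Monitor (two distinct devices exhibit it; the third event from ws-001 and the event from the unlisted ws-099 do not raise the count), while Engineering can set the same pair to Deny, and Excel launching mshta.exe is Deny in both groups. Re-run after the Monitor period and re-check the prevalence before moving any remaining pairs to Deny.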