
Supported ATP incident response features by SEP version


Article ID: 162720




Symantec Products


Symantec Advanced Threat Protection (ATP) integrates with full EDR functionality with clients that run Symantec Endpoint Protection (SEP) version 12.1 RU6 MP3 or later. For clients that run a version between SEP 12.1 RU5 and 12.1 RU6 MP3, some functionality is limited depending on the client version.





The following table describes the incident response features that are supported for each SEP version.

SEP Version       Get File   Submit to Cynic   Delete File   Isolating endpoint (quarantine)   Blacklisting   Endpoint Searches¹
SEP 12.1 RU6 MP3  Yes        Yes               Yes           Yes                               Yes            Wildcards are only supported for the filepath, filename, and registry tokens.
SEP 12.1 RU6      Yes        Yes               Yes           Yes                               Yes            Does not support file name searches or wildcards.
SEP 12.1 RU5      No         No                No            Yes                               Yes            Does not support file name searches or wildcards.

¹ Because of the limited functionality of earlier versions of SEP, performing searches in a mixed environment may not produce the desired results. Symantec recommends that as a best practice, you perform database searches first. Since ATP collects its information from the control point sensors, you're very likely to find the results that you're looking for. More importantly, database searches produce results quickly. If you want to perform endpoint searches, Symantec recommends that you create SEPM client groups based on the SEP version that those clients run. When you perform an endpoint search on that SEPM group, you can better understand what results you can expect.

See the Symantec Advanced Threat Protection Security Operations Guide or online Help for more information about performing endpoint searches and how to write successful search expressions.