Supported ATP incident response features by SEP version

Article ID: 162720

Products

Symantec Products

Issue/Introduction

Symantec Advanced Threat Protection (ATP) integrates with clients that run Symantec Endpoint Protection (SEP) version 12.1 RU6 MP3 or later with full EDR functionality. For clients that run a version between SEP 12.1 RU5 and 12.1 RU6 MP3, some incident response functionality is limited depending on the client version.

Resolution

The following table describes the incident response features that are supported for each SEP version.

| SEP Version      | Get File | Submit to Cynic | Delete File | Isolating endpoint (quarantine) | Blacklisting | Endpoint Searches¹ |
|------------------|----------|-----------------|-------------|----------------------------------|--------------|--------------------|
| SEP 12.1 RU6 MP3 | Yes      | Yes             | Yes         | Yes                              | Yes          | Yes. Wildcards are only supported for the filepath, filename, and registry tokens. |
| SEP 12.1 RU6     | Yes      | Yes             | Yes         | Yes                              | Yes          | Yes. Does not support file name searches or wildcards. |
| SEP 12.1 RU5     | No       | No              | No          | Yes                              | Yes          | Yes. Does not support file name searches or wildcards. |

¹ Because of the limited functionality of earlier versions of SEP, performing searches in a mixed environment may not produce the desired results. Symantec recommends that, as a best practice, you perform database searches first. Since ATP collects its information from the control point sensors, you are very likely to find the results that you are looking for. More importantly, database searches produce results quickly. If you want to perform endpoint searches, Symantec recommends that you create SEPM client groups based on the SEP version that those clients run. When you perform an endpoint search on such a SEPM group, you can better understand what results to expect.

See the Symantec Advanced Threat Protection Security Operations Guide or online Help for more information about performing endpoint searches and how to write successful search expressions.