How do I configure SEP client features and policies for ATP 3.x or SEDR 4.x to be fully functional?



Article ID: 173094




Endpoint Detection and Response Advanced Threat Protection Platform


While reviewing your SEP/SEDR integration, or integrating for the first time, you want to know which features in SEP are needed for the SEDR appliance to get the correct threat data to generate Incidents, perform ECC 2.0 functions, and blacklist files as expected.


You may want to minimize the load on the client by disabling some SEP features. Before you decide which functions to disable, you need to know which SEP technologies ATP or SEDR relies on for advanced detection.


The SEDR software requires the following SEP client features and functions to be enabled:

Firewall, which must be enabled for endpoint isolation to function:

About the Symantec Endpoint Protection firewall

ATP Host Integrity and Quarantine Firewall policies are auto-applied when EDR 2.0 is enabled.

IPS for alerting "System Infected", "Multiple Attacks" as well as "Memory Exploits":

Enabling network intrusion prevention or browser intrusion prevention

Configuring client notifications for intrusion prevention and Memory Exploit Mitigation

Application and Device Control - System Lockdown:

Interaction between system lockdown and ATP: Endpoint blacklist rules


Additional recommended settings for improving the detection of targeted and new threats:

ATP/SEDR appliance settings:

Automatically submitting suspicious files for virtual sandbox analysis

Enabling the Targeted Attack Analytics

SEP clients need telemetry submissions enabled for the Targeted Attack Analytics and Advanced Attack Techniques features to work:

Submitting Symantec Endpoint Protection telemetry to improve your security

SEP policy configuration:

Recommended security settings for Endpoint Protection

Adjusting scans to increase protection on your client computers

The SEP client installation type should be Standard client so that it uses cloud-based definitions:

How to choose a client installation type

How Windows clients receive definitions from the cloud

How does Symantec Endpoint Protection use advanced machine learning?

How does the emulator in Symantec Endpoint Protection detect and clean malware?

SEP Application Control:

Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security

Preventing PowerShell from running via Office

What You Can Do About PowerShell Threats