How do I configure SEP client features and policies for ATP 3.x or SEDR 4.x to be fully functional?

Article ID: 173094

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

While reviewing your SEP/SEDR integration, or integrating for the first time, you want to know which SEP features the SEDR appliance needs in order to receive the correct threat data to generate Incidents, perform ECC 2.0 functions, and blacklist files as expected.

Cause

You may want to minimize the load on the client by disabling some SEP features. Before you decide which functions to disable, you need to know which SEP technologies ATP or SEDR rely on for advanced detection.

Resolution

The SEDR software requires the following SEP client features and functions to be enabled:

Firewall enabled for endpoint isolation to function:

About the Symantec Endpoint Protection firewall
https://knowledge.broadcom.com/external/article?articleId=151481

ATP Host Integrity and Quarantine Firewall policies are auto-applied when EDR 2.0 is enabled.
https://knowledge.broadcom.com/external/article?articleId=170905

IPS for alerting "System Infected", "Multiple Attacks" as well as "Memory Exploits":

Enabling network intrusion prevention or browser intrusion prevention
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-intrusion-prevention-v36820771-d53e8657/enabling-network-intrusion-prevention-or-browser-i-v38557434-d53e10153.html
https://support.symantec.com/en_US/article.HOWTO80887.html

Configuring client notifications for intrusion prevention and Memory Exploit Mitigation
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-intrusion-prevention-v36820771-d53e8657/configuring-client-notifications-for-intrusion-pre-v37851222-d41e950.html

Application and Device Control - System Lock down:

Interaction between system lockdown and ATP: Endpoint blacklist rules
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/about-application-control-system-lockdown-and-devi-v36534292-d45e176/configuring-system-lockdown-v35628639-d45e1550/interaction-between-system-lockdown-and-blacklist-v110323249-d7e145.html
https://support.symantec.com/en_US/article.HOWTO111075.html

Additional recommended settings for improving the detection of targeted and new threats:

ATP/SEDR appliance settings:

Automatically submitting suspicious files for virtual sandbox analysis
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/Settings/automatically-submitting-suspicious-files-for-virt-v125635278-d38e31214.html

Enabling the Targeted Attack Analytics
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/Settings/enabling-the-targeted-attack-analytics-v126152861-d38e48931.html

SEP clients need telemetry submissions enabled for the Targeted Attack Analytics and Advanced Attack Techniques features to work (both features are driven by the data the clients submit):

Submitting Symantec Endpoint Protection telemetry to improve your security
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/telemetry-submissions-v118681007-d3870e480.html

SEP policy configuration:

Recommended security settings for Endpoint Protection:
https://knowledge.broadcom.com/external/article?articleId=155348

Adjusting scans to increase protection on your client computers:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/adjusting-scans-to-increase-protection-on-your-cli-v49387628-d49e687.html

The SEP client installation type should be Standard client so that it uses cloud-based definitions:

How to choose a client installation type
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/how-to-choose-a-client-installation-type-v116286636-d21e918.html

How Windows clients receive definitions from the cloud
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/how-windows-clients-receive-definitions-from-the-c-v116346465-d49e1721.html

How does Symantec Endpoint Protection use advanced machine learning?
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/how-does-use-advanced-machine-learning-v120625733-d47e275.html

How does the emulator in Symantec Endpoint Protection detect and clean malware?
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/how-does-the-emulator-in-symantec-endpoint-protect-v121004909-d47e230.html

SEP Application Control:

Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
https://knowledge.broadcom.com/external/article?articleId=152443

Preventing PowerShell from running via Office
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=efd47c7c-776a-4eea-97cf-c6b78516a241&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

What You Can Do About PowerShell Threats
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=04e5603e-7349-4b42-ab82-560730b8e95c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments