When reviewing an existing SEP/SEDR integration, or setting one up for the first time, you need to know which SEP features the ATP or SEDR appliance depends on to receive the correct threat data, generate Incidents, perform ECC 2.0 functions, and blacklist files as expected.
You may want to reduce the load on the client by disabling some SEP features. Before you decide which functions to disable, you need to know which SEP technologies ATP or SEDR rely on for advanced detection.
The SEDR software requires the following SEP client features and functions to be enabled:
About the Symantec Endpoint Protection firewall
ATP Host Integrity and Quarantine Firewall policies are auto-applied when EDR 2.0 is enabled.
Enabling network intrusion prevention or browser intrusion prevention
Configuring client notifications for intrusion prevention and Memory Exploit Mitigation
Interaction between system lockdown and ATP: Endpoint blacklist rules
Automatically submitting suspicious files for virtual sandbox analysis
Enabling the Targeted Attack Analytics
Symantec Endpoint Protection Telemetry Submissions
Recommended security settings for Endpoint Protection
Adjusting scans to increase protection on your client computers
How to choose a client installation type
How Windows clients receive definitions from the cloud
How does Symantec Endpoint Protection use advanced machine learning?
How does the emulator in Symantec Endpoint Protection detect and clean malware?
Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
How to utilize SEP for Incident Response - Complete Index
Using SEPM Alerts and Reports to Combat a Malware Outbreak
Preventing PowerShell from running via Office
What You Can Do About PowerShell Threats