Symantec Endpoint Protection 14.0 RU1 and later ship with Endpoint Detection and Response (EDR) 2.0. Earlier versions of Symantec Endpoint Protection use EDR 1.0. With EDR 1.0, communication between Symantec Advanced Threat Protection (ATP) and the endpoints relies on the heartbeat between Symantec Endpoint Protection Manager and the Symantec Endpoint Protection endpoints. EDR 2.0 refers to the enhanced EDR features that provide direct communication between ATP and Symantec Endpoint Protection endpoints for enhanced searching and management. EDR 2.0 also includes the verbose forensic activity information that the endpoint data recorder provides.
The following tasks can now be performed in near real-time using EDR 2.0:
Copy to File Store | Download from File Store
ATP can get PE files from a Symantec Endpoint Protection endpoint. ATP can even get any PE files that are in the endpoint's Symantec Endpoint Protection quarantine.
¹ You must enable the endpoint data recorder feature to perform data recorder searches and data dumps, and to receive near-live responses from endpoints.
To use EDR 2.0, your appliance must have at least 1TB of available hard disk space.
When ATP issues commands to endpoints that are offline, it periodically rechecks the status of the endpoint to determine whether it has come back online. Once the endpoint is online, ATP issues the command. If a search or action is incomplete, queued, canceled, or timed out, check the LAST SEEN TIME field on the endpoint details page. This value is the date and time of the last contact with the endpoint.