Symantec Endpoint Protection (SEP) 14.0 RU1 and later use Endpoint Communications Channel (ECC) 2.0. Earlier versions of SEP use ECC 1.0. With ECC 1.0, communication between Symantec Endpoint Detection and Response (Symantec EDR) and endpoints relies on the heartbeat between Symantec Endpoint Protection Manager (SEPM) and SEP endpoints. ECC 2.0 refers to the enhanced ECC features that provide direct communication between Symantec EDR and SEP endpoints for enhanced searching and management. ECC 2.0 also includes the verbose forensic activity information that the endpoint activity recorder provides.
The following tasks can now be performed in near real-time using ECC 2.0:
Copy to File Store / Download from File Store: Symantec EDR can get PE files from a SEP endpoint. Symantec EDR can even get any PE files that are in the endpoint's SEP quarantine.
To use ECC 2.0, your appliance must have at least 1 TB of available hard disk space.
When Symantec EDR issues a command to an endpoint that is offline, it periodically rechecks the status of the endpoint to determine whether it has come back online. When the endpoint has come online, Symantec EDR issues the command. If a search or action is incomplete, queued, canceled, or timed out, check LAST SEEN TIME on the endpoint details page. This time indicates the last date and time of contact with the endpoint.