Follow the below procedures provided by Symantec Support.

Ports and hostnames used by Messaging Gateway

TECH94152

Last Updated October 04, 2019

Situation

• Symantec Messaging Gateway (SMG) scanner, control center, or combination server cannot access LiveUpdate.
• SMG does not allow an update to the latest version.

Cause

The SMG server cannot route correctly to the update servers due to external firewall.
 

Solution

The following table illustrates the firewall ports and hostnames used by Symantec Messaging Gateway products:

For customers wishing to secure the outbound communications from their SMG hosts, use these hostnames to define the allowed endpoints.

If firewalls that require an IP address only are needed, and the SMG hosts only require HTTPS access, Symantec recommends using a web proxy to facilitate this communication and to use the access control policy within the web proxy to control the allowed destinations.

The hosts that are required for normal operation are below. These hostnames in turn resolve to a number of different IP addresses and may change at times in the future:

• register.brightmail.com
• swupdate.brightmail.com
• probes.brightmail.com
• aztec.brightmail.com
• liveupdate.symantec.com
• liveupdate.symantecliveupdate.com
• definitions.symantec.com
• securityresponse.symantec.com
• rules.ara.brightmail.com

Once you completed the above procedures, follow below recommendations.

1. Check and investigate from Sonicwall Firewall (In our case SMG download is blocked by Gateway Antivirus)
2. Allow SMG update server IP 152.195.132.120 from your Gateway Antivirus

Now you have working Symantec Messaging Gateway

In this Article I'm going to show you how to Publish a project in  Workflow.

There are a number of options you can use

• Publish Locally
• Publish to Managed
• Create Publishing Installer
• Create SMP Solution Pack

Publish Project

Create Publishing Installer

Create SMP Solution Pack

• To be added...

You may need to override settings to publish locally:

Server Extensions - IsManaged

Links

Publishing a Workflow Project (Part 1) Video
https://www.symantec.com/connect/videos/publishing-workflow-project-part-1-video

Publishing a Workflow Project (Part 2) Video
https://www.symantec.com/connect/videos/publishing-workflow-project-part-2-video

Publishing a Workflow Project (Part 3) Video
https://www.symantec.com/connect/videos/publishing-workflow-project-part-3-video

Publishing a Workflow Project (Part 4) Video
https://www.symantec.com/connect/videos/publishing-workflow-project-part-4-video

Vishaka Kulkarni (Symantec Employee)
https://www.symantec.com/connect/user/vishaka-kulkarni

Issues

Workflow SMP Environment Publishing Error After Workflow Upgrade to 8.1 Ru5
TECH251590
https://support.symantec.com/us/en/article.tech251590.html

We have seen quite a few cases come in, so I figured I would post publicly.

With the SEDR 4.3 update, we introduced the ability to add multiple AD Domains for AD login to the web interface of SEDR. Since this update, the NetBIOS field is now required so we can determine which AD server to query for the login. If you have the NetBIOS name set before the update, there will be no problem. The issue is that many customers did not provide this field since it is not mandatory.

More information and a screen shot can be found here:

Unable to log in with AD credentials after the update to SEDR 4.3

https://support.symantec.com/us/en/article.tech257045.html

A new mobile remote access trojan (RAT) for Android called Monokle, has been reported using novel techniques to exfiltrate data. Monokle uses a range of intrusive capabilities to conduct various types of cyberattacks. The trojan is distributed to targets via fake apps camouflaged as genuine apps such as Google Play, Skype, UC Browser, Pornhub, etc

So far Monokle is directed only against Android devices. The researchers found several references to a planned iOS version, including unused commands and data transfer objects in its source code. Typically, victims are infected when they download trojanized versions of what appear to be legitimate Android applications that otherwise operate as intended...

The attacker can use Monokle to steal the following information:

• It has the ability to self-sign trusted certificates to intercept encrypted SSL traffic and does not require any root access to exfiltrate data.
• A phone's lock screen activity can be used to obtain passwords to steal personal information as well as gain access to third party apps
• It uses predictive-text dictionaries of the user to gain access to the target's topic of interest.
• If the attacker gains access to the root of the target's phone, it can install additional attacker-specified certificates to the trusted certificates allowing man-in-the-middle (MITM) attacks against TLS traffic.
• The attacker will be able to gain access to the target's contacts, calendar information, record audio and calls, take screenshots, photos, videos, etc.
• The attacker can also retrieve emails, browsing histories, accounts, passwords, screen recording, etc.
• Other capabilities include keylogging, deleting arbitrary files, executing arbitrary codes, rebooting the device.

Countermeasures:

• Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from the reputed application market only.
• Install and maintain updated antivirus solution on android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
• Prior to downloading/installing apps on android devices (even from Google Play Store), Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
• Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
• In settings, do not enable the installation of apps from "Untrusted Sources".
• Exercise caution while visiting trusted/untrusted sites for clicking links.
• Install Android updates and patches as and when available from Android device vendors.
• Users are advised to use device encryption or encrypting external SD card feature available with most of the Android OS.
• Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
• Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
• Confirm that the banking app you’re using is the official, verified version.
• If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
• Use two-factor authentication if it’s available.
• Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.

It has been reported that a malware named “Clipsa” is spreading. The malware mainly spreads in the form of executable files masquerading as an installer for media players. The malware is capable of performing the following functions:

• Steals administrative credentials from unsecured WordPress sites.
• Mine and steal cryptocurrencies by replacing crypto addresses present in a clipboard via clipboard hijacking.
• Scans internet and launches brute-force attacks on Wordpress sites.
• This leads to the degradation of system performances due to excessive use of resources in cryptocurrency mining.
• May use the compromised websites as secondary command and control servers to host malicious files or upload stolen data.

Indicator of Compromise:

File system changes:

• C:\Users\user\AppData\Roaming\AudioDG\condlg.exe
• C:\Users\user\AppData\Roaming\AudioDG\zcondlg.exe
• C:\Users\user\AppData\Roaming\WinSys\coresys.exe
• C:\Users\user\AppData\Roaming\WinSys\xcoresys.exe
• C:\Users\user\AppData\Roaming\AudioDG\log.dat
• C:\Users\user\AppData\Roaming\AudioDG\obj\
• C:\Users\user\AppData\Roaming\AudioDG\udb\
• C:\Users\user\AppData\Local\Temp\xxxxxxxx.exe
• C:\Users\user\AppData\Roaming\Host\svchost.exe
• 65923_VTS.asx
• setup.bin

Command and control servers:

• poly.ufxtools[.]com
• industriatempo.com[.]br
• robertholeon[.]com
• deluxesingles[.]com
• naijafacemodel[.]com
• www.quanttum[.]trade
• www.blinov-house[.]ru
• ssgoldtravel[.]com
• www.greenbrands[.]ir
• new.datance[.]com
• besttipsfor[.]com
• chila[.]store
• globaleventscrc[.]com
• ionix.co[.]id
• mahmya[.]com
• mohanchandran[.]com
• mutolarahsap[.]com
• northkabbadi[.]com
• poly.ufxtools[.]com
• raiz[.]ec
• rhsgroup[.]ma
• robinhurtnamibia[.]com
• sloneczna10tka[.]pl
• stepinwatchcenter[.]se
• topfinsignals[.]com
• tripindiabycar[.]com
• videotroisquart[.]net
• wbbministries[.]org

File hashes:

• 2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
• FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
• A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
• B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
• F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42

Best Practices

• Monitor and block network traffic and systems making connections to the above-mentioned domain/IPs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
• Delete the file system and registry changes made by the malware.
• Disable the Autorun functionality in Windows
  http://support.microsoft.com/kb/967715
• Keep up-to-date patches and fixes on the operating system and application software.
• Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
• Consider encrypting the confidential data as the ransomware generally targets common file types.
• Exercise caution while visiting links to Web pages.
• Do not visit untrusted websites.
• Use strong passwords and also enable password policies.
• Enable firewall at desktop and gateway level.
• Protect yourself against social engineering attacks.

It has been reported that the malware named as Lilu/Lilocked having ransomware capabilities targeting Linux machines is spreading. The infection vector used by the ransomware is currently unknown. However, some of the functionalities of the malware are as follows:

• Target Linux servers and gain their root access.
• Locked files after encryption with “.lilocked” extension.
• Shows ransomware note to the victim and demands 0.03 bitcoin or $325 in the Electrum Wallet for the decryption key.
• It encrypts or targets only specific file types such as HTML, SHTML, JS, CSS, PHP, INI and other image file formats and does not encrypts or affect system files.

Files encrypted by the ransomware are shown below:

Ransomware note shown to the user is shown below:

Portal demanding ransomware from the victim is shown below:

Best Practices

• Users are advised to disable their RDP if not in use, if required it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
• Consider encrypting the confidential data as the ransomware generally targets common file types.
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Change default credentials at device startup and ensure that passwords meet the minimum complexity.
• Control access to the devices with Access List
• Configure devices to "lock" or log out and require a user to re-authenticate if left unattended
• Identify systems with default passwords and implement the abovementioned measures. Some the systems that need to examined are Routers, switches, web applications and administrative web interfaces, ICS systems, Telnet and SSH interfaces
• Implement account lockout policies to reduce the risk of brute-forcing attacks.
• Telnet and SSH should be disabled on the device if there is no requirement of remote management
• Configure VPN and SSH to access device if remote access is required.
• Configure certificate-based authentication for telnet client for remote management of devices
• Implement Egress and Ingress filtering at the router level.
• Report suspicious entries in Routers to your Internet Service Provider
• Keep up to date Antivirus on the computer system
• Unnecessary port and services should be stopped and closed.
• Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems

It has been reported that the variants of a worm named “phorpiex” is spreading. The worm mainly targets the Windows operating systems and spreads by means of removable devices and instant messaging software. The malware may also arrive on the system as a result of drive-by-download or files created by other malware. The malware is capable of performing the following functions:

• Allows backdoor access and control
• Creates hidden folders in removable drives containing a copy of malware and creates shortcut pointing to those hidden folders.
• Malware checks for messaging software in the computer such as AIM, Google Talk, ICQ, Paltalk, Windows Live Messenger, Xfire chat, if found, then worm sends a malicious link using these messenger automatically.
• Make network connections to the IRC server and receive commands from the remote server indicating malicious actions to be performed
• Change firewall settings to authorize itself to access the internet without any barrier.
• Act as a platform for sending phishing emails containing other malware such as GandCrab.
• Malware uses anti-analysis techniques and terminates itself if analysis tools are found running.

Indicators of Compromise:

File system changes:

• Malware upon spreading via removable drives makes a copy of itself in the following directory:
  • %USERPROFILE%\M-1-52-5782-8752-5245
  • C:\Users\$USERNAME\%TEMP%
  • C:\Windows
• File names used by the malware while copying it are:
  • windsrcn.exe
  • winmgr.exe
  • winsam.exe
  • winsam.exe
  • winsrvc.exe
  • winsvc.exe
• It creates “autorun.inf” file in the root directory of the targeted drive to spread itself via removable drives.

Registry Changes:

In subkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
With data: "%USERPROFILE%\M-1-52-5782-8752-5245\winsvc.exe"

Malware Hashes:

• c3727564b74452f0f7eae38ad8f13808
• f6b48dc6144f175c75c6c142ae8d3ffe
• b6fffc0fca2276a76ecec891039bdaa1
• 7ba150c8808edf187a1ccf8d0532d0732fff2bbe28f76d6e2f02f8196669dd06
• 0b4996c03b059d1a10349f715b6b21ad9926912faae834581f0c96b24ff1b33f
• 9f3f80167c5d39efb9e81507efec6d9bdc5e31323f9d6d89630374c7fe490f33
• ef1563a962d2d86ceb1dd09056f87fcab4c32e3ca6481c51950d3b6db49d1087
• 5bf79a111467a85abe57f1f3e92f2279b277cccae53ed28c584267717ba372f8
• 2035ef02a014f9ae2a21d39c98604ca4863d77c47dcc12d31bb9b7b2d3e5fc98
• 3df16261b28f30683dce6a66331452f4ddc1d3472fb194ff5b505270a8f64311

Network Communication:

• 185[.]189[.]58[.]222
• zfdiositdfgizdifzgif[.]ru
• uwgfusubwbusswf[.]ru
• auoegfiaefuageudn[.]ru
• 92[.]63[.]197[.]106 :5050
• 112[.]126[.]94[.]107 :5050
• 123[.]56[.]228v49 :5050
• 220[.]181[.]87[.]80 :5050
• 185[.]189[.]58[.]222 :5050

Countermeasures:

• Monitor and block network traffic and systems making connections to the above-mentioned domain/IPs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
• Delete the file system and registry changes made by the malware.
• Disable the Autorun functionality in Windows
  http://support.microsoft.com/kb/967715
• Keep up-to-date patches and fixes on the operating system and application software.
• Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
• Consider encrypting the confidential data as the ransomware generally targets common file types.
• Exercise caution while visiting links to Web pages.
• Do not visit untrusted websites.
• Use strong passwords and also enable password policies.
• Enable firewall at desktop and gateway level.
• Protect yourself against social engineering attacks.

‘Your files have been encrypted!’ These five words have the potential to instill alarm as the realization dawns that your system has fallen victim to ransomware. How it happened and what happens next, rather depends upon the precautions that may or may not have been taken beforehand. And as we will explore in this article, taking some basic steps in advance could help save a lot of problems later.

Ransomware

Ransomware is a type of malware that has become a significant threat to U.S. businesses and individuals during the past two years. Most of the current ransomware variants encrypt files on the infected system/network (crypto-ransomware), although a few variants are known to erase files or block access to the system using other methods (locker ransomware). Once access to the system is blocked, the ransomware demands a ransom in order to unlock the files, frequently $200 - $3,000 in bitcoins, though other currencies and gift cards are occasionally reported. Ransomware variants almost always opportunistically target victims, infecting an array of devices from computers to smartphones.

Infection Vectors

The majority of ransomware is propagated through user-initiated actions such as clicking on a malicious link in a spam e-mail or visiting a malicious or compromised website. In other instances, malware is disseminated through malvertising and drive-by downloads, which do not require user engagement for the infection to be successful.

While almost all ransomware infections are opportunistic, disseminated through indiscriminate infection vectors such as those discussed above, in a few very rare instances cyber threat actors specifically target a victim. This may occur after the actors realize that a sensitive entity has been infected or because of specific infection attempts. The Federal Bureau of Investigation (FBI) refers to these instances as extortion, rather than ransomware, as there is almost always a higher ransom amount that coincides with the strategic targeting. This was the case in spring 2016 when several hospitals infected with strategically targeted ransomware made the news.

Additional Capabilities

In the past year, ransomware variant features have expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. One variant deletes files regardless of whether or not a payment was made. Another variant includes the capability to lock cloud-based backups when systems continuously back up in real-time (a.k.a. during persistent synchronization). Other variants target smartphones and the Internet of Things (IoT) devices.

Although not as common, some variants claim to be from a law enforcement agency and that the user owes a “fee” or “fine” for conducting illegal activities, such as viewing pornography. In an effort to appear more legitimate these variants can use techniques to identify the victim’s rough geographic location in order to use the name of a specific law enforcement agency. No U.S. law enforcement agency will ever remotely lock or disable a computer and demand a fine to unlock it.

How to Mitigate the Risk of Ransomware Infections

These recommendations are not comprehensive but provide general best practices.

Securing Networks and Systems

• Have an incident response plan that includes what to do during a ransomware event.
• Backups are critical. Use a backup system that allows multiple iterations of the backups to be saved, in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure it is operational.
• Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs enabled to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
• Disable macros scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
• Keep all systems patched, including all hardware, including mobile devices, operating systems, software, and applications, including cloud locations and content management systems (CMS), patched and up-to-date. Use a centralized patch management system if possible. Implement application white-listing and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.
• Restrict Internet access. Use a proxy server for Internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.
• Apply the principles of least privilege and network segmentation. Categorize and separate data based on organizational value and where possible, implement virtual environments and the physical and logical separation of networks and data. Apply the principle of least privilege.
• Vet and monitor third parties that have remote access to the organization’s network and/or your connections to third parties, to ensure they are diligent with cybersecurity best practices.
• Participate in cybersecurity information-sharing programs and organizations, such as MS-ISAC and InfraGard.

Securing the End-User

• Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
• Remind users to close their browsers when not in use.
• Have a reporting plan that ensures staff knows where and how to report suspicious activity.

Responding to a Compromise/Attack

• Immediately disconnect the infected system from the network to prevent infection propagation.
• Determine the affected data as some sensitive data, such as electronically protected health information (ePHI) may require additional reporting and/or mitigation measures.
• Determine if a decryptor is available. Online resources such as No More Ransom! can help.
• Restore files from regularly maintained backups.
• Report the infection. It is highly recommended that SLTT government agencies report ransomware incidents to MS-ISAC. Other sectors and home users may report to infections to local Federal Bureau of Investigation (FBI) field offices or to the Internet Crime Complaint Center (IC3).

Hi all,

SEP v14.2.2.1 has been released and is available for download. This version is also known as v14.2 RU2 MP1

You can find the PDF of the Release Notes at https://support.symantec.com/us/en/article.doc11636.html

Check out the new addition to this release version, which are:

* The Integrations policy includes a new option, Allow direct traffic when WSS protection is not available. You use this option to give users access to the web if user authentication with the WSS cloud proxy (ProxySG) fails. This situation occurs if the administrator sets up WSS Traffic Redirection, but not the WSS roaming users.

* The Syslog logs for Splunk differentiate whether a scan is a full system scan, quick scan, a manual scan, or a scheduled scan. The logs also show the location information.

* Updated the REST API to include location IDs and location names.

* Support was added for email addresses and distribution lists with special characters.

* Upgraded multiple third-party components to newer versions.

And here's what has been fixed and component versions - https://support.symantec.com/us/en/article.info5618.html

Looks like a good update. For best result, make sure you update SEPM and then roll out the latest clients to all PCs/Macs/Linux.

For anyone who has to implement Microsoft's Extended Software Updates (ESU) for Windows 7 computers. 

The attached document is a set of instructions for you to create a Custom Inventory and SQL to report on which PCs within your inventory have used the ESU Activation key.

Hi Connect Community,

Connect will be migrating to Broadcom.com on March 2.  Before that happens, here are a few actions you should take by February 14 for a smooth transition:

Between today – February 14: Ensure that you have logged on to your Connect Accountin the last 24 months in order for your account information to be auto-transferred and auto-populated into the Broadcom Community.

Before February 14: If your current Rewards Points balance is at 100 points or more, you need to cash in your points. After this date, the points will become invalid for gift cards. Even if you have recently cashed in points – please check back before this date to ensure you’ve spent them all.

Important: Your lifetime “Rank and Reputation” points will transfer with your account and you will continue to accumulate these, based on participation.

Why do you need to do this by February 14?

February 15: Symantec.com/Connect becomes “Read Only” while we migrate user and forum information to the new website. You will still be able to search existing data for topics, solutions, and other information. If you have an issue you need help with during this transition time please call support or open a support case online.

What's New and What's Changed in Symantec Data Loss Prevention 15.x
DOC10601
https://support.symantec.com/us/en/article.doc10601.html

Enforce Server and platform features
Table 1-5 New and changed Enforce Server and platform features for Symantec Data Loss Prevention 15.7

New incident reporting APIs based on REST
Data Loss Prevention 15.7 makes available a set of public RESTful APIs for incident reporting.
You can use the REST APIs to integrate incident data with other applications to provide dynamic reporting, create a custom incident remediation process, or support business processes that rely on DLP incidents.
The new REST APIs replace the capabilities of the Incident Reporting and Update API, which was based on SOAP technology. REST APIs are generally better performing and easier to use that SOAP-based APIs. While the SOAP-based APIs for incident reporting are still supported, new integrations requiring custom incident reporting should leverage theREST-based APIs. The Incident Reporting and Update SOAP APIs are deprecated in Data Loss Prevention 15.7.
For more information about the incident reporting REST APIs, refer to the DLP 15.7 REST API documentation.

Symantec™ Data Loss Prevention 15.7
REST API Guide
https://apidocs.symantec.com/home/DLP15.7

SOAP-based Incident Reporting and Update API, and Incident Data Views
The SOAP-based version of the Incident Reporting and Update API and Incident Data Views are deprecated.

With the release of DLP 15.7 a new REST API has been added to Enforce.

• DLP - API
• DLP - API - REST
  • https://apidocs.symantec.com/home/DLP15.7

From that I've started to write a new PowerShell Module to interact with this REST API.

You can find the code on GitHub:

• PoShSymcDLP

Methods

• Query Incidents
• Update one more more incidents
• Get all possible values of prevent action statuses or protect action statuses
• Get all Incident Status values. These are custom defined statuses
• Editable Incident Attributes
• Get Incident History
• Static Incident Attributes
• Logoff

It's open to PRs and any help you can provide.

RoadMap

• Add Tests (Pester)
• Documentation (platyPS)
• Publish to the PowerShellGallery 

---

What's New and What's Changed in Symantec Data Loss Prevention 15.x
DOC10601
https://support.symantec.com/us/en/article.doc10601.html

Enforce Server and platform features
Table 1-5 New and changed Enforce Server and platform features for Symantec Data Loss Prevention 15.7

New incident reporting APIs based on REST
Data Loss Prevention 15.7 makes available a set of public RESTful APIs for incident reporting.
You can use the REST APIs to integrate incident data with other applications to provide dynamic reporting, create a custom incident remediation process, or support business processes that rely on DLP incidents.
The new REST APIs replace the capabilities of the Incident Reporting and Update API, which was based on SOAP technology. REST APIs are generally better performing and easier to use that SOAP-based APIs. While the SOAP-based APIs for incident reporting are still supported, new integrations requiring custom incident reporting should leverage theREST-based APIs. The Incident Reporting and Update SOAP APIs are deprecated in Data Loss Prevention 15.7.
For more information about the incident reporting REST APIs, refer to the DLP 15.7 REST API documentation.

Symantec™ Data Loss Prevention 15.7
REST API Guide
https://apidocs.symantec.com/home/DLP15.7

SOAP-based Incident Reporting and Update API, and Incident Data Views
The SOAP-based version of the Incident Reporting and Update API and Incident Data Views are deprecated.

• Follow steps provided by Symantec from article “How to upgrade computers encrypted with Symantec Endpoint Encryption to a Windows 10 release”
• Article is available from https://support.symantec.com/us/en/article.howto125875.html
• or Followbelow recommendations.

Now you can update Windows 10 and start the encryption once Windows Update is completed.