RSA, The Security Division of EMC, announces the release of RSA® NetWitness® Endpoint (formerly known as RSA ECAT) 4.2

Document created by RSA Link Team Employee on Aug 11, 2016. Last modified by RSA Link Team Employee on Sep 14, 2016.
Version 4

RSA is pleased to announce the general availability of RSA® NetWitness® Endpoint (formerly known as RSA ECAT) 4.2, the newest release of RSA’s endpoint detection and response tool that employs a combination of live memory analysis, continuous behavioral monitoring, and advanced machine learning to detect new and hidden threats that other solutions miss entirely. This release includes several exciting new features and improvements to RSA NetWitness Endpoint that enhance threat detection and visibility and improve the overall Analyst experience:


  • Support for Linux Agents - RSA NetWitness Endpoint users now gain deep visibility into Linux endpoints (including servers). This includes processes, drivers, executable files, and library inventories. Additionally, RSA has preconfigured 35+ IIOCs for Linux, available out-of-the-box, for immediate business benefit. Supported Linux operating systems include CentOS 6.x and 7.x and Red Hat Enterprise Linux 6.x and 7.x. The RSA NetWitness Endpoint Remote Agents Relay also supports Linux endpoints. Real-time monitoring is currently not supported.
  • Community Shared Intelligence Through RSA Live Connect (Beta) - The RSA Live Connect service allows RSA NetWitness Endpoint users to enhance malware detection and analysis with community information aggregated from other participants in the service. This service provides access to statistics on hash reputation within the community, dates first/last seen, and proportions of decisions made by analysts within the community. Customer-identifiable information (including internal connection or domain information) will not be shared, and the data is encrypted in transit and at rest. To participate, users must have an RSA Live account.
  • PowerShell Detection - RSA NetWitness Endpoint now provides an IIOC to detect early indicators of an attacker using PowerShell.
  • Performance and Scalability Improvements - To further improve scalability and support for large deployments, the Modules pane on the IP List and IIOC windows, by default, limits the list to the top 10K modules, ordered by risk score or IIOC score. For the IP List window, the Modules pane lists Windows modules sorted by highest risk score and Mac modules sorted by highest IIOC score. For the IIOC window, the Modules pane lists Windows modules sorted by highest risk score and Mac or Linux modules sorted by highest IIOC score.
  • Installation Process Improvements - When upgrading, we have eliminated the requirement for users to update to interim releases or patches from older versions prior to updating to the latest release. Users can now update to the latest version of RSA NetWitness Endpoint directly from any previous 4.1.x version as well as or The new installer also performs prerequisite checks as well as verification that required resources are available before proceeding with the installation of RSA NetWitness Endpoint 4.2.
  • Risk Score Changes - The risk score algorithm has been revised to allow for overrides on the basis of a defined hierarchy, thus refining the process for determining the risk score. There is a prioritized list of components that factor into the risk score and a hierarchy of rules that may override the risk score. For example, if a file was whitelisted but also reported as infected by YARA, the risk score would be 0 because the whitelisting rule has a higher priority. For complete details on the list of factors and rule hierarchy, see the topic Levels of IIOCS, IIOC Scores, and Risk Score in the RSA ECAT 4.2 User Guide.
  • OPSWAT and YARA Configuration - OPSWAT Metascan and YARA configuration has moved to Monitoring and External Components in the UI, which greatly improves the configuration process.


Recommendation for RSA NetWitness Endpoint customers:

Review the Release Notes for RSA NetWitness Endpoint 4.2 for more information about the updates made in this version and guidance about how to migrate from earlier versions. There is a separate Migration Guide available, which provides specific details about migration from all supported versions to RSA NetWitness Endpoint 4.2.


For more information about RSA NetWitness Endpoint, visit:


For instructions on obtaining your RSA NetWitness Endpoint license, follow the instructions here:


For additional documentation, downloads, and more, visit the NetWitness Endpoint page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.