RSA Announces the Release of RSA NetWitness® Endpoint 4.3

Document created by RSA Link Team Employee on Jan 30, 2017
Version 1Show Document
  • View in full screen mode

RSA, a Dell Technologies business, is pleased to announce the newest release of RSA’s endpoint detection and response tool, RSA NetWitness Endpoint 4.3. Through a combination of live memory analysis, continuous behavioral monitoring, and advanced machine learning, RSA NetWitness Endpoint detects new and hidden threats that other solutions miss entirely.


This release includes exciting new features and improvements to RSA NetWitness Endpoint that enhances threat detection, visibility, and response actions.


Machine Containment

The Machine Containment feature allows an analyst to apply containment to a machine that may be compromised. This blocks the ability of a machine to connect to the network, allowing the analyst to observe the malware in action while protecting the larger environment. Analysts are able to control the spread of an attack and investigate the malware behavior post-containment.


Expanded Agent Support

Mac support for NetWitness Endpoint agents now extends to El Capitan (10.11) and Sierra (10.12). Also, qualified agent support is added for Microsoft Windows Server 2016. Additionally, the risk score, previously only applied to files on Microsoft Windows machines, has been extended to files on Mac and Linux machines.


New Suspicious Event Detection IIOCs

There are many new Instant Indicators of Compromise (IIOCs) for suspicious non-malware event detection added for this release. These IIOCs are designed to target suspicious activities that may be indicative of hacking, initiated by a threat actor. RSA NetWitness Endpoint 4.3 can go well beyond “just malware” to detect user-initiated behavior that may be threatening to organizations.


Live Feedback

The Live Feedback function gathers NetWitness Endpoint license and deployment-related information, as well as relevant usage metrics, to help RSA improve product support and planning. All data collected is for RSA’s use only and shall be protected with the applicable license agreement.


Following installation of or updating to NetWitness Endpoint 4.3, a user with L2 or Admin privileges will be prompted, upon first login, to accept participation in Live Feedback. In addition to license information (which is collected by default), the Live Feedback function can also collect data concerning OS versions of agents/servers, operational state of the product, and type of deployment. For complete details, see the “Live Feedback” topic in the RSA NetWitness Endpoint 4.3 User Guide.



The NetWitness Endpoint User Guide, Installation Guide, User Interface, and installer have been rebranded from ECAT to NetWitness Endpoint. Note that this does not include the Agent Packager, default installation paths and folders, service names, and some internal functions.


Recommendations for RSA NetWitness Endpoint customers:


Review the Release Notes for RSA NetWitness Endpoint 4.3 for more information about the updates made in this version.


Documentation is available for download through the following links:


  • RSA NetWitness Endpoint 4.3 Installation Guide can be found here.
  • RSA NetWitness Endpoint 4.3 User Guide can be found here.
  • RSA NetWitness Endpoint 4.3 Release Notes can be found here.


For additional documentation, downloads, and more, visit the RSA NetWitness Endpoint page on RSA Link.


For more information about RSA NetWitness Endpoint, visit:


For instructions on obtaining your RSA NetWitness Endpoint license, follow the instructions here:



EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.