The SONAR technology within SEP 12 RU6 currently does not detect when an application captures a screenshot without user interaction according to Symantec Technical Support. The benefit of this would be stopping screen scraping malware that takes a screenshot of sensitive data and then sends it to an external entity. It's my understanding this technology already exists in products like Trusteer Rapport, as according to wikipedia it "includes anti-phishing measures to protect against misdirection and attempts to prevent malicious screen scraping; it attempts to protect users against the following forms of attacks: man-in-the-browser, man-in-the-middle, session hijacking and screen capturing. Also, according to this white paper from www.blackhat.com, an organization can secure a device against data exfiltration by identifying all the different threat vectors that threat actors can use to exploit devices. Correlate and analyze all the information from (excluded other items for brevity):
Applications. Understanding the behaviors and intent of applications (including the interfaces) on specific devices to identify immediate and long-term risky activities (e.g. time bombs); applications downloaded from “official” markets (e.g. Google Play, iTunes Store), as well as those that have been repackaged and side–loaded. Behavioral App Reputation technologies are best positioned to address this gap, but one must make sure that they are capable of detecting unknown keyloggers, screen scrapers and packaged privilege escalation exploits.
It's well known that screen scraping malicious software exists, and clearly the need is present to detect this type of malicious code. It's my hope Symantec agrees and pursues implementing this important prevention technology into their endpoint security product.