search cancel

Advanced Threat Protection 2.0 Error Revoking Blacklisted File

book

Article ID: 162727

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

Revoking a Blacklisted File from the File Entity Page in ATP 2.0 fails.

Advanced Threat Protection (ATP)


 

The error displayed is: "An error occurred while deleting blacklist":

Cause

The problem can occur if the SHA256 Hash Value for the File was deleted from the Policies Page. When a file gets added to the Blacklist from the File Entity Page, both its MD5 and SHA256 Hashes will be added to the Policy automatically:

 

It is possible to delete the SHA256 Rule Value, leaving only the MD5 Value active:

If the Policy only contains the MD5 Value, the Revoke Blacklist action will fail with the above mentioned error message.

Note:

This problem only applies to the Blacklist option. Adding a file to the Whitelist will only add a file's SHA256 value and will not result in the error as described here.

Resolution

Delete the remaining MD5 Value from the Blacklist Policies page will effectively Revoke this item.

Note:

The problem will only occur if the SHA256 Value was deleted separately form the Blacklist Policies page. Deleting the MD5 but leaving the SHA256 Value will result in a successful Revoke Blacklist Action. 

Attachments