
Advanced Threat Protection Action: Delete File from Endpoints


Article ID: 162826




Endpoint Detection and Response Advanced Threat Protection Platform


When a file is selected for deletion in Endpoint Detection and Response (EDR), it is not actually deleted from disk; instead, it is quarantined on the selected endpoint by the SEP client.

The "Delete File From Endpoints" dialog mentions this:


When a file is selected for deletion in ATP, the following occurs:

The client's Symantec Endpoint Protection Manager (SEPM) issues an Evidence of Compromise (EoC) scan to locate the selected file:



The SEP client receives the command on its next heartbeat, so the action is not immediate and depends on the heartbeat interval:



The client sends the first scan results back to SEPM. SEPM then issues the Quarantine command via the same EoC mechanism:



The SEP client runs the second EoC command and quarantines the file:




If the file was quarantined in error, it can be restored from the SEP client's Quarantine: