File Fingerprint lists from SEDR stop getting updated on the SEPM
search cancel

File Fingerprint lists from SEDR stop getting updated on the SEPM


Article ID: 163493


Updated On:


Endpoint Detection and Response


When making a change to an MD5 on the Deny list, you notice that the SEPM is not getting the new entries. Instead, the failure of attempts to send fingerprint data to SEP Manager will be logged at a low level with an event similar to the following:

[https-openssl-apr-<SEPM IP>-8446-exec-7216] ERROR c.s.s.s.c.e.h.GlobalControllerExceptionHandler - EXCEPTION: The file fingerprint "<File Name>" already exists, please use another name.


SEDR was not able to update the System Lockdown settings when an MD5 hash is added to the blacklist. This can happen when an SEDR appliance Operating System is restored or reset to factory settings after it has already created the 'ATP Blacklisted files' list.


Symantec has addressed the underlying cause for this behavior by naming the list a unique name.

To manually workaround

  1. In the SEP Manager under Client -> My Company/Group -> System Lockdown, delete the ATP Blacklisted files fingerprint list.
  2. Disable System Lockdown
  3. Delete the 'ATP Blacklisted files' list from each policy group.
  4. Under Policies -> Policy Components -> File Fingerprint Lists, confirm that the list is no longer showing
  5. Once it is completely removed, wait an hour or re-enter the credentials for the controller connection before adding another MD5 hash to the blacklist.