
'Invalid Credentials' showing in the ATP interface for SEP correlation


Article ID: 163493

Products

Endpoint Detection and Response

Issue/Introduction

After you make a change to the blacklist, the SEP correlation status shows "Invalid Credentials" in red.

  • ATP 2.2 will label the SEP Manager connection with the status "Invalid Credentials".
  • ATP 2.3 will not stop the SEP Manager connection, mark the SEP Manager connection state as "Invalid Credentials", or label the overall state of ATP as "Critical". Instead, each failed attempt to send fingerprint data to SEP Manager is logged at a low level with an event similar to the following:
    2016-05-17 23:52:32,244 ERROR BlackListFiles - Failed to apply fingerprint list to SEPM domain : F190593BC0A8026400342410509F3173  Response was :InboundJaxrsResponse{ClientResponse{method=POST, uri=https://192.168.2.100:8446/sepm/api/v1/policy-objects/fingerprints/, status=400, reason=Bad Request}}
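Because ATP 2.3 records this failure only at a low log level and no longer surfaces it in the interface, an administrator who wants to notice it has to read the ATP log. The following Python script is an added example, not Symantec's code: it assumes the event format quoted above, parses each matching line into its fields (SEPM domain ID, request URI, HTTP status and reason), and flags a 400 Bad Request on the fingerprints endpoint as the System Lockdown symptom this article describes, which is not an authentication failure. The sample log is constructed and reuses the domain ID and address from the quoted event.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the ATP 2.3 ERROR event quoted in the article. The SEPM domain ID
# and the JAX-RS response summary are captured so the failure can be reported.
FINGERPRINT_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR BlackListFiles - "
    r"Failed to apply fingerprint list to SEPM domain : (?P<domain>[0-9A-Fa-f]+)\s+"
    r"Response was\s*:InboundJaxrsResponse\{ClientResponse\{method=(?P<method>\w+), "
    r"uri=(?P<uri>\S+), status=(?P<status>\d+), reason=(?P<reason>[^}]*)\}\}$"
)


@dataclass
class FingerprintPushFailure:
    timestamp: str
    domain: str
    method: str
    uri: str
    status: int
    reason: str


def parse_failure(line: str) -> Optional[FingerprintPushFailure]:
    """Return the parsed event for a fingerprint-push failure line, else None."""
    m = FINGERPRINT_FAILURE.match(line.strip())
    if not m:
        return None
    return FingerprintPushFailure(
        timestamp=m["ts"], domain=m["domain"], method=m["method"],
        uri=m["uri"], status=int(m["status"]), reason=m["reason"],
    )


def find_failures(lines: Iterable[str]) -> List[FingerprintPushFailure]:
    """Collect every fingerprint-push failure from an iterable of log lines."""
    return [f for f in (parse_failure(line) for line in lines) if f is not None]


def is_system_lockdown_symptom(f: FingerprintPushFailure) -> bool:
    # A 400 Bad Request from the fingerprints endpoint is the signature the
    # article describes (a stale 'ATP Blacklisted files' list on the SEPM);
    # a genuine credential problem would come back as 401 or 403 instead.
    return f.status == 400 and "/policy-objects/fingerprints" in f.uri


# Constructed sample log; the ERROR line reproduces the event quoted in the article.
SAMPLE_LOG = """\
2016-05-17 23:51:10,001 INFO BlackListFiles - Applying fingerprint list to SEPM domain : F190593BC0A8026400342410509F3173
2016-05-17 23:52:32,244 ERROR BlackListFiles - Failed to apply fingerprint list to SEPM domain : F190593BC0A8026400342410509F3173  Response was :InboundJaxrsResponse{ClientResponse{method=POST, uri=https://192.168.2.100:8446/sepm/api/v1/policy-objects/fingerprints/, status=400, reason=Bad Request}}
2016-05-17 23:52:33,010 INFO Scheduler - next correlation run queued
"""


def report(log_text: str = SAMPLE_LOG) -> List[str]:
    """One human-readable line per failure, tagged with the likely cause."""
    out = []
    for f in find_failures(log_text.splitlines()):
        if is_system_lockdown_symptom(f):
            tag = "STALE 'ATP Blacklisted files' LIST - apply the manual workaround"
        else:
            tag = "OTHER SEPM REST FAILURE - investigate"
        out.append(
            f"{f.timestamp} domain={f.domain} {f.method} {f.uri} "
            f"-> {f.status} {f.reason}: {tag}"
        )
    return out


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it against a copy of the ATP log instead of SAMPLE_LOG by passing the file contents to report(); the same parser can feed a scheduled check that alerts when the push has started failing, since the interface no longer does so in 2.3.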

Environment

Advanced Threat Protection: Endpoint connected to at least one SEPM server for correlation

Cause

This error message is misleading. The actual issue is that ATP is not able to update the System Lockdown settings when an MD5 hash is added to the blacklist. This can happen when an ATP appliance is OS-restored or reset to factory settings after it has already created the 'ATP Blacklisted files' list.

Resolution

Symantec will address the underlying cause of this behavior more fully in a future version of the ATP software.

To work around the behavior, do one of the following:

  • Upgrade ATP Platform to version 2.3
  • Perform manual workaround (see below for steps)

To manually work around the behavior:

  1. In the SEP Manager under Client -> My Company/Group -> System Lockdown, delete the 'ATP Blacklisted files' fingerprint list.
  2. Disable System Lockdown.
  3. Delete the 'ATP Blacklisted files' list from each policy group.
  4. Under Policies -> Policy Components -> File Fingerprint Lists, confirm that the list is no longer showing.
  5. Once it is completely removed, wait an hour or re-enter the credentials for the controller connection before adding another MD5 hash to the blacklist.