
'Invalid Credentials' showing in the ATP interface for SEP correlation


Article ID: 163493


Updated On:


Endpoint Detection and Response


When making a change to the blacklist, you notice that the SEP correlation status now shows Invalid Credentials in red.

  • ATP 2.2 will label the SEP Manager connection with the status "Invalid Credentials".
  • ATP 2.3 will not stop the SEP Manager connection, mark the SEP Manager connection state as "Invalid Credentials", or label the state of ATP overall as "Critical". Instead, failed attempts to send fingerprint data to SEP Manager will be logged at a low level with an event similar to the following:
    2016-05-17 23:52:32,244 ERROR BlackListFiles - Failed to apply fingerprint 
    list to SEPM domain : F190593BC0A8026400342410509F3173  Response was 
    status=400, reason=Bad Request}}
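
Because ATP 2.3 only records this failure in its log, the following added example (not Symantec code) shows one way to pull the event out of a log excerpt and group the failures by SEPM domain. It assumes the event format shown above, including line wrapping and the trailing braces; the sample lines other than the article's own event are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the event from the article (wrapped across lines as it
# appears there), one unrelated line, and a repeat of the event on one line.
SAMPLE_LOG = """\
2016-05-17 23:50:01,101 INFO BlackListFiles - Constructed unrelated line
2016-05-17 23:52:32,244 ERROR BlackListFiles - Failed to apply fingerprint
list to SEPM domain : F190593BC0A8026400342410509F3173  Response was
status=400, reason=Bad Request}}
2016-05-17 23:58:10,007 ERROR BlackListFiles - Failed to apply fingerprint list to SEPM domain : F190593BC0A8026400342410509F3173  Response was status=400, reason=Bad Request}}
"""

# A new event starts with "YYYY-MM-DD HH:MM:SS,mmm LEVEL"; anything else is
# treated as a continuation of the previous event.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [A-Z]+ ")
FAILURE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR BlackListFiles - Failed to apply fingerprint list "
    r"to SEPM domain : (?P<domain>[0-9A-Fa-f]+) Response was "
    r"status=(?P<status>\d+), reason=(?P<reason>[^}]*)"
)

def join_events(text):
    """Rebuild one string per event, folding wrapped continuation lines."""
    events = []
    for line in text.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line.strip())
        elif line.strip():
            events[-1] += " " + line.strip()
    return [re.sub(r"\s+", " ", e) for e in events]

def find_push_failures(text):
    """Return {domain_id: [(timestamp, status, reason), ...]}."""
    failures = defaultdict(list)
    for event in join_events(text):
        m = FAILURE.match(event)
        if m:
            failures[m["domain"]].append((m["ts"], int(m["status"]), m["reason"].strip()))
    return dict(failures)

if __name__ == "__main__":
    for domain, hits in find_push_failures(SAMPLE_LOG).items():
        print(f"SEPM domain {domain}: {len(hits)} failed fingerprint push(es)")
        for ts, status, reason in hits:
            print(f"  {ts}  status={status} reason={reason}")
```
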


Advanced Threat Protection: Endpoint connected to at least one SEPM server for correlation


This error message is misleading. The actual issue is that the ATP was not able to update the System Lockdown settings when an MD5 hash is added to the blacklist. This can happen when an ATP appliance is osrestored or reset to factory settings after it has already created the 'ATP Blacklisted files' list.


Symantec will address the underlying cause of this behavior more fully in a future version of the ATP software.

To work around the behavior, do one of the following:

  • Upgrade ATP Platform to version 2.3
  • Perform manual workaround (see below for steps)


To work around the issue manually

  1. In the SEP Manager under Client -> My Company/Group -> System Lockdown, delete the ATP Blacklisted files fingerprint list.
  2. Disable System Lockdown.
  3. Delete the 'ATP Blacklisted files' list from each policy group.
  4. Under Policies -> Policy Components -> File Fingerprint Lists, confirm that the list is no longer showing.
  5. Once it is completely removed, wait an hour or re-enter the credentials for the controller connection before adding another MD5 hash to the blacklist.