
Why does SEDR submit to the sandbox and create Incidents for Allow listed files?


Article ID: 172702




Endpoint Detection and Response Advanced Threat Protection Platform


When reviewing the Incidents that Symantec Endpoint Detection and Response (SEDR) creates, you notice that they include Events from Endpoint clients for files you have added to the Allow list. You may also see Sandbox submissions for these same files in the Actions menu.


The ATP/SEDR SHA2 Allow list applies only to Network detections and to Endpoint Insight queries. It does not prevent events for an allow-listed file from being correlated with other events into an Incident, from matching known threat intelligence feeds, or from being submitted to the configured Sandbox for analysis.

If you need SEDR to ignore all Endpoint detections for a file, create a Recorder Rule for it with the action set to 'Do Not Record' under Recorder Policies. Because such a rule stops the matching endpoint events from being recorded at all, those events will also be unavailable for later searches and investigations, so scope the rule to the specific file rather than more broadly.

Creating a Recorder policy