Why does SEDR submit to the sandbox and create Incidents for Allow listed files?

Article ID: 172702

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When reviewing the Incidents that Symantec Endpoint Detection and Response (SEDR) is creating, you notice they include Events from Endpoint clients for files you have added to the Allow list. You may also see Sandbox submissions for these files in the Actions menu.

Resolution

The ATP/SEDR SHA2 Allow list applies only to Network detections and to Endpoint Insight queries. It does not stop a file's events from being correlated, together with other events, into an Incident, from matching known threat feeds, or from being submitted to the configured Sandbox. Allow listing a SHA2 therefore does not suppress Endpoint detections or Sandbox submissions for that file.

If you need to ignore all Endpoint detections for the file, create a Recorder Rule for it with the 'Do Not Record' action under the Recorder Policies. Note that this suppresses the Endpoint events for the file entirely, not just the Incidents created from them.

See also: Creating a Recorder policy