What is the limitation on Allow and Deny list entries on the SEDR Appliance?
search cancel

What is the limitation on Allow and Deny list entries on the SEDR Appliance?


Article ID: 172776


Updated On:


Endpoint Detection and Response Advanced Threat Protection Platform


You want to know the limit on how many Deny or Allow list entries that Endpoint Detection and Response will accept.


SEDR version 4.1 and later will allow you to have 65,000 total entries in the Deny list or Allow list.  You will not be allowed to use more than 65,000 entries in your lists and an error will show stating that the policy limit is reached when attempting to add any more entries than the 65,000 limit.

Additional Information

As of version 4.8 the blacklist and whitelist names were updated to Deny list and Allow list.

The EDR Deny List feature is designed to allow an EDR user/SOC Analyst, when carrying out an investigation, to be able to put an interim restriction on suspicious files that are discovered as part of the investigation. Once the analyst has concluded their investigation and are resolving the incident, if the files were proven to be "innocent" they can be removed from the Deny list. If they proved to be malicious/suspicious they can acquire copies of the files (using the EDR "get file" function) and submit them to Symantec for analysis such that they will be automatically detected by SEP in the future, and when they are advised by Symantec the definition set the detection is included in, the analyst can remove the deny list entry.

Based on this workflow, there is not an expectation that the Deny List will need to cater for thousands of entries as that doesn't meet the rationale for the capability. Maintaining a large number of Deny list entries will also cause performance issues with SEDR Appliance.