
The Process Dump option is greyed out for an executable on the SEDR Appliance Entity page


Article ID: 174014


Products

Endpoint Detection and Response

Issue/Introduction

When reviewing the entity page of an executable on the Symantec Endpoint Detection and Response (SEDR) Appliance, you may want to request a Process Dump of that executable. For some executables the Process Dump option is greyed out on the Entity page and cannot be selected.

Cause

Two conditions must both be met before you can request a Process Dump for an executable. First, the backing file must have been seen running as a process on an endpoint. Symantec EDR tracks this state for every file and enables the Process Dump button only once the file has been observed as a process; a file that has only been written, downloaded or scanned, but never executed, does not qualify. If the button is disabled, you can look for related events by issuing an FDR search command. Second, the file must reside on an endpoint that is currently enrolled for ECC2 (Endpoint Communication Channel 2.0); the dump is collected through that channel, so a file seen only on unenrolled endpoints also leaves the button disabled.

Resolution

You can verify whether the executable has ever acted as a process by performing an event search on the event_actor.file.name field for the file's name. The event actor is the process that performed the recorded action, so a match means the file has run on at least one endpoint. Example query: event_actor.file.name: winword.exe. If the search returns no events, the file has not been seen as a process and the Process Dump option will remain disabled.

If you do find an event matching this criterion, click the device_name link in the event details to open the endpoint's entity page and verify that the EDR status shows Enrolled. If the status is anything other than Enrolled, the endpoint is not enrolled for ECC2, and the Process Dump option stays greyed out even though the file has been seen as a process.
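The same two checks can be run offline over events exported from an event search, which is useful when you are triaging several executables at once. The script below is an added example written for this article; it is not Symantec code and does not call the appliance API. It assumes exported events carry the event_actor.file.name and device_name fields named above, and it takes the endpoint enrollment status as a separate mapping (device_name to the EDR status shown on the endpoint entity page). The sample events and the enrollment table are constructed for illustration. File-name matching is case-insensitive because Windows file names are; that is a choice of this script, not a statement about how the appliance search itself matches.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample of exported events. Only the fields the article refers to
# are included; these are illustrative records, not real appliance output.
SAMPLE_EVENTS = [
    {"device_name": "WS-101", "event_actor": {"file": {"name": "winword.exe"}}},
    {"device_name": "WS-205", "event_actor": {"file": {"name": "WINWORD.EXE"}}},
    {"device_name": "WS-300", "event_actor": {"file": {"name": "explorer.exe"}}},
    # A record with no actor (e.g. a file-only event) must not count as "seen as a process".
    {"device_name": "WS-300", "file": {"name": "winword.exe"}},
]

# Constructed enrollment table: device_name -> EDR status from the endpoint entity page.
SAMPLE_ENDPOINTS = {
    "WS-101": "Not Enrolled",
    "WS-205": "Enrolled",
    "WS-300": "Enrolled",
}


def load_jsonl(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON object per line (a common export shape); blank lines are skipped."""
    return [json.loads(line) for line in lines if line.strip()]


def actor_devices(events: Iterable[dict], file_name: str) -> set:
    """Return the device_names on which file_name appears as the event actor,
    i.e. as the running process, mirroring the event_actor.file.name search."""
    wanted = file_name.lower()
    found = set()
    for ev in events:
        name = ev.get("event_actor", {}).get("file", {}).get("name")
        if name and name.lower() == wanted:
            found.add(ev["device_name"])
    return found


def process_dump_diagnosis(
    events: Iterable[dict], endpoints: Dict[str, str], file_name: str
) -> Tuple[str, List[str]]:
    """Classify why Process Dump may be greyed out for file_name.

    Returns (status, devices) where status is one of:
      'never_seen_as_process' - no exported event has the file as its actor
      'no_enrolled_endpoint'  - seen as a process, but on no endpoint whose status is Enrolled
      'eligible'              - seen as a process on at least one Enrolled endpoint
    devices lists the endpoints behind that verdict, sorted for stable output.
    """
    devices = actor_devices(events, file_name)
    if not devices:
        return "never_seen_as_process", []
    enrolled = sorted(d for d in devices if endpoints.get(d) == "Enrolled")
    if not enrolled:
        return "no_enrolled_endpoint", sorted(devices)
    return "eligible", enrolled


if __name__ == "__main__":
    for name in ("winword.exe", "explorer.exe", "notepad.exe"):
        status, devices = process_dump_diagnosis(SAMPLE_EVENTS, SAMPLE_ENDPOINTS, name)
        print(f"{name}: {status} {devices}")
```

To use it on real data, feed the exported event lines to load_jsonl and build the endpoints mapping from the EDR status column of your endpoint list; a result of never_seen_as_process means the first condition in the Cause section fails, and no_enrolled_endpoint means only the ECC2 enrollment condition fails.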