Not all Suspicious File detections trigger a sandbox submission on the SEDR appliance

Article ID: 174734

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When reviewing the Events on the SEDR Appliance, you may see many Suspicious File detections with Event ID 4123 or 4099. On the Actions page, however, there is no automatic sandbox submission for each of these Events, even though Automatic Submission is enabled under Global Settings.

Cause

For a file to be submitted automatically, all of the following must be true. A 4123 Event must have an HID level of 300, 400 or 500. If you are not enrolled in SEP Cloud, a 4099 Event must have a file reputation of -5 or lower. In either case the file must be a Portable Executable whose file name ends in ".exe" and whose size is under 10 MiB. Finally, the automatic submission option will not submit a file that already received a sandbox verdict within the last 7 days.

Note: The file reputation value is considered proprietary and cannot be viewed.

Resolution

  1. Review the Entity page for the file(s) referenced in the 4123 or 4099 to verify there is no prior sandbox verdict.
  2. Verify that the detected file name ends in .exe and that the file is under 10 MiB, since that is the size limit at the sandbox.
  3. Check that the HID level in the Event is 300, 400 or 500.
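The Cause section and the Resolution steps above describe one decision rule. The following script is an added example (not SEDR's own code) that encodes that rule so you can run it over a batch of exported events and see, for each one, which condition blocked the automatic submission. The event field names (event_id, hid, reputation, file_name, file_size, sha256, header) are hypothetical and must be mapped to whatever your own export uses; the sample events and the minimal MZ/PE header are constructed here for illustration.

```python
"""Triage helper: which SEDR Suspicious File events meet the documented
automatic-sandbox-submission criteria, and why the others do not."""
import struct
from datetime import datetime, timedelta

MAX_SIZE = 10 * 1024 * 1024         # article: file must be under 10 MiB
VERDICT_WINDOW = timedelta(days=7)  # article: no sandbox verdict in the last 7 days
ELIGIBLE_HID = {300, 400, 500}      # article: 4123 needs HID 300, 400 or 500
MAX_REPUTATION = -5                 # article: 4099 needs reputation -5 or lower


def looks_like_pe(header: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    return header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def submission_blockers(event, last_verdicts, now, sep_cloud=False):
    """Return the reasons this event would not be auto-submitted (empty = eligible)."""
    reasons = []
    eid = event["event_id"]
    if eid == 4123:
        if event.get("hid") not in ELIGIBLE_HID:
            reasons.append(f"HID {event.get('hid')} not in {sorted(ELIGIBLE_HID)}")
    elif eid == 4099:
        # The reputation gate applies only when not enrolled in SEP Cloud.
        rep = event.get("reputation")
        if not sep_cloud and (rep is None or rep > MAX_REPUTATION):
            reasons.append(f"reputation {rep} is above {MAX_REPUTATION}")
    else:
        reasons.append(f"event {eid} is not a 4123/4099 Suspicious File detection")

    if not event["file_name"].lower().endswith(".exe"):
        reasons.append("file name does not end in .exe")
    if not looks_like_pe(event.get("header", b"")):
        reasons.append("not a Portable Executable")
    if event["file_size"] >= MAX_SIZE:
        reasons.append(f"size {event['file_size']} is not under {MAX_SIZE} bytes")
    last = last_verdicts.get(event["sha256"])
    if last is not None and now - last <= VERDICT_WINDOW:
        reasons.append(f"sandbox verdict already issued {(now - last).days} days ago")
    return reasons


def triage(events, last_verdicts, now, sep_cloud=False):
    """Map each event name to its list of blockers."""
    return {name: submission_blockers(ev, last_verdicts, now, sep_cloud)
            for name, ev in events.items()}


def _pe_header() -> bytes:
    """Constructed minimal MZ/PE header (sample input, not a real binary)."""
    h = bytearray(0x80)
    h[:2] = b"MZ"
    struct.pack_into("<I", h, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    h[0x40:0x44] = b"PE\x00\x00"
    return bytes(h)


PE = _pe_header()
MIB = 1024 * 1024
NOW = datetime(2024, 1, 15)
LAST_VERDICTS = {"sha-g": datetime(2024, 1, 12)}   # verdict 3 days before NOW

# Constructed sample events, one per documented condition (hypothetical field names).
SAMPLE_EVENTS = {
    "eligible":       dict(event_id=4123, hid=400, file_name="dropper.exe", file_size=2 * MIB, sha256="sha-a", header=PE),
    "low_hid":        dict(event_id=4123, hid=200, file_name="dropper.exe", file_size=2 * MIB, sha256="sha-b", header=PE),
    "too_big":        dict(event_id=4099, reputation=-7, file_name="tool.exe", file_size=12 * MIB, sha256="sha-c", header=PE),
    "weak_rep":       dict(event_id=4099, reputation=-2, file_name="tool.exe", file_size=1 * MIB, sha256="sha-d", header=PE),
    "not_exe":        dict(event_id=4123, hid=500, file_name="payload.dll", file_size=1 * MIB, sha256="sha-e", header=PE),
    "not_pe":         dict(event_id=4123, hid=300, file_name="payload.exe", file_size=1 * MIB, sha256="sha-f", header=b"\x7fELF" + bytes(0x7C)),
    "recent_verdict": dict(event_id=4123, hid=300, file_name="repeat.exe", file_size=1 * MIB, sha256="sha-g", header=PE),
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS, LAST_VERDICTS, NOW).items():
        print(f"{name:15s} {'SUBMIT' if not reasons else 'SKIP: ' + '; '.join(reasons)}")
```

Because the reputation value itself is proprietary and not visible in the console, the reputation check in this script can only be applied to data you already have; in practice you will usually be able to verify the HID level, file name, size and prior-verdict conditions, and treat an unexplained 4099 skip as a reputation miss.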