Uploading Advanced Threat Protection (ATP) and Endpoint Detection and Response (SEDR) log evidence to Support's evidence servers


Article ID: 178883


Updated On:


Endpoint Detection and Response Advanced Threat Protection Platform




In the interest of security, Symantec employs Secure FTP servers for file uploads. This is to provide evidence for support personnel to review in determining the cause of an issue.

Starting with Advanced Threat Protection (ATP) version 2.2.0, the gather_evidence command will allow the uploading of logs using the credentials provided by technical support.

To Upload Log Evidence:

  1. Log in as the 'admin' user to the ATP or SEDR where the logs are located that need to be uploaded, be it for a scanner, manager, or all-in-one appliance.

  2. Run the command gather_evidence while providing the following parameters:

Required parameters:
-u | --username={ mft_user } (password will be prompted)
-c | --case-number={ mft_case_number }

Optional parameters:
--proxy-tunnel (used for HTTP tunnels)
--proxy-user={ ftp_proxy_user } (password will be prompted)
-v | --verbose

gather_evidence -u [email protected] -c 10542214 -v
gather_evidence -u [email protected] -c 10542214 -v --proxy-tunnel --proxy-uri=''
gather_evidence -u [email protected] -c 10542214 -v --proxy-tunnel --proxy-uri='' --proxy-user='user'

  1. A prompt will appear for the password. Please provide the password received in the Request for Evidence email
    IMPORTANT: Please note if using the "-v|--verbose" option on ATP versions 2.2 and 2.3, the password will be shown on the screen.

The mft_user and mft_case_number values are provided in an email from [email protected] Please note that these values are case sensitive.

It is not recommended to copy/paste directly from this document, as the hyphen ( - ) character is often mistranslated when pasting into an SSH session.