Endpoint Protection client fails to capture a Forensic Report when the client is quarantined or isolated

Article ID: 184782

Products

Endpoint Protection

Issue/Introduction

When Symantec Endpoint Protection (SEP) is used together with Threat Defense for Active Directory (TDAD), a Forensic Report can be requested from a client. However, if the SEP client has been quarantined or isolated, either because it failed a Host Integrity check or because of an Endpoint Detection and Response isolation request, the Forensic Report request fails.

Cause

When a client fails a Host Integrity check and is moved into a Quarantine Location, the firewall policy assigned to that location blocks inbound TCP port 445 traffic by default. The Forensic Report request from the TDAD server relies on that port, so it is dropped.

Environment

Microsoft Windows

Resolution

Edit the Quarantine Firewall policy assigned to the affected quarantine location(s) and add a rule that allows traffic for svchost.exe on local TCP port 445 when the remote IP address matches the TDAD server. Restrict the rule to the TDAD server's address rather than allowing port 445 from any host, so the quarantine location continues to block SMB access from other sources.