
Events reporting fDenyTSConnections registry key changes are missing or carry an inaccurate description


Article ID: 200340


Updated On:


Endpoint Detection and Response Endpoint Protection with Endpoint Detection and Response


When the command below is run to disable RDP on a Windows endpoint that has the Symantec Endpoint Protection (SEP) client installed, Symantec Endpoint Detection and Response (SEDR) either shows no event at all or shows an event that inaccurately reports "RDP enabled".


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f


In EDR, the "enriched_data.rule_description" field shows "RDP enabled".


Expected behavior:

In EDR, the event appears and enriched_data.rule_description is "RDP disabled".


This behavior is the result of an error in the global IntelliFilter rules within the SEP client.


This issue is addressed by a new set of IntelliFilter rules delivered in a later release of SEP. Upgrade the SEP Manager to SEP 14.3 RU1 or later, then upgrade the SEP client(s) to SEP 14.3 RU1.
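Until the clients are upgraded, an analyst who sees (or fails to see) an event for this key can confirm the endpoint's real RDP state directly and compare it with what the event's enriched_data.rule_description claims. The script below is an added example for this article, not Symantec/Broadcom code, and it does not query SEDR; it reads the same fDenyTSConnections value the reg add command above writes, applies the mapping the article expects (1 = "RDP disabled", 0 = "RDP enabled"), and reports whether a given event description agrees with it. It assumes it runs locally on the Windows endpoint; the function and parameter names are this example's own.

```powershell
# Added example, not code from the article or from Symantec/Broadcom.
# Runs on the Windows endpoint; reading these HKLM values needs no elevation.

function Get-RdpDenySetting {
    # Returns the fDenyTSConnections data in effect: 1 = RDP disabled, 0 = RDP enabled.
    # The machine value is the one written by the article's "reg add" command.
    $machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # If Group Policy configures the same setting, the policy location takes precedence.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $policy  = Get-ItemProperty -Path $policyKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $machine = Get-ItemProperty -Path $machineKey -Name fDenyTSConnections -ErrorAction SilentlyContinue

    if ($null -ne $policy) {
        return [pscustomobject]@{ Source = 'GroupPolicy'; Value = [int]$policy.fDenyTSConnections }
    }
    if ($null -ne $machine) {
        return [pscustomobject]@{ Source = 'Machine'; Value = [int]$machine.fDenyTSConnections }
    }
    # Neither location has the value; do not guess what Windows will do.
    return [pscustomobject]@{ Source = 'NotSet'; Value = $null }
}

function ConvertTo-RdpDescription {
    # Maps the registry data to the wording the article expects in rule_description.
    param($Value)
    if ($Value -eq 1) { return 'RDP disabled' }
    if ($Value -eq 0) { return 'RDP enabled' }
    return 'Unknown'
}

function Compare-RdpEvent {
    # Compares the endpoint's actual state with the description carried by an SEDR event.
    param(
        [Parameter(Mandatory)]
        [string]$RuleDescription   # value of enriched_data.rule_description from the event
    )
    $setting = Get-RdpDenySetting
    $actual  = ConvertTo-RdpDescription -Value $setting.Value
    return [pscustomobject]@{
        RegistrySource  = $setting.Source
        RegistryValue   = $setting.Value
        ActualState     = $actual
        EventReported   = $RuleDescription
        EventIsAccurate = ($actual -eq $RuleDescription)
    }
}

# Usage: after running the article's command (data = 1), an event that says "RDP enabled"
# is flagged as inaccurate; once the IntelliFilter fix is in place it should say "RDP disabled".
Compare-RdpEvent -RuleDescription 'RDP enabled' | Format-List
```

If no event arrived at all, running Get-RdpDenySetting on the endpoint still tells you whether the change actually took effect, which is the fact the missing event would otherwise have recorded.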