Events reporting fDenyTSConnections registry key changes are missing or have an inaccurate description

Article ID: 200340

Products

Endpoint Detection and Response
Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

When running the command below to disable RDP on a Windows endpoint with the Symantec Endpoint Protection (SEP) client installed, Symantec Endpoint Detection and Response (SEDR) either shows no event at all or shows an event that inaccurately reports "RDP enabled".

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

In EDR, the "enriched_data.rule_description" field shows "RDP enabled", even though the command sets fDenyTSConnections to 1, which denies RDP connections.

Expected behavior:

In EDR, the event appears and enriched_data.rule_description=RDP disabled
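
As an added example, not part of this article or of the SEP/SEDR product, the following Python script derives the description an fDenyTSConnections registry event should carry from the value the reg add command actually wrote, and flags EDR records whose enriched_data.rule_description is missing or disagrees with it. The event records are constructed sample data, and the id and command_line field names are assumptions; only enriched_data.rule_description comes from the article.

```python
import re

RDP_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
RDP_VALUE = "fdenytsconnections"
HIVE_ALIASES = {"hklm": "hkey_local_machine"}  # short hive names reg.exe accepts


def parse_reg_add(cmdline):
    """Split 'reg add <key> /v <name> /t <type> /d <data> [/f]' into its parts, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["reg", "add"]:
        return None
    fields = {"key": tokens[2]}
    for i in range(3, len(tokens) - 1):
        if tokens[i].lower() in ("/v", "/t", "/d"):
            fields[tokens[i][1].lower()] = tokens[i + 1]
    return fields


def expected_rule_description(key, value_name, data):
    """Description an RDP-toggle registry event should carry, or None for other values."""
    hive, _, rest = key.strip("\\").lower().partition("\\")
    if HIVE_ALIASES.get(hive, hive) + "\\" + rest != RDP_KEY or value_name.lower() != RDP_VALUE:
        return None
    # fDenyTSConnections is a *deny* flag: a nonzero DWORD blocks RDP, zero allows it.
    return "RDP disabled" if int(str(data), 0) != 0 else "RDP enabled"


def audit_events(events):
    """Return (id, reported, expected) for events whose description is missing or wrong."""
    findings = []
    for ev in events:
        fields = parse_reg_add(ev["command_line"])  # command_line: assumed field name
        if fields is None:
            continue
        expected = expected_rule_description(fields["key"], fields.get("v", ""), fields.get("d", "0"))
        if expected is None:
            continue
        reported = ev.get("enriched_data", {}).get("rule_description")
        if reported != expected:
            findings.append((ev["id"], reported, expected))
    return findings


TS = r'"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"'
SAMPLE_EVENTS = [  # constructed sample records, not real SEDR output
    {"id": 1, "command_line": f"reg add {TS} /v fDenyTSConnections /t REG_DWORD /d 1 /f",
     "enriched_data": {"rule_description": "RDP enabled"}},  # mislabelled, as in the article
    {"id": 2, "command_line": f"reg add {TS} /v fDenyTSConnections /t REG_DWORD /d 0 /f",
     "enriched_data": {"rule_description": "RDP enabled"}},  # correct
    {"id": 3, "command_line": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x1 /f'},  # no enrichment
]
```

Calling audit_events(SAMPLE_EVENTS) reports event 1 (labelled "RDP enabled" but expected "RDP disabled") and event 3 (no description at all), while event 2 passes.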

Cause

This behavior is the result of an error in the global IntelliFilter rules within the SEP client.

Resolution

This issue is addressed by a new set of IntelliFilter rules in an upcoming release of SEP. To get the fix, upgrade the SEP Manager to SEP 14.3 RU1 or later, then upgrade the SEP client(s) to SEP 14.3 RU1.