
Symantec EDR Doesn't Apply the Blacklist (fingerprint is not updated)


Article ID: 212313




Advanced Threat Protection Platform


When a file hash is added to the EDR Deny list, the SEPM does not show that this file\domain\fingerprint has been blocked.



SEPM and Symantec EDR



Symantec is investigating at this time.

If you encounter these symptoms, open a support case and attach the following pieces of evidence:

- a screenshot showing the Deny list entry in EDR (Policies > Deny)
- a screenshot showing the file fingerprint list within SEPM
- a diagnostic from the EDR appliance (see below)

- At the UI of the ATP Platform or SEDR appliance console, a screenshot of Settings > Appliances. Hover the mouse pointer over the status (Critical | Needs Attention | Healthy) at the top to show any messages for the overall status.
- For each individual appliance on the Appliances list, click the IP address to open the property sheet. Hover the mouse pointer over the circle around the appliance graphic on the left to display the health messages for that appliance.
- Because this issue may be specific to enrollment, a screenshot of the list of SEPM Controller Connections on Settings > Global
- For each SEPM Controller Connection, a screenshot of the Enrollment Statistics. To display them, click the ellipsis (...) on the right side, then click Enrollment Statistics.
- At the CLI of the ATP Platform or SEDR appliance console, type: show -v
- Type: update status
- Type: df -h
- Type: show -i
- Type: status_check


To generate a diagnostic on the EDR appliance, see:
HOWTO130439 - Generating SEDR diagnostics without internet connectivity