Symantec EDR Doesn't Apply the Blacklist (fingerprint is not updated)


Article ID: 212313


Updated On:

Products

Advanced Threat Protection Platform

Issue/Introduction

When a file hash is added to the EDR Deny list, the SEPM does not show that this file\domain\fingerprint has been blocked.

 

Environment

SEPM and Symantec EDR

 

Resolution

Symantec is investigating at this time.

If you encounter these symptoms, open a support case and attach the following pieces of evidence:

- a screenshot showing the Deny list entry in EDR (Policies > Deny)
- a screenshot showing the file fingerprint list within SEPM
- a diagnostic from the EDR appliance (see below)

- In the UI of the ATP Platform or SEDR appliance console, a screenshot of Settings > Appliances. Hover the mouse pointer over the status (Critical | Needs Attention | Healthy) at the top to show any messages for the overall status.
- For each individual appliance on the Appliances list, click on the IP address to open the property sheet. Hover the mouse pointer over the circle around the appliance graphic on the left to display the health messages for the individual appliances.
- Because this issue may be specific to enrollment, a screenshot of the list of SEPM Controller Connections on Settings > Global
- For each SEPM Controller Connection, a screenshot showing the Enrollment Statistics. To display them, click the ellipsis (...) on the right side, then click Enrollment Statistics.
- At the CLI of the ATP Platform or SEDR appliance console, type: show -v
- Type: update status
- Type: df -h
- Type: show -i
- Type: status_check

 

To generate a diagnostic on the EDR appliance, see:
   Title: HOWTO130439 - Generating SEDR diagnostics without internet connectivity
   URL: https://knowledge.broadcom.com/external/article?legacyId=howto130439