
EDR 4.6 Alerts (Post-Upgrade)


Article ID: 213933


Products

Endpoint Detection and Response
Endpoint Protection with Endpoint Detection and Response
Advanced Threat Protection Platform

Issue/Introduction

Post-upgrade, our teams see a number of EDR alerts, some dating back months, associated with old Trojan/C2 activity. 

Cause

  1. After upgrade to EDR 4.6, EDR automatically enrolls for TAA with all of the SEPM licenses it can associate with the customer.
  2. EDR then receives any existing events that are already present in TAA.
  3. If those events would have generated an event had they been received previously, EDR generates that event when it receives them after the upgrade and auto-enroll.

 

Environment

Release: 4.6.0

Component: Upgrade, TAA, and Incident creation

Resolution

To confirm the issue with UI logs:

  1. On Incidents, click the Incident number of an incident.
  2. If the Related Events have a timestamp from before the software upgrade, click the greater-than symbol (>) at the left of the row to expand the entry.
  3. In the details of the Related Event, find the log_time (when EDR received the event).
  4. If the event has a log_time after the software upgrade, this Incident may have been generated as a late hit from events received from TAA auto-enroll.
  5. On Logging, click the System Activity tab.
  6. Scroll through the System Activity events, looking for the Stop All Services event from when the admin team restarted EDR after the update.
  7. To search for the auto-enroll event, scroll up from the Stop All Services event.
  8. If you have Incidents where the Related Events have a log_time from after the TAA auto-enroll and other timestamps from before the EDR 4.6 update, you have this issue.
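
The check in steps 1 through 8 can be applied in bulk to incident data copied out of the console. The following is an added example, not Broadcom code: the record layout, the event_time field name, the incident ids and all timestamps are assumptions constructed for illustration; only log_time is a field named in this article.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse an ISO 8601 timestamp (trailing 'Z' allowed); naive values are treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def is_late_hit(event, upgrade_time, enroll_time):
    """True when activity predates the upgrade but EDR logged it after TAA auto-enroll."""
    occurred = event.get("event_time")  # hypothetical name for the original event timestamp
    received = event.get("log_time")    # from the article: when EDR received the event
    if not occurred or not received:
        return False  # both timestamps are needed to decide
    return parse_ts(occurred) < upgrade_time and parse_ts(received) > enroll_time

def triage(incidents, upgrade_time, enroll_time):
    """Return {incident id: 'late_hit' | 'mixed' | 'normal'}."""
    verdicts = {}
    for inc in incidents:
        flags = [is_late_hit(e, upgrade_time, enroll_time)
                 for e in inc.get("related_events", [])]
        if flags and all(flags):
            verdicts[inc["id"]] = "late_hit"  # every related event was backfilled from TAA
        elif any(flags):
            verdicts[inc["id"]] = "mixed"     # old and new activity: investigate normally
        else:
            verdicts[inc["id"]] = "normal"
    return verdicts

# Constructed sample data: times, incident ids and the record layout are illustrative.
UPGRADE = parse_ts("2021-04-20T14:00:00Z")  # Stop All Services event (restart after update)
ENROLL = parse_ts("2021-04-20T14:25:00Z")   # TAA auto-enroll event in System Activity
SAMPLE = [
    {"id": 100001, "related_events": [
        {"event_time": "2020-11-03T09:12:00Z", "log_time": "2021-04-20T14:31:07Z"},
        {"event_time": "2020-11-03T09:15:00Z", "log_time": "2021-04-20T14:31:09Z"}]},
    {"id": 100002, "related_events": [
        {"event_time": "2021-04-21T08:00:00Z", "log_time": "2021-04-21T08:00:05Z"}]},
    {"id": 100003, "related_events": [
        {"event_time": "2021-01-10T22:40:00Z", "log_time": "2021-04-20T14:32:00Z"},
        {"event_time": "2021-04-22T11:05:00Z", "log_time": "2021-04-22T11:05:03Z"}]},
    {"id": 100004, "related_events": [
        {"event_time": "2020-12-01T10:00:00Z", "log_time": "2020-12-01T10:00:04Z"}]},
]

if __name__ == "__main__":
    for incident_id, verdict in triage(SAMPLE, UPGRADE, ENROLL).items():
        print(incident_id, verdict)
```

An incident marked late_hit matches the pattern in step 8; a mixed incident also contains events logged in real time and still needs normal investigation.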

 

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/what-s-new-in-4-3-v131146855-d38e74614.html