Policy updates sent to SEPM for Allow/Deny list entries

Article ID: 219040

Products

Endpoint Detection and Response

Issue/Introduction

  • SEDR 4.5 continuously pushes SEPM Exceptions policies.
  • Continuous policy changes appear in SEPM, sent from EDR.
  • EDR allow/deny list entries cause policy changes in the SEPM and cause endpoint operating systems to crash.

Environment

EDR 4.5

Cause

The MDR indexes used by EDR are not functioning properly. This causes EDR to have problems recognizing that the endpoints are already enrolled with the correct policy. As a result, EDR tries to distribute new policies that are not needed, which can cause the SEPM or the endpoints to stop functioning correctly.

Resolution

The engineering team is committed to resolving this issue and is currently investigating a long-term fix.

Workaround:

  • Remove the SEPM controller connection.
  • Wait 24 hours to ensure the index for the EDR component clears.
  • Re-add the SEPM controller connection in the EDR web user interface.

Solution:

This process is normally taken care of automatically in SEDR 4.5 and newer, but it is possible that it does not happen. You can use the following steps to verify whether or not the MDR indexes are too large. If this process does not work, the only resolution at this time is the workaround listed above.

The following steps require admin-level CLI access, which is available by default when you connect to EDR via the command line.

  1. To find a large index or indexes:
    • mdr_index_tool --list
    • Any index with a size of 10000000 or larger has reached about 10 MB. These must be inspected and defragmented. Larger indexes appear at the end of the list.
  2. Defragment the larger MDR index(es). Please note: this means any that are larger than 10 MB (any with a size of 10000000 or larger).
    1. mdr_index_tool --inspect 'MDR index name'
    2. mdr_index_tool --defrag 'MDR index name'
    3. If you have multiple indexes to inspect, separate the names with a comma.
      • Example:
        mdr_index_tool --inspect 'MDR index name','MDR index name'
        NOTE: There are no spaces between the index names and the comma.
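As an added example that is not part of this article, the following POSIX shell helper automates the size check from the steps above: it filters the list output down to the indexes at or over the 10000000 threshold, builds the comma-delimited argument with no spaces, and then runs the inspect and defrag steps. It assumes that mdr_index_tool --list prints one index per line as "<index name> <size>"; that output format is an assumption, not something the article documents, so adjust the awk fields if your build prints something else.

```shell
THRESHOLD=10000000   # the size value the article says marks a ~10 MB index

# Read `mdr_index_tool --list` output on stdin and print the names of every
# index at or over THRESHOLD, comma-joined with no spaces (the argument form
# the article requires for --inspect). ASSUMPTION: each index is listed as
# "<name> <size>" on one line; lines whose second field is not a number
# (headers, blank lines) are ignored.
large_indexes() {
    awk -v t="$THRESHOLD" '
        NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) >= (t + 0) {
            names = (names == "" ? $1 : names "," $1)
        }
        END { print names }'
}

# Inspect all large indexes in one call, then defragment them one at a time
# (the article only shows the comma form for --inspect). Pass "run" as the
# first argument to execute; otherwise the commands are only printed.
maintain_large_indexes() {
    names=$(mdr_index_tool --list | large_indexes)
    if [ -z "$names" ]; then
        echo "no index has reached a size of $THRESHOLD; nothing to defragment"
        return 0
    fi
    if [ "${1:-dry-run}" = "run" ]; then
        mdr_index_tool --inspect "$names"
        for n in $(printf '%s' "$names" | tr ',' ' '); do
            mdr_index_tool --defrag "$n"
        done
    else
        echo "would run: mdr_index_tool --inspect '$names'"
        for n in $(printf '%s' "$names" | tr ',' ' '); do
            echo "would run: mdr_index_tool --defrag '$n'"
        done
    fi
}
```

Run maintain_large_indexes with no argument first to see which indexes would be touched, then repeat with "run" on the EDR appliance itself.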

PLEASE NOTE: If the above steps do not resolve your issue, the solution is to remove the SEPM controller connection, wait 24 hours, and then re-configure the SEPM controller connection.

Additional Information

For information on configuring the SEPM controller connection please visit the documentation page Configuring the SEPM Controller for your version of EDR.