When an EDR "Quarantines" or "Isolates" SEP VPN connected client, "Symantec EDR Quarantine Firewall policy" may cause the EDR not to be able to rescind the quarantine

Article ID: 219783

Products

Advanced Threat Protection Platform Endpoint Detection and Response Endpoint Protection

Issue/Introduction

A SEP client remains quarantined even after the EDR rescinds the quarantine, because the client's communications to the EDR (the channel over which the rescind would arrive) are blocked by the active "Symantec EDR Quarantine Firewall policy". This is typical for clients that reach the SEPM and EDR only over a VPN connection.

Environment

All SEPM and SEDR releases

Cause

"Symantec EDR Quarantine Firewall policy" does not have rules to permit:

  • EDR ECC communications
  • VPN communications
  • Internal Certificate Authority (CA) communications based on Location

Resolution

When a client machine is "Quarantined" or "Isolated", the SEPM and EDR should still be able to connect to it to make policy changes or to perform troubleshooting. For a VPN-connected client this means recovering the VPN connection by adding "Allow" rules for the VPN traffic, so that the quarantined client can still reach the internal network, specifically the SEPM and the EDR.


The following options for regaining access to a "Quarantined" SEP client are listed from most to least preferred:

Option 1 - "Open External Firewall to access EDR" (allow the quarantined client to reach the EDR directly, without depending on the VPN)


Option 2 - "Duplicate and modify the SEDR Quarantine Firewall policy - Add rules to allow VPN and SEPM communications."

Step 1 - Duplicate the "Symantec EDR Quarantine Firewall policy"

    • Select the Policies side tab
    • Right-click the "Symantec EDR Quarantine Firewall policy"
    • Select Export and save the policy to a file
      • Note: Copy and paste will not work, because the policy is owned by the SEDR appliance.
    • Select Import and import the exported file. Name the new policy something like "Custom VPN - Symantec EDR Quarantine Firewall policy" and add the following statement in the Description field:
      • "This policy is no longer managed by the EDR and will not be overwritten or removed if the EDR connection is changed or group inclusions are adjusted."
        • Note: Because the EDR no longer owns it, this policy must be maintained manually from now on.

Step 2 - Add a new location "VPN Connected - Isolated"

    • Create conditions "Host Integrity - True" and "VPN connected" criteria

Step 3  - Add firewall rules to allow VPN and EDR traffic

Step 4 - Assign policy to all groups that the EDR manages


Option 3 - "Stopping SEP client / Connecting to VPN"

Warning: If the system is potentially infected, do NOT use these steps, because the SEP firewall is not running between "smc -stop" and "smc -start".

  • Ensure the EDR has rescinded the Quarantine/Isolation for the computer.
  • Restart the computer.
    • One of the first tasks for the SEP client is to check in to the SEPM and EDR to get the current policy settings. A VPN-only client cannot complete this check-in while the quarantine policy is active, which is why the following steps are needed.
  • Run "smc -stop" to stop the SEP client.
    • This stops the firewall from running.
    • Note: If the client's policy requires a password to stop the client service, smc prompts for it.
  • Connect to the VPN.
  • Run the "smc -start" command.
    • Note: Run from Task Manager (or an elevated command prompt) so the command runs with the highest privileges.
    • Note: If you run "smc -stop" and "smc -start" from the command line, you may need to use:
      • start smc -stop
      • start smc -start
    • Note: Once the client receives the new policy, the HI flag should clear, which reactivates the group's default firewall policy.
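The Option 3 sequence as a PowerShell script, added here as a worked example; it is not part of the original article and not a Symantec-provided tool. Only "smc -stop" and "smc -start" come from the steps above; the script adds a reachability check so the client is never left stopped with no SEPM in reach, and an "smc -updateconfig" to request an immediate policy pull. Assumptions are marked in the comments: the smc.exe path (it varies by SEP version and bitness), the SEPM hostname, and the SEPM client port (8014 is the default, yours may differ). The warning above still applies: the SEP firewall is down while the client is stopped.

```powershell
# Added example, not from the original KB article. Scripted form of Option 3.
# ASSUMPTIONS (adjust for your environment):
#   -SmcPath   location of smc.exe; differs between SEP versions / 32- vs 64-bit installs
#   -SepmHost  hostname of your SEPM (placeholder value below)
#   -SepmPort  SEPM client communication port; 8014 is the product default
# WARNING (from the article): do not use on a host that may be infected. The SEP
# firewall is not running between "smc -stop" and "smc -start".
param(
    [string]$SmcPath       = 'C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe', # assumed path
    [string]$SepmHost      = 'sepm.corp.example',                                            # assumed hostname
    [int]   $SepmPort      = 8014,                                                           # SEPM default client port
    [int]   $VpnTimeoutSec = 300
)

function Assert-Elevated {
    # smc -stop / -start need administrative rights (the article's "highest privileges" note).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
}

function Wait-ForSepm {
    # Poll until the SEPM port answers over the VPN, or give up after the timeout.
    # Checking the SEPM itself (rather than a VPN adapter name) works for any VPN client.
    param([string]$HostName, [int]$Port, [int]$TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $result = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
        if ($result.TcpTestSucceeded) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

Assert-Elevated
if (-not (Test-Path $SmcPath)) {
    throw "smc.exe not found at '$SmcPath'. Pass -SmcPath for your SEP version."
}

# 1. Stop the SEP client. This takes the SEP firewall (and the quarantine rules) down.
#    If the policy requires a password to stop the client service, smc prompts for it.
& $SmcPath -stop
Start-Sleep -Seconds 10

# 2. The operator connects the VPN now; wait until the SEPM is reachable through it.
Write-Host "Connect the VPN now. Waiting up to $VpnTimeoutSec s for ${SepmHost}:${SepmPort} ..."
if (-not (Wait-ForSepm -HostName $SepmHost -Port $SepmPort -TimeoutSec $VpnTimeoutSec)) {
    # Fail closed: bring the client and its firewall back even though the SEPM never came into reach.
    & $SmcPath -start
    throw "SEPM ${SepmHost}:${SepmPort} not reachable; SEP client restarted without a policy refresh."
}

# 3. Restart the client. It checks in with the SEPM/EDR and receives the current policy;
#    the HI flag then clears and the group's default firewall policy reapplies.
& $SmcPath -start
Start-Sleep -Seconds 15
& $SmcPath -updateconfig   # request an immediate policy pull (smc option; not in the article's step list)
Write-Host 'SEP client restarted. In SEPM, confirm the client now reports the group firewall policy, not the quarantine policy.'
```

Run it from an elevated PowerShell prompt before connecting the VPN, then connect the VPN when prompted. If the SEPM never becomes reachable within the timeout, the script restarts the client anyway so the host is not left without its firewall.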

Additional Information

Additional Background:

When a SEP client is quarantined by the EDR, the EDR raises the Host Integrity (HI) flag over the Endpoint Communication Channel (ECC), which activates the "Symantec EDR Quarantine Firewall policy". Rescinding the quarantine travels over the same channel, so a client whose quarantine policy blocks ECC traffic cannot receive it.

Other recommendations:

Review the following for possible improvements to the network configuration.

Where to place the appliance in your network for best results

Logical network diagram of a typical situation in which EDR Isolate/Rejoin needs the additional firewall-rule configuration within SEPM described above (diagram not reproduced in this text).