Bulk delete of policies in Endpoint Detection & Response (EDR)

Article ID: 222715

Products

Endpoint Detection and Response

Issue/Introduction

Over time, you may have created many Allow (whitelist) or Deny (blacklist) policies for your Endpoint Detection & Response appliance. There may come a time when you need to remove multiple policies at once, or 'Bulk delete'.

Cause

  • EDR has no option in the WebGUI to select multiple policies for 'bulk deletion' (see the applicable version below).
  • The Command Line Interface does not have any methods to manage these types of policies; see Using the Symantec EDR command-line interface.
  • Restoring a configuration with any export/import controls from the WebGUI only restores policies in an additive manner; it does not delete policies already present.
  • A full restore may not be an option.

Environment

Release : 4.6.8

Resolution

Broadcom has exposed a set of Application Programming Interfaces (APIs) for 'on premise' EDR. You can find the API documentation here: https://apidocs.securitycloud.symantec.com/.

Among the methods available are the following API commands:

  • Create Allow List Policies
  • Create BlackList Policies
  • Delete BlackList Policy
  • Update Policy Comment
  • Create Deny List Policies
  • Delete Deny List Policy
  • Update Deny Policy Comment

These methods are the only current ways to bulk delete 'Allow' or 'Deny' policies in the EDR Appliance.
Broadcom APIs are not part of product standard support (see the Broadcom® Software Broadcom Maintenance Policy Handbook) and are intended for customers wishing to develop their own interfaces to our products.

Additional Information

If you are actually looking for information on importing policies, see the EDR Help documentation page titled 'Importing Policies'. If you experience problems importing policies, see the article Troubleshooting error message: "Aborted importing policies. Error occured while serializing JSON object ..." while importing EDR Deny and Allow Lists.