ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Decommissioning Symantec EDR

book

Article ID: 223603

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

You are planning to remove an Endpoint Detection and Response appliance from your environment and need guidance in what things to consider.

Cause

Before Deactivating the EDR, you want to consider connected applications like SEP, Splunk, OAuth. The goal is to avoid issues post shutdown that require the same EDR to be recommissioned online.

Environment

Release : All versions of EDR

Resolution

When removing the SEPM Controller connection, EDR sends a removal command that restores the Insight policy to the default Insight policy. 

EDR might not delete the Symantec EDR Quarantine Policy or Symantec EDR Host Integrity Policy. These should be disabled manually if they exist post removal of the SEPM connection.

For other connectors, EDR is not required to be online in order to remove the receiving end of their functions, such as Splunk. Other considerations depend on the Administrators policy and preference only.
Environmental considerations and cleanup (DHCP reservations, DNS entries, User accounts etc.) are not considered here.