Decommissioning Symantec EDR


Article ID: 223603


Products

Endpoint Detection and Response

Issue/Introduction

You are planning to remove an Endpoint Detection and Response appliance from your environment and need guidance on what to consider.

Cause

Before deactivating the EDR, consider connected applications such as SEP, Splunk, and OAuth. The goal is to avoid issues after shutdown that would require the same EDR to be recommissioned and brought back online.

Environment

Release: All versions of EDR

Resolution

Decommissioning is complete when the SEPM connector is removed via the EDR Web UI. When the SEPM Controller connection is removed, EDR sends a removal command that restores the Insight policy to the default Insight policy. All other policies from the EDR are removed. This restores the SEPM to its pre-EDR configuration and ensures that the EDR does not need to be powered on again.

For other connectors, such as Splunk, EDR is not required to be online in order to remove the receiving end of their functions. Other considerations depend only on the administrator's policy and preference.
Environmental considerations and cleanup (DHCP reservations, DNS entries, user accounts, etc.) are not considered here.