EDR creates repeated Incidents for the same SONAR events
Article ID: 223827
Updated On:
Products
Issue/Introduction
Some employees work at home using f5vpn.exe to connect to production network. Endpoint Detection and Response (EDR) detects f5vpn.exe as malicious and EDR create incidents for these.
As description, EDR shows "System Network Configuration Discovery". Is there any solution to fix this issue?
Environment
EDR 4.5.0 or later
Cause
- The SONAR technology of Symantec Endpoint Protection (SEP) clients detected F5vpn.exe altering the hosts file. Note that in many environments, F5vpn.exe is an authorized executable permitted to perform this function.
- The SEP clients then forwarded these detection events to Endpoint Detection and Response (EDR).
- EDR organized these events into Incidents for your SOC analysts to review.
- The behavior of both SEP and EDR is by design.
Resolution
Options for configuring an exclusion to prevent repeated Incidents of the same type for the target executable:
- Add the SHA256 hash to the Allow List of EDR 4.5 or later, which will then transmit this to SEPM as as Exclusion policy.
- Add the certificate of the F5vpn.exe as a certificate exclusion within SEPM
- Add another type of exclusion within SEPM
Additional Information
- https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-exceptions-in-v36686987-d51e6/creating-exceptions-for-virus-and-spyware-scans-v39814459-d51e102/excluding-a-certificate-from-scans-on-windows-clie-v121287469-d51e1883.html
- https://knowledge.broadcom.com/external/article?legacyId=TECH171061
Feedback
