Some employees work at home using f5vpn.exe to connect to the production network. Endpoint Detection and Response (EDR) detects f5vpn.exe as malicious and creates incidents for these detections.
As the description, EDR shows "System Network Configuration Discovery". Is there any solution to fix this issue?
- The SONAR technology of Symantec Endpoint Protection (SEP) clients detected F5vpn.exe altering the hosts file. Note that in many environments, F5vpn.exe is an authorized executable permitted to perform this function.
- The SEP clients then forwarded these detection events to Endpoint Detection and Response (EDR).
- EDR organized these events into Incidents for your SOC analysts to review.
- The behavior of both SEP and EDR is by design.
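
Before excluding the executable, an analyst can confirm that the hosts file changes behind an Incident are limited to names the VPN is expected to add. The following Python is an added example, not Symantec or F5 code; the suffix `corp.example` and the sample hosts file contents are constructed assumptions.

```python
import ipaddress

def parse_hosts(text):
    """Return the set of (hostname, ip) mappings found in hosts-file text."""
    entries = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # first field is not an IP, skip line
        for name in fields[1:]:
            entries.add((name.lower().rstrip("."), ip))
    return entries

def review_hosts_change(baseline, current, expected_suffixes):
    """Split mappings added since the baseline into expected and unexpected."""
    added = parse_hosts(current) - parse_hosts(baseline)
    suffixes = [s.lower().strip(".") for s in expected_suffixes]
    expected, unexpected = [], []
    for name, ip in sorted(added):
        # Match on a label boundary so "evilcorp.example" does not pass as "corp.example".
        in_scope = any(name == s or name.endswith("." + s) for s in suffixes)
        (expected if in_scope else unexpected).append((name, ip))
    return expected, unexpected

# Constructed sample data, not taken from a real endpoint.
BASELINE = "127.0.0.1 localhost\n::1 localhost\n"
CURRENT = (
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "10.20.0.5 vpn.corp.example   # constructed entry\n"
    "10.20.0.9 files.corp.example intranet.corp.example\n"
    "203.0.113.7 updates.other.example\n"
)

if __name__ == "__main__":
    ok, needs_review = review_hosts_change(BASELINE, CURRENT, ["corp.example"])
    print("expected:", ok)
    print("needs review:", needs_review)
```

An empty "needs review" list supports treating the Incident as the authorized VPN behavior described above; any entry in it should be examined before an exclusion is created.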
EDR 4.5.0 or later
Options for configuring an exclusion to prevent repeated Incidents of the same type for the target executable: