EDR creates repeated Incidents for the same SONAR events

Article ID: 223827

Products

- Endpoint Security Complete
- Endpoint Detection and Response
- Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

Some employees work from home and use f5vpn.exe to connect to the production network. Endpoint Detection and Response (EDR) flags f5vpn.exe as malicious and creates Incidents for these detections.

The Incident description reads "System Network Configuration Discovery" (the MITRE ATT&CK technique name EDR maps this behavior to). Is there a way to stop these Incidents from being raised?

Cause

- SONAR, the behavioral detection technology in Symantec Endpoint Protection (SEP) clients, detected F5vpn.exe modifying the hosts file. Modifying the hosts file is a classic technique for redirecting name resolution, so SONAR treats it as suspicious regardless of which process does it. In many environments, however, F5vpn.exe is an authorized executable that is expected to perform this action.
- The SEP clients forwarded these detection events to Endpoint Detection and Response (EDR).
- EDR correlated the events into Incidents for your SOC analysts to review. Because the VPN client repeats the same action on every connection, the same type of Incident is raised again and again.
- The behavior of both SEP and EDR is by design.

Environment

EDR 4.5.0 or later

Resolution

Options for configuring an exclusion to prevent repeated Incidents of the same type for the target executable:

  • Add the SHA256 hash of F5vpn.exe to the Allow List in EDR 4.5 or later. EDR then transmits the hash to SEPM as an Exclusion policy. Note that a hash exclusion only covers that exact build of the file; each F5 client update produces a new hash that must be added again.
  • Add the code-signing certificate of F5vpn.exe as a certificate exclusion within SEPM. This survives version updates, since every build signed with that certificate is covered.
  • Add another type of exclusion within SEPM (for example, an application or file exclusion).

Before creating any exclusion, confirm that the detected file is the genuine F5 client (valid Authenticode signature from the expected publisher) and not a renamed binary. An exclusion tells SONAR to ignore this executable's behavior, so it should be scoped as narrowly as the chosen exclusion type allows.
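The following PowerShell is an added example (not code from the KB article or from Broadcom/F5) showing how an analyst can gather the two values the options above need, the SHA256 hash and the signing certificate, while verifying the binary is genuinely signed before it is excluded. The install path and the expected publisher name pattern are assumptions; adjust them to your environment.

```powershell
# Added example: collect and verify the evidence needed before excluding an
# executable (such as f5vpn.exe) in the EDR Allow List or as a SEPM certificate
# exclusion. Not part of the KB article; paths and the publisher pattern are assumed.
function Get-ExclusionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Substring expected in the signer's Subject. 'F5' is an assumption;
        # verify it against the certificate on a known-good installation.
        [string]$ExpectedSignerPattern = 'F5',

        # Optional: export the signer certificate (DER .cer) for the SEPM
        # certificate exclusion workflow.
        [string]$ExportCertPath
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # SHA256 is the value the EDR Allow List accepts.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # Authenticode status tells us whether the file is an untampered, signed build.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $subject = if ($cert) { $cert.Subject } else { '<unsigned>' }
    $thumb   = if ($cert) { $cert.Thumbprint } else { $null }

    # Only a Valid signature from the expected publisher is safe to exclude.
    $safe = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSignerPattern*")

    if ($safe -and $ExportCertPath) {
        # Export-Certificate is in the PKI module (Windows 8 / Server 2012 and later).
        Export-Certificate -Cert $cert -FilePath $ExportCertPath -Type CERT | Out-Null
    }

    [pscustomobject]@{
        Path             = $Path
        ProductVersion   = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
        SHA256           = $hash.Hash
        SignatureStatus  = $sig.Status
        SignerSubject    = $subject
        SignerThumbprint = $thumb
        SafeToExclude    = $safe
    }
}

# Usage (install path is an assumption; adjust to where the F5 client lives):
$candidate = Get-ExclusionCandidate `
    -Path 'C:\Program Files (x86)\F5 VPN\f5vpn.exe' `
    -ExportCertPath "$env:TEMP\f5vpn-signer.cer"

$candidate | Format-List

if (-not $candidate.SafeToExclude) {
    Write-Warning 'Signature is not Valid or the signer is unexpected; do not exclude this binary.'
}
```

The SHA256 field is what goes into the EDR Allow List; because it is tied to one build, re-run the script after every F5 client update. The exported certificate (or the SignerThumbprint, to identify it) supports the SEPM certificate exclusion, which keeps working across updates signed with the same certificate. If SignatureStatus is anything other than Valid, treat the detection as a real finding rather than a false positive.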


Additional Information