ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Exceptions discovered for hashes that are known indicators of compromise

book

Article ID: 226935

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Detection and Response

Issue/Introduction

Reporting indicates that some hashes known to be Indicators of Compromise (IoC) appear in Symantec Endpoint Protection (SEP) clients registry as exclusions. 

Cause

These are placed by the Endpoint Detection and Response (EDR) deny list.

The deny list is implemented in SEP policy as a series of exclusions. 

Unlike exclusions generated from the SEPM, these exclusions are configured to quarantine or delete the matching files, if they are  found. 

The SEP clients implement these exceptions in a series of registry keys, on which some security software scans and reports. 

Resolution

If you see these exclusions in the registry, verify in the SEP exclusion policy that they were placed by EDR.