
Exceptions discovered for hashes that are known indicators of compromise


Article ID: 226935


Updated On:


Endpoint Protection, Endpoint Detection and Response


Reporting indicates that some hashes known to be Indicators of Compromise (IoC) appear as exclusions in the registry of Symantec Endpoint Protection (SEP) clients.


These are placed by the Endpoint Detection and Response (EDR) deny list.

The deny list is implemented in SEP policy as a series of exclusions. 

Unlike exclusions generated from the SEPM, these exclusions are configured to quarantine or delete the matching files if they are found.

The SEP clients implement these exceptions in a series of registry keys, which some security software scans and reports on.


If you see these exclusions in the registry, verify in the SEP exclusion policy that they were placed by EDR.