
Why doesn't the Endpoint Activity Recorder rule prevent an incident being created for my application?


Article ID: 229504


Products

Endpoint Security Complete

Issue/Introduction

  • Why doesn't Symantec Endpoint Security Complete stop creating incidents after I create an Endpoint Activity Recorder rule for an application used in my environment?
  • Symantec Endpoint Security Complete (SESC) creates 8027 or other 8xxx events for a legitimate application even though I have already created an Endpoint Activity Recorder rule for it.


Environment

Symantec Endpoint Security Complete (Integrated Cyber Defense Manager - ICDM).

  • Detection and Response policy type with Endpoint Activity Recorder rules for a legitimate application.

Cause

  • Incident creation is governed by incident rules.
  • Endpoint Activity Recorder rules only change which events matching the rule's condition are submitted; they do not govern incident creation.


Resolution

The Endpoint Activity Recorder rules in a Detection and Response policy will not prevent incidents from being created for 8xxx events. These rules affect only event collection, not incident creation. The product and policy are working as designed.

How can I prevent my application from generating an incident?

  1. Incident rules can be disabled if a specific rule generates false positives in your environment and no malicious incidents are being created by that rule.
    • See the SES documentation topics About incident rules and Incident Rules.
  2. Creating exceptions in the relevant SESC policies may better shape what is collected and submitted to the cloud console. The relevant policies may include, but are not limited to:
    • App Control
    • Detection and Response
    • IPS
    • Whitelist
  3. Submit non-emergency false positives using the Incorrectly Detected by Symantec tab at https://symsubmit.symantec.com/. You do not have to open a support case for non-emergency requests.
  4. Apply the latest definitions to the SES agent.
  5. It is also recommended that you review the SES documentation topic Using Adaptive Protection in the online technical documentation.

PLEASE NOTE that it is outside the scope of support to create or manage policy changes in a customer environment. The policy changes required in your environment will differ from those required in other customer environments.

Additional Information

How to access the online technical documentation:

  1. Navigate to https://support.broadcom.com
  2. Click Symantec Enterprise Security
  3. Click Enterprise Security and Management
  4. Click Endpoint Security (SES)
  5. Click the Search this product field and enter your search terms.