SEDR - Submissions to sandbox may fail with error "Unsupported SEP version"

Article ID: 238616

Products

Endpoint Detection and Response

Issue/Introduction

An operation such as Submit to Sandbox sometimes fails with the error "UNSUPPORTED SEP VERSION" shown in the event metadata.

Cause

The error message is misleading. An unenrolled endpoint has continued to send event data to the EDR, and Submit to Sandbox was run from one of those events even though the endpoint is not part of a group that EDR has a managed policy for.

Environment

Release: 4.6.8

Resolution

The client is not managed. Ensure that the workstation is a supported client type (OS version and type) and that it is a member of a SEPM group that your EDR policy includes. This is a different symptom of the same issue described in the KB article "EDR displays an IP address but no other information about an endpoint".

Additional Information

Do not change the policies that EDR creates directly on the SEPM. If an unenrolled or previously enrolled endpoint has had its External Communications Policy changed on the SEPM, events can appear on the EDR without that endpoint being managed by the EDR. The same can happen when a client is de-enrolled because of a fault, without the External Communications Policy being changed. This situation may arise any time the SEPM connector fails without being removed manually from the EDR.