Sometimes an operation such as Submit to Sandbox fails with an error showing "UNSUPPORTED SEP VERSION" in the event metadata.
Release: 4.6.8
The error message is misleading. An unenrolled endpoint has continued to send event data to the EDR, and Submit to Sandbox was run from one of these events even though that endpoint is not part of a group that EDR has a managed policy for.
The client is not managed. Ensure that the workstation is a supported client type (OS version and type) and that it is a member of a SEPM group that your EDR policy includes. This is a different symptom of the same issue described in the KB article "EDR displays an IP address but no other information about an endpoint".
Do not change EDR-created policies directly on the SEPM. If an unenrolled or previously enrolled endpoint has had its External Communications Policy changed on the SEPM, events from that endpoint can appear on the EDR without the endpoint being managed by the EDR. This could also be caused by a de-enrollment of a client because of a fault, without the External Communications Policy being changed. Any time the SEPM connector fails without being removed manually from the EDR, this situation may arise.