Beginning with Symantec Endpoint Protection Client for Linux 14.3 RU3, supported Linux versions can be configured to send Network events to Symantec Endpoint Detection and Response (EDR).
Red Hat Enterprise Linux (RHEL) versions 8.7 and 9.1 are not properly sending EDR network events.
There may be some events at the start of a session, but soon after, no events will be sent from the client.
Broadcom Engineering has completed its investigation on the open source code for RHEL 9.1 and RHEL 8.7 and determined that a code defect in these distributions has caused the unwanted behavior. The impacted versions are:
4.18.0-425.x (RHEL 8.7)
5.14.0-162.x (RHEL 9.1 and Rocky9U1)
There can be initial events sent from these kernel versions.
Broadcom recommends not using the affected versions if reliable network events are desired. No other work has been undertaken for other potential issues; the effect of the third-party defect is only detailed with regard to EDR network events. There are no known workarounds or fixes.
Affected versions as of date of publishing:
| Distro | EDR Network Events | Notes |
| --- | --- | --- |
| RHEL 9.1 | Impacted | Latest version |
| RHEL 9.0 (and below) | Not impacted | |
| RHEL 8.7 | Impacted | Latest version |
| RHEL 8.6 (and below) | Not impacted | |
| RHEL 7 (all versions) | Not impacted | |
| RHEL 6 (all versions) | Not impacted | |
| Ubuntu 22.04 | Not impacted | |
| Ubuntu 20.04 | Not impacted | |
| Ubuntu 18.04 | Not impacted | |
| Ubuntu 16.04 | Not impacted | |
| Amazon Linux 2 | Not impacted | |
| SLES 15 | Not impacted | |
| SLES 12 | Not impacted | |
| Oracle Linux 8 | Not impacted | |
| Oracle Linux 7 | Not impacted | |
| Oracle Linux 6 | Not impacted | |
This list may not be fully inclusive of every affected kernel and may be updated in the future.
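
One way to find hosts running the impacted kernel series listed above, as an added example that is not Broadcom's code. The function names, the "hostname kernel-release" inventory format and the sample hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Broadcom code): flag kernels in the two release series
# this article lists as impacted. Matches the kernel release string only.

# Return 0 if the release string is in an impacted series, 1 otherwise.
edr_kernel_impacted() {
    case "$1" in
        4.18.0-425.*) return 0 ;;   # RHEL 8.7
        5.14.0-162.*) return 0 ;;   # RHEL 9.1 and Rocky9U1
        *)            return 1 ;;
    esac
}

# Read "hostname kernel-release" pairs on stdin and print the impacted ones.
# Blank lines and lines starting with '#' are skipped.
list_impacted_hosts() {
    while read -r host krel _; do
        case "$host" in ''|\#*) continue ;; esac
        [ -n "$krel" ] || continue
        if edr_kernel_impacted "$krel"; then
            printf '%s\t%s\n' "$host" "$krel"
        fi
    done
}

# Constructed sample inventory (hostnames and kernel builds are illustrative).
SAMPLE_INVENTORY='web01 4.18.0-425.3.1.el8.x86_64
web02 4.18.0-372.9.1.el8.x86_64
db01 5.14.0-162.6.1.el9_1.x86_64
db02 5.14.0-70.13.1.el9_0.x86_64
app01 5.15.0-56-generic'

# Check the local host, then the sample inventory.
if edr_kernel_impacted "$(uname -r)"; then
    echo "local kernel $(uname -r): in an impacted series"
else
    echo "local kernel $(uname -r): not in a listed impacted series"
fi
printf '%s\n' "$SAMPLE_INVENTORY" | list_impacted_hosts
```

Because the list may not include every affected kernel, a host that does not match is not confirmed to be sending network events reliably.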