Recommendation for Symantec EDR 4.x event data backup

Article ID: 263108

Updated On: 11-29-2024

Products

Endpoint Detection and Response
Endpoint Detection and Response Hardware

Issue/Introduction

The integrated Backup feature of Symantec EDR is implemented as a full snapshot of the database taken at a single point in time. Events collected by Symantec EDR while the backup is running are not included in the snapshot.

Depending on the database size, the encryption setting, the network transfer rate and the resources available on the storage destination, a full backup can take days to finish. This means that any event data collected since the last successfully completed backup (including events collected while that backup was running) will be lost should Symantec EDR need to be redeployed.

The overall performance of Symantec EDR is affected by the backup process, as it generates a heavy load on the system. Furthermore, while the backup is running, the SEPM gatherer process is halted, meaning that no new machines can be enrolled in Symantec EDR. See the related article:
https://knowledge.broadcom.com/external/article?articleId=252782

Resolution

To address the need for a readily available historical view of event data, we recommend using SIEM integration with Symantec EDR rather than relying on the backup feature for event retention.