Are Advanced Threat Protection platform or Symantec Endpoint Detection and Response appliance software FIPS compliant?

Article ID: 150939

Products

Endpoint Detection and Response; Advanced Threat Protection Platform; Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

You may have a requirement for Windows servers and/or clients to run in FIPS mode.

Environment

Release : SEP 14.3.x, EDR 4.6.x

On Windows 10 and Windows Server 2012 and newer, FIPS mode is indicated by this registry value being set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy "Enabled"=dword:00000001

Resolution

The ATP and SEDR appliances are not FIPS compliant under any software version. SEP clients running on FIPS-mode-enabled Windows cannot enroll in the appliances for the ECC 2.0 feature.

If FIPS mode is enabled, some Windows servers stay at 'Not connected' when connecting to EDR, and the EDR console shows 'authentication pending' for them.

Other clients in the same SEPM group, on the same network segment, may connect to EDR without problems.

In the SEP client debug logs:

2021/12/17 13:44:39.621 [2552:3696] edrmanagement: Failed to get Dynamic\EDR\Management\CMP\Config\enabled property. Use default value = 0x1(true)..
2021/12/17 13:44:39.624 [2552:3696] edrmanagement: Data 'Reenrolling' is not found. Use default value '0'
2021/12/17 13:44:41.213 [2552:4820] <SetHIContentInfo>: g_CVEHandler is null!

Disable FIPS mode.

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
Change Enabled value to 0.
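The check and remediation above, as an added PowerShell example that is not part of this article: it reports which hosts have FipsAlgorithmPolicy\Enabled set to 1 (the ones whose SEP client cannot enroll in a pre-4.8 EDR appliance) and, only when -Disable is given, sets the value to 0. It assumes PowerShell Remoting (WinRM) is available for remote hosts, that the caller is a local administrator on each target, and that the host names shown are constructed placeholders.

```powershell
# Added example, not from the KB article: audit FIPS mode on one or more Windows hosts
# and, only with -Disable, apply the article's remediation (Enabled = 0).
# Assumptions: WinRM is enabled for remote targets; caller is an administrator on them.
function Get-FipsModeStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Disable
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    # Runs on each target: read the DWORD, optionally set it to 0, report the outcome.
    $probe = {
        param($Path, $DoDisable)
        $value   = (Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $changed = $false
        if ($DoDisable -and $value -eq 1) {
            Set-ItemProperty -Path $Path -Name Enabled -Value 0 -Type DWord
            $changed = $true   # a restart is still required before the new policy takes effect
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            FipsEnabled  = ($value -eq 1)      # $null (value absent) counts as not enabled
            Changed      = $changed
        }
    }

    foreach ($target in $ComputerName) {
        # Honour -WhatIf/-Confirm for the write only; the read always runs.
        $doDisable = $Disable -and $PSCmdlet.ShouldProcess($target, 'Set FipsAlgorithmPolicy\Enabled to 0')
        if ($target -eq $env:COMPUTERNAME) {
            & $probe $regPath $doDisable
        } else {
            Invoke-Command -ComputerName $target -ScriptBlock $probe -ArgumentList $regPath, $doDisable
        }
    }
}

# Audit only (constructed host names): list the hosts that are in FIPS mode.
Get-FipsModeStatus -ComputerName 'SERVER01', 'SERVER02' | Where-Object FipsEnabled

# Remediate per the article: preview with -WhatIf first, then run without it.
# Get-FipsModeStatus -ComputerName 'SERVER01' -Disable -WhatIf
```

On EDR 4.8 with SEP 14.3 RU8 (see Additional Information) FIPS mode can stay enabled, so run the audit first and disable only on hosts that still need to enroll in an older appliance.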

Related documentation: Unsupported features and limitations in the FIPS 140-2 level 1-compliant mode

Additional Information

FIPS support: Symantec EDR 4.8 supports Symantec Endpoint Protection (SEP) 14.3 RU8 on Windows operating systems configured in FIPS-compliant mode. Previous versions of Symantec EDR did not support network connectivity from SEP endpoints whose agent is configured to use only FIPS encryption algorithms. Symantec EDR 4.8 supports HTTPS network connections from FIPS-enabled SEP endpoints and, where required, HTTPS connections to FIPS-enabled SEPM and SEPM database servers. The HTTPS services that Symantec EDR uses for other external connections support negotiating a FIPS-compliant algorithm with the remote device. HTTPS services used only for "on box" connections (from one Symantec EDR appliance service to another) that may accept non-FIPS-compliant HTTPS algorithms are documented.