
Advanced Threat Protection Action: Delete File from Endpoints


Article ID: 162826


Updated On:


Endpoint Detection and Response, Advanced Threat Protection Platform


When a file is selected for deletion in Advanced Threat Protection (ATP), it is not actually deleted; instead, the selected endpoint quarantines it.

The "Delete File From Endpoints" dialog mentions this:


When a file is selected to be deleted in ATP, the following will occur:

The Client's Symantec Endpoint Protection Manager (SEPM) will issue an Evidence of Compromise (EoC) Scan to find the selected file:



The SEP Client receives the command on its next heartbeat:



The Client sends the first results back to SEPM. SEPM issues the Quarantine command via the same EoC mechanism:



The SEP Client runs the second EoC command and Quarantines the file:




If the file was Quarantined in error, it can be restored from the SEP Client's Quarantine: