Advanced Threat Protection Action: Delete File from Endpoints


Article ID: 162826


Updated On:

Products

Endpoint Detection and Response
Advanced Threat Protection Platform

Issue/Introduction

When a file is selected for deletion in Advanced Threat Protection (ATP), it is not removed from disk. Instead, the Symantec Endpoint Protection (SEP) client on the selected endpoint moves it into its Quarantine, from which it can later be restored.

The "Delete File From Endpoints" dialog mentions this:

Resolution

When a file is selected to be deleted in ATP, the following sequence occurs:

1. The Symantec Endpoint Protection Manager (SEPM) that manages the client issues an Evidence of Compromise (EoC) scan to locate the selected file.

2. The SEP client receives the scan command on its next heartbeat.

3. The client sends the first results back to SEPM. SEPM then issues the Quarantine command through the same EoC mechanism.

4. The SEP client picks up and runs the second EoC command on a subsequent heartbeat and quarantines the file.

Because each EoC command is only collected when the client checks in, the quarantine completes no sooner than two heartbeats after the request, and the file is never deleted outright; it remains in the client's Quarantine store.

If the file was quarantined in error, it can be restored from the SEP client's Quarantine.
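The following Python model, added here as an illustration and not code from Symantec or from the original article, walks through the four steps above as a message exchange between a stand-in SEPM and a stand-in SEP client: the ATP delete request becomes an EoC scan, the client pulls commands only on heartbeat, the scan results trigger a second EoC (quarantine) command, and the end state is a quarantined, restorable file rather than a deleted one. The class and function names, the heartbeat interval, the file paths and the file contents are all assumptions constructed for the example; they are not SEPM's real command format.

```python
"""Model of the ATP "Delete File From Endpoints" workflow (illustrative only).

Shows why the request needs two heartbeats and ends in Quarantine, not deletion.
"""

import hashlib
from dataclasses import dataclass, field

# Assumed interval for the model; the real value is set per client group in
# SEPM, so check your console rather than relying on this number.
HEARTBEAT_SECONDS = 300


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Sepm:
    """Stand-in for SEPM: queues EoC commands that clients pull on heartbeat."""

    def __init__(self) -> None:
        self.queue: list[dict] = []

    def request_delete(self, file_hash: str) -> None:
        # Step 1: the ATP "delete" request becomes an EoC *scan* first.
        self.queue.append({"type": "eoc_scan", "sha256": file_hash})

    def receive_scan_results(self, hits: list[str], file_hash: str) -> None:
        # Step 3: results come back; SEPM answers with a second EoC command.
        for path in hits:
            self.queue.append({"type": "eoc_quarantine", "path": path, "sha256": file_hash})

    def pull_commands(self) -> list[dict]:
        cmds, self.queue = self.queue, []
        return cmds


@dataclass
class SepClient:
    files: dict[str, bytes]                      # constructed "disk": path -> content
    quarantine: dict[str, bytes] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def heartbeat(self, sepm: Sepm) -> int:
        """Steps 2 and 4: pull queued commands and run them; return how many ran."""
        cmds = sepm.pull_commands()
        for cmd in cmds:
            if cmd["type"] == "eoc_scan":
                hits = [p for p, data in self.files.items() if sha256_hex(data) == cmd["sha256"]]
                self.log.append(f"scan {cmd['sha256'][:12]}: {len(hits)} hit(s)")
                sepm.receive_scan_results(hits, cmd["sha256"])
            elif cmd["type"] == "eoc_quarantine":
                path = cmd["path"]
                data = self.files.get(path)
                # Re-check the hash: the file may have changed since the scan ran.
                if data is not None and sha256_hex(data) == cmd["sha256"]:
                    self.quarantine[path] = self.files.pop(path)   # moved, not deleted
                    self.log.append(f"quarantined {path}")
                else:
                    self.log.append(f"skipped {path}: missing or hash mismatch")
        return len(cmds)

    def restore(self, path: str) -> bool:
        """The manual restore from the client's Quarantine; False if nothing to restore."""
        if path not in self.quarantine:
            return False
        self.files[path] = self.quarantine.pop(path)
        self.log.append(f"restored {path}")
        return True


def run_delete(sepm: Sepm, client: SepClient, file_hash: str, max_beats: int = 10) -> int:
    """Issue the ATP delete and heartbeat until SEPM's queue drains; return beats used."""
    sepm.request_delete(file_hash)
    beats = 0
    while sepm.queue and beats < max_beats:
        client.heartbeat(sepm)
        beats += 1
    return beats


def build_scenario() -> tuple[Sepm, SepClient, str, str]:
    """Constructed sample data: one suspect file plus a benign one that must stay put."""
    suspect = r"C:\Users\alice\Downloads\invoice.exe"
    client = SepClient(files={
        suspect: b"MZ-not-really-a-pe-constructed-sample",
        r"C:\Windows\notepad.exe": b"MZ-benign-constructed-sample",
    })
    return Sepm(), client, suspect, sha256_hex(client.files[suspect])


if __name__ == "__main__":
    sepm, client, path, h = build_scenario()
    beats = run_delete(sepm, client, h)
    print(f"{beats} heartbeats (about {beats * HEARTBEAT_SECONDS}s) before quarantine")
    print("\n".join(client.log))
    print("on disk:", list(client.files), "| quarantined:", list(client.quarantine))
    client.restore(path)
    print("after restore, on disk:", list(client.files))
```

Running it shows two heartbeats between the request and the quarantine, the benign file untouched, and the suspect file coming back from Quarantine intact; the hash re-check before quarantining is a safeguard the model adds so a file that changed between the scan and the second command is not quarantined on a stale match.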
