SEDR removes the groups from its Group Inclusion list when receiving a 500 error from SEPM

Article ID: 176120

Products

Endpoint Detection and Response
Advanced Threat Protection Platform

Issue/Introduction

Symantec Endpoint Detection and Response (SEDR) removes groups from its Group Inclusion list when it receives an HTTP 500-level error from the configured Symantec Endpoint Protection Manager (SEPM) Controller while pulling the group list.

Log entries similar to the following occur in central_manager.log of SEDR:

INFO org.springframework.scheduling.concurrent.ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:100) [1873631950] - Starting process to pull all groups from SEPM...
ERROR org.springframework.scheduling.concurrent.ScheduledExecutorFactoryBean#0-1 (GetGroups.java:getSepmGroups:166) Could not parse GetGroupsResponse because class javax.ws.rs.ProcessingException: Error reading entity from input stream.: java.net.SocketException: Connection reset
INFO org.springframework.scheduling.concurrent.ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\Container1\Container2\Container3


Cause

When the request for group information from SEPM fails (an unexpected HTTP 500-level response, or, as in the log entries above, a connection reset while reading the response body), SEDR aborts the group pull but treats the missing data as if the groups no longer existed in SEPM and removes them from the Group Inclusions of that SEPM Controller. A transient server-side failure is therefore handled like a confirmed deletion. The groups are not restored automatically on a later successful pull; manually editing the Group Inclusions setting for the SEPM Controller is the only way to add them back. Until the appliance is upgraded, review central_manager.log for "Group Removed from Sepm" entries that follow a "Could not parse GetGroupsResponse" error to identify which groups need to be re-added.
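The following Python is an added example, not code from this article or from Symantec. It does two things for the log entries and the cause described above: it scans constructed central_manager.log lines for Group Inclusion removals that occur in a pull cycle that also logged a GetGroupsResponse error (those are the entries an administrator has to re-add by hand), and it contrasts a hypothetical model of the faulty reconciliation (a failed fetch handled as an empty group list) with a fail-safe variant that leaves the managed list untouched when the fetch fails. The log format, the `reconcile_*` functions and `SepmFetchError` are assumptions for illustration and do not reflect SEDR's actual implementation.

```python
import re
from typing import Callable, Iterable

# Constructed sample of central_manager.log entries, modelled on the lines
# quoted in the article; this is not a real capture. The layout (level, thread,
# source location, message) is assumed from those quoted lines.
SAMPLE_LOG = """\
INFO ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:100) [1873631950] - Starting process to pull all groups from SEPM...
ERROR ScheduledExecutorFactoryBean#0-1 (GetGroups.java:getSepmGroups:166) Could not parse GetGroupsResponse because class javax.ws.rs.ProcessingException: Error reading entity from input stream.: java.net.SocketException: Connection reset
INFO ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\\Container1\\Container2\\Container3
INFO ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\\Servers
INFO ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:100) [1873631951] - Starting process to pull all groups from SEPM...
INFO ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\\Retired
"""

START_RE = re.compile(r"Starting process to pull all groups from SEPM")
FETCH_ERROR_RE = re.compile(r"Could not parse GetGroupsResponse")
REMOVED_RE = re.compile(r"Group Removed from Sepm Removing same from managed list:(.+)$")


def groups_removed_after_fetch_error(log_lines: Iterable[str]) -> list[str]:
    """Return the Group Inclusion entries that SEDR dropped in a pull cycle
    in which the SEPM group fetch itself failed.

    A cycle starts at the 'Starting process to pull all groups' line. Removals
    in a cycle that logged a GetGroupsResponse error are suspect, because the
    group was never confirmed gone; removals in a clean cycle are genuine and
    are not reported.
    """
    suspect: list[str] = []
    cycle_failed = False
    for line in log_lines:
        if START_RE.search(line):
            cycle_failed = False  # new pull cycle, reset the failure flag
            continue
        if FETCH_ERROR_RE.search(line):
            cycle_failed = True
            continue
        m = REMOVED_RE.search(line)
        if m and cycle_failed:
            suspect.append(m.group(1).strip())
    return suspect


class SepmFetchError(Exception):
    """Hypothetical error raised when the SEPM group listing cannot be
    retrieved or parsed (HTTP 5xx, connection reset, unreadable entity)."""


def failing_fetch() -> set[str]:
    """Simulated SEPM fetch that fails the way the article describes."""
    raise SepmFetchError("HTTP 500 / connection reset from SEPM")


def reconcile_pre_421(managed: set[str], fetch: Callable[[], set[str]]) -> set[str]:
    """Model of the pre-4.2.1 behaviour described in the article (hypothetical
    reconstruction, not SEDR's code): a failed fetch is handled as if SEPM
    returned no groups, so every managed group looks deleted and is dropped."""
    try:
        current = fetch()
    except SepmFetchError:
        current = set()
    return managed & current


def reconcile_fail_safe(managed: set[str], fetch: Callable[[], set[str]]) -> set[str]:
    """Fail-safe variant: a fetch failure aborts reconciliation and leaves the
    managed list unchanged; only a successful listing may remove a group."""
    try:
        current = fetch()
    except SepmFetchError:
        return set(managed)
    return managed & current


if __name__ == "__main__":
    for group in groups_removed_after_fetch_error(SAMPLE_LOG.splitlines()):
        print("re-add to Group Inclusions:", group)
    managed = {"My Company\\Servers", "My Company\\Workstations"}
    print("pre-4.2.1 after failed fetch:", reconcile_pre_421(managed, failing_fetch))
    print("fail-safe after failed fetch:", reconcile_fail_safe(managed, failing_fetch))
```

Run the script against an exported central_manager.log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the printed groups are the ones to restore under the SEPM Controller's Group Inclusions. Note that the last removal in the sample belongs to a clean cycle and is correctly left out.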

Resolution

This issue is resolved in SEDR 4.2.1. Upgrade to SEDR 4.2.1 or later to correct the behavior, then re-add any groups that were removed from the Group Inclusions setting while the affected version was in use.