Many type 4102 events are recorded for Heur.AdvML.C or other machine learning detections in SEDR Endpoint

Article ID: 176271

Products

Endpoint Detection and Response

Issue/Introduction

After you configure the Symantec Endpoint Detection and Response appliance's SEP policies to push the Private Cloud policies to your SEP clients, the clients begin to use the SEDR appliance as their submission proxy. As a result, the SEDR appliance records events that the SEP client itself may never log, either because the signatures involved are marked silent or because another process has already exonerated the file or detection. An example of one of these event records, as stored by SEDR:

{
  "atp_protocol": "av",
  "av": {
    "date_detected": "2019-10-xxx",
    "date_quarantined": null,
    "extended_avping_info": "AwxxxxQ==",
    "priority": null,
    "reason": null,
    "result": "completed",
    "threat_categories": "3"
  },
  "avping_data": {
    "def_data_set": 1,
    "def_sig_hashes": null,
    "detect_engine_id": 56,
    "packer_info": [
      {"engine_id": 1, "packer_family": 171, "packer_subtype": 0}
    ],
    "signature_hits": 0
  },
  "device_ip": "192.0.2.1",
  "device_name": "<DEVICE_NAME>",
  "device_time": "2019-10-21T17:26:17.616Z",
  "device_uid": "<DEVICE_UID>",
  "feature_name": "SymantecEDR:Endpoint",
  "feature_ver": "2014.2.0",
  "file": {
    "accessed": null,
    "created": null,
    "folder": "CSIDL_SYSTEM_DRIVE\\",
    "md5": null,
    "modified": null,
    "name": "<FILE_NAME>",
    "sha2": "<SHA2>",
    "size": null,
    "version": null
  },
  "id": 0,
  "platform": {
    "country": "1",
    "language": "English",
    "processor": "<PROCESSOR>",
    "scanner": "Symantec Endpoint Protection 14.2.3332.1000",
    "system": "Windows"
  },
  "process": {"cmd_line": null},
  "product_name": "SymantecEDR:Endpoint",
  "scan": {"signatures_version": "20xx0.004", "technology": "AV-Exonerated"},
  "sep_mid": "<SEP_MID>",
  "submission_retry_count": "0"
}

Environment

SEP 14 MP1 or later and SEDR 4.x or ATP 3.x.

Cause

SEP 14 introduced a new Advanced Machine Learning feature that uses cloud reputation submissions. These submissions show as av-ping events sent through SONAR. For more information, review this document:

About Advanced Machine Learning in Endpoint Protection 14
https://knowledge.broadcom.com/external/article?articleId=164119

Resolution

These 4102 events may be purely informational, for example telling you that a packed file was found. SEDR records these submissions as events in the SEDR database. They are also forwarded to any configured syslog or Splunk servers, and are picked up by any software that uses the API to gather event data.

It is not a best practice to create any kind of alert for these events.
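As an added example (not from the article or from Symantec), a small Python triage helper of the kind you might put in front of a SIEM rule: it reads one of these SEDR endpoint av-ping records, routes the AV-Exonerated, zero-signature-hit submissions to an informational log instead of an alert, and keeps the packer detail that explains them. The field names come from the record above; treating any other technology value as "review" is an assumption of this example, and the second event is constructed by altering the first.

```python
import json

# Record constructed from the one quoted in the article (placeholders kept as-is).
SAMPLE_EVENT = '''{"atp_protocol":"av","av":{"date_detected":"2019-10-xxx",
"result":"completed","threat_categories":"3"},"avping_data":{"def_data_set":1,
"detect_engine_id":56,"packer_info":[{"engine_id":1,"packer_family":171,
"packer_subtype":0}],"signature_hits":0},"device_name":"<DEVICE_NAME>",
"file":{"name":"<FILE_NAME>","sha2":"<SHA2>"},
"scan":{"signatures_version":"20xx0.004","technology":"AV-Exonerated"}}'''


def classify_avping(event: dict) -> dict:
    """Triage one SEDR endpoint av-ping record.

    'informational' = reputation submission with no signature hit whose file
    SEP already exonerated: keep it in the log, do not alert (per the article).
    'review' = anything else; routing every other technology value to an
    analyst is an assumption of this example, not Symantec's classification.
    """
    ping = event.get("avping_data") or {}
    technology = (event.get("scan") or {}).get("technology") or ""
    hits = ping.get("signature_hits") or 0
    informational = (
        event.get("atp_protocol") == "av"
        and technology == "AV-Exonerated"
        and hits == 0
    )
    return {
        "verdict": "informational" if informational else "review",
        "technology": technology,
        "signature_hits": hits,
        # Packer families are the "a packed file was found" detail worth logging.
        "packer_families": [p.get("packer_family") for p in ping.get("packer_info") or []],
        "device": event.get("device_name"),
        "sha2": (event.get("file") or {}).get("sha2"),
    }


def triage(raw_json: str) -> dict:
    """Parse one raw event line as forwarded to syslog/Splunk and classify it."""
    return classify_avping(json.loads(raw_json))


def suspect_event() -> dict:
    """Constructed variant of SAMPLE_EVENT with a signature hit: not exonerated-
    only noise, so it should reach an analyst instead of the informational log."""
    event = json.loads(SAMPLE_EVENT)
    event["avping_data"]["signature_hits"] = 1
    return event
```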