
Many type 4102 events are recorded for Heur.AdvML.C or other machine learning detections in SEDR Endpoint


Article ID: 176271

Endpoint Detection and Response


After the Symantec Endpoint Detection and Response Appliance's SEP Policies are configured to push the Private Cloud policies to your SEP clients, those clients begin using the SEDR appliance as their submission proxy. As a result, SEDR records events that the SEP client itself may never log, either because the triggering signatures are marked silent or because another process has already exonerated the file or detection. The event below is an example of such a record as stored by SEDR (identifying values redacted); note the "AV-Exonerated" scan technology and "signature_hits": 0, which mark it as a submission rather than a confirmed detection:

{
  "atp_protocol": "av",
  "av": {
    "date_detected": "2019-10-xxx",
    "date_quarantined": null,
    "extended_avping_info": "AwxxxxQ==",
    "priority": null,
    "reason": null,
    "result": "completed",
    "threat_categories": "3"
  },
  "avping_data": {
    "def_data_set": 1,
    "def_sig_hashes": null,
    "detect_engine_id": 56,
    "packer_info": [
      {
        "engine_id": 1,
        "packer_family": 171,
        "packer_subtype": 0
      }
    ],
    "signature_hits": 0
  },
  "device_ip": "10.x.x.5",
  "device_name": "xxxx",
  "device_time": "2019-10-21T17:26:17.616Z",
  "device_uid": "baxx9048",
  "feature_name": "SymantecEDR:Endpoint",
  "feature_ver": "2014.2.0",
  "file": {
    "accessed": null,
    "created": null,
    "folder": "CSIDL_SYSTEM_DRIVE\\",
    "md5": null,
    "modified": null,
    "name": "xxxxx.exe",
    "sha2": "fb0xxxfb7d",
    "size": null,
    "version": null
  },
  "id": 0,
  "platform": {
    "country": "1",
    "language": "English",
    "processor": "xxx",
    "scanner": "Symantec Endpoint Protection 14.2.3332.1000",
    "system": "Windows"
  },
  "process": {
    "cmd_line": null
  },
  "product_name": "SymantecEDR:Endpoint",
  "scan": {
    "signatures_version": "20xx0.004",
    "technology": "AV-Exonerated"
  },
  "sep_mid": "29xxx77",
  "submission_retry_count": "0"
}


SEP 14 introduced the Advanced Machine Learning feature, which relies on cloud reputation submissions. Those submissions appear as av-ping events sent through SONAR. For more information, review this document:

About Advanced Machine Learning in Endpoint Protection 14


Applies to SEP 14 MP1 or later, with SEDR 4.x or ATP 3.x.


These 4102 events are usually informational, for example noting that a packed file was found or that a submitted file was exonerated. SEDR records each submission as an event in the SEDR database, forwards it to any configured Syslog or Splunk destinations, and exposes it to any software that collects event data through the API.

It is not a best practice to create alerts of any kind on these events; treat them as informational in downstream tooling.
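Because these records reach the same Syslog, Splunk and API consumers as real detections, the practical step is to separate them before they hit an alerting rule. The following is an added example, not part of this article or of Symantec's tooling: it keys on the two fields visible in the sample above ("scan.technology" equal to "AV-Exonerated" and "avping_data.signature_hits" equal to 0) and passes everything else through untouched. The sample feed is constructed; the second record's "technology": "AV" value and the use of a nonzero signature_hits to represent a non-exonerated detection are assumptions for illustration, not documented SEDR values. The function names are hypothetical.

```python
import json
from typing import Any, Dict, Iterable, List, Tuple

# Constructed sample feed (not real telemetry). Record 1 mirrors the shape of the
# exonerated av-ping event in the article; record 2 is a hypothetical av event
# with a signature hit and no exoneration, included to show what is NOT
# suppressed; record 3 is a truncated line, as a syslog receiver may deliver.
SAMPLE_EVENTS = [
    json.dumps({
        "atp_protocol": "av",
        "av": {"result": "completed", "threat_categories": "3"},
        "avping_data": {
            "detect_engine_id": 56,
            "signature_hits": 0,
            "packer_info": [{"engine_id": 1, "packer_family": 171, "packer_subtype": 0}],
        },
        "device_name": "host-01",
        "file": {"name": "sample.exe", "sha2": "0" * 64},
        "scan": {"signatures_version": "20191020.004", "technology": "AV-Exonerated"},
    }),
    json.dumps({
        "atp_protocol": "av",
        "av": {"result": "completed", "threat_categories": "3"},
        "avping_data": {"detect_engine_id": 56, "signature_hits": 1},
        "device_name": "host-02",
        "file": {"name": "dropper.exe", "sha2": "1" * 64},
        "scan": {"signatures_version": "20191020.004", "technology": "AV"},  # assumed value
    }),
    '{"atp_protocol": "av", "av": {"result": "comp',  # truncated line
]


def _get(event: Dict[str, Any], path: Tuple[str, ...], default: Any = None) -> Any:
    """Walk a nested dict by key path; return default if any key is missing."""
    cur: Any = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_exonerated_avping(event: Dict[str, Any]) -> bool:
    """True only for an av-protocol record that SEP exonerated with no signature hits.

    Anything that does not match all three conditions is left for normal handling,
    so a missing or unexpected field never causes a detection to be dropped.
    """
    if event.get("atp_protocol") != "av":
        return False
    if _get(event, ("scan", "technology")) != "AV-Exonerated":
        return False
    hits = _get(event, ("avping_data", "signature_hits"))
    return hits == 0


def triage(lines: Iterable[str]) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]], int]:
    """Split raw JSON lines into (passthrough, suppressed, unparseable_count).

    passthrough: records to hand to alerting as usual
    suppressed:  exonerated av-ping submissions, kept for search but not alerted on
    """
    passthrough: List[Dict[str, Any]] = []
    suppressed: List[Dict[str, Any]] = []
    unparseable = 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparseable += 1  # count rather than crash on a cut-off syslog line
            continue
        if not isinstance(event, dict):
            unparseable += 1
            continue
        (suppressed if is_exonerated_avping(event) else passthrough).append(event)
    return passthrough, suppressed, unparseable


if __name__ == "__main__":
    keep, drop, bad = triage(SAMPLE_EVENTS)
    print(f"passthrough={len(keep)} suppressed={len(drop)} unparseable={bad}")
    for ev in drop:
        print("suppressed:", ev["device_name"], ev["file"]["name"])
```

The filter is deliberately strict: a record is suppressed only when all three fields match, so a real detection with a missing or unfamiliar field still reaches the alerting path, and the suppressed records remain in the store for hunting and packer statistics.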