You can back up the Symantec Endpoint Detection and Response data from an all-in-one appliance or management platform appliance to a remote computer. (Network scanners do not store data, so they do not require backups.) The backup can then be used to restore the events on the same appliance or on a different but compatible appliance. For example, when you upgrade to a new Symantec EDR appliance, you can back up the old model and restore the events to the new model.
In Symantec EDR version 3.1, you cannot restore data from previous Symantec EDR versions. You can restore the backups that are made on Symantec EDR version 3.1 and later.
As a best practice, you should include backing up Symantec EDR as part of your network backup scheme. Another best practice is to back up appliance data before you update an all-in-one appliance or management platform appliance.
You can back up Symantec EDR in the following ways:
Schedule backups in the EDR appliance console in Settings > Global. You specify the backup file location on a remote computer.
Run the CLI backup command from the system console. You can specify a backup file location on a remote computer.
You restore Symantec EDR data to an all-in-one appliance or a management platform by running the CLI restore command from the system console.
Event data can be backed up and restored. However, the restore command does not restore the configuration of the appliance. A backup stores most of the configuration data for the management platform in text form. For that reason, Symantec recommends as a best practice that you use the --encrypt keyword when you run the backup command from the command line, to secure your configuration data. You can view the text contents of a backup if you want to re-enter configuration data into the EDR appliance console.
For example, Symantec EDR saves a backup on December 5, 2015 at 13:57:52 hours as:
The product version consists of the major, minor, revision, and build numbers. The hour follows the 24-hour format.
You can rename the backup file without affecting the restore process. Do not attempt to edit the backup file.
When you perform a backup, Symantec EDR logs an event in the System Activity Log. The log lists the start and the end time of the backup, the success or failure, the files that are backed up, and additional information.