Restore your Symantec Endpoint Detection and Response backups using the command-line interface.
To restore data from a backup file using the CLI
On the management platform appliance or all-in-one appliance, run the restore command with the desired options.
For example, to restore data from a directory on a remote server using FTP, type:
restore --host=<hostname> --protocol=ftp --port=21 --user=<username> --password=<password> --path=<directory> --filename=<backup archive name> --ignorerunningcommands
The --ignorerunningcommands option ignores the warning prompt for in-progress commands detected when performing the restore.
When you begin a restore, Symantec EDR checks whether any endpoint searches are currently in progress. If so, Symantec EDR displays a warning along with the option to either continue with, or cancel, the restore. If you continue with the restore, the results of those searches are added to your restored data when those searches are complete. (Depending on the availability of the endpoints, this process may take several days.) However, you cannot access the results of those searches because their Search Descriptions are overridden when the restore is complete.
As a best practice, cancel the restore, cancel the searches in the EDR appliance console, and then begin the restore again.
When you perform a restore, Symantec EDR logs an event in the System Activity Log. The log lists the start time and end time of the restore, its success or failure, the files that were restored, etc.
In version 3.1, if you attempt to restore a backup that was made on an earlier version, the following error appears in the command-line interface:
ERROR Fail running restore, result=Restore is not supported from pre ATP 3.1.0 version to the current version.
Click the following link for more information on the options for the restore command.