When making a change to the blacklist, you notice that the SEP correlation status now shows Invalid Credentials in red.
Advanced Threat Protection: Endpoint connected to at least one SEPM server for correlation
ATP 2.2 will label the SEP Manager connection with the status "Invalid Credentials"
ATP 2.3 will not stop the SEPM Manager connection, mark the SEP Manager connection state as "Invalid Credentials", or label the state of ATP overall as "Critical". Instead, the failure of attempts to send fingerprint data to SEP Manager will be logged at a low level with an event similar to the following:
This error message is misleading. The actual issue is that the ATP was not able to update the System Lockdown settings when an MD5 hash is added to the blacklist. This can happen when an ATP appliance is osrestored or reset to factory settings after it has already created the 'ATP Blacklisted files' list.
Symantec will address the underlying cause for this behavior more fully addressed in a future version of the ATP software.
To workaround the behavior, do one of the following:
Upgrade ATP Platform to version 2.3
Perform manual workaround (see below for steps)
To manually workaround
In the SEP Manager under Client -> My Company/Group -> System Lockdown, delete the ATP Blacklisted files fingerprint list.
Disable System Lockdown
Delete the 'ATP Blacklisted files' list from each policy group.
Under Policies -> Policy Components -> File Fingerprint Lists, confirm that the list is no longer showing
Once it is completely removed, wait an hour or re-enter the credentials for the controller connection before adding another MD5 hash to the blacklist.
Subscribing will provide email updates when this Article is updated. Login is required.