Within the Advanced Threat Protection (ATP) Platform user interface (UI), the system health state is "Needs Attention". When the mouse hovers over the system health state, the ATP UI displays the alert: "Device is encountering a large number of events. Some events will not be logged in the database."
- In Symantec Endpoint Protection Manager (SEPM), one or more client groups have an External Communication policy that points to the IP address of ATP UI as a Private Insight server.
This behavior may have multiple causes, including overly broad configuration of the Endpoint Data Recorder, and a large number of Insight lookups from widespread software updates amongst the SEP clients.
The SEDR 4.1 software includes improvements to increase the number of events that can be processed. If you see an error that incoming events have been dropped, please update to SEDR 4.1 to take advantage of these changes.
Further troubleshooting can be performed in the following ways:
Reduce the number of events from the Data Recorder feature
Prior to a widespread and complex software upgrade in the environment, temporarily remove ATP as a Private Insight server.
Upgrade to the latest version of Symantec Endpoint Detection and Response (SEDR) to obtain the latest fixes and performance improvements.
If symptoms persist, contact Symantec Technical Support for further assistance.
To reduce the number of events from the Data Recorder feature
In ATP Manager, click Settings > Global and scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Data Recorder.
Click the actions menu (three vertical dots) to the far right of the Symantec Endpoint Protection Manager connection that you want to update.
Click Recorder Configuration
Uncheck "Process Launch", then click Save.
For each SEPM where the Data Recorder feature is enabled, add Data Recorder Exclusions for programs authorized for the environment which have a high number of ATP detections for PowerShell activities.
To add a Data Recorder exclusion
Within the ATP UI, navigate to Settings > Global
Scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Data Recorder
For each SEPM connection where Data Recorder is enabled, click the vertical ellipsis (...)
Click Recorder Exclusions
If you expect the content of the authorized file to remain static, click Add hash and description to open a dialog box for entering a SHA256 hash and description
After adding an entry, click Save Hash
If you expect the content of the authorized file to change over time as a result of vendor updates, click Add the full path and filename to open a dialog box for entering the full path and filename of the file to be excluded.
After adding an entry, click Save Path
After all entries are added, click Save
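The two exclusion types above differ in how they keep matching after the authorized program changes. The following added example (not from this article and not Symantec's implementation; the `RecorderExclusion` model and `matches` function are assumptions that illustrate the semantics) computes the SHA256 value you would paste into "Add hash and description", then simulates a vendor update to show that a hash exclusion stops matching while a path exclusion continues to match.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple


def sha256_of_file(path: str) -> str:
    """Return the lowercase hex SHA256 of a file, streamed in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class RecorderExclusion:
    """Illustrative model (assumption) of one Data Recorder exclusion entry.

    Exactly one of `sha256` (static file content) or `path` (file content that
    changes with vendor updates) is set, mirroring the two dialogs in the UI.
    """
    description: str
    sha256: Optional[str] = None
    path: Optional[str] = None


def matches(exclusion: RecorderExclusion, candidate: str) -> bool:
    """Illustrative matching: hash entries compare content, path entries compare location."""
    if exclusion.sha256 is not None:
        return os.path.isfile(candidate) and sha256_of_file(candidate) == exclusion.sha256.lower()
    if exclusion.path is not None:
        return os.path.normcase(os.path.abspath(candidate)) == os.path.normcase(
            os.path.abspath(exclusion.path)
        )
    return False


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Build a constructed sample 'authorized tool', exclude it both ways, then update it.

    Returns ((hash_match_before, path_match_before), (hash_match_after, path_match_after)).
    """
    with tempfile.TemporaryDirectory() as workdir:
        tool = os.path.join(workdir, "authorized_tool.exe")  # constructed sample, not a real binary
        with open(tool, "wb") as handle:
            handle.write(b"constructed sample binary v1")

        # Values an administrator would enter into the two Recorder Exclusions dialogs.
        by_hash = RecorderExclusion(description="Authorized admin tool (static build)", sha256=sha256_of_file(tool))
        by_path = RecorderExclusion(description="Authorized admin tool (auto-updating)", path=tool)

        before = (matches(by_hash, tool), matches(by_path, tool))

        # Simulate a vendor update that changes the file content in place.
        with open(tool, "wb") as handle:
            handle.write(b"constructed sample binary v2")

        after = (matches(by_hash, tool), matches(by_path, tool))
        return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, True))
```

A hash entry is the more precise of the two because it identifies one exact file content, which is why the article reserves it for files that stay static; a path entry keeps working across vendor updates, but by the same token it covers whatever file is present at that location, so the path should be one that only the authorized vendor's installer writes to.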