When reviewing the entity page of an executable on the Symantec Endpoint Detection and Response Appliance, you may want a Process Dump of the executable. Some executables may have this option greyed out on their Entity page.
To request a Process Dump for an executable, the backing file must have been seen as a process on an endpoint. Symantec EDR tracks this state for all files and enables the Process Dump button when this condition is fulfilled. To request related events when the Process Dump button is disabled, consider issuing an FDR search command. In addition to this requirement, the file must also reside on an endpoint that is currently enrolled for ECC2.
You can verify that the executable has not taken any actions by performing an event search for the file's name in the event_actor.file.name field. Here is an example query: event_actor.file.name: winword.exe
If you do find an event matching these criteria, click the device_name link in the event details to view the endpoint's entity page and verify that the EDR status shows Enrolled.