Symantec ATP SEDR from 3.x to 4.1 version: High RAM usage in 8840

This is the most exhausting and longest case I have ever encountered. When my ATP device notified me that version 4.1 was available, I read the white papers and the upgrade prerequisites before jumping into the upgrade. A month after upgrading, I kept getting high RAM usage notifications, first monthly and then weekly: the 8840 appliance was experiencing high RAM usage. Neither the system activity logs nor the logs from the Symantec ATP administrator management interface helped at all. I had to raise a ticket with Symantec Support when the behaviour kept recurring.

The temporary solution in the Symantec article is to reboot the appliance when the RAM usage warning appears.

After back-and-forth emails with Symantec Support, it turned out they had no idea either. To cut the exhausting story short, what they suggested was to gather logs about the appliance health, and it has to be done the way described below.

After Support received the logs (twice), they analysed them and told me to wait for version 4.2, which will resolve this issue. The version 4.2 release date is 29th August 2019. Hopefully, it will.

Requirements

  1. SSH or terminal console access to the ATP appliance
  2. A firewall rule allowing SSH to the ATP appliance
  3. VGA from the ATP appliance to an LCD monitor
  4. A case raised with Symantec Support

SSH console

If you have enabled SSH on your Symantec ATP appliance, you can run the command below over SSH from the same environment.

If you haven't enabled SSH yet, go to the Symantec ATP appliance, launch the terminal console, enter your login credentials and run this command:

sshconfig enabled

ATP terminal console via LCD

  1. Log in to the physical ATP device with your ATP credentials
  2. Enter the following command:
    • gather_evidence -u <your email address> -c <case number> -v
  3. It will prompt for a password; the password is provided by Symantec Support
  4. After that, it shows a progress dashboard for the report upload to the Symantec Support site

The upload takes an hour or more to complete.

Appendix

  1. -u is the username (your email address)
  2. -c is the case number
  3. -v is verbose output

Symantec ATP 3.x: Troubleshoot intrusion attack

If your environment is running Symantec ATP version 3.x with Symantec Endpoint Manager (SEPM 14), you have probably faced the situation where ATP reports an intrusion prevention detection.

So this post is about an attack which ATP detected as an intrusion and indeed blocked instantly. The attack is an unexpected overwrite of the SEPM file. However, some endpoints may find that their SEPM is disabled unexpectedly.

Hence, you may see around 5% of endpoints facing this attack. Funny, right? Another thing is that these endpoints are probably the ones that are only turned on once in a while, or are not within the premises/environment often. Yes, you may have guessed it!

It was the SEPM update. What causes SEPM to be disabled unexpectedly is a failed IPS update, possibly combined with a workstation that isn't restarted often or properly.

You can run SymDiag on the endpoint device to get more details about the problem the endpoint is facing, and then find a resolution for it. Otherwise, just reinstall SEPM, run a scan, and run SymDiag again to make sure it is working well.


Symantec ATP 4.x: High risk on Windows update en-us_win32.appx

Yes, Symantec ATP's sandboxing does flag bulk downloads and suspects them as malicious, so you receive a large number of high-risk endpoint alerts on the ATP dashboard.

Sandboxing detected: en-us_win32.appx was downloaded from officecdn.microsoft.com.edgesuite.net

Looking at the URL, this download is pretty legitimate: it comes from Microsoft Windows Update. This applies especially in a GPO and WSUS environment, where Windows Update runs on a fixed schedule.

Well, there is a validation process you can run to confirm that it is not malicious:

  1. Go to the endpoint device (physically) which ATP detected as high-risk
  2. Open the Windows Update log file in Notepad
    • You can find it at C:\Windows\WindowsUpdate.log
  3. Next, compare the Windows Update log file with the ATP alert details: the timing and the patch file name
  4. If they match, it is a legitimate patch file from Microsoft
  5. Next, to double confirm, use the VirusTotal website to scan the patch file and the URL to make sure it is legitimate
  6. To triple confirm, raise a case with Symantec Support for further assistance on this case.
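The comparison in step 3 (and the hash you need for the VirusTotal lookup in step 5) can be scripted instead of done by eye in Notepad. The following is an added example and not code from the original post or from Symantec: the ATP alert fields and the WindowsUpdate.log lines are constructed, the log layout is a simplified "date time component message" approximation of the real file, and the URL path is a placeholder. It parses the log, keeps the entries that name the alerted file within ten minutes of the alert time, checks that the download host in the log matches the host in the alert, and returns a triage verdict; an alert with no matching log entry is the case you would escalate.

```python
"""Correlate a Symantec ATP sandbox alert with WindowsUpdate.log entries.

Added example (not from the original post). ATP_ALERT and WU_LOG are
constructed; the log layout is a simplified approximation of the real
WindowsUpdate.log columns, and the URL path is a placeholder.
"""
import hashlib
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed ATP alert, modelled on the dashboard text quoted in the post.
ATP_ALERT = {
    "file": "en-us_win32.appx",
    "url": "http://officecdn.microsoft.com.edgesuite.net/example-path/en-us_win32.appx",
    "time": datetime(2019, 8, 20, 3, 15, 0),
}

# Constructed WindowsUpdate.log excerpt (simplified layout, see docstring).
WU_LOG = """\
2019-08-20 03:14:58  Agent    Title = Office client update
2019-08-20 03:15:02  DnldMgr  Downloading from http://officecdn.microsoft.com.edgesuite.net/example-path/en-us_win32.appx
2019-08-20 03:15:07  DnldMgr  BITS job completed for en-us_win32.appx
2019-08-20 09:40:11  DnldMgr  Downloading from http://download.windowsupdate.com/example-path/update.cab
"""

LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<component>\S+)\s+(?P<message>.*)$"
)


def parse_wu_log(text):
    """Turn log text into dicts with a datetime, component and message."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip headers or blank lines; real logs carry extra columns
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append({"time": ts, "component": m["component"], "message": m["message"]})
    return entries


def correlate(entries, alert, window=timedelta(minutes=10)):
    """Return entries that name the alerted file within +/- window of the alert time."""
    return [
        e for e in entries
        if alert["file"].lower() in e["message"].lower()
        and abs(e["time"] - alert["time"]) <= window
    ]


def source_host_matches(hits, alert):
    """True if any matching entry logged a download from the same host as the alert."""
    alert_host = urlparse(alert["url"]).hostname
    for e in hits:
        for url in re.findall(r"https?://\S+", e["message"]):
            if urlparse(url).hostname == alert_host:
                return True
    return False


def triage(entries, alert):
    """Step 3/4 of the post: does the log corroborate the alert?"""
    hits = correlate(entries, alert)
    if hits and source_host_matches(hits, alert):
        return "matched: file and source host appear in WindowsUpdate.log at alert time"
    if hits:
        return "partial: file name found but source host differs; check further"
    return "unmatched: no WindowsUpdate.log entry; treat as suspicious and raise a case"


def sha256_of(data: bytes) -> str:
    """SHA-256 of the downloaded file, for the VirusTotal hash lookup in step 5."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print(triage(parse_wu_log(WU_LOG), ATP_ALERT))
```

Run it on the real C:\Windows\WindowsUpdate.log by reading the file into WU_LOG and filling ATP_ALERT from the dashboard; only the timestamp regex needs adjusting if your log version uses a different column layout. Hashing the file locally and searching VirusTotal by hash avoids uploading a file that may be sensitive.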

What to know about Symantec ATP 4.x?

Before you upgrade your Symantec ATP from version 3.x to 4.x, there are a few things you need to have ready before performing the ATP software update, to avoid any hiccups.

*Note

  • Having no fallback plan may mean a redeployment is required
  • A lower version of ATP does not have the capability to restore the backup

  1. Read the release notes for version 4.x
    1. Take pointers
  2. Set up backup on Symantec ATP
  3. Back up ATP as a fallback plan

Hence, the overall update process may take one to two hours.


Reference

  1. How to set up FTP