About backing up and restoring Symantec EDR data

You can back up the Symantec Endpoint Detection and Response data from an all-in-one appliance or management platform appliance to a remote computer. (Network scanners do not store data; therefore, they do not require backups.) The backup can then be used to restore the events on the same appliance or on a different but compatible appliance. For example, when you upgrade to a new Symantec EDR appliance, you can back up the old model and restore the events to the new model.
You can restore the backups that are made on Symantec Advanced Threat Protection (ATP) version 3.1 and later and Symantec EDR 4.0 and later.
As a best practice, you should include backing up Symantec EDR as part of your network backup scheme. Another best practice is to back up appliance data before you update an all-in-one appliance or management platform appliance.
You can back up Symantec EDR in the following ways:
You restore Symantec EDR data to an all-in-one appliance or a management platform by running the CLI restore command from the system console.
Event data can be backed up and restored. However, the restore command does not restore the configuration of the appliance. A backup stores most of the configuration data for the management platform in text form. As a best practice, Symantec recommends that you use the --encrypt keyword when using the backup command from the command line to secure your configuration data. You can view the text contents of a backup if you want to re-enter configuration data into the EDR appliance console.
Symantec EDR saves the backup file with the current date and time in the following format:
satp_backup_<product version>_<yyyyMMddHHmmss>.tar.gz
For example, Symantec EDR saves a backup on December 5, 2015 at 13:57:52 hours as:
satp_backup_2.0.0-1120_20151205135752.tar.gz
The product version consists of the major, minor, revision, and build numbers. The hour follows the 24-hour format.
You can rename the backup file without affecting the restore process. Do not attempt to edit the backup file.
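The naming format above can be used to audit the backup directory on the remote computer. The following is an added example, not Symantec code: it parses file names, rejects impossible timestamps, and reports renamed files separately, since they still restore but carry no date. The version layout (major.minor.revision-build) is taken from the example name above; the function names, the seven-day threshold, and the sample list are assumptions.

```python
import re
from datetime import datetime, timedelta

# satp_backup_<major.minor.revision-build>_<yyyyMMddHHmmss>.tar.gz
# The dotted/dashed version layout is assumed from the page's example name.
BACKUP_NAME = re.compile(
    r"^satp_backup_(\d+)\.(\d+)\.(\d+)-(\d+)_(\d{14})\.tar\.gz$"
)

def parse_backup_name(name):
    """Return ((major, minor, revision, build), datetime) or None."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    try:
        # 24-hour clock; rejects values such as month 13 or hour 25.
        taken = datetime.strptime(m.group(5), "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3, 4)), taken

def audit_backups(names, now, max_age=timedelta(days=7)):
    """Find the newest dated backup and flag a stale or undated set.

    max_age is a hypothetical policy value, not a product setting.
    """
    dated, unrecognized = [], []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            # Renamed files still restore, but their age is unknown here.
            unrecognized.append(name)
        else:
            version, taken = parsed
            dated.append((taken, version, name))
    newest = max(dated) if dated else None
    stale = newest is None or now - newest[0] > max_age
    return {"newest": newest[2] if newest else None,
            "stale": stale,
            "unrecognized": unrecognized}

# Constructed sample listing; only the first name appears on the page.
SAMPLE = [
    "satp_backup_2.0.0-1120_20151205135752.tar.gz",
    "satp_backup_4.0.0-100_20240101010101.tar.gz",
    "edr_old_appliance.tar.gz",
]

if __name__ == "__main__":
    print(audit_backups(SAMPLE, now=datetime(2024, 1, 5)))
```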
When you perform a backup, Symantec EDR logs an event in the System Activity Log. The log lists the start and the end time of the backup, the success or failure, the files that are backed up, and additional information.