About backing up and restoring Symantec EDR data
You can back up the Symantec Endpoint Detection and Response data from an all-in-one appliance or management platform appliance to a remote computer. (Network scanners do not store data; therefore, they do not require backups.) The backup can then be used to restore the events on the same appliance or on a different but compatible appliance. For example, when you upgrade to a new Symantec EDR appliance, you can back up the old model and restore the events to the new model.
You can restore the backups that are made on Symantec Advanced Threat Protection (ATP) version 3.1 and later and Symantec EDR 4.0 and later.
As a best practice, you should include backing up Symantec EDR as part of your network backup scheme. Another best practice is to back up appliance data before you update an all-in-one appliance or management platform appliance.
You can back up Symantec EDR in the following ways:
- Schedule backups in the EDR appliance console in Settings > Global. You specify the backup file location on a remote computer.
- Run the CLI backup command from the system console. You can specify a backup file location on a remote computer.
You can restore Symantec EDR data to an all-in-one appliance or a management platform by running the CLI restore command from the system console.
Event data can be backed up and restored. However, configuration of the appliance is not restored using the restore command. A backup stores most of the configuration data for the management platform in text form. As a best practice, Symantec recommends that you use the --encrypt keyword when using the backup command from the command line to secure your configuration data. You can view the text contents of a backup if you want to re-enter configuration data into the EDR appliance console.
Symantec EDR saves the backup file with the current date and time in the following format:
Symantec EDR saves a backup on December 5, 2015 at 13:57:52 hours as:
The product version consists of the major, minor, revision, and build numbers. The hour follows the 24-hour format.
You can rename the backup file without affecting the restore process. Do not attempt to edit the backup file.
When you perform a backup, Symantec EDR logs an event in the System Activity Log. The log lists the start and the end time of the backup, the success or failure, the files that are backed up, and additional information.