About full dump and process dump

You can retrieve (or "dump") endpoint activity recorder data from endpoints so that you can perform your own forensic analysis on the information. You can only perform a dump on the endpoints that are enrolled with Symantec EDR. When you perform a dump, you obtain all of the information that exists within the endpoint recorder data.
Prerequisite:
You must have the endpoint activity recorder enabled on the endpoint.
The size that you configure when you set up the endpoint activity recorder limits the amount of data that the endpoint activity recorder can store.
The types of dumps that you can perform are as follows:
  • Full Dump
    Data consists of all of the recorded events that occurred on the endpoint.
    The Full Dump may take a couple of hours to complete depending on the size of the data that is collected from the endpoint.
  • Process Dump
    Data consists of all of the recorded events that occurred on an endpoint relating to the processes that correspond to the requested file hash. When you initiate a process dump, you select the endpoints from which you want to obtain endpoint activity recorder dump information for the file hash.