About managing false positives detected by TruScan proactive threat scans

Article:HOWTO27058  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27058
Article Type: How To



TruScan proactive threat scans sometimes return false positives. Proactive threat scans look for applications and processes with suspicious behavior rather than for known viruses or security risks. By their nature, these scans typically flag some items that you would rather not detect.

For the detection of Trojan horses, worms, or keyloggers, you can use the default actions and sensitivity levels that Symantec specifies, or you can manage the detection actions and sensitivity levels yourself. If you manage the settings yourself, you risk detecting many false positives, so you should be aware of the impact on your security network before you do so.

Note:
Changing the sensitivity level changes the total number of detections, and can reduce the number of false positives that proactive threat scans produce. Symantec recommends that if you change the sensitivity levels, you change them gradually and monitor the results.

If a proactive threat scan detects a process that you determine is not a problem, you can create an exception. An exception ensures that future scans do not flag the process. Users on client computers can also create exceptions. If a user-defined exception conflicts with an administrator-defined exception, the administrator-defined exception takes precedence.

See Configuring a Centralized Exceptions Policy.

Table: Plan for managing false positives outlines the tasks for creating a plan to manage false positives.

Table: Plan for managing false positives

Task: Ensure that Symantec manages Trojan horse, worm, and keylogger detections.

Description: Antivirus and Antispyware Policies include a Symantec-managed setting for these detections, which is enabled by default. When the setting is enabled, Symantec determines the action that is taken when one of these process types is detected, and the sensitivity level that is used to scan for them.

When Symantec manages the detections, proactive threat scans perform an action that is based on how the scan interprets the detection. The scan applies one of the following actions to the detection:

  • Quarantine

    The scan uses this action for the detections that are likely to be true threats.

  • Log only

    The scan uses this action for the detections that are likely to be false positives.

Note:
If you choose to manage the detection action yourself, you choose a single action, and that action is always used for that detection type. If you set the action to Quarantine, the client quarantines all detections of that type.

Task: Ensure that Symantec content is current.

Description: Verify that the computers that produce false positives have the latest Symantec content. The latest content includes information about processes that Symantec has determined to be known false positives, and these known false positives are excluded from proactive threat scan detection.

You can run a report in the console to check which computers are running the latest version of the content.

See Monitoring endpoint protection.

You can update the content by doing any of the following:

  • Apply a LiveUpdate Policy.

    See About LiveUpdate Policies.

  • Run the Update command for the selected computers that are listed on the Clients tab.

  • Run the Update command for the selected computers that are listed in the computer status log or the risk log.

Task: Make sure that submissions are enabled.

Description: Submissions settings are part of the Antivirus and Antispyware Policy. Make sure that client computers are configured to automatically send information to Symantec Security Response about the processes that proactive threat scans detect. The setting is enabled by default.

See Submitting information about scans to Symantec.

Task: Create exceptions for the false positives that you discover.

Description: You can create a policy that includes exceptions for the false positives that you discover. For example, you might run a certain process or application in your security network that you know is safe to run in your environment. If TruScan proactive threat scans detect the process, you can create an exception so that future scans do not detect it.

See Configuring a Centralized Exceptions Policy.
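The plan above is usually applied to an exported detection log rather than one detection at a time. The following Python script is an added example, not part of this article and not Symantec's code: it triages a constructed, CSV-style detection export in the order the table suggests. The column names (computer, content_version, process_path, sha256, action), the hash values, the content version format and the LATEST_CONTENT value are assumptions made for illustration and do not reflect the real Symantec Endpoint Protection export format. Hosts with stale content are listed for updating first, a Quarantine detection of a hash rules it out as an exception candidate, and Log-only detections are only proposed as candidates once they have been seen on enough hosts that already run current content.

```python
"""Triage of TruScan proactive threat scan detections before creating exceptions.

Added example (not Symantec's code). The log below is constructed to imitate an
exported risk log; the column names, hash values and the content version format
are assumptions for illustration, not the real SEP export format.
"""
import csv
import io
from collections import defaultdict

# Constructed sample detections: one row per detection on one computer.
SAMPLE_LOG = """\
computer,content_version,process_path,sha256,action
ws-01,20100115.003,C:\\Tools\\inventory.exe,aaaa1111,Log only
ws-02,20100115.003,C:\\Tools\\inventory.exe,aaaa1111,Log only
ws-03,20100110.001,C:\\Tools\\inventory.exe,aaaa1111,Log only
ws-04,20100115.003,C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe,bbbb2222,Quarantine
ws-05,20100115.003,C:\\Tools\\backup.exe,cccc3333,Log only
ws-06,20100108.002,C:\\Tools\\backup.exe,cccc3333,Log only
"""

# Assumed current content version (YYYYMMDD.RRR); take this from the console report.
LATEST_CONTENT = "20100115.003"


def parse_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_content_hosts(rows, latest=LATEST_CONTENT):
    """Task 2 of the plan: computers whose content is older than the latest
    release. Update these before judging their detections, because newer
    content may already exclude the process as a known false positive.
    Versions are zero-padded YYYYMMDD.RRR strings, so string order is date order."""
    return sorted({r["computer"] for r in rows if r["content_version"] < latest})


def group_by_hash(rows, latest=LATEST_CONTENT):
    """Collect, per process hash, the paths seen, the hosts that reported a
    Log-only detection (split by content currency) and whether any host
    quarantined it (the Symantec-managed action for likely true threats)."""
    by_hash = defaultdict(lambda: {"paths": set(), "current_hosts": set(),
                                   "stale_hosts": set(), "quarantined": False})
    for r in rows:
        e = by_hash[r["sha256"]]
        e["paths"].add(r["process_path"])
        if r["action"] == "Quarantine":
            e["quarantined"] = True
        elif r["content_version"] >= latest:
            e["current_hosts"].add(r["computer"])
        else:
            e["stale_hosts"].add(r["computer"])
    return by_hash


def triage(rows, latest=LATEST_CONTENT, min_hosts=2):
    """Task 4 of the plan. Returns (candidates, deferred):
    candidates - hashes with only Log-only detections, seen on at least
                 min_hosts computers that run current content; review these
                 for a centralized exception.
    deferred   - Log-only hashes that do not yet meet that bar; re-check after
                 the stale hosts have been updated.
    Quarantined hashes are excluded from both lists and need investigation."""
    candidates, deferred = [], []
    for h, e in sorted(group_by_hash(rows, latest).items()):
        if e["quarantined"]:
            continue
        summary = {"sha256": h, "paths": sorted(e["paths"]),
                   "current_hosts": sorted(e["current_hosts"]),
                   "stale_hosts": sorted(e["stale_hosts"])}
        (candidates if len(e["current_hosts"]) >= min_hosts else deferred).append(summary)
    return candidates, deferred


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Update content first on:", ", ".join(stale_content_hosts(rows)))
    cands, defer = triage(rows)
    for c in cands:
        print("Exception candidate:", c["sha256"], c["paths"], "hosts:", c["current_hosts"])
    for d in defer:
        print("Re-check after update:", d["sha256"], "stale hosts:", d["stale_hosts"])
```

With the constructed sample, ws-03 and ws-06 are listed for a content update first, the inventory tool (aaaa1111) becomes an exception candidate because two current-content hosts logged it without any quarantine, the backup tool (cccc3333) is deferred until ws-06 is updated, and the quarantined binary in a Temp directory (bbbb2222) never reaches either list. The min_hosts threshold is a local judgement call rather than anything the article specifies.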



Legacy ID: 349416

