Virtualized applications cause Symantec Endpoint Protection 11 Proactive Threat Protection "Bloodhound.Sonar.1" false positives (VMWare ThinApp)
Article: TECH160667 | Created: 2011-05-23 | Updated: 2013-01-31 | Article URL: http://www.symantec.com/docs/TECH160667
Symantec Endpoint Protection 11 clients with their Proactive Threat Protection (PTP) sensitivity slider set to 100% have reported false positives on certain virtualized applications.
These SEP 11 PTP false positives occur only with virtualized applications such as Siebel, Firefox and IE6. The detections list no Filename, Original Location, Detected Process, or Path. After the client forwards its event logs to SEPM, the detection can be inspected under Policies > New centralized exceptions policy > Centralized Exceptions > Add > Windows Exceptions > TruScan Proactive Threat Scan Exceptions > Detected Processes, where the File Fingerprint shows as 1:0000000000000000000000000000000000000000001. This hash is not unique to the flagged application: other virtualized applications report the same value, so an exception keyed on it cannot be scoped to a single virtualized application.
The affected virtualized applications are packaged with VMware ThinApp.
If PTP false positives of this nature occur, lower the PTP sensitivity to 70% or disable PTP.
Note as well that SEP 12.1 PTP is not affected by this issue.
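The article does not show how to tell, from the Detected Processes list, whether an exception would be scoped to one application or would match every ThinApp package that reports the placeholder fingerprint. The following Python script is an added example, not Symantec's code and not part of the original article: it takes (fingerprint, label) pairs as an administrator would transcribe them from the Detected Processes list, classifies each fingerprint, and reports which detections a single exception would cover. The record format, the assumption that a genuine fingerprint is "prefix:40 hex characters", and the sample detections are constructed for illustration.

```python
import re
from collections import defaultdict

# Non-unique fingerprint the article says SEPM shows for detections of
# ThinApp-virtualized applications (copied verbatim from the article).
PLACEHOLDER_FINGERPRINT = "1:0000000000000000000000000000000000000000001"

# Assumption: a genuine fingerprint is "<prefix>:<40 hex characters>" (a SHA-1 digest).
_HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def fingerprint_kind(fingerprint):
    """Classify a 'File Fingerprint' value from the Detected Processes list."""
    if fingerprint == PLACEHOLDER_FINGERPRINT:
        return "placeholder"
    _prefix, sep, digest = fingerprint.partition(":")
    if sep and _HEX40.match(digest):
        return "hash"
    return "unknown"


def group_by_fingerprint(detections):
    """detections: iterable of (fingerprint, label) pairs -> {fingerprint: [labels]}."""
    groups = defaultdict(list)
    for fingerprint, label in detections:
        groups[fingerprint].append(label)
    return dict(groups)


def exception_plan(detections):
    """For each fingerprint, decide whether a TruScan 'Detected Process' exception
    would be scoped to one application or would silently cover every detection
    that reports the same placeholder value."""
    plan = {}
    for fingerprint, labels in group_by_fingerprint(detections).items():
        kind = fingerprint_kind(fingerprint)
        if kind == "placeholder":
            action = ("do not add a process exception; lower PTP sensitivity "
                      "to 70% or disable PTP instead")
            scopable = False
        elif kind == "hash":
            action = "process exception is safe; it matches only this hash"
            scopable = True
        else:
            action = "unrecognised fingerprint format; inspect the event manually"
            scopable = False
        plan[fingerprint] = {
            "kind": kind,
            "covers": labels,
            "scopable": scopable,
            "action": action,
        }
    return plan


# Constructed sample: three ThinApp packages plus one conventional binary whose
# digest is a constructed value (SHA-1 of the empty string), not a real detection.
SAMPLE_DETECTIONS = [
    (PLACEHOLDER_FINGERPRINT, "Siebel (ThinApp package)"),
    (PLACEHOLDER_FINGERPRINT, "Firefox (ThinApp package)"),
    (PLACEHOLDER_FINGERPRINT, "IE6 (ThinApp package)"),
    ("1:da39a3ee5e6b4b0d3255bfef95601890afd80709", "example.exe (constructed hash)"),
]


if __name__ == "__main__":
    for fp, entry in exception_plan(SAMPLE_DETECTIONS).items():
        print(f"{fp}  [{entry['kind']}]  {len(entry['covers'])} detection(s)")
        for label in entry["covers"]:
            print(f"    {label}")
        print(f"    -> {entry['action']}")
```

Running the script on the sample shows the placeholder grouping all three virtualized applications under one entry, which is exactly why an exception created from that fingerprint cannot be limited to the application that was flagged.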