Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
Article: TECH98360 | Created: 2010-01-03 | Updated: 2011-08-11 | Article URL: http://www.symantec.com/docs/TECH98360
Symantec Antivirus or Symantec Endpoint Protection is detecting a file which is believed to be part of a clean known application. How can it be confirmed whether this is a genuine detection or if it is a "False Positive"?
The criteria being used by SAV and SEP to identify malicious code are constantly updated and revised in response to the newest emerging threats. In some cases, legitimate software has been mistakenly classified as a threat. Definitions are subsequently refined and corrected to identify only malicious code.
Before you begin: It has often been the case that file infectors make alterations even to applications that have been in safe daily use for a long time. If there has been a recent outbreak or infection on the computer or network, it is highly likely that the application has been compromised and the detection is genuine. Symantec recommends that you treat all "detected" files as being infected, until your suspicion of a false detection is verified by Symantec Security Response.
If it is believed that a legitimate application is being identified in error, and no other outbreak is underway, best practice calls for the following steps to be taken:
Apply the Latest Rapid Release Definitions
New virus definitions may have already been released to resolve the False Positive detection. Apply the latest available Rapid Release definitions and scan the file once again.
For SAV clients:
Using Rapid Release virus definitions to update Symantec AntiVirus 10.x or Symantec Client Security 3.x clients and servers
For SEP clients:
Applying rapid release definitions to a Symantec Endpoint Protection (SEP) client.
If the file in question is still detected using the new Rapid Release definitions, proceed to the next step.
Contact Symantec Technical Support for Investigation
Please use the following portal for non-emergency false positives: https://submit.symantec.com/false_positive
In case of emergency, Symantec's Technical Support engineers can offer assistance with suspected false positives and help drive the issue to a faster resolution.
Please provide them with the following information:
1. Version of SAV or SEP that is in use, and the component that is logging the detection (AutoProtect? PTP? Manual Scan?)
2. Risk History and details of what the file is being detected as.
3. Exact date and revision of the definitions in use.
4. If possible, calculate the MD5 (unique hash identifier) of the file in question using the Microsoft File Checksum Integrity Verifier utility, or another utility.
5. All available details on the source of the application in question: is it a common, commercially available file? Was it developed in-house? Is it part of another software suite?
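As an added example (not Symantec's own tooling; the article points to the Microsoft File Checksum Integrity Verifier or another utility), the following Python computes the MD5 that item 4 asks for, reading the file in fixed-size chunks so a large binary never has to be loaded into memory at once, records a SHA-256 alongside it, and bundles the five items above into one record ready to paste into a support case. Function and field names are assumptions, and the sample file content is constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=1024 * 1024):
    """Return (md5_hex, sha256_hex) for the file at `path`, reading it in
    fixed-size chunks so a large binary is never loaded into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def build_submission_record(path, product_version, component, detection_name,
                            definitions_revision, source_details, chunk_size=1024 * 1024):
    """Assemble the details listed in items 1-5 as one dictionary (field names assumed)."""
    md5_hex, sha256_hex = hash_file(path, chunk_size)
    return {
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "product_version": product_version,      # item 1
        "component": component,                  # item 1 (AutoProtect, PTP, manual scan)
        "detection_name": detection_name,        # item 2 (from Risk History)
        "definitions_revision": definitions_revision,  # item 3
        "md5": md5_hex,                          # item 4
        "sha256": sha256_hex,                    # added: stronger hash alongside MD5
        "source_details": source_details,        # item 5
    }

def format_record(record):
    """Render the record as key: value lines for pasting into a support case."""
    return "\n".join(f"{key}: {value}" for key, value in record.items())

def demo(chunk_size=1024 * 1024):
    """Build a record for a constructed sample file whose content is b'abc'."""
    sample = os.path.join(tempfile.mkdtemp(), "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"abc")  # constructed content, not a real detected file
    return build_submission_record(
        sample, product_version="<SEP version>", component="AutoProtect",
        detection_name="<detection name>", definitions_revision="<defs date/rev>",
        source_details="<commercial / in-house / part of a suite>", chunk_size=chunk_size)

if __name__ == "__main__":
    print(format_record(demo()))
```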
Once those materials have been reviewed, Technical Support will provide (if necessary) instructions on how the file can be submitted to Security Response for examination.
Submitting False Positives from Quarantine
To submit a quarantined file for analysis, use the following article: How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)
Restoring False Positives from Quarantine
If the detection is confirmed to be a false positive, new AV definitions will be created. The following articles can then be used:
For SAV clients:
Restoring a false positive from the Symantec Antivirus quarantine