Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe

Article:TECH98360  |  Created: 2010-01-03  |  Updated: 2014-12-04  |  Article URL http://www.symantec.com/docs/TECH98360
Article Type
Technical Solution


Issue



Symantec Endpoint Protection (SEP) is detecting a file which is believed to be part of a clean known application. How can it be confirmed whether this is a genuine detection or if it is a "False Positive"?

 


Cause



The criteria being used by SEP to identify malicious code are constantly updated and revised in response to the newest emerging threats. In some cases, legitimate software has been mistakenly classified as a threat. Definitions are subsequently refined and corrected to identify only malicious code.


Solution



Before you begin: It has often been the case that file infectors make alterations even to applications that have been in safe daily use for a long time. If there has been a recent outbreak or infection on the computer or network, it is highly likely that the application has been compromised and the detection is genuine. Symantec recommends that you treat all "detected" files as being infected, until your suspicion of a false detection is verified by Symantec Security Response.

If it is believed that a legitimate application is being identified in error, and no other outbreak is underway, best practice calls for the following steps to be taken:

Apply the Latest Rapid Release Definitions
New virus definitions may have already been released to resolve the False Positive detection. Apply the latest available Rapid Release definitions and scan the file once again.

For SEP clients:
Applying rapid release definitions to a Symantec Endpoint Protection (SEP) client.

If the file in question is still detected using the new Rapid Release definitions, proceed to the next step.

Contact Symantec for Investigation

Please do use the following portal for non-emergency false positives: https://submit.symantec.com/false_positive  Be sure to submit files within the recommended guidelines.  Note that it is not necessary to open a case with Technical Support for non-emergency requests.

In case of emergency, submit through the link above and contact Symantec's Technical Support.  Tech Support engineers can offer assistance with suspected false positives and help drive the issue to a faster resolution.

Please provide them with the following information (collected automatically by running a SymHelp diagnostic):

    1. Version of SEP that is in use, and component which is logging the detection (AutoProtect? PTP? Manual Scan?)
    2. Risk History and details of what the file is being detected as.
    3. Exact date and revision of definitions in use.
    4. If possible, calculate the MD5 (unique hash identifier) of the file in question
    5. (Not collected automatically) All available details on the source of the application in question- is it a common, commercially available file? Was it developed in-house? Is it part of another software suite?


Submitting False Positives from Quarantine
To submit a file for analysis, which was quarantined, the following article can then be used: How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)


Restoring False Positives from Quarantine
If the detection is confirmed to be a false positive, new AV definitions will be created. The following article can then be used:

Restoring a false positive from the Symantec Endpoint Protection quarantine




Legacy ID



2010010319585948


Article URL http://www.symantec.com/docs/TECH98360


Terms of use for this information are found in Legal Notices