What to do if you suspect a Scheduled or Manual Scan may be falsely quarantining files

Article:TECH99489  |  Created: 2001-01-12  |  Updated: 2004-01-17  |  Article URL http://www.symantec.com/docs/TECH99489
Article Type
Technical Solution


Environment

Issue



You recently updated your virus definitions. When a manual or scheduled scan is run, various files are flagged as infected and sent to the Quarantine Bin. These may be system files, various program files or different file types from any source.


Solution



When you see a lot of files being quarantined, a likely problem is that the virus definitions you are using (or the definition set you recently applied) were damaged or corrupted during the transfer. This does not occur often. However, a particular definition set will occasionally cause false detections.

If you are using Symantec AntiVirus Corporate Edition 8.x, you should update your virus definitions by completely replacing your old virus definitions manually. This is most easily done with a new XDB file. Go to the Symantec Web site. Download and roll out the latest XDB file. For help obtaining and using the latest XDB file, read the section titled "Copying an .xdb file" in the document How to update virus definitions for Symantec AntiVirus Corporate Edition.

If you are using Norton AntiVirus Corporate Edition 7.x, update the definitions using the Intelligent Updater. For information on how to use the Intelligent Updater, read the document How to update virus definitions for Norton AntiVirus Corporate Edition.

Unquarantine the files that were flagged as infected and that you suspect to be false positives (incorrectly detected as being virus infected). Rescan the files once you have replaced your old virus definitions. If the files are no longer labeled infected, then your prior virus definitions were giving a false positive, and your files are not infected. It is safe to leave these files unquarantined. However, if the files are still found to be infected, send the files to Symantec Security Response using the procedure below.

To submit a virus sample to Symantec Security Response
  1. Select the file that you want to submit in the right pane of the Quarantine window.
  2. Click Submit Item. The Scan and Deliver wizard appears.
  3. Click Next to scan the file. (Regardless of whether the file is reported as being infected, it can still be submitted for analysis. However, if there is no detection with the new virus definitions, then you can conclude that the previous definition set was generating a false detection.)
  4. At the prompt "Would you like to submit this file today?", click Yes to submit, and then click Next.
  5. Continue through the wizard, and fill out the contact information in the next three dialog boxes, clicking Next when each is complete.
  6. Verify the information for accuracy in the Review dialog box, and if correct, click Next.
  7. Click Finish at the Thank You dialog box. Your virus sample will be sent to Symantec Security Response. You will be notified of the results by email.

If Symantec Security Response indicates that the files are not infected, then the new virus definitions are still providing a false positive for these files. Contact your support agent to report this. If Symantec Security Response indicates that these files are infected, leave these files in quarantine and check the Symantec Security Response Web site for information about this infection.






Legacy ID



2001101213393148

