Endpoint Protection


Add file under Exception Policy

  • 1.  Add file under Exception Policy

    Posted Jul 20, 2015 07:03 AM

    Hi folks,

    I want to distribute new screen savers on our computers.
    Unfortunately they are blocked by SEP's Auto-Protect. Below are the risk's details.
     

    Risk Information:

    Riskname : WS.Reputation.1
    Privacy impact: Medium 
    Performance impact: Medium 
    Overall rating: Medium 
    Download site: N/A 
    Downloaded or created by: c:\program files (x86)\google\chrome\application\chrome.exe 
    File or path: d:\userprofile\gerald.wellan\downloads\lafargeholcim en quality 3.scr   
    Application: Screensaver created with InstantStorm 
    Version: 2.0.0.0 
    File size: 11930368 
    Category set: Malware 
    Category type: Insight Network Threat 
    Hash: BF4615698DD182A229CAB3040CAECAE9780A8A52E819D38C54990E3B2907970B 
    Hash algorithm: SHA-256 

     

    Risk Detection:

    Date found: 07/16/2015 14:28:48 
    Description:  
    Actual action: Quarantined 
    Specified primary action: Quarantine 
    Specified secondary action: Leave alone (log only) 
    Detection source: Auto-Protect 
    Risk detection method: Heuristic Detection 
    URL tracking: On 
    Source computer:  
    Event type: Security risk found 
    Database insert date: 07/16/2015 14:44:23 
    Event client date: 07/16/2015 14:28:48 
    Permitted application reason: Not on the permitted application list 

     

    I know that the file path will differ for each machine. But, is there a way I can add this file into the exception policies by any EASY STEPS (from monitors, logs tab)???

     

     

     

    Please advise.
    Cheers!!!



  • 2.  RE: Add file under Exception Policy

    Posted Jul 20, 2015 07:54 AM

    You can add this file as an exception from the Risk log

    Monitors >> Logs >> Risk Log

    Check the box for the exception you want to add and under Action select "Add risk to Exceptions policy" and hit Apply

    A new box will come up and you need to select which policy you want to add it to. Select Save Changes when done

     



  • 3.  RE: Add file under Exception Policy

    Trusted Advisor
    Posted Jul 20, 2015 07:56 AM

    Try submitting the screensaver file to Symantec directly using the link below. They will run it through their system and, if it is not found to be malicious, will whitelist it in the next definition release. It can take up to 72 hours for Symantec to check the file.

    https://submit.symantec.com/whitelist/



  • 4.  RE: Add file under Exception Policy

    Posted Jul 20, 2015 08:01 AM

    Do your screen savers get downloaded to the Downloads folder?

    This is the path from the logs:

    d:\userprofile\gerald.wellan\downloads

    As mentioned by GeoGeo, it is better to submit it as a false positive. If they are not able to add it to the whitelist, they would clearly state the reason for it.



  • 5.  RE: Add file under Exception Policy

    Posted Jul 20, 2015 09:26 AM

    Check the appropriate exceptions policy:

    Exceptions policy > Exceptions > Add > Windows Exceptions > Application

    If your screen saver is listed in the applications list, you can create an exception (under Action). Path does not matter as this exception is hash-based.

     



  • 6.  RE: Add file under Exception Policy

    Posted Jul 21, 2015 01:08 AM

    Hi Brian,

    When I do that, it allows me to add the file under exception only for that one specific user.
    I want this file to be added as an exception for all my 25K SEP clients.

     

    Hi GeoGeo,

    I had the thought of whitelisting it, however, prior to doing that, I wanted to know if there was any way to exclude it from the SEPM itself.

     

    Hi greg12,

    I don't see the file under the Application list.

     

    If I have a hash of that file, is there a way I can exclude it from Exceptions policy?
    Any other advice would be really appreciated.

    Cheers!!!



  • 7.  RE: Add file under Exception Policy

    Posted Jul 21, 2015 06:33 AM

    When you added it, it should've shown the hash of the file. If that is the case, the hash is used, and assuming you added it to the policy for all of your users, it should work just fine.

    There is no option to manually add the hash (wish there was); this needs to be done via the Risk log.



  • 8.  RE: Add file under Exception Policy

    Posted Jul 21, 2015 07:03 AM

    Hi Brian,

    When I view the risk log, I see the HASH value of the file (Please see my first comment under the heading Risk Information).

    Can you let me know how to add the file using its hash?



  • 9.  RE: Add file under Exception Policy
    Best Answer

    Posted Jul 21, 2015 08:12 AM

    When you add it (select Allow Application) from the Risk log it includes the hash. This is calculated automatically and added.

    For example, I just added this in my policy:

    1.jpg

    Capture_104.JPG

    Then just assign it to whichever policy and you should be good.

    You cannot manually add the hash file though. It's all done via the Risk log.
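
The replies above note that the Application exception is hash-based, so the path does not matter but the file's exact bytes do. As an added example (not from the thread and not Symantec code), this Python script parses risk details in the "Key: value" layout of post 1 and checks which candidate files match the logged SHA-256; the sample text, file contents and function names are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample data: file bytes and a risk-details excerpt in the
# "Key: value" layout of post 1. The hash is computed here, not taken from the thread.
SAMPLE_BYTES = b"constructed screensaver bytes"
SAMPLE_RISK_DETAILS = (
    "Riskname : WS.Reputation.1\n"
    "File or path: d:\\userprofile\\someuser\\downloads\\example.scr\n"
    "Hash: " + hashlib.sha256(SAMPLE_BYTES).hexdigest().upper() + "\n"
    "Hash algorithm: SHA-256\n"
)

def parse_risk_details(text):
    """Turn 'Key: value' lines into a dict; split on the first colon only,
    so drive letters inside paths survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def covered_by_exception(risk_text, paths):
    """Map each path to True if it is byte-identical to the detected file."""
    fields = parse_risk_details(risk_text)
    expected = fields.get("hash", "").lower()
    if fields.get("hash algorithm", "").upper() != "SHA-256" or \
            not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("risk details carry no usable SHA-256 hash")
    return {p: sha256_of(p) == expected for p in paths}

def demo():
    """Same bytes under another name match; a rebuilt file does not."""
    with tempfile.TemporaryDirectory() as d:
        same, rebuilt = os.path.join(d, "renamed.scr"), os.path.join(d, "v2.scr")
        with open(same, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        with open(rebuilt, "wb") as fh:
            fh.write(SAMPLE_BYTES + b" edited")
        result = covered_by_exception(SAMPLE_RISK_DETAILS, [same, rebuilt])
        return [result[same], result[rebuilt]]

if __name__ == "__main__":
    print(demo())
```

A file that has been rebuilt or re-exported since the detection has a different hash, so an exception created from the earlier risk log entry would not apply to it.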



  • 10.  RE: Add file under Exception Policy

    Trusted Advisor
    Posted Jul 22, 2015 04:42 AM

    Hi Sayed,

    Not sure if there is. I mean, Brian possibly has a workaround, but I think the Auto-Protect heuristics are based on Symantec's reputation database, and as far as I've tested on my own SEPM, I have not found any way to exclude them by policy. The best result I've had is getting Symantec to directly whitelist them in the def file and their database.



  • 11.  RE: Add file under Exception Policy

    Posted Jul 23, 2015 07:36 AM

    Thanks, Brian. This is what I was looking for.



  • 12.  RE: Add file under Exception Policy

    Posted Jul 23, 2015 07:58 AM

    You're welcome, Sayed.