Endpoint Protection

AV Whitelisting Request Status

  • 1.  AV Whitelisting Request Status

    Posted Sep 01, 2015 03:09 AM

    Hi All,

    We had lodged a request on July 28, 2014 regarding AV whitelisting for the product Desktop Central from Manage Engine. The incident number is 3829194. We are awaiting the status of the request that we had lodged. Contact us at the registered email address for any further clarifications.



  • 2.  RE: AV Whitelisting Request Status

    Posted Sep 01, 2015 04:45 PM

    You'll need to call Symantec and open a case and get an update from them.



  • 3.  RE: AV Whitelisting Request Status

    Posted Sep 02, 2015 12:30 AM

    Thanks Brian, for your prompt reply. But I have a doubt. We requested whitelisting and received a reply from Symantec that they would state their stand about our request within 3 weeks. But we are yet to hear from Symantec. It has been more than a month. For this update, do I need to open another case and call them?



  • 4.  RE: AV Whitelisting Request Status

    Posted Sep 02, 2015 02:46 AM

    You can call them with the same ticket number, and if required they will open a new ticket.



  • 5.  RE: AV Whitelisting Request Status

    Posted Sep 02, 2015 05:05 AM

    Hi Holmes Sherlock,

    Thanks for the post.  The request that you mention, 3829194 was closed on 29 July.  A mail was sent from the "SoftwareWhite-ListRequests @ symantec.com" address.  Can you double-check your various mail folders for that response?

    Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick



  • 6.  RE: AV Whitelisting Request Status

    Posted Sep 07, 2015 03:57 AM

    Thanks a lot Mick...

    Sorry for missing out the mail...

    I would like you to help me out with a few more things..

    Our product Desktop Central provides computer management solutions and is based on a Server-Client model. A Server is installed on a machine and its Agents are to be installed on the machines that are to be managed. Both the Server and Client have multiple executables (*.exe) which run on the computers based on the features. So if we need to white-list all these executables, what would be the best possible suggestion?
    1) to exclude all the executables by their name? (which will be around 35)
    2) to exclude the server/agent installed location on the hard disk?

    Also, I would like to know the ground rule of your white-listing process. Can you kindly brief me on it? Is the white-listing based on the Digital Signature of the executables or any other means?

    Appreciate your support..! :)



  • 7.  RE: AV Whitelisting Request Status

    Posted Sep 07, 2015 11:58 AM

    Hi Holmes Sherlock,

    Thanks for the post.  Creating any exclusion opens a hole in the defenses.  Creating exclusions based on name or location opens relatively large holes.  (For example: a file can be named anything without changing its behavior.  If SEP is configured to ignore "goodfile.exe" then all that is necessary for a malicious actor to do is rename "badfile.exe" into the excluded "goodfile.exe".)

    I always recommend going for the most precise solution: exclude based on file hash.  There is no way malware can change its hash into that of the known-good file!  If there are 35 hashes then it will take a few minutes to create the policy, but it should be swift enough to get this in place and deployed to the whole organization.

    The Insight Deployment Best Practices is a document (Insight_v1.pdf) with an excellent section on False Positive Prevention. Check it out!

    Insight Deployment Best Practices
    Article URL http://www.symantec.com/docs/DOC5077
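
The difference between name, location and hash exclusions described in the post above, as an added example that is not part of the original thread and is not Symantec code. It is a generic model of exclusion matching, not SEP's engine; the function name, the paths and the file contents are constructed for illustration.

```python
import hashlib
import ntpath  # Windows path rules, usable on any OS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exclusion_hit(policy: dict, path: str, data: bytes):
    """Return the rule type that would exclude this file, or None."""
    norm = ntpath.normcase(path)  # lower-case, backslash separators
    if ntpath.basename(norm) in policy.get("names", set()):
        return "name"
    for folder in policy.get("folders", set()):
        if norm.startswith(ntpath.normcase(folder).rstrip("\\") + "\\"):
            return "folder"
    if sha256_hex(data) in policy.get("hashes", set()):
        return "hash"
    return None


# Constructed sample contents standing in for real binaries.
AGENT_V1 = b"constructed bytes: agent build 1"
AGENT_V2 = b"constructed bytes: agent build 2"  # the next release
UNKNOWN = b"constructed bytes: unrelated program"

# Three hypothetical policies, one per exclusion style.
BY_NAME = {"names": {"goodfile.exe"}}
BY_FOLDER = {"folders": {r"C:\Program Files\ExampleAgent"}}
BY_HASH = {"hashes": {sha256_hex(AGENT_V1)}}


def demo() -> dict:
    renamed = r"C:\Users\Public\goodfile.exe"
    dropped = r"C:\Program Files\ExampleAgent\bin\other.exe"
    agent = r"D:\Tools\agent.exe"
    return {
        # Name and folder rules match on where a file is, not what it is.
        "unknown file, excluded name": exclusion_hit(BY_NAME, renamed, UNKNOWN),
        "unknown file, excluded folder": exclusion_hit(BY_FOLDER, dropped, UNKNOWN),
        # The hash rule follows the content wherever it sits.
        "unknown file, hash policy": exclusion_hit(BY_HASH, renamed, UNKNOWN),
        "known build, hash policy": exclusion_hit(BY_HASH, agent, AGENT_V1),
        # A new build has a new hash, so the policy must be updated per release.
        "new build, hash policy": exclusion_hit(BY_HASH, agent, AGENT_V2),
    }


if __name__ == "__main__":
    for case, rule in demo().items():
        print(f"{case}: {rule}")
```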

     

     



  • 8.  RE: AV Whitelisting Request Status

    Posted Sep 08, 2015 01:26 AM

    Hi Mick, (You are the man..!)

    That was a very useful piece of info that you had given me. But, I think you had misunderstood my question. My objective is not to create an exclusion policy in SEP, but to request Symantec to white-list the executables that are used in Desktop Central so that they are automatically excluded in the SEPs used by our customers. To achieve this, do I have to upload every single executable in separate requests?

    And also, I need you to look into an important factor.

    I always recommend going for the most precise solution: exclude based on file hash.  There is no way malware can change its hash into that of the known-good file!

    By your words, I believe you are talking about the checksum validation. And there lies another problem. Whenever we release an update to our product, the checksum of the executables tends to change. On such occasions, the white-list policy is broken, right? Can you advise me on this?



  • 9.  RE: AV Whitelisting Request Status

    Posted Sep 08, 2015 11:57 AM

    Thanks for the kind words.  There's some good advice on whitelisting in Symantec Insider Tip: Successful Submissions!

    Q. I write code for a software company.  Is there any way to submit my latest build to Symantec, ahead of its public release, to make sure my customers won't experience False Positives on this new (and initially unknown) version?

    A. Yes!  This article has all the details:

    Software developer would like to add his/her software to the Symantec White-List.
    Article URL http://www.symantec.com/docs/TECH132220

    Note that this whitelisting portal is open for BCS customers and will require several weeks to process files.  Please allow ample time!  If the software is already publicly available and is being detected by Symantec products, use the False Positive portal instead.



  • 10.  RE: AV Whitelisting Request Status

    Posted Sep 14, 2015 06:02 AM

    Hi Mick, 

    That document was indeed very helpful. And I really appreciate your time and support. I will post my questions right away. Kindly feel free to reply inline.

    1. What is the basic parameter that you would use to whitelist an exe? Will that be checksum, digital signature, or any other?

    2. My product has around 35 exes that run based on dependency. Do I need to raise 35 individual whitelisting requests to Symantec?

    3. If you use checksum for validating and whitelisting an exe, then it would ruin the process. Because we frequently release updates to our product and the checksum of the exes tend to change. So, if you whitelist based on checksum, then the rule will be deprecated when we install the new update.

    Thanks and Regards,

    Holmes



  • 11.  RE: AV Whitelisting Request Status

    Posted Sep 14, 2015 12:28 PM

    Hi Holmes,

    For security reasons, there are many specific details which I cannot reveal about what triggers (or avoids) our detections.  The best public advice is contained in the False Positive Prevention section of http://www.symantec.com/docs/DOC5077

    Digitally signing files allows security vendors (as well as everyone else) to verify where software has come from.  It is a big step toward preventing FPs, though of course it is not a rubber stamp by any stretch.  There are many malicious or grayware files which are digitally signed- and yep, they're detected.  &: )

    Do submit the 35 files to ensure they will be examined and whitelisted (if they pass examination) before being publicly released.  Be sure to zip them up for submission but no more than 9 files / 20 MB into one archive.

    Hope this helps!

    Mick
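
One way to plan the submission archives under the limits quoted in the post above (no more than 9 files / 20 MB per archive), as an added example that is not part of the original thread. The function name and the 35-file inventory are constructed, and it assumes "20 MB" means 20,000,000 bytes measured on the summed uncompressed file sizes.

```python
MAX_FILES = 9                 # per-archive file limit quoted in the thread
MAX_BYTES = 20 * 1000 * 1000  # "20 MB"; decimal MB assumed (the stricter reading)


def plan_batches(files, max_files=MAX_FILES, max_bytes=MAX_BYTES):
    """Group (name, size_in_bytes) pairs into archives that respect both limits.

    First-fit decreasing: place the largest files first, each into the first
    archive that still has room for it by count and by size.
    """
    batches = []  # each entry: {"names": [...], "bytes": int}
    for name, size in sorted(files, key=lambda f: (-f[1], f[0])):
        if size > max_bytes:
            # A single file over the limit cannot be submitted this way at all.
            raise ValueError(f"{name} alone exceeds the per-archive size limit")
        for batch in batches:
            if (len(batch["names"]) < max_files
                    and batch["bytes"] + size <= max_bytes):
                batch["names"].append(name)
                batch["bytes"] += size
                break
        else:
            batches.append({"names": [name], "bytes": size})
    return batches


# Constructed inventory: 35 executables with made-up sizes (0.9 MB to 6.3 MB).
SAMPLE = [(f"tool{i:02d}.exe", (i % 7 + 1) * 900_000) for i in range(35)]

if __name__ == "__main__":
    for n, batch in enumerate(plan_batches(SAMPLE), start=1):
        print(f"archive {n}: {len(batch['names'])} files, {batch['bytes']} bytes")
```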



  • 12.  RE: AV Whitelisting Request Status

    Posted Sep 15, 2015 02:20 AM

    Hi Mick,

    This helps me.. Will submit the files to Symantec for whitelisting. But my other question is still unanswered, I suppose.

    If you use checksum for validating and whitelisting an exe, then it would ruin the process. Because we frequently release updates to our product and the checksum of the exes tend to change. So, if you whitelist based on checksum, then the rule will be deprecated when we install the new update.

    In this case, for each update that we release, should we submit all the files again? That would be a tedious task for you as well as us since we release an update each week. Any suggestions?

    Thanks and Regards,

    Krishna



  • 13.  RE: AV Whitelisting Request Status

    Posted Sep 16, 2015 06:55 AM

    Hi Krishna,

    Yes, any time you release a new version it is recommended to submit it ahead of its public release.  Taking the measures in the document I shared, though, may eliminate the need.  It all depends on the nature of the software.

    Hope this helps!

    Mick



  • 14.  RE: AV Whitelisting Request Status

    Posted Sep 16, 2015 07:13 AM

    Hi Mick,

    I get this view when I click on the link http://www.symantec.com/docs/DOC5077

    Has it moved to another location? Or am I missing something?

    Regards,

    Krishna



  • 15.  RE: AV Whitelisting Request Status

    Posted Sep 16, 2015 07:16 AM

    Click on "attachments" in the upper-right - a window will open with "Insight_v1.pdf"