Endpoint Protection

  • 1.  Cannot whitelist program

    Posted May 02, 2016 03:57 PM

    The 'normal' process to 'whitelist' files is through the link https://submit.symantec.com/false_positive/standard/

    In this link, a file or a URL (that resolves the file) can be posted.

    I am currently trying to install Docker 1.1 ... and get the following error:

    Scan type: Auto-Protect Scan

    Event: Security Risk Found

    Security risk detected: WS.Reputation.1

    File: c:\data\tools\docker\dockertoolbox-1.11.1.exe

    Location: Quarantine

    Action taken: Quarantine succeeded

    Date found: Friday April 29 2016  10:04:04 AM

    The name of the program is “DockerToolbox-1.11.1”, and the URL is https://github.com/docker/toolbox/releases/download/v1.11.1/DockerToolbox-1.11.1.exe

    The issue?

    The file is too BIG to be uploaded ... and when the URL is provided ... it seems to 'time-out' ...

    In other words ... there is no way to white-list this file.

    I've tried to 'harvest' e-mail from Symantec to let them know about this specific problem and the fact that there is no way to submit whitelist for large files ... without success.

    Hope that somebody out there, from Symantec, can help out.

    Thanks in advance

     



  • 2.  RE: Cannot whitelist program

    Posted May 02, 2016 04:49 PM

    You could try the software whitelist:

    https://submit.symantec.com/whitelist/

    however it generally pertains to software that you create.

    You can easily create an exclusion in the SEPM for that executable; however, when the hash changes with a new build, it will also trigger and need to be excluded again.



  • 3.  RE: Cannot whitelist program

    Posted May 03, 2016 04:46 AM

    Hi silmarils,

    Thanks for the post.  The "WS.Reputation.1" event is because the file has a poor or unknown reputation.  Here's a good article about Reputation-based security:

    How Symantec Endpoint Protection uses reputation data to make decisions about files
    http://www.symantec.com/docs/HOWTO80989

    You can create exceptions for these within your own environment. 

    Creating exceptions for Virus and Spyware scans
    http://www.symantec.com/docs/HOWTO80919

    It is possible to submit files larger than 100 MB for suspected False Positive investigation.  Open a case with Tech Support and they can assist.

    One important note: the False Positive submissions portal is not the same as the Whitelisting submissions portal.  Some details about the differences can be found in:

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

     

    Hope this helps!  Please do update the thread with any additional questions or mark it solved if you have received your answer.

    With thanks and best regards,

    Mick