Endpoint Protection

  • 1.  Clearing False Positive

    Posted Apr 18, 2013 08:10 AM

    I want to start out by saying that I am completely a noob at managing an Endpoint server. I have learned a lot from just working my way through some issues, but I have run into an issue that I can't seem to remedy with my little bit of knowledge or Google.

    We run Endpoint Protection Manager Ver 12.1.1.1101.401 RU1 MP1 and manage just over 200 machines with it. I have been able to edit policies to better fit our needs and so forth, again by either figuring it out on my own or through internet searches. The problem that I am having is that I have a machine that keeps showing up as still infected, and I know the file that is showing as a threat is not. The file is from an installation CD for software that was installed on the machine.

    The software is k+can commander. It is software for programming and resetting ECUs on automobiles. I have tried to create an exception to allow the software as safe, but the policy doesn't seem to help.

    Any suggestions?

    Thanks



  • 2.  RE: Clearing False Positive

    Posted Apr 18, 2013 08:39 AM

    Exclude your file from all types of scan.

    Creating exceptions for Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55204#v39814459

    Add the commander.exe as per this document.

    Excluding a file or a folder from scans

    And also submit the file as a false positive to Symantec so that they can correct it in the next release.


  • 3.  RE: Clearing False Positive

    Posted Apr 18, 2013 08:46 AM

    You can create an exception for this file:

    Creating exceptions from log events in Symantec Endpoint Protection Manager

    Article: HOWTO80928  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL: http://www.symantec.com/docs/HOWTO80928



  • 4.  RE: Clearing False Positive
    Best Answer

    Trusted Advisor
    Posted Apr 18, 2013 11:42 AM

    Hello,

    Is the D drive an external drive or internal drive?

    You could try opening the Risk Logs from the SEPM and try adding an exception to the Files.

    SEPM>> Monitors>> Logs >> Select Log type as "Risk" and Select the "Time range" and click on view Log.

    Check the screenshot (as shown below)

    [Screenshot: Exceptions.JPG, image not included in this extract]

    OR

    Submit the file to the Symantec Security Response Team as "False Positive" on

    https://submit.symantec.com/false_positive

    Hope that helps!!



  • 5.  RE: Clearing False Positive

    Broadcom Employee
    Posted Apr 19, 2013 05:27 AM

    Hi,

    I think you should request the software vendor to get his software whitelisted.

    Software developer would like to add his/her software to the Symantec White-List.

    http://www.symantec.com/docs/TECH132220

    Check this Symantec blog as well: www-secure.symantec.com/.../software-white-listing-program

    Go through the following helpful articles:

    Handling and preventing SONAR false positive detections

    www.symantec.com/.../index...

    Monitoring SONAR detection results to check for false positives

    www.symantec.com/.../index...