
Clearing False Positive

Created: 18 Apr 2013 • Updated: 22 Apr 2013 | 4 comments
This issue has been solved.

I want to start out by saying that I am completely a noob at managing an Endpoint Server. I have learned a lot from just working my way through some issues, but I have run into an issue that I can't seem to remedy with my little bit of knowledge or Google.

We run Endpoint Protection Manager Ver 12.1.1.1101.401 RU1 MP1 and manage just over 200 machines with it. I have been able to edit policies to better fit our needs and so forth, again by either figuring it out on my own or internet searches. The problem that I am having is that I have a machine that keeps showing up as still infected, and I know the file that is showing as a threat is not. The file is from an installation CD for software that was installed on the machine.

The software is k+can commander. It is software for programming and resetting ECUs on automobiles. I have tried to create an exception to allow the software as safe, but the policy doesn't seem to help.

Any suggestions?

Thanks


Rafeeq

Exclude your file from all types of scan. 

Creating exceptions for Symantec Endpoint Protection


http://www.symantec.com/business/support/index?page=content&id=HOWTO55204#v39814459

Add the commander.exe as per this document.

Excluding a file or a folder from scans


And also submit the file to Symantec as a false positive so that they can correct it in the next release.

.Brian

You can create an exception for this file:

Creating exceptions from log events in Symantec Endpoint Protection Manager

Article:HOWTO80928  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO80928

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Hello,

Is the D drive an external drive or internal drive?

You could try opening the Risk Logs from the SEPM and try adding an exception to the Files.

SEPM>> Monitors>> Logs >> Select Log type as "Risk" and Select the "Time range" and click on view Log.

Check the Screenshot (as shown below)

[Screenshot: Exceptions.JPG]

OR

Submit the file to the Symantec Security Response Team as "False Positive" on

https://submit.symantec.com/false_positive

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
Chetan Savade
</gr_replreplace>
<gr_replace lines="83" cat="clarify" orig="I think you should">
I think you should request the software vendor to get their software whitelisted.

Hi,

I think you should request the software vendor to get his software white listed.

Software developer would like to add his/her software to the Symantec White-List.

http://www.symantec.com/docs/TECH132220

Check this Symantec Blog as well: www-secure.symantec.com/.../software-white-listing-program

Go through the following helpful articles:

Handling and preventing SONAR false positive detections

www.symantec.com/.../index...

Monitoring SONAR detection results to check for false positives

www.symantec.com/.../index...

Chetan Savade
Sr. Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.