
Clearing False Positive

Created: 18 Apr 2013 • Updated: 22 Apr 2013 | 4 comments
This issue has been solved. See solution.

I want to start out by saying that I am completely a noob at managing an Endpoint Server. I have learned a lot from just working my way through some issues, but I have run into an issue that I can't seem to remedy with my little bit of knowledge or Google.

We run Endpoint Protection Manager Ver RU1 MP1 and manage just over 200 machines with it.  I have been able to edit policies to better fit our needs and so forth, again by either figuring out on my own or internet searches.  The problem that I am having is that I have a machine that keeps showing up as still infected and I know the file that is showing as a threat is not.  The file is from an installation CD for a software that was installed on the machine. 

The software is k+can commander. It is software for programming and resetting ECUs on automobiles. I have tried to create an exception to allow the software as safe, but the policy doesn't seem to help.

Any suggestions?



Rafeeq's picture

Exclude your file from all types of scan. 

Creating exceptions for Symantec Endpoint Protection

Add the commander.exe as per this document.

Excluding a file or a folder from scans
Also submit the file as a false positive to Symantec so that they can correct it in the next release.
ᗺrian's picture

You can create an exception for this file:

Creating exceptions from log events in Symantec Endpoint Protection Manager

Article: HOWTO80928 | Created: 2012-10-24 | Updated: 2013-01-30

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


Is the D drive an external drive or internal drive?

You could try opening the Risk Logs from the SEPM and try adding an exception to the Files.

SEPM >> Monitors >> Logs >> select Log type as "Risk", select the "Time range" and click on View Log.

Check the Screenshot (as shown below)



Submit the file to the Symantec Security Response Team as "False Positive" on

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture


I think you should request the software vendor to get his software white listed.

Software developer would like to add his/her software to the Symantec White-List.

Check this Symantec Blog as well:

Go through the following helpful articles:

Handling and preventing SONAR false positive detections

Monitoring SONAR detection results to check for false positives

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.