Cookie Annoyance
Updated: 21 May 2010 | 7 comments
This issue has been solved. See solution.
Hey folks,
Our periodic scans flag machines as infected in the SEPM console when a Tracking Cookie is quarantined/deleted. I would like to either:
a) for the Tracking.Cookie threat detection, not to subsequently flag machines as infected in SEPM
or
b) ignore the Tracking.Cookie threat altogether
In Centralized Exceptions policy, I have tried to add Security Risk Exceptions -> Known Risks but Tracking.Cookie does not appear.
While I'm at it, I can't find the EICAR test string either. I have a group of users that regularly work with this and would like to stick them in a client group without their machines constantly getting flagged. Thanks for any input.
Comments
Eicar test files http://www.eicar.org/anti_virus_test_file.htm
Tracking cookies are not considered a threat and therefore are not removed when placed on the hard drive. When performing a full scan, these cookies can and will be detected by the scan and as long as the user goes to that site during the day this risk will be found and removed.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Hi Prachand,
Once SEP removes the cookie, it reports the computer as "infected" and shows up as infected in reports. If the threat is found and removed, why would it still call the machine infected in SEPM?
Also, I should have been more specific. I can't find an entry in Centralized Exceptions to *ignore* EICAR test string as a non-threat. I understand that defeats the purpose in terms of testing anti-virus, but we get many detections and false infected flags because of it.
Blaine Baker
Information Security Administrator
SEPM, go to Admin > Servers > Local Site > Properties > Database tab, and make sure "Delete EICAR events" is checked.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Hi Prachand,
I already had that setting enabled. I continue to get these detections and they flag the machines as infected, so I have to go in and mark them cleared. It's a lot of extra hassle. Attached screenshots from SEPM reports.
Blaine Baker
Information Security Administrator
@UltraMagnus
The option to ignore the tracking cookie is under the Centralized Exceptions policy. Add it as a Known Security Risk Exception and set it to log when detected.
I get 5-10 of these a day but just don't want to set it as an exception quite yet but this should work for you.
Endpoint Knowledge Base
Security Best Practices
As I mentioned in the first post, I do not have "Tracking Cookie" listed as an option in the known risks. It just goes from TraceSweeper to Trackware.7FaSStSearch and there is no Tracking Cookie entry at all.
Blaine Baker
Information Security Administrator
I'm not sure what happened, but the entry is now in the centralized exceptions, except it says "Tracking Cookies" plural. *very* weird but I'm glad it's there anyway. I'll credit Brian81 since that's where the exception was, even though I didn't have it listed for me until recently :P
Blaine Baker
Information Security Administrator