Endpoint Protection

  • 1.  Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 01:07 PM

    Hi All,

    A customer provided some information today that indicated that some Custom Actions in our application's installation package are being detected.  They are .tmp files which appear in system processes when the custom action is running.  I think that is just the extracted widget running.  Most are written in VB.Net.

    The user mentioned that he believes this was no longer an issue after definitions were updated.  He did an uninstall/reinstall on the machine after updating the definitions.  I don't know if that is a false positive or not as they may have allowed the .tmp file previously. ??

    Does anyone know if this was ever a widespread problem?  We have numerous custom actions in our installation package and we haven't been notified of any issues such as this before.

     

    Any information appreciated.



  • 2.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 01:08 PM

    Being a custom app, it's possible. Did you submit as a false positive?

    https://submit.symantec.com/false_positive/

    Software developer would like to add his/her software to the Symantec white-list.



  • 3.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 01:12 PM

    I'm not sure how that would be submitted.  I believe the file name would always be changing as it is randomly assigned at install runtime.

    I don't think that having a .tmp exception would be good. ??



  • 4.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 01:16 PM

    Not really unless the directory was specifically tied to that app. If there is an .exe you can submit that to see if anything shows.

    Also, was it detected by SONAR or just Auto-protect? What was the detection name?



  • 5.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 01:35 PM

    I believe the detection name was MSI677A.tmp.  I would have to get an install log from the user's system to tie that back to the specific Custom Action widget that entails.

    I'm not quite sure at this time if it was SONAR or Auto-protect.



  • 6.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 01:42 PM

    If you check the risk or SONAR log in SEPM it should show. But at this point would need to see some sort of log. Could've just been one particular set of defs that was detecting it...



  • 7.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 02:47 PM

    What specifically should I ask the customer for regarding SONAR/Auto-Protect?



  • 8.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 03:07 PM

    I'm just curious to see what scan flagged it. If auto-protect, it would be a known definition. If SONAR, it uses heuristics and this would come down to submitting the file to Symantec to be added to their internal whitelist.



  • 9.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 03, 2015 04:49 PM

    The user provided...

    "This was detected by Auto-Protect, and reported that the file was successfully deleted."

     

    You say that if it's Auto-Protect, it would be a known definition.  Would that be a fairly new addition to a definition, as I would think our users would report this a lot more frequently?  We have many custom actions that run during our install.



  • 10.  RE: Endpoint Protection Detecting .tmp Files During Execution of Windows Installer Package...

    Posted Feb 04, 2015 11:17 AM

    Yes, it could've been that the latest release was detecting it.