Endpoint Protection

  • 1.  Exception for "Suspicious Executable Image"

    Posted Jun 07, 2010 04:00 PM
    An end user using an online college sports recruiting site is frequently disconnected from the site by Symantec with the notification "HTTP Suspicious Executable Image download".

    The action is recorded in their Client Management Security Log.

    The user is certain the site is legit.  Is there a chance of a false positive?

    Is there a way to add an exception for the site/IP in question?

    Thanks in advance!


  • 2.  RE: Exception for "Suspicious Executable Image"

    Posted Jun 07, 2010 04:03 PM
    Go to SEPM -Policies- Intrusion Prevention 
    Edit Intrusion Prevention Policy
    Go to Exception
    Click on ADD

    Select 22819 - HTTP Suspicious Executable Image download

    Click Next
    Under Action select - Allow and Log


  • 3.  RE: Exception for "Suspicious Executable Image"

    Posted Jun 07, 2010 04:11 PM
    If you feel this is a false positive, you can collect a Wireshark packet capture when the sig is enabled and then when it is disabled, and call support to create a case so you don't have to disable the signature. It would be better to make sure the issue is really not present. Notable sites have been hacked and could cause damage to your machines, so this site is not exempt.



  • 4.  RE: Exception for "Suspicious Executable Image"

    Posted Jun 07, 2010 04:11 PM

    Before creating an exception, enter the site URL in Safe Web and see if any threats are reported.

    http://safeweb.norton.com/

    Thomas


  • 5.  RE: Exception for "Suspicious Executable Image"

    Posted Jun 07, 2010 04:52 PM
    Vikram -
    Thank you for your instructions.  Is there no way to exclude the one remote IP only?

    Thomas  -
    The site is ncsasports.org.
    Safe Web says it's safe.  The three community reviews have the tone of others having trouble as well.

    iofractal -
    The site allows users to upload content, including profile pictures.  I'm guessing some user uploaded an executable as their profile pic.

    All -
    Thinking out loud here, mostly: what is best practice in this case?  I don't want to exclude protection from this type of threat, but the site is legit and users need access; it's the socially contributed content that appears to be the threat.
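The guess above (an executable uploaded where a profile picture belongs) can be checked outside the IPS. The snippet below is an added example, not code from the thread or from Symantec; it assumes the "HTTP Suspicious Executable Image download" signature fires when a response declared as an image carries an executable file header, and the sample responses in it are constructed. The same check, run server-side at upload time, is the fix the site itself would need.

```python
# Added example: classify one HTTP response the way an "executable image" signature
# would. Assumption (not stated in the thread): the signature looks for an image
# Content-Type whose body starts with an executable header. Magic bytes below are
# the standard file signatures; the sample responses are constructed.

IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

EXECUTABLE_MAGIC = {
    b"MZ": "pe",                 # Windows PE (DOS stub)
    b"\x7fELF": "elf",
    b"\xfe\xed\xfa\xce": "macho32",
    b"\xfe\xed\xfa\xcf": "macho64",
    b"\xcf\xfa\xed\xfe": "macho64-le",
    b"\xca\xfe\xba\xbe": "macho-fat",
}


def sniff(body: bytes):
    """Return ('image', kind), ('executable', kind) or ('unknown', None) from the leading bytes."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return "image", kind
    for magic, kind in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return "executable", kind
    return "unknown", None


def classify_response(content_type: str, body: bytes) -> str:
    """'suspicious' = declared as an image but the bytes are an executable;
    'ok' = declared and actual type agree; 'mismatch' = image type but unknown
    bytes (truncated or odd format); 'not-image' = not declared as an image."""
    declared_image = content_type.split(";")[0].strip().lower().startswith("image/")
    family, _ = sniff(body)
    if not declared_image:
        return "not-image"
    if family == "executable":
        return "suspicious"
    return "ok" if family == "image" else "mismatch"


def accept_upload(body: bytes) -> bool:
    """Server-side profile-picture validation: accept only bodies whose magic bytes
    identify a real image, regardless of the filename or declared type."""
    return sniff(body)[0] == "image"
```

`classify_response("image/jpeg", b"MZ\x90\x00...")` returns `"suspicious"`, which is the case the signature in the thread reports; `accept_upload` rejects the same bytes at the point where the site should have caught them.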




  • 6.  RE: Exception for "Suspicious Executable Image"
    Best Answer

    Posted Jun 07, 2010 05:10 PM
    You can exclude IP also

    Go to SEPM -Policies- Intrusion Prevention 
    Edit Intrusion Prevention Policy
    Settings
    Enable Exclude Hosts 
    Then add the IP address for that machine.