Exception for "Suspicious Executable Image"
Updated: 08 Jul 2010 | 5 comments
This issue has been solved. See solution.
An end user using an online college sports recruiting site is frequently disconnected from the site by Symantec with the notification "HTTP Suspicious Executable Image download".
The action is recorded in their Client Management Security Log.
The user is certain the site is legit. Is there a chance of a false positive?
Is there a way to add an exception for the site/IP in question?
Thanks in advance!
Comments
Go to SEPM -Policies- Intrusion Prevention
Edit Intrusion Prevention Policy
Go to Exception
Click on ADD
Select 22819 - HTTP Suspicious Executable Image download
Click Next
Under Action select - Allow and Log
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Before creating an exception, enter the site URL in Safe Web and see if any threats are reported.
http://safeweb.norton.com/
Thomas
If you feel this is a false positive, you can collect a Wireshark packet capture when the sig is enabled and then when it is disabled, and call support to create a case so you don't have to disable the signature. It would be better to make sure the issue is really not present. Notable sites have been hacked and could cause damage to your machines, so this site is not exempt.
Symantec Technical Specialist
Please don't forget to mark which thread solved your issue!
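An added triage helper for the packet capture Thomas suggests (example code, not from this thread or from Symantec). It assumes the signature name means a response declared as an image that actually carries an executable, and compares the declared Content-Type with the body's magic bytes so a real executable can be told from a false positive before any exception is created.

```python
# Added example: check whether a captured HTTP response that was flagged as a
# "Suspicious Executable Image" really carries an executable under an image
# Content-Type. Assumption: that mismatch is what the signature looks for.

EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}

def classify_body(body: bytes) -> str:
    """Label the payload by its leading magic bytes, not by what the server says."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return "executable:" + name
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return "image:" + name
    return "unknown"

def triage_http_response(raw: bytes) -> dict:
    """Split a captured HTTP response and compare declared type with real content."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    declared = "unknown"
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            declared = value.split(b";")[0].strip().lower().decode("ascii", "replace")
    actual = classify_body(body)
    return {
        "declared": declared,
        "actual": actual,
        # An image Content-Type delivering an executable is what a true positive looks like.
        "suspicious": declared.startswith("image/") and actual.startswith("executable:"),
    }

# Constructed sample responses (not captured from any real site).
BENIGN_PNG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
              b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
DISGUISED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
                 b"MZ\x90\x00" + b"\x00" * 16)

if __name__ == "__main__":
    for label, sample in (("benign png", BENIGN_PNG), ("disguised exe", DISGUISED_EXE)):
        print(label, triage_http_response(sample))
```

If the flagged response classifies as a genuine image, that supports the false-positive case for the support ticket; if it classifies as an executable, the block was correct and no exception should be added.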
Vikram -
Thank you for your instructions. Is there no way to exclude the one remote IP only?
Thomas -
The site is ncsasports.org.
Safe Web says it's safe. The three community reviews have the tone of others having trouble as well.
iofractal -
The site allows users to upload content, including profile pictures. I'm guessing some user uploaded an executable as their profile pic.
All -
Thinking out loud here, mostly: what is best practice in this case? I don't want to exclude protection from this type of threat, but the site is legit and users need access; it's the socially contributed content that appears to be the threat.
You can exclude IP also
Go to SEPM -Policies- Intrusion Prevention
Edit Intrusion Prevention Policy
Settings
Enable Exclude Hosts
Then add the IP address for that machine.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro