Endpoint Protection

  • 1.  False Positives since v12.1

    Posted Oct 03, 2011 06:30 AM

    Since upgrading our clients to version 12.1 we are seeing a large number of false positive detections where files we have used for years are suddenly being quarantined. Nearly all of them are generic types, like Suspicious.Cloud.5 or BloodHound.x - are they all coming from Sonar maybe? Is there something we can do to resolve this without submitting files individually as this will be a huge task.

    Anyone else seen this kind of thing?

    Thanks in advance



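One way to avoid handling every quarantined file individually, as the question above asks, is to work from a detection export rather than from the quarantine one file at a time: group events by file hash, note which detection names hit each hash, and put forward only the files that were flagged purely by heuristic or reputation detections as false-positive review candidates. The example below is added here and is not code from this thread or from Symantec; the CSV layout, its column names, the sample rows and the list of heuristic detection prefixes are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified CSV layout. This is NOT the real
# Symantec Endpoint Protection export format; the columns are an assumption.
SAMPLE_EXPORT = """\
risk_name,file_path,sha256,action
Suspicious.Cloud.5,C:\\Apps\\legacy\\report.exe,aaaa1111,Quarantined
BloodHound.Exploit.33,C:\\Apps\\legacy\\report.exe,aaaa1111,Quarantined
Suspicious.Cloud.5,C:\\Apps\\legacy\\helper.dll,bbbb2222,Quarantined
WS.Reputation.1,C:\\Users\\x\\Downloads\\tool.exe,cccc3333,Quarantined
Trojan.Gen,C:\\Users\\x\\Downloads\\bad.exe,dddd4444,Quarantined
"""

# Detection-name prefixes treated as heuristic / reputation based rather than
# a signature match for a known threat. These are the detections most worth a
# false-positive review; the list itself is an assumption for this example.
HEURISTIC_PREFIXES = ("Suspicious.Cloud", "BloodHound.", "WS.Reputation")


def is_heuristic(risk_name):
    """True if the detection name belongs to one of the heuristic families."""
    return risk_name.startswith(HEURISTIC_PREFIXES)


def triage(export_text):
    """Group detection events by file hash.

    Returns {sha256: {"paths": set, "risks": set, "heuristic_only": bool}}.
    A file is "heuristic_only" when every detection against it is heuristic;
    a file that also tripped a named-threat signature is left out of the
    review candidates and kept for normal incident handling.
    """
    by_hash = defaultdict(lambda: {"paths": set(), "risks": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = by_hash[row["sha256"]]
        entry["paths"].add(row["file_path"])
        entry["risks"].add(row["risk_name"])
    for entry in by_hash.values():
        entry["heuristic_only"] = all(is_heuristic(r) for r in entry["risks"])
    return dict(by_hash)


def submission_manifest(export_text):
    """Sorted list of unique hashes that were flagged only by heuristic detections."""
    return sorted(h for h, e in triage(export_text).items() if e["heuristic_only"])


if __name__ == "__main__":
    for sha, entry in triage(SAMPLE_EXPORT).items():
        tag = "REVIEW" if entry["heuristic_only"] else "KEEP"
        print(f"{tag:6} {sha}  risks={sorted(entry['risks'])}  paths={sorted(entry['paths'])}")
    print("candidates for false-positive review:", submission_manifest(SAMPLE_EXPORT))
```

Deduplicating by hash collapses repeated hits on the same file (the same binary detected on many clients, or by more than one heuristic family) into a single item, which is what makes a bulk review or submission tractable.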
  • 2.  RE: False Positives since v12.1

    Trusted Advisor
    Posted Oct 03, 2011 06:36 AM


    Hello,

    Suspicious.Cloud.5.D is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 


    Suspicious.Cloud.5

    You can try changing the Download Insight Detections. Check these Articles:

    Customizing Download Insight settings

    Managing Download Insight detections

    Also, follow these Symantec Knowledgebase Articles:

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

    About managing false positives detected by TruScan proactive threat scans


    I would also recommend you to submit the Files to the Symantec Security Response Team.

    You would have to Submit the Files to the Symantec Response Team on the Following Sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/gold.cgi

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.


    Hope this helps!!



  • 3.  RE: False Positives since v12.1
    Best Answer

    Broadcom Employee
    Posted Oct 03, 2011 08:12 AM

    Hi,

    It's previously stated that in SEP 12.1 there might be a possibility of false positives.

    As you stated "we are seeing a large number of false positive detections where files we have used for years are suddenly being quarantined" - lower the download protection level and monitor the situation. By default it's set to 5.

    Check the Actions tab also, default action is quarantine.

    Screenshot is attached for reference.