Fault Trojan Detection in SEP 11: Tracking #12416992

  • 1.  Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 06:28 AM


    [TRACKING]: Symantec Security Response Automation: Tracking #12416992

    A simple batch file which is converted to exe using Quick Batch File Compiler is detected as Trojan Horse in SEP 11; the same is not detected in Symantec Corporate Edition 9.
    You can download and check http://www.abyssmedia.com/quickbfc/ and just compile a blank file to exe and check; it will be detected as a virus. I uploaded this to Symantec but got a response like this:

    Developer notes:
     symantec.zip is a container file of type  ZIP
    empty.exe Our automation was unable to identify any malicious content in this submission.
     The file will be stored for further human analysis  This file is contained by   symantec.zip
    adobe.exe Our automation was unable to identify any malicious content in this submission.
     The file will be stored for further human analysis  This file is contained by   symantec.zip

    Can anybody help with how to stop this Fault Detection...

    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Security risk detected: Trojan Horse
    File: C:\Documents and Settings\Administrator\Desktop\quick batch file\4.exe
    Location: C:\Documents and Settings\Administrator\Desktop\quick batch file
    Computer: INFEMS-BA-170
    User: pcadmin
    Action taken: Pending Side Effects Analysis : Access denied
    Date found: Wednesday, August 26, 2009  3:51:52 PM






  • 2.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 06:40 AM
    Follow this doc and create a centralized exception for your batch program:

    http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248



  • 3.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 06:58 AM
    I tried using the user exception list in the SEP 11 client. I want this only on my system, not for the entire organisation....

    If I add .bat files to the exception, what if a virus comes from another source in the form of a .bat file?


  • 4.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 07:21 AM

    If you add an exception for .bat files, the antivirus will not scan files with the .bat extension.



  • 5.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 07:32 AM
    The out file is .exe; if I add that extension to the exception list then my system will be full of viruses. Is there any other alternative method?

    Last time I had a similar problem, SEP was detecting it as a Trojan. I submitted that file to Symantec, then later on I think they released updates, and then for a few months it was not detected as a Trojan. For the past 2 weeks it has started detecting it as a Trojan. The funny thing is, if I convert the batch file to exe on a machine on which Symantec Corporate Edition is installed, it is not detected at all; if I scan that converted exe file in SEP 11 it is not detected as a Trojan, and neither are the exe files which were converted earlier...

    Why the false detection in SEP 11 while converting batch to exe? And why is it not detecting as Trojan a file which is already converted to exe?




  • 6.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 07:39 AM
    Use a centralized exception.

    On your machine, you can create a centralized exception.

    This exception would be for that particular application and for entire, *.exe.

    You need to mention the complete path for it.

    1) Log into the Symantec Endpoint Protection Manager and click Policies.

    2) Under View Policies click Centralized Exceptions.

    3) If you have a Centralized Exceptions policy, edit the policy. Otherwise, follow step 4 to create it.

    4) Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.

    5) In the left pane, click Centralized Exceptions.

    6) Click the Add button to open a drop-down menu. Move the cursor over Tamper Protection Exception and select it.

    7) Enter the file name (the complete path for your file) in the File field.

    8) Save the policy by clicking OK and make sure it is assigned to the appropriate client groups.



  • 7.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 26, 2009 09:47 AM
    Well... why it's being detected in SEP and not in SAV is the difference between *scan engines*, because virus definitions are the same [if up to date]; engines and detection technology may vary from version to version.

    I've used quickBFC and the compiled file is detected not only by SEP but by many other AV vendors. You may find this in the abyssmedia forums...
    Why? Because many malware authors use this tool too, to create and *join* files together. It's a very popular *joiner*. I am not saying that it's a bad program, but it's misused.

    Here in your case you don't have to set an exception for *.exe [all exe files] but for the *actual file*, by specifying the full path in the centralized exception:

    "C:\Documents and Settings\Administrator\Desktop\quick batch file\4.exe"

    What else you could do is create a *separate folder* and exclude *the folder* in the centralized exception, and then you can drop those *converted exe files* in that folder. But this is a temporary solution.

    If you want to exclude it only for *your system* then you have to create a *separate group in SEPM*, *move* your system to that group, *copy* all the policies and then *modify* the centralized exception policy according to your need [as mentioned above].

    The permanent resolution would be to open a ticket with Symantec tech support, inform them about the false positive and request that it be included in the *whitelist*. In the next update [in a few days] you'll get it resolved.
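The difference in exposure between the three exception scopes discussed in this reply (all `*.exe`, one folder, one full path), as an added example that is not part of the original post or of any Symantec tooling. The `(kind, value)` rule format, the `C:\Converted` folder and every sample path except `4.exe` are assumptions constructed for illustration, and folder exceptions are assumed to cover subfolders.

```python
from pathlib import PureWindowsPath

# Exception entries modelled on the options discussed in the thread. The
# (kind, value) tuple format is an assumption for this sketch, not SEP's own.
RULES = {
    "all *.exe": ("extension", "exe"),
    "folder": ("folder", r"C:\Converted"),  # hypothetical drop folder
    "single file": ("file", r"C:\Documents and Settings\Administrator"
                            r"\Desktop\quick batch file\4.exe"),
}

# Constructed sample paths; only the first comes from the thread.
SAMPLE_FILES = [
    r"C:\Documents and Settings\Administrator\Desktop\quick batch file\4.exe",
    r"C:\Converted\backup.exe",
    r"C:\Converted\old\cleanup.EXE",
    r"C:\Documents and Settings\pcadmin\Local Settings\Temp\setup.exe",
    r"C:\Documents and Settings\pcadmin\Desktop\notes.bat",
]


def is_excluded(path, rule):
    """Return True if `path` would be skipped by the scanner under `rule`."""
    kind, value = rule
    target = PureWindowsPath(path)  # Windows semantics: case-insensitive
    if kind == "extension":
        return target.suffix.lower() == "." + value.lower()
    if kind == "folder":
        # Assumes the folder exception also covers subfolders.
        return PureWindowsPath(value) in target.parents
    if kind == "file":
        return target == PureWindowsPath(value)
    raise ValueError(f"unknown exception kind: {kind}")


def unscanned(rule, files=SAMPLE_FILES):
    """List the files that `rule` removes from scanning."""
    return [f for f in files if is_excluded(f, rule)]


def rank_by_exposure(rules=RULES, files=SAMPLE_FILES):
    """Order rules from narrowest to broadest by number of unscanned files."""
    counts = {name: len(unscanned(rule, files)) for name, rule in rules.items()}
    return sorted(counts.items(), key=lambda item: item[1])


if __name__ == "__main__":
    for name, count in rank_by_exposure():
        print(f"{name:12} -> {count} of {len(SAMPLE_FILES)} files unscanned")
```

Running the same check against a real directory listing before approving an exception shows how many files a proposed rule would take out of scanning.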


     


  • 8.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 27, 2009 01:40 AM
    " Well...why it's being detected in SEP and not in SAV is the difference between *scan engines* because virus definitions are same [if up to date ] engines and detection technology may vary..from version to version. "

    Scan engines are different, but why is a file which is converted on a machine that has SAV not getting detected in SEP?

    I have added the folder to the exception, but still the same problem... gave the quickbfc program path... no use... any other solution (locally on the client machine, I don't want to add any separate group for my system)? I think Symantec tech support charges for their support... I have no idea about this...


  • 9.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 27, 2009 06:58 AM
    You may try this

    on the client machine:

    open the SEP interface,

    click on Change Settings,

    click on Antivirus and Antispyware, Configure Settings,
    click on File System Auto-Protect, and in the user-defined centralized exception add the complete path of your quickbfc and the exe... let's see if this works.







  • 10.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 27, 2009 07:10 AM

    Anil,

    I did download the software and create a sample file; however, SEP did not raise any virus or trojan alert. My virus defs are older (downloading the latest now).

    So we can conclude that it's not the scan engine change... it should be the virus defs.

    As of now my defs are Jan 19 2009 R2.

    I will download the latest and try following the steps as mentioned by you. If my SEP does not detect it, I shall send you a screenshot...

    Have a good day

     



  • 11.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 27, 2009 11:32 PM
    Rafeeq, did you check by downloading the latest definitions...???? 101% it will detect as Trojan.


  • 12.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 28, 2009 01:16 AM
    I downloaded from the site you mentioned and created a sample file. But SEP didn't detect the file as a Trojan... I have the latest updates also.... Are you using any cracked qbfc? Once I used a cracked qbfc... files created from that software were detected as Trojan... Can you upload the file somewhere so that we can download and check the file?


  • 13.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 28, 2009 01:36 AM
    I used the trial version to convert... but still it detects... tried on other machines too... same problem.


  • 14.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 28, 2009 11:11 AM
    I agree with SHP; we both installed the software and nothing is being detected. It would be good if you can post a screenshot and let us know what exactly it is detecting.


  • 15.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 01:32 AM
    [image]


    This is the error I'm getting... same error on another machine which has SEP 11, but in Corporate Edition no such detection...


  • 16.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 02:03 AM
     Hi Anil....

    Try to upload the file to some file upload site and post the link.... we can check it by downloading....



  • 17.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 02:24 AM
    If I try to compile on a SEP 11 machine it shows the error as Trojan. I created the files in Corporate Edition 9 and it didn't show any such error; I then scanned those files in SEP 11, but it didn't detect any virus.

    Check the attachment in this:

    http://www.mediafire.com/?9aa17ufdwg


  • 18.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 02:57 AM
    Please check the link... I am getting the home page of mediafire....


  • 19.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 03:11 AM
    http://www.mediafire.com/download.php?9aa17ufdwgj

    or

    http://www.sendspace.com/file/c5c9ml



  • 20.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 03:43 AM
    I downloaded and scanned it; it's not detected as a trojan....

    Did anyone else try to check.....


  • 21.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 04:47 AM
    It will not detect after getting compiled in Corporate Edition; that means once you save the output file it will not detect any trojan, and if you scan the same file in SEP 11 it will not detect it as a Trojan.
    In SEP 11, once you click on compile and give the output file, it detects it as a trojan.


  • 22.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 04:58 AM
    Are the files which you have uploaded still detected as trojan in SEP...?


  • 23.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Aug 31, 2009 05:45 AM
    No, it's not detecting....

    I think you are not understanding my concern.

    I will explain it to you clearly...

    In SEP 11, when you try to save the output file it detects it as a trojan (it's not allowing me to create the exe file at all).

    In Corporate Edition, no such false detections; I am able to create the exe file, and if I copy the created files to the system where SEP 11 is installed, they are not detected as Trojan.

    My concern is why it's not allowing me to create the exe file on SEP 11; if the files are trojans, then why is it not detecting as trojan a file which is created in Corporate Edition?


  • 24.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 02, 2009 09:32 AM
    I think there is no solution for this issue...


  • 25.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 02, 2009 09:59 AM
    Since you are not able to get a solution on the forum, please call technical support on the local support number and get a case created so that Symantec can work to get a solution.


  • 26.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 03:35 AM
    Is there no way this forum can reach out with this thread to the Symantec guys...


  • 27.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 04:37 AM

    You already have a lot of Symantec employees here :)

     



  • 28.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 05:12 AM
    Good... then why do I have to call technical people? Please, someone help me.


  • 29.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 05:25 AM
    So that they can look into the system and the file. It will be easier for them to gather logs and escalate their findings to Security Response, so that you can get an exact and speedy resolution.


  • 30.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 05:39 AM
    Is it a paid service? If not, can I have a toll-free number for the Bangalore area?


  • 31.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 05:48 AM
    If you have the license for SEP then you must also have the support license.
    When you bought the product you would have paid for the support as well.
    The number is a national number (toll free); however, your call might go to either Pune/Chennai or anywhere across the globe.

    Toll-Free 000 800 4401 456 directly
    http://www.symantec.com/business/support/contact_techsupp_static.jsp


  • 32.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 06:05 AM
    OK, thanks for the advice. SEP in our company is maintained by other people; I will ask them. And 100% it's licensed.


  • 33.  RE: Fault Trojan Detection in SEP 11: Tracking #12416992

    Posted Sep 03, 2009 06:41 AM
    Once you call Symantec you can also guide them to this post (if they are not aware) to get a better understanding of your issue.