
Folder Exclusions and Heuristic Detections

Created: 25 Jul 2013 | 11 comments

I have a question about Heuristic detections. We have a folder exclusion in place to prevent detections for a piece of software. So far this has worked great for several years now. However starting about a week ago the clients started picking up a file in this folder and classifying it as Trojan.ADH.2. I'm not clear as to why the client is targeting this file because the folder has been excluded. In the log the file location specified is the excluded directory so I'm not sure how this is happening. Any Ideas?


11 Comments

Brɨan wrote:

Has it been excluded from ALL scans or just auto-protect and scheduled scans?

Since this is a heuristic detection it sounds like you also need to exclude it from SONAR.

Here are two helpful KBAs for doing so:

Excluding a file or a folder from scans

http://www.symantec.com/docs/HOWTO80920

Managing exceptions for Symantec Endpoint Protection

http://www.symantec.com/docs/HOWTO80869

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi wrote:

Hello,

What version of SEP are you running? Is that SEP 11.x OR SEP 12.1?

Trojan.ADH.2 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 

Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11.x

http://www.symantec.com/docs/TECH104326

Managing exceptions for Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/HOWTO80869

How to set up learned applications in the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102994

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade wrote:

Hi,

Thank you for posting in Symantec community.

I would be glad to answer your query.

It was working for many years and suddenly started detecting Trojan.ADH.2; do you feel it's a false positive?

Confirm it by submitting to Symantec.

https://submit.symantec.com/false_positive/

Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
 
 
You can also submit the files to the Symantec Response team on the following site:

http://www.threatexpert.com/submit.aspx

Note: ThreatExpert is owned by Symantec.

Best practices for responding to active threats on a network

http://www.symantec.com/docs/TECH122466

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

ENG506RESQ wrote:

Brian, I'm not sure what you mean. It's in the exclusion policy that's applied to the group that it's being detected in.

Your link appears to be written for SEP 12.x. This is SEP 11.x not 12.x.

Mithun, correct this is SEP 11.x.

I have not been able to add an exception for a known risk because Trojan.ADH.2 is not a known risk detection. My assumption was that this was a heuristic detection and as such I was only able to add an exception for the folder, not Trojan.ADH.2. I have subsequently added an exception for the exact file that's in that folder. My process for adding these exceptions matches the 11.x instructions you provided.

Chetan, yes, we've had this software running using centralized exceptions for around 3 years now. The last time the software was updated was back in November. However starting on July 19th, a week ago, the SEP started picking up one file in the excluded software folder and detecting it as Trojan.ADH.2. We have a large number of clients, in the 500ish range but only 5 detections so far.

This file isn't necessarily a false positive. It does perform a corporate task which could be classified by SEP as malware. SEP already identifies the software by name and we did add a known risk exception using the risk name.

So to sum up, we installed this software 3 years ago. We added folder, file, and risk name exclusions to prevent it from being picked up by SEP. The last time we updated the software was November. Starting 1 week ago SEP started picking up one of the files in the excluded folder on a small number of workstations. It did not identify the file by the known risk name but instead categorizes it as Trojan.ADH.2.

As temporary remediation I have turned off BloodHound detections to prevent any more detections until we can find out why this happened.

ENG506RESQ wrote:

One other thing I should add is there are more than just that one file in the folder and none of them are being detected by SEP. Just the one file.

ENG506RESQ wrote:

Another update. I now believe this to not be a heuristic detection. Since I have disabled the BloodHound heuristic virus detection I have had another Single Risk Event for Trojan.ADH.2 and it's identifying the file again.

I need someone to tell me how to prevent SEP from picking this up.

Brɨan wrote:

If you go into the SEPM, Monitors >> Risks, can you select the entry and add it to the exception policy?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ENG506RESQ wrote:

I'm not sure how that's accomplished. In the monitors summary page, there's a list of new risks detected, but if I click on one it just takes me to the Symantec Risk Page for that risk. I don't see any function to add a detected risk to the exception policy. Am I missing something?

Brɨan wrote:

Login to your SEPM and go to Monitors >> Logs

Set the Log Type to Risk and you can filter for the PC on which this came up. You should be able to check the box, click the + sign and add it to the Exception policy accordingly.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ENG506RESQ wrote:

Ahh, I see now. It's not exactly as you described but was in the same place.

When I attempted that a window came up that says Add Security Risk Centralized Exception and it has options for which policy to add it to etc... However, at the top of this window the risks field is blank and it says:

No risk names were detected in the selected events. Note: you cannot exclude viruses.
 

So I'm back in the same boat.

ENG506RESQ wrote:

I've been doing some more testing and I think this is coming down to a simple issue of centralized exceptions. Sorry for the wall of words.

Here was what I tested. I took a fresh system and moved it to a test group with copies of all the current policies. I set all the policy changes back to their original settings from several days ago on just this group. From there I went and browsed the folder and examined the file that was being picked up and not a peep out of SEP. I tried copying the file to the desktop and SEP stepped on it immediately. So it seems that the exclusion policies are working perfectly even from before.

I have looked more closely at the 5 or so detections I had in the last week and I noticed that all 5 detections were special cases. 2 of them were brand new systems that were being set up so SEP was being installed new on them. Another 2 were each in their own separate specialty exclusion policy group. Now these groups still had the folder in question excluded but they were not in the central exception policy group. And the 5th was an offline scan of a user's hard drive which had a legitimate infection on it. In this case the folder exception is invalid since the file was being detected on the F:\ drive.

Another thing to note is that we have this software excluded by Risk Name. The detections were not identifying this file as that Risk however, SEP was just calling it Trojan.ADH.2 which is why I was trying to exclude the Trojan.ADH.2 risk which it seems is impossible.

So here's my conjecture: Symantec redefined the Trojan.ADH.2 risk/virus/whatever sometime before last week and this particular file, which is part of a known risk, started getting picked up as Trojan.ADH.2. I get the offline scan because it wasn't the C: drive, I get the two new systems as their centralized exception policy may not have been delivered yet after the install. What I don't get are the other two detections from the special exceptions groups that did in fact have the proper folder exclusions in place.
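As an added example, not code from the thread or from Symantec, here is a small Python triage helper that applies the same reasoning the poster worked through above: for each detection it checks whether the path was the excluded file or sat under the excluded folder (drive letter included, so an F:\ copy never matches a C:\ exclusion), whether the risk name was one that was excluded, and whether the exception policy had actually reached the client yet. The policy paths, the risk name `SecurityRisk.CorpTool`, the host names and the `policy_applied` flag are constructed placeholders; SEP's real exception matching is not modelled.

```python
from pathlib import PureWindowsPath

# Constructed exception policy modelled on the thread: a folder exclusion,
# a single-file exclusion and a risk-name exclusion (all placeholder values).
POLICY = {
    "folders": [r"C:\Program Files\CorpTool"],
    "files": [r"C:\Program Files\CorpTool\tool.exe"],
    "risk_names": {"SecurityRisk.CorpTool"},
}

# Constructed detection events modelled on the poster's five cases:
# a new install, an offline scan of another drive, and a specialty group.
# `policy_applied` is an assumed field meaning the client had received the policy.
EVENTS = [
    {"host": "NEW-PC-01", "path": r"C:\Program Files\CorpTool\tool.exe",
     "risk": "Trojan.ADH.2", "policy_applied": False},
    {"host": "WS-17", "path": r"F:\Program Files\CorpTool\tool.exe",
     "risk": "Trojan.ADH.2", "policy_applied": True},
    {"host": "WS-42", "path": r"C:\Program Files\CorpTool\tool.exe",
     "risk": "Trojan.ADH.2", "policy_applied": True},
]


def path_excluded(path, policy):
    """True if `path` is an excluded file or lies under an excluded folder.
    PureWindowsPath compares case-insensitively and treats the drive letter
    as part of the path, so C:\ exclusions do not cover F:\ copies."""
    p = PureWindowsPath(path)
    if any(p == PureWindowsPath(f) for f in policy["files"]):
        return True
    return any(p == PureWindowsPath(d) or PureWindowsPath(d) in p.parents
               for d in policy["folders"])


def triage_reasons(events, policy):
    """Return one short verdict per event, in input order."""
    verdicts = []
    for e in events:
        if e["risk"] in policy["risk_names"]:
            verdicts.append("RISK_NAME_EXCLUDED")      # should not have fired
        elif not path_excluded(e["path"], policy):
            verdicts.append("PATH_NOT_COVERED")        # expected detection
        elif not e.get("policy_applied", True):
            verdicts.append("POLICY_NOT_APPLIED")      # fresh install, policy pending
        else:
            verdicts.append("ESCALATE")                # excluded and applied: unexplained
    return verdicts


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, triage_reasons(EVENTS, POLICY)):
        print(f'{event["host"]:10} {verdict:18} {event["path"]}')
```

Events that come back as ESCALATE are the ones worth a false-positive submission or a support case, since the exclusion was present and delivered yet the detection still fired.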