
Hosts File Change - Access denied SONAR

Created: 02 Oct 2013 • Updated: 02 Oct 2013 | 8 comments

Hi,

I am receiving "CRITICAL: NETWORK VIRUS DETECTED" for the path below, reported as Hosts File Change - Access denied SONAR

c:\program files (x86)\xyz\posloader.exe

This is a valid application path on XP and Win7 clients, and I need to know how I can rectify this.


Brɨan's picture

Add it as a SONAR exception

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Lokeshth's picture

Hello Brian,

I am eager to know why this path has been treated as CRITICAL: NETWORK VIRUS DETECTED, as this is an application path, and why it is not considered critical\virus on all the machines in the network.

Brɨan's picture

Are there different versions of this app? SONAR uses the file hash.


Lokeshth's picture

No, the app is the same version for all operating systems.

The affected OSes are Win XP and Win7.
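
Added example, not part of the thread and not Symantec tooling: since the exchange above turns on whether every client runs the same binary, this PowerShell sketch compares `posloader.exe` across clients by hash before a hash-based SONAR exception is created. The host names are placeholders, access to the `C$` admin share is assumed, and SHA-256 is used only to compare copies with each other (the thread does not say which hash SONAR computes).

```powershell
# Run from an admin workstation with PowerShell 4.0+ (needed for Get-FileHash),
# so nothing has to be installed on the XP clients themselves.
$clients = @('POS-XP-01', 'POS-W7-01', 'POS-W7-02')   # placeholder host names
$relPath = 'Program Files (x86)\xyz\posloader.exe'    # path quoted in the post

$results = foreach ($c in $clients) {
    $unc = "\\$c\C`$\$relPath"                         # assumes C$ is reachable
    if (Test-Path -LiteralPath $unc) {
        $item = Get-Item -LiteralPath $unc
        [pscustomobject]@{
            Client      = $c
            SHA256      = (Get-FileHash -LiteralPath $unc -Algorithm SHA256).Hash
            FileVersion = $item.VersionInfo.FileVersion
            Signature   = (Get-AuthenticodeSignature -FilePath $unc).Status
            ModifiedUtc = $item.LastWriteTimeUtc
        }
    } else {
        # Record missing copies instead of silently skipping the client.
        [pscustomobject]@{
            Client = $c; SHA256 = 'NOT FOUND'; FileVersion = $null
            Signature = $null; ModifiedUtc = $null
        }
    }
}

$results | Format-Table -AutoSize

# @() forces an array so .Count is the number of distinct hashes,
# not the member count of a single group.
$groups = @($results | Where-Object { $_.SHA256 -ne 'NOT FOUND' } |
            Group-Object -Property SHA256)

if ($groups.Count -gt 1) {
    Write-Warning "posloader.exe differs between clients; review each variant before excluding it."
    $groups | ForEach-Object {
        '{0}  ->  {1}' -f $_.Name, (($_.Group | ForEach-Object Client) -join ', ')
    }
} elseif ($groups.Count -eq 1) {
    "All reachable copies share one hash: $($groups[0].Name)"
}
```

Copies that report the same file version but different hashes explain why only some machines raise the detection, and the odd one out should be examined before it is excluded.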

Mithun Sanghavi's picture

Hello,

What version of SEP are you running?

Check these Articles:

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

http://www.symantec.com/docs/TECH164391

Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

http://www.symantec.com/docs/TECH161646

Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Brɨan's picture

You can submit this app to the false positive and whitelisting

https://submit.symantec.com/false_positive/

https://submit.symantec.com/whitelist/


Brɨan's picture

Have you been able to get this sorted out by adding an exception/whitelisting?
