Endpoint Protection

  • 1.  How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 10:02 AM

    I have an application (multiple versions of it) on a number of PCs that performs daily backup operations.

    Each day I receive a dozen or so notifications that I would like to stop.

    At least one security risk found:

    Risk name: (Unknown)

    File path: c:\app\myapplication.exe

    Source: Heuristic Scan

    Action taken on risk: Left alone

    Looking at the SONAR logs I see 2 different types of events.

    Forced SONAR threat detected (Left alone)

    and

    Potential risk found (Left alone)

    I have added exceptions for these files in every way I see possible, but the notifications and events persist.

    There is an exception for c:\app\application.exe that applies to All clients | Exception type: File Exception - SONAR; Security Risk | Action: Ignore.

    I have also added it as an application to watch, and then added all the various hash values from the different versions of the app as application exceptions with an Action of Ignore.

    These notifications persist though. How can I properly exclude these files?




  • 2.  RE: How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 10:13 AM

    What version of SEP 12.1 is this? What you've done sounds correct:

    About SONAR

    Excluding a file or a folder from scans



  • 3.  RE: How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 10:22 AM

    Brian,

    Thanks for the reply.

    I was mistaken; nearly all are 12.1, but these particular PCs that run this application are running embedded Windows and are on 11.0.7000.975.

    Does that change the method for adding these exceptions?



  • 4.  RE: How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 10:29 AM

    SONAR is only applicable for 12.1 machines so the exceptions wouldn't apply to 11.x



  • 5.  RE: How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 10:41 AM

    I guess I'm confused then... Why do I see these events in the SONAR logs?

    At least one security risk found:

    Risk name: (Unknown)

    File path: c:\app\myapplication.exe

    Source: Heuristic Scan

    Action taken on risk: Left alone

    Looking at the SONAR logs I see 2 different types of events.

    Forced SONAR threat detected (Left alone)

    Potential risk found (Left alone)

    And based on the information these are running 11, what is the proper way to add exceptions for these items?



  • 6.  RE: How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 11:12 AM

    So just to confirm, you're seeing SONAR alerts on 11.x clients?



  • 7.  RE: How to Exclude specific files from Risk Name: (Unknown) Source:Heuristic Scan

    Posted Apr 15, 2015 12:50 PM

    I believe so.

    My email notifications contain this:

    At least one security risk found:

    Risk name: (Unknown)

    File path: c:\app\myapplication.exe

    Source: Heuristic Scan

    Action taken on risk: Left alone

    When I log onto the SEP Remote Console, > Monitors > Logs > Log type: SONAR > View Logs...

    I see a large number of events on these files on a dozen or so systems from several different types of events.

    Potential risk found (Left alone) | Detection Type: Unknown > Details:

    Category set: Malware

    Category type: Heuristic Virus
    Actual action: Left alone
    Specified primary action: Leave alone (log only)
    Specified secondary action: Leave alone (log only)
    Detection source: SONAR
    Risk detection method: Unknown
    URL tracking: Unknown
    Source computer: 
    Event type: Potential risk found
    Permitted application reason: Not on the permitted application list

    Forced SONAR threat detected (Left alone) | Detection Type: Unknown > Details:

    Risk Information
    Risk name: 
    Risk severity: 1
    Discovered: Unknown
    Category set: Malware
    Category type: Heuristic Virus


    Actual action: Left alone
    Specified primary action: Leave alone (log only)
    Specified secondary action: Forced detection using file name
    Detection source: SONAR
    Risk detection method: Unknown
    URL tracking: Unknown
    Source computer: 
    Event type: Forced SONAR threat detected
    Permitted application reason: Not on the permitted application list

    There are also a number of events for Risk sample submitted to Symantec for these files.

    I have verified these PCs are running 11 and that the filename and application exceptions are present for these EXEs.
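The triage the poster is doing by hand (reading each alert, checking the path against the configured exceptions, noticing which hosts and event types keep recurring) can be scripted. The following is an added example, not code from the thread or from Symantec: it parses notification text laid out the way the e-mail alerts and the SONAR log "Details" view are shown above, groups events by file path and event type, and flags paths that have no matching exception. The sample events, host names and exception list are constructed; path comparison is case-insensitive but otherwise exact, so a name mismatch between the exception and the detected file shows up as "no exception" rather than being silently treated as covered.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: three alert blocks in the "Key: value" layout used by the
# SEP e-mail notification and the SONAR log Details view. All values are invented.
SAMPLE_EVENTS = """\
At least one security risk found:
Risk name: (Unknown)
File path: c:\\app\\myapplication.exe
Source: Heuristic Scan
Action taken on risk: Left alone
Event type: Forced SONAR threat detected
Specified secondary action: Forced detection using file name
Source computer: BACKUP-PC01

At least one security risk found:
Risk name: (Unknown)
File path: C:\\App\\MyApplication.exe
Source: Heuristic Scan
Action taken on risk: Left alone
Event type: Potential risk found
Specified secondary action: Leave alone (log only)
Source computer: BACKUP-PC02

At least one security risk found:
Risk name: (Unknown)
File path: c:\\app\\other.exe
Source: Heuristic Scan
Action taken on risk: Left alone
Event type: Potential risk found
Specified secondary action: Leave alone (log only)
Source computer: BACKUP-PC01
"""

# Exceptions as they were typed into the console (constructed). Note that the
# first entry is "application.exe", not "myapplication.exe".
CONFIGURED_EXCEPTIONS = ["c:\\app\\application.exe", "c:\\app\\other.exe"]


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the text into alert blocks (each starts with the
    'At least one security risk found' line) and turn every 'Key: value'
    line into a dict entry. Empty values such as 'Source computer: ' are kept."""
    events: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("At least one security risk found"):
            current = {}
            events.append(current)
            continue
        if not line or current is None:
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            current[key.strip()] = value.strip()
    return events


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.strip().lower().replace("/", "\\")


def summarize(events: List[Dict[str, str]], exceptions: List[str]) -> List[Dict]:
    """One row per (file path, event type): how often it fired, on which hosts,
    and whether the path is covered by a configured exception."""
    covered = {normalize_path(p) for p in exceptions}
    counts: Counter = Counter()
    hosts = defaultdict(set)
    for ev in events:
        key = (normalize_path(ev.get("File path", "")), ev.get("Event type", "?"))
        counts[key] += 1
        hosts[key].add(ev.get("Source computer", ""))
    return [
        {
            "path": path,
            "event_type": event_type,
            "count": n,
            "hosts": sorted(hosts[(path, event_type)]),
            "has_exception": path in covered,
        }
        for (path, event_type), n in sorted(counts.items())
    ]


def main() -> None:
    rows = summarize(parse_events(SAMPLE_EVENTS), CONFIGURED_EXCEPTIONS)
    for row in rows:
        flag = "" if row["has_exception"] else "  <-- no matching exception"
        print(f'{row["count"]:3d}  {row["event_type"]:30s} {row["path"]} '
              f'hosts={row["hosts"]}{flag}')


if __name__ == "__main__":
    main()
```

Paste the text of real alert e-mails or an exported log view in place of the constructed sample; the rows without a matching exception are the ones worth checking first, and the host list is what tells you whether the affected clients are the 11.x machines discussed above.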