Endpoint Protection

  • 1.  How to exclude Suspicious.MLApp detected

    Posted Jun 08, 2011 06:48 AM

    We have some install routines that use a tool called MiniReg.exe. During install it is extracted to different locations: c:\temp, c:\user and so on.

    Since last week it has been deleted by SEP 11 as a security risk detected: Suspicious.MLApp!

    I need to make a central exception to allow this tool. Can someone help me?

    Thanks!



  • 2.  RE: How to exclude Suspicious.MLApp detected

    Broadcom Employee
    Posted Jun 08, 2011 07:01 AM

    Hi,

    I hope these articles will help you.

    Creating Centralized Exception Policies in Symantec Endpoint Protection Manager

    http://www.symantec.com/business/support/index?page=content&id=TECH104326

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553&locale=en_US



  • 3.  RE: How to exclude Suspicious.MLApp detected

    Trusted Advisor
    Posted Jun 08, 2011 08:22 AM

    Hello,

    Suspicious.MLApp is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

    You can surely create an exception for the threat detected by following the articles below:

    About centralized exceptions for TruScan proactive threat scans

    Configuring a Centralized Exceptions Policy

    However, Security Response may need to examine the original file.

     

    Here are a few steps to follow:

    1) Submit the file to https://submit.symantec.com/false_positive/

    and justify why you think that file should be excluded from scanning.

    2) I would also suggest you submit this file to

    https://submit.symantec.com/gold

    and get a tracking number.

    3) Until that time, you could try restoring a false positive file detection from the Symantec Endpoint Protection quarantine.

    4) If the quarantined file cannot be successfully restored on a SEP client with the latest definitions, the best course of action is to open a case with Technical Support.

    They will need you to submit the original (not quarantined) file: see if you have it on a CD or known good backup, then submit it from a Linux box, LiveCD, etc. (a computer not actively running SEP Auto-Protect). Let Technical Support know the tracking number, and they will be able to investigate.

    Hope this helps!



  • 4.  RE: How to exclude Suspicious.MLApp detected

    Posted Jun 08, 2011 08:53 AM

    Go to the scan option of AV; click on custom scan; from the drop-down menu you can de-select that particular detection.



  • 5.  RE: How to exclude Suspicious.MLApp detected

    Posted Jun 09, 2011 07:58 AM

    Hi,

    Thanks for your response. I submitted the file as you said.

    I can't make a centralized exception.

    We need to install the software, but I'm not willing to make an exception for the different temp folders to which the software unpacks the file!

    Is there no way to make this file a "Known Risk"?

    Thanks for your help!



  • 6.  RE: How to exclude Suspicious.MLApp detected
    Best Answer

    Posted Jun 14, 2011 04:01 AM

    Install is working again! Thanks for your input.



  • 7.  RE: How to exclude Suspicious.MLApp detected

    Trusted Advisor
    Posted Jun 16, 2011 02:07 PM

    Hello,

    To make this file a "Known Risk", I would also suggest you submit this file to

    https://submit.symantec.com/gold

    and get a tracking number.

    The Symantec Security Response team would check the file and let you know whether this threat is an actual threat or not.

    If the file comes back as a "Threat", an antivirus definition would be created and added to the definition list.

    Once the definitions are loaded on your machines, these files would be detected as "Threats".

    Hope that answers!
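An added check for the situation discussed in this thread (example code, not from any of the posts above and not a Symantec feature): before submitting the tool or asking for an exception covering the c:\temp and c:\user locations the original poster mentions, confirm that every copy of MiniReg.exe on disk is byte-identical to the one taken from the install media, and keep that original's SHA-256 for the submission. A file that carries the tool's name but a different hash is not the vendor's tool and must not be covered by the exception. The directory tree, file names and contents below are constructed for the demo; the directory names only mirror the ones in the thread.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(roots, filename, known_good_sha256):
    """Walk each root and classify every file called `filename` (case-insensitive).

    Returns {"match": [paths], "mismatch": [paths]}. Only "match" entries are
    byte-identical to the copy from the install media; a "mismatch" is something
    else that borrowed the tool's name and must not be excluded from scanning.
    """
    result = {"match": [], "mismatch": []}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != filename.lower():
                    continue
                path = os.path.join(dirpath, name)
                bucket = "match" if sha256_file(path) == known_good_sha256 else "mismatch"
                result[bucket].append(path)
    return result


def build_sample_tree():
    """Constructed sample (not a real executable): the tool unpacked into two
    locations, plus an impostor with the same name under a sub-folder.

    Returns (known_good_sha256, roots). The hash stands in for the one you
    would compute from the copy on the install CD or known-good backup.
    """
    base = tempfile.mkdtemp(prefix="minireg-check-")
    original = b"MZ-constructed-stand-in-for-the-vendor-tool"
    impostor = b"MZ-something-else-that-borrowed-the-name"
    layout = {
        os.path.join(base, "temp", "MiniReg.exe"): original,
        os.path.join(base, "user", "setup", "minireg.exe"): original,
        os.path.join(base, "temp", "other", "MiniReg.exe"): impostor,
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    known_good = hashlib.sha256(original).hexdigest()
    return known_good, [os.path.join(base, "temp"), os.path.join(base, "user")]


def demo():
    """Build the sample tree and report which copies are safe to list in a submission."""
    known_good, roots = build_sample_tree()
    return find_copies(roots, "MiniReg.exe", known_good)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        for p in paths:
            print(bucket, p)
```

In practice you would replace `build_sample_tree()` with the hash of the copy on your install media and the real extraction directories; anything reported under "mismatch" deserves its own look rather than an exception.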