Endpoint Protection

  • 1.  Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 10:06 AM

    I wanted to check and see if anyone else is experiencing a large number of false positives associated with SONAR.SuspLaunch2.

    It's already identified three different services we run at our company as being malicious and quarantined them, which as a result took them offline. I have since added an exception for each one of these files and restored the file to make it functional.

    My concern though is that it could hit more services or it may have already hit more services and I have just not been made aware of them yet.

    Any way to basically set up a rule to ignore this specific type of Risk? I don't want to disable SONAR completely, nor do I want to lower the settings of SONAR if not necessary. It's worked fairly well up until this one specific Risk it is identifying.


    Thanks,

    Mike



  • 2.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 11:01 AM

    We have seen this pop up for us today as well. We use the Meraki PC agent and it just started getting marked as a trojan, which is false.



  • 3.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 11:01 AM

    Hi Mike,

    Thanks for the post. This is something that Symantec is aware of. You'll be able to run LiveUpdate within an hour to update your PTP definitions; that should prevent the need to create any exclusions or revert to an earlier definition set. The Proactive Threat Protection definitions which remove the False Positive are September 13 2014 r12 or higher.

    BTW, here are KBs on how to avoid a confirmed SONAR FP like this, until new definitions are available:


    Definitely do not disable PTP / SONAR altogether; it is a great technology for stopping threats that do not have AV or IPS definitions against them yet!

    All the best,

    Mick




  • 4.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 11:04 AM

    What services? Windows related? What is this affecting?



  • 5.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 11:43 AM

    I have also seen this at several sites today. Mick2009, can you create a write-up on what the signature SONAR.SuspLaunch2 originally was meant for, why we are seeing so many false positives and how Symantec will prevent this kind of SONAR FP from happening in the future?

    Torb



  • 6.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 11:50 AM

    Has anyone submitted it as a false positive?

    Handling and preventing SONAR false positive detections

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55273



  • 7.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 11:57 AM

    Could you please let us know when the files are available!!



  • 8.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 16, 2014 12:39 PM

    We just got our definitions.



  • 9.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Broadcom Employee
    Posted Sep 16, 2014 04:09 PM

    What definitions introduced the new Engine?
    The new engine was introduced in Proactive Threat Protection definition version 20140913011 (13 September 2014 r11).

    What definitions resolve this False Positive?
    Proactive Threat Protection definition version 20140913012 (13 September 2014 r12) or higher rolls back to the earlier Engine. These definitions are currently available via LiveUpdate.

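    The definition version numbers quoted above follow a fixed YYYYMMDD plus three-digit revision layout (20140913011 is 13 September 2014 r11). The script below is an added example, not code from the thread or from Symantec: it parses that layout and sorts a fleet inventory into hosts still on the affected r11 engine, hosts already on r12 or later, and hosts on older definitions. The hostnames and the inventory dictionary are constructed for illustration; in practice the versions would come from whatever export of client definition versions an admin already has.

```python
import re
from datetime import date

# Layout documented in the thread: YYYYMMDD followed by a three-digit revision,
# e.g. 20140913011 == "13 September 2014 r11".
VERSION_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{3})$")

# Engine that produced the SONAR.SuspLaunch2 false positives (from the thread).
AFFECTED_VERSION = 20140913011
# First definition set that rolls back to the earlier engine (from the thread).
FIXED_VERSION = 20140913012

def parse_ptp_version(version):
    """Split a Proactive Threat Protection definition version into (date, revision)."""
    m = VERSION_RE.match(str(version))
    if not m:
        raise ValueError(f"not a YYYYMMDDrrr definition version: {version!r}")
    y, mo, d, rev = (int(g) for g in m.groups())
    return date(y, mo, d), rev  # date() also rejects impossible calendar dates

def format_ptp_version(version):
    """Render a version the way the thread quotes it, e.g. '13 September 2014 r12'."""
    d, rev = parse_ptp_version(version)
    return f"{d.day} {d.strftime('%B')} {d.year} r{rev}"

def classify_host(version):
    """Return 'affected', 'fixed' or 'pre-engine' for one host's PTP definition version."""
    v = int(version)
    parse_ptp_version(v)  # validate the shape before comparing numerically
    if v >= FIXED_VERSION:  # fixed-width layout makes integer order == release order
        return "fixed"
    if v == AFFECTED_VERSION:
        return "affected"
    return "pre-engine"

def triage(inventory):
    """Group hostnames by status; inventory maps hostname -> PTP definition version."""
    groups = {"affected": [], "fixed": [], "pre-engine": []}
    for host, version in sorted(inventory.items()):
        groups[classify_host(version)].append(host)
    return groups

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "ws-finance-01": "20140913011",  # still on the r11 engine
    "ws-finance-02": "20140913012",  # r12, rolled back to the earlier engine
    "srv-app-01": "20140912004",     # never received the r11 engine
    "srv-app-02": "20140914002",     # later release, already past the fix
}
```

Calling `triage(SAMPLE_INVENTORY)` returns the three host lists; the "affected" list is the set of machines whose quarantined services still need checking after LiveUpdate has run.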



  • 10.  RE: Large Amount of False Positives with SONAR.SuspLaunch2
    Best Answer

    Posted Sep 16, 2014 06:17 PM

    Hi again Mike,


    More information is available in this new blog post:

    SONAR.SuspLaunch False Positive with Sept 15th SONAR Release

    https://www-secure.symantec.com/connect/blogs/sonarsusplaunch-false-positive-sept-15th-sonar-release


    Please do update this thread as to whether this has answered the question; the thread is still marked "needs solution."

    With thanks and best regards,

    Mick




  • 11.  RE: Large Amount of False Positives with SONAR.SuspLaunch2

    Posted Sep 18, 2014 01:59 PM

    Is there an automatic method to release the files from quarantine? We have many machines with this problem.