Endpoint Protection


Regarding adding process rgtpt.exe in exclusion list

  • 1.  Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 01:15 PM

    I am trying to add the process rgtpt.exe to the centralized exception list in the SEPM 11.0 console.

    After adding the process as Truscan proactive threat scan, it is showing as action LOG only.

    Due to this, a huge amount of traffic is being generated for SEPM. I have tried to edit it, but I am not getting the option for IGNORE.

    Could someone advise me on this?



  • 2.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 01:19 PM

    In your Exception policy, go to Add >> Windows Exceptions >> Application

    A new window will come up and you can search for this .EXE. Highlight the name, and under Action, set it to "Ignore". Click OK and OK again to save the policy.



  • 3.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 01:25 PM

    Thanks Brian,

    Sorry, in our organization we have SEPM version 11.

    The options you have mentioned are for SEPM 12.1.

     

    Regards

    KK



  • 4.  RE: Regarding adding process rgtpt.exe in exclusion list

    Trusted Advisor
    Posted Apr 02, 2013 01:25 PM

    Hello,

    In case of SEPM 11.x, try to enable Network Application Monitoring:

    1. Login to the manager and go to Clients
    2. Choose the group and Select the Policies tab
    3. Under Policies Click Network Application Monitoring
    4. Check the box that says, "Enable Network Application Monitoring."
    5. From here, you can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log.

    Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11

    http://www.symantec.com/docs/TECH104326

    How to set up learned applications in the Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH102994

    In case of SEPM 12.1: Creating an Exception for an Application

    1. Login to the Symantec Endpoint Protection Manager (SEPM) and go to the Policies page.
    2. On the Exceptions Policy page, click Exceptions.
    3. Click Add > Windows Exceptions > Application.
    4. In the View drop-down list, select All, Watched Applications, or User-allowed Applications.
    5. Select the applications for which you want to create an exception.
    6. In the Action drop-down box, select Ignore, or Log only.
    7. Click OK.

    Reference: 

    How to create an application exception in the Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/HOWTO61213

    Creating exceptions for Symantec Endpoint Protection

    http://www.symantec.com/docs/HOWTO80919

    Hope that helps!!


  • 5.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 01:30 PM

    Sorry.

    Go into your Exception policy

    Click Add >> Windows Exceptions >> Truscan Proactive Threat Scan Exceptions >> Detect Processes

    Highlight exe and set the Action to Ignore

    Click OK twice to save



  • 6.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 01:31 PM

    If you pull the detected applications, you can select that and add it to the centralized exception.

    When a proactive threat scan on the client computer logs the detection, the detection becomes part of a list of known processes. You can select from the list when you create an exception for proactive threat scans. You can set a particular action for the detection. You can also use the proactive detection log under the Monitors tab in the console to create the exception.



  • 7.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:14 PM

    Hi Rafeeq and Brian,

    I have tried to add the process from the detected process list. For each machine, this application is generating a different hash algorithm or file fingerprint, and in our organization we have 35K client machines, so I am unable to do so.

    Mithun,

    Sorry, Network application is not enabled in our organization.

     

    Any other suggestions, friends?

     

    Regards

    KK



  • 8.  RE: Regarding adding process rgtpt.exe in exclusion list

    Trusted Advisor
    Posted Apr 02, 2013 02:22 PM

    Hello,

    If the file is being detected by Symantec Endpoint Protection, check these articles:

    About managing false positives detected by TruScan proactive threat scans

     
    Again, before you contact Symantec Tech Support, we would recommend that you submit the files to the Symantec Security Response Team.
     

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/essential

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.

    Hope that helps!!



  • 9.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:29 PM

    If you add as an exception from the TruScan PTP Detected Process list, then you can immediately set a specific action (Log Only, Ignore, Quarantine, Terminate).

    If you add as a Process exception (by .exe name), then the Action is set for you as "Log Only" and you don't have the ability to change it.

     

    Configuring an exception to force TruScan proactive threat scans to detect a process

    Article:HOWTO27304  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27304

     

    By following the above, once you create the exception, it will then show up in the list after some time. You will then need to go back into the list of detected processes and add the exception. Then you will have the option to "ignore". You will need to do this each time the hash changes and add the necessary exception.



  • 10.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:31 PM

    Hi Mithun,

    It's an in-house application built within the organization.

    I don't think submitting a sample file to SRT will help me.

     

    I am explaining once again where I am stuck:

    In SEPM Console

    Policies -> Centralized Exceptions -> Select the specific policy where the exclusion needs to be applied -> Edit the Policies -> windows -> Truscan Threat Protection -> process -> type the name of the process rgtpt -> click ok

    After that I am getting the action as Log only. There should be other options also, like ignore, terminate, etc.

    If I am right.

    Regards

    KK



  • 11.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:33 PM

    When you add it by .exe name, Log Only will be the only option available. This is so SEP can detect it and add it to the Detected Processes list.

    Once it shows up in the Detected Processes List, then you can add the exception and have the ability to change the Action.

    It is a two-part process.

    Every time the hash changes, an exception will need to be added. Since it is hash based, this is how it will need to work. The hash changing indicates the file changed in some way so PTP will catch it.



  • 12.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:41 PM

    Thanks Brian,

    It means I have to do it for all 35K machines.

     

    What if I add the process as a file, with the complete path?

    Does PTP still scan this file?

     

    Regards

    KK



  • 13.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:48 PM

    In 11.x, you can only add by process name. It will not take a directory exclusion.

    In 12.1, you can add a directory to be excluded from SONAR scanning (SONAR replaces TruScan in 12.1).

    My question is, how can the hash be different for 35k users? That is a lot of different versions of the software...



  • 14.  RE: Regarding adding process rgtpt.exe in exclusion list

    Trusted Advisor
    Posted Apr 02, 2013 02:49 PM

    Hello,

    For software developers, authors, and Independent Software Vendors (ISVs), the Symantec Software White-List program offers an opportunity to have their software added to a white-list of known good software maintained by Symantec to reduce the possibility of false positives.  Please note that Symantec offers this service to reduce false positives, but cannot guarantee that false positives will not occur.  Decisions made by Symantec are also subject to change depending on a variety of factors that include but are not limited to alterations in the software, distribution of the software, or vulnerabilities in the software to misuse by the publisher or others. Symantec may also change its classification criteria and policies over time to address the constantly evolving security landscape.  To submit software to participate in this program, please submit the candidate software to Symantec using the Software White-Listing Request form.

    Software White-Listing Request Form: https://submit.symantec.com/whitelist/

    Note: If an application for white-listing is approved it can take a number of weeks for the software in question to be white-listed.  The applicant will be notified after the white-listing process for that software is completed.  The applicant will be notified if the application is not approved.

    Check this Article:

    Software developer would like to add his/her software to the Symantec White-List.

    http://www.symantec.com/docs/TECH132220

     

    In your case there are 3 things you could do- 

    1) Report a Suspected Erroneous Detection and Report a Suspected Erroneous Detection (False Positive)

    Your selections:

    • Detection occurred: While using an application

    • Using product: Symantec Endpoint Protection 11.x or Symantec AntiVirus Corporate Edition

    • Type of detection: SONAR (Behavioral Heuristics Detection)

     

    2) Sign your files with Class-3 digital certificates (X.509) from a Certificate Authority if you need to publish software/files.

    3) Also participate in white-listing program if needed http://www.symantec.com/docs/TECH132220

    Hope that helps!!!



  • 15.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 02:58 PM

    Thanks Brian,

     

    I don't know why this application is generating a different hash for each machine.

    As per my knowledge, there should be only two or three hashes maximum for an application.

     

    Thanks Mithun,

    I will contact SRT team.

     

    Regards

    KK

     



  • 16.  RE: Regarding adding process rgtpt.exe in exclusion list

    Posted Apr 02, 2013 03:00 PM

    Correct. Each version should have a different hash, but 35k is a bit much.
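
The thread leaves open why a hash-keyed exception sees a different fingerprint on every client. The following is an added example, not part of the original posts or any Symantec tooling: it groups collected copies of an executable by hash and locates the byte ranges where two copies differ. SHA-256, the host names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def fingerprint(data: bytes) -> str:
    # SHA-256 is an assumption; the thread does not say which hash SEP uses.
    return hashlib.sha256(data).hexdigest()

def group_by_hash(copies):
    """Map each distinct fingerprint to the sorted list of hosts that carry it."""
    groups = defaultdict(list)
    for host in sorted(copies):
        groups[fingerprint(copies[host])].append(host)
    return dict(groups)

def differing_ranges(a: bytes, b: bytes):
    """Return [start, end) byte ranges where two copies differ (length tail included)."""
    n, m = min(len(a), len(b)), max(len(a), len(b))
    ranges, start = [], None
    for i in range(m + 1):
        # Past the shorter copy, every remaining byte counts as a difference.
        differs = i < m and (i >= n or a[i] != b[i])
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i))
            start = None
    return ranges

def build_sample(tag: bytes) -> bytes:
    # Constructed stand-in for a binary that embeds a per-machine value.
    return b"MZ" + b"\x90" * 30 + b"ID:" + tag.ljust(8, b"\x00") + b"\x90" * 16

# Constructed inventory: host name -> bytes of the copy collected from that host.
SAMPLE_COPIES = {
    "pc-001": build_sample(b"AAAA0001"),
    "pc-002": build_sample(b"AAAA0002"),
    "pc-003": build_sample(b"AAAA0001"),
}

if __name__ == "__main__":
    for digest, hosts in group_by_hash(SAMPLE_COPIES).items():
        print(digest[:16], hosts)
    # A small, fixed-offset difference points at embedded per-machine data.
    print(differing_ranges(SAMPLE_COPIES["pc-001"], SAMPLE_COPIES["pc-002"]))
```

A handful of hash groups indicates ordinary version drift; one group per host with differences confined to the same small offsets indicates the build or installer is stamping per-machine data into the file.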