Endpoint Protection

  • 1.  SEP 11 - How to Submit false Positive when file in question is quarantined

    Posted Feb 16, 2011 05:25 PM

    As far as I can tell, when SEP quarantines a file, the file is altered so that you no longer have access to the original binary. Our SEP clients are set up within SEPM policy such that they are not able to disable SEP, so I am unable to get the original file for the submission - as soon as I attempt a restore, SEP detects it as a virus again and puts it back into quarantine.

    When submitting a false positive report to the following site: https://submit.symantec.com/false_positive/ it asks to include the file in question. Can I include the SEP manipulated file and not the original?

    Any other suggestions where I would not have to go to our SEPM administrator in order to change the policy?

     

    Thanks,

       Jarvey



  • 2.  RE: SEP 11 - How to Submit false Positive when file in question is quarantined

    Posted Feb 16, 2011 05:35 PM

    I would create a local exception for the file, restore, zip and submit.

    SEP Client UI > Change Settings > Centralized Exceptions > Add



  • 3.  RE: SEP 11 - How to Submit false Positive when file in question is quarantined

    Posted Feb 16, 2011 06:05 PM

    Is this file from your own software? Is this your owned software which is getting detected as a false positive?



  • 4.  RE: SEP 11 - How to Submit false Positive when file in question is quarantined

    Posted Feb 16, 2011 06:21 PM

    The file is older software/tools - purchased from a Vendor a long time ago and it is used in developing product at my company.

    It is being detected as Adware.gen - the file in question is an executable for a TFTP server. We have a dozen or so cases that showed up starting about 3 weeks ago. Funny thing is most who have restored did not trigger SEP to detect and quarantine. I will look into this but in the meantime I want to submit it to Symantec for a review because I believe it is a false positive.

    regards,

      Jarvey



  • 5.  RE: SEP 11 - How to Submit false Positive when file in question is quarantined

    Posted Feb 17, 2011 04:49 AM

    Hi Jarvey,

     

    If the quarantined file cannot be successfully restored on a SEP client with the latest definitions, the best course of action is to open a case with Technical Support.  They will need you to submit the original (not quarantined) file: see if you have it on a CD or known good backup, then submit it from a Linux box, LiveCD, etc (computer not actively running SEP Auto-Protect).  Let Technical Support know the tracking number, and they will be able to investigate.

     

    Hope this helps!

     

    Mick