Endpoint Protection


SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

  • 1.  SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 25, 2012 02:58 PM

    Help!

    We are in the process of upgrading to SEP 12.1 RU1 from SEP 11.x RU7.  We have found that once a machine is upgraded to 12.1, it starts detecting our inhouse apps (that are developed using Visual Studio OneClick technology) as Trojan Worms. These apps were not detected by 11.x.   These apps currently install into the user's profile, with various path names, but do always have the specific application name. So there is no specific install directory.  It is different on each machine that installs it.  I have used the SONAR logs to add exceptions for each of the apps, but the issue is that these apps are constantly being changed and updated (sometimes twice a day), which causes the HASH to change.  The developers are screaming mad because they can't test new versions until I create an exception, and I am getting tired of creating exceptions.   This would be a never ending process.

    What are our options?  How can I tell SEP to ignore these apps without sacrificing the detection capabilities of non-inhouse apps?  Somehow I have to get around the HASH issue, because the HASH will keep changing on these apps.  Or be able to have SONAR ignore certain file names.

    Robert



  • 2.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 25, 2012 04:50 PM

    Hi,

    you need to create a group for the developers and disable SONAR or lower its sensitivity. You cannot expect to have only one configuration for all kinds of users and their needs.



  • 3.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 25, 2012 04:51 PM

    Do not disable SONAR; submit these files to the Security Response team and get them whitelisted with the next release of defs.

    Note: open up a case with Tech Support, provide a sample, and whitelisting will be done.



  • 4.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 25, 2012 05:14 PM

    What are your settings for SONAR?

    What do you do with a low/high detection? Aggressive mode enabled?



  • 5.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Trusted Advisor
    Posted Jan 26, 2012 08:59 AM

    Hello,

    I agree with Swapnil.

    Please submit the File / Application on:

    https://submit.symantec.com/false_positive/

    and 

    https://submit.symantec.com/whitelist/isv/

    I would also request you to create a Case with Symantec Technical Support.

    You can create a Case Online as well...

    QuickStart Guide - Create and Manage Support Cases in SymWISE

    http://www.symantec.com/docs/HOWTO31132

    Hope that helps!!



  • 6.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 26, 2012 02:16 PM

    SONAR settings are High/Quarantine, Low/Log.  Aggressive is not enabled.

    I can't just put the developers in a group by themselves, because once they publish the new revisions of their apps, all workstations begin to detect the new version.  Like I mentioned, for each new version of their app, I have to create an exception for it.

    Wouldn't submitting the app to Symantec be the same thing?  Even if Symantec white lists it, our developers could/would have already revised the app and caused it to have a new HASH.  These are new apps that are going through a lot of development and changes, but they are being used by our users.

    The developers are looking into the possibility of signing the apps with some sort of internal cert.  Would that help to keep SEP from thinking it is a trojan?

    Thanks for the replies,

    Robert



  • 7.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 27, 2012 12:17 AM

    I'm guessing that the SEP protection technology is highly sensitive to executables or scripts that download or modify files as part of their command. And it is also extremely paranoid about files being placed on the client PC. Just my opinion.

    Another user also has a similar problem: https://www-secure.symantec.com/connect/forums/exception-endpoint-protection-doesnt-work



  • 8.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Trusted Advisor
    Posted Jan 27, 2012 08:52 AM

    Hello,

    Behavioral detections are based on things like

    - file versioning

    - digital signatures

    - file size

    - type of file packing/encoding used

    - the age of the file

    - what actions the file takes

    - and more...

    For software developers/authors and Independent Software Vendors (ISVs), the Symantec Software White-List program offers you the opportunity to be added to a white list of known good software maintained by Symantec to reduce the possibility of false positives.

    Please note that Symantec offers this service to reduce false positives, but cannot guarantee that false positives will not occur.

    Decisions made by Symantec are also subject to change depending on a variety of factors that include but are not limited to alterations in the software, distribution of the software, or vulnerabilities in the software to misuse by the publisher or others. Symantec may also change its classification criteria and policies over time to address the constantly evolving security landscape. 

    Note: If an application for white-listing is approved it can take a number of weeks for the software in question to be white-listed. The applicant will be notified after the white-listing process for that software is completed. The applicant will be notified if the application is not approved.

    https://submit.symantec.com/whitelist/isv/

    A few articles on SONAR:


    About SONAR

    http://www.symantec.com/docs/HOWTO55254

    About the files and applications that SONAR detects

    http://www.symantec.com/docs/HOWTO55292

    Handling and preventing SONAR false positive detections

    http://www.symantec.com/docs/HOWTO55273


    Hope that helps!!



  • 9.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 30, 2012 03:35 PM

    Every time the hash value changes, SEP will detect it as a threat. SONAR is built to do so; eventually this stops and warns the administrator to remediate in actual virus scenarios.

    If your dev team is in process, or if this software is in the process of pre-dev, then get all the hash values whitelisted, or get the product entirely developed first, put it in a testing lab, check with SONAR, and then whitelist it if detected by SEP. This will save your time and whitelisting will be done in 1 set of defs.



  • 10.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Jan 30, 2012 07:30 PM

    Hi everyone, what I think RC needs is to be able to have SONAR but be able to exclude Visual Studio OneClick and all its derivative works, i.e. all the inhouse programs that came from that platform. And I'd like to add to what Mithun has mentioned on the White-Listing program:

    A blog by Thomas Parsons

    https://www-secure.symantec.com/connect/blogs/software-white-listing-program

    And a pdf of the WhiteList program details:

    https://submit.symantec.com/whitelist/bcs/Customer%20White%20List%20Program%20Details.pdf

    The reasons for the blocking could be that VS OneClick either has characteristics similar to malware or may be used to promote malware in the wrong hands by means of malicious coding, vulnerability or exploits.



  • 11.  RE: SEP 12.1 RU1 SONAR detecting inhouse OneClick applications as Trojan Worms

    Posted Feb 22, 2012 04:39 PM

    Hi, I'm currently investigating this false positive issue.

    Were you ever able to sign these applications, and if so, did this solve the issue?

    From what I gather so far, this would solve the problem.
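One way for the administrator to keep up with the per-build hash problem raised in post 1 and the signing question in posts 6 and 11, as an added example that is not part of this thread or of any Symantec tool: the script inventories the current in-house binaries, records their SHA-256 and Authenticode status, and lists only the files whose hash changed since the last run, so each new build's hashes can be exported for an exception or whitelist submission in one pass. It assumes the apps are ClickOnce deployments (what the thread calls OneClick) cached under %LOCALAPPDATA%\Apps\2.0, that Get-FileHash and Get-AuthenticodeSignature are available (PowerShell 4 or later), and the app name, cache root and inventory path are placeholders.

```powershell
# Added example, not from the thread. Inventories in-house ClickOnce binaries, hashes them,
# checks their Authenticode signature, and diffs against the previous inventory so that only
# new or changed builds (the ones a hash-based SONAR exception no longer covers) are listed.
param(
    [string]$AppName   = 'InhouseApp',                              # assumed: stable app name
    [string]$Root      = (Join-Path $env:LOCALAPPDATA 'Apps\2.0'),   # assumed ClickOnce cache
    [string]$Inventory = 'C:\SEP\inhouse-hashes.csv'                 # assumed baseline location
)

# Previous inventory keyed by full path -> SHA-256 (empty on the first run)
$previous = @{}
if (Test-Path $Inventory) {
    Import-Csv $Inventory | ForEach-Object { $previous[$_.Path] = $_.Sha256 }
}

# Current state of every binary carrying the app name anywhere under the cache
$current = Get-ChildItem -Path $Root -Recurse -Include "*$AppName*.exe", "*$AppName*.dll" `
                         -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signed   = ($sig.Status -eq 'Valid')   # NotSigned / UnknownError: no usable signature
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified = $_.LastWriteTime
        }
    }

# Files that are new, or whose hash differs from the baseline: these need a fresh exception
# or whitelist submission. A missing key yields $null, so new files are always included.
$changed = $current | Where-Object { $previous[$_.Path] -ne $_.Sha256 }

$changed | Format-Table Path, Sha256, Signed, Signer, Modified -AutoSize
'{0} file(s) total, {1} new/changed since last run' -f @($current).Count, @($changed).Count

# Unsigned binaries: a signature/publisher based approach (posts 6 and 11) cannot apply yet
$current | Where-Object { -not $_.Signed } | ForEach-Object { "UNSIGNED: $($_.Path)" }

# Save this run as the baseline for the next comparison
$current | Export-Csv -Path $Inventory -NoTypeInformation
```

Run it after each developer publish; the printed "new/changed" rows are the only hashes that still need attention, and the UNSIGNED lines show which builds the signing effort has not yet reached.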