SONAR False Positive
Created: 30 Oct 2012 | 11 comments
The issue described below is on all Windows XP SP3 machines and Symantec Endpoint Protection 12.1 RU1.
We have an in-house developed application that was recently changed/upgraded and deployed to about 500 machines. What is weird is that about 75% of the machines detected the application as a (Unknown) Trojan Worm by SONAR, and the other 25% were fine with the application. I verified that all 500 have the same policies, definitions, etc.
Is this normal for SONAR to do something like this?
I've seen the same issue as well; your best bet is to open a support ticket with Symantec for them to investigate.
You can have your app whitelisted:
Software White-Listing Request
https://submit.symantec.com/whitelist/
You can also add the exception:
Handling and preventing SONAR false positive detections
https://www.symantec.com/business/support/index?pa...
Monitoring SONAR detection results to check for false positives
https://www.symantec.com/business/support/index?pa...
SEP Knowledge Base
Endpoint SWAT
We created an exception which fixed the issue. I am just curious as to why SONAR would detect it on some machines and not others.
Support could not answer my question. Does anyone else know why this happens?
Did support even have an answer?
SEP Knowledge Base
Endpoint SWAT
No, support did not have an answer. They just kept going back to asking about the exception and if that worked.
That's unfortunate as I would think they would know or have the means to investigate a level deeper.
My thought was that definition revisions were different, or the client whitelist may not yet have been updated on the clients where it was being flagged, but from reading your original post, it seems all are uniform.
Aside from that, I'm not really sure and anything else would just be speculation.
SEP Knowledge Base
Endpoint SWAT
Hello,
Behavioral detections are based on things like
- file versioning
- digital signatures
- file size
- type of file packing/encoding used
- the age of the file
- what actions the file takes
- and more...
A few articles on SONAR:
About SONAR
http://www.symantec.com/docs/HOWTO55254
About the files and applications that SONAR detects
http://www.symantec.com/docs/HOWTO55292
Handling and preventing SONAR false positive detections
http://www.symantec.com/docs/HOWTO55273
How Symantec Endpoint Protection uses reputation data to make decisions about files
http://www.symantec.com/docs/HOWTO55275
In case you want to whitelist an application, check this article:
Software developer would like to add his/her software to the Symantec White-List.
http://www.symantec.com/docs/TECH132220
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Mithun,
We have already created a hash-based exception. This application changes fairly often (every 3 months or so) and whitelisting that frequently does not make sense.
I am going to see if our developer can digitally sign the executable that is getting quarantined, or I will try the application monitor tool.
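The attributes Mithun's post says behavioural detection weighs (file version, digital signature, size, age) are exactly what to compare between flagged and unflagged clients, and the hash discussed in the reply above is what a hash-based exception is keyed on. The following PowerShell script is an added example, not code from the thread or from Symantec: it collects those attributes plus a SHA-256 hash for one binary from a list of clients and groups the results by hash, so a mixed deployment (different builds under the same name) shows up immediately and the signer, if any, is visible. It assumes PowerShell remoting is enabled, that the clients run PowerShell 4.0 or later (for Get-FileHash; older hosts would need certutil -hashfile instead), and that the application path and host names are placeholders to be replaced.

```powershell
# Added example (not from this thread): inventory the file attributes a
# behavioural engine weighs (version, signature, size, age) plus a SHA-256
# hash for one binary across several clients, then group by hash.
# $AppPath and $Clients are placeholders; adjust to your own deployment.
$AppPath = 'C:\Program Files\InHouseApp\app.exe'
$Clients = @('CLIENT01', 'CLIENT02')   # placeholder host names

$Inventory = Invoke-Command -ComputerName $Clients -ArgumentList $AppPath -ScriptBlock {
    param($Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Version   = $file.VersionInfo.FileVersion
        SizeBytes = $file.Length
        AgeDays   = [int]((Get-Date) - $file.LastWriteTime).TotalDays
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}

# More than one hash group means the "same" application is not the same file
# on every client; a hash-based exception only covers the hashes it was built
# from, whereas a signer subject stays stable across rebuilds.
$Inventory | Group-Object SHA256 | ForEach-Object {
    "{0} client(s) have hash {1}" -f $_.Count, $_.Name
    $_.Group | Format-Table Computer, Version, SizeBytes, AgeDays, SigStatus, Signer -AutoSize
}
```

Run it from an administrative workstation that can reach the clients; clients that are missing the file will raise a per-host error from Get-Item rather than silently dropping out of the listing.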
Hello,
In your case, there are 3 things you could do:
1) Report a Suspected Erroneous Detection and Fill the Insight Dispute Submission Form by following the steps below:
2) Sign your files with Class-3 digital certificates (X.509) from a Certificate Authority if you need to publish software/files.
3) Also, participate in the white-listing program if needed: http://www.symantec.com/docs/TECH132220
Hope that helps!!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
But what about an explanation as to why some clients are flagged and others are not?
SEP Knowledge Base
Endpoint SWAT
I will be talking to the person assigned to our case tomorrow. I will be asking him about it then (again).
Hi Prindte,
This article may also help:
With thanks and best regards,
Mick