Endpoint Protection


SONAR False Positive

  • 1.  SONAR False Positive

    Posted Oct 30, 2012 04:15 PM

    The issue described below is on all Windows XP SP3 machines and Symantec Endpoint Protection 12.1 RU1.

    We have an in-house developed application that was recently changed/upgraded and deployed to about 500 machines.  What is weird is about 75% of the machines detected the application as a (Unknown) Trojan Worm by SONAR, and the other 25% were fine with the application.  I verified that all 500 have the same policies, definitions, etc.

    Is this normal for SONAR to do something like this?



  • 2.  RE: SONAR False Positive

    Posted Oct 30, 2012 04:26 PM

    I've seen the same issue as well; your best bet is to open a support ticket with Symantec for them to investigate.

    You can have your app whitelisted:

    Software White-Listing Request

    https://submit.symantec.com/whitelist/

    You can also add the exception:


    Handling and preventing SONAR false positive detections

    https://www.symantec.com/business/support/index?page=content&id=HOWTO55273

    Monitoring SONAR detection results to check for false positives

    https://www.symantec.com/business/support/index?page=content&id=HOWTO55026



  • 3.  RE: SONAR False Positive

    Posted Oct 31, 2012 11:28 AM

    We created an exception which fixed the issue.  I am just curious as to why SONAR would detect it on some machines and not others.

    Support could not answer my question.  Does anyone else know why this happens? 



  • 4.  RE: SONAR False Positive

    Posted Oct 31, 2012 11:31 AM

    Did support even have an answer?




  • 5.  RE: SONAR False Positive

    Posted Oct 31, 2012 11:35 AM

    No, support did not have an answer.  They just kept going back to asking about the exception and if that worked.



  • 6.  RE: SONAR False Positive

    Posted Oct 31, 2012 11:47 AM

    That's unfortunate as I would think they would know or have the means to investigate a level deeper.

    My thought was that definition revisions were different, or that the client whitelist had not yet been updated on the clients where it was being flagged, but from reading your original post, it seems all are uniform.

    Aside from that, I'm not really sure and anything else would just be speculation.



  • 7.  RE: SONAR False Positive

    Trusted Advisor
    Posted Oct 31, 2012 01:51 PM

    Hello,

    Behavioral detections are based on things like:

    - file versioning
    - digital signatures
    - file size
    - type of file packing/encoding used
    - the age of the file
    - what actions the file takes
    - and more...


    A few articles on SONAR:

    About SONAR

    http://www.symantec.com/docs/HOWTO55254

    About the files and applications that SONAR detects

    http://www.symantec.com/docs/HOWTO55292

    Handling and preventing SONAR false positive detections

    http://www.symantec.com/docs/HOWTO55273

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    http://www.symantec.com/docs/HOWTO55275


    In case you want to whitelist an application, check this article:

    Software developer would like to add his/her software to the Symantec White-List.

    http://www.symantec.com/docs/TECH132220


    Hope that helps!!



  • 8.  RE: SONAR False Positive

    Posted Oct 31, 2012 02:16 PM

    Mithun,

    We have already created a hash-based exception.  This application changes fairly often (every 3 months or so) and whitelisting that frequently does not make sense.

    I am going to see if our developer can digitally sign the executable that is getting quarantined, or I will try the application monitor tool.



  • 9.  RE: SONAR False Positive

    Posted Oct 31, 2012 02:23 PM

    But what about an explanation as to why some clients are flagged and others are not?



  • 10.  RE: SONAR False Positive

    Posted Oct 31, 2012 02:55 PM

    I will be talking to the person assigned to our case tomorrow.  I will be asking him about it then (again). 



  • 11.  RE: SONAR False Positive

    Trusted Advisor
    Posted Oct 31, 2012 02:59 PM

    Hello,

    In your case, there are three things you could do:

    1) Report a suspected erroneous detection and fill in the Insight Dispute Submission Form by following the steps below:

    • Connect to the website: https://submit.symantec.com/false_positive/
    • Select "When installing an application" OR "While using an application" and click on NEXT
    • Select "Symantec Endpoint Protection 12.x" and click on NEXT
    • Select "SONAR (Behavioral Heuristics Detection)"
    • Click on the Button "Take me to the Insight Dispute Submission Form"
    • Fill all the important Details (* marked in red)

    2) Sign your files with Class-3 digital certificates (X.509) from a Certificate Authority if you need to publish software/files.

    3) Also participate in the white-listing program if needed: http://www.symantec.com/docs/TECH132220

    Hope that helps!!!



  • 12.  RE: SONAR False Positive

    Posted Nov 01, 2012 05:34 AM

    Hi Prindte, 

    This article may also help:

    Insight Deployment Best Practices
    http://www.symantec.com/docs/DOC5077