
SONAR - False Positives for Windows OS Components

Created: 29 Oct 2012 • Updated: 29 Oct 2012 | 4 comments

We are starting to see more false positives for Microsoft operating system files from the source: Heuristic Scan.

I believe this is now called SONAR by Symantec.

I’d rather not add the false positives as exceptions as that would exclude them from scanning – even if they become infected.

I don’t see a way to tweak the sensitivity of the Heuristic scanning as we were able to do in previous versions using TruScan.

Below are examples of the false positives we have received – below that are the settings for SONAR. Please let me know what can be changed to decrease the number of SONAR false positives.

 

False Positives:

Risk name: Microsoft® Windows® Operating System
File path: c:\windows\syswow64\rundll32.exe
File path: c:\windows\system32\notepad.exe
File path: c:\windows\system32\drvinst.exe
File path: c:\windows\system32\services.exe
File path: c:\windows\system32\svchost.exe

SONAR Settings:

High risk detection: Quarantine
Low risk detection: Log

DNS change detected: Block
Host file change detected: Block

High risk detection: Block
Low risk detection: Log

Environment Info:

2003 Standard
SEP 12.1.1101
XP (32-bit) & W7 (32 & 64-bit) Clients


_Brian

I'm surprised to see those MS services as being detected... Check the log to see exactly what for. These are due to DNS change detected or Host file change detected.

I had the same issue and had to turn those off.

Check these:

About SONAR

https://www.symantec.com/business/support/index?pa...

Monitoring SONAR detection results to check for false positives

https://www.symantec.com/business/support/index?pa...

Handling and preventing SONAR false positive detections

https://www.symantec.com/business/support/index?pa...

SOLUTION
Mithun Sanghavi

Hello,

Check these Articles - 

Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name

http://www.symantec.com/docs/TECH161493

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

http://www.symantec.com/docs/TECH164391

Creating a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

http://www.symantec.com/docs/TECH194108

Symantec Endpoint Protection 12.1 SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

http://www.symantec.com/docs/TECH168849

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

fraunkd

Hi Brian81,

Thank you for your response. 

You were correct in regards to the false positives being detected under the DNS & Host file change detected settings.

Surprised this info is not displayed in the actual alert.

I believe others are starting to post replies now, but I’m going to take the path of least resistance at this point and simply disable the DNS & Host file settings and move on to bigger fires.

Thank you.

_Brian

You can create exceptions but whatever works best for you

Creating a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above

https://www.symantec.com/business/support/index?pa...
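The thread ends with the "Host file change detected" heuristic being switched off rather than scoped with exceptions. As an added example that is not part of the thread or of Symantec's product, the script below keeps some independent visibility over that file by diffing the current hosts file against a stored baseline; the hosts-file contents and names are constructed, and the baseline storage location is left to the reader.

```python
"""Baseline diff for the Windows hosts file (added example, constructed input).

Compensates for disabling SONAR's hosts-file change detection: report which
hostname mappings were added, removed or changed since a known-good baseline.
"""
import re


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map each lowercase hostname to the set of IPs it is bound to.

    Skips blank lines and comments, strips inline comments, and accepts
    several hostnames on one line, as the hosts file format allows.
    """
    mapping: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def diff_hosts(baseline: str, current: str) -> dict[str, list[str]]:
    """Return hostnames that were added, removed or remapped vs. the baseline."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


# Constructed sample files; a real run would read C:\Windows\System32\drivers\etc\hosts
# and a baseline copy stored where clients cannot modify it.
BASELINE = """# constructed baseline
127.0.0.1 localhost
::1 localhost
10.0.0.5 intranet.example.internal
192.0.2.10 old-share.example.internal
"""

CURRENT = """# constructed current file
127.0.0.1 localhost
::1 localhost
10.0.0.6 intranet.example.internal   # IP changed
0.0.0.0 telemetry.example.com        # entry added; old-share removed
"""

if __name__ == "__main__":
    for kind, names in diff_hosts(BASELINE, CURRENT).items():
        print(f"{kind}: {names}")
```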