Endpoint Protection


Suspicious.mh690 risk found

  • 1.  Suspicious.mh690 risk found

    Posted Jun 01, 2012 07:16 AM

    Hi,

    I'm running SEP 12.1 and recently I upgraded a few client machines from SAV 10.1 to SEP 12.1. I found that the applications "sut_wf_client.exe" and "sut_srv.exe" are treated as the risk "Suspicious.mh.690".

    Is it a known risk or a new False Positive?

    I appreciate all your assistance.

    Regards,

    Gajanan




  • 2.  RE: Suspicious.mh690 risk found

    Trusted Advisor
    Posted Jun 01, 2012 07:24 AM

    Hello,

    Suspicious.MH690 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 

    I would suggest that you submit these files to the Symantec Security Response Team at

    https://submit.symantec.com/essential

    And, I would suggest opening a case with Symantec and providing us with the tracking number on that submission. 

    Once the Symantec Security Response Team checks the file, they could say if this file is False Positive or not.

    This file has been detected purely on the file reputation with Symantec.



  • 3.  RE: Suspicious.mh690 risk found

    Posted Jun 01, 2012 09:02 AM

    Hi,

    Thanks for your response.

    I have submitted these files to the Symantec Security Response Team; the tracking no. is 24981073, and I have also created a support ticket with case number 418-088-593. Please note that, as per your inputs, I have notified the tracking number to customer care.

    I'm looking forward to an update from the Symantec Security Response Team after they check the attached files, to confirm whether it is a False Positive or not.

    This file has been detected purely on the file reputation with Symantec.

    In the meantime, please let me know what you mean by the below:
    """This file has been detected purely on the file reputation with Symantec."""

    I look forward to your update.


    Regards,
    Nirav Bhayani.



  • 4.  RE: Suspicious.mh690 risk found

    Trusted Advisor
    Posted Jun 01, 2012 09:15 AM

    Hello,

    I appreciate you submitting the files to the Symantec Security Response Team.

    Symantec Security Response Team would work on this submission.

    In reference to the line """This file has been detected purely on the file reputation with Symantec.""", check this Article:

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    http://www.symantec.com/docs/HOWTO55275

    Hope that helps!!



  • 5.  RE: Suspicious.mh690 risk found

    Posted Jun 01, 2012 09:39 AM

    Hi Mithun.

    Thanks for passing over the link. But I could see the 2 statements contradicting each other:

    ""Once the Symantec Security Response Team checks the file, they could say if this file is False Positive or not."" Do you mean that the SSR Team will review it and let us know the results of whether a file is an FP or not? Yes or No.

    """This file has been detected purely on the file reputation with Symantec.""" Did you check the file, OR are you confirming that these files are pure/virus free?

    Regards,
    Nirav Bhayani



  • 6.  RE: Suspicious.mh690 risk found

    Trusted Advisor
    Posted Jun 01, 2012 09:45 AM

    Hello,

    In your case, the file could either be a Threat or a clean file.

    It is being detected as Suspicious by the SONAR protection. Check this Article:

    Symantec Endpoint Protection 12.1 SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

    http://www.symantec.com/docs/TECH168849

    So, to check whether the files are Clean or a Threat, one way is to submit them to the Symantec Security Response Team.

    So, here are the answers:

    ""Once the Symantec Security Response Team checks the file, they could say if this file is False Positive or not."" Do you mean that the SSR Team will review it and let us know the results of whether a file is an FP or not? Yes, they would send you the reply to the submission at the email address provided.

    """This file has been detected purely on the file reputation with Symantec.""" Did you check, and are you confirming that these files are pure/virus free?

    No. I did not check. Check the writeup of Suspicious.MH690.

    Secondly, here are a few articles on SONAR and False Positive handling.

    Managing SONAR

    http://www.symantec.com/docs/HOWTO55215

    Handling and preventing SONAR false positive detections

    http://www.symantec.com/docs/HOWTO55273

    Hope that helps!!



  • 7.  RE: Suspicious.mh690 risk found

    Posted Jun 01, 2012 09:47 AM

    Hi Nirav,

    Mithun is correct.

    And your idea about the analysis of the file is pretty close:

    ""Once the Symantec Security Response Team checks the file, they could say if this file is False Positive or not."" Do you mean that the SSR Team will review it and let us know the results of whether a file is an FP or not?

    There are many steps which are taken into consideration first before excluding / adding or whitelisting the file.

    As this is released with a new set of definitions, i.e. from LiveUpdate, yes, there will be a review and analysis done in order to keep the security patch up to date.

    Note: FYI, the analysis or review done by our Team is strictly confidential.



  • 8.  RE: Suspicious.mh690 risk found

    Posted Jun 01, 2012 11:40 AM

    Hi Nirav,

    Can you check now and see if those two files are still being detected?

    Also: can you confirm whether you have SONAR, Download Insight, etc. enabled?



  • 9.  RE: Suspicious.mh690 risk found

    Posted Jun 04, 2012 11:49 PM

    Hi Mick,

    Apologies for the delay in responding.

    As requested by you, I have checked and found that:

    SONAR is Disabled

    Download Insight is Enabled

    Apart from this, it would be great if you could let me know the time frame the Security Response Team takes to review the file. I'm asking this as I haven't heard back from them yet.

    Regards,

    Nirav Bhayani



  • 10.  RE: Suspicious.mh690 risk found

    Posted Jun 05, 2012 04:19 AM

    I think it depends on your support level, silver/gold?

    Normally it should be in a few hours; if it's complex/new code then it might take 1-2 days.



  • 11.  RE: Suspicious.mh690 risk found

    Posted Jun 05, 2012 04:29 AM

    Thanks for your response.

    Our support contract with Symantec is Basic.

    I contacted the SSR Team on Friday, 01-June-2012.



  • 12.  RE: Suspicious.mh690 risk found

    Posted Jun 05, 2012 08:12 AM

    I don't think we would take the support level into consideration if the issue is urgent. Mithun or Mike might be able to provide more updates; however, as far as I am aware Symantec is customer centric and your type of contract won't come into the picture.



  • 13.  RE: Suspicious.mh690 risk found

    Posted Jun 06, 2012 01:26 AM

    Any update yet?

    AFAIK the only way to follow up is by opening a case and asking support to follow up the tracking number with the Security Response team. (How convenient is that?)



  • 14.  RE: Suspicious.mh690 risk found

    Posted Jun 06, 2012 01:42 AM

    Hi,

    Thanks for the follow-up.

    I had already created a support case (418-088-593), a Security Response Team Tracking Number (24981073) and a Symantec False Positive Tracking Number (2810529).

    I have also been informed by the Symantec FP Incident Response team that they are unable to reproduce the issue and have requested the below information for further analysis:

    * The message or a screenshot of the message received
    * A specific URL to download the software
    * Exact instructions on how to recreate the issue
    * Symantec product and version being used for detection

    The Symantec Support Technician has also requested me to collect SST logs using the SEP support tool from the affected machine.

    Once we provide them with this information, they would get a better picture for their analysis.

    Hope this information helps.

    Would also appreciate any help from your end.


    Regards,

    Nirav Bhayani.




  • 15.  RE: Suspicious.mh690 risk found

    Posted Jun 07, 2012 07:10 AM

    Hi again Nirav,

    Actions taken on 1 June should have resolved that detection. If it is still occurring/still being detected, please do continue to work with your case owner as per the above.

    Thanks and best regards,

    Mick