Hi
I've seen a lot of Suspicious.Cloud detections that are false positives. Is it possible to set this signature to log only? If I can set the signature to log only, I can whitelist files during the upgrade phase and then set it back to quarantine when all FPs are taken care of.
It's not possible to test all applications with SEP 12.1 before full deployment, as there will always be some custom apps that the customer doesn't have access to.
Torb
Suspicious.Cloud is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.
http://www.symantec.com/security_response/writeup.jsp?docid=2009-090107-2618-99&tabid=3
Under SONAR detection you can fine-tune settings to take care of this threat.
Are you sure this is a SONAR detection?
SONAR usually checks with Insight before blocking to avoid FPs.
This detection does not use Insight.
On the client I see the following:
Risk Detection: Heuristic Detection
Detection Source: Definition Download
Heuristic detections can also be seen under the global scan option for Bloodhound heuristics; if it is set to aggressive, you may reduce the sensitivity.
Hello,
Suspicious.Cloud
I would also recommend that you submit the files to the Symantec Security Response Team.
You would have to submit the files to the Symantec Response Team on the following sites:
https://submit.symantec.com/false_positive/
https://submit.symantec.com/websubmit/gold.cgi
http://www.threatexpert.com/submit.aspx
Note: ThreatExpert is owned by Symantec.
Hope this helps!!
Thanks for your replies. Bloodhound is set to the default value, and this is not a Download Insight issue. As a feature request, it would be nice if Suspicious.Cloud were removed from the regular signatures and instead showed up as a unique setting where it can be disabled or set to log only. I've seen everything from Adobe, Winkix and custom applications being stopped by this signature.
Is there anything else I might have missed?
I can't seem to exclude the risk either.
It would be nice if Symantec tried to answer; we've got the same problem here with "Suspicious.Cloud.5" and "Suspicious.MH690".
Where can we reduce the sensitivity of those new technologies? (Which, for now, have only produced false positives and no real unknown malware...)