Endpoint Protection

  • 1.  suspicious.cloud

    Posted Oct 14, 2011 04:11 AM

    Hi

    I've seen a lot of suspicious.cloud detections that are false positives. Is it possible to set this signature to log only?
    If I can set the signature to log only, I can whitelist files during the upgrade phase and then set it back to quarantine when all FPs are taken care of.

    It's not possible to test all applications with SEP 12.1 before full deployment, as there will always be some custom apps that the customer doesn't have access to.


    Torb



  • 2.  RE: suspicious.cloud

    Broadcom Employee
    Posted Oct 14, 2011 04:20 AM

    Suspicious.Cloud is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-090107-2618-99&tabid=3

    Under SONAR detection you can fine-tune to take care of this threat.



  • 3.  RE: suspicious.cloud

    Posted Oct 14, 2011 06:09 AM

    Are you sure this is a SONAR detection?

    SONAR usually checks with Insight before blocking to avoid FPs.

    This detection does not use Insight.

    On the client I see the following:

    Risk Detection: Heuristic Detection
    Detection Source: Definition Download



  • 4.  RE: suspicious.cloud

    Broadcom Employee
    Posted Oct 14, 2011 06:23 AM

    Heuristic detections can also be seen under the global scan option for Bloodhound heuristics; if it is aggressive then you may reduce the sensitivity.



  • 5.  RE: suspicious.cloud

    Trusted Advisor
    Posted Oct 14, 2011 06:57 AM

    Hello,

    Suspicious.Cloud is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 

    Suspicious.Cloud

    You can try changing the Download Insight detections. Check these articles:

    Customizing Download Insight settings

    Managing Download Insight detections

    Also, follow these Symantec Knowledgebase articles:

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

    About managing false positives detected by TruScan proactive threat scans

    I would also recommend that you submit the files to the Symantec Security Response Team.

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/gold.cgi

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.


    Hope this helps!!
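    The client fields shown in post 3 (Risk Detection: Heuristic Detection, Detection Source: Definition Download) and the whitelist-then-submit workflow in post 5 suggest a small triage step before anything is excluded: collect the heuristic detections, group them by file hash, and rank by how many hosts were hit, so the widely deployed line-of-business binaries get reviewed and submitted first. The script below is an added example and is not Symantec's code; the record layout, host names, paths and hashes are constructed placeholders, and the "Example.Threat" name is made up. Map your own risk-log export into the RiskEvent shape before using it.

```python
"""Triage helper for heuristic ("Suspicious.Cloud"-style) detections.

Added example, not Symantec's code. RiskEvent is an assumed, reduced
layout; SEP's real risk log export has more columns.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RiskEvent:
    """One client-side risk event, reduced to the fields triage needs."""
    computer: str
    risk_name: str          # e.g. "Suspicious.Cloud.5" (a name quoted in post 7)
    file_path: str
    sha256: str
    risk_detection: str     # "Heuristic Detection" as displayed on the client
    detection_source: str   # "Definition Download" as displayed on the client
    action: str


# Constructed sample events. Hashes are placeholders ("a1" * 32 etc.),
# not real indicators; host names and paths are made up.
SAMPLE_EVENTS = [
    RiskEvent("WS01", "Suspicious.Cloud.5", r"C:\Program Files\Vendor\app.exe",
              "a1" * 32, "Heuristic Detection", "Definition Download", "Quarantined"),
    RiskEvent("WS02", "Suspicious.Cloud.5", r"C:\Program Files\Vendor\app.exe",
              "a1" * 32, "Heuristic Detection", "Definition Download", "Quarantined"),
    RiskEvent("WS03", "Suspicious.Cloud.5", r"C:\Users\bob\Downloads\setup.exe",
              "b2" * 32, "Heuristic Detection", "Definition Download", "Quarantined"),
    RiskEvent("WS01", "Suspicious.MH690", r"C:\Tools\custom\report.exe",
              "c3" * 32, "Heuristic Detection", "Definition Download", "Quarantined"),
    # A non-heuristic detection (constructed values) that must stay out of the FP queue.
    RiskEvent("WS04", "Example.Threat", r"C:\Temp\x.exe",
              "d4" * 32, "Signature", "Definition Download", "Quarantined"),
]


def is_heuristic(ev: RiskEvent) -> bool:
    """Only heuristic detections go into the false-positive review queue."""
    return ev.risk_detection == "Heuristic Detection" or ev.risk_name.startswith("Suspicious.")


@dataclass
class Candidate:
    """One (risk name, file hash) pair with the hosts it was seen on."""
    risk_name: str
    sha256: str
    file_path: str
    hosts: list = field(default_factory=list)

    @property
    def prevalence(self) -> int:
        return len(self.hosts)


def triage(events) -> list:
    """Group heuristic detections by (risk name, hash) and order them by the
    number of distinct hosts affected, most widespread first."""
    groups = {}
    for ev in events:
        if not is_heuristic(ev):
            continue
        cand = groups.setdefault((ev.risk_name, ev.sha256),
                                 Candidate(ev.risk_name, ev.sha256, ev.file_path))
        if ev.computer not in cand.hosts:
            cand.hosts.append(ev.computer)
    ordered = sorted(groups.values(),
                     key=lambda c: (-c.prevalence, c.risk_name, c.file_path))
    for cand in ordered:
        cand.hosts.sort()
    return ordered


def submission_manifest(candidates) -> str:
    """Plain-text list (our own format) to work through when submitting files
    to the false-positive portal, after a human has confirmed each file is
    legitimate. Hash-based exceptions are preferable to path-based ones."""
    return "\n".join(f"{c.sha256}  {c.risk_name}  {c.file_path}  hosts={c.prevalence}"
                     for c in candidates)


if __name__ == "__main__":
    print(submission_manifest(triage(SAMPLE_EVENTS)))
```

    Ranking by prevalence is deliberate: a binary quarantined on many hosts under Program Files is far more likely to be the kind of custom application post 6 complains about than a single download in one user's profile, and it is also the one whose hash you most want to exclude explicitly rather than by loosening the whole heuristic.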



  • 6.  RE: suspicious.cloud

    Posted Oct 14, 2011 09:27 AM

    Hi


    Thanks for your replies.

    Bloodhound is set to default value and this is not a Download Insight issue.

    As a feature request, it would be nice if suspicious.cloud were removed from the regular signatures and instead showed up as a unique setting where it can be disabled or set to log only.

    I've seen everything from Adobe, Winkix and custom applications being stopped by this signature.

    Is there anything else I might have missed?

    I can't seem to exclude the risk either.




  • 7.  RE: suspicious.cloud

    Posted Nov 02, 2011 10:22 AM

    It would be nice if Symantec tried to answer; we've got the same problem here with "Suspicious.Cloud.5" and "Suspicious.MH690".

    Where can we reduce the sensitivity of those new technologies? (Which, for now, have only produced false positives and no real unknown malware...)