Endpoint Protection

  • 1.  Suspicious.Cloud.7.L - False positive?

    Posted Jul 05, 2016 04:48 AM

    Hi

    I upgraded our Symantec Endpoint Protection installation to 12.1 RU6 MP5 yesterday. Afterwards I pushed out the client upgrade to our 3500 clients.


    This morning I have 30-40 PCs claiming that they are infected by Suspicious.Cloud.7.L. Every single one is the same file:

    C:\Program Files (x86)\Microsoft Office\Office15\PROOF\MSHY7DA.LEX

    SHA-256: F7DCA9D7648C5EC78F5864D0D8FBDD8AD3ABBC4A9C5D112B86B12AE94A8A4EDC

    Suspicious.Cloud.7.L

    07/05/2016 09:28:07  07/05/2016 08:10:49  C:\Program Files (x86)\Microsoft Office\Office15\PROOF\MSHY7DA.LEX
    SHA-256 F7DCA9D7648C5EC78F5864D0D8FBDD8AD3ABBC4A9C5D112B86B12AE94A8A4EDC
    SYSTEM  07/04/2016 r19  Auto-Protect  Left alone

    It thinks it's infected but leaves it alone?

    How do I actually find out whether this is a bad or good file? The number keeps growing since the file is on every single PC.
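One way to confirm that every flagged machine holds the same file as the one reported above, before the submission result comes back, is to hash it on each host and compare against the logged SHA-256. This is an added example, not part of the thread; it assumes PowerShell remoting is enabled, the account has admin rights on the targets, and the host names are constructed placeholders.

```powershell
# Added example: fleet-wide check that the flagged file is identical everywhere.
# Assumptions: WinRM/PowerShell remoting works, $Hosts holds constructed
# placeholder names, and the expected hash is the one from the detection log.

$ExpectedHash = 'F7DCA9D7648C5EC78F5864D0D8FBDD8AD3ABBC4A9C5D112B86B12AE94A8A4EDC'
$FilePath     = 'C:\Program Files (x86)\Microsoft Office\Office15\PROOF\MSHY7DA.LEX'
$Hosts        = @('PC001', 'PC002', 'PC003')   # constructed placeholder host names

# Collect hash, size and timestamp of the file from every host in one remoting call.
$results = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue -ScriptBlock {
    param($Path)
    if (Test-Path -LiteralPath $Path) {
        $item = Get-Item -LiteralPath $Path
        [pscustomobject]@{
            Present       = $true
            Hash          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            Size          = $item.Length
            LastWriteTime = $item.LastWriteTime
        }
    } else {
        [pscustomobject]@{ Present = $false; Hash = $null; Size = $null; LastWriteTime = $null }
    }
} -ArgumentList $FilePath

# Hosts that returned nothing were unreachable (remoting disabled, offline, etc.).
$unreachable = $Hosts | Where-Object { $_ -notin $results.PSComputerName }

foreach ($r in $results) {
    $status = if (-not $r.Present) { 'FILE MISSING' }
              elseif ($r.Hash -eq $ExpectedHash) { 'MATCHES reported hash' }
              else { 'DIFFERENT hash - triage this host first' }
    '{0,-12} {1,-40} {2,10} bytes  {3}' -f $r.PSComputerName, $status, $r.Size, $r.LastWriteTime
}

if ($unreachable) {
    'Unreachable: ' + ($unreachable -join ', ')
}
```

A host whose copy hashes differently from the rest of the fleet is the one worth looking at; identical hashes on every machine are consistent with a single false positive on a stock Office file.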



  • 2.  RE: Suspicious.Cloud.7.L - False positive?
    Best Answer

    Trusted Advisor
    Posted Jul 05, 2016 05:09 AM

    Submit it to Symantec and they will check for you.

    https://support.symantec.com/en_US/article.TECH102419.html



  • 3.  RE: Suspicious.Cloud.7.L - False positive?

    Posted Jul 05, 2016 05:25 AM

    Thanks for the quick reply.

    Done.



  • 4.  RE: Suspicious.Cloud.7.L - False positive?

    Posted Jul 05, 2016 06:14 AM

    Hi Thomas,

    Feel free to PM me the reference number you received after submitting to the False Positives portal (https://submit.symantec.com/false_positive/).  The SHA256 hash you mention is a DLL that has been known for years according to what I am seeing.

    This is a good article about submissions in general:

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    With thanks and best regards,

    Mick



  • 5.  RE: Suspicious.Cloud.7.L - False positive?
    Best Answer

    Posted Jul 05, 2016 06:41 AM

    Thanks - that FP report has been received and is being processed.

    The hash checks out - you should be safe to create an exclusion for the file in your environment.

    How to add a Security Risk Exception in the Symantec Endpoint Protection Manager http://www.symantec.com/docs/TECH103120

    That should prevent any additional detections until the FP investigation is complete.




  • 6.  RE: Suspicious.Cloud.7.L - False positive?

    Posted Jul 05, 2016 08:23 AM

    Confirmed!  That file is clean.  Detection has been removed.  :)