Symantec Endpoint false positives
Created: 30 Nov 2010 | 23 comments
How can I report a false positive to Symantec? I just got off the phone (I know, hard to believe) with Faronics, and Endpoint Protection is quarantining the Deep Freeze server service and causing me and countless others major headaches. I have run scans on the file in question and it passes, but as soon as I try to run the service SEP quarantines it. I have set up exceptions for both the file and the temp file it creates, but to no effect.
Please Help!!!!!
Comments
I am afraid you will need to
I am afraid you will need to contact Tech Support - they will tell you where to submit the file and will take care of the rest :) It's quite easy and painless.
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
I'm having the same problem.
I'm having the same problem. Exceptions are not working.
How did you set exception
How did you set the exception (antivirus or TruScan?) and for which kind of risk? Did you set it for files/folders or for file extensions?
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Try applying the latest Rapid
Try applying the latest Rapid Release definitions before contacting support.
Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
http://www.symantec.com/business/support/index?pag...
Thomas
I just applied the rapid
I just applied the rapid release defs and I get the same behavior.
I set the exceptions via the SEP Manager console and pushed the content to the client.
How exactly did you set the
How exactly did you set the exceptions?
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
I added the filename to
I added the filename to centralized exceptions.
I defined the file as a
I defined the file as a security risk file, action Ignore. I pushed the new policy to the affected computer and it has not done anything.
I have the same software installed on three different operating systems. XP Pro and Windows Server 2008 are affected. Windows 7 is not affected. The SEP client on the Windows 7 machine has not quarantined or deleted the file.
This is a huge problem. I cannot manage several hundred computers because of this.
I've contacted Faronics, maker of Deep Freeze, as well.
These 3 machines (7, XP and
These 3 machines (7, XP and 2008) have the same AV/AS policy? Could you tell me what this file is detected as? You can export a risk log from your SEP client and paste it here.
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
They're managed by two
They're managed by two different consoles. The Windows 7 and XP machines are on one and the server is on a separate one. The file is detected as an Infostealer. Here's the text of the risk log:
Filename,Risk,Action,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date and Time
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Program Files\Faronics\Deep Freeze 7 Enterprise\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,12/1/2010 7:17:56 AM
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Documents and Settings\DSSupport\Local Settings\Temp\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,12/1/2010 9:39:45 AM
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Program Files\Faronics\Deep Freeze 7 Enterprise\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,12/1/2010 10:28:38 AM
DFServerService.exe,Infostealer,Restart Required - Cleaned by deletion,File,C:\Program Files\Faronics\Deep Freeze Enterprise Server\,CULGHOST,SYSTEM,Deleted,Deleted,Restart Required - Clean security risk,Restart Required - Quarantine,Auto-Protect scan,The file was deleted successfully.,11/30/2010 4:09:37 AM
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Documents and Settings\DSSupport\Local Settings\Temp\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,11/30/2010 7:19:34 AM
DFServerService.exe,Infostealer,Restart Processing,File,C:\Program Files\Faronics\Deep Freeze Enterprise Server\,CULGHOST,DSSupport,Infected,C:\Program Files\Faronics\Deep Freeze Enterprise Server\,Delete,Leave alone (log only),Auto-Protect scan,Performing Post-Reboot Risk Processing.,11/30/2010 7:18:02 AM
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Program Files\Faronics\Deep Freeze 7 Enterprise\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,11/30/2010 9:30:38 AM
Thanks for helping!
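As an added example (not code from the thread or from Symantec), a small Python parser for the SEP risk-log CSV export pasted above. It groups the detections by risk name, file and original location, and lists every full path that a file-based exception would have to cover; the thread shows the same binary being hit both in the install directory and in the user's Temp directory, so one path entry is not enough. The sample rows are constructed in the same column layout as the export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the SEP risk-log export layout (hostname, paths and
# timestamps modelled on the thread; not a real export).
SAMPLE_LOG = r"""Filename,Risk,Action,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date and Time
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Program Files\Faronics\Deep Freeze 7 Enterprise\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,12/1/2010 7:17:56 AM
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Documents and Settings\DSSupport\Local Settings\Temp\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,12/1/2010 9:39:45 AM
DFServerService.exe,Infostealer,Cleaned by deletion,File,C:\Program Files\Faronics\Deep Freeze 7 Enterprise\,CULGHOST,DSSupport,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.,12/1/2010 10:28:38 AM
DFServerService.exe,Infostealer,Restart Processing,File,C:\Program Files\Faronics\Deep Freeze Enterprise Server\,CULGHOST,DSSupport,Infected,C:\Program Files\Faronics\Deep Freeze Enterprise Server\,Delete,Leave alone (log only),Auto-Protect scan,Performing Post-Reboot Risk Processing.,11/30/2010 7:18:02 AM
"""


def parse_risk_log(text):
    """Parse a risk-log CSV export (header row first) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Group detections by (risk, filename, original location).

    Returns a dict whose values carry the hit count, the set of actions SEP
    took and the set of computers that reported the detection.
    """
    summary = defaultdict(lambda: {"count": 0, "actions": set(), "computers": set()})
    for r in rows:
        entry = summary[(r["Risk"], r["Filename"], r["Original Location"])]
        entry["count"] += 1
        entry["actions"].add(r["Action"])
        entry["computers"].add(r["Computer"])
    return dict(summary)


def exception_paths(summary, risk_name):
    """Every distinct full path under which risk_name was detected.

    A per-file Windows exception is given as a full path, so each directory in
    which the file appears (install dir, installer temp dir, ...) needs an entry.
    """
    return sorted(loc + fname for (risk, fname, loc) in summary if risk == risk_name)


if __name__ == "__main__":
    detections = summarize(parse_risk_log(SAMPLE_LOG))
    for (risk, fname, loc), info in detections.items():
        print(f"{risk}: {fname} in {loc} x{info['count']} actions={sorted(info['actions'])}")
    for path in exception_paths(detections, "Infostealer"):
        print("exception needed for:", path)
```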
Thanks for the log. It is
Thanks for the log. It is strange, however, that SEP is not taking your exclusions into consideration.
- You created the exclusion from Centralized Exceptions -> Add -> Windows exception -> file and gave the full path to the file, right?
- Have you also tried adding a Tamper Protection exception (also from the Centralized Exceptions window)?
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Yes, I did things just as you
Yes, I did things just as you describe. I'll try the tamper protection. BTW, this is not a new installation of any software. We've been working just fine for a long time with all the software. There haven't been any changes except the usual virus def updates and windows patches. I might not be surprised if it was a brand new version of Deep Freeze or something but this just came out of nowhere yesterday morning.
Tamper protection exception
Tamper protection exception did not work. SEP deletes DFServerService.exe as soon as I install the software.
The version of Deep Freeze on
The version of Deep Freeze on my Windows 7 box is slightly older, btw.
Submit samples
http://submit.symantec.com/<insert_entitlement>
So if you have a Basic contract, it would be: http://submit.symantec.com/Basic
A Technician will fill you in on the rest of the process. We'll analyze it and, generally in these scenarios, we'll hone the detection if it is found to be a False Positive. We can also potentially look at why the exclusions are not being honored. Time is of the essence here, get the submission in.
Thank you for patience and I hope that helps.
Tyler Frans - Principal Technical Support Engineer, Enterprise Support Services, Symantec
Will do. I'll figure out who
Will do. I'll figure out who at Cornell is authorized to do this sort of thing. I'm quite sure it's not me. :-)
Thanks for your help.
Submission Needed
A quick and unscientific search shows no submissions of the file DFServerService.exe in the past week - if anyone is still affected by this suspected false positive, even with the latest Rapid Release definitions, please do make a submission of this file and contact Technical Support. All the instructions are in the thread above. Security Response will examine the file in depth and either confirm the detection or confirm a false positive.
Thanks and best regards,
Mick
With thanks and best regards,
Mick
DFServerService.exe still a security threat.........
Even with the latest virus definitions that were released, Symantec AntiVirus 10.1.8 and Symantec Endpoint Protection 11 RU6 are still treating it like a security threat, which DFServerService.exe clearly isn't! I still have my exception in my 10.1.8 client and my Endpoint clients not to scan that folder, but my concern with Symantec is when they are going to fix this. My confidence in their software is getting pretty thin with all the problems that I have had with Endpoint.
Please Submit the File
No sample has yet been received for analysis. Please take the time to do so now.
Thanks again,
Mick
With thanks and best regards,
Mick
I do have a support
I do have a support contract, where do I submit this request? Thanks
Submission
http://submit.symantec.com/<insert_entitlement>
So if you have a Basic contract, it would be: http://submit.symantec.com/Basic
Feel free to let me know the tracking number by personal message or in this thread, once the file is submitted.
With thanks and best regards,
Mick
Submitted the request
I have submitted the request to Symantec and will wait for their response....... and when I went to virustotal.com and uploaded that file so that I could get a SHA256 hash, it was clearly stating that Symantec was treating this file as an Infostealer.
Tracking Number?
Can you please add the tracking number and case number to this thread or send it via personal message?
Many thanks!
With thanks and best regards,
Mick