Endpoint Protection

  • 1.  Truscan picking up valid application

    Posted Mar 08, 2013 11:30 AM

    Since turning on heuristic scans (aka Bloodhound detection) in SEP 11, we occasionally get random email notifications for valid exes that are being picked up and then left alone. One example is in the alert below:

    At least one security risk found:

    Risk name: (Unknown)

    File path: c:\impsql\progress\bin\prowin32.exe

    Event time: 2013-03-05 06:58:39 GMT

    Database insert time: 2013-03-05 07:00:43 GMT

    Action taken on risk: Details pending

    How can we stop this from happening? It doesn't do any harm but just alerts each time it finds it. Can Symantec update defs if I send a copy of this file so it doesn't keep happening, or is the only way to make a centralised exception for TruScan proactive threats?



  • 2.  RE: Truscan picking up valid application

    Posted Mar 08, 2013 11:34 AM

    First, you can add an exception for the file. See this KB on how to do so:

    Creating exceptions for Symantec Endpoint Protection

    Article:HOWTO80919  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO80919

    You can send it to Symantec to have the app whitelisted. See here:

    https://submit.symantec.com/whitelist/isv/
     



  • 3.  RE: Truscan picking up valid application

    Posted Mar 08, 2013 11:37 AM

    About adjusting TruScan settings for legacy clients

    Article:HOWTO55257  |  Created: 2011-06-29  |  Updated: 2011-12-17  |  Article URL http://www.symantec.com/docs/HOWTO55257

     



  • 4.  RE: Truscan picking up valid application

    Broadcom Employee
    Posted Mar 08, 2013 11:37 AM

    Check this link:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO27058

    Submit the file to Security Response.



  • 5.  RE: Truscan picking up valid application

    Broadcom Employee
    Posted Mar 08, 2013 02:15 PM

    Hi,

    In quality assurance circles at Symantec it is often stated that clean data (e.g. files from clean software) are to false positives as malicious data are to true positives. In simple terms this means that clean data helps us prevent false positives in the same way that we can’t write antivirus signatures or antivirus technology if we don’t have malicious data.

    Refer to this blog to learn more about it: https://www-secure.symantec.com/connect/blogs/software-white-listing-program



  • 6.  RE: Truscan picking up valid application

    Posted Mar 11, 2013 04:27 AM

    I see that the links to whitelist apps are only for the original software authors/developers i.e. https://submit.symantec.com/whitelist/isv/.

    Is there a different link to use as a business user of the app or is it best to go back to the software vendor and request that they submit it to Symantec?
     



  • 7.  RE: Truscan picking up valid application
    Best Answer

    Posted Mar 11, 2013 04:49 AM

    You can upload the file for the false-positive detection check on the following portal:

    https://submit.symantec.com/false_positive/



  • 8.  RE: Truscan picking up valid application

    Posted Mar 11, 2013 04:51 AM

    I think you can still submit this as they verify the installer and whitelist accordingly.



  • 9.  RE: Truscan picking up valid application

    Broadcom Employee
    Posted Mar 11, 2013 06:18 AM

    Hi,

    I would suggest getting it whitelisted from the original software vendor only.