
Unable to exclude a file based only on file name and not path

Created: 19 Mar 2013 | 6 comments

I've written this up multiple times - and will try again since support closed the case with no effort at all to resolve it. They simply CLOSED the case! (but that's a topic that's going to be a very interesting discussion with our sales engineer very soon - support, or lack there-of)

SEP (and you can include the home product Norton 360, as they behave the same in this area). Latest SEP, RU2 (but that does not matter in this case).

We use a product for web-based meetings called BlueJeans. It's an IE plug-in. The wonderful and great thing is that it's tight, lean, and does NOT use JAVA, for which we are very thankful. Upon first use, you visit the site, get the file which installs and you have BlueJeans plug-in in IE and can join or participate in online meetings - video and audio.
The company periodically releases updates (don't they all) - typically monthly. Because of the updates being small and specialized - meaning they are only for that product, and come rather frequently - they will never build what SEP and Norton 360 call "reputation". They will always be seen by SYMANTEC as having "few users". Now keep in mind, SEP and Norton 360 track Symantec CUSTOMERS that use these other files, NOT who in the whole world, even NON-Symantec customers use a file. So I constantly see SEP blocking these files because "fewer than 5 Symantec customers" use the file. Uh, that may be the case, but trust me, when the huge Wall Street firms and banking customers and other gov't agencies use a file, it's not exactly high risk or unknown. However, because the Symantec products see these files as not being common, well-known, few customers use it, and it has no long-term reputation (because it's only a month old or LESS), SEP will block it.

Now the fun starts! "Download Insight" says it blocks it - it says it's not based on heuristics. Ah, but the details of the log entry say it was based on heuristics. It says I can exclude the file - no, I cannot. And the reason I cannot is because SEP, in its finite wisdom (finite in this area, meaning short-sighted) will ONLY ALLOW SUCH A FILE TO BE EXCLUDED IF you have the FULL PATH and file name. Now, how can you exclude a full path - when that full path and file name will vary with every download, and every user, and every user session.
Why do I say it will vary - two reasons -
It's under the USER PROFILE, and since no two users have the same user name (wouldn't that be fun!), the path will always vary
AND
It's first in the WEB CACHE. Think about it a second - where does IE put the cache files? Well, of course under the user profile (there's 1 variable) but further, down the line in a folder with a name like C15VKA9T or some such random name. Hmmm, this means with each user the path will vary, but pick just a single user - today the path will be in the web cache folder named ABCDEF and later today if I do this again, it may be in folder MNOPQR.

So, how can I exclude a file based on the file path? I cannot. What about just excluding based on name? SEP doesn't make that easy at all - and if you figure out a place, well, kicker number 2 - the file name MUST BE STATIC. It will not be. It will always be "BLUEJEANSPLUGIN.3.010.4.exe" where the last part is the version.
SEP, again in its finite wisdom, will not allow wildcards or variables in any exclusions.

So, we are stumped - how to keep SEP from blocking and REMOVING these plugin files?

This is not application and device control - not application control, it's SEP finding a high-risk in a file because it simply doesn't know about it.
If SEP doesn't know about a file reputation, it will block it and it won't let you slap it and say "no, I know better than you, these are safe".

* side note, Norton 360 has the same issue with a well-known machine embroidery application from Viking sewing machine company - it comes on the CD that comes with the embroidery/sewing machine, and Norton 360 will block it and will NOT allow you to do a thing with it. You can't exclude it because it's on a removable device! So, to use the Viking Sewing Machine Company embroidery tool install, you must fully disable Norton 360 - trust me, I've got 3 or 4 hours in that one, too.*

Symantec needs to give us administrators a way to exclude a file that WE KNOW is safe, and allow us to do it on ANY source or ANY drive, and allow the use of variables or wildcards. The product is simply too harsh in this area. I need to exclude files based on a file name, regardless of the location (CD, thumbdrive, local C drive, network drive, etc.) AND exclude based on a name with a wildcard, or path with a variable.
Until I'm shown a way or given a way to do this, I have to actually DISABLE protection in SEP (and Norton 360, but this is SEP for now). And that is really secure, isn't it.........
The old products I could tell SEP to ignore a file - didn't need a full path, just went into the log entry and clicked ignore, restore, whatever. There is no such option these days.

Nearly forgot - can't exclude based on "trusted domain" as the company uses Amazon cloud services, thus, the path will be 934frt543.cloudfront.com, the domain will be "cloudfront.com" and do we REALLY want to trust that WHOLE domain?? And at this point, and I've been through this too, a trusted domain can't be FTP, can't be HTTPS, must be HTTP, and can't be a URL, but a domain.

Now to find out why Symantec support took weeks to respond to my opening 2 cases, and then after they finally responded, ended up closing one with no resolution and not even working on it........



.Brian:

Can you get it escalated past first level support? Usually we get it to a duty manager and kick it over to our account manager who handles the rest.

In all honesty, I'm not sure this is possible since the file name changes and same with the path. Exceptions don't allow the use of wildcards.

I always end up adding as an exception AFTER it has been caught.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Stoffl:

Hi!

I have a very similar problem. We have an application which writes an EXE to the user's Temp folder. SONAR will block this app.

But I can't make an application exception for every user path. And an exception without the path, only based on the file name, is not possible.


In the exception which I can create based on the SONAR log, there are the file path, the file name and the file hash. It would be very helpful to create an exception based on the file name, or better, based on the SHA checksum ignoring the path!

Is this definitively not possible?


Thanks,

Chrisi

ShadowsPapa:

The problem with the exception after the catch is still the same, but worse. By then the meeting has started and it's had multiple hits, dozens of people can't attend the meeting. I still can't exclude it using name or path, the only possible way is hash - HOWEVER, that works then and only for that meeting. Next meeting or next month, it's an update (probably not always, but probably) and thus a different file hash/checksum.

The only consistent thing will be that it's in the web cache, and the file names will START WITH the company name. The end of the file name will be the version dot exe.
I've frantically, while apologizing to dozens of people, including the boss and his boss, shut SEP off, or excluded what I could as I could dropping all other duties for the afternoon.

In the case of a file from a CD - same sort of thing - it's not trusted because it's on a removable drive. (the home product, Norton 360 is as stubborn if not MORE stubborn - it removes the file, it won't quarantine! What the heck happened to quarantine in the consumer product? I want to "put it back" but there's no such option)

I love the fact that SEP, due in part to the fact I've hardened it and tightened things down through app and device control, has kept this agency virus-free for over 2 whole years now (must be a state record!!), but then there's the other side - to get there, it's impossible to allow files you know are safe, that you trust, because there are no provisions for variables or wildcards.
Why remove and not quarantine such files so at least we could tell the user how to recover/restore the file and move on. That feature is also gone, otherwise I'd again apologize for the big inconvenience, but at least publish a way to open SEP, find the quarantine area, and restore the file and exclude it.
Still not perfect, still not totally safe as they could learn how to do that with other files, but hey, it's better than me through the console totally disabling SEP to allow them to have meetings.

Odd in that in one page it says it was download insight, another says it was realtime protection, one place it says "was not found using heuristics" and yet in the log details "found using heuristics". I can't even tell what part of SEP found it! It won't specifically say, and when it does, it contradicts itself down the line.

(still like the product, and still like the home versions of products, but please give us some control back. Not all of us are home-type beginners who can't tweak under the hood. Defaults never cut it for me, never have. Outside of the box? Box? What box? There's a box?)

.Brian:

I think you may have hit it on the head. Since Insight is reputation based service, it uses the hash to identify changes. So if this is always changing, it can be very problematic. I have yet to find some really solid documentation on how to handle this. Luckily, we have a process in place where any new apps go thru a round of testing before being deployed so I can catch all this stuff and add exceptions as I go.

What would be nice is to be able to add an exception based on the hash. Something that we can input ourselves after running the exe through a hash checker. Not after it has already been caught. Unless I'm completely missing it, I don't think it is possible yet.

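.Brian's proactive idea above (compute the hash yourself and enter it before the file is ever caught), combined with the file name shape ShadowsPapa describes (company name first, version, then .exe), as an added example that is not from the thread or from Symantec: the script selects candidate installers by name pattern no matter which user profile or random cache folder they sit in, and computes the SHA-256 a hash-based exception would need, so every copy of one release maps to one hash. The regular expression, the folder layout and the file contents are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# File name shape described in the thread: vendor prefix, dotted version, ".exe".
# The pattern and the sample files further down are assumptions for this example.
PLUGIN_NAME = re.compile(r"^bluejeansplugin\.(\d+(?:\.\d+)*)\.exe$", re.IGNORECASE)

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so a large installer is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_plugin_hashes(root):
    """Walk a profile/cache tree and return {sha256: (version, [paths])}.

    User name and random cache folder are deliberately ignored: the file name
    pattern selects candidates, the content hash identifies each release.
    """
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            m = PLUGIN_NAME.match(name)
            if not m:
                continue  # not a plug-in installer, e.g. some other setup.exe
            full = os.path.join(dirpath, name)
            _, paths = found.setdefault(sha256_of(full), (m.group(1), []))
            paths.append(full)
    return found

def build_sample_tree():
    """Constructed sample: two users, random cache folder names, two releases."""
    root = tempfile.mkdtemp(prefix="ie_cache_sample_")
    layout = {
        ("alice", "C15VKA9T", "BLUEJEANSPLUGIN.3.010.4.exe"): b"release 3.010.4",
        ("bob", "MNOPQR", "BlueJeansPlugin.3.010.4.exe"): b"release 3.010.4",
        ("bob", "ABCDEF", "BLUEJEANSPLUGIN.3.011.0.exe"): b"release 3.011.0",
        ("bob", "ABCDEF", "setup.exe"): b"unrelated download",
    }
    for (user, cache, name), data in layout.items():
        folder = os.path.join(root, user, "Temporary Internet Files", cache)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return root
```

Each hash in the result is one release; the next monthly update produces a new hash, which is exactly why a hash exception only holds until the vendor ships again.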

SMLatCST:

The only thing I can suggest along a more proactive vein (and this depends on the amount of clout you have with the software vendor), is ask that they register with Symantec under the ISV scheme...

https://submit.symantec.com/whitelist/isv/

ShadowsPapa:

While I agree with you 100%, and believe ALL vendors should also be proactive in this respect, there is still a bit of a catch. I had thought of this first time around........and read the Symantec documents on the process, wanted to learn as much about it as possible so I could actually speak with the vendor with some knowledge. Symantec states that the process can take some time - even weeks. If they update the product - say it is each month, or even every 6-8 weeks, Symantec says "can take several weeks" or words to that effect. I understand why - well, sort of, but weeks is kind of a bit much), that means by the time Symantec analyzed and "white listed" the file(s), they would be already moved on to the next update....... that one would be old news! So we'd be back to the problem, don't collect $200, don't pass go.........

HOWEVER, that does not mean I'm not going to suggest they do the process and submit their files, and doesn't mean I won't try and they shouldn't try........ just that I have not a lot of hope after actually reading the process involved and the time it can take. MAYBE, Symantec is stating "worst case" and don't want to promise that it takes only days when it normally does? Maybe they are hedging their bets, sort of like Scotty did in Star Trek - tell the captain "cap'n, this thing's a mess, the dilithium chamber is leaking and it's going to take at least 8 hours and then I can't guarantee it will even work", all the while he's expecting it to work completely and be done in 2 hours, not 8...... Scotty is the hero for working so quickly, and he's not having to apologize for it taking longer than he said.

I am working like Commander Scott here, I expect to have a solution, however creative it may be, I expect to make this work and not inconvenience our users each time they have an online meeting, but it should not be this difficult.
I suspect that as it normally happens, the processes were first created and put into the consumer products to "try out, see how it flies" and then dropped into SEP. The only problem with that is that the consumer product is locked down, dumbed down, sort of like a Mac compared to a PC - you can tweak the heck out of Windows, Mac, not so much. You take it and accept it like it comes out of the box, no tweaking, no user serviceable parts inside.
But SEP users need the ability to tweak, need abilities and options they (Symantec) may not want to include in Norton 360 for example. (I get frustrated with it, too - not that it doesn't work, but that it works TOO WELL and I cannot exclude SAFE files from a major manufacturer - because they are on a CD and there is no reputation!)

So, all that being said, I am still looking for a way to exclude the BlueJeans files from SEP's insight - even though I'm not so sure what exactly is really stopping their files because the logs contradict the documentation.
(and frustrated that the case was closed - after it took weeks to even contact me after I started the case online. Granted maybe SEP isn't broken - but in a way, to me, it is - I could at least get a "this is how you can work around that" sort of response?)