Endpoint Protection

I'm running SEP 11.0.4202.  Over the weekend SEP started flagging a critical program file in our payroll system as a trojan horse, and I believe this is a false positive.  (I've submitted the file to Symantec).  In order to be able to use our software, we need the file.

On the server in question, I disabled Auto Protect, then went into Centralized Exceptions and added the file in question.  For what it's worth, the file is AFWREG.FLL.  Now, my understanding is that SEP should ignore that file and not scan it anymore, but it quarantined it again.  I went through the process again, and this time it seems to be left alone, for now at least.

 Are you entering the exceptions in the SEP client, or from the SEPM console?  If you're trying to do it from the client, perhaps you have a policy enforced from SEPM that is preventing your exception from taking effect?  

I would probably add the exception to a policy from SEPM and assign it to the server group.  Update policy on the client, and then SEP should ignore that file.

I had the same problem with this file. After adding the exception and updating the policy, the problem was resolved.

Just wanted to point you towards our guide on creating centralized exceptions in case you haven't seen it yet. It is here: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f7602d481cc0cb8e882574020062b021?OpenDocument. You can also find more information when you view our "About centralized Eceptions Polcies" guide found here: http://seer.entsupport.symantec.com/docs/331021.htm.

Thanks
Grant

We had the same issue after receiving new def files yesterday. Also have a case open with Symantec. Hoping they get their signatures fixed soon, but the exception seems to be working for now.

It's a false positive, the file hadn't changed since 1997, you'll need to make an exclusion.
http://campaign.constantcontact.com/render?v=0015qcJ7P_42YgCfYDQ4QSKHp_iKIYe4WTmqPrxW2yC7pArChrA3YHHY2NJKpQ9xG9EySMTaCZHKkpwpWIvi0iBWDzs4Pu2TXTXqiU7Zgwe65L5AqVMabrC_OaYLf7zUvmR5kCfYu0b4l0Im46y2kJTcdJoouaFF1Oh

Please check if the client  is getting the exceptions or not

OK, I'll call this "resolved", thanks for the replies everyone.  I created an exception for the file, however, the exception is specific to the folder that the file resides in.  I copied the false positive file to another location, and it yanked it into quarantine.  I was thinking the exception would apply to the entire drive on the computer in question.  In any case, Symantec is going to be releasing corrected virus defs for the false positive in the next release.

Thanks all!

Will the next def file correct this false positive? I've gotten no feedback on my open case. Thanks!

 @Julie --Did you submit your False Positive file to symantec false postive site if yes then you must have a tracking number you call either call support or ask aSymantec employee and they can give update on that tracking number.

We have the same problem. Running Symantec Coroprate Antivirus.
I was able to get our Metaframe working, but it even sees the file on the authentic install cd as a virus.

As soon as any of our updated clients try to run the software, it kills the file.

Any false positive issues please submit the file here..you'll get a tracking number then follow up with symantec till you get a solution.
https://submit.symantec.com/dispute/false_positive/