Endpoint Protection

  • 1.  Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Posted Nov 24, 2011 07:18 AM

    Hello,

    We have Endpoint Protection v11. We generate some files and send them to external customers. Recently the external customers complained that our files contain a heuristic virus; they have Norton AV and the error is Suspicious.Cloud.2 with a blocked action.

    What is that? And why does Endpoint not find anything? How do we overcome this problem?

    Regards



  • 2.  RE: Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Trusted Advisor
    Posted Nov 24, 2011 07:42 AM

    Hello,

    Suspicious.Cloud.2 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 

    Heuristic virus is nothing but a Suspicious file (not a threat, however the detection was made on suspicion). I believe, they have created a rule to block a file if found suspicious.

    Have you installed Proactive Threat Protection Feature on your Symantec Endpoint Protection v.11?

    Run a Full Scan on your machine.

    1. Start your Symantec antivirus program and make sure that it is configured to scan all the files. 
      For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.

      For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
    2. Run a full system scan.

    Also, I would recommend that you submit the files to the Symantec Security Response Team.

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/gold.cgi

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.

    Hope this helps!!



  • 3.  RE: Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Posted Nov 29, 2011 07:47 AM

    They answered me that the file is safe. I don't know what the next step is. Now, when I upgraded to version 12.1, my SEP detects the file as Suspicious.Cloud.2, so how can I resolve this problem, as I'm sure the file is clean?



  • 4.  RE: Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Posted Nov 29, 2011 09:03 AM

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/gold.cgi

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.



  • 5.  RE: Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Posted Nov 29, 2011 09:25 AM

    I sent it, and the response was:

    ---------------------------------------------------------------------------

    Customer Notes

    ---------------------------------------------------------------------------


    Hello


    ---------------------------------------------------------------------------

    Developer Notes

    ---------------------------------------------------------------------------


    filename.exe is not malicious.


    ---------------------------------------------------------------------------


    This message was generated by Symantec Security Response automation.



  • 6.  RE: Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Posted Nov 29, 2011 09:31 AM

    Hi HossamAdel,

    Suspicious.Cloud.2 is a reputation-based detection. This SONAR technology has been in Norton products for a few years, and is now incorporated into SEP 12.1. It is normal that it would not have been detected in SEP 11. For more information, please see:

    What is new in Symantec Endpoint Protection 12.1?
    Article: TECH163413 | Created: 2011-06-28 | Updated: 2011-08-08 |
    Article URL http://www.symantec.com/docs/TECH163413

    The following article will help you to avoid seeing innocent files given suspicious reputations:

    Handling and preventing SONAR false positive detections
    Article: HOWTO55273 | Created: 2011-06-29 | Updated: 2011-11-17 |
    Article URL http://www.symantec.com/docs/HOWTO55273

    Hope this helps! :)

    Mick



  • 7.  RE: Why does Endpoint not detect (Suspicious.Cloud.2) as Norton AV does

    Posted Nov 29, 2011 06:52 PM

    Adding a helpful reference. For more information, see Symantec Security Response’s October 2010 whitepaper “Reputation-based Security: An Analysis of Real World Effectiveness” at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/reputation_based_security.pdf