Endpoint Protection

  • 1.  application is detected as suspicious alerts SONAR.Heur.RGC!g194

    Posted May 12, 2016 03:30 AM

    Hi,

    We have an in-house developed application. While running this application, it is getting detected as SONAR.Heur.RGC!g194. Before yesterday, the application was running fine.

    It compiles some files and creates an exe. Every time, a new name, location and hash value is created. It's the creation process that triggers the SEP alert.

    Tried to add an application exclusion, but it didn't work as the hash value gets changed every time.

    Any suggestions?

    Regards

    KK

     

     



  • 2.  RE: application is detected as suspicious alerts SONAR.Heur.RGC!g194

    Posted May 12, 2016 04:35 AM

    Hi  KK_4984,

    Thanks for the post.  First question: are you certain that these files are clean?  If so, then the following article will help:

    Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
    http://www.symantec.com/docs/TECH98360

    Are the .exe's always the same or do they change?  If they are the same, submit them to the False Positive portal.  If they change, then use exclusions to avoid detection on the folder into which the created files are placed. 

    Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick



  • 3.  RE: application is detected as suspicious alerts SONAR.Heur.RGC!g194

    Posted May 12, 2016 06:56 AM

    Hi Mick,

    Yes, the .exe's keep changing. We have already submitted the file to Symantec. But it's an in-house application. Tried to exclude the folder which is provided in the list. It is still not working.

    Any other suggestions?

     

    Thanks & Regards

    KK



  • 4.  RE: application is detected as suspicious alerts SONAR.Heur.RGC!g194

    Posted May 12, 2016 07:23 AM

    Are these all under the same directory? If so, put in a folder exclusion and under 'Specify the type of scan that excludes this folder' make sure to add SONAR.



  • 5.  RE: application is detected as suspicious alerts SONAR.Heur.RGC!g194

    Posted May 12, 2016 09:00 AM

    Hi Brian,

    There are multiple subdirectories under one directory. I have tried to place a folder exclusion, but it is also not working.

    Any other suggestions?

     

    Thanks 

    KK



  • 6.  RE: application is detected as suspicious alerts SONAR.Heur.RGC!g194

    Posted May 12, 2016 09:25 AM

    Did the clients pick up the new policy change with the exception in it? Is the directory that you excluded still showing in the path of the detection that was made?