Endpoint Protection Small Business Edition

  • 1.  Exclude Network Path

    Posted Oct 27, 2016 03:27 AM

    I have a network path with a file which is scanned as a false positive (e.g. \\server\path\false_positive.exe)

    Is there a way to exclude this file/folder from being scanned in Endpoint Protection Small Business Edition (Cloud)?



  • 2.  RE: Exclude Network Path

    Posted Oct 27, 2016 07:53 AM

    Yes, see 'Creating custom exclusions' in the "Symantec Endpoint Protection Small Business Edition (cloud-managed) Administrator's Guide."

    https://support.symantec.com/en_US/article.DOC7525.html

     



  • 3.  RE: Exclude Network Path

    Posted Oct 28, 2016 02:33 AM

    Thank you, but the Administrator's Guide only explains how to exclude a local path or a mapped drive.

    But I'm searching for a possibility to exclude a network share (w/o a mapped drive): e.g. \\server\path\false_positive.exe

    Unfortunately mapping the paths as a drive is not possible because we've got more shares than free drive letters.



  • 4.  RE: Exclude Network Path

    Posted Oct 28, 2016 01:59 PM

    Unfortunately, Symantec does not provide any mechanism for using a UNC when creating a custom exclusion.

    You could click the Question mark icon in the PMC or the HostedEndpoint for your client and submit a feedback request asking that they consider it for a future edition of the product.

    In the meantime, I'm going to ask some not so obvious questions:

    Is the file flagged by SEP on the server - and is it truly a false positive?

    Have you created a rule to exclude it on the server - and what are the results?

    I'm going to suggest that you copy the file to a specific location on the client and write the exclusion for it as a test.

    At least SEP would know that it should not flag the file; I don't think it would then flag it from the UNC location.

    Let us know the answers and how it works.

     



  • 5.  RE: Exclude Network Path

    Posted Nov 02, 2016 09:36 AM

    "I'm going to suggest that you copy the file to a specific location on the client and write the exclusion for it as a test."

    Tested this and it doesn't change the behaviour on our network path. The copied local file is excluded from scan as expected but the same file in the network path is still killed by SEP.

     

    If there is no appropriate solution in SEP the only way I see is to replace our soon expiring SEP with a working equivalent product of another software producer.



  • 6.  RE: Exclude Network Path

    Posted Nov 02, 2016 09:39 AM

    "Unfortunately, Symantec does not provide any mechanism for using a UNC when creating a custom exclusion."

    This is ridiculous, we are in 2016! UNC paths aren't the new thing of the year. How is it possible that a business program isn't supporting something so fundamental? Can't believe it, UNC paths have been used in almost every business network for 10s of years!

    "Is the file flagged by SEP on the server - and is it truly a false positive?"

    The file is not flagged by SEP on the server because there is an exclusion for the Server already. Before that, it was flagged. And it is truly a false positive. It is part of the ERP software solution we use and it is recognized as Heur.AdvML.B and we have checked this multiple times even with the developer.

    "Have you created a rule to exclude it on the server - and what are the results?"

    Yes, see answer above.

    "I'm going to suggest that you copy the file to a specific location on the client and write the exclusion for it as a test."

    Testing that right now. I will write another post if this works or not.

     

    Additional information:

    The odd thing is that on some of our client computers the exe-file we are talking about (in the network path) is NOT recognized as a virus. All is working fine here. I checked the software versions and virus definitions; they are all the same (newest). I checked the policy; all computers belong to the same policy in SEP. I reinstalled SEP on the problematic computers without changing the result. These computers are complete mirrors: same set of software, same settings, same SEP policy.

    This does not look very trustworthy to me when SEP finds a virus sometimes and sometimes it does not. Another thing is that right after reboot I can run the ERP software. But if I wait a minute after reboot and then run the ERP, it is killed by SEP. This can't be an acceptable behaviour.



  • 7.  RE: Exclude Network Path

    Posted Nov 14, 2016 09:30 AM

    Interesting, for some weird reason one of our computers with SEPSBE keeps scanning our network drives, but we have the network drives excluded. Any idea how to fix this?



  • 8.  RE: Exclude Network Path

    Posted Nov 15, 2016 12:00 PM

    Suggest you follow this procedure before you rip and replace.  It is entirely possible that Symantec can offer a solution in time.

    SUBMITTING A SAMPLE TO SYMANTEC SECURITY RESPONSE

    https://support.symantec.com/en_US/article.TECH98526.html

     



  • 9.  RE: Exclude Network Path

    Posted Nov 16, 2016 02:34 AM

    I solved the problem by submitting the affected program files to: https://submit.symantec.com/false_positive

    They were accepted for whitelisting.