Endpoint Protection


False Positives with SEP 14

  • 1.  False Positives with SEP 14

    Posted Nov 17, 2016 09:52 AM

    We are seeing a lot of false positives with this new SEP 14. Scans are deleting legit files and all are detected as

    Heur.AdvML.A



  • 2.  RE: False Positives with SEP 14

    Posted Nov 17, 2016 09:53 AM

    That's new Advanced machine learning capability. Did you add any exclusions?



  • 3.  RE: False Positives with SEP 14
    Best Answer

    Posted Nov 17, 2016 09:59 AM

    Hi nhaydon,

    Thanks for the post.  This article may help:

    Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
    http://www.symantec.com/docs/TECH98360

    I recommend submitting those known-safe files detected as Heur.AdvML.A to our False Positives portal.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions



  • 4.  RE: False Positives with SEP 14

    Posted Nov 17, 2016 10:44 AM

    Same problem here, Heur.AdvML.A on random files, like:

    Citrix Receiver DLL

    File or path: C:\Program Files (x86)\Citrix\ICA Client\picn2620.dll
    MD5 Hash: C0046ADD97A77033AF9B5929AF7160F7

    Notepad++ installer

    Application: npp.6.9.2.Installer.exe
    MD5 Hash: C0C9A1FD2C110723E5D18E00CFE79453

    OpenVPN Client

    Application: openvpn-install-2.3.10-I603-x86_64.exe
    MD5 Hash: EEFDD84E1488E4F8AE9858C783CF49E3



  • 5.  RE: False Positives with SEP 14
    Best Answer

    Posted Nov 18, 2016 05:26 AM

    This may be of interest:

    Machine Learning: New Frontiers in Advanced Threat Detection
    https://www.symantec.com/connect/blogs/machine-learning-new-frontiers-advanced-threat-detection

    WEBINAR: Tackle Unknown Threats with Symantec Endpoint Protection 14 Machine Learning
    https://www.symantec.com/connect/blogs/webinar-tackle-unknown-threats-symantec-endpoint-protection-14-machine-learning



  • 6.  RE: False Positives with SEP 14
    Best Answer

    Trusted Advisor
    Posted Nov 18, 2016 06:17 AM

    As mentioned above, it's the new Advanced Machine Learning capability in SEP v14. It needs to 'learn' which files are good and which are bad. Over time, it will improve and get better for everyone using SEP v14.

    You can help Symantec by submitting the files to them so they can mark it as safe.



  • 7.  RE: False Positives with SEP 14

    Posted Nov 18, 2016 11:26 AM

    Their "advanced machine learning" doesn't sound very advanced.



  • 8.  RE: False Positives with SEP 14

    Posted Nov 18, 2016 11:33 AM

    There is no reason for this attitude. As already mentioned, these need to be excluded.



  • 9.  RE: False Positives with SEP 14

    Posted Nov 19, 2016 12:20 PM

    I get it, but I really don't have time to submit all my false positives to Symantec.



  • 10.  RE: False Positives with SEP 14

    Trusted Advisor
    Posted Nov 21, 2016 02:45 AM

    In that case, you can manually exclude these files, or wait until Symantec is aware of it and it updates itself. Whichever works best for you.



  • 11.  RE: False Positives with SEP 14

    Posted Nov 21, 2016 11:50 AM

    Andrea,

    Thanks for the feedback and the hashes. I will take this up with our engine team asap.

    Balaji



  • 12.  RE: False Positives with SEP 14
    Best Answer

    Posted Nov 21, 2016 12:07 PM

    Heur.AdvML.A is a new machine learning based detection that protects our customers. I am so sorry to hear it is causing you trouble. As with any heuristic ML technology that does not use reputation, it can sometimes trigger on previously undetected files that resemble malware. We are working on fine-tuning the ML models, hence feedback like this is very helpful.

    In the interim, I suggest you consider locally whitelisting any false detections. I have attached a screenshot of the interface below.

    Thanks,

    Balaji

    SEP Product Director

    [Attachment: image002.jpeg]



  • 13.  RE: False Positives with SEP 14

    Posted Nov 29, 2016 12:03 PM

    This screenshot looks to be from Norton. I am running into this same exact issue. All of my technicians are receiving daily virus alerts on their phone system support tool installation files. I have over 500+ files that are falsely identified, and submitting these one by one is not a viable or efficient option. I've already opened a ticket for this issue and it appears that the tech support agent I'm working with does not know what machine learning is.



  • 14.  RE: False Positives with SEP 14
    Best Answer

    Posted Nov 29, 2016 04:04 PM

    Justin, thanks for pointing that out. It was an oversight. I have provided the correct screenshots from both the SEP client and the SEPM policy manager below:

    [Attachment: SEP Exception.jpeg]

    SEPM Configuration Page: [Attachment: SEPM Exception.jpeg]



  • 15.  RE: False Positives with SEP 14

    Posted Nov 29, 2016 04:36 PM

    Would submitting false positives via the link above help with fine tuning the ML models? I have many false positives (installs, zip files, exe's, etc.) that are flagged and causing issues with our employees' workflow. I need to do something here to fix this issue shortly or I will have to roll these computers back to 12.1.6. My dilemma here is that I cannot exclude file hashes. There are duplicates for a lot of the false positives I am seeing (due to technicians using the same tools), but each technician may store them in different folders on the hard drive. Therefore I'd have to build multiple exclusions for each individual instance of this file being detected. I can't even be proactive, which is really disappointing.

    There was an idea from a Symantec employee 3 years ago stating that file hash exceptions should be added to the product. Has there been any thought to this or progress?

    I am willing to talk or work with anyone at any time to help resolve this issue. Just let me know how I can help. If you need a case number to look at, mine is 11364966. So far I haven't received anything that would help my issue other than a suggestion to use the whitelisting capability of System Lockdown. This will not work for us as we do not have a generic list of applications or files on any of our computers, since we are a support provider for a range of business class telecommunication systems and products.



  • 16.  RE: False Positives with SEP 14

    Posted Nov 29, 2016 07:29 PM

    It would be helpful if, aside from adding it to the exception list (which can be tedious most of the time in situations like this), users had the ability to override the action to a non-aggressive action, either for that specific detection only or for this new feature of SEP as a whole. As mentioned above in the post, it is still learning in the backend, which means there is still a high degree of possibility that it is wrong in its detections. The expectation is that even if it is on a log-only action it is still sending 'ping' information, and on some occasions probably even the file content itself, which Symantec can analyze within their backend processing. I also hope Symantec can crawl open source tools such as Notepad++, OpenVPN and other similar tools to ensure they get whitelisted every time a new build of these tools is released.




  • 18.  RE: False Positives with SEP 14

    Posted Nov 29, 2016 10:28 PM

    Justin, I have sent you an email on this. We welcome all feedback to improve the ML engine in SEP14.



  • 19.  RE: False Positives with SEP 14

    Trusted Advisor
    Posted Dec 05, 2016 05:23 AM

    "I also hope Symantec can crawl open source tools such as Notepad++, OpenVPN and other similar tools to ensure they get whitelisted every time a new build of these tools is released."

    I don't agree with that. There have been a few cases where open source software has been 'hacked' to modify the code and then released to the public. If this was whitelisted automatically, it would cause a nightmare for us IT admin guys!



  • 20.  RE: False Positives with SEP 14

    Posted Dec 06, 2016 08:38 AM

    If you select "Allow Application" from the "Monitors -> Risks" page, it will exclude by hash and SEP won't care about the file's location.
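The complaint in post 15 (the same support tool is detected again in every folder a technician copies it to, so a path exclusion per copy is needed) and the answer in post 20 (a hash-based "Allow Application" exception ignores location) both come down to identifying a file by its hash rather than its path. The script below is an added example, not code from the thread or from Symantec, and it does not talk to SEP or SEPM. It assumes only what post 4 shows: SEP reports an MD5 for each Heur.AdvML.A detection. Given a list of MD5s you have already reviewed, it walks a directory tree and lists every copy whose hash matches, so one review of a hash yields the full set of paths to exclude (or to check against the hash exception created in SEPM). It also records SHA-256 next to the MD5, since MD5 collisions are practical and an allowlist keyed only on MD5 is weaker than one keyed on SHA-256. The directory layout and file contents in `demo()` are constructed for the example; the allowlist is hashes you have reviewed, deliberately not "every build of tool X", for the reason post 19 gives.

```python
"""Path-independent matching of reviewed SEP detections by file hash.

Added example; not part of the thread and not Symantec code. Assumes SEP
reports the MD5 of each detection (as the hashes in post 4 show) and that
the operator has reviewed those hashes before adding them to the allowlist.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large installers are not read into RAM


def hash_file(path):
    """Return (md5, sha256) hex digests; MD5 upper-cased to match SEP's display."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest().upper(), sha.hexdigest()


def find_allowlisted_copies(root, allowlist_md5):
    """Walk root and return sorted (path, md5, sha256) for every file whose MD5
    is on the reviewed allowlist, regardless of which folder it sits in."""
    wanted = {h.upper() for h in allowlist_md5}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                md5, sha = hash_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if md5 in wanted:
                hits.append((str(p), md5, sha))
    return sorted(hits)


def demo():
    """Constructed sample: one support tool stored by two technicians in
    different folders, plus an unrelated file that must not match.
    Returns (relative paths of matching copies, reviewed MD5)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tool = b"MZ\x90\x00constructed sample installer bytes"  # constructed content
        (root / "tech_a" / "tools").mkdir(parents=True)
        (root / "tech_b").mkdir()
        (root / "tech_a" / "tools" / "support_tool.exe").write_bytes(tool)
        (root / "tech_b" / "support_tool_copy.exe").write_bytes(tool)
        (root / "tech_b" / "other.exe").write_bytes(b"MZ\x90\x00something else")
        # The reviewed hash would normally come from the SEP risk log entry.
        reviewed_md5 = hashlib.md5(tool).hexdigest().upper()
        hits = find_allowlisted_copies(root, [reviewed_md5])
        return [os.path.relpath(h[0], root) for h in hits], reviewed_md5


if __name__ == "__main__":
    paths, md5 = demo()
    print(f"reviewed MD5 {md5} found at {len(paths)} path(s):")
    for p in paths:
        print("  ", p)
```

Run it against a technician's drive with the MD5s from the risk log in place of the demo allowlist and the output is the list of locations a path-based exclusion would have to cover; if SEPM's "Allow Application" hash exception is used instead, the same output is a quick check that no copy on disk differs from the reviewed hash.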