Endpoint Protection

  • 1.  How to exclude files in temp folders

    Posted Feb 01, 2017 01:11 PM

    I have a user that is trying to download and install a legitimate application. The file is able to be downloaded. On executing, the app seems to create an executable in a randomly-named temp folder. Because the temp folder is randomly created, I am not able to provide a full path to the executable for exclusion purposes.

    How can I deal with files like this?

    Error message snippets:

    At least one security risk found:

    Risk name: Trojan.Gen.8
    File path: C:\Users\username\AppData\Local\Temp\is-KSG9M.tmp\PTDownloader.exe

    At least one security risk found:

    Risk name: Trojan.Gen.8
    File path: C:\Users\username\AppData\Local\Temp\is-OV65Q.tmp\PTDownloader.exe

    At least one security risk found:

    Risk name: Trojan.Gen.8
    File path: C:\Users\usernamel\AppData\Local\Temp\is-16R5O.tmp\PTDownloader.exe

    At least one security risk found:

    Risk name: Trojan.Gen.8
    File path: C:\Users\username\AppData\Local\Temp\is-5QRS1.tmp\PTDownloader.exe

    These are all multiple attempts to download the same file. How can I allow the users to download this file?



  • 2.  RE: How to exclude files in temp folders

    Posted Feb 01, 2017 04:17 PM

    Well, you could exclude the C:\Users\username\AppData\Local\Temp\ directory if this is an isolated instance. Not really secure, though.

    Outside of that, you could use the Application to Monitor section in the Exception policy. Add the filename, and once it is detected you can then manually add it to the exclusion list as a file. Similar to this:

    https://www.symantec.com/connect/forums/allow-exe-many-different-file-paths#comment-11757381



  • 3.  RE: How to exclude files in temp folders

    Posted Feb 02, 2017 05:53 AM

    Hi Bulbous,

    I definitely do not recommend excluding temp locations from scanning; that is one place that malware likes to run.

    If you are confident that "PTDownloader.exe" is a safe application, please do submit it to the False Positive portal for examination. You can create exclusions for it by name or hash; this is more precise than excluding a whole directory!

    Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
    http://www.symantec.com/docs/TECH98360
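As an added illustration of the point made in the replies above (this is example code written for this page, not anything from the thread participants or from Symantec), the script below parses detection snippets like the ones quoted in the question, shows that the only thing stable across them is the file name while the `is-XXXXX.tmp` folder changes every run, and then makes the allow decision on the file's SHA-256 rather than on its path. The log text is constructed to mirror the quoted snippets, and the assumption that the random folder follows an `is-XXXXX.tmp` pattern is mine.

```python
import hashlib
import re

# Constructed sample, modelled on the detection snippets quoted in the question.
DETECTION_LOG = r"""
At least one security risk found:
Risk name: Trojan.Gen.8
File path: C:\Users\username\AppData\Local\Temp\is-KSG9M.tmp\PTDownloader.exe
At least one security risk found:
Risk name: Trojan.Gen.8
File path: C:\Users\username\AppData\Local\Temp\is-OV65Q.tmp\PTDownloader.exe
At least one security risk found:
Risk name: Trojan.Gen.8
File path: C:\Users\username\AppData\Local\Temp\is-16R5O.tmp\PTDownloader.exe
"""

RISK_RE = re.compile(r"Risk name: (?P<risk>\S+)\s+File path: (?P<path>[^\n]+)")
# Assumption: the random unpack folder is always five alphanumerics, "is-XXXXX.tmp".
TEMP_DIR_RE = re.compile(r"^is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)


def parse_detections(log):
    """Return (risk name, file path) pairs from pasted detection snippets."""
    return [(m.group("risk"), m.group("path").strip()) for m in RISK_RE.finditer(log)]


def path_exclusion_is_stable(paths):
    """A path exclusion only helps if every detection reported the same path."""
    return len(set(paths)) == 1


def summarize(paths):
    """Group detections by file name and collect the random temp folders involved."""
    names = {p.rsplit("\\", 1)[-1] for p in paths}
    temp_dirs = {seg for p in paths for seg in p.split("\\") if TEMP_DIR_RE.match(seg)}
    return names, temp_dirs


def sha256_of(path):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_hash(path, allowlist):
    """Allow the file only if its bytes match a vetted hash, whatever folder it sits in."""
    return sha256_of(path) in allowlist
```

Compare the hash against the one the vendor publishes (or the one the False Positive portal confirms) rather than against the hash of the file that was just flagged; otherwise you are only allowlisting whatever happened to land in the temp folder.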