Endpoint Protection

Hi,

Looking at your whitelisting service I realise that it is inadequate for some companies needs.

I have the ability to update and publish software onto my website for customers to download on the same day as we make the code change.

If I submit it on your whitelisting service your whitelisting takes 7 days and is only for that specificversion of the software. I might have released 2,3,4 new versions since that last submission.

So, when our mutual customer updates their software your endpoint manager will delete it as soon as it's downloaded. I cannot add a 7 day delay as customers want to receive their software ASAP.

Do you have any other whitelisting services that are based on the digital certificate that an exe is signed with?

Your Endpoint Manager has deleted bessential usiness software from your clients servers at several locations on the same day.

I would like to find a solution for the problem and I think if I get my software whitelisted direct with you then that would be a good solution, however the service you offer currently is not sufficent for agile development houses.

Regards

Robert

The false positive submission is another option:

https://submit.symantec.com/false_positive/

Once you submit I would suggest getting a case open.

In the mean time, you'll need to add exception(s) for it.

Brian,

This is not a solution. The Endpoint manager has already deleted the file as soon as it was downloaded and overwrote the existing exe. 

The Endpoint Manager has rendered a business system inoperable.

What are the whitelisting services that are available? 

If it's only for an exe upload and for that one version then that is not sufficent. 

Robert

P.S. I'm not a customer, I am an ISV. 

I have asked my customer to file a false positive but like I said in my post the current whitelisting service is not sufficent for your customers needs or mine.

I'm relaying what I've had to do in the past (file a false postive and whitelisting request). And yes, I'm aware of the time lag between filing and getting a reasonable response/fix. I've also had to submit multiple times when the file hash changes. I'm only a customer so I don't know what additional options exist as an ISV, if any others. The SEPM does allow the file to be added as an exception even after detection and removal.

But I get this is tedious.

Brian,

I have filed on the false_postive form, thanks.

How do I get a case opened? I'm not a customer.

Robert

There is a whitelist request form specific to ISVs:

https://submit.symantec.com/whitelist/isv/

If this is the one you've tried previously, my apologies.

Being that you're not a customer they may not be able to help you directly. This should be opened from the customer who has the support entitlement.

I'll attempt to get this escalated though.

Brian,

Thanks. That's the one I used.

The problem is as per my original post. The whitelisting service is not adequate.

Another AV company for example has a whitelisting service based on code-signing certificate. For software that can have frequent updates that seems like a better solution for this problem.

ISV's can't wait for 7 days in the hope that symantec will add a version to their whitelist (or not) wihtout any feedback to the ISV. (Even with feedback it's totally unworkable as it stands)

 All I can do is get the end user to exclude folders from being protected which is bad practice as I'm sure you'll agree.

Appreciate any and all efforts for escalation of this.

Kindest Regards

Robert

Brian,

I appreciate your feedback. Many thanks.

This really is a post for a Symantec Employee to respond to as only someone working in the whitelisting department can really answer this. However for obvious reasons there isn't an easy way to contact them (if any).

I did telephone support in the US and was told that no-one could or was available to help.

Robert

Hi Robert,

Many thanks for the post.  Just to confirm: are you currently digitally signing your software?  That goes a good way toward proving its provenence and preventing Insight-related detections for new/unknown files.  Some more recommendations can be found in:

Insight Deployment Best Practices
Article URL http://www.symantec.com/docs/DOC5077  

As discussed above, customers can make False Positive submissions for files already in the field.  (FPs are processed far more quickly than the proactive Whitelisting program submissions.) They can also create exclusions for their environments if the software always installs to the same path.

Feel free to PM me the tracking numbers for some of your whitelisting submissions- I will take a quick look from this side to see if anything was amiss with their processing.

With thanks and best regards,

Mick

Mick,

Thanks. I will PM you and when I tried to open the pdf the website gave me this:-

An error occurred while processing your request.

Reference #50.61efd4d9.1490887011.72b64fc

Opened fine for me. 

https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/5000/DOC5077/en_US/Insight_v1.pdf?__gda__=1491031372_a5d9bba2f63d17c55ec38a91bb7fb55f

Mick,

Sorry, Yes all exe's are Digitally Signed.

EPM doesn't like software downloading updates. That's when it really throws a hissy fit and deletes the downloaded file and the file that was doing the downloading.

Regards

Robert

Mick,

That link is much better, thanks.

I have PM'd you.

Robert