Endpoint Protection

Dear all,

We submit our executables to symatec every time we compile to the ISV Whitelist.

Today we have tried to submit a new version of the executable to the ISV Whitelist only to find the message on the https://submit.symantec.com/whitelist/isv/  webpage

 

Symantec no longer offers software vendors a proactive whitelisting partnership.

 

If your software is currently detected by Symantec and you wish to report a false positive, please use below option

 

 

So, I know for a fact that every time my client who has SEP 12 gets a new version of my exe files the symatec software deletes it.

 

How can my clients be able to use my software as I know for a fact symantec makes a false positive 100% of the time.

 

Regards

Robert

They gave this option:

http://www.symantec.com/docs/TECH98360

https://submit.symantec.com/false_positive/

If that doesn't work, call them and find out what the new process is.

Hi Brian,

False Positve report is too late. The Endpoint Manger has rendered a critical software system inoperable as it typiclly deletes/quarantines the exe file in question.

Submitting a false positive report afterwards is too late. Plus that will not get an end user up and running again without IT support to get the file out of quarantine.

After we first had a customer with this issue we found out about the ISV whitelisting program and have been subitting each and every build to the whitelist. This can happen on a daily basis during heavy demand periods. When a customer downloads the new software thier EPM won't delete it straight away!

The fact they have closed this facility is very disapointing. 

The document (http://www.symantec.com/docs/TECH98360) states to use exceptions with extreme caution but the exception is not very flexible and it may end up having to exclude whole folders which is obviously a security risk.

I am not a cutomer, only an ISV so I guess I cannot call anyone unless you know a team that deals with whitelisting?

What are my options?

I don't have much else to offer since the direction needs to come from Symantec directly. Since you're not a customer this makes it much more difficult in terms of contacting them. Hopefully, a Symantec will see this thread and provide guidance/steps to take going forward.

Brian,

I really appreciate you taking the time to respond.

Hi Robert,

Thanks for the post.  Submitting False Positives is currently the only way for the appropriate Symantec team to come in contact with your files.  They are the ones who can perform an in-depth root cause analysis and (if necessary) try to find a permanent resolution.

Feel free to PM me the numbers if if have some suspected False Positives submitted at the moment.  I'll make sur ethey get teh proper attention.

This decision is very disappointing. This feature was one that set Symantec/Norton apart from all other security software. We will now have to rethink our strong recommendations of  Symantec products for our customers (and family and friends).

With each new release of our software there have been long delays when loading it. We found that Norton Internet Security is analysing new releases causing the delay. When our applications were whitelisted we did not observe this delay.

Symantec, please reconsider this decision and reinstate this service.

Symantec just updated their KB article in regards to this:

http://www.symantec.com/docs/TECH132220

I'm just passing it along so don't shoot the messenger.

Depending on your customer install base, you should also look into IEEE AMSS. AMSS has a service called Clean file Metadata eXchange (CMX) that is used by most major AV vendors to whitelist files submitted by trusted software vendors. Costs a bit, but might be worth it if your install base is big enough. http://standards.ieee.org/develop/indconn/icsg/amss.html

Kevin H,

I do not recommend security solutions to clients but I was thinking that my client should change vendors when the problem of false positives first came to light. I then found out about whitelisting thanks to Brian and the admins and went down that route. Now I'm back to square one where critical software can be rendered useless by SEP. The end user has to now exclude a whole folder which is in itself insecure!

 

Brian,

  No shots are heading in your direction. I wonder if other vendors are doing the same?

 

Torb,

  Thanks for the heads up. I'll sign up as a provider (it's free byt he looks of it) and see where that gets me. I'll update this post when I know more

 

Regards

Robert

Mick,

I'm an ISV and not a symantec corporate customer.

Can Symantec not see that submitting a false positive is too late? 

The reason I was whitelisting was that SEP was deleting my exe file from customers computers. They would then have to get an IT person with correct access levels to restore the file. An IT person might not be avaialble to do this. 

If you suggest that the client has to submit a false positive then the software system has been rendered inoperable for a period and steps have had to be taken to get the system working again even before the false positive is then reported to you. You are basically forcing SEP users to exclude scanning/insight from the whole folder containing my software but any other files that are placed in that folder are also excluded from scans. Thus you are creating a weak spot. They are also not going to get any more false positives because they are not scanning the software etc at all.

 

Kind Regards

Robert

 

Here are some additional resources and guidance for vendors. 

White Paper: To Increase Downloads, Instill Trust First

Why security software misfires, and 6 things software authors can do about it