Endpoint Protection

  • 1.  SCCM 2012 Client cache detection Trojan.Gen detection

    Posted Aug 07, 2014 10:55 PM

    Hi All,

    One of our packaged software installations being delivered to our Windows 8 clients via SCCM 2012 is being detected as a Trojan.Gen. I was going to put in a file exception for the msi, but the SEP file exceptions require a full path. The nature of the SCCM client is that it changes the path name to the installation files, e.g.

    Same installer msi but different paths

    Computer 1 C:\Windows\ccmcache\4f\<installfile>.msi

    Computer 2 C:\Windows\ccmcache\5p\<installfile>.msi

    Is there any way around this? I would prefer to avoid adding a folder exception at, say, the C:\Windows\ccmcache level, as this is the only msi affected.

    Thanks



  • 2.  RE: SCCM 2012 Client cache detection Trojan.Gen detection

    Posted Aug 07, 2014 11:01 PM

    You should create an exclusion for the Installer name.msi, exclude the process altogether.

    Since this is a genuine application, I would first submit it as a false positive:

    https://submit.symantec.com/false_positive/

    Wait for signature updates and then deploy the software.

     



  • 3.  RE: SCCM 2012 Client cache detection Trojan.Gen detection

    Posted Aug 07, 2014 11:45 PM

    Thanks Rafeeq,

    I have submitted the request. See what happens.



  • 4.  RE: SCCM 2012 Client cache detection Trojan.Gen detection

    Posted Aug 08, 2014 07:46 AM

    Would be curious to see the outcome here; never had this issue come up with SCCM.



  • 5.  RE: SCCM 2012 Client cache detection Trojan.Gen detection
    Best Answer

    Posted Aug 11, 2014 09:43 PM

    It appears that a later release of your definitions has resolved the problem. We noticed that the workstations affected all had an older definition set. We forced an update and the installations were able to proceed.

    The product we were trying to install was Cisco Jabber 9.7.3.18968. We have not had any issues with previous versions or any other application installations.

     

    The detection was on the files below. The second is an interesting one, with the characters '>>_______' appended to the end of the file name.

     

    C:\Windows\ccmcache\5w\CiscoJabberSetup.msi

    C:\Windows\ccmcache\5h\CiscoJabberSetup.msi>>_________

     



  • 6.  RE: SCCM 2012 Client cache detection Trojan.Gen detection

    Posted Aug 11, 2014 10:03 PM

    I think you are using SCCM 2012. Because of content management, the way it stores the packages is now different. Yeah, >> is quite interesting. Can you check if these are 32- or 64-bit MSIs or different Jabber versions? Just trying to understand how these are getting added to the cache.