Endpoint Protection


SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1


  • 1.  SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 07:44 AM
    Hi,
    We use Symantec Endpoint Protection Version 11.0.4 MR4 as Client Antivirus Protection.
    We use the program DameWare Development Remote Control as RemoteControl in our Enterprise environment.
    All Clients have a file named c:/winnt/system32/dwrcst.exe or c:/windows/system32/dwrcst.exe.
    dwrcst.exe is the executable for the service DameWare Remote Control, used to control the Clients from an Admin-Session.

    Since we use SEP 11 we had the Problem that all Clients detect wrongly this file as a Virus:
    Event No: 48921
    Event Type: Potential risk found
    Source: AV - Heuristic Scan
    Logger: AV - Heuristic Scan
    Threat: Bloodhound.SONAR.1
    Threat Category: unknown
    Threat Type: Trojan_Horse
    Discovered: 01.01.1970 00:00:00
    File / Path: c:/winnt/system32/dwrcst.exe
    Description: DameWare Development DWRCST
    Actual Action: Left alone
    Primary Action: Left alone
    Secondary Action: Left alone
    Source Computer: 0.0.0.0(IP: 0.0.0.0)

    We have inserted this filename %[SYSTEM]%dwrcst.exe in the Centralized Exceptions Policy, but it doesn't work.
    Does anyone have an idea how to solve this problem?

    Greetings
    Daniel


  • 2.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 07:51 AM
    You can make the respective file an exclusion in the Centralised Exception Policy.

    Ajit


  • 3.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 08:03 AM
    [screenshot]


  • 4.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 08:06 AM
    The next Question is:
    Why did Symantec not detect this file as a commercial Remote Control Application?

    These are the settings in the Antivirus-Policy:
    [screenshot of the Antivirus policy settings]


  • 5.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 08:24 AM
    Hi,

    That screen capture is from TruScan and I believe AV real-time scan found Dameware. Those SEP components don't really speak to each other like they should :-)

    Your exception looks to be configured correctly, but you could try to add C:\Winnt\System32\dwrcst.exe and C:\Windows\System32\dwrcst.exe if that variable doesn't work for some reason.

    - Jukka

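A defender-side check for the situation in posts 1 and 5, added here as an example and not part of the thread: it parses the posted SEP risk event, expands the %[SYSTEM]% exception variable into both the Winnt and Windows system roots Jukka mentions, and compares the logged path against the exception after normalizing slash direction and case (the event logs forward slashes, while exceptions are usually typed with backslashes). The way %[SYSTEM]% is expanded and the SYSTEM_DIRS list are assumptions, not documented SEP behaviour.

```python
from typing import Dict, List

# Constructed sample: the SEP risk event from post 1, trimmed to the fields used here.
SAMPLE_EVENT = """\
Event Type: Potential risk found
Source: AV - Heuristic Scan
Threat: Bloodhound.SONAR.1
File / Path: c:/winnt/system32/dwrcst.exe
Description: DameWare Development DWRCST
Actual Action: Left alone
"""

# Assumption: %[SYSTEM]% may resolve to either system root seen in the thread.
SYSTEM_DIRS = [r"C:\Winnt\System32", r"C:\Windows\System32"]


def parse_event(text: str) -> Dict[str, str]:
    """Split the 'Key: value' lines of an SEP risk event into a dict (first colon wins)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def normalize_path(path: str) -> str:
    """Canonicalize a Windows path: backslashes only, lower case, no trailing separator."""
    return path.replace("/", "\\").rstrip("\\").lower()


def expand_exception(entry: str) -> List[str]:
    """Expand a policy entry containing %[SYSTEM]% into one literal path per system root."""
    if "%[SYSTEM]%" in entry:
        return [normalize_path(entry.replace("%[SYSTEM]%", d + "\\")) for d in SYSTEM_DIRS]
    return [normalize_path(entry)]


def path_is_excepted(event_path: str, exceptions: List[str]) -> bool:
    """True if the logged path matches any exception entry after normalization."""
    target = normalize_path(event_path)
    return any(target in expand_exception(e) for e in exceptions)


def triage(event_text: str, exceptions: List[str]) -> Dict[str, object]:
    """Summarize what a SOC analyst would check: heuristic source, action taken, exception match."""
    ev = parse_event(event_text)
    return {
        "threat": ev.get("Threat", ""),
        "heuristic": ev.get("Source", "").startswith("AV - Heuristic"),
        "left_alone": ev.get("Actual Action") == "Left alone",
        "excepted": path_is_excepted(ev.get("File / Path", ""), exceptions),
    }
```

If `excepted` is True for an event that still fires, the exception text itself is not the problem and the detecting component (heuristic/TruScan versus the exception type configured) is the next thing to check.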

  • 6.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 08:30 AM
    Okay, I changed the policy!
    I'll give you feedback next week (when most of our Clients have updated the policy...)


  • 7.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 08:48 AM
    Submit the file to Symantec, explain the situation. If that doesn't help, contact them directly.
    If it's a legit and commercial app - they need to know of any false positives. (and these folks seem to be legit all the way.)

    I've also seen folks use hacking tools to administer networks (BAD PRACTICE done mostly by "kids" or young people wanting FREE tools) then they #@$% about it being found as a bug. DUH.

    But any legit admin tool or commercial application, let Symantec know about it............... you may not be alone.


  • 8.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 08, 2009 09:05 AM
    We use Dameware and I have the same processes running alongside SEP through every version of SEP and every definition release and not had a single detection against any Dameware process.

    I'd not exclude the possibility, but I'm guessing that a general false positive would have been spotted before now.
    Personally, I wouldn't exclude until I was given the all clear after submitting for analysis.

    Is it possible your image of Dameware has been hijacked?

    Nick


  • 9.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 18, 2009 09:30 AM
    I received a virus definition upgrade yesterday, 5/17/09, and it's removing the DameWare client software and not allowing me to connect to desktops. I have 10.0 - how can I configure an exception?


  • 10.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 18, 2009 10:00 AM
    Try to exclude it in the TruScan Proactive exception and also as a Known Risk (Remacc.Dwremote).


  • 11.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 19, 2009 12:11 PM
    Changing the policy doesn't work, we still have these false risk alarms!

    How can I submit a file to Symantec?


  • 12.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 19, 2009 12:47 PM
    Bloodhound detections are unconfirmed, or rather potential, malware.
    bpwrightwv detects it as malware and NickF doesn't...

    Symantec should detect it as Commercial.apps


  • 13.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted May 28, 2009 05:27 AM
    Yesterday I found the online form for False Positive Submission:
    https://submit.symantec.com/false_positive/index.html
    Now I'm waiting for the response!


  • 14.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 01:35 PM
    The DameWare program (C:\Windows\System32\dwrcsh32.dll, dwrcst.exe) is detected as Remacc.Dwremote with the definition 15th Sep 09 rev 3. Update the definition to 09/15/2009 rev 49 (Sequence Number: 100400 or higher) to resolve the issue. These definitions can be obtained from ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/


  • 15.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 03:29 PM
    Hi Suede, I know dhaberm submitted a possible "False Positive" in the past, but I recommend that you make the submission again.

    https://submit.symantec.com/dispute/false_positive/

    Regards,
    Thomas


  • 16.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 03:32 PM
    DameWare is definitely a legitimate remote control application, but SEP is still detecting it as malware.

    This is still an issue with 9/16/2009 r3 definitions.

    Edit: Definition version: 110916c.

    Thanks,
    Suede Worthey


  • 17.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 03:36 PM
    I was just going to change the policy and see if that works first...

    I am just curious why it did not pick up on this until this afternoon. It had been working fine for weeks.

    Thanks,
    Suede


  • 18.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 03:51 PM
    It looks like a false positive with the latest defs, but I guess it should be fixed on the next defs update, if Symantec is aware of this.


  • 19.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 03:56 PM
    So, in that case, how can I easily restore the clients to their original status once these files are no longer flagged as 'bad'? Will SEP automatically restore the settings it quarantined once the quarantined files are no longer considered a threat, or would I have to re-install DameWare on 1000 computers? I'd certainly not like the latter option.

    Thanks,
    Suede


  • 20.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 04:04 PM
    I will be happier to see if there is any other way rather than following the second one..


  • 21.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 04:38 PM

    Come on Symantec pull your finger out!



  • 22.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 04:42 PM
    Hi,
    This issue should be fixed in the next LiveUpdate.


  • 23.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 05:01 PM
    I installed it myself and it is getting detected as Remacc.Dwremote.

    So you can make a Security Risk exception for Remacc.Dwremote:

    Centralised Exceptions - Security Risk Exceptions - Known Risks


  • 24.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 05:17 PM

    Security Response is aware of the many detections of Remacc.Dwremote.
    A new definition will be released sometime soon.

    Regards,
    Thomas



  • 25.  RE: SEP detects DameWare Development DWRCST wrongly as Virus Bloodhound.SONAR.1

    Posted Sep 16, 2009 05:31 PM
    The detection for Remacc.Dwremote has been pulled in September 16th, 2009 rev.025 (Sequence 100419 or higher) Rapid Release definitions.