Endpoint Protection

  • 1.  Symantec blocking executable after restoration from quarantine

    Posted Feb 28, 2017 06:57 AM

    Hello, I want to submit a strange behavior in Symantec Endpoint Protection 14 build 1904 on Windows that could be a bug.

    Recently, one executable file of our internally developed program is being detected as SONAR.AM.Eg8 and afterwards quarantined.

    If I restore the quarantined file to the original location and afterwards I execute the same file, Symantec blocks the executable file without any warning message box or any popup.

    I know for sure that Symantec is blocking the file because if I disable Symantec Endpoint Protection and I execute the file again, the program starts.

    I wonder if I am the only one experiencing this weird behavior and if this is a known bug.



  • 2.  RE: Symantec blocking executable after restoration from quarantine

    Posted Feb 28, 2017 07:00 AM

    It looks like SONAR is making the detection on this. Have you tried just adding an exclusion for it? You shouldn't need to disable SEP.

    Handling and preventing SONAR false positive detections



  • 3.  RE: Symantec blocking executable after restoration from quarantine

    Posted Feb 28, 2017 09:06 AM

    Thank you, Brian,

    The link you posted is really helpful.
    Anyway, if SONAR blocks the file and then I restore it from the quarantine, shouldn't it put it again in the quarantine instead of blocking the file without any warning?



  • 4.  RE: Symantec blocking executable after restoration from quarantine

    Posted Feb 28, 2017 09:07 AM

    Depends on how you have your actions configured to notify the end user.