Endpoint Protection

  • 1.  Too many false positives for the past few days on SAV, anything wrong with the Symantec Security Response Team?

    Posted Jul 07, 2009 01:30 PM
    Have you guys noticed that there were too many false positives in SAV definitions for the past few days? SAV accidentally detected Bloomberg software and others as a Trojan horse and quarantined the files. We submitted the sample to Symantec yesterday and they immediately responded that it was a false positive and would be corrected by a rapid release def; we got the rapid release and it still detected the files as a Trojan. Do you notice the same issue?


  • 2.  RE: Too many false positives for the past few days on SAV, anything wrong with the Symantec Security Response Team?

    Posted Jul 07, 2009 01:56 PM
    What do you have your Bloodhound detection sensitivity set at? Was it detected by AV or Proactive Threat Protection?


  • 3.  RE: Too many false positives for the past few days on SAV, anything wrong with the Symantec Security Response Team?

    Posted Jul 07, 2009 02:03 PM
    I have never faced a single event of false positives with Symantec.


  • 4.  RE: Too many false positives for the past few days on SAV, anything wrong with the Symantec Security Response Team?

    Posted Jul 07, 2009 02:08 PM
    @chenh, if it is confirmed to be a false positive then there is a good chance that it will be corrected.... They release quite a lot of RRs every day....

    http://www.symantec.com/business/security_response/definitions/rapidrelease/index.jsp


    Ideally it should be out today or tomorrow (depending upon your support contract).


  • 5.  RE: Too many false positives for the past few days on SAV, anything wrong with the Symantec Security Response Team?

    Posted Jul 07, 2009 02:10 PM
    I have informed the Security Response Team of your issue. I will update here when I have more information.


  • 6.  RE: Too many false positives for the past few days on SAV, anything wrong with the Symantec Security Response Team?

    Posted Jul 07, 2009 03:39 PM
    @tekkid: The false positive was from the SAV client, not SEP.

    @Sandeep Cheema, the good chance was that the definition I got, which supposedly corrected the false positive, continued to quarantine the valid program files. Here is the Symantec developer note:

    The sample(s) that you provided are not infected with a virus, worm, or Trojan, and do not contain malicious code. It appears to be a false identification. To solve the false identification problem, please follow the instructions at the end of this email message to download and install the latest RapidRelease definitions.

    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.


    Virus definition detail:

    Sequence Number Greater Than: 97647
    Defs Version: 110706ai
    Extended Version: 07/06/2009 rev.35

    However, the updated def continues to false positive. I submitted one more time today and was told the false positive will be corrected in another RP; I hope it does this time.
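Before concluding that a rapid release failed to fix a false positive, it is worth confirming that the definitions actually installed on the client are newer than the threshold the Security Response note quotes. The following is an added example in Python, not code from the thread or from Symantec: it parses the "Virus definition detail" block quoted in the post above and compares it with constructed client records, reporting whether each client's definition set can contain the fix at all. The letter-suffix decoding (a=1 ... z=26 as base-26 digits, which does reproduce "ai" = 35 from the note), the rule that the release date and rev must also have advanced, and the client records themselves are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Definition detail block as quoted in the post above (copied from the thread).
RESPONSE_NOTE = """Virus definition detail:

Sequence Number Greater Than: 97647
Defs Version: 110706ai
Extended Version: 07/06/2009 rev.35
"""


@dataclass(frozen=True)
class DefsVersion:
    sequence: int      # definition sequence number
    defs_version: str  # e.g. "110706ai"
    released: date     # taken from the Extended Version field
    revision: int      # rev within that release day


def rev_from_letters(letters: str) -> int:
    """Decode the letter suffix of a defs version as base-26 digits with a=1.

    Assumption (not stated on the page): this is how the suffix encodes the
    rev number; it does reproduce "ai" -> 35 from the quoted note.
    """
    n = 0
    for ch in letters.lower():
        if not "a" <= ch <= "z":
            raise ValueError(f"bad revision letter {ch!r}")
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n


def parse_response_note(text: str) -> DefsVersion:
    """Pull the fix threshold out of a Security Response false-positive note."""
    seq = re.search(r"Sequence Number Greater Than:\s*(\d+)", text)
    ver = re.search(r"Defs Version:\s*(\d{6})([a-z]+)", text)
    ext = re.search(r"Extended Version:\s*(\d{2})/(\d{2})/(\d{4})\s+rev\.(\d+)", text)
    if not (seq and ver and ext):
        raise ValueError("note lacks a complete 'Virus definition detail' block")
    month, day, year, rev = (int(g) for g in ext.groups())  # US-style mm/dd/yyyy
    decoded = rev_from_letters(ver.group(2))
    if decoded != rev:  # suffix and rev.N in the note should agree
        raise ValueError(f"suffix {ver.group(2)!r} decodes to rev {decoded}, note says rev.{rev}")
    return DefsVersion(int(seq.group(1)), ver.group(1) + ver.group(2), date(year, month, day), rev)


def installed_has_fix(installed: DefsVersion, fix: DefsVersion) -> tuple[bool, str]:
    """Can the definitions on a client contain the corrected signature?

    The note says "Greater Than", so a client sitting exactly on the quoted
    sequence number still has the pre-fix set.  Assumed rule: date/rev must
    have advanced as well; a newer sequence with an older date/rev means the
    client's reported version is inconsistent and should be re-read, not trusted.
    """
    if installed.sequence <= fix.sequence:
        return False, (f"sequence {installed.sequence} is not greater than {fix.sequence}: "
                       "still on pre-fix definitions, pull the newer rapid release")
    if (installed.released, installed.revision) <= (fix.released, fix.revision):
        return False, (f"sequence {installed.sequence} is newer but {installed.released} "
                       f"rev.{installed.revision} is not: inconsistent set, re-read the client version")
    return True, (f"sequence {installed.sequence} > {fix.sequence} with newer date/rev: "
                  "fix should be present; if the file is still quarantined, resubmit the sample")


# Constructed client records (not real SAV data) covering the three outcomes.
SAMPLE_CLIENTS = {
    "fin-ws-01": DefsVersion(97647, "110706ai", date(2009, 7, 6), 35),  # exactly on threshold
    "fin-ws-02": DefsVersion(97651, "110706aj", date(2009, 7, 6), 36),  # newer rapid release
    "fin-ws-03": DefsVersion(97700, "110706ab", date(2009, 7, 6), 2),   # seq newer, rev older
}


def check_clients(note: str = RESPONSE_NOTE, clients=SAMPLE_CLIENTS) -> dict[str, bool]:
    """Map each client name to whether its installed definitions should carry the fix."""
    fix = parse_response_note(note)
    return {name: installed_has_fix(ver, fix)[0] for name, ver in clients.items()}


if __name__ == "__main__":
    threshold = parse_response_note(RESPONSE_NOTE)
    for name, ver in SAMPLE_CLIENTS.items():
        ok, why = installed_has_fix(ver, threshold)
        print(f"{name}: {'has fix' if ok else 'no fix'} ({why})")
```

Only a client whose sequence number is strictly above the quoted one and whose date/rev has moved past 07/06/2009 rev.35 is a valid test of the corrected definitions; a client on the threshold itself, or reporting a mismatched version, tells you nothing about whether Security Response fixed the signature.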