Endpoint Protection


Trojan.Gen.2

  • 1.  Trojan.Gen.2

    Posted Jan 08, 2016 08:17 AM

    We are developing an Enterprise Security application (developed using .NET, Windows application) for authentication purposes. Recently Symantec Endpoint Protection has been treating it as a Trojan. I would like to know in which scenarios Symantec treats it as a Trojan. Do we need to do any specific coding to protect against this, or is it just a Trojan? Please find the details below:

     

    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Security risk detected: Trojan.Gen.2
    File: C:\Program Files (x86)\App\Sample.exe
    Location: C:\Program Files (x86)\App
    Computer: LOCAL
    User: SYSTEM

    Kindly help.

     

     



  • 2.  RE: Trojan.Gen.2

    Posted Jan 08, 2016 08:25 AM

    Trojan.Gen.2 is more of a generic/newer detection signature. Here is a writeup on it:

    https://www.symantec.com/security_response/writeup.jsp?docid=2011-082216-3542-99

    In any event, SEP detected it because a piece of code within it seems to have characteristics of malware. I would send this to them for whitelisting and report a false positive:

    https://submit.symantec.com/whitelist/

    https://submit.symantec.com/false_positive/

    If you can, sign your application.



  • 3.  RE: Trojan.Gen.2

    Posted Jan 08, 2016 08:30 AM

    Thanks for your quick response. But I am wondering why Symantec is treating that specific application as a Trojan. Any specific reason?



  • 4.  RE: Trojan.Gen.2

    Posted Jan 08, 2016 08:36 AM

    SEP detected something in the code that matched one of its signatures. That's a question for someone in Symantec who would need to look at the code.



  • 5.  RE: Trojan.Gen.2

    Posted Jan 08, 2016 10:29 AM

    We have submitted the code. For now it's resolved. We are able to open the application. But I would like to know the options for how we can mitigate this from happening again with future versions of our application.



  • 6.  RE: Trojan.Gen.2

    Posted Jan 08, 2016 10:45 AM

    Once submitted for whitelisting, Symantec will add it to their database.

    One major way would be to digitally sign your app. There are factors that SEP looks at such as:

    - file versioning

    - digital signatures

    - file size

    - type of file packing/encoding used

    - the age of the file

    - what actions the file takes
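
As an added example that is not part of the original thread: a PowerShell check a developer could run on a build before release to record the attributes listed above (version information, digital signature, size, age) together with the SHA-256 of the file. The function name `Get-ReleaseFileReport` is hypothetical, and the sample path is the one from the detection log in the first post.

```powershell
# Added example: pre-release report of the file attributes named in the post above.
# Get-ReleaseFileReport is a hypothetical helper name, not a Symantec tool.
function Get-ReleaseFileReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

        # Collect problems that are cheap to fix before the build ships.
        $issues = @()
        if ($sig.Status -ne 'Valid') {
            $issues += "Authenticode signature status is '$($sig.Status)'"
        }
        elseif (-not $sig.TimeStamperCertificate) {
            # Without a timestamp the signature stops validating when the cert expires.
            $issues += 'Signature has no timestamp countersignature'
        }
        if ([string]::IsNullOrWhiteSpace($file.VersionInfo.FileVersion)) {
            $issues += 'No file version resource'
        }
        if ([string]::IsNullOrWhiteSpace($file.VersionInfo.CompanyName)) {
            $issues += 'No company name in version resource'
        }

        [pscustomobject]@{
            Path        = $file.FullName
            SHA256      = $hash.Hash
            SizeBytes   = $file.Length
            LastWritten = $file.LastWriteTimeUtc
            FileVersion = $file.VersionInfo.FileVersion
            Company     = $file.VersionInfo.CompanyName
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            Issues      = $issues
        }
    }
}

# Sample path taken from the detection log in the first post.
Get-ReleaseFileReport -Path 'C:\Program Files (x86)\App\Sample.exe' | Format-List
```

An empty `Issues` list means the file is signed with a valid, timestamped signature and carries version metadata; it does not predict how any scanner will classify the file.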

     



  • 7.  RE: Trojan.Gen.2

    Posted Feb 22, 2016 01:41 AM

    Hi Brian,

    Thanks for your message. We resolved some of the security issues within our application and are planning to release the new version. Could you please let us know the process to submit the new version? I have a few queries below before submitting the new version.

     

    1) What information do we need to provide in order to submit the new version?

    2) We could see there is an option to upload the files. Do you mean project files or something else?

    3) Is there any document available to get more information on the submission process? (I have found https://submit.symantec.com/whitelist/bcs/Customer%20White%20List%20Program%20Details.pdf )

    Thank you.



  • 8.  RE: Trojan.Gen.2

    Posted Feb 22, 2016 05:39 AM


  • 9.  RE: Trojan.Gen.2

    Posted Feb 22, 2016 08:46 AM

    Hello Praveen,

    I was looking for an answer to my second point.

    2) We could see there is an option to upload the files. Do you mean project files or something else?

    Could you please give me clarity on this? Thanks in advance.



  • 10.  RE: Trojan.Gen.2

    Posted Feb 22, 2016 08:48 AM

    You need to upload those files which are being detected as malicious by SEP in order to kick off the whitelisting process.



  • 11.  RE: Trojan.Gen.2

    Posted Feb 22, 2016 09:20 AM

    Hi VULVAJI,

    Many thanks for the post.

    I would like to know in which scenarios Symantec treats it as a Trojan.

    Unfortunately Symantec cannot reveal any details about what specific attributes, characteristics, behaviors, etc. trigger detections. To do so would empower malware authors to bypass the security.

    For suggestions on how to prevent False Positives I recommend 

    Insight Deployment Best Practices

    Article URL: http://www.symantec.com/docs/DOC5077

    Also see

     

    Adding software to the Symantec Whitelist
    Article URL: http://www.symantec.com/docs/TECH132220

    Software Whitelisting Program Frequently Asked Questions
    Article URL: http://www.symantec.com/docs/TECH232956

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions
     

    With thanks and best regards,

    Mick



  • 12.  RE: Trojan.Gen.2

    Broadcom Employee
    Posted Feb 22, 2016 12:15 PM

    Prevention is better than cure. Therefore, with whitelisting, we request that you provide us with your files/software prior to releasing it to avoid experiencing any possible future false positive detection on any files within your software. If you are currently experiencing a false positive detection on one or more of your files then you should use the false positive portal.

    Symantec does not share data with third parties, and customers also don't have access to the data.