Endpoint Protection


How do you control on-demand scan's response to tracking cookies?


  • 1.  How do you control on-demand scan's response to tracking cookies?

    Posted Mar 09, 2010 06:33 PM

    We are about to start deploying SEP on our computers.  I noticed today that an on-demand (user-initiated) full scan on one of our test machines found a "tracking cookie."  The scan flagged it as a security risk and then deleted it.  Since we're not sure if we want to delete these cookies automatically, I checked the policy that governs on-demand scans on the affected computer and found that for Security Risks, the First Action is "quarantine." 

    So, unless I'm misreading things, it looks like the response to Tracking Cookies found by Administrator-defined scans is not governed by the Antivirus/Antispyware policy.  Is it controlled elsewhere?  Is there a way for an administrator to configure that response?

    And while we're on the subject of tracking cookies: is there a way to tell whether such a cookie is perfectly benign (as most of them are), and when it is malicious, and possibly a sign that the computer has been compromised?  When we start using SEP in production, I suspect that this question will come up.



  • 2.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Mar 09, 2010 07:57 PM
    Tracking Cookies are used by legitimate web sites to track how many times you access their sites.  Web sites that use this type of cookie usually require a log in to access the site. 
     
    When performing a full scan, these cookies can and will be detected by the scan and as long as the user goes to that site during the day this risk will be found and removed.
     



  • 3.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Mar 11, 2010 09:48 AM
     Prachand,

    I'm sorry, but that isn't an answer.  The user asked a specific question:

    "it looks like the response to Tracking Cookies found by Administrator-defined scans is not governed by the Antivirus/Antispyware policy.  Is it controlled elsewhere?  Is there a way for an administrator to configure that response?"

    This was also asked by MitchNussbaum two days ago:

    "If we don't want the cookie to be deleted, which policy do we modify to change SEP's action?"


    We are having the same issue.  I don't find the answer in the SEP manuals or the GUI.  Where is that setting configured?


  • 4.  RE: How do you control on-demand scan's response to tracking cookies?



  • 5.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Mar 23, 2010 05:20 PM

    I've been fumbling with this issue for a while; and it finally occurred to me that a Centralized Exceptions policy might help.  So I created a new policy, clicked the "Add" button,  and went to Security Exceptions --> Known Risks.  "Tracking Cookies" were on the drop-down list, so I added them to the policy as an "Exception Item."  I'll watch for a while, and see if this stops the on-screen notifications I've been receiving on every scan.

    It might be nice to have a more granular exception, which would allow notifications for certain cookies but not for others, but I'm not sure how I would manage that sort of policy.  So, for now, I'll except all tracking cookies and see how that works for me.



  • 6.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Mar 24, 2010 01:18 AM
    Hi,

    I think the tracking cookies may come under "Trackware" type of threats.

    Please take a look at the screenshot below:





    Policies-> Antivirus / Antispyware policy-> File System Autoprotect-> Actions-> Trackware

    Check the box for override actions. And then you can choose the first action to be left alone.

    Best,
    Aniket


  • 7.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Mar 24, 2010 12:32 PM
    Our policy for Security Risks specifies "Quarantine Risk" as the first action.  Symantec was deleting the tracking cookies, so the action was not being controlled by this policy, and changing this policy would not change anything. 

    And when I looked more closely at the logs, I found the cookies were being deleted by TruScan, not AutoProtect.  When I looked at our TruScan settings, I noticed that we can specify actions for commercial keyloggers and commercial remote control operations (I have them both set to "Log"), but not for other threats detected by TruScan.

    So it looks like a Centralized Exceptions policy is the only tool available to me right now.  Fortunately, it seems to be working now.  I deployed the policy yesterday afternoon, and I haven't seen any Tracking Cookie notifications this morning.



  • 8.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Mar 29, 2010 04:19 PM
    Hey Mitch,
    I acknowledge that I am not addressing your original question, but it is good to hear that you were able to use Centralized Exceptions to overcome your issue with the tracking cookie notification.  I assume that you used "Windows Exceptions-->Security Risk Exceptions-->Known Risks-->Tracking Cookie".  This is one way, but what if the tracking cookie never existed in the first place?

    If you modify your Internet Explorer privacy settings to block third party cookies, then SEP will not encounter them and have to perform clean-up after-the-fact.  Tracking cookies are not malicious as you know, but they could potentially be a privacy concern.

    Tracking Cookie: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99

    Below are the privacy settings in effect on my machine.  I list this as a possible configuration change in your environment and not as a best practice.  This change should be easy to implement via GPO.

    IE 8:
    Tools-->Internet Options
    Privacy tab
    Advanced button




  • 9.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Apr 29, 2010 11:40 AM
    My users are getting a scan window every 4 hours, interrupting their work.

    How can I configure SEPM so that no cookie is scanned and no cookie is deleted? I don't want to show a pop-up window to the user every time a new definition is downloaded.

    Is this possible? Touching the Internet Explorer configuration is not an option.
    Many thanks
    Oliver


  • 10.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Apr 29, 2010 11:48 AM

    Open your Centralized Exceptions policy

    Select the Centralized Exceptions tab

    Click Add ---> Security Risk Exceptions ---> Known Risks

    Scroll down to Tracking Cookie and tick the box

    This should get you what you need.


  • 11.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Apr 29, 2010 12:47 PM
    Thanks! Will be testing it.


  • 12.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Jun 17, 2010 02:16 PM

    The above steps didn't help me, and I am not able to get rid of the trojan fake av alert after the full scan, in spite of me removing the virus from the location and verifying it twice. The virus is gone but the alert keeps coming back.

    Please comment on this, and it's important for me to get this fixed.

    Thanks in advance.
    Amala



  • 13.  RE: How do you control on-demand scan's response to tracking cookies?

    Posted Jun 17, 2010 02:26 PM

    If the alert keeps coming back then I bet there are still traces of the virus. Have you tried using the Norton Power Eraser tool?

    Norton Power Eraser uses aggressive methods to detect these threats; there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default