Endpoint Protection

  • 1.  Incorrect Risk Details

    Posted May 08, 2011 08:14 AM

    I installed the new SEP 12 Beta as an unmanaged client. I ran a full scan and it found numerous files it considers malicious. However, when clicking on a file within the results for Risk Details, I found that the Risk Details is sometimes inaccurate. For example, I got numerous "Suspicious.Cloud.2". Most had an action of "Restart Required - Quarantined". Double clicking any of those came up with the same file size and hash even though they were for unrelated files. Corrective action all had mention of Removing QBCFMonitorService (note, the hash that came up for all was for this file).

    On this note, I should mention QBCFMonitorService is a trustworthy file from Intuit Quickbooks, so I do not know why Symantec found this false positive.



  • 2.  RE: Incorrect Risk Details

    Posted May 08, 2011 11:57 PM

    You can create an exception for this, for the time being, and contact Symantec Technical Support, on https://support.broadcom.com, to do a false positive enquiry.

    Alternatively, if you know your technical contact ID, then you can submit the file samples yourselves, to https://submit.symantec.com/gold.



  • 3.  RE: Incorrect Risk Details

    Trusted Advisor
    Posted May 09, 2011 08:35 AM

    Hello,

    Suspicious.Cloud.2 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

    Suspicious.Cloud.2

    For this, you can create a Bloodhound heuristics virus detection exception.

    Also, follow these Symantec Knowledgebase articles:

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

    About managing false positives detected by TruScan proactive threat scans


  • 4.  RE: Incorrect Risk Details

    Posted May 10, 2011 07:10 AM

    Thank you for this information. I understand I can have these whitelisted, but the main issue I was intending to bring up is that the file hashes shown are incorrect when different files are found with the same virus name and action. Obviously, I would be using the file hash to contact Symantec about a false positive, so this is critical to actually be accurate.



  • 5.  RE: Incorrect Risk Details

    Trusted Advisor
    Posted May 10, 2011 07:34 AM

    Hello,

    If a file is Modified, it would have a different Hash #.

    Before you contact Symantec, I would recommend you to submit the files to the Symantec Security Response Team.

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/gold.cgi

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.
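
    Added example, not code from this thread or from Symantec: a small Python check that recomputes the hash of each file listed in Risk Details and flags entries whose reported hash does not match the file on disk, or is shared between different files (the symptom described above), so that a correct hash is in hand before a false-positive submission. It assumes the console shows an MD5, SHA-1 or SHA-256 hex digest; the file names and contents in demo() are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Assumption: Risk Details shows an MD5, SHA-1 or SHA-256 hex digest; pick by length.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_risk_details(entries):
    """entries: (path, reported_hash) pairs copied from Risk Details. Returns
    {path: set of issues}: 'mismatch' (file on disk hashes differently), 'shared'
    (same reported hash as another path, the thread's symptom), 'unknown-algo'."""
    issues = defaultdict(set)
    paths_by_hash = defaultdict(set)
    for path, reported in entries:
        reported = reported.strip().lower()
        paths_by_hash[reported].add(path)
        algo = ALGO_BY_HEX_LEN.get(len(reported))
        if algo is None:
            issues[path].add("unknown-algo")
        elif file_digest(path, algo) != reported:
            issues[path].add("mismatch")
    for paths in paths_by_hash.values():
        if len(paths) > 1:
            for path in paths:
                issues[path].add("shared")
    return dict(issues)

def demo():
    """Constructed sample: two unrelated files the console reported with the same hash."""
    d = tempfile.mkdtemp()
    bodies = {"QBCFMonitorService.exe": b"intuit", "other.exe": b"not intuit", "ok.dll": b"fine"}
    for name, body in bodies.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    qb = file_digest(os.path.join(d, "QBCFMonitorService.exe"), "sha256")
    entries = [(os.path.join(d, "QBCFMonitorService.exe"), qb),
               (os.path.join(d, "other.exe"), qb),  # console showed the QB hash here too
               (os.path.join(d, "ok.dll"), file_digest(os.path.join(d, "ok.dll"), "sha256"))]
    result = {os.path.basename(p): sorted(v) for p, v in verify_risk_details(entries).items()}
    shutil.rmtree(d)  # clean up the constructed files
    return result
```

    Entries that come back clean are the ones whose hash can be quoted in a submission; a 'shared' or 'mismatch' entry means the value shown in the console should not be trusted for that file.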


  • 6.  RE: Incorrect Risk Details

    Posted May 10, 2011 09:00 AM

    Marc, can you post a screenshot of what you are seeing when SEP does the detections please?

    Also if you can post the full details screen (which shows the hash) this will give us more information.

    thanks!