Endpoint Protection

  • 1.  SONAR - False Positives for Windows OS Components

    Posted Oct 29, 2012 02:50 PM

    We are starting to see more false positives for Microsoft operating system files from the source: Heuristic Scan.

    I believe this is now called SONAR by Symantec.

    I’d rather not add the false positives as exceptions as that would exclude them from scanning – even if they become infected.

    I don’t see a way to tweak the sensitivity of the Heuristic scanning as we were able to do in previous versions using TruScan.

    Below are examples of the false positives we have received – below that are the settings for SONAR. Please let me know what can be changed to decrease the amount of SONAR false positives.

     

    False Positives:

    Risk name: Microsoft® Windows® Operating System
    File path: c:\windows\syswow64\rundll32.exe
    File path: c:\windows\system32\notepad.exe
    File path: c:\windows\system32\drvinst.exe
    File path: c:\windows\system32\services.exe
    File path: c:\windows\system32\svchost.exe

    SONAR Settings:

    High risk detection: Quarantine
    Low risk detection: Log

    DNS change detected: Block
    Host file change detected: Block

    High risk detection: Block
    Low risk detection: Log

    Environment Info:

    2003 Standard
    SEP 12.1.1101
    XP (32-bit) & W7 (32 & 64-bit) Clients



  • 2.  RE: SONAR - False Positives for Windows OS Components
    Best Answer

    Posted Oct 29, 2012 02:57 PM

    I'm surprised to see those MS services as being detected... Check the log to see exactly what for. These are due to DNS change detected or Host file change detected.

    I had the same issue and had to turn those off.

    Check these:

    About SONAR

    https://www.symantec.com/business/support/index?page=content&id=HOWTO80968

    Monitoring SONAR detection results to check for false positives

    https://www.symantec.com/business/support/index?page=content&id=HOWTO80749&actp=search&viewlocale=en_US&searchid=1351537212673


    Handling and preventing SONAR false positive detections

    https://www.symantec.com/business/support/index?page=content&id=HOWTO80987&actp=search&viewlocale=en_US&searchid=1351537212673



  • 3.  RE: SONAR - False Positives for Windows OS Components

    Trusted Advisor
    Posted Oct 29, 2012 03:27 PM

    Hello,

    Check these Articles - 

    Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name

    http://www.symantec.com/docs/TECH161493

    Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

    http://www.symantec.com/docs/TECH164391

    Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    http://www.symantec.com/docs/TECH194108

    Symantec Endpoint Protection 12.1 SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

    http://www.symantec.com/docs/TECH168849

    Hope that helps!!



  • 4.  RE: SONAR - False Positives for Windows OS Components

    Posted Oct 29, 2012 04:10 PM

    Hi Brian81,

    Thank you for your response. 

    You were correct in regards to the false positives being detected under the DNS & Host file change detected settings.

    Surprised this info is not displayed in the actual alert.

    I believe others are starting to post replies now, but I’m going to take the path of least resistance at this point and simply disable the DNS & Host file settings and move on to bigger fires.


    Thank you.



  • 5.  RE: SONAR - False Positives for Windows OS Components

    Posted Oct 29, 2012 04:13 PM

    You can create exceptions, but whatever works best for you.

    Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above

    https://www.symantec.com/business/support/index?page=content&id=TECH194108
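As an added illustration (not code from this thread or from Symantec), the triage the Best Answer describes, checking the log for the event behind each detection, run over constructed sample records. The `key=value;...` record format, the `SONAR.Heuristic.example` name and the user path are assumptions made for the example; real SEP logs look different.

```python
from collections import defaultdict

# Constructed sample detections in a simplified "key=value;..." format modelled
# on the entries quoted in the thread; this is NOT real SEP log output.
SAMPLE_LOG = """\
risk=Microsoft Windows Operating System;path=c:\\windows\\syswow64\\rundll32.exe;event=DNS change detected;action=Block
risk=Microsoft Windows Operating System;path=c:\\windows\\system32\\svchost.exe;event=Host file change detected;action=Block
risk=Microsoft Windows Operating System;path=c:\\windows\\system32\\services.exe;event=DNS change detected;action=Block
risk=Microsoft Windows Operating System;path=c:\\windows\\system32\\notepad.exe;event=Host file change detected;action=Block
risk=SONAR.Heuristic.example;path=c:\\users\\jdoe\\appdata\\local\\temp\\update.exe;event=High risk detection;action=Quarantine
"""

# Windows OS component locations and the two "system change" policy settings
# named in the thread.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_CHANGE_EVENTS = ("DNS change detected", "Host file change detected")


def parse_line(line):
    """Split one 'key=value;key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split(";"))


def classify(entry):
    """Name the SONAR setting behind a detection and say whether the flagged
    file lives in a Windows system directory."""
    event = entry["event"]
    kind = "system-change" if event in SYSTEM_CHANGE_EVENTS else "behavioural"
    os_component = entry["path"].lower().startswith(SYSTEM_DIRS)
    return {"setting": event, "kind": kind, "os_component": os_component}


def triage(log_text):
    """Bucket detections: OS components hit by DNS/hosts-file change events
    are the likely false positives from the thread; everything else (non-system
    paths, or behavioural High/Low risk hits) still needs a manual look."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        info = classify(entry)
        likely_fp = info["kind"] == "system-change" and info["os_component"]
        buckets["likely_fp" if likely_fp else "review"].append(
            (info["setting"], entry["path"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(bucket)
        for setting, path in hits:
            print(f"  {setting:<26} {path}")
```

The per-setting grouping shows which SONAR policy option is generating the noise before anything is switched off or excepted.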