Endpoint Protection


Insight Network Threat 12.1.6 MP4

  • 1.  Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 12:30 PM

    A couple of days ago one of our customers was working with an application and the executable was quarantined. WS.Reputation.1 - Fewer than 5 users.

    She was puzzled because she had been using the same version a few days prior and Symantec did not try to quarantine it.  The version number had not changed.  Can someone help me understand how this could have happened as I am at a loss?   

    By the way, yesterday I upgraded to 12.1.6 MP4 so when this happened I was at MP3.  


    This same application was quarantined late last year and we added an exception at that time.  The file was located in the Program Files directory.  Is there any way a wildcard can be used if I choose the Prefix Variable [Program_Files]?  The file name looks like this ... 

    filename_2.4.36_x64[2.4.5897.26299].exe 




  • 2.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 12:34 PM
    Also, there is no option to do wildcards, unfortunately.


  • 3.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 12:34 PM
    The version won't matter. But Symantec's reputation rating on the file changed over the course of a day or so. All files are always being evaluated/re-evaluated.


  • 4.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 12:40 PM

    Submit the executable file to Symantec via the link below.

    https://submit.symantec.com/whitelist/

    Select false positive detection; then they will analyse the file.



  • 5.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 01:15 PM

    You have mentioned that you have added an exception for the file from being scanned. There are different types of scans. Exceptions added for one type of scan may not be applicable for other scans.

    If you did not add an exception for Auto-Protect (under security scan), please add it and check if the issue persists. Or you can also add an exception for the file from being scanned by ALL scans.


    Alternatively, you may also submit the file to Symantec as a false positive so that your application will not be detected as an infection in the future.

    Check the link below to submit false positives.

    https://submit.symantec.com/false_positive




  • 6.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 01:44 PM

    Can you further explain ... Symantec's reputation rating on the file?  Is the file submitted and analyzed over a course of several days?  Also, can you tell me if there is a log file that can tell me when an exception was added?  I am trying to determine how many revisions have been added since the prior exception was added.




  • 7.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 01:47 PM

    @seyad

    The exceptions are added for Application Control, Security Risk and Sonar for All Scans



  • 8.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 02:04 PM

    @Brian

    The version that was quarantined has been used in our environment since February 23rd and then Symantec grabbed it on Saturday.  Customer wants an explanation ... 



  • 9.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 04:02 PM

    Can anyone explain to me how a version that has been used on the network for more than one month can suddenly be quarantined?  Again, no changes to the exe.  I don't understand why and need to provide an explanation.  Any assistance is appreciated.



  • 10.  RE: Insight Network Threat 12.1.6 MP4

    Posted Mar 29, 2016 06:35 PM

    In your log, why did Symantec detect it? What is your Insight rating level set to? Default is 5.

    If you need something "official" for your customer, you're best opening a support case so you have documented proof.



  • 11.  RE: Insight Network Threat 12.1.6 MP4
    Best Answer

    Trusted Advisor
    Posted Mar 30, 2016 11:20 AM

    Viruses and malware are being released every day with new coding. It may be possible that the coding of the viruses/malware is very similar to the file that your customer was using, and due to the low reputation rating of the file, it might explain why it got quarantined.

    Each time new definitions are released, all files are re-evaluated and action is taken where needed based on the SEPM/policy settings.

    Hope this answers your question.