Endpoint Protection

  • 1.  Compressed Java Files

    Posted Jul 06, 2010 09:52 AM
    11.0.6 installed on server/clients... This is another heavy hitter that comes up every day... Java files... specifically the zip files under the cache... for example: \Application Data\Sun\Java\Deployment\cache\......................\xxxxxx.zip>>sunos\xxxxxxx.class Now I understand that Java files can potentially contain virulent code, but for the most part the antivirus appears to be pulling the flag on these files and labelling them as a 'Downloader' even though they are legit. Is there a way to minimize these particular detections so there are fewer false positive detections on these zip files?


  • 2.  RE: Compressed Java Files

    Posted Jul 06, 2010 10:01 AM
    In the AV/AS policy, remove the option to scan inside compressed files. As it is compressed, it cannot do any harm to the system. Even if you uncheck this, SEP will still detect it as soon as it is extracted.
    ---------------------------------------------------------------------------------------
    If you believe this is a false positive, submit it to Symantec:
    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe



  • 3.  RE: Compressed Java Files
    Best Answer

    Posted Jul 06, 2010 11:02 AM
    Here are 2 articles which may be useful for False Positive settings.

    Title: 'How to increase the sensitivity of Proactive Threat Protection in Symantec Endpoint Protection 11.x'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009120214031748?Open&seg=ent

    Title: 'Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010010319585948?Open&seg=ent

    Another article explains that files in compressed format cannot harm the computer until they are uncompressed.

    Title: 'Auto-Protect does not scan within compressed files'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000111509105448?Open&seg=ent



  • 4.  RE: Compressed Java Files

    Posted Jul 16, 2010 08:39 PM

    I've seen many infections in the same folder java\Deployment\cache on many machines lately.  Symantec Security Response came back as below on my submissions. Not sure what they meant; they haven't said whether it's infected or not. Any idea about this? Is it that, as SEP is unable to scan a file which is more compressed, it's declaring it a suspicious file?


    ---------------------------------------------------------------------------
    Customer Notes
    ---------------------------------------------------------------------------

    These java files are detecting as Downloader by SEP.

    ---------------------------------------------------------------------------
    Developer Notes
    ---------------------------------------------------------------------------

    java class.zip is a container file of type.
    324878e7-471172fb is a container file e.g. archive, email ZIP. This file is contained in java class.zip.
    324878e7-471172fb.idx is a data file. This file is contained in java class.zip.


    ---------------------------------------------------------------------------
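    The posts above describe two things a defender has to do by hand when SEP flags an entry inside the Java Deployment cache: read the `outer.zip>>inner\Foo.class` notation back into an archive on disk, and collect hashes of the container and its entries for a false-positive submission (as post 2 recommends) or for an exception. The script below is an added example, not code from this thread or from Symantec; it builds a constructed toy cache in a temp directory, so the archive name, the entry names and the byte contents are all assumptions. The only real-world detail it relies on is the `0xCAFEBABE` magic that begins every genuine Java class file, which gives a cheap sanity check that a `.class` entry is what its name claims.

```python
"""Triage helper for SEP detections inside Java Deployment cache archives.

Added example (not from the thread or from Symantec). Given a detection path
in SEP's  <archive>.zip>>inner\\path\\Foo.class  form, it locates the archive,
hashes it (SHA-256) for a false-positive submission, lists the .class entries
it carries, and reports whether the named entry is actually present.
"""
import hashlib
import os
import tempfile
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java .class file


def split_detection_path(detection):
    """Split SEP's 'outer.zip>>inner\\Foo.class' notation into (archive, inner).

    SEP reports files found inside archives with '>>'. The inner part is shown
    with backslashes, but zip entries are always named with forward slashes.
    """
    if ">>" not in detection:
        return detection, None
    archive, inner = detection.split(">>", 1)
    return archive, inner.replace("\\", "/")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_archive(archive, inner=None):
    """Describe a cached archive: its hash, its .class entries (with per-entry
    hash and magic check), and whether the entry SEP named exists inside it."""
    report = {
        "archive": archive,
        "sha256": sha256_file(archive),
        "entries": [],
        "inner_found": None,
    }
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
        for name in names:
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            report["entries"].append({
                "name": name,
                "size": len(data),
                "sha256": sha256_bytes(data),
                # a ".class" that does not start with CAFEBABE deserves a closer look
                "valid_class_magic": data[:4] == CLASS_MAGIC,
            })
        if inner is not None:
            report["inner_found"] = inner in names
    return report


def triage_detection(detection):
    """Entry point: take the path string as SEP displays it."""
    archive, inner = split_detection_path(detection)
    return triage_archive(archive, inner)


def build_sample_cache():
    """Constructed sample: a toy cache directory with one zip holding two
    '.class' entries (one with the real magic, one deliberately wrong) plus a
    manifest. Names and contents are invented for the example."""
    root = tempfile.mkdtemp(prefix="java_cache_")
    archive = os.path.join(root, "sample-1234abcd.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("sunos/Foo.class", CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16)
        zf.writestr("sunos/NotReally.class", b"MZ" + b"\x00" * 20)  # wrong magic
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return archive


if __name__ == "__main__":
    sample = build_sample_cache()
    result = triage_detection(sample + ">>sunos\\Foo.class")
    print("container", result["archive"], result["sha256"])
    print("named entry present:", result["inner_found"])
    for entry in result["entries"]:
        print(entry["name"], entry["size"], entry["sha256"], "magic ok" if entry["valid_class_magic"] else "BAD MAGIC")
```

    Run it against a real detection by replacing the sample path with the string copied from the SEP log; the container hash is the value to attach to a submission, and the per-entry list shows what the archive actually contains before you decide between an exception and a clean-up.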




  • 5.  RE: Compressed Java Files

    Posted Aug 11, 2010 12:19 PM
    I have a somewhat similar problem.  During our weekly scheduled scan of workstations, SEP (RU6A) is deleting various java class files.  In our case, the class files being deleted are not inside of compressed files.  Unfortunately, a file with no extension in the same folder as the deleted class file is being left behind (Left alone).  This causes the workstations in question to appear as "still infected" in our SEP console.  And that status never changes despite subsequent weekly scans that come back clean.