Endpoint Protection

SEPM 14.  I'm having hundreds of false-positive detections on Heur.AdvML.B across my enterprise.  Most of it is in custom code developed and used internally.

I know what Heur.AdvML.B is.  I know all about the Machine Learning and Reputation-based detection.  I know how to upload files to be whitelisted, and I've done that for several.  I know how to exclude individual files, folders, and applications/hashes in the SEPM policy.

I'm looking for the most effective ways to prevent Heur.AdvML.B detections.  I'd like instructions on two items -

1) Change the Action for "Heur.AdvML.B" detection to Alert-Only

2) Disable detection for "Heur.AdvML.B" entirely.

In the Exceptions Policy, Known Risks, this doesn't show up as a Known Risk that I can exclude.  When right-clicking on one of the detected items in the Monitor-Risks view, Add Exception, when I try to add an exception for the Risk there's a message that this detection cannot be excluded by Risk.

The only thing related that I've found is in teh "Virus and Spyware Protection" Policy, under Global Scan Options, there is an option for "Enable Bloodhound Heuristic virus detection".  Will disabling Bloodhound prevent Heur.AdvML.B detections?  Is there a more granular way to handle it?

I very much appreciate any help you can give on this.

 

Configuration options are here:

http://www.symantec.com/docs/HOWTO125816

http://www.symantec.com/docs/TECH236704

There are other factors to be aware of included in this KB article as well.

I appreciate your response, I've read through the articles and they definitely give me a place to start, so thanks.

Is there a way to determine whether I need to be checking in SONAR or in Bloodhound?

https://support.symantec.com/en_US/article.TECH236704.html describes enabling/disabling/tuning Bloodhound, and https://support.symantec.com/en_US/article.HOWTO80987.html#v45103447 describes switching SONAR to Log mode, but I'm not sure how to tell which technology is flagging the false-positives.

Here is one of the Risk Details...

Risk Information

Risk name:	Heur.AdvML.B
Risk severity:	1
Discovered:	05/18/2016 00:00:00
Download site:	N/A
Downloaded or created by:	N/A
File or path:	D:\customapps\Tomcat\kss_save\BEV\BEV2.7\MCSBEV_2_7_interface_packages.zip>>MATLAB Code\work\compiled files\McsPkg.dll
Application:	McsPkg.dll
Version:
File size:	216533
Category set:	Malware
Category type:	Heuristic Virus
SHA-256 Hash:	C290654DFDB525EF8A7A6F7195FE52A3C2B2A8973E85054F6DED44CC28EA4D0B
SHA-1 Hash:	3FAC1DC5A6D1A2F5B287673256EA886AB1867CDD
MD5 Hash:	CAF6C4E4779C3D4CFE056854DD016B7A
Company:	N/A
Certificate issuer:	N/A
Certificate signer:	N/A
Certificate SHA-1 thumbprint:	N/A
Certificate serial number:	N/A
Signature timestamp:	N/A

 

Risk Detection

Date found:	02/27/2018 00:27:39
Description:
Actual action:	Cleaned by deletion
Specified primary action:	Clean
Specified secondary action:	Quarantine
Detection source:	Scheduled scan
Risk detection method:	Heuristic Detection
URL tracking:	Off
Source computer:
Event type:	Virus found
Database insert date:	02/27/2018 00:28:46
Event end date:	02/27/2018 00:27:39
Event client date:	02/27/2018 00:27:39
Permitted application reason:	Not on the permitted application list
Intensive Protection Level:	N/A

 

Risk Reputation

First seen:	Reputation was not used in this detection.
Reputation:	Reputation was not used in this detection.
Prevalence:	Reputation was not used in this detection.
Performance impact:	High
Overall rating:	High
Detection reason:	Antivirus engine
Minimum sensitivity level:	N/A

 

Side effects

Status	Operation	Data Type	Location
Successful	Clean By Deletion	File	D:\customapps\Tomcat\kss_save\BEV\BEV2.7\MCSBEV_2_7_interface_packages.zip>>MATLAB Code\work\compiled files\McsPkg.dll

To disable ML you need to configure bloodhound. If you want «log only» you need to activate the cloud portal. Sonar detections start with Sonar (sonar.something) and are detections by the behavior engine, not machine learning.

To disable ML you need to configure bloodhound. If you want «log only» you need to activate the cloud portal. Sonar detections start with Sonar (sonar.something) and are detections by the behavior engine, not machine learning.

Thanks very much, I'll go ahead with Bloodhound configuration.

Unfortunately as I'm mostly working on airgapped networks I won't be able to take advantage of any cloud portals.  I certainly do hope Symantec will consider the needs of higher-security networks that do not connect to the Internet and add the ability to fully manage their product without a Cloud.

I have done the same configuration about 1 month ago.

Really a nightmad on SEP14, and you have make the good decision which is no using cloud.

It is a mess of it and leak of Symantec engineer support about the issues.

I will going to disable it as it is totally useless.

I have this problem a month ago. Does this mean only solution is to disable Bloodhound? Mmm... quite unusual workaround.

Has anybody tried adding Heur.AdvML.B as an exception?