
Central exception for a known security risk ignored by the client


  • 1.  Central exception for a known security risk ignored by the client

    Posted Mar 03, 2010 08:10 AM
    Hi,

    I'm getting a false detection of "Suspicious.Lop" by SEP (11.0.5) while unpacking a ZIP file with some locally developed software.
    I've added a central exception to ignore this "security risk" to my policy and this got pushed to all clients (I see the exception in the Windows registry), but the behaviour of the Auto-Protect scan does not change.

    What am I doing wrong? :-}

    Thanks in advance & regards,
    H. Deeken


  • 2.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 03, 2010 08:12 AM
    Restart the client and see if any difference is present.


  • 3.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 03, 2010 08:18 AM
    Where did you add your exceptions to?
    Did you give the complete path or use wildcards?
    Can you paste the exclusions you see in SEP or in the registry...
    Check if you have excluded it correctly.

    http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248

    http://service1.symantec.com/support/ent-security.nsf/docid/2008093008072448



  • 4.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 04, 2010 02:08 AM
    @AravindKM

    I did restart the client several times during debugging, no change.

    @Rafeeq

    I did not create an exception for a filesystem object (file or directory) but for a "Bekanntes Sicherheitsrisiko" (I've got the German version here; I guess the English text would be something like "known security risk").
    I got to choose the name from a list and had two choices for the action, either log only or ignore.

    Here's the excerpt from the client registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions\23935]
    "FirstAction"=dword:00000011
    "ThreatName"="Suspicious.Lop"
    "Owner"=dword:00000003
    "ProtectionTechnology"=dword:00000001
    "SecondAction"=dword:00000011
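    As an added example that is not part of the thread: a Python check over an exported copy of the key quoted above. It parses the .reg text and answers whether an AdminRiskExceptions entry for a given ThreatName actually reached the client, which is the first thing to verify before suspecting the scan engine. The sample export and the entry 23936 in it are constructed; the dword action codes are reported as integers and not interpreted.

```python
import re
from typing import Dict, List, Optional

# Constructed sample .reg export of the client key quoted in the thread (entry 23936 is invented).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions\23935]
"FirstAction"=dword:00000011
"ThreatName"="Suspicious.Lop"
"ProtectionTechnology"=dword:00000001
"SecondAction"=dword:00000011
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions\23936]
"ThreatName"="Example.Risk.Constructed"
'''

# Parent key from the excerpt; every exception is a numbered subkey below it.
KEY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection"
              r"\AV\Exclusions\AdminRiskExceptions" + "\\")

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}} (strings and dwords only)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # start of a new key
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.groups()
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)   # hex dword -> int
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1]
    return keys

def risk_exceptions(text: str) -> List[dict]:
    """One dict per numbered AdminRiskExceptions subkey, with its id attached."""
    return [{"id": path[len(KEY_PREFIX):], **values}
            for path, values in parse_reg(text).items()
            if path.startswith(KEY_PREFIX) and "ThreatName" in values]

def exception_for(text: str, threat_name: str) -> Optional[dict]:
    """Entry whose ThreatName matches case-insensitively, or None if the policy never arrived."""
    for entry in risk_exceptions(text):
        if str(entry["ThreatName"]).lower() == threat_name.lower():
            return entry
    return None
```

    On a real client, feed it the output of `reg export` of the same key; a match here with detections still occurring points at the scan component (Auto-Protect versus TruScan) rather than at policy delivery.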



  • 5.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 04, 2010 04:00 AM
    Put the zip file in a c:\test folder.
    Create a centralized exception for this folder.
    Try to extract it and check if you are still getting the error message.


  • 6.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 04, 2010 04:19 AM
    The folder exception worked as expected.

    But this does not solve my problem. I can't work with filesystem based exceptions, because I can't predict where a user might access these files.
    The "threat" is not detected based on a specific signature, but based on heuristics. I'm looking for a way to either influence these, so that our software is not falsely detected, or just turn them off.



  • 7.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 04, 2010 04:35 AM

    Have you tried this procedure?

    1. Open SEPM
    2. Click Policies, Centralized Exceptions
    3. Click Add > TruScan Proactive Threat Scan Exceptions > Process
    4. Just follow this format: *filename.* Regardless of the path, drive or folder the file is in, it will simply allow that application.


  • 8.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 04, 2010 07:24 PM
    Any development on your SEPM?


  • 9.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 02:01 AM
    Not yet. I'll try your way today.


  • 10.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 02:21 AM
    1. Log into the SEPM and click Policies.
    2. Under View Policies click Centralized Exceptions.
    3. Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.
    4. In the left pane, click Centralized Exceptions.
    5. Click the Add button to open a drop-down menu. Move the cursor over TruScan Proactive Threat Scan Exceptions to open a second drop-down menu.
    6. Select one of the two options: Detected Processes
    7. Check if your process is listed here; if so, just add it to your exclusions.
    8. You can try the same in the Monitors tab for detected processes.


  • 11.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 02:57 AM
    @Rafeeq

    As far as I understand, TruScan acts on running processes, not on objects in the filesystem.
    I get an alert when the file is written to disk, and it clearly states Auto-Protect-Scan.

    Should this work regardless?



  • 12.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 02:59 AM
    Check if you find the process in the list.


  • 13.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 03:38 AM
    No, I don't see the process in the list. Probably because I never ran the software, just unpacked it to a directory.


  • 14.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 04:08 AM
    Run it once; if it gets detected, create an exclusion.


  • 15.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 04:40 AM
    I have a ZIP archive containing locally created software. When I unpack the archive, Auto-Protect-Scan detects "Suspicious.Lop" and moves two of the executables to quarantine. As soon as I move them back out of quarantine, they are detected again and moved back.
    I have the contents of the ZIP archive unpacked on a network share. If scanning of network drives is enabled in the policy, the same thing happens when I just enter the directory in Windows Explorer.

    I can't run any of these executables and I don't think that TruScan is the culprit here.



  • 16.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 06:26 AM
    Create a folder exception for c:\<one folder name> and extract your software to this folder and try. 


  • 17.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 06:43 AM
    @AravindKM

    Did that already, see above.


  • 18.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 07:02 AM
    @AravindKM

    Sorry, I misunderstood. I did unpack the ZIP in C:\Test and did run the executable, but nothing showed in SEPM.


  • 19.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 07:12 AM
    1. Log into the SEPM and click Policies.
    2. Under View Policies click Centralized Exceptions.
    3. Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.
    4. In the left pane, click Centralized Exceptions.
    5. Click the Add button to open a drop-down menu. Move the cursor over Security Risk Exceptions to open a second drop-down menu.
    6. Select Known Risk.
    7. Here select "Suspicious.Lop" and click OK.

    You can also submit this file to Symantec as a false positive.


  • 20.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 05, 2010 07:37 AM
    I did add an exception this way before starting this thread. That's the one being ignored by the client.



  • 21.  RE: Central exception for a known security risk ignored by the client

    Posted Mar 07, 2010 12:18 AM
    When I come back to office I will attach screenshot process on how to exempt file using centralized exceptions