Endpoint Protection

  • 1.  Getting rid of false positive?

    Posted Feb 17, 2010 07:54 AM
    One of our clients is producing thousands of alerts about a Windows Indexing file (the indexing service generates the file again over and over....)
    Virustotal says it's clean.
    I submitted it to Symantec, they say it's clean.

    No other computers react to the file.

    Risk name is just "ACG", which is not very telling, really...

    But how do I stop this now? Has anyone had similar problems?
    Last week the same thing happened, for a day, then stopped. Now it's on again...

    We tried clearing the indexes, but this didn't help. It comes back.

    Client is RU5, defs. feb 16th, rev 39.


  • 3.  RE: Getting rid of false positive?

    Posted Feb 17, 2010 08:02 AM
    Please submit the file to Symantec Security Response and open a ticket with Support so that it can be dealt with on high priority

    https://submit.symantec.com/websubmit/gold.cgi

    https://submit.symantec.com/dispute/false_positive/


    http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005012415180263


  • 4.  RE: Getting rid of false positive?

    Posted Feb 17, 2010 09:11 AM
    Thanks, but the file name is not constant. Last week it was a slightly different name (the files are named with a running number, it seems).

    I did point out to Symantec security response that it was a false positive, but they never commented on that.

    I also find it strange that it is only this one computer that reacts to the file....


  • 5.  RE: Getting rid of false positive?

    Posted Feb 17, 2010 09:12 AM
    Ah.. thanks, that's news to me. I only knew of the page for submitting it as a suspicious file.

    Now submitted as a false positive, too!


  • 6.  RE: Getting rid of false positive?

    Posted Feb 18, 2010 05:16 AM
    Hi Reedmohn,

    The following article may help:

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    Specifically, look at whether the detection is signature-based or heuristic. What component is logging these detections? If your Bloodhound settings are configured at their highest level and it is resulting in what you have confirmed to be false positives, then you may wish to set them lower.

    Thanks and best regards,

    Mick