Endpoint Protection

  • 1.  Heur.AdvML.B

    Posted Dec 01, 2017 06:43 AM


    We look after multiple sites for various clients, and over the last couple of weeks we have started getting reports of the virus named in the subject (Heur.AdvML.B) being detected on multiple PCs. Some of these PCs have no relation to one another, as they belong to different clients in different geographical locations. The reports are coming from both Windows 7 and Windows 10 (both 64-bit and Pro) operating systems.


    While the reports we receive state that the issue is resolved and that no action needs to be taken, the following day we receive another report for the same virus but with a different TMP file name. Some examples below:


    c:\windows\temp\wax7ae1.tmp

    c:\windows\temp\wax8938.tmp

    c:\windows\temp\wax6fee.tmp

    c:\windows\temp\wax845e.tmp

    c:\windows\temp\wax7862.tmp

    c:\windows\temp\wax87b3.tmp

    c:\windows\temp\wax9d9f.tmp

    c:\windows\temp\waxc902.tmp


    Is this a true detection or a false positive?


    And if it is a false positive what can we do to stop the detections?


    The clients also receive the reports and are questioning why they are seeing so many alerts.


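The pattern the original poster describes (the same heuristic verdict on a temp file whose name differs only in a random-looking suffix, reported from unrelated sites) is easier to reason about once the reports are clustered rather than read one alert at a time. The script below is an added example, not code from the thread or from Symantec: it normalizes the random part of the file name so wax7ae1.tmp and wax8938.tmp fall into one bucket, counts how many sites and hosts each bucket spans, and lists the recurring heuristic buckets that are worth pulling a sample for and submitting. The tab-separated report format and the sample lines are constructed for the example; SEP's real export columns differ. Note what this does and does not tell you: a pattern recurring across unrelated clients is equally consistent with a shared legitimate product and with widespread malware, so the output is a triage list, not a false-positive verdict.

```python
"""Cluster recurring heuristic detections from endpoint alert reports.

Added example, not from the original post. The report format below
(site<TAB>host<TAB>detection<TAB>path) and the sample lines are constructed
approximations, not Symantec's actual log schema.
"""
import re
from collections import defaultdict

# Constructed sample report lines (site, host, detection, path).
SAMPLE_REPORTS = """\
clientA-london\tPC01\tHeur.AdvML.B\tc:\\windows\\temp\\wax7ae1.tmp
clientA-london\tPC07\tHeur.AdvML.B\tc:\\windows\\temp\\wax8938.tmp
clientB-leeds\tWS12\tHeur.AdvML.B\tc:\\windows\\temp\\wax6fee.tmp
clientC-glasgow\tLT03\tHeur.AdvML.B\tc:\\windows\\temp\\wax845e.tmp
clientB-leeds\tWS04\tHeur.AdvML.B\tc:\\windows\\temp\\waxc902.tmp
clientA-london\tPC02\tTrojan.Gen.2\tc:\\users\\bob\\downloads\\invoice.exe
"""

# Four or more consecutive hex digits in a file stem is treated as a random
# suffix (wax7ae1, wax8938, ...). This is a heuristic; a legitimate stem that
# happens to contain such a run (e.g. "face") would be collapsed too.
HEX_RUN = re.compile(r"[0-9a-f]{4,}")


def normalize_path(path: str) -> str:
    """Collapse the random hex run in the file stem so that differently
    named temp files from the same producer share one bucket."""
    path = path.lower().replace("/", "\\")
    folder, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = HEX_RUN.sub("####", stem)
    return f"{folder}\\{stem}.{ext}" if dot else f"{folder}\\{stem}"


def parse_reports(text: str) -> list:
    """Parse the constructed tab-separated report into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        site, host, detection, path = line.split("\t")
        rows.append({"site": site, "host": host,
                     "detection": detection, "path": path})
    return rows


def cluster_detections(rows: list) -> dict:
    """Group rows by (detection name, normalized path)."""
    clusters = defaultdict(lambda: {"sites": set(), "hosts": set(), "paths": set()})
    for r in rows:
        key = (r["detection"], normalize_path(r["path"]))
        clusters[key]["sites"].add(r["site"])
        clusters[key]["hosts"].add(r["host"])
        clusters[key]["paths"].add(r["path"].lower())
    return clusters


def recurring_heuristic_patterns(clusters: dict, min_sites: int = 2) -> list:
    """Heuristic (Heur.*) verdicts on a random-named file that recur across
    at least `min_sites` sites. These are the buckets to pull a sample from
    and submit to the vendor; recurrence alone is not a verdict either way."""
    out = []
    for (det, npath), c in clusters.items():
        if det.lower().startswith("heur.") and "####" in npath \
                and len(c["sites"]) >= min_sites:
            out.append((det, npath, len(c["sites"]), len(c["hosts"])))
    return sorted(out)


if __name__ == "__main__":
    found = recurring_heuristic_patterns(cluster_detections(parse_reports(SAMPLE_REPORTS)))
    for det, npath, n_sites, n_hosts in found:
        print(f"{det}  {npath}  sites={n_sites} hosts={n_hosts}")
```

Feed it a real export by replacing SAMPLE_REPORTS with the exported rows in the same four-column order; the clustering and the site/host counts are what tell you whether one bucket is responsible for the volume of alerts clients are seeing.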


  • 2.  RE: Heur.AdvML.B

    Posted Dec 01, 2017 12:05 PM

    This is coming from the machine learning ability of SEP.  Do you know the source of these files? Are they being downloaded from the Internet? You may need to submit to Symantec for further analysis and engage support:

    https://www.symantec.com/security-center/submit-virus-samples



  • 3.  RE: Heur.AdvML.B

    Posted Dec 01, 2017 12:18 PM
    I had a similar experience a while back. That time the wax files were related to a false positive on old Secunia patch management cache files. It stopped by itself when all the old files were deleted.


  • 4.  RE: Heur.AdvML.B

    Posted Dec 04, 2017 09:02 AM

    Hi David,

    Just wondering if you submitted any of those files to the False Positives portal, and what the findings were?

    Submit false positives detected by Endpoint Protection
    http://www.symantec.com/docs/TECH98360




  • 5.  RE: Heur.AdvML.B

    Posted Dec 04, 2017 09:26 AM

    @Brian, we do not know the source of the files, and all users are locked down in AD so they cannot download or install anything without Admin approval. We haven't submitted any files as they are removed by SEP, and the next day the file name is different but, again, removed by Symantec.

    Over the weekend we have only had two instances from the same site; the other sites have not yet reported anything, which makes me more certain that this is a false positive, especially since we have been seeing it at multiple sites with no relation to one another other than that they all run Windows OS and MS Office in one guise or another.

    Obviously we'll keep an eye on it, but I think TORB's experience may be what we will see too.




  • 6.  RE: Heur.AdvML.B

    Posted Jan 18, 2018 08:08 AM

    We also have multiple false positive detections. We submitted many samples as false positives, but every time our developer changes something in the application (new version) we have false positive alerts again. Annoying...



  • 7.  RE: Heur.AdvML.B

    Posted Jan 19, 2018 05:03 PM

    Is code signing an option?

    Adam



  • 8.  RE: Heur.AdvML.B

    Posted Jan 22, 2018 07:01 PM

    So far, my solution is to add a folder exception for R&D and service engineers for the in-house applications.

    This is not good practice, but at least it solves the problem for the multiple increasing versions they have.


    regards,

    Loh



  • 9.  RE: Heur.AdvML.B

    Posted Jan 24, 2018 10:35 PM

    I got a suggestion from Symantec to disable the machine learning feature, since the heuristic detection is based on advanced machine learning.

    I'm still testing and pending the new versions of the application from the software team.

    But maybe an isolated group for R&D would be great.



  • 10.  RE: Heur.AdvML.B

    Posted Feb 26, 2018 09:23 AM

    I have the same problem:

    If we compile one of our applications written in Delphi, a Heur.AdvML.B is detected. It's really annoying for our developers.
    The heuristic detection doesn't look very mature here.

    My problem is that I have no idea how to help Symantec improve it. Submitting single files as false positives prevents that single file from being detected, but as soon as the sources are changed, the files are detected again.

    Regards,
    Michael
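Posts 6 and 10 describe the same operational gap: a false-positive submission covers the specific file that was submitted, so a rebuild produces a binary that the earlier submission does not cover and the alert returns. The script below is an added example, not code from the thread, Symantec or any of the posters' build systems: it keeps a SHA-256 manifest of artefacts that have already been submitted and, after each build, reports the outputs whose digest is not yet in the manifest, so the team knows exactly which new files still need to go to the FP portal instead of finding out from the next alert. The build directory layout, the `*.exe`/`*.dll` patterns and the manifest file name are assumptions; the "binaries" in the walkthrough are constructed byte strings.

```python
"""Track which build artefacts have already been submitted as false positives.

Added example, not from the original thread. A per-file FP submission covers
one specific file, so each rebuild needs its new digests checked against what
was already submitted. Directory layout, file patterns and the manifest name
are assumptions made for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a file (works for large binaries)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_artifacts(build_dir: Path, patterns=("*.exe", "*.dll")) -> dict:
    """Map relative artefact path -> SHA-256 for every matching file."""
    return {
        str(p.relative_to(build_dir)).replace("\\", "/"): sha256_file(p)
        for pat in patterns
        for p in sorted(build_dir.rglob(pat))
    }


def load_manifest(manifest: Path) -> set:
    """Digests already submitted (empty set if no manifest yet)."""
    return set(json.loads(manifest.read_text())) if manifest.exists() else set()


def record_submission(manifest: Path, digests) -> None:
    """Append the digests of files that were just submitted."""
    known = load_manifest(manifest)
    known.update(digests)
    manifest.write_text(json.dumps(sorted(known), indent=2))


def unsubmitted(current: dict, submitted: set) -> dict:
    """Artefacts whose digest no prior submission covers. After a rebuild
    this is exactly the set that will trigger the detection again."""
    return {rel: d for rel, d in current.items() if d not in submitted}


def demo() -> tuple:
    """Walkthrough on constructed fake binaries: submit build 1, rebuild,
    and see that the new output is not covered by the earlier submission."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp) / "build"
        build.mkdir()
        manifest = Path(tmp) / "fp_submitted.json"   # assumed file name

        (build / "app.exe").write_bytes(b"MZ constructed build 1")   # not a real PE
        record_submission(manifest, hash_artifacts(build).values())
        after_submit = unsubmitted(hash_artifacts(build), load_manifest(manifest))

        (build / "app.exe").write_bytes(b"MZ constructed build 2")   # "source changed"
        after_rebuild = unsubmitted(hash_artifacts(build), load_manifest(manifest))
        return sorted(after_submit), sorted(after_rebuild)


if __name__ == "__main__":
    covered, pending = demo()
    print("pending after submission:", covered)
    print("pending after rebuild:   ", pending)
```

Run `unsubmitted()` as a post-build step and submit only what it lists; the manifest also gives support a precise list of digests when escalating, which is more useful than "the same application again".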