Resolving suspected false positives in Endpoint Protection Cloud

book

Article ID: 170263

calendar_today

Updated On:

Products

Endpoint Protection Cloud

Issue/Introduction

Attention Customers of Symantec Endpoint Protection Small Business Edition (SEP SBE) and Symantec Endpoint Protection Cloud (SEP Cloud)

These products will be discontinued on November 2, 2020. On this date, the product will stop protecting the endpoints, and access to the console no longer will be available. We recommend that customers migrate to Symantec Endpoint Security Enterprise.

For more information, see Transitioning to Symantec Endpoint Security Enterprise Guide.

Resolve a suspected erroneous detection (false positive) when Symantec Endpoint Protection Cloud (SEPC) incorrectly reports a clean, good file as being a threat.

Cause

The criteria that Endpoint Protection Cloud uses to identify malicious code is constantly updated in response to emerging threats. Sometimes new or even legitimate software can be mistakenly classified as a threat.

Symantec regularly updates definitions to fix any misclassification to identify only malicious code.

Resolution

Before you begin

File infectors can make alterations to applications that have been in safe, daily use. If there has been a recent outbreak or infection on the computer or network, it is likely that the application has been compromised and the detection is genuine.

Symantec recommends that you treat all detected files as being infected until Symantec Security Response verifies that the detection is false.

If you believe that a legitimate application is falsely identified, and there is no other outbreak, follow these best practices:

 

1. Create exclusions.

If you experience a false positive detection on development builds of internal software or for other reasons, create a file or folder exclusion in your Security policy to suppress detections. For more information on the types of exclusions see Available scan exclusions.

CAUTION: Symantec recommends that you use all exclusions with extreme caution.

 

2. Submit file to Symantec for investigation.

  1. Review the recommended submission guidelines.
  2. Submit false positives at https://symsubmit.symantec.com/false_positive.
    You do not have to open a support case for submissions. The submissions are handled outside of support. You will receive an email follow-up when the analysis is completed.

 

3. Restore the file(s).

After the files have been confirmed clean and the updated definitions are released, the client should restore the file to its original location if it hasn't already been replaced. If the file is needed sooner, it should be restored from a known clean backup.