
Advanced Threat Protection logs SONAR detections with invalid hash data that the Endpoint Protection client does not detect


Article ID: 171616


Updated On:


Endpoint Protection Advanced Threat Protection Platform


When you review SONAR detections (Event 4100) in Advanced Threat Protection (ATP), some detections show incorrect hash values (MD5, SHA1, or SHA2). These detections appear to be for non-malicious files, for example:

SONAR detected malicious file explorer.exe with heuristic signature SONAR.SuspPE!gen35

SONAR detected malicious file powershell.exe with heuristic signature SONAR.Powershell!gen6

When you click 'Submit to VirusTotal' you get an error:

You don't have authorization to view this page.



ATP 3.0 or later


The Endpoint Protection (SEP) client occasionally submits files based on silent detections. The SEP client does not log these detections as risks because they are intended for statistical analysis. ATP currently does not recognize that these are silent submissions and incorrectly reports them as threats. For more information on how Symantec uses telemetry data, see "Symantec Endpoint Protection Telemetry Submissions."

In addition, the SEP client uses "dummy" hash values on these silent submissions. ATP attempts to correct the hash data but still provides invalid hash values.
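Until the upgrade is in place, an analyst can at least separate these records from real detections before triage. The following Python script is an added example written for this article; it is not Symantec's code and not part of ATP. It assumes Event 4100 records have been exported with `md5`, `sha1` and `sha2` fields, and it flags any record whose hash fields are not well-formed (wrong length or non-hex characters). The article does not document what the "dummy" values look like, so this check only catches values that are malformed; that limitation is an assumption of the example, and the sample records below are constructed, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Expected hex-digit lengths for the hash fields ATP shows on a SONAR detection.
# Assumption: a "dummy" or mis-corrected hash shows up as a value of the wrong
# length or with non-hex characters. Values that are the right shape pass.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha2": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def invalid_hash_fields(event: Dict[str, object]) -> List[str]:
    """Return the names of hash fields in one event that are not well-formed."""
    bad = []
    for field, length in HASH_LENGTHS.items():
        value = str(event.get(field) or "").strip()
        if len(value) != length or not HEX_RE.match(value):
            bad.append(field)
    return bad


def triage_sonar_events(events: List[Dict[str, object]]) -> Tuple[List[dict], List[dict]]:
    """Split Event 4100 records into (well-formed, suspect).

    Suspect records carry an 'invalid_fields' list so the analyst can see
    which hash values need to be treated as untrustworthy (e.g. likely a
    silent submission rather than a real risk).
    """
    ok, suspect = [], []
    for ev in events:
        if ev.get("event_id") != 4100:
            continue  # only SONAR detections are relevant here
        bad = invalid_hash_fields(ev)
        (suspect if bad else ok).append({**ev, "invalid_fields": bad})
    return ok, suspect


# Constructed sample records (not real telemetry). The hash strings are
# made-up placeholders chosen only to exercise the format check.
SAMPLE_EVENTS = [
    {"event_id": 4100, "file": "explorer.exe", "signature": "SONAR.SuspPE!gen35",
     "md5": "0" * 32, "sha1": "", "sha2": "zz" * 32},
    {"event_id": 4100, "file": "powershell.exe", "signature": "SONAR.Powershell!gen6",
     "md5": "00112233445566778899aabbccddeeff",
     "sha1": "0123456789abcdef0123456789abcdef01234567",
     "sha2": "ab" * 32},
    {"event_id": 4101, "file": "other.exe", "md5": "", "sha1": "", "sha2": ""},
]

if __name__ == "__main__":
    good, bad = triage_sonar_events(SAMPLE_EVENTS)
    for ev in bad:
        print(f"SUSPECT {ev['file']}: invalid {', '.join(ev['invalid_fields'])}")
    for ev in good:
        print(f"OK      {ev['file']}")
```

Run on the constructed sample, the `explorer.exe` record is flagged for its empty SHA1 and non-hex SHA2, the `powershell.exe` record passes, and the non-4100 record is ignored. A record that passes is not proof the hash is genuine, only that it is the right shape; "Submit to VirusTotal" failing, as described above, remains the other signal that the value is not a real file hash.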


This issue is resolved in ATP 3.2. Upgrade to the latest version of the ATP / SEDR software.