Advanced Threat Protection logs SONAR detections with invalid hash data that the Endpoint Protection client does not detect


Article ID: 171616


Products

Endpoint Protection; Advanced Threat Protection Platform

Issue/Introduction

When looking at SONAR detections (Event 4100) in Advanced Threat Protection (ATP), you notice that some SONAR detections have incorrect hash values (MD5, SHA1, or SHA2). These detections appear to be for non-malicious files, for example:

SONAR detected malicious file explorer.exe with heuristic signature SONAR.SuspPE!gen35

SONAR detected malicious file powershell.exe with heuristic signature SONAR.Powershell!gen6

When you click 'Submit to VirusTotal' you get an error:

You don't have authorization to view this page.

HTTP ERROR 403

Cause

The Endpoint Protection (SEP) client occasionally submits files based on silent detections. The SEP client does not log these detections as risks because they are intended only for statistical analysis. Currently, ATP does not recognize that these are silent submissions and incorrectly reports them as threats. For more information on how Symantec uses telemetry data, see "Symantec Endpoint Protection Telemetry Submissions."

In addition, the SEP client uses "dummy" hash values on these silent submissions. ATP attempts to correct the hash data but still presents invalid hash values.
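A defender-side triage check, added here as an example and not part of the article or the product: it treats Event 4100 records whose MD5/SHA1/SHA2 fields are not well-formed as candidates for the silent-submission artifact described above, so they can be set aside from real SONAR detections. The field names and sample values are assumptions; the article does not describe what the dummy values look like, so the check is a format check (hex of the expected length, not all zeros) rather than a match on known dummy values.

```python
import json
import re

# Expected hex lengths per hash field on an ATP Event 4100 record.
# Field names are assumed; the KB article does not show the raw schema.
HASH_FIELDS = {"md5": 32, "sha1": 40, "sha2": 64}

def hash_problems(event):
    """Return the hash fields of an event that are not well-formed.

    Assumption: a well-formed value is hex of the expected length and not
    all zeros. The article only says the client uses "dummy" values, so
    this is a format check, not a match on specific dummy values.
    """
    problems = []
    for field, length in HASH_FIELDS.items():
        value = str(event.get(field, ""))
        if not re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", value) or set(value) == {"0"}:
            problems.append(field)
    return problems

def triage(events):
    """Split Event 4100 SONAR records into ones worth investigating and
    ones whose hashes are invalid (likely silent-submission artifacts)."""
    review, suspect_artifact = [], []
    for ev in events:
        if ev.get("event_id") != 4100:
            continue
        bad = hash_problems(ev)
        (suspect_artifact if bad else review).append((ev["file"], ev["signature"], bad))
    return review, suspect_artifact

# Constructed sample events modelled on the article's two detections plus one
# well-formed record; all hash values here are made up for illustration.
SAMPLE_EVENTS = json.loads("""[
 {"event_id": 4100, "file": "explorer.exe", "signature": "SONAR.SuspPE!gen35",
  "md5": "00000000000000000000000000000000", "sha1": "abc", "sha2": ""},
 {"event_id": 4100, "file": "powershell.exe", "signature": "SONAR.Powershell!gen6",
  "md5": "not-a-hash", "sha1": "0000000000000000000000000000000000000000",
  "sha2": "zz"},
 {"event_id": 4100, "file": "updater.exe", "signature": "SONAR.Heuristic!gen1",
  "md5": "9e107d9d372bb6826bd81d3542a419d6",
  "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
  "sha2": "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"}
]""")

if __name__ == "__main__":
    review, artifacts = triage(SAMPLE_EVENTS)
    print("investigate:", review)
    print("invalid hash (likely silent submission):", artifacts)
```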

Environment

ATP 3.0 or later

Resolution

This issue is resolved in ATP 3.2. Please upgrade to the latest version of the ATP / SEDR software.