Exclusion Guidelines for Endpoint Protection
Article ID: 155148

Products

Endpoint Protection

Issue/Introduction

You want to prevent Endpoint Protection from heuristically detecting a known-good file, typically an in-house or business-critical application that is being flagged as a false positive.

Resolution

Due to the constant changes in the threat landscape, Symantec has taken an aggressively proactive stance toward protecting the endpoints on which its software runs from new and unknown threats. This is manifested primarily through the addition of new heuristic technologies in Endpoint Protection.

While aggressive detection allows us to better protect our users from threats, as with any heuristic detection there is a risk of a False Positive (FP) detection. Additionally, because our heuristics are trained on both the total set of known-good files and the total set of known-bad files we have, files that our products have never seen before present an unknown risk of false positives. In an enterprise with a large Endpoint Protection deployment, this could lead to loss of critical business functionality if an internal application or core business application were mistakenly detected by Symantec.

Symantec will always work to urgently address any and all reported false positives. For large organizations running managed deployments together with in-house or industry-specific applications, however, we want to provide clearer exclusion guidelines so that Symantec Endpoint Protection Manager (SEPM) administrators can make informed decisions about how to handle widespread false positive detections in their environments.

If you are running Endpoint Protection and you are seeing detections of the following types:

    • Bloodhound.SONAR.*
    • SONAR.*
    • Suspicious.*
    • Proactive Threat Protection
    • Client Protection

on any of your internal or business-critical applications, we recommend that you exclude the file(s) in question and, in addition, report the detections to us via our submission site by submitting the file(s) on the Incorrectly Detected by Symantec tab of that webpage. The exclusion restores business functionality immediately; the submission lets us correct the heuristic so the exclusion can later be removed.

Exclusions can be configured in many different ways, but we recommend that administrators always make the prudent choice and use the narrowest scope of exclusion that addresses the issue at hand. In order of increasing scope, exclusions can be made by:

    • file hash
    • file name
    • detection name
    • detection class
    • directory

Directory exclusions in particular should be used very sparingly. An excluded directory is a permanent blind spot: anything written there later is not scanned either, so excluding a directory can make an internal outbreak of an actual worm or virus significantly worse than it would otherwise be. A file-hash exclusion, by contrast, matches exactly one build of the file and nothing else, at the cost of having to be updated whenever the application is patched.
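The following script is an added example to accompany the exclusion-type list and the directory warning above; it is not a Symantec tool and does not talk to SEPM. It builds a small constructed directory tree standing in for an in-house application, then measures how many files each candidate exclusion (hash, file name, directory) would actually exempt from scanning for one false-positive file, and shows the hash-exclusion caveat by patching the binary and checking whether the old hash still matches. All paths, file names and file contents are constructed for the demonstration.

```python
# Added example, not Symantec code: measure how many files a candidate
# exclusion would actually exempt from scanning, so the narrowest one can be
# chosen. Paths, file names and contents below are constructed for the demo.
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_tree() -> Path:
    """Create a constructed directory tree standing in for an in-house app.

    apps/ledger/ledger.exe            the file that was falsely detected
    apps/ledger/plugins/report.dll    a sibling the app legitimately ships
    apps/ledger/cache/update.exe      something dropped into the tree later
    apps/other/ledger.exe             an unrelated file that shares the name
    """
    root = Path(tempfile.mkdtemp(prefix="sep-exclusion-demo-"))
    files = {
        "apps/ledger/ledger.exe": b"MZ constructed ledger build 1.0",
        "apps/ledger/plugins/report.dll": b"MZ constructed plugin",
        "apps/ledger/cache/update.exe": b"MZ constructed later drop",
        "apps/other/ledger.exe": b"MZ a different program, same name",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


def files_covered(root: Path, kind: str, value: str) -> set[str]:
    """Relative paths under root that an exclusion of the given kind exempts.

    kind is "hash", "name" or "directory"; value is the SHA-256 hex digest,
    the bare file name, or the directory path relative to root.
    """
    covered: set[str] = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if kind == "hash" and sha256_of(p) == value:
            covered.add(rel)
        elif kind == "name" and p.name.lower() == value.lower():
            covered.add(rel)
        elif kind == "directory" and rel.startswith(value.rstrip("/") + "/"):
            covered.add(rel)
    return covered


def compare_exclusions(root: Path, fp_rel: str) -> dict[str, set[str]]:
    """For one false positive, show what each exclusion type would also exempt."""
    fp = root / fp_rel
    return {
        "hash": files_covered(root, "hash", sha256_of(fp)),
        "name": files_covered(root, "name", fp.name),
        "directory": files_covered(root, "directory", fp_rel.rsplit("/", 1)[0]),
    }


def simulate_app_update(root: Path, fp_rel: str, old_hash: str) -> bool:
    """Patch the app binary and report whether the old hash exclusion still matches.

    Any change to the file changes its SHA-256, so this returns False: a hash
    exclusion has to be refreshed after every update of the excluded application.
    """
    (root / fp_rel).write_bytes(b"MZ constructed ledger build 1.1")
    return fp_rel in files_covered(root, "hash", old_hash)


if __name__ == "__main__":
    root = build_sample_tree()
    fp_rel = "apps/ledger/ledger.exe"
    for kind, paths in compare_exclusions(root, fp_rel).items():
        print(f"{kind:9s} exclusion exempts {len(paths)} file(s): {sorted(paths)}")
    print("hash exclusion survives app update:",
          simulate_app_update(root, fp_rel, sha256_of(root / fp_rel)))
```

Run against a real application directory, the same comparison (pointing `build_sample_tree` at the actual install path instead) tells you how many unrelated files a name or directory exclusion would silently exempt, which is the number to weigh before choosing anything broader than a hash.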

Please keep the above in mind when dealing with false positives or suspected false positives within your organization, and if you have questions or need further guidance or assistance please don't hesitate to contact Symantec support.