Exclusion Guidelines for Symantec Endpoint Protection 12.1


Article ID: 155148


Updated On:


Endpoint Protection


You want to ensure that Symantec Endpoint Protection 12.1 will not detect a file heuristically.


Due to the constant changes in the threat landscape, Symantec has taken an aggressively proactive stance toward protecting the endpoints its software runs on from new and unknown threats. This is manifest primarily through the addition of new heuristic technologies in our Norton and Symantec Endpoint Protection (SEP) product lines. 

While aggressive detection allows us to better protect our users from threats, as with any heuristic detection, there is a risk of a False Positive (FP) detection. Additionally, as our heuristics are designed based on both the total set of known good files and the total set of known bad files we have, user file space that our products have never seen before present an unknown risk of false positives. In an enterprise with a large Symantec Endpoint Protection deployment, this could lead to loss of critical business functionality if an internal application or core business application was mistakenly detected by Symantec. 

Symantec will always work to urgently address any and all reported false positives, but for large organizations running managed deployments and also running in-house or industry-specific applications, we want to provide clearer exclusion guidelines, so that Symantec Endpoint Protection Manager (SEPM) administrators can make informed decisions about how to handle widespread false positive detections in their environments.


If you are running Symantec Endpoint Protection 12.1, and you are seeing detections of the following types:


                * Bloodhound.SONAR.*

                * SONAR.*

                * Suspicious.*

                * Proactive Threat Protection

                * Client Protection


... on any of your internal or business critical applications, we would recommend that you exclude the file(s) in question in addition to reporting the detections to us via our False Positive Submission form.

Exclusion can be done many different ways, but we would recommend that administrators always make the prudent choice and go with the narrowest scope of exclusion that will address the issue at hand. Exclusions can be done by:

                * file hash

                * file name

                * detection name

                * detection class

                * directory


Directory exclusions in particular should be used very sparingly, as excluding a directory from scanning can make an internal outbreak scenario of an actual worm or virus significantly worse than it would normally be.


Please keep the above in mind when dealing with false positives or suspected false positives within your organization, and if you have questions or need further guidance or assistance please don't hesitate to contact Symantec support.