Symantec Endpoint Protection (SEP) incorrectly reports a clean, good file as being a threat. Learn how to submit a false positive (e.g. suspected erroneous detection) in this instance.
The criteria that Endpoint Protection uses to identify malicious code is constantly updated in response to emerging threats. Sometimes new or even legitimate software can be mistakenly classified as a threat.
Symantec regularly updates definitions to fix any misclassification to identify only malicious code.
File infectors can make alterations to applications that have been in safe, daily use. If there has been a recent outbreak or infection on the computer or network, it is highly likely that the application has been compromised and the detection is genuine.
Symantec recommends that you treat all detected files as being infected until Symantec Security Response verifies a false detection.
If a legitimate application is identified in error and no other outbreak is occurring, follow these best practices:
If a false positive detection on development builds of internal software or other reasons occurs, consider implementation of scan exceptions. Detections can be suppressed based on criteria such as folder or file extension.
CAUTION: Symantec recommends that you use all exceptions with extreme caution.
To submit a quarantined file for analysis, see Submit online suspicious files quarantined in Endpoint Protection.
After Symantec confirms the false positive and updates the definitions for Endpoint Protection, restore the false positive from quarantine.
For suspected Intrusion Prevention System (IPS) false positives, see Responding to suspected Intrusion Prevention System (IPS) false positives.