ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Submit false positives incorrectly detected by Endpoint Protection

book

Article ID: 178170

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You need to submit a false positive (e.g. suspected erroneous detection) when Symantec Endpoint Protection (SEP) incorrectly reports a clean, good file as being a threat.

Cause

The criteria that Endpoint Protection uses to identify malicious code is constantly updated in response to emerging threats. Sometimes new or even legitimate software can be mistakenly classified as a threat.

Symantec regularly updates definitions to fix any misclassification to identify only malicious code.

Resolution

Before you begin

File infectors can make alterations to applications that have been in safe, daily use. If there has been a recent outbreak or infection on the computer or network, it is highly likely that the application has been compromised and the detection is genuine.

Symantec recommends that you treat all detected files as being infected until Symantec Security Response verifies a false detection.

If a legitimate application is identified in error and no other outbreak is occurring, follow these best practices:

Step 1. Apply the latest Rapid Release virus definitions

  1. Download and apply the latest Rapid Release virus definitions, which may resolve the false positive detection.
  2. Scan the file again.
    If the file is still detected using the new Rapid Release definitions, proceed to the next step.

Step 2. Create exceptions

If a false positive detection on development builds of internal software or other reasons occurs, consider implementation of scan exceptions. Detections can be suppressed based on criteria such as folder or file extension.

CAUTION: Symantec recommends that you use all exceptions with extreme caution.

Step 3. Contact Symantec for investigation

Non-emergency false positives

  1. Review the recommended submission guidelines.
  2. Submit non-emergency false positives using the Incorrectly Detected by Symantec tab at https://symsubmit.symantec.com/
    You do not have to open a support case for non-emergency requests.

Emergency false positives

  1. Review the recommended submission guidelines.
  2. Submit emergency false positives using the Incorrectly Detected by Symantec tab at https://symsubmit.symantec.com/
  3. Contact Support, which can offer assistance with suspected false positives and provide faster resolution.
  4. Provide Support with the following information. Run SymDiag to collect this information automatically.
    • The version of Endpoint Protection in use.
    • The component that logs the detection (for example, Auto-Protect, Proactive Threat Protection, and Manual Scan)
    • The exact date and revision of definitions in use at the time of the detection.
    • If possible, calculate the MD5 (unique hash identifier) of the file in question.
    • (Not collected automatically) Details on the source of the application, such as the following:
      • Is this file or application commonly or commercially available?
      • Was the file or application developed in-house?
      • Is the file or application part of another software suite?

Step 4. Submit false positives from Quarantine

To submit a quarantined file for analysis, see Submit online suspicious files quarantined in Endpoint Protection.

Step 5. Restore false positives from Quarantine

After Symantec confirms the false positive and updates the definitions for Endpoint Protection, restore the false positive from quarantine.

Additional Information

For suspected Intrusion Prevention System (IPS) false positives, see Responding to suspected Intrusion Prevention System (IPS) false positives.