Symantec Web Gateway (SWG) disconnected a connection, and a report shows that SWG identified the connection incorrectly: as an application type different from the actual one, as a malicious web site, as a phone-home attempt, or as a botnet command and control (C&C) channel. This article describes how to report the false positive to Symantec so that the detection is corrected in the nightly database updates.
- Collect evidence which demonstrates the behavior
- Contact technical support to relay this evidence to Engineering
To collect evidence which demonstrates the behavior
- To identify the endpoints of the connection, run an initial Custom Report that shows SWG incorrectly identifying the connection. This Custom Report must show both the Local IP Address column and the Distant IP Address column.
- Start a packet capture within the User Interface of SWG appliance. Make sure to filter for the IP address of each endpoint shown in the Custom Report on the line where the false positive occurs.
- Reproduce the behavior (do whatever it was that caused the false positive). Be sure to record three instances of the behavior.
- Stop the packet capture and save the packet capture files locally.
- Collect a Custom Report that shows SWG incorrectly identifying the connection (either export the report or save a screenshot). This Custom Report must show both the Local IP Address column and the Distant IP Address column, and must show three instances of the behavior.
- If the detection type is "Botnet", also collect a Botnet Report that shows SWG incorrectly identifying the connection.
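Before sending the evidence to technical support, it helps to confirm that the exported Custom Report actually meets the requirements above: both endpoint columns are present and each flagged endpoint pair appears at least three times. The following Python helper is an added example, not code from Symantec or from this article. It assumes the report was exported as CSV with the columns "Local IP Address" and "Distant IP Address" plus a detection-type column, which is assumed here to be named "Detection"; the sample report embedded in the script is constructed, not real SWG output. It also builds a BPF expression (tcpdump/Wireshark syntax) that you can use to verify the saved packet capture contains traffic for the same endpoints.

```python
import csv
import io
from collections import Counter

REQUIRED_COLUMNS = ("Local IP Address", "Distant IP Address")
MIN_INSTANCES = 3  # the procedure asks for three recorded instances

# Constructed sample export; the column layout is an assumption, not a real SWG file.
SAMPLE_REPORT = """Time,Local IP Address,Distant IP Address,Detection
2024-01-01 10:00:00,192.0.2.10,198.51.100.5,Botnet
2024-01-01 10:01:00,192.0.2.10,198.51.100.5,Botnet
2024-01-01 10:02:00,192.0.2.10,198.51.100.5,Botnet
2024-01-01 10:03:00,192.0.2.11,198.51.100.9,Phone Home
"""


def parse_report(text):
    """Parse a CSV export into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def check_evidence(rows, detection_column="Detection"):
    """Group rows by (local IP, distant IP, detection type) and split the groups
    into those that meet the three-instance requirement and those that do not.
    Raises ValueError if a required column is missing from the export."""
    if not rows:
        raise ValueError("report contains no rows")
    header = rows[0].keys()
    missing = [c for c in REQUIRED_COLUMNS + (detection_column,) if c not in header]
    if missing:
        raise ValueError("report is missing columns: " + ", ".join(missing))
    local_col, distant_col = REQUIRED_COLUMNS
    counts = Counter((r[local_col], r[distant_col], r[detection_column]) for r in rows)
    complete = {k: n for k, n in counts.items() if n >= MIN_INSTANCES}
    incomplete = {k: n for k, n in counts.items() if n < MIN_INSTANCES}
    return complete, incomplete


def capture_filter(local_ip, distant_ip):
    """BPF expression for checking the saved capture, for example:
    tcpdump -r capture.pcap 'host 192.0.2.10 and host 198.51.100.5'"""
    return f"host {local_ip} and host {distant_ip}"


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    complete, incomplete = check_evidence(rows)
    for (local, distant, detection), n in complete.items():
        print(f"OK   {detection}: {local} -> {distant} ({n} instances); "
              f"verify capture with: {capture_filter(local, distant)}")
    for (local, distant, detection), n in incomplete.items():
        print(f"NEED {detection}: {local} -> {distant} has {n}, need {MIN_INSTANCES}")
```

Run it against your own export by replacing SAMPLE_REPORT with the file contents; any endpoint pair listed under NEED has fewer than three recorded instances, so reproduce the behavior again before exporting the final report.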