Symantec Endpoint Protection (SEP) is detecting a file that is believed to be part of a clean, known application. How can it be confirmed whether this is a genuine detection or a "False Positive"?
The criteria being used by SEP to identify malicious code are constantly updated and revised in response to the newest emerging threats. In some cases, legitimate software has been mistakenly classified as a threat. Definitions are subsequently refined and corrected to identify only malicious code.
Before you begin: File infectors frequently alter applications that have been in safe daily use for a long time. If there has been a recent outbreak or infection on the computer or network, it is highly likely that the application has been compromised and the detection is genuine. Symantec recommends that you treat all "detected" files as infected until your suspicion of a false detection is verified by Symantec Security Response.
If it is believed that a legitimate application is being identified in error, and no other outbreak is underway, best practice calls for the following steps to be taken:
Apply the Latest Rapid Release Definitions
New virus definitions may have already been released to resolve the False Positive detection. Apply the latest available Rapid Release definitions and scan the file once again.
For SEP clients:
Applying rapid release definitions to a Symantec Endpoint Protection (SEP) client.
If the file in question is still detected using the new Rapid Release definitions, proceed to the next step.
If you are experiencing false positive detections on development builds of internal software (or for other reasons), you may consider configuring exceptions to suppress detections based on criteria such as folder or file extension. Information on configuring exceptions in SEP is available here. Use all exceptions with caution: an exception suppresses every detection in its scope, including genuine ones.
Contact Symantec for Investigation
Please use the following portal for non-emergency false positives: https://submit.symantec.com/false_positive Be sure to submit files within the recommended guidelines. Note that it is not necessary to open a case with Technical Support for non-emergency requests.
In case of emergency, submit through the link above and contact Symantec's Technical Support. Tech Support engineers can offer assistance with suspected false positives and help drive the issue to a faster resolution.
Please provide them with the following information (collected automatically by running a SymDiag diagnostic):
- Version of SEP that is in use, and component which is logging the detection (AutoProtect? PTP? Manual Scan?)
- Risk History and details of what the file is being detected as.
- Exact date and revision of definitions in use.
- If possible, calculate the MD5 hash of the file in question
- (Not collected automatically) All available details on the source of the application in question: is it a common, commercially available file? Was it developed in-house? Is it part of another software suite?
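The hash and file details above are the part of the submission that is easy to get wrong by hand (a truncated hash, or a hash of the wrong copy of the file). The following script is an added example, not part of this article or a Symantec tool: it streams a file through MD5 and SHA-256, assembles the details listed above into one record for the submission, and compares the computed MD5 against a reference hash (for example one published by the software vendor) so that a modified binary, as described in the "Before you begin" note, can be spotted. The SEP version, component, detection name and definition revision are parameters you fill in from SymDiag; the values used in the demo are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large binaries are not loaded whole


def file_hashes(path):
    """Return MD5 and SHA-256 hex digests of the file at `path`, streamed."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def matches_reference(path, expected_md5):
    """True if the file's MD5 equals a known-good reference hash (case-insensitive)."""
    return file_hashes(path)["md5"].lower() == expected_md5.strip().lower()


def build_submission_record(path, sep_version, component, detection_name,
                            definitions_revision, source_notes):
    """Collect the details the article asks for into one JSON-serialisable dict."""
    stat = os.stat(path)
    record = {
        "file_path": os.path.abspath(path),
        "file_size_bytes": stat.st_size,
        "file_modified_utc": datetime.fromtimestamp(
            stat.st_mtime, tz=timezone.utc).isoformat(),
        "sep_version": sep_version,            # from SymDiag / the SEP client UI
        "detecting_component": component,      # e.g. AutoProtect, PTP, Manual Scan
        "detection_name": detection_name,      # what SEP reports the file as
        "definitions_revision": definitions_revision,
        "source_notes": source_notes,          # commercial? in-house? part of a suite?
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }
    record.update(file_hashes(path))
    return record


def demo():
    """Run the helpers on a constructed sample file; all values are placeholders."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(b"hello")  # constructed sample content, not a real binary
        sample = tmp.name
    try:
        record = build_submission_record(
            sample,
            sep_version="PLACEHOLDER-SEP-VERSION",
            component="AutoProtect",
            detection_name="PLACEHOLDER-DETECTION-NAME",
            definitions_revision="PLACEHOLDER-DEFINITIONS-REVISION",
            source_notes="In-house build, not commercially distributed",
        )
        # Reference MD5 of b"hello"; a vendor-published hash would go here instead.
        record["matches_reference"] = matches_reference(
            sample, "5d41402abc4b2a76b9719d911017c592")
        print(json.dumps(record, indent=2))
        return record
    finally:
        os.unlink(sample)


if __name__ == "__main__":
    demo()
```

Keep the record alongside the file you upload to the submission portal; if `matches_reference` is false against a hash you trust, treat the file as modified rather than as a false positive.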
Submitting False Positives from Quarantine
To submit a quarantined file for analysis, use the following article: How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)
Restoring False Positives from Quarantine
If the detection is confirmed to be a false positive, corrected AV definitions will be released. To restore the file from Quarantine, the following article can then be used:
For suspected IPS False Positives, please see Best Practice for Responding to Suspected IPS False Positives in Symantec Endpoint Protection.