Resolving suspected false positives in Endpoint Protection Cloud
Last Updated June 14, 2019
Resolve a suspected erroneous detection (false positive) when Symantec Endpoint Protection Cloud (SEPC) incorrectly reports a clean, good file as being a threat.
The criteria that Endpoint Protection Cloud uses to identify malicious code is constantly updated in response to emerging threats. Sometimes new or even legitimate software can be mistakenly classified as a threat.
Symantec regularly updates definitions to fix any misclassification to identify only malicious code.
Before you begin
File infectors can make alterations to applications that have been in safe, daily use. If there has been a recent outbreak or infection on the computer or network, it is likely that the application has been compromised and the detection is genuine.
Symantec recommends that you treat all detected files as being infected until Symantec Security Response verifies that the detection is false.
If you believe that a legitimate application is falsely identified, and there is no other outbreak, follow these best practices:
1. Create exclusions.
If you experience a false positive detection on development builds of internal software or for other reasons, create a file or folder exclusion in your Security policy to suppress detections. For more information on the types of exclusions see Available scan exclusions.
CAUTION: Symantec recommends that you use all exclusions with extreme caution.
Submit false positives at https://submit.symantec.com/false_positive. You do not have to open a support case for submissions. The submissions are handled outside of support. You will receive an email follow-up when the analysis is completed.
3. Restore the file(s).
After the files have been confirmed clean and the updated definitions are released, the client should restore the file to its original location if it hasn't already been replaced. If the file is needed sooner, it should be restored from a known clean backup.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe