Advanced Threat Protection logs SONAR detections with invalid hash data that the Endpoint Protection client does not detect

TECH250289
Last Updated November 27, 2018
Copy Article Title/URL
Feedback
Subscribe

When looking at SONAR detections (Event 4100) in Advanced Threat Protection (ATP), you notice some SONAR detections have incorrect hash values.  (Either md5, sha1, or sha2)  These detections seem to be for non-malicious files. 

ATP 3.0 or later

SONAR detected malicious file explorer.exe with heuristic signature SONAR.SuspPE!gen35

SONAR detected malicious file powershell.exe with heuristic signature SONAR.Powershell!gen6

When you click 'Submit to VirusTotal' you get an error:

You don't have authorization to view this page.

HTTP ERROR 403

The Endpoint Protection (SEP) client will occasionally submit files based on silent detections. The SEP client will not log these detections as risks because they are meant for statistical analysis.  Currently, ATP does not recognize that these are silent submissions and incorrectly reports them as threats. For more information on how Symantec uses telemetry data, see "Symantec Endpoint Protection Telemetry Submissions."

In addition, the SEP client will use "dummy" hash values on these silent submissions.  ATP attempts to correct the hash data, but still provides invalid hash values. 

This issue is resolved in ATP 3.2. Please upgrade to the lates version of the ATP / SEDR software.

Source: ETrack
ID: 4165590
Source: ETrack
ID: 4173689
Source: ETrack
ID: 4175820
Source: ETrack
ID: 4175966

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation