When looking at SONAR detections (Event 4100) in Advanced Threat Protection (ATP), you notice that some SONAR detections carry incorrect hash values (md5, sha1, or sha2). These detections appear to be for non-malicious files.
ATP 3.0 or later
SONAR detected malicious file explorer.exe with heuristic signature SONAR.SuspPE!gen35
SONAR detected malicious file powershell.exe with heuristic signature SONAR.Powershell!gen6
When you click 'Submit to VirusTotal' you get an error:
You don't have authorization to view this page.
HTTP ERROR 403
The Symantec Endpoint Protection (SEP) client will occasionally submit files based on silent detections. The SEP client does not log these detections as risks because they are intended for statistical analysis only. Currently, ATP does not recognize that these are silent submissions and incorrectly reports them as threats. For more information on how Symantec uses telemetry data, see "Symantec Endpoint Protection Telemetry Submissions."
In addition, the SEP client will use "dummy" hash values on these silent submissions. ATP attempts to correct the hash data, but still provides invalid hash values.
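Until the upgrade is in place, a defender can sanity-check an Event 4100 record before acting on its hashes (for example, before a VirusTotal lookup). The following is an added example, not Symantec code; the event field names and the sample file content are constructed assumptions, and it treats a hash as unreliable if it is malformed or does not match the file retrieved from the endpoint.

```python
import hashlib
import re

# Expected hex-digest lengths for the hash fields ATP shows on an Event 4100 record.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def well_formed(algo, value):
    """True if value is a hex digest of the correct length for algo."""
    return bool(re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[algo], value or ""))


def digests(data):
    """Compute md5, sha1 and sha256 of the file content (lowercase hex)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LENGTHS}


def triage_event(event, file_bytes=None):
    """Classify a SONAR record before anyone relies on its hashes.

    event: dict with 'event_id', 'file' and hash fields (constructed names,
           not an ATP schema). file_bytes: content pulled from the endpoint.
    Returns 'not-sonar', 'malformed-hash', 'hash-mismatch', 'unverified'
    or 'consistent'.
    """
    if event.get("event_id") != 4100:
        return "not-sonar"
    for algo in HASH_LENGTHS:
        if not well_formed(algo, event.get(algo)):
            return "malformed-hash"   # likely a silent-submission artifact
    if file_bytes is None:
        return "unverified"           # cannot confirm without the file
    actual = digests(file_bytes)
    for algo in HASH_LENGTHS:
        if event[algo].lower() != actual[algo]:
            return "hash-mismatch"    # record's hashes do not describe this file
    return "consistent"


# Constructed sample: a fake file body and two events referencing it.
SAMPLE_CONTENT = b"constructed sample file content, not a real binary"
GOOD_EVENT = {"event_id": 4100, "file": "explorer.exe", **digests(SAMPLE_CONTENT)}
BAD_EVENT = dict(GOOD_EVENT, md5="0" * 31)   # wrong length: treat as unreliable

if __name__ == "__main__":
    for ev in (GOOD_EVENT, BAD_EVENT):
        print(ev["file"], triage_event(ev, SAMPLE_CONTENT))
```

Records that come back as malformed-hash or hash-mismatch should be excluded from threat triage and not submitted anywhere until the hashes are re-derived from the actual file.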
This issue is resolved in ATP 3.2. Please upgrade to the latest version of the ATP / SEDR software.