
Thread: OT: False Positives - Symantec Endpoint Protection

  1. #1
    Join Date
    Feb 2009
    Location
    Queens, NY, NY
    Posts
    6,508

    OT: False Positives - Symantec Endpoint Protection

    FYI - Our Off-Shore IT department just installed Symantec Endpoint Protection 14.2.4815.1101 over night, and it's blocking / deleting several of our DF19.1 executable programs because it fails some "Heuristic SONAR" testing. The only remedy I can find is to upload the file as a false positive, but that results in hours of frustration trying to get access back to the file that AV has locked out. As soon as I re-compile, the new file is blocked. When I stopped the AV process, it restarted itself.

    I'm honestly convinced some of these Anti-Virus systems are Viruses themselves.

    </rant>
    Michael Mullan.
    Danes Bridge Enterprises.

    ++++++++++++++++++++++++++++
    There is just today. Tomorrow is a concept
    that is mostly theoretical. -- GM Wylie
    ++++++++++++++++++++++++++++

  2. #2
    Join Date
    Feb 2009
    Location
    Somewhere in Vermont, USA - unless I'm not
    Posts
    9,459

    Re: OT: False Positives - Symantec Endpoint Protection

    I've never liked Symantec for this exact reason + they won't listen to reason when you tell them your issues.
    Garret

    All my life, I always wanted to be somebody. Now I see that I should have been more specific.


  3. #3
    Join Date
    Nov 2008
    Location
    Round Rock, TX
    Posts
    7,695

    Re: OT: False Positives - Symantec Endpoint Protection

    Hi Michael,

    I don't think uploading the file as a false positive will help. I did that for several EXEs months ago and the behavior hasn't changed. The best solution I have found is to exclude the workspace Programs folder from Norton's SONAR (not the scan, just the 24/7 live protection).

  4. #4
    Join Date
    Feb 2009
    Location
    South Florida
    Posts
    3,874

    Re: OT: False Positives - Symantec Endpoint Protection

    If it happens on a compile, the issue is the way the linker works. It modifies the file and that is seen as an issue, obviously. The only way around it is to exclude it from the check.

    Of course, this is only a problem on a dev system.
    Michael Salzlechner
    StarZen Technologies, Inc
    http://www.starzen.com

    Development Blog
    http://www.salzlechner.com/dev

    DataFlex Package Manager (aka Nuget for DataFlex)
    http://windowsdeveloper.com/dfPackage

  5. #5
    Join Date
    Oct 2014
    Location
    Heerlen, NL
    Posts
    212

    Re: OT: False Positives - Symantec Endpoint Protection

    Originally posted by Michael Mullan:
    FYI - Our Off-Shore IT department just installed Symantec Endpoint Protection 14.2.4815.1101 over night, and it's blocking / deleting several of our DF19.1 executable programs because it fails some "Heuristic SONAR" testing. The only remedy I can find is to upload the file as a false positive, but that results in hours of frustration trying to get access back to the file that AV has locked out. As soon as I re-compile, the new file is blocked. When I stopped the AV process, it restarted itself.

    I'm honestly convinced some of these Anti-Virus systems are Viruses themselves.

    </rant>
    Hello Michael,

    I had this problem several times, and yes, it is probably going to be frustrating to solve it. I had it with a webapp after installing a new DataFlex version and also with some of my applications. Eventually these problems were solved by sending in multiple examples of the file every time I compiled and got the blocking. Have you tried to contact falsepositives@symantec.com? It is very sad my company doesn't want to switch to a different product but keeps using this failware.

    Regards,

    Leon Raafs

  6. #6
    Join Date
    Feb 2009
    Location
    Queens, NY, NY
    Posts
    6,508

    Re: OT: False Positives - Symantec Endpoint Protection

    I got the actual file whitelisted, which is what I wanted, but when it's re-compiled the MD5 hash will change, and I'll have to re-submit.

    If I turn off scanning for my PC I won't find out it's bad until it is way too late.

    :-(
    Michael Mullan.
    Danes Bridge Enterprises.

    ++++++++++++++++++++++++++++
    There is just today. Tomorrow is a concept
    that is mostly theoretical. -- GM Wylie
    ++++++++++++++++++++++++++++

  7. #7
    Join Date
    Mar 2009
    Posts
    16

    Re: OT: False Positives - Symantec Endpoint Protection

    It's not just Symantec. We are having several .exe's removed by Vipre.

    Ray Wirth

  8. #8
    Join Date
    Feb 2009
    Location
    Goteborg, Sweden
    Posts
    2,922

    Re: OT: False Positives - Symantec Endpoint Protection

    Michael,

    You are really pointing at a pickle here about anti-virus scanners. Q: Do you sign your executables digitally? If so, does that make any difference?

    I have developed a "Digital sign" class that also checks that a digitally signed program has not been tampered with when started - else it exits.

    So one solution could be to use such a solution together with digitally signed programs and *then also* turn off the scanning for that Programs folder. That way you could still be sure that your program won't be the culprit if a virus is spreading through an organization. Perhaps not bullet proof, but at least manageable?
    Nils Svedmyr
    RDC Tools International
    www.rdctools.com

    "One morning I shot an elephant in my pyjamas. How he got into my pyjamas I'll never know"
    Groucho Marx

  9. #9
    Join Date
    Feb 2009
    Location
    Brazil
    Posts
    2,383

    Re: OT: False Positives - Symantec Endpoint Protection

    If I turn off scanning for my PC I won't find out it's bad until it is way too late.
    You don't need to turn it off....
    Just create a rule to skip the directory where your webapp.exe resides.. the AV will never touch it again.

    You know your app is not a virus, so you don't need to let your AV mess with it.
    Samuel Pizarro

  10. #10
    Join Date
    Feb 2009
    Location
    SW Connecticut/NY area
    Posts
    8,021

    Re: OT: False Positives - Symantec Endpoint Protection

    You know your app is not a virus, so you don't need to let your AV mess with it.
    But what if someone else messes with it?
    Bob Worsley
    203-249-2633
    rlworsley at gmail.com

    Do or do not. There is no try. — Yoda
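
Added example, not code from any poster in this thread: one way to pair the folder exclusion discussed above with a signature check, so that a file changed by someone else inside the excluded folder is still noticed. It relies on the signer's certificate staying the same across rebuilds, unlike a per-file hash; the folder path and thumbprint below are placeholders (assumptions), and the function name is hypothetical.

```powershell
# Audit an AV-excluded build folder: every EXE/DLL must carry a valid
# Authenticode signature from the expected signing certificate.
function Test-ExcludedFolderSignatures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProgramsDir,        # assumption: the excluded folder
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # assumption: your code-signing cert
    )

    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()

    Get-ChildItem -Path $ProgramsDir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

            # Status 'HashMismatch' means the file was modified after signing;
            # 'NotSigned' means a binary was dropped in or rebuilt without signing.
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = $thumb
                Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Trusted = ($sig.Status -eq 'Valid') -and ($thumb -eq $expected)
            }
        }
}

# Placeholder values: replace both before running.
$report = Test-ExcludedFolderSignatures `
    -ProgramsDir 'C:\Workspace\Programs' `
    -ExpectedThumbprint '<YOUR-SIGNING-CERT-THUMBPRINT>'

$untrusted = $report | Where-Object { -not $_.Trusted }
$untrusted | Format-Table Path, Status, Signer -AutoSize

# Non-zero exit lets a scheduled task or build step flag the finding.
if ($untrusted) { exit 1 }
```

Run it after each build (once signing has happened) and on a schedule; the SHA-256 column gives a record of what was in the folder at audit time.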
