Getting rid of false positive?
Created: 17 Feb 2010 | Updated: 19 Aug 2010 | 5 comments
One of our clients is producing thousands of alerts about a Windows Indexing file (the indexing service generates the file again over and over....)
Virustotal says it's clean.
I submitted it to Symantec, they say it's clean.
No other computers react to the file.
Risk name is just "ACG", which is not very telling, really...
But how do I stop this now? Has anyone had similar problems?
Last week the same thing happened, for a day, then stopped. Now it's on again...
We tried clearing the indexes, but this didn't help. It comes back.
Client is RU5, defs. Feb 16th, rev 39.
Create a centralized exception for that file:
http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248
Send the file to Symantec again, saying that it is detecting a false positive and the file is genuine; they will correct it in the next virus defs.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Thanks, but the file name is not constant. Last week it was a slightly different name (the files are named with a running number, it seems).
I did point out to Symantec security response that it was a false positive, but they never commented on that.
I also find it strange that it is only this one computer that reacts to the file....
Please submit the file to Symantec Security Response and open a ticket with Support so that it can be dealt with on high priority:
https://submit.symantec.com/websubmit/gold.cgi
https://submit.symantec.com/dispute/false_positive/
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005012415180263
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
Ah, thanks, that's news to me. I only knew of the page for submitting it as a suspicious file.
Now submitted as a false positive, too!
Hi Reedmohn,
The following article may help:
Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
Specifically, look at whether the detection is signature-based or heuristic. What component is logging these detections? If your Bloodhound settings are configured at their highest level and that is resulting in what you have confirmed to be false positives, then you may wish to set them lower.
Thanks and best regards,
Mick