Symantec Endpoint Protection

[godf]

Hi there. Symantec updates are always quarantined. Is there any was to add this programme to a safe list, so I don't have to keep manually restoring them?

 

Ta.

[ritchie58]

Hello godf, if using Immunet as a companion AV to another AV it's always advisable to add the complete Program Files directory into Immunet's "Exclusion List" in Settings to avoid such conflicts. Click on the System Tray icon to launch the GUI > click on Settings > scroll down to Add New Exclusion and click on that > click Browse and find the Program Files folder for Symantec and click on that > finally click Add Exclusion and then click Apply. That should do it. Also, add Immunet's Program Files directory into Symantec's Exclusion or Safe Programs list as well. That way they should play nice with each other. If Symantec uses any Temp file(s) while updating you may have to also exclude that/those as well. Let us know if you continue to have problems after adding these exclusions to Immunet.

 

Best wishes, Ritchie...

[godf]

Thanks for the advice.

 

It blocked this file too:

 

c:\Documnets and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\00000744

 

So I've added that folder to the exclusion list.

 

Also, over the last week these files were quarantined as trojans:

 

C:\WINDOWS\temp\TMPF2.tmp

C:\WINDOWS\temp\TMPC9E.tmp

 

Could they be related to Semantic too?

[ritchie58]

It's very possible that Symantec uses those Windows temp files to update. Malware can also uses temp files to gain access to your system. The best thing I can think to do is contact Norton support and find out for sure if their Endpoint Protection software does use those temp files. If so you may have to also exclude those files as well. Here is a link to Norton Support. http://www.symantec.com/business/support/index?page=home

[godf]

Okay. Thanks for the advice.

[ritchie58]

I do have a question. Did you exclude the whole Documents and Settings folder? If so, that's not such a hot idea as that will leave the whole folder more vulnerable to infection. Instead it would be best if you exclude just the complete file path for C:\Documnets and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\00000744

[godf]

I excluded: c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\

 

Also, for general interest, on speaking to Symantec Support, they say the SEP only uses the temp folder during installation/removal: "SEP will write to the temp folder while doing an install/removal & these are not key files."

 

Thanks.

[ritchie58]

Glad to hear that those files are not mission cirtical. This is just an extrapolation on my part but perhaps those install files already contained malware defination signatures by Symantec that were being seen as possibly malicious by Immunet thus the quarantine response by one of Immunet's heuristic detection engines. A plausable scenario.

 

You can change Immunet's quarantine behavior. Enter Settings and scroll down to Quarantine Behavior. The setting for On Detection of Suspicious Files I personally have that set to "Ask Me" instead of the default "Automatic" setting. I think that just might help avoid any possible future conflicts in your case. That way you can decide for yourself if any more files get flagged as suspicious. Let's hope that doesn't happen but I would recommend you give that a try. If you find yourself in a situation where you're not sure a file is legit or malware Virustotal is a great site to use. You can have the file scanned by their on-line scanner or search their extensive library database. https://www.virustotal.com/en/ I use this site quite often myself during the course of my Moderator duties among other things.

 

Cheers, Ritchie...