False positive, how to set signature exclusion.

zSandman · ‎06-25-2010

How do I know which signature to exclude?

I'm getting a false positive on a file... I know for a fact that it's clean. I'd like to add this signature to exclusions because this file gets moved around some times and I don't want to have to add it to file exclusions every time I move it. Here's the detection log.

(I removed the file name)

c:\documents and settings\*******\desktop\*****.dll
____________________________
____________________________
On computer as of
6/25/2010 at 1:56:57 PM
Last Used:
6/25/2010 at 1:58:57 PM
Startup Item: No
Launched: No
____________________________
____________________________
Many Users
Hundreds of users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
Origin

Downloaded from Not Available
____________________________
URL Not Available
UNTESTED

Source
********.dll
____________________________
File Actions
File: c:\documents and settings\*******\desktop\*********.dll
Removed
____________________________
File Thumbprint:
Not Available
____________________________

delphinium · ‎11-21-2008

Is there a reason to remove the file name?

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain

floplot · ‎04-11-2009

Hello zSandman

Welcome to the Norton Users Discussion Forum

If you have a file which you think is a false positive, you can submit it to Symantec for further analysis.

Please use this link if you think that a file is a false positive:
https://submit.symantec.com/dispute/

If there is a possibility that the file might be infected, please submit it to Symantec using this link:

https://submit.symantec.com/websubmit/retail.cgi

Another alternative which is fast you can use Threat Expert:

http://www.threatexpert.com/submit.aspx

(Thanks to Yaso for providing the links)

If it turns out that it is a false positive, they should adjust the definitions to reflect that.

Please let us know if this has helped.

Success always occurs in private and failure in full view.

AllenM · ‎12-14-2008

delphinium wrote:
Is there a reason to remove the file name?

Hi zSandman,

I agree, is there a reason to remove the filename?

Is this a file you have created or did it come from somewhere else? If not created by you, how do you know for sure it is safe?

As Floplot said this file should be submitted to Symantec for analysis and if it is truly safe they will make adjustments accordingly.

Best wishes.

Allen

Windows 7 Ultimate SP 1, 32 bit, 4 GB * NIS 2012 (19.8.0.14) * Ghost 15 * IE 9, Firefox, Safari.
Test laptop with W7 Home Premium 64 bit * NIS 2012 (19.8.0.14)

zSandman · ‎06-25-2010

The file name is antiwpa.dll, the reason I removed it is because I don't want this thread to get off topic.

It's not a virus and from reading other threads here it will not be excluded from Norton's detctions as a false positive, but that's not what I'm asking...

I'd like to know what signature should I exclude in NAV so this file doesn't get picked up radless of its location.