1. Disable AutoProtect (turn off) from the Norton 2009 program, just temporarily - say 15 mins.
2. Check the location of the file under details (More Details option in Quarantine) and restore the file from Quarantine.
3. Exclude the file (only if you are 100% confident) by adding the file to both the Manual Scan exclusions and AutoProtect exclusions lists, so that future scans won't quarantine it.
4. Re-enable AutoProtect, then run a full system scan to make sure that the file is not detected and quarantined as a threat again.
You can disconnect from the Internet as a precaution when you perform these steps, since you are disabling AutoProtect (real-time protection) in the Norton program. Also, you can exclude the particular file here; there is no need to exclude the entire folder, and thus there won't be any lapse of security.
Yogesh
Message Edited by yogesh_mohan on 02-25-2009 03:11 AM
I am new to NIS 2009. When I did my first full scan, several false positives showed up. I know they are so because they are from Microsoft in recognized program folders and have been there for years with no problems.
I need to learn how to handle these better.
1. If I choose to restore the file, I find it is immediately re-quarantined by AutoProtect!
2. I do not want to exclude the risk signature; that will decrease my protection if the real risk shows up.
3. I discovered Scan Exclusions - AutoProtect exclusions, which allows one to choose a particular file to exclude from future scans, and I suppose that if I exclude the file and then restore it, that should work. But this is a very awkward, roundabout way to do things. You first have to drill down through layers to find the exact name of the file. Then, when you go to the AutoProtect exclusions, you have to search to the level of the file, which is time-consuming, and then discover you cannot find the file because it is quarantined and not there! So you have to compromise and exclude, say, the entire folder. Then restore it.
There must be a better way that I am missing that would allow the false positive to be identified at the quarantine level as a file to be ignored with the click of a button and then restored.
Any help would be appreciated.
Greg
I would recommend number 3. There is no other way to exclude a file. It could be time-consuming, but you won't do this every day, right?
You can give a suggestion for a better way to exclude suspicious files in the NIS 2010 suggestion box.