1Password files quarantined by Symantec [False positives]

etaggart
Community Member
edited August 2016 in 1Password 4 for Windows

I'm running into an issue installing the latest beta versions of 4.0 and 6.0 on a corporate laptop running Symantec Endpoint Protection. For some reason SEP is seeing those 1Password versions as threats and quarantining them when I try to install them. Unfortunately I'm not an admin of the machine and can't bypass SEP. I was able to install the earlier version of 1Password, but really need the 6.0 beta as I just switched all my Mac & iOS devices to subscriptions. Any help would be appreciated.


1Password Version: 6.0 beta
Extension Version: Not Provided
OS Version: Win 7
Sync Type: Not Provided
Referrer: kb:undefined, kb-search:Symantec

Comments

  • Hi @etaggart,

    When you said bypass SEP, do you mean you can't add an exception? You don't need to disable SEP but you have to exclude the 1Password file before installing it with this guide.

    Unfortunately, you have to report this as a false positive with Symantec; we can't do much but report it as a false positive as well. They're blocking us because our files are so new that no other Symantec users are using them, so it's a behavioral rule that has a super high rate of false positives.

    We've gotten in touch with them to whitelist 1Password based on our code signature and it should already be in effect by now but it seems like we need to get in touch with them again. /cc @AlexHoffmann

  • etaggart
    Community Member

    Thanks, I was able to convince my SEP admin to add an exception for me. Right, it appears that SEP doesn't have enough users seeing these files or reporting them yet so it errs on the side of caution and flags them as suspect.

    Now I just need to get my company to upgrade their proxy to support TLS 1.2 so I can connect to my.1password.com. :-)

    Thanks! - Ed

  • Hi @etaggart,

    I'm glad your admin got it excluded for you. Hopefully, it won't be a while before your proxy can support TLS 1.2, which is really important for security reasons.

    You're welcome and if there's anything else we can do for you, let us know.

  • etaggart
    Community Member

    I submitted the false positive to Symantec. It should be whitelisted now.

    In relation to submission [3986526].

    Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    Filename: AgileBits.OnePassword.Desktop__1_.msi
    MD5: 0D448500AC7A2A97DE0C9D9B0C4BEEF1
    SHA256: 67206163B0B1D06D3E0B948536415B06BB7BB34E21A23B122E9317142412004A
    Result: Whitelisting for above file is taking effect from now on.

    If detection persists, please contact support:
    Norton: https://support.norton.com/sp/en/us/home/current/info
    SEP: https://support.symantec.com/en_US/endpoint-protection.54619.html

    Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

    If you are a software vendor and would like to upload your software for proactive whitelisting, please complete the following form: https://submit.symantec.com/whitelist/bcs/

    For more information on best practices to reduce false positives:
    http://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf

    For more information about our EAS program, please view http://symc.ly/EAS

    Sincerely,
    Symantec Security Response
    http://securityresponse.symantec.com

  • MikeT
    edited August 2016

    Hi @etaggart,

    That's great to hear, thanks for letting us know. It seems they're still whitelisting based on the file hashes and not our code signature yet. We'll get in touch with them again to see if they can help us with this.
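
An added example, not part of the thread and not AgileBits or Symantec code: it parses the `Filename:` / `MD5:` / `SHA256:` lines of a whitelisting notice like the one quoted above and checks whether a given installer is the exact file the notice covers. The byte strings and the notice built in `demo()` are constructed stand-ins, and the function names are hypothetical; the point is that a hash-based entry covers one build only, so the next release is unknown to the product again.

```python
import hashlib
import re

FIELD = re.compile(r"\s*(Filename|MD5|SHA256):\s*(\S+)\s*$")

def parse_notice(text):
    """Return one dict per 'Filename:' entry found in a whitelisting notice."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "filename":
            current = {"filename": value}
            entries.append(current)
        elif current is not None:
            current[key] = value.lower()  # notices print hex in upper case
    return entries

def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file on disk, read in chunks (use this on a real installer)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def covered_by_notice(sha256_hex, entries):
    """True only if this exact digest is listed. MD5 is parsed but ignored here
    because it is collision-prone and not suitable for an allow decision."""
    return any(e.get("sha256") == sha256_hex.lower() for e in entries)

def demo():
    # Constructed stand-ins for two releases of the same installer.
    build_a = b"constructed stand-in for installer build A"
    build_b = b"constructed stand-in for installer build B"
    # Constructed notice in the same layout as the quoted e-mail.
    notice = (
        "    Filename: Example.Installer.msi\n"
        "    SHA256: " + hashlib.sha256(build_a).hexdigest().upper() + "\n"
        "    Result: Whitelisting for above file is taking effect from now on.\n"
    )
    entries = parse_notice(notice)
    return (covered_by_notice(hashlib.sha256(build_a).hexdigest(), entries),
            covered_by_notice(hashlib.sha256(build_b).hexdigest(), entries))

if __name__ == "__main__":
    print(demo())
```
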

This discussion has been closed.