CLBackup.exe false positive Suspicious Behavior detection

Hi All,

We use Commvault as our enterprise backup and I keep getting Suspicious behaviour detections on “c:\program files\commvault\Simpana\CLBackup.exe” “HIPS/FileWriteMod-003”

I acknowledge the detection and Authorize the application in the appropriate Anti-Virus and HIPS Policy – Suspicious Behaviour.

But with every new version increment of CLBackup.exe I have a new detection.

So far I have 6 versions of the authorized application of “CLBackup.exe”. I guess it’s really not that many when you look at it but….

Is there any way to authorize the application so that a new version doesn’t mean a new addition?

I understand that there may be security concerns with doing this but it’s starting to get annoying.

Does anyone else use Commvault and if you do, how do you manage this?

Regards,

John

  • Hello John,

    the analysis of HIPS/FileWriteMod-003 says that an attempt has been made to write to critical Sophos files. Dunno what these critical Sophos files are and I don't think CLBackup.exe actually attempts to modify the contents but perhaps metadata. Depending on their attributes programs are considered trustworthy or not (otherwise you'd get lots of HIPS alerts). For an installer or occasionally used utilities a lack of trustworthiness is acceptable - but not for a routinely used application.

    I'd suggest you send a sample. Likely you will be told the sample is clean and that you can authorize it. You can then follow up on the case to discuss alternate solutions (e.g. what changes would have to be applied to CLBackup.exe so that it doesn't trigger a HIPS alert).

    Christian
