CLBackup.exe false positive Suspicious Behavior detection

Question

Hi All,

We use Commvault as our enterprise backup and I keep getting Suspicious behaviour detections on “c:\program files\commvault\Simpana\CLBackup.exe” “HIPS/FileWriteMod-003”

I acknowledge the detection and Authorize the application in the appropriate Anti-Virus and HIPS Policy – Suspicious Behaviour.

But with every new version increment of CLBackup.exe I have a new detection.

So far I have 6 versions of the authorized application of “CLBackup.exe”. I guess it’’’’s really not that many when you look at it but….

Is there any way to authorize the application so that a new version doesn’’’’t mean a new addition?

I understand that there may be security concerns with doing this but it’’’’s starting to get annoying.

Does anyone else use Commvault and if you do, how do you manage this?

Regards,

John

This thread was automatically locked due to age.

QC · Accepted Answer

Hello John, the analysis of HIPS/FileWriteMod-003 says that an attempt has been made to write to critical Sophos files . Dunno what these critical Sophos files are and I don't think CLBackup.exe actually attempts to modify the contents but perhaps metadata. Depending on their attributes programs are considered trustworthy or not (otherwise you'd get lots of HIPS alerts). For an installer or occasionally used utilities a lack of trustworthiness it is acceptable - but not for a routinely used application. I'd suggest you send a sample . Likely you will be told the sample is clean and that you can authorize it. You can then follow up on the case to discuss alternate solutions (e.g. what changes would have to be applied to  CLBackup.exe that it doesn't trigger a HIPS alert). Christian :45819