Managing Download Insight detections

Article:HOWTO80966  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO80966
Article Type
How To


Subject


Managing Download Insight detections

Auto-Protect includes a feature that is called Download Insight, which examines the files that users try to download through Web browsers, text messaging clients, and other portals.

Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Google Chrome, Windows Live Messenger, and Yahoo Messenger.

Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only for the clients that run on Windows computers.

Note:

If you install Auto-Protect for email on your client computers, Auto-Protect also scans the files that users receive as email attachments.

See Managing scans on client computers.

Table: Managing Download Insight detections

Task

Description

Learn how Download Insight uses reputation data to make decisions about files

Download Insight uses reputation information exclusively when it makes decisions about downloaded files. It does not use signatures or heuristics to make decisions. If Download Insight allows a file, Auto-Protect or SONAR scans the file when the user opens or runs the file.

See How Symantec Endpoint Protection uses reputation data to make decisions about files.

View the Download Risk Distribution report to view Download Insight detections

You can use the Download Risk Distribution report to view the files that Download Insight detected on your client computers. You can sort the report by URL, Web domain, or application. You can also see whether a user chose to allow a detected file.

Note:

Risk details for a Download Insight detection show only the first portal application that attempted the download. For example, a user might use Internet Explorer to try to download a file that Download Insight detects. If the user then uses Firefox to try to download the file, the risk details show Internet Explorer as the portal.

The user-allowed files that appear in the report might indicate false positive detections.

You can also specify that you receive email notifications about new user-allowed downloads.

See Setting up administrator notifications.

Users can allow files by responding to notifications that appear for detections.

Administrators receive the report as part of a weekly report that Symantec Endpoint Protection Manager generates and emails. You must have specified an email address for the administrator during installation or configured as part of the administrator properties. You can also generate the report from the Reports tab in the console.

See Running and customizing quick reports.

Create exceptions for specific files or Web domains

You can create an exception for an application that your users download. You can also create an exception for a specific Web domain that you believe is trustworthy.

See Specifying how Symantec Endpoint Protection handles monitored applications on Windows clients.

See Excluding a trusted Web domain from scans on Windows clients.

Note:

If your client computers use a proxy with authentication, you must specify trusted Web domain exceptions for Symantec URLs. The exceptions let your client computers communicate with Symantec Insight and other important Symantec sites.

By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab. When the Automatically trust any file downloaded from an intranet site option is enabled, Symantec Endpoint Protection allows any file that a user downloads from any sites in the lists.

Symantec Endpoint Protection checks for updates to the Internet Options trusted sites list at user logon and every four hours.

Note:

Download Insight recognizes only explicitly configured trusted sites. Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Download Insight does not recognize 10.*.*.* as a trusted site. Download Insight also does not support the sites that are discovered by the Internet Options > Security > Automatically detect intranet network option.

Make sure that Insight lookups are enabled

Download Insight requires reputation data from Symantec Insight to make decisions about files. If you disable Insight lookups, Download Insight runs but detects only the files with the worst reputations. Insight lookups are enabled by default.

See Enabling or disabling client submissions to Symantec Security Response.

Customize Download Insight settings

You might want to customize Download Insight settings for the following reasons:

  • Increase or decrease the number of Download Insight detections.

    You can adjust the malicious file sensitivity slider to increase or decrease the number of detections. At lower sensitivity levels, Download Insight detects fewer files as malicious and more files as unproven. Fewer detections are false positive detections.

    At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More detections are false positive detections.

  • Change the action for malicious or unproven file detections.

    You can change how Download Insight handles malicious or unproven files. The specified action affects not only the detection but whether or not users can interact with the detection.

    For example, you might change the action for unproven files to Ignore. Then Download Insight always allows unproven files and does not alert the user.

  • Alert users about Download Insight detections.

    When notifications are enabled, the malicious file sensitivity setting affects the number of notifications that users receive. If you increase the sensitivity, you increase the number of user notifications because the total number of detections increases.

    You can turn off notifications so that users do not have a choice when Download Insight makes a detection. If you keep notifications enabled, you can set the action for unproven files to Ignore so that these detections are always allowed and users are not notified.

    Regardless of the notifications setting, when Download Insight detects an unproven file and the action is Prompt, the user can allow or block the file. If the user allows the file, the file runs automatically.

    When notifications are enabled and Download Insight quarantines a file, the user can undo the quarantine action and allow the file.

    Note:

    If users allow a quarantined file, the file does not automatically run. The user can run the file from the temporary Internet folder. Typically the folder location is drive:\\Documents and Settings\username\Local Settings\Temporary Internet Files.

See Customizing Download Insight settings.

Allow clients to submit information about reputation detections to Symantec

By default, clients send information about reputation detections to Symantec.

Symantec recommends that you enable submissions for reputation detections. The information helps Symantec address threats.

See Enabling or disabling client submissions to Symantec Security Response.



Article URL http://www.symantec.com/docs/HOWTO80966


Terms of use for this information are found in Legal Notices