How the Insight Lookup process works
Article: TECH169282 | Created: 2011-09-09 | Updated: 2013-11-18 | Article URL: http://www.symantec.com/docs/TECH169282
You want to understand how Insight Lookup (CloudScan or Cloud Scan) works in Symantec Endpoint Protection 12.1.
Symantec Insight uses reputation security technology that tracks billions of files from millions of systems to identify new threats as they are created. Based on advanced data mining techniques, Insight seeks out changing encryption and mutating code. Insight separates files at risk from those that are safe, for faster and more accurate malware detection.
Insight Lookup occurs during any user- or administrator-defined scan. Some caveats apply.
Insight Lookup normally applies to running processes, not files. For instance, in a cloud scan, processes are scanned rather than files.
An Insight Lookup can be manually forced on a file via a user-initiated right-click scan directly on the target file. Note that right-click scanning does not provide Insight Lookup behavior equivalent to what happens when files are accessed via portals.
When a right-click scan is initiated on a selected file, a cloud connection to Symantec can occur if the SEP client deems it appropriate, but this is strictly used to check for known bad files. It is therefore a close equivalent to checking the file against the very latest AV/AS definitions Symantec has available (even before Symantec has published them to customers via certified definitions). The right-click scan does NOT do an Insight lookup that provides detection against unknown samples (i.e., new and mutating threats that are not currently on the Symantec blacklist).
Right-click scans on folders or drives do NOT use Insight Lookup; this is to prevent performance issues.
To exclude an application or file from Insight Lookup, you must set an Application Exclusion.
To do this from the SEPM, a client must have already detected the file at least once and forwarded the information to the SEPM so that it shows in the application list. Because of this, it is recommended to install SEP on a client that has a representation of all the applications in the customer's environment and run a full scan so that the SEPM has information about them. You can then correctly set an Application Exclusion for the file.
To set the exclusion in the SEPM:
Go to Policies
Edit your Exceptions policy
Select Windows Exceptions
Locate the application you wish to exclude on the list and select it
Set the Action to Ignore
To set the exclusion from the SEP client:
Click Change Settings
Click Configure Settings for Exceptions
Select Application Exception
Browse to and select the file you wish to exclude