Endpoint Protection

Hi guys , Can you please tell me when the SEP clients Sends a query or submission requst to either a SEPM or Symantec whenever a file is executed to check its reputation or when any scan is run on the endpoints that requires a lookup to check the reputation then  usually what is the approximate size of this request? 

Thanks 

What's included in a Reputation Request made by the SEP 12.1 Reputation Engine? 

Thanks for the info Brian . Just I need to check one more thing . I read somehwere dont remember exactly when and where that SEP client mantains takes hashes of all of the files in its local hash table/Database that resides on the agent and when it performs some kind of scan it will only re-scan those files for whom the hash has been changed , are you aware of something like that or if you can please share some more details about it in the form of KB article.

Thanks 

I've not read anything like that.

Thanks.

Hello,

yes, it is correct, this is the Insight feature.

You control it in your AV policy under Global Scan Options.

Insight allows scans to skip digitally signed files and trusted good files. Some files contain typical vulnerabilities. After those files are scanned initially, subsequent scans can skip the files since vulnerability definitions rarely change. Insight also uses file reputation data to skip trusted files. You can configure the level of trust. If you select Symantec and Community Trusted, scans skip more files (less secure). If you select Symantec Trusted, scans skip fewer files (more secure).

When scans skip files, the scan performance might improve.

This is documented in the product's guide, under chapter "Adjusting scans to improve computer performance" as well as in this public article:

https://support.symantec.com/en_US/article.HOWTO80964.html

Hi Beppe , thanks for your reply. Can you please share with me how can we access this internal table that is keeping hashes of all of the files?

Thanks 

Hello,

you can't and I don't think there are valid reasons to do it.