Endpoint Protection

 View Only

  • 1.  "... computer reported file reputation lookup issues"

    Posted Apr 30, 2015 09:11 AM

    Just about every day SEPM sends an email alert saying a few computers have "reported file reputation lookup issues". Its not all of the computers and its usually a differnt mix of several computers every time.

    This means that a few computers had issues connecting to Symantec to download some Insight reputation files right?

    So I have two questions:

    Is there a specific URL I can browse to on client machines to confirm they have connectivity to Symantec's file repurtation database?

    When do SEP clients connect to this database and can I set that to a fixed schedual (like can file reputation DB at 4:00am every day for updates)



  • 2.  RE: "... computer reported file reputation lookup issues"

    Broadcom Employee
    Posted Apr 30, 2015 09:13 AM

    Hi,

    Thank you for posting in Symantec community & would be glad to anwer your query.

    We have specific article for that:

    How to test connectivity with Insight and Symantec Licensing servers

    http://www.symantec.com/docs/TECH163042

    To test connectivity with the Insight servers

    1. Go to the following page: https://ent-shasta-mr-clean.symantec.com:443/incident-mrc/1

    2. If the connection is working correctly, you will be re-directed to http://www.symantec.com

    3. Go to the following page: https://ent-shasta-rrs.symantec.com/mrclean

    4. If the connection is working correctly, you will see HTTP 400 Bad Request.
      There is no main page or redirect for this server.

    Note: If the client uses a proxy server with authentication, you must create trusted Web domain exceptions for the URLs in these procedures.



  • 3.  RE: "... computer reported file reputation lookup issues"
    Best Answer

    Posted Apr 30, 2015 09:13 AM

    It usually occurs if they can't connect to due to a blip on the network for some reason.

    There is no schedule you can set as it happens automatically when a file download attempt happens

    Try this:

     

    1. Go to the following page: https://ent-shasta-mr-clean.symantec.com:443/incident-mrc/1

    2. If the connection is working correctly, you will be re-directed to http://www.symantec.com

    3. Go to the following page: https://ent-shasta-rrs.symantec.com/mrclean

    4. If the connection is working correctly, you will see HTTP 400 Bad Request.
      There is no main page or redirect for this server.

     



  • 4.  RE: "... computer reported file reputation lookup issues"

    Trusted Advisor
    Posted Apr 30, 2015 09:27 AM

    Hello,

    This happens when the SEP client file reputation check operation is timing out as the external firewall blocks access to https://ent-shasta-rrs.symantec.com/mrclean

    Try the following workaround:

    On the Symantec Endpoint Protection Manager (SEPM):

    1) Go to Policies > Virus and spyware protection > right click and edit the policy > Under Windows settings > protection technology > Download protection

    2) Uncheck "Enable download insight to detect potential risk in downloaded files based on file reputation"

    How to test SEP 12.1 components for functionality

    Required exclusions for proxy servers to allow Endpoint Protection to connect to reputation and licensing servers

    https://support.symantec.com/en_US/article.TECH162286.html

    Hope that helps!!



  • 5.  RE: "... computer reported file reputation lookup issues"

    Broadcom Employee
    Posted Apr 30, 2015 09:28 AM

    There is one more article which can be of your interest.

    Required exclusions for proxy servers to allow Endpoint Protection to connect to reputation and licensing servers

    http://www.symantec.com/docs/TECH162286



  • 6.  RE: "... computer reported file reputation lookup issues"

    Posted Apr 30, 2015 10:01 AM

    Thanks for answering my question. Just want to confirm, this ONLY happens when a client downloads a file via a web browser?

    I was reading about insight and it says it checks files that are downloaded via popular web browsers, but I'm pretty sure some of the computers listed in the email alert werent downloading anything with web browsers (some were servers no one was logged in to).

     

     



  • 7.  RE: "... computer reported file reputation lookup issues"

    Posted Apr 30, 2015 10:14 AM

    Correct. That is my understanding of how it works.



  • 8.  RE: "... computer reported file reputation lookup issues"

    Broadcom Employee
    Posted Apr 30, 2015 11:21 AM

    Nope, that's not correct.

    Insight Lookup occurs during any user- or administrator-defined scan. Some caveats do apply.

    Insight Lookup normally applies to running processes, not files. For instance, in a cloud scan, processes are scanned rather than files.

    You can force an Insight Lookup with a right-click scan directly on the target file. Note that a right-click scan does not provide the Insight Lookup behavior that is equivalent to what happens when accessing files via portals (applications that can download and execute files).

    When a right-click scan is initiated on a selected file, a cloud connection to Symantec can occur if deemed appropriate by the Symantec Endpoint Protection (SEP) client. This scan is strictly used to check for known bad files, so it's a close equivalent to checking the file against the very latest virus and spyware protection definitions Symantec has available, even before Symantec has published them to customers via certified definitions.

    The right-click scan does not do an Insight lookup that provides detection against unknown samples (i.e. new and mutating threats that are not currently on the Symantec blacklist). Right-click scans on folders or drives do not scan using Insight Lookup to prevent performance issues.