Download Insight

Created: 27 Mar 2012 | 14 comments

I've read through most of the articles, KBs, and manuals for Download Insight. The problem we're having is that one of our apps is installed from a website on our local Intranet, and it downloads and installs updated apps, patches, etc., and it always gets flagged as WS.Reputation.1.

I've created exceptions for the file in the Central Exceptions policy. I've created a website/domain exception. I've told the AV policy to trust all Local Intranet sites, and the site is listed in the Local Intranet Zone.

The only thing that seems to help is to drop Download Insight down to level 3, and I don't really like having to do that. Is there another way to allow a file on the local Intranet without having to drop the Insight protection level? Again, I've done the exceptions and checked the local Intranet option in the AV policy.

My techs would like to be able to install their users' apps without SEP blocking the download.

pete_4u2002

You should be posting your queries in the SEP forum, not in encryption.

You need to add it to the whitelist.

Check this link:

http://www.symantec.com/business/support/index?page=content&id=TECH132220

dsmith1954

Sorry, guess I clicked a little too high. Meant to click on Endpoint Protection instead of Endpoint Encryption.

So even though I'm not an ISV I can submit a file to be whitelisted?

dsmith1954

I can't answer very many of those questions honestly. We are not an ISV, nor do we publish software. We are end users of this product.

dsmith1954

Is there not a way to get an application recognized by Symantec as being good? You'd think that with the number of times we've installed applications using the vendor-supplied setup, that Insight would recognize it as being safe by now.

Is there a solution to this or do I have to sit on the phone with the vendor to get them to submit this app to Symantec for whitelisting?

_Brian

http://www.symantec.com/business/support/index?pag...

https://submit.symantec.com/whitelist/isv/

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade

Hi dsmith1954,

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories. 

If you believe that a program has been incorrectly classified by the Symantec reputation-based security system, then you may submit a dispute using this Web form.

Check the following links for more details:

http://www.symantec.com/security_response/writeup....

http://www.symantec.com/security_response/print_wr...

I hope it will help you!!!

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

dsmith1954

At the end are questions I can't answer.

  • We have enabled sending info to Symantec for reputation.
  • We have files downloaded from Local Intranet sites automatically trusted.

At what point does a file get a good reputation? This setup file is used at automotive dealerships around the country. You'd think it would have a good detection rate by now.

_Brian

In the AV policy for Insight under Actions have you tried setting "Log Only" for unproven files?

dsmith1954

I tried that. Still doesn't work. The only thing that seems to work is to drop the level down to 3.

Chetan Savade

Hi,

Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information forms a reputation database that Symantec hosts. Symantec products leverage the information to protect client computers from new, targeted, and mutating threats.

The data is sometimes referred to as being "in the cloud" since it does not reside on the client computer. The client computer must request or query the reputation database.

How Symantec Endpoint Protection uses reputation data to make decisions about files

http://www.symantec.com/docs/HOWTO55275

What's included in a Reputation Request made by the SEP 12.1 Reputation Engine?

http://www.symantec.com/docs/HOWTO59336

Chetan Savade

dsmith1954

Apparently that isn't working for this file. We have automotive dealerships that use UCS for Automotive Inventory Management. They use an .exe downloaded from a server internal to our network to 1) install their software and 2) to keep it updated.

I'm sure our dealerships are not the only dealerships in the country that use this software, or that use Symantec Endpoint Protection, so either I've got something configured wrong, or Download Insight isn't working as advertised for this .exe.

Excluding the internal website or the file, even with the ignore option, still generates a notification: either that it was ignored, or that it was blocked again. Dropping down to a level 3 keeps the file from being blocked, but it still generates a report.

dsmith1954

There's also a new file that has been showing up lately from MPI (http://www2.mpifix.com) that is used in their training videos. MPI is an authorized licensee of GM, Ford and Chrysler service and repair information, so I would expect their files to be registered in Download Insight by now. Instead, Download Insight quarantines the files.

Turns out that SONAR, and not Download Insight, is quarantining this file.

Chetan Savade

Hi,

Have you submitted it to Symantec as a false positive?

You would have to submit the files to the Symantec Response Team on the following sites:

https://submit.symantec.com/false_positive/

https://submit.symantec.com/websubmit/gold.cgi

http://www.threatexpert.com/submit.aspx

Chetan Savade