
Download Insight Alert

Created: 27 Mar 2013 • Updated: 27 Mar 2013 | 6 comments

Hi,

 

I'm running the latest versions of SEPM and SEP client. My company develops application software and has recently made a change to a binary file which alerted Download Insight to produce the following dialogue box.

 

[Image: Untitled_0.jpg, screenshot of the Download Insight dialogue box]

 

This is the first time I've encountered this issue, so could I ask for your best-practice guidance?

Thanks 


W007's picture

Look at this public KB

How the Insight Lookup process works

 

Article:TECH169282 | Created: 2011-09-09 | Updated: 2012-06-28 | Article URL http://www.symantec.com/docs/TECH169282

 

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian's picture

What I would recommend is adding the server you're downloading it from as a Trusted Domain. See this article:

How to exclude specific Web domains from the Download Insight verification in SEP 12.1

Article:TECH162264  |  Created: 2011-06-14  |  Updated: 2013-02-21  |  Article URL http://www.symantec.com/docs/TECH162264

 

There is also some additional reading on Download Insight you may want to check out:

Managing Download Insight detections

Article:HOWTO80966  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO80966

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

_Steve's picture

Many thanks for your responses.

Going back to the dialogue box above, on the Activity tab there is an option to Allow this File.

Would I be right in saying that once clicked the file becomes proven? 

.Brian's picture

I believe even if you Allow it, you still need to add it as an exception. Allowing it only allows you to download it in this one instance.


Mick2009's picture

Another recommended article:

Insight Deployment Best Practices
Article URL http://www.symantec.com/docs/DOC5077

False Positive Prevention
SEP 12.1 will not detect known good files as malware. There are several ways to make sure your good files are known as ‘good’. The following steps will help prevent false positives when using SEP 12.1.

Step 1 – Using Digital Signatures
One of the easiest ways to identify that a file is ‘good’ is to know where it came from and who created it. An important factor in building confidence in a file being ‘good’ is to check its digital signature. Executable files without a digital signature have a higher chance of being identified as ‘unknown’ or low-reputation.
• Custom or home-grown applications should be digitally signed with class three digital certificates
• Customers should insist that their software vendors digitally sign their applications
Step 2 - Add to the Symantec White List
Symantec has a growing white list of over 25 million ‘good’ files. These files are used in testing signatures before they are published. Their hash values are also stored online and used to avoid false positives on the SEP client via real-time cloud lookups whenever a file is detected by any of our client security technologies (e.g., SONAR behavioral technology, a fingerprint, etc.). This white list is a powerful tool for avoiding false positives. Customers and vendors can add files to this list.
• Software vendors can request that their executable be added to the Symantec white list at https://submit.symantec.com/whitelist/ .....
 etc

With thanks and best regards,

Mick
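
An added example, not part of the post above or of the Symantec article it quotes: a pre-release check for the "Step 1 – Using Digital Signatures" advice, which fails a build when any shipped binary is unsigned, has an invalid signature, or lacks a timestamp. The release path and the list of file extensions are assumptions; `Get-AuthenticodeSignature` and `Get-FileHash` are standard PowerShell cmdlets.

```powershell
# Added example: verify Authenticode signatures on build output before release.
# $ReleaseDir is a hypothetical placeholder path; point it at your own build output.
param(
    [string]$ReleaseDir = 'C:\build\release'
)

if (-not (Test-Path -Path $ReleaseDir -PathType Container)) {
    Write-Error "Release directory not found: $ReleaseDir"
    exit 2
}

# Assumption: these are the file types the product ships.
$extensions = '.exe', '.dll', '.msi', '.sys'

$report = Get-ChildItem -Path $ReleaseDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, etc.
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # A timestamp countersignature keeps the signature verifiable
            # after the signing certificate itself has expired.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Recorded so the shipped build can be matched against later detection reports.
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$report | Format-Table -AutoSize -Wrap

# Anything that is not a valid, timestamped signature blocks the release.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) are unsigned, invalid, or not timestamped:"
    $bad | ForEach-Object { Write-Warning "  $($_.File) [$($_.Status)]" }
    exit 1
}

Write-Output "All $(@($report).Count) binaries carry a valid, timestamped signature."
```

A `HashMismatch` status on a file that was signed earlier means the binary changed after signing and needs to be re-signed before it is published.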

AjinBabu's picture

Hi

Auto-Protect includes a feature that is called Download Insight, which examines the files that users try to download through Web browsers, text messaging clients, and other portals.

Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Windows Live Messenger, and Yahoo Messenger.

Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only for the clients that run on Windows computers.

By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab. When the Automatically trust any file downloaded from an intranet site option is enabled, Symantec Endpoint Protection allows any file that a user downloads from any sites in the lists.

Note:

Download Insight recognizes only explicitly configured trusted sites. Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Download Insight does not recognize 10.*.*.* as a trusted site. Download Insight also does not support the sites discovered by the Internet Options > Security > Automatically detect intranet network option.

Regards

Ajin