Endpoint Protection

  • 1.  Excessive Web Traffic to ent-shasta-rrs.symantec.com

    Posted May 07, 2015 04:06 PM

    I understand that the endpoint client needs Internet access and why it is needed; I am not worried about that part. My question is what would cause large amounts of connections from clients to this URL in short periods of time? When monitoring the proxy and my PC I found 50+ calls to this URL in just a few seconds. All I was doing was browsing a website; I am sure there were other background tasks going on, but nothing out of the ordinary. I have seen this behavior on multiple PCs.

    Is this type of traffic normal?



  • 2.  RE: Excessive Web Traffic to ent-shasta-rrs.symantec.com

    Posted May 07, 2015 04:37 PM

    These could be Insight lookups as well as licensing related:

    http://www.symantec.com/docs/TECH163042



  • 3.  RE: Excessive Web Traffic to ent-shasta-rrs.symantec.com

    Trusted Advisor
    Posted May 08, 2015 03:08 AM

    Hello,

    This is the URL that SEP clients send reputation requests to.

    A client computer sends information about reputation detections to Symantec Security Response for analysis. The information helps to refine Insight's reputation database. The more clients that submit information the more useful the reputation database becomes.

    This is an Insight website: https://ent-shasta-rrs.symantec.com

     
    SEP clients connect to the Insight website; this could not be disabled. This is by design.
     
    How to test connectivity with Insight and Symantec Licensing servers
     
     
    Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers
     

    Data in a reputation request:

    • SEP engine making the reputation request
    • File name
    • File path
    • Hash of the file (SHA256 and MD5)
    • File attributes

    Additional data, if applicable or available:

    • Company name from signature
    • Signature issuer
    • URL (and corresponding IP address)

    Reference:

    What's included in a Reputation Request made by the SEP 12.1 Reputation Engine?

    http://www.symantec.com/docs/HOWTO59336

    You can disable the submission of reputation information. Symantec recommends, however, that you keep submissions enabled.

    Check this Article:

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    https://support.symantec.com/en_US/article.HOWTO80989.html

    Insight determines a file's security rating by examining the following characteristics of the file and its context:

    • The source of the file

    • How new the file is

    • How common the file is in the community

    • Other security metrics, such as how the file might be associated with malware

    Regards,



  • 4.  RE: Excessive Web Traffic to ent-shasta-rrs.symantec.com

    Posted May 11, 2015 06:15 PM

    Thanks for your interest and feedback.

    Let me clarify some more -

    I am not concerned where the Endpoint is connecting to. I understand what the connection is made for. My issue is excessive connections: how many connections to these URLs are expected by one endpoint in what time period? I understand that this number may change based on user behavior, but I would think there should be an average that would be expected.
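
One way to measure the per-endpoint rate asked about above from proxy logs, as an added example that is not part of the original thread and is not Symantec code. It assumes Squid's native access.log layout (the thread does not name the proxy), uses constructed sample lines, and the function names `parse_line` and `peak_bursts` are hypothetical.

```python
from collections import defaultdict

INSIGHT_HOST = "ent-shasta-rrs.symantec.com"  # host named in the thread
# Constructed sample in Squid's native access.log layout (assumption: the
# thread does not say which proxy or log format is in use).
SAMPLE_LOG = """\
1431014760.1 45 10.0.0.5 TCP_MISS/200 1310 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
1431014760.5 40 10.0.0.9 TCP_MISS/200 1288 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
1431014760.9 41 10.0.0.5 TCP_MISS/200 1302 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
1431014761.2 88 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/192.0.2.80 text/html
1431014761.5 39 10.0.0.5 TCP_MISS/200 1295 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
1431014762.2 44 10.0.0.5 TCP_MISS/200 1321 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
truncated line
1431014764.8 42 10.0.0.5 TCP_MISS/200 1299 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
1431014771.0 47 10.0.0.5 TCP_MISS/200 1307 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
1431014790.0 43 10.0.0.9 TCP_MISS/200 1290 CONNECT ent-shasta-rrs.symantec.com:443 - DIRECT/192.0.2.10 -
"""

def parse_line(line):
    """Return (epoch_seconds, client_ip, host), or None for a malformed line."""
    fields = line.split()
    try:
        ts, client, url = float(fields[0]), fields[2], fields[6]
    except (IndexError, ValueError):
        return None
    # Handles both "host:443" (CONNECT) and "scheme://host[:port]/path" URLs.
    host = url.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0].lower()
    return ts, client, host

def peak_bursts(lines, window=5.0, host=INSIGHT_HOST):
    """Per client: (total requests to host, most requests in any `window` seconds)."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == host:
            times[rec[1]].append(rec[0])
    report = {}
    for client, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] >= window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        report[client] = (len(ts), peak)
    return report

if __name__ == "__main__":
    print(peak_bursts(SAMPLE_LOG.splitlines()))
```

Running this over a full day of logs for several endpoints gives an observed baseline to compare any single burst against.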