Endpoint Protection


FILE REPUTATION LOOKUP NOTIFICATION


  • 1.  FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 02:38 AM

    Hi all,

    I excluded this list of sites from my proxy to allow access to Insight Servers

    https://support.symantec.com/en_US/article.TECH162286.html

    Although the access is enabled, I still receive every day a "FILE REPUTATION LOOKUP" notification via email.

    All the notifications are older than a week and I'm sure that every PC can correctly connect to reputation servers. I tried to ack every notification but notifications still appear...

    Thanks in advance

     



  • 2.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 02:54 AM

    See Chetan's comments

    This happens when the SEP client file reputation check operation is timing out as the external firewall blocks access to https://ent-shasta-rrs.symantec.com/mrclean

    Try the following steps:

    Note: Though these settings are not recommended I would suggest to try them to find out possible root cause.

    On the Symantec Endpoint Protection Manager (SEPM):

    1) Go to Policies > Virus and spyware protection > right click and edit the policy > Under Windows settings > protection technology > Download protection

    2) Uncheck "Enable download insight to detect potential risk in downloaded files based on file reputation"

    & Monitor subsequent alerts.

    https://www-secure.symantec.com/connect/forums/file-reputation-lookup-alert



  • 3.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 03:08 AM

    Hi James,

    Thanks for your reply.

    I can correctly connect to https://ent-shasta-rrs.symantec.com and I receive a "400 Bad Request: Unsupported request keyword or unknown static document name"

    If I navigate via browser to https://ent-shasta-rrs.symantec.com/mrclean nothing appears. I don't understand if it's correct or if it's a problem with my proxy.

    I would like to keep active Insight on my computers.

    Regards

     



  • 4.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 03:24 AM

    To test connectivity with the Insight servers

    1. Go to the following page: https://ent-shasta-mr-clean.symantec.com:443/incident-mrc/1

    2. If the connection is working correctly, you will be re-directed to http://www.symantec.com

    3. Go to the following page: https://ent-shasta-rrs.symantec.com/mrclean

    4. If the connection is working correctly, you will see HTTP 400 Bad Request.
      There is no main page or redirect for this server.

    How to test connectivity with Insight and Symantec Licensing servers

    https://support.symantec.com/en_US/article.TECH163042.html

     

    See Beppe's comments

    https://www-secure.symantec.com/connect/forums/sep-clients-internet-access



  • 5.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 03:35 AM

    All correct... but I still receive mail with notification older than a week!



  • 6.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Trusted Advisor
    Posted May 22, 2015 03:41 AM

    Hello,

    It usually occurs if they can't connect due to a blip on the network for some reason.

    There is no schedule you can set, as it happens automatically when a file download attempt happens.

    Try this:

    1. Go to the following page: https://ent-shasta-mr-clean.symantec.com:443/incident-mrc/1

    2. If the connection is working correctly, you will be re-directed to http://www.symantec.com

    3. Go to the following page: https://ent-shasta-rrs.symantec.com/mrclean

    4. If the connection is working correctly, you will see HTTP 400 Bad Request.
      There is no main page or redirect for this server.

    Check this Thread with similar issue -

    https://www-secure.symantec.com/connect/forums/computer-reported-file-reputation-lookup-issues
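
The connectivity test described in posts 4 and 6, as a script that can be run on an affected client instead of a browser. This is an added example, not part of the thread and not Symantec code; the function names are illustrative, and it assumes Python 3 on the client and uses whatever proxy settings Python picks up from the system.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# URLs and pass conditions are the ones given in the thread's test steps.
CHECKS = [
    ("https://ent-shasta-mr-clean.symantec.com:443/incident-mrc/1", "redirect"),
    ("https://ent-shasta-rrs.symantec.com/mrclean", "400"),
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: the 3xx itself is the result we want


def probe(url, timeout=10):
    """Return (status, Location header), or (None, None) if no HTTP response."""
    opener = urllib.request.build_opener(NoRedirect)  # keeps default proxy handling
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx land here
        return err.code, err.headers.get("Location")
    except OSError:  # URLError, timeouts, TLS failures
        return None, None


def evaluate(expect, status, location):
    """Compare one response with what the thread says a working path returns."""
    if status is None:
        return "FAIL: no HTTP response (blocked, timed out, or TLS error)"
    if expect == "redirect":
        host = urlparse(location or "").hostname or ""
        on_symantec = host == "symantec.com" or host.endswith(".symantec.com")
        if 300 <= status < 400 and on_symantec:
            return "OK"
        return f"FAIL: expected redirect to symantec.com, got {status} -> {location}"
    if status == 400:
        return "OK"
    return f"FAIL: expected HTTP 400, got {status}"


def run_checks(probe_fn=probe):
    """Run both checks; probe_fn is injectable so the logic can be tested offline."""
    return [(url, evaluate(expect, *probe_fn(url))) for url, expect in CHECKS]


if __name__ == "__main__":
    for url, verdict in run_checks():
        print(f"{verdict:<60} {url}")
```

A 407 from the proxy, or a redirect to a host outside symantec.com such as a proxy login page, is reported as a failure rather than a pass.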



  • 7.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 04:52 AM

    Hi Mithun

    Already tested, all correct.



  • 8.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 05:05 AM

    Does the notification you received specify the system?

    See Chetan's comments

    https://www-secure.symantec.com/connect/forums/computer-reported-file-reputation-lookup-issues

     



  • 9.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted May 22, 2015 08:13 AM

    It could be that from time to time clients have an issue connecting but simply correct themselves.



  • 10.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Broadcom Employee
    Posted May 22, 2015 02:23 PM

    SEP 12.1 RU6 has been released & it has a bug related to File reputation lookup alert, make sure you are no longer affected by the same.

    File Reputation Lookup Alerts send malformed emails when triggered

    Fix ID: 3713171

    Symptom: File Reputation Lookup Alert notifications created after the install of Symantec Endpoint Protection Manager 12.1 RU5 sends incomplete emails when triggered and does not include details about why this email was sent.

    Solution: File Reputation Lookup Alert notifications are now created correctly and generate the expected email report.

    Reference: New fixes in Symantec Endpoint Protection 12.1.6

    https://support.symantec.com/en_US/article.TECH230558.html

    Upgrading or migrating to Symantec Endpoint Protection 12.1.6 (RU6)

    http://www.symantec.com/docs/TECH230601

    I would recommend upgrading to 12.1 RU6.



  • 11.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted Jun 09, 2015 04:07 PM

    I have the same problem on 12.1.5. The original notification alert was triggered on 06/02. I received an email and then I went into the Endpoint console and acknowledged the event, figured that would be the end of it. Every day since then I have received the alert email again. The date and time of the notification keeps updating, but it still points back to the event time on 06/02, so it's not like the machine is continuing to have problems connecting and it's triggering new events. I am thinking I will just turn off the action to email system administrators if file reputation detection fails, but if this is definitely resolved in 12.1.6, then I will upgrade (even though we just installed 12.1.5 at the end of April at this particular site.)



  • 12.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Broadcom Employee
    Posted Jun 12, 2015 02:53 AM

    SEP 12.1 RU6 has one fix related to lookup alerts but it's not exactly what you mentioned.

    File Reputation Lookup Alerts send malformed emails when triggered

    Fix ID: 3713171

    Symptom: File Reputation Lookup Alert notifications created after the install of Symantec Endpoint Protection Manager 12.1 RU5 sends incomplete emails when triggered and does not include details about why this email was sent.

    Solution: File Reputation Lookup Alert notifications are now created correctly and generate the expected email report.

    Reference: New fixes in Symantec Endpoint Protection 12.1.6

    https://support.symantec.com/en_US/article.TECH230558.html



  • 13.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Broadcom Employee
    Posted Jun 12, 2015 08:48 AM

    Also if you checked default notifications it has file reputation lookup alert configured & condition is 1 computer with file reputation lookup issues. Here you can change the settings as well. Screenshot is attached to the reference.

    Lookup_0.jpg



  • 14.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Broadcom Employee
    Posted Aug 20, 2015 10:21 AM

    Is there any update?



  • 15.  RE: FILE REPUTATION LOOKUP NOTIFICATION

    Posted Sep 22, 2015 02:50 PM

    I am using SEP 12.1.6 RU6 MP1. This should be the latest version. I am receiving daily notifications for 2 PCs in our network for this situation. Both notification event dates are the same dates as when I originally received them. These 2 PC's are going through a proxy to access the internet. I got all the Insight server URL's from a Symantec post and entered them in the proxy to allow access to. I did the connectivity test and both PC's can access the servers.

    There must be a way to clear out these old notifications.