Endpoint Protection


How to check if Download Insight works properly?

  • 1.  How to check if Download Insight works properly?

    Posted Nov 24, 2011 09:57 AM

    Hello, I've recently upgraded our SEPM to 12.1 RU1 and my PC. The policy for download is set to maximum:

    This afternoon, I received an e-mail (spam) with a link to download a zip file:

    This mail smells of spam at 500%, so I decided to click on the link to go to the web page to see how SEP would react. Internet Explorer asked me if I wanted to 'Open' or 'Save as' a zip file. I clicked on 'Save as'. And SEP let me download the zip file to my desktop. I extracted the file in the zip:

    Update.Pdf__________________________________________________________________.exe

    I have submitted the file to Symantec Response for analysis.

    Now, I am searching for a way to see if Download Insight is working properly. Is there a report to see what clients are checking as downloaded files against the Symantec reputation servers?



  • 2.  RE: How to check if Download Insight works properly?

    Trusted Advisor
    Posted Nov 24, 2011 10:53 AM

    Hello,

    You might want to customize Download Insight settings for the following reasons:

    • Increase or decrease the number of Download Insight detections.

      You can adjust the malicious file sensitivity slider to increase or decrease the number of detections. At lower sensitivity levels, Download Insight detects fewer files as malicious and more files as unproven. Fewer detections are false positive detections.

      At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More detections are false positive detections.

    • Change the action for malicious or unproven file detections.

      You can change how Download Insight handles malicious or unproven files. The specified action affects not only the detection but whether or not users can interact with the detection.

      For example, you might change the action for unproven files to Ignore. Then Download Insight always allows unproven files and does not alert the user.

    • Alert users about Download Insight detections.

      When notifications are enabled, the malicious file sensitivity setting affects the number of notifications that users receive. If you increase the sensitivity, you increase the number of user notifications because the total number of detections increases.

      You can turn off notifications so that users do not have a choice when Download Insight makes a detection. If you keep notifications enabled, you can set the action for unproven files to Ignore so that these detections are always allowed and users are not notified.

      Regardless of whether notifications are enabled, when Download Insight detects an unproven file and the action is Prompt, the user can allow or block the file. If the user allows the file, the file runs automatically.

      When notifications are enabled and Download Insight quarantines a file, the user can undo the quarantine action and allow the file.

    Note: If users allow a quarantined file, the file does not automatically run. The user can run the file from the temporary Internet folder. Typically the folder location is drive:\Documents and Settings\username\Local Settings\Temporary Internet Files.

    Also See: Customizing Download Insight settings.

    Managing Download Insight detections

    Hope that helps!!



  • 3.  RE: How to check if Download Insight works properly?

    Posted Nov 24, 2011 11:10 AM

    Hi Mithun, thanks for your answer. I want to understand why SEP didn't prevent me from downloading this file, which must have a very, very, very, VERY low reputation. How can I check if Download Insight works?



  • 4.  RE: How to check if Download Insight works properly?

    Posted Nov 24, 2011 11:41 AM

    I have snooped the network traffic between the PC which downloaded the suspect file and the Internet, and I can't see any network traffic except the traffic with the server which hosted the suspect file.

    Why is there no network traffic to Symantec servers?



  • 5.  RE: How to check if Download Insight works properly?

    Trusted Advisor
    Posted Nov 24, 2011 12:36 PM

    Hello,

    At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More detections are false positive detections.

    Check this:

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    Video:

    Symantec Download Insight in Symantec Endpoint Protection 12.1

    Hope that helps!!


  • 6.  RE: How to check if Download Insight works properly?

    Posted Nov 24, 2011 02:38 PM

    Even at the highest sensitivity level, SEP didn't trigger an alert for this file, which has a very low reputation (in my opinion).

    And I don't see any network traffic going out from my PC to Symantec servers. Why?

    As far as I know, Download Insight uses a Symantec database hosted on cloud servers. So why didn't the SEP client ask the database about this file?



  • 7.  RE: How to check if Download Insight works properly?

    Posted Nov 24, 2011 04:01 PM

    I submitted the file to VirusTotal for analysis. Result: 30% of AVs identify it as malware (except SEP).

    The SEP client triggered an alert when I submitted the file to VirusTotal. It's just like Download Insight acts as an 'Upload Insight' :-)



  • 8.  RE: How to check if Download Insight works properly?
    Best Answer

    Posted Nov 25, 2011 04:48 AM

    You can test it by trying to download the cloudcar.exe file or other files with different reputations.

    http://renitenta.de/



  • 9.  RE: How to check if Download Insight works properly?

    Posted Nov 25, 2011 06:56 AM

    DCourtel,

    You downloaded a zip file; zip files won't trigger Download Insight as they are not PE files.

    SONAR and Auto-Protect would help to protect you against this file (as you have seen, when the file was accessed, we picked it up).
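    The reply above states that the reputation check is scoped to PE files and that an archive wrapping one is not inspected at download time. The script below is an added example (not part of this thread, and not Symantec or SEP code) of the complementary check a defender can run on an archive before it is opened: it lists the entries, reads the first bytes of each, and flags any that carry an executable extension, start with the "MZ" PE header, or use a padded double extension like the "Update.Pdf____.exe" name from the original post. The function names and the sample zip built in memory are my own constructed assumptions.

```python
import io
import os
import re
import zipfile

# Windows executable/script extensions worth flagging inside an archive.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".vbs", ".js"}

# A document-looking extension, then a run of spaces/underscores used as
# padding, then an executable extension (e.g. "Update.Pdf_____.exe").
DISGUISED_NAME = re.compile(
    r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)[ _]+\.(exe|scr|com|pif|cpl|bat|cmd)$",
    re.IGNORECASE,
)


def inspect_entry(name, head):
    """Classify one archive entry from its name and its first two bytes."""
    ext = os.path.splitext(name)[1].lower()
    return {
        "name": name,
        "executable_ext": ext in EXECUTABLE_EXTS,
        # Every PE file (EXE/DLL/SCR) begins with the DOS stub magic "MZ",
        # regardless of what the file is called.
        "pe_header": head[:2] == b"MZ",
        "disguised_name": bool(DISGUISED_NAME.search(name)),
    }


def inspect_zip(data):
    """Return one finding dict per file entry in the zip bytes `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first two bytes are needed to spot a PE header, so the
            # entry is not fully decompressed.
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.append(inspect_entry(info.filename, head))
    return findings


def risky_entries(data):
    """Names of entries that trip any of the three checks, in archive order."""
    return [
        f["name"]
        for f in inspect_zip(data)
        if f["executable_ext"] or f["pe_header"] or f["disguised_name"]
    ]


def build_sample_zip():
    """Constructed sample archive (hypothetical content, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Padded double extension plus a fake PE header, as in the thread.
        zf.writestr("Update.Pdf" + "_" * 70 + ".exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"nothing to see here\n")
        zf.writestr("invoice.pdf", b"%PDF-1.4\n")
        # A PE file renamed to a harmless-looking extension: caught by "MZ".
        zf.writestr("setup.dat", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in inspect_zip(sample):
        print(finding)
    print("risky:", risky_entries(sample))
```

    Run against the constructed archive, `risky_entries` returns the padded "Update.Pdf…exe" entry and "setup.dat" (flagged by its "MZ" header despite the .dat name) while "readme.txt" and "invoice.pdf" pass. The same three checks apply to any zip handed to `inspect_zip`, so it can sit in a mail gateway or download-folder watcher as a gate before an archive is extracted.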



  • 10.  RE: How to check if Download Insight works properly?

    Posted Nov 25, 2011 08:37 AM

    Thanks for this very useful information. So good news for malware authors: they just have to put their malware in a zip file to be undetected by Download Insight :-)

    For your information, I have downloaded this file on a test PC; Download Insight didn't trigger. Then I decided to run the malware to see if SONAR would catch it. And no reaction from SONAR!

    So my test PC is infected.



  • 11.  RE: How to check if Download Insight works properly?

    Posted Nov 25, 2011 09:04 AM

    You said the SEP client triggered an alert when you uploaded the file to VirusTotal?

    What was the alert?

    Do you have the VT submission link, or your Symantec submission ID?

    Also, if you think the machine is infected, have you tried running the Symantec Power Eraser on the system?



  • 12.  RE: How to check if Download Insight works properly?

    Posted Nov 25, 2011 09:15 AM

    It was an Upload Insight alert :-)

    Because I submitted the .EXE file, it was analysed by Download Insight.



  • 13.  RE: How to check if Download Insight works properly?

    Posted Nov 29, 2011 03:42 PM

    I don't think we would alert on an upload with Insight. Do you have the log data?