Endpoint Protection

  • 1.  Insight Lookup and Auto-Protect

    Posted Aug 11, 2012 06:42 AM

    How do Auto-Protect and Insight Lookup work together (if at all)?

    Manual and scheduled scans are using Insight lookup. It's possible to define its sensitivity. And there is Download Insight, an integral part of Auto-Protect. These are features I understand.

    However, what happens if Auto-Protect encounters a suspicious file that wasn't downloaded (so that Download Insight didn't run)? Is Auto-Protect using Insight Lookup?

    When I was testing it with fresh .exe files, A-P didn't send anything to Symantec. However, when I executed the new file, there was a lookup, but I think it was triggered by SONAR.

    Here is a citation of the Insight FAQ that confused me a bit:

    3 B.
    Each time the user performs a traditional virus scan of their computer (e.g., a weekly scan) or our AutoProtect real-time component scans a file, it will first determine if the file appears to be suspicious. If the file does not appear to be suspicious, no reputation lookup is performed. On the other hand, if the file does appear to be suspicious to our heuristics/fingerprint scanner, SEP looks up its reputation.

    That sounds as if Auto-Protect seems to use Insight Lookup, but why isn't it possible to adjust Insight Lookup in the Auto-Protect settings (only in the Administrator-defined scan settings)?


    Thanks in advance
    Greg

     



  • 2.  RE: Insight Lookup and Auto-Protect

    Posted Aug 11, 2012 08:31 AM


  • 3.  RE: Insight Lookup and Auto-Protect

    Posted Aug 11, 2012 09:01 AM

    Check this article, it may help.

    How Symantec Endpoint Protection Small Business Edition protection features work together

    http://www.symantec.com/business/support/index?page=content&id=HOWTO54897

     

    Check this forum thread also:

    https://www-secure.symantec.com/connect/forums/download-insight-exceptions

     

    Please try the Symantec articles below:

    Excluding a trusted Web domain from scans http://www.symantec.com/docs/HOWTO55211

    How to exclude specific Web domains from the Download Insight verification in SEP 12.1?

    http://www.symantec.com/docs/TECH162264

    Managing Download Insight detections http://www.symantec.com/docs/HOWTO55252

    NOTE: Download Insight has the following dependencies:
    • Auto-Protect must be enabled

      If you disable Auto-Protect, Download Insight cannot function even if Download Insight is enabled.

    • Insight lookups must be enabled

      Symantec recommends that you keep the Insight lookups option enabled. If you disable the option, you disable Download Insight completely.

    Note: If Download Protection is not installed, Download Insight runs on the client at level 1. Any level that you set in the policy is not applied. The user also cannot adjust the sensitivity level.

    Even if you disable Download Insight, the Automatically trust any file downloaded from an intranet website option continues to function for Insight Lookup.
     

     

     

     

     

     
     


  • 4.  RE: Insight Lookup and Auto-Protect

    Posted Aug 12, 2012 09:01 PM

    OK, so what's the difference between SONAR and Download Insight?



  • 5.  RE: Insight Lookup and Auto-Protect

    Broadcom Employee
    Posted Aug 12, 2012 09:45 PM

    Auto-Protect includes a feature that is called Download Insight, which examines the files that users try to download through Web browsers, text messaging clients, and other portals.

    Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Windows Live Messenger, and Yahoo Messenger.

    Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only for the clients that run on Windows computers.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO54885

     

    SONAR

    SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy.

    You configure SONAR settings for the clients that run Symantec Endpoint Protection version 12.1. SONAR settings also include TruScan proactive threat scan settings for legacy clients. Many of the settings can be locked so that users on client computers cannot change the settings.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55215



  • 6.  RE: Insight Lookup and Auto-Protect

    Trusted Advisor
    Posted Aug 13, 2012 06:47 AM

    Hello,

    Check this Article: Information on Symantec Endpoint Protection Scans

    SONAR is part of Proactive Threat Protection on your client computers. SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. 

    Check this Article: http://www.symantec.com/docs/HOWTO55268

    How Symantec Endpoint Protection protection features work together

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55268

    Hope that helps!!!



  • 7.  RE: Insight Lookup and Auto-Protect

    Posted Aug 13, 2012 10:52 AM

    Thank you all for your postings.

    However, I am unsure about Auto-Protect and Insight Lookup. In most documents only Download Insight is mentioned in combination with A-P.

    What I want to know is whether A-P uses Insight Lookup, i.e., does it consult Symantec's Insight database when it encounters a suspicious file (e.g., found by Bloodhound). If so, it's strange that it's not possible to adjust the sensitivity of Insight Lookup for A-P (only for Administrator-defined scans).

    Thanks in advance for relieving my confusion.



  • 8.  RE: Insight Lookup and Auto-Protect
    Best Answer

    Posted Aug 13, 2012 11:49 AM

    AutoProtect does use Insight for corroboration, but it's only for some of the heuristic signatures (Suspicious.Cloud signatures are a good example). If the AV detection is hash based, then there is no lookup. If the AV detection is behavioural or attribute based and the confidence in the detection is not 100%, then the client will query Insight to determine what Symantec know about the file.

    Exoneration levels (whether the detection is acted upon or not) are hard coded for different families of signatures; you cannot fine tune them at this point.

    hth



  • 9.  RE: Insight Lookup and Auto-Protect

    Posted Aug 13, 2012 01:55 PM

    Thank you, that's all I wanted to know!