
need more generic exclusion abilities - risk found reputation based

Created: 18 Feb 2013 | 6 comments

Major frustration as we attempt to get a browser plugin we are interested in to install and work. The problem is that when there is an update to the install file, SEP blocks it every single time. 
I have told SEP the source is a "TRUSTED DOMAIN" and we've added the domain the file comes from to IE as a trusted domain via GPO.
SEP seems to ignore this.

When I attempt to EXCLUDE the file as part of the actions possible it insists on a full file path which includes the user profile - which OBVIOUSLY is a dumb way to do it since that will differ with 350 users - there would be 350 paths to exclude. Can't do the file name as it's in the browser cache so it could have a [1] or [2] etc. in the name, or could change depending on the mood IE is in on that given day. The file name will also vary due to the version being part of the name.
I need a way to exclude the file - period. I need a way to make it %userprofile%\*\xyx*.msi or similar, or just plain IGNORE files called rbjnplugin???.MSI

If I tell it to exclude APP, it excludes the file hash, which is also worthless as that will change next month based on the update they provide.
With SEP, reputation based finds are the worst to try to exclude I've ever seen.

Why is SEP ignoring the "trusted domain" bit?
Why will it not allow wildcards in the file path or name?
IT says it's "not on the permitted application list" - DUH - how can it be?

Download site shown as N/A  ? Wrong. IE was there and downloaded the file. It's in SEP and it's in IE as a trusted domain. BLUEJEANS.com and www.BLUEJEANS.com so it's in there two ways (because neither alone worked)
SEP ignores every other file downloaded - even some fake AV apps that have attempted to get in, and yet it blocks a good IE plugin that I've given it a trusted domain for, and tried to exclude? Ironic - it allows stuff we want blocked, but blocks a plugin we really want badly - and allows me no known way to allow it.


Download site: N/A
Downloaded or created by: c:\program files\internet explorer\iexplore.exe
File or path: c:\users\user.name\appdata\local\microsoft\windows\temporary internet files\content.ie5\bro7pdy9\rbjnplugin_1.3.0.713[1].msi
Application: rbjnplugin_1.3.0.713[1].msi
Version:
File size: 5165056
Category set: Malware
Category type: Insight Network Threat

Risk Reputation

First seen: Symantec has known about this file approximately 5 days.
Reputation: There is some evidence that this file is trustworthy.
Prevalence: This file is used by fewer than 50 Symantec users.
Performance impact: Medium
Overall rating: Medium
Detection reason: The file is an unproven file.
Minimum sensitivity level: Unproven file detection

Can't they add a "ignore all files from this source" or "ignore all files matching this pattern"?
I guess the frustrating part is that the methods of excluding are incredibly limited, unlike other parts of SEP. This one seems to have had little thought as to how we would really need to be able to allow files through. I can't possibly be the only one, and yet a search showed no similar posts on this.
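The post's core complaint is that the only exceptions SEP offers for a Download Insight detection (exact file path, or file hash) cannot cover a browser-cached installer across many users and versions. The script below is an added illustration of that point, not SEP code or documented SEP behaviour: it parses the detection record quoted above, and then compares what an exact-path exception, a hash exception and a %userprofile% wildcard pattern would each cover over a handful of constructed cache paths (the first one is the path from the post; the others are made up to represent other users, another cache slot and a later version). The helper names and the wildcard semantics are this example's own assumptions.

```python
import fnmatch
import hashlib
import re
from pathlib import PureWindowsPath

# The detection record quoted in the post, used here as parser input.
DETECTION_RECORD = """Download site: N/A
Downloaded or created by: c:\\program files\\internet explorer\\iexplore.exe
File or path: c:\\users\\user.name\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\bro7pdy9\\rbjnplugin_1.3.0.713[1].msi
Application: rbjnplugin_1.3.0.713[1].msi
File size: 5165056
Category set: Malware
Category type: Insight Network Threat
Detection reason: The file is an unproven file."""

# Constructed sample paths: [0] is the path from the post; [1] is the same version in
# another user's cache with a different slot suffix; [2] is a later version; [3] is an
# unrelated installer that a good pattern must NOT cover.
SAMPLE_PATHS = [
    r"c:\users\user.name\appdata\local\microsoft\windows\temporary internet files\content.ie5\bro7pdy9\rbjnplugin_1.3.0.713[1].msi",
    r"c:\users\jdoe\appdata\local\microsoft\windows\temporary internet files\content.ie5\k2x9qz1a\rbjnplugin_1.3.0.713[2].msi",
    r"c:\users\asmith\appdata\local\microsoft\windows\temporary internet files\content.ie5\ab12cd34\rbjnplugin_1.4.0.102.msi",
    r"c:\users\jdoe\appdata\local\temp\unrelated_tool[1].msi",
]

# Constructed file contents: same version -> identical bytes, new version -> new bytes.
SAMPLE_CONTENTS = {
    SAMPLE_PATHS[0]: b"rbjnplugin 1.3.0.713 (constructed bytes)",
    SAMPLE_PATHS[1]: b"rbjnplugin 1.3.0.713 (constructed bytes)",
    SAMPLE_PATHS[2]: b"rbjnplugin 1.4.0.102 (constructed bytes)",
}

# "[1]", "[2]", ... that IE appends before the extension when a cache slot collides.
_IE_CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.\\]+$)")


def parse_detection_record(text: str) -> dict:
    """Parse the 'Key: value' lines of a Download Insight detection record into a dict
    keyed by the lower-cased field name (first colon on the line is the separator)."""
    record = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            record[key.strip().lower()] = value.strip()
    return record


def normalize_cached_path(path: str) -> str:
    """Rewrite a per-user cache path into the %userprofile% form the post asks for and
    drop the IE '[n]' slot suffix, so one pattern can describe every user's copy."""
    parts = list(PureWindowsPath(path.lower()).parts)
    if len(parts) >= 3 and parts[1] == "users":  # c:\users\<name>\... -> %userprofile%\...
        parts = ["%userprofile%", *parts[3:]]
    parts[-1] = _IE_CACHE_SUFFIX.sub("", parts[-1])
    return "\\".join(parts)


def matches_exception(path: str, pattern: str) -> bool:
    """Wildcard exception check (assumed semantics): fnmatch's '*' also spans backslashes,
    so '%userprofile%\\*\\rbjnplugin_*.msi' covers any cache folder depth."""
    return fnmatch.fnmatchcase(normalize_cached_path(path), pattern.lower())


def pattern_coverage(paths, pattern: str) -> list:
    """Paths a wildcard pattern exception would cover."""
    return [p for p in paths if matches_exception(p, pattern)]


def exact_path_coverage(paths, excluded_path: str) -> list:
    """Paths an exact-path exception (what 'Add to exceptions policy' generates) covers."""
    return [p for p in paths if p.lower() == excluded_path.lower()]


def hash_coverage(contents_by_path: dict, reference_path: str) -> list:
    """Paths a hash exception covers: only files byte-identical to the detected one,
    so the next plugin version falls outside it."""
    allowed = hashlib.sha256(contents_by_path[reference_path]).hexdigest()
    return [p for p, data in contents_by_path.items()
            if hashlib.sha256(data).hexdigest() == allowed]


if __name__ == "__main__":
    record = parse_detection_record(DETECTION_RECORD)
    detected = record["file or path"]
    pattern = r"%userprofile%\*\rbjnplugin_*.msi"
    print("exact path covers:", len(exact_path_coverage(SAMPLE_PATHS, detected)))
    print("hash covers:      ", len(hash_coverage(SAMPLE_CONTENTS, detected)))
    print("pattern covers:   ", len(pattern_coverage(SAMPLE_PATHS, pattern)))
```

Run stand-alone it reports that the exact-path exception covers one of the four paths, the hash exception covers the two byte-identical copies of the same version, and the %userprofile% pattern covers all three plugin copies while leaving the unrelated installer out. The normalization step matters because a plain fnmatch pattern would treat the "[1]" in a cache file name as a character class if it ever appeared in the pattern side.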


ShadowsPapa:

>>SEP ignores every other file downloaded - even some fake AV apps that have attempted to get in, and yet it blocks a good IE plugin that I've given it a trusted domain for, and tried to exclude?<<

BTW - note I said "attempted to get in" above - my other rules block these things so we are still 2 weeks shy of 2 years MALWARE free... but I did find irony in that Insight reputation based doesn't seem to catch those things like it does this trusted commercial plugin.

.Brian:

Yep, same issue for me. First I assume you've already seen this:

Managing Download Insight detections

Article:HOWTO80966  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO80966


I've gotten stuff to work by playing with the different levels but I don't want to sacrifice security. A lot of times I end up sending in as a false positive.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ShadowsPapa:

Yes, been down several roads, but doesn't mean I've not missed something - thus the forums can be handy as other eyes often can help. This is a very high priority. In fact, this is the most urgent task I've been given in a long time - make this puppy work, and make it work seamlessly and do it NOW.

This means that SEP can't interfere in any way, shape or form.
Guess what SEP is doing. Granted, over half is due to the strict security and controls I have set up, app control and such, but this "Insight" thing is making me crazy.
There's no good or decent way to exclude a file, regardless of the final location, regardless of the name or hash changing as new versions come out each month or so. This is a perfect case. Last month SEP really messed up a big test management had set up with dozens of users because it wouldn't allow the plugin to be downloaded no matter what I did. Within minutes calls from all over the state "it won't work". I had excluded the installation process, allowed the install files and plugins to do what they needed, then WHAM, because of a file update, SEP blocked the download so the install could never even start. If I relax this download thing any more, I might as well totally disable it! I find it so bloody funny (not in a humorous way, though) that SEP is stopping this one single harmless download because fewer than 5 people have "seen it", while it allows "av.exe" and such garbage to get into the cache (where I kill it with MY rules).

I have www.bluejeans.com in the trusted domains - that didn't matter. It's also quite confusing at times as to WHAT actually blocked and quarantined this thing as it says Insight, then says heuristics and says autoprotect (or other things for that matter - generic risk category, but what actually stopped a file?)
It says it was based on reputation - fewer than 5 users, etc. but then it says heuristics were used in detection. There's a contradiction as the link you supplied says this does *not* use heuristics, rather confusing to me. So, which is it?
Take a look at this -

no wonder the trusted domain doesn't work for us - SEP has no idea of the "Web Domain" - see, that's blank.
Then take a look at this... it plainly says heuristics, but says "Insight" and "autoprotect".

...and yet here URL tracking is on. Circled or underlined in red, see why it can't be excluded? Those areas are different with each and every single test or use of the product if an update is needed. So why does SEP allow Google, Acrobat Reader, and hundreds of other things to freely download files and run them, even though the initial file name may change or vary, but won't allow this? We don't want Google stuff or Adobe stuff to automatically grab, update and run, we do want this to have free rein, but I've got over a full week, probably a full 60 hours on trying to make this work with SEP, and can't - my deadline is a mere 2 days away.

And if I choose "Add to exceptions policy", it insists on using the file hash and the specific exact path - and that will be different for all 350 users! And then, because it's in the web cache, it will vary with every visit, meaning it would be a different physical file path every single time any user used it. You can't possibly exclude based on this! But Symantec allows no other way at all to exclude. It's take it or leave it.

I can't get a straight answer lately to the issue we see, and in this case it appears that I may have to fully and totally disable the download protection. Ouch - no protection so we can download a single plugin file because exclusions won't work. Odd.

.Brian:

What you could do is temporarily disable Insight, download and install, then re-enable. I know it's not ideal and a waste of time but if you need this ASAP, it might just be quicker.

WS.Reputation is not based on a signature on the SEP side but more based off this massive database that stores the hash value of all downloaded files. It then assigns them a value based on whether or not they're malicious, unknown, known, etc. However, it seems real picky, I have issues with this now and then and can never seem to get it to work unless I turn Insight off or lower the setting to 1 or 2. But I don't get many complaints so I never really waste the time troubleshooting. I just figure if SEP catches it then it can stay off my network.

I know Insight is part of auto-protect. This article gives more insight (no pun intended):


How the Insight Lookup process works

Article:TECH169282  |  Created: 2011-09-09  |  Updated: 2012-06-28  |  Article URL http://www.symantec.com/docs/TECH169282


With that being said, it is confusing because it is not on the permitted app list which I believe is then part of SONAR. I know you can submit as a false positive/whitelisting request.


ShadowsPapa:

Oh boo - bad pun, intended or not, but it did make me laugh.

The kicker - I'll never know when they are doing meetings, and the file may change - so their meetings would fail. To make that thought work, I'd have to know when every meeting between anyone was going to happen, disable the download protection, then re-enable after the meeting, and do it all again for the next meeting, same day or next day or next week. Makes for no time off! LOL

It catches these files every single time - probably because www.bluejeans.com isn't exactly on the Google top 10 list of visited sites, and if they change the plugin then reputation starts all over again, meaning there will NEVER be a file history and never be a lot of users making it a highly trusted file. And because of what it does - an IE plug-in making web connections and launching video and audio features, it will be seen as a risk.

We love it because it DOES NOT USE JAVA! And we are trying really hard to go on a Java-free diet when and where possible. JAVA is a pain in a part of the body the moderators here would not appreciate me mentioning. It's a huge security risk every month, it takes way too much horsepower to run - it sucks memory and processor, it's slow, and if you run multiple JAVA apps like me - all of these Cisco and Symantec consoles based on JAVA, machines need to be rebooted every so often or you find them running like a 286. So the whole IT staff here cheered when we saw this was a JAVA-FREE web meeting application and I'm not kidding. WOW, there is good in the world! Someone developed a meeting app with no JAVA. That takes skill, good programming abilities and thinking outside of the cookie-cutter script programming of today.

That being said - there's big pressure to make this work and get SEP to allow it to work. I can't for the life of me see why SEP's download safety is picking on the files from this company but lets stuff from Google, Adobe and worse come and go freely - even the "phone home and send all of your private information to Google and Adobe so they can use it against you" portions of their software is allowed to do anything, but a JAVA-free web-based meeting application is stopped cold at the gate every time.

JAunmc:

I'm having the same issue with another app. Any luck finding a solution?