need more generic exclusion abilities - risk found reputation based
Major frustration as we attempt to get a browser plugin we are interested in to install and work. The problem is that when there is an update to the install file, SEP blocks it every single time.
I have told SEP the source is a "TRUSTED DOMAIN" and we've added the domain the file comes from to IE as a trusted domain via GPO.
SEP seems to ignore this.
When I attempt to EXCLUDE the file as part of the actions possible it insists on a full file path which includes the user profile - which OBVIOUSLY is a dumb way to do it since that will differ with 350 users - there would be 350 paths to exclude. Can't do the file name as it's in the browser cache so it could have a  or  etc in the name, or could change depending on the mood IE is in on that given day. The file name will also vary due to the version being part of the name.
I need a way to exclude the file - period. I need a way to make it %userprofile%\*\xyx*.msi or similar, or just plain IGNORE files called rbjnplugin???.MSI
If I tell it to exclude APP, it excludes the file hash, which is also worthless as that will change next month based on the update they provide.
With SEP, reputation based finds are the worst to try to exclude I've ever seen.
Why is SEP ignoring the "trusted domain" bit?
Why will it not allow wildcards in the file path or name?
It says it's "not on the permitted application list" - DUH - how can it be?
Download site shown as N/A? Wrong. IE was there and downloaded the file. It's in SEP and it's in IE as a trusted domain. BLUEJEANS.com and www.BLUEJEANS.com so it's in there two ways (because neither alone worked)
SEP ignores every other file downloaded - even some fake AV apps that have attempted to get in, and yet it blocks a good IE plugin that I've given it a trusted domain for, and tried to exclude? Ironic - it allows stuff we want blocked, but blocks a plugin we really want badly - and allows me no known way to allow it.
Downloaded or created by: c:\program files\internet explorer\iexplore.exe
File or path: c:\users\user.name\appdata\local\microsoft\windows\temporary internet files\content.ie5\bro7pdy9\rbjnplugin_188.8.131.523.msi
Category type: Insight Network Threat
First seen: Symantec has known about this file approximately 5 days.
Reputation: There is some evidence that this file is trustworthy.
Prevalence: This file is used by fewer than 50 Symantec users.
Detection reason: The file is an unproven file.
Minimum sensitivity level: Unproven file detection
Can't they add an "ignore all files from this source" or "ignore all files matching this pattern"?
I guess the frustrating part is that the methods of excluding are incredibly limited, unlike other parts of SEP. This one seems to have had little thought as to how we would really need to be able to allow files through. I can't possibly be the only one, and yet a search showed no similar posts on this.
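The post contrasts three ways an exclusion can identify a file: an exact path (breaks per user), a file hash (breaks per version), and a wildcard pattern such as %userprofile%\*\name*.msi. The Python below is an added illustration written for this page, not code from the poster and not how SEP actually evaluates exclusions; it is a small matcher that models what a pattern exclusion would need to do on Windows paths and shows how many of a constructed set of downloads each style covers. The sample paths, the second version number 188.8.131.600, the second user other.user, the cache folder k2x9abcd and the file contents are all made up for the demo; the pattern semantics (* and ? stay inside one path segment, %userprofile% expands to any profile under c:\users) are this example's own assumptions.

```python
import hashlib
import re

def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept either slash; fold both."""
    return path.replace("/", "\\").lower()

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile an exclusion pattern (assumed semantics, not SEP's):
    %userprofile% -> any single directory under c:\\users,
    '*' and '?'   -> within one path segment only,
    '**'          -> may span directory separators."""
    p = normalize(pattern).replace("%userprofile%", "c:\\users\\*")
    parts, i = [], 0
    while i < len(p):
        if p.startswith("**", i):
            parts.append(".*")
            i += 2
        elif p[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif p[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(p[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def excluded_by_full_path(path: str, allowed_path: str) -> bool:
    """Exact-path exclusion: the style the poster was offered."""
    return normalize(path) == normalize(allowed_path)

def excluded_by_hash(content: bytes, allowed_sha256: str) -> bool:
    """Hash exclusion: identifies one build of the installer only."""
    return hashlib.sha256(content).hexdigest() == allowed_sha256

def excluded_by_pattern(path: str, pattern: str) -> bool:
    """Pattern exclusion: the style the poster is asking for."""
    return pattern_to_regex(pattern).match(normalize(path)) is not None

# Constructed sample downloads: two users, two installer versions.
# Only the first path and file name come from the page; the rest is invented.
CACHE = r"\appdata\local\microsoft\windows\temporary internet files\content.ie5"
SAMPLES = [
    (r"c:\users\user.name" + CACHE + r"\bro7pdy9\rbjnplugin_188.8.131.523.msi", b"installer build 523"),
    (r"c:\users\other.user" + CACHE + r"\k2x9abcd\rbjnplugin_188.8.131.523.msi", b"installer build 523"),
    (r"c:\users\user.name" + CACHE + r"\bro7pdy9\rbjnplugin_188.8.131.600.msi", b"installer build 600"),
    (r"c:\users\other.user" + CACHE + r"\k2x9abcd\rbjnplugin_188.8.131.600.msi", b"installer build 600"),
]
# A same-named file that is NOT in the browser cache (constructed).
OUTSIDE_CACHE = r"c:\users\user.name\downloads\rbjnplugin_188.8.131.600.msi"

# Pattern anchored to the IE cache so it does not cover the same name elsewhere.
PATTERN = "%userprofile%" + CACHE + r"\*\rbjnplugin_*.msi"

def count_excluded(predicate) -> int:
    """How many of the sample downloads a given exclusion predicate covers."""
    return sum(1 for path, content in SAMPLES if predicate(path, content))

def compare_exclusion_styles() -> dict:
    """Coverage of each exclusion style over the constructed samples."""
    first_path, first_bytes = SAMPLES[0]
    first_hash = hashlib.sha256(first_bytes).hexdigest()
    return {
        "full_path": count_excluded(lambda p, c: excluded_by_full_path(p, first_path)),
        "hash": count_excluded(lambda p, c: excluded_by_hash(c, first_hash)),
        "pattern": count_excluded(lambda p, c: excluded_by_pattern(p, PATTERN)),
        "pattern_hits_outside_cache": excluded_by_pattern(OUTSIDE_CACHE, PATTERN),
    }

if __name__ == "__main__":
    for style, covered in compare_exclusion_styles().items():
        print(f"{style}: {covered}")
```

On the four constructed downloads the exact path covers one, the hash covers the two copies of a single build, and the pattern covers all four while still rejecting the same file name in a Downloads folder; keeping the pattern anchored to the cache directory, rather than matching rbjnplugin_*.msi anywhere, is what keeps the exclusion from becoming a blanket allow for anything carrying that name.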