Endpoint Protection


'New Download Risk' - not enough details

  • 1.  'New Download Risk' - not enough details

    Trusted Advisor
    Posted May 22, 2015 03:40 AM

    Hi all,

    I am not sure if I have set this up incorrectly or this is how it is designed, so thought I'd ask here...

    On the SEPM console, there is a clickable link for 'New Download Risks' - clicking on 'View Details'. You will see a graph.

    One is for 'User-allowed per domain'

    The other one is 'Total Detections Per Domain'

    Often, I will have 'Not Available' when I wanted to find out what was allowed, the filename, etc. All I have are blank. See screenshot.

    Am I missing a setting to get the details to appear?

    Thanks all.

     

    downloadrisk.PNG



  • 2.  RE: 'New Download Risk' - not enough details

    Trusted Advisor
    Posted May 22, 2015 04:02 AM

    Hello,

    Managing Download Insight detections http://www.symantec.com/docs/HOWTO55252

    NOTE: Download Insight has the following dependencies:
    • Auto-Protect must be enabled

      If you disable Auto-Protect, Download Insight cannot function even if Download Insight is enabled.

    • Insight lookups must be enabled

      Symantec recommends that you keep the Insight lookups option enabled. If you disable the option, you disable Download Insight completely.

    Note: If Download Protection is not installed, Download Insight runs on the client at level 1. Any level that you set in the policy is not applied. The user also cannot adjust the sensitivity level.

    Even if you disable Download Insight, the Automatically trust any file downloaded from an intranet website option continues to function for Insight Lookup.
     
     
    Excluding a trusted Web domain from scans http://www.symantec.com/docs/HOWTO55211

    How to exclude specific Web domains from the Download Insight verification in SEP 12.1?

    http://www.symantec.com/docs/TECH162264

    Note: The use of port numbers, HTTPS or FTP URLs is not supported.

    You specify a URL when you specify a trusted Web domain exception. HTTPS or FTP URLs are not supported. You must create individual exceptions for files or applications that users might download from an HTTPS or FTP URL.

    You can find URLs for the Web domains that you want to exclude by viewing the Download Risk Distribution report.

     
    Hope that helps!!


  • 3.  RE: 'New Download Risk' - not enough details

    Trusted Advisor
    Posted May 22, 2015 04:18 AM

    Thanks, here are my answers...

    >> Auto-Protect must be enabled

    Yes, all clients have AutoProtect enabled.

    >> Insight lookups must be enabled

    It's enabled as well.

    All clients have Proactive Threat Protection, Download Protection (including Insight) with SONAR Protection enabled via Policy

    >>You can find URLs for the Web domains that you want to exclude by viewing the Download Risk Distribution report.

    I had a look & ran the report - they still show up as 'Not Available' for Web Domain. Same with Applications. So clearly, it's not logging the domain/URL/other details for some reason...

    I can confirm that under Virus & Spyware Protection policy, under Advanced Options -> Miscellaneous -> Log Handling tab, I have all events checked to collect logs from all clients to SEPM.

    So, what else have I missed?

    Thanks for the reply & details.

    Tony



  • 4.  RE: 'New Download Risk' - not enough details

    Posted May 22, 2015 08:16 AM

    This may not be from a download necessarily. There are other times when auto-protect scans a file it will check against the reputation database to help make a determination and if convicted it will take action. So this could potentially be misleading. I see this from time to time even when I know the file was not downloaded.



  • 5.  RE: 'New Download Risk' - not enough details

    Trusted Advisor
    Posted May 22, 2015 08:21 AM

    Hello,

    The user-allowed files that appear in the report might indicate false positive detections.

    You can create an exception for an application that your users download. You can also create an exception for a specific Web domain that you believe is trustworthy.

    By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab. When the Automatically trust any file downloaded from an intranet site option is enabled, Symantec Endpoint Protection allows any file that a user downloads from any sites in the lists.

    Symantec Endpoint Protection checks for updates to the Internet Options trusted sites list at user logon and every four hours.

    Note: Download Insight recognizes only explicitly configured trusted sites. Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Download Insight does not recognize 10.*.*.* as a trusted site. Download Insight also does not support the sites that are discovered by the Internet Options > Security > Automatically detect intranet network option.

    Check these Articles:
     
     
     
    Regards,
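
A pre-flight check for the limits quoted in replies 2 and 5, added here as an example; it is not part of the thread or of any Symantec tooling. The function names and sample entries are constructed, and "non-routable" is assumed to mean the RFC 1918 private IPv4 blocks.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "non-routable" is read here as the RFC 1918 private IPv4 blocks.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _split(entry):
    # Bare hosts get a scheme so urlsplit can locate the host and port.
    return urlsplit(entry if "://" in entry else "http://" + entry)

def check_web_domain_exception(entry):
    """Problems with a trusted Web domain exception (limits quoted in reply 2)."""
    parts, problems = _split(entry), []
    if parts.scheme in ("https", "ftp"):
        problems.append(parts.scheme.upper() + " URLs are not supported; "
                        "create a file or application exception instead")
    try:
        has_port = parts.port is not None
    except ValueError:          # non-numeric or out-of-range port text
        has_port = True
    if has_port:
        problems.append("port numbers are not supported")
    return problems

def check_trusted_site(entry):
    """Problems with an Internet Options trusted-site entry (limits quoted in reply 5)."""
    octets = (_split(entry).hostname or "").split(".")
    is_ip = len(octets) == 4 and all(o == "*" or o.isdigit() for o in octets)
    if not is_ip or "*" not in octets:
        return []               # names, wildcard names, single addresses: not judged here
    try:
        low = ipaddress.ip_address(".".join("0" if o == "*" else o for o in octets))
        high = ipaddress.ip_address(".".join("255" if o == "*" else o for o in octets))
    except ValueError:
        return ["not a valid IPv4 wildcard pattern"]
    for net in ipaddress.summarize_address_range(low, high):
        if any(net.overlaps(p) for p in PRIVATE_NETS):
            return ["non-routable IP range is not recognized as a trusted site"]
    return []

def lint(entries, check):
    """Map each rejected entry to its list of problems."""
    return {e: p for e in entries if (p := check(e))}

# Constructed sample entries, not taken from any real policy.
EXCEPTIONS = ["http://downloads.example.com/tools", "https://vendor.example.com/drivers",
              "http://intranet.example.com:8080/", "ftp://files.example.com:2121/pub"]
TRUSTED_SITES = ["*.example.com", "10.*.*.*", "203.0.113.*"]
```

Calling `lint(EXCEPTIONS, check_web_domain_exception)` or `lint(TRUSTED_SITES, check_trusted_site)` returns only the entries that hit one of the quoted limits, each with its reasons.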


  • 6.  RE: 'New Download Risk' - not enough details

    Posted May 22, 2015 11:43 AM

    We've only this week raised a support case over this "N/A origin" issue.

    It's been in SEP for years, but until this past week, we had no compelling business reason to follow it up with so many more critical defects. Now a customer has some legit HP software (add-ons, DLLs etc) being detected by Download Insight (end-user is getting the window prompt), but with its origin as N/A....which we do not believe is acceptable.

    There is of course always an Origin. Case is still in log collecting stage, being run by a colleague of mine.



  • 7.  RE: 'New Download Risk' - not enough details

    Trusted Advisor
    Posted Jun 09, 2015 09:33 AM

    Hi Steven,

    Has support resolved your case yet? If so, what was the solution?

    Thanks,

    Tony



  • 8.  RE: 'New Download Risk' - not enough details

    Posted Jun 09, 2015 08:35 PM

    Not even close. The case has been raised by a colleague of mine, and it's still in the early stages where the support rep is working with 'backline' to get their head around it, at least that's how I see it.

    Best case scenario it "might" be figured out over the next few months, with a hopeful solution in RU7. Too optimistic of me perhaps?



  • 9.  RE: 'New Download Risk' - not enough details

    Trusted Advisor
    Posted Jun 10, 2015 02:40 AM

    Thanks. Mind sharing the case number, so I can raise my own case with a reference to yours? Hopefully with more people reporting this, they will look into this.

     

    Cheers



  • 10.  RE: 'New Download Risk' - not enough details

    Posted Jun 11, 2015 08:52 PM

    Case #08791855

    The response we got overnight I have chosen to escalate, it's simply not good enough. As I understand it, this "component" appears to be severely flawed in its design.



  • 11.  RE: 'New Download Risk' - not enough details

    Posted Sep 01, 2015 02:23 PM

    You're NOT alone... We are also having this same exact issue with SEPM. I'm going to open up a case with Symantec and reference your case #.



  • 12.  RE: 'New Download Risk' - not enough details

    Trusted Advisor
    Posted Sep 14, 2015 09:10 AM

    Thanks. The more people report this, the more that Symantec will be aware of this issue.



  • 13.  RE: 'New Download Risk' - not enough details

    Posted Sep 14, 2015 09:53 AM

    Our case # is 09390205.



  • 14.  RE: 'New Download Risk' - not enough details

    Posted Sep 18, 2015 12:28 PM

    Our case # is 09483892.

     

    Hope to have an update on this by Symantec.



  • 15.  RE: 'New Download Risk' - not enough details

    Posted Sep 28, 2015 02:06 PM

    Did you ever get an update from Symantec on this?