Endpoint Protection

  • 1.  Reputation check for unproven files failed because of network errors for the last 3 days

    Posted Nov 19, 2015 05:41 PM

    SEP and SEPM 12.1.6.

    I know that to get Reputation Check content I need to be connected to the Internet.  I know we can't have a firewall blocking the connection in order to get content.  I know that proxies can get in the way.

    I am dealing with an airgapped network that has absolutely no Internet connectivity.  This network is not going to get reputation file information.

    I need to determine how to make the SEP client and SEPM server stop attempting to do reputation file downloads, and stop alerting me that the reputation content updates are failing.

    Anyone out there able to help?



  • 2.  RE: Reputation check for unproven files failed because of network errors for the last 3 days

    Posted Nov 23, 2015 06:15 PM

    You need to disable the Download Insight component. This is what SEP uses to check file reputation using the cloud.

    In addition, go to the Clients page and select the Policies tab. Then select the External Communication Settings link. You can uncheck "Allow Insight lookups for threat detection".



  • 3.  RE: Reputation check for unproven files failed because of network errors for the last 3 days

    Posted Dec 02, 2015 06:01 PM

    I have a single set of top-level policies, and my client groups inherit the policy.

    Under Policies -> Settings -> External Communication Settings, the "Allow Insight lookups for threat detection(recommended)" is un-checked.

    When you say "disable the Download Insight component", I presume you mean that needs to happen at the client.  Is there a way to use the SEPM server to disable that component?  Otherwise a command line that I can automate?

    In the "Virus and Spyware Protection Policy", I see that the Download Protection -> Download Insight -> "Enable Download Insight to detect potential risks in downloaded files based on file reputation" is also un-checked.

    In the "Virus and Spyware Protection Policy", I see that SONAR -> Sonar Settings -> Enable SONAR is checked.  The description for SONAR includes "SONAR uses heuristics as well as reputation data to detect...".  Do I need to disable SONAR as well?  I'd like to have heuristics enabled, just without the reputation data downloads.



  • 4.  RE: Reputation check for unproven files failed because of network errors for the last 3 days

    Posted Dec 02, 2015 06:43 PM

    Under Policies -> Settings -> External Communication Settings, the "Allow Insight lookups for threat detection(recommended)" is un-checked.

    When you say "disable the Download Insight component", I presume you mean that needs to happen at the client.  Is there a way to use the SEPM server to disable that component?  Otherwise a command line that I can automate?

    These are the only two options I know of to disable the reputation checks. SONAR shouldn't need to be disabled if Download Insight is already disabled; it just won't use the reputation checks and only heuristics.



  • 5.  RE: Reputation check for unproven files failed because of network errors for the last 3 days

    Broadcom Employee
    Posted Dec 07, 2015 12:02 PM

    Hi,

    I don't think you should disable SONAR here.  Allow Insight lookups for threat detection(recommended) is unchecked & you still get alerts?

    There are some pre-defined notifications by default including 'file reputation detection'. Delete that notification if possible.

    SEPM --> Monitor --> Notifications --> Notification conditions

    It alerts the administrators when a file is submitted to Symantec for a reputation check. SONAR and Download Insight use file reputation lookups and submit files to Symantec automatically.

    The File Reputation Detection notification is enabled by default.



  • 6.  RE: Reputation check for unproven files failed because of network errors for the last 3 days

    Posted Dec 07, 2015 01:58 PM

    In the "Virus and Spyware Protection Policy", go to "Global scan options" and uncheck "Enable Insight".

    You might also want to disable all the settings that might create external traffic under Policies -> Settings -> External Communication Settings.