Endpoint Protection

  • 1.  Reputation scans / notifications

    Posted Nov 13, 2014 08:32 AM

    Hi everyone,

    I work for a company that does a lot of in-house development of applications. As such, we've run into issues where SEP has quarantined critical business systems on servers due to low reputation. In an attempt to avoid turning off SONAR entirely on our servers, I was looking into instead changing the reputation scanner behavior to log only on "high risk" detections. However, I would like it to create a notification when it does so.

    It appears a new notification condition was recently added to the preconfigured list called "File Reputation Lookup alert". I'm guessing it's new, as it's not listed in the http://www.symantec.com/docs/HOWTO55128 article.

    So my questions are these...

    1) Will changing the SONAR policy action from "Quarantine" to "Log" have the effect of not quarantining low-reputation files found during scheduled scans?

    2) Will the "File Reputation Lookup Alert" notification condition trigger based on these logged detections?

    Thanks in advance for the advice! 



  • 2.  RE: Reputation scans / notifications

    Posted Nov 13, 2014 08:36 AM

    If you know that the detection type is coming from SONAR then yes it should work. Are you sure it is? Maybe a screenshot would help.

    Also, yes, it should display in the alert that it was detected but logged only.

    The other thing you can do is create a Single risk event alert and configure it specifically for SONAR events by choosing it from the scan type.



  • 3.  RE: Reputation scans / notifications

    Posted Nov 13, 2014 09:30 AM

    SONAR is a behavioural scan and it does flag a few items as false positives. Since the scan is for exes, I would suggest creating exclusions for your in-house apps and leaving the rest as it is.

    Handling and preventing SONAR false positive detections

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55273



  • 4.  RE: Reputation scans / notifications

    Posted Nov 13, 2014 10:49 AM

    I'm assuming it was SONAR at least that quarantined them. Sometimes the reporting in SEP leaves a lot to be desired if you want to really dig into something.

    They were flagged as WS.Reputation.1; I can't find any info on what scan flagged them.



  • 5.  RE: Reputation scans / notifications

    Posted Nov 13, 2014 10:58 AM


  • 6.  RE: Reputation scans / notifications

    Posted Nov 13, 2014 11:02 AM

    That's the odd thing though. This wasn't a download. It was an exe that's been running on the server for some time. SEP just suddenly, and out of the blue, quarantined it under that WS.Reputation.1 flag.



  • 7.  RE: Reputation scans / notifications

    Posted Nov 13, 2014 11:10 AM

    And this was caught by auto-protect, correct?