
SEP 12 - Insight - Can Reputation Data Be Transferred via GUP?

Created: 04 Dec 2012 • Updated: 05 Dec 2012 | 19 comments
This issue has been solved. See solution.

Hi,

Looking at new Insight information - keen to use GUPs to get this information instead of each client getting it from the web.

Is this possible yet or not?

Is reputation based on the file (header, size, content, etc.) or the source URL or both?

Thanks


Rafeeq's picture

It needs to go out for the reverse lookup. Not possible from a GUP as of now.

Recent discussion here:

https://www-secure.symantec.com/connect/forums/doe...

.Brian's picture

GUPs can only provide content for AV, PTP, and NTP as of this time.

Perhaps you can add it as an idea for future use.

Shared Insight Cache may be of some use to you:

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Davinci_uk's picture

Thanks all,

Does SONAR rely on Insight being enabled as well for reputation info, or does that get its own data as well?

Thanks in advance

.Brian's picture

SONAR relies on its own set of defs as well but does include some Insight lookups for heuristics.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

SONAR has the following dependencies:

  • Download Protection must be installed.

  • Auto-Protect must be enabled.

    If Auto-Protect is disabled, SONAR loses some detection functionality and appears to malfunction on the client. SONAR can detect heuristic threats, however, even if Auto-Protect is disabled.

  • Insight lookups must be enabled.

    Without Insight lookups, SONAR can run but cannot make detections. In some rare cases, SONAR can make detections without Insight lookups. If Symantec Endpoint Protection has previously cached reputation information about particular files, SONAR might use the cached information.

Reference:

How Symantec Endpoint Protection protection features work together

http://www.symantec.com/docs/HOWTO55268

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Davinci_uk's picture

Also I have looked everywhere in the Virus and Spyware policy - cannot see anywhere to disable the lookup component. Only how to enable/disable the whole of Download Protection?

SMLatCST's picture

Disabling of the Insight lookups is done via the "External Communications Settings" of a group.

SMLatCST's picture

Oh, yeah and as far as SONAR goes, I'm afraid Insight is the only location for reputation information.  Disabling a SEP client's ability to check Insight does mean that the behavioural rules used by SONAR will not categorically know if a process is "known-good" so you may experience more false positives.

Davinci_uk's picture

Found it in global scan options.

OK, so can you disable Insight, but still have Download Insight enabled?

Mithun Sanghavi's picture

Hello,

Under AV/AS policy >>

Global Scan Option you can Enable / Disable the Insight.

Insight allows scans to skip trusted good files. The scan can skip the files that Symantec trusts as good (more secure) or that the community trusts as good (less secure). If you enable this option, you might improve scan performance.

Whereas from Download Protection:

You can enable or disable Download Insight and change how sensitive Download Insight is to potentially malicious files. You can also specify the additional criteria that Download Insight uses when it makes a decision about a file. Use these settings to help control the number of false positive detections.

Download Insight requires Auto-Protect. If Auto-Protect is disabled and Download Insight is enabled, Download Insight cannot function. On the client, the status details indicate the Download Insight malfunction.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Davinci_uk's picture

So disabling Download Insight, Insight and SONAR will pretty much just be AV via defs like oldskool way?

What's the difference with Insight settings - "Symantec Trusted" and "Symantec and Community Trusted"?

Is one based on defs and the other the reputation? Is there difference in file sizes?

Sorry for questions guys - upgrading SEP and a lot of low bandwidth and/or sensitive networks I am working with, so need to have it all covered.

If there is a guide in this area I shall leave you in peace!

Thanks

.Brian's picture

You can disable individually:

Also, check this Insight deployment guide:

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SMLatCST's picture

Just to clarify, the Global Scan Options only apply to scheduled and on-demand scans (which is why the SIC options are here too).

The Insight-related settings in this section define which files are skipped by scans because they are classed by Symantec (or Symantec + Community) as "known-good" files. This setting controls what Insight information is used, not whether or not Insight is used at all. Enabling/disabling Insight in general is controlled via the "External Communications Settings" of a group, as I mentioned before.

As far as the difference between the two, both are based off of reputation data. "Symantec trusted" generally means Symantec have seen the source and know it to be clean. "Community trusted" are ones that have a good rep.

http://www.symantec.com/docs/HOWTO80992

Mithun Sanghavi's picture

Hello,

What's the difference with Insight settings - "Symantec Trusted" and "Symantec and Community Trusted"?

This is an explanation taken from www.symantec.com/docs/HOWTO55250

  • Symantec and Community Trusted

    This level skips files that are trusted by Symantec and the Symantec Community.

  • Symantec Trusted

    This level skips only files that are trusted by Symantec.

Symantec Community are all the users of Symantec products. So the files signed by Community as Trusted, are in the category "Community Trusted".

Please keep in mind that the suggested security option is "Symantec Trusted" from Symantec.

Some more links to this explanation:

How Symantec Endpoint Protection uses reputation data to make decisions about files

http://www.symantec.com/docs/HOWTO55275

To know more, check this Whitepaper on Symantec Insight:

https://www-secure.symantec.com/connect/downloads/insight-deployment-best-practices-whitepaper

Symantec Download Insight, check this Video:

https://www-secure.symantec.com/connect/videos/symantec-download-insight-symantec-endpoint-protection-121

Hope this helps you!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Davinci_uk's picture

Thank you all for the quick and helpful responses!

How do I assign the solution without annoying someone? :-)

.Brian's picture

You pick the one that helped you the most. Don't worry about annoying anyone, it will be a big help to users in the future if they are searching for the answer to the same/similar problem.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ian_C.'s picture

Firstly, you should mark the post that answers your original thread question the best. If other questions come up during the discussion, I believe they should not be marked as the answer, as they do not pertain to the subject of the thread.

Besides marking the most relevant post as your answer, you always have the option of voting on answers by giving them a Thumbs up / down as seen at the bottom right of every post.

Please mark the post that best solves your problem as the answer to this thread.