Endpoint Protection


WS.Reputation.1 Security Risk


  • 1.  WS.Reputation.1 Security Risk

    Posted May 19, 2015 09:46 AM

    Hello Everyone,

    Since upgrading clients to 12.1.5, I am now seeing more WS.Reputation.1 Security Risk events.  I first noticed this because the number of Spyware and Risks count is higher than it used to be on my Home page.  I also now see a large number of New download risks when I used to see virtually none.  Autoprotect detects exes but the action is left alone.  The risk name is WS.Reputation.1 Security Risk.  Once the exe is detected, it continues to show up on the list.  I tried blocking the application, but that didn't help.  If I allow the application, it seems to disappear off of the list, but that's not what I want to do.  I would rather block anything with a poor or non-existent reputation and get these lingering detections off of the Still Infected and New download risks lists.

    Thanks in advance for any help.


    Bob




  • 2.  RE: WS.Reputation.1 Security Risk

    Posted May 19, 2015 09:51 AM
    What is the application and where is it being downloaded from?


  • 3.  RE: WS.Reputation.1 Security Risk

    Posted May 19, 2015 10:25 AM

    Various applications (about 20 different examples) from various web sites.  Sorry about the general answer.  Would one example help?



  • 4.  RE: WS.Reputation.1 Security Risk

    Posted May 19, 2015 10:58 AM
    Assuming these are legit, you should be able to easily block the application from within the Monitors >> Logs >> Risks page. Did this not work?


  • 5.  RE: WS.Reputation.1 Security Risk

    Posted May 20, 2015 09:12 AM

    Hi Bob,

    What version of SEP were you using before?  If it was SEP 11, then SEP 12.1's Insight features are brand new. Here's a good video:

    Symantec Endpoint Protection 12: Insight
    http://www.symantec.com/tv/products/details.jsp?vid=1323877255001

    These videos are also good at explaining the different components of SEP 12.1:

    http://www.symantec.com/endpoint-protection/videos/


    Please update the thread with more details?

    Many thanks,

    Mick




  • 6.  RE: WS.Reputation.1 Security Risk

    Broadcom Employee
    Posted May 20, 2015 11:02 AM

    Hi,

    WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

    You can create an exception for an application that your users download. You can also create an exception for a specific Web domain that you believe is trustworthy.

    See Specifying how Symantec Endpoint Protection handles an application that scans detect or that users download.

    If you believe that a program has been incorrectly classified by the Symantec reputation-based security system, then you may submit a dispute using this Web form.



  • 7.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 08:51 AM

    I have read many articles about download insight, created a test environment to learn how it works and behaves but I am still struggling.  My production environment shows that the number of unproven files detected is about 1600.  The number seems to grow even though it appears that the same 20 files just get redetected over and over day after day. The SEPM also says that I have 20 computers that are infected and all 20 are because of reputation.  In all 20 cases, the action is "Left Alone."  I would prefer to have SEP quarantine these and log the event.  If it turns out that the app is legit, I would like to use the logs to create the exception.  Is this achievable?



  • 8.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 08:53 AM

    Also, half of the detected files are exes in the recycle bin.  Is there a way that I can have SEP just quarantine or delete these files that are being flagged constantly because of reputation so that the computers no longer show up as infected?



  • 9.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 08:54 AM

    If you open the detail on it, does it say why it was detected?

    You either need to increase the sensitivity level or adjust the setting for their use in the Symantec Community.



  • 10.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 08:57 AM

    And one more question.  In my testing, I download an exe using FF or IE, and after a few seconds SEP creates a popup with the message "There is not enough information about this file to recommend it."  Then SEP deletes the file.  However, I cannot find any event in the SEP client logs or on the SEPM that shows that SEP did delete the download.  How can I tell when download insight is blocking downloads?



  • 11.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 08:59 AM

    Should show in the SEP risk log.



  • 12.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 09:13 AM

    Hi Brian,


    Here's part of the detail of an exe in a recycle bin that has been redetected for weeks.


    Risk Detection
    Date found:
    Description:
    Actual action:
    Specified primary action:
    Specified secondary action:
    Detection source:
    Risk detection method:
    URL tracking:
    Source computer:
    Event type:
    Database insert date:
    Event client date:
    Permitted application reason:


    Risk Reputation
    First seen:
    Reputation:
    Prevalence:
    Performance impact:
    Overall rating:
    Detection reason:
    Minimum sensitivity level:


  • 13.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 09:22 AM

    This is because you have 'Unproven Files' set to Leave alone (log only).

    Go in your AV policy >> Download Protection. On the Actions tab check under Unproven files. Adjust this setting to some other action.



  • 14.  RE: WS.Reputation.1 Security Risk

    Posted May 21, 2015 04:24 PM

    After some further investigating and experimenting, I have answered most of my questions.  The first problem I had was my misunderstanding of how Download Insight is invoked.  I realized that it may not really intervene until the downloaded software is executed.  Once I figured out that the popup from Download Insight appears after I try to execute the software, I was able to manipulate through policy change how SEP responds.  I set the policy to "5" and changed the setting for unknown software to log, prompt, quarantine and delete to see what would happen.  I then saw the corresponding reputation events in the risk log on the local client and on the SEPM.  My next step is to get approval to implement the policy to delete unknown files in production.  I believe that once I do this, these files that continue to get redetected will be deleted.

    The challenge for me to understand the functionality was the two sets of popups I have seen when trying to download unknown software.  One set is invoked when I try to install software that was successfully downloaded.  Another set of popups sometimes appears temporarily, which indicates that the download itself was blocked.  Both sets reference Download Insight.  I included a screen print of each to show the two examples.

    di1.jpg

    di2-1.jpg
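To triage the lingering "Left alone" WS.Reputation.1 entries described in posts 7, 8 and 12 (the same files re-detected day after day, half of them in the recycle bin), here is an added Python example that is not part of the thread and not a Symantec tool: it groups a risk log export by file path, counts repeat detections per file and per computer, and flags recycle bin paths so they can be cleaned up or quarantined by policy. The CSV column names and every row are constructed for illustration; a real SEPM export uses its own field layout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: column names and rows are made up for this
# example and are not real SEPM output.
SAMPLE_RISK_LOG = "\n".join([
    "Date found,Risk name,File path,Actual action,Source computer,Detection source",
    r"2015-05-19 08:01,WS.Reputation.1,C:\$Recycle.Bin\S-1-5-21-1\$RX1A2B.exe,Left alone,WS-ACCT-01,Download Insight",
    r"2015-05-20 08:02,WS.Reputation.1,C:\$Recycle.Bin\S-1-5-21-1\$RX1A2B.exe,Left alone,WS-ACCT-01,Download Insight",
    r"2015-05-20 09:15,WS.Reputation.1,C:\Users\bob\Downloads\toolsetup.exe,Left alone,WS-ENG-07,Download Insight",
    r"2015-05-21 09:16,WS.Reputation.1,C:\Users\bob\Downloads\toolsetup.exe,Left alone,WS-ENG-07,Download Insight",
    r"2015-05-21 09:20,WS.Reputation.1,C:\Users\bob\Downloads\toolsetup.exe,Left alone,WS-ENG-09,Download Insight",
    r"2015-05-21 10:30,WS.Reputation.1,C:\Users\amy\Downloads\installer.exe,Quarantined,WS-HR-02,Download Insight",
])

RECYCLE_BIN_MARKERS = ("$recycle.bin", "recycler")


def is_recycle_bin_path(path):
    """True for a path under a Windows recycle bin folder."""
    low = path.lower()
    return any(marker in low for marker in RECYCLE_BIN_MARKERS)


def summarize_unproven(csv_text):
    """Group 'Left alone' WS.Reputation.1 rows by file path.

    Returns {path: {"hits": n, "computers": [...], "recycle_bin": bool}};
    rows already quarantined or deleted are skipped since they do not linger.
    """
    groups = defaultdict(lambda: {"hits": 0, "computers": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk name"] != "WS.Reputation.1":
            continue
        if row["Actual action"].strip().lower() != "left alone":
            continue
        entry = groups[row["File path"]]
        entry["hits"] += 1
        entry["computers"].add(row["Source computer"])
    return {path: {"hits": e["hits"], "computers": sorted(e["computers"]),
                   "recycle_bin": is_recycle_bin_path(path)}
            for path, e in groups.items()}


def lingering(summary, min_hits=2):
    """Paths re-detected at least min_hits times: candidates to quarantine by
    policy, or to add as an exception once the file is confirmed legitimate."""
    return sorted(p for p, e in summary.items() if e["hits"] >= min_hits)
```

Files that show up only as "Quarantined" drop out of the summary, which is the behaviour post 13's policy change (Unproven files set to something other than Leave alone) would produce for the whole fleet.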