Endpoint Protection

Hello guys,

we have getting mail notification from our SEPM server,the below is the notification

==============================================================================

Sent: Thursday, December 24, 2015 9:21 AM
To: IT Admins
Subject: FILE REPUTATION LOOKUP ALERT

Message from:
    Server name: IFSHOAVG01
    Server IP: 192.168.28.60
    Administrator Email:*****************************************
    Company Name: IFS
    
6 computer reported file reputation lookup issues. 

===============================================================================

i try the below solution but not work

* upgrade sepm to 12.1.6 mp3 from 12.1.5

*

Try the following steps:

Note: Though these settings are not recommended I would suggest to try them to find out possible root cause.

On the Symantec Endpoint Protection Manager (SEPM):

1) Go to Policies > Virus and spyware protection > right click and edit the policy > Under Windows settings > protection technology > Download protection

2) Uncheck "Enable download insight to detect potential risk in downloaded files based on file reputation"

* Allowing some link in our firwall :https://support.symantec.com/en_US/article.TECH162286.html

but nothing will work.

please help me...wht os solution for this?

Do these machines have internet access?

Go to the Clients page >> Policies tab >> External Communication Settings

Is everything checked here? If the PCs don't have Internet access then uncheck the Submission options.

yes all machines have internet access

can you post the exact message from the alert?

Hello shaabin,

Is this an on-going occurrence? This typically happens if a client's network connection drops briefly or is in a low bandwidth environment but does usually resolve itself.

Are there any environmental factors that could be affecting these machines that you know of? Do they use a proxy to get out to the Internet?

Regards,

Brian

Hi,

The File Reputation Detection notification is enabled by default..It alerts the administrators when a file is submitted to Symantec for a reputation check. SONAR and Download Insight use file reputation lookups and submit files to Symantec automatically.

Client computers submit information anonymously about detections. You can specify the types of detections for which clients submit information. You can also enable or disable submissions from client computers. Symantec recommends that you always enable submissions. In some cases, however, you might want to prevent your clients from submitting such information. For example, your corporate policies might prevent your client computers from sending any network information to outside entities.

If you disable submissions for a client and lock the settings, the user is unable to configure the client to send submissions. If you enable, select your submissions types and lock the settings, the user is not able to change your chosen settings. If you do not lock your settings, the user can change the configuration as desired.

If client submission is enabled refer the logs, Logs contain records about client configuration changes, security-related activities, and errors.

You can view the log data on the Logs tab of the Monitors page. The management server regularly uploads the information in the logs from the clients to the management server. You can view this information in the logs or in reports. Because reports are static and do not include as much detail as the logs, you might prefer to monitor the network by using logs.

The problem with this issue is that these ALERTS emails keep getting sent 'long after the fact' (in my case from 2 months ago, Internet connection went down briefly for 2 clients) and there seems no way stop the ALERTS emails. I've logged on to the SEP Manager console and acknowledged the ALERTS, emails are still being sent; I upgraded to SEP 12.1 RU6 on SEP Manager side, ALERT emails are still being sent. DOES ANYONE HAVE THE MAGIC FORMULA FOR ACKNOWLEDGING THESE ALERTS AND PREVENT ANY MORE EMAILS FROM BEING SENT??

File Reputation looks alert is one of the preconfigured notification. You should be able to disable notifications.

Navigate to SEPM --> Monitor --> Notifications --> Notifications Conditions

thank u guys

You are welcome! & Happy new year.
 

Keep in mind that disabling the alert doesn't solve the problem (if there really is one).

I have to agree with Brian on this one: why is it that disabling the alert is the only way to deal with this- what's the point of 'acknowledging' the alert to begin with?/what if there a future adverse condition that you may actually want to be notified about? (seems like a bug to me).

ok..i will observer that for two weeks and if anything let back to you.

so there is any other option than disable the notification alert??

Check the system log, do you see reputation checks being sent up to the cloud? If so, there may be an issue witht eh alert itself not clearing properly.