Endpoint Protection

  • 1.  Error Logs

    Posted Nov 24, 2014 08:57 AM

    I keep getting the following error during/after scheduled scans:

    reputation check timed out during unproven file evaluation, likely due to network delays.

    What is causing this?



  • 2.  RE: Error Logs

    Posted Nov 24, 2014 08:59 AM

    The client wasn't able to submit the file for a reputation check. Could've been a network blip on the client end.

    You can set up an alert to check for these:

    Under Monitors >> Notifications

    Add a notification for the one called "File reputation lookup alert"

    Also, make sure you have them enabled, see here:

    Enabling or disabling client submissions to Symantec Security Response



  • 3.  RE: Error Logs

    Posted Nov 24, 2014 08:59 AM

    Hello,

    This happens when the SEP client file reputation check operation is timing out as the external firewall blocks access to https://ent-shasta-rrs.symantec.com/mrclean

    Try the following workaround:

    On the Symantec Endpoint Protection Manager (SEPM):

    1) Go to Policies > Virus and spyware protection > right click and edit the policy > Under Windows settings > protection technology > Download protection

    2) Uncheck "Enable download insight to detect potential risk in downloaded files based on file reputation"

    See mithun's comments:

    https://www-secure.symantec.com/connect/forums/reputation-check-timed-out#comment-9464361
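
A staged reachability check for the reputation host named in the post above, as an added example that is not part of the thread or of Symantec's tooling: run on an affected client, it shows whether DNS, the TCP connection or the TLS handshake is the step that fails. It assumes PowerShell 3.0 or later and a direct (non-proxied) connection; the function name and the 5-second timeout are illustrative choices, not SEP values.

```powershell
# Added diagnostic example, not Symantec code.
# Host name is taken from the URL quoted in the thread; the timeout is an assumed value.
function Test-ReputationEndpoint {
    param(
        [string]$HostName  = 'ent-shasta-rrs.symantec.com',
        [int]   $Port      = 443,
        [int]   $TimeoutMs = 5000   # assumption: not the client's real lookup timeout
    )
    $result = [ordered]@{ Host = $HostName; FailedStage = 'dns'; Ok = $false; Ms = 0; Detail = '' }
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    $tcp = $null
    $ssl = $null
    try {
        # Stage 1: name resolution (throws if the name cannot be resolved)
        $null = [System.Net.Dns]::GetHostAddresses($HostName)

        # Stage 2: TCP connect, bounded by the timeout so a silent firewall drop is visible
        $result.FailedStage = 'tcp'
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.ReceiveTimeout = $TimeoutMs
        $tcp.SendTimeout    = $TimeoutMs
        $pending = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "no TCP connection within $TimeoutMs ms"
        }
        $tcp.EndConnect($pending)

        # Stage 3: TLS handshake with normal certificate validation
        $result.FailedStage = 'tls'
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        $result.FailedStage = 'none'
        $result.Ok = $true
        # An unexpected issuer here points at a TLS-inspecting device in the path
        $result.Detail = "certificate issuer: $($ssl.RemoteCertificate.Issuer)"
    } catch {
        $result.Detail = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
        $result.Ms = $sw.ElapsedMilliseconds
    }
    [pscustomobject]$result
}

Test-ReputationEndpoint | Format-List
```

Comparing the output from a client that logs the timeout with one that does not, at scheduled-scan time, separates a firewall or proxy rule from a per-client problem.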



  • 4.  RE: Error Logs

    Posted Nov 24, 2014 09:03 AM

    Download Insight will still be involved, even for scheduled scans as it needs to check reputation of a file:

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    Does Symantec Endpoint Protection 12.1 Always Use Reputation to Detect Malicious Files?

    With the specific configuration that had been put in place, this is "working as designed."  

    • SEP 12.1 Auto-Protect does not use full reputation with every scan: it can use reputation to block malicious downloads as part of the optional "Download Insight" feature.  
    • SEP 12.1 scheduled/manual scans can use reputation, if configured to do so.  
    • Also, SEP 12.1 SONAR (TruScan/PTP) can use reputation as part of its defences.

    Manual and Scheduled scans can use full internal (IRON) and cloud-based community/Symantec Reputation information as part of their scans, when configured to do so. (When "Insight Lookup" is enabled, these scans use the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files.) Some more information can be found in Customizing the virus and spyware scans that run on Windows computers



  • 5.  RE: Error Logs

    Posted Nov 24, 2014 09:03 AM

    Why would this be download insight if it's happening during scheduled scans (middle of the night when people aren't working or downloading things)?



  • 6.  RE: Error Logs

    Posted Nov 24, 2014 09:15 AM

    We have "Let computers automatically forward selected anonymous security information to Symantec" disabled but "Allow Insight lookups for threat detection" is enabled.

    So far I have migrated about 130 clients to SEP 12 and have seen this on about 30 clients each night at scheduled scan time.  All the clients have the same internet access and are in the same policies.



  • 7.  RE: Error Logs

    Posted Nov 24, 2014 09:16 AM

    Scheduled scans still reach out to the reputation database. For whatever reason (network issues, client issues, etc.) they cannot reach out.