I keep getting the following error during/after scheduled scans:
reputation check timed out during unproven file evaluation, likely due to network delays.
What is causing this?
The client wasn't able to submit the file for a reputation check. Could've been a network blip on the client end.
You can setup an alert to check for these:
Under Monitors >> Notifications
Add a notification for the one called "File reputation lookup alert"
Also, make sure you have them enabled, see here:
Enabling or disabling client submissions to Symantec Security Response
This happens when the SEP client file reputation check operation is timing out as the external firewall blocks access to https://ent-shasta-rrs.symantec.com/mrclean
Try the following workaround:
On the Symantec Endpoint Protection Manager (SEPM):
1) Go to Policies > Virus and spyware protection > right click and edit the policy > Under Windows settings > protection technology > Download protection
2) Uncheck "Enable download insight to detect potential risk in downloaded files based on file reputation"
See mithun comments
Download Insight will still be involved, even for scheduled scans as it needs to check repuation of a file:
How Symantec Endpoint Protection uses reputation data to make decisions about files
Does Symantec Endpoint Protection 12.1 Always Use Reputation to Detect Malicious Files?
With the specific configuration that had been put in place, this is "working as designed."
Manual and Scheduled scans can use full internal (IRON) and cloud-based community/symantec Reputation information as part of their scans, when configured to do so. (When "Insight Lookup" is enabled, these scans use the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files.) Some more information can be found in Customizing the virus and spyware scans that run on Windows computers
Why would this be download insight if it's happening durning scheduled scans (middle of the night when people aren't working or downloading things)?
We have "Let computers automacitcally forward selected anonymous security information to Symantec" disabled but "Allow Insight lookups for threat detection" is enabled.
So far I have migrated about 130 clients to SEP 12 and have seen this on about 30 clients each night at scheduled scan time. All the clients have the same internet access and are in the same policies.
Scheduled scans still reeach out to the reputation database. For whatever reason (network issues, clients issues, etc.) they cannot reach out.