Endpoint Protection

Download Insight False Positive - Ignoring Policy

Gaven Henderson posted Oct 19, 2022 06:31 PM
We have some home-grown software that keeps getting detected as Unproven.Insight. Unfortunately, the file's location is always changing, so I can't make an exception for it. I modified the policy to Quarantine/Delete malicious files and Leave alone (log only) Unproven files. As a result, it started identifying the EXE as infected and moving it to quarantine. Under the gun, I changed the Malicious files setting to Leave alone (log only), but it's still doing the same thing. What am I missing?

Torsten Knorr

1) If the software is digitally signed, you can create an exception based on this.
2) You can send this piece of software to Symantec for whitelisting; if it is publicly available, only a link is necessary.
3) Did you check that the client has the policy (policy serial number) which is assigned to this group?
4) You can set up a prompt for Unproven files, so that the user decides whether they need the software.
5) You can adjust the level for Reputation from 5 (default) to 2 or 1.

Gaven Henderson
1. Unfortunately no.
2. The software is internal use only.
3. Yes - the affected computers all have the current policies.
4. The prompt was proving ineffective. These computers are not actively attended, and if they don't select ignore within a short period of time it will automatically quarantine. Even if there wasn't a time limit, that would still be too much of a nuisance. I need SEP to simply ignore but log.
5. That's not really a solution to this problem. Even at 1 it will claim the file is infected.

Please review the screenshots I provided. Did I not set the policy up properly to have the client log Unproven.Insight and do nothing else?
atb86
You have to set the action to Ignore for Unproven files. Leave alone (log only) should deny access to the file, but not quarantine it. SEP doesn't have a pure log only/monitor mode.
Gaven Henderson
Please forgive my ignorance, but wouldn't that be functionally the same as disabling Download Insight altogether?
atb86
Unproven files are files that don't have a reputation in the database. You will get a lot of false positives on internal applications, as they are unknown to Symantec.

My general recommendation is to set the slider to 5 or 6 and Unproven files to Ignore when dealing with a lot of internal applications, if you can't handle them as described in the article linked below.

https://knowledge.broadcom.com/external/article/155316/endpoint-protection-download-insight-is.html