Endpoint Protection

  • 1.  binary/octet-stream download

    Posted Feb 06, 2014 12:31 PM

    I have just upgraded SEP from version 11.0.5 to 12.1.4013 on my WinXP SP3 machine. This is a managed installation. I have SEPM 12.1.4013 installed.

    Every few minutes, I see denied traffic from the WinXP PC to the following IP addresses (I've discovered 2 IPs so far): 166.98.6.70, 143.127.102.40. Those IPs belong to Symantec. It appears SEP 12 is trying to download binary/octet-stream (content type) over HTTP secure (port 443). I set my firewall to deny all octet-stream downloads (EXE, DLL etc.) over HTTP, HTTPS and FTP from all internal machines (the SEPM machine is allowed to download over FTP).

    What is SEP 12 trying to download? Why does SEP still try to get anything directly from the internet instead of the SEPM machine? How can I stop SEP from getting anything directly from the internet?



  • 2.  RE: binary/octet-stream download
    Best Answer

    Posted Feb 06, 2014 12:37 PM

    Do you have the Download Insight component enabled? It uses reputation, so it will go out directly to check the Symantec database. See these:

    Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers

    How to verify that a Symantec Endpoint Protection 12.1 client is able to communicate with the Symantec Reputation server

    143.127.102.40 resolves to ent-shasta-rrs.symantec.com.ntn.symantec.com, so this is likely it or a submission.



  • 3.  RE: binary/octet-stream download

    Posted Feb 06, 2014 12:40 PM


  • 4.  RE: binary/octet-stream download

    Posted Feb 06, 2014 01:09 PM

    Most of the settings are default settings, so yes, Download Insight is enabled. I take it that it isn't possible to change that behavior (direct download from the web) other than turning off Download Insight?

    Another solution is to change my firewall rules to allow downloads from *.symantec.com. Is that good enough to allow SEP to download the database? I guess I should give it a shot.



  • 5.  RE: binary/octet-stream download

    Posted Feb 06, 2014 01:10 PM

    Correct. You would need to turn it off; that is the only other way.

    See the first link I posted about the exclusions you would need.

    The main URL is https://ent-shasta-rrs.symantec.com but yeah, *.symantec.com will get them all.



  • 6.  RE: binary/octet-stream download

    Posted Feb 06, 2014 01:18 PM

    Right, if you turn it off then there is no use in using it.

    *.symantec.com should do fine.



  • 7.  RE: binary/octet-stream download

    Posted Feb 06, 2014 02:37 PM

    Thanks for the article (Required exclusions for proxy servers...). Adding ent-shasta-rrs.symantec.com and tus1gwynwapex01.symantec.com allows the HTTPS packets to go through. I'll use that article as a guide to add more exceptions if needed. Thanks to Rafeeq for your replies too.