Endpoint Protection

  • 1.  How does the SEP 12.1 scanning engine work?

    Posted Aug 09, 2012 02:51 PM

    Does Download Insight look at every file that gets executed? Does it talk to the Symantec cloud and compare the signature, or does it do it locally on the machine?

    Does SEP run the AV traditional signature scan on every file or only the ones that pass/fail the download insight lookup?

    Does SEP remember each file that it scanned on the local system? If so, does it note the hash and only rescan the file when the hash has changed?

    I've heard about several of these features, but I don't fully understand the scan process.



  • 2.  RE: How does the SEP 12.1 scanning engine work?

    Trusted Advisor
    Posted Aug 09, 2012 03:24 PM

    Hello,

    Check this article on Symantec scans: Information on Symantec Endpoint Protection Scans

    Symantec Insight is a reputation-based security technology that leverages the anonymous software adoption patterns of Symantec’s hundreds of millions of users to automatically discover and classify every single software file, good or bad, on the Internet. Based on advanced data mining techniques, Insight seeks out mutating code separating out risky, low-reputation files from those that are safe.

    To know more, check this whitepaper on Symantec Insight:

    https://www-secure.symantec.com/connect/downloads/insight-deployment-best-practices-whitepaper

    In case you want to check Symantec Download Insight, check this video:

    https://www-secure.symantec.com/connect/videos/symantec-download-insight-symantec-endpoint-protection-121

    You might want to customize Download Insight settings for the following reasons:

    • Increase or decrease the number of Download Insight detections.

      You can adjust the malicious file sensitivity slider to increase or decrease the number of detections. At lower sensitivity levels, Download Insight detects fewer files as malicious and more files as unproven. Fewer detections are false positive detections.

      At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More detections are false positive detections.

    • Change the action for malicious or unproven file detections.

      You can change how Download Insight handles malicious or unproven files. The specified action affects not only the detection but whether or not users can interact with the detection.

      For example, you might change the action for unproven files to Ignore. Then Download Insight always allows unproven files and does not alert the user.

    • Alert users about Download Insight detections.

      When notifications are enabled, the malicious file sensitivity setting affects the number of notifications that users receive. If you increase the sensitivity, you increase the number of user notifications because the total number of detections increases.

      You can turn off notifications so that users do not have a choice when Download Insight makes a detection. If you keep notifications enabled, you can set the action for unproven files to Ignore so that these detections are always allowed and users are not notified.

      Regardless of whether notifications are enabled, when Download Insight detects an unproven file and the action is Prompt, the user can allow or block the file. If the user allows the file, the file runs automatically.

      When notifications are enabled and Download Insight quarantines a file, the user can undo the quarantine action and allow the file.

    Note: If users allow a quarantined file, the file does not automatically run. The user can run the file from the temporary Internet folder. Typically the folder location is drive:\Documents and Settings\username\Local Settings\Temporary Internet Files.

    Also see:

    • Customizing Download Insight settings

    • Managing Download Insight detections

    • How Symantec Endpoint Protection protection features work together: http://www.symantec.com/docs/HOWTO55268

    Hope that helps!!
