Houston Security User Group


Download Insight


  • 1.  Download Insight

    Posted Mar 27, 2012 11:47 AM

    I've read through most of the articles, KBs, and manuals for Download Insight. The problem we're having is that one of our apps is installed from a website on our local Intranet, and it downloads and installs updated apps, patches, etc., and it always gets flagged as WS.Reputation.1.

    I've created exceptions for the file in the Central Exceptions policy. I've created a website/domain exception. I've told the AV policy to trust all Local Intranet sites, and the site is listed in the Local Intranet Zone.

    The only thing that seems to help is to drop Download Insight down to level 3, and I don't really like having to do that. Is there another way to allow a file on the local Intranet without having to drop the Insight protection level? Again, I've done the exceptions and checked the local Intranet option in the AV policy.

    My techs would like to be able to install their users' apps without SEP blocking the download.



  • 2.  RE: Download Insight

    Broadcom Employee
    Posted Mar 27, 2012 01:31 PM

    You should be posting your queries in the SEP forum, not in Encryption.

    You need to add it to the whitelist.

    Check this link:

    http://www.symantec.com/business/support/index?page=content&id=TECH132220



  • 3.  RE: Download Insight

    Posted Mar 27, 2012 02:38 PM

    Sorry, guess I clicked a little too high. Meant to click on Endpoint Protection instead of Endpoint Encryption.

    So even though I'm not an ISV I can submit a file to be whitelisted?



  • 4.  RE: Download Insight

    Posted Mar 27, 2012 02:57 PM

    I can't answer very many of those questions honestly. We are not an ISV, nor do we publish software. We are end users of this product.



  • 5.  RE: Download Insight

    Posted Mar 28, 2012 01:30 PM

    Is there not a way to get an application recognized by Symantec as being good? You'd think that with the number of times we've installed applications using the vendor-supplied setup, that Insight would recognize it as being safe by now.

    Is there a solution to this or do I have to sit on the phone with the vendor to get them to submit this app to Symantec for whitelisting?



  • 6.  RE: Download Insight

    Broadcom Employee
    Posted Apr 02, 2012 07:08 AM

    Hi dsmith1954,

    WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories. 

    If you believe that a program has been incorrectly classified by the Symantec reputation-based security system, then you may submit a dispute using this Web form.

    Check the following links for more details:

    http://www.symantec.com/security_response/writeup....

    http://www.symantec.com/security_response/print_wr...

    I hope it will help you!



  • 7.  RE: Download Insight

    Posted May 02, 2012 07:10 PM

    Thanks



  • 8.  RE: Download Insight

    Posted Aug 02, 2012 11:26 AM

    http://www.symantec.com/business/support/index?page=content&id=TECH132220

    https://submit.symantec.com/whitelist/isv/



  • 9.  RE: Download Insight

    Posted Aug 07, 2012 10:43 AM

    At the end are questions I can't answer.

    • We have enabled sending info to Symantec for reputation.
    • We have files downloaded from Local Intranet sites automatically trusted.

    At what point does a file get a good reputation? This setup file is used at automotive dealerships around the country. You'd think it would have a good detection rate by now.



  • 10.  RE: Download Insight

    Posted Aug 14, 2012 06:53 PM

    In the AV policy for Insight under Actions have you tried setting "Log Only" for unproven files?



  • 11.  RE: Download Insight

    Posted Aug 16, 2012 09:21 AM

    I tried that. Still doesn't work. The only thing that seems to work is to drop the level down to 3.



  • 12.  RE: Download Insight

    Broadcom Employee
    Posted Aug 16, 2012 09:55 AM

    Hi,

    Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information forms a reputation database that Symantec hosts. Symantec products leverage the information to protect client computers from new, targeted, and mutating threats.

    The data is sometimes referred to as being "in the cloud" since it does not reside on the client computer. The client computer must request or query the reputation database.

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    http://www.symantec.com/docs/HOWTO55275

    What's included in a Reputation Request made by the SEP 12.1 Reputation Engine?

    http://www.symantec.com/docs/HOWTO59336



  • 13.  RE: Download Insight

    Posted Aug 16, 2012 10:44 AM

    Apparently that isn't working for this file. We have automotive dealerships that use UCS for Automotive Inventory Management. They use an .exe downloaded from a server internal to our network to 1) install their software and 2) to keep it updated.

    I'm sure our dealerships are not the only dealerships in the country that use this software, or that use Symantec Endpoint Protection, so either I've got something configured wrong, or Download Insight isn't working as advertised for this .exe.

    Excluding the internal website or the file, even with the ignore option, still generates a notification, either that it was ignored or that it was blocked again. Dropping down to a level 3 keeps the file from being blocked, but it still generates a report.



  • 14.  RE: Download Insight

    Posted Aug 16, 2012 11:55 AM

    There's also a new file that has been showing up lately from MPI (http://www2.mpifix.com) that is used in their training videos. MPI is an authorized licensee of GM, Ford and Chrysler service and repair information, so I would expect their files to be registered in Download Insight by now. Instead, Download Insight quarantines the files.

    Turns out that SONAR, and not Download Insight, is quarantining this file.



  • 15.  RE: Download Insight

    Broadcom Employee
    Posted Aug 16, 2012 12:02 PM

    Hi,

    Have you submitted to Symantec as a false positive?

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/gold.cgi

    http://www.threatexpert.com/submit.aspx