Advanced Download Protection (Download Insight) is a new advanced protection feature included with the SEP client. This feature allows the SEP client to leverage Symantec's Cloud-based reputation database when files are downloaded or executed directly from popular Web browsers.
Overview
- Download Insight scans all Portable Executable (PE) and MSI files (including .bat, .com, .dll, .drv, .exe, .msi, .ocx, .sys, etc.) when they are downloaded through or launched by a portal application.
- Web browsers like Internet Explorer and Firefox are supported portal applications
- Download Insight is a protection technology based solely on the reputation of files (No signature or behavioral analysis is performed by Download Insight)
- AutoProtect is the driver responsible for the reputation scanning functionality of Download Insight.
- Download Insight uses the SEP client's Client Intrusion Detection System (CIDS) to retrieve information about files being accessed
Download Insight detection flow
Download Insight scanning occurs as a normal part of the AutoProtect component when files are downloaded through a supported portal application. It's possible for an application to be detected as a possible threat by Download Insight and trigger local Antivirus definitions. In this instance, the threat will be remediated using the Eraser engine.
- An executable file is created by a known portal application
- The file is scanned by AutoProtect using the local SEP client's AntiVirus (AV) definitions
- The file is scanned for Reputation
- AutoProtect notifies the SEP client of the reputation results
- The SEP client displays a notification that the file is being scanned/remediated
- The SEP client initiates the remediation process (Eraser remediation for AV detections, CloudScan notification for reputation detections)
- Once the remediation process is complete, a dialog box is presented to the user with the results of the scan
Note: Virus and Spyware Protection ONLY installations do not install the CIDS (IPS) driver, which reduces some of the functionality of Download Advisor. Download Advisor is locked at level 1 (in 14.3 RU5 and earlier only). Trusted Web Domain exclusions will be unavailable.
User Experience
- In most cases, it will take a long time (more than 10 seconds) for the detection/remediation process to complete
- While the detection/remediation work is taking place, a small notification is displayed at the bottom right corner of the screen once an anomaly is detected
- The default duration of this notification is 8 seconds and it disappears automatically
- Once the detection has been remediated, a dialog is displayed with detailed information about the detection (URL, file name, detection information, and actions taken by the SEP client).