search cancel

Protection Engine SSE logs show one or more Insight 17 errors.

book

Article ID: 175787

calendar_today

Updated On:

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

 

Insight is a technology included with Symantec Protection Engine (SPE) which performs SHA256 hash matching requests to external Symantec servers for Portable Executable (PE) files.  In some instances the process fails to complete with an error.

 

 

Scanner:  Insight 

ResultID:  17

RESULT_INSIGHT_INTERNAL_ERROR

 

Cause

 

When a scan request is sent to the Symantec Protection Engine there are several different evaluations performed against each file.  For the purposes of Insight the following occurs:

  1. Received file is SHA256 hashed and checked against the exclude from Insight list.
  2. File is passed to the AV scanning engine and processed with Virus definitions.
  3. A connection is made to external Symantec Insight servers and the SHA256 hash of the file is sent to determine if it is a known file

In nearly all circumstances a ResultID 17 indicates the external Symantec server had an issue completing the request.  As a response the server sends back RESULT_INSIGHT_INTERNAL_ERROR which Symantec Protection Engine assigns to the code pair Insight:17.

 

Resolution

 

There is an expectation that a small percentage of requests will not be successful resulting in an Insight ID 17 return.  Since the files are scanned prior to the Insight evaulation by AV definitions there is very little risk if the virus definitios are current.

The situation to be concerned about is as follows:

  • All Portable Executable (PE) files continuously fail with Insight ID 17.

 

If the above is true, it is recommended to contact Symantec Support.  There is a possibility of an Insight server outage or some currently unknown cause that can result in Insight ID 17 error returns.

By default Symantec Protection Engine logging does not log successful scans.  To determine if the above scenario applies please ensure that logging is set to "Verbose" level and that all Portable Executable (PE) files are resulting in Insight ID 17.