
After upgrading to 14.3 RU5, Unproven.Insight detections are noticed in the environment


Article ID: 253496


Products

Endpoint Protection

Issue/Introduction

After upgrading to Symantec Endpoint Protection 14.3 RU5, an increased number of Unproven.Insight detections is being quarantined in the environment.

Environment

Symantec Endpoint Protection 14.3 RU5

Cause

Prior to 14.3 RU5, if Network Intrusion Prevention was not installed, the Download Insight (DI) sensitivity level was restricted to <1>. At DI sensitivity level <1>, only items rated malicious with an ultra-high confidence level are detected and blocked.

In 14.3 RU5, this restriction was eliminated, so DI now follows the level defined in the policy. In most cases, this means the level is now <5>, and unproven files may be detected by DI.

Resolution

There are options available to tune DI to meet the environment's needs:

  • For Unproven Files, the action can be configured to Log-Only or Ignore
  • DI sensitivity level can be configured to <4>, which allows DI to detect and block items with a medium confidence level of malicious and below
  • Submit files for whitelisting or create exceptions

See: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/customizing-the-virus-and-spyware-scans-that-run-o-v43098005-d49e1253/customizing-download-insight-settings-v43545665-d49e3484.html

Additional Information

CRE-11729