After upgrading Endpoint Protection clients to 14.3 RU4+ there is an increase of unproven detections

Article ID: 256019

Products

Endpoint Protection
Endpoint Security

Issue/Introduction

After upgrading Symantec Endpoint Protection (SEP) clients to 14.3 RU4+ there is an increase of the following detections:

Unproven.Insight
Unproven.Insight.S
Unproven.NewFile
Unproven.LowPrevalence 

Environment

Symantec Endpoint Protection 14.3 RU4+
Symantec Endpoint Security 14.3 RU4+

Cause

Starting with 14.3 RU4, WS.Reputation.1 and Unproven.Insight detections were split. WS.Reputation.1 is now reserved for Download Insight (DI) blocking detections, and Unproven.Insight is reserved for User Decision detections. If a user is logged in when the detection occurs, they are prompted to Allow or Block the file. If no decision is made within 180 seconds, the detected file is quarantined. A file the user allows is logged as Unproven.Insight.S; a file the user blocks is logged as Unproven.Insight.

Prior to 14.3 RU5, if Network Intrusion Prevention was not installed, the Download Insight (DI) sensitivity level was restricted to <1>. At DI sensitivity level <1>, only items with an ultra-high confidence level of being malicious are detected and blocked.

In 14.3 RU5 this restriction was removed, so DI now follows the level defined in the policy. In most cases this means the level is now <5>, at which unproven files may be detected by DI.

Unproven.Insight, Unproven.NewFile, and Unproven.LowPrevalence detections trigger on any file that is unknown, has a very low-confidence reputation, and/or has a very low in-field prevalence or age.
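A small triage helper, added here as an example and not part of the article or of Symantec's tooling, that applies the naming scheme above to an exported risk log: it counts each detection name and lists the files users chose to Allow at the prompt (logged as Unproven.Insight.S), since those unknown files are now running and are the ones worth reviewing first. The CSV column names and the sample rows are constructed for this example, not a real SEPM export.

```python
import csv
from collections import Counter
from io import StringIO

# Meaning of each detection name as described in this article.
# Unproven.Insight.S = the user clicked Allow at the prompt, so the
# unknown file is now on the endpoint and deserves a second look.
DETECTION_MEANING = {
    "WS.Reputation.1": ("Download Insight block", False),
    "Unproven.Insight": ("user decision: blocked (or 180 s timeout)", False),
    "Unproven.Insight.S": ("user decision: ALLOWED", True),
    "Unproven.NewFile": ("unknown / newly seen file", False),
    "Unproven.LowPrevalence": ("very low in-field prevalence or age", False),
}

# Constructed sample of a risk-log CSV export. The column names are an
# assumption made for this example, not the real SEPM export format.
SAMPLE_LOG = """\
Risk Name,Computer Name,File Path,Action
Unproven.Insight,WS-01,C:\\Users\\a\\Downloads\\tool.exe,Quarantined
Unproven.Insight.S,WS-02,C:\\Users\\b\\Downloads\\setup.exe,Allowed by user
WS.Reputation.1,WS-03,C:\\Users\\c\\Downloads\\dropper.exe,Deleted
Unproven.LowPrevalence,WS-01,C:\\Temp\\helper.dll,Quarantined
Unproven.Insight.S,WS-04,C:\\Users\\d\\Downloads\\setup.exe,Allowed by user
Trojan.Gen.2,WS-05,C:\\Temp\\x.exe,Quarantined
"""


def triage(csv_text):
    """Count detections by name and list files that users chose to allow."""
    counts = Counter()
    review = []
    for row in csv.DictReader(StringIO(csv_text)):
        name = row["Risk Name"]
        counts[name] += 1
        meaning, needs_review = DETECTION_MEANING.get(name, ("other", False))
        if needs_review:
            review.append((row["Computer Name"], row["File Path"], meaning))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    for name, n in counts.most_common():
        label = DETECTION_MEANING.get(name, ("other", False))[0]
        print(f"{n:3d}  {name:24s} {label}")
    print("\nUser-allowed unproven files to review:")
    for host, path, meaning in review:
        print(f"  {host}: {path} ({meaning})")
```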

Resolution

There are options available to tune DI to meet the environment's needs:

(On-Prem SEPM manager - within the Virus and Spyware Protection policy, under Download Protection)

  • For Unproven Files, the action can be configured to Quarantine, Delete risk, Log only, Prompt (default), or Ignore
  • The DI sensitivity level can be configured to <4>, which allows DI to detect and block items with a medium confidence level of being malicious and below

         See: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/customizing-the-virus-and-spyware-scans-that-run-o-v43098005-d49e1253/customizing-download-insight-settings-v43545665-d49e3484.html

(Symantec Endpoint Security (SES) - within the Antimalware Policy (cloud managed) or the Intensive Protection Policy (Hybrid managed / On-Prem SEPM manager, cloud enrolled))