After upgrading Symantec Endpoint Protection (SEP) clients to 14.3 RU4 or later, there is an increase in the following detections:
Unproven.Insight
Unproven.Insight.S
Unproven.NewFile
Unproven.LowPrevalence
Symantec Endpoint Protection 14.3 RU4+
Symantec Endpoint Security 14.3 RU4+
Starting with 14.3 RU4, WS.Reputation.1 and Unproven.Insight detections were split. WS.Reputation.1 is now reserved for Download Insight (DI) blocking detections, and Unproven.Insight detections are reserved for User Decision detections. If a user is logged in when the detection occurs, they are prompted to Allow or Block the file. If no decision is made within 180 seconds, the detected file is quarantined. A file the user allows is logged as Unproven.Insight.S; a file the user blocks is logged as Unproven.Insight.
Prior to 14.3 RU5, if Network Intrusion Prevention was not installed, the Download Insight (DI) sensitivity level was restricted to <1>. At DI sensitivity level <1>, only files with an ultra-high confidence of being malicious are detected and blocked.
In 14.3 RU5 this restriction was removed, so DI now follows the level defined in the policy. In most cases this means the level is now <5>, and unproven files may therefore be detected by DI.
Unproven.Insight, Unproven.NewFile and Unproven.LowPrevalence detections trigger on any file that is unknown, has a very low-confidence reputation, has a very low in-field prevalence, or is very new.
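The increase is easier to act on when it is broken down by detection name and by how often the same file recurs. The following Python script is an added example for this article; it is not part of the article or of Broadcom's tooling. It tallies the reputation-based detections from a SEPM risk log exported as CSV, labels each name with the meaning described above, and lists files blocked as Unproven.* on several hosts as candidates to review for a DI exception. The column names ('Risk Name', 'Action Taken', 'File Path', 'Computer Name') are assumptions and the sample rows are constructed; adjust the names to match your own export.

```python
"""Triage an exported SEPM risk log for the detections discussed above.

Added example for this article; it is not part of the article or of
Broadcom's tooling. Assumptions: the export is a CSV with the columns
'Risk Name', 'Action Taken', 'File Path' and 'Computer Name' (assumed
names; adjust to your export), and SAMPLE_EXPORT is constructed data.
"""
import csv
import io
from collections import Counter, defaultdict

# What each detection name means after the 14.3 RU4 split, per the article.
MEANING = {
    "WS.Reputation.1": "Download Insight block",
    "Unproven.Insight": "User Decision detection: file blocked",
    "Unproven.Insight.S": "User Decision detection: file allowed by the user",
    "Unproven.NewFile": "Unknown or very new file",
    "Unproven.LowPrevalence": "File with very low in-field prevalence",
}

# Constructed sample rows, not real log data.
SAMPLE_EXPORT = """\
Risk Name,Action Taken,File Path,Computer Name
WS.Reputation.1,Quarantined,C:\\Users\\a\\Downloads\\setup.exe,WS01
Unproven.Insight.S,Allowed,C:\\Users\\b\\Downloads\\tool.exe,WS02
Unproven.Insight,Quarantined,C:\\Tools\\build.exe,WS03
Unproven.Insight,Quarantined,C:\\Tools\\build.exe,WS04
Unproven.LowPrevalence,Quarantined,C:\\Users\\d\\AppData\\Local\\Temp\\x.exe,WS05
Trojan.Gen.2,Quarantined,C:\\Users\\e\\Downloads\\bad.exe,WS06
"""


def is_reputation_detection(name):
    """True for the names affected by the RU4 split and the RU5 DI level change."""
    return name == "WS.Reputation.1" or name.startswith("Unproven.")


def summarize(csv_text):
    """Count reputation-based detections by name, ignoring signature detections."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_reputation_detection(row["Risk Name"]):
            counts[row["Risk Name"]] += 1
    return dict(counts)


def exception_candidates(csv_text, min_hosts=2):
    """Paths blocked as Unproven.* on at least min_hosts distinct hosts.

    A low-reputation file that recurs across hosts is often an internal tool
    or installer worth reviewing for a DI exception. This is a triage
    heuristic, not a verdict on the file.
    """
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Risk Name"]
        # Unproven.Insight.S means the user already allowed the file.
        if name.startswith("Unproven.") and name != "Unproven.Insight.S":
            hosts[row["File Path"]].add(row["Computer Name"])
    return sorted(
        (path, len(h)) for path, h in hosts.items() if len(h) >= min_hosts
    )


def report(csv_text):
    """Print counts with their meaning, then the exception candidates."""
    for name, n in sorted(summarize(csv_text).items()):
        print(f"{n:4d}  {name:<24} {MEANING.get(name, '')}")
    for path, n in exception_candidates(csv_text):
        print(f"review for exception: {path} (blocked on {n} hosts)")


if __name__ == "__main__":
    report(SAMPLE_EXPORT)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents. Signature detections such as the constructed Trojan.Gen.2 row are deliberately left out of the tally, so the numbers reflect only the reputation-based names whose volume changed with RU4 and RU5.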
There are options available to tune DI to meet the environment's needs:
(On-premises SEPM: within the Virus and Spyware Protection policy, under Download Protection)
See: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/customizing-the-virus-and-spyware-scans-that-run-o-v43098005-d49e1253/customizing-download-insight-settings-v43545665-d49e3484.html
(Symantec Endpoint Security (SES): within the Antimalware policy (cloud managed) or the Intensive Protection policy (hybrid managed / on-premises SEPM enrolled in the cloud))