After upgrading Endpoint Protection clients to 14.3 RU4+ there is an increase of unproven detections
search cancel

After upgrading Endpoint Protection clients to 14.3 RU4+ there is an increase of unproven detections

book

Article ID: 256019

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Security

Issue/Introduction

After upgrading Symantec Endpoint Protection (SEP) clients to 14.3 RU4+ there is an increase of the following detections:

Unproven.Insight
Unproven.Insight.S
Unproven.NewFile
Unproven.LowPrevalence 

Environment

Symantec Endpoint Protection 14.3 RU4+
Symantec Endpoint Security 14.3 RU4+

Cause

Starting with 14.3 RU4 the decision was made to split WS.Reputation.1 and Unproven.Insight detections. WS.Reputation.1 is now reserved for Download Insight blocking detections. Unproven.Insight detections are reserved for User Decision detections. If users are logged in during the detection they will be prompted with an option to Allow or Block. If a decision is not made within 180 seconds the detected file will be quarantined. If the file is allowed it will show up in the logs as Unproven.Insight.S. If the file is blocked it will show up in the logs as Unproven.Insight.

Prior to 14.3 RU5, if Network Intrusion Prevention was not installed the Download Insight (DI) sensitivity level would be restricted to <1>.  At DI sensitivity level <1> only items with an ultra-high confidence level of malicious are detected and blocked. 

In 14.3 RU5, this restriction was eliminated which means DI now follows the level defined within the policy. In most cases, this means the level is now at <5>. This means that unproven files may be detected by DI.

Unproven.Insight, Unproven.NewFile, or Unproven.LowPrevalence detections will trigger on any file that is unknown or has a very very low-confidence reputation and/or a very low in-field prevalence or age.

Resolution

There are options available to tune DI to meet the environment's needs:

  • For Unproven Files, the action can be configured to Quarantine, Delete risk, Log-Only (log only), Prompt (default) or Ignore
  • DI sensitivity level can be configured to <4>, which allows DI to detect and block items with a medium confidence level of malicious and below
  • Submit files for whitelisting or create exceptions


See:  https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/customizing-the-virus-and-spyware-scans-that-run-o-v43098005-d49e1253/customizing-download-insight-settings-v43545665-d49e3484.html