How the Insight Lookup process works

Article ID: 155027

Products: Endpoint Protection, Network Access Control

Issue/Introduction

You want to understand how Insight Lookup, sometimes also called CloudScan or Cloud Scan, works in Symantec Endpoint Protection (SEP).

You see repeated detections identified as WS.Reputation.1.

Resolution

Symantec Insight uses reputation security technology that tracks billions of files from millions of systems to identify new threats as they are created. Based on advanced data mining techniques, Insight seeks out changing encryption and mutating code. Insight separates files at risk from those that are safe, for faster and more accurate malware detection.

Insight Lookup occurs during any user-defined or administrator-defined scan. Some caveats do apply.

Insight Lookup normally applies to running processes, not files. For instance, in a cloud scan, processes are scanned rather than files.

You can force an Insight Lookup with a right-click scan directly on the target file. Note that a right-click scan does not provide the same Insight Lookup behavior that occurs when files are accessed through portals (applications that can download and execute files).

When a right-click scan is initiated on a selected file, a cloud connection to Symantec can occur if deemed appropriate by the Symantec Endpoint Protection (SEP) client. This scan is strictly used to check for known bad files, so it's a close equivalent to checking the file against the very latest virus and spyware protection definitions Symantec has available, even before Symantec has published them to customers via certified definitions.

The right-click scan does not perform the kind of Insight Lookup that provides detection of unknown samples (i.e. new and mutating threats that are not currently on the Symantec blacklist). Right-click scans on folders or drives do not use Insight Lookup at all, to avoid performance issues.

To exclude an application or file from Insight Lookup, you must set an application exclusion.

To set an exclusion in Symantec Endpoint Protection Manager (SEPM), a client must have already detected the file at least once and forwarded the information to Symantec Endpoint Protection Manager, so that the detected application shows in the application list. You should install Symantec Endpoint Protection on a client computer that is representative of all the applications in your environment and run a full scan, so that the Symantec Endpoint Protection Manager receives information about these applications. Once those applications show in the detected list, you can correctly set an application exclusion for the file.

To set an Insight Lookup exclusion from the Symantec Endpoint Protection Manager

  1. In the Symantec Endpoint Protection Manager console, in the left pane, click Policies > Exceptions.
  2. In the right pane, double-click your Exceptions policy to edit it.
  3. Click Exceptions.
  4. Click Add > Windows Exceptions > Application.
  5. From the list of detected applications, click the application you wish to exclude.
  6. Set the Action to Ignore.
  7. Click OK, and then click OK again to save the policy change.

To set an Insight Lookup exclusion from the Symantec Endpoint Protection client

  1. In the Symantec Endpoint Protection client user interface, in the left pane, click Change Settings.
  2. Next to Exceptions, click Configure Settings.
  3. In the Exceptions window, click Add > Application Exception.
  4. Browse to and then click the file you wish to exclude.
  5. Click OK, and then click Close to save the change.