Endpoint Protection Download Insight is blocking an internally developed program


Article ID: 155316

Products

Endpoint Protection

Issue/Introduction

You regularly develop executable programs that are blocked by Symantec Endpoint Protection (SEP) Download Insight (DI). The executables are downloaded from an internal server, and you consider the detections to be false positives (FPs).

The Download Insight pop-up says that the file is malicious and that the download was blocked.

Cause

Download Insight makes decisions based on file reputation. A quick illustration is given in Symantec Endpoint Protection 12: Demonstration of Insight Reputation Technology.

Any new, previously unknown file that is internally developed by a company is likely to trigger reputation-based detections. For more information, see:

How Symantec Endpoint Protection uses reputation data to make decisions about files

Exclusion Guidelines for Symantec Endpoint Protection 12.1

Environment

SEP 12.x and 14.x

Resolution

Several solutions are possible:

  1. Digitally sign the binaries. To prevent false positive detections we strongly recommend that you digitally sign your software with a Class 3 digital certificate. Code signing from a recognized and trusted Certificate Authority provides explicit third-party confirmation of the publisher's identity. It also helps ensure the integrity of the application, since a valid signature indicates that the code has not been tampered with since it was signed. The Symantec whitepaper discusses the topic further and includes best practices for digitally signing your software.

  2. Add the web domain as trusted:
     1. Add the web domain to the trusted sites in the Internet browser, and make sure that "Automatically trust any file downloaded from an intranet web site" is ticked in the policy: select the Virus and Spyware Protection Policy that applies to the affected machines, click "Download Insight" on the left, and make sure the last option is ticked.

     Note: mostly useful if several programs are being developed and their names keep changing. The Internet browser on each machine must be configured locally. Any download from that domain will be allowed. Other technologies that use file reputation will still scan the file.

  3. Use the Exceptions policy to make exclusions:
     1. For specific applications: go to Policies > Exceptions > click the policy in use for the affected machines > right-click > Edit > Exceptions > Add > Windows Exceptions > Application > Add an Application to Monitor > type the application name and click Add (the application can take several hours to appear on the list) > repeat the steps from Add > Windows Exceptions, and when the application appears on that list you will be able to select the "Allow" action in the drop-down below.
        Note: A new exclusion must be added every time a new application is to be downloaded. Exclusions apply to all technologies, not just to Download Insight.
     2. For a specific web domain: repeat the steps above, selecting Add > Windows Exceptions > Trusted Web Domain, and insert the relevant web domain.

     Note: All communications from that web domain will be trusted, as the exception is taken into account by all technologies. Especially useful if several applications are being developed and their names keep changing. Local configuration in Internet browsers is not necessary.

  4. Submit the file(s) to Symantec and report them as false positives. Symantec will analyze the files and, if it is confirmed that they can be trusted, the file reputation database will be updated accordingly. Especially useful if the files are programs that will be distributed to other companies. The submission link is: https://symsubmit.symantec.com/
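As an added example for solution 1 (this is not code from the original article), the following PowerShell pre-publish check signs every binary in a build output folder and independently verifies each signature before the files are placed on the internal download server. The build folder, the certificate store location and the timestamp service URL are assumptions.

```powershell
# Added example, not from the original article: sign everything in the build
# output folder and verify each signature before publishing to the internal server.
# Assumptions: a code-signing certificate is installed in Cert:\CurrentUser\My,
# $BuildDir is your build output, and $TimestampUrl is your CA's RFC 3161
# timestamp service (placeholder value below).
param(
    [string]$BuildDir     = 'C:\build\out',                    # assumed path
    [string]$TimestampUrl = 'http://timestamp.example.invalid'  # placeholder
)

# Pick an unexpired certificate that carries the Code Signing EKU.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate in Cert:\CurrentUser\My' }

$failed   = @()
$binaries = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll, *.msi

foreach ($bin in $binaries) {
    # SHA-256 signature with a timestamp, so it stays valid after the certificate
    # expires; -IncludeChain NotRoot embeds the intermediate CA certificates.
    $sig = Set-AuthenticodeSignature -FilePath $bin.FullName -Certificate $cert `
               -HashAlgorithm SHA256 -TimestampServer $TimestampUrl -IncludeChain NotRoot
    if ($sig.Status -ne 'Valid') {
        $failed += "$($bin.FullName): signing failed ($($sig.StatusMessage))"
        continue
    }

    # Independent re-read. 'Valid' means the file hash matches the signature and the
    # signer chains to a root this machine trusts. NotSigned, HashMismatch or
    # NotTrusted would still look like an unknown file to Download Insight.
    $check = Get-AuthenticodeSignature -FilePath $bin.FullName
    if ($check.Status -ne 'Valid' -or
        $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        $failed += "$($bin.FullName): verification failed ($($check.Status))"
    }
}

if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Error $_ }
    exit 1   # fail the publish step
}
Write-Host "Signed and verified $($binaries.Count) file(s) in $BuildDir; safe to publish."
```

Run the same Get-AuthenticodeSignature check on a client machine as well: a chain that is valid only on the build host (for example, an internal CA root that is not installed on the clients) reports NotTrusted there and does not help.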


Additional information for software developers can be found in the Medium article "Why security software misfires, and 6 things software authors can do about it".