You want to understand how Insight Lookup, sometimes also called CloudScan or Cloud Scan, works in Symantec Endpoint Protection 12.1.x (SEP 12.1).
You see repeated detections identified as WS.Reputation.1.
Symantec Insight uses reputation security technology that tracks billions of files from millions of systems to identify new threats as they are created. Based on advanced data mining techniques, Insight seeks out changing encryption and mutating code. Insight separates files at risk from those that are safe, for faster and more accurate malware detection. For more information, please see the short video Symantec Endpoint Protection 12: Insight or Symantec - Reputation Based Protection.
Insight Lookup occurs during any user- or administrator-defined scan. Some caveats do apply.
Insight Lookup normally applies to running processes, not files. For instance, in a cloud scan, processes are scanned rather than files.
You can force an Insight Lookup with a right-click scan directly on the target file. Note that a right-click scan does not provide Insight Lookup behavior equivalent to what happens when files are accessed via portals (applications that can download and execute files).
When a right-click scan is initiated on a selected file, a cloud connection to Symantec can occur if deemed appropriate by the Symantec Endpoint Protection (SEP) client. This scan is strictly used to check for known bad files, so it's a close equivalent to checking the file against the very latest virus and spyware protection definitions Symantec has available, even before Symantec has published them to customers via certified definitions.
The right-click scan does not do an Insight Lookup that provides detection against unknown samples (i.e. new and mutating threats that are not currently on the Symantec blacklist). To prevent performance issues, right-click scans on folders or drives do not use Insight Lookup.
To exclude an application or file from Insight Lookup, you must set an application exclusion.
To set an exclusion in Symantec Endpoint Protection Manager (SEPM), a client must have already detected the file at least once and forwarded the information to Symantec Endpoint Protection Manager so that the detected application shows in the application list. You should install Symantec Endpoint Protection on a client computer that is representative of all the applications in your environment and run a full scan so that the Symantec Endpoint Protection Manager receives information about these applications. Once those applications show on the detected list, you can correctly set an application exclusion for the file.
To set an Insight Lookup exclusion from the Symantec Endpoint Protection Manager
- Click Policies > Exceptions.
- In the right pane, double-click your Exceptions policy to edit it.
- Click Exceptions.
- Click Add > Windows Exceptions > Application.
- From the list of detected applications, click the application you wish to exclude.
- Set the Action to Ignore.
- Click OK, and then click OK again to save the policy change.
To set an Insight Lookup exclusion from the Symantec Endpoint Protection client
- Click Change Settings.
- Next to Exceptions, click Configure Settings.
- Click Add > Application Exception.
- Browse to and then click the file you wish to exclude.
- Click OK, and then click Close to save the change.
Additional information on Insight can be found at http://go.symantec.com/insight