How does the Advanced Download Protection (Download Insight) feature of Symantec Endpoint Protection (SEP) function?
Advanced Download Protection (Download Insight) is a new advanced protection feature included with the SEP client. This feature allows the SEP client to leverage Symantec's Cloud-based reputation database when files are downloaded or executed directly from popular Web browsers.
Download Insight scans all Portable Executable (PE) and MSI files (including .bat, .com, .dll, .drv, .exe, .msi, .ocx, .sys, etc.) when they are downloaded through or launched by a portal application.
Web browsers like Internet Explorer and Firefox are supported portal applications.
Download Insight is a protection technology based solely on the reputation of files (no signature or behavioral analysis is performed by Download Insight).
AutoProtect is the driver responsible for the reputation scanning functionality of Download Insight.
Download Insight uses the SEP client's Client Intrusion Detection System (CIDS) to retrieve information about files being accessed.
Download Insight detection flow
Download Insight scanning occurs as a normal part of the AutoProtect component when files are downloaded through a supported portal application. It is possible for a downloaded application to be flagged as a possible threat by Download Insight and also to trigger the local Antivirus definitions; in that case the threat is remediated using the Eraser engine.
1. An executable file is created by a known portal application.
2. The file is scanned by AutoProtect using the local SEP client's AntiVirus (AV) definitions.
3. The file is scanned for reputation.
4. AutoProtect notifies the SEP client of the reputation results.
5. The SEP client displays a notification that the file is being scanned/remediated.
6. The SEP client initiates the remediation process (Eraser remediation for AV detections, CloudScan notification for reputation detections).
7. Once the remediation process is complete, a dialog box is presented to the user with the results of the scan.
Note: Antivirus and Antispyware ONLY installations do not install the CIDS (IPS) driver, which reduces some of the functionality of Download Advisor. Download Advisor will be locked to level 1 and Trusted Web Domain exclusions will be unavailable.
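The following is an added illustration of the detection flow and the note above, not Symantec code: it models the order of checks (portal application, PE/MSI file type, local AV definitions, then reputation) and which remediation path each outcome takes. The scanners and reputation table are stubs with constructed data, the MZ/OLE header checks and the rule that a Trusted Web Domain exclusion skips the reputation step are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass

# Constructed values for the example; not Symantec data or definitions.
PORTAL_APPS = {"iexplore.exe", "firefox.exe"}          # browsers named in the article
SCANNED_EXTENSIONS = {".bat", ".com", ".dll", ".drv", ".exe", ".msi", ".ocx", ".sys"}
PE_MAGIC = b"MZ"                                        # PE image header (assumed check)
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"         # OLE compound file used by MSI (assumed check)

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

SAMPLE_AV_HIT = b"MZ" + b"constructed-av-detected-sample"
SAMPLE_BAD_REP = b"MZ" + b"constructed-low-reputation-sample"
AV_DEFINITIONS = {_sha256(SAMPLE_AV_HIT)}               # stand-in for local AV definitions
REPUTATION = {_sha256(SAMPLE_BAD_REP): "bad"}           # stand-in for the cloud reputation lookup

@dataclass
class Download:
    creator: str        # process that created the file on disk
    name: str
    content: bytes
    domain: str         # web domain the file was downloaded from

def in_scope(d: Download) -> bool:
    """Only PE/MSI-type files created by a portal application are examined (step 1)."""
    if d.creator.lower() not in PORTAL_APPS:
        return False
    ext = ("." + d.name.rsplit(".", 1)[-1].lower()) if "." in d.name else ""
    return d.content.startswith((PE_MAGIC, MSI_MAGIC)) or ext in SCANNED_EXTENSIONS

def download_insight(d: Download, cids_installed: bool, trusted_domains: set) -> str:
    """Return the remediation path the article describes for this download."""
    if not in_scope(d):
        return "not scanned"
    digest = _sha256(d.content)
    if digest in AV_DEFINITIONS:                          # step 2: local AV definitions
        return "Eraser remediation"
    # Trusted Web Domain exclusions require the CIDS (IPS) driver, which AV-only
    # installations lack; without it the exclusion list is ignored (article note).
    if cids_installed and d.domain in trusted_domains:
        return "allowed (trusted domain)"
    if REPUTATION.get(digest, "unknown") == "bad":        # step 3: reputation lookup
        return "CloudScan notification"
    return "allowed"
```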
In most cases, the detection/remediation process takes a long time (more than 10 seconds) to complete.
While the detection/remediation work is taking place, a small notification is displayed at the bottom right corner of the screen once an anomaly is detected.
The default duration of this notification is 8 seconds, and it disappears automatically.
Once the detection has been remediated, a dialog is displayed with detailed information about the detection (URL, file name, detection information, and actions taken by the SEP client).
Imported Document ID: TECH171776