Does Endpoint Protection always use reputation to detect malicious files?

A Symantec Endpoint Protection (SEP) client reports a missed detection for a malicious file. The Symantec Endpoint Protection client on this computer has Auto-Protect enabled, but not Download Insight or SONAR or any other component. A malicious file downloaded but did not trigger any Symantec Endpoint Protection detection, and the computer became infected. However, when you run a manual scan with the same antivirus definitions, the scan detects the file as Suspicious.Cloud.5. You want to know why Auto-Protect did not block the file before it infected the computer.  

With the specific configuration in place as described, this is working as designed.

• Symantec Endpoint Protection Auto-Protect does not use full reputation with every scan. It can use reputation to block malicious downloads as part of the optional Download Insight feature.
• Symantec Endpoint Protection  scheduled/manual scans can use reputation, if configured to do so.
• Also, Symantec Endpoint Protection SONAR can use reputation as part of its defenses.

Manual and Scheduled scans can use full internal (IRON) and cloud-based community/Symantec reputation information as part of their scans, when configured to do so. (When Insight Lookup is enabled, these scans use the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files.) For more information, see Customizing the virus and spyware scans that run on Windows computers.

Download Insight is an optional/add-on Auto-Protect feature. It is purely reputation based. If there is no reputation in use (or no Auto-Protect), then Download Insight cannot function. See Managing Download Insight detections.

SONAR (PTP) uses reputation data in addition to heuristics to make detections. It is possible to run SONAR with reputation-checking disabled, but then it is purely heuristic and not as effective. See About SONAR.

Use Symantec Technology and Response (STAR) and Symantec Endpoint Protection (SEP) recommended security settings for Endpoint Protection:

• TECH173752 - Recommended security settings for Endpoint Protection

It's recommended also to reveiw the below article on reputation, explaining how this technology is used by SEP:

• HOWTO80989 - How Symantec Endpoint Protection uses reputation data to make decisions about files

When possible, submit the suspicious.cloud file to Symantec Security Response, so that traditional Anti Virus signatures can be created against it.