Insight is a technology included with Symantec Protection Engine (SPE) which performs SHA256 hash matching requests to external Symantec servers for Portable Executable (PE) files. In some instances the process fails to complete with an error.
When a scan request is sent to the Symantec Protection Engine there are several different evaluations performed against each file. For the purposes of Insight the following occurs:
Received file is SHA256 hashed and checked against the exclude from Insight list.
File is passed to the AV scanning engine and processed with Virus definitions.
A connection is made to external Symantec Insight servers and the SHA256 hash of the file is sent to determine if it is a known file
In nearly all circumstances a ResultID 17 indicates the external Symantec server had an issue completing the request. As a response the server sends back RESULT_INSIGHT_INTERNAL_ERROR which Symantec Protection Engine assigns to the code pair Insight:17.
There is an expectation that a small percentage of requests will not be successful resulting in an Insight ID 17 return. Since the files are scanned prior to the Insight evaulation by AV definitions there is very little risk if the virus definitios are current.
The situation to be concerned about is as follows:
If all Portable Executable (PE) files continuously fail with Insight ID 17 it would be recommended to contact Symantec Support. There is a possibility of an Insight server outage or some currently unknown other cause that can generate Insight ID 17 returns.
By default Symantec Protection Engine logging does not log successful scans. To determine if the above scenario applies please ensure that logging is set to "Debug" level and that all Portable Executable (PE) files are resulting in Insight ID 17.
Subscribing will provide email updates when this Article is updated. Login is required.