
Security Response

Insight
Deployment Best Practices

Overview
Symantec Insight is a reputation-based security technology that leverages the anonymous software adoption patterns of Symantec’s hundreds of millions of users to automatically discover and classify every single software file, good or bad, on the Internet. Based on advanced data mining techniques, Insight seeks out mutating code, separating out risky, low-reputation files from those that are safe.

Symantec Endpoint Protection (SEP) uses reputation-based technology to protect you in three ways:

• First, SEP uses Insight to evaluate new files before they are introduced to a protected machine. This feature, called Download Insight, enables SEP to block all low-reputation files when they are introduced and before they can take root and cause damage. Since most malware is introduced via Web surfing, instant messaging, or email, checking the reputation of all such files/attachments before they are saved and used drastically reduces infections on endpoints.

• Second, all of SEP’s security technologies (such as SONAR behavioral protection and Malheur heuristics) now leverage Insight reputation data as a second opinion to improve their accuracy. Just as you would want to get a second opinion from another physician about a potential medical problem, Insight provides a second, community-based assessment to our other security technologies to improve their detection rate and reduce false positives.

Contents
Overview
Creating Effective Insight Policies
False Positive Prevention
Correcting a False Positive

• Third, since Insight can identify trusted, high-reputation files (as well as low-reputation bad files), our product
now uses this data to avoid scanning highly-trusted programs, unless they are modified or change. This typically
results in a reduction of 70-80 percent of scanning overhead while maintaining a higher level of security than
previous products.

This document is separated into three key areas of recommended practices:

• Creating Effective Insight Policies

• False Positive Prevention

• Correcting a False Positive

The “Creating Effective Insight Policies” section provides specific advice on recommended Insight configurations based on your corporation’s specific tolerance for risk. The “False Positive Prevention” section is designed primarily to provide recommendations on how to proactively make sure your files and files from your trusted vendors have a good reputation. The “Correcting a False Positive” section provides information on how to submit a false positive to Symantec for correction or to create Exceptions Policies to eliminate known false positives.

Creating Effective Insight Policies

There are three main functionalities configurable by administrators and users in the Symantec Endpoint Protection Manager (SEPM):

1. Download Insight Configuration: The Download Insight feature helps prevent your users from downloading
low-reputation software onto their machines.

2. Insight Performance Improvements: This SEP feature uses reputation data to prevent wastefully scanning files
with good reputation. This reduces the overhead of the security product without compromising security.

3. Insight Submissions: By submitting anonymous application adoption data to Symantec, you help increase the
accuracy and precision of our reputation system.

1. Download Insight Configuration

What does Download Insight check?

Download Insight is only applied to software files at the time of their introduction (i.e., at the time of download and attempted installation) through typical Internet activities. Download Insight checks:

• New software files as they are downloaded by Internet Explorer, Firefox, Chrome, etc. Both user-downloaded
files and drive-by downloads (not initiated by the user) are checked

• File attachments in emails when users save and/or launch these files from their email readers

• Files sent over Instant Messaging before users can save and launch these files on their computers

• Files downloaded over popular file-sharing programs (e.g., Micro Torrent) before users can save and launch these
files on their computers

Download Insight does not check other software on protected machines, such as applications that are already installed and actively running. It only checks new software at the time it is introduced to a machine (e.g., downloaded). Its goal is to block a high percentage of new malware before it ever has a chance to run, with minimal false positive implications.

You may specify a single Download Insight policy for your entire enterprise OR you may create multiple Download Insight
policies for different corporate divisions (or even for individuals) if your different divisions have different risk tolerances.


How-to: Download Insight configuration settings can be accessed in the SEPM by clicking on Computers -> Policies tab
-> Virus and Spyware Protection Policy -> Download Protection (see Figure 1).

Figure 1


Protection Level Setting

Use this setting to control the file reputation level that Download Insight should consider to be malicious. In general, a lower protection level will yield both a lower false positive rate and a lower detection rate, while higher protection levels provide better protection but tend to have a higher rate of false positives on unknown/new files that have yet to build up a good reputation. Please follow the guide below to change the protection level slider setting.

Levels 1-3: Appropriate for highly FP-averse divisions or test environments that cannot tolerate the blocking of newly downloaded good files that are still building reputation (e.g., new files from little-known publishers). At these levels, malware that is still building reputation may evade detection, but the system is highly unlikely to convict good files at download time.

Levels 4-6: Appropriate for most desktop users downloading normal software. These levels balance FP risk and detection to capture most malware with low FPs. Level 5 is the appropriate threshold for a majority of users and we discourage users from changing the value unless advised by Symantec support personnel.

Levels 7-9: Appropriate for highly secure environments where you wish to “lock down” a server or desktop that does not frequently install new or unproven software. FPs on newly downloaded good files that lack a higher reputation will occur at this level, but very little malware will evade detection.

NOTE: For most enterprises, we recommend the preset default configuration at Protection Level 5. This will block low-reputation software and software still without a reputation (e.g., software that is new and not from a trusted vendor) in addition to blocking files that trigger classic fingerprints or heuristics.

Age & Prevalence Setting


The Download Insight feature also provides administrators the ability to restrict the Age and Prevalence of downloaded
files. We call this feature Policy-Based Lockdown (see Figure 1).

TIP: You may want to institute prevalence/age blocking policies for departments that require a high level of security. For
example, you could block Finance employees from downloading software unless it had at least 1000 users and had been
in the field at least two weeks. Such a policy limits these users to using only proven software. You may also allow files
with lower prevalence/age to reach your IT/Helpdesk department if your IT staff needs to download more arcane tools to
do their jobs.

The Age/Prevalence values that you specify in these fields will differ according to the risk profile and the nature of applications typically downloaded by each organization or division. These Age and Prevalence policies only apply to downloaded files (at the time of download), and they only apply to untrusted software that is not from Symantec-trusted software vendors. This means that software from vendors such as Microsoft, Symantec, Oracle, etc. will not be filtered due to Age or Prevalence criteria. This prevents false positives on downloads from trusted software vendors while ensuring that unproven software from untrusted vendors is blocked.

We also highly recommend that you enable the option to automatically trust any files downloaded from your company’s Intranet websites (see Figure 1). This option allows the Download Insight feature to automatically trust downloads that come from the domains, URLs and IPs published in your organization’s trusted domain/Intranet site list. (These sites are specified in your Trusted Zones list in Internet Explorer; if this option is set, the trusted zone list is automatically imported and used by Download Insight).


Actions Setting
The next step is to configure the actions you want Download Insight to take if it detects a malicious or unknown file being downloaded. The options can be configured through the ‘Actions’ tab in the ‘Download Protection’ window (see Figure 2).
Figure 2


Recommended settings:

• We recommend leaving the action setting for malicious files (files with the lowest reputation) at its recommended default of Quarantine.

• We recommend leaving the action setting for unproven files (i.e., files that still lack a reputation) at the default
‘Prompt’ value. This will warn users against downloading files that lack a solid reputation. SEP will warn users
with a message that you may customize. Users can then decide if they should allow the file onto their systems.

TIP: You can customize the Download Insight warning message to suit your company’s needs. For example: “This file may
violate company policy. If the file is necessary for business purposes and you believe this message is in error, you may
proceed and use the file. Otherwise, using this file may violate company policy and result in disciplinary action.”


If you would prefer to simply quarantine/block unproven files, you can change the action taken for the unproven files to
Quarantine. For example, while you might allow your HelpDesk team to use unproven files (with a warning), you may want
to make sure that your Finance department employees can only install files with a known-good reputation. Therefore,
you can set the unproven file option to ‘Quarantine’ for your Finance department, while leaving this option at ‘Prompt’ for
the HelpDesk department.

NOTE: If you set the option for unproven files to ‘Quarantine’ or ‘Delete’, then the small subset of files that are still building reputation in the Symantec community will be blocked at download time. Note that files authored by vendors trusted by Symantec will not be given an unproven rating and will never fall into this category.
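To make the interaction between the protection level, the Age/Prevalence lockdown, trusted vendors, Intranet trust and the per-department actions concrete, the following is an added model of the decision order (example code, not Symantec’s implementation; the 1-10 reputation scale, the "unproven = no reputation yet" rule and the choice to apply the unproven action to lockdown failures are modelling assumptions). It evaluates constructed Finance and HelpDesk policies against a handful of constructed downloads.

```python
"""Model of a Download Insight decision at download time (added example, not Symantec's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Action(Enum):
    ALLOW = "allow"
    PROMPT = "prompt"          # warn the user with the custom message; user decides
    QUARANTINE = "quarantine"


@dataclass(frozen=True)
class DownloadedFile:
    # Constructed metadata. The 1..10 reputation scale (1 = worst, 10 = best) and
    # None = "unproven" are modelling assumptions, not Symantec's internal scoring.
    name: str
    source_host: str
    reputation: Optional[int]
    age_days: int               # time in the field
    prevalence: int             # community users seen with the file
    trusted_publisher: bool     # signed by a Symantec-trusted vendor


@dataclass(frozen=True)
class DownloadInsightPolicy:
    protection_level: int = 5                 # slider 1..9; the document recommends 5
    min_age_days: Optional[int] = None        # Policy-Based Lockdown: age
    min_prevalence: Optional[int] = None      # Policy-Based Lockdown: prevalence
    malicious_action: Action = Action.QUARANTINE
    unproven_action: Action = Action.PROMPT
    trust_intranet: bool = True
    intranet_hosts: FrozenSet[str] = frozenset()


def evaluate(f: DownloadedFile, p: DownloadInsightPolicy) -> Action:
    """Return the action the policy takes for one newly downloaded file."""
    if not 1 <= p.protection_level <= 9:
        raise ValueError("protection level must be between 1 and 9")
    # Trusted Intranet sites bypass reputation filtering entirely.
    if p.trust_intranet and f.source_host.lower() in p.intranet_hosts:
        return Action.ALLOW
    # Lowest-reputation files are malicious; a higher slider convicts more of them.
    if f.reputation is not None and f.reputation <= p.protection_level:
        return p.malicious_action
    # Trusted-vendor files are never rated unproven and are exempt from age/prevalence.
    if f.trusted_publisher:
        return Action.ALLOW
    if f.reputation is None:
        return p.unproven_action
    # Lockdown: untrusted files that are too new or too rare get the unproven action
    # (modelling assumption).
    too_new = p.min_age_days is not None and f.age_days < p.min_age_days
    too_rare = p.min_prevalence is not None and f.prevalence < p.min_prevalence
    if too_new or too_rare:
        return p.unproven_action
    return Action.ALLOW


INTRANET = frozenset({"intranet.example.corp"})  # constructed trusted-zone entry
# Finance: only proven software (1000 users, two weeks) and quarantine unproven files.
FINANCE = DownloadInsightPolicy(min_age_days=14, min_prevalence=1000,
                                unproven_action=Action.QUARANTINE, intranet_hosts=INTRANET)
# HelpDesk: default slider, no lockdown, prompt on unproven tools.
HELPDESK = DownloadInsightPolicy(intranet_hosts=INTRANET)

SAMPLE_FILES = [  # constructed downloads: name, host, reputation, age, prevalence, trusted
    DownloadedFile("deploy.exe", "intranet.example.corp", None, 0, 1, False),
    DownloadedFile("vendor_update.exe", "vendor.example", 9, 3, 50, True),
    DownloadedFile("newtool.exe", "tools.example", 8, 5, 200, False),
    DownloadedFile("unknown.exe", "files.example", None, 1, 3, False),
    DownloadedFile("dropper.exe", "files.example", 2, 1, 3, False),
]


def decide_all(policy: DownloadInsightPolicy) -> Dict[str, Action]:
    return {f.name: evaluate(f, policy) for f in SAMPLE_FILES}
```

Running `decide_all(FINANCE)` quarantines newtool.exe (too new and too rare) while `decide_all(HELPDESK)` allows it, and the same dropper.exe that level 5 quarantines passes at level 1, which is the FP/detection trade-off the slider table describes.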

As mentioned above, the SEPM console enables the administrator to provide custom warning text to the end user for the
‘Prompt’ option. Typical information filled in this area includes admin contact details and a warning on the enterprise
policy. The same warning will also be displayed if the end user decides to restore a file from the “Quarantine”. The text
can be entered in the ‘Notifications’ tab under ‘Download Protection’ as shown in Figure 3, below.
Figure 3


2. Insight Performance Improvements


The Insight (“scan-less”) feature reduces the overhead of SEP by enabling it to skip the real-time scanning of extremely
high-reputation files, such as Word, Excel, Windows kernel files, and other files that are discovered to have a sterling
reputation. On a typical system, when enabled, this prevents scanning of 70 to 80 percent or more of the applications on
a system, dramatically reducing the overhead of the SEP product when compared with other endpoint security solutions.
Should such a trusted file change–even a flip of a single bit from a 1 to a 0 value, for example–then the file immediately
becomes untrusted and is scanned using all available protection technologies.

HOW-TO: The “scan-less” feature can be configured in SEPM through the management console by clicking on Computers -> Policies tab -> Virus and Spyware Protection Policy -> Global Scan Options (see Figure 4).

Figure 4

Recommended settings: We encourage you to leave the default option set at “Symantec Trusted” for the best performance and security.


3. Insight Submissions
Symantec highly encourages you to anonymously submit your file usage data to Symantec’s secure reputation servers. This feedback enables Symantec’s systems to provide you with better protection. The Insight submission system is designed to comply with the Personally Identifiable Information (PII) regulations of all countries to ensure privacy.

NOTE: Insight submissions require very little bandwidth.

The administrator can enable or disable Insight submissions for SEP client installs via Symantec Endpoint Protection
Manager (SEPM) using two methods:

1. Set the group policy to enable submissions and include it in the client installation package (see Figure 5). You can ensure that your SEP instances are properly submitting telemetry data by leaving the default “File Reputation” option enabled, as highlighted below.

2. If the group policy is not included in the client installation package, then the admin can pre-set the client install
to enable the submissions (see Figure 6). The submissions are controlled via the “Submit reputation information
to Symantec Security Response” option highlighted in the figure.
Figure 5


Figure 6

Symantec Endpoint Protection Client


The Download Insight options may be configured both in SEPM as well as in the client SEP UI. Download Insight can be
accessed in the SEP client by clicking on Change Settings -> Global Settings.

Recommended settings: We highly recommend that administrators disable Download Insight controls at the endpoints.
This will help make sure that the administrator can provide uniform security protection across the organization.


False Positive Prevention


SEP 12.1 will not detect known good files as malware. There are several ways to make sure your good files are known as
‘good’. The following steps will help prevent false positives when using SEP 12.1.

Step 1 – Using Digital Signatures

One of the easiest ways to identify that a file is ‘good’ is to know where it came from and who created it. An important factor in building confidence in a file being ‘good’ is to check its digital signature. Executable files without a digital signature have a higher chance of being identified as ‘unknown’ or low-reputation.

• Custom or home-grown applications should be digitally signed with class three digital certificates

• Customers should insist that their software vendors digitally sign their applications

Step 2 - Add to the Symantec White List

Symantec has a growing white list of over 25 million ‘good’ files. These files are used in testing signatures before they
are published. Their hash values are also stored online and used to avoid false positives on the SEP client via real-time
cloud lookups whenever a file is detected by any of our client security technologies (e.g., SONAR behavioral technology,
a fingerprint, etc.). This white list is a powerful tool for avoiding false positives. Customers and vendors can add files to
this list.

• Software vendors can request that their executable be added to the Symantec white list at https://submit.symantec.com/whitelist/

• BCS Customers can have their system images submitted to the white-listing program here: https://submit.symantec.com/whitelist/bcs.cgi. Symantec provides customers with simple whitelisting tools that can greatly simplify the submission of information on known good files to Symantec.

NOTE: Do not use the above links to correct a false positive. See below for instructions on correcting a false positive.

Step 3 - Test

The initial deployment of SEP 12.1 during beta should include test machines with representative images of the software you run in your environment, including common third-party applications.

• Monitor for potential issues during beta testing

Step 4 - Feedback

Each security technology in SEP 12.1 can collect data that is sent back to Symantec to measure and mitigate false positives via analysis, heuristic training against collected data sets, and custom generic whitelisting.

• Enable automated submission of meta data on detections


Correcting a False Positive


Symantec wants to know about and correct false positives. Having a submission not only allows Symantec to correct a current issue, it also allows us to study the causes of the false positive to avoid similar files from having issues in the future.

Step 1 - Submit

False positive submissions can be made immediately to Symantec via a Web form.

• All suspected false positives should be submitted to https://submit.symantec.com/false_positive/. It is critical for resolution of Reputation (Download Insight) false positives that the file or the SHA256 value of the file be included with the submission. (The hash value of a file is also presented in notices on client third-party tools.)

• False positives should not be submitted via the malware submission system. This is a change in procedure and not specific to SEP 12.1. The URL above should be used to report false positives, no matter which product is involved.

Once the submission has been processed and the file whitelisted by Symantec, the quarantine rescan feature will automatically restore the file out of quarantine.

Step 2 - Exclude

SEP 12.1 supports multiple ways to exclude good files from detection. Exclusions can be performed from the SEP management console to mitigate false positives enterprise-wide.

• You may exclude files downloaded from known, trusted domains (e.g., your corporation’s Web domain or your
company’s vendors’ domains) from Download Insight detections (see Chapter 20 of the SEP Implementation
Guide)

• You may add exclusions/exceptions in SEPM for critical files, directories or URLs/IPs

Adding Exceptions
Administrators can add new exceptions for files (e.g., “File X is always safe”) or domains (e.g., “All files downloaded from
domain http://somedomain.com are safe”) in two ways:

1. Define Exceptions Policy

To add a single or small number of domain/file exclusions, use the Exceptions Policy screens in SEPM. The Exceptions
Policy can be used, for example, to add a new exclusion for an internally developed enterprise application. It can also be
used to whitelist the domain of a new enterprise vendor that hosts trusted applications used by employees.

HOW-TO: To add one or more files/domains to the Exceptions Policy, administrators can do so from SEPM through the management console by clicking on Computers -> Policies tab -> Exceptions -> Add an Exceptions Policy. Exceptions can be created to always trust a “File” or a “Web Domain” (see Figure 7 and Figure 8).


Figure 7

Figure 8


2. Use Risk Log to View Recent Download Insight Blocking Events

Administrators can also use SEPM Risk Log to review Download Insight blocking events in order to identify and address
recent false positives encountered by their employees. The Risk Log includes every blocking event from every endpoint
in the enterprise, and includes files blocked by our classic fingerprint-based antivirus scanner, our SONAR behavioral
engine, and our new Insight technology.

HOW-TO: To review recent blocking events, administrators can navigate to the Risk Log section of the SEPM console. Click on Monitors -> Logs -> Risk (under Log type) -> View Log button (see Figure 9). Insight-blocked files can be identified by their “WS.Reputation.1” name in the “Risk Name” column of the table (see Figure 10). For each such Insight-blocked file, SEPM also displays the domain or IP address from where the file was downloaded (e.g., 183.168.232.137 or http://www.website.com).

Figure 9

TIP: If the “Risk Logs” show many malicious downloads blocked by Insight, you can select to view block events “By Application” or “By Web Domain” (see Figure 10).

Figure 10


By Application
If you select the view “By Application” option, you can get a list of all unique files that were blocked across the enterprise as well as the prevalence of each such blocked file. This data helps identify any high-prevalence malware that may be affecting employees. It also lets you identify high-prevalence false positives on good files. You may order this list by the prevalence of each false positive by clicking on the “Count” tab. This will allow you to quickly identify all high-prevalence false positives that are affecting users. The Risk Log provides a view of blocked files (ordered by prevalence) and enables rapid whitelisting of such high-prevalence false positives. This process will be described in more detail below.

HOW-TO: To permanently allow (whitelist) a file across the enterprise, click on the “+” sign in the “Action” column for a
particular file and select “Allow Application” from the drop-down list (see Figure 11). Future downloads of the selected file
will no longer be blocked.

Figure 11

By Web Domain
Selecting to view events “By Web Domain” will provide a list of domains from which your employees downloaded blocked files. These domains could either be malicious domains or potentially legitimate domains of vendors that host lower-reputation files. This view may also reveal that legitimate files from trusted vendors’ websites are being blocked by Download Insight because they have a low reputation. If so, you might want to whitelist these domains so that Download Insight will no longer block the site. You can easily identify the highest-prevalence false positives by clicking on the “Count” tab. This will place those domains with the highest number of blocked files first, enabling rapid whitelisting of your important domains. The Risk Log also provides such a view and enables rapid whitelisting of such high-prevalence domains.

HOW-TO: To permanently allow downloads from a domain, click the “+” sign in the “Action” column for that domain and select “Trust Web Domain” from the drop-down list (see Figure 12). Future downloads from the selected domain will no longer be blocked based on Insight reputation.

NOTE: Whitelisting a domain will not prevent our other technologies (e.g., fingerprints) from blocking files downloaded
from such a domain. This will only override our Insight reputation rating for files downloaded from such a domain.
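The “By Application” and “By Web Domain” triage above can be reproduced offline from a log export, which is useful when deciding which high-prevalence entries to review before creating an “Allow Application” or “Trust Web Domain” exception. The following is an added example over a constructed export (not SEPM’s export format or code; only the “Risk Name” column and the WS.Reputation.1 name come from the document, the other column headers are assumptions). It keeps only Insight events and counts affected endpoints and blocking events per file name and per download host.

```python
"""Triage of a constructed Risk Log export (added example, not SEPM's own format or code)."""
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

INSIGHT_RISK_NAME = "WS.Reputation.1"   # the Risk Name Download Insight blocks carry

# Constructed sample export. Only the "Risk Name" column name comes from the
# document; the other headers are assumptions about an export layout.
SAMPLE_RISK_LOG = """\
Computer,Risk Name,Application,Download Site,Action Taken
fin-pc-01,WS.Reputation.1,C:\\Users\\a\\Downloads\\reportgen.exe,http://www.website.com/dl/reportgen.exe,Quarantined
fin-pc-02,WS.Reputation.1,C:\\Users\\b\\Downloads\\reportgen.exe,http://www.website.com/dl/reportgen.exe,Quarantined
hd-pc-01,WS.Reputation.1,C:\\Users\\c\\Downloads\\nettool.exe,183.168.232.137,Quarantined
fin-pc-03,WS.Reputation.1,C:\\Users\\d\\Downloads\\reportgen.exe,http://www.website.com/dl/reportgen.exe,Quarantined
hd-pc-02,Trojan.Gen,C:\\Users\\e\\Downloads\\bad.exe,http://evil.example/bad.exe,Quarantined
fin-pc-04,WS.Reputation.1,C:\\Users\\f\\Downloads\\installer.exe,http://vendor.example/installer.exe,Quarantined
fin-pc-01,WS.Reputation.1,C:\\Users\\a\\Downloads\\reportgen.exe,http://www.website.com/dl/reportgen.exe,Quarantined
"""

Row = Dict[str, str]


def parse_risk_log(text: str) -> List[Row]:
    return list(csv.DictReader(StringIO(text)))


def insight_events(rows: List[Row]) -> List[Row]:
    """Keep only Download Insight blocks; fingerprint/SONAR detections are a separate question."""
    return [r for r in rows if r["Risk Name"] == INSIGHT_RISK_NAME]


def file_name(path: str) -> str:
    """Reduce a Windows or POSIX path to its base name so per-user paths group together."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def download_domain(site: str) -> str:
    """Reduce a 'Download Site' value (URL or bare IP/host) to its host."""
    site = site.strip()
    host = (urlparse(site).hostname or "") if "://" in site else site.split("/", 1)[0]
    return host.lower()


def _tally(rows: List[Row], key: Callable[[Row], str]) -> List[Tuple[str, int, int]]:
    """(key, distinct endpoints, blocking events), most prevalent first."""
    endpoints = defaultdict(set)
    events = Counter()
    for r in insight_events(rows):
        k = key(r)
        endpoints[k].add(r["Computer"])
        events[k] += 1
    rows_out = [(k, len(m), events[k]) for k, m in endpoints.items()]
    return sorted(rows_out, key=lambda t: (-t[1], -t[2], t[0]))


def by_application(rows: List[Row]) -> List[Tuple[str, int, int]]:
    return _tally(rows, lambda r: file_name(r["Application"]))


def by_web_domain(rows: List[Row]) -> List[Tuple[str, int, int]]:
    return _tally(rows, lambda r: download_domain(r["Download Site"]))


def review_candidates(rows: List[Row], min_endpoints: int) -> List[str]:
    """Files seen on at least min_endpoints machines: worth a look before any exception is made."""
    return [name for name, n, _ in by_application(rows) if n >= min_endpoints]
```

Prevalence here is distinct endpoints, so the repeated block on fin-pc-01 counts once against reportgen.exe even though it adds a fourth event.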


Figure 12


Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec
Corporation.

NO WARRANTY . The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the
technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical
errors. Symantec reserves the right to make changes without prior notice.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Mountain View, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters, 350 Ellis Street, Mountain View, CA 94043 USA, +1 (650) 527-8000, www.symantec.com

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
