How Windows clients receive definitions from the cloud

Symantec Endpoint Protection standard and embedded/VDI clients provide real-time protection with definitions in the cloud. Earlier versions provided some cloud protection with various features, such as Download Insight. Now, all virus and spyware features use the cloud to evaluate files. Cloud content includes the entire set of virus and spyware definitions as well as the latest information that Symantec has about files and potential threats.
The Intelligent Threat Cloud Service is supported on Windows clients only.

Clients support cloud-enabled content

Cloud-enabled content includes a reduced-size set of definitions that provides full protection. When the client requires new definitions, the client downloads or looks up the definitions in the cloud for better performance and speed.
Standard clients and embedded/VDI clients support cloud-enabled content.

All scans automatically use cloud lookups

Cloud lookups include queries to Symantec Insight for file reputation information and definition checking in the cloud.
  • Scheduled and on-demand scans automatically perform cloud lookups.
  • Auto-Protect also automatically performs cloud lookups. Auto-Protect now runs in user mode rather than kernel mode to reduce memory usage and provide better performance.
In addition to leveraging a smaller footprint with definitions on disk, the Intelligent Threat Cloud Service provides a 15-percent reduction in scan time.
Clients automatically send information about file reputation lookups to Symantec.

How cloud lookups work in your network

Symantec Endpoint Protection sends cloud lookups directly to the cloud.
If you want to use a proxy server, you can specify an HTTPS proxy in the client's browser Internet options. Or you can use the Symantec Endpoint Protection Manager console to specify the HTTPS proxy for clients in Policies > External Communications.
The amount of bandwidth that the Intelligent Threat Cloud Service clients use is nearly identical to pre-14 clients, which use reputation lookups only with specific features such as Download Insight.

Symantec Endpoint Protection Manager alerts you about cloud lookup errors

If clients try cloud lookups for 3 days without success, by default Symantec Endpoint Protection Manager sends an email notification to system administrators. You can also view the alert in Monitors > Logs > System Logs > Client Activity. The notification condition type is File Reputation Detection.

What are portal files?

Download Insight marks a file as a portal file when it examines a file that a user downloads from a supported portal. Scheduled and on-demand scans, Auto-Protect, and Download Insight evaluate the reputation of portal files using the sensitivity level that is set for Download Insight.
Download Insight must be enabled to mark files as portal files.
Supported portals include: Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Google Chrome, Windows Live Messenger, and Yahoo Messenger. The portal list (or Auto-Protect portal list) is part of the Virus and Spyware Protection content that LiveUpdate downloads to the management server or the client.
Scans and Download Insight always evaluate non-portal files with a default internal sensitivity level that Symantec sets. The internal default detects only the most malicious files.

Example of cloud lookups in action

An example of the way the Intelligent Threat Cloud Service protects clients:
  • The client user runs Internet Explorer and tries to download a file. Download Insight uses its sensitivity level and reputation information from Symantec Insight in the cloud to determine that the file is not harmful.
  • Download Insight determines that the file's reputation is acceptable, allows the file to download, and marks the file as a portal file.
  • Later, Symantec gets more information about the file from its extensive global intelligence network. Symantec determines that the file might be harmful and updates the Insight reputation database. Symantec might provide a late-breaking signature for the file in its definitions in the cloud.
  • If the user opens the file or runs a scan, Auto-Protect or the scan gets the latest information about the file from the cloud. Using the latest file reputation and the Download Insight sensitivity level, or using a late-breaking file signature, Auto-Protect or the scan now detects the file as potentially malicious.

Required and recommended settings

By default, Symantec Endpoint Protection uses the cloud. If you disable any of these options, you limit or disable cloud protection.
  • Auto-Protect
    Auto-Protect must be enabled. Auto-Protect is enabled by default.
  • Download Insight
    Download Insight must be enabled so that it can examine file downloads, and so that file downloads are marked as portal files for future scans. If you disable Download Insight, all file downloads are treated as non-portal. Scans detect only the most malicious non-portal files.
  • Insight lookups
    Insight lookups must be enabled. The Insight lookups option controls reputation lookups as well as cloud definition lookups. This option is enabled by default.
    If you disable Insight lookups, cloud protection is completely disabled.
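
The download scenario and the settings above, replayed as a simplified Python model (an added example, not Symantec code). The 0 to 100 reputation scale, the numeric thresholds, the sample file name and all class and function names are assumptions made for illustration; the page gives no numeric values.

```python
from dataclasses import dataclass, field

INTERNAL_DEFAULT = 10  # assumed threshold: flags only the most malicious files

@dataclass
class Cloud:
    reputation: dict = field(default_factory=dict)  # file -> score, 0 bad .. 100 good
    signatures: set = field(default_factory=set)    # late-breaking signatures

@dataclass
class Client:
    cloud: Cloud
    di_threshold: int = 50        # stand-in for the Download Insight sensitivity level
    download_insight: bool = True
    insight_lookups: bool = True
    portal_files: set = field(default_factory=set)

    def _flagged(self, name, threshold):
        if not self.insight_lookups:
            return False          # no reputation or cloud definition lookups at all
        if name in self.cloud.signatures:
            return True
        return self.cloud.reputation.get(name, 50) < threshold  # unknown = neutral

    def download(self, name):
        """Download through a supported portal; True if the file is allowed."""
        if not self.download_insight:
            return True           # never examined, so never marked as a portal file
        if self._flagged(name, self.di_threshold):
            return False
        self.portal_files.add(name)
        return True

    def scan(self, name):
        """Auto-Protect or a scheduled/on-demand scan; True if detected."""
        portal = name in self.portal_files
        return self._flagged(name, self.di_threshold if portal else INTERNAL_DEFAULT)

def replay(download_insight=True, insight_lookups=True, late_signature=False):
    """Replay the page's scenario; returns (allowed, scan_before, scan_after)."""
    cloud = Cloud(reputation={"setup.exe": 80})   # constructed sample file
    client = Client(cloud, download_insight=download_insight,
                    insight_lookups=insight_lookups)
    allowed = client.download("setup.exe")
    before = client.scan("setup.exe")
    if late_signature:
        cloud.signatures.add("setup.exe")         # signature published later
    else:
        cloud.reputation["setup.exe"] = 30        # reputation downgraded later
    return allowed, before, client.scan("setup.exe")
```

With the defaults, `replay()` returns `(True, False, True)`: the file is allowed at download and detected once its reputation drops. With `download_insight=False` the same downgraded file stays undetected, because it was never marked as a portal file and only the internal default applies.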