Managing Download Insight detections

Auto-Protect includes a feature that is called Download Insight, which examines the files that users try to download through Web browsers, text messaging clients, and other portals.
Supported portals include Internet Explorer, Firefox, Microsoft Outlook, Outlook Express, Google Chrome, Windows Live Messenger, and Yahoo Messenger.
Download Insight determines that a downloaded file might be a risk based on evidence about the file's reputation. Download Insight is supported only for the clients that run on Windows computers.
If you install Auto-Protect for email on your client computers, Auto-Protect also scans the files that users receive as email attachments.
For more information, see:
Managing Download Insight detections
Task
Description
Learn how Download Insight uses reputation data to make decisions about files
Download Insight uses reputation information exclusively when it makes decisions about downloaded files. It does not use signatures or heuristics to make decisions. If Download Insight allows a file, Auto-Protect or SONAR scans the file when the user opens or runs the file. See:
View the Download Risk Distribution report to view Download Insight detections
You can use the Download Risk Distribution report to view the files that Download Insight detected on your client computers. You can sort the report by URL, Web domain, or application. You can also see whether a user chose to allow a detected file.
Risk details for a Download Insight detection show only the first portal application that attempted the download. For example, a user might use Internet Explorer to try to download a file that Download Insight detects. If the user then uses Firefox to try to download the file, the risk details show Internet Explorer as the portal.
The user-allowed files that appear in the report might indicate false positive detections.
You can also specify that you receive email notifications about new user-allowed downloads. See:
Users can allow files by responding to notifications that appear for detections.
Administrators receive the report as part of a weekly report that Symantec Endpoint Protection Manager generates and emails. You must have specified an email address for the administrator during installation or configured it as part of the administrator properties. You can also generate the report from the Reports tab in the console. See:
Create exceptions for specific files or Web domains
You can create an exception for an application that your users download. You can also create an exception for a specific Web domain that you believe is trustworthy. See:
If your client computers use a proxy with authentication, you must specify trusted Web domain exceptions for Symantec URLs. The exceptions let your client computers communicate with Symantec Insight and other important Symantec sites.
For information about the recommended exceptions, see the following articles:
By default, Download Insight does not examine any files that users download from a trusted Internet or intranet site. You configure trusted sites and trusted local intranet sites on the Windows Control Panel > Internet Options > Security tab. When the Automatically trust any file downloaded from an intranet site option is enabled, Symantec Endpoint Protection allows any file that a user downloads from any site in the lists.
Symantec Endpoint Protection checks for updates to the Internet Options trusted sites list at user logon and every four hours.
Download Insight recognizes only explicitly configured trusted sites. Wildcards are allowed, but non-routable IP address ranges are not supported. For example, Download Insight does not recognize 10.*.*.* as a trusted site. Download Insight also does not support the sites that are discovered by the Internet Options > Security > Automatically detect intranet network option.
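As an added example (not Symantec's code), the following Python sketch audits a list of trusted-site entries exported from Internet Options and flags wildcard IP patterns that fall wholly inside non-routable space, which the text above says Download Insight does not recognize. The sample entries, the category names, and the choice of RFC 1918, loopback and link-local networks as "non-routable" are assumptions.

```python
import ipaddress
import re

# Assumption: "non-routable" is taken to mean RFC 1918, loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample entries, as an administrator might export them from the
# Trusted sites and Local intranet lists (not taken from the page).
SAMPLE_ENTRIES = [
    "https://*.corp.example.com", "files.example.org", "10.*.*.*",
    "192.168.1.*", "http://172.16.5.20", "198.51.100.*",
]

_IP_PATTERN = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")

def _host(entry):
    """Strip scheme, path and port from a zone entry."""
    host = entry.strip().split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def classify(entry):
    """Return 'hostname', 'unsupported-range', 'ip-review' or 'invalid'."""
    host = _host(entry)
    if not _IP_PATTERN.match(host):
        return "hostname"
    octets = host.split(".")
    try:
        # Lowest and highest address the wildcard pattern can match.
        low = ipaddress.IPv4Address(".".join("0" if o == "*" else o for o in octets))
        high = ipaddress.IPv4Address(".".join("255" if o == "*" else o for o in octets))
    except ValueError:
        return "invalid"
    if "*" in octets and any(low in n and high in n for n in NON_ROUTABLE):
        # The page states such ranges (its example: 10.*.*.*) are not recognized.
        return "unsupported-range"
    # Single addresses and routable ranges: the page does not say; check manually.
    return "ip-review"

def audit(entries):
    """Group entries by category so unsupported ones stand out."""
    report = {}
    for e in entries:
        report.setdefault(classify(e), []).append(e)
    return report
```

Entries reported as unsupported-range are candidates for replacement with explicit host names, because downloads from those addresses are still examined by Download Insight.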
Make sure that Insight lookups are enabled
Download Insight requires reputation data from Symantec Insight to make decisions about files. If you disable Insight lookups, Download Insight runs but detects only the files with the worst reputations. Insight lookups are enabled by default. See:
Customize Download Insight settings
You might want to customize Download Insight settings for the following reasons:
  • Increase or decrease the number of Download Insight detections.
    You can adjust the malicious file sensitivity slider to increase or decrease the number of detections. At lower sensitivity levels, Download Insight detects fewer files as malicious and more files as unproven. Fewer detections are false positive detections.
    At higher sensitivity levels, Download Insight detects more files as malicious and fewer files as unproven. More detections are false positive detections.
  • Change the action for malicious or unproven file detections.
    You can change how Download Insight handles malicious or unproven files. The specified action affects not only the detection but whether or not users can interact with the detection.
    For example, you might change the action for unproven files to Ignore. Then Download Insight always allows unproven files and does not alert the user.
  • Alert users about Download Insight detections.
    When notifications are enabled, the malicious file sensitivity setting affects the number of notifications that users receive. If you increase the sensitivity, you increase the number of user notifications because the total number of detections increases.
    You can turn off notifications so that users do not have a choice when Download Insight makes a detection. If you keep notifications enabled, you can set the action for unproven files to Ignore so that these detections are always allowed and users are not notified.
    Regardless of the notifications setting, when Download Insight detects an unproven file and the action is Prompt, the user can allow or block the file. If the user allows the file, the file runs automatically.
    When notifications are enabled and Download Insight quarantines a file, the user can undo the quarantine action and allow the file.
    If users allow a quarantined file, the file does not automatically run. The user can run the file from the Temporary Internet Files folder. Typically, the folder location is one of the following:
    • Windows 8 and later: Drive:\Users\username\AppData\Local\Microsoft\Windows\INetCache
    • Windows Vista / 7: Drive:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files
For more information, see:
Allow clients to submit information about reputation detections to Symantec
By default, clients send information about reputation detections to Symantec.
Symantec recommends that you enable submissions for reputation detections. The information helps Symantec address threats. See: