I've written this up multiple times - and will try again since support closed the case with no effort at all to resolve it. They simply CLOSED the case! (but that's a topic that's going to be a very interesting discussion with our sales engineer very soon - support, or lack thereof)
SEP (and you can include the home product Norton 360, as they behave the same in this area) Latest SEP, RU2 (but that does not matter in this case)
We use a product for web-based meetings called BlueJeans. It's an IE plug-in. The wonderful and great thing is that it's tight, lean, and does NOT use JAVA, for which we are very thankful. Upon first use, you visit the site, get the file which installs and you have BlueJeans plug-in in IE and can join or participate in online meetings - video and audio.
The company periodically releases updates (don't they all) - typically monthly. Because of the updates being small and specialized - meaning they are only for that product, and come rather frequently - they will never build what SEP and Norton 360 call "reputation". They will always be seen by SYMANTEC as having "few users". Now keep in mind, SEP and Norton 360 track Symantec CUSTOMERS that use these other files, NOT who in the whole world, even NON-Symantec customers use a file. So I constantly see SEP blocking these files because "fewer than 5 Symantec customers" use the file. Uh, that may be the case, but trust me, when the huge Wall Street firms and banking customers and other gov't agencies use a file, it's not exactly high risk or unknown. However, because the Symantec products see these files as not being common, well-known, few customers use it, and it has no long-term reputation (because it's only a month old or LESS), SEP will block it.
Now the fun starts! "Download Insight" says it blocks it - it says it's not based on heuristics. Ah, but the details of the log entry say it was based on heuristics. It says I can exclude the file - no, I cannot. And the reason I cannot is because SEP, in its finite wisdom (finite in this area, meaning short-sighted) will ONLY ALLOW SUCH A FILE TO BE EXCLUDED IF you have the FULL PATH and file name. Now, how can you exclude a full path - when that full path and file name will vary with every download, and every user, and every user session.
Why do I say it will vary - two reasons -
It's under the USER PROFILE, and since no two users have the same user name (wouldn't that be fun!), the path will always vary
AND
It's first in the WEB CACHE. Think about it a second - where does IE put the cache files? Well, of course under the user profile (there's 1 variable) but further, down the line in a folder with a name like C15VKA9T or some such random name. Hmmm, this means with each user the path will vary, but pick just a single user - today the path will be in the web cache folder named ABCDEF and later today if I do this again, it may be in folder MNOPQR.
So, how can I exclude a file based on the file path? I cannot. What about just excluding based on name? SEP doesn't make that easy at all - and if you figure out a place, well, kicker number 2 - the file name MUST BE STATIC. It will not be. It will always be "BLUEJEANSPLUGIN.3.010.4.exe" where the last part is the version.
SEP, again in its finite wisdom, will not allow wildcards or variables in any exclusions.
So, we are stumped - how to keep SEP from blocking and REMOVING these plugin files?
This is not application and device control - not application control, it's SEP finding a high-risk in a file because it simply doesn't know about it.
If SEP doesn't know about a file reputation, it will block it and it won't let you slap it and say "no, I know better than you, these are safe".
* side note, Norton 360 has the same issue with a well-known machine embroidery application from Viking sewing machine company - it comes on the CD that comes with the embroidery/sewing machine, and Norton 360 will block it and will NOT allow you to do a thing with it. You can't exclude it because it's on a removable device! So, to use the Viking Sewing Machine Company embroidery tool install, you must fully disable Norton 360 - trust me, I've got 3 or 4 hours in that one, too.*
Symantec needs to give us administrators a way to exclude a file that WE KNOW is safe, and allow us to do it on ANY source or ANY drive, and allow the use of variables or wildcards. The product is simply too harsh in this area. I need to exclude files based on a file name, regardless of the location (CD, thumbdrive, local C drive, network drive, etc.) AND exclude based on a name with a wildcard, or path with a variable.
Until I'm shown a way or given a way to do this, I have to actually DISABLE protection in SEP (and Norton 360, but this is SEP for now) And that is really secure, isn't it.........
The old products I could tell SEP to ignore a file - didn't need a full path, just went into the log entry and clicked ignore, restore, whatever. There is no such option these days.
Nearly forgot - can't exclude based on "trusted domain" as the company uses Amazon cloud services, thus, the path will be 934frt543.cloudfront.com, the domain will be "cloudfront.com" and do we REALLY want to trust that WHOLE domain?? And at this point, and I've been through this too, a trusted domain can't be FTP, can't be HTTPS, must be HTTP, and can't be a url, but a domain.
Now to find out why Symantec support took weeks to respond to my opening 2 cases, and then after they finally responded, ended up closing one with no resolution and not even working on it........