Endpoint Protection

  • 1.  Shared Insight Cache Server - working?

    Posted Jul 21, 2011 05:41 PM

    I have installed the Shared Insight Cache Server, I have the firewall disabled on this server, it has a static IP address, and I have run VIETool against a fresh install of 2008 to get some files in the cache.   I used the --hash switch.

    The policies in SEPM have Shared Insight Cache Server enabled, and are pointing to the IP address of the server.

    How do I tell if this is working or not?   Is there any GUI or log or anything?

    Also, is there any documentation on how to configure the BASIC user authentication settings?   The PDF explains how to turn on authentication, but not the syntax for the XML for the user and password.



  • 3.  RE: Shared Insight Cache Server - working?

    Posted Jul 21, 2011 05:58 PM

    SIC exposes four performance monitor counters, you can use these to see the requests it is serving and number of clean files in the cache.

    Note that if you have used VIEtool on the image then it's unlikely to scan the files anyway, since they are marked as clean - you would need to run the scan on a machine that you haven't run VIEtool against in order to see some real movement on the SIC.



  • 4.  RE: Shared Insight Cache Server - working?

    Posted Jul 21, 2011 07:01 PM

    Ok, so PERFMON tells me it's not working.   I have enough clients pointed to this service, I should have counters > 0.   

    Also, where in the documentation does it show how to specify the user name and password for basic authentication in the XML file?   I simply do not see this.



  • 5.  RE: Shared Insight Cache Server - working?

    Posted Jul 21, 2011 07:43 PM

    With realtime scans, Perfmon shows 0 hits after watching it for about an hour.   I have about 20 clients pointed to this server.    Running Wireshark, I do not even see the client trying to contact the server.

    When I do an active scan, I have activity.

    So is this feature only for scheduled and active scans, not realtime file downloads and scans?



  • 6.  RE: Shared Insight Cache Server - working?

    Posted Jul 22, 2011 06:50 AM

    Shared Insight Cache is for on-demand, manual and scheduled scans only, that's correct.  It is not used for autoprotect.



  • 7.  RE: Shared Insight Cache Server - working?

    Posted Jul 22, 2011 07:31 AM

    Hello,

    I would recommend you to read this:

    Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

    Viewing Shared Insight Cache events in the Cache Server log

    Hope this Helps!!!


  • 8.  RE: Shared Insight Cache Server - working?

    Posted Jul 25, 2011 10:38 AM

    These docs need clarification.   For example, Shared Insight Cache settings;  Memory Usage is a percent value.  Described as Percentage of size of the cache in megabytes before Shared Insight Cache starts pruning the cache.    How does one state a percentage in MB?   10MB%?   That makes no sense.   Does 50 mean that after 50MB% are free, the service starts removing entries from cache?   Again, that makes no sense.  If I dedicate a server with 4GB to this service, does the 50 value mean it's only going to use 2GB?  More detail is needed.

    My question about authentication:  The document states to put this in the config file to use basic authentication;

    <!-- Basic authentication with SSL. -->

    <security mode="Transport">

    <transport clientCredentialType="Basic"/>

    </security>

     

    And then in SEPM under policies I can specify a user ID and password to pass to the shared insight server for authentication.   However nowhere does it state the syntax for adding the user ID and password to the config file.    What is the syntax for specifying the user id and password in the Shared Insight Cache Server config file?   I obviously do not want to leave this thing open so that a single malicious person can whitelist a virus and thus bypass SEP.

    Thanks!