Symantec Endpoint Protection Manager - Intrusion Prevention

Products

Endpoint Protection

Issue/Introduction

You need more details about the Options in the Policies of the Symantec Endpoint Protection Manager (SEPM).

Resolution

Settings

Use this page to enable or disable the intrusion prevention settings for the client.

You can configure the intrusion prevention settings that can detect and prevent attacks that you otherwise would have to create signatures for. You can exclude specific network activity from monitoring or alerting, and automatically block an attacking computer.

Table 1: Intrusion prevention options

Option	Description
Enable Intrusion Prevention	Enables the intrusion prevention system engine that checks IPS signatures, exceptions to IPS signatures, and custom signatures. The IPS analyzes network packets and compares them with both known attacks and known patterns of attack. If the IPS the packets match a known attack or pattern of attack, the IPS blocks the inbound traffic. You can download IPS signatures, exclusions to IPS signatures, or custom IPS signatures to the client at any time. However, unless the intrusion prevention system is enabled, the client does not compare the signatures in the IPS libraries with the inbound or the outbound traffic. The attacks are logged in the Security Log. You can configure notifications to appear if the client computer detects an attack. This option is enabled by default.
Enable denial of service detection	Causes the client to check inbound and outbound traffic for known denial-of-service attack patterns. Denial-of-service attacks are an explicit attempt by an intruder to prevent legitimate users of a service from using that service. This option is enabled by default.
Enable port scan detection	Detects if another computer scans the client computer's ports. Hackers use port scans to determine which of the client computer's ports are open to communication. The client dynamically blocks the ports and therefore protects the computer from hacking attempts. If the client detects a port scan, it displays a notification. If you disable this option, the client does not detect any scans or notify the user, but still protects the ports from hacking attempts. This option is enabled by default.
Enable excluded hosts	Enables you set up a list of hosts for which the client ignores all inbound and outbound traffic. The firewall and the IPS signatures do not scan these hosts for firewall rules, matching attack signatures, port scans, anti-MAC spoofing, or denial-of-service attacks. This option is disabled by default. (*IPS excluded host is only available for IP packets, not for ARP packets.)
Automatically block an attacker's IP address	Blocks all the communication from a source host for the specified number of seconds when the client detects an attack. For example, if the client detects a denial-of-service attack, the client blocks all traffic from the originating IP address. This feature is also called active response. This option is enabled by default.

Exceptions

Use this table to view the exceptions to the IPS signatures that LiveUpdate downloads to the Symantec Endpoint Protection Manager console. You can change the default action and the log action before you download the signatures to the client.

If you create an exception to a signature, it appears in the list. If you want to remove the exception, click Delete. If you edit the behavior so that the behavior is the same as the signature's original behavior, the signature remains in the list.

Table 2: Exceptions options

Option	Description
ID	The ID that Symantec assigns to each signature.
Signature Name	The name of signature.
Severity	The level of danger that the traffic packet causes if the signature detects it.
Categories	Type of signature.
Action	The action that the client takes on the traffic packet that matches the IPS signature.
Log	The logging action that the client takes on the traffic packet that matches the IPS signature.