Endpoint Protection Intrusion Prevention System detects traffic to Excluded Hosts

Article ID: 157713

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection (SEP) client's Client Intrusion Detection System (CIDS) detects outbound network traffic to a computer that is in the Excluded Hosts list of the Intrusion Prevention System (IPS) policy. The IPS logs show the direction of the event as Outgoing, the Local Host as the local computer, and the Remote Host as another computer in the network.

Cause

The CIDS engine evaluates network traffic against known security threats and blocks traffic that matches those threats. Excluded Hosts allow administrators to define hosts whose traffic should not trigger detections. This is useful for preventing detections from traffic which may appear malicious, but is necessary to normal business operations. For example, you can exclude traffic generated from a network vulnerability scanner to prevent simulated attacks from being blocked by the SEP client.

Excluded Hosts exceptions are matched against the remote host's IP address on any inbound or outbound traffic to or from the computer; the local host's address is never what is checked. IPS does not detect outbound traffic to destination computers in the Excluded Hosts list, and it does not detect inbound traffic from source computers in the Excluded Hosts list.

Resolution

Ensure both computers have an IPS policy with the remote computer's IP address in the Excluded Hosts list. For example:

  • The sending computer has an IPS policy with the receiving computer's IP address in the Excluded Hosts list.
  • The receiving computer has an IPS policy with the sending computer's IP address in the Excluded Hosts list.
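The following model is an added example, not Symantec code, that shows why both policies are needed. Each client compares only the remote host of an event against its own Excluded Hosts list, so the sender's list silences the Outgoing event and the receiver's list silences the matching Incoming event; neither list does anything for the other computer. The `Client`, `ips_verdict`, `simulate_exchange` and `missing_exclusions` names, the sample addresses, and the acceptance of CIDR subnets as list entries are assumptions of this model.

```python
"""Model of how a SEP client applies its IPS Excluded Hosts list.

Added illustration, not Symantec code. Each client checks only the REMOTE
host of an event against its OWN Excluded Hosts list, so an outbound event
is suppressed by the sender's list and the matching inbound event by the
receiver's list. Assumption: list entries may be single IPs or CIDR subnets.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Client:
    """One SEP client: its address and the Excluded Hosts from its IPS policy."""
    name: str
    ip: str
    excluded_hosts: list = field(default_factory=list)

    def is_excluded(self, remote_ip: str) -> bool:
        """True if remote_ip falls within any entry of this client's list."""
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in ipaddress.ip_network(entry, strict=False)
                   for entry in self.excluded_hosts)


def ips_verdict(client: Client, remote_ip: str, direction: str) -> str:
    """Verdict for one signature match seen by `client`.

    direction is "Outgoing" (client is the source) or "Incoming" (client is
    the destination). Only the remote host decides; the local host never does.
    """
    if direction not in ("Outgoing", "Incoming"):
        raise ValueError(f"unknown direction {direction!r}")
    return "Suppressed" if client.is_excluded(remote_ip) else "Detected"


def simulate_exchange(sender: Client, receiver: Client) -> dict:
    """Evaluate one sender -> receiver flow that matches an IPS signature.

    Returns the verdict logged at each end, which is why the resolution asks
    for BOTH policies to carry the other computer's address.
    """
    return {
        # Sender's IPS log: Outgoing, Local Host = sender, Remote Host = receiver
        "sender_outgoing": ips_verdict(sender, receiver.ip, "Outgoing"),
        # Receiver's IPS log: Incoming, Local Host = receiver, Remote Host = sender
        "receiver_incoming": ips_verdict(receiver, sender.ip, "Incoming"),
    }


def missing_exclusions(sender: Client, receiver: Client) -> list:
    """(client name, address to add) pairs still needed to silence both ends."""
    fixes = []
    if not sender.is_excluded(receiver.ip):
        fixes.append((sender.name, receiver.ip))
    if not receiver.is_excluded(sender.ip):
        fixes.append((receiver.name, sender.ip))
    return fixes


if __name__ == "__main__":
    # Constructed sample: the target excludes the scanner's subnet, but the
    # scanner's own policy does not exclude the target, so the scanner still
    # logs an Outgoing detection while the target stays quiet.
    scanner = Client("scanner", "10.0.0.5")
    server = Client("server", "10.0.1.20", excluded_hosts=["10.0.0.0/24"])
    print(simulate_exchange(scanner, server))
    # -> {'sender_outgoing': 'Detected', 'receiver_incoming': 'Suppressed'}
    print(missing_exclusions(scanner, server))
    # -> [('scanner', '10.0.1.20')]
```

Running the sample reproduces the symptom in the article: the Outgoing event is logged on the sending computer because its own policy lacks the remote address, even though the receiving computer already excludes the sender. `missing_exclusions` names the policy that still needs the entry.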