Built-in signatures for Symantec Endpoint Protection IPS for Mac

Article ID: 158413

Products

Endpoint Protection

Issue/Introduction

In Symantec Endpoint Protection 12.1.4 for Mac and later, you see intrusion prevention signatures whose category is "Built-in." These signatures are present even before LiveUpdate runs for the first time. You would like to know what kinds of attacks they are designed to prevent.

Resolution

Symantec Endpoint Protection for Mac IPS includes four built-in signatures at installation. You can see them under Policies > Intrusion Prevention > Intrusion Prevention Policies; double-click on an Intrusion Prevention policy, then under Mac Settings, click Exceptions > Add....

Signature ID: 99990
Name: ARP Cache Poison
Description: This signature detects attempts to modify your Mac's address resolution (ARP) cache using unsolicited ARP packets.
Possible False Positives: Guest virtual machines (GVMs) hosted on Macs on your local network can trigger this alert. You can set host / IP exceptions for the GVMs that repeatedly trigger this false positive.
Response: Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action.

Signature ID: 9000
Name: ICMP Ping Flood
Description: This signature defends against a denial of service created by sending too many 'ping' requests to your Mac. Attackers send your Mac thousands of ping packets, which can overwhelm your Mac's Internet connection.
Possible False Positives: There are no known false positives associated with this signature.
Response: Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action.

Signature ID: 99992
Name: TCP SYN Flood
Description: This signature defends against a denial of service created by sending too many connection requests to your Mac. Attackers send your Mac thousands of TCP SYN packets, which can overwhelm your Mac's Internet connection and consume your Mac's memory.
Possible False Positives: A very busy Mac used as a server may receive many connection requests, causing this signature to trigger.
Response: Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action.

Signature ID: 10000
Name: Port Scan
Description: This signature defends against attempts to scan your Mac for open ports. Some attackers repeatedly scan your network connection looking for weaknesses. However, such scans may also have legitimate uses.
Possible False Positives: This alert may be triggered by normal Internet activity. In extreme cases, this signature may block your DNS (domain name server), resulting in the loss of Internet connectivity. If you see this alert followed by a loss of Internet connectivity, set the Port Scan signature to Log Only.
Response: Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action.

If you receive too many notifications, you can disable IPS-related notifications by going to Clients > Policies > Server or Mixed Mode control. However, ensure that logging stays on so you can monitor whether the notifications are the result of a known false positive. Once you have resolved the false positives, enable the notifications again.
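To make the four signature categories concrete, here is an added illustration of the kind of detection logic each one represents, run over a constructed packet log. This is example code written for this article, not Symantec's code and not how the product's IPS engine is implemented; the local IP address, the thresholds, the time window and the packet record layout are all assumptions chosen for the demonstration. It also models the two tuning controls the article mentions: host / IP exceptions for guest VMs, and setting a signature to Log Only instead of Block.

```python
"""Illustrative detection logic for the four built-in IPS signature types.

Added example, not Symantec code. LOCAL_IP, the thresholds, the window
length and the Packet record layout are assumptions for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

LOCAL_IP = "10.0.0.5"  # constructed: address of the protected Mac

SIGNATURES = {
    99990: "ARP Cache Poison",
    9000: "ICMP Ping Flood",
    99992: "TCP SYN Flood",
    10000: "Port Scan",
}

WINDOW = 10.0  # seconds of history kept per source host (assumed)
# Events per source within WINDOW before a signature fires (assumed values,
# not Symantec's): ping requests, SYNs, and distinct destination ports.
THRESHOLDS = {9000: 100, 99992: 100, 10000: 20}


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    proto: str      # "arp", "icmp" or "tcp"
    src: str
    dst: str
    dport: int = 0
    kind: str = ""  # "request"/"reply" for ARP, "echo" for ICMP, "SYN" for TCP


def detect(packets, exceptions=frozenset(), log_only=frozenset()):
    """Return alerts as (signature_id, source_ip, action) in firing order.

    exceptions: source IPs excluded from all signatures (the article's
                host / IP exceptions for guest VMs).
    log_only:   signature IDs whose action is "log" instead of "block".
    Each (signature, source) pair fires at most once.
    """
    alerts, fired = [], set()
    pending_arp = set()           # hosts the local Mac has sent ARP requests to
    history = defaultdict(deque)  # (signature, src) -> deque of (ts, dport)

    def fire(sig, src):
        if src in exceptions or (sig, src) in fired:
            return
        fired.add((sig, src))
        alerts.append((sig, src, "log" if sig in log_only else "block"))

    def record(sig, p):
        """Append this packet to the per-source window and drop stale entries."""
        dq = history[(sig, p.src)]
        dq.append((p.ts, p.dport))
        while dq and p.ts - dq[0][0] > WINDOW:
            dq.popleft()
        return dq

    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.proto == "arp":
            if p.src == LOCAL_IP and p.kind == "request":
                pending_arp.add(p.dst)
            elif p.dst == LOCAL_IP and p.kind == "reply":
                if p.src in pending_arp:
                    pending_arp.discard(p.src)  # solicited reply: expected
                else:
                    fire(99990, p.src)          # unsolicited reply: cache-poison pattern
        elif p.proto == "icmp" and p.kind == "echo" and p.dst == LOCAL_IP:
            if len(record(9000, p)) > THRESHOLDS[9000]:
                fire(9000, p.src)
        elif p.proto == "tcp" and p.kind == "SYN" and p.dst == LOCAL_IP:
            if len(record(99992, p)) > THRESHOLDS[99992]:
                fire(99992, p.src)
            seen_ports = {port for _, port in record(10000, p)}
            if len(seen_ports) > THRESHOLDS[10000]:
                fire(10000, p.src)
    return alerts


def sample_traffic():
    """Constructed packet log covering each signature plus two benign cases."""
    pk = [
        Packet(0.0, "arp", LOCAL_IP, "10.0.0.1", kind="request"),
        Packet(0.1, "arp", "10.0.0.1", LOCAL_IP, kind="reply"),   # solicited: benign
        Packet(0.2, "arp", "10.0.0.77", LOCAL_IP, kind="reply"),  # unsolicited, from a guest VM
    ]
    pk += [Packet(1 + i * 0.01, "icmp", "203.0.113.9", LOCAL_IP, kind="echo") for i in range(150)]
    pk += [Packet(3 + i * 0.01, "tcp", "198.51.100.4", LOCAL_IP, 443, "SYN") for i in range(150)]
    pk += [Packet(5 + i * 0.1, "tcp", "192.0.2.33", LOCAL_IP, 1 + i, "SYN") for i in range(30)]
    # Busy but legitimate client: 60 connections to one port, under the SYN threshold
    pk += [Packet(10 + i * 0.05, "tcp", "192.0.2.50", LOCAL_IP, 443, "SYN") for i in range(60)]
    return pk


if __name__ == "__main__":
    for sig, src, action in detect(sample_traffic(), exceptions={"10.0.0.77"}, log_only={10000}):
        print(f"{sig} {SIGNATURES[sig]}: {src} -> {action}")
```

Run as a script, it prints one alert per offending source. The burst from the busy client at the end stays below the assumed SYN threshold, which is the "very busy Mac used as a server" case from the table, while adding the guest VM to the exceptions suppresses the unsolicited-ARP alert for that host alone rather than disabling the signature, and putting 10000 in the Log Only set records the port scan without dropping its packets.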

Additional information

Here are the default settings for built-in signatures:

Signature ID   Name               Default Severity   Default Action   Default Log
99990          ARP Cache Poison   Medium             Block            Not logged
9000           ICMP Ping Flood    Medium             Block            Logged
99992          TCP SYN Flood      High               Block            Not logged
10000          Port Scan          Medium             Block            Logged