Symantec Endpoint Protection (SEP) for Macintosh version 12.1.4 (12.1 RU4) introduces IPS (Intrusion Prevention System).
IPS protects Mac OS hosts against network-based attacks covered by the Mac signature set.
User Space: SymIPS.bundle and SymDaemon
Kernel Space: Ndcengine.kext and SymIPS.kext
Warning: Access to all IPS configuration files is limited to privileged users, and the files should not be edited directly.
Detected attacks will result in an automatic 10-minute block of the attacker's IP address. In the PC product, this autoblock can be turned off or the duration changed, but as of SEP 12.1 RU4 for Macintosh, the autoblock feature is not configurable.
Use the "kextstat" utility to check that the required kexts are loaded:
Maverick:~ admin$ kextstat | grep -i symantec
41 3 0xffffff7f807db000 0xf000 0xf000 com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
42 1 0xffffff7f807ea000 0x70000 0x70000 com.symantec.kext.ndcengine (1.0f2) <41 4 1>
43 0 0xffffff7f8085a000 0xb000 0xb000 com.symantec.kext.ips (3.5f2) <42 41 5 4 3 1>
85 0 0xffffff7f819e9000 0x4000 0x4000 com.symantec.kext.SymAPComm (12.2f2) <41 7 5 4 1>
Check that SymIPS.bundle is loaded into the SymDaemon process. Obtain the PID of SymDaemon first (66 in the example below), then run the vmmap command:
Maverick:~ admin$ sudo ps x | grep -i symdaemon
66 ?? Ss 0:26.87 /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/MacOS/SymDaemon
Maverick:~ admin$ sudo vmmap 66 | grep -i symips
__TEXT 0000000102d66000-0000000102d8a000 [ 144K] r-x/rwx SM=COW /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__LINKEDIT 0000000102d8d000-0000000102d9a000 [ 52K] r--/rwx SM=COW /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__TEXT 0000000102e09000-0000000102e14000 [ 44K] r-x/rwx SM=COW /Library/PrivateFrameworks/SymIPS.framework/Versions/A/SymIPS
__LINKEDIT 0000000102e15000-0000000102e1d000 [ 32K] r--/rwx SM=COW /Library/PrivateFrameworks/SymIPS.framework/Versions/A/SymIPS
__DATA 0000000102d8a000-0000000102d8d000 [ 12K] rw-/rwx SM=PRV /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__DATA 0000000102e14000-0000000102e15000 [ 4K] rw-/rwx SM=PRV /Library/PrivateFrameworks/SymIPS.framework/Versions/A/SymIPS
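The two checks above (kexts loaded, plug-in mapped into SymDaemon) can be scripted so that a health check fails when either is missing. The script below is an added example and not part of the article or of the Symantec product; the kext bundle IDs and the SymIPS plug-in path are taken from the listings above, while the embedded sample listings are constructed copies of that output so the functions can be exercised on a machine without kextstat or vmmap. The use of pgrep to find the SymDaemon PID is an assumption of this example (the article uses ps and reads the PID by hand).

```shell
#!/bin/sh
# Added example: health check for SEP for Mac IPS components.
# Kext bundle IDs and the plug-in path are the ones shown in the article's
# kextstat and vmmap output. Sample listings below are constructed so the
# check runs offline; on macOS the live tools are used instead.

# The two kexts the article names as the kernel-space IPS components.
REQUIRED_KEXTS="com.symantec.kext.ndcengine com.symantec.kext.ips"

SYMIPS_PLUGIN='/Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS'

# Constructed sample of "kextstat | grep -i symantec" (from the article).
SAMPLE_KEXTSTAT='41 3 0xffffff7f807db000 0xf000 0xf000 com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
42 1 0xffffff7f807ea000 0x70000 0x70000 com.symantec.kext.ndcengine (1.0f2) <41 4 1>
43 0 0xffffff7f8085a000 0xb000 0xb000 com.symantec.kext.ips (3.5f2) <42 41 5 4 3 1>'

# Constructed sample of "vmmap <pid> | grep -i symips" (from the article).
SAMPLE_VMMAP='__TEXT 0000000102d66000-0000000102d8a000 [ 144K] r-x/rwx SM=COW /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__DATA 0000000102d8a000-0000000102d8d000 [ 12K] rw-/rwx SM=PRV /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS'

# Live kextstat output on macOS, the constructed sample elsewhere.
kext_listing() {
    if command -v kextstat >/dev/null 2>&1; then
        kextstat
    else
        printf '%s\n' "$SAMPLE_KEXTSTAT"
    fi
}

# Live vmmap of SymDaemon on macOS, the constructed sample elsewhere.
# Assumption: a single SymDaemon process, located with pgrep.
symdaemon_vmmap() {
    if command -v vmmap >/dev/null 2>&1; then
        pid=$(pgrep -x SymDaemon | head -n 1)
        [ -n "$pid" ] && sudo vmmap "$pid"
    else
        printf '%s\n' "$SAMPLE_VMMAP"
    fi
}

# missing_kexts LISTING: print the required bundle IDs absent from LISTING.
# Each ID must appear as a whole token followed by " (" so that a prefix
# (e.g. com.symantec.kext.ips vs. a longer ID) cannot match by accident.
missing_kexts() {
    listing=$1
    missing=""
    for kext in $REQUIRED_KEXTS; do
        if ! printf '%s\n' "$listing" | grep -q "[[:space:]]${kext} ("; then
            missing="$missing $kext"
        fi
    done
    printf '%s' "${missing# }"
}

# symips_mapped LISTING: succeed only if an executable (__TEXT) segment of
# the SymIPS plug-in is mapped; a stray __DATA mapping alone is not enough.
symips_mapped() {
    printf '%s\n' "$1" | grep -F "$SYMIPS_PLUGIN" | grep -q '^__TEXT '
}

ips_status_report() {
    missing=$(missing_kexts "$(kext_listing)")
    if [ -n "$missing" ]; then
        echo "missing IPS kexts: $missing"
    else
        echo "all required IPS kexts are loaded"
    fi
    if symips_mapped "$(symdaemon_vmmap)"; then
        echo "SymIPS.bundle is mapped into SymDaemon"
    else
        echo "SymIPS.bundle is NOT mapped into SymDaemon"
    fi
}

ips_status_report
```

Run it with sudo on the Mac being checked; vmmap needs root to inspect SymDaemon, exactly as in the article. Off-box it prints the result for the constructed samples, which is useful for testing the parsing before deploying the script.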
Logs from kexts (SymIPS.kext and ndcengine.kext -- look for "Vulnerability Protection" string):
IPS policy and attack related logs:
IPS submission logs:
"The Vulnerability Protection signatures are out of date. Please run LiveUpdate immediately to download the latest signatures."
"The Vulnerability Protection signatures have been corrupted and could not be used. You should run LiveUpdate immediately and restart your computer. If the problem persists after you restart your computer, please re-install the product. Your computer will not be protected until you restart your computer. Symantec apologizes for this error. (Error location 1)"
"The Vulnerability Protection engine has been corrupted and could not be used. You should run LiveUpdate immediately. If the problem persists, please try re-installing this product. Your computer will not be protected until you re-install. Symantec apologizes for this error. (Error location 3)"
"The Vulnerability Protection signatures have been corrupted and could not be recovered from a previous version. You should run LiveUpdate immediately and restart your computer. If the problem persists after you restart your computer, please re-install the product. Your computer will not be protected until you re-install. Symantec apologizes for this error. (Error location 4)"
Guest virtual machines (GVMs) hosted on Macs on your local network can trigger this alert. You can set host/IP exceptions for GVMs that repeatedly trigger this false positive. Improperly configured machines can also trigger this alert. For more information, see Built-in signatures for Symantec Endpoint Protection IPS for Mac and About false positive IPS events on Symantec Endpoint Protection for Macintosh.