Symantec Endpoint Protection for Macintosh: IPS Overview and Troubleshooting

Article ID: 158650

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Macintosh version 12.1.4 (12.1 RU4) introduces IPS (Intrusion Prevention System).

Features:

  • IPS protects against network threats
  • Signature-based protection
  • Built on Symantec STAR (Security Technology and Response) mNDC engine
  • IPS Submission support (also known as IPS Ping)

Cause

IPS protects against network threats supported on Mac OS.
 

Resolution

Architecture Details - High Level

User Space: SymIPS.bundle and SymDaemon

Kernel Space: Ndcengine.kext and SymIPS.kext

 
Installation

  • Requires reboot after installation
  • No option to add/remove IPS feature during the installation
    • The IPS feature can be disabled by policy or from the UI
  • Installation logs are stored at /private/var/log/install.log
    • It contains not only SEP for Mac installation specific logs, but also all other software installation logs
  • Main SEP for Mac folder: /Library/Application Support/Symantec
    • No option to install on other location
  • SymIPS.kext and ndcengine.kext are installed at /System/Library/Extensions/ (OS X 10.7 and 10.8) or /Library/Extensions/ (OS X 10.9)
  • SEP App is installed at /Applications/Symantec Solutions/

 
Configuration

Warning: All configuration file accesses are limited to privileged users only, and should not be edited directly!

Detected attacks will result in an automatic 10-minute block of the attacker's IP address. In the PC product, this autoblock can be turned off or the duration changed, but as of SEP 12.1 RU4 for Macintosh, the autoblock feature is not configurable.

  • IPS signatures
    • Located at /Library/Application Support/Symantec/IntrusionPrevention/CurrentSignatures
    • "su-cr.md" contains metadata for signatures
    • Signatures are updated via LiveUpdate
  • Built-in IPS signatures (See Built-in signatures for Symantec Endpoint Protection IPS for Mac)
    • TCP SYN flood, port scan, ARP Cache Poison, Brute force remote login
    • Metadata located at /Library/Application Support/Symantec/IntrusionPrevention/ipsinternal.md
    • No update via LiveUpdate
  • IPS submission control data
    • /Library/Application Support/Symantec/Submissions/scd.xml
    • Updated via LiveUpdate

See Related Articles below.

 
Troubleshooting

Use the kextstat utility to check whether the required kexts are loaded:

Maverick:~ admin$ kextstat | grep -i symantec
   41    3 0xffffff7f807db000 0xf000     0xf000     com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
   42    1 0xffffff7f807ea000 0x70000    0x70000    com.symantec.kext.ndcengine (1.0f2) <41 4 1>
   43    0 0xffffff7f8085a000 0xb000     0xb000     com.symantec.kext.ips (3.5f2) <42 41 5 4 3 1>
   85    0 0xffffff7f819e9000 0x4000     0x4000     com.symantec.kext.SymAPComm (12.2f2) <41 7 5 4 1>

Check whether SymIPS.bundle is loaded into the SymDaemon process. Obtain the PID of SymDaemon first (66 in the example below) and run the vmmap command:

Maverick:~ admin$ sudo ps x | grep -i symdaemon
   66   ??  Ss     0:26.87 /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/MacOS/SymDaemon
Maverick:~ admin$ sudo vmmap 66 | grep -i symips
__TEXT                 0000000102d66000-0000000102d8a000 [  144K] r-x/rwx SM=COW  /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__LINKEDIT             0000000102d8d000-0000000102d9a000 [   52K] r--/rwx SM=COW  /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__TEXT                 0000000102e09000-0000000102e14000 [   44K] r-x/rwx SM=COW  /Library/PrivateFrameworks/SymIPS.framework/Versions/A/SymIPS
__LINKEDIT             0000000102e15000-0000000102e1d000 [   32K] r--/rwx SM=COW  /Library/PrivateFrameworks/SymIPS.framework/Versions/A/SymIPS
__DATA                 0000000102d8a000-0000000102d8d000 [   12K] rw-/rwx SM=PRV  /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS
__DATA                 0000000102e14000-0000000102e15000 [    4K] rw-/rwx SM=PRV  /Library/PrivateFrameworks/SymIPS.framework/Versions/A/SymIPS
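The two checks above can be scripted so the same evidence is gathered consistently across machines. The script below is an added example and is not part of this Symantec article: it parses kextstat output for the three Symantec kexts listed above and vmmap output for a mapped SymIPS.bundle text segment. The sample outputs embedded in it are copied from this article (plus one constructed, degraded copy with SymIPS.kext absent) so the functions can be exercised offline; the live section assumes the SymDaemon process name shown in the ps output above and that pgrep is available.

```sh
#!/bin/sh
# Added example (not from the Symantec article): health check for the
# SEP for Mac IPS components, driven by kextstat / vmmap output.

# Kernel extensions the article lists as required for IPS.
REQUIRED_KEXTS="com.symantec.kext.internetSecurity com.symantec.kext.ndcengine com.symantec.kext.ips"

# missing_kexts: read kextstat output on stdin and print every required
# bundle id that is not loaded. Exit 0 when all are present, 1 otherwise.
# Column 6 of kextstat is the bundle identifier ("Name").
missing_kexts() {
    loaded=$(awk '{ print $6 }')
    rc=0
    for kext in $REQUIRED_KEXTS; do
        if ! printf '%s\n' "$loaded" | grep -qx "$kext"; then
            echo "$kext"
            rc=1
        fi
    done
    return $rc
}

# symips_bundle_loaded: read vmmap output for the SymDaemon PID on stdin;
# succeed only if the SymIPS.bundle executable has a mapped __TEXT segment.
symips_bundle_loaded() {
    grep -q '^__TEXT .*SymIPS\.bundle/Contents/MacOS/SymIPS$'
}

# Sample kextstat output copied from the article (healthy system).
SAMPLE_KEXTSTAT_OK='   41    3 0xffffff7f807db000 0xf000     0xf000     com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
   42    1 0xffffff7f807ea000 0x70000    0x70000    com.symantec.kext.ndcengine (1.0f2) <41 4 1>
   43    0 0xffffff7f8085a000 0xb000     0xb000     com.symantec.kext.ips (3.5f2) <42 41 5 4 3 1>
   85    0 0xffffff7f819e9000 0x4000     0x4000     com.symantec.kext.SymAPComm (12.2f2) <41 7 5 4 1>'

# Constructed degraded sample: SymIPS.kext did not load (the "Error location 3" case).
SAMPLE_KEXTSTAT_NOIPS='   41    3 0xffffff7f807db000 0xf000     0xf000     com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
   42    1 0xffffff7f807ea000 0x70000    0x70000    com.symantec.kext.ndcengine (1.0f2) <41 4 1>'

# One vmmap line copied from the article showing SymIPS.bundle mapped into SymDaemon.
SAMPLE_VMMAP_OK='__TEXT                 0000000102d66000-0000000102d8a000 [  144K] r-x/rwx SM=COW  /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymIPS.bundle/Contents/MacOS/SymIPS'

# Live check, run only on a Mac where the tools exist. Assumes the process is
# named SymDaemon (as in the article's ps output) and that pgrep is present.
if command -v kextstat >/dev/null 2>&1 && command -v vmmap >/dev/null 2>&1; then
    if missing=$(kextstat | missing_kexts); then
        echo "all required Symantec IPS kexts are loaded"
    else
        echo "required kexts not loaded:"
        echo "$missing"
    fi
    pid=$(pgrep -x SymDaemon | head -n 1)
    if [ -n "$pid" ] && sudo vmmap "$pid" | symips_bundle_loaded; then
        echo "SymIPS.bundle is loaded into SymDaemon (pid $pid)"
    else
        echo "SymIPS.bundle is NOT loaded into SymDaemon"
    fi
fi
```

Run it as an administrator; the vmmap step needs sudo, as in the article's example. A missing kext or an unmapped SymIPS.bundle corresponds to the "engine has been corrupted" condition described under Possible Error / Cause / Solution below, so this is the first thing to collect before reinstalling.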

 

Logs from the kexts (SymIPS.kext and ndcengine.kext; look for the "Vulnerability Protection" string):

  • /private/var/log/kernel.log
  • /private/var/log/system.log

IPS policy and attack related logs:

  • /Library/Application Support/Symantec/SMC/debug/smc_debug.log

IPS submission logs:

  • /Library/Application Support/Symantec/Daemon/messages.log
  • /Library/Logs/SymHTTPSubmissions.txt (admin privilege is required to access this file)

 
Possible Error / Cause / Solution

"The Vulnerability Protection signatures are out of date. Please run LiveUpdate immediately to download the latest signatures."

  • IPS signatures have not been updated in the last 90 days
  • Run LiveUpdate to download new signatures
  • Troubleshoot LiveUpdate

 
"The Vulnerability Protection signatures have been corrupted and could not be used. You should run LiveUpdate immediately and restart your computer. If the problem persists after you restart your computer, please re-install the product. Your computer will not be protected until you restart your computer. Symantec apologizes for this error. (Error location 1)"

  • Failed to load IPS signatures
  • Run LiveUpdate to download new signatures
  • Troubleshoot LiveUpdate

 
"The Vulnerability Protection engine has been corrupted and could not be used. You should run LiveUpdate immediately. If the problem persists, please try re-installing this product. Your computer will not be protected until you re-install. Symantec apologizes for this error. (Error location 3)"

  • Failed to load kernel extensions

 
"The Vulnerability Protection signatures have been corrupted and could not be recovered from a previous version. You should run LiveUpdate immediately and restart your computer. If the problem persists after you restart your computer, please re-install the product. Your computer will not be protected until you re-install. Symantec apologizes for this error. (Error location 4)"

  • Failed to roll back signatures

 
False Positives

Guest virtual machines (GVMs) that are hosted on Macs on your local network can trigger this alert. You can set host / IP exceptions for those GVMs that repeatedly trigger this false positive. Improperly configured machines can also trigger this alert. For more information, see Built-in signatures for Symantec Endpoint Protection IPS for Mac and About false positive IPS events on Symantec Endpoint Protection for Macintosh.

Applies To

  • Macintosh OS X 10.7, 10.8, 10.9
  • SEP 12.1 RU4 for Macintosh