Some Symantec Endpoint Protection for Macintosh (SEP for Mac) IPS detections occur despite host exceptions, and there are no exception signatures for the detected IDs. Macintosh IPS exceptions cannot be defined for the detection because the signature ID is not listed in the SEPM IPS Exceptions dialog. Detected attacks will result in an automatic 10-minute block of the attacker's IP address. In the Windows SEP product this auto-block can be turned off or the duration changed but as of yet the SEP Macintosh auto-block feature is not configurable.

Example pop-up on SEP Macintosh client for "brute force remote logon":

Details of example event in SEPM Logs: Network Threat Protection: Attacks:

Host exceptions by IP range do not work. IP exceptions defined as by single IP addresses may be used as a work-around. This issue is fixed in Symantec Endpoint Protection 12.1 RU6.

Solution is to upgrade to Symantec Endpoint Protection 12.1 RU6.  See Download the latest version of Symantec Endpoint Protection. Host exceptions work as expected in that version.

More details:

"Brute force remote login" in particular (signature ID 99995) is absent from the SEPM exception list by design. Brute force attack is detected by monitoring system log on client, and it is a detection only---no traffic is blocked.

If IPS detections are OK but the Macintosh pop-ups are a nuisance then disable Network Protection Security Event Notifications at the SEPM, in client group Policy, Location-specific Settings.

If IPS is not a requirement in the customer's environment, IPS policy may also be completely disabled at the SEPM. For unmanaged Macintosh clients, see How to remove the IPS feature from an unmanaged SEP Macintosh client

Applies To

SEP 12.1 RU5 and newer. Mac OS X.