The Intrusion Prevention System (IPS) of a Symantec Endpoint Protection (SEP) client if being triggered by traffic to a website that is believed to be safe, or unusual, unexpected IPS events are being seen from a SEP client.
Do not assume that unexpected events are False Positives! Legitimate websites and public-facing internal webservers may have been compromised by an attacker to serve malware, or malicious advertisements on those pages (malvertisements) may be attempting to redirect visitors to a site hosting a drive-by download for vulnerable browsers. Also, malware that is not yet caught by SEP’s AntiVirus component may be silently active on a computer, with the IPS events that block its malicious traffic a “red flag” that an infection is present. Consider all IPS events carefully and perform a Threat Analysis Scan on any computer which is triggering a “System Infected” IPS event.
|IPS is a crucial proactive technology. More information about IPS is found at What is intrusion prevention and what does it do? and the Connect article Two Reasons why IPS is a "Must Have" for your Network|
If the IPS event is believed to be a False Positive (FP), please follow these steps:
While the reported FP is being investigated, it is possible for administrators to temporarily disable the signature if they are extremely confident that this is a False Positive and the IPS event is disrupting crucial business processes. Apply exclusions with great caution.
For more information, please see the "What if I want to submit a file that I believe is being falsely detected?" section of How to Use the Web Submission Process to Submit Suspicious Files.