Symantec Endpoint Protection (SEP) for Mac may not forward all Intrusion Prevention (IPS) detections to Manager (SEPM).
IPS detections appear and are logged locally on the Mac client, but some of these events are not forwarded to SEPM.
Affected IPS signatures include TCP Syn Flood (99992), Portscan (10000), and ARP Cache Poison (99990).
This issue appears to affect only SEP 14.x for Mac; SEP 12.1.x for Mac will forward all IPS events OK to SEPM.
This issue was fixed in SEP 14 RU1 MP1, but then appears to be broken again for versions 14 RU2 thru 14.3 MP1
This article will be updated when a solution is available