Endpoint Protection for Mac does not forward some IPS events (flood, portscan, ARP poisoning) events to Manager


Article ID: 170202


Updated On:


Endpoint Protection


Symantec Endpoint Protection (SEP) for Mac may not forward all Intrusion Prevention (IPS) detections to Manager (SEPM). 

IPS detections appear and are logged locally on the Mac client, but some of these events are not forwarded to SEPM.

Affected IPS signatures include TCP Syn Flood (99992),  Portscan (10000), and ARP Cache Poison (99990).


This issue appears to affect only SEP 14.x for Mac; SEP 12.1.x for Mac will forward all IPS events OK to SEPM.


This issue was fixed in SEP 14 RU1 MP1 for Mac, but then appears to be broken again for versions 14 RU2 thru 14.3 MP1

The issue is resolved again in SEP for Mac 14.3 RU1 (14.3.3384). Download the latest version of Symantec software