Endpoint Protection for Mac does not forward some IPS events (flood, portscan, ARP poisoning) to Manager

Article ID: 170202

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Mac may not forward all Intrusion Prevention (IPS) detections to Manager (SEPM). 

IPS detections appear and are logged locally on the Mac client, but some of these events are not forwarded to SEPM.

Affected IPS signatures include TCP Syn Flood (99992), Portscan (10000), and ARP Cache Poison (99990).

Cause

This issue appears to affect only SEP 14.x for Mac; SEP 12.1.x for Mac forwards all IPS events to SEPM as expected.

Resolution

This issue was fixed in SEP 14 RU1 MP1 for Mac, but then appears to be broken again in versions 14 RU2 through 14.3 MP1.

The issue is resolved again in SEP for Mac 14.3 RU1 (14.3.3384). Download the latest version of Symantec software.