Intrusion Prevention System (IPS) exceptions may not work correctly for some signatures on Symantec Endpoint Protection (SEP) clients versions 12.1.x which are using the CIDS engine version 16.1.4. For example: test systems that host vulnerability scanners may still generate "blocked and logged" events for outgoing traffic, even though the related intrusion signature exceptions have been configured to "allow and do not log".

This is due to the CIDS 16.1.4 engine looking for a "SiloId" registry value during some operations. This value is expected to be in the IPS driver's service registry under HKLM\SYSTEM\CurrentControlSet\services\IDSVia64\Parameters (on 64-bit systems) but is missing in SEP 12.1.x

This has been addressed via a new version of the CIDS engine (16.2) released through LiveUpdate.