Intrusion Prevention exceptions may not work in Endpoint Protection versions 12.1.x using CIDS 16.1.4

Article ID: 170380

Products

Endpoint Protection

Issue/Introduction

Intrusion Prevention System (IPS) exceptions may not work correctly for some signatures on Symantec Endpoint Protection (SEP) client versions 12.1.x that use CIDS engine version 16.1.4. For example, test systems that host vulnerability scanners may still generate "blocked and logged" events for outgoing traffic, even though the related intrusion signature exceptions have been configured to "allow and do not log".

Cause

This is due to the CIDS 16.1.4 engine looking for a "SiloId" registry value during some operations. This value is expected to be in the IPS driver's service registry key under HKLM\SYSTEM\CurrentControlSet\services\IDSVia64\Parameters (on 64-bit systems) but is missing in SEP 12.1.x.
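
To confirm whether a given 64-bit client is in the state described above, the following read-only PowerShell check can be used. It is an added example, not vendor-supplied code; the function name `Get-SiloIdState` and its state labels are hypothetical, and it covers only the 64-bit key path quoted in this article.

```powershell
# Added example (not vendor code): report whether the "SiloId" value named in
# the Cause section exists. Read-only; nothing is written to the registry.
function Get-SiloIdState {
    [CmdletBinding()]
    param(
        # 64-bit IPS driver service key, as given in the article.
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\services\IDSVia64'
    )

    $paramKey = Join-Path $ServiceKey 'Parameters'
    $state    = 'SiloIdPresent'
    $value    = $null

    if (-not (Test-Path -LiteralPath $ServiceKey)) {
        # IPS driver service is not registered at this path on this machine.
        $state = 'DriverKeyMissing'
    }
    elseif (-not (Test-Path -LiteralPath $paramKey)) {
        $state = 'ParametersKeyMissing'
    }
    else {
        # Enumerate value names so an empty or zero value is not mistaken
        # for a missing one.
        $key = Get-Item -LiteralPath $paramKey
        if ($key.GetValueNames() -contains 'SiloId') {
            $value = $key.GetValue('SiloId')
        }
        else {
            $state = 'SiloIdMissing'
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ParametersKey = $paramKey
        State         = $state
        SiloId        = $value
    }
}

Get-SiloIdState
```

A `SiloIdMissing` result matches the registry condition described in this section; the check does not report the CIDS engine version, which still has to be confirmed separately.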

Resolution

This has been addressed via a new version of the CIDS engine (16.2) released through LiveUpdate.