ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Endpoint Protection Host IPS blocks a URL but Symantec does not block the same URL


Article ID: 172210


Updated On:


Endpoint Protection


Symantec Endpoint Protection (SEP) IPS blocks URL 
False Positive submission [89731]: Upon further analysis and investigation we have determined that the URL(s) in question meet the necessary criteria to be detected by our products and as such, the detection cannot be revoked.  If malicious, the customer is asking why Symantecis not blocking it too as malicious or suspicious. 


The website is blocked by Symantec.

The website was blocked for [SID: 28821] Web Attack: Mass Injection Website 19, and when we went and looked, security response verified the site was, indeed, attempting a mass injection attack. Basically, The site is injected with a script that redirects the viewer to malicious domains.
Symantec is not blocking the same url.


ProxySG and WSS use the Symantec GIN services to categorize and classify URLs. It is possible that SEP and GIN do not use the same criteria for URL classification.