
Endpoint for Mac users receive "Vulnerability BLOCKED" popups for ARP traffic but anti-MAC spoofing is disabled


Article ID: 175153


Products

Endpoint Protection

Issue/Introduction

SEP (Symantec Endpoint Protection) Mac users receive "Vulnerability BLOCKED" popups for ARP traffic, with "ARP Cache Poison" shown in the SEP Vulnerability log details, even though the anti-MAC spoofing setting is disabled in the Mac Firewall policy settings at the SEPM (SEP Manager).

"Vulnerability BLOCKED" popups on desktop.

"ARP Cache Poison" in SEP Vulnerability log details.

Environment

SEP for Mac versions 14.2.x

Cause

This is caused by remnants of Mac IPS (Intrusion Protection) policy settings from an older SEPM that has been upgraded to 14.2.x, along with the clients. That version of SEP for Mac should not alert users or log ARP traffic; it is handled silently as long as IPS is enabled. The "anti-MAC spoofing" checkbox in Mac firewall policy settings has no effect.

Resolution

Re-create the IPS policy from scratch at the SEPM so that the old Mac policy settings are no longer present.