Symantec Endpoint Protection IPS logs shows inconsistent actions for the same IPS signatures. SID Audit [SID: 27959] signature sometimes shows blocked and sometimes shows allowed.

For example:

[SID: 27959] Audit: SSLV3 Server Hello attack detected but not blocked.
Application path: C:\PROGRAM…

[SID: 27959] Audit: SSLV3 Server Hello attack blocked. Traffic has been blocked
for this application: C:\PROGRAM…

This issue was fixed in the 17.0 CIDS engine and newer.