Disable IPS and dependent features for Endpoint Protection


Article ID: 179323


Products

Endpoint Protection

Issue/Introduction

 

Resolution

In the course of troubleshooting an issue, you may wish to disable IPS and dependent features, either because you read Best Practices for Endpoint Protection on Windows servers, which states that they can interfere with the operation of high-load or high-throughput servers, or because you were instructed to do so by Symantec Support.

This article describes one possible way to achieve this, for both managed and unmanaged clients.

Managed Clients

  1. In SEPM > Clients, click Add a group and name it e.g. "Disable IPS and dependent features".
  2. In the "Disable IPS and dependent features" Policies tab, untick Inherit policies and settings from parent group "My Company".
  3. Right-click SEPM > Policies > Intrusion Prevention > Intrusion Prevention policy and select Add. Name the new policy e.g. "Disable Intrusion Prevention policy", simply replacing New with Disable.
  4. Click Intrusion Prevention, then uncheck Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention for Windows and click the OK button. Click the Yes button when asked to assign the policy.
  5. Tick the "Disable IPS and dependent features" group, then click the Assign and Yes buttons.
  6. Right-click SEPM > Policies > Virus and Spyware Protection Policies > Virus and Spyware Protection Policy - Balanced and click Add. Name the new policy e.g. "Disable SONAR and Download Protection".
  7. Under Protection Technology, click Download Protection, then untick Enable Download Insight to detect potential risks in downloaded files based on file reputation. Under SONAR, untick Enable SONAR. Click the OK button, then click the Yes button when asked to assign the policy. Tick the "Disable IPS and dependent features" group, then click the Assign and Yes buttons.
  8. Right-click SEPM > Policies > Memory Exploit Mitigation > Memory Exploit Mitigation policy and click Add. Name the new policy e.g. "Disable Memory Exploit Mitigation".
  9. Under Memory Exploit Mitigation, untick Enable Memory Exploit Mitigation. Click the OK button, then click the Yes button when asked to assign the policy. Tick the "Disable IPS and dependent features" group, then click the Assign and Yes buttons.
  10. Navigate to SEPM > Clients and then to the group containing the clients that are to be moved to the new group. One by one, right-click the systems to be moved, select Move, tick the "Disable IPS and dependent features" group, then click the OK button.
  11. On the systems on which IPS and dependent features are to be disabled, either wait for the next heartbeat interval to pass or right-click the SEP tray notification area icon and select Update Policy.

Unmanaged Clients

  1. Right-click the SEP tray notification area icon and select Open Symantec Endpoint Protection.
  2. Click the Options button next to Virus and Spyware Protection, select Change Settings... and navigate to the Download Insight tab. Uncheck Enable Download Insight to detect potential risks in downloaded files based on file reputation.
  3. Click the Options button next to Proactive Threat Protection, select Change Settings... and untick Enable SONAR.
  4. Click the Options button next to Network and Host Exploit Mitigation, select Change Settings... and navigate to the Intrusion Prevention tab. Untick the Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention settings. Navigate to the Memory Exploit Mitigation tab and untick Enable Memory Exploit Mitigation. Click the OK button.