ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Symantec Endpoint Protection - Intrusion Prevention Policy - Out of Band Scanning and Use Signature Subset for Servers

book

Article ID: 188808

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

This article discusses the Intrusion Prevention Policy, Server Performance Tuning features, Out-of-Band Scanning, and Use Signature Subset for Servers, what they are for, and when to use them. 

Cause

When using the Intrusion Prevention (IPS) feature of the Symantec Endpoint Protection client, there will be a nominal reduction in network throughput as the IPS module inspects all network traffic and runs it through the IPS definitions. This is unavoidable given how the IPS technology works within the larger multi-layered protection umbrella provided by SEP.

Environment

Client Operating Systems, i.e. Windows 10 (all versions)
Server Operating Systems, i.e. Windows Server (all versions)

Resolution

Starting with Symantec Endpoint Protection v14.2 RU1, a new feature was added within the Intrusion Prevention Policy named Server Performance Tuning that contains two different options, Out-of-band Scanning and Use Signature Subset for Servers. The intention of these features is to allow additional tuning for the IPS module and definitions in high-throughput scenarios, which are typically Servers providing network-based services. However, these features can be used on endpoints of all types as desired, as long as they are supported by the SEP client itself. 

Out-of-band Scanning
 tells the SEP client to use a multi-threaded processing approach for all network traffic examination via the IPS module, which has an overall effect of reducing the performance impact of using the IPS module. The use of this feature does not reduce the efficacy of the IPS module in any way.

Use Signature Subset for Servers is a smaller, consolidated and optimized set of IPS signatures intended for use in high-throughput scenarios, regardless of the endpoint type.

Note: In the Intrusion Prevention policy on the SEP Manager, the user interface calls out the use of the Out-of-band scanning feature as possibly conflicting with Windows Filtering Platform drivers, on Server operating systems. Therefore it is highly advisable to thoroughly test this option with a Server operating system, in a testing environment, prior to enabling it on production Server operating systems.

Additional Information

Link to SEP Release Notes page: https://knowledge.broadcom.com/external/article?legacyId=tech163829#SystemRequirements - 14.2.1 Release Notes - Page 5 - Performance Improvements for intrusion prevention on servers.