Symantec Endpoint Protection Client - Reviewing Intrusion Protection System Detections and How to Handle Them

Article ID: 192157

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection client for Windows and macOS includes an Intrusion Protection System (IPS) module that detects network-based threats (Windows or macOS) and browser-based threats (Windows only) if those features are installed and the client has the appropriate policies. This article explains how to review the detections on the client and how to determine, as a customer, the next steps for dealing with them.

Cause

The SEP IPS module has detected one or more network or browser-based threats, has taken action on the threat, and has displayed a message to the user on the endpoint.

Environment

Microsoft Windows or Apple macOS Operating Systems

Resolution

There are two basic scenarios that need to be examined:
  • The client is receiving a single IPS detection (meaning one or more detections of the same threat).
    If this is the case, the following steps should be followed:
      • Review the client logs using View Logs > Client Management > Security Log.
      • Review the entries and look in particular at the Signature ID and Signature Name values. These fields identify the specific threat that was detected.
    Note: If the threat name includes a CVE in the name, such as Attack: Apache Struts CVE 2017 9805 2, or on the attack signatures page under Additional Resources, this indicates that the threat is something that can potentially be patched and remediated. While the SEP IPS module includes many mitigating controls for CVE threats, the best option when dealing with any CVE threat is to patch the application where the vulnerability exists. The SEP IPS module and its detections should always be considered a secondary remediation step after patching the application.
  • The client is getting multiple different IPS detections in rapid succession (meaning one or more detections of multiple different threats).
    This often indicates that the endpoint is being scanned by a vulnerability scanner, either from an internal Remote Host or from the internet.
    If this is the case, the following steps should be followed:
      • Review the client logs using View Logs > Client Management > Security Log.
      • Review the entries and look in particular at the Signature ID, Signature Name, and Remote Host values. These fields identify the specific threat that was detected and the host it came from.
    If the Remote Host is a local host that has a vulnerability scanner installed, then that hostname/IP should be added to the IPS Excluded Hosts section of the IPS policy. This tells the client to ignore IPS detections from those specific hosts. See the following documentation on adding hosts to the Excluded Hosts list: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-intrusion-prevention-v36820771-d53e8657/setting-up-a-list-of-excluded-computers-v8148757-d53e9455.html

    If the Remote Host is NOT a local host, or is a local host where a vulnerability scanner is NOT known to be installed, then these detections need to be researched to determine whether they are legitimate. If the detections are not the result of legitimate internal scanning activity, then SEP is protecting the endpoint, and the scans coming from that remote host need to be examined, as they are a possible indication that the remote host has been compromised.
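The triage logic above (single repeated detection versus many different signatures in rapid succession, known scanner versus unknown source, CVE-named signature versus other) can be applied mechanically to an exported Security Log. The script below is an added example, not Symantec code, and it does not use the real SEP export format: the CSV columns, the numeric signature IDs, the IP addresses, the `KNOWN_SCANNERS` inventory and the 60-second / 3-signature thresholds are all constructed assumptions. Only the signature name containing a CVE is taken from the article.

```python
"""Triage of SEP IPS Security Log entries per remote host (added example)."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows carrying the fields the article says to inspect
# (Signature ID, Signature Name, Remote Host). Column layout, signature IDs
# and addresses are placeholders, NOT the real SEP Security Log export format.
SAMPLE_LOG = """\
time,signature_id,signature_name,remote_host
2024-03-01 10:00:05,1001,Attack: Apache Struts CVE 2017 9805 2,203.0.113.7
2024-03-01 10:03:11,1001,Attack: Apache Struts CVE 2017 9805 2,203.0.113.7
2024-03-01 11:20:00,1002,Attack: Example Signature A,10.0.0.15
2024-03-01 11:20:02,1003,Attack: Example Signature B,10.0.0.15
2024-03-01 11:20:04,1004,Attack: Example Signature C,10.0.0.15
2024-03-01 11:20:07,1005,Attack: Example Signature D,10.0.0.15
2024-03-01 12:00:00,1002,Attack: Example Signature A,192.168.5.9
2024-03-01 12:00:01,1003,Attack: Example Signature B,192.168.5.9
2024-03-01 12:00:03,1004,Attack: Example Signature C,192.168.5.9
"""

# Assumed inventory of internal hosts that run an authorised vulnerability
# scanner; in practice this comes from your asset/CMDB records.
KNOWN_SCANNERS = {"10.0.0.15"}

# Signature names may write the CVE with spaces or hyphens ("CVE 2017 9805").
CVE_RE = re.compile(r"CVE[\s-]*\d{4}[\s-]+\d{4,}", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed CSV into dicts with a real datetime per row."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
            "sig_id": r["signature_id"],
            "sig_name": r["signature_name"],
            "remote_host": r["remote_host"],
        })
    return rows


def is_rapid_multi(events, window, min_distinct):
    """True if at least `min_distinct` different signatures fire within `window`
    of one another: the 'many different detections in rapid succession' case."""
    events = sorted(events, key=lambda e: e["time"])
    for i, first in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["time"] - first["time"] > window:
                break
            seen.add(e["sig_id"])
            if len(seen) >= min_distinct:
                return True
    return False


def triage(log_text, known_scanners=KNOWN_SCANNERS, window_seconds=60, min_distinct=3):
    """Classify each Remote Host into one of the article's scenarios and
    return the recommended next step for it."""
    by_host = defaultdict(list)
    for ev in parse_log(log_text):
        by_host[ev["remote_host"]].append(ev)

    report = {}
    for host, events in by_host.items():
        distinct = {e["sig_id"]: e["sig_name"] for e in events}
        cve_sigs = sorted(n for n in distinct.values() if CVE_RE.search(n))
        if is_rapid_multi(events, timedelta(seconds=window_seconds), min_distinct):
            if host in known_scanners:
                scenario = "scan-known-scanner"
                action = "add host to the IPS Excluded Hosts list"
            else:
                scenario = "scan-unknown-host"
                action = "research detections; examine the remote host for compromise"
        else:
            scenario = "single-threat"
            action = ("patch the affected application; IPS is a secondary control"
                      if cve_sigs else "review Signature ID / Signature Name")
        report[host] = {
            "events": len(events),
            "distinct_signatures": len(distinct),
            "cve_signatures": cve_sigs,
            "scenario": scenario,
            "action": action,
        }
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(f"{host:14} {info['scenario']:20} {info['action']}")
```

Run it and the three constructed hosts fall into the three outcomes the article describes: the external host repeating one CVE-named signature (patch first), the inventoried internal scanner (exclude it), and an internal host firing several different signatures with no known scanner (investigate). Tune `window_seconds` and `min_distinct` to your environment; they are not values from the article.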

Additional Information

Broadcom Technicians, see internal notes on KB for more information. 

Ransomware Removal and Protection with Symantec Endpoint Protection - https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/ransomware-removal-and-protection-with-v117307288-d11e5383.html

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies Explained: https://knowledge.broadcom.com/external/article?legacyId=TECH104434

Best Practices Regarding Intrusion Prevention System Technology: https://knowledge.broadcom.com/external/article?legacyId=TECH95347

Managing Intrusion Prevention: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-intrusion-prevention-v36820771-d53e8657.html#v36820771