In Symantec Endpoint Protection 12.1.4 for Mac and later, you see intrusion prevention signatures whose category is listed as "Built-in." These signatures are present even before LiveUpdate runs for the first time. You want to know what kinds of attacks they are designed to prevent.

Symantec Endpoint Protection for Mac IPS includes four built-in signatures at installation. They are internal to the product and never appear in the Exceptions list under Policies > Intrusion Prevention > Intrusion Prevention Policies. Instead, they are controlled by the Firewall policy and by the checkboxes under Mac Settings > Protection.
| Signature ID | Name | Description | Possible False Positives | Response |
|---|---|---|---|---|
| 99990 | ARP Cache Poison | This signature detects attempts to modify your Internet address cache using unrequested ARP (Address Resolution Protocol) packets. | Guest virtual machines (GVMs) hosted on Macs on your local network can trigger this alert. You can set host/IP exceptions for those GVMs that repeatedly trigger this false positive. | Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action. |
| 9000 | ICMP Ping Flood | This signature defends against a denial of service created by sending too many 'ping' requests to your Mac. Attackers send your Mac thousands of ping packets, which can overwhelm your Mac's Internet connection. | There are no known false positives associated with this signature. | Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action. |
| 99992 | TCP SYN Flood | This signature defends against a denial of service created by sending too many connection requests to your Mac. Attackers send your Mac thousands of TCP SYN packets, which can overwhelm your Mac's Internet connection and consume your Mac's memory. | A very busy Mac used as a server may receive many legitimate connection requests, causing this signature to trigger. | Intrusion Prevention detects the attack and drops the corresponding packets. You do not need to take any additional action. |
| 10000 | Port Scan | This signature defends against attempts to scan your Mac for open ports. Some attackers repeatedly scan your network connection looking for weaknesses. However, such scans may also have legitimate uses. | This alert may be triggered by normal Internet activity. In extreme cases, this signature may block your DNS (domain name server) traffic, resulting in the loss of Internet connectivity. | If you see this alert followed by a loss of Internet connectivity, set the Port Scan signature to Log Only. |
If you receive too many notifications, you can disable IPS-related notifications under Clients > Policies > Server or Mixed Mode control. However, keep logging enabled so that you can monitor whether the notifications are the result of a known false positive. Once you have resolved the false positives, enable the notifications again.
Here are the default settings for the built-in signatures:

| Signature ID | Name | Default Severity | Default Action | Default Log |
|---|---|---|---|---|
| 99990 | ARP Cache Poison | Medium | Block | Not logged |
| 9000 | ICMP Ping Flood | Medium | Block | Logged |
| 99992 | TCP SYN Flood | High | Block | Not logged |
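As an added illustration (this is not Symantec code, and the product's real detection thresholds are not published on this page), the following Python sketch models the four built-in signature classes from the first table as simple rate and state checks over constructed packet records, and applies the Block / Log Only actions and logged / not-logged defaults from the second table so you can see what each setting changes: a Block action drops packets, Log Only keeps the alert but drops nothing, and the log flag only decides whether the alert is recorded. The thresholds, the host, IP and MAC addresses, the `exceptions` parameter (standing in for the host/IP exceptions mentioned for guest VMs) and the Port Scan defaults are all assumptions; the page gives no default settings for signature 10000.

```python
from collections import defaultdict

# Signature IDs as listed in the tables above.
SIG_ARP_CACHE_POISON = 99990
SIG_ICMP_PING_FLOOD = 9000
SIG_TCP_SYN_FLOOD = 99992
SIG_PORT_SCAN = 10000

# Illustrative thresholds: assumptions, not the product's real values.
ICMP_ECHO_PER_SEC = 100     # echo requests to this host within one 1 s bucket
SYN_PER_SEC = 200           # TCP SYNs to this host within one 1 s bucket, all sources combined
SCAN_DISTINCT_PORTS = 20    # distinct destination ports from one source within one bucket
SCAN_WINDOW_SEC = 5

# Default action/log settings from the second table. The Port Scan row is an
# assumption: the page gives no default for signature 10000.
DEFAULT_POLICY = {
    SIG_ARP_CACHE_POISON: {"action": "Block", "log": False},
    SIG_ICMP_PING_FLOOD: {"action": "Block", "log": True},
    SIG_TCP_SYN_FLOOD: {"action": "Block", "log": False},
    SIG_PORT_SCAN: {"action": "Block", "log": True},
}

HOST = "10.0.0.5"  # constructed address of the protected Mac


def set_action(policy, sig, action):
    """Return a copy of policy with one signature switched to 'Block' or 'Log Only'."""
    new = {k: dict(v) for k, v in policy.items()}
    new[sig]["action"] = action
    return new


def evaluate(packets, host_ip, policy=DEFAULT_POLICY, exceptions=frozenset()):
    """Run the four checks over packet dicts in time order.

    Returns (alerts, dropped): one alert per signature/source pair, tagged with
    the configured action and whether it would be logged, plus the number of
    packets a 'Block' action would have dropped. `exceptions` holds IPs that are
    excluded from the ARP check (the host/IP exceptions for guest VM hosts).
    """
    arp_cache = {}                        # ip -> mac learned from accepted replies
    icmp_buckets = defaultdict(int)       # second -> echo requests seen
    syn_buckets = defaultdict(int)        # second -> SYNs seen
    scan_buckets = defaultdict(set)       # (src, window) -> distinct dports
    fired, alerts, dropped = set(), [], 0

    def fire(sig, key, ts):
        rule = policy[sig]
        if (sig, key) not in fired:       # one alert per attack, like one notification
            fired.add((sig, key))
            alerts.append({"sig": sig, "src": key, "ts": round(ts, 3),
                           "action": rule["action"], "logged": rule["log"]})
        return rule["action"] == "Block"

    for p in sorted(packets, key=lambda p: p["ts"]):
        sec, block = int(p["ts"]), False
        if p["proto"] == "arp":
            if p["src_ip"] not in exceptions and p["op"] == "reply" and not p["solicited"]:
                known = arp_cache.get(p["src_ip"])
                if known is not None and known != p["src_mac"]:
                    # unrequested reply trying to rewrite an existing cache entry
                    block = fire(SIG_ARP_CACHE_POISON, p["src_ip"], p["ts"])
            if not block:
                arp_cache[p["src_ip"]] = p["src_mac"]
        elif p["proto"] == "icmp" and p["type"] == 8 and p["dst"] == host_ip:
            icmp_buckets[sec] += 1
            if icmp_buckets[sec] > ICMP_ECHO_PER_SEC:
                block = fire(SIG_ICMP_PING_FLOOD, p["src"], p["ts"])
        elif p["proto"] == "tcp" and p["flags"] == "S" and p["dst"] == host_ip:
            syn_buckets[sec] += 1
            if syn_buckets[sec] > SYN_PER_SEC:
                block = fire(SIG_TCP_SYN_FLOOD, "*", p["ts"])  # source-agnostic
            ports = scan_buckets[(p["src"], sec // SCAN_WINDOW_SEC)]
            ports.add(p["dport"])
            if len(ports) > SCAN_DISTINCT_PORTS:
                block = fire(SIG_PORT_SCAN, p["src"], p["ts"]) or block
        dropped += block
    return alerts, dropped


def constructed_traffic():
    """Constructed packet records that exercise each signature once."""
    pk = [
        # gateway MAC learned normally, then an unsolicited reply claiming a new MAC
        {"ts": 0.0, "proto": "arp", "op": "reply", "solicited": True,
         "src_ip": "10.0.0.1", "src_mac": "aa:aa:aa:aa:aa:01"},
        {"ts": 1.0, "proto": "arp", "op": "reply", "solicited": False,
         "src_ip": "10.0.0.1", "src_mac": "cc:cc:cc:cc:cc:99"},
        # the same pattern from a Mac hosting guest VMs, covered by an exception
        {"ts": 0.5, "proto": "arp", "op": "reply", "solicited": True,
         "src_ip": "10.0.0.77", "src_mac": "aa:aa:aa:aa:aa:77"},
        {"ts": 1.5, "proto": "arp", "op": "reply", "solicited": False,
         "src_ip": "10.0.0.77", "src_mac": "dd:dd:dd:dd:dd:77"},
    ]
    pk += [{"ts": 2.0 + i / 300, "proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": HOST}
           for i in range(150)]                                  # 150 pings in 0.5 s
    pk += [{"ts": 10.0 + i / 15, "proto": "tcp", "flags": "S", "src": "10.0.0.33",
            "dst": HOST, "dport": 1 + i} for i in range(30)]      # 30 ports in 2 s
    pk += [{"ts": 20.0 + i / 600, "proto": "tcp", "flags": "S",
            "src": f"198.51.100.{i % 200}", "dst": HOST, "dport": 443}
           for i in range(300)]                                  # 300 SYNs in 0.5 s
    return pk


if __name__ == "__main__":
    found, n = evaluate(constructed_traffic(), HOST, exceptions={"10.0.0.77"})
    for a in found:
        print(a)
    print("packets dropped:", n)
```

Running it with the guest VM host in `exceptions` yields four alerts, of which only the ICMP Ping Flood and Port Scan ones carry `logged: True` under the assumed defaults, and 161 dropped packets. Switching the Port Scan signature to Log Only with `set_action` keeps its alert but stops its 10 drops, which is the trade-off behind the advice to use Log Only when the signature interferes with DNS; removing the exception makes the guest VM host's unsolicited ARP reply fire signature 99990 as well.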