About false positive IPS events on Endpoint Protection for Macintosh

Article ID: 161778

Products

Endpoint Protection

Issue/Introduction

Logs show that certain IPS events are detected by Symantec Endpoint Protection on Macintosh clients, but when Symantec Security Response is queried, the response is that these are silent IPS signatures that should not be visible at all. In some cases there is also no entry for the event in the list of IPS Attack Signatures. Is there any cause for concern?

Example SEP for Mac log entries:

"Informational: HTTP PE Download" Signature ID: 23318

"Web Attack: Malicious Website Accessed 3" Signature ID: 25618

"Web attack : Malicious JPEG image download 3" Signature ID: 28875

... or any attack whose ID does not have a write-up linked at http://www.symantec.com/security_response/attacksignatures

Cause

These silent IPS signatures are meant to gather telemetry that is sent only to Symantec; they should not be visible anywhere in the user interface.

There is no public list of such signatures that can be referenced because they are constantly changing. Any detection whose ID does not have a corresponding link at http://www.symantec.com/security_response/attacksignatures is a silent signature.

They do not indicate a threat of any kind, despite their undesired appearance in pop-ups or logging, and no traffic is blocked as a result of these detections. Their only purpose is to gather data on traffic trends and help Symantec shape the design of signatures that do detect real threats. The telemetry settings are on the "Data Collection" tab under Site Properties in SEPM.
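The rule above gives a practical triage test: an event whose signature ID has no write-up on the attack-signatures index is telemetry, not an alert. The script below is an added example, not code from Symantec or from this article, that parses entries in the shape shown above and buckets them for SIEM review. The log lines are constructed samples, and the set of documented IDs is a hypothetical placeholder that a real deployment would populate from the index linked in this article (the "Constructed:" entry and ID 100000 are invented for the example).

```python
import re

# Constructed sample entries in the shape the article shows (not real log exports).
# The last line is a constructed placeholder for a signature that does have a
# public write-up; its name and ID are invented for this example.
SAMPLE_LOG_LINES = [
    '"Informational: HTTP PE Download" Signature ID: 23318',
    '"Web Attack: Malicious Website Accessed 3" Signature ID: 25618',
    '"Web attack : Malicious JPEG image download 3" Signature ID: 28875',
    'not a signature line',
    '"Constructed: signature with a public write-up" Signature ID: 100000',
]

# Hypothetical set of IDs that have a write-up on the attack-signatures index.
# Populate it from the index the article links to; absence from that index is
# the only available test for a silent signature, since no public list exists.
DOCUMENTED_IDS = {100000}

# Matches the quoted signature name followed by its numeric ID.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s+Signature ID:\s*(?P<sid>\d+)\s*$')


def parse_entry(line):
    """Return {'name': ..., 'sid': int} for a well-formed line, else None."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return {"name": m.group("name"), "sid": int(m.group("sid"))}


def classify(lines, documented_ids):
    """Bucket log lines into documented, likely_silent and unparsed.

    Entries are never dropped: an unparsable line is kept so an analyst can
    review it rather than silently losing a real alert.
    """
    buckets = {"documented": [], "likely_silent": [], "unparsed": []}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            buckets["unparsed"].append(line)
        elif entry["sid"] in documented_ids:
            buckets["documented"].append(entry)
        else:
            buckets["likely_silent"].append(entry)
    return buckets


def silent_ids(lines, documented_ids):
    """The sorted signature IDs that a SIEM view can safely suppress."""
    return sorted(e["sid"] for e in classify(lines, documented_ids)["likely_silent"])


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_LOG_LINES, DOCUMENTED_IDS).items():
        print(f"{bucket}: {items}")
```

Only the "likely_silent" bucket is safe to suppress; events in the "documented" bucket are real detections and keep their normal handling. If the documented-ID set is built by fetching the index, treat a failed or empty fetch as "unknown" rather than as an empty set, or every event would be classified as silent.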

Environment

SEP for Macintosh only

Resolution

Silent IPS signatures have been completely hidden from the client-side interface since LiveUpdate CIDS content version 15.0.3, released in March 2016.

Silent signatures remained visible in SEPM until this was fixed in SEP 14.0.