The Intrusion Prevention System (IPS) of a Symantec Endpoint Protection (SEP) client if being triggered by traffic to a website that is believed to be safe, or unusual, unexpected IPS events are being seen from a SEP client.
Do not assume that unexpected events are False Positives! Legitimate websites and public-facing internal webservers may have been compromised by an attacker to serve malware, or malicious advertisements on those pages (maladvertizements) may be attempting to redirect visitors to a site hosting a drive-by download for vulnerable browsers. Also, malware that is not yet caught by SEP’s AntiVirus component may be silently active on a computer, with the IPS events that block its malicious traffic a “red flag” that an infection is present. Consider all IPS events carefully and perform a Threat Analysis Scan on any computer which is triggering a “System Infected” IPS event.
|IPS is a crucial proactive technology. More information can be found in Security Response's post What Symantec’s Intrusion Prevention System did for you in 2015 and the Connect article Two Reasons why IPS is a "Must Have" for your Network|
If the IPS event is believed to be a False Positive (FP), please follow these steps:
While the reported FP is being investigated, it is possible for administrators to temporarily disable the signature if they are extremely confident that this is a False Positive and the IPS event is disrupting crucial business processes. Apply exclusions with great caution.
For more information, please see the "What if I want to submit a file that I believe is being falsely detected?" section of How to Use the Web Submission Process to Submit Suspicious Files.