Responding to suspected IPS false positives in Endpoint Protection

Article ID: 162648

Products

Endpoint Protection

Issue/Introduction

The Intrusion Prevention System (IPS) of a Symantec Endpoint Protection (SEP) client is being triggered by traffic to a website that is believed to be safe, or unusual, unexpected IPS events are being seen from a SEP client.

Resolution

Do not assume that unexpected events are False Positives!  Legitimate websites and public-facing internal web servers may have been compromised by an attacker to serve malware, or malicious advertisements on those pages (malvertisements) may be attempting to redirect visitors to a site hosting a drive-by download for vulnerable browsers.  Also, malware that is not yet detected by SEP’s AntiVirus component may be silently active on a computer; IPS events that block its malicious traffic are a “red flag” that an infection is present.  Consider all IPS events carefully and perform a Threat Analysis Scan on any computer which is triggering a “System Infected” IPS event.

IPS is a crucial proactive technology.  More information can be found in Security Response's post What Symantec’s Intrusion Prevention System did for you in 2015 and the Connect article Two Reasons why IPS is a "Must Have" for your Network.

If the IPS event is believed to be a False Positive (FP), please follow these steps:

  1. Ensure that the SEP client has the latest available IPS definitions in place.  Run LiveUpdate, or confirm that the “Network Threat Protection” definition date on the client matches the latest available listed on Security Updates.
  2. Note whether the intrusion is inbound or outbound, the source and destination IP address (or domain), and the exact IPS event number and name.  (These details must be provided when reporting the suspected False Positive.)
  3. If the IPS event occurs when simply accessing a public website, copy the exact URL and any other details necessary to reproduce the issue.
  4. Otherwise, temporarily exclude that domain or disable that IPS signature so that the traffic is not blocked, then record the traffic which triggers the IPS event using Wireshark, tcpdump or another packet capture tool.  A video demonstrating how to capture network traffic is available.  Be sure to enable that IPS signature once again immediately after the traffic is collected!
  5. Provide the URL and details (from 3, above) or the .pcap (packet capture) to Symantec's False Positive Submission Site.  Be sure to specify that this is an IPS (“Network Intrusion Detection”) detection rather than a suspected False Positive on a file.
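
The capture in step 4 is easiest to analyse, and to upload, when it is limited to the flow noted in step 2.  The following shell script is an added example, not part of this article or of SEP itself: it builds a tcpdump filter from the client and remote addresses noted in step 2, records that conversation for a bounded time with full packet payloads, and checks the file's magic number before it is submitted in step 5.  The interface name, addresses, port and file names are assumptions for illustration; tcpdump and timeout(1) must be installed, and the capture itself needs root or CAP_NET_RAW.

```shell
#!/bin/sh
# Added example, not part of the Symantec article or of SEP: capture only the
# flow behind a suspected IPS false positive (steps 2 and 4) and check the
# file before uploading it (step 5). Requires tcpdump and timeout(1); the
# capture itself needs root or CAP_NET_RAW. Interface, addresses, port and
# file names are assumptions for illustration.

# build_filter CLIENT_IP REMOTE [PORT]
# Prints a BPF filter for the whole conversation between the SEP client and
# the remote host or domain noted in step 2. Both directions are kept on
# purpose: the analyst needs the full exchange, not only the packets that
# matched, so whether the event was inbound or outbound belongs in the
# submission notes, not in the filter. A port, if the event lists one,
# narrows the capture further.
build_filter() {
    client=$1; remote=$2; port=${3:-}
    filter="host $client and host $remote"
    if [ -n "$port" ]; then
        filter="$filter and port $port"
    fi
    printf '%s\n' "$filter"
}

# check_pcap FILE
# Confirms the file really is a capture by its 4-byte magic number and prints
# the format, or fails. Catches an empty file (tcpdump died early) and the
# wrong file being picked for upload.
check_pcap() {
    file=$1
    if [ ! -s "$file" ]; then
        echo "$file: missing or empty" >&2
        return 1
    fi
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo "$file: pcap (microsecond timestamps)" ;;
        4d3cb2a1|a1b23c4d) echo "$file: pcap (nanosecond timestamps)" ;;
        0a0d0d0a)          echo "$file: pcapng" ;;
        *)
            echo "$file: not a pcap/pcapng file (magic $magic)" >&2
            return 1
            ;;
    esac
}

# capture_flow IFACE OUTFILE FILTER [SECONDS]
# Records full packets (-s 0) matching FILTER for SECONDS (default 120), so
# the payload that tripped the signature is preserved, then verifies the file.
capture_flow() {
    iface=$1; out=$2; filter=$3; secs=${4:-120}
    echo "capturing '$filter' on $iface for ${secs}s -> $out" >&2
    if timeout "$secs" tcpdump -i "$iface" -nn -s 0 -w "$out" "$filter"; then
        rc=0
    else
        rc=$?
    fi
    # timeout(1) exits 124 when the time limit, not an error, stopped tcpdump.
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 124 ]; then
        echo "tcpdump failed (exit $rc)" >&2
        return "$rc"
    fi
    check_pcap "$out"
}

# Usage: sh ips_fp_capture.sh IFACE CLIENT_IP REMOTE [PORT]
# e.g.   sh ips_fp_capture.sh eth0 10.0.0.25 www.example.com 443
if [ $# -ge 3 ]; then
    out="ips_fp_$(date +%Y%m%d_%H%M%S).pcap"
    capture_flow "$1" "$out" "$(build_filter "$2" "$3" "${4:-}")"
    echo "Re-enable the IPS signature now, then submit $out with the event details." >&2
fi
```

Run the script with the signature disabled (or the domain excluded), reproduce the traffic within the capture window, and re-enable the signature as soon as the file has been written.  Keeping both directions of the conversation matters: a capture that contains only the packets the signature flagged, without the handshake and the client's requests, rarely gives the analyst enough to decide whether the detection was wrong.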

While the reported FP is being investigated, administrators may temporarily disable the signature if they are extremely confident that it is a False Positive and the IPS event is disrupting crucial business processes.  Apply exclusions with great caution.

For more information, please see the "What if I want to submit a file that I believe is being falsely detected?" section of How to Use the Web Submission Process to Submit Suspicious Files.