You have Symantec Endpoint Protection. You need to know whether you should enable Intrusion Prevention System (IPS).
Note: To quickly check if the system in question is configured according to this best practice, download and run SymHelp.
Intrusion Prevention System technology significantly increases the level of protection that Symantec Endpoint Security gives to your network. You should always have IPS enabled on your network.
Antivirus technology is strong, effective technology that protects your computer from malicious files that are on the hard drive. Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.
Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream to find threats that use known exploits and attack vectors. IPS does not detect specific files, but rather the specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.
For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the file. Since IPS already had signatures for the RPC Handling vulnerability, however, computers running IPS were protected before the worm was ever released.
IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its use should be considered a necessity on any network that is connected to the Internet.
IPS is fully compatible with Windows server operating systems. For more information on the limitations of IPS on high availability/high bandwidth SEPMs, see Best Practices for employing Intrusion Prevention System (IPS) to high-availability/high bandwidth servers.
Note: Proactive Threat Protection is not the same thing as IPS. SEP 11.X Proactive Threat Protection is not compatible with server operating systems.
In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.
In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.
If you do not have IPS installed on the clients on your network, you can use Symantec Endpoint Protection Manager to add the feature to managed clients, or use Add or Remove Programs to add IPS to unmanaged clients. For instructions, read the document How to add or remove features to existing Symantec Endpoint Protection client installations.