This document describes the challenges of running network vulnerability scans when the Symantec Endpoint Protection (SEP) client is installed on the scanner computer, and/or the target computers of the scan.
Vulnerability scanners test computers and applications for vulnerabilities. They probe target computers to find open network ports and send network traffic to determine what applications and services are listening on those ports. They interrogate the applications and services to detect version and configuration information, and send simulated exploits of known vulnerabilities. If an application or service shows evidence it is running a vulnerable version or configuration, or responds to the simulated attacks as if it were vulnerable, the scanner provides feedback, usually in the form of a report showing this.
Since the SEP client protects computers against vulnerabilities. It uses several protection technologies to detect network traffic that appear to be related to known threats and vulnerability exploits, as well as application behaviors that appear suspicious. The SEP client will detect and block this activity, causing false negatives for the vulnerability scanner, and notifications to users and administrators that appear to show a compromised computer or application.
If SEP is installed on the vulnerability scanner computer, the Intrusion Prevention System (IPS) component will block outbound network connections to target computers once it has determined the traffic appears malicious. The IPS component on the target computers will block network traffic to or from the vulnerability scanner computer that appears malicious as well. If the network traffic doesn't trigger an IPS detection, it may trigger a Behavior-Based Protection (SONAR) detection based on apparent malicious process activity.
Review these methods to see which will work best in your environment.
Excluded Hosts exceptions
Adding an Excluded Hosts list to the scanner and target computers IPS policy is the simplest method, and can be accomplished with little administrative overhead. If possible, the excluded hosts lists should be removed during normal operation.
This method prevents the SEP client from blocking network traffic, so the SEP client's Auto-Protect Network scanning can still block Server Message Blocks (SMB) based communications, and the SONAR engine can still block suspicious process activity triggered by the scan. It also prevents IPS from blocking legitimate attacks to/from the computers in the Excluded Hosts list. Because of this, it's only recommended when the other methods in this document are not feasible.
To use Excluded Hosts exceptions:
SEP location based policy method
You can isolate the target computers by creating a location within the Symantec Endpoint Protection Manager (SEPM) with a set of policies that disable the protection technologies that will potentially block the vulnerability scanner.
Move the target computers into the location that applies the above policies during the vulnerability scan. After the scan completes, move the clients back into their default location.
Isolated network segment method
This method relies in 3rd party network equipment that is capable of supporting Virtual Lan (VLAN) capabilities. Create an isolated VLAN and move the scanner computers into that VLAN. When necessary, move target computers into the same isolated VLAN and disable the Firewall, IPS, Auto-Protect and SONAR components during the scan. After the scan completes, re-enable all protection technologies on the target computers and move them out of the isolated VLAN.