Managing intrusion prevention on your client computers

Article:HOWTO55156  |  Created: 2011-06-29  |  Updated: 2011-12-16  |  Article URL http://www.symantec.com/docs/HOWTO55156
Article Type
How To


Subject


Managing intrusion prevention on your client computers

The default intrusion prevention settings protect client computers against a wide variety of threats. You can change the default settings for your network.

Table: Managing intrusion prevention

Task

Description

Learn about intrusion prevention

Learn how intrusion prevention detects and blocks network and browser attacks.

See How intrusion prevention works.

See About Symantec IPS signatures.

Enable or disable intrusion prevention

You might want to disable intrusion prevention for troubleshooting purposes or if client computers detect excessive false positives. However, to keep your client computers secure, typically you should not disable intrusion prevention.

You can enable or disable the following types of intrusion prevention in the Intrusion Prevention policy:

  • Network intrusion prevention

  • Browser intrusion prevention

See Enabling or disabling network intrusion prevention or browser intrusion prevention.

You can also enable or disable both types of intrusion prevention, as well as the firewall, when you run the Enable Network Threat Protection or Disable Network Threat Protection command.

See Running commands on the client computer from the console.

Create exceptions to change the default behavior of Symantec network intrusion prevention signatures

You might want to create exceptions to change the default behavior of the default Symantec network intrusion prevention signatures. Some signatures block the traffic by default and other signatures allow the traffic by default.

Note:

You cannot change the behavior of browser intrusion prevention signatures.

You might want to change the default behavior of some network signatures for the following reasons:

  • Reduce consumption on your client computers.

    For example, you might want to reduce the number of signatures that block traffic. Make sure, however, that an attack signature poses no threat before you exclude it from blocking.

  • Allow some network signatures that Symantec blocks by default.

    For example, you might want to create exceptions to reduce false positives when benign network activity matches an attack signature. If you know the network activity is safe, you can create an exception.

  • Block some signatures that Symantec allows.

    For example, Symantec includes signatures for peer-to-peer applications and allows the traffic by default. You can create exceptions to block the traffic instead.

See Creating exceptions for IPS signatures.

You can use application control to prevent users from running peer-to-peer applications on their computers.

See Typical application control rules.

If you want to block the ports that send and receive peer-to-peer traffic, use a Firewall policy.

See Creating a firewall policy.

Create exceptions to ignore browser signatures on client computers

You can create exceptions to exclude browser signatures from browser intrusion prevention.

You might want to ignore browser signatures if browser intrusion prevention causes problems with browsers in your network.

See Creating exceptions for IPS signatures.

Exclude specific computers from intrusion prevention scans

You might want to exclude certain computers from intrusion prevention. For example, some computers in your internal network may be set up for testing purposes. You might want Symantec Endpoint Protection to ignore the traffic that goes to and from those computers.

When you exclude computers, you also exclude them from the denial of service protection and port scan protection that the firewall provides.

See Setting up a list of excluded computers.

Configure intrusion prevention notifications

By default, messages appear on client computers for intrusion attempts. You can customize the message.

See Configuring client intrusion prevention notifications.

Create custom intrusion prevention signatures

You can write your own intrusion prevention signature to identify a specific threat. When you write your own signature, you can reduce the possibility that the signature causes a false positive.

For example, you might want to use custom intrusion prevention signatures to block and log Web sites.

See Managing custom intrusion prevention signatures.

Monitor intrusion prevention

Regularly check that intrusion prevention is enabled on the client computers in your network.

See Monitoring endpoint protection


Legacy ID



v36820771_v59371754


Article URL http://www.symantec.com/docs/HOWTO55156


Terms of use for this information are found in Legal Notices