Detecting potential attacks and spoofing attempts

Article:HOWTO81160

Created: 2012-10-24

Updated: 2013-06-06

Article URL http://www.symantec.com/docs/HOWTO81160

Article Type
How To

Product(s)

Show all

Subject

Show all

Languages

Show all

Detecting potential attacks and spoofing attempts

You can enable the various settings that enable Symantec Endpoint Protection to detect and log potential attacks on the client and block spoofing attempts. All of these options are disabled by default.

The settings that you can enable are as follows:

Enable port scan detection

When this setting is enabled, Symantec Endpoint Protection monitors all incoming packets that any security rule blocks. If a rule blocks several different packets on different ports in a short period of time, Symantec Endpoint Protection creates a Security log entry.

Port scan detection does not block any packets. You must create a security policy to block traffic when a port scan occurs.

Enable denial of service detection

Denial of service detection is a type of intrusion detection. When enabled, the client blocks traffic if it detects a pattern from known signatures, regardless of the port number or type of Internet protocol.

Enable anti-MAC spoofing

When enabled, Symantec Endpoint Protection allows incoming and outgoing address resolution protocol (ARP) traffic if an ARP request was made to that specific host. All other unexpected ARP traffic is blocked and an entry is generated to the Security log.

Note:

To configure these settings in mixed control, you must also enable these settings in the Client User Interface Mixed Control Settings dialog box.

To detect potential attacks and spoofing attempts