Managing intrusion prevention on your client computers

Article:HOWTO81346  |  Created: 2012-10-25  |  Updated: 2014-09-21  |  Article URL
Article Type
How To


Managing intrusion prevention on your client computers

The default intrusion prevention settings protect client computers against a wide variety of threats. You can change the default settings for your network.

If you run Symantec Endpoint Protection Small Business Edition on servers, intrusion prevention might affect server resources or response time. For more information, see the following knowledge base article:

Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers

Table: Managing intrusion prevention



Learn about intrusion prevention

Learn how intrusion prevention detects and blocks network and browser attacks.

See How intrusion prevention works.

See About Symantec IPS signatures.

Enable or disable intrusion prevention

You might want to disable intrusion prevention for troubleshooting purposes or if client computers detect excessive false positives. However, to keep your client computers secure, typically you should not disable intrusion prevention.

You can enable or disable the following types of intrusion prevention in the Intrusion Prevention policy:

  • Network intrusion prevention

  • Browser intrusion prevention (Windows computers only)

See Enabling or disabling network intrusion prevention or browser intrusion prevention.

You can also enable or disable both types of intrusion prevention, as well as the firewall, when you run the Enable Network Threat Protection or Disable Network Threat Protection command.

See Running commands on the client computer from the console.

Create exceptions to change the default behavior of Symantec network intrusion prevention signatures

You might want to create exceptions to change the default behavior of the default Symantec network intrusion prevention signatures. Some signatures block the traffic by default and other signatures allow the traffic by default.


You cannot change the behavior of browser intrusion prevention signatures.

You might want to change the default behavior of some network signatures for the following reasons:

  • Reduce consumption on your client computers.

    For example, you might want to reduce the number of signatures that block traffic. Make sure, however, that an attack signature poses no threat before you exclude it from blocking.

  • Allow some network signatures that Symantec blocks by default.

    For example, you might want to create exceptions to reduce false positives when benign network activity matches an attack signature. If you know the network activity is safe, you can create an exception.

  • Block some signatures that Symantec allows.

    For example, Symantec includes signatures for peer-to-peer applications and allows the traffic by default. You can create exceptions to block the traffic instead.

  • Use audit signatures to monitor certain types of traffic (Windows only)

    Audit signatures have a default action of Not log for certain traffic types, such as traffic from instant message applications. You can create an exception to log the traffic so that you can view the logs and monitor this traffic in your network. You can then use the exception to block the traffic, create a firewall rule to block the traffic, or leave the traffic alone.

See Creating exceptions for IPS signatures.

If you want to block the ports that send and receive peer-to-peer traffic, use a Firewall policy.

See Creating a firewall policy.

Create exceptions to ignore browser signatures on client computers

(Windows only)

You can create exceptions to exclude browser signatures from browser intrusion prevention on Windows computers.

You might want to ignore browser signatures if browser intrusion prevention causes problems with browsers in your network.

See Creating exceptions for IPS signatures.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices