SEP and Norton Network Threat Protection/IPS Signature Naming Improvements

Article: TECH152794  |  Created: 2011-02-07  |  Updated: 2014-05-26
Article Type: Technical Solution


What is happening?

An Intrusion Prevention System (IPS) is one of the chief proactive protection technologies in use today to keep malware, web-based attacks, social-engineering attacks and the latest threats off users' systems.  IPS is important for both Symantec's Consumer (Norton) and Enterprise products.  Please see the Connect article "Two Reasons why IPS is a 'Must Have' for your Network" to learn how IPS complements the AntiVirus and other components of Symantec Endpoint Protection (SEP).
To ensure that IT managers quickly understand the category and type of attack and what next steps are required, Symantec has changed all IPS signatures to include a keyword prefix shared by attacks of the same category.  The use of keywords also allows customers to quickly and clearly prioritize events.
The following prefixes will be used to more clearly identify the type of protection:
  • System Infected:
  • OS Attack:
  • Web Attack:
  • Fake App Attack:
  • Malicious Site:
  • Attack:
System Infected:  Threat events with the “System Infected” prefix should be the highest-priority events investigated for breach and malware removal.  These events clearly indicate an active malware infection, a Trojan, or a bot that is trying to communicate outbound.
Example:  "System Infected: Tidserv Activity".  This message means that a variant of Tidserv is being detected by IPS attempting to "phone home" or infect other systems.
OS Attack:  Threat events with the “OS Attack” prefix should be investigated with the second-highest priority.  These events occurring within an enterprise indicate that, while the individual system has been protected, there is still an active infection coming from the server-bound direction.  In other words, an inbound attack was prevented.  Correlating these events can also easily help you pinpoint where the attack is originating.
Example:  “OS Attack: MS RPCSS (3)”.  This IPS trigger means that IPS blocked an attempt to exploit the MS RPC vulnerability and install malware on the system.  You should investigate the originating IP address to determine where infections are coming from.
Web Attack:  Threat events with the “Web Attack” prefix should be investigated with the third-highest priority.  These systems were protected from a web-based attack, such as a drive-by download that attempts to exploit vulnerabilities in the browser or in browser plug-ins such as document readers, multimedia players and ActiveX controls.  Exploits of application vulnerabilities, such as those in Java, Adobe Flash, Adobe Acrobat and Apple QuickTime, are also included in this category.  No further investigation should be required.
Example:  “Web Attack: HTTP Malicious Javascript Heap Spray”.  This means that IPS protected your system against a web attack toolkit attempting to exploit a vulnerability via a drive-by download.
Fake App Attack:  Threat events with the “Fake App Attack” prefix should be investigated with the fourth-highest priority.  These systems were protected by IPS from a social-engineering Fake AV or Fake Codec attack.  No further investigation is required.  Because these attacks require user interaction, and are quite commonly triggered by simple actions such as Google searches or clicking links on Facebook, they are slightly lower in analysis priority than Web Attacks.
Example:  “FakeApp Attack: FakeAV Installer Download”.  This means that IPS protected your system from a social-engineering attack.  In this case, an attempt was made to install a fake antivirus product on an end user's system.
Malicious Site:  Threat events with the “Malicious Site” prefix should be investigated with the lowest priority.  These systems were protected from visiting a domain, web site or IP address known to be malicious.  No malicious activity can come from that site, because the Malicious Site event blocked all further communication with it.
Example:  “Malicious Site: Malicious Web Site, Domain, or URL 1”.  This means that a known malicious web site was prevented from being navigated to.  Various malicious content, including web attack toolkits or social-engineering attacks, may originate from these URLs, IPs or domains.
Attack:  Threat events with the “Attack” prefix cover other targeted vectors, such as file formats or additional application vulnerabilities.  Such signatures may include third-party applications that are not browser-based.
Example:  “Attack: Microsoft PowerPoint PPT4 RCE”.  This means that an attempt to exploit a Microsoft PowerPoint vulnerability was blocked.
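
As an added illustration of how these prefixes translate into a triage order (example code written for this article, not Symantec's own), the Python below parses a signature name into its prefix, maps it to the priority and next step described above, and sorts a batch of events accordingly; it accepts both the "Fake App Attack" and "FakeApp Attack" spellings and falls through gracefully on legacy, unprefixed names.  The event records, signature IDs and host names are constructed for the example.

```python
import re

# Priority order the article gives: System Infected (highest) to Malicious Site
# (lowest). "Attack:" is described but not ranked, so it is left unranked here.
PREFIX_PRIORITY = {"System Infected": 1, "OS Attack": 2, "Web Attack": 3,
                   "Fake App Attack": 4, "Malicious Site": 5, "Attack": None}

# Next step per category, as the article describes it.
NEXT_STEP = {
    "System Infected": "investigate host for breach and remove malware",
    "OS Attack": "investigate the originating IP to find the infection source",
    "Web Attack": "none required (blocked drive-by / browser exploit)",
    "Fake App Attack": "none required (blocked social-engineering download)",
    "Malicious Site": "none required (all traffic to the site was blocked)",
    "Attack": "blocked exploit against a non-browser application; no rank given",
}

_PREFIX_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")
def parse_signature(name):
    """Split 'Prefix: detail' into (canonical prefix, detail).
    Returns (None, name) for pre-2011 names that carry no prefix."""
    m = _PREFIX_RE.match(name)
    if not m:
        return None, name.strip()
    # The article spells the prefix both "Fake App Attack" and "FakeApp Attack".
    canon = re.sub(r"\s+", " ", m.group(1).replace("FakeApp", "Fake App")).strip()
    return (canon, m.group(2)) if canon in PREFIX_PRIORITY else (None, name.strip())

def triage(events):
    """Order events by the article's priority and annotate each with its
    category and next step. Unranked or unknown names sort last, by ID."""
    rows = []
    for ev in events:
        prefix, detail = parse_signature(ev["signature"])
        prio = PREFIX_PRIORITY.get(prefix)
        rows.append({"priority": prio, "prefix": prefix, "detail": detail,
                     "sig_id": ev["sig_id"], "host": ev["host"],
                     "next_step": NEXT_STEP.get(prefix, "unrecognised name; look up by Signature ID")})
    return sorted(rows, key=lambda r: (r["priority"] is None, r["priority"] or 0, r["sig_id"]))

# Constructed sample events; the signature IDs and host names are made up.
SAMPLE_EVENTS = [
    {"sig_id": 10001, "host": "ws-17", "signature": "Web Attack: HTTP Malicious Javascript Heap Spray"},
    {"sig_id": 10002, "host": "ws-04", "signature": "System Infected: Tidserv Activity"},
    {"sig_id": 10003, "host": "ws-09", "signature": "FakeApp Attack: FakeAV Installer Download"},
    {"sig_id": 10004, "host": "srv-02", "signature": "OS Attack:  MS RPCSS (3)"},
    {"sig_id": 10005, "host": "ws-21", "signature": "Malicious Site:  Malicious Domain or IP Blocked"},
    {"sig_id": 10006, "host": "ws-11", "signature": "Attack:  Microsoft PowerPoint PPT4 RCE"},
    {"sig_id": 10007, "host": "ws-30", "signature": "HTTP Tidserv Request"},  # legacy, unprefixed
]
```

Because clients report by Signature ID rather than name, a real deployment would key the lookup on the ID and use the prefix only for the human-readable category.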
When did the change happen?
The naming format went into effect in March 2011.


Why were these changes made?

The previous naming convention was confusing and inconsistent.  The goal is to give IT managers and users a better understanding of what is occurring just by looking at the signature name.  IPS/Network Threat Protection is a very powerful technology, blocking tens of millions of variants of malware and social-engineering attacks that antivirus alone is unable to detect; this new naming convention will help IT managers better understand the true types of protection being delivered and how to use it to protect their environments.



Will it affect me?

The IPS Signature ID will stay the same; only the name is changing.  The client and server operations use only the Signature ID for reporting IPS events, so no action is required from a user perspective.  This change will affect all Symantec and Norton products that use IPS/Network Threat Protection, including Symantec Endpoint Protection and all Norton products.

Proposed Final IPS Signature Naming Conventions Examples:

Original IPS Signature Naming                        | Revised Final Proposed IPS Signature Naming
-----------------------------------------------------+--------------------------------------------
Post Infection:                                      |
  HTTP Tidserv Request                               | System Infected: Tidserv Activity
  HTTP Tidserv Download Request 2                    | System Infected: Tidserv Download 2 Activity
Fake AV:                                             |
  HTTP Fake AV Redirect Request                      | FakeApp Attack: Fake AV Redirect
  HTTP Fake AV Executable Download                   | FakeApp Attack: Fake AV Download
  HTTP FakeAV Installer Download Request             | FakeApp Attack: FakeAV Installer Download
  HTTP Fake Codec Request Generic                    | FakeApp Attack: Fake Codec Generic
Drive-by download and Malicious Web Attack Toolkits: |
  HTTP Neosploit Toolkit Activity 1                  | Web Attack: Neosploit Toolkit Attack
  HTTP Malicious Javascript Heap Spray BO            | Web Attack: HTTP Malicious Javascript Heap Spray
  HTTP Malicious Toolkit Variant Activity 16         | Web Attack: Malicious Toolkit (16)
  HTTP Phoenix ToolKit Java Applet Activity          | Web Attack: Phoenix ToolKit Java Applet
  HTTP Suspicious Executable Image Download          | Web Attack: Suspicious Executable Image Download
  HTTP Acrobat Suspicious Executable File Download   | Web Attack: Acrobat Executable File Download
Base OS Attack:                                      |
  MSRPC Server Service BO                            |
  MS RPCSS Attack (3)                                | OS Attack: MS RPCSS (3)
  MSRPC SrvSvc NetApi Buffer Overflow (2)            | OS Attack: MS RPCSS NetApi BO (2)
Malicious Domain Blocked:                            |
                                                     | Malicious Site: Malicious Domain or IP Blocked
  Other Malicious Sites or domains, IPs or websites  | Malicious Site: Signature Name
  that may serve up drive-by downloads or fakeAV     |
                                                     |
  MSIE Yahoo! Messenger GetFile Method File Upload   | Attack: Yahoo! Messenger GetFile Method File Upload
  HTTP Microsoft PowerPoint PPT4 RCE                 | Attack: Microsoft PowerPoint PPT4 RCE


A list of all IPS signatures can be found on the Security Response Attack Signatures site.
