Expected behavior of Browser Intrusion Prevention

Article:TECH172174  |  Created: 2011-10-19  |  Updated: 2013-08-19  |  Article URL http://www.symantec.com/docs/TECH172174
Article Type
Technical Solution


Issue



How does the Browser Intrusion Prevention System (IPS) feature of Symantec Endpoint Protection (SEP) 12.1 function?


Solution



Browser Intrusion Prevention System (Browser IPS) is a new advanced protection feature included with the SEP 12.1 client. This technology works in conjunction with, but is separate from, the Client Intrusion Detection System (CIDS) used by the client firewall-based IPS engine in SEP.

Browser IPS intercepts VBScript, JavaScript and ActiveX calls running in the browser as they are executed and inspects the parameters of these calls for attempts to exploit vulnerabilities. This allows the Browser IPS engine to detect exploit code that would otherwise be hidden or obfuscated from other detection methods, including the CIDS engine.

Browser IPS utilizes an extension for Internet Explorer or Firefox to provide this protection. For more information on supported browser versions, see Supported Browser versions for Browser Intrusion Prevention.

 

How to enable or disable Browser IPS

Browser IPS can be disabled or enabled through the client UI or through the client IPS policy on the Symantec Endpoint Protection Manager (SEPM).

From the local client:

  1. Open the SEP client interface
  2. Select the Change Settings tab
  3. Click the Configure Settings button in the Network Threat Protection section
  4. Select the Intrusion Prevention tab on the Network Threat Protection Settings window
  5. Select or deselect the Enable Browser Intrusion Prevention check box to enable/disable Browser IPS

On the SEPM:

  1. Log in to the SEPM Console
  2. Select the Policies tab
  3. Select Intrusion Prevention in the Policies pane
  4. Ensure the Intrusion Prevention Policies tab is selected
  5. Open or create an Intrusion Prevention policy for editing
  6. Select the Settings tab in the policy editor window
  7. Select or deselect the Enable Browser Intrusion Prevention check box to enable/disable Browser IPS
  8. Click the OK button to save the changes to the policy

Please note that disabling Browser Intrusion Prevention by policy in this manner does not actually disable the add-on within the browser. Instead, the add-on essentially enters a passthrough mode in which it should perform no filtering.


Browser IPS detection flow

The following is an example of how Browser IPS can help prevent browser-based threats that would have otherwise gone undetected:

  1. A user browses to a Web site hosting malicious scripts
    • The malicious code is obfuscated, requiring execution of the script before the code is readable
  2. The browser starts executing the JavaScript embedded on the page while rendering the web page
  3. All of the obfuscation code is executed, removing the obfuscation
  4. The Browser IPS engine intercepts the code before it can execute and determines that the code exploits a vulnerability
  5. The SEP client takes the following actions:
    1. blocks the attack
    2. displays a browser attack notification
    3. writes a log entry for the browser attack in the SEP Security log
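
The flow above, modelled as an added example (not Symantec's code or signatures): a scan of the page source misses a call whose name is assembled at run time, while a wrapper that inspects parameters at call time blocks and logs it. The `loadControl` sink, the length rule and the sample script are constructed assumptions.

```javascript
// Hypothetical rule: flag string arguments longer than 64 chars passed to "loadControl".
const RULE = { sink: "loadControl", maxArgLength: 64 };

// Constructed sample page script. The sink name is built from character codes,
// so it never appears literally in the source text.
const pageSource = `
  var n = String.fromCharCode(108,111,97,100,67,111,110,116,114,111,108);
  host[n](new Array(200).join("A"));
`;

// Static view: signature match against the source as delivered to the browser.
function staticScan(source) {
  return source.includes(RULE.sink);
}

// Runtime view: wrap every host function so parameters are inspected at call
// time, after the script has removed its own obfuscation.
function instrument(host, log) {
  return new Proxy(host, {
    get(target, name) {
      const original = target[name];
      if (typeof original !== "function") return original;
      return (...args) => {
        const bad = args.find(
          a => typeof a === "string" && a.length > RULE.maxArgLength);
        if (name === RULE.sink && bad !== undefined) {
          // Step 5 of the flow: block the call and write a log entry.
          log.push({ action: "blocked", call: name, argLength: bad.length });
          return undefined; // the real function never runs
        }
        return original.apply(target, args);
      };
    },
  });
}

// Run a script against an instrumented host and report what happened.
function runPage(source) {
  const log = [];
  const calls = [];
  const host = { loadControl: arg => calls.push(arg) };
  new Function("host", source)(instrument(host, log));
  return { log, reached: calls.length };
}
```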

 




