How to use Symantec Endpoint Protection Manager to add an exception for Intrusion Prevention Policy
Article: TECH97176 | Created: 2009-01-02 | Updated: 2014-01-20 | Article URL: http://www.symantec.com/docs/TECH97176
A group of Symantec Endpoint Protection (SEP) clients are detecting traffic that exploits a vulnerability against which they have already been patched, or that is known to be a False Positive (FP). You want to know how to add an exception in the Intrusion Prevention (IPS) Policy so that traffic matching this specific Signature ID is allowed.
The SEP clients receive pop-ups and log entries similar to:
Symantec Endpoint Protection
Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
The applied Intrusion Prevention Policy is blocking on a specific signature ID and denying traffic from the IP address associated with that detection.
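Before adding an exception, it helps to know how often a given source address is being blocked and over what period, so that a one-off hit is not mistaken for a recurring false positive. The following Python script is an added example, not part of the original article or a Symantec tool: it parses notices shaped like the pop-up text quoted above, groups them by source address, and lists the addresses that recur. The sample notices, their dates, and the date format (assumed here to be M/D/YYYY HH:MM:SS) are constructed for this example; adjust the regular expression and TIME_FMT to the format your clients actually log.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample notices in the shape quoted in the article:
# "Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]".
# Addresses, dates and times are made up for this example.
SAMPLE_NOTIFICATIONS = """\
Traffic from IP address 10.1.2.33 is blocked from 1/14/2014 09:02:11 to 1/14/2014 09:12:11
Traffic from IP address 10.1.2.33 is blocked from 1/14/2014 09:40:05 to 1/14/2014 09:50:05
Traffic from IP address 203.0.113.7 is blocked from 1/14/2014 11:15:42 to 1/14/2014 11:25:42
Traffic from IP address 10.1.2.33 is blocked from 1/15/2014 08:03:19 to 1/15/2014 08:13:19
Some unrelated log line that the parser must ignore
"""

# Assumed date/time layout for the [date][time] fields; change to match your logs.
TIME_FMT = "%m/%d/%Y %H:%M:%S"
NOTIFICATION_RE = re.compile(
    r"Traffic from IP address (?P<ip>\S+) is blocked from "
    r"(?P<start>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) to "
    r"(?P<end>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})"
)

# RFC 1918 ranges, used to mark whether the blocked source is an internal host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918)


def parse_notifications(text):
    """Return (ip, start, end) tuples for every line that matches the block notice."""
    events = []
    for line in text.splitlines():
        m = NOTIFICATION_RE.search(line)
        if not m:
            continue  # lines that are not block notices are skipped, not errors
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address: skip instead of crashing on a log anomaly
        start = datetime.strptime(m.group("start"), TIME_FMT)
        end = datetime.strptime(m.group("end"), TIME_FMT)
        events.append((ip, start, end))
    return events


def summarize_by_ip(events):
    """Group block events by source: count, first/last seen, total blocked seconds, internal flag."""
    by_ip = defaultdict(list)
    for ip, start, end in events:
        by_ip[ip].append((start, end))
    summary = {}
    for ip, windows in by_ip.items():
        summary[str(ip)] = {
            "count": len(windows),
            "first_seen": min(s for s, _ in windows),
            "last_seen": max(e for _, e in windows),
            "blocked_seconds": sum((e - s).total_seconds() for s, e in windows),
            "internal": is_rfc1918(ip),
        }
    return summary


def repeat_offenders(summary, min_count=2):
    """Addresses blocked at least min_count times, most frequent first: the ones worth a packet capture."""
    return sorted(
        (ip for ip, info in summary.items() if info["count"] >= min_count),
        key=lambda ip: (-summary[ip]["count"], ip),
    )


if __name__ == "__main__":
    summary = summarize_by_ip(parse_notifications(SAMPLE_NOTIFICATIONS))
    for ip, info in summary.items():
        origin = "internal" if info["internal"] else "external"
        print(f"{ip:15} {origin:8} blocked {info['count']}x, "
              f"{info['first_seen']} .. {info['last_seen']}, {info['blocked_seconds']:.0f}s total")
    print("repeat offenders:", repeat_offenders(summary))
```

The list returned by `repeat_offenders` is a good starting point for the packet captures the article recommends submitting to Security Response: an internal, already-patched host that keeps being blocked on the same signature is the typical false-positive case, whereas a single block from an external address usually deserves no exception at all.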
To create an exception in the Intrusion Prevention Policy that allows a specific signature ID:
- Open the Symantec Endpoint Protection Manager (SEPM) console.
- Select the 'Policies' icon on the left.
- Under 'View Policies', select 'Intrusion Prevention'.
- Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
- Select the 'Exceptions' tab.
- Click the 'Add...' button.
- Search for and select the desired signature ID.
- Click the 'Next>>' button.
- Change 'Action' from 'Block' to 'Allow', then click the 'OK' button.
- Check that the edited exception now appears in the 'Intrusion Prevention Exceptions' list.
- Click the 'OK' button to save the changes to the Intrusion Prevention policy.
- Ensure this policy is applied to the SEP client group that is affected.
Use the above procedure, and any other exclusions, with great caution. In the case of a suspected False Positive, the best approach is to submit network captures (.pcap files) of the traffic that is triggering the detection to Security Response. For more information, please see the "What if I want to submit a file that I believe is being falsely detected?" section of How to Use the Web Submission Process to Submit Suspicious Files.