How to use Symantec Endpoint Protection Manager to add an exception for Intrusion Prevention Policy
Article: TECH97176 | Created: 2009-01-02 | Updated: 2013-09-03 | Article URL: http://www.symantec.com/docs/TECH97176
A group of Symantec Endpoint Protection (SEP) clients is detecting traffic that exploits a vulnerability against which they have already been patched, or traffic that is known to be a false positive. You want to know how to add an exception to the Intrusion Prevention (IPS) Policy that allows the traffic despite this specific Signature ID.
The SEP clients receive pop-ups and log entries similar to:
Symantec Endpoint Protection
Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
The applied Intrusion Prevention Policy is blocking a specific ID and denying traffic from the specific IP address associated with it.
To create an exception for Intrusion Prevention Policy to allow a specific ID:
- Open the Symantec Endpoint Protection Manager (SEPM) console.
- Select the 'Policies' icon on the left.
- Under 'View Policies', select 'Intrusion Prevention'.
- Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
- Select the 'Exceptions' tab.
- Click the 'Add...' button.
- Search for and select the desired ID.
- Click the 'Next>>' button.
- Change 'Action' from 'Block' to 'Allow'. Click the 'OK' button.
- Check that the exception has been added to the 'Intrusion Prevention Exceptions' list.
- Click the 'OK' button to save the changes in the Intrusion Prevention policy.
- Ensure this policy is applied to the affected SEP client group.
Use the above procedure, and any other exclusions, with great caution.