How to use Symantec Endpoint Protection Manager to add an Intrusion Prevention exception

Article:TECH97176  |  Created: 2009-01-02  |  Updated: 2014-04-29  |  Article URL http://www.symantec.com/docs/TECH97176
Article Type
Technical Solution


Issue



A group of Symantec Endpoint Protection (SEP) clients is detecting traffic that is known to be a False Positive (FP). You want to know how to add an exception to the Intrusion Prevention (IPS) Policy so that traffic matching this specific Signature ID is allowed.


Error



The SEP clients receive pop-ups and log entries similar to:

Symantec Endpoint Protection

Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
[SID: #####]


Cause



The applied Intrusion Prevention Policy is blocking a specific ID and denying traffic from the specific IP address associated with it.


Solution



To create an exception in the Intrusion Prevention Policy that allows a specific Signature ID:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM) console.
  2. Click Policies>Intrusion Prevention.
  3. Select the Intrusion Prevention policy you wish to update and click Edit the policy.
  4. Click Exceptions>Add and select the desired ID(s) from the exceptions list.
  5. Click Next>> and change the action from Block to Allow and click OK to save your changes.
  6. Confirm the exception is present in the Intrusion Prevention Exceptions list and click OK to save the policy.
  7. Ensure this policy is applied to the SEP client group which is affected.


Use the above procedure, and any other exclusions, with great caution. In the case of a suspected False Positive, the best approach is to submit network captures (.pcap files) of the traffic that is triggering the detection to Security Response. For more information, please see the "What if I want to submit a file that I believe is being falsely detected?" section of How to Use the Web Submission Process to Submit Suspicious Files.
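Before adding an exception, it helps to confirm from the client messages which Signature IDs are firing and from which source addresses. The following Python is an added example, not Symantec's code: it parses notifications in the format quoted in the Error section (the sample lines, addresses, SIDs and the trusted-network list are constructed assumptions) and separates SIDs whose sources all lie in networks you trust (exception candidates) from SIDs with any untrusted source, which should be investigated and submitted as a pcap rather than allowed.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample client notifications in the format quoted above
# (made-up addresses and signature IDs, not real detections).
SAMPLE_EVENTS = [
    "Traffic from IP address 10.0.0.5 is blocked from 2014-04-29 09:00:01 to 2014-04-29 09:10:01 [SID: 23179]",
    "Traffic from IP address 10.0.0.6 is blocked from 2014-04-29 09:13:00 to 2014-04-29 09:23:00 [SID: 23179]",
    "Traffic from IP address 203.0.113.7 is blocked from 2014-04-29 09:14:00 to 2014-04-29 09:24:00 [SID: 30061]",
    "Traffic from IP address 10.0.0.9 is blocked from 2014-04-29 09:15:00 to 2014-04-29 09:25:00 [SID: 30061]",
    "Unrelated log line that should be ignored",
]

# Source IP, block window and signature ID, as laid out in the pop-up text.
EVENT_RE = re.compile(
    r"Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked "
    r"from (?P<start>.+?) to (?P<end>.+?) \[SID: (?P<sid>\d+)\]"
)

def parse_event(line):
    """Return ip/sid/start/end for an IPS block message, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "sid": int(m.group("sid")),
            "start": m.group("start"), "end": m.group("end")}

def summarize_by_sid(lines):
    """Per signature ID: hit count and the distinct source IPs that triggered it."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        summary[ev["sid"]]["count"] += 1
        summary[ev["sid"]]["sources"].add(ev["ip"])
    return {sid: {"count": v["count"], "sources": sorted(v["sources"])}
            for sid, v in summary.items()}

def triage_sids(lines, trusted_networks):
    """Split SIDs into Allow-exception candidates (every source IP inside a network the
    operator trusts) and SIDs to investigate instead (any untrusted source: capture and
    submit the pcap, since an exception would silence that traffic as well)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    candidates, review = [], []
    for sid, info in sorted(summarize_by_sid(lines).items()):
        trusted = all(any(ipaddress.ip_address(ip) in n for n in nets)
                      for ip in info["sources"])
        (candidates if trusted else review).append(sid)
    return candidates, review
```

Run `triage_sids(SAMPLE_EVENTS, ["10.0.0.0/8"])` to see SID 23179 returned as the only candidate, while SID 30061 is flagged for review because one of its sources is outside the trusted range.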




Legacy ID



2009110213020648

