Content:
- Descriptive steps
- Troubleshooting IIS
- Related articles
Descriptive steps
The Microsoft IIS policies detect attacks on Microsoft IIS Web servers using a specially designed ISAPI filter. This filter collects data from incoming HTTP traffic to the Web server and writes it to <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log.
You must install this filter on a Web server that is being monitored by a Symantec Critical System Protection agent.
This filter must be installed to enable detection in the following IIS log monitoring policies:
- Malware (to enable the WebDAV, CodeRed, and Nimda rules)
- MS_IIS_Vulnerable_CGI_Scripts
- SANS (to enable the text log rules)
Installing the ISAPI filter
The ISAPI filter is the file SymIDSFilter.dll, located by default in the C:\Program Files\Symantec\Critical System Protection\Agent\IDS\bin directory. After you install the SymIDS ISAPI filter, you must restart the IIS service.
Note: If a different directory was specified during agent installation, use that location instead (<installdir>\IDS\bin).
Warning: After an agent upgrade, if you loaded the SymIDSFilter.dll file from a location other than the installation directory (<installdir>\IDS\bin), you must manually replace the SymIDSFilter.dll file with a new copy, and restart IIS.
The <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log file is truncated to zero size when it grows larger than 10 MB.
The directory that contains the ISAPI filter should be accessible only to administrators or members of the Administrators group on the local computer.
To install the SymIDS ISAPI filter
a. Click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
b. In the Internet Information Services (IIS) Manager window, open the ISAPI Filters feature.
c. Click Add in the Actions pane, enter a filter name and the executable path, and click OK.
d. The filter has now been added.
e. It might be required to change the identity of the default application pool to LocalSystem.
f. Finally, restart IIS.
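The same procedure scripted, as an added example that is not Symantec's own code: it checks that only administrators can access the filter directory, registers the filter, reports the default application pool identity and restarts IIS. It assumes the default installation path, registration at server level, and a filter name of SymIDSFilter, which is an arbitrary label.

```powershell
# Added example: run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

# Default location from this article; adjust if <installdir> differs.
$binDir     = 'C:\Program Files\Symantec\Critical System Protection\Agent\IDS\bin'
$filterPath = Join-Path $binDir 'SymIDSFilter.dll'
$filterName = 'SymIDSFilter'   # assumed name; any label works

if (-not (Test-Path $filterPath)) { throw "Filter DLL not found: $filterPath" }

# 1. The directory should be accessible only to administrators. Compare by SID so
#    the check works on localized systems. Tolerating LocalSystem is an assumption.
$allowedSids = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, LocalSystem
$sidType     = [System.Security.Principal.SecurityIdentifier]
$unexpected  = (Get-Acl $binDir).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $allowedSids -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    throw "Non-administrator principals can access $binDir; tighten the ACL first."
}

# 2. Steps b-d: register the filter at server level (assumed scope) unless present.
$apphost = 'MACHINE/WEBROOT/APPHOST'
$section = 'system.webServer/isapiFilters'
if (-not (Get-WebConfiguration -PSPath $apphost -Filter "$section/filter[@name='$filterName']")) {
    Add-WebConfigurationProperty -PSPath $apphost -Filter $section -Name '.' `
        -Value @{ name = $filterName; path = $filterPath }
}

# 3. Step e: this script only reports the pool identity and does not change it.
$identity = (Get-Item 'IIS:\AppPools\DefaultAppPool').processModel.identityType
Write-Host "DefaultAppPool identity: $identity"

# 4. Step f: restart IIS so the filter is loaded.
& iisreset.exe /restart
```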
Troubleshooting IIS
Useful links:
Related articles
How to install SCSP with Microsoft SQL Server 2008 R2 Express Edition
SCSP - Error "Database population FAILED"
How to install SCSP agent on Windows, UNIX and Solaris
How to use the SCSP Agent Configuration Tool
How to upgrade SCSP to a newer release
How to import, create and update default policies in SCSP
Configuring Virtual Agents in SCSP 5.2 RU8
How to install the SCSP SymIDS ISAPI filter on Windows Server 2008 R2
Symantec Critical System Protection 5.2 RU9 Docs