
How to install the SCSP SymIDS ISAPI filter on Windows Server 2008 R2

Created: 07 Aug 2012 • Updated: 06 Oct 2013

Content:

  • Descriptive steps
  • Troubleshooting IIS
  • Related articles

Descriptive steps

The Microsoft IIS policies detect attacks on Microsoft IIS Web servers using a specially designed ISAPI filter. This filter collects data from incoming HTTP traffic to the Web server and writes it to <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log.
You must install this filter on a Web server that is being monitored by a Symantec Critical System Protection agent.
This filter must be installed to enable detection in the following IIS log monitoring policies:

  • Malware (to enable the WebDAV, CodeRed, and Nimda rules)
  • MS_IIS_Vulnerable_CGI_Scripts
  • SANS (to enable the text log rules)

Installing the ISAPI filter

The ISAPI filter is a file that is named SymIDSFilter.dll, and by default is located in the C:\Program Files\Symantec\Critical System Protection\Agent\IDS\bin directory. After you install the SymIDS ISAPI filter, you must restart the IIS service.

Note: If a different directory location was specified during agent installation, please refer to that directory location (<installdir>\IDS\bin).
Warning: After an agent upgrade, if you loaded the SymIDSFilter.dll file from a location other than the installation directory (<installdir>\IDS\bin), you must manually replace the SymIDSFilter.dll file with a new copy, and restart IIS.

The <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log file is truncated to zero size when it grows larger than 10MB.
The directory that contains the ISAPI filter should be accessible only to administrators or members of the Administrators group on the local computer.

To install the SymIDS ISAPI filter

a. Click Start > Programs > Administrator Tools > Internet Information Services (IIS) Manager.

b. In the Internet Information Services (IIS) Manager window, open the ISAPI Filters feature.

c. Click Add from the Actions pane, enter a filter name as well as the executable path and click OK.

d. The filter has now been added.

e. It might be required to change the identity of the default application pool to LocalSystem.

f. Finally, restart IIS.
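A post-install check for the steps above, added here as an example and not part of the original article or of Symantec's tooling. It assumes the default agent path, a filter added at server level, the IIS default pool name DefaultAppPool, and English account names; it only reads configuration and changes nothing.

```powershell
# Added verification example (not from the article). Run elevated on the IIS server.
Import-Module WebAdministration

# Default agent path from the article; change it if another <installdir> was chosen.
$InstallDir = 'C:\Program Files\Symantec\Critical System Protection\Agent'
$FilterDir  = Join-Path $InstallDir 'IDS\bin'
$FilterDll  = Join-Path $FilterDir  'SymIDSFilter.dll'
$FilterLog  = Join-Path $InstallDir 'IDS\SymIDSFilterLog\SymIDSFilter.log'

# 1. The DLL must exist where IIS is told to load it from.
if (-not (Test-Path $FilterDll)) { Write-Warning "Filter DLL not found: $FilterDll" }

# 2. Assumption: the filter was added at server level, so query the server-wide list.
$hits = @(Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/isapiFilters/filter' |
          Where-Object { $_.path -like '*SymIDSFilter.dll' })
if ($hits.Count -eq 0) { Write-Warning 'No ISAPI filter entry points at SymIDSFilter.dll' }
foreach ($f in $hits) {
    "Registered filter '{0}' -> {1}" -f $f.name, $f.path
    # A copy loaded from elsewhere is not refreshed by an agent upgrade (see the Warning).
    if ($f.path -ne $FilterDll) { Write-Warning "Loaded from outside $FilterDir" }
}

# 3. Flag Allow entries on the filter directory for anyone but administrators.
#    Assumption: SYSTEM is also acceptable; edit the list to match local policy.
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
(Get-Acl -Path $FilterDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $allowed -notcontains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning ("Extra access on {0}: {1} ({2})" -f
                     $FilterDir, $_.IdentityReference, $_.FileSystemRights) }

# 4. Report the identity of the default application pool (step e).
$pool = Get-Item 'IIS:\AppPools\DefaultAppPool'
"DefaultAppPool identity: {0}" -f $pool.processModel.identityType

# 5. After the IIS restart, the filter log should exist.
if (Test-Path $FilterLog) {
    "Log size: {0:N0} bytes (truncated to zero above 10MB)" -f (Get-Item $FilterLog).Length
} else {
    Write-Warning "No log at $FilterLog yet"
}
```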

Troubleshooting IIS

Useful links:

Related articles

How to install SCSP with Microsoft SQL Server 2008 R2 Express Edition

SCSP - Error "Database population FAILED"

How to install SCSP agent on Windows, UNIX and Solaris

How to use the SCSP Agent Configuration Tool

How to upgrade SCSP to a newer release

How to import, create and update default policies in SCSP

Configuring Virtual Agents in SCSP 5.2 RU8

How to install the SCSP SymIDS ISAPI filter on Windows Server 2008 R2

Symantec Critical System Protection 5.2 RU9 Docs