The Microsoft IIS policies detect attacks on Microsoft IIS Web servers using a specially designed ISAPI filter. This filter collects data from incoming HTTP traffic to the Web server and writes it to <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log.
You must install this filter on a Web server that is being monitored by a Symantec Critical System Protection agent.
This filter must be installed to enable detection in the following IIS log monitoring policies:
- Malware (to enable the WebDAV, CodeRed, and Nimda rules)
- SANS (to enable the text log rules)
Installing the ISAPI filter
The ISAPI filter is a file that is named SymIDSFilter.dll, and by default is located in the C:\Program Files\Symantec\Critical System Protection\Agent\IDS\bin directory. After you install the SymIDS ISAPI filter, you must restart the IIS service.
Note: If a different directory location was specified during agent installation, please refer to that directory location (<installdir>\IDS\bin).
Warning: After an agent upgrade, if you loaded the SymIDSFilter.dll file from a location other than the installation directory (<installdir>\IDS\bin), you must manually replace the SymIDSFilter.dll file with a new copy, and restart IIS.
The <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log file is truncated to zero size when it grows larger than 10 MB.
The directory that contains the ISAPI filter should be accessible only to administrators or members of the Administrators group on the local computer.
To install the SymIDS ISAPI filter
a. Click Start > Programs > Administrator Tools > Internet Information Services (IIS) Manager.
b. In the Internet Information Services (IIS) Manager window, open the ISAPI Filters feature.
c. In the Actions pane, click Add, enter a filter name and the executable path (the location of SymIDSFilter.dll), and then click OK.
d. The filter has now been added.
e. You might need to change the identity of the default application pool to LocalSystem.
f. Finally, restart IIS.
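The upgrade warning and the directory-permission requirement above can be checked after installation with a short script. The following PowerShell is an added example, not part of the original article or of the Symantec product; it assumes the WebAdministration module is available, that the filter was added at server level, and that SYSTEM is acceptable alongside the Administrators group.

```powershell
# Added example, not vendor code. Run elevated on the monitored IIS server.
param(
    # Assumption: default agent location from this article; pass another <installdir> if needed.
    [string]$InstallDir = 'C:\Program Files\Symantec\Critical System Protection\Agent'
)
Import-Module WebAdministration -ErrorAction Stop

$binDir   = Join-Path $InstallDir 'IDS\bin'
$expected = Join-Path $binDir 'SymIDSFilter.dll'
$problems = @()

if (-not (Test-Path -LiteralPath $expected)) {
    $problems += "Agent copy not found: $expected"
}

# 1. Which SymIDSFilter.dll does IIS load? Only the server-level filter list is inspected.
$xpath   = 'system.webServer/isapiFilters/filter'
$filters = @(Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $xpath |
    Where-Object { $_.path -like '*SymIDSFilter.dll' })
if ($filters.Count -eq 0) {
    $problems += 'No server-level ISAPI filter entry for SymIDSFilter.dll'
}
foreach ($f in $filters) {
    $loaded = [Environment]::ExpandEnvironmentVariables($f.path)
    if ($loaded -eq $expected) { continue }
    # Upgrade warning case: a copy outside <installdir>\IDS\bin must be replaced by hand.
    if (-not (Test-Path -LiteralPath $loaded)) {
        $problems += "Filter '$($f.name)' points to a missing file: $loaded"
    } elseif ((Test-Path -LiteralPath $expected) -and
              (Get-FileHash -LiteralPath $loaded).Hash -ne (Get-FileHash -LiteralPath $expected).Hash) {
        $problems += "Filter '$($f.name)' loads $loaded, which differs from the agent's copy"
    }
}

# 2. Who can access the filter directory? Compare by SID so the check is locale independent.
# Assumption: SYSTEM (S-1-5-18) is tolerated next to Administrators (S-1-5-32-544).
$allowedSids = 'S-1-5-32-544', 'S-1-5-18'
if (Test-Path -LiteralPath $binDir) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -LiteralPath $binDir).GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference.Value -notin $allowedSids) {
            $problems += "$binDir grants $($rule.FileSystemRights) to $($rule.IdentityReference.Value)"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else {
    Write-Output 'SymIDSFilter.dll path, hash and directory ACL checks passed.'
}
```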