IPS is installed and active on SEP SBE clients, but client PCs are still vulnerable to attacks
SEP SBE 12 RU1 clients are deployed in Console-managed mode with all components included. After deployment, all components are active and on, and definitions are applied correctly.
However, when a ping of death attack is launched from another computer (e.g. ping -l 65500 <Target IP Address>), IPS does not appear to react: it neither blocks the attacker nor logs the event.
The following activities have been done to troubleshoot the issue:
- SPC management console policies for IPS were double-checked to confirm that IPS is on and active.
- Policy was pushed from the Console and received correctly by all SEP clients.
- Policy serial number was cross-checked for consistency.
- The sc queryex command shows all five Symantec services running on the client PC.
- The serdef.dat file shows that the IPS module is on and active.
Nevertheless, the vulnerability persists on all client PCs: IPS on the local machine does not react while a remote ping of death attack is sent from outside.
SEP SBE 12.0.1 RU1
Problem encountered on Windows 7 client machines.
Cause: corruption of the serdef.dat file, which holds the policies deployed from the SPC management console.
1. Stopping the SEP client service with the command: Start | Run > smc -stop
2. Deleting the serdef.dat and sylink.xml files from %programfiles%\Symantec\Symantec Endpoint Protection
3. Pasting the original serdef.dat and sylink.xml from the unmanaged client installation package (available on the installation CD in \SEP\Data1.cab) into the same folder
4. Restarting the SEP service with the command: Start | Run > smc -start
5. Exporting sylink.xml from the SPC management console and importing it through the "Import communication settings" button in the SEP client interface under Help | Troubleshooting
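The following PowerShell script is an added example, not part of the original article or a Symantec tool: it automates steps 1 to 4 on one Windows client and keeps hashed copies of the suspect files so the corrupted serdef.dat can be compared against a known-good copy afterwards instead of simply being discarded. It assumes smc.exe lives in the SEP install directory, that the pristine serdef.dat and sylink.xml have already been extracted from \SEP\Data1.cab into a folder of your choice, and PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the original article): automates steps 1-4 above.
# Assumptions: smc.exe is in $SepDir; the originals from \SEP\Data1.cab were
# extracted to $CleanDir beforehand; run from an elevated PowerShell prompt.
param(
    [string]$SepDir    = "$env:ProgramFiles\Symantec\Symantec Endpoint Protection",
    [string]$CleanDir  = "D:\SEP\clean",               # assumed location of extracted originals
    [string]$BackupDir = "$env:SystemDrive\SEP-backup"  # assumed location for the suspect copies
)
$files = @('serdef.dat', 'sylink.xml')

# Step 1: stop the SEP client service (same command as in the article).
& (Join-Path $SepDir 'smc.exe') -stop
Start-Sleep -Seconds 10   # allow the service to release the policy files

# Step 2: move the suspect files aside rather than deleting them, recording a
# SHA-256 of each so the corruption can be compared with a known-good copy later.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($f in $files) {
    $src = Join-Path $SepDir $f
    if (Test-Path $src) {
        $hash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
        "$f  $hash" | Add-Content -Path (Join-Path $BackupDir 'hashes.txt')
        Move-Item -Path $src -Destination (Join-Path $BackupDir $f) -Force
    }
}

# Step 3: put the originals from the unmanaged installation package in place.
foreach ($f in $files) {
    Copy-Item -Path (Join-Path $CleanDir $f) -Destination (Join-Path $SepDir $f) -Force
}

# Step 4: restart the SEP client service.
& (Join-Path $SepDir 'smc.exe') -start
Start-Sleep -Seconds 10

# Quick check, equivalent to the "sc queryex" step in the troubleshooting list:
# list the Symantec services and their state so a client that failed to come
# back is visible immediately.
Get-Service | Where-Object { $_.DisplayName -like 'Symantec*' } |
    Select-Object DisplayName, Status | Format-Table -AutoSize

# Step 5 (exporting sylink.xml from the SPC console and importing it through
# Help | Troubleshooting on the client) is a GUI step and is not scripted here.
```

After the script finishes, complete step 5 manually and confirm the policy serial number on the client matches the console before considering the client repaired.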