SEP SBE 12 RU1 clients are deployed in Console-managed mode with all components included. After deployment, all of components are active and on; definitions are implemented correctly.
However, when launching ping of death attack from another computer (i.e. ping -l 65500 <Target IP Address>), IPS does not seem to react by blocking an attacker nor by logging such an event.
The following activities have been done to troubleshoot the issue:
- SPC management console policies for IPS are doublechecked if IPS is on and active.
- Policy was pushed from the Console and received correctly by all SEP clients.
- Policy serial number has been counterchecked for consistency.
- sc queryex command shows all five Symantec services on and active on the client PC.
- serdef.dat file shows that IPS module is on and active.
Nevertheless, the vulnerability seems to persist on all client PCs.