Endpoint Protection

  • 1.  Browser Intrusion Prevention is malfunctioning

    Posted Dec 18, 2014 09:39 PM

    Looking for clarification on the new CIDS v14.1 and the SEP IPS plug-in.

    Windows 7 64-bit Professional, Internet Explorer 9, SEP 12.1.4

    Symptom:   We noticed that the Browser IPS plug-in is disabled on clients.

    Action:   Followed steps in TECH164924 http://www.symantec.com/docs/TECH164924 to create a GPO to prevent disabling of the IPS plug-in.

    We recently started getting a message in the - System Log - Client Management Logs -
    "Browser Intrusion Prevention is malfunctioning.  Browser type: Internet Explorer.Try to update the signatures Browser path:  C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    Referring to http://www.symantec.com/business/support/index?page=content&id=TECH224237, it appears that the new CIDS - v14.1 - removes the necessity for the IPS BHO and the BHO will be automatically disabled on the SEP client.   Evidently the CIDS v14.1 was pushed out sometime in early December, 2014.   The BHO is still present, but disabled.  According to TECH224237, the CIDS v14.1 "improves Symantec Endpoint Protection's protection capabilities" with no loss of functionality.  TECH224237 also recommends removing the GPO policy that keeps the IPS BHO enabled.

    So, are we correct in our assessment?   (1) We just need to remove the GPO that prevents disabling of the IPS plug-in to get rid of the "Browser Intrusion Prevention is malfunctioning." message.  (2) With the CIDS v14.1 engine it is normal for the IPS BHO to be disabled.  (3) And, the "Browser Intrusion Prevention is malfunctioning." message we see in the logs is just cosmetic - nothing is really broken.

    We have verified that we have the CIDS 14.1 engine.

    TECH224237 is a little confusing as it states that "It is normal for Internet Explorer users to no longer see the BHO and similarly, Firefox users will not see the add-on installed in their browsers.  Note: All versions of IE BHO will be disabled and all Firefox plugins removed."  We can still "see" the BHO in IE9's manage add-ons, but the IPS BHO is disabled.

    Please respond to our items (1) through (3) above. We don't need any problem determination advice at this point, only feedback that we've correctly assessed the cause of the error message ("Browser IPS is malfunctioning") due to the GPO and that it's normal for the IPS BHO to be disabled due to the new CIDS engine (v14.1).

    Thanks,

    Wally

     



  • 2.  RE: Browser Intrusion Prevention is malfunctioning
    Best Answer

    Posted Dec 18, 2014 09:42 PM

    1. Correct, GPO needs to be removed.

    2. Correct, it is normal for the BHO to be disabled. It is no longer needed.

    3. Also correct, should go away once the GPO is removed and BHO removed. Purely cosmetic though in terms of functionality.

    Overall, if you remove the BHO, that message will go away.



  • 3.  RE: Browser Intrusion Prevention is malfunctioning

    Posted Dec 18, 2014 09:43 PM

    Addendum -

    We removed the GPO on a test machine and the "Browser Intrusion Prevention is malfunctioning.  Browser type: Internet Explorer.Try to update the signatures Browser path:  C:\Program Files (x86)\Internet Explorer\iexplore.exe" warning in the logs went away.  The Browser IPS plug-in still appears in "manage plug-ins" but is disabled.

    Still looking for clarification that this is normal with the CIDS v14.1.

    Wally



  • 4.  RE: Browser Intrusion Prevention is malfunctioning

    Posted Dec 18, 2014 09:56 PM

    Thanks Brian for your clear and concise response to our questions.  The BHO is now disabled, no error messages.   Once the GPO is removed, it appears that the SEP client automatically disables the IPS BHO even if a user enables it.

    I've marked your answer as the solution.

    Regards,

    Wally