Custom IPS signature website blocking

Created: 26 May 2010 • Updated: 28 Jun 2010 | 7 comments
This issue has been solved. See solution.

I am implementing the blocking of a site using custom IPS, but the link below is not working for me.

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/9c561a4628b3c9a44925747f007b19cd?OpenDocument

I read through the forum and have done the following suggestions already:

- there should be a space after the comma
- there should be an existing main IPS policy in place

Any ideas?
 


Thomas K


How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy

http://service1.symantec.com/support/ent-security....

About custom IPS signatures

http://seer.entsupport.symantec.com/docs/331103.htm

Ooyala - Check us out!

Koosah

You can export your policy and upload it to see if there is something we can see that is a problem.

Symantec Technical Specialist

Please don't forget to mark which thread solved your issue!

AchillesX

Here you go, please see screenshot. I have also attached a zip file which is the exported policy I am testing.

Let me know if there is anything else I need to provide.

Attachment: Block Site.zip (1.61 KB)

AchillesX

I finally got this working with this syntax:

rule tcp, dest=(8080), msg="GOOGLE BLOCKED", content=www.google.com.ph 

dest=(80) does not block the site for me. Can someone explain why the alt-http port works but not http?

Why does dest=(443) not work as well when accessing Facebook?

Koosah

I have tested this policy on my machine and it works just fine and blocks all that is entered. Sounds like there might be database corruption. I would make a new group and assign the policy to the group, then move the client to that new group. Also make sure you are not doing this while connected to the server in an RDP session unless you are using mstsc -v:servername /admin, and verify your user has ID 0 in the Task Manager Users tab.


SOLUTION
AchillesX

Thanks iofractal. I'm good on this. It's the RDP console that made it work now. =)

We can close this thread.

Koosah

Good, I am glad I could assist you!

Remember to mark the solution!! 

Thanks!
