Endpoint Protection

  • 1.  Gumblar False Positive

    Posted Aug 04, 2010 10:36 AM

    We have a user that hits a particular website all the time for his business function. Every time the user goes there Endpoint logs a Gumblar threat. Our Network team has monitored the site and has gotten a packet capture of the data during the visit to the site. Is there a way to create an exception for this site/user so we don't continue to get the alerts? It is used on a daily basis so we are constantly getting them.


  • 2.  RE: Gumblar False Positive

    Posted Aug 04, 2010 10:44 AM
    You can create an Exception in your IPS policy for Gumblar activity.


  • 3.  RE: Gumblar False Positive

    Posted Aug 04, 2010 10:44 AM
    Check this:


    How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008070803545448


  • 4.  RE: Gumblar False Positive

    Posted Aug 04, 2010 10:45 AM
    Hi,

    Exceptions can be added in a policy.

    A policy is always applied to a group.

    So, if there is more than one user facing this issue, you can add them to a group and then apply the policy with the exception for Gumblar.

    Regards,
    aniket


  • 5.  RE: Gumblar False Positive

    Posted Aug 04, 2010 11:36 AM
    Thank you for the responses. I have a few questions on both approaches given. One, if I create an exception for the Gumblar activity, won't that then open the clients up to real threats? Two, blocking the site isn't what I need to do. The user does need access to the site. Would specifically allowing the site get rid of the alerts?

    I also noticed you could use the Excluded Hosts button inside the IP policy. Could I get the IP of the website and then place that in the exclusions list?