Endpoint Protection


How Do I Create an Exception for Scanning the Network?

  • 1.  How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 09:15 AM

    I am currently running into an issue where I would like to scan the network from one server, but when I try to scan a test machine the SEP Client is blocking the scan from occurring.  I receive the alert "The client will block traffic from IP address 10.10.10.10 for the next 600 seconds".

    Reviewing the logs in the SEPM I see this event under the Network Threat Protection as an "Active Response".  Followed by several Intrusion Prevention alerts blocking specific Signature Names.

    I tried going into the Intrusion Prevention policy and adding the Scanning Server into the Excluded Hosts list but that did not seem to work. 

    Is there any way to exclude the Scanning Server source and continue to protect the environment from scans from other sources?

     

    Thanks,

    Mike



  • 2.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 09:16 AM

    You need to setup as an excluded host

    IPS policy >> Settings >> Excluded Hosts

    Did you check that the policies match?



  • 3.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 09:17 AM

    Did you check if the client picked up the new policy? Ideally, if you excluded the server, it should be allowed.



  • 4.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 09:35 AM

    Yes, this is what I was referring to in the description of the problem.  I went into the IPS Policy and added the scanning server as an Excluded Host. 

    Then, I did make sure that I waited until the Policy was showing updated in the SEPM for the group of machines receiving the scan and I verified on the test machine that was receiving the scan that it had received the latest policy update.

    So at the moment it sounds like I was in the right spot, but for some reason it's not working.  Any other ideas? 



  • 5.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 09:36 AM

    Yes, I verified that the test machine did receive the latest policy after updating the IPS policy to exclude the scanning server.



  • 6.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 09:37 AM

    Try creating a new firewall rule to allow all traffic to/from that host only.



  • 7.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 10:33 AM

    Does it work if you exclude the SID from IPS?



  • 8.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 10:35 AM

    I will go ahead and try that and let you know the results.

     

    Thanks.



  • 9.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 10:40 AM

    Is there a particular IPS SID that is firing? You can exclude individual sigs as well if needed.

    https://www-secure.symantec.com/connect/articles/how-exclude-individual-ips-signatures-ips-policy

    What I know about this feature "Active Response" is that there is no way to create an exception to not block for "x" amount of time.

    If you don't want it to block for "x" amount of time, you can just uncheck this option. The attack will still be blocked, it just won't be timed.

    It's a way to stop DDoS, brute forcing, etc.



  • 10.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 01:38 PM

    So I tried excluding the particular IPS SIDs also, but that didn't seem to work either.  The bigger issue still remained with the 'Active Response' blocking the scan.

    I am still waiting on testing after the most recent change in regards to allowing the Scanning Server via the Firewall policy.  I will let you know the results on this.



  • 11.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 01:39 PM

    It does not appear that creating an allow for the specific rules that are being alerted on is working.  I still see those events and the 'Active Response' event in the logs.



  • 12.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 19, 2014 01:44 PM

    Do keep me informed. This would be interesting to see: this particular setting is part of the firewall policy, so the firewall rule to allow should work. However, there is no way to add exceptions for this particular setting.



  • 13.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 21, 2014 01:04 PM

    So, still no luck...

    I tried putting a rule in the firewall policy at the very top which allows any from the Source IP of the Scanner Server and it did not help. 

    At this point I think I'll have to raise a ticket with Symantec support and see if they have any suggestions.

    I'll keep you guys posted on what they find.



  • 14.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 21, 2014 01:13 PM

    Still the same rule which is blocking, from the SEP client logs?



  • 15.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Feb 21, 2014 01:14 PM

    Yup, support will get you sorted. Curious to see the outcome of this...



  • 16.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Mar 07, 2014 11:23 AM

    So I've found out further information on this, although I still haven't identified the exact cause.  But at the moment it appears the problem is due to a GPO in our environment.  I have been able to take the same machine and move it from one Test OU, and it honors the exclusions without issue; then I move it to the other OU and experience the problem.  If I move the machine back to the Test OU it works fine again. 

    I'm planning on doing trial and error until I locate the one causing the issue, but we've got quite a few GPOs so it will take a while. 



  • 17.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Mar 07, 2014 11:35 AM

    That option to block a remote host for 600 secs is managed by the FW policy in SEP 12.1:

    http://www.symantec.com/docs/HOWTO80881

    #EDIT#

    Contrary to the article, I found the option in the "Protection and Stealth" section of the FW policy.  Try disabling the "Automatically Block an attacker's IP address" option and give it another whirl.
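The interaction the thread circles around (post 9: Active Response is a timed block of the whole source IP that fires off a signature match; post 12: there is no exception list for that timer; post 17: the timer is the "Automatically block an attacker's IP address" option in the firewall policy) is easier to reason about with a small model. The following is an added example and not Symantec code: it models a client that inspects packets against an IPS policy with excluded hosts and excluded signatures, and arms a 600 s block-all timer on a match. The policy layout, the evaluation order, the signature IDs 20001/20002 and the scan sequence are assumptions for illustration; SEP's real internals are not documented on this page. It shows what an honoured host exclusion should do (no inspection, so nothing fires and the timer never arms) and why excluding only the SIDs or only the firewall rule can still leave the timer in play; it cannot model the thread's actual root cause, a client that was receiving a different policy depending on its OU.

```python
"""Toy model of an endpoint IPS "Active Response" timer.

Added example, not Symantec code. It models the behaviour the thread
describes: an IPS signature fires on traffic from a source IP, and the
client then drops ALL traffic from that IP for N seconds (600 s in the
original alert), regardless of what later packets contain. The policy
fields, evaluation order, signature IDs (20001/20002) and IP addresses
are assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    excluded_hosts: set            # IPS "Excluded Hosts": traffic is not inspected
    excluded_sids: set             # individual signatures switched off
    auto_block: bool = True        # "Automatically block an attacker's IP address"
    block_seconds: int = 600       # length of the Active Response timer


@dataclass
class Client:
    policy: Policy
    blocked_until: dict = field(default_factory=dict)  # src ip -> expiry time (s)
    log: list = field(default_factory=list)            # events the SEPM would show

    def handle(self, now, src, sid):
        """Process one packet from `src` at time `now` (seconds).

        `sid` is the IPS signature the packet would match, or None if benign.
        Returns "allow" or "block".
        """
        p = self.policy
        # 1. Active Response is checked first: a source already on the timed
        #    block list is dropped outright, whatever the packet contains.
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "block"
            del self.blocked_until[src]        # timer expired, host released
        # 2. Excluded host: the IPS engine never inspects this source, so no
        #    signature can fire and the timer can never be armed.
        if src in p.excluded_hosts:
            return "allow"
        # 3. Signature evaluation (benign packet or disabled SID -> allow).
        if sid is None or sid in p.excluded_sids:
            return "allow"
        self.log.append(("Intrusion Prevention", now, src, sid))
        # 4. A signature match is what arms the timer.
        if p.auto_block:
            self.blocked_until[src] = now + p.block_seconds
            self.log.append(("Active Response", now, src, p.block_seconds))
        return "block"


# Constructed scan: two harmless probes, a probe that trips SID 20001, a
# harmless probe, a probe that trips SID 20002, then a probe 610 s after the
# first match (a 600 s timer armed at t=2 has expired by then).
PROBES = [(0, None), (1, None), (2, 20001), (3, None), (4, 20002), (612, None)]


def simulate_scan(policy, src="10.10.10.10", probes=PROBES):
    """Replay `probes` from `src` against a fresh client; return (verdicts, log)."""
    client = Client(policy)
    verdicts = [client.handle(t, src, sid) for t, sid in probes]
    return verdicts, client.log


if __name__ == "__main__":
    cases = {
        "scanner excluded in IPS policy": Policy({"10.10.10.10"}, set()),
        "not excluded, auto-block on":    Policy(set(), set()),
        "not excluded, auto-block off":   Policy(set(), set(), auto_block=False),
        "only the two SIDs excluded":     Policy(set(), {20001, 20002}),
    }
    for name, policy in cases.items():
        verdicts, log = simulate_scan(policy)
        print(f"{name:34s} {verdicts}")
        for event in log:
            print("    ", event)
```

Running it shows the asymmetry the thread describes: with auto-block on, the third probe arms the timer and every following packet from the scanner is dropped until it expires, including the benign one at t=3 and the one at t=4 that is never even inspected; with auto-block off, only the two matching probes are dropped and the scan continues. Both the host exclusion and the SID exclusion prevent the timer from arming in this model, which is the behaviour the original poster expected before the OU-dependent policy problem surfaced.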



  • 18.  RE: How Do I Create an Exception for Scanning the Network?

    Posted Mar 07, 2014 11:40 AM

    Incidentally, I'm a little unclear on why you would want to scan files on another machine that is already protected by SEP.  Can't you just rely on SEP on the remote machine to scan its own files?

    If you're looking to scan a network share that doesn't have SEP on it, then you won't encounter the "Block attacker's IP address" issue anyway.  Not to mention, you could look into Symantec Protection Engine for NAS devices and the like (http://www.symantec.com/protection-engine-network-attached-storage).