Endpoint Protection

  • 1.  Information of SEP IPS Attack Signatures

    Posted Jun 11, 2016 08:02 AM

    Hi guys, do the SEP IPS components use the attack signatures that are listed here on Security Response? Meaning, do the SEP IPS components have all these attack signatures in place to prevent such exploits? Please confirm.

    https://www.symantec.com/security_response/attacksignatures/

    Secondly, under SEPM, which logs and reports can I check to validate whether any of the attacks that matched the above signatures were blocked by SEP? Your usual support is highly appreciated. Thanks



  • 2.  RE: Information of SEP IPS Attack Signatures

    Posted Jun 11, 2016 08:10 AM

    Yes, those are the ones currently used by SEP IPS.

    Monitors >> Logs

    Log type: Network Threat Protection
    Log content: Attacks



  • 3.  RE: Information of SEP IPS Attack Signatures

    Posted Jun 11, 2016 08:18 AM

    Hi Brian, thanks for the reply. Actually, I also have Symantec ATP in place, integrated with SEP. However, ATP is reporting one machine as still infected. The incident that I have in ATP comprises these IPS events which SEP blocked, so I am wondering why it is showing as still infected if the IPS component blocked these attacks. I am attaching the screenshots; can you please have a quick look and see if you can figure something out? Appreciate your support. Thanks



  • 4.  RE: Information of SEP IPS Attack Signatures

    Posted Jun 11, 2016 08:30 AM

    It's inbound traffic, correct? If so, the system was attacked and the IPS blocked it. I don't see it as an infection.



  • 5.  RE: Information of SEP IPS Attack Signatures

    Posted Jun 11, 2016 08:45 AM

    Exactly, but for some weird reason ATP is showing the machine as still infected. Furthermore, in SEP, once it does the IPS signature detection, there aren't any other steps that need to be done, like running a full scan or anything else, right? Thanks



  • 6.  RE: Information of SEP IPS Attack Signatures

    Posted Jun 11, 2016 08:51 AM

    The SEP IPS did its job by blocking the attack attempt. No further action is needed unless the attack attempts continue, at which point you can block the malicious IP at your border firewall.