
intrusion prevention

Created: 11 Jul 2013 • Updated: 11 Jul 2013 | 5 comments
This issue has been solved. See solution.

What is Intrusion prevention?


.Brian:

Per the KBA:

What does Intrusion Prevention do that Antivirus protection does not?

Antivirus technology is strong, effective technology that protects your computer from files that are on the hard drive. Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.

Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.

For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the file. Since IPS already had signatures for the RPC Handling vulnerability, however, computers running IPS were protected before the worm was ever released.

IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.

Check these KBAs:

Best practices regarding Intrusion Prevention System technology

Article:TECH95347  |  Created: 2009-01-03  |  Updated: 2012-09-27  |  Article URL http://www.symantec.com/docs/TECH95347

How intrusion prevention works

Article:HOWTO80870  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO80870

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian:

Intrusion Prevention technology scans the network traffic and uses signatures to look for malicious traffic and block it if it is. It's simply another added layer of security.


Mithun Sanghavi:

Hello,

The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The intrusion prevention system is a network-based system. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.

For example, it can prevent clients from writing files to a USB flash drive. Intrusion prevention also works as an IDS. Policies are enforced by TruScan. The IPS functionality acts as a first line of defence against network based attacks.

Intrusion Prevention System technology significantly increases the level of protection that Symantec Endpoint Security gives to your network. You should always have IPS enabled on your network.

Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.

Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.

In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.

Best practices regarding Intrusion Prevention System technology

http://www.symantec.com/docs/TECH95347

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

http://www.symantec.com/docs/TECH104434

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
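The KB text quoted by .Brian and repeated by Mithun Sanghavi makes one technical point: antivirus matches signatures against files already on disk, while IPS matches signatures against the reassembled network stream, so it catches the delivery method rather than a particular file. The following toy script is an added illustration of that distinction and is not Symantec code; the signature names, the regular expressions, the "segments" and the sample files are all constructed for the example and do not correspond to any real SEP signature or exploit. It also shows why an IPS has to reassemble the stream: a pattern split across two out-of-order segments is missed when each segment is inspected alone.

```python
"""
Toy contrast between file-based antivirus matching and stream-based IPS
matching. Added example, not Symantec code. Every signature, payload and
segment below is constructed for illustration only.
"""
import hashlib
import re

# Constructed IPS-style signatures: each describes a *method* seen on the wire
# (a byte pattern in the traffic stream), not a particular file.
IPS_SIGNATURES = {
    "TOY-RPC-OVERLONG-PATH": re.compile(rb"RPC-REQ:PATH=\\{64,}"),
    "TOY-FAKE-AV-LANDING": re.compile(rb"<title>Your PC is infected"),
}

# Constructed AV-style signatures: SHA-256 hashes of known-bad files.
AV_HASHES = {
    hashlib.sha256(b"dropper-v1").hexdigest(): "TOY-Dropper.A",
}


def reassemble(segments):
    """Order (seq, payload) segments by sequence number and join the payloads,
    so a pattern that straddles two segments can still be matched."""
    return b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))


def ips_inspect(segments):
    """Names of IPS signatures that match the reassembled stream."""
    stream = reassemble(segments)
    return sorted(n for n, pat in IPS_SIGNATURES.items() if pat.search(stream))


def ips_inspect_per_segment(segments):
    """Naive variant that matches each segment on its own; kept only to show
    what stream reassembly buys."""
    hits = set()
    for _, payload in segments:
        hits.update(n for n, pat in IPS_SIGNATURES.items() if pat.search(payload))
    return sorted(hits)


def av_scan(file_bytes):
    """AV detection name for a file whose hash is known, else None."""
    return AV_HASHES.get(hashlib.sha256(file_bytes).hexdigest())


def build_segments():
    """Constructed traffic: an overlong path request delivered out of order and
    split so that neither segment contains the whole pattern."""
    request = b"RPC-REQ:PATH=" + b"\\" * 100
    return [(200, request[60:]), (100, request[:60])]


def demo():
    """Run both engines over the constructed inputs and return the results."""
    segments = build_segments()
    return {
        "ips_stream": ips_inspect(segments),            # method caught on the wire
        "ips_per_segment": ips_inspect_per_segment(segments),  # split pattern missed
        "av_known_file": av_scan(b"dropper-v1"),         # hash is known
        "av_variant_file": av_scan(b"dropper-v2"),       # one-byte change, no hash yet
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `av_variant_file` result is the gap the thread describes: a trivially modified file has no hash signature yet, whereas the stream signature keyed on the delivery method still fires on the reassembled traffic regardless of what file it would eventually drop.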