Endpoint Protection


Intrusion Prevention is blocking internet

Migration User, Feb 06, 2014 04:20 AM

  • 1.  Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 03:20 AM

    Hi,

    On a few machines, when IPS is on, it blocks access to the internet and it does not even ping the proxy, but when I remove IPS it works perfectly. Any idea?

    Thanks



  • 2.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 03:27 AM

    Did you check the logs?

    It should be the firewall component; can you check the firewall logs on the client?



  • 3.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 03:31 AM

    But when I log in to the client and disable ONLY IPS and leave the Firewall on, it works well.



  • 4.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 03:47 AM

    Is this a managed client or self-managed?

    I would still go through the logs, because in earlier versions IPS and NTP were dependent; in 12.x versions you can run IPS without NTP.

    Can you check the firewall logs on the client?

    And also from SEPM - Monitors - Logs - Network Threat Protection logs - Traffic log:

    click the Advanced option (the blue link),

    under Blocked status select Blocked, and check those logs.



  • 5.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 03:58 AM

    See below


    Event Time:
    Begin Time:
    End Time:
    Occurrence:
    Event Type:
    Severity:
    Action:
    Application Name:
    Network Protocol:
    Traffic Direction:
    Remote IP:
    Remote Host Name:
    Alert:
    Local Port:
    Remote Port:
    Rule Name:




  • 6.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 04:11 AM

    It is a managed machine; see the log below.


    Risk DetectedEvent Time: 02/06/2014 11:34:37 
    Begin Time: 02/06/2014 11:33:25 
    End Time: 02/06/2014 11:33:34 
    Occurrence: 3 
    Event Type: TCP initiated 
    Severity: Info 
    Action: Blocked 
    Application Name:  
    Network Protocol: TCP 
    Traffic Direction: Inbound 
    Remote IP: 10.40.106.2 
    Remote Host Name:  
    Alert: 0 
    Local Port: 49188 
    Remote Port: 50587 
    Rule Name: Block all other IP traffic and log 
    Risk DetectedEvent Time: 02/06/2014 11:25:47 
    Begin Time: 02/06/2014 11:25:35 
    End Time: 02/06/2014 11:25:35 
    Occurrence: 2 
    Event Type: ICMP packet 
    Severity: Info 
    Action: Blocked 
    Application Name:  
    Network Protocol: ICMP 
    Traffic Direction: Outbound 
    Remote IP: 10.40.100.30 
    Remote Host Name: HQDC01
    Alert: 0 
    ICMP type: 3 
    ICMP code: 3 
    Rule Name: Block all other IP traffic and log 
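As an added illustration (not part of the original thread, and not Symantec code), the following Python script parses traffic-log entries in the field/value layout pasted above and flags blocked traffic whose remote address is a host the client depends on. The sample log is constructed from the two entries in the post; the proxy and domain-controller roles in `INFRA_HOSTS` are assumed from the thread, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the traffic log pasted above. The values
# mirror the post's two entries; "Risk Detected" is the export prefix that
# arrives fused onto the first field name.
SAMPLE_LOG = """\
Risk DetectedEvent Time: 02/06/2014 11:34:37
Begin Time: 02/06/2014 11:33:25
End Time: 02/06/2014 11:33:34
Occurrence: 3
Event Type: TCP initiated
Severity: Info
Action: Blocked
Application Name:
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 10.40.106.2
Remote Host Name:
Alert: 0
Local Port: 49188
Remote Port: 50587
Rule Name: Block all other IP traffic and log

Risk DetectedEvent Time: 02/06/2014 11:25:47
Begin Time: 02/06/2014 11:25:35
End Time: 02/06/2014 11:25:35
Occurrence: 2
Event Type: ICMP packet
Severity: Info
Action: Blocked
Application Name:
Network Protocol: ICMP
Traffic Direction: Outbound
Remote IP: 10.40.100.30
Remote Host Name: HQDC01
Alert: 0
ICMP type: 3
ICMP code: 3
Rule Name: Block all other IP traffic and log
"""

# Hosts the client must be able to reach (roles assumed from the thread).
INFRA_HOSTS = {
    "10.40.100.60": "web proxy",
    "10.40.100.30": "domain controller HQDC01",
}

# ICMP type 3 is "destination unreachable"; code 3 is "port unreachable".
ICMP_UNREACHABLE = {("3", "3"): "destination unreachable / port unreachable"}

FUSED_PREFIX = re.compile(r"^Risk Detected(?=Event Time:)")


def parse_entries(text):
    """Split the export into one dict per entry; entries are blank-line separated."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = FUSED_PREFIX.sub("", raw.strip())
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def blocked_by_remote_ip(entries):
    """Sum the Occurrence field of blocked entries per remote IP."""
    counts = Counter()
    for e in entries:
        if e.get("Action") == "Blocked":
            counts[e.get("Remote IP", "")] += int(e.get("Occurrence") or 1)
    return counts


def triage(entries, infra=INFRA_HOSTS):
    """Return findings for blocked traffic to hosts the client depends on.

    A firewall block on the proxy or a DC explains an "internet is down"
    symptom far better than the IPS signature name alone does.
    """
    findings = []
    for e in entries:
        ip = e.get("Remote IP", "")
        if e.get("Action") != "Blocked" or ip not in infra:
            continue
        finding = {
            "remote_ip": ip,
            "role": infra[ip],
            "direction": e.get("Traffic Direction"),
            "protocol": e.get("Network Protocol"),
            "rule": e.get("Rule Name"),
        }
        icmp = (e.get("ICMP type"), e.get("ICMP code"))
        if icmp in ICMP_UNREACHABLE:
            finding["icmp"] = ICMP_UNREACHABLE[icmp]
        findings.append(finding)
    return findings
```

Run `triage(parse_entries(SAMPLE_LOG))` against a real export with your own proxy and DC addresses in `INFRA_HOSTS`; any finding there is worth checking before looking at individual signatures.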


  • 7.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 04:16 AM

    On the client, do you see anything under the Security log?

    Is 10.40.100.30 your proxy IP, which you tried to ping (ICMP)?



  • 8.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 04:20 AM

    10.40.100.30 is not a proxy; it is one of my DCs.



  • 9.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 04:48 AM

    What is that first event? That is not an HTTP request (the ports are far too high). Have you got logs of HTTP/HTTPS traffic being blocked?



  • 10.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 05:10 AM

    On the SEP client you can check the System logs from the SEP console.



  • 11.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 05:43 AM

    No HTTP or HTTPS logs, only TCP and ICMP.

    On the client Security log:

    System Infected: Backdoor Houdini Activity

    Does that have anything to do with the internet being blocked?



  • 12.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 08:58 AM

    Guys, please see attached. I think the below is showing what is happening, but I am not sure why that happened!

    Attachment: Security Log.xlsx (10 KB)


  • 13.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 09:07 AM

    Well, what's happening is the user is visiting a site which is trying to redirect to a site containing malware, so it is being blocked. Traffic from 10.40.100.60 is being blocked for the next ten minutes every time this detection happens.



  • 14.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 09:15 AM

    10.40.100.60 is our proxy, so you mean Symantec is blocking the machine from getting to the proxy because of the malware on that web site? If yes, then can Symantec just block that web site and let the user continue browsing the internet, or at least show a log on SEPM? Because when Symantec blocks the proxy, the machine cannot access the internet until I disable IPS.



  • 15.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 09:18 AM

    That's correct, your proxy is being blocked because the SEP firewall cannot differentiate between proxied and non-proxied traffic.

    Go into your firewall policy and on the Protection and Stealth tab, uncheck "Automatically block an attacker's IP address". The initial attack will still be stopped, but your proxy will no longer be blocked and you will still be able to browse.
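As an added illustration of the mechanism described in this reply (not part of the original thread, and a simplified model rather than SEP's actual implementation), the Python below models a client firewall whose "automatically block an attacker's IP address" option blocks the offending peer for the ten-minute window the thread mentions. The proxy address comes from the thread; the attacker and clean-site addresses are constructed from documentation ranges, and the class and function names are my own.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 600            # the ten-minute auto-block window from the thread
PROXY_IP = "10.40.100.60"      # the proxy address from the thread
ATTACKER_IP = "203.0.113.10"   # constructed, documentation range
CLEAN_SITE = "198.51.100.7"    # constructed, documentation range


@dataclass
class ClientFirewall:
    """Toy model of the client firewall's auto-block behaviour (assumed, not SEP code)."""
    auto_block_attacker: bool
    blocked_until: dict = field(default_factory=dict)  # peer IP -> expiry time (s)

    def ips_detection(self, now, peer_ip):
        """An IPS signature matched a packet from peer_ip.

        The offending packet is dropped regardless; with auto-block on, every
        packet from that peer is also dropped for BLOCK_SECONDS.
        """
        if self.auto_block_attacker:
            self.blocked_until[peer_ip] = now + BLOCK_SECONDS
        return "dropped"

    def permits(self, now, peer_ip):
        """True if traffic to/from peer_ip is allowed at time now."""
        expiry = self.blocked_until.get(peer_ip)
        return expiry is None or now >= expiry


def browse(fw, now, dest, proxy=None):
    """Return True if a web request at time now can reach dest.

    With a proxy configured the client's peer for every site is the proxy, so
    the firewall only ever sees the proxy's address, never the real site's.
    """
    peer = proxy if proxy else dest
    return fw.permits(now, peer)


def scenario(auto_block, proxied):
    """Detection at t=0 on malicious content, then attempts to reach an
    unrelated clean site at later times. Returns (time, reachable) pairs."""
    fw = ClientFirewall(auto_block)
    proxy = PROXY_IP if proxied else None
    # The malicious redirect arrives via the proxy when proxied, else directly
    # from the attacker's host.
    fw.ips_detection(now=0, peer_ip=proxy or ATTACKER_IP)
    return [(t, browse(fw, t, CLEAN_SITE, proxy)) for t in (1, 300, 599, 600, 1200)]


if __name__ == "__main__":
    for auto_block in (True, False):
        for proxied in (True, False):
            print(f"auto_block={auto_block} proxied={proxied}:",
                  scenario(auto_block, proxied))
```

With auto-block on and a proxy in the path, the clean site is unreachable for the full 600 seconds after the detection; with auto-block off, or with direct (non-proxied) browsing, only the attacker's own traffic is affected. That is the trade-off the reply describes: turning the option off keeps the signature-level block and removes the collateral block on the proxy.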



  • 16.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 09:48 AM

    I did as you advised, but I still see the below log in the Security log:

    [SID: 27071] System Infected: Backdoor Houdini Activity attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSCRIPT.EX



  • 17.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 09:56 AM

    You may want to investigate that file further; it could be malicious, which is what the SEP IPS is firing on.

    This is a separate incident from your proxy being blocked.



  • 18.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 10:02 AM

    SID is 27071.

    You have two options to check if that's working:

    1)

    Open SEPM - Policies - IPS - right click, Edit.

    Under Settings - Exclude host, try adding your proxy IP 10.40.100.60.

    2)

    1. Open the Symantec Endpoint Protection Manager (SEPM) console.
    2. Select the 'Policies' icon on the left.
    3. Under 'View Policies', select 'Intrusion Prevention'.
    4. Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
    5. Select the 'Exceptions' tab.
    6. Click on the 'Add...' button.
    7. Search for and select the desired ID (27071).
    8. Click on the 'Next>>' button.
    9. Change 'Action' from 'Block' to 'Allow'. Click on the 'OK' button.
    10. Check that the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
    11. Click on the 'OK' button to save changes in the Intrusion Prevention policy.
    12. Ensure this policy is applied to the SEP client group which is affected.



  • 19.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 10:10 AM

    But I still cannot access the internet even though I disabled "Automatically block an attacker's IP address", and sorry, which file do you want me to investigate further?



  • 20.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 10:13 AM

    Did the clients pick up the policy, and are they in the correct group to which the policy is applied?

    wscript.exe



  • 21.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 10:40 AM

    Thank you _Brian for this point, as the policy shows as not updated lately even though it is connected to SEPM and was only updated 3 hours ago. How can I force it to update? Even when I click Policy Profile -- Update, the policy is not updated yet, so I can make sure what I changed on the firewall and IPS would work.




  • 22.  RE: Intrusion Prevention is blocking internet

    Posted Feb 06, 2014 10:46 AM

    On the SEP client, you can force it to check in to the server by going to Start >> Run and typing "smc -updateconfig".

    Or by right-clicking on the SEP icon and selecting "Update Policy".



  • 23.  RE: Intrusion Prevention is blocking internet

    Posted May 16, 2014 08:33 PM

    This thread ended up in Endpoint Encryption somehow. Moving thread.