Endpoint Protection

  • 1.  IPS alerts from Citrix XenDesktop sessions

    Posted Nov 17, 2015 11:23 AM

    We have an issue with our SEPM IPS alerts sent from Citrix sessions.

    We have users logging into Citrix desktops and browsing the internet; when SEPM blocks certain websites with the IPS engine, we receive the alerts.

    Now the issue is we receive the alerts with the wrong username, especially from the first user (user) logged on to that particular Citrix server.

    Any pointers for this issue, please?



  • 2.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 17, 2015 11:26 AM

    What username is it coming from?



  • 3.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 17, 2015 11:37 AM

    Depends on who logs into that server first. Assume the following:

    Joe is the first user logged into a Citrix server X. Next, user Bob logs into the same Citrix server X and opens a malicious website, and SEPM blocked it. SEPM sends out an alert in Joe's name, not in Bob's name.

    Now Joe has logged out of the server X, but Bob continues to access the same website from the server. SEPM still sends out the alerts in Joe's name.



  • 4.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 17, 2015 12:04 PM

    Seems like SEP records the initially logged-in user and does nothing after that. What is the exact SEP version running?



  • 5.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 17, 2015 12:34 PM

    Client version is 12.1.6318.6100 (12.1.RU6 MP1).



  • 6.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 25, 2015 12:14 PM

    Can someone please help me to understand how the SEP client generates the NTP alert and sends its details to SEPM?



  • 7.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 26, 2015 01:59 AM

    Have you followed best practices for SEP on Citrix servers?

    What does Intrusion Prevention do that Antivirus protection does not?

    Antivirus technology is strong, effective technology that protects your computer from files that are on the hard drive. Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.

    Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.

    For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the file. Since IPS already had signatures for the RPC Handling vulnerability, however, computers running IPS were protected before the worm was ever released.

    IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.

    Best practices regarding Intrusion Prevention System technology

     



  • 8.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 26, 2015 03:36 AM

    Is the SEP client in "Computer mode" or "User mode"?

    If it is in computer mode, try switching it to user mode (and vice versa) and then check if the alerts are triggered with the correct user name.

    To switch the mode, locate the client entry in SEPM, right-click on it and select "switch to......"

    Note: When you switch a SEP client to user mode, multiple entries will be created for that computer, one for each user. However, the license consumed will still be 1 license per computer.



  • 9.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 26, 2015 10:09 AM

    Yes, I read about this. We have enabled IPS on our Citrix servers to stop risks like ransomware and CryptoLocker.



  • 10.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 27, 2015 10:42 AM

    Did you get the chance to try the client mode switching? Did it help?



  • 11.  RE: IPS alerts from Citrix XenDesktop sessions

    Posted Nov 30, 2015 02:20 PM

    Tried user mode; it did not resolve the issue.

    After changing to user mode, logging into the server did not show the user name in the SEPM console.

    Tried to generate alerts with multiple users; always received the alerts from the user who first logged in.