You stated that $LOCALHOST is pre-defined in SEP's custom IPS.
However, it seems to me that in 11.xxx it used to be listed in the variables tab.
Currently, I see a pre-defined "any" variable - I did not put it there, yet it exists.
$LOCALHOST does not exist in that Variables tab, any does.
I'm trying to figure out how so many people here are getting through to blocked things - it's almost as if the computer or user tries so hard they eventually over-run SEP's custom IPS and they get through anyway.
I say that because I see in the logs where a person/computer triggered a rule, and it says it was blocked and it's listed in the logs, so I assume it was blocked, and yet I see in the web history that they successfully accessed the blocked site, logged in and actually used it for a while, dozens of hits in the history, and the sequence of pages proves they met with success getting there, yet SEP's custom IPS logs show that attempts were blocked. So I have to assume SEP blocks some attempts, but not all, and they eventually make it!
I'm trying to figure out where the problem is - are there so many rules defined in the custom IPS that SEP just plain can't keep up and so half the traffic is blocked, half can't be blocked and all it does is slow them down getting there?
Is there a problem with the "$LOCALHOST" variable - I no longer see it defined in the variables tab, I thought it USED to be years ago, but it sure isn't now. And if not there, why is an ANY definition in there? Why one and not the other as "ANY" is also predefined by someone! Not me...
So - should I "see" LOCALHOST being defined anywhere, or is it a hidden, built-in thing that isn't listed but it's there anyway? Sort of hard-coded into SEP?
And if the rules DO block, why can some - even most - folks get through if they keep trying hard enough?