I tried to launch a port scan for one of my clients. A few seconds after launching the scan, the SEP client blocked it, as it identified it as a port scan. The weird thing is that it reports that not me but the remote host launched the port scan (probably SEP misinterprets the SYN packet responses and thinks that the other party launches the attack). Is there any way to stop this from happening? (Apart from disabling the agent.) Port scanning is a necessity for my job and I need to work properly and without having to turn off the agent. Thanks in advance, aa
Do I understand you correctly that your SEP client mixes up attacker and victim in its security log?
Could you tell us, if possible, how you performed the attack (e.g., which nmap options you set -- if nmap is your tool)?
What version of SEP are you on?
SEP 12.1
Add the client to the "Enabled Excluded hosts" list on the Settings tab under the IPS policy.
I've done it. But it seems that it doesn't work...